Let's make a directory first to work on the box —> mkdir valentine
And then run an Nmap scan —> nmap -sVC 10.10.10.79
We see there are 3 TCP ports open. After having a quick look at the website I didn't find anything interesting apart from a very cool picture.
So I decided to run another Nmap scan using the built-in scripts to see if I could spot any vulnerabilities —> nmap -sV --script vuln 10.10.10.79
And it seems like we found the one; very romantic indeed. Let's dive into the history of this lovely bug before proceeding to exploit it.
The Heartbleed bug was a major security vulnerability that affected the widely used OpenSSL cryptographic software library. It was discovered in early April 2014 and had a significant impact on internet security at the time.
The vulnerability allowed attackers to read small chunks of the server's memory (up to 64KB per request) without leaving any trace of intrusion.
Dr Robin Seggelmann, a 31-year-old German developer who introduced the Heartbeat concept to OpenSSL on New Year's Eve, 2011, says it was just a programming error in the code that unintentionally created the "Heartbleed" vulnerability.
"In one of the new features, unfortunately, I missed validating a variable containing a length."
Here's how the Heartbleed bug worked:
The attacker sent a maliciously crafted Heartbeat request to the server.
The server, running the vulnerable version of OpenSSL, would respond to the request and include a chunk of its memory in the response, as specified by the attacker.
The attacker could potentially extract sensitive information, such as encryption keys, user credentials, and other data that happened to be stored in the server's memory.
If you are interested in a more detailed explanation go here!
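To make that missing length validation concrete, here is an added Python example (not from the original writeup or from OpenSSL) that checks a TLS heartbeat record the way the OpenSSL fix does, and reports how far past the received bytes the pre-fix code would have read. The record layout follows RFC 6520; the sample records are constructed.

```python
import struct

HEARTBEAT_REQUEST = 1
MIN_PADDING = 16  # RFC 6520: every heartbeat message ends with at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_length=None, padding=b"\x00" * MIN_PADDING) -> bytes:
    """Constructed sample record: type (1 byte), payload_length (2 bytes, big-endian),
    payload, padding. claimed_length lets the length field disagree with the payload."""
    if claimed_length is None:
        claimed_length = len(payload)
    return bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", claimed_length) + payload + padding


def is_well_formed(record: bytes) -> bool:
    """The check added in OpenSSL 1.0.1g (paraphrased): the message is discarded unless
    1 (type) + 2 (length) + payload_length + 16 (padding) fits inside the record."""
    if len(record) < 3:
        return False
    (claimed,) = struct.unpack("!H", record[1:3])
    return 1 + 2 + claimed + MIN_PADDING <= len(record)


def overread_bytes(record: bytes) -> int:
    """Bytes beyond the received record that the pre-fix code would have copied into its
    response: it trusted the length field and copied that many bytes from the payload
    start. 0 means the length field is honest."""
    if len(record) < 3:
        return 0
    (claimed,) = struct.unpack("!H", record[1:3])
    actual_after_header = len(record) - 3
    return max(0, claimed - actual_after_header)


# Constructed samples: an honest request, one whose length field claims 65535 bytes
# while carrying 4, and one with an honest length but no padding.
BENIGN = build_heartbeat(b"ping")
OVERSIZED = build_heartbeat(b"ping", claimed_length=0xFFFF)
UNPADDED = build_heartbeat(b"ping", padding=b"")

if __name__ == "__main__":
    for name, rec in (("benign", BENIGN), ("oversized", OVERSIZED), ("unpadded", UNPADDED)):
        print(f"{name}: well_formed={is_well_formed(rec)} overread={overread_bytes(rec)}")
```

The same check can be run over heartbeat records carved from a packet capture to flag requests whose length field does not match what was actually sent.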
This bug was particularly dangerous because it had been present in the OpenSSL codebase for about two years before it was discovered.
Bloomberg accused the National Security Agency (NSA) of having known about the Heartbleed bug for the previous two years. Worse, the report says the agency had been using it continuously to gather information instead of disclosing it to the OpenSSL developers. If true, this would be one of the biggest developments in the history of wiretapping. However, the agency denied it, saying the NSA was not aware of Heartbleed until it was made public.
The discovery of the Heartbleed bug was made by researchers from Google's Security Team and a Finnish security firm, Codenomicon.
OK? Cool, let's get back to business.
I found a script to exploit this manually that I could not make work, but I will leave it here in case you would like to give it a try.
So I decided, with all the pain in my heart (hehe), to use Metasploit, and it seems like it was meant to be.
Very lovely, I know. Let's search for the exploit.
Set all the necessary options; in particular I set ACTION to DUMP so I could analyse the output later on.
After running it 3 times I found an interesting string in one of the dump files that looks like base64.
I went to CyberChef to check if I could decode it, and bingo!
So now we have a password. I tried to SSH in with it but had no luck, so I decided to do more enumeration using Gobuster to look for directories (something, by the way, that I should have done way earlier).
And we found some stuff; let's head to /dev first.
Looking at the files, we found an encrypted key in what seems to be hex.
Passing it to CyberChef we got an RSA private key.
Let's save it to a file and give it chmod 600 permissions so we can use it to SSH. Easy, right? Well, it's not that easy.
The ssh-rsa key type (RSA with SHA-1) is deprecated in recent OpenSSH clients, meaning that we need to re-enable it. I almost gave up before I used the verbose option -vvv, pasted the output into Google and found this:
So the command you want to use may look like this —> ssh -o 'PubkeyAcceptedKeyTypes +ssh-rsa' -i hype.key hype@10.10.10.79
Enter the passphrase we found before and we are in!
After this you will very easily find the user's flag. Now let's escalate our privileges; to do so I used LinPEAS, which you can easily find on GitHub in case you don't know it.
Deploy an HTTP server using the Python module in the folder where you have the LinPEAS script —> sudo python3 -m http.server 80
Now download it from the target and give it execute permission so we can run it.
And it seems like we found a critical vulnerability in the list of processes.
Let's check HackTricks for some information about this vulnerability.
And we found some information! It even refers to this box specifically! A nice taste of history!
Follow the steps and get that root flag!