Tue. Oct 20th, 2020

Pentesting Fun Stuff

following the cyber security path…

Valentine

Starting with a port scan.

When browsing to port 80 I get a not so subtle hint to heartbleed.

Let’s check with nmap.

Looks like we have ourself a winner.

When looking inside the blob I see a base64 string (when running the module multiple times will give different pieces of data from memory).

That looks useful. But it’s no password or at least not for ssh with username ‘valentine’.
So I do some more enumeration.

Another run at dirsearch gives up more information.



But when I try to encode something…..

Not really what I was hoping for. But when looking at the found key I tried some hex decoding and got my self a private key.

So it looks like the decode string is the password for the key and is not working as the password for the user valentine (I’ve tried root, but that’s not working either).
After some pondering I looked at where I found the file: hype_key……..key of ‘hype’?

Nice.

Now for some enumeration on the machine to figure out how to elevate my rights.

Not the newest Ubuntu.

………and I’ve killed the box.

After a reset…..I continue with a different approach. Because I don’t wanna kill off the machine again. So more enumeration.

After uploading a perl script to check possible exploits I get 3 results. Because the 2th is mainly for Red Hat and the Perf exploit kills my ssh connection, I finally go for the Dirty Cow.
After getting the exploit from exploit-db and uploading it to the remote machine I compile and run it.

Setting the password.

Nice. Now for the final flag.

And done.
 

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.