Difficulty: Easy
Machine Creator: mrb3n
Tools Used: Nmap, Gobuster, Python

Network Enumeration

Let's start with a quick Nmap scan to discover open ports.
nmap -sS --min-rate 5000 --max-retries 1 -p- 10.10.10.79

Web Directory Enumeration

Let's use Gobuster to search for directories.

HTTP Enumeration


If we browse the directories from the Gobuster scan, we can see a couple of files in the dev directory.





ls /usr/share/nmap/scripts/ | grep "ssl"

nmap --script=ssl-heartbleed -p 443 10.10.10.79

If we look back at the image on the website, it hints at the vulnerability.

Exploitation

There is a Metasploit module for Heartbleed, but let's do this exploit manually. We can download a Python script from GitHub that will exploit Heartbleed.
https://gist.githubusercontent.com/eelsivart/10174134/raw/8aea10b2f0f6842ccff97ee921a836cf05cd7530/heartbleed.py



User.txt

We can read user.txt as user hype.
Privilege escalation


tmux -S /.devs/dev_sess

Connecting to the root tmux session we now have a root terminal.
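
A defender-side check for the condition this step relies on, as an added example that is not part of the original writeup: it walks a directory tree and reports UNIX sockets owned by a privileged account that group or other can write to, which is what lets a different account attach to that account's tmux session. It assumes the session was reachable through loose socket permissions (the writeup does not show them); audit_sockets and demo are names chosen here, and the sample files are constructed.

```python
import os
import socket
import stat
import tempfile

LOOSE = stat.S_IWGRP | stat.S_IWOTH  # connect() to a UNIX socket needs write permission


def audit_sockets(root, owner_uid=0):
    """Return {path: octal mode} for UNIX sockets under root that are owned by
    owner_uid and writable by group or other (so another account can attach)."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:  # os.walk lists sockets among the non-directories
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip
            if not stat.S_ISSOCK(st.st_mode) or st.st_uid != owner_uid:
                continue
            if st.st_mode & LOOSE:
                findings[path] = oct(stat.S_IMODE(st.st_mode))
    return findings


def demo():
    """Constructed sample: files owned by the current user, audited with
    owner_uid set to that user so the demo runs without root."""
    base = tempfile.mkdtemp()
    modes = {"dev_sess": 0o660, "private_sess": 0o600}
    for name, mode in modes.items():
        path = os.path.join(base, name)
        with socket.socket(socket.AF_UNIX) as s:
            s.bind(path)  # creates the socket file; it remains after close
        os.chmod(path, mode)
    note = os.path.join(base, "notes.txt")
    open(note, "w").close()
    os.chmod(note, 0o666)  # loose mode, but not a socket: must be ignored
    found = audit_sockets(base, os.getuid())
    return {os.path.basename(p): m for p, m in found.items()}


if __name__ == "__main__":
    print(demo())                 # constructed sample
    print(audit_sockets("/tmp"))  # root-owned sockets on this host, if any
```

Run as root against the paths where session sockets may live; any hit is a socket that should be mode 0600 or sit in a directory other accounts cannot traverse.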
Root.txt
