Nmap
┌──(kali㉿kali)-[~/archive/htb/labs/valentine]
└─$ nmap -sC -sV -p- $IP
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-07 23:57 CEST
Nmap scan report for 10.10.10.79
Host is up (0.032s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 96:4c:51:42:3c:ba:22:49:20:4d:3e:ec:90:cc:fd:0e (DSA)
| 2048 46:bf:1f:cc:92:4f:1d:a0:42:b3:d2:16:a8:58:31:33 (RSA)
|_ 256 e6:2b:25:19:cb:7e:54:cb:0a:b9:ac:16:98:c6:7d:a9 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.2.22 (Ubuntu)
443/tcp open ssl/http Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
| Not valid before: 2018-02-06T00:45:25
|_Not valid after: 2019-02-06T00:45:25
|_ssl-date: 2022-10-07T21:58:00+00:00; 0s from scanner time.
|_http-server-header: Apache/2.2.22 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.82 seconds
The nmap scan returns the following open ports:
22: OpenSSH 5.9p1
80: Apache httpd 2.2.22
443: Apache httpd 2.2.22
Running an additional scan against port 443 with the ssl-* NSE scripts
┌──(kali㉿kali)-[~/archive/htb/labs/valentine]
└─$ nmap --script ssl-* -p443 $IP
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-08 19:45 CEST
Nmap scan report for 10.10.10.79
Host is up (0.031s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE
443/tcp open https
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: VULNERABLE
| IDs: BID:70574 CVE:CVE-2014-3566
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_AES_128_CBC_SHA
| References:
| https://www.imperialviolet.org/2014/10/14/poodle.html
| https://www.securityfocus.com/bid/70574
| https://www.openssl.org/~bodo/ssl-poodle.pdf
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
| ssl-cert: Subject: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
| Issuer: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2018-02-06T00:45:25
| Not valid after: 2019-02-06T00:45:25
| MD5: a413 c4f0 b145 2154 fb54 b2de c7a9 809d
|_SHA-1: 2303 80da 60e7 bde7 2ba6 76dd 5214 3c3c 6f53 01b1
|_ssl-date: 2022-10-08T17:45:31+00:00; 0s from scanner time.
| ssl-heartbleed:
| VULNERABLE:
| The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
| State: VULNERABLE
| Risk factor: High
| OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
|
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
| http://cvedetails.com/cve/2014-0160/
|_ http://www.openssl.org/news/secadv_20140407.txt
| ssl-ccs-injection:
| VULNERABLE:
| SSL/TLS MITM vulnerability (CCS Injection)
| State: VULNERABLE
| Risk factor: High
| OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
| does not properly restrict processing of ChangeCipherSpec messages,
| which allows man-in-the-middle attackers to trigger use of a zero
| length master key in certain OpenSSL-to-OpenSSL communications, and
| consequently hijack sessions or obtain sensitive information, via
| a crafted TLS handshake, aka the "CCS Injection" vulnerability.
|
| References:
| http://www.cvedetails.com/cve/2014-0224
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
|_ http://www.openssl.org/news/secadv_20140605.txt
Nmap done: 1 IP address (1 host up) scanned in 4.48 seconds
Nmap identified 3 vulnerabilities on port 443:
SSL POODLE information leak (ssl-poodle, CVE-2014-3566)
Heartbleed (ssl-heartbleed, CVE-2014-0160)
CCS Injection (ssl-ccs-injection, CVE-2014-0224)
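Both summaries above (the open-port list and the list of vulnerable NSE results) can be produced straight from nmap's normal-format text rather than by hand. The following triage helper is an added example written for this writeup; it is not code from the original post or from nmap. It assumes the abridged scan text embedded as SAMPLE_SCAN, which is a constructed copy of the two scans above with nmap's own indentation restored (script headers use one space after the bar, nested lines two or more), and the helper names parse_scan, open_ports and vulnerable_findings are mine.

```python
"""Triage helper for nmap normal-format output: lists open ports and pulls out
NSE script results whose State is VULNERABLE, together with their CVE ids.
Added example for this writeup, not code from the original post or from nmap."""
import re
from dataclasses import dataclass, field

# Constructed sample: an abridged copy of the two scans above, with nmap's
# own indentation restored so the parser can tell script blocks apart.
SAMPLE_SCAN = """\
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|_  256 e6:2b:25:19:cb:7e:54:cb:0a:b9:ac:16:98:c6:7d:a9 (ECDSA)
80/tcp  open  http     Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
443/tcp open  ssl/http Apache httpd 2.2.22 ((Ubuntu))
| ssl-poodle:
|   VULNERABLE:
|   SSL POODLE information leak
|     State: VULNERABLE
|     IDs:  BID:70574  CVE:CVE-2014-3566
|_    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
| ssl-heartbleed:
|   VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in OpenSSL.
|     State: VULNERABLE
|     Risk factor: High
|_    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
| ssl-ccs-injection:
|   VULNERABLE:
|   SSL/TLS MITM vulnerability (CCS Injection)
|     State: VULNERABLE
|     Risk factor: High
|     http://www.cvedetails.com/cve/2014-0224
|_    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
SCRIPT_RE = re.compile(r"^\|_? ?([A-Za-z][\w-]*):(.*)$")  # "| name:" or "|_name:"
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
STATE_RE = re.compile(r"\bState:\s*VULNERABLE\b", re.IGNORECASE)
RISK_RE = re.compile(r"Risk factor:\s*(\S+)", re.IGNORECASE)


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str
    scripts: list = field(default_factory=list)  # (script name, [body lines])


@dataclass(frozen=True)
class Finding:
    port: int
    script: str
    risk: str
    cves: tuple


def parse_scan(text):
    """Return the Port entries in the order nmap printed them."""
    ports, current = [], None
    for line in text.splitlines():
        line = line.rstrip()
        m = PORT_RE.match(line)
        if m:
            current = Port(int(m[1]), m[2], m[3], m[4], m[5] or "")
            ports.append(current)
            continue
        if line.startswith("Host script results"):
            current = None  # host-level scripts belong to no port
        if current is None or not line.startswith("|"):
            continue
        m = SCRIPT_RE.match(line)
        if m:
            current.scripts.append((m[1], [m[2].strip()]))
        elif current.scripts:
            current.scripts[-1][1].append(line.lstrip("|_ "))
    return ports


def open_ports(ports):
    return [(p.number, p.service, p.version) for p in ports if p.state == "open"]


def vulnerable_findings(ports):
    """One Finding per script block that reports State: VULNERABLE."""
    findings = []
    for p in ports:
        for name, lines in p.scripts:
            body = "\n".join(lines)
            if not STATE_RE.search(body):
                continue
            risk = RISK_RE.search(body)
            cves = tuple(sorted(set(CVE_RE.findall(body))))
            findings.append(Finding(p.number, name, risk[1] if risk else "unknown", cves))
    return findings


if __name__ == "__main__":
    scan = parse_scan(SAMPLE_SCAN)
    for number, service, version in open_ports(scan):
        print(f"{number:>5}/{service:<10} {version}")
    for f in vulnerable_findings(scan):
        print(f"port {f.port}: {f.script} risk={f.risk} cves={', '.join(f.cves) or '-'}")
```

The parser keys on indentation, which is why the sample restores nmap's spacing; output that has been copied through a tool that collapses whitespace (as the text of this page has) will not separate script headers from nested lines reliably. On real scans, saving with -oN and feeding that file to parse_scan avoids the problem, and the CVE ids collected per finding are what a defender would feed into a patch or exposure tracker.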