HackTheBox “Valentine” Walkthrough

Abdullah Kareem
6 min read · Jul 8, 2023


Valentine is an easy-level Linux machine on HackTheBox that runs a web service affected by the Heartbleed vulnerability. By leveraging this vulnerability, an attacker extracts a passphrase from server memory; combined with an encrypted RSA key found in a web directory, this grants SSH access. Privilege escalation offers two paths: a root tmux session, which is the favored route, and a kernel exploit using DirtyCow.

Let’s get started! 🚀

Recon & Enumeration

Let’s use nmap to scan for open ports and services:

Visit the target on port 80.

Visit the target on port 443.

We will use nmap NSE scripts to look for vulnerabilities targeting ports 80 and 443.

┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap -p 80,443 --script vuln 10.10.10.79
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-08 17:04 +03
Nmap scan report for 10.10.10.79
Host is up (0.11s latency).

PORT STATE SERVICE
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum:
| /dev/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)'
|_ /index/: Potentially interesting folder
443/tcp open https
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: VULNERABLE
| IDs: BID:70574 CVE:CVE-2014-3566
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_AES_128_CBC_SHA
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
| https://www.imperialviolet.org/2014/10/14/poodle.html
| https://www.openssl.org/~bodo/ssl-poodle.pdf
|_ https://www.securityfocus.com/bid/70574
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| ssl-heartbleed:
| VULNERABLE:
| The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
| State: VULNERABLE
| Risk factor: High
| OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
|
| References:
| http://cvedetails.com/cve/2014-0160/
| http://www.openssl.org/news/secadv_20140407.txt
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum:
| /dev/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)'
|_ /index/: Potentially interesting folder
| ssl-ccs-injection:
| VULNERABLE:
| SSL/TLS MITM vulnerability (CCS Injection)
| State: VULNERABLE
| Risk factor: High
| OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
| does not properly restrict processing of ChangeCipherSpec messages,
| which allows man-in-the-middle attackers to trigger use of a zero
| length master key in certain OpenSSL-to-OpenSSL communications, and
| consequently hijack sessions or obtain sensitive information, via
| a crafted TLS handshake, aka the "CCS Injection" vulnerability.
|
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
| http://www.cvedetails.com/cve/2014-0224
|_ http://www.openssl.org/news/secadv_20140605.txt

Nmap done: 1 IP address (1 host up) scanned in 41.82 seconds
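As an added example (not part of the original walkthrough), here is a small parser that pulls the VULNERABLE results, their CVE ids and risk factors out of output like the scan above, so a scan can be triaged or diffed instead of read by eye. The sample text is a constructed, trimmed excerpt of that output, and the rule used to recognise script names is an assumption.

```python
import re

# Constructed excerpt of the `nmap --script vuln` output shown above, trimmed
# to the lines needed to exercise every branch of the parser.
SAMPLE_NMAP = """\
80/tcp open http
| http-enum:
|_ /dev/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)'
443/tcp open https
| ssl-poodle:
| State: VULNERABLE
| IDs: BID:70574 CVE:CVE-2014-3566
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| ssl-heartbleed:
| State: VULNERABLE
| Risk factor: High
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
"""

PORT_RE = re.compile(r"^(\d+/\w+)\s+open\b")
# Heuristic (assumption): NSE script names are lowercase and hyphenated ("ssl-poodle"), unlike "State:".
SCRIPT_RE = re.compile(r"^([a-z0-9]+(?:-[a-z0-9]+)+):(.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_nse_findings(text):
    """Return the script results whose State line says VULNERABLE, as dicts."""
    findings, port, cur = [], None, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port = m.group(1)
            continue
        body = line.lstrip("|_ ").strip()   # drop nmap's "| " / "|_ " tree prefix
        m = SCRIPT_RE.match(body)
        if m and port:
            # "name:" alone opens a multi-line block; "name: text" is a one-line result.
            cur = None if m.group(2).strip() else {"port": port, "script": m.group(1),
                                                    "state": "UNKNOWN", "risk": "n/a", "cves": []}
            if cur:
                findings.append(cur)
            continue
        if cur is None:
            continue
        if body.startswith("State:"):
            cur["state"] = body.split(":", 1)[1].strip()
        elif body.startswith("Risk factor:"):
            cur["risk"] = body.split(":", 1)[1].strip()
        cur["cves"] += [c for c in CVE_RE.findall(body) if c not in cur["cves"]]
    return [f for f in findings if f["state"] == "VULNERABLE"]
```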

Exploitation:

The results flag the Heartbleed vulnerability, so let’s go for it.

Copying the exploit to the working directory.

Run on the target.

By scrolling along the right-hand side of the output, you’ll come across the string “aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==”. It appears to be base64-encoded, so let’s attempt to decode it.

The decoded phrase “heartbleedbelievethehype” is noted for future use.

During the vulnerability scan using NSE scripts in nmap, two intriguing directories, “dev” and “index,” were discovered on port 80 of the target. Now, let’s examine the “dev” directory.

Let’s check the hype_key file.

Download the hexdump file above into the working directory.

Now we convert the hexdump file above to ASCII using the “xxd” tool.

Let’s try to decrypt it using openssl.

We are prompted for a password, so let’s try entering the passphrase we obtained using the Heartbleed exploit: “heartbleedbelievethehype.”
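The hexdump-to-key conversion and a check that the file really is a passphrase-encrypted PEM key, as an added example in Python rather than the xxd and openssl commands the walkthrough uses. The sample key header and its DEK-Info value are constructed, not the contents of hype_key.

```python
import re

# Constructed sample: the header of a passphrase-encrypted PEM key, written as
# the space-separated hex dump format of hype_key (key body truncated; the
# DEK-Info IV is a made-up value).
SAMPLE_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n"
    "AAAA\n"
    "-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_HEXDUMP = " ".join(f"{b:02x}" for b in SAMPLE_PEM.encode())

# xxd's default layout is "00000000: 2d2d 2d2d ...  ascii"; plain hex has no offset.
XXD_LINE = re.compile(r"^[0-9a-fA-F]{6,}:\s*((?:[0-9a-fA-F]{2}\s?)+)")

def hexdump_to_bytes(dump):
    """Reverse a hex dump: plain hex (what `xxd -r -p` reads) or xxd's offset layout."""
    out = bytearray()
    for line in dump.splitlines():
        m = XXD_LINE.match(line)
        hexpart = m.group(1) if m else line       # offset layout: keep only the hex column
        out += bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", hexpart))
    return bytes(out)

def describe_pem(pem_bytes):
    """Read the PEM header so you know what the file is before handing it to openssl."""
    text = pem_bytes.decode("ascii", errors="replace")
    m = re.search(r"-----BEGIN ([A-Z ]+)-----", text)
    if not m:
        return {"label": None, "encrypted": False, "cipher": None}
    dek = re.search(r"DEK-Info:\s*([A-Z0-9-]+),([0-9A-Fa-f]+)", text)
    return {"label": m.group(1),
            "encrypted": "Proc-Type: 4,ENCRYPTED" in text,   # openssl will prompt for a passphrase
            "cipher": dek.group(1) if dek else None}
```

Legacy “Proc-Type: 4,ENCRYPTED” keys derive the cipher key from the passphrase with a single MD5 pass, so a key left in a web-served directory is only as safe as its passphrase.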

Next, we’ll attempt SSH access to the target using the decrypted key file and the username “hype,” guessed from the name of the key file found in the target’s /dev directory.

Attempting to SSH with the key fails with the error “sign_and_send_pubkey: no mutual signature supported.”

This is caused by the outdated signature algorithm the server still relies on. The ssh-rsa signature algorithm (RSA with SHA-1) is being phased out because of SHA-1’s weaknesses, so recent operating systems and SSH clients reject it by default. If generating new SSH keys with the ECDSA or ED25519 algorithms is possible, that is the advised fix.

If that is not feasible, the workaround is to pass “-oPubkeyAcceptedAlgorithms=+ssh-rsa” to the ssh command (or add the equivalent line “PubkeyAcceptedAlgorithms +ssh-rsa” to the affected client’s config file) to re-enable ssh-rsa support.

Privilege Escalation:

Since the hype user has limited privileges, we need to escalate. Download linpeas.sh onto the target machine.

linpeas.sh flagged two privilege escalation methods:

The first method involves a kernel exploit.

The second method is attaching to the tmux session that runs as root.

We will proceed with the first method, since the kernel has been confirmed vulnerable to the DirtyCow exploit.

After reviewing multiple options, we will use 40839.c, which adds a root user to the passwd file, as Google suggests too.

Moving the exploit to the working directory and examining its contents.

HTTP server initiated.

The exploit was downloaded onto the target machine.

Compiling and running the exploit.

Switching to the newly added root user, “firefart.”

Cheers.


IT Specialist | Cyber Security Enthusiast | OSWP | eCPPT | CEH | CCNP Enterprise | CCNA | ITILv4