HackTheBox - Valentine

    Heartbleed came out not long after I began my journey into the security side of the house.  I recall a box that I believe was vulnerable to the Heartbleed attack, but I wasn't seasoned enough to know what to do with it.

    When I saw the name Valentine on this box, I knew it was a clue -- most of the names ARE clues -- but I didn't home in on it until I saw the main page for the website.

    Notice the similarity:

    We kick off with an Nmap scan:

    We see three ports open, and I have an idea where this is headed, but not exactly where.  Looking at the web port with Nikto:

    Nikto uncovers /dev and we take a look:

    Two more nuggets.  First we check hype_key:

    That looks like hex, let's decode it:

    A private key, and from the name we assume the username is "hype", but when I attempt to use the key, I am prompted for a passphrase.

    Moving on, I check out the note:

    We get some hints.

    Let's dig a little deeper with GoBuster:

    More directories to explore:

    I play around with this to see if I can inject something but no such luck.  I play a bit more with Burp:

    Still nothing, so I switch over to Heartbleed exploits:

    Truncating the noise, we get to the end...

    And we see that it's vulnerable, but this script provides little value, so I go hunting for another:

    The first script appears to be just for detection, but this one actually shows us leaked memory data:

    That looks like base64.  Let's decode:

    After decoding, I think I have the passphrase.  I put the key and the phrase together and I'm able to log in.
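As an added example (not part of the original post, and not the box's real files), here is a small Python triage helper for the two decoding steps above, the hex-encoded hype_key and the base64 string pulled out of leaked memory. It tells hex from base64, decodes the blob, and reports whether the result is a PEM private key and whether that key is passphrase-protected, which is the check that explains the passphrase prompt. The same test is what you would run over an exposed-secret finding to decide whether a leaked key is usable as-is. The hex blob and base64 token below are constructed stand-ins, not the real key or memory contents.

```python
import base64
import re
import string

# Constructed sample: a hex-encoded PEM stub laid out like an OpenSSL
# passphrase-protected RSA key. Not the box's real hype_key.
SAMPLE_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n"
    "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n"
    "-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_HEX = SAMPLE_PEM.encode().hex()

# Constructed sample: a base64 token of the kind seen in leaked memory.
SAMPLE_B64_TOKEN = base64.b64encode(b"not-the-real-passphrase").decode()

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def detect_encoding(text):
    """Classify a blob as 'hex', 'base64' or None. Whitespace is ignored.
    Hex is tested first; a base64 string made only of 0-9a-f is ambiguous
    and will be reported as hex."""
    compact = "".join(text.split())
    if compact and HEX_RE.match(compact) and len(compact) % 2 == 0:
        return "hex"
    if compact and B64_RE.match(compact) and len(compact) % 4 == 0:
        return "base64"
    return None


def decode_blob(text):
    """Return (encoding, decoded_bytes); (None, None) if unrecognised."""
    kind = detect_encoding(text)
    compact = "".join(text.split())
    if kind == "hex":
        return kind, bytes.fromhex(compact)
    if kind == "base64":
        return kind, base64.b64decode(compact, validate=True)
    return None, None


def inspect_pem(data):
    """Report whether decoded bytes hold a PEM private key and whether it is
    passphrase-protected (legacy 'Proc-Type: 4,ENCRYPTED' header or a
    PKCS#8 'ENCRYPTED PRIVATE KEY' block)."""
    text = data.decode("utf-8", errors="replace")
    m = re.search(r"-----BEGIN ([A-Z ]+)-----", text)
    if not m:
        return {"is_pem": False, "kind": None, "encrypted": None}
    kind = m.group(1)
    encrypted = "ENCRYPTED" in kind or "Proc-Type: 4,ENCRYPTED" in text
    return {"is_pem": True, "kind": kind, "encrypted": encrypted}


def looks_like_text(data, threshold=0.9):
    """True if at least `threshold` of the bytes are printable ASCII, a
    quick sanity check that a base64 decode produced something readable."""
    if not data:
        return False
    printable = sum(chr(b) in string.printable for b in data)
    return printable / len(data) >= threshold


if __name__ == "__main__":
    for label, blob in (("hype_key (sample)", SAMPLE_HEX),
                        ("memory token (sample)", SAMPLE_B64_TOKEN)):
        kind, data = decode_blob(blob)
        print(label, "->", kind, inspect_pem(data),
              "text" if looks_like_text(data) else "binary")
```

Run it directly to see both samples classified; the decoded PEM reports `encrypted: True`, which is exactly the case where the key alone is not enough and a passphrase has to come from somewhere else.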

    Let's see what we're dealing with:

    This smells like Dirty COW.  But first, let's get the user.txt file:

    Going in for the kill:

    After the fact, I looked around and I think I found the intended method for root, but root is root, so what can I say.  I also think the entry is really what makes this box fun.  The privilege escalation is just the way to wrap it up and call it done.

    © 2020 sevenlayers.com