Hack the Box: Valentine Walkthrough
Hello friends! Today we are going to solve the CTF challenge “Valentine” which is a vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level; they have a very good collection of vulnerable labs as challenges from beginners to Expert level.
Difficulty Level: Medium
Task: find user.txt and root.txt file on victim’s machine.
Steps involved:
- Port scanning and services detection
- Web server directory enumeration
- Discovery of hex encoded ssh key
- Decoding key
- Finding Passphrase
- Capturing user flag
- Capturing root flag
This lab has a static IP and IP of 10.10.10.79. So let’s start the CTF challenge with port scanning.
nmap –A 10.10.10.79
From its scanning result we found port 22 and 80 are open for ssh and http services.
Let’s enumerate the web service running on port 80. The below image could be a hint, there is a heart and blood. Does it mean heartbleed? Could be! Let’s enumerate further.
Let’s see what we can find by directory brute forcing:
dirb http://10.10.10.79
It put so many files but /dev looks more interesting so Lets browse http://10.10.10.73/dev.
Great we found some directories here. Let’s manually check these directories one by one. The directory “dev” seems very interesting, There are two files as shown in the below images.
Firstly I opened notes.txt file as shown in the below image, it seems there is some encoding and decoding is involved.
Then we opened another file hype_key and notice found encoded hex text, let’s convert it into plain text and see if it makes any sense.
With help of burp we try to decode above hex into plain text as shown in the image. So it’s a RSA private key, but it has space after each character, which needs to be fixed.
After removing space using sed command, we get our key as shown in the image below. Now all we need is a passphrase.
sed 's/ //g' key> sshkey cat sshkey
Checking if the HTTPS web service is vulnerable to heartbleed with help of nmap script.
nmap –p 443 --script ssl-heartbleed 10.10.10.79
As expected the service is vulnerable to heartbleed, now let’s try to exploit it.
Searching heartbleed exploit using searchsploit, and luckily found a python exploit 32764.py in our local system.
searchsploit heartbleed
So I copied the python exploit on the desktop and run against target’s IP for exploiting heartbleed.
python 32764.py 10.10.10.79
Wow! It worked perfectly as aspect.
As shown in the image above, there is a string. Let’s decode the string with the help of following command, it may give the passphrase for ssh login.
echo aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg== | base64 –d
Now let’s try to login SSH using the key and passphrase and after making successful login we found user.txt file from inside /home/hype/Desktop
ssh –i key hype@10.10.10.79 cd /home ls cd hype ls cd Desktop ls cat user.txt
So we logged in successfully and captured the user flag. Here 1st task is completed; let’s find out root.txt to finish the 2nd task.
During further enumerating the history of commands on the system, we found some interesting commands
cat .bash_history tmux –S /.devs/dev_sess
Hmm!!! We got the root as shown in last image.
Now let’s grab the root.txt file quickly and finish this task. On running the below command we got our Root flag.
cd /root ls cat root.txt
We finished both tasks successfully!!
Author: Vishva Vaghela is a Digital Forensics enthusiast and enjoys technical content writing. You can reach her on Here