Hello friends! Today we are going to solve the CTF challenge “Valentine” which is a vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level; they have a very good collection of vulnerable labs as challenges from beginners to Expert level.

Difficulty Level: Medium

Task: find user.txt and root.txt file on victim’s machine.

Steps involved:

• Port scanning and services detection
• Web server directory enumeration
• Discovery of hex encoded ssh key
• Decoding key
• Finding Passphrase
• Capturing user flag
• Capturing root flag

This lab has a static IP and IP of 10.10.10.79. So let’s start the CTF challenge with port scanning.

nmap –A 10.10.10.79

From its scanning result we found port 22 and 80 are open for ssh and http services.

Let’s enumerate the web service running on port 80.  The below image could be a hint, there is a heart and blood. Does it mean heartbleed?  Could be!  Let’s enumerate further.

Let’s see what we can find by directory brute forcing:

dirb http://10.10.10.79

It put so many files but /dev looks more interesting so Lets browse http://10.10.10.73/dev.

Great we found some directories here. Let’s manually check these directories one by one. The directory “dev” seems very interesting, There are two files as shown in the below images.

Firstly I opened notes.txt file as shown in the below image, it seems there is some encoding and decoding is involved.

Then we opened another file hype_key and notice found encoded hex text, let’s convert it into plain text and see if it makes any sense.

With help of burp we try to decode above hex into plain text as shown in the image. So it’s a RSA private key, but it has space after each character, which needs to be fixed.

After removing space using sed command, we get our key as shown in the image below. Now all we need is a passphrase.

sed 's/ //g' key> sshkey
cat sshkey

Checking if the HTTPS web service is vulnerable to heartbleed with help of nmap script.

nmap –p 443 --script ssl-heartbleed 10.10.10.79

As expected the service is vulnerable to heartbleed, now let’s try to exploit it.

Searching heartbleed exploit using searchsploit, and luckily found a python exploit 32764.py in our local system.

searchsploit heartbleed

 So I copied the python exploit on the desktop and run against target’s IP for exploiting heartbleed.

python 32764.py 10.10.10.79

Wow! It worked perfectly as aspect.

As shown in the image above, there is a string. Let’s decode the string with the help of following command, it may give the passphrase for ssh login.

 echo aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg== | base64 –d

Now let’s try to login SSH using the key and passphrase and after making successful login we found user.txt file from inside /home/hype/Desktop

ssh –i key hype@10.10.10.79
cd /home
ls
cd hype
ls
cd Desktop
ls
cat user.txt

So we logged in successfully and captured the user flag. Here 1^st task is completed; let’s find out root.txt to finish the 2^nd task.

During further enumerating the history of commands on the system, we found some interesting commands

cat .bash_history
tmux –S /.devs/dev_sess

Hmm!!! We got the root as shown in last image.

Now let’s grab the root.txt file quickly and finish this task. On running the below command we got our Root flag.

cd /root
ls
cat root.txt

We finished both tasks successfully!!

Author: Vishva Vaghela is a Digital Forensics enthusiast and enjoys technical content writing. You can reach her on Here