# Valentine

## Valentine - 10.10.10.79

### Target Enumeration:

OS: Linux

IP: 10.10.10.79

User: e6710a5464769fd5fcd216e076961750

Root: f1bb6d759df1f272914ebbc9ed7765b2

### Ports / Services / Software Versions Running

```
22/tcp    open  ssh       OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http      Apache httpd 2.2.22 ((Ubuntu))
443/tcp   open  ssl/http  Apache httpd 2.2.22 ((Ubuntu))
5353/udp  open  zeroconf
```

### Vulnerability Exploited:

Heartbleed information disclosure

### Privilege Escalation:

tmux session with root logged in, within the .dev folder

### Exploiting the host:

Nmap

<div align="left"><img src="https://lh4.googleusercontent.com/Sp2h9Qj7XcGPIhm7kBKLLf8kRlnto1Gt0VxJhnYhEAsyLzR7jshLlPdVSPvQPZ36mVzaA9M8qroJORbloJj9VzpCIu37M5JP2bK7rY3ygjL6WyJr1JoUq6Fqs1lpbfWMb_AifUeB" alt=""></div>

SSLScan gives us Heartbleed:

![](https://lh3.googleusercontent.com/oOrLuDNEPRVVb3jqC8LefszphvBLpaFWYjuxW77lN_KDbvrON5G9DXzpcQb_Qji01a4Slt3sXmqVblOcZV_bkwFlQOgvu0e9jrzKKdGiVoRUonZo7yhYTS2de-0f-jGGwezFzOgN)

Dirb gives us:

![](https://lh5.googleusercontent.com/eXnHC9eQ6J6veSLNdkQtx5wx8FNamKXpmQ3-EhvnLs-b10B7td256aD6n57S7pPHN8L2t2KW2Gpw5Ta6LOoNUXnZRd0x6MnHw8tN7SJkBbBk5YwJkRd_DEMXUY9P515S8O__6LAb)

The Metasploit key dump gives us a private key for the server. Not sure if this is useful, as it will not work as an SSH key.

<div align="left"><img src="https://lh3.googleusercontent.com/D6hN_fi9vUn0ZNAHDd2MMD89opfHUSD3O1tkw5EkyFAtwEIssWagf98y4-DtQYoS28DQLoHZddaABhBPLq4G3pdrWOYpgD_C0jUpNTmosKXXzkvq3KzUhSwybZpYCRAqsBy5X4j_" alt=""></div>

/dev/ gives us a hype key. It is in ASCII hex, so decode it with another tool, as that will not work.

![](https://lh4.googleusercontent.com/YlU4BA8iZFo53aISLxYo73xvcHp3GqyMJ_ogSpQk8MNAQJh0t8z2Z6wlSZKIJZ7Fwur8c6MTw02vzBGeMb5U1b6eopfb3nU598rraw7wfBNWy48R7256bNqToU5G8W3-s4_CFksK)

Convert it again online, as that output included line breaks and whitespace.

![](https://lh4.googleusercontent.com/q6qqvwDT-blJ4d_SFzGvwoKg6aRDrwS_sFkh_aR6yDkYNCxoVc990WUUS2cUb1EhxmrWM3gAe92ooa13qf6uolPHnB4qm5CzBW-Zb4_ylcWWb-aqLKw0SI55XVqWN92S4Iyd_ugL)

It looks useful but will not allow us to log in yet, as we do not know the key's password, so copy it to a text file and `chmod 400` the file.
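The hex decoding above can be done offline rather than in an online converter, and the decoded PEM header shows why the key cannot be used yet. This is an added example, not part of the original write-up: it assumes the decoded file is a PEM private key, the function names are hypothetical, and the PEM block and hex dump inside it are constructed placeholders rather than the key from this host.

```python
import re
import textwrap

# Constructed placeholder, NOT a real key: only the PEM framing matters here.
SAMPLE_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n"
    "Q09OU1RSVUNURUQ=\n"
    "-----END RSA PRIVATE KEY-----\n"
)
# Constructed hex dump of the placeholder: 16 space-separated bytes per line.
SAMPLE_HEX = textwrap.fill(" ".join(f"{b:02x}" for b in SAMPLE_PEM.encode()), 48)

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def decode_hex_dump(text: str) -> bytes:
    """Decode ASCII hex that may contain spaces and line breaks."""
    digits = re.sub(r"\s+", "", text)
    if not digits:
        raise ValueError("no hex digits found")
    if re.search(r"[^0-9a-fA-F]", digits):
        raise ValueError("input contains non-hex characters")
    if len(digits) % 2:
        raise ValueError("odd number of hex digits (truncated copy?)")
    return bytes.fromhex(digits)


def inspect_pem(data: bytes) -> dict:
    """Report the PEM label and whether the key is passphrase-protected."""
    m = PEM_RE.search(data.decode("ascii", errors="replace"))
    if m is None:
        raise ValueError("decoded data is not PEM")
    label, body = m.group(1), m.group(2)
    # Legacy OpenSSL PEM encryption is announced in RFC 1421 style headers.
    headers = dict(l.split(": ", 1) for l in body.splitlines() if ": " in l)
    encrypted = (headers.get("Proc-Type") == "4,ENCRYPTED"
                 or label == "ENCRYPTED PRIVATE KEY")
    cipher = headers.get("DEK-Info", "").split(",")[0] or None
    return {"label": label, "encrypted": encrypted, "cipher": cipher}


if __name__ == "__main__":
    print(inspect_pem(decode_hex_dump(SAMPLE_HEX)))
```

An `encrypted` value of `True` means the key file is protected by a passphrase, which is why it cannot be used for login on its own.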

Run the following Python script in a loop 100 times and manually review the results until you get the following string:

![](https://lh3.googleusercontent.com/v_KiNOMvxexdEbDtx_9-_2PjZ0uHVEbvv0XAg4QXdQjoL2FYAHqrLA385mgULaPIVw-83sCoA8nxui8Pfq_873WXKW_v3uiLd53tuinfqoZXhWRKafrNHBCPEYVBIAEyi_7t4yBd)

You are looking for this string:

![](https://lh6.googleusercontent.com/hRYRCRRU0Pnf_s9ttLwh_CpmYHqTmTqEQwqeJuaW3EMWX1TzrANb4Te_6fc6ahTAShXcmtTk8FxSp1BsHlOPqtJ86jADpsxu7JVpYegYPBwW3L3B_ByRhTsF3315PdIp247-KRUE)

Decode this base64 string to get:

![](https://lh6.googleusercontent.com/CjZrne1Xji2ffFftCh7_DkbQkls27iwAcuWxR0hI_srEcdVpGCm1swjHOZJ71nR0eIqAs4Wr7UDxNy6iH5IkNwn2x-4pxg_TchbmZLZQwZWjzO-9rhLsMu2z89TQF3i1_ZET6dbD)

This password is for the RSA key, but now we need a user.

Now try several usernames to log in with SSH: valentine, hype, heartbleed, etc.

Eventually you will find that hype is a valid user, and as hype you have low privileges.

![](https://lh6.googleusercontent.com/5fM7sanoeZZY8xuXWpBdFXsThRe8lRcIm21cvretdJclChqgGtjZ-4pKjx_j_VGviScZEEoyLM_bc96vi9l1ExWvE1-5Ivgqqk9MiphVz1JYcqTG2tktu93A8riZIObHGRGKxS-w)

Now enumerate the system.

Considering it has Heartbleed, it may be vulnerable to some older kernel exploits, but we will leave that until last. First we need to enumerate the whole system.

Download LinEnum and linuxprivchecker.py and run them. Once done, review the findings.

![](https://lh4.googleusercontent.com/HcorrGi3liPsUCOs54Co-wnSYwNYUcsnZrI6JVuhrQ7yebLy7PXwOz2ga5AtlqDNJq0bJNG2gNI44qwjGstdaroN5Hn3Lwcw0qIwfVSDNwkvgtLhOYf6x7FNxg45AF5iOGBaLRcb)

We found some old data in the current user's .bash_history file:

![](https://lh3.googleusercontent.com/NtJd4vNDG3HW_HtpQewvhbh_tIV5SqwDGbcPWJ3TCTgU1puWAeLtIKmuB9EN1e0cCf-9yA7dnTwyNg0PKf-_IMqNDOtwRtICGYzT_GI18QUlhVmiDCT_nvwGTqNMGOpIfE474xyN)

This opens a tmux session as root, so collect your flags.

![](https://lh6.googleusercontent.com/OU10lQYyhsvVBec_o-dc8ohrVjJoL0cyiAZ95W3LYIxGx-bk1SZ7WU7wC4lMfG-3BpvvMU5NSQhKqdfys7CV0Ls5d-aRlzU-AS9KM6dI0ktAHGRgcZaUIfek8T3_Z9zv8SZm_yBO)


