Hack The Box - Valentine

We are going to pwn Valentine from Hack The Box.

Link: https://www.hackthebox.eu/home/machines/profile/127

As always, we begin with our Nmap scan.

Nmap Scan Results

22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

22/tcp  open  ssh      OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 96:4c:51:42:3c:ba:22:49:20:4d:3e:ec:90:cc:fd:0e (DSA)
|   2048 46:bf:1f:cc:92:4f:1d:a0:42:b3:d2:16:a8:58:31:33 (RSA)
|_  256 e6:2b:25:19:cb:7e:54:cb:0a:b9:ac:16:98:c6:7d:a9 (ECDSA)
80/tcp  open  http     Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open  ssl/http Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
| Not valid before: 2018-02-06T00:45:25
|_Not valid after:  2019-02-06T00:45:25
|_ssl-date: 2019-12-07T15:32:32+00:00; +19s from scanner time.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.0 (95%), Linux 2.6.32 - 3.5 (95%), Nokia N9 phone (Linux 2.6.32) (95%), Linux 2.6.38 - 3.0 (94%), Linux 3.2 (94%), Linux 2.6.38 - 2.6.39 (94%), Linux 2.6.39 (94%), Linux 3.5 (93%), Linux 2.6.32 - 3.10 (93%), Linux 2.6.32 - 3.9 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Start with the webpage, as always.

The image on the page is the Heartbleed logo, so the box may be vulnerable to Heartbleed.

Gobuster Results

Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
[+] Url:  
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
2019/12/07 19:25:22 Starting gobuster
/index (Status: 200)
/dev (Status: 301)
/encode (Status: 200)
/decode (Status: 200)
/omg (Status: 200)
/server-status (Status: 403)
2019/12/07 21:11:06 Finished

To learn what Heartbleed is, this will be very helpful:


To confirm it, we can use an Nmap script.

Yes, it is confirmed, so I searched for exploits.

This one might work.


When the script runs, it grabs some of the server's memory for us.

While it was running in the background, I looked at the directories. There is /decode.php

and /encode.php.

I tried some commands to get anything useful, but none worked!

The script found a base64 string; let's decode it. For that I used /decode.php.

It may be a password for something.

Getting User Shell

While checking the other directories, I found hype_key in /dev.

It is in hex, so we can decode it and see what we get.

xxd - make a hexdump or do the reverse.

-r  reverse operation: convert (or patch) hexdump into binary
-p  output in plain (postscript continuous) hexdump style

We got an SSH private key.

We can try logging in as hype with it, since the file was named hype_key.

It's asking for a passphrase; maybe it's the one we got from the Heartbleed exploit.


We are successfully logged in as hype.
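As an added example (not part of the original writeup), here is a small Python equivalent of the xxd -p / xxd -r -p round trip used above, plus a check that tells you before running ssh whether the decoded key will ask for a passphrase. The sample key text is constructed filler, not the hype_key from the box.

```python
import binascii
import re

# Constructed sample, not the real hype_key: a traditional PEM RSA key with a
# passphrase. The Proc-Type/DEK-Info headers are what ssh and openssl use to
# signal that the key blob is encrypted; the body here is filler, not a key.
SAMPLE_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n"
    "\n"
    "bm90IGEgcmVhbCBrZXkgYm9keQ==\n"
    "-----END RSA PRIVATE KEY-----\n"
)

def to_plain_hexdump(data: bytes, width: int = 60) -> str:
    """Like `xxd -p`: continuous hex, 30 bytes (60 hex digits) per line."""
    hexstr = binascii.hexlify(data).decode("ascii")
    lines = [hexstr[i:i + width] for i in range(0, len(hexstr), width)]
    return "\n".join(lines) + "\n"

def reverse_plain_hexdump(text: str) -> bytes:
    """Like `xxd -r -p`: ignore whitespace/newlines and decode the hex pairs.
    An odd digit count means the dump was truncated; unhexlify raises on it."""
    return binascii.unhexlify(re.sub(r"\s+", "", text))

PEM_HEADER = re.compile(rb"-----BEGIN ([A-Z ]*?)PRIVATE KEY-----")

def classify_private_key(data: bytes) -> dict:
    """Say whether the decoded bytes are a PEM private key, which flavour, and
    whether a passphrase will be needed. Encryption is detected from the
    traditional PEM headers and the PKCS#8 'ENCRYPTED PRIVATE KEY' label only;
    OpenSSH-format keys record their cipher inside the base64 blob instead."""
    m = PEM_HEADER.search(data)
    if m is None:
        return {"is_private_key": False}
    label = m.group(1).decode("ascii").strip()
    encrypted = (
        label == "ENCRYPTED"
        or b"Proc-Type: 4,ENCRYPTED" in data
        or b"DEK-Info:" in data
    )
    return {"is_private_key": True, "kind": label or "PKCS#8", "encrypted": encrypted}

if __name__ == "__main__":
    dump = to_plain_hexdump(SAMPLE_PEM.encode())   # what hype_key looked like
    key = reverse_plain_hexdump(dump)               # what xxd -r -p gave us
    print(classify_private_key(key))
```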

Privilege Escalation

Checking the kernel version, it looks like an old one.

Yes it is; we can use Dirty COW for privilege escalation.


I uploaded the script to the machine and ran it following the given instructions.

Yes, it worked: it created a new user with root privileges.