Valentine Walkthrough
For all CTF players! Today we have a machine from HackTheBox, a CTF-style challenge where you get RCE :) "Valentine". Let's take a look at the machine's info


Okay, good, it's easy, but it has good ideas whether you play CTF or not. Let's get started...
Nmap scan
In this step we will scan the machine's IP for open ports and the services running on those ports:
nmap -sS -sV -T4 -oG val.gnmap 10.10.10.79
As you can see, we also generate a gnmap file so we can try to brute-force the credentials if a service allows it.

As you can see here, ssh is open, so its credentials are available to brute-force; http/https are open too, but there's nothing important on them, so let's work on ssh.
I've used Metasploit modules, nmap scripts and the brutespray tool to try brute-forcing the credentials, but it failed, so we cannot brute force. Let's try to open 10.10.10.79:80 and scan it.
Web Enumeration
At first, after opening the website, we found this image

No keywords, no CMS name, nothing that leads us to exploitation, even in the source code, so let's scan it with nikto:
nikto -h 10.10.10.79

As you can see, the /dev directory is available, and there is information disclosure about PHP and the server through these parameters, but it's not important for us. Let's discover /dev.

Here we have hype_key, and it seems that hype is the name of the user, and notes.txt. Let's discover them.


For hype_key we have a hex-encoded key, and notes.txt asks hype to decode it, so let's do that with any online decoder, and you will get this RSA key
But unfortunately, it's an encrypted private key; we need the password that decrypts it, and then we can use this key to log in to ssh.
As CTF players know, there are hints you can't predict: from the image above we can guess there's something related to Heartbleed, and after searching for these keywords we get more than one exploit for the vulnerability

We will use the first one; it's easy, just download, compile and run it.

From the results you will get this text; it's base64 encoded, so we will use any decoder to decode it

Okay, good. I think it's the password that we will need, so let's decrypt the RSA key.
To decrypt the private RSA key, you can use openssl as follows (it prompts for the pass phrase):
openssl rsa -in <encoded_file_name> -out <decoded_file_name>

It worked, and now we have priv_decoded_key.txt, which is the key that we will use
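As an added example (my own code, not the author's and not anything from the box), here is a stdlib-only Python script that does the checks behind the two steps above: hex-decoding the key back to PEM, reading the legacy Proc-Type/DEK-Info headers to confirm it really is pass-phrase encrypted and with which cipher, and showing how openssl turns that pass phrase into the cipher key (EVP_BytesToKey with MD5). The PEM, IV and ciphertext body are constructed placeholders.

```python
import base64
import hashlib
import re

# Constructed sample (NOT the key served by the box): a hex-encoded legacy
# OpenSSL encrypted PEM with a fake IV and a fake 32-byte ciphertext body.
_FAKE_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,000102030405060708090A0B0C0D0E0F\n\n"
    + base64.b64encode(b"A" * 32).decode() + "\n-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_HEX = _FAKE_PEM.encode().hex()

# cipher name in DEK-Info -> (IV length, key length) in bytes
CIPHERS = {"AES-128-CBC": (16, 16), "AES-256-CBC": (16, 32), "DES-EDE3-CBC": (8, 24)}


def hex_to_pem(hex_text: str) -> str:
    """Turn the hex blob (as found in /dev/hype_key) back into PEM text."""
    return bytes.fromhex("".join(hex_text.split())).decode()


def parse_encrypted_pem(pem: str) -> dict:
    """Read the legacy Proc-Type/DEK-Info headers and sanity-check the body."""
    m = re.search(r"-----BEGIN ([^\n]+?)-----\n(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label, inner = m.group(1), m.group(2)
    if "Proc-Type: 4,ENCRYPTED" not in inner:
        return {"label": label, "encrypted": False}
    headers, _, body = inner.partition("\n\n")  # blank line ends the headers
    hdrs = dict(h.split(": ", 1) for h in headers.splitlines() if ": " in h)
    cipher, iv_hex = hdrs["DEK-Info"].split(",", 1)
    iv = bytes.fromhex(iv_hex)
    if len(iv) != CIPHERS[cipher][0]:
        raise ValueError(f"IV must be {CIPHERS[cipher][0]} bytes for {cipher}")
    ciphertext = base64.b64decode("".join(body.split()), validate=True)
    if len(ciphertext) % (16 if cipher.startswith("AES") else 8):
        raise ValueError("ciphertext is not block aligned")
    return {"label": label, "encrypted": True, "cipher": cipher,
            "iv": iv, "ciphertext": ciphertext}


def legacy_pem_key(passphrase: bytes, iv: bytes, key_len: int) -> bytes:
    """EVP_BytesToKey (MD5, one round, salt = first 8 IV bytes): how the pass phrase becomes the key."""
    key, prev = b"", b""
    while len(key) < key_len:
        prev = hashlib.md5(prev + passphrase + iv[:8]).digest()
        key += prev
    return key[:key_len]
```

Feed hex_to_pem the raw text of the downloaded file and, if the returned dict says encrypted, the cipher and IV tell you what openssl will need the pass phrase for.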

Okay, that's good. Let's try to log in to ssh.
To log in to ssh from the terminal, you have 2 ways:
ssh username@<server_ip> (and it will ask you for the password)
ssh -i rsa_key username@<server_ip>
We will use the 2nd method because we don't have the password

That's nice, we're logged in as the hype user, but I think it has low privileges, so get the user flag easily and let's try to get more privileges.
If you type ls -la you will find .bash_history, and from this file you can see the bash commands the user typed, so let's take a look at it


Here the user has used tmux to manage sessions; to know more about tmux, see this resource.
It's used to open more than one session in a single terminal screen. So he used cd /.devs and then created one, dev_sess, so let's use it and see its role and privileges by typing cd /.devs followed by tmux -S dev_sess, and you will get the open session for the dev team

Okay, that's good, and you have the root flag now ❤
Congrats and thank you ❤