Heartbleed came out not long after the time I began my journey into the security side of the house.  I recall a box that I believe was vulnerable to the the Heartbleed attack but I wasn't seasoned enough to know what to do with it. 

When I saw the name Valentine on this box, I knew it was a clue -- most of the names ARE clues but I didn't hone in on it until I saw the main page for the website.

Notice the similarity:

We kick off with an Nmap scan:

We see three ports open and I have an idea where this is headed but not exactly.  Looking at the web port with Nikto:

Nikto uncovers /dev and we take a look:

Two more nuggets.  First we check hype_key:

That looks like hex, let's decode it:

A private key and by the name, we assume the username is "hype" but when I attempt to use the key, I am prompted for a passphrase.  

Moving on, I check out the note:

We get some hints.  

Let's dig a little deeper with GoBuster:

More directories to explore:


I play around with this to see if I can inject something but no such luck.  I play a bit more with Burp:

Still nothing so I switch over to HeartBleed exploits:

Truncating the noise, we get to the end....

And we see that it's vulnerable but this script provides little value and I go hunting for another:

The first script appears to be just for detection but this one is actually showing us leaked memory data:

That looks like base64.  Let's decode:

After decoding, I think I have the passphrase, I put the key and the phrase together and I'm able to login.

Let's see what we're dealing with:

This smells like DirtyCow.  But first, let's get the user.txt file:

Going in for the kill:

After the fact, I looked around and I think I found the intended method for root but root is root so what can I say.  I also think the entry is really what makes this box fun.  The privilege escalation is just the way to wrap it up and call it done.