Writeups
THM LoveNote
nmap -sV -sC -v 10.66.146.120
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 8a:f0:8a:39:96:e5:bb:93:60:02:2c:c6:86:bb:7e:a0 (ECDSA)
|_ 256 34:df:d4:bf:6f:26:04:5a:ac:b0:c2:51:54:f5:d0:55 (ED25519)
5000/tcp open http Werkzeug httpd 2.0.2 (Python 3.10.12)
http-methods:
|_ Supported Methods: GET OPTIONS HEAD
|_http-title: LoveNote - Secure Valentine’s Day Messaging
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We find a webpage that seems to use RSA-2048 with pub keys and priv keys
We make an account and receive our key pair.
Heres our public key:
-----BEGIN PUBLIC KEY-----
MFswDQYJKoZIhvcNAQEBBQADSgAwRwJANG6s913F/7fE3IJP1yCZLi4KE6Is1fjo
rJ32CfcBO6daC+7R19xZ4OyXVF5AcqxY6aGD7b0AlpZUGlD5Q3u7swIDAQAB
-----END PUBLIC KEY-----
Our private key:
-----BEGIN PRIVATE KEY-----
MIIBUgIBADANBgkqhkiG9w0BAQEFAASCATwwggE4AgEAAkA0bqz3XcX/t8Tcgk/X
IJkuLgoToizV+OisnfYJ9wE7p1oL7tHX3Fng7JdUXkByrFjpoYPtvQCWllQaUPlD
e7uzAgMBAAECQDBaJC4WjyJsQSItFh3IlRqOIILMmtZULZYKMbwsyjlNGgIuME8m
jGg8p0Q/pK3Uyx+h541Fsu+xMNQ49ibTdwkCIGK2VsHw7y9PaxFVT6kY2uX0XXX9
Wuscta45szQYoWINAiEAh/pQyLJRdaYtLX9x6KAsTaJuG1pjOgeOermz5pbA5L8C
IDBm5h2MzUtubrp+EWSB6nvNGbLMOzODzVYTtto5pZBVAiEAgz0oPRxGHOvfTLtl
oGT/fYqZBNNvU7G5ZV/Yb2TvFZcCICREksSfQ85QjQsktB6eGpweB2VH4fYqoYmO
T+59jOkt
-----END PRIVATE KEY-----
We find /debug
[2026-02-06 14:23:15] Development mode: ENABLED
[2026-02-06 14:23:15] Using deterministic key generation
[2026-02-06 14:23:15] Seed pattern: {username}_lovenote_2026_valentine
[DEBUG] Seed converted to bytes for cryptographic processing
[DEBUG] Seed hashed using SHA256 to produce large numeric material
[DEBUG] Prime derivation step 1:
[DEBUG] Converting SHA256(seed) into a large integer
[DEBUG] Checking consecutive integers until a valid prime is reached
[DEBUG] Prime p selected
[DEBUG] Prime derivation step 2:
[DEBUG] Modifying seed with PKI-related constant (SHA256(seed + b"pki"))
[DEBUG] Hashing modified seed with SHA256
[DEBUG] Converting hash into a large integer
[DEBUG] Checking consecutive integers until a valid prime is reached
[DEBUG] Prime q selected
[2026-02-06 14:23:16] RSA modulus generated from p × q
[2026-02-06 14:23:16] RSA-2048 key pair successfully constructed
[2026-02-06 14:23:17] Public and private keys saved to disk
We are informed that the keys used for auth are generated deterministically
We can recreate the key with this information. I tried to generated a python script with a coding AI but it failed.
Ended up finding this script : https://gist.github.com/2h3ph3rd/547d03abb1b842a8a615dd1e70031422
It worked gave us a signature and a message to enter.
Root flag
THM{PR3D1CT4BL3_S33D5_BR34K_H34RT5}
___
Notes:
Normally Public/Private key cryptography use a non-determistic method of generating the keys, this helps secure the key by increasing entropy and removing reproducibility. In this case we have all the information needed to reproduce the key pair needed to fully compromise the machine.