~/ Home Projects Tools Link
Writeups
hackthebox/
  • 2million
  • Facts
  • Checkpoint
  • Enigma
  • Nimbus
  • Reactor
  • tryhackme/
  • Wonderland
  • Highschool
  • Ignite
  • JokerCTF
  • Lazy Admin
  • Lightroom
  • Lookup
  • Love Connect
  • Love note
  • Pyrat
  • Startup
  • Tryheartme
  • Valenfind
  • Valley
  • When hearts collide
  • Writeups

    THM LoveNote


    nmap -sV -sC -v 10.66.146.120

    PORT STATE SERVICE VERSION
    22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    | 256 8a:f0:8a:39:96:e5:bb:93:60:02:2c:c6:86:bb:7e:a0 (ECDSA)
    |_ 256 34:df:d4:bf:6f:26:04:5a:ac:b0:c2:51:54:f5:d0:55 (ED25519)
    5000/tcp open http Werkzeug httpd 2.0.2 (Python 3.10.12)

    http-methods:

    |_ Supported Methods: GET OPTIONS HEAD

    |_http-title: LoveNote - Secure Valentine’s Day Messaging

    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    We find a webpage that seems to use RSA-2048 with pub keys and priv keys

    We make an account and receive our key pair.

    Heres our public key:

    -----BEGIN PUBLIC KEY-----
    MFswDQYJKoZIhvcNAQEBBQADSgAwRwJANG6s913F/7fE3IJP1yCZLi4KE6Is1fjo
    rJ32CfcBO6daC+7R19xZ4OyXVF5AcqxY6aGD7b0AlpZUGlD5Q3u7swIDAQAB
    -----END PUBLIC KEY-----

    Our private key:

    -----BEGIN PRIVATE KEY-----
    MIIBUgIBADANBgkqhkiG9w0BAQEFAASCATwwggE4AgEAAkA0bqz3XcX/t8Tcgk/X
    IJkuLgoToizV+OisnfYJ9wE7p1oL7tHX3Fng7JdUXkByrFjpoYPtvQCWllQaUPlD
    e7uzAgMBAAECQDBaJC4WjyJsQSItFh3IlRqOIILMmtZULZYKMbwsyjlNGgIuME8m
    jGg8p0Q/pK3Uyx+h541Fsu+xMNQ49ibTdwkCIGK2VsHw7y9PaxFVT6kY2uX0XXX9
    Wuscta45szQYoWINAiEAh/pQyLJRdaYtLX9x6KAsTaJuG1pjOgeOermz5pbA5L8C
    IDBm5h2MzUtubrp+EWSB6nvNGbLMOzODzVYTtto5pZBVAiEAgz0oPRxGHOvfTLtl
    oGT/fYqZBNNvU7G5ZV/Yb2TvFZcCICREksSfQ85QjQsktB6eGpweB2VH4fYqoYmO
    T+59jOkt
    -----END PRIVATE KEY-----

    We find /debug

    [2026-02-06 14:23:15] Development mode: ENABLED
    
    [2026-02-06 14:23:15] Using deterministic key generation
    [2026-02-06 14:23:15] Seed pattern: {username}_lovenote_2026_valentine
    
    [DEBUG] Seed converted to bytes for cryptographic processing
    [DEBUG] Seed hashed using SHA256 to produce large numeric material
    
    [DEBUG] Prime derivation step 1:
    [DEBUG] Converting SHA256(seed) into a large integer
    [DEBUG] Checking consecutive integers until a valid prime is reached
    [DEBUG] Prime p selected
    
    [DEBUG] Prime derivation step 2:
    [DEBUG] Modifying seed with PKI-related constant (SHA256(seed + b"pki"))
    [DEBUG] Hashing modified seed with SHA256
    [DEBUG] Converting hash into a large integer
    [DEBUG] Checking consecutive integers until a valid prime is reached
    [DEBUG] Prime q selected
    
    [2026-02-06 14:23:16] RSA modulus generated from p × q
    [2026-02-06 14:23:16] RSA-2048 key pair successfully constructed
    [2026-02-06 14:23:17] Public and private keys saved to disk

    We are informed that the keys used for auth are generated deterministically

    We can recreate the key with this information. I tried to generated a python script with a coding AI but it failed.

    Ended up finding this script : https://gist.github.com/2h3ph3rd/547d03abb1b842a8a615dd1e70031422

    It worked gave us a signature and a message to enter.

    Root flag

    THM{PR3D1CT4BL3_S33D5_BR34K_H34RT5}
    ___

    Notes:

    Normally Public/Private key cryptography use a non-determistic method of generating the keys, this helps secure the key by increasing entropy and removing reproducibility. In this case we have all the information needed to reproduce the key pair needed to fully compromise the machine.


    Tools: