Heartbleed
Heartbleed
Heartbleed
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-06-15 07:05 UTC
Nmap scan report for ip-10-82-120-36.eu-west-1.compute.internal (10.82.120.36)
Host is up (0.00012s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 5e:ca:ea:25:17:cc:a1:18:a1:e4:37:68:83:7d:ff:6b (RSA)
| 256 d4:bd:22:63:72:b1:a6:20:b6:c6:55:30:f2:3d:32:c5 (ECDSA)
|_ 256 97:b7:4d:b6:3f:95:b5:dc:61:1d:81:54:a5:1e:3f:3f (ED25519)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 37981/tcp6 status
| 100024 1 40839/tcp status
| 100024 1 43757/udp6 status
|_ 100024 1 49129/udp status
443/tcp open ssl/http nginx 1.15.7
| tls-nextprotoneg:
|_ http/1.1
| ssl-cert: Subject: commonName=localhost/organizationName=TryHackMe/stateOrProvinceName=London/countryName=UK
| Not valid before: 2019-02-16T10:41:14
|_Not valid after: 2020-02-16T10:41:14
|_ssl-date: TLS randomness does not represent time
|_http-title: What are you looking for?
|_http-server-header: nginx/1.15.7
40839/tcp open status 1 (RPC #100024)
MAC Address: 06:9E:50:3E:06:11 (Unknown)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.12 seconds
π Port Scanning
π΅οΈ The scan reveals port 443 is running OpenSSL. Letβs see if it is vulnerable to Heartbleed.
π΅οΈ Vulnerability Exploration
π» I researched the vulnerability and found an exploit. However, it was written for an older version of Python, so I updated it: https://raw.githubusercontent.com/adamalston/Heartbleed/refs/heads/master/attack.py
π‘ I added heartbleed.thm to my hosts file.
New Version - https://github.com/KaviruN/heartbleed-poc/blob/master/heartbleed-poc.py 
β‘ It returned a binary file, which I loaded into a hex editor to easily find the flag: 
This post is licensed under CC BY 4.0 by the author.