Post

Heartbleed

Heartbleed

Heartbleed

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-06-15 07:05 UTC
Nmap scan report for ip-10-82-120-36.eu-west-1.compute.internal (10.82.120.36)
Host is up (0.00012s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 5e:ca:ea:25:17:cc:a1:18:a1:e4:37:68:83:7d:ff:6b (RSA)
|   256 d4:bd:22:63:72:b1:a6:20:b6:c6:55:30:f2:3d:32:c5 (ECDSA)
|_  256 97:b7:4d:b6:3f:95:b5:dc:61:1d:81:54:a5:1e:3f:3f (ED25519)
111/tcp   open  rpcbind  2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          37981/tcp6  status
|   100024  1          40839/tcp   status
|   100024  1          43757/udp6  status
|_  100024  1          49129/udp   status
443/tcp   open  ssl/http nginx 1.15.7
| tls-nextprotoneg: 
|_  http/1.1
| ssl-cert: Subject: commonName=localhost/organizationName=TryHackMe/stateOrProvinceName=London/countryName=UK
| Not valid before: 2019-02-16T10:41:14
|_Not valid after:  2020-02-16T10:41:14
|_ssl-date: TLS randomness does not represent time
|_http-title: What are you looking for?
|_http-server-header: nginx/1.15.7
40839/tcp open  status   1 (RPC #100024)
MAC Address: 06:9E:50:3E:06:11 (Unknown)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.12 seconds

πŸ” Port Scanning

πŸ•΅οΈ The scan reveals port 443 is running OpenSSL. Let’s see if it is vulnerable to Heartbleed.

πŸ•΅οΈ Vulnerability Exploration

πŸ’» I researched the vulnerability and found an exploit. However, it was written for an older version of Python, so I updated it: https://raw.githubusercontent.com/adamalston/Heartbleed/refs/heads/master/attack.py

πŸ’‘ I added heartbleed.thm to my hosts file.

New Version - https://github.com/KaviruN/heartbleed-poc/blob/master/heartbleed-poc.py Pasted image 20260615131715.png

⚑ It returned a binary file, which I loaded into a hex editor to easily find the flag: Pasted image 20260615132111.png

This post is licensed under CC BY 4.0 by the author.