AIS Heartbleed Challenge Server

The server hosting this website has been specifically prepared to be vulnerable to the Heartbleed bug. Most public servers on the Internet have been patched against this vulnerability by now. Additionally, it would be a legal offence to attack some arbitrary server.

To demonstrate the effects and effectiveness of this bug, we installed this server and explicitly allow it to be exploited with the Heartbleed bug. This is safe because the server is isolated from our normal infrastructure, even though it might look as if it were integrated into our normal web presence. As long as you are accessing https://heartbleed.ais.uni-kassel.de, you are on the isolated bastion server. Additionally, there is no real information stored on it. For HTTPS we use a self-signed certificate, which we consider compromised as it is possible to extract it with the Heartbleed bug. All usernames and passwords used are fake and do not provide any real login.

In addition to letting you learn about the Heartbleed bug, we provide a challenge comprising three stages. All three stages can be solved by using the Heartbleed bug. When you solve a stage correctly, you will find a codeword, which you can use to solve the respective challenge on MysteryTwisterC3 (the challenges will soon be online there).

The technical details of our server are:

  • Host: heartbleed.ais.uni-kassel.de
  • IPv4: 141.51.125.19
  • Port: 443
  • Service: HTTPS
  • Webserver: nginx 1.2.1 with openssl-1.0.1f

You may now proceed to solve the AIS Heartbleed Challenge by clicking on Heartbleed Challenge in the left menu.