Bandit 15

Bandit 15

Level Goal

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…

Commands you may need to solve this level

ssh, telnet, nc, openssl, s_client, nmap

Helpful Reading Material




Last time on bandit! : BfMYroe26WYalil77FoDi9qh59eK5xNr

So our next thing, we need to read two things, it's pretty obviously hinting that we should use ssl, and by luck! We've got a command called "openssl" lets look at that first, which I found here. So first of all the synopsis:

openssl command [ command_opts ] [ command_args ]
openssl [ list-standard-commands | list-message-digest-commands | list-cipher-commands | list-cipher-algorithms | list-message-digest-algorithms | list-public-key-algorithms]
openssl no-XXX [ arbitrary options ]

 Whats that thing here? "...[ list-standard-commands | li..." A list of standard commands sounds interesting. Scrolling down I see another thing

STANDARD COMMANDS

asn1parse
Par...
...
...
...

s_client
This implements a generic SSL/TLS client which can establish a transparent connection to a remote server speaking SSL/TLS. It's intended for testing purposes only and provides only rudimentary interface functionality but internally uses mostly all functionality of the OpenSSL ssl library.
 "s_client" is a command that gets used with "openssl" We're piecing this together, lets man s_client and see it's page:

SYNOPSIS

openssl s_client [-connect host:port]...

Good find! We now know how to use openssl and s_client lets try it 


bandit15@bandit:~$ openssl s_client -connect localhost:30001
CONNECTED(00000003)
depth=0 CN = a9678380ab81
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = a9678380ab81
verify return:1
---
Certificate chain
 0 s:/CN=a9678380ab81
   i:/CN=a9678380ab81
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICvjCCAaagAwIBAgIJAO6iKan6EbNwMA0GCSqGSIb3DQEBCwUAMBcxFTATBgNV
BAMTDGE5Njc4MzgwYWI4MTAeFw0xNzA2MTUxMTI3MjVaFw0yNzA2MTMxMTI3MjVa
MBcxFTATBgNVBAMTDGE5Njc4MzgwYWI4MTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBALOcuRCY9evp5X6Ooe8oyq4qRECAXplyMejybRRPNnRAz+wwRMJs
y/hoHUZVRCVmww95xPdwl1pCiHBGoApvDGMacYS4SH58/76WGfOxBzTat+hdPIzq
H4FZMWbH/H3MzAWvEUmz8uQDlettwIGro7yYT3c1oZ3BBDWTj93769mJ/+FxaVGa
DiwX0l5XGB2qNoDBYwXaIhDa85nu5Sgs+nOYz++3ISafVr0V7XnheS5l0TCqDQRp
HBNwF0V3GFC9RawTIrboe4LJ6ZLDa41jCTUpq1S6Zmwedeqp63D+dnRtGst/l/7g
iVcoeYZmts2LjKc/5FlL4h3vr3O+oiAzFdcCAwEAAaMNMAswCQYDVR0TBAIwADAN
BgkqhkiG9w0BAQsFAAOCAQEAHEh77j3hSkLXLLQ40hvF7HMP5gFl9oj1q45cQblb
zm4nMbmDOeiRclzeZ5JDnfr7W6PXnBfwLR5svhIc9CEtUDc0clJToK0iF8TT8ucy
ZB6F28/PAvTwvpAzIgLj9JnsJU8kJvJA6WCKTz7QJxXVGNT8qbk5DQw1THm0Ed38
U6o3hbqgvP7p5mK5F+m6yuo7oBlsVPu/c4YZJkMbbvf/IxQSD/j8ZPFGYVBdwRIf
FGLZsRlt9CgC/FjYc19XBTe75nqjkxNeuD+6sP7MCn+Pp5j6h6ULthDJaD8dhvDu
IF0zPWm885s6xG6xt74lFp2GOFJyayP0AlRu7iA1uUoS7g==
-----END CERTIFICATE-----
subject=/CN=a9678380ab81
issuer=/CN=a9678380ab81
---
No client certificate CA names sent
---
SSL handshake has read 1682 bytes and written 637 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: D0443E7CC334115F74370CF2A6394D810002650097782A9704577CEE41033CC3
    Session-ID-ctx: 
    Master-Key: 31499BD7446954F5CB85A8FB0BC900EA00543CDF4391842E70A23EE8C1B76D03F5703624303A0500660A10F87EE67B4C
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1503535318
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
BfMYroe26WYalil77FoDi9qh59eK5xNr
HEARTBEATING
read R BLOCK
read:errno=0
bandit15@bandit:~$

Wait something is wrong? Try again with the -ign_eof per our instructions



bandit15@bandit:~$ openssl s_client -connect localhost:30001 -ign_eof
CONNECTED(00000003)
depth=0 CN = a9678380ab81
verify error:nu...
...
...
...
    Start Time: 1503535511
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
BfMYroe26WYalil77FoDi9qh59eK5xNr
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd

read:errno=0
bandit15@bandit:~$
Okay so it worked, but why?
-ign_eof
inhibit shutting down the connection when end of file is reached in the input
-quiet
inhibit printing of session and certificate information. This implicitly turns on -ign_eof as well.
So we use -ign_eof to maintain our connection when the server is done reading the file for that session? I can't say for sure, also I found this -quiet thing, from the looks of it we could have used the -quiet switch to complete this as well.

Glowfish Contrast

Comments

Post a Comment

Popular posts from this blog

Thoughts on ISSA talk on using AI to automate security

Recently I attended the ISSA presentation in MN, the description of it: The Power and Potential of Robotic Process Automation. And the Security Risks. Please join us on March 22 nd  as we explore the powerful and emerging Robotic Process Automation technology in regards to what IT security professionals need to know about RPA platforms . Robotic process automation (RPA) is a powerful and emerging technology that streamlines and standardizes many human user processes as well as harmonizes different systems across an organization’s environment. So what do IT security professionals need to know about RPA platforms? Very simply, it is a new attack vector and organizations need to start to understand their risk. Because RPA software interacts directly with business applications and mimics the way applications use and mirror human credentials and entitlements, this can introduce risks when the software robots automate and perform routine business processes across multiple
Read more

Bandit 12

Bandit 12 bandit12@bandit:~$ ls data.txt bandit12@bandit:~$ mkdir data bandit12@bandit:~$ cp data.txt ./data bandit12@bandit:~$ cd data bandit12@bandit:~/data$ ls data.txt bandit12@bandit:~/data$ file data.txt data.txt: ASCII text 0000000: 1f8b 0808 4572 4259 0203 6461 7461 322e ....ErBY..data2. 0000010: 6269 6e00 0143 02bc fd42 5a68 3931 4159 bin..C...BZh91AY 0000020: 2653 59a3 fd61 8800 0019 ffff dffb 1ff5 &SY..a.......... 0000030: f7d7 dfdb fe4f ffb3 b5f7 ffdf b2d8 fefb .....O.......... 0000040: e7dd fffa fefd 7f7b d1fb fe3f b001 3b56 .......{...?..;V 0000050: a106 81a0 1a00 07a8 0068 01a1 a69a 0000 .........h...... 0000060: d1a0 d034 6868 34f5 0641 a000 000d 000f ...4hh4..A...... 0000070: 5064 00d0 321a 69e9 0323 1a27 a883 4003 Pd..2.i..#.'..@. 0000080: 41a0 01ea 0000 0003 4000 0068 7a4f 4800 A.......@..hzOH. 0000090: 0c8c 803d 41a0 64d1 a3d4 d1a3 6a68 01a0 ...=A.d.....jh.. 00000a0: 34da 8340 003d 4347 a83a 69a6 8699 0034 4..@.=CG.:i....4 00000b0: 3203 4610 3
Read more

Bandit level 14

Bandit 14 Level Goal The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost . Commands you may need to solve this level ssh, telnet, nc, openssl, s_client, nmap Helpful Reading Material How the Internet works in 5 minutes (YouTube) (Not completely accurate, but good enough for beginners) IP Addresses IP Address on Wikipedia Localhost on Wikipedia Ports Port (computer networking) on Wikipedia Okay so I know telnet doesn't have authentication. I know I'm probably using that so I check the man page. Synopsis telnet [ -8EFKLacdfrx ] [ -X authtype ] [ -b hostalias ] [ -e escapechar ] [ -k realm ] [ -l user ] [ -n tracefile ] [ host [ port ]] Okay so the command will be "telnet localhost 30000", remember those instructions from the previous level on where that password was? Neither do , lets read it again! "The pa
Read more