Bandit 16

Level Goal

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

Commands you may need to solve this level

ssh, telnet, nc, openssl, s_client, nmap

Helpful Reading Material



Okay, so per our instructions it seems we need to use a port scanner here. I used nmap last time and am fairly familiar with it:

bandit16@bandit:~$ nmap -sV -p 31000-32000 localhost

Starting Nmap 6.40 ( http://nmap.org ) at 2017-08-27 20:04 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00063s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 996 closed ports
PORT      STATE SERVICE VERSION
31046/tcp open  echo
31518/tcp open  msdtc   Microsoft Distributed Transaction Coordinator (error)
31691/tcp open  echo
31790/tcp open  msdtc   Microsoft Distributed Transaction Coordinator (error)
31960/tcp open  echo
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.29 seconds
bandit16@bandit:~$ 

This is nice: it tells me that ports 31518 and 31790 are both pretty interesting. Ignore the "msdtc" and "OS: Windows" guesses; bandit is a Linux box and that is a misidentification. What actually stands out is that version detection failed ("error") on exactly those two ports, while the other three identified cleanly as plain echo services. That is what you expect when a port only speaks TLS and nmap's plaintext probes get nothing useful back, and nmap can confirm it directly with "nmap -sV --script ssl-cert -p 31518,31790 localhost", which prints the server certificate when TLS is in use.

A note on what nmap did here. When run as root, nmap defaults to a half-open (SYN) scan: it sends a TCP SYN, the first packet of the three-way handshake, to each port and watches the reply. A SYN/ACK is the second step of the handshake and means something is listening, so nmap marks the port open and sends a RST to tear the half-open connection down rather than completing the handshake. A RST reply means nothing is listening and the port is closed. No reply at all (or an ICMP unreachable) is reported as filtered: something between us and the target, a firewall, an IPS, a router, or the host's own packet filter, dropped either our SYN or the answer. One caveat for this level: we are an unprivileged user on bandit, so nmap cannot send raw packets and silently falls back to a TCP connect scan (-sT), which completes the full handshake through the connect() system call. The open/closed/filtered interpretation is the same; it is just slower and every probe shows up as a complete connection in the target's logs.

As nice as this output is, I want to solve it in a new way and challenge myself a little, so I'm going to use netcat (nc). Finding a solution was difficult.

bandit16@bandit:~$nc -z localhost 31000-32000 

Which didn't work; this command brought up nothing.

So I tried this:

bandit16@bandit:~$nc -vz localhost 31000-32000 | 2> /dev/null

Netcat is finicky; this resulted in everything showing. It was the exact same result as the first command, as if I had run it without the "| 2> /dev/null". After a couple more tries and variations and some reading, I tried this:

bandit16@bandit:~$nc -vz localhost 31000-32000 | grep -o 'succeeded!'

I thought this would work for sure, but grep for some reason could not filter the result. I tried more variations with different switches and commands outside the scope of our list, like "cut" and "awk"; all failed. I still don't know if I made a mistake. Finally I went to the internet and checked other people's answers. Nothing; apparently no one used netcat to scan ports on level 16.

I was determined to use netcat and learn something new. After a lot of searching, reading man pages and so on, I found something relevant and changed it a little to work. Here:


for i in {31000..32000}; do
   netcat -vz localhost $i 2>/dev/null && {
      echo port $i open;
      echo "cluFn7wTiGryunymYOu4RcffSxQluehd" | \
      timeout 2 openssl s_client -connect localhost:$i -ign_eof ;
   };
done

We create a for loop that runs "netcat -vz localhost" against every port in the range (the port number is stored in the variable i) and discards netcat's chatter with 2>/dev/null. The -v output goes to stderr, not stdout, which is why it is stderr that has to be redirected to silence it (and why piping it into grep earlier matched nothing). The && means the braced block only runs when netcat exits 0, i.e. when the port is open. For each open port we pipe the current level's password into openssl s_client, which opens a TLS connection to localhost:$i and sends whatever it reads on stdin. The -ign_eof flag stops s_client from hanging up as soon as stdin hits end-of-file, so we actually get to read the server's reply, and timeout 2 kills s_client after two seconds in case the server never closes the connection (the echo servers don't).


I checked a couple of resources trying to find the best explanation for "$", because in context it confused me. It's a special character in bash, so I was unsure how it worked in this. I found my answer here



bandit16@bandit:~$ for i in {31000..32000}; do    netcat -zv localhost $i 2>/dev/null && {       echo port $i open;       echo "cluFn7wTiGryunymYOu4RcffSxQluehd" |       timeout 2 openssl s_client -connect localhost:$i -ign_eof ;    }; done
port 31046 open
CONNECTED(00000003)
140737354053280:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:795:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 295 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
port 31518 open
CONNECTED(00000003)
depth=0 CN = a9678380ab81
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = a9678380ab81
verify return:1
---
Certificate chain
 0 s:/CN=a9678380ab81
   i:/CN=a9678380ab81
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/CN=a9678380ab81
issuer=/CN=a9678380ab81
---
No client certificate CA names sent
---
SSL handshake has read 1682 bytes and written 637 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 7E09DF5A6C86A0685A84F955D5A152FE1B23696B09A1F925577F4BC0687BA050
    Session-ID-ctx: 
    Master-Key: F97D14AB14EA7FDFDA4C0A11021A10E94C4ECC196F2B16CAECC00203750977B620AFCBEF31FD877E67FABEE9307156F4
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1503870942
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
cluFn7wTiGryunymYOu4RcffSxQluehd
port 31691 open
CONNECTED(00000003)
140737354053280:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:795:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 295 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
port 31790 open
CONNECTED(00000003)
depth=0 CN = a9678380ab81
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = a9678380ab81
verify return:1
---
Certificate chain
 0 s:/CN=a9678380ab81
   i:/CN=a9678380ab81
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICvjCCAaagAwIBAgIJAO6iKan6EbNwMA0GCSqGSIb3DQEBCwUAMBcxFTATBgNV
BAMTDGE5Njc4MzgwYWI4MTAeFw0xNzA2MTUxMTI3MjVaFw0yNzA2MTMxMTI3MjVa
MBcxFTATBgNVBAMTDGE5Njc4MzgwYWI4MTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBALOcuRCY9evp5X6Ooe8oyq4qRECAXplyMejybRRPNnRAz+wwRMJs
y/hoHUZVRCVmww95xPdwl1pCiHBGoApvDGMacYS4SH58/76WGfOxBzTat+hdPIzq
H4FZMWbH/H3MzAWvEUmz8uQDlettwIGro7yYT3c1oZ3BBDWTj93769mJ/+FxaVGa
DiwX0l5XGB2qNoDBYwXaIhDa85nu5Sgs+nOYz++3ISafVr0V7XnheS5l0TCqDQRp
HBNwF0V3GFC9RawTIrboe4LJ6ZLDa41jCTUpq1S6Zmwedeqp63D+dnRtGst/l/7g
iVcoeYZmts2LjKc/5FlL4h3vr3O+oiAzFdcCAwEAAaMNMAswCQYDVR0TBAIwADAN
BgkqhkiG9w0BAQsFAAOCAQEAHEh77j3hSkLXLLQ40hvF7HMP5gFl9oj1q45cQblb
zm4nMbmDOeiRclzeZ5JDnfr7W6PXnBfwLR5svhIc9CEtUDc0clJToK0iF8TT8ucy
ZB6F28/PAvTwvpAzIgLj9JnsJU8kJvJA6WCKTz7QJxXVGNT8qbk5DQw1THm0Ed38
U6o3hbqgvP7p5mK5F+m6yuo7oBlsVPu/c4YZJkMbbvf/IxQSD/j8ZPFGYVBdwRIf
FGLZsRlt9CgC/FjYc19XBTe75nqjkxNeuD+6sP7MCn+Pp5j6h6ULthDJaD8dhvDu
IF0zPWm885s6xG6xt74lFp2GOFJyayP0AlRu7iA1uUoS7g==
-----END CERTIFICATE-----
subject=/CN=a9678380ab81
issuer=/CN=a9678380ab81
---
No client certificate CA names sent
---
SSL handshake has read 1682 bytes and written 637 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: CF7DD1648E1144235113C5233D86EB2793488BF7ED93D5D6DF1B076305ED373F
    Session-ID-ctx: 
    Master-Key: 120336A91C1E2EF3D04C7250F50FAFBF0E6A53A7CC8D773F96A29F897F667743C59C3FEABBF930D36022E354B1FE2E62
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1503870945
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
Correct!
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----

read:errno=0
port 31960 open
CONNECTED(00000003)
140737354053280:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:795:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 295 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
bandit16@bandit:~$ 

So the loop sends the password over TLS to every open port, and you scroll back through the terminal buffer to find the answer. Reading the output above, the three kinds of server are easy to tell apart. Ports 31046, 31691 and 31960 fail with "unknown protocol" after reading only 7 bytes: they are plain echo servers, and what s_client got back was the start of its own ClientHello reflected at it, which is not a TLS ServerHello. Port 31518 completes a TLS handshake (self-signed certificate, CN a9678380ab81) but then just echoes our password back; you can see it printed right after the session block. Port 31790 is the one that answers "Correct!" and returns an RSA private key, which is what we use to log in to the next level. Copy and paste the key into a file. Looking back, we could have pulled only the key out of the output, but not with cut: cut works on fields within a single line, and a PEM key spans many lines, so extracting it needs a line-range tool such as sed or awk matching from the BEGIN line to the END line.


bandit16@bandit:~$ 
bandit16@bandit:~$ vi key    
bandit16@bandit:~$ ls
key
bandit16@bandit:~$ ssh -i key bandit17@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is ee:4c:8c:e7:57:2c:bc:63:24:b8:e6:23:27:63:72:9f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
 _                     _ _ _   
| |__   __ _ _ __   __| (_) |_ 
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_ 
|_.__/ \__,_|_| |_|\__,_|_|\__|
                               
a http://www.overthewire.org wargame.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0664 for 'key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: key
bandit17@localhost's password: 

One snag visible above: ssh refused the key because vi created the file with mode 0664, readable by the group and by everyone else, and then fell back to asking for a password we don't have. A private key file must be readable only by its owner, so tighten it to 0600 (chmod 600 on the key file) and run the same ssh command again; this time it authenticates with the key. Now we're on level 17!
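Putting the whole level into one script, as an added example that is not the original post's loop: it scans the range with nc using nc's exit status rather than its -v chatter (which goes to stderr, which is why the "| grep 'succeeded!'" attempt above matched nothing), probes each open port with openssl s_client, classifies the reply as a plaintext echo, a TLS echo, or the key-returning server, pulls just the PEM block out with a sed line range (cut can't, since the key spans lines), and writes it with 0600 permissions so ssh accepts it instead of printing the UNPROTECTED PRIVATE KEY FILE warning shown above. It assumes the OpenBSD-style nc, openssl s_client and coreutils timeout present on the bandit host. The HOST, START, END, KEYFILE and RUN_SCAN names are my own, and the three SAMPLE_* transcripts are constructed from the output on this page with a placeholder key body, so the classifier can be tried without the bandit host.

```shell
#!/bin/sh
# Added example for this walkthrough (not the original post's loop): scan the
# range with nc, probe each open port with openssl s_client, classify the reply
# and save a returned private key with permissions ssh will accept.
# Assumes the OpenBSD-style nc (-z, -w), openssl s_client (-ign_eof) and
# coreutils timeout found on the bandit host. HOST/START/END/KEYFILE/RUN_SCAN
# are illustrative names chosen here, not part of the level.

HOST="${HOST:-localhost}"
START="${START:-31000}"
END="${END:-32000}"
PASSWORD="${PASSWORD:-cluFn7wTiGryunymYOu4RcffSxQluehd}"   # bandit16 password from the post
KEYFILE="${KEYFILE:-bandit17.key}"

# nc -v reports on stderr, which is why "nc -vz ... | grep" in the post matched
# nothing. We do not need the text at all: nc exits 0 when the port is open.
port_open() {
    nc -z -w 1 "$1" "$2" >/dev/null 2>&1
}

# Print every open TCP port in [$2, $3] on host $1, one per line.
scan_range() {
    p=$2
    while [ "$p" -le "$3" ]; do
        if port_open "$1" "$p"; then printf '%s\n' "$p"; fi
        p=$((p + 1))
    done
}

# Send $3 over TLS to $1:$2 and print everything s_client said (stdout+stderr).
# -ign_eof keeps the connection open after stdin closes so the reply is read;
# timeout kills s_client if the server never hangs up (the echo servers don't).
tls_probe() {
    printf '%s\n' "$3" | timeout 3 openssl s_client -connect "$1:$2" -ign_eof 2>&1
}

# Classify an s_client transcript ($1) given the password we sent ($2):
#   plain    - no TLS handshake: a plaintext echo server reflected our ClientHello
#   tls-key  - TLS worked and the server returned a PEM private key
#   tls-echo - TLS worked but the server only echoed the password back
#   unknown  - anything else
classify_response() {
    if printf '%s\n' "$1" | grep -q -e 'unknown protocol' -e 'wrong version number'; then
        echo plain
    elif printf '%s\n' "$1" | grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----'; then
        echo tls-key
    elif printf '%s\n' "$1" | grep -qF -e "$2"; then
        echo tls-echo
    else
        echo unknown
    fi
}

# Print only the PEM private key block from a transcript. cut cannot do this
# because the key spans lines; a sed address range from BEGIN to END can.
extract_private_key() {
    printf '%s\n' "$1" | sed -n '/^-----BEGIN [A-Z ]*PRIVATE KEY-----$/,/^-----END [A-Z ]*PRIVATE KEY-----$/p'
}

# Write key $1 to file $2 readable only by us, so ssh does not reject it with
# "UNPROTECTED PRIVATE KEY FILE" as it did for the 0664 file in the post.
save_key() {
    [ -n "$1" ] || return 1
    ( umask 077 && printf '%s\n' "$1" > "$2" ) && chmod 600 "$2"
}

main() {
    for port in $(scan_range "$HOST" "$START" "$END"); do
        transcript=$(tls_probe "$HOST" "$port" "$PASSWORD") || true   # timeout exits 124; keep going
        kind=$(classify_response "$transcript" "$PASSWORD")
        printf 'port %s: %s\n' "$port" "$kind"
        if [ "$kind" = tls-key ]; then
            save_key "$(extract_private_key "$transcript")" "$KEYFILE" &&
                printf 'key saved to %s; next: ssh -i %s bandit17@localhost\n' "$KEYFILE" "$KEYFILE"
        fi
    done
}

# Constructed sample transcripts, trimmed from the s_client output in the post,
# so the classifier can be exercised without the bandit host. The key body is a
# placeholder, not real key material.
SAMPLE_PLAIN='CONNECTED(00000003)
140737354053280:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:795:
---
no peer certificate available'
SAMPLE_ECHO='CONNECTED(00000003)
depth=0 CN = a9678380ab81
    Verify return code: 18 (self signed certificate)
---
cluFn7wTiGryunymYOu4RcffSxQluehd'
SAMPLE_KEY='CONNECTED(00000003)
depth=0 CN = a9678380ab81
---
Correct!
-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDERKEYLINE1
PLACEHOLDERKEYLINE2
-----END RSA PRIVATE KEY-----

read:errno=0'

if [ "${RUN_SCAN:-0}" = 1 ]; then
    main    # RUN_SCAN=1 sh bandit16.sh on the bandit host does the real scan
else
    printf 'sample plain -> %s\n' "$(classify_response "$SAMPLE_PLAIN" "$PASSWORD")"
    printf 'sample echo  -> %s\n' "$(classify_response "$SAMPLE_ECHO" "$PASSWORD")"
    printf 'sample key   -> %s\n' "$(classify_response "$SAMPLE_KEY" "$PASSWORD")"
fi
```

Run it with RUN_SCAN=1 as bandit16 to do the real scan; without RUN_SCAN it only classifies the three built-in samples. The classifier keys on the three signatures visible in the output above: "unknown protocol" from s_client when its ClientHello comes straight back, the password reflected after a successful handshake, and a PEM block after "Correct!". Testing the order of those checks matters: the key transcript never contains the password, and the echo transcript never contains a PEM block, so checking for the key before the echo avoids misfiling the real server.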
