Level Goal
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
Solution
Password: cluFn7wTiGryunymYOu4RcffSxQluehd
```
$ ssh [email protected] -p 2220
```
Okey dokey. So now we have to find active ports in the range 31000 to 32000. I know what you’re thinking: how the hell do we do that?
Simples. nmap with a port range.
```
[email protected]:~$ nmap localhost -p 31000-32000

Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-16 05:56 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00028s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 996 closed ports
PORT      STATE SERVICE
31046/tcp open  unknown
31518/tcp open  unknown
31691/tcp open  unknown
31790/tcp open  unknown
31960/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds
```
So now we have five ports, one of which should hand out the password. Next we need to know which of them speak SSL. nmap can tell us that too: -A turns on service and version detection, which tries a TLS handshake on each port and labels the services it finds.
```
[email protected]:~$ nmap -A localhost -p 31046,31518,31691,31790,31960

Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-16 05:58 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00032s latency).
Other addresses for localhost (not scanned): ::1
PORT      STATE SERVICE     VERSION
31046/tcp open  echo
31518/tcp open  ssl/echo
| ssl-cert: Subject: commonName=bandit
| Not valid before: 2017-12-28T13:23:40
|_Not valid after:  2027-12-26T13:23:40
|_ssl-date: TLS randomness does not represent time
31691/tcp open  echo
31790/tcp open  ssl/unknown
| ssl-cert: Subject: commonName=bandit
| Not valid before: 2017-12-28T13:23:40
|_Not valid after:  2027-12-26T13:23:40
|_ssl-date: TLS randomness does not represent time
31960/tcp open  echo
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port31790-TCP:V=7.01%T=SSL%I=7%D=2/16%Time=5A866516%P=x86_64-pc-linux-g
SF:nu%r(GenericLines,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20cu
SF:rrent\x20password\n")%r(GetRequest,31,"Wrong!\x20Please\x20enter\x20the
SF:\x20correct\x20current\x20password\n")%r(HTTPOptions,31,"Wrong!\x20Plea
SF:se\x20enter\x20the\x20correct\x20current\x20password\n")%r(RTSPRequest,
SF:31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20current\x20password\
SF:n")%r(Help,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20current\x
SF:20password\n")%r(SSLSessionReq,31,"Wrong!\x20Please\x20enter\x20the\x20
SF:correct\x20current\x20password\n")%r(TLSSessionReq,31,"Wrong!\x20Please
SF:\x20enter\x20the\x20correct\x20current\x20password\n")%r(Kerberos,31,"W
SF:rong!\x20Please\x20enter\x20the\x20correct\x20current\x20password\n")%r
SF:(FourOhFourRequest,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20c
SF:urrent\x20password\n")%r(LPDString,31,"Wrong!\x20Please\x20enter\x20the
SF:\x20correct\x20current\x20password\n")%r(SIPOptions,31,"Wrong!\x20Pleas
SF:e\x20enter\x20the\x20correct\x20current\x20password\n");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 94.41 seconds
```
So only ports 31518 and 31790 are running SSL. The level goal told us that all but one port will simply echo your input back, and nmap already labels 31518 as ssl/echo. 31790 is the odd one out: it is ssl/unknown, and the fingerprint shows it answered every probe with "Wrong! Please enter the correct current password" rather than echoing, so it is the one that actually checks what you send. Let’s try that one with openssl s_client. Remember to use -ign_eof so the connection stays open after stdin hits EOF and the reply actually arrives, and -quiet to suppress the certificate and session dump.
```
[email protected]:~$ openssl s_client -connect localhost:31790 -ign_eof -quiet
depth=0 CN = bandit
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = bandit
verify return:1
cluFn7wTiGryunymYOu4RcffSxQluehd
Correct!
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
-----END RSA PRIVATE KEY-----
```
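The two sorting steps above (which listeners speak TLS, and which one answers instead of echoing) as a small Python script. This is an added example, not code from the write-up: SAMPLE_SCAN is constructed from the nmap -A port lines shown earlier, the function names are mine, and only probe() needs a live server.

```python
import re
import socket
import ssl

# Constructed sample: the open-port lines from the nmap -A scan above.
SAMPLE_SCAN = """PORT      STATE SERVICE     VERSION
31046/tcp open  echo
31518/tcp open  ssl/echo
31691/tcp open  echo
31790/tcp open  ssl/unknown
31960/tcp open  echo
"""
PORT_LINE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)", re.M)


def parse_open_ports(nmap_output):
    """Map port -> {'tls': bool, 'service': str} from nmap's normal output."""
    return {int(p): {"tls": s.startswith("ssl/"), "service": s}
            for p, s in PORT_LINE.findall(nmap_output)}


def candidate_ports(nmap_output):
    """TLS listeners nmap did not already label as echo: the ones worth probing."""
    ports = parse_open_ports(nmap_output).items()
    return sorted(p for p, i in ports if i["tls"] and i["service"] != "ssl/echo")


def classify_reply(sent, received):
    """An echo server returns exactly what it was sent; anything else is a candidate."""
    if not received:
        return "silent"
    return "echo" if received.strip() == sent.strip() else "candidate"


def probe(host, port, payload, use_tls, timeout=3.0):
    """Send payload over plain TCP or TLS to a live server and classify its reply."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:  # the level's cert is self-signed (CN=bandit), so skip verification like s_client
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    chunks = []
    with sock:
        sock.sendall(payload)
        try:
            while data := sock.recv(4096):
                chunks.append(data)
        except socket.timeout:  # echo servers keep the connection open; the timeout ends the read
            pass
    return classify_reply(payload, b"".join(chunks))
```

On the scan above candidate_ports() narrows the five listeners to 31790 before a single byte is sent.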
Uuuuuuuuuurgh, another private key. Use your favourite text editor to save it to a file called sshkey.private. The name doesn’t matter; it’s more for consistency.
Woo.