I have been slacking as of lately due to the holidays. And I have been finding it difficult to stay to my own schedule. However, here it is my write up for bandit level 16. If you haven’t had a chance to read my OverTheWire Bandit Write Up – Level 15 write up, give it a quick read then head back over here.
The objective of this level is to find an open port between
32000 that accepts SSL. Once the port has been found I need to submit the password for the current level. I should then be able to get the password for the next.
Let’s Start Hacking Then
Just the same as all the previous levels I need to spin up a fresh terminal and initiate a SSH connection to the machine. I run the following and get started:
ssh email@example.com -p 2220
I’m prompted for the password, and entering the one I got fr the last level and I’m in.
The first thing I need to do is to scan the machine for open ports and what’s running on the ports. I know from looking at the bandit level 16 requirements that the port is somewhere between
32000. Looking at the
nmap man page I have found that I can specify a range ports to scan, I run the following command to search through the required ports:
nmap -A -p 31000-32000 localhost
The command takes a while but then returns two ports alongside a bunch of error messages – which can be ignored. One of the ports is showing as unknown while the other is showing
ssl. Knowing that I need to send the password to a port that accepts SSL I now know which port I need to use.
PORT STATE SERVICE 31518/tcp filtered unknown 31790/tcp open ssl/unknown
I’m now in possession of all the information I need to retrieve the password. I can use the
openssl command to send the password over SSL to the machine on port
31790 to get the password for the next level. I run the following command;
echo `cluFn7wTiGryunymYOu4RcffSxQluehd` | openssl s_client -connect localhost:31790 -ign_eof
However, instead of being greeted with the password for the next I got a message of
Correct! and the following RSA Private key.
-----BEGIN RSA PRIVATE KEY----- MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama +TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT 8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM 77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3 vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY= -----END RSA PRIVATE KEY-----
Back in a previous level I need to use a private key to initiate a SSH connection to the system. Remembering this I take a copy of the above RSA Private key and
exit` my connection. I create a new file in my Documents and name it
bandit17.key I paste in the RSA contents and save the file.
Using this private key I can initiate a connection to the system as the bandit17 user using the following command;
ssh firstname.lastname@example.org -p 2220 -i bandit17.key
That worked without a problem. I can now get a copy of the password from the bandit password directory using the following.
…and Wham! Bam! Thank you ma’am! I have the password now for level 17.
Level 16 Complete
I have hidden the password here, if you are playing along don’t peek! Please! It’s more fun getting it yourself.
Level 17 password
Justin Byrne is a self motivated tech enthusiasts. Spending more than half his life dedicated to the tech industry. He built his first computer at the age of 11, and has been building ever since. His interests have changed across the years from system building to web programming and even a dab of software engineering, and just like his interests, his operating system has changed sometimes more then 4 times a year.