I have been slacking lately because of the holidays, and I have found it difficult to stick to my own schedule. However, here is my write up for Bandit level 16. If you haven’t had a chance to read my OverTheWire Bandit Write Up – Level 15, give it a quick read and then head back over here.
The objective of this level is to find an open port between 31000 and 32000 that accepts SSL. Once I have found the port I need to submit the password for the current level, and I should get back the password for the next one.
Let’s Start Hacking Then
Just the same as in all the previous levels I need to spin up a fresh terminal and open an SSH connection to the machine. I run the following and get started:
ssh bandit16@bandit.labs.overthewire.org -p 2220
I’m prompted for the password; entering the one I got from the last level, I’m in.
The first thing I need to do is scan the machine for open ports and find out what is running on them. I know from the level 16 requirements that the port is somewhere between 31000 and 32000. Looking at the nmap man page I found that I can specify a range of ports to scan, so I run the following command over the required range:
nmap -A -p 31000-32000 localhost
The command takes a while and then returns two ports, along with a fair amount of noise that can be ignored. (-A turns on OS detection, script scanning and traceroute on top of version detection; -sV alone is enough to put a service label on each port.) One port shows as unknown while the other shows ssl. Since I need to send the password to a port that accepts SSL, I now know which port to use.
PORT      STATE    SERVICE
31518/tcp filtered unknown
31790/tcp open     ssl/unknown
I now have all the information I need to retrieve the password. I can use the openssl command to send the password over SSL to the machine on port 31790 and get the password for the next level. The password is passed to echo as a plain quoted string; wrapped in backticks, as a blog often renders it, the shell would try to run it as a command and send an empty line instead. The -ign_eof option keeps the connection open after echo has finished so that the reply actually arrives. I run the following:
echo 'cluFn7wTiGryunymYOu4RcffSxQluehd' | openssl s_client -connect localhost:31790 -ign_eof
However, instead of being greeted with the password for the next level I get a message of Correct! followed by an RSA private key:
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
-----END RSA PRIVATE KEY-----
Back in a previous level I needed a private key to open an SSH connection to the system. Remembering this, I take a copy of the RSA private key above and exit my connection. I create a new file in my Documents folder named bandit17.key, paste in the key and save the file. One thing to check before using it: ssh refuses a private key that other users can read, so the file must be readable by me only (mode 600).
Using this private key I can connect to the system as the bandit17 user with the following command:
ssh bandit17@bandit.labs.overthewire.org -p 2220 -i bandit17.key
That worked without a problem. I can now read the password for the next level from the bandit password directory (/etc/bandit_pass).
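Putting the whole level together as one script, as an added example that is not part of the original write-up: it pulls the ssl ports out of nmap's grepable output, sends the current password to each over TLS, and saves a returned private key with the permissions ssh insists on. It assumes nmap was run with -sV and -oG (rather than the write-up's -A), uses openssl's -quiet (which implies -ign_eof) instead of bare -ign_eof, and the helper names (ssl_ports_from_nmap, probe_port, extract_private_key, save_key, find_key) are this example's own. The sample scan line and reply embedded at the bottom are constructed for an offline run, not real output from the bandit host.

```shell
#!/bin/bash
# Added example, not the write-up's own commands: do level 16 end to end.
# Scan the range, keep the ports nmap labels ssl, send the current password
# to each over TLS, and save a returned private key the way ssh needs it.
# Helper names (ssl_ports_from_nmap, probe_port, extract_private_key,
# save_key, find_key) are this example's own.
set -u

# Print the open ports whose service nmap tagged as ssl, reading nmap's
# grepable (-oG) output on stdin. Each Ports entry has the form
# port/state/proto/owner/service/rpc/version/ and filtered ports are skipped.
ssl_ports_from_nmap() {
  grep 'Ports:' |
    sed 's/.*Ports: //; s/[[:space:]]*Ignored.*//' |
    tr ',' '\n' |
    awk -F'/' '$2 == "open" && $5 ~ /^ssl/ { gsub(/ /, "", $1); print $1 }'
}

# Send one secret to HOST:PORT over TLS and print the reply. -quiet drops the
# certificate dump and implies -ign_eof, so stdin reaching EOF does not close
# the connection before the server has answered.
probe_port() {                  # probe_port HOST PORT SECRET
  printf '%s\n' "$3" | openssl s_client -connect "$1:$2" -quiet 2>/dev/null
}

# Keep only the PEM private key block from a reply on stdin (empty if none).
extract_private_key() {
  sed -n '/^-----BEGIN .*PRIVATE KEY-----/,/^-----END .*PRIVATE KEY-----/p'
}

# Write stdin to FILE with mode 0600. ssh -i rejects a key that is readable
# by group or others ("UNPROTECTED PRIVATE KEY FILE"), so set it at creation.
save_key() {                    # save_key FILE
  (umask 077 && cat > "$1") && chmod 600 "$1"
}

# Try every ssl port from the scan, stop at the first that answers Correct!,
# save its key to OUTFILE and print the port number. Fails if none accepts.
find_key() {                    # find_key HOST SECRET GNMAP_FILE OUTFILE
  local host=$1 secret=$2 gnmap=$3 out=$4 port reply
  for port in $(ssl_ports_from_nmap < "$gnmap"); do
    reply=$(probe_port "$host" "$port" "$secret")
    if printf '%s\n' "$reply" | grep -q '^Correct!'; then
      printf '%s\n' "$reply" | extract_private_key | save_key "$out"
      echo "$port"
      return 0
    fi
  done
  return 1
}

# Constructed sample inputs for an offline run; not real output from the
# bandit host. The key body below is placeholder text, not key material.
SAMPLE_GNMAP=$(printf 'Host: 127.0.0.1 (localhost)\tPorts: 31518/filtered/tcp//unknown///, 31790/open/tcp//ssl|unknown///\tIgnored State: closed (999)\n')
SAMPLE_REPLY='Correct!
-----BEGIN RSA PRIVATE KEY-----
Y29uc3RydWN0ZWQgc2FtcGxlIGxpbmUgMSwgbm90IGEgcmVhbCBrZXk=
Y29uc3RydWN0ZWQgc2FtcGxlIGxpbmUgMiwgbm90IGEgcmVhbCBrZXk=
-----END RSA PRIVATE KEY-----'

# Offline demonstration. The live run against the level would be:
#   nmap -sV -p 31000-32000 -oG scan.gnmap localhost
#   find_key localhost "$CURRENT_PASSWORD" scan.gnmap bandit17.key
#   ssh bandit17@bandit.labs.overthewire.org -p 2220 -i bandit17.key
printf '%s\n' "$SAMPLE_GNMAP" | ssl_ports_from_nmap          # 31790
printf '%s\n' "$SAMPLE_REPLY" | extract_private_key | wc -l  # 4
```

find_key stops at the first port that answers Correct!, so on a range with several TLS listeners it never keeps sending the password to ports that have already been ruled out, and the key lands on disk already locked to 0600 rather than being fixed up afterwards.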
…and Wham! Bam! Thank you ma’am! I have the password now for level 17.
Level 16 Complete
I have hidden the password here, if you are playing along don’t peek! Please! It’s more fun getting it yourself.