What is it? @.@

Here is the place where I record some tactics about wargame, systems, and other security issues.

2014-01-23

OverTheWire - Bandit - Level 16 to Level 18

Description:

[Level 16]

Level Goal
The password for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don't. There is only 1 server that will give the next password, the others will simply send back to you whatever you send to it.
Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap
Helpful Reading Material
Port scanner on Wikipedia
[Level 17]

Level Goal
There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new
Commands you may need to solve this level
cat, grep, ls
Solution:
  1. [Comment] Using SSH to connect the server
  2. sp@simple-plan:~|=> ssh bandit16@bandit.labs.overthewire.org
    ...
    bandit16@bandit.labs.overthewire.org's password: cluFn7wTiGryunymYOu4RcffSxQluehd
  3. [Comment] Using nmap to do port scanning
  4. bandit16@melinda:~$ nmap -sT localhost -p31000-32000

    Starting Nmap 5.21 ( http://nmap.org ) at 2014-01-22 09:25 UTC
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.0013s latency).
    Not shown: 996 closed ports
    PORT      STATE SERVICE
    31046/tcp open  unknown
    31518/tcp open  unknown
    31691/tcp open  unknown
    31790/tcp open  unknown
    31960/tcp open  unknown
  5. [Comment] Testing open ports with netcat to filter the targets
  6. bandit16@melinda:~$ echo test | nc -v localhost 31046
    Connection to localhost 31046 port [tcp/*] succeeded!
    test
  7. bandit16@melinda:~$ echo test | nc -v localhost 31518
    Connection to localhost 31518 port [tcp/*] succeeded!
    ERROR
    140737354069664:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:348:
  8. bandit16@melinda:~$ echo test | nc -v localhost 31691
    Connection to localhost 31691 port [tcp/*] succeeded!
    test
  9. bandit16@melinda:~$ echo test | nc -v localhost 31790
    Connection to localhost 31790 port [tcp/*] succeeded!
    ERROR
    140737354069664:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:348:
  10. bandit16@melinda:~$ echo test | nc -v localhost 31960
    Connection to localhost 31960 port [tcp/*] succeeded!
    test
  11. [Comment] Now, we can focus on port 31518 and 31790.
  12. [Comment] Using openssl with s_client option to establish the communication
  13. bandit16@melinda:~$ echo cluFn7wTiGryunymYOu4RcffSxQluehd | openssl s_client -quiet -connect localhost:31518
    depth=0 CN = localhost
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 CN = localhost
    verify return:1
    cluFn7wTiGryunymYOu4RcffSxQluehd
    ^C
  14. [Comment] There is no response from the service listening on port 31518.
  15. [Comment] Let's try another one!
  16. bandit16@melinda:~$ echo cluFn7wTiGryunymYOu4RcffSxQluehd | openssl s_client -quiet -connect localhost:31790
    depth=0 CN = localhost
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 CN = localhost
    verify return:1
    Correct!
    -----BEGIN RSA PRIVATE KEY-----
    MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
    imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
    Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
    DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
    JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
    x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
    KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
    J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
    d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
    YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
    vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
    +TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
    8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
    SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
    HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
    SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
    R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
    Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
    R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
    L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
    blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
    YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
    77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
    dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
    vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
    -----END RSA PRIVATE KEY-----

    read:errno=0
  17. [Comment] We got a private key from the service for next level.
  18. [Comment] Save the private key in a temporary directory and use it to login the server.
  19. bandit16@melinda:~$ mkdir -p /tmp/key/
  20. bandit16@melinda:~$ cd /tmp/key/
  21. bandit16@melinda:/tmp/key$ touch sshkey.private
  22. bandit16@melinda:/tmp/key$ vim sshkey.private
    -----BEGIN RSA PRIVATE KEY-----
    MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
    imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
    Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
    DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
    JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
    x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
    KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
    J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
    d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
    YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
    vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
    +TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
    8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
    SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
    HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
    SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
    R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
    Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
    R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
    L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
    blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
    YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
    77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
    dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
    vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
    -----END RSA PRIVATE KEY-----
  23. [Comment] Using SSH with -i option and the private key to connect the server without password
  24. bandit16@melinda:/tmp/key$ ssh -i ./sshkey.private bandit17@localhost
    ...
    Are you sure you want to continue connecting (yes/no)? yes
  25. [Comment] Now, we are in level 17!
  26. [Comment] Using ls command to list directory contents
  27. bandit17@melinda:~$ ls
    passwords.new  passwords.old
  28. [Comment] Using diff command to compare files line by line
  29. bandit17@melinda:~$ diff passwords.new passwords.old
    42c42
    < kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
    ---
    > PRjrhDcANrVM6em57fPnFp4Tcq8gvwzK
  30. [Comment] Using exit command to disconnect connection to server
  31. bandit17@melinda:~$ exit
    logout
    Connection to localhost closed.
  32. bandit16@melinda:/tmp/key$ exit
    logout
    Connection to bandit.labs.overthewire.org closed.
  33. [Comment] It's done! Saving the password for next level.
Reference:
sshhttp://linuxcommand.org/man_pages/ssh1.html
lshttp://linuxcommand.org/man_pages/ls1.html
cathttp://linuxcommand.org/man_pages/cat1.html
exithttp://linuxcommand.org/man_pages/exit1.html
cdhttp://linuxcommand.org/lc3_man_pages/cdh.html
findhttp://linuxcommand.org/man_pages/find1.html
grephttp://linuxcommand.org/lc3_man_pages/grep1.html
sorthttp://linuxcommand.org/lc3_man_pages/sort1.html
uniqhttp://linuxcommand.org/man_pages/uniq1.html
stringshttp://linuxcommand.org/man_pages/strings1.html
base64http://linux.die.net/man/1/base64
trhttp://linuxcommand.org/man_pages/tr1.html
aliashttp://linuxcommand.org/man_pages/alias1.html
mkdirhttp://linuxcommand.org/man_pages/mkdir1.html
cphttp://linuxcommand.org/man_pages/cp1.html
xxdhttp://linuxcommand.org/man_pages/xxd1.html
filehttp://linuxcommand.org/man_pages/file1.html
mvhttp://linuxcommand.org/man_pages/mv1.html
gziphttp://linuxcommand.org/man_pages/gzip1.html
bzip2http://linuxcommand.org/man_pages/bzip21.html
tarhttp://linuxcommand.org/man_pages/tar1.html
echohttp://linuxcommand.org/man_pages/echo1.html
nchttp://linuxcommand.org/man_pages/nc1.html
opensslhttp://linuxcommand.org/man_pages/openssl1.html
diffhttp://linuxcommand.org/man_pages/diff1.html

5 comments:

  1. You need to CHMOD 600 "FILE" then try again

    ReplyDelete
  2. Nah. you need to copy the whole RSA key. that includes the
    ------- BEGIN RSA KEY -------

    as well as the

    ----- END RSA KEY -------

    bits.

    ReplyDelete
  3. Is it necesarry to have extension .private in order to execute the command:
    #ssh -i ./sskey.private bandit17@localhost?
    Because i created as a keyphrase file, put the permisions 600, but i couldn't login into the machine, it was requesting me passphrase. So i just put the extension and then works, so the question is why?

    ReplyDelete
  4. This level is all screwed up. It says to perform a diff on password.new and password.old. It gives you two strings and neither is the correct password. To get the pwd you have to do cat /etc/bandit_pass/bandit17

    ReplyDelete