Tuesday, December 9, 2014

Bandit Level 15 to Level 16

Submitting a password to a port using SSL encryption.
 
Host name is bandit.labs.overthewire.org 
User: bandit15
password: BfMYroe26WYalil77FoDi9qh59eK5xNr

Goal: The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -quiet and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…

Commands used for this level:
echo - display a line of text
openssl -  OpenSSL command line tool

Step 1.
We need to somehow submit our current password to port 30001 using SSL.
We know from the last level that we can use echo to send the current password to a command. We also know we need to use SSL to connect to port 30001. Let's check the man page of SSL.
Type man ssl
Looking at the man page for ssl, we see that SSL is the OpenSSL SSL/TLS library. The info is different from the other man pages we have looked at: this man page only describes what SSL is, because ssl is not a command but a type of connection. If we scroll to the bottom of the man page we see that this information appeared in OpenSSL. To verify that ssl is not what we want, go ahead and try to echo the password and pipe it to ssl with localhost 30001.
Type echo BfMYroe26WYalil77FoDi9qh59eK5xNr | ssl localhost 30001
We get No command 'ssl' found.
We now know that openssl might be the command we need, so let's check the man page for openssl.
Type man openssl 
We see that OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer, which is exactly what we need from the goal given. More can be read about SSL/TLS here.
You should also read here about connecting to ssl servers as it gives us exactly what we need for our command.
We now know pretty much everything we need for our command. From the goal we know we need to use -quiet with our command, and from reading here we have this as an example: openssl s_client -connect www.example.com:443
Let's open the man page of openssl again and read about the s_client option.
Type man openssl
We see that the s_client option implements a generic SSL/TLS client which can establish a transparent connection to a remote server speaking SSL/TLS.

We now have everything for our command: we will echo our password and pipe it to openssl with the s_client, -connect, and -quiet options.

Step 2.
Type echo BfMYroe26WYalil77FoDi9qh59eK5xNr | openssl s_client -quiet -connect localhost:30001
We see the handshake output as the connection is made: the server presents a self-signed certificate, openssl prints verify return:1, and we are connected. Our password is displayed as cluFn7wTiGryunymYOu4RcffSxQluehd
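The same submission written against Python's ssl module, as an added example that is not part of the original write-up. It shows why the hint matters: this level's password begins with B, which an interactive s_client (no -quiet or -ign_eof) reads as its heartbeat command instead of sending it as data, and it filters the verify-callback lines that -quiet still prints. The host and port come from the goal; SAMPLE_OUTPUT is a constructed stand-in for the command's output, and certificate verification is disabled only because the exercise server is self-signed.

```python
import socket
import ssl

HOST = "localhost"   # the level's server, from the goal
PORT = 30001
# Constructed sample of `openssl s_client -quiet` output for this level:
# verify-callback lines for the self-signed cert, then the server's reply.
SAMPLE_OUTPUT = (
    "depth=0 CN = localhost\n"
    "verify error:num=18:self signed certificate\n"
    "verify return:1\n"
    "cluFn7wTiGryunymYOu4RcffSxQluehd\n"
)

def s_client_command(line: str):
    """Letter s_client treats as a command when reading this line interactively
    (without -quiet/-ign_eof): R renegotiate, Q quit, B heartbeat; else None."""
    first = line[:1]
    return first if first in ("R", "Q", "B") else None

def lab_context() -> ssl.SSLContext:
    """Client context for the self-signed lab server: verification is off, so
    this context offers no protection against an impersonated server."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def submit_secret(secret: str, host: str = HOST, port: int = PORT,
                  timeout: float = 5.0) -> str:
    """Like `echo SECRET | openssl s_client -quiet -connect host:port`."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with lab_context().wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall((secret + "\n").encode())
            chunks = []
            while True:
                try:
                    data = tls.recv(4096)
                except socket.timeout:
                    break
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks).decode(errors="replace")

def extract_reply(s_client_output: str) -> str:
    """Drop the verify-callback lines s_client prints even with -quiet."""
    noise = ("depth=", "verify error:", "verify return:")
    lines = [ln.strip() for ln in s_client_output.splitlines()]
    return "\n".join(ln for ln in lines if ln and not ln.startswith(noise))
```

On the lab box, `submit_secret("BfMYroe26WYalil77FoDi9qh59eK5xNr")` performs the same exchange as the openssl command in Step 2.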



2 comments:

  1. Why did you use the -quiet option?

  2. I'm also a noob, but it looks to me like -quiet implicitly turns on -ign_eof while also silencing the console output of certs. Using just -ign_eof gives the password after the certs.