Using a port scanning tool to find open ports, then copying a private SSH key and using it to connect to a server. Then, for level 18, comparing two files for differences.
Host name is bandit.labs.overthewire.org
User: bandit16
password: cluFn7wTiGryunymYOu4RcffSxQluehd
Goal: The password for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next password, the others will simply send back to you whatever you send to it.
Commands used for this level:
nmap - Network exploration tool and security / port scanner
echo - display a line of text
nc - arbitrary TCP and UDP connections and listens (nc is short for netcat)
openssl - OpenSSL command line tool
ssh - OpenSSH SSH client (remote login program)
mkdir - make directories
cd - change directory
touch - change file timestamps
vim - Vi IMproved, a programmer's text editor
chmod - change file mode bits
Commands used for level 18:
ls - List information about the FILEs (the current directory by default).
diff - compare files line by line
Step 1.
First thing we need to do is find a way to scan ports in the range given in our goal. Linux has a tool for doing just that called nmap. Let's check the man page on nmap to see how it works and what it does.
Type man nmap
We see nmap is a port scanner and that is exactly the tool we need. If we read further down to the SCAN TECHNIQUES section we see we have multiple options for scanning. We know that first we want to find which ports are open for a connection. We read that the -sT option in this section is for a TCP connect scan, so that looks good for our first option. We also need to select a range of ports to scan, so if we read down further we see that the -p option will let us select specific ports to scan, or even a range. We know we want to scan localhost and ports from 31000 to 32000, so let's put together our scan options. We will use the nmap command as our port scanner tool with -sT to attempt a connection, pointed at localhost with a port range of 31000-32000.
Type nmap -sT localhost -p31000-32000
We see we have 5 ports open: 31046, 31518, 31691, 31790, and 31960, all with unknown service.
Step 2.
We now have 5 ports we can attempt to connect to, and we know from our goal we need to find the port that speaks SSL. We also know that the wrong ports will simply echo back what we send them. Let's echo some text, pipe it to netcat like in level 14, and use localhost with each port number to see which ports echo back our text and which ones give us an SSL response.
echo hello | nc localhost 31046
gives us our hello in return
echo hello | nc localhost 31518
gives us an SSL error
echo hello | nc localhost 31691
gives us our hello in return
echo hello | nc localhost 31790
gives us an SSL error
echo hello | nc localhost 31960
gives us our hello in return
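As an added example (not part of the original post), here is a small Python script that does steps 1 and 2 in one go: it connects to each port in the range, sends a plaintext probe and classifies the listener as an echo service or a TLS service from its reply. It assumes the probe is sent to 127.0.0.1 and includes two constructed stand-in servers so it can be exercised offline.

```python
import socket
import threading

PROBE = b"hello\n"
# A TLS listener answers a plaintext probe with an alert record, whose
# first byte is the record content type 0x15 (alert); some just hang up.
TLS_ALERT = b"\x15"

def probe_port(host, port, timeout=2.0):
    """Classify host:port as "closed", "echo", "tls" or "other"."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(PROBE)
            reply = s.recv(64)
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeout or connection reset
        return "other"
    if reply == PROBE:
        return "echo"
    if reply[:1] == TLS_ALERT:
        return "tls"
    return "other"  # includes a server that closed without replying

def scan_ports(host, ports):
    """Map every port that accepted a connection to its classification."""
    return {p: r for p in ports if (r := probe_port(host, p)) != "closed"}

# Constructed stand-ins for the level's servers so the scan runs offline:
# an echo server, and one that replies like a TLS listener given plaintext.
def start_fake_server(kind):
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            data = conn.recv(64)
            if kind == "echo":
                conn.sendall(data)
            else:  # alert record: TLS 1.0, length 2, fatal, unexpected_message
                conn.sendall(b"\x15\x03\x01\x00\x02\x02\x0a")
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    # On the bandit host this probes the range from the level's goal.
    for port, kind in scan_ports("127.0.0.1", range(31000, 32001)).items():
        print(port, kind)
```

Ports reported as tls are the ones to try with openssl s_client in step 3; a TLS server that simply closes the connection instead of sending an alert shows up as other, so check those with openssl s_client as well.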
Step 3.
We now know we have two ports that reply with an SSL error. Let's hit those two ports with our password and our openssl tool like in level 15.
echo cluFn7wTiGryunymYOu4RcffSxQluehd | openssl s_client -quiet -connect localhost:31518
It looks like we have connected, but it has replied with our current password like the other ports, so let's try the other SSL port.
echo cluFn7wTiGryunymYOu4RcffSxQluehd | openssl s_client -quiet -connect localhost:31790
We get a private RSA key in return instead of the password. Not exactly what we hoped for, but we know what to do with the key from previous levels.
Step 4.
Copy the RSA key; don't forget to get the whole thing, including the header and footer of the key. Now we need to save this private key and do exactly what we did in level 13. Let's create a directory under /tmp, create a file and save our key to it. We can then use ssh with that key to log in to the next level and get our password.
mkdir /tmp/yourname
cd /tmp/yourname
touch sshkey.private
vim sshkey.private
You are now in the vim editor and can paste your copied key. Press a first in vim to append to the file. Now paste the copied key into the file. Once you've pasted the key, press the esc key to exit editing mode of vim and type :wq to write and quit the editor. If you want more info on moving around in the vi editor, check the man page on it.
Step 5.
We can now do like we did in level 13 and use ssh with the RSA private key to log in as bandit17.
ssh -i ./sshkey.private bandit17@localhost
We are asked if we want to continue and we need to type yes.
We see we get an error stating: It is required that your private key files are NOT accessible by others. What we need to do is change the permissions of our private key so it is not accessible by other users. We can use chmod to do that.
Step 6.
Let's read about the chmod options. We know we need to only allow us, the owner of the file, to read and write to it, and after reading up on chmod we see that chmod 600 will do that.
chmod 600 sshkey.private
Now do an ls -la to view the read and write permissions of our file.
Step 7.
Let's try logging in with our private key again.
ssh -i ./sshkey.private bandit17@localhost
We are now in level 17, but we do not have a password for the level, so we need to get the level 18 password.
Level 17 to 18
Compare two files and find the difference.
Goal: There are 2 files in the home directory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new.
Commands used in this level:
ls - List information about the FILEs (the current directory by default).
diff - compare files line by line
Step 1.
We need to compare the two files and find the line that differs between them. We can use the diff command to do that. Let's check the man page of diff.
Type man diff
We see that diff will compare files line by line and that is our exact goal.
Type diff passwords.old passwords.new
We get the below output:
< BS8bqB1kqkinKJjuxL6k072Qq9NRwQpR
---
> kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
Looks like we have two options for passwords, so let's try them on level 18. Try the first one and it doesn't work, but the second password does, and we have our password for level 18: kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd