Bandit Level 16 → Level 17

 

Goal

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

다음 레벨의 credentials는 현재 레벨의 패스워드를 localhost의 31000 - 32000번 사이의 포트에 제출하면 얻을 수 있다. 첫 번째로 해야 하는 것은 어떤 포트가 열려 있는지 찾는 것이다. 그 다음 SSL 통신을 하는 포트와 그렇지 않은 포트를 찾아라. 1개의 서버에서만 다음 레벨의 credentials를 얻을 수 있고, 나머지 서버는 네가 보낸 값을 단순히 돌려줄 뿐이다.

 

Commands you may need to solve this level

`ssh`, `telnet`, `nc`, `openssl`, `s_client`, `nmap`

 

Write Up

bandit16@bandit:~$ nc -zv 127.0.0.1 31000-32000 2>&1 | grep succeeded
Connection to 127.0.0.1 31046 port [tcp/*] succeeded!
Connection to 127.0.0.1 31518 port [tcp/*] succeeded!
Connection to 127.0.0.1 31691 port [tcp/*] succeeded!
Connection to 127.0.0.1 31790 port [tcp/*] succeeded!
Connection to 127.0.0.1 31960 port [tcp/*] succeeded!

 

열려 있는 포트는 총 5개 이고, 이 중 SSL 통신을 하면서 credentials를 반환하는 포트를 찾았다.

bandit16@bandit:~$ openssl s_client -connect 127.0.0.1:31790

 

현재 레벨의 플래그를 입력하고 RSA Key 값을 얻었다.

bandit16@bandit:~$ cd $(mktemp -d) && vi credential

 

이 값을 `/tmp` 디렉토리 하위에 credential 파일을 만들고 붙여넣기 해서 저장했다.

bandit16@bandit:/tmp/tmp.ifS7iJ5IER$ chmod 700 ./credential
bandit16@bandit:/tmp/tmp.ifS7iJ5IER$ ssh -i ./credential bandit17@localhost -p 2220

 

RSA Key 파일의 접근 권한을 변경하고 이를 통해 bandit17 서버에 접속했다. 이전 레벨과 마찬가지로 `/etc/bandit_pass` 디렉토리에서 bandit17의 패스워드를 얻었다.