
Bandit15->16

Level Goal

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…

Commands useful to solve the level

Helpful Reading Material

Where to start?

For the network analysis and password retrieval, see the previous challenge. In this challenge I'm only going to show how to use the s_client command of the openssl program to communicate efficiently with the server.

Part 1 : Communicating with the SSL server

Our first goal is to learn how to open a connection to our SSL server; to do so, we are going to use the s_client command.

Hint

By reading the s_client man page, looking only at the options that concern connecting to the SSL server, can you figure out a way to open a connection with the server? The server reads all its input from stdin.

Solution

By running the command openssl s_client localhost:30001 or openssl s_client -connect localhost:30001, you can open a connection with the server.

Part 2 : Sending the password to the server using the client

Now that we've opened a connection to the server, we want to send the password. We could copy and paste the password, press Enter and then ^C the client; that would actually work, but it is not what we are going to do here.

As the password is contained in the file /etc/bandit_pass/bandit15, it would be much easier to redirect the input from that file. However, when we do it like this, no password appears on standard output. Our goal is to fix that issue.

Hint

By reading the CONNECTED COMMANDS section of the s_client man page, try to understand why we observe this behavior; then look at the OPTIONS section to find an option that fixes it.

Solution

We observe this behavior because, when the end of the file is reached, s_client receives end-of-file (EOF) on its input and interprets it as a signal to close the connection. With the -ign_eof option we explicitly tell s_client to keep the connection open after EOF, so that it receives the password from the server.
Here is our final command:

openssl s_client -ign_eof localhost:30001 < /etc/bandit_pass/bandit15
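
The exchange described in Parts 1 and 2, modelled in Go as an added example (not part of the original walkthrough, and not how the level's daemon is implemented): a loopback TLS server that answers one password line the way the level's server does, and a client that either quits at stdin EOF, as s_client does by default, or keeps reading like -ign_eof. The passwords, the server's replies and the self-signed certificate are all constructed for the demo.

```go
package main

import (
	"bufio"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"io"
	"math/big"
	"time"
)

const curPass, nextPass = "demo-password-15", "demo-password-16" // constructed; the real ones live in /etc/bandit_pass
// serve behaves like the level's daemon: read one line, answer it, close the connection.
func serve(c io.ReadWriteCloser) {
	defer c.Close()
	reply := "Wrong! Please enter the correct current password\n"
	if line, _ := bufio.NewReader(c).ReadString('\n'); line == curPass+"\n" {
		reply = "Correct!\n" + nextPass + "\n"
	}
	io.WriteString(c, reply)
}
// submit models "openssl s_client < file": stdin's bytes go to the TLS connection; at EOF it quits (default) or, like -ign_eof, stays to read the reply.
func submit(addr, stdin string, ignoreEOF bool) string {
	c, err := tls.Dial("tcp", addr, &tls.Config{InsecureSkipVerify: true}) // acceptable only for our self-signed demo cert
	if err != nil {
		panic(err)
	}
	defer c.Close()
	io.WriteString(c, stdin)
	if !ignoreEOF {
		return "" // the deferred Close runs now, so the server's answer is never read
	}
	out, _ := io.ReadAll(c)
	return string(out)
}
// Demo runs one exchange over TLS on a loopback port with a throwaway self-signed certificate.
func Demo(stdin string, ignoreEOF bool) string {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key) // fixed, valid inputs: cannot fail
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}})
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	go func() { c, _ := ln.Accept(); serve(c) }() // Accept cannot fail here: Dial's handshake depends on it
	return submit(ln.Addr().String(), stdin, ignoreEOF)
}
```

Demo(curPass+"\n", false) returns an empty string, exactly the "no password appears" symptom, while Demo(curPass+"\n", true) returns the "Correct!" line followed by the next password.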

Full Solution
  1. openssl s_client -quiet localhost:30001 < /etc/bandit_pass/bandit15 to retrieve the password from the SSL server (-quiet suppresses the session and certificate output and implicitly turns on -ign_eof)

You can now jump to the next level