Bandit16->17
Level Goal
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
Commands useful to solve the level
Helpful Reading Material
Where to start?
What we need to do here is to find a way to scan the ports so we know on which one the server we need to talk to resides. First, let's scan the ports between 31000 and 32000 on localhost. To do so, we can use two utilities, nc and nmap.
Part 1 : Basic Port Scanning with nc
Hint
By looking at the PORT SCANNING section of the nc man page, can you figure out a way to perform a basic scan of the ports between 31000 and 32000 with nc?
Solution
With nc, we can use the following command :
nc -zv localhost 31000-32000 |& grep -v -E '^nc'
nc -zv localhost 31000-32000 : tells nc to report the open ports between 31000 and 32000, writing verbose output to stderr.
|& : is a metacharacter equivalent to 2>&1 |, which redirects both stdout and stderr through the pipe (see Pipelines in the GNU bash manual for more information).
grep -v -E '^nc' : uses the regular expression ^nc to match lines beginning with 'nc', and the -v option inverts the match so that only the lines that don't begin with nc are kept (meaning only the lines that didn't report an error).
Here is the output from this command :
bandit16@bandit:~$ nc -zv localhost 31000-32000 |& grep -v -E '^nc'
Connection to localhost (127.0.0.1) 31046 port [tcp/*] succeeded!
Connection to localhost (127.0.0.1) 31518 port [tcp/*] succeeded!
Connection to localhost (127.0.0.1) 31691 port [tcp/*] succeeded!
Connection to localhost (127.0.0.1) 31790 port [tcp/*] succeeded!
Connection to localhost (127.0.0.1) 31960 port [tcp/*] succeeded!
bandit16@bandit:~$
Part 2 : Basic Port Scanning with nmap
Hint
By using the PORT SPECIFICATION AND SCAN ORDER section of the nmap man page, can you figure out a way to perform a basic scan of the ports between 31000 and 32000 with nmap?
Solution
With nmap, it is even simpler: we just need to provide the range of ports to scan, as nmap is already a port scanner.
Here is the command we're looking for :
nmap localhost -p 31000-32000
Starting Nmap 7.80 ( https://nmap.org ) at 2024-06-04 14:27 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
31046/tcp open unknown
31518/tcp open unknown
31691/tcp open unknown
31790/tcp open unknown
31960/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
Part 3 : Service detection with nmap
Now that we have a little more info about the open ports, we can run a more advanced nmap scan on the open ports we found.
Hint
By taking a look at the SERVICE AND VERSION DETECTION section of the nmap man page, can you figure out how to tell on which port the service we want to communicate with resides?
Solution
The -sV option is the one we're looking for: it allows us to identify the service that lies on each port we're scanning.
As the scan doesn't need to be thorough (4 out of 5 of these services will echo back to the sender all the information they receive), we will enable the option --version-light so that the scan takes less time.
The command we're looking for is the following :
nmap -sV --version-light -p 31046,31518,31691,31790,31960 localhost
or, scanning the whole range in one go :
nmap -sV --version-light -p 31000-32000 localhost
Here is the output from this command (--version-light is an alias for --version-intensity 2):
bandit16@bandit:~$ nmap -sV --version-intensity 2 localhost -p 31046,31518,31691,31790,31960
Starting Nmap 7.80 ( https://nmap.org ) at 2024-06-04 14:38 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
PORT STATE SERVICE VERSION
31046/tcp open echo
31518/tcp open ssl/echo
31691/tcp open echo
31790/tcp open ssl/unknown
31960/tcp open echo
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port31790-TCP:V=7.80%T=SSL%I=2%D=6/4%Time=665F2708%P=x86_64-pc-linux-gn
SF:u%r(GenericLines,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20cur
SF:rent\x20password\n")%r(GetRequest,31,"Wrong!\x20Please\x20enter\x20the\
SF:x20correct\x20current\x20password\n")%r(SSLSessionReq,31,"Wrong!\x20Ple
SF:ase\x20enter\x20the\x20correct\x20current\x20password\n")%r(TLSSessionR
SF:eq,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20current\x20passwo
SF:rd\n");
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.61 seconds
bandit16@bandit:~$
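Reading five lines by eye is fine, but turning the two scan outputs into port lists also doubles as a check that exactly one non-echo service was found. The script below is an added example and not part of the original writeup: it parses the nc output from Part 1 and the nmap -sV report from Part 3. The nc and nmap text embedded in it are constructed copies of the outputs shown above so that it runs offline, and the function names are my own; on the box you would pipe the real scanner output into the same functions.

```shell
#!/bin/sh
# Added example, not part of the original writeup: turn raw nc / nmap output
# into plain port lists. The two inputs below are constructed copies of the
# level's scan results, embedded so the script runs offline.

SAMPLE_NC='nc: connect to localhost port 31000 (tcp) failed: Connection refused
Connection to localhost (127.0.0.1) 31046 port [tcp/*] succeeded!
nc: connect to localhost port 31047 (tcp) failed: Connection refused
Connection to localhost (127.0.0.1) 31518 port [tcp/*] succeeded!
Connection to localhost (127.0.0.1) 31790 port [tcp/*] succeeded!'

SAMPLE_NMAP='PORT STATE SERVICE VERSION
31046/tcp open echo
31518/tcp open ssl/echo
31691/tcp open echo
31790/tcp open ssl/unknown
31960/tcp open echo'

# Part 1: open ports from "nc -zv" output (stdout and stderr merged with |&).
# Only "succeeded!" lines are kept; the port is the field just before "port".
nc_open_ports() {
    awk '/succeeded!$/ {
        for (i = 1; i < NF; i++) if ($(i + 1) == "port") print $i
    }'
}

# Part 3: one "<port> <class>" line per open port in an "nmap -sV" report.
# Classes: plain-echo, tls-echo, plain-other, tls-other.
classify_services() {
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" {
        split($1, p, "/"); port = p[1]; svc = $3
        tls = (svc ~ /^ssl\//) ? "tls" : "plain"
        sub(/^ssl\//, "", svc)
        kind = (svc == "echo") ? "echo" : "other"
        print port, tls "-" kind
    }'
}

# Ports whose service was reported behind TLS ("ssl/..." in the SERVICE column).
tls_ports() {
    classify_services | awk '$2 ~ /^tls-/ { print $1 }'
}

# The level's target: the one open port that is not an echo service.
candidate_port() {
    classify_services | awk '$2 !~ /-echo$/ { print $1 }'
}

# Demonstration on the constructed samples.
echo "open ports (nc):"
printf '%s\n' "$SAMPLE_NC" | nc_open_ports
echo "services (nmap):"
printf '%s\n' "$SAMPLE_NMAP" | classify_services
echo "candidate: $(printf '%s\n' "$SAMPLE_NMAP" | candidate_port)"
```

On the real box the usage is `nc -zv localhost 31000-32000 |& nc_open_ports` and `nmap -sV --version-light -p 31000-32000 localhost | candidate_port`; if candidate_port prints more than one line, the version scan was too light to tell the services apart and a higher --version-intensity is worth a try.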
We can then use the openssl s_client command to send the password to the server listening at 31790 and retrieve the ssh key to connect to bandit 17.
Full Solution
nmap -sV --version-light -p 31000-32000 localhost : to find the server that is listening for our password.
openssl s_client -ign_eof localhost:31790 < /etc/bandit_pass/bandit16 : to retrieve the private ssh key needed to connect to bandit 17.
Bonus : Writing the ssh key directly to a file
Wouldn't it be way more suitable to output our ssh key directly to a file? Fortunately, there is an easy way to do so.
Hint
Searching again in the s_client man page, can you figure out a way to output the ssh key directly to a file?
Solution
First, we need to create a file to store the private ssh key; we'll create it using the mktemp utility.
Then, using the -sess_out option, we will be able to output our ssl session (which is the ssh key) directly to the file.
This is what our set of commands looks like :
PRIVATE_KEY="$(mktemp)"
openssl s_client -ign_eof -sess_out "$PRIVATE_KEY" localhost:31790 < /etc/bandit_pass/bandit16
echo "$PRIVATE_KEY"
The last command prints the name of the file; we can then use the scp command to retrieve the file on our machine.
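One caveat worth checking in the openssl s_client manual before relying on the bonus: -sess_out writes the negotiated TLS session (the data needed to resume that session later) to the named file, while whatever the server sends back, the key included, is printed on s_client's stdout. Capturing stdout and keeping only the PEM block is what the following added example does; it is not part of the original writeup, the server reply it embeds is a constructed stand-in whose key lines are placeholders, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original writeup: keep only the PEM private
# key from what openssl s_client prints on stdout and store it in a file that
# ssh will accept. SAMPLE_REPLY is a constructed stand-in for the server's
# reply; the key lines are placeholders, not real key material.

SAMPLE_REPLY='CONNECTED(00000003)
depth=0 CN = localhost
verify error:num=18:self signed certificate
Correct!
-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDER-KEY-LINE-1
PLACEHOLDER-KEY-LINE-2
-----END RSA PRIVATE KEY-----
read:errno=0'

# Print the first PEM private-key block found on stdin, BEGIN line through END
# line, and nothing else (handshake chatter, "Correct!", read:errno all dropped).
extract_private_key() {
    sed -n '/^-----BEGIN .*PRIVATE KEY-----$/,/^-----END .*PRIVATE KEY-----$/p'
}

# Write the extracted key to a fresh temporary file and print its path.
# mktemp creates the file with mode 0600, which is what ssh requires for a key;
# chmod is repeated anyway in case the file is later copied elsewhere.
save_key_file() {
    key_file="$(mktemp)"
    extract_private_key > "$key_file"
    chmod 600 "$key_file"
    printf '%s\n' "$key_file"
}

# On the box the pipeline would be:
#   openssl s_client -ign_eof localhost:31790 < /etc/bandit_pass/bandit16 | save_key_file
# Here the constructed reply is fed in instead so the script runs offline.
KEY_PATH="$(printf '%s\n' "$SAMPLE_REPLY" | save_key_file)"
echo "key written to $KEY_PATH"
```

The path printed at the end is the one to hand to scp (or to `ssh -i` directly on the box); because only the BEGIN/END block is kept, the file is usable as-is without editing out the surrounding s_client output.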
You can now jump to the next level