OverTheWire - Bandit: Level 17 to Level 18
Now that we know how to connect to both SSL and non-SSL ports, the next level adds some network reconnaissance.
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
To get a clue which of these ports speak SSL, and hopefully which one is the server we are looking for, we use nmap as a first step.
$ nmap -A -p 31000-32000 localhost
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-29 17:20 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE     VERSION
31046/tcp open  echo
31518/tcp open  ssl/echo
| ssl-cert: Subject: commonName=localhost
| Subject Alternative Name: DNS:localhost
| Not valid before: 2023-10-28T09:38:22
|_Not valid after:  2023-10-28T09:39:22
31691/tcp open  echo
31790/tcp open  ssl/unknown
| fingerprint-strings:
|   FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SIPOptions, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
|_    Wrong! Please enter the correct current password
| ssl-cert: Subject: commonName=localhost
| Subject Alternative Name: DNS:localhost
| Not valid before: 2023-10-28T09:38:22
|_Not valid after:  2023-10-28T09:39:22
31960/tcp open  echo
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port31790-TCP:V=7.80%T=SSL%I=7%D=10/29%Time=653E9478%P=x86_64-pc-linux-
SF:gnu%r(GenericLines,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20c
SF:urrent\x20password\n")%r(GetRequest,31,"Wrong!\x20Please\x20enter\x20th
SF:e\x20correct\x20current\x20password\n")%r(HTTPOptions,31,"Wrong!\x20Ple
SF:ase\x20enter\x20the\x20correct\x20current\x20password\n")%r(RTSPRequest
SF:,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20current\x20password
SF:\n")%r(Help,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20current\
SF:x20password\n")%r(SSLSessionReq,31,"Wrong!\x20Please\x20enter\x20the\x2
SF:0correct\x20current\x20password\n")%r(TerminalServerCookie,31,"Wrong!\x
SF:20Please\x20enter\x20the\x20correct\x20current\x20password\n")%r(TLSSes
SF:sionReq,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20current\x20p
SF:assword\n")%r(Kerberos,31,"Wrong!\x20Please\x20enter\x20the\x20correct\
SF:x20current\x20password\n")%r(FourOhFourRequest,31,"Wrong!\x20Please\x20
SF:enter\x20the\x20correct\x20current\x20password\n")%r(LPDString,31,"Wron
SF:g!\x20Please\x20enter\x20the\x20correct\x20current\x20password\n")%r(LD
SF:APSearchReq,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20current\
SF:x20password\n")%r(SIPOptions,31,"Wrong!\x20Please\x20enter\x20the\x20co
SF:rrect\x20current\x20password\n");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 98.99 seconds
This worked well, and we now also know which port is asking for our password: the service behind port 31790 answered "Wrong! Please enter the correct current password" to every probe, while the other open ports are plain echo servers.
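The same scan-and-classify step, as an added Python example that is not part of the original write-up: it connects to every port in a range, attempts a TLS handshake to separate SSL from plaintext listeners, then sends one line and checks whether the line comes back unchanged (an echo server) or something else (a candidate like port 31790). That is the same distinction nmap expresses with its echo, ssl/echo and ssl/unknown labels. The probe string, the two demo servers and the demo password are constructed so the script runs offline; on the level the probe would be the current password and the range 31000-32000 on localhost.

```python
import socket
import ssl
import threading

# Constructed values for the local demo. On the level, the probe is the current
# level's password and the range is 31000-32000 on localhost.
PROBE = b"probe-line\n"
DEMO_PASSWORD = b"demo-password"
WRONG_BANNER = b"Wrong! Please enter the correct current password\n"


def is_listening(host, port, timeout=1.0):
    """TCP connect only: does anything accept on this port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def read_reply(sock, timeout):
    """Read until the peer closes, finishes a newline-terminated line, or goes quiet."""
    sock.settimeout(timeout)
    chunks = []
    try:
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
            if data.endswith(b"\n"):
                break
    except socket.timeout:
        pass
    return b"".join(chunks)


def exchange(host, port, probe, use_tls, timeout=2.0):
    """Send the probe (optionally inside TLS) and return the raw reply.
    Returns None when the TLS handshake fails, i.e. the port is plaintext."""
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        if use_tls:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE  # lab cert is self-signed; we only ask "is TLS spoken?"
            try:
                sock = ctx.wrap_socket(sock, server_hostname=host)
            except (ssl.SSLError, OSError):  # garbage or a plaintext banner came back
                return None
        sock.sendall(probe)
        return read_reply(sock, timeout)
    finally:
        sock.close()


def classify(host, port, probe=PROBE, timeout=2.0):
    """Return (label, reply); label is closed, ssl/echo, ssl/other, plain/echo or plain/other."""
    if not is_listening(host, port, timeout):
        return "closed", b""
    reply = exchange(host, port, probe, use_tls=True, timeout=timeout)
    transport = "ssl"
    if reply is None:  # handshake failed: talk to it in the clear instead
        transport = "plain"
        reply = exchange(host, port, probe, use_tls=False, timeout=timeout)
    kind = "echo" if reply.strip() == probe.strip() else "other"
    return f"{transport}/{kind}", reply


def scan_range(host, ports, probe=PROBE, timeout=1.0):
    """Classify every listening port in `ports`; closed ports are omitted from the result."""
    found = {}
    for port in ports:
        label, reply = classify(host, port, probe, timeout)
        if label != "closed":
            found[port] = (label, reply.decode(errors="replace").strip())
    return found


# Two constructed plaintext servers so the scanner can be exercised offline.
def _echo_handler(conn):
    data = conn.recv(4096)
    if data:
        conn.sendall(data)


def _password_gate_handler(conn):
    """Imitates the level's target: one line in, Correct!/Wrong! out."""
    line = conn.recv(4096).split(b"\n", 1)[0].rstrip(b"\r")
    conn.sendall(b"Correct!\n" if line == DEMO_PASSWORD else WRONG_BANNER)


def start_demo_server(handler):
    """Bind an ephemeral port on 127.0.0.1, serve `handler` in a daemon thread, return the port."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def loop():
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    handler(conn)
                except OSError:
                    pass  # client went away mid-exchange; serve the next one

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    ports = [start_demo_server(_echo_handler), start_demo_server(_password_gate_handler)]
    for port, (label, reply) in scan_range("127.0.0.1", ports).items():
        print(f"{port}/tcp open {label} {reply!r}")
```

Because the demo servers have no certificate, the script only exercises the plaintext paths locally; against the level's range the same `classify` call labels 31518 as ssl/echo and 31790 as ssl/other with the "Wrong!" banner, which is the signal nmap gave above.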
As before, we use the openssl s_client tool to connect and send our password.
$ openssl s_client -crlf -connect localhost:31790 -noservername
<SSL connection output>
$ JQttfApK4SeyHwDlI9SXGR50qclOAil1
Correct!
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
-----END RSA PRIVATE KEY-----
This time we got an RSA private key instead of a password. This key can probably be used as the private SSH key for Level 17 -> Level 18.