Bandit?

Journey of a noob through Bandit

From Level 5 to 6

du -ahb | grep 1033

Bandit 15 to 16
Goal
Send the current level password BfMYroe26WYalil77FoDi9qh59eK5xNr to port 30001 on localhost using SSL encryption.

Helpful note:
Getting “HEARTBEATING” and “Read R BLOCK”? Use -quiet and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…

Solution:

#ssh bandit15@bandit.labs.overthewire.org

password is BfMYroe26WYalil77FoDi9qh59eK5xNr

#openssl s_client -connect localhost:30001 -quiet

Then paste the current level password and press Enter.

BfMYroe26WYalil77FoDi9qh59eK5xNr
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd
#ssh bandit16@localhost

or from another console

#ssh bandit16@bandit.labs.overthewire.org

password is cluFn7wTiGryunymYOu4RcffSxQluehd

Bandit 16 to 17

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         THIS WAS ONE HELL OF A LEVEL                    @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Level Goal

The password for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next password, the others will simply send back to you whatever you send to it.

What I did:
Find the open ports first
nmap localhost -p 31000-32000

bandit16@melinda:~$ nmap localhost -p 31000-32000

Starting Nmap 5.21 ( http://nmap.org ) at 2014-10-23 23:33 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0011s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
31046/tcp open  unknown
31518/tcp open  unknown
31691/tcp open  unknown
31790/tcp open  unknown
31960/tcp open  unknown

So, include service/version detection with -sV

nmap localhost -p 31000-32000 -sV

bandit16@melinda:~$ nmap localhost -p 31000-32000 -sV

Starting Nmap 5.21 ( http://nmap.org ) at 2014-10-23 23:33 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00081s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE VERSION
31046/tcp open  echo
31518/tcp open  msdtc   Microsoft Distributed Transaction Coordinator (error)
31691/tcp open  echo
31790/tcp open  msdtc   Microsoft Distributed Transaction Coordinator (error)
31960/tcp open  echo
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.24 seconds

Now I need to send the current level password to those ports. But the ports running echo will obviously only echo back whatever they receive,
so I will send it only to 31518 and 31790.
And I have to send it over SSL, just like in the previous level.
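The filtering step above (keep the open ports, drop the ones nmap identifies as plain echo) as a small parser over nmap's port table. This is an added example, not part of the original post; the sample output is the scan result shown above, embedded as a constant.

```python
import re

# Constructed sample: the port table from the nmap -sV scan of localhost shown above.
NMAP_SV_OUTPUT = """\
PORT      STATE SERVICE VERSION
31046/tcp open  echo
31518/tcp open  msdtc   Microsoft Distributed Transaction Coordinator (error)
31691/tcp open  echo
31790/tcp open  msdtc   Microsoft Distributed Transaction Coordinator (error)
31960/tcp open  echo
"""

# One port-table row: "<port>/<proto> <state> <service> [<version ...>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap_ports(output):
    """Return (port, proto, state, service, version) tuples for every port row in nmap's text output."""
    rows = []
    for line in output.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            rows.append((int(port), proto, state, service, version or ""))
    return rows


def candidate_ports(output):
    """Open ports that are not plain echo servers: the only ones worth sending the password to.

    The two rows nmap labelled 'msdtc ... (error)' are the ones it could not fingerprint
    cleanly; what matters for this level is simply that they are not 'echo'.
    """
    return [port for port, _proto, state, service, _version in parse_nmap_ports(output)
            if state == "open" and service != "echo"]
```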

openssl s_client -connect localhost:31518 -quiet

bandit16@melinda:~$ openssl s_client -connect localhost:31518 -quiet   
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
cluFn7wTiGryunymYOu4RcffSxQluehd
cluFn7wTiGryunymYOu4RcffSxQluehd

It just echoed, so this is not the one. Let me try the next one.

openssl s_client -connect localhost:31790 -quiet

bandit16@melinda:~$ openssl s_client -connect localhost:31790 -quiet
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
cluFn7wTiGryunymYOu4RcffSxQluehd
Correct!
-----BEGIN RSA PRIVATE KEY-----
[private key contents omitted]
-----END RSA PRIVATE KEY-----

read:errno=0

BINGO!

But it didn’t give me the password, instead it gave me the private key. That also works for me.

What I did next:

bandit16@melinda:~$ mkdir /tmp/foodi
bandit16@melinda:~$ cd /tmp/foodi
bandit16@melinda:/tmp/fooi$ touch sslkey.private
bandit16@melinda:/tmp/fooi$ nano sslkey.private

In the nano editor, I pasted the long key with Ctrl+Shift+V,
saved it with Ctrl+O and exited with Ctrl+X.

Try to connect with that key
ssh bandit17@localhost -i sslkey.private

bandit16@melinda:/tmp/fooi$ ssh bandit17@localhost -i sslkey.private 
Could not create directory '/home/bandit16/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is 91:b4:28:0b:9a:4d:0c:b6:39:1f:8f:68:89:4a:ce:92.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit16/.ssh/known_hosts).

This is the OverTheWire game server. More information on http://www.overthewire.org/wargames

Please note that wargame usernames are no longer level, but wargamename
e.g. vortex4, semtex2, ...

Note: at this moment, blacksun and drifter are not available.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0664 for 'sslkey.private' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: sslkey.private
bandit17@localhost's password: 

It didn't let me in and asked for a password. For a second, I thought I should extract the passphrase from the key, but then I thought that's stupid, because it would take forever to get the passphrase from it and I was still not sure whether it would be possible at all. Besides, it was encrypted with god knows what!
The next option is to somehow make the server accept what I have. I am going to make him an offer he can't refuse!
As the private key is open and accessible by others,
I guess I need to change its permissions.

chmod 700 sslkey.private
and verify with ls -l

bandit16@melinda:/tmp/fooi$ chmod 700 sslkey.private 
bandit16@melinda:/tmp/fooi$ ls -l
total 4
-rwx------ 1 bandit16 bandit16 1677 Oct 23 23:51 sslkey.private
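The check that produced the "UNPROTECTED PRIVATE KEY FILE" refusal above, reproduced in Python. This is an added example, not code from the post or from OpenSSH; it mirrors OpenSSH's rule that a private key file must have no group or other permission bits at all and must belong to the user, so 0600 is already enough (the 0700 used above also passes, the execute bit is just unnecessary). The demo writes a throwaway file to show the 0664 case being rejected and the fixed mode being accepted.

```python
import os
import stat
import tempfile


def private_key_perm_ok(path):
    """Mirror OpenSSH's private-key file check.

    OpenSSH (sshkey_perm_ok) ignores the key when any group/other bit is set
    (mode & 0077 != 0) or, for non-root users, when the file is owned by someone else.
    """
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        return False                       # "Permissions 0664 ... are too open"
    if os.getuid() != 0 and st.st_uid != os.getuid():
        return False                       # key belongs to another user
    return True


def demo():
    """Constructed example: a dummy key file with the 0664 mode the page shows, then fixed."""
    fd, path = tempfile.mkstemp(prefix="sslkey.")
    os.close(fd)
    try:
        os.chmod(path, 0o664)
        before = private_key_perm_ok(path)   # rejected, as in the failed ssh attempt
        os.chmod(path, 0o600)
        after = private_key_perm_ok(path)    # accepted; chmod 700 would pass too
        return before, after
    finally:
        os.unlink(path)
```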

Good, let's try again.

bandit16@melinda:/tmp/fooi$ ssh bandit17@localhost -i sslkey.private 
Could not create directory '/home/bandit16/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is 91:b4:28:0b:9a:4d:0c:b6:39:1f:8f:68:89:4a:ce:92.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit16/.ssh/known_hosts).

This is the OverTheWire game server. More information on http://www.overthewire.org/wargames

Please note that wargame usernames are no longer level, but wargamename
e.g. vortex4, semtex2, ...

Note: at this moment, blacksun and drifter are not available.

Welcome to Ubuntu 12.04.5 LTS (GNU/Linux 3.15.4-x86_64-linode45 x86_64)

 * Documentation:  https://help.ubuntu.com/

Welcome to the OverTheWire games machine !

Please read /README.txt for more information on how to play the levels
on this gameserver.

 System information disabled due to load higher than 8.0

1 package can be updated.
1 update is a security update.

New release '14.04.1 LTS' available.
Run 'do-release-upgrade' to upgrade to it.



*** System restart required ***

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

bandit17@melinda:~$ 

Guys, I am in.😀

I guess its time to sleep.
Enough Bandit for one day, actually my first day!
