nc



#bash #scripting #nc #networking #ports

What we know:

  • There is an open, listening port (30002) that will send back the next password if it receives the current level's password plus the correct pin on one line

What to do with this knowledge:

Attempt 1: I tried writing a script that iterates through 0000-9999, combines each number with the current level's password, and sends each line to the port:

```bash
#!/bin/bash
start=0000   # bash reads this as the integer 0, so the counter is never zero-padded
count=9999

while [ $start -lt $count ]; do
  # "current password" stands in for the level's password string
  # each nc stays connected until the daemon prints "Timeout. Exiting.", so every
  # one of the 9999 iterations waits for that timeout
  echo "current password $start" | nc localhost 30002
  ((start++))
done
```

Mistakes Made:

Unfortunately, my loop never stopped looping...

```
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
Wrong! Please enter the correct current password. Try again.
Timeout. Exiting.
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
Wrong! Please enter the correct current password. Try again.
```

FOLLOW UP ON WHY

Attempt 2: Breaking it down more

This time I decided to separate the problem into two parts:

Script 1: Create a list of possible password + pin combos

```bash
#!/bin/bash
touch list.txt

# Brace expansion with a leading zero keeps every pin zero-padded (0000, 0001, ...)
for i in {0000..9999}; do
  echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i" >> list.txt
done
```

Script 2: Iterate through my list.txt and send each one to the listening daemon with nc

```bash
#!/bin/bash
# Read list.txt one line at a time and pipe each "password pin" line into nc.
# The daemon accepts many lines on a single connection, so sending the whole
# file through one nc would be faster than one connection per line.
while read -r line; do
  echo "$line" | nc localhost 30002
done < list.txt
```

And voila!
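To see why the two scripts above succeed, here is an added example (not code from the original post) that models the port-30002 checker in Python and runs the same ordered search against it, once with the unlimited attempts the level allows and once with a per-connection attempt cap; the passwords, pin, and the lockout and wrong-pin replies are constructed placeholders.

```python
# Constructed sample secrets; the real level password from the post is not used.
CURRENT_PASSWORD = "example-bandit24-password"
SECRET_PIN = "4821"
NEXT_PASSWORD = "example-bandit25-password"


class PinChecker:
    """One connection to a model of the port-30002 daemon. max_attempts=None
    mimics the unlimited service in the post; an integer models a lockout."""

    def __init__(self, max_attempts=None):
        self.max_attempts = max_attempts
        self.attempts = 0
        self.locked = False

    def check(self, line):
        """Reply to one 'password pin' line the way the daemon does."""
        if self.locked:
            return "Too many attempts. Exiting."  # constructed lockout reply
        self.attempts += 1
        parts = line.strip().split(" ")
        if len(parts) != 2 or parts[0] != CURRENT_PASSWORD:
            reply = "Wrong! Please enter the correct current password. Try again."
        elif parts[1] != SECRET_PIN:
            reply = "Wrong! Please enter the correct pincode. Try again."  # constructed
        else:
            return f"Correct! The password of user bandit25 is {NEXT_PASSWORD}"
        if self.max_attempts is not None and self.attempts >= self.max_attempts:
            self.locked = True
        return reply


def candidate_lines(password):
    """The 10,000 'password pin' lines list.txt held, zero-padded like {0000..9999}."""
    return [f"{password} {pin:04d}" for pin in range(10000)]


def search(checker, password=CURRENT_PASSWORD):
    """Feed candidates in order until 'Correct!' or lockout.
    Returns (attempts used, next password or None)."""
    for line in candidate_lines(password):
        reply = checker.check(line)
        if reply.startswith("Correct!"):
            return checker.attempts, reply.rsplit(" ", 1)[1]
        if checker.locked:
            return checker.attempts, None
    return checker.attempts, None
```

With no cap the whole 10,000-line keyspace is always enough; with a cap of five the search stops after five replies, which is the difference an attempt limit makes on a four-digit pin.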

#nmap #nc #localhost #networking

Re-write this page with steps vs. reflections after redoing it using tmux.

This level. Oh this level.

Things learned:

  1. what the results from nmap mean
  2. how to find the right port to use (reserved vs ephemeral ports)
  3. who sends the message and why?

How to learn more:

  • is there another way to get the password?
  • redo using tmux

The following steps need to happen:

  1. a port needs to exist to listen for suconnect
  2. suconnect needs to be able to connect to this port
  3. this port needs to be able to send a string to suconnect
  4. suconnect needs to receive this string and, if correct, return the password to the next level

Mistakes made:

  1. the result you get from `nmap localhost` shows the ports that are already open and listening. This means they are already occupied, so you cannot bind a new listener on them.

```
bandit20@bandit:~$ nmap localhost

Starting Nmap 7.40 ( https://nmap.org ) at 2022-01-02 19:59 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00037s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
113/tcp   open  ident
30000/tcp open  ndmps

Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
```

FIRST MISTAKE: thinking this meant that I should use these ports.

RED HERRING: port 22 does respond.

Attempts

  1. Trying a reserved port

```
bandit20@bandit:~$ nc -lp 500
Can't grab 0.0.0.0:500 with bind : Permission denied
```

  • because reserved

  2. Trying a random port: 5000

```
bandit20@bandit:~$ nmap localhost

Starting Nmap 7.40 ( https://nmap.org ) at 2022-01-02 20:57 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00032s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
113/tcp   open  ident
5000/tcp  open  upnp
30000/tcp open  ndmps
```

  3. Trying a random port: 4000

```
bandit20@bandit:~$ nmap localhost

Starting Nmap 7.40 ( https://nmap.org ) at 2022-01-02 21:16 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00025s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
113/tcp   open  ident
4000/tcp  open  remoteanything
30000/tcp open  ndmps
```

The open port for service remoteanything sounded promising, so I ran `bandit20@bandit:~$ ./suconnect 4000`.

Typed in `GbKksEFF4yrVs6il55v6gwY5aVje5f0j` on the nc listener side.

The response: `gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr`, aka the next password!

Other Ways to Solve This?

  • decided to try using echo to send the password on the same command line that sets up the listening port.

```
bandit20@bandit:~$ echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | nc -lp 4000
```
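The four steps listed above, as an added example rather than code from the original post: a Python model of the exchange on localhost, where the listener plays the `nc -lp 4000` role and speaks first, and the client plays the `./suconnect` role, checking that string before answering; both passwords are constructed placeholders.

```python
import socket
import threading

# Constructed placeholders for the two passwords involved in the exchange.
CURRENT_PASSWORD = "example-bandit20-password"
NEXT_PASSWORD = "example-bandit21-password"


def suconnect(port):
    """Client side (the role ./suconnect plays): connect to the listener, read
    one line, and answer with the next password only if it is the current one."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as conn:
        line = conn.makefile("r").readline().strip()
        answer = NEXT_PASSWORD if line == CURRENT_PASSWORD else "Wrong!"
        conn.sendall((answer + "\n").encode())
        return line


def run_exchange(sent_by_listener):
    """Listener side (the role 'nc -lp 4000' plays) plus the client, on one
    host. Binds port 0 so the kernel picks a free unprivileged port, unlike
    'nc -lp 500', which needs root. Returns what the listener got back."""
    # Note: "remoteanything" in the nmap output above is only the name nmap's
    # services table gives port 4000; without -sV nmap does not probe the listener.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    got_back = []

    def listener():
        conn, _ = srv.accept()
        with conn:
            conn.sendall((sent_by_listener + "\n").encode())  # listener speaks first
            got_back.append(conn.makefile("r").readline().strip())

    t = threading.Thread(target=listener)
    t.start()
    suconnect(port)
    t.join()
    srv.close()
    return got_back[0]
```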

Questions

  • What type of service was I using? I can't figure this out because I don't have lsof permissions.

What I know

Summary

#SSL #SSH #NC #nmap #bandit #overthewire #linux #cli

Level 13 -> 14

In this level, we were given: "a private SSH key that can be used to log into the next level"

Upon examination, there was an RSA key in the file sshkey.private. The goal is to use this key to log in to the next level.

What is immediately different about how we are asked to log in here vs previous levels?

  • Previously, we had to exit the connection and SSH into the server using the next username and password. This time, we must use the next username and RSA key.

To log in using a private SSH key, we use: `ssh -i sshkey.private bandit14@localhost`

We are staying on the same server (localhost) so we don't need to specify the port number.

Level 14 -> 15

We are asked to submit data to port 30000 on localhost in order to retrieve the next password.

The utility nc (netcat) allows us to "read or write data across network connections using the TCP or UDP protocols". The basic syntax is: `nc [options] host port`

The data we needed to send is a file called bandit14, so we used `less bandit14 | nc localhost 30000` to solve this level.

QUESTION: Can I log into LV15 from within the server?

Yes! It worked to use `ssh bandit15@localhost`! Yay for learning to be more efficient!

Level 15 -> 16

In this level, we are asked to submit "the password of the current level to port 30001 on localhost using SSL encryption".

Tools to explore: openssl, s_client

s_client will connect to "a remote host using SSL/TLS."

QUESTION: why does it specify that it connects to a remote host? What about connecting to a service on localhost?

What I tried (unsuccessful):

`openssl s_client -connect localhost:30001`

I knew this wouldn't work because I wasn't sending the password. But it did say CONNECTED. Unfortunately, it kept waiting for something and I wasn't sure how to interpret this, so I looked up a hint online. It turns out it was waiting for a password! There was no password prompt, so I didn't think to try sending any input. Had I tried sending anything at all, I would have received a wrong password message and realized what was happening!

LESSON LEARNED: TRY EVERYTHING!!!

The answer turned out to be: `echo "$PASS" | openssl s_client -connect localhost:30001` (with the password string saved in $PASS, piped to s_client's standard input so it is sent over the connection)

Level 16 -> 17

In this level, we have to (1) scan for open ports for a server that listens to SSL and then (2) forward the response credentials to login to the next level.

I used `nmap -p 31000-32000 localhost` to scan the ports on localhost between 31000-32000 (the range given in the instructions). This returned only 5 active ports (yay!):

```
Starting Nmap 7.40 ( https://nmap.org ) at 2021-12-31 02:52 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00033s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
31046/tcp open  unknown
31518/tcp open  unknown
31691/tcp open  unknown
31790/tcp open  unknown
31960/tcp open  unknown
```

Then I manually attempted an openssl s_client connection to each port to see if there would be a response.

I found that port 31790 responded with the credentials (an RSA key). I then created a temporary file containing this key and attempted to SSH into the next level using the method from a few levels back: `ssh -i lumpo.private bandit17@localhost`

Unfortunately, this did not work because I got this warning back:

```
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'lumpo.private' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
```

So now my options are to either (1) set permissions for my temporary file so that it is not accessible by others, or (2) find a way to forward the credentials automatically when they are returned from the server.

Trying (1) first:

`chmod 600 /tmp/lumpo.private` restricts my file so that the owner (me) can read and write it but nobody else can. I retried ssh with the private key after adding this permission restriction, and success!
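The permission check that produced the warning above and the chmod 600 fix, as an added example in Python rather than code from the original post: the rule it applies is the core of OpenSSH's own check (a key file you own is refused when any group or other permission bit is set), and the key text and file name are constructed placeholders.

```python
import os
import stat
import tempfile

# Constructed stand-in for the key text; not a real key.
FAKE_KEY = "-----BEGIN RSA PRIVATE KEY-----\n(placeholder)\n-----END RSA PRIVATE KEY-----\n"


def key_perms_ok(path):
    """The core of OpenSSH's check: a key file you own is refused when any
    group or other permission bit is set, which is exactly what 0644 triggers."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & 0o077) == 0


def warning_for(path):
    """Text in the shape of the ssh warning from the post, or None when accepted."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if key_perms_ok(path):
        return None
    return f"Permissions {mode:04o} for '{os.path.basename(path)}' are too open."


def lock_down(path):
    """The fix used in the post: chmod 600, owner read/write only."""
    os.chmod(path, 0o600)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Create a temporary key file with the 0644 mode the post hit, check it,
    fix it, check again. Returns (warning before, mode after, warning after)."""
    with tempfile.NamedTemporaryFile("w", suffix=".private", delete=False) as f:
        f.write(FAKE_KEY)
        path = f.name
    os.chmod(path, 0o644)
    before = warning_for(path)
    mode_after = lock_down(path)
    after = warning_for(path)
    os.unlink(path)
    return before, mode_after, after
```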

What could I have done better?

Instead of manually testing each listening port with openssl s_client, I should have figured out how to automate it because testing manually would not work for a large pool of ports.