old notes

networking

#nmap #nc #localhost #networking

Re-write this page with steps vs reflections after redoing it using `tmux`

This level. Oh this level.

Things learned:

  1. what the results from nmap mean
  2. how to find the right port to use (reserved vs ephemeral ports)
  3. who sends the message and why?

How to learn more:

  • is there another way to get the password?
  • redo using tmux

The following steps need to happen:

  1. a port needs to exist to listen for suconnect
  2. suconnect needs to be able to connect to this port
  3. this port needs to be able to send a string to suconnect
  4. suconnect needs to receive this string and, if correct, return the password to the next level
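The four steps above as a runnable local simulation. This is an added example, not code from the notes or from the Bandit level: the `fake_suconnect` function is a stand-in written here for the real `suconnect` binary, the password strings are constructed placeholders, and the "WRONG" reply is this example's own wording. The listener binds to port 0 so the kernel hands it a free ephemeral port instead of one that is already in use.

```python
import socket
import threading

# Constructed placeholder values for this example (not the level's passwords).
CURRENT_PASSWORD = "current-password-placeholder"
NEXT_PASSWORD = "next-password-placeholder"


def serve_once(listener, line_to_send):
    """Step 1 and 3: accept one connection, send our string, return the reply.

    This is the role `nc -lp PORT` plays in the notes."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(line_to_send.encode() + b"\n")
        conn.shutdown(socket.SHUT_WR)  # we are done sending; wait for the answer
        reply = b""
        while True:
            chunk = conn.recv(4096)
            if not chunk:  # peer closed: full reply received
                break
            reply += chunk
    return reply.decode().strip()


def fake_suconnect(port, expected, next_password):
    """Step 2 and 4: stand-in for suconnect (hypothetical, not the real binary).

    Connects to the port, reads one line, and answers with the next password
    only if the line matches the expected current password."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        got = s.makefile("rb").readline().decode().strip()
        if got == expected:
            s.sendall(next_password.encode() + b"\n")
        else:
            s.sendall(b"WRONG\n")  # this example's own failure message


def run_exchange(password_to_send, expected=CURRENT_PASSWORD,
                 next_password=NEXT_PASSWORD):
    """Run listener and client against each other; return (port, reply)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.settimeout(5)
    listener.bind(("127.0.0.1", 0))  # port 0: kernel picks a free ephemeral port
    listener.listen(1)
    port = listener.getsockname()[1]

    result = {}
    t = threading.Thread(
        target=lambda: result.update(reply=serve_once(listener, password_to_send)))
    t.start()
    fake_suconnect(port, expected, next_password)  # the connection is queued
    t.join(timeout=5)
    listener.close()
    return port, result.get("reply")


if __name__ == "__main__":
    port, reply = run_exchange(CURRENT_PASSWORD)
    print(f"listened on ephemeral port {port}, suconnect replied: {reply}")
    print("wrong password reply:", run_exchange("not-the-password")[1])
```

Because the listener sends first and `suconnect` answers, the "who sends the message" question from the learnings is settled by the order of `sendall` calls: the listening side speaks first, the connecting side only replies.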

Mistakes made:

  1. the result you get from nmap localhost shows the ports that are open and listening. This means they are already occupied by another process and cannot be used to bind a new listening socket.

```
bandit20@bandit:~$ nmap localhost

Starting Nmap 7.40 ( https://nmap.org ) at 2022-01-02 19:59 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00037s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
113/tcp   open  ident
30000/tcp open  ndmps

Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
```

FIRST MISTAKE: thinking this meant that I should use these ports.

RED HERRING: The port 22 does respond.
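Reading the scan the other way round: the open ports are the ones to avoid, and the candidate for `nc -lp` is a port above 1023 that is not in that list. The following is an added example (not from the notes) that parses the `nmap localhost` output above, flags privileged ports (below 1024, which need root to bind, hence the "Permission denied" on port 500 later in the notes), and picks the first free port from 4000 upwards. One caveat worth knowing when reading the SERVICE column: without `-sV`, nmap prints the name it associates with the port number, not what is actually listening, which is why a plain `nc` listener on 4000 shows up as "remoteanything".

```python
import re

# Sample input, copied from the `nmap localhost` run in these notes.
NMAP_OUTPUT = """\
Starting Nmap 7.40 ( https://nmap.org ) at 2022-01-02 19:59 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00037s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
113/tcp   open  ident
30000/tcp open  ndmps

Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
"""

# One port line: "<port>/<proto>  <state>  <service>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.MULTILINE)

PRIVILEGED_LIMIT = 1024  # ports below this need root to bind on Linux


def parse_open_ports(output):
    """Return {port: service_name} for every TCP port nmap lists as open.

    The service name is nmap's table lookup for the port number, not a
    detected service, so treat it as a label only."""
    return {
        int(port): service
        for port, proto, state, service in PORT_LINE.findall(output)
        if proto == "tcp" and state == "open"
    }


def is_privileged(port):
    """True for reserved ports that an unprivileged user cannot bind."""
    return port < PRIVILEGED_LIMIT


def pick_listen_port(open_ports, start=4000, end=65535):
    """First port in [start, end] that is neither privileged nor already open.

    Mirrors the manual choice in the notes (4000 worked, 500 did not)."""
    for port in range(max(start, PRIVILEGED_LIMIT), end + 1):
        if port not in open_ports:
            return port
    raise RuntimeError("no free port in range")


if __name__ == "__main__":
    busy = parse_open_ports(NMAP_OUTPUT)
    print("occupied:", busy)
    print("port 500 privileged?", is_privileged(500))
    print("use nc -lp", pick_listen_port(busy))
```

A port the kernel reports as open is already bound by some process; `nc -lp` on it fails with "Address already in use", which is the same class of mistake as the privileged-port bind failure, just with a different error.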

Attempts

  1. Trying a reserved port

```
bandit20@bandit:~$ nc -lp 500
Can't grab 0.0.0.0:500 with bind : Permission denied
```

  • because port 500 is below 1024, and binding one of those reserved ports needs root

  2. Trying a random port: 5000

```
bandit20@bandit:~$ nmap localhost

Starting Nmap 7.40 ( https://nmap.org ) at 2022-01-02 20:57 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00032s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
113/tcp   open  ident
5000/tcp  open  upnp
30000/tcp open  ndmps
```

  3. Trying a random port: 4000

```
bandit20@bandit:~$ nmap localhost

Starting Nmap 7.40 ( https://nmap.org ) at 2022-01-02 21:16 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00025s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
113/tcp   open  ident
4000/tcp  open  remoteanything
30000/tcp open  ndmps
```

The open port for service remoteanything sounded promising so I used the command:

```
bandit20@bandit:~$ ./suconnect 4000
```

Typed in GbKksEFF4yrVs6il55v6gwY5aVje5f0j from the nc port.

The response: gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr aka the next password!

Other Ways to Solve This?

  • decided to try to use echo to send the password in the same command line as setting up the listening port.

```
bandit20@bandit:~$ echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | nc -lp 4000
```

Questions

  • What type of service was I using? Can't figure this out because I don't have lsof permissions.

What I know

Summary