Level 17

Level Goal

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

Commands you may need to solve this level

ssh, telnet, nc, openssl, s_client, nmap

Helpful Reading Material

Port scanner on Wikipedia

Once logged in as the bandit16 user, we can use nmap to scan the port range given in the level description:

bandit16@bandit:~$ nmap -sV -T4 -p 31000-32000 127.0.0.1 | grep ssl
31518/tcp open  ssl/echo
31790/tcp open  ssl/unknown

We get 2 ports: 31518 and 31790. nmap identifies 31518 as ssl/echo, which matches the servers that simply send back whatever they receive, so based on the scan results we can assume that 31790 is the right port and send it the current level's password:

bandit16@bandit:~$ echo "cluFn7wTiGryunymYOu4RcffSxQluehd" | openssl s_client -connect localhost:31790 -ign_eof
CONNECTED(00000003)
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
---
Certificate chain
 0 s:/CN=localhost
   i:/CN=localhost
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/CN=localhost
issuer=/CN=localhost
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1019 bytes and written 269 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: E2AF16A2723D66DC528EAC57AE8AE9C8D187F7C8537008EC37CB560664E2067D
    Session-ID-ctx:
    Master-Key: 14420085FFDE816E67EE1F85685F20C3B980D8754C9C7FAAC5FC8A39ED93F0F548F44F5D445A5E5E5391CCEC3BA80CF7
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1647188215
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: yes
---
Correct!
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

closed

We obtain a private key which, as in level 14, will let us log in to the next level.
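
The three questions from the level goal (which ports listen, which speak SSL/TLS, which only echo) can also be answered without nmap. The Python sketch below is an added example, not part of the original write-up: `classify_port`, `scan` and the `PROBE` marker are names chosen here, and it sends a constructed probe string rather than the level password.

```python
import socket
import ssl

# Constructed marker for probing; never send a real credential while classifying.
PROBE = b"probe-not-a-password\n"


def exchange(sock, timeout):
    """Send PROBE and return the first reply, or b"" on error/timeout."""
    sock.settimeout(timeout)
    try:
        sock.sendall(PROBE)
        return sock.recv(4096)
    except OSError:  # covers timeouts, resets and ssl.SSLError
        return b""


def classify_port(host, port, timeout=1.0):
    """Return (state, transport, behaviour) for one TCP port."""
    # The lab servers use self-signed certificates (verify error 18 in the
    # transcript), so verification is disabled for this classification probe only.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return ("closed", None, None)
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            reply, transport = exchange(tls, timeout), "tls"
    except OSError:
        # TLS handshake failed: reconnect and retry the probe in plaintext.
        raw.close()
        try:
            with socket.create_connection((host, port), timeout=timeout) as plain:
                reply, transport = exchange(plain, timeout), "plain"
        except OSError:
            return ("open", "unknown", None)
    behaviour = "echo" if reply == PROBE else "other"
    return ("open", transport, behaviour)


def scan(host, ports, timeout=1.0):
    """Classify each port; keep only those that accepted a TCP connection."""
    results = {p: classify_port(host, p, timeout) for p in ports}
    return {p: r for p, r in results.items() if r[0] == "open"}
```

Calling `scan("127.0.0.1", range(31000, 32001))` on the level host would list each open port with its transport and behaviour; a port reported as `("open", "tls", "other")` is the candidate to which the password is then submitted with `openssl s_client` as shown above.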