
Bandit:Level 13 - Level 20

chanchand 2023. 9. 12. 09:19

Level13

- Hint

The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on

 

- ssh command

Specifying the private key with the -i option lets you connect to the server.

 

bandit13@bandit:~$ ls
sshkey.private
bandit13@bandit:~$ cat sshkey.private
-----BEGIN RSA PRIVATE KEY-----
.
.
.
qT1EvQKBgQDKm8ws2ByvSUVs9GjTilCajFqLJ0eVYzRPaY6f++Gv/UVfAPV4c+S0
kAWpXbv5tbkkzbS0eaLPTKgLzavXtQoTtKwrjpolHKIHUz6Wu+n4abfAIRFubOdN
/+aLoRQ0yBDRbdXMsZN/jvY44eM+xRLdRVyMmdPtP8belRi2E2aEzA==
-----END RSA PRIVATE KEY-----

bandit13@bandit:~$ cat /etc/bandit_pass/bandit14
cat: /etc/bandit_pass/bandit14: Permission denied

bandit13@bandit:~$ ssh -i sshkey.private bandit14@bandit.labs.overthewire.org -p 2220
The authenticity of host '[bandit.labs.overthewire.org]:2220 ([127.0.0.1]:2220)' can't be established.
.
.
.
  For support, questions or comments, contact us on discord or IRC.

  Enjoy your stay!

bandit14@bandit:~$ 
bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
fGrHPx402xGC7U7rXKDaxiWFTOiF0ENq
fGrHPx402xGC7U7rXKDaxiWFTOiF0ENq

 

 

Level14

- Hint

The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

 

- Commands

telnet [host] [port]

nc [host] [port]

 

bandit14@bandit:~/.ssh$ ssh -p 30000 localhost
kex_exchange_identification: Connection closed by remote host
Connection closed by 127.0.0.1 port 30000

bandit14@bandit:~/.ssh$ nc localhost 30000
fGrHPx402xGC7U7rXKDaxiWFTOiF0ENq 
Correct!
jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt


bandit14@bandit:~/.ssh$ telnet localhost 30000
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
fGrHPx402xGC7U7rXKDaxiWFTOiF0ENq
Correct!
jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt

Connection closed by foreign host.
jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt

 

 

Level15

- Hint

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…

 

- openssl

A library that implements the SSL/TLS protocols.

s_client : lets you view a web server's SSL certificate information

s_client options

  -connect [host]:[port]

 

bandit15@bandit:~$ openssl s_client -connect localhost:30001
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = localhost
.
.
.
---
read R BLOCK
jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt
Correct!
JQttfApK4SeyHwDlI9SXGR50qclOAil1

closed
JQttfApK4SeyHwDlI9SXGR50qclOAil1

 

 

Level16

- Hint

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

 

- nmap options

The -p option specifies a range of ports to scan.

Connecting to port 31790 returns an RSA private key;

save this key and use it when connecting to bandit17.

The key file's permissions must be restricted (chmod) before connecting, or ssh refuses to load it.
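The permission rule that ssh enforces on the key file above, reproduced as an added Python example (this is not code from the original post or from OpenSSH): any group or world access bit on a private key makes it "too open". The key text and file names are constructed placeholders.

```python
import os
import stat
import tempfile

# OpenSSH refuses a private key that group or others can access; that is the
# "Permissions 0664 for 'key' are too open" error shown on the page.
GROUP_OR_OTHER = stat.S_IRWXG | stat.S_IRWXO  # 0o077


def key_file_is_private(path: str) -> bool:
    """True if only the file owner has any access bits (0600, 0400, ...)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & GROUP_OR_OTHER) == 0


def write_key_file(directory: str, name: str, pem_text: str, mode: int) -> str:
    """Write key material and leave the file at exactly `mode`.

    The file is created 0600 first, so the key is never group- or
    world-readable on disk even briefly; saving it with vi and running
    chmod afterwards, as on the page, leaves a short 0664 window."""
    path = os.path.join(directory, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(pem_text)
    os.chmod(path, mode)
    return path


def demo() -> dict:
    """Create copies of a placeholder key with different modes and report
    which of them ssh would agree to load (True = accepted)."""
    # Constructed placeholder text, not a real key.
    fake_pem = "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"
    with tempfile.TemporaryDirectory() as tmp:
        results = {}
        for mode in (0o664, 0o600, 0o400):
            path = write_key_file(tmp, f"key_{mode:o}", fake_pem, mode)
            results[f"{mode:04o}"] = key_file_is_private(path)
        return results


if __name__ == "__main__":
    for mode, ok in demo().items():
        print(f"{mode}: {'accepted' if ok else 'too open'}")
```

chmod 400 (owner read-only) and chmod 600 both pass the check; 0664 fails because the group read bit is set.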

 

bandit16@bandit:~$ nmap -p 31000-32000 localhost
Starting Nmap 7.80 ( https://nmap.org ) at 2023-07-11 03:31 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00017s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
31046/tcp open  unknown
31518/tcp open  unknown
31691/tcp open  unknown
31790/tcp open  unknown
31960/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds

bandit16@bandit:~$ openssl s_client -connect localhost:31790
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = localhost
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN = localhost
verify error:num=10:certificate has expired
notAfter=Jul 10 09:52:42 2023 GMT
verify return:1
depth=0 CN = localhost
notAfter=Jul 10 09:52:42 2023 GMT
verify return:1
---
Certificate chain
 0 s:CN = localhost
   i:CN = localhost
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA1
   v:NotBefore: Jul 10 09:51:42 2023 GMT; NotAfter: Jul 10 09:52:42 2023 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
.
.
.
-----END CERTIFICATE-----
subject=CN = localhost
issuer=CN = localhost
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1339 bytes and written 373 bytes
Verification error: certificate has expired
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 10 (certificate has expired)
---
.
.
.
---
read R BLOCK
JQttfApK4SeyHwDlI9SXGR50qclOAil1
Correct!
-----BEGIN RSA PRIVATE KEY-----
.
.
.
-----END RSA PRIVATE KEY-----

closed

bandit16@bandit:/tmp/key$ vi key # RSA PRIVATE KEY
bandit16@bandit:/tmp/key$ ssh -i key bandit17@localhost -p 2220
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can't be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/home/bandit16/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/home/bandit16/.ssh/known_hosts).
                         _                     _ _ _   
                        | |__   __ _ _ __   __| (_) |_ 
                        | '_ \ / _` | '_ \ / _` | | __|
                        | |_) | (_| | | | | (_| | | |_ 
                        |_.__/ \__,_|_| |_|\__,_|_|\__|
                                                       

                      This is an OverTheWire game server. 
            More information on http://www.overthewire.org/wargames

!!! You are trying to log into this SSH server with a password on port 2220 from localhost.
!!! Connecting from localhost is blocked to conserve resources.
!!! Please log out and log in again.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0664 for 'key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "key": bad permissions
bandit17@localhost: Permission denied (publickey).

bandit16@bandit:/tmp/key$ chmod 400 key
bandit16@bandit:/tmp/key$ ssh -i key bandit17@localhost -p 2220
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can't be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/home/bandit16/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/home/bandit16/.ssh/known_hosts).
                         _                     _ _ _   
                        | |__   __ _ _ __   __| (_) |_ 
                        | '_ \ / _` | '_ \ / _` | | __|
                        | |_) | (_| | | | | (_| | | |_ 
                        |_.__/ \__,_|_| |_|\__,_|_|\__|
                                                       

.
.
.
  Enjoy your stay!

bandit17@bandit:~$
bandit17@bandit:/etc/bandit_pass$ cat bandit17
VwOSWtCA7lRKkTfbr2IDh6awj9RNZM5e
VwOSWtCA7lRKkTfbr2IDh6awj9RNZM5e

 

 

Level17

- Hint

There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new

NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19

 

- diff

Prints the differences between two files.

Line 42 of the new file and line 42 of the old file are printed (the < line comes from the first argument, passwords.new, and the > line from the second, passwords.old):

42c42
< hga5tuuCLF6fFzUpnagiMN8ssu9LFrdg
---
> glZreTEH1V3cGKL6g4conYqZqaEj0mte
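The same "find the one changed line" step, as an added Python example (not code from the original post): it uses difflib to locate a single replaced line, the equivalent of the 42c42 hunk, and takes the password from the new file whichever order the two files are compared in. The two password lists are constructed samples that differ only at line 3.

```python
import difflib
from typing import List, Optional, Tuple

# Constructed sample files (the page's passwords.old/passwords.new differ
# only at line 42; these differ only at line 3).
PASSWORDS_OLD: List[str] = [
    "aaaa0000aaaa0000aaaa0000aaaa0000",
    "bbbb1111bbbb1111bbbb1111bbbb1111",
    "oldoldoldoldoldoldoldoldoldold22",
    "dddd3333dddd3333dddd3333dddd3333",
    "eeee4444eeee4444eeee4444eeee4444",
]
PASSWORDS_NEW: List[str] = list(PASSWORDS_OLD)
PASSWORDS_NEW[2] = "newnewnewnewnewnewnewnewnewnew22"


def changed_line(first: List[str], second: List[str]) -> Optional[Tuple[int, str, str]]:
    """Return (1-based line number, line in `first`, line in `second`) when
    exactly one line was replaced, i.e. when diff(1) would print a single
    'NcN' hunk with one '<' line and one '>' line. Returns None otherwise."""
    matcher = difflib.SequenceMatcher(a=first, b=second, autojunk=False)
    edits = [op for op in matcher.get_opcodes() if op[0] != "equal"]
    if len(edits) != 1:
        return None
    tag, i1, i2, j1, j2 = edits[0]
    if tag != "replace" or (i2 - i1, j2 - j1) != (1, 1):
        return None
    return i1 + 1, first[i1], second[j1]


def next_password(old: List[str], new: List[str]) -> Optional[str]:
    """The next password is the changed line as it appears in the *new*
    file; pass the files in old, new order and read the second element."""
    hit = changed_line(old, new)
    return hit[2] if hit else None


if __name__ == "__main__":
    print(changed_line(PASSWORDS_OLD, PASSWORDS_NEW))
    print(next_password(PASSWORDS_OLD, PASSWORDS_NEW))
```

Swapping the argument order swaps which value sits in the '<' position, exactly as with diff on the page, so the caller must know which file is the new one; a file pair with two or more differing lines returns None rather than guessing.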

 

bandit17@bandit:~$ ls
passwords.new  passwords.old
bandit17@bandit:~$ diff passwords.new passwords.old
42c42
< hga5tuuCLF6fFzUpnagiMN8ssu9LFrdg
---
> glZreTEH1V3cGKL6g4conYqZqaEj0mte

# hga5tuuCLF6fFzUpnagiMN8ssu9LFrdg
Byebye !
Connection to bandit.labs.overthewire.org closed.
hga5tuuCLF6fFzUpnagiMN8ssu9LFrdg

 

 

 

Level18

- Hint

The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

 

-> The password is stored in the readme file, but the modified .bashrc makes an interactive SSH login impossible.

 

- Running a remote command over ssh

If you append the command you want to run to the ssh connection command, that command is executed on the remote host.

 

ssh bandit18@bandit.labs.overthewire.org -p 2220 ls -al

total 24
drwxr-xr-x  2 root     root     4096 Apr 23 18:04 .
drwxr-xr-x 70 root     root     4096 Apr 23 18:05 ..
-rw-r--r--  1 root     root      220 Jan  6  2022 .bash_logout
-rw-r-----  1 bandit19 bandit18 3794 Apr 23 18:04 .bashrc
-rw-r--r--  1 root     root      807 Jan  6  2022 .profile
-rw-r-----  1 bandit19 bandit18   33 Apr 23 18:04 readme

ssh bandit18@bandit.labs.overthewire.org -p 2220 cat readme
awhqfNnAbc1naukrpqDYcF95h7HoMTrC
awhqfNnAbc1naukrpqDYcF95h7HoMTrC

 

 

Level19

- Hint

To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

 

- setuid

Runs the file with the privileges of its owner.

Running ./bandit20-do therefore executes it with the privileges of its owner, bandit20.

 

bandit19@bandit:~$ ls -al
total 36
drwxr-xr-x  2 root     root      4096 Apr 23 18:04 .
drwxr-xr-x 70 root     root      4096 Apr 23 18:05 ..
-rwsr-x---  1 bandit20 bandit19 14876 Apr 23 18:04 bandit20-do
-rw-r--r--  1 root     root       220 Jan  6  2022 .bash_logout
-rw-r--r--  1 root     root      3771 Jan  6  2022 .bashrc
-rw-r--r--  1 root     root       807 Jan  6  2022 .profile

bandit19@bandit:~$ ./bandit20-do
Run a command as another user.
  Example: ./bandit20-do id

bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
VxCazJaVykI6W36BkBU0mJTCM8rR95XT
VxCazJaVykI6W36BkBU0mJTCM8rR95XT

 

 

Level20

- Hint

There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: Try connecting to your own network daemon to see if it works as you think

 

-> Because the setuid bit is set, running the suconnect file in the home directory executes it with bandit21 privileges

-> suconnect tries to connect to the port passed as its argument; when it receives the bandit20 password it returns the bandit21 password

 

- nc -l option

Opens the specified port in listen mode

bandit20@bandit:~$ ls
suconnect
bandit20@bandit:~$ ./suconnect
Usage: ./suconnect <portnumber>
This program will connect to the given port on localhost using TCP. If it receives the correct password from the other side, the next password is transmitted back.
bandit20@bandit:~$ ./suconnect 1234
Could not connect

 

# other terminal
bandit20@bandit:~$ nc -l -p 1234


bandit20@bandit:~$ ./suconnect 1234

# other terminal
bandit20@bandit:~$ nc -l -p 1234
VxCazJaVykI6W36BkBU0mJTCM8rR95XT
NvEJF7oVjkddltPSrdKEFOllh9V1IBcq

bandit20@bandit:~$ ./suconnect 1234
Read: VxCazJaVykI6W36BkBU0mJTCM8rR95XT
Password matches, sending next password
NvEJF7oVjkddltPSrdKEFOllh9V1IBcq
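The exchange shown above, both sides of it, as an added Python example (this is not the page's code and not the real suconnect binary): one function plays the nc -l listener that sends the current password and collects the reply, the other plays the connecting program that reads one line, compares it and answers. Level 14 is the same pattern with the roles reversed (the server on port 30000 does the comparing). The two password strings are constructed placeholders, and the port is chosen by the kernel instead of 1234.

```python
import hmac
import socket
import threading
from typing import List, Tuple

# Constructed placeholder secrets; the real ones are the bandit20 and
# bandit21 passwords shown on the page.
BANDIT20_PASSWORD = "constructed-bandit20-password-xxxx"
BANDIT21_PASSWORD = "constructed-bandit21-password-yyyy"


def suconnect_like(port: int, expected: str, next_secret: str, timeout: float = 5.0) -> str:
    """The setuid binary's role: connect to localhost:port, read one line,
    compare it with the expected password and, on a match, send the next
    password back. Returns the line that was read."""
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
        with s.makefile("r", encoding="utf-8") as rf:
            line = rf.readline().rstrip("\r\n")
        # Constant-time comparison so response timing does not reveal how many
        # leading characters matched. (A defender's choice for this demo; the
        # page does not say how the real binary compares.)
        if hmac.compare_digest(line.encode(), expected.encode()):
            s.sendall(b"Password matches, sending next password\n" + next_secret.encode() + b"\n")
        else:
            s.sendall(b"Wrong password\n")
    return line


def listener_role(listener: socket.socket, line_to_send: str, timeout: float = 5.0) -> List[str]:
    """The `nc -l -p 1234` terminal's role: accept one connection, send the
    current password, then collect every line sent back until the peer closes."""
    conn, _ = listener.accept()
    with conn:
        conn.settimeout(timeout)
        conn.sendall((line_to_send + "\n").encode())
        with conn.makefile("r", encoding="utf-8") as rf:
            return [ln.rstrip("\r\n") for ln in rf]


def run_exchange(line_to_send: str) -> Tuple[str, List[str]]:
    """Run both sides on an ephemeral loopback port and return
    (line the connecting side read, lines the listener got back)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: the kernel picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    replies: List[str] = []
    t = threading.Thread(target=lambda: replies.extend(listener_role(listener, line_to_send)))
    t.start()
    seen_by_client = suconnect_like(port, BANDIT20_PASSWORD, BANDIT21_PASSWORD)
    t.join(timeout=10)
    listener.close()
    return seen_by_client, replies


if __name__ == "__main__":
    print(run_exchange(BANDIT20_PASSWORD))
    print(run_exchange("not-the-password"))
```

Running it with the right password yields the "Password matches" line followed by the next secret on the listener side, as on the page; any other line gets "Wrong password" and nothing else, which is the behaviour to check when the hint says to try your own daemon first.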
