This level asks us to find open ports between 31000 and 32000 and figure out which ones are listening. Once we find the open ports, we need to submit the current level password in order to get the next one. We’re told that some of the services will simply repeat whatever we send them, but the real one will give us the next password. Additionally, some of them are using SSL. Based on the hint, we seem to be intended to port scan the box. However, given that we already have command line access, it seems to be much easier to use netstat (note: I realize that the normal net-tools have been deprecated, but I can’t be arsed to look up the replacement commands at the moment, or to even check whether this box has them installed):

bandit16@bandit:~$ netstat -A inet -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:31960                 *:*                     LISTEN
tcp        0      0 *:31518                 *:*                     LISTEN
tcp        0      0 127.0.0.11:36319        *:*                     LISTEN
tcp        0      0 *:31046                 *:*                     LISTEN
tcp        0      0 *:31691                 *:*                     LISTEN
tcp        0      0 *:2220                  *:*                     LISTEN
tcp        0      0 *:31790                 *:*                     LISTEN
tcp        0      0 *:30000                 *:*                     LISTEN
tcp        0      0 *:30001                 *:*                     LISTEN
tcp        0      0 *:auth                  *:*                     LISTEN
tcp        0      0 *:30002                 *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
udp        0      0 127.0.0.11:48614        *:*
bandit16@bandit:~$

Alright, so now we know which ports are open. Let’s connect to them and see what we can find.

bandit16@bandit:~$ telnet 127.0.0.1 31960
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
XXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXX

Nope

bandit16@bandit:~$ telnet 127.0.0.1 31518
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
XXXXXXXXXXXXXXXXXXXXX
ERROR
140737354053280:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:351:
Connection closed by foreign host.
bandit16@bandit:~$

Looks like we’ve found one using SSL (that is an OpenSSL error message, so the service expects a TLS handshake rather than plain text).

bandit16@bandit:~$ openssl s_client -ign_eof -connect 127.0.0.1:31518
CONNECTED(00000003)
depth=0 CN = a9678380ab81
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = a9678380ab81
verify return:1
---
Certificate chain
 0 s:/CN=a9678380ab81
   i:/CN=a9678380ab81
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/CN=a9678380ab81
issuer=/CN=a9678380ab81
---
No client certificate CA names sent
---
SSL handshake has read 1682 bytes and written 637 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: D027A3F5BC416F4792E6B4B2822B43D9C456A8FF6BEEF4C9A389F11EEF18D1C4
    Session-ID-ctx:
    Master-Key: 60DEB19DC1872EF939F8E2D83E85BC410CA191A3D936D896813FA38152739EEEE861588781E3258320F5A273948E2A0B
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1504830754
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
XXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXX


^C

Narp.

Many attempts later:

bandit16@bandit:~$ openssl s_client -ign_eof -connect 127.0.0.1:XXXXXX
CONNECTED(00000003)
depth=0 CN = a9678380ab81
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = a9678380ab81
verify return:1
---
Certificate chain
 0 s:/CN=a9678380ab81
   i:/CN=a9678380ab81
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/CN=a9678380ab81
issuer=/CN=a9678380ab81
---
No client certificate CA names sent
---
SSL handshake has read 1682 bytes and written 637 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 7B3086995FFE2B6D2F18ADC3D9748A14022EE9730552666C56760F18F77B964C
    Session-ID-ctx:
    Master-Key: C9F1B24A5600937DDF8A737560DF51D105045A67D2599A95A1A05F82EB05D01532CA559CFE6D2A3AD8CD0666301C345E
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1504830986
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
XXXXXXXXXXXXXXXXXXXXXXXX
Correct!
-----BEGIN RSA PRIVATE KEY-----
..... Contents of key
-----END RSA PRIVATE KEY-----

read:errno=0
bandit16@bandit:~$
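The whole procedure above (connect to each listening port, send the current password, tell the echo services apart from the real one, and retry over TLS where a plain connection gets an SSL error or no answer) can be automated. The script below is an added example and is not part of the original walkthrough or of the Bandit wargame; the password string, the port numbers and the two "lab" servers it starts in-process are constructed so that it runs offline. The TLS path disables certificate verification because the lab box presents a self-signed certificate (verify error 18 in the s_client output above); that is only acceptable inside an exercise like this one.

```python
"""Probe listening ports the way the Bandit 16 walkthrough does by hand:
connect, send the current password, classify the reply.

Added example, not from the original writeup. CURRENT_PASSWORD, the port
numbers and the lab servers started by start_lab_servers() are constructed.
"""
import socket
import ssl
import threading

CURRENT_PASSWORD = "constructed-password-not-real"  # stand-in for the level password
TIMEOUT = 2.0


def classify(password, reply):
    """Map a raw reply to one of the behaviours the writeup observes."""
    if b"Correct!" in reply:
        return "real"          # the service handing out the next credential
    if reply.strip() == password.encode():
        return "echo"          # service that repeats whatever it is sent
    if b"SSL" in reply or b"wrong version number" in reply:
        return "tls-required"  # answered a plaintext client with a TLS error, like 31518
    if b"Wrong!" in reply:
        return "rejected"
    return "unknown"


def probe(host, port, password=CURRENT_PASSWORD, use_tls=False):
    """Connect, send the password, return (label, reply_bytes)."""
    reply = b""
    try:
        sock = socket.create_connection((host, port), timeout=TIMEOUT)
    except OSError:
        return ("closed", reply)
    try:
        if use_tls:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False        # lab only: self-signed cert, no hostname to check
            ctx.verify_mode = ssl.CERT_NONE   # lab only: equivalent of ignoring verify error 18
            sock = ctx.wrap_socket(sock, server_hostname=host)
        sock.sendall((password + "\n").encode())
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break                         # peer closed, e.g. after sending the key
            reply += chunk
            if b"Correct!" not in reply and reply.strip() == password.encode():
                break                         # echo service never closes on its own
    except ssl.SSLError:
        return ("not-tls", reply)             # handshake failed: plaintext service
    except OSError:
        pass                                  # timeout or reset: classify what we have
    finally:
        sock.close()
    return (classify(password, reply), reply)


def scan(host, ports, password=CURRENT_PASSWORD):
    """Probe every port in plaintext, retry over TLS where that got nowhere."""
    results = {}
    for port in ports:
        label, reply = probe(host, port, password)
        if label in ("unknown", "tls-required"):
            tls_label, tls_reply = probe(host, port, password, use_tls=True)
            if tls_label not in ("not-tls", "closed"):
                label, reply = "tls:" + tls_label, tls_reply
        if label != "closed":
            results[port] = (label, reply)
    return results


# ---- constructed lab servers standing in for the ports on the Bandit box ----
def _serve(handler):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))                # ephemeral port on loopback only
    srv.listen(5)

    def loop():
        while True:
            conn, _ = srv.accept()
            with conn:
                handler(conn)

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def _echo_handler(conn):
    conn.settimeout(TIMEOUT)
    try:
        while chunk := conn.recv(4096):
            conn.sendall(chunk)
    except OSError:
        pass


def _real_handler(conn):
    conn.settimeout(TIMEOUT)
    try:
        line = conn.recv(4096)
    except OSError:
        return
    if line.strip() == CURRENT_PASSWORD.encode():
        conn.sendall(b"Correct!\n-----BEGIN RSA PRIVATE KEY-----\n"
                     b"constructed-placeholder-not-a-real-key\n"
                     b"-----END RSA PRIVATE KEY-----\n")
    else:
        conn.sendall(b"Wrong!\n")


def start_lab_servers():
    """Start one echo service and one 'real' service; returns their ports."""
    return _serve(_echo_handler), _serve(_real_handler)


def unused_port():
    """A loopback port that nothing is listening on (constructed 'closed' case)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    echo_port, real_port = start_lab_servers()
    for port, (label, reply) in scan("127.0.0.1", [echo_port, real_port, unused_port()]).items():
        print(port, label, reply[:40])
```

On the real box you would call `scan("127.0.0.1", range(31000, 32001))` with the actual level password; every port that does not answer a plaintext probe gets one TLS retry, which is the same fallback the writeup performs by hand with `openssl s_client`. Because an unresponsive port costs a full `TIMEOUT` before the retry, a thousand-port sweep is slow but deterministic, which is why the writeup's `netstat` shortcut is the better first step when you already have a shell.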