[bandit] bandit16 -> bandit17

Linux/bandit

by 해공학 (a student studying hacking) 2023. 6. 26. 06:47


Translation of the OverTheWire page

You can get the password for the next level by submitting the current password to a localhost port between 31000 and 32000. Only one server will hand you the credentials.

Put more plainly: send the current password to the localhost ports 31000 through 32000; only one server answers with the next level's credentials, and the decoys simply send back whatever you sent them.

 

 

What you need to know to solve this level

To solve this level you need to know the following.

 

nmap : https://halinstudy.tistory.com/46

localhost : https://halinstudy.tistory.com/34

private key, public key : https://halinstudy.tistory.com/42

 

Solving the level

First, let's use nmap to find which ports in the range are open (this is a TCP port scan, not a ping scan):

bandit16@bandit:~$ nmap localhost -p 31000-32000
Starting Nmap 7.80 ( https://nmap.org ) at 2023-06-25 21:13 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
31046/tcp open  unknown
31518/tcp open  unknown
31691/tcp open  unknown
31790/tcp open  unknown
31960/tcp open  unknown

That shows five open ports. Let's take them one at a time.

 

 

31046 :

bandit16@bandit:~$ openssl s_client -connect localhost:31046
CONNECTED(00000003)
  (omitted)
Early data was not sent
Verify return code: 0 (ok)
---

 

31518 : 

bandit16@bandit:~$ openssl s_client -connect localhost:31518
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = localhost
     (omitted)
    Max Early Data: 0
---
read R BLOCK
JQttfApK4SeyHwDlI9SXGR50qclOAil1
JQttfApK4SeyHwDlI9SXGR50qclOAil1

This one just echoes the password back. (One thing to watch when typing into openssl s_client interactively: a line that starts with Q closes the connection and one that starts with R renegotiates, so if your password begins with either letter, add -quiet or -ign_eof to turn those commands off.)

 

31691 : 

bandit16@bandit:~$ openssl s_client -connect localhost:31691
CONNECTED(00000003)
   (omitted)
Early data was not sent
Verify return code: 0 (ok)
---

 

31790 : 

bandit16@bandit:~$ openssl s_client -connect localhost:31790
           (omitted)
    Max Early Data: 0
---
read R BLOCK
JQttfApK4SeyHwDlI9SXGR50qclOAil1
Correct!
-----BEGIN RSA PRIVATE KEY-----
(key omitted)
-----END RSA PRIVATE KEY-----

closed

This is the real one. Let's try to log in with the private key that port 31790 handed out.
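As an added example (my own script, not code from the original post or from OverTheWire), here is the port probing above done in one POSIX shell script. It assumes openssl and the coreutils timeout command are installed on the box and takes the current level's password as its argument; the host, port range, file names and the five-second probe limit are my choices, while "Correct!" and the PEM markers are the strings the real server returned above.

```shell
#!/bin/sh
# Added example, not part of the original post: automate the probing done by
# hand above. It sends the current password to every port in the level's range,
# skips ports that are closed or do not speak TLS, tells an echo decoy apart
# from the real server, and prints the private key the real server returns.
# Assumes openssl(1) and timeout(1) (coreutils) are installed, and that the
# current level's password is passed as the first argument.

HOST=localhost
FIRST_PORT=31000
LAST_PORT=32000
PROBE_SECONDS=5

# Send one line over TLS and print only what the server sends back.
# -quiet implies -ign_eof, so s_client neither treats a line starting with
# Q or R as its own quit/renegotiate command nor prints handshake chatter.
# Closed ports and plaintext ports fail the handshake and yield an empty
# reply; echo decoys never close the connection, hence the timeout.
probe_port() {
    port=$1
    secret=$2
    printf '%s\n' "$secret" |
        timeout "$PROBE_SECONDS" openssl s_client -quiet -connect "$HOST:$port" 2>/dev/null
}

# Classify a reply: decoys echo the line back, the real server answers
# "Correct!" followed by a PEM private key. Prints echo, credentials or other.
classify_reply() {
    secret=$1
    reply=$2
    case $reply in
        "Correct!"*"PRIVATE KEY-----"*) echo credentials ;;
        "$secret") echo echo ;;
        *) echo other ;;
    esac
}

# Print just the PEM block from a reply (any "BEGIN ... PRIVATE KEY" type).
extract_key() {
    printf '%s\n' "$1" |
        sed -n '/^-----BEGIN .*PRIVATE KEY-----$/,/^-----END .*PRIVATE KEY-----$/p'
}

# Walk the range; log each live TLS port to stderr, print the key to stdout.
find_credential_server() {
    secret=$1
    port=$FIRST_PORT
    while [ "$port" -le "$LAST_PORT" ]; do
        reply=$(probe_port "$port" "$secret" || true)
        if [ -n "$reply" ]; then
            kind=$(classify_reply "$secret" "$reply")
            echo "port $port: $kind" >&2
            if [ "$kind" = credentials ]; then
                extract_key "$reply"
                return 0
            fi
        fi
        port=$((port + 1))
    done
    echo "no server returned credentials" >&2
    return 1
}

# Usage: sh find_bandit17.sh '<bandit16 password>' > bandit17.key
if [ $# -gt 0 ]; then
    find_credential_server "$1"
fi
```

Run it as `sh find_bandit17.sh '<bandit16 password>' > bandit17.key`. Ports that are closed or speak plain TCP fail the TLS handshake and come back as empty replies, so only live TLS ports are logged; the echo decoys never close the connection, which is why each probe is capped by timeout.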

 

First, copy the private key; I'm going to paste it into a file under /tmp/lemon. After that you must change the file's permissions!! (ssh refuses to use a private key that other users can read, and with the usual default umask a file created in /tmp is readable by everyone on the box.)

bandit16@bandit:~$ mkdir /tmp/lemon
bandit16@bandit:~$ cd /tmp/lemon
bandit16@bandit:/tmp/lemon$ vi file
bandit16@bandit:/tmp/lemon$ ls
file
bandit16@bandit:/tmp/lemon$ cp file lemon
bandit16@bandit:/tmp/lemon$ ls
file  lemon
bandit16@bandit:/tmp/lemon$ rm file
bandit16@bandit:/tmp/lemon$ ls
lemon
bandit16@bandit:/tmp/lemon$ chmod 600 lemon

That's how I pasted the private key that came back into a file named lemon under /tmp/lemon.

 

Now all that's left is to hand the private key to ssh with -i, right?

bandit16@bandit:/tmp/lemon$ ssh -i lemon bandit17@localhost -p 2220
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can't be established.
        (omitted)

  For support, questions or comments, contact us on discord or IRC.

  Enjoy your stay!
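The file handling above works, but a file created with vi in the shared /tmp is world-readable until chmod runs, and mkdir /tmp/lemon fails if another player already owns that name. As an added example (my own script, not from the original post), this stores a pasted key the way ssh expects and then logs in; the use of mktemp, the directory and file names, and the PEM sanity check are my assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: store a private key pasted
# from the terminal the way ssh requires (a 0600 file inside a 0700 directory)
# rather than as a world-readable file in the shared /tmp, then log in with it.
# Assumes mktemp(1), find(1) and grep(1); the names below are my own choices.

# Read a key from the file named in $1 ("-" for stdin), write it into a fresh
# private directory, check the result and print the path of the key file.
save_key() {
    src=$1
    # mktemp -d creates the directory mode 0700 under a name nobody else
    # holds, so other players on the same box can neither collide nor read it.
    dir=$(mktemp -d "${TMPDIR:-/tmp}/bandit17key.XXXXXX") || return 1
    keyfile=$dir/id_bandit17
    # umask 077 makes the new file 0600 from the moment it exists; the
    # subshell keeps the umask change from leaking into the caller's shell.
    ( umask 077
      if [ "$src" = - ]; then cat; else cat "$src"; fi > "$keyfile" ) ||
        { rm -rf "$dir"; return 1; }
    # A pasted key that lost its BEGIN/END lines is useless to ssh; fail early.
    if ! grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$keyfile"; then
        echo "input does not look like a PEM private key" >&2
        rm -rf "$dir"
        return 1
    fi
    # ssh ignores a key that group or others can read; verify both modes.
    [ -n "$(find "$keyfile" -perm 600)" ] || { rm -rf "$dir"; return 1; }
    [ -n "$(find "$dir" -prune -perm 700)" ] || { rm -rf "$dir"; return 1; }
    printf '%s\n' "$keyfile"
}

# Log in to the next level with the key; the game's ssh service is on port 2220.
login_with_key() {
    ssh -i "$1" -p 2220 bandit17@localhost
}

# Usage: sh save_key.sh pasted_key.txt   (or pipe the key on stdin with "-")
if [ $# -gt 0 ]; then
    keyfile=$(save_key "$1") && login_with_key "$keyfile"
fi
```

Paste the key into a file and run `sh save_key.sh pasted_key.txt`, or pipe it on stdin with `-`. Delete the directory when you are done, since /tmp on the game server is shared with other players.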

 

Now we just need to find where the password is...

Remember what we did back in bandit14?

The password for bandit14 was in /etc/bandit_pass/bandit14...

Let's use that hint to find bandit17's password as well.

bandit17@bandit:~$ cd /etc/bandit_pass
bandit17@bandit:/etc/bandit_pass$ ls
bandit0   bandit13  bandit18  bandit22  bandit27  bandit31  bandit6
bandit1   bandit14  bandit19  bandit23  bandit28  bandit32  bandit7
bandit10  bandit15  bandit2   bandit24  bandit29  bandit33  bandit8
bandit11  bandit16  bandit20  bandit25  bandit3   bandit4   bandit9
bandit12  bandit17  bandit21  bandit26  bandit30  bandit5
bandit17@bandit:/etc/bandit_pass$ cat bandit17
VwOSWtCA7lRKkTfbr2IDh6awj9RNZM5e

The password for bandit17 is VwOSWtCA7lRKkTfbr2IDh6awj9RNZM5e!!
