Wargames-Bandit-Level16

Date: 2022-12-03 01:33:28

Level 16

Level Goal

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

Solution

The task is to connect over SSL to an open, SSL-speaking port between 31000 and 32000, so scan the range directly:

bandit16@bandit:~$ nmap localhost -p 31000-32000
Starting Nmap 7.80 ( https://nmap.org ) at 2022-12-02 16:43 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
31046/tcp open  unknown
31518/tcp open  unknown
31691/tcp open  unknown
31790/tcp open  unknown
31960/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds

The scan finds 5 open ports, but it does not show whether they speak SSL, so scan these ports again with -sV added:

bandit16@bandit:~$ nmap localhost -sV -p 31046,31518,31691,31790,31960
Starting Nmap 7.80 ( https://nmap.org ) at 2022-12-02 16:46 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000090s latency).

PORT      STATE SERVICE     VERSION
31046/tcp open  echo
31518/tcp open  ssl/echo
31691/tcp open  echo
31790/tcp open  ssl/unknown
31960/tcp open  echo
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port31790-TCP:V=7.80%T=SSL%I=7%D=12/2%Time=638A2BE8%P=x86_64-pc-linux-g
SF:nu%r(GenericLines,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20cu
SF:rrent\x20password\n")%r(GetRequest,31,"Wrong!\x20Please\x20enter\x20the
SF:\x20correct\x20current\x20password\n")%r(HTTPOptions,31,"Wrong!\x20Plea
SF:se\x20enter\x20the\x20correct\x20current\x20password\n")%r(RTSPRequest,
SF:31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20current\x20password\
SF:n")%r(Help,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20current\x
SF:20password\n")%r(SSLSessionReq,31,"Wrong!\x20Please\x20enter\x20the\x20
SF:correct\x20current\x20password\n")%r(TerminalServerCookie,31,"Wrong!\x2
SF:0Please\x20enter\x20the\x20correct\x20current\x20password\n")%r(TLSSess
SF:ionReq,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20current\x20pa
SF:ssword\n")%r(Kerberos,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x
SF:20current\x20password\n")%r(FourOhFourRequest,31,"Wrong!\x20Please\x20e
SF:nter\x20the\x20correct\x20current\x20password\n")%r(LPDString,31,"Wrong
SF:!\x20Please\x20enter\x20the\x20correct\x20current\x20password\n")%r(LDA
SF:PSearchReq,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20current\x
SF:20password\n")%r(SIPOptions,31,"Wrong!\x20Please\x20enter\x20the\x20cor
SF:rect\x20current\x20password\n");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 98.27 seconds

The fingerprint directly reveals that port 31790 is checking a password, so just connect to it over SSL:

bandit16@bandit:~$ openssl s_client localhost:31790
.....
.....
.....
---
read R BLOCK
JQttfApK4SeyHwDlI9SXGR50qclOAil1
Correct!
-----BEGIN RSA PRIVATE KEY-----
.....
-----END RSA PRIVATE KEY-----

closed
bandit16@bandit:~$

Save the private key we received to a file under /tmp, then connect directly with ssh:

bandit16@bandit:~$ mkdir /tmp/111bbb
bandit16@bandit:~$ cd /tmp/111bbb/
bandit16@bandit:/tmp/111bbb$ vim 1.key
bandit16@bandit:/tmp/111bbb$ ssh -i 1.key bandit17@localhost -p 2220
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can't be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/home/bandit16/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/home/bandit16/.ssh/known_hosts).
                         _                     _ _ _   
                        | |__   __ _ _ __   __| (_) |_ 
                        | '_ \ / _` | '_ \ / _` | | __|
                        | |_) | (_| | | | | (_| | | |_ 
                        |_.__/ \__,_|_| |_|\__,_|_|\__|
                                                       

                      This is an OverTheWire game server. 
            More information on http://www.overthewire.org/wargames

!!! You are trying to log into this SSH server on port 2220 on localhost.
!!! Please log out and log in again instead.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0664 for '1.key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "1.key": bad permissions
bandit17@localhost: Permission denied (publickey).

The message says this file's permissions are too open: it cannot be 644, so try changing it to 600:

bandit16@bandit:/tmp/111bbb$ chmod 600 1.key 
bandit16@bandit:/tmp/111bbb$ ssh -i 1.key bandit17@localhost -p 2220
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can't be established.
.....
.....
.....
  Enjoy your stay!

bandit17@bandit:~$ ls
passwords.new  passwords.old

Logged in successfully.
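
The permissions error above comes from the ssh client refusing any private key that group or others can access. In the session above the key also sat in /tmp with mode 0664 until the `chmod`, readable by every other user on the host. The following added example (not part of the original post; `key_mode_ok` and `save_key` are hypothetical helpers, and GNU `stat -c` and `mktemp -d` are assumed) checks a file the same way and creates the key file private from the start.

```shell
#!/bin/sh
# Added example; assumes GNU coreutils (stat -c, mktemp -d) on Linux.
# key_mode_ok and save_key are hypothetical helper names.

# Succeed only if the file grants nothing to group or others,
# i.e. (mode & 077) == 0, the condition ssh enforces on a private key.
key_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 2
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Write stdin to a new key file in a fresh private directory and print
# its path. With umask 077 the file is 0600 from the moment it exists,
# so other users on the host never get a window to read it.
save_key() {
    (
        umask 077
        dir=$(mktemp -d) || exit 1    # mode 0700, unpredictable name
        cat > "$dir/id_key" || exit 1
        printf '%s\n' "$dir/id_key"
    )
}

# Constructed demo: placeholder text stands in for real key material.
demo() {
    good=$(printf 'PLACEHOLDER KEY MATERIAL\n' | save_key)
    bad_dir=$(mktemp -d)
    bad="$bad_dir/1.key"
    printf 'PLACEHOLDER KEY MATERIAL\n' > "$bad"
    chmod 664 "$bad"                  # the mode ssh rejected above
    for f in "$good" "$bad"; do
        if key_mode_ok "$f"; then verdict="ok"; else verdict="too open"; fi
        printf '%-8s %s %s\n' "$verdict" "$(stat -c '%a' "$f")" "$f"
    done
    rm -rf "$(dirname "$good")" "$bad_dir"
}
demo
```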

From: https://www.cnblogs.com/dyhaohaoxuexi/p/16946098.html
