Bandit Level 15 → Level 16

Level Goal

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…

Level Answer

1. cat [FILE] | openssl s_client [-ign_eof] [-connect host:port]

  • [-ign_eof] Keeps the connection open when end of file is reached on the input, so the server's reply can still be read.
  • [-connect host:port] This specifies the host and optional port to connect to.
$ cat /etc/bandit_pass/bandit15 | openssl s_client -ign_eof -connect localhost:30001
CONNECTED(00000003)
depth=0 CN = bandit
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = bandit
verify return:1
---
Certificate chain
 0 s:/CN=bandit
   i:/CN=bandit
---
Server certificate
subject=/CN=bandit
issuer=/CN=bandit
---
No client certificate CA names sent
---
SSL handshake has read 1015 bytes and written 631 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: EEBFAAD356263D2A898E291E684F52A1459CEA00D948AECDDFF8AABAAF5E9406
    Session-ID-ctx: 
    Master-Key: 0B51F77536C54AC8A2FE0B81CBD7E757CFA3551C7793725FD1C58B6F0DAFEF1F7CAF898730B59C545ECBF123C71BE198
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1518252845
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd

closed

2. ssh [-p port] [user@]hostname

  • [-p port] Port to connect to on the remote host.
$ ssh -p 2220 [email protected]
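
The session in step 1 ended with "Verify return code: 18 (self signed certificate)" over TLSv1, yet s_client still sent the password. The script below is an added example, not part of the original write-up: it reads an s_client transcript and reports whether the session verified the peer. The names audit_s_client and sample_transcript are hypothetical, and the sample transcript is constructed.

```shell
#!/bin/sh
# Added example, not from the original write-up.
# audit_s_client reads an `openssl s_client` transcript on stdin, prints a
# one-line summary and returns 0 only if the peer certificate verified
# (code 0) and the protocol is newer than TLS 1.1 (RFC 8996 deprecates
# TLS 1.0 and 1.1). Returns 2 when no verify result is present.
audit_s_client() {
    awk '
        # SSL-Session fields, e.g. "    Protocol  : TLSv1"
        /^ *Protocol *:/ { proto = $NF }
        /^ *Cipher *:/   { cipher = $NF }
        # e.g. "    Verify return code: 18 (self signed certificate)"
        /Verify return code:/ { code = $4 }
        END {
            if (code == "") { print "no verify result found"; exit 2 }
            printf "protocol=%s cipher=%s verify=%s\n", proto, cipher, code
            weak = (proto == "SSLv3" || proto == "TLSv1" || proto == "TLSv1.1")
            if (code + 0 != 0 || weak) exit 1
            exit 0
        }
    '
}

# Constructed sample, trimmed to the shape of the session shown in step 1.
sample_transcript() {
    cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = bandit
verify error:num=18:self signed certificate
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Verify return code: 18 (self signed certificate)
---
EOF
}

sample_transcript | audit_s_client || echo "do not send secrets over this session"
```

Outside a lab, adding -verify_return_error to the s_client command makes the handshake fail on a verification error instead of continuing.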

Level Password

cluFn7wTiGryunymYOu4RcffSxQluehd
