1. Bandit14 목표
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap
2. Bandit14 구현
# Log in to the wargame container as root; enter "root" at the password prompt.
# Host-key checking is turned off for this one connection.
# NOTE(review): acceptable only because the target is the local lab container - confirm before reusing elsewhere.
ssh -o StrictHostKeyChecking=no -p 2220 root@localhost
cat <<'BANDIT_TMP' > /tmp/bandit15_answer.c
#include "stdio.h"
#include "stdlib.h"
#include "string.h"
#include "time.h"
#include "sys/types.h"
#include "sys/socket.h"
#include "netinet/in.h"
#include "arpa/inet.h"
#include "unistd.h"
#define BUF_LEN 128
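/*
 * Single-threaded TCP password checker for this level.
 *
 * Usage: <program> <port>
 *
 * Listens on the given port, reads one line from each client, compares it
 * with the current level's password and replies with either the next
 * level's password or an error message, then closes the connection.
 *
 * Both passwords are string literals in this file, so they end up verbatim
 * in the compiled executable: anyone who can read the binary can recover
 * them. Keep the installed file readable only by the account that runs it.
 *
 * Returns 1 on a usage/setup error; otherwise it loops until killed.
 */
int main(int argc, char *argv[])
{
    static const char ok_reply[] = "Correct!\nBfMYroe26WYalil77FoDi9qh59eK5xNr\n\n";
    static const char bad_reply[] = "Wrong! Please enter the correct current password\n";
    const char *answer = "4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e";
    char buffer[BUF_LEN];
    struct sockaddr_in server_addr, client_addr;
    char temp[20];
    int server_fd, client_fd;
    int reuse = 1;
    socklen_t len;
    ssize_t msg_size;
    const char *reply;
    size_t reply_len;
    char *end;
    long port;

    if (argc != 2) {
        printf("usage : %s [port]\n", argv[0]);
        exit(1); /* a usage error is a failure, not a success */
    }

    /* atoi() silently turns garbage into 0; reject anything that is not 1..65535. */
    port = strtol(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || port < 1 || port > 65535) {
        fprintf(stderr, "Server : invalid port '%s'\n", argv[1]);
        exit(1);
    }

    if ((server_fd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        perror("Server : Can't open stream socket");
        exit(1);
    }

    /*
     * Allow an immediate restart after the process is killed; without this,
     * bind() can fail while old connections sit in TIME_WAIT. Non-fatal.
     */
    if (setsockopt(server_fd, SOL_SOCKET, SO_REUSEADDR, &reuse, sizeof(reuse)) < 0) {
        perror("Server : Can't set SO_REUSEADDR");
    }

    memset(&server_addr, 0x00, sizeof(server_addr));
    server_addr.sin_family = AF_INET;
    /*
     * NOTE(review): INADDR_ANY listens on every interface, while the level
     * text only requires "localhost". If nothing outside the host needs this
     * port, INADDR_LOOPBACK would narrow the exposure - confirm against the
     * container's network setup before changing.
     */
    server_addr.sin_addr.s_addr = htonl(INADDR_ANY);
    server_addr.sin_port = htons((uint16_t)port);

    if (bind(server_fd, (struct sockaddr *)&server_addr, sizeof(server_addr)) < 0) {
        perror("Server : Can't bind local address");
        close(server_fd);
        exit(1);
    }

    if (listen(server_fd, 5) < 0) {
        perror("Server : Can't listen for connections");
        close(server_fd);
        exit(1);
    }

    printf("Server : waiting for connection request.\n");

    while (1) {
        /* accept() overwrites len, so it must be reset for every call. */
        len = sizeof(client_addr);
        client_fd = accept(server_fd, (struct sockaddr *)&client_addr, &len);
        if (client_fd < 0) {
            perror("Server: accept failed");
            continue;
        }

        /* Never print an uninitialised buffer if the conversion fails. */
        if (inet_ntop(AF_INET, &client_addr.sin_addr, temp, sizeof(temp)) == NULL) {
            temp[0] = '?';
            temp[1] = '\0';
        }
        printf("Server : %s client connected.\n", temp);

        /*
         * NOTE(review): this read blocks with no timeout and the server
         * handles one client at a time, so a client that connects and stays
         * silent stalls everyone else - consider a receive timeout.
         */
        msg_size = read(client_fd, buffer, BUF_LEN - 1);
        if (msg_size < 0) {
            perror("Server: read failed");
            close(client_fd);
            continue;
        }
        buffer[msg_size] = '\0'; /* read() does not terminate the data */

        /*
         * Log the size only: the payload is client-controlled and, on a
         * correct attempt, is the level password itself.
         */
        printf("Received %zd bytes\n", msg_size);

        /* Cut at the first CR or LF so telnet-style "\r\n" input also matches. */
        buffer[strcspn(buffer, "\r\n")] = '\0';

        if (strcmp(buffer, answer) == 0) {
            reply = ok_reply;
            reply_len = sizeof(ok_reply) - 1;
        } else {
            reply = bad_reply;
            reply_len = sizeof(bad_reply) - 1;
        }

        /*
         * MSG_NOSIGNAL: a client that has already gone away must produce an
         * error here, not a SIGPIPE that terminates the whole server.
         */
        if (send(client_fd, reply, reply_len, MSG_NOSIGNAL) < 0) {
            perror("Server: send failed");
        }

        close(client_fd);
        printf("Server : %s client closed.\n", temp);
    }

    /* Not reached: the accept loop only ends when the process is killed. */
    close(server_fd);
    return 0;
}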
BANDIT_TMP
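# Build the checker and remove the source, which contains both level passwords.
gcc -o /tmp/bandit15_answer /tmp/bandit15_answer.c
rm -f /tmp/bandit15_answer.c
# The passwords are string literals inside the executable, so restrict it to
# root before installing it; it is started from this root session and does
# not need to be readable by the level accounts.
chown root:root /tmp/bandit15_answer
chmod 700 /tmp/bandit15_answer
mv /tmp/bandit15_answer /bin/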
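# Start script: launch the checker on port 30000 unless one is already running.
# Written with a quoted heredoc so the backticks and $2 reach the file verbatim.
cat <<'BANDIT_START_SH' > /etc/init.d/bandit15_answer.sh
#!/bin/bash

if [ -z "`ps -ef | grep bandit15_answer | grep 30000 | grep -v grep | awk '{print $2}'`" ]; then
nohup bandit15_answer 30000 1>/dev/null 2>&1 &
else
echo "bandit15_answer is already running."
fi
BANDIT_START_SH
# The systemd unit runs this file directly via ExecStart, so it must be executable.
chmod 755 /etc/init.d/bandit15_answer.sh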
# Stop script: look up the PID of the checker listening on port 30000 and kill it.
# The quoted heredoc writes the body verbatim (no expansion of backticks or ${p_id}).
cat <<'BANDIT_STOP_SH' > /etc/init.d/bandit15_answer_stop.sh
#!/bin/bash

p_id=`ps -ef | grep bandit15_answer | grep 30000 | grep -v grep | awk '{print $2}'`

if [ -n "${p_id}" ]
then
kill -9 ${p_id}
echo "bandit15_answer is killed."
else
echo "bandit15_answer is not already running."
fi
BANDIT_STOP_SH
chmod 755 /etc/init.d/bandit15_answer_stop.sh
# Start the checker right away by sourcing the start script into the current shell.
source /etc/init.d/bandit15_answer.sh
# Register a systemd unit that runs the start/stop scripts, then enable it.
# No User= is set, so the service runs as root.
# NOTE(review): ExecStart requires /etc/init.d/bandit15_answer.sh to be
# executable - verify its mode.
# NOTE(review): the start script backgrounds the checker and exits while the
# unit is Type=simple with RemainAfterExit=true - confirm systemd keeps the
# background process running as intended.
# NOTE(review): port 30000 is unprivileged, so the checker could run under a
# dedicated service account (User=) that alone can read the binary.
cat <<'BANDIT_TMP' > /etc/systemd/system/bandit14.service
[Unit]
Description=Bandit14 Service
After=network.target
[Service]
Type=simple
ExecStart=/etc/init.d/bandit15_answer.sh
ExecStop=/etc/init.d/bandit15_answer_stop.sh
RemainAfterExit=true
[Install]
WantedBy=multi-user.target
BANDIT_TMP
# Reload unit files so the new unit is visible, then enable it.
systemctl daemon-reload
systemctl enable bandit14
# Smoke test: submit the current level's password to the running checker.
printf '%s\n' 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e | nc localhost 30000
# Create the next level's account; passwd reads the new password twice from stdin.
useradd bandit15 && printf '%s\n%s\n' BfMYroe26WYalil77FoDi9qh59eK5xNr BfMYroe26WYalil77FoDi9qh59eK5xNr | passwd bandit15
# Home directory is root-owned and mode 755, so the level user cannot modify it.
# NOTE(review): useradd is called without -m; whether /home/bandit15 exists at
# this point depends on the image's defaults - confirm.
chmod 755 /home/bandit15
chown root:root /home/bandit15
3. Bandit14 문제풀이
# Log in as bandit14 with the password configured for that account:
# 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
ssh -p 2220 bandit14@localhost
# Submit the current password to the checker on port 30000; the reply's second
# line is the next level's password, so keep only that line.
printf '%s\n' 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e | nc localhost 30000 | sed -n '2p'