1. Bandit15 목표
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”?
Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage.
Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…
Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap
2. Bandit15 구현
# Log in to the lab container as root (enter the root password when prompted).
# StrictHostKeyChecking=no skips host-key verification; tolerable only because the target is the local container.
ssh -oStrictHostKeyChecking=no root@localhost -p 2220
# Give the dotfiles in bandit15's home to root (presumably so the level user cannot alter them).
chown -R root:root /home/bandit15/.[!.]*
# Self-signed certificate and key for the level-15 TLS server.
# -nodes leaves the key unencrypted so the service can start without a passphrase; protect /etc/ssl/private accordingly.
mkdir -p /etc/ssl/certs /etc/ssl/private
openssl req -x509 -nodes -days 73000 -newkey rsa:2048 -keyout /etc/ssl/private/server.key -out /etc/ssl/certs/server.crt -subj "/C=KR/ST=Seoul/L=Seoul/O=MyCompany/OU=IT Department/CN=mycompany.com"
cat <<'BANDIT_TMP' > /tmp/bandit16_answer.c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#define BUF_LEN 128
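/*
 * Load the OpenSSL error strings and register the SSL/TLS algorithms.
 * Call once before any other OpenSSL function.  Redundant on
 * OpenSSL >= 1.1.0, which initialises itself on first use.
 */
void initialize_openssl(void)
{
    SSL_load_error_strings();
    OpenSSL_add_ssl_algorithms();
}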
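/*
 * Release the global cipher/digest tables registered by initialize_openssl().
 * Redundant on OpenSSL >= 1.1.0, which cleans up automatically at exit.
 */
void cleanup_openssl(void)
{
    EVP_cleanup();
}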
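/*
 * Create a server-side SSL_CTX that negotiates the highest protocol version
 * both peers support.  Exits the process if the context cannot be allocated.
 *
 * Returns: a new SSL_CTX; the caller owns it and releases it with SSL_CTX_free().
 */
SSL_CTX *create_context(void)
{
    /* Version-flexible server method; on OpenSSL >= 1.1.0 this is an alias for TLS_server_method(). */
    const SSL_METHOD *method = SSLv23_server_method();
    SSL_CTX *ctx = SSL_CTX_new(method);
    if (ctx == NULL) {
        /* OpenSSL reports failures through its own error queue, not errno, so perror() would print an unrelated reason. */
        fprintf(stderr, "Unable to create SSL context\n");
        ERR_print_errors_fp(stderr);
        exit(EXIT_FAILURE);
    }
    /* NOTE(review): on OpenSSL >= 1.1.0, SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION) would refuse legacy protocol versions. */
    return ctx;
}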
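/*
 * Load the server certificate and private key into ctx and verify that they
 * belong together.  Exits the process on any failure so the server never
 * starts with a broken identity.
 *
 * ctx: context returned by create_context().
 */
void configure_context(SSL_CTX *ctx)
{
    if (SSL_CTX_use_certificate_file(ctx, "/etc/ssl/certs/server.crt", SSL_FILETYPE_PEM) <= 0) {
        ERR_print_errors_fp(stderr);
        exit(EXIT_FAILURE);
    }
    if (SSL_CTX_use_PrivateKey_file(ctx, "/etc/ssl/private/server.key", SSL_FILETYPE_PEM) <= 0) {
        ERR_print_errors_fp(stderr);
        exit(EXIT_FAILURE);
    }
    /* A key that does not match the certificate would otherwise only surface as a handshake failure at the first client. */
    if (SSL_CTX_check_private_key(ctx) != 1) {
        ERR_print_errors_fp(stderr);
        exit(EXIT_FAILURE);
    }
}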
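/*
 * Create a TCP listening socket bound to every local interface on `port`.
 * Exits the process if the port is out of range or any socket call fails.
 *
 * port: TCP port in 0..65535 (0 lets the kernel choose an ephemeral port).
 * Returns: the listening socket descriptor; the caller closes it.
 */
int create_socket(int port)
{
    /* htons() would silently truncate anything wider than 16 bits. */
    if (port < 0 || port > 65535) {
        fprintf(stderr, "Invalid port: %d\n", port);
        exit(EXIT_FAILURE);
    }

    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) {
        perror("Unable to create socket");
        exit(EXIT_FAILURE);
    }

    /* Allow an immediate restart while old connections sit in TIME_WAIT; without this bind() fails with EADDRINUSE. */
    int reuse = 1;
    if (setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &reuse, sizeof(reuse)) < 0) {
        perror("Unable to set SO_REUSEADDR");
        exit(EXIT_FAILURE);
    }

    struct sockaddr_in addr;
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    /* INADDR_ANY exposes the service on every interface, not only loopback; use INADDR_LOOPBACK if the container's network is shared. */
    addr.sin_addr.s_addr = htonl(INADDR_ANY);
    addr.sin_port = htons((uint16_t)port);
    if (bind(s, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
        perror("Unable to bind");
        exit(EXIT_FAILURE);
    }
    /* Backlog of 1: clients are served strictly one at a time. */
    if (listen(s, 1) < 0) {
        perror("Unable to listen");
        exit(EXIT_FAILURE);
    }
    return s;
}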
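/* Level-15 password the client must present, and the two fixed replies. */
static const char CURRENT_PASSWORD[] = "BfMYroe26WYalil77FoDi9qh59eK5xNr";
static const char CORRECT_REPLY[] = "Correct!\ncluFn7wTiGryunymYOu4RcffSxQluehd\n\n";
static const char WRONG_REPLY[] = "Wrong! Please enter the correct current password.\n";

/*
 * Handle one established TLS session: read a single record from the client,
 * check whether it contains the current password and send the matching reply.
 *
 * ssl: a session on which SSL_accept() has already succeeded.
 */
static void handle_client(SSL *ssl)
{
    char buffer[BUF_LEN];

    /* Read at most BUF_LEN-1 bytes so the buffer can always be NUL-terminated before strstr(). */
    int n = SSL_read(ssl, buffer, (int)sizeof(buffer) - 1);
    if (n <= 0) {
        /* Client closed the connection or the read failed: nothing to compare, nothing to answer. */
        ERR_print_errors_fp(stderr);
        return;
    }
    buffer[n] = '\0';

    /* strstr() rather than strcmp(): the client's input normally carries a trailing newline. */
    if (strstr(buffer, CURRENT_PASSWORD) != NULL) {
        SSL_write(ssl, CORRECT_REPLY, (int)(sizeof(CORRECT_REPLY) - 1));
    } else {
        SSL_write(ssl, WRONG_REPLY, (int)(sizeof(WRONG_REPLY) - 1));
    }
}

/*
 * Entry point: `bandit16_answer <port>`.  Listens on <port>, accepts one TLS
 * client at a time and answers with the next level's password when the client
 * sends the current one.  Runs until the process is killed.
 */
int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "Usage: %s <port>\n", argv[0]);
        exit(EXIT_FAILURE);
    }

    /* strtol() instead of atoi(): reject non-numeric input, trailing garbage and out-of-range values. */
    char *end = NULL;
    errno = 0;
    long port = strtol(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || errno == ERANGE || port < 1 || port > 65535) {
        fprintf(stderr, "Invalid port: %s\n", argv[1]);
        exit(EXIT_FAILURE);
    }

    initialize_openssl();
    SSL_CTX *ctx = create_context();
    configure_context(ctx);
    int sock = create_socket((int)port);

    for (;;) {
        struct sockaddr_in addr;
        socklen_t len = sizeof(addr); /* socklen_t, not the non-standard `uint` */
        int client = accept(sock, (struct sockaddr *)&addr, &len);
        if (client < 0) {
            /* Transient accept() failures must not take the whole service down. */
            if (errno == EINTR || errno == ECONNABORTED) {
                continue;
            }
            perror("Unable to accept");
            exit(EXIT_FAILURE);
        }

        SSL *ssl = SSL_new(ctx);
        if (ssl == NULL) {
            ERR_print_errors_fp(stderr);
            close(client);
            continue;
        }

        /* Only serve and shut down cleanly when the handshake completed. */
        if (SSL_set_fd(ssl, client) != 1 || SSL_accept(ssl) <= 0) {
            ERR_print_errors_fp(stderr);
        } else {
            handle_client(ssl);
            SSL_shutdown(ssl);
        }
        SSL_free(ssl);
        close(client);
    }

    /* Not reached: the loop only ends when the process is killed. */
    close(sock);
    SSL_CTX_free(ctx);
    cleanup_openssl();
    return 0;
}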
BANDIT_TMP
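# Build the server, install it and remove the source; chain with && so a failed build is never installed.
gcc -Wall -Wextra -O2 -o /tmp/bandit16_answer /tmp/bandit16_answer.c -lssl -lcrypto \
    && rm -f /tmp/bandit16_answer.c \
    && mv /tmp/bandit16_answer /bin/ \
    && chmod 700 /bin/bandit16_answer
# 700: both level passwords are embedded as plain strings in the binary, so it must not be readable by the level users.
# The start script runs as root (systemd / root shell), so execute permission for root alone is sufficient.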
cat <<'BANDIT_TMP' > /etc/init.d/bandit16_answer.sh
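#!/bin/bash
# Start the level-15 TLS server on port 30001 unless an instance is already running.
# pgrep -f matches the full command line, so this script (which has no "30001" argument)
# and unrelated processes that merely mention the name are not mistaken for the server.
if ! pgrep -f "bandit16_answer 30001" > /dev/null; then
    # Absolute path: systemd does not inherit the interactive PATH.
    nohup /bin/bandit16_answer 30001 > /dev/null 2>&1 &
else
    echo "bandit16_answer is already running."
fi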
BANDIT_TMP
# The unit's ExecStart runs the script directly, so it must be executable.
chmod 755 /etc/init.d/bandit16_answer.sh
cat <<'BANDIT_TMP' > /etc/init.d/bandit16_answer_stop.sh
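#!/bin/bash
# Stop the level-15 TLS server started by bandit16_answer.sh.
p_id=$(pgrep -f "bandit16_answer 30001")
if [ -n "${p_id}" ]
then
    # SIGTERM suffices: the server installs no signal handlers, so the default action terminates it.
    # ${p_id} is deliberately unquoted so several PIDs are passed as separate arguments.
    kill ${p_id}
    echo "bandit16_answer is killed."
else
    echo "bandit16_answer is not already running."
fi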
BANDIT_TMP
# Make the stop script executable, then start the server in this session (the systemd unit below is created afterwards).
chmod 755 /etc/init.d/bandit16_answer_stop.sh
source /etc/init.d/bandit16_answer.sh
cat <<'BANDIT_TMP' > /etc/systemd/system/bandit15.service
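[Unit]
Description=Bandit15 Service
After=network.target

[Service]
Type=simple
ExecStart=/etc/init.d/bandit16_answer.sh
# ExecStop must run the stop script: the start script only prints "already running" and leaves the server up.
ExecStop=/etc/init.d/bandit16_answer_stop.sh
# The start script backgrounds the server and exits; RemainAfterExit keeps the unit active in that case.
RemainAfterExit=true

[Install]
WantedBy=multi-user.target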
BANDIT_TMP
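systemctl daemon-reload
systemctl enable bandit15
# Smoke test: the server should answer "Correct!" followed by the level-16 password.
echo BfMYroe26WYalil77FoDi9qh59eK5xNr | openssl s_client -connect localhost:30001 -ign_eof
# chpasswd is the non-interactive interface for setting passwords; piping into passwd depends on its prompt sequence.
# useradd without -m assumes /home/bandit16 already exists (or CREATE_HOME is set); otherwise the chmod/chown below fail — confirm.
useradd bandit16 && echo "bandit16:cluFn7wTiGryunymYOu4RcffSxQluehd" | chpasswd
chmod 755 /home/bandit16
chown root:root /home/bandit16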
3. Bandit15 문제풀이
# Log in as bandit15 with the password configured above.
# BfMYroe26WYalil77FoDi9qh59eK5xNr
ssh bandit15@localhost -p 2220
# Submit the current password over TLS to obtain the next level's password.
echo BfMYroe26WYalil77FoDi9qh59eK5xNr | openssl s_client -connect localhost:30001 -ign_eof