1. Bandit16 목표
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000.
First find out which of these ports have a server listening on them.
Then find out which of those speak SSL and which don’t.
There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap
2. Bandit16 구현
# Log in as root (password prompt) to set this level up. Host-key checking is
# disabled because this is a throw-away local lab container (its host key
# presumably changes on every rebuild); do not copy this flag to real hosts.
ssh -p 2220 -o StrictHostKeyChecking=no root@localhost
# Hand every dotfile/dotdir in bandit16's home to root so the player cannot
# tamper with it. The `.[!.]*` glob matches ".foo" but skips "." and "..".
chown -R root:root /home/bandit16/.[!.]*
cat <<'BANDIT_TMP' > /tmp/bandit16_dummy.c
#include "stdio.h"
#include "stdlib.h"
#include "string.h"
#include "time.h"
#include "sys/types.h"
#include "sys/socket.h"
#include "netinet/in.h"
#include "arpa/inet.h"
#include "unistd.h"
#include "pthread.h"
#define BUF_LEN 128
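enum { DUMMY_IO_TIMEOUT_SEC = 10 };  /* per-connection read/write deadline */

/*
 * write() all of buf, retrying on short writes.
 * Returns 0 when every byte went out, -1 if the socket errored or the
 * send deadline expired.
 */
static int write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0)
            return -1;
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/*
 * Thread body for one decoy port.
 *
 * Listens on 127.0.0.1:<port> and serves clients strictly one at a time:
 * read one chunk (at most BUF_LEN-1 bytes), cut it at the first '\n', echo
 * the remainder back, close. The accept loop never ends; the function only
 * leaves (via pthread_exit) when the listening socket could not be set up.
 *
 * arg: pointer to an int holding the port; must stay valid for the whole
 *      life of the thread (main() keeps its array alive by joining).
 */
void *run_server(void *arg)
{
    int port = *((int *)arg);

    int server_fd = socket(AF_INET, SOCK_STREAM, 0);
    if (server_fd == -1) {
        perror("Server : Can't open stream socket");
        pthread_exit(NULL);
    }

    /* The unit runs with Restart=always, so a restart can land while the old
     * instance's connections are still in TIME_WAIT; without SO_REUSEADDR
     * that bind() fails with EADDRINUSE and the service flaps. */
    int one = 1;
    if (setsockopt(server_fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)) < 0)
        perror("Server : Can't set SO_REUSEADDR");  /* not fatal */

    struct sockaddr_in server_addr;
    memset(&server_addr, 0, sizeof(server_addr));
    server_addr.sin_family = AF_INET;
    /* The level text promises "a port on localhost": bind loopback only, so
     * the decoys are not reachable from other containers on the same bridge. */
    server_addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    server_addr.sin_port = htons(port);

    if (bind(server_fd, (struct sockaddr *)&server_addr, sizeof(server_addr)) < 0) {
        perror("Server : Can't bind local address");
        close(server_fd);
        pthread_exit(NULL);
    }
    if (listen(server_fd, 5) < 0) {
        perror("Server : Can't listen for connections");
        close(server_fd);
        pthread_exit(NULL);
    }
    printf("Server on port %d : waiting for connection request.\n", port);

    for (;;) {
        struct sockaddr_in client_addr;
        socklen_t len = sizeof(client_addr);  /* accept() may shrink it: reset per call */
        int client_fd = accept(server_fd, (struct sockaddr *)&client_addr, &len);
        if (client_fd < 0) {
            perror("Server: accept failed");
            continue;
        }

        char peer[INET_ADDRSTRLEN];
        if (inet_ntop(AF_INET, &client_addr.sin_addr, peer, sizeof(peer)) == NULL)
            snprintf(peer, sizeof(peer), "?");
        printf("Server on port %d : %s client connected.\n", port, peer);

        /* Clients are served serially, so one that connects and never sends
         * would otherwise park this thread forever and lock every other
         * player out of the port. */
        struct timeval deadline = { .tv_sec = DUMMY_IO_TIMEOUT_SEC, .tv_usec = 0 };
        if (setsockopt(client_fd, SOL_SOCKET, SO_RCVTIMEO, &deadline, sizeof(deadline)) < 0 ||
            setsockopt(client_fd, SOL_SOCKET, SO_SNDTIMEO, &deadline, sizeof(deadline)) < 0)
            perror("Server: Can't set socket timeout");  /* not fatal */

        char buffer[BUF_LEN];
        ssize_t msg_size = read(client_fd, buffer, BUF_LEN - 1);
        if (msg_size < 0) {
            perror("Server: read failed");  /* includes the deadline expiring */
            close(client_fd);
            continue;
        }
        buffer[msg_size] = '\0';  /* read() leaves room for it: at most BUF_LEN-1 bytes */
        printf("Received %zd bytes on port %d: %s\n", msg_size, port, buffer);  /* %zd: ssize_t */

        /* Echo only the first line, without its newline. */
        buffer[strcspn(buffer, "\n")] = '\0';
        if (write_all(client_fd, buffer, strlen(buffer)) < 0)
            perror("Server: write failed");

        close(client_fd);
        printf("Server on port %d : %s client closed.\n", port, peer);
    }
    /* not reached: the accept loop only ends when the process is killed */
}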
/*
 * Entry point: start one echo thread per decoy port and wait for them.
 *
 * The port array outlives the threads because main() blocks in pthread_join
 * until they end (they never do on their own). Returns 1 if a thread could
 * not be started; the threads already running are then torn down with the
 * process.
 * NOTE(review): under systemd stdout is a pipe, so the printf output of the
 * threads is block-buffered and shows up in the journal late - confirm if
 * the log lines matter.
 */
int main(void)
{
    static int ports[] = {31046, 31691, 31960};  /* hard-coded decoy ports */
    const size_t count = sizeof ports / sizeof ports[0];
    pthread_t workers[sizeof ports / sizeof ports[0]];

    for (size_t i = 0; i < count; i++) {
        if (pthread_create(&workers[i], NULL, run_server, &ports[i]) != 0) {
            /* pthread_create reports the error in its return value, not in
             * errno, so this message may show a stale errno (pre-existing). */
            perror("Failed to create thread");
            return 1;
        }
    }
    for (size_t i = 0; i < count; i++)
        pthread_join(workers[i], NULL);
    return 0;
}
BANDIT_TMP
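# Build the decoy echo server and install it with an explicit owner and mode
# (mv would keep whatever mode the file got in /tmp).
# NOTE(review): the source was written to a fixed, predictable name in the
# world-writable /tmp (the cat above); on a box where other users may be
# logged in while this runs, a pre-planted symlink of that name redirects the
# write. Building inside a `mktemp -d` directory avoids it.
gcc -Wall -o /tmp/bandit16_dummy /tmp/bandit16_dummy.c -pthread
rm -f /tmp/bandit16_dummy.c
install -o root -g root -m 0755 /tmp/bandit16_dummy /bin/bandit16_dummy
rm -f /tmp/bandit16_dummy
cat <<'BANDIT_TMP' > /etc/systemd/system/bandit16_dummy.service
[Unit]
Description=Bandit16 Dummy Service
After=network.target

[Service]
ExecStart=/bin/bandit16_dummy
Restart=always
# The decoys bind unprivileged ports and read nothing on disk, so there is no
# reason to run them as root. (DynamicUser=yes is the alternative on
# systemd >= 235.)
User=nobody
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
BANDIT_TMP
systemctl daemon-reload
systemctl enable bandit16_dummy
systemctl start bandit16_dummy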
cat <<'BANDIT_TMP' > /tmp/bandit17_answer.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <pthread.h>
#define BUF_LEN 128
/*
 * Library setup: register the SSL/TLS ciphers and digests and load the
 * human-readable error strings so ERR_print_errors_fp() is useful.
 * On OpenSSL >= 1.1.0 both calls are compatibility macros around
 * OPENSSL_init_ssl() and the library initialises itself anyway.
 */
void initialize_openssl(void)
{
    OpenSSL_add_ssl_algorithms();
    SSL_load_error_strings();
}
/*
 * Release the cipher/digest tables registered by initialize_openssl().
 * Deprecated and a no-op on OpenSSL >= 1.1.0, where cleanup happens
 * automatically at exit.
 */
void cleanup_openssl(void)
{
    EVP_cleanup();
}
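/*
 * Build the server-side SSL_CTX.
 *
 * SSLv23_server_method() negotiates the highest protocol both sides support,
 * which on older OpenSSL builds still includes SSLv2/SSLv3 and TLS 1.0/1.1;
 * those are switched off here so the handshake floor is TLS 1.2. The
 * SSL_OP_NO_* flags exist on 1.0.2 as well as 1.1+/3.x, unlike
 * SSL_CTX_set_min_proto_version() which would tie the build to >= 1.1.0.
 *
 * Exits the process on allocation failure. (perror is kept for log
 * continuity, but SSL_CTX_new does not set errno; ERR_print_errors_fp
 * carries the real reason.)
 */
SSL_CTX *create_context(void)
{
    const SSL_METHOD *method = SSLv23_server_method();
    SSL_CTX *ctx = SSL_CTX_new(method);
    if (ctx == NULL) {
        perror("Unable to create SSL context");
        ERR_print_errors_fp(stderr);
        exit(EXIT_FAILURE);
    }
    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
                             SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
    return ctx;
}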
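/*
 * Load the server certificate and private key into ctx.
 *
 * The two files are not created by this setup script; they are assumed to be
 * present already (presumably from the base image or an earlier level).
 * /etc/ssl/private is normally root-only, which is one reason the service
 * runs as root. Exits the process on any failure so a broken TLS setup is
 * caught at start-up rather than at a player's first connection.
 */
void configure_context(SSL_CTX *ctx)
{
    if (SSL_CTX_use_certificate_file(ctx, "/etc/ssl/certs/server.crt", SSL_FILETYPE_PEM) <= 0) {
        ERR_print_errors_fp(stderr);
        exit(EXIT_FAILURE);
    }
    if (SSL_CTX_use_PrivateKey_file(ctx, "/etc/ssl/private/server.key", SSL_FILETYPE_PEM) <= 0) {
        ERR_print_errors_fp(stderr);
        exit(EXIT_FAILURE);
    }
    /* A key that does not belong to the certificate would otherwise only
     * surface as a failed handshake later; fail fast here instead. */
    if (!SSL_CTX_check_private_key(ctx)) {
        fprintf(stderr, "Certificate and private key do not match\n");
        ERR_print_errors_fp(stderr);
        exit(EXIT_FAILURE);
    }
}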
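/*
 * Open a listening TCP socket on 127.0.0.1:<port>.
 *
 * Loopback only: the level text says "a port on localhost", and the port that
 * hands out bandit17's key should not be reachable from other containers on
 * the same Docker network. SO_REUSEADDR lets the service come straight back
 * after a Restart=always restart while old connections are still in
 * TIME_WAIT. Any failure exits the process, matching the other setup helpers.
 *
 * Returns the listening descriptor.
 */
int create_socket(int port)
{
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) {
        perror("Unable to create socket");
        exit(EXIT_FAILURE);
    }

    int one = 1;
    if (setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)) < 0)
        perror("Unable to set SO_REUSEADDR");  /* not fatal */

    struct sockaddr_in addr;
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = htons(port);
    if (bind(s, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
        perror("Unable to bind");
        exit(EXIT_FAILURE);
    }
    /* Backlog of 1 as before: connections are served one at a time anyway. */
    if (listen(s, 1) < 0) {
        perror("Unable to listen");
        exit(EXIT_FAILURE);
    }
    return s;
}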
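enum {
    KEY_PORT = 31790,        /* the one port that hands out bandit17's key */
    ECHO_TIMEOUT_SEC = 10,   /* per-connection deadline on the decoy port */
    KEY_TIMEOUT_SEC = 60     /* long enough to paste a password by hand */
};

/*
 * Password of the *current* level that a client must present on KEY_PORT,
 * and the file streamed back in return. The key file is made 640 root:root by
 * the setup steps, which is why this service has to run as root.
 * NOTE(review): embedding the password means `strings /bin/bandit17_answer`
 * reveals it. Harmless here (every bandit16 player already has it), but
 * reading it from /etc/bandit_pass/bandit16 at start-up - the convention the
 * setup uses for bandit17 - would keep the secret out of the binary.
 */
static const char LEVEL_PASSWORD[] = "cluFn7wTiGryunymYOu4RcffSxQluehd";
static const char NEXT_KEY_PATH[] = "/home/bandit17/.ssh/id_rsa";

/*
 * Send a NUL-terminated string. A failure is logged and otherwise ignored;
 * the session simply ends. (SSL_write does not return short writes unless
 * SSL_MODE_ENABLE_PARTIAL_WRITE is set, so one call is enough.)
 */
static void ssl_send_str(SSL *ssl, const char *s)
{
    if (SSL_write(ssl, s, (int)strlen(s)) <= 0)
        ERR_print_errors_fp(stderr);
}

/*
 * Stream a file to the peer in BUF_LEN chunks.
 * Returns -1 (errno set) only if the file cannot be opened; a write failure
 * is logged and stops the transfer but still returns 0.
 */
static int ssl_send_file(SSL *ssl, const char *path)
{
    FILE *file = fopen(path, "r");
    if (file == NULL)
        return -1;

    char chunk[BUF_LEN];
    size_t got;
    while ((got = fread(chunk, 1, sizeof(chunk), file)) > 0) {
        if (SSL_write(ssl, chunk, (int)got) <= 0) {
            ERR_print_errors_fp(stderr);
            break;
        }
    }
    fclose(file);
    return 0;
}

/*
 * Decoy behaviour: echo every record back until the peer closes or the
 * socket deadline fires (SSL_read then returns <= 0).
 */
static void serve_echo(SSL *ssl, int port)
{
    char buffer[BUF_LEN];
    for (;;) {
        int bytes = SSL_read(ssl, buffer, (int)sizeof(buffer) - 1);
        if (bytes <= 0)
            break;
        buffer[bytes] = '\0';
        printf("Received on port %d: %s\n", port, buffer);
        if (SSL_write(ssl, buffer, bytes) <= 0) {
            ERR_print_errors_fp(stderr);
            break;
        }
    }
}

/*
 * Key port: read one record, keep its first line, and compare it with the
 * level password. On a match reply "Correct!" followed by the key file.
 */
static void serve_key(SSL *ssl)
{
    char buffer[BUF_LEN];
    int bytes = SSL_read(ssl, buffer, (int)sizeof(buffer) - 1);
    if (bytes <= 0) {
        /* Nothing arrived (peer closed, handshake-only probe, or deadline);
         * buffer is uninitialised at this point, so never look at it. */
        ERR_print_errors_fp(stderr);
        return;
    }
    buffer[bytes] = '\0';
    buffer[strcspn(buffer, "\r\n")] = '\0';  /* "pw\n" from echo | s_client */

    /* Exact match of the submitted line; a substring match would accept any
     * input that merely contains the password. */
    if (strcmp(buffer, LEVEL_PASSWORD) != 0) {
        ssl_send_str(ssl, "Wrong! Please enter the correct current password.\n");
        return;
    }
    ssl_send_str(ssl, "Correct!\n");
    if (ssl_send_file(ssl, NEXT_KEY_PATH) < 0) {
        perror("Unable to open file");
        ssl_send_str(ssl, "Error opening file\n");
    }
    ssl_send_str(ssl, "\n");
}

/*
 * Thread body: one TLS listener on 127.0.0.1:<port>, connections handled
 * strictly one at a time. port == KEY_PORT runs the password check, every
 * other port is an echo decoy. Never returns; a setup failure exit()s the
 * whole process (see create_context/configure_context/create_socket).
 *
 * arg: pointer to the int port; must outlive the thread.
 */
void *run_server(void *arg)
{
    int port = *(int *)arg;

    /* Called once per thread. On OpenSSL >= 1.1 these are no-op macros; on
     * 1.0.x they are not thread-safe - NOTE(review): hoist into main() if
     * this is ever built against 1.0.x. */
    initialize_openssl();
    SSL_CTX *ctx = create_context();
    configure_context(ctx);
    int sock = create_socket(port);
    printf("Server listening on port %d\n", port);

    for (;;) {
        struct sockaddr_in addr;
        socklen_t len = sizeof(addr);
        int client = accept(sock, (struct sockaddr *)&addr, &len);
        if (client < 0) {
            /* EINTR/ECONNABORTED are transient: keep serving rather than
             * exit(), which would take the other port's thread down too. */
            perror("Unable to accept");
            continue;
        }

        /* Every connection gets a deadline, the key port included: with
         * serial handling a single idle client (even a plain `nc` that never
         * starts the handshake) would otherwise park this thread in
         * SSL_accept() and lock every other player out of the port. */
        struct timeval deadline = {
            .tv_sec = (port == KEY_PORT) ? KEY_TIMEOUT_SEC : ECHO_TIMEOUT_SEC,
            .tv_usec = 0
        };
        if (setsockopt(client, SOL_SOCKET, SO_RCVTIMEO, &deadline, sizeof(deadline)) < 0 ||
            setsockopt(client, SOL_SOCKET, SO_SNDTIMEO, &deadline, sizeof(deadline)) < 0)
            perror("Unable to set socket timeout");  /* not fatal */

        SSL *ssl = SSL_new(ctx);
        if (ssl == NULL) {
            ERR_print_errors_fp(stderr);
            close(client);
            continue;
        }
        SSL_set_fd(ssl, client);

        if (SSL_accept(ssl) <= 0) {
            ERR_print_errors_fp(stderr);  /* plaintext probe, bad ciphers, deadline */
        } else {
            if (port == KEY_PORT)
                serve_key(ssl);
            else
                serve_echo(ssl, port);
            SSL_shutdown(ssl);
        }
        SSL_free(ssl);
        close(client);
    }
    /* not reached: the loop only ends when the process is killed */
}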
/*
 * Entry point: one listener thread per port. run_server tells the echo decoy
 * (31518) and the key port (31790) apart by number. main() blocks in
 * pthread_join, so the ports array stays alive for as long as the threads
 * run. Returns 1 if a thread could not be started.
 */
int main(void)
{
    static int ports[] = {31518, 31790};
    const size_t count = sizeof ports / sizeof ports[0];
    pthread_t workers[sizeof ports / sizeof ports[0]];

    for (size_t i = 0; i < count; i++) {
        if (pthread_create(&workers[i], NULL, run_server, &ports[i]) != 0) {
            /* pthread_create reports the error in its return value, not in
             * errno, so this message may show a stale errno (pre-existing). */
            perror("Failed to create thread");
            return 1;
        }
    }
    for (size_t i = 0; i < count; i++)
        pthread_join(workers[i], NULL);
    return 0;
}
BANDIT_TMP
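# Build the TLS server that hands out bandit17's key and install it with an
# explicit owner and mode (mv would keep whatever mode the file got in /tmp).
# NOTE(review): as with the decoy, the source sits under a fixed name in the
# world-writable /tmp; build in a `mktemp -d` directory if other users can be
# logged in while this runs.
gcc -Wall -o /tmp/bandit17_answer /tmp/bandit17_answer.c -lssl -lcrypto -pthread
rm -f /tmp/bandit17_answer.c
install -o root -g root -m 0755 /tmp/bandit17_answer /bin/bandit17_answer
rm -f /tmp/bandit17_answer
cat <<'BANDIT_TMP' > /etc/systemd/system/bandit16.service
[Unit]
Description=Bandit16 Service
After=network.target

[Service]
ExecStart=/bin/bandit17_answer
Restart=always
# Stays root: it must read /home/bandit17/.ssh/id_rsa (made 640 root:root in
# the setup below) and the TLS key under /etc/ssl/private. At least keep it
# from acquiring anything beyond that.
# NOTE(review): ProtectHome=read-only, ProtectSystem=strict and PrivateTmp=yes
# would be the next step, but they need mount namespaces, which an
# unprivileged Docker container may not allow - test before adding.
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
BANDIT_TMP
systemctl daemon-reload
systemctl enable bandit16
systemctl start bandit16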
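# Create bandit17 and set its password. chpasswd reads "user:password" from
# stdin and is the documented non-interactive path; passwd may read from the
# controlling tty instead of the pipe when run inside an ssh session.
useradd bandit17
echo 'bandit17:xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn' | chpasswd
# Hand the existing dotfiles to root *before* creating .ssh, so the key
# material written as bandit17 below still lands in a directory it owns
# (the whole tree is handed to root again once the keys are in place).
# NOTE(review): this assumes /home/bandit17 already exists - plain useradd
# does not create it with Debian/Ubuntu defaults - and that no root-owned
# .ssh/id_rsa is left over from an earlier run; confirm on the base image.
chown -R root:root /home/bandit17/.[!.]*
install -d -o bandit17 -g bandit17 -m 0700 /home/bandit17/.ssh
# The heredocs that follow install a fixed key pair (published with this
# post), so a key generated here with ssh-keygen would only be overwritten;
# that step is dropped.
su - bandit17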
# Public half of the fixed key pair (base64 of an "ssh-rsa ... rudy@localhost"
# line); it matches the private key written to id_rsa next, so `ssh -i` with
# that key logs in as bandit17. Both halves are published with this post:
# regenerate the pair if this host is reachable by anyone you would not hand
# the bandit17 account to.
cat <<AUTH_KEY | base64 --decode > /home/bandit17/.ssh/authorized_keys
c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFDK1k2UzZKK1l5RG9jdlpnOGc2
T2lmcUpaOXVudHplUEhmaGlSaGFwUWZudEpSM0ltS1puTjdJWUxTQzFrOGE2TlJMR0lsSllqK2hP
cDdHSDV3QXhOSXlVNGwvdjRHc2s1c0N1ZkYzMWp0aFBadEU5QWxyb3ZOdm5ueGhiY1ZtWHpzNUdJ
NzZ0YmdzSU1JMTNhVlM4c1Q4WXZZWmJLNG8zUXJtSUozbE51MG5NU1JCTzROSzNhWncyZml1RUF2
NGtXdm5xamhQclB4WllCYlh3RkhySWFzeXJ0RCtRQXNkaGJjNTZSNDlBRE12UlZSaHRZa1pPTHJr
TEZzS2ZOei9EajZhcERLK2JPbGEwd0RNbFBNRE5ERTF1UkhZd0ViSkxFTXV1T0RRdFkzcXdydkEx
ZkhSaFhPM1AvTnNpUStOK1JUV01kTDcwUnRVMlA0UFZjVTRtNXAgcnVkeUBsb2NhbGhvc3QK
AUTH_KEY
# bandit17's private key: the file /bin/bandit17_answer streams back on port
# 31790 after the correct bandit16 password, i.e. this level's prize. The
# setup below makes it 640 root:root, so the player only ever obtains it
# through the service. Like the public half above it is published with this
# post - regenerate it for any deployment others can reach.
cat <<'PRIVATE_KEY' > /home/bandit17/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
-----END RSA PRIVATE KEY-----
PRIVATE_KEY
# Back to root. Drop the stray public key and lock the tree down: the home
# directory and .ssh end up root-owned (sshd's StrictModes accepts root as
# owner) and the key files 640 root:root, so sshd can still read
# authorized_keys but the player cannot read id_rsa except through the
# service on port 31790.
exit
rm -f /home/bandit17/.ssh/id_rsa.pub
chown root:root /home/bandit17
chmod 755 /home/bandit17 /home/bandit17/.ssh
chmod 640 /home/bandit17/.ssh/*
# Per-level password files, readable only by their owner.
printf '%s\n' BfMYroe26WYalil77FoDi9qh59eK5xNr > /home/bandit16/.bandit15.password
chown bandit16:bandit16 /home/bandit16/.bandit15.password
chmod 640 /home/bandit16/.bandit15.password
printf '%s\n' xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn > /etc/bandit_pass/bandit17
chown bandit17:bandit17 /etc/bandit_pass/bandit17
chmod 400 /etc/bandit_pass/bandit17
3. Bandit16 문제풀이
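# Log in as bandit16 with the password set for this level:
# cluFn7wTiGryunymYOu4RcffSxQluehd
ssh -o StrictHostKeyChecking=no -p 2220 bandit16@localhost
# Find the listening ports in the range with a TCP connect scan (-sT needs no
# raw sockets, so it works unprivileged) and print only the port numbers.
nmap -sT -p 31000-32000 localhost | grep tcp | awk -F "/" '{ print $1 }'
# To tell the TLS ports from the plain ones, try
# `openssl s_client -connect localhost:<port>` on each: only the plain echo
# ports fail the handshake.
# Submit the password over TLS and keep just the PEM block from the reply.
# mktemp creates the file 0600, so the key is never world-readable in /tmp;
# always quote "$TMP_FILE" so the path is passed through intact.
TMP_FILE=$(mktemp)
echo cluFn7wTiGryunymYOu4RcffSxQluehd | openssl s_client -connect localhost:31790 -ign_eof 2>/dev/null \
  | awk '/BEGIN RSA PRIVATE KEY/ {found=1} found; /END RSA PRIVATE KEY/ {found=0}' > "$TMP_FILE"
# Say so if nothing was extracted (wrong port or password, or a handshake
# error hidden by 2>/dev/null) instead of letting ssh complain about an
# empty key file.
[ -s "$TMP_FILE" ] || echo "no private key received from port 31790" >&2
chmod 400 "$TMP_FILE"
ssh -o StrictHostKeyChecking=no -i "$TMP_FILE" -p 2220 bandit17@localhost
# Inside the bandit17 session: read the next level's password.
cat /etc/bandit_pass/bandit17
# Back in the bandit16 shell: the extracted key is no longer needed.
rm -f "$TMP_FILE"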