The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL/TLS and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
hint : ssh, telnet, nc, ncat, socat, openssl, s_client, nmap, netstat, ss
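Commands used today
- ssh : connects over ssh
- scp : fetches a file or directory from the server
- openssl : encrypts/decrypts files
- s_client : connects to a server
- nmap : runs a port scan
  - -p- : option that scans every port from 1 to 65535
First, we need to port scan the 31000 - 32000 range, right?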
bandit16@bandit:~$ nmap localhost -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-20 10:34 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
Not shown: 65505 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
1111/tcp open lmsocialserver
1840/tcp open netopia-vo2
2220/tcp open netiq
2221/tcp open rockwell-csp1
2223/tcp open rockwell-csp2
2224/tcp open efi-mg
2225/tcp open rcip-itu
2226/tcp open di-drm
2227/tcp open di-msg
2228/tcp open ehome-ms
2230/tcp open queueadm
2231/tcp open wimaxasncp
2232/tcp open ivs-video
4091/tcp open ewinstaller
4258/tcp open vrml-multi-use
4321/tcp open rwhois
5842/tcp open reversion
8000/tcp open http-alt
30000/tcp open ndmps
30001/tcp open pago-services1
30002/tcp open pago-services2
31046/tcp open unknown
31518/tcp open unknown
31691/tcp open unknown
31790/tcp open unknown
31960/tcp open unknown
50001/tcp open unknown
51790/tcp open unknown
60917/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 2.62 seconds
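So 5 ports in total showed up in the 31000 - 32000 range.
openssl s_client -connect localhost:[31046 - 31960]
When I ran the command above, the ports that gave me a response were [31518, 31790]. However, port 31518 only sent back the password I had sent, so the port we will use looks like 31790.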
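The TLS-or-not check done by hand above with openssl s_client, as an added example that is not part of the original post: a Python script that attempts a real TLS handshake on each listening port in a range. The function names are hypothetical, and certificate verification is disabled only because the level's server presents a self-signed certificate and the probe is used purely to classify local ports.

```python
import socket
import ssl


def classify_port(host, port, timeout=2.0):
    """Return 'closed', 'tls' or 'plain' for one TCP port (hypothetical helper)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"  # refused or timed out: nothing is listening
    # Classification only: the server on this level presents a self-signed
    # certificate, so verification is switched off for the probe.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # wrap_socket() performs the full handshake. Checking only for a TLS
        # record header in the reply would be fooled by an echo server, which
        # sends our own ClientHello straight back.
        with ctx.wrap_socket(sock):
            return "tls"
    except OSError:  # ssl.SSLError and socket timeouts are OSError subclasses
        return "plain"
    finally:
        sock.close()


def scan_range(host, first, last, timeout=2.0):
    """Map every listening port in [first, last] to 'tls' or 'plain'."""
    found = {}
    for port in range(first, last + 1):
        kind = classify_port(host, port, timeout)
        if kind != "closed":
            found[port] = kind
    return found


if __name__ == "__main__":
    # Range taken from the level description; run on the bandit host itself.
    for port, kind in scan_range("localhost", 31000, 32000).items():
        print(port, kind)
```

A port reported as 'tls' still has to be tried with the password, since the page shows that an echo service can also sit behind TLS.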
Now let's send the bandit16 password and see what comes back.
bandit16@bandit:~$ echo 'kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx' | openssl s_client -connect localhost:31790 -ign_eof <- the -ign_eof option is very important here
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = SnakeOil
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN = SnakeOil
verify return:1
---
Certificate chain
0 s:CN = SnakeOil
i:CN = SnakeOil
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
v:NotBefore: Jun 10 03:59:50 2024 GMT; NotAfter: Jun 8 03:59:50 2034 GMT
---
Server certificate
.
.
.
.
.
---
read R BLOCK
Correct!
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
closed
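So what is the -ign_eof option?
Normally, when you use the openssl s_client command:
- data typed by the user, or piped in through 'echo', is sent to the server
- once everything has been sent, EOF is reached automatically (the connection to the server is closed)
- so even if the server sends a response, the connection is already closed and we cannot receive the password it replies with
That is why the -ign_eof option is needed.
In the situation above, if we had left out -ign_eof
echo 'bandit16_password' | openssl s_client -connect localhost:31790
and written only this, we would not have received any response.
That gave us the private key. It is hard to log in to bandit17 with it in that state, so, as when solving the bandit13 level, I will copy the private key to my local machine and use it from there to connect to bandit17.
First, save the private key somewhere convenient on the server: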
bandit16@bandit:~$ mktemp -d
/tmp/tmp.LAZMqsk0tq
bandit16@bandit:~$ cd /tmp/tmp.LAZMqsk0tq
bandit16@bandit:/tmp/tmp.LAZMqsk0tq$ touch password.txt
bandit16@bandit:/tmp/tmp.LAZMqsk0tq$ ls
password.txt
bandit16@bandit:/tmp/tmp.LAZMqsk0tq$ vi password.txt
bandit16@bandit:/tmp/tmp.LAZMqsk0tq$ cat password.txt
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
bandit16@bandit:/tmp/tmp.LAZMqsk0tq$ ls -al
total 440
drwx------ 2 bandit16 bandit16 4096 Nov 20 10:01 .
drwxrwx-wt 465 root root 438272 Nov 20 10:03 ..
-rw-rw-r-- 1 bandit16 bandit16 1675 Nov 20 10:01 password.txt
bandit16@bandit:/tmp/tmp.LAZMqsk0tq$ chmod 600 password.txt
bandit16@bandit:/tmp/tmp.LAZMqsk0tq$ ls -al
total 440
drwx------ 2 bandit16 bandit16 4096 Nov 20 10:01 .
drwxrwx-wt 465 root root 438272 Nov 20 10:04 ..
-rw------- 1 bandit16 bandit16 1675 Nov 20 10:01 password.txt <--- don't forget to change the permissions to 600 or 400~!
Now, on my local PC, I'll fetch the private key I saved on bandit16.
┌──(miso㉿KimMDR)-[~]
└─$ scp -P 2220 bandit16@bandit.labs.overthewire.org:/tmp/tmp.LAZMqsk0tq/password.txt .
_ _ _ _
| |__ __ _ _ __ __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|
This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames
backend: gibson-0
bandit16@bandit.labs.overthewire.org's password: <-- type the bandit16 password
password.txt 100% 1675 2.5KB/s 00:00 <--- transfer complete ★
scp -P 2220 bandit16@bandit.labs.overthewire.org:/tmp/tmp.LAZMqsk0tq/password.txt
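I keep forgetting this, so as a reminder:
after typing the command as above, don't forget the period "." at the very end! It means the copied file will be placed in my current local directory!!
Now, shall we connect to bandit17?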
┌──(miso㉿KimMDR)-[~]
└─$ ssh -i password.txt bandit17@bandit.labs.overthewire.org -p 2220
_ _ _ _
| |__ __ _ _ __ __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|
This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames
backend: gibson-0
,----.. ,----, .---.
/ / \ ,/ .`| /. ./|
/ . : ,` .' : .--'. ' ;
. / ;. \ ; ; / /__./ \ : |
. ; / ` ; .'___,/ ,' .--'. ' \' .
; | ; \ ; | | : | /___/ \ | ' '
| : | ; | ' ; |.'; ; ; \ \; :
. | ' ' ' : `----' | | \ ; ` |
' ; \; / | ' : ; . \ .\ ;
\ \ ', / | | ' \ \ ' \ |
; : / ' : | : ' |--"
\ \ .' ; |.' \ \ ;
www. `---` ver '---' he '---" ire.org
Welcome to OverTheWire!
If you find any problems, please report them to the #wargames channel on
discord or IRC.
.
.
.
.
.
For more information regarding individual wargames, visit
http://www.overthewire.org/wargames/
For support, questions or comments, contact us on discord or IRC.
Enjoy your stay!
The connection worked, so to make logging in easier next time, let's go and look at the bandit17 password.
bandit17@bandit:~$ cd /etc/bandit_pass
bandit17@bandit:/etc/bandit_pass$ cat bandit17
EReVavePLFHtFlFsjn3hyzMlvSuSAcRD
And that's how I found it, yay!