[overthewire] Bandit Level 16 → Level 17

moon_security · March 18, 2025

[OverTheWire] Bandit


Level goal!

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL/TLS and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

To get the next level's password, we have to send the current level's password to a single port in the range 31000 to 32000. It says we have to talk to the port that speaks SSL/TLS!

Solution!

First, we need to find the open ports among ports 31000 to 32000 on localhost.
For that we can use Nmap (Network Mapper), a tool for network discovery and security auditing!

📌 What is Nmap
Shows which ports are open on a target host and which services are running on them
✅ Main features
1. Port scanning: finds the open ports on the target system
2. Service detection: identifies the program running on a given port
3. Operating system (OS) detection: analyzes the target machine's operating system
...

Running the nmap command against the bandit16 server shows services open on a variety of ports

bandit16@bandit:~$ nmap localhost
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-18 12:11 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00014s latency).
Not shown: 992 closed tcp ports (conn-refused)
PORT      STATE SERVICE
22/tcp    open  ssh
1111/tcp  open  lmsocialserver
1840/tcp  open  netopia-vo2
4321/tcp  open  rwhois
8000/tcp  open  http-alt
10000/tcp open  snet-sensor-mgmt
30000/tcp open  ndmps
50001/tcp open  unknown

For this level we need to know which ports in the localhost range 31000 to 32000 are open. Take a look at the command below!

bandit16@bandit:~$ nmap -p 31000-32000 localhost

Feels like a pretty intuitive command, doesn't it??
It is nmap -p <port range> <IP address>.
The result of running this command is shown below.

bandit16@bandit:~$ nmap -p 31000-32000 localhost
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-18 12:59 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00027s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT      STATE SERVICE
31046/tcp open  unknown
31518/tcp open  unknown
31691/tcp open  unknown
31790/tcp open  unknown
31960/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

Ports 31046, 31518, 31691, 31790 and 31960 are open!
Now we need to find the ports that use SSL/TLS!!
The openssl command we used in the previous level should do the job.

bandit16@bandit:~$ openssl s_client -connect localhost:31046
bandit16@bandit:~$ openssl s_client -connect localhost:31518
bandit16@bandit:~$ openssl s_client -connect localhost:31691
bandit16@bandit:~$ openssl s_client -connect localhost:31790
bandit16@bandit:~$ openssl s_client -connect localhost:31960

Running the commands above showed that 2 of the ports use SSL/TLS.
They are 31518 and 31790! How did I tell?
The criteria I used are as follows.

📌 Criteria for judging whether the SSL/TLS connection succeeded
✅ 1. Whether CONNECTED(00000003) is shown
-> On success this line must appear
-> On failure a connection refused line appears
✅ 2. Check for the "Cipher is ..." text
-> On success the cipher suite is printed
✅ 3. Whether the server certificate is printed
-> On success lines like the following appear
Server certificate
-----BEGIN CERTIFICATE-----
MIIFBzCCAu+gAwIBAgIUBLz7DBxA0IfojaL/WaJzE6Sbz7cwDQYJKoZIhvcNAQEL
...
XM0mpLoxsq6vVl3AJaJe1ivdA9xLytsuG4iv02Juc593HXYR8yOpow0Eq2T
U5EyeuFg5RXYwAPi7ykw1PW7zAPL4MlonEVz+QXOSx6eyhimp1VZC11SCg==
-----END CERTIFICATE-----
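As an added example (not from the original post), here is a small Python probe that does what the nmap and openssl s_client steps above do in one pass: it connects to each port in a range, attempts a TLS handshake with certificate verification disabled, and labels every open port "tls" or "plain". The host, port range and function names are assumptions of the example, and start_echo_server is a constructed local stand-in for the level's echo ports so the script can be exercised offline.

```python
import socket
import ssl
import threading


def probe_port(host, port, timeout=2.0):
    """'closed', 'tls' or 'plain': the same check openssl s_client performs.
    Chain verification is off because the level's server presents a
    self-signed 'SnakeOil' certificate. An open port whose reply is not TLS
    (the echo servers return our own ClientHello) makes OpenSSL raise, and
    that is reported as 'plain'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # do not verify the self-signed chain
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    try:
        with raw, ctx.wrap_socket(raw, server_hostname=host) as tls:
            return "tls" if tls.version() else "plain"
    except (ssl.SSLError, OSError):  # bad reply, reset, EOF or timeout
        return "plain"


def scan_range(host, first, last):
    """Map each open port in [first, last] to 'tls' or 'plain'."""
    kinds = {port: probe_port(host, port) for port in range(first, last + 1)}
    return {p: k for p, k in kinds.items() if k != "closed"}


def start_echo_server():
    """Constructed fixture: a plaintext echo server on 127.0.0.1 standing in
    for the level's non-TLS ports. Returns (listening socket, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listening socket closed: stop serving
                return
            with conn:
                data = conn.recv(4096)
                conn.sendall(data)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]
```

On the wargame host, scan_range("localhost", 31000, 32000) returns only the five open ports, with 31518 and 31790 marked "tls".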

Now let's send the current level's password to these 2 ports.

bandit16@bandit:~$ echo "kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx" | openssl s_client -connect localhost:31518 -quiet
Can't use SSL_get_servername
depth=0 CN = SnakeOil
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN = SnakeOil
verify return:1
kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx
bandit16@bandit:~$ echo "kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx" | openssl s_client -connect localhost:31790 -quiet
Can't use SSL_get_servername
depth=0 CN = SnakeOil
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN = SnakeOil
verify return:1
Correct!
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

Port 31518 returns the data I sent, exactly as the level description says!
Port 31790 responded with an RSA PRIVATE KEY.
As in Bandit Level 13 → Level 14, we should be able to save the private key and connect over ssh.
As shown below, move to /tmp and create a temporary file with vi to hold the private key.

bandit16@bandit:~$ cd /tmp
bandit16@bandit:/tmp$ vi bandit_17_key
# after running the command above, paste the private key into the file
# then save it with :wq

Now let's log in as bandit17 with the private key!

bandit16@bandit:/tmp$ ssh -i bandit_17_key -p 2220 bandit17@localhost
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can't be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/home/bandit16/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/home/bandit16/.ssh/known_hosts).
                         _                     _ _ _   
                        | |__   __ _ _ __   __| (_) |_ 
                        | '_ \ / _` | '_ \ / _` | | __|
                        | |_) | (_| | | | | (_| | | |_ 
                        |_.__/ \__,_|_| |_|\__,_|_|\__|
                                                       

                      This is an OverTheWire game server. 
            More information on http://www.overthewire.org/wargames

!!! You are trying to log into this SSH server with a password on port 2220 from localhost.
!!! Connecting from localhost is blocked to conserve resources.
!!! Please log out and log in again.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0664 for 'bandit_17_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "bandit_17_key": bad permissions
bandit17@localhost: Permission denied (publickey).

It looks like the connection failed for the following reason:

📌 Permissions 0664 for 'bandit_17_key' are too open.
SSH has a policy of refusing to use a private key file that is not protected
✅ A file with 664 permissions can be read by every user, so it has to be changed to 600 so that only the owner can read and write it

After changing the permissions, the connection succeeded :)

bandit16@bandit:/tmp$ chmod 600 bandit_17_key
bandit16@bandit:/tmp$ ssh -i bandit_17_key -p 2220 bandit17@localhost
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can't be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/home/bandit16/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/home/bandit16/.ssh/known_hosts).
                         _                     _ _ _   
                        | |__   __ _ _ __   __| (_) |_ 
                        | '_ \ / _` | '_ \ / _` | | __|
                        | |_) | (_| | | | | (_| | | |_ 
                        |_.__/ \__,_|_| |_|\__,_|_|\__|
                                                       

                      This is an OverTheWire game server. 
            More information on http://www.overthewire.org/wargames

!!! You are trying to log into this SSH server with a password on port 2220 from localhost.
!!! Connecting from localhost is blocked to conserve resources.
!!! Please log out and log in again.


      ,----..            ,----,          .---.
     /   /   \         ,/   .`|         /. ./|
    /   .     :      ,`   .'  :     .--'.  ' ;
   .   /   ;.  \   ;    ;     /    /__./ \ : |
  .   ;   /  ` ; .'___,/    ,' .--'.  '   \' .
  ;   |  ; \ ; | |    :     | /___/ \ |    ' '
  |   :  | ; | ' ;    |.';  ; ;   \  \;      :
  .   |  ' ' ' : `----'  |  |  \   ;  `      |
  '   ;  \; /  |     '   :  ;   .   \    .\  ;
   \   \  ',  /      |   |  '    \   \   ' \ |
    ;   :    /       '   :  |     :   '  |--"
     \   \ .'        ;   |.'       \   \ ;
  www. `---` ver     '---' he       '---" ire.org


Welcome to OverTheWire!

If you find any problems, please report them to the #wargames channel on
discord or IRC.

--[ Playing the games ]--

  This machine might hold several wargames.
  If you are playing "somegame", then:

    * USERNAMES are somegame0, somegame1, ...
    * Most LEVELS are stored in /somegame/.
    * PASSWORDS for each level are stored in /etc/somegame_pass/.

  Write-access to homedirectories is disabled. It is advised to create a
  working directory with a hard-to-guess name in /tmp/.  You can use the
  command "mktemp -d" in order to generate a random and hard to guess
  directory in /tmp/.  Read-access to both /tmp/ is disabled and to /proc
  restricted so that users cannot snoop on eachother. Files and directories
  with easily guessable or short names will be periodically deleted! The /tmp
  directory is regularly wiped.
  Please play nice:

    * don't leave orphan processes running
    * don't leave exploit-files laying around
    * don't annoy other players
    * don't post passwords or spoilers
    * again, DONT POST SPOILERS!
      This includes writeups of your solution on your blog or website!

--[ Tips ]--

  This machine has a 64bit processor and many security-features enabled
  by default, although ASLR has been switched off.  The following
  compiler flags might be interesting:

    -m32                    compile for 32bit
    -fno-stack-protector    disable ProPolice
    -Wl,-z,norelro          disable relro

  In addition, the execstack tool can be used to flag the stack as
  executable on ELF binaries.

  Finally, network-access is limited for most levels by a local
  firewall.

--[ Tools ]--

 For your convenience we have installed a few useful tools which you can find
 in the following locations:

    * gef (https://github.com/hugsy/gef) in /opt/gef/
    * pwndbg (https://github.com/pwndbg/pwndbg) in /opt/pwndbg/
    * gdbinit (https://github.com/gdbinit/Gdbinit) in /opt/gdbinit/
    * pwntools (https://github.com/Gallopsled/pwntools)
    * radare2 (http://www.radare.org/)

--[ More information ]--

  For more information regarding individual wargames, visit
  http://www.overthewire.org/wargames/

  For support, questions or comments, contact us on discord or IRC.

  Enjoy your stay!

We may need bandit17's password in the next level, so let's find it.
Move to /etc/bandit_pass and read the file for the matching level to get the password!!

bandit17@bandit:/etc/bandit_pass$ cat bandit17
EReVavePLFHtFlFsjn3hyzMlvSuSAcRD