ctf_aria

write up ctf by ariafatah

---

Project maintained by ariafatah0711 Hosted on GitHub Pages — Theme by mattgraham

‹ 13 14 15 16 17 ›

soal

The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

ssh

sshpass -p "MU4VWeTyJk8ROof1qqmcBPaLh7lDCPvS" ssh -o StrictHostKeyChecking=no bandit14@bandit.labs.overthewire.org -p 2220

solve

## netcat / nc
echo "MU4VWeTyJk8ROof1qqmcBPaLh7lDCPvS" | nc localhost 30000
# Correct!
# 8xCjnmgoKbGLhHFAZlGE5Tmu4M2tKJQo

## telnet
telnet localhost 30000
# Trying 127.0.0.1...
# Connected to localhost.
# Escape character is '^]'.
MU4VWeTyJk8ROof1qqmcBPaLh7lDCPvS
# Correct!
# 8xCjnmgoKbGLhHFAZlGE5Tmu4M2tKJQo

# Connection closed by foreign host

## sockat
echo "MU4VWeTyJk8ROof1qqmcBPaLh7lDCPvS" | socat - TCP:localhost:30000
# Correct!
# 8xCjnmgoKbGLhHFAZlGE5Tmu4M2tKJQo

another option but didn’t work

# curl for POST web
curl -X POST -d "data" http://localhost:3000

# curl if not web
curl telnet://localhost:3000 --data "data"

# bash /dev/tcp
echo "data" > /dev/tcp/localhost/3000

# openssl
echo "data" | openssl s_client -connect localhost:3000 # only secure layer (ssl/tls)

• or you can use python but here after i tried it it didn’t work

    import socket
  
    HOST = 'localhost'
    PORT = 3000
    data = "data"
  
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.connect((HOST, PORT))
        s.sendall(data.encode())
        response = s.recv(1024)
        print("Received:", response.decode())
  

flag

8xCjnmgoKbGLhHFAZlGE5Tmu4M2tKJQo