ctf_aria

write up ctf by ariafatah

---

Project maintained by ariafatah0711 Hosted on GitHub Pages — Theme by mattgraham

‹ 15 16 17 18 19 ›

soal

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000.
First find out which of these ports have a server listening on them. Then find out which of those speak SSL/TLS and which don’t.
There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

ssh

sshpass -p "kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx" ssh -o StrictHostKeyChecking=no bandit16@bandit.labs.overthewire.org -p 2220

solve

check the port open with nmap

nmap -p 31000-32000 localhost
# Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-09 13:14 UTC
# Nmap scan report for localhost (127.0.0.1)
# Host is up (0.00013s latency).
# Not shown: 995 closed tcp ports (conn-refused)
# PORT      STATE    SERVICE
# 31046/tcp open     unknown
# 31518/tcp open     unknown
# 31691/tcp open     unknown
# 31700/tcp filtered unknown
# 31790/tcp open     unknown
# 31960/tcp open     unknown

# Nmap done: 1 IP address (1 host up) scanned in 1.26 seconds

echo "kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx" | ncat --ssl localhost 31046
# Ncat: Input/output error.

echo "kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx" | ncat --ssl localhost 31518
# kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx
## this cred for bandit16

echo "kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx" | ncat --ssl localhost 31691
# Ncat: Input/output error.

echo "kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx" | ncat --ssl localhost 31790
# Correct!
# -----BEGIN RSA PRIVATE KEY-----
# MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
# ...
# -----END RSA PRIVATE KEY-----

login with id_rsa

workdir=$(mktemp -d)
cd $workdir
# vi id_rsa
echo "kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx" | ncat --ssl localhost 31790 > id_rsa

ssh -i id_rsa bandit17@localhost -p 2220
# Permissions 0664 for 'id_rsa' are too open.

# if u got error WARNING: UNPROTECTED PRIVATE KEY FILE!
# change the private key permissions 600 (user:read, group:no, other:no)
chmod 600 id_rsa
## ur need delete permission for group and other
## and minimal permission read

ssh -i id_rsa bandit17@localhost -p 2220

cat /etc/bandit_pass/bandit17
# EReVavePLFHtFlFsjn3hyzMlvSuSAcRD

flag

EReVavePLFHtFlFsjn3hyzMlvSuSAcRD