Level 16

Level Goal

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…

Commands you may need to solve this level

ssh, telnet, nc, openssl, s_client, nmap

Helpful Reading Material

Secure Socket Layer/Transport Layer Security on Wikipedia
OpenSSL Cookbook - Testing with OpenSSL

Once logged in as user bandit15, simply send the current level's password to local port 30001 using the openssl client:

bandit15@bandit:~$ echo "BfMYroe26WYalil77FoDi9qh59eK5xNr" | openssl s_client -connect localhost:30001 -ign_eof
CONNECTED(00000003)
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
---
Certificate chain
 0 s:/CN=localhost
   i:/CN=localhost
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICBjCCAW+gAwIBAgIEXcVbPTANBgkqhkiG9w0BAQUFADAUMRIwEAYDVQQDDAls
b2NhbGhvc3QwHhcNMjIwMzA5MTk0NzQyWhcNMjMwMzA5MTk0NzQyWjAUMRIwEAYD
VQQDDAlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALDCas6k
DHxTRoxVISHtXOeCwJ8Sax5BZN76Hle8AH6pYTAdv9/FRssWL1xppFAtiGnFvglu
95FJvHEQirY4F0oPBTbtGU2xhzZzkWRL5Yj2C3Q2c99cyh+uWQT7sXPtB8W1osPc
YIo83YkXiArpt28474ZYdl+ohbPtP1oQHBv3AgMBAAGjZTBjMBQGA1UdEQQNMAuC
CWxvY2FsaG9zdDBLBglghkgBhvhCAQ0EPhY8QXV0b21hdGljYWxseSBnZW5lcmF0
ZWQgYnkgTmNhdC4gU2VlIGh0dHBzOi8vbm1hcC5vcmcvbmNhdC8uMA0GCSqGSIb3
DQEBBQUAA4GBAC2693WiK/kXMCauf1fEg5DwuxIfm0saYKiLSceyZo1G4IggqOBO
9JCtvMIV/xRAmYEnPvJmf0JtYv+2fsicaPh9E1GRmU0vGoYDZzA7NTZOgRmHlRKe
ihh/XSGrY7tE1qU+EfizmhcB35iZ7W5INIKlu7oyBWcvk3rI4jtPQeZp
-----END CERTIFICATE-----
subject=/CN=localhost
issuer=/CN=localhost
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1019 bytes and written 269 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 438FCA6060EABD8C50F47DEAD17ABC0C1FDAEBF0EE5FC647B70D80EA4E357733
    Session-ID-ctx:
    Master-Key: FAC278321BAC83040B9A7118A717ACAA92158815C2BD2B8AF2B9C0BC02A0887687E47652C43A48596E20BE45F7BD47CB
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - d3 53 01 d9 4c 2e 82 50-ef 16 38 c5 d8 1b dd f2   .S..L..P..8.....
    0010 - 92 c7 6d 47 ea 82 e5 89-fb a2 34 f5 8d 27 c9 e6   ..mG......4..'..
    0020 - 43 b4 24 09 db 5a 7b 35-66 9f e5 62 ee a5 93 e3   C.$..Z{5f..b....
    0030 - a2 c6 c9 31 06 26 ec 6f-2d c0 ae 09 bb c1 af 05   ...1.&.o-.......
    0040 - df 98 59 d6 c4 a0 e1 50-f3 ed ec f0 1b f0 d2 99   ..Y....P........
    0050 - 5a c0 3e 50 e6 a0 97 4f-a3 c2 db 30 76 9b 10 7c   Z.>P...O...0v..|
    0060 - 98 e6 e8 37 89 9d 24 5a-f1 cf 96 9c 2e 6c 38 66   ...7..$Z.....l8f
    0070 - e8 e8 cf 48 b1 9f 64 7a-24 29 d5 c8 8e 52 65 a7   ...H..dz$)...Re.
    0080 - ed 5e f5 4f 4b 24 9d dc-1a e3 b7 da f9 7b f8 b4   .^.OK$.......{..
    0090 - bd d3 d7 4a 3c 6e 2b f2-0e 59 10 14 d7 a8 da d4   ...J<n+..Y......

    Start Time: 1647186315
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: yes
---
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd

closed

The password for the next level is therefore cluFn7wTiGryunymYOu4RcffSxQluehd

Note that the -ign_eof option is what lets you receive the server's text reply: without it, s_client closes the connection as soon as stdin reaches end of file (right after echo finishes), which can happen before the server has sent its answer.
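The same exchange written as a small Python client, as an added example that is not part of the original writeup. It mirrors the echo | openssl s_client command above: it disables certificate verification for the lab's self-signed certificate (the "verify error:num=18" seen in the session), sends the password followed by a newline, and then, like -ign_eof, keeps the connection open and reads until the server closes it. The reply format ("Correct!" followed by the next password on its own line) and the host, port and function names are assumptions taken from the captured session; the sample reply used in the parser is constructed.

```python
"""Python equivalent of:  echo "<password>" | openssl s_client -connect localhost:30001 -ign_eof

Added example, not code from the original writeup. Host, port and the
reply layout are assumed from the captured session on the page.
"""
import socket
import ssl
from typing import List, Optional


def lab_tls_context() -> ssl.SSLContext:
    """TLS context for the level's self-signed server (assumption: lab use only).

    The captured session shows 'verify error:num=18:self signed certificate',
    so hostname checking and chain verification are deliberately disabled here.
    Outside a throwaway lab this is exactly the setting you would not want.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def parse_reply(reply: bytes) -> Optional[str]:
    """Return the token on the line after 'Correct!', or None for any other reply.

    Assumed reply format (from the captured session): 'Correct!' on one line,
    the next level's password on the following line, then the connection closes.
    """
    lines: List[str] = [ln.strip() for ln in reply.decode("utf-8", "replace").splitlines()]
    for i, ln in enumerate(lines):
        if ln == "Correct!" and i + 1 < len(lines) and lines[i + 1]:
            return lines[i + 1]
    return None


def submit_password(password: str, host: str = "localhost", port: int = 30001,
                    timeout: float = 10.0) -> bytes:
    """Send one password line over TLS and return everything the server answers."""
    ctx = lab_tls_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(password.encode("utf-8") + b"\n")
            # Counterpart of -ign_eof: our input is exhausted, but we keep the
            # connection open and read until the server closes it.
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    # Run on the bandit host itself, as in the writeup.
    raw_reply = submit_password("BfMYroe26WYalil77FoDi9qh59eK5xNr")
    print(parse_reply(raw_reply) or "no password in reply:\n" + raw_reply.decode("utf-8", "replace"))
```

The parsing is kept separate from the network code so the "Correct!" / "Wrong!" handling can be checked on a captured reply without a live server; the verification settings live in their own function so it is obvious where the lab-only relaxation happens.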