Objective:
Find the password to the next level
Intel Given:
- The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
- Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -quiet and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…
How to:
Let’s take a quick moment to discuss note taking. When infiltrating a network, note taking is EXTREMELY important. It’s often easy to get lost and confused in the mix of things. This is an example of what my notes look like when I’m doing these exercises/pen-testing.
So because we took such excellent notes of all our clues beforehand, we know that our password is probably where the other account passwords are…right?
So we now know the password we need to submit, but how do we submit our password using SSL via the command line?
Let’s take a step back and briefly discuss what SSL, or Secure Sockets Layer, is. To oversimplify, SSL is an encrypted link between a client and a server. If someone were to intercept traffic between the client and server, it would be unreadable. The server presents a certificate that is trusted either by the client directly or by a third party the client trusts. A key is then exchanged, and the client and server communicate over an authenticated, encrypted connection. More detail on how SSL works can be found here.
So we need to connect to localhost on port 30001 via SSL. There is no trickery here; we’re simply going to execute the command that allows us to utilize SSL. openssl is a tool that exposes OpenSSL’s crypto library, which for us means that we can use it as an SSL/TLS client. If you look at the command below it looks like I’m invoking two commands, ‘openssl’ as well as ‘s_client’; this is because we’re using the s_client command within openssl to create a generic SSL/TLS client connection to a “remote server”. I put “remote server” in quotes because we’re technically just connecting back to ourselves, to an SSL service on port 30001. If you execute the command below without the -quiet switch you will be able to connect to the service. However, when you input the password for Bandit 15 you’ll find that you get two messages, “HEARTBEATING” and “read R BLOCK”, instead of the password for level 16. The switch ‘-quiet’, according to the man page, “inhibits printing of session and certificate information and will also inhibit shutting down the connection when end of file is reached in the input”.
So what does this mean for us? I’ll be honest. I don’t have a clue; I speculate that it’s because our password begins with the letter B that the connection will be torn down. If you read the man page for s_client, the letters Q or R will also have a similar effect. Undocumented bug/capability? Either way, affixing the -quiet switch will provide us with a prompt that will allow us to enter our level 15 password.
Note: There is a way to send our password into our openssl command without the need for copy and paste. Please comment below if you know the answer! HINT
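As an added example (not code from the original post), here is a small POSIX shell wrapper around the s_client invocation discussed above. It checks whether a password would collide with s_client’s connected-command letters, builds the -quiet command line for localhost:30001, and shows the non-interactive submission via a pipe that the note hints at. The password value in the usage comment is a placeholder, not the real one.

```shell
#!/bin/sh
# Added example for the Bandit 15 walkthrough; not part of the original post.

# In interactive mode (no -quiet / -ign_eof), s_client treats a stdin line
# whose first character is 'Q', 'R' or 'B' as a connected command (quit,
# renegotiate, heartbeat) instead of sending it to the server. Returns 0 if
# the given password would be swallowed that way, 1 otherwise.
needs_ign_eof() {
  case "$1" in
    Q*|R*|B*) return 0 ;;
    *)        return 1 ;;
  esac
}

# Build the s_client command line for a host and port. -quiet suppresses the
# session/certificate chatter and implies -ign_eof, which disables the
# command letters and keeps the socket open until the server closes it.
build_submit_cmd() {
  printf 'openssl s_client -quiet -connect %s:%s' "$1" "$2"
}

# Submit the password without copy and paste: feed it on stdin so s_client
# never shows an interactive prompt. printf adds the newline the service
# expects after the password. Certificate errors are left out of the output.
submit_password() {
  host=$1; port=$2; password=$3
  printf '%s\n' "$password" | openssl s_client -quiet -connect "$host:$port" 2>/dev/null
}

# Usage (placeholder password; the real level 15 password is not on this page):
# submit_password localhost 30001 'LEVEL15_PASSWORD_PLACEHOLDER'
```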
Conclusion:
A very brief introduction to SSL/TLS was given, as well as the method to connect to an SSL/TLS service running on a remote server with the s_client function. We also needed to do a bit of troubleshooting to figure out why our command wouldn’t work without the -quiet switch. Finally, I left off with a very small amount of extra credit to see if you’ve been paying attention to the previous lessons.