bandit13——>bandit14
Level hint: The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on
According to the hint, the password can only be read after logging in as user bandit14, and we are given an SSH private key, so we can log in with ssh -i, which specifies the private key to use. Once logged in, the password is stored in /etc/bandit_pass/bandit14, as the hint says; just read that file.
bandit14——>bandit15
Level hint: The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
According to the hint, we need to submit the password to port 30000 on localhost, so we connect to the port with telnet and send the password over.
bandit15——>bandit16
Level hint: The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…
Based on the hint, the following command can be used:
openssl s_client -ign_eof -connect localhost:30001
bandit16——>bandit17
Level hint: The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
According to the hint, only one server in the range 31000-32000 is the one we are looking for; nmap can be used to scan the ports.
The scan shows that two ports are open; next, test which of them supports SSL.
openssl s_client -connect localhost:31518
openssl s_client -connect localhost:31790
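Testing shows that 31790 works. What it returns is a private key; save it to a file, ssh.priv. Because of permission restrictions, a directory has to be created under /tmp before the file can be written.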
mkdir /tmp/b16
cd /tmp/b16
nano ssh.priv
chmod 600 ssh.priv
ssh -i ./ssh.priv bandit17@localhost
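The two steps of this level (find which ports in the range have a listener, then find which of those speak SSL) can also be done in one pass. The script below is an added example, not part of the original write-up; the function names classify_port and scan_range are hypothetical, and certificate verification is switched off on the assumption that the target is a local lab service with a self-signed certificate.

```python
import socket
import ssl


def classify_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'closed', 'plain' or 'tls' for one TCP port."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"  # refused, unreachable or timed out: no listener
    # Assumption: local lab service with a self-signed certificate, so we
    # only ask "does a TLS handshake complete?" and skip verification.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.version()  # handshake already finished inside wrap_socket
        return "tls"
    except OSError:
        # ssl.SSLError, resets and timeouts are all OSError subclasses:
        # something is listening, but it did not complete a TLS handshake.
        return "plain"
    finally:
        sock.close()  # harmless if wrap_socket already took over the fd


def scan_range(host: str, ports, timeout: float = 2.0) -> dict:
    """Map every listening port in `ports` to 'plain' or 'tls'."""
    results = {}
    for port in ports:
        state = classify_port(host, port, timeout)
        if state != "closed":
            results[port] = state
    return results


if __name__ == "__main__":
    # Port range taken from the level hint.
    for port, state in sorted(scan_range("localhost", range(31000, 32001)).items()):
        print(f"{port}\t{state}")
```

A port reported as tls is the one to connect to with openssl s_client, as in the commands above.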
bandit17——>bandit18
Level hint: There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new
NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19
Based on the hint, we need to use