Bandit Nmap
Start course
3h 8m

This course will walk you through a variety of exercises and techniques as part of a capture the flag (CTF) game called Bandit. This will make sure that you have the necessary skills in Linux in order to excel in penetration testing and privilege escalation.


Hi. We are currently in the Bandit 15 and we want to go to Bandit Level 16. So, I'm going to open the tips for the Level 16 and let's see what we have here. So, the password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption. So, this seems to be some kind of the same thing that we did previously. However, this time, we're going to have to use SSL encryption. And over here, we have an openssl as a tip. So, let me check the help of this openssl and I believe we don't have openssl help over here, so let me just say openssl -h. And, yeah, we cannot get that. Let me try like this man openssl.  Yeah. Here we go. So, if you cannot find the help documentation, you can always run man as in manual. Okay?

You can see the manual of the command that you're trying to run. So, here we go. Let's see how we can transfer any information or send that information to a port over here. Okay? And I haven't used this openssl in a while, at least in Kali Linux. Let me see if we can easily find the command that we need in order to send this too. So, here you go. We have a server over here, this implements a generic SSL server. I believe that's not the thing that we're looking for. We generally use openssl in order to configure SSL in our web server but over here, we need to do something else. Okay? So, let me hit 'Q' to quit over here. So, let's not waste time over here. I explicitly remember that we can do this with netcat, so I'm just going to search for SSL netcat over here and I believe I misspelled netcat. Yup. Here we go. So, I'm just going to open one of the things that I'm going to find over here like Connecting to HTTPS with netcat. Yup. Here you go. So, let's see if we can find the solution over here. Yeah, here we go. We can use the openssl I believe like this but it's going to be easier with netcat. So, let me try to find this. This is also piping into the openssl and it says that nc doesn't do https but I believe we can do https with netcat. So, it's piping the result to the openssl here. As you can see, it's trying to connect to that server, maybe we can try that. But here you go. We have ncat, which is kind of netcat. Let me see if we have ncat over here. So, like nmap but this is ncat. This is not nmap, okay? So, ncat --help. Here you go. We have ncat. So, let's scan this help documentation over here. It actually says ncat --ssl and here we go. We can connect or listen with SSL using ncat. So, this is what we need and it's going to be fairly easy. I won't spare time to learn about openssl over here, rather I'm just going to go with ncat. I'm going to say ncat and let me just come over here and see. So, it's port 30001. Okay? So, I'm going to do --ssl and localhost and 30001. So, let me try to paste the password for the level 15. Let's see if we can get back the level 16 password. Okay? I'm going to paste the selection over here and here we go. It gives us the password for the level 16. So, I'm going to copy this. I'm going to nano the password over there and I'm going to paste this and save it. Okay? So, here we go. So, let's try this. Let's see if we can get back from here. Yup, here we go. Let me just go to bandit16 and try to give the password that we have obtained. So, let's try this. Yeah, here we go. Let me just say paste selection and hit 'Enter' and we are inside of bandit16. So, next, let's go to the bandit17. So, from 16-17, let's see what we got here. So, credentials for the next level can be retrieved by submitting the password of the current level. So, here we go. Again, the same thing but this time, we are trying to find a port on localhost in the range from 31000-32000. First, find out which of these ports have a server listening on them. So, we don't know of the port yet. We have to find out some kind of listening ports over here and I believe you can understand what kind of thing, what kind of tool that we should use in this case. So, it's basically nmap, right? So, why do we use nmap? In order to find the services and the ports and the services that are running on this ports. So, in order to understand if these ports are open or closed. So, basically we're going to use the nmap. It's very obvious and we have the nmap as a tip in the command section here as well. So, I'm going to run nmap. Right? So, I believe you're familiar with that if you have taken this course. And we can just skip the parameters over here actually, just specify the port range and in order to do that we can use -p. And maybe you have done this before, maybe you haven't. Let me show you. I'm going to just run this against a localhost. Okay? So, we don't have to specify the IP number or something like that. If we do something like this -p-, it will scan all the ports but it will be a waste of time for us because we know the range. So, we know it's going to start from the 31000-32000. So, we can specify a range rather than scanning all the ports in this case; and in order to do that, just delete the second - and give the port range over here like this. So, it will start from 31000 and it will end in 32000. And as you can see, we get all these ports. Actually, we have only five ports opened over here and they are ready to listen. I believe all we have to do is to find out which of those speak SSL and which don't. And actually, we can run some other additional parameters in order to understand that using nmap like listen for services and stuff but we can just try it and see as well because there's only five. So, I'm going to run the same command that we have run in the previous lecture. So, I'm going to copy the level 15 over here. Okay? I'm going to copy this, not level 15, the level 16. I'm going to copy this. If I can, let me just select it one more time and right click and say 'Copy Selection.' Come back here and paste it over there. Let's see. Here we go. Yeah, we don't get back anything I believe. Let me try other things by 'Ctrl C.' Let me just go for 31518, paste selection. Yeah, it did give something back but it's the same thing. I believe this doesn't work as well. So, I'm going to 'Ctrl C' out of this and let's try the third one, 691, and let's paste the password over here and hit 'Enter'. Yeah, we didn't get anything back. So, let me try the fourth one. So, 790 and hit 'Enter,' paste the password over here and here we go. We get something back. It looks like an RSA key. So, let's see. There is only one server that will give the next credentials. So, it didn't give us the password but it gave us the RSA private key, which is exactly the same thing that we have done before. This is a private key. We can use this in order to connect to the next level. Right? So, all you got to do is actually copy this thing and create an SSH key for yourselves. So, let's do that. So, the main thing over here is to not omit anything in this key. So, you have to get everything in order to create your key, including this End RSA private key over here as well, right? So, take this from here just from like the end of this should be containing all the dashes and stuff as well. Begin RSA private key and End RSA private key. So, I'm going to go into, or you can just create it over here as well. Like in the Bandit folder, we don't have anything besides our password.txt. All you got to do is just to create a new file called privatekey17. Okay? And just paste the thing that you have copied and save it by 'Ctrl O' 'Enter' and 'Ctrl X'. So, here we go. Now, we have the private key over here like that privatekey17. I named it 17 because we are going to use it to connect it to the 17th. So, I'm going to cd into the Bandit folder because that's where our private key resides, right? So, what I'm going to do I'm going to run the ssh command and give the IParameter like we have done before. Remember the IParameter? So, I'm going to just run this. But rather than just saying bandit and something like that, let me change it to 17 and give the additional parameter of I with our private key over here. So, here we go. Now, if I hit 'Enter,' it won't ask me for a password because I have already supplied the credentials for that. So, it's asking for a password for some reason. Yeah, it says that your Permissions 06444 privatekey17 are too open. So, maybe you know about this stuff, this is the permission for the file itself. So, if you run ls -la, as you can see right now we have the read-write, read and read permissions over here. So, we're going to dive into that permissions later on and I believe you know about this stuff, I assume you know about this stuff. But for right now, I'm just going to change it to 444, chmod is going to do that for us. So, all you got to do is just run chmod 444 privatekey17. This will change the permission settings for this file. Over here, as you can see, it's a read-write execute, okay? And right now we have changed that. So, this is not going to be read-write execute. This is not even going to be read-write in this case. This is only going to be read only. Okay? So, 444 does that for us. And the four stands for the bit that is going to be supplying this logic to our file. So, if I run ssh privatekey17 one more time, let's see if we can go into. It says that connection closed by remote host. Let me just change it to 400 and only we can run this, only we can read this and nobody else. Let's see if this works or not. Okay? And here we go. So, all you got to do is just run chmod 400 on that. And if you don't know the logic behind this, don't worry, we're going to see it later on. And, of course, you can search for the chmod commands in Kali Linux in order to gain a broader understanding in YouTube or in any kind of tutorial online as well. Anyhow, before we go into the level 18, let's see if we can find the command that we have run before. I have written history because I wanted to find whether these passwords are saved on the server. I couldn't remember that. Remember we have found some passwords on the etc folder before, so I want to get the password for the bandit17 as well rather than only the private key because we are keeping a log in our own CTF folder and we may need it again. So, I'm going to try this right now. So, I believe it was bandit pass. Yeah, here we go. So, cat /etc/bandit pass and this time we're going to go for bandit14, not 14, we have gone for bandit14. But right now we're going to go for bandit17. So, the logic is, this is saved under the Bandit folder, bandit pass folder under etc but only if you're logged in, you can read it. So, we have got the password for the level 17 from here as well. Great. Now, it's time to go for level 18, but we're going to do that within the next lecture.


About the Author
Learning Paths

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.