{"id":1231,"date":"2019-09-09T13:19:56","date_gmt":"2019-09-09T05:19:56","guid":{"rendered":"http:\/\/van-yzt.com\/?p=1231"},"modified":"2019-09-09T13:19:56","modified_gmt":"2019-09-09T05:19:56","slug":"bandit-level-16-%e2%86%92-level-17-2","status":"publish","type":"post","link":"https:\/\/huzi-baozi.com\/?p=1231","title":{"rendered":"Bandit Level 16 \u2192 Level 17"},"content":{"rendered":"

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don\u2019t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.<\/p>\n

\n\u89e3\u5bc6<\/h2>\n
bandit15@bandit:~$ nmap -p31000-32000 localhost\n\nStarting Nmap 7.40 ( https:\/\/nmap.org ) at 2019-09-07 16:57 CEST\nNmap scan report for localhost (127.0.0.1)\nHost is up (0.00019s latency).\nNot shown: 999 closed ports\nPORT      STATE SERVICE\n31518\/tcp open  unknown\n31790\/tcp open  unknown\n\nNmap done: 1 IP address (1 host up) scanned in 0.07 seconds\n\nbandit15@bandit:~$ openssl s_client -host localhost -port 31790\n\n....\n\n---\ncluFn7wTiGryunymYOu4RcffSxQluehd\nCorrect!\n-----BEGIN RSA PRIVATE KEY-----\nMIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ\nimZzeyGC0gtZPGujUSxiJSWI\/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ\nJa6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE\/GL2GWyuKN0K5iCd5TbtJzEkQTu\nDSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q\/kALHYW3OekePQAzL0VUYbW\nJGTi65CxbCnzc\/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX\nx0YVztz\/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD\nKHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl\nJ9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd\nd8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC\nYNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A\nvLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama\n+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT\n8c8hAuRBb2G82so8vUHk\/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx\nSatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd\nHCctNi\/FwjulhttFx\/rHYKhLidZDFYeiE\/v45bN4yFm8x7R\/b0iE7KaszX+Exdvt\nSghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A\nR57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi\nTtiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ\/lemmEY5eTDAFMLy9FL2m9oQWCg\nR8VdwSk8r9FGLS+9aKcV5PI\/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu\nL8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni\nblh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq\/ZJQ7YfzOKU4ZxEnabvXnvWkU\nYOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a\/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM\n77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b\ndxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3\nvBgsyi\/sN3RqRBcGU40fOoZyfAMT8s1m\/uYv52O6IgeuZ\/ujbjY=\n-----END RSA PRIVATE KEY-----\n\nclosed\n\n<\/code><\/pre>\n
\n\u77e5\u8bc6\u70b9<\/h2>\n
    \n
  1. \nnmap<\/code>\u547d\u4ee4\u662f\u5f3a\u5927\u7684\u7f51\u7edc\u626b\u63cf\u5de5\u5177\uff0c\u5728\u8fd9\u91cc\u4f7f\u7528\u53c2\u6570-p<\/code>\u6765\u6307\u5b9a\u9700\u8981\u626b\u63cf\u7aef\u53e3\u7684\u533a\u95f4\u8303\u56f4\uff1b<\/li>\n
  2. \nopenssl s_client<\/code>\u7528\u4e8e\u5efa\u7acbTLS\u94fe\u63a5\uff1b<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"
    The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don\u2019t. There is only … <\/p>\n
    Continue reading “Bandit Level 16 \u2192 Level 17”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-1231","post","type-post","status-publish","format-standard","hentry","category-bandit"],"_links":{"self":[{"href":"https:\/\/huzi-baozi.com\/index.php?rest_route=\/wp\/v2\/posts\/1231","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/huzi-baozi.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/huzi-baozi.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/huzi-baozi.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/huzi-baozi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1231"}],"version-history":[{"count":1,"href":"https:\/\/huzi-baozi.com\/index.php?rest_route=\/wp\/v2\/posts\/1231\/revisions"}],"predecessor-version":[{"id":1232,"href":"https:\/\/huzi-baozi.com\/index.php?rest_route=\/wp\/v2\/posts\/1231\/revisions\/1232"}],"wp:attachment":[{"href":"https:\/\/huzi-baozi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1231"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/huzi-baozi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1231"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/huzi-baozi.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1231"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}