Alright, welcome back everyone. Hope you're enjoying this series on the OverTheWire Bandit wargame. My name is John Hammond, and let's jump right back in. We were at level 15 just previously, finished up 14, which is a small netcat connection. Now we're going to be doing kind of the same thing, but connecting through SSL, through a secured, encrypted layer. So let's get to level 15 with the passwords we have saved in the file, using sshpass, and using the correct user for the SSH connection. So, nothing in the home directory, because it says in the prompt here: the password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

So, netcat is normally how we would use a pretty simple, easy raw-sockets connection for just a TCP or UDP port or service. When we're using SSL, we do it in a different way. And I could Google around, and I guess I suppose I will, how to do this: OpenSSL, connect to SSL. And I can show you, okay, you can Google around for how to connect to these things, and you can see the example syntax. And this is exactly what I needed to tell you, because I feel bad that this is like a, hey, you just got to remember the syntax. But you literally, you literally just have to memorize that these are the words that make you connect with SSL. You just need your hostname and port, like usual, like you would for any regular netcat connection, but you use openssl s_client to connect, and then you just use your hostname and port number. That's all. So let's rock through this. Like, this isn't going to be hard now that we know that syntax. Let's get our current password, right, bandit_pass for bandit15. We can read that; that's our password. And let's openssl s_client, s underscore client, tack connect, to localhost.
And this is the weird one, because, not like SSH where it needs tack p, not like netcat where it doesn't need anything, but it needs a colon to denote the port number that you want to use, just like you'd normally see in a web browser. So, gross, got a lot of stuff. Huh. What is our output? Did we get anything? Let's check out what it says here. It says, oh, if you're getting HEARTBEATING, try using -ign_eof. Okay. Let's ignore end of file with that, -ign_eof. And okay, cool. That just spits it out for us. That is the password for the next level. Let's jump, put it in bandit16. And we can keep cruising. Put that one in your back pocket: openssl s_client -connect. I don't do that practically ever. This is in fact the only CTF cybersecurity thing where I've ever had to do that, but it's a neat thing to know, if you need that, making SSL connections, stuff like that. All right.

17: the credentials for the next level can be retrieved by submitting the password of the current level to a port on this computer ranging from 31000 to 32000. Find out which of these ports have a server, and then find out which of these speak SSL and which don't. Hmm. Okay. Well, we could use netcat and just try and brute-force everything from 31000 to 32000, but that would be kind of gross and messy. So the other option, something that it kind of suggests here in the "commands you may need to solve this level" section, is nmap. So if you haven't used nmap before, it's awesome, and you totally should. It is a network mapper, network scanner. It'll find open ports and stuff like that. I won't go into the details on it, but we will use it to poke at our website, or not our website, but our server, the server here, and see what we have open. So it is installed right now. I don't think it's usually installed by default. I could be wrong. So nmap, the host that we want, localhost. And if you wanted to, you can check the man page to see how this really goes through.
But you do need to specify the hostname, obviously. And then if you want to specify more ports, like, we can use a port range or something, you can see it takes tack p. And if you wanted to go through specific numbers, you can use that number through, like, start and stop. So let's try that. Let's try nmap localhost, 31000. I'll tack p, sorry, -p 31000-32000. And we get results just like that. There aren't a whole lot here. So I'm going to be okay with just trying these one by one, if you're cool with that. Let's get our password for one thing: bandit_pass, bandit16. Now let's pump that to openssl s_client -connect localhost with that port number. Let's make sure we include our ignore end of file, or -ign_eof. Doesn't look like that happened. Okay, let's try the next one. Doesn't seem to work either. We're just kind of expecting the password, right? So let's try again. If you know a smarter way to determine this, hey, please fill me in. Okay, that didn't connect. So that probably, again, doesn't. Maybe, maybe that's not speaking SSL, like the first one or something. Let's check the next one. Getting pretty close to the end here. So one of these has got to be it. Oh, hey, okay. Correct. Now we have an RSA private key.

Okay, let's use this to connect to bandit17. It's 17. Let's save this in our home directory on our server, on our own computer. And now we've got to use that as our special key, right? bandit17, bandit.labs.overthewire. Remember, I'm doing that with just a tack i flag and an argument. Oh, we need to chmod that file, change the permissions so only we can read it, no one else. Now it'll be okay to use. We'll go ahead and have a, oh, we aren't connecting. What? We may only be able to use that, like, from that server. Maybe, maybe it won't accept remote locations. So let's put this in our, in our temp file. I totally broke it. No, no, no. Into 27.
Or did I, did I not go into, I don't need, I don't need, like, those write permissions. I'll just do it with vi. i, paste, :wq. So I just used Vim or vi, and then I hit i to insert. I pasted it in, and then you would Escape to get back into edit mode, and then colon wq to save. Oh, let's save this as bandit17. Why can I not open this file? Oh, I don't own this directory. Duh, because I made this directory as another user. So, okay, let's make directory, temp, john2. Goodness gracious, guys. I'm so sorry. I wasted all your time. Now we can use nano for real, properly paste it here. And now let's try an ssh tack i bandit17, using bandit17 at localhost. Yes, I want to do it. Let's change these permissions so only we can read it. And let's connect. Please work. Yay. Okay, cool. bandit17.

Now, what is this challenge? Two files in the home directory, passwords.old and passwords.new. The password for the next level is in passwords.new, and it's the only line that's been changed. Okay. How, how big are these files? Not too huge, but still, tracking them down, tracking down the difference would be kind of hard to do manually. So the commands you may need to solve this level, there's one peculiar, one peculiar command that you might be able to see, called diff. And that will probably tell you the differences between two files. You can check the man page if you haven't done it before, but it'll compare files line by line, which sounds like exactly what we need. And you can compare any files that you pass as arguments. So let's diff passwords.old and have it compared to passwords.new. So it looks like the new file is on the right; that's what these arrows are trying to say: the new has been changed to this. And that's the only line that has been changed. So this must be what we need. Let's just throw this in bandit18 and break out of all these connections. And let's try to connect to bandit18, now that we've done that. And we're in. Oh, okay. It says "Byebye!"
And we're immediately kicked out. What's going on? It says, if you solve this level and see "Byebye!" when trying to log in, this is the next level. Okay, sweet. Let's try this. The password for the next level is in a readme file in the home directory, but someone has modified the .bashrc file to log you out when you log in with SSH. So a .bashrc file is what happens, like, immediately, like, once you have the bash program started, like, once you have a shell, it'll automatically execute the things in that script. So if it's trying to log us out immediately, we don't really get a shell. But we can get around this, because SSH will allow us to run commands. Really, once we have our connection, without being in the shell, you can actually pass these as an argument. So you may not be able to see, but I'm at the very, very end of my line here. If I were to say cat readme, or any other command, just like id, you can see the command output just like that, before we're at our shell, and we're immediately back to where we were before. We didn't keep a persistent connection. We just ran that command. sshpass will handle this as well. So we can just say cat readme as the command that we want to run at the very, very end. And now we've got our password. Cool. Let's put this at bandit19. And we are moving.

Great. Thanks for watching, guys. Hope you're enjoying these. We don't need to actually cat anything else now once we're connected, but we want to make sure we are connected. And we got level 19. Alright, see you in the next video, guys. We'll jump in pretty soon.
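The "try each port by hand" loop for level 16 and the diff trick for level 17, as one added bash example. This is not code from the video or from OverTheWire; it is an editor's addition that goes a step past what the transcript shows by automating the port check. It assumes nmap, openssl, timeout and diff are on PATH, that the target host, port range and current password are passed in as arguments, and that the nmap output and password files used for the offline checks are constructed samples (not real Bandit output, port numbers invented).

```bash
#!/usr/bin/env bash
# Added example, not from the video. Helpers for Bandit 16 (find the open
# ports in a range, keep only those that complete a TLS handshake, submit the
# password to them) and Bandit 17 (pull the one changed line out of a diff).
set -euo pipefail

# Extract open TCP ports from nmap's greppable output (-oG). The Ports: field
# looks like "31001/open/tcp//echo///, 31002/closed/tcp/////, ...".
open_ports_from_nmap_grepable() {
    grep -o '[0-9]\+/open/tcp' | cut -d/ -f1
}

# Constructed sample of -oG output (invented ports, not real Bandit data),
# used so the parser can be exercised without scanning anything.
SAMPLE_NMAP_GREPABLE='Host: 127.0.0.1 (localhost) Ports: 31001/open/tcp//echo///, 31002/closed/tcp/////, 31500/open/tcp//ssl|echo//, 31999/open/tcp//ssl|echo// Ignored State: closed (997)'

sample_open_ports() {
    printf '%s\n' "$SAMPLE_NMAP_GREPABLE" | open_ports_from_nmap_grepable
}

# Return 0 if host:port completes a TLS handshake, 1 otherwise. With stdin at
# EOF and no -ign_eof, s_client exits right after the handshake; a plain-TCP
# service (e.g. echo) makes it fail with "wrong version number". The timeout
# stops a silent listener from hanging the loop.
tls_speaks() {
    local host="$1" port="$2"
    timeout 5 openssl s_client -connect "$host:$port" </dev/null >/dev/null 2>&1
}

# Send the current password over TLS and print whatever the server answers.
# -ign_eof is the flag the level hints at: without it s_client can quit on
# stdin EOF before the reply arrives. -quiet drops the certificate chatter.
submit_password() {
    local host="$1" port="$2" password="$3"
    printf '%s\n' "$password" |
        timeout 10 openssl s_client -connect "$host:$port" -ign_eof -quiet 2>/dev/null
}

# Bandit 17: "> " lines in diff output are the lines present only in the new
# file. diff exits 1 when the files differ, which is the expected case, so
# that status is tolerated under pipefail.
changed_line() {
    local old="$1" new="$2"
    { diff "$old" "$new" || [ $? -eq 1 ]; } | sed -n 's/^> //p'
}

# Usage: main <host> <low-port> <high-port> <current-password>
main() {
    local host="$1" lo="$2" hi="$3" password="$4" port
    for port in $(nmap -p "$lo-$hi" -oG - "$host" | open_ports_from_nmap_grepable); do
        if tls_speaks "$host" "$port"; then
            echo "port $port speaks TLS, submitting password" >&2
            submit_password "$host" "$port" "$password"
        else
            echo "port $port: no TLS handshake, skipping" >&2
        fi
    done
}

if [ $# -eq 4 ]; then
    main "$@"
fi
```

Run it from the Bandit box as `bash probe.sh localhost 31000 32000 "$(cat /etc/bandit_pass/bandit16)"`; the TLS port that answers with an echo of your password is the wrong one, the one that returns an RSA private key is the way into bandit17. For level 17, `changed_line passwords.old passwords.new` prints just the replaced line.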