1.

nmap
bandit13@bandit:~$ nmap -sT localhost
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 06:39 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00034s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
1111/tcp open lmsocialserver
1840/tcp open netopia-vo2
4321/tcp open rwhois
8000/tcp open http-alt
30000/tcp open ndmps

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

bandit13@bandit:~$

//
___________________________________________________________________________________
___________________
// Level 13 PWD : wbWdlBxEir4CaE8LaPhauuOo6pwRmrDw
//
___________________________________________________________________________________
___________________

2. ssh
SSH 공개키 접속
//.1 클라이언트 키 쌍 생성
아래 명령어를 이용하여 RSA 알고리즘 키 쌍 생성
$ ssh-keygen -t rsa
별 다른 설정이 필요하지 않으므로, 엔터를 계속 누르면 현재 로그인되어있는 사용자의 홈디렉토리 .ssh 폴더 밑에 키 쌍이 생성 됨

//.2 공개키 전송
리눅스계열에서는 공개키를 복사하는 명령어 ssh-copy-id 를 사용

$ ssh-copy-id USER@remote-host
예) $ ssh-copy-id [email protected]
-i 옵션을 사용하지 않으면, 현재 로그인 되어있는 계정의 .ssh/id_rsa.pub 파일을 전송 (기본값)
공개키 파일이 다른 경로에 있다면 -i 옵션을 이용하여 별도의 경로를 지정해야 함
$ ssh-copy-id -i /home/test/key/key.pub [email protected]
윈도우에서는 ssh 와 cat 을 이용한 명령어 조합을 이용

type $env:공개키경로 | ssh USER@remote-host "cat >> .ssh/authorized_keys"

예) type $env:C:\Users\LDB.ssh\id_rsa.pub | ssh [email protected] "cat >>
.ssh/authorized_keys"
//.3 로그인
공개키 방식으로 SSH 접속 시 -i 옵션 생략 시, 아래 경로에 있는 개인키로 접속을 시도

윈도우: USER_NAME\.ssh\id_rsa
리눅스: USER_NAME/.ssh/id_rsa
만약 개인키의 위치가 다르거나 AWS 의 pem 파일인 경우 -i 옵션 이용

$ssh -i KEY_PATH\key.pem USER@remote-host

$ssh -i KEY_PATH\id_rsa USER@remote-host

//
___________________________________________________________________________________
___________________
login as: bandit13
Pre-authentication banner message from server:
| _ _ _ _
| | |__ __ _ _ __ __| (_) |_
| | '_ \ / _` | '_ \ / _` | | __|
| | |_) | (_| | | | | (_| | | |_
| |_.__/ \__,_|_| |_|\__,_|_|\__|
|
|
| This is an OverTheWire game server.
| More information on http://www.overthewire.org/wargames
|
End of banner message from server
[email protected]'s password:

,----.. ,----, .---.

/ / \ ,/ .`| /. ./|
/ . : ,` .' : .--'. ' ;
. / ;. \ ; ; / /__./ \ : |
. ; / ` ; .'___,/ ,' .--'. ' \' .
; | ; \ ; | | : | /___/ \ | ' '
| : | ; | ' ; |.'; ; ; \ \; :
. | ' ' ' : `----' | | \ ; ` |
' ; \; / | ' : ; . \ .\ ;
\ \ ', / | | ' \ \ ' \ |
; : / ' : | : ' |--"
\ \ .' ; |.' \ \ ;
www. `---` ver '---' he '---" ire.org

Welcome to OverTheWire!

If you find any problems, please report them to the #wargames channel on
discord or IRC.

--[ Playing the games ]--

This machine might hold several wargames.

If you are playing "somegame", then:

* USERNAMES are somegame0, somegame1, ...

* Most LEVELS are stored in /somegame/.
* PASSWORDS for each level are stored in /etc/somegame_pass/.

Write-access to homedirectories is disabled. It is advised to create a

working directory with a hard-to-guess name in /tmp/. You can use the
command "mktemp -d" in order to generate a random and hard to guess
directory in /tmp/. Read-access to both /tmp/ is disabled and to /proc
restricted so that users cannot snoop on eachother. Files and directories
with easily guessable or short names will be periodically deleted! The /tmp
directory is regularly wiped.
Please play nice:

* don't leave orphan processes running

* don't leave exploit-files laying around
* don't annoy other players
* don't post passwords or spoilers
 * again, DONT POST SPOILERS!
This includes writeups of your solution on your blog or website!

--[ Tips ]--

This machine has a 64bit processor and many security-features enabled

by default, although ASLR has been switched off. The following
compiler flags might be interesting:

-m32 compile for 32bit

-fno-stack-protector disable ProPolice
-Wl,-z,norelro disable relro

In addition, the execstack tool can be used to flag the stack as

executable on ELF binaries.

Finally, network-access is limited for most levels by a local

firewall.

--[ Tools ]--

For your convenience we have installed a few useful tools which you can find
in the following locations:

* gef (https://github.com/hugsy/gef) in /opt/gef/

* pwndbg (https://github.com/pwndbg/pwndbg) in /opt/pwndbg/
* peda (https://github.com/longld/peda.git) in /opt/peda/
* gdbinit (https://github.com/gdbinit/Gdbinit) in /opt/gdbinit/
* pwntools (https://github.com/Gallopsled/pwntools)
* radare2 (http://www.radare.org/)

Both python2 and python3 are installed.

--[ More information ]--

For more information regarding individual wargames, visit

http://www.overthewire.org/wargames/

For support, questions or comments, contact us on discord or IRC.

Enjoy your stay!

bandit13@bandit:~$ ls -al
total 24
drwxr-xr-x 2 root root 4096 Apr 23 18:04 .
drwxr-xr-x 70 root root 4096 Apr 23 18:05 ..
-rw-r--r-- 1 root root 220 Jan 6 2022 .bash_logout
-rw-r--r-- 1 root root 3771 Jan 6 2022 .bashrc
-rw-r--r-- 1 root root 807 Jan 6 2022 .profile
-rw-r----- 1 bandit14 bandit13 1679 Apr 23 18:04 sshkey.private

bandit13@bandit:~$ nmap -v localhost

Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-18 06:59 UTC
Initiating Ping Scan at 06:59
Scanning localhost (127.0.0.1) [2 ports]
Completed Ping Scan at 06:59, 0.00s elapsed (1 total hosts)
Initiating Connect Scan at 06:59
Scanning localhost (127.0.0.1) [1000 ports]
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 4321/tcp on 127.0.0.1
Discovered open port 1840/tcp on 127.0.0.1
Discovered open port 8000/tcp on 127.0.0.1
Discovered open port 1111/tcp on 127.0.0.1
Discovered open port 30000/tcp on 127.0.0.1
Completed Connect Scan at 06:59, 0.04s elapsed (1000 total ports)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
1111/tcp open lmsocialserver
1840/tcp open netopia-vo2
4321/tcp open rwhois
8000/tcp open http-alt
30000/tcp open ndmps
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

bandit13@bandit:~$ ssh -i sshkey.private bandit14@localhost -p 2220 ====> 2220 은

반딧 호스트 ssh 포트 No
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can't be
established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/home/bandit13/.ssh' (Permission denied).
Failed to add the host to the list of known hosts
(/home/bandit13/.ssh/known_hosts).
_ _ _ _
| |__ __ _ _ __ __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|

This is an OverTheWire game server.

More information on http://www.overthewire.org/wargames

!!! You are trying to log into this SSH server with a password on port 2220 from
localhost.
!!! Connecting from localhost is blocked to conserve resources.
!!! Please log out and log in again.

,----.. ,----, .---.

/ / \ ,/ .`| /. ./|
/ . : ,` .' : .--'. ' ;
. / ;. \ ; ; / /__./ \ : |
. ; / ` ; .'___,/ ,' .--'. ' \' .
; | ; \ ; | | : | /___/ \ | ' '
| : | ; | ' ; |.'; ; ; \ \; :
. | ' ' ' : `----' | | \ ; ` |
 ' ;
\; / | ' : ; . \ .\ ;
\ \
', / | | ' \ \ ' \ |
; : / ' : | : ' |--"
\ \ .' ; |.' \ \ ;
www. `---` ver '---' he '---" ire.org

Welcome to OverTheWire!

If you find any problems, please report them to the #wargames channel on
discord or IRC.

--[ Playing the games ]--

This machine might hold several wargames.

If you are playing "somegame", then:

* USERNAMES are somegame0, somegame1, ...

* Most LEVELS are stored in /somegame/.
* PASSWORDS for each level are stored in /etc/somegame_pass/.

Write-access to homedirectories is disabled. It is advised to create a

working directory with a hard-to-guess name in /tmp/. You can use the
command "mktemp -d" in order to generate a random and hard to guess
directory in /tmp/. Read-access to both /tmp/ is disabled and to /proc
restricted so that users cannot snoop on eachother. Files and directories
with easily guessable or short names will be periodically deleted! The /tmp
directory is regularly wiped.
Please play nice:

* don't leave orphan processes running

* don't leave exploit-files laying around
* don't annoy other players
* don't post passwords or spoilers
* again, DONT POST SPOILERS!
This includes writeups of your solution on your blog or website!

--[ Tips ]--

This machine has a 64bit processor and many security-features enabled

by default, although ASLR has been switched off. The following
compiler flags might be interesting:

-m32 compile for 32bit

-fno-stack-protector disable ProPolice
-Wl,-z,norelro disable relro

In addition, the execstack tool can be used to flag the stack as

executable on ELF binaries.

Finally, network-access is limited for most levels by a local

firewall.

--[ Tools ]--

For your convenience we have installed a few useful tools which you can find
in the following locations:

* gef (https://github.com/hugsy/gef) in /opt/gef/

 * pwndbg (https://github.com/pwndbg/pwndbg) in /opt/pwndbg/
* peda (https://github.com/longld/peda.git) in /opt/peda/
* gdbinit (https://github.com/gdbinit/Gdbinit) in /opt/gdbinit/
* pwntools (https://github.com/Gallopsled/pwntools)
* radare2 (http://www.radare.org/)

Both python2 and python3 are installed.

--[ More information ]--

For more information regarding individual wargames, visit

http://www.overthewire.org/wargames/

For support, questions or comments, contact us on discord or IRC.

Enjoy your stay!

bandit14@bandit:~$ ls -al
total 24
drwxr-xr-x 3 root root 4096 Apr 23 18:04 .
drwxr-xr-x 70 root root 4096 Apr 23 18:05 ..
-rw-r--r-- 1 root root 220 Jan 6 2022 .bash_logout
-rw-r--r-- 1 root root 3771 Jan 6 2022 .bashrc
-rw-r--r-- 1 root root 807 Jan 6 2022 .profile
drwxr-xr-x 2 root root 4096 Apr 23 18:04 .ssh
bandit14@bandit:~$ cd .ssh
bandit14@bandit:~/.ssh$ ls -al
total 12
drwxr-xr-x 2 root root 4096 Apr 23 18:04 .
drwxr-xr-x 3 root root 4096 Apr 23 18:04 ..
-rw-r----- 1 bandit14 bandit14 396 Apr 23 18:04 authorized_keys
bandit14@bandit:~/.ssh$ ls -al authorized_keys
-rw-r----- 1 bandit14 bandit14 396 Apr 23 18:04 authorized_keys

bandit14@bandit:~/.ssh$ cd ~
bandit14@bandit:~$ ls -al
total 24
drwxr-xr-x 3 root root 4096 Apr 23 18:04 .
drwxr-xr-x 70 root root 4096 Apr 23 18:05 ..
-rw-r--r-- 1 root root 220 Jan 6 2022 .bash_logout
-rw-r--r-- 1 root root 3771 Jan 6 2022 .bashrc
-rw-r--r-- 1 root root 807 Jan 6 2022 .profile
drwxr-xr-x 2 root root 4096 Apr 23 18:04 .ssh
bandit14@bandit:~$ nmap localhost
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-18 07:05 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00016s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
1111/tcp open lmsocialserver
1840/tcp open netopia-vo2
4321/tcp open rwhois
8000/tcp open http-alt
30000/tcp open ndmps --> nc 명령포트 (브로커포트)

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds

bandit14@bandit:~$ cd /etc
bandit14@bandit:/etc$ cd bandit_pass
bandit14@bandit:/etc/bandit_pass$ ls
bandit0 bandit13 bandit18 bandit22 bandit27 bandit31 bandit6
bandit1 bandit14 bandit19 bandit23 bandit28 bandit32 bandit7
bandit10 bandit15 bandit2 bandit24 bandit29 bandit33 bandit8
bandit11 bandit16 bandit20 bandit25 bandit3 bandit4 bandit9
bandit12 bandit17 bandit21 bandit26 bandit30 bandit5
bandit14@bandit:/etc/bandit_pass$ file bandit14
bandit14: ASCII text
bandit14@bandit:/etc/bandit_pass$

//
___________________________________________________________________________________
___________________
3. nc 명령어
Localhost 는 호스트 이름이고 IP 주소는 '127.0.0.1'입니다. 이러한 서비스를 실행하는 동일한 장치에서 네트워크 서비스에 액세스하는
데 사용됩니다.

nc 또는 netcat 네트워크 연결을 통해 데이터를 읽고 쓸 수 있는 명령입니다. TCP 및 UDP 연결에 사용할 수 있습니다. 네트워크의 서비스에
클라이언트로 연결하기 위한 명령 구문은 다음과 같습니다 nc <host> <port>. 들어오는 패킷을 수신하는 서버를 생성하기 위한 명령은 다음과
같습니다 nc -l <port>.

해결책
먼저 bandit14 의 비밀번호를 찾아야 합니다. 이전 레벨에서는 비밀번호가 /etc/bandit_pass/bandit14 에 있다고 명시했습니다 .
1
2

bandit14@bandit:~$ find / -type f -name "*bandit14*" 2>/dev/null

/home/bandit15/.bandit14.password
/etc/bandit_pass/bandit14
bandit14@bandit:~$
bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
다음으로, localhost 의 포트 30000 에 비밀번호를 제출해야 합니다. 저는 nclocalhost 포트 3000 에 접속해서 비밀번호를 쓰곤
했습니다.
1
2
3
4
bandit14@bandit:~$ nc localhost 30000
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr

4. chmod 권한변경
rw-r--r-- 로 표시되는 부분이 부여된 권한을 나타내는데 3 개씩 끊어서 보면
앞에 3 개가 user 즉 소유자(owner)의 권한이고,
중간에 3 개는 group 에 대한 권한,
마지막 3 개가 others 에 대한 권한이 됩니다.

이 권한을 8 진수로 표현하면 rwx 권한을 다 갖는 경우 7 이 됩니다.

각 권한을 숫자값으로 표현하면 r = 4, w = 2, x = 1 이기 때문에 r + w + x = 7 이렇게 되는 것이죠.
파일에 user 와 group 에 대해서만 read 권한을 부여하려면 440 으로 적용하면 됩니다.
+, - 기호를 사용해서 특정 권한을 더하거나 뺄 수도 있습니다.
예제
ex) text.txt 파일에 대해서 user 의 모든권한을 부여하고 group 과 others 는 모든 권한을 제외
chmod 700 test.txt

ex) text.txt 파일에 대해서 실행 권한 추가 부여

chmod +x test.txt

ex) text.txt 파일에 대해서 group 에 write 권한 부여

chmod g+w test.txt

ex) text.txt 파일에 대해서 others 의 모든 권한 박탈

chmod o-rwx test.txt
//
___________________________________________________________________________________
___________________

5. SSH authorized_keys 파일이란? ==> 공개키를 포함하고 있다.

SSH 의 authorized_keys 파일은 SSH 가장 중요한 파일임.

authorized_keys 파일은 public key 인증을 사용하여 원격 호스트에 로그인 하도록 허용된 사용자를 인증하는 데 사용되는 키를
저장하고 있음.
authorized_keys 파일에 public key 가 저장되어 있으면 해당 public key 를 사용해서 ssh server 에 영구적으로 접속할
수 있어서 신경써서 관리가 필요함.
ssh-copy-id 를 사용하면 원격 ssh server 에 authorized_keys 파일이 없다면 생성해주고 있다면 public key 를
추가해줌.

SSH authorized_keys 특징
authorized_keys 파일 경로 default path 경로는 각 계정의 ~/.ssh/authorized_keys 에 있음.
만약 인증서를 통한 접속 시도가 없었다면 authorized_keys 파일은 존재하지 않음.

public key 정보
authorized_keys 파일의 각 line 에는 하나의 public key 정보가 포함됨.
SSH 프로토콜 버전 2 의 경우 public key 유형은 ''ssh-dss'' 또는 ''ssh-rsa'' 2 가지가 있음.
public key 정보는 base64 encoding 되어서 저장됨.

authorized_keys 주석 처리
빈 줄과 '#'으로 시작하는 줄은 주석으로 무시됨.

[1] 권한 빼주기
① $ cd ~
② $ chmod 700 .
⇒ 홈 디렉토리의 권한을 700 으로 변경 //Owner 가 아닌 Group 이나 Other 쪽에 쓰기 권한이 있으면 안된다.
③ $ chmod 700 .ssh
④ $ cd .ssh
⑤ $ chmod 600 authorized_keys

이제 재접속해보자...

//
___________________________________________________________________________________
___________________
// Level 14 PWD : fGrHPx402xGC7U7rXKDaxiWFTOiF0ENq
//
___________________________________________________________________________________
___________________

//1. 먼저 bandit14 의 비밀번호를 찾아야 합니다. 이전 레벨에서는 비밀번호가 /etc/bandit_pass/bandit14 에 있다고

명시했습니다 .

//2. SSH 로 Telnet 으로 브로커포트를 열고, Telnet 으로 브로커포트를 통해 데이터송수신

bandit14@bandit:~$ cat /etc/bandit_pass/bandit14

fGrHPx402xGC7U7rXKDaxiWFTOiF0ENq
bandit14@bandit:~$ ssh -p 30000 bandit15@localhost
kex_exchange_identification: Connection closed by remote host
Connection closed by 127.0.0.1 port 30000
bandit14@bandit:~$ telnet localhost 30000
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
fGrHPx402xGC7U7rXKDaxiWFTOiF0ENq
Correct!
jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt

Connection closed by foreign host.

bandit14@bandit:~$

//
___________________________________________________________________________________
___________________
// Level 15 PWD : jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt
//
___________________________________________________________________________________
___________________
참고로 s_client 란
openssl 명령으로 운영중인 웹서버의 SSL 인증서 정보를 살펴 보는 SSL 에 대해 매우 유용한 진단도구이다.
s_client 는 SSL/TLS 를 사용하는 원격 호스트에 접속하기 위한 일반적인 SSL/TLS client 를 구현하는 명령어이다.
서버에 연결하기 위해서는 위에처럼 host 와 port 를 적어야한다.

opeenssl s_clioent -connect [서버]:[포트]

//
___________________________________________________________________________________
___________________

bandit15@bandit:~$ ls -al
total 24
drwxr-xr-x 2 root root 4096 Apr 23 18:04 .
drwxr-xr-x 70 root root 4096 Apr 23 18:05 ..
-rw-r----- 1 bandit15 bandit15 33 Apr 23 18:04 .bandit14.password
-rw-r--r-- 1 root root 220 Jan 6 2022 .bash_logout
-rw-r--r-- 1 root root 3771 Jan 6 2022 .bashrc
-rw-r--r-- 1 root root 807 Jan 6 2022 .profile

bandit15@bandit:~$ openssl s_client -connect localhost:30001

CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = localhost
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN = localhost
verify error:num=10:certificate has expired
notAfter=Sep 18 14:32:45 2023 GMT
verify return:1
depth=0 CN = localhost
notAfter=Sep 18 14:32:45 2023 GMT
verify return:1
---
Certificate chain
0 s:CN = localhost
i:CN = localhost
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA1
v:NotBefore: Sep 18 14:31:45 2023 GMT; NotAfter: Sep 18 14:32:45 2023 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDCzCCAfOgAwIBAgIEX0ZMHDANBgkqhkiG9w0BAQUFADAUMRIwEAYDVQQDDAls
b2NhbGhvc3QwHhcNMjMwOTE4MTQzMTQ1WhcNMjMwOTE4MTQzMjQ1WjAUMRIwEAYD
VQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCv
uZRRFzw3NdTa2RqdMyBbsAWUGopIM/cRWtQPIAnuGhd3NFysGrz30A/xP0p1Z2No
bChnVPjwxAcx9WRgxHR8cMyZjJKar0IhpoTvqf5gd0y6wpKHpzwMsKmzfAftkg0P
gzAo3KZiEYYvg4Ro+Yxa5vBVSTl0LaQ/t4vcoH/Sw7JO4tIJ2yt142JpDvpgNS6v
WdIJYvIrxQlbmsrW9QkO72755Oa+cDxdimwtxGet2X5tFs5s4FhF6XdnwwBfnT7c
Gpm379qBu8RpoioW7q/hpQb55kOCk9vADAVwUj9lBFtpoii20xTNj/HPyMRg44vS
DS48k/PIt0V6EQrMphOjAgMBAAGjZTBjMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDBL
BglghkgBhvhCAQ0EPhY8QXV0b21hdGljYWxseSBnZW5lcmF0ZWQgYnkgTmNhdC4g
U2VlIGh0dHBzOi8vbm1hcC5vcmcvbmNhdC8uMA0GCSqGSIb3DQEBBQUAA4IBAQCK
WvdQ9gC/lFFZz72Uv7Kb5ypsjNgMH1CEPwXAa9LQ1ZemaQdLM7WIZDsOT/bW//yP
EjcqkL4csHqgysXjbRQqUgk+U87EEGHSwLjVurN+SlONony9HOTYVkIxiWV2eWy0
C9gpNSUAQFkvJM0g91sGgDwN8fDdwUyyhr5ttKQLVTnE3EEV/j4FEsijEx2ls0W0
Gavgcxw/9rqMWcsFnCMncZVJj3mOWgWWnRdL2WjthOyBZaC0xQZvFmP/Um8B7MSR
Jt0ZEaf3jQyldwtWLj7E3NT8EjYl52/7WDG3QMDV7feCTRTt8IFfV58rGv801Ypo
tjCpdg6uvG3ck02soIoD
-----END CERTIFICATE-----
subject=CN = localhost
issuer=CN = localhost
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1339 bytes and written 373 bytes
Verification error: certificate has expired
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 10 (certificate has expired)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
 Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 964017BB16F18FBF89DF2C9E1908365C9D88D75A11C4072B84A3BD30A4054479
Session-ID-ctx:
Resumption PSK:
785C781188FDB3B9E3189EF555A4B89E287DACF92AB9DFF36BDA3273B8D71ED9B1AC5FB5392D639C558
98A7FEA5169BD
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - aa 90 d2 aa 8c 5d 88 78-47 2c 29 eb f6 80 ef d8 .....].xG,).....
0010 - 50 34 84 eb a6 a3 ac 18-ef 30 ab 0b 4b 77 49 4e P4.......0..KwIN
0020 - 97 9e 91 66 32 fb 7a 51-c6 ca 15 b2 88 ac 38 30 ...f2.zQ......80
0030 - 18 8f b6 37 c0 36 8c 7e-d9 d9 4e 69 ec 5d 1f 67 ...7.6.~..Ni.].g
0040 - b7 0a 31 03 ac 1a ea 88-ff 2f 56 b8 58 3c 0c 2b ..1....../V.X<.+
0050 - 50 de 52 85 07 5c 36 a9-a2 a7 82 66 56 f1 93 ea P.R..\6....fV...
0060 - 8c 80 22 06 a5 d4 0b f4-cd a1 00 05 ed 84 24 42 .."...........$B
0070 - fa 0b e9 0b f0 ff d1 10-a1 47 8a b1 0b 27 23 56 .........G...'#V
0080 - a3 fd 6e 28 be d0 13 9c-40 de 80 13 a1 4f c1 29 ..n([email protected].)
0090 - 6c 9f 82 d5 72 90 31 61-78 4e ea 32 56 51 47 18 l...r.1axN.2VQG.
00a0 - 37 5b ec 5a 06 a4 8e dc-20 a8 f0 74 e3 47 e0 0e 7[.Z.... ..t.G..
00b0 - 45 fd b7 bc de ed 1a 68-ac 1c 48 29 c5 3f 91 f7 E......h..H).?..
00c0 - a9 7c 53 82 75 99 63 08-b5 34 44 94 78 41 80 9e .|S.u.c..4D.xA..

Start Time: 1695102210

Timeout : 7200 (sec)
Verify return code: 10 (certificate has expired)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 1DAB037796102306E01FDEACCA135DD7FD6D594195208325C5A28E7C08903B9F
Session-ID-ctx:
Resumption PSK:
2C480285A017D80719CB01002F03C0802A55ACEA3AB1829660F2F738AE6A344707AE30833396F96D809
81BFEE7C24CB4
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - aa 90 d2 aa 8c 5d 88 78-47 2c 29 eb f6 80 ef d8 .....].xG,).....
0010 - b3 74 57 90 07 e0 b8 86-ef 4f 12 af 16 42 33 68 .tW......O...B3h
0020 - fe fa 71 90 1e e7 ed 31-8c 7e 52 9d 23 55 0a 07 ..q....1.~R.#U..
0030 - 54 d3 f8 40 3a 0c 7e 26-5a 32 af e0 b2 f9 ec 5b T..@:.~&Z2.....[
0040 - c8 22 64 00 eb 16 5f c8-80 df 02 f1 5e 6e 7e b9 ."d..._.....^n~.
0050 - b5 d3 31 f9 e4 eb 75 1f-2c 36 96 c4 92 c4 ee 6d ..1...u.,6.....m
0060 - ff fa b4 b2 c4 f6 a8 6a-34 06 b0 8f 28 f1 a2 be .......j4...(...
0070 - 7e 99 06 28 80 af 05 ee-3b 92 18 c0 ce c3 de 2c ~..(....;......,
0080 - 79 64 d8 d2 d5 b1 64 1c-64 25 93 65 dd 8e 45 fc yd....d.d%.e..E.
0090 - 53 8b 70 88 07 df f0 d1-1e 92 59 d4 59 2d ac d2 S.p.......Y.Y-..
00a0 - fc 16 2a ec 51 0d 2a 74-6a c8 a2 fc bb e6 56 ff ..*.Q.*tj.....V.
 00b0 - 3d 8c 37 20 e2 ec 8f 8b-f6 a3 c8 0e 27 a4 2f 45 =.7 ........'./E
00c0 - 8f 82 b9 08 a6 12 2f ea-77 72 ee dc 09 54 91 91 ....../.wr...T..

Start Time: 1695102210

Timeout : 7200 (sec)
Verify return code: 10 (certificate has expired)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt <----- Level 15 패스워드를 복사하여입력한다.
Correct!
JQttfApK4SeyHwDlI9SXGR50qclOAil1

closed
bandit15@bandit:~$

//
___________________________________________________________________________________
___________________
// Level 16 PWD : JQttfApK4SeyHwDlI9SXGR50qclOAil1
//
___________________________________________________________________________________
___________________

bandit15@bandit:~$ ssh -Y bandit16@localhost -p 2220