Bandit LV 20
#nmap #nc #localhost #networking
Re-write this page with steps vs reflections after redoing it using `tmux`.
This level. Oh this level.
Things learned:
1. what the results from nmap mean
2. how to find the right port to use (reserved vs ephemeral ports)
3. who sends the message and why?
How to learn more:
– is there another way to get the password?
– redo using tmux
—
The following steps need to happen:
1. a port needs to exist to listen for suconnect
2. suconnect needs to be able to connect to this port
3. this port needs to be able to send a string to suconnect
4. suconnect needs to receive this string and, if correct, return the password to the next level
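The four steps above as a runnable Python mock, added here and not code from the page or from the Bandit binary: `bind_listener` and `serve_once` play the part of `nc -lp PORT` plus typing the password, and `mock_suconnect` stands in for `/home/bandit20/suconnect`. The real binary's internals are not on the page; only the connect, read, compare, reply behaviour the steps describe is modelled, and its rejection string `WRONG` and the function names are this example's own. Binding port 0 lets the kernel pick a free ephemeral port, which sidesteps the "already in use" and "Permission denied" failures discussed below.

```python
import socket
import threading

# Passwords as they appear on the page (Bandit level 20 -> 21).
CURRENT_PASSWORD = "GbKksEFF4yrVs6il55v6gwY5aVje5f0j"
NEXT_PASSWORD = "gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr"
# The mock's own rejection string; the real binary's wording is not on the page.
WRONG = "WRONG"


def bind_listener(port: int = 0) -> socket.socket:
    """Step 1, the `nc -lp PORT` half: bind and listen on localhost.
    port=0 asks the kernel for a free ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    return srv


def serve_once(srv: socket.socket, password: str, timeout: float = 5.0) -> str:
    """Steps 3 and 4 from the listener's side: accept one client, send the
    password newline-terminated (as typing into nc or `echo` would), then keep
    the connection open and read the reply. Closing early loses the reply."""
    srv.settimeout(timeout)
    conn, _ = srv.accept()
    with conn:
        conn.settimeout(timeout)
        conn.sendall(password.encode() + b"\n")
        reply = b""
        while not reply.endswith(b"\n"):
            chunk = conn.recv(4096)
            if not chunk:
                break
            reply += chunk
    srv.close()
    return reply.decode().strip()


def mock_suconnect(port: int, expected: str, next_password: str,
                   timeout: float = 5.0) -> None:
    """Step 2 and 4 from the client's side (hypothetical stand-in for suconnect):
    connect to the port, read one line, compare it to the current password and
    answer with the next password or a rejection."""
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as c:
        c.settimeout(timeout)
        got = b""
        while not got.endswith(b"\n"):
            chunk = c.recv(4096)
            if not chunk:
                break
            got += chunk
        if got.decode().strip() == expected:
            c.sendall(next_password.encode() + b"\n")
        else:
            c.sendall(WRONG.encode() + b"\n")


def run_exchange(offered_password: str) -> str:
    """Drive both sides on one host; return what the listener got back."""
    srv = bind_listener()
    port = srv.getsockname()[1]
    result = {}
    t = threading.Thread(
        target=lambda: result.update(reply=serve_once(srv, offered_password)))
    t.start()
    mock_suconnect(port, CURRENT_PASSWORD, NEXT_PASSWORD)
    t.join()
    return result["reply"]


if __name__ == "__main__":
    print(run_exchange(CURRENT_PASSWORD))    # the next password
    print(run_exchange("not-the-password"))  # the mock's rejection
```

The listener thread is started before the client connects and keeps the socket open until a full line comes back, which is exactly the ordering the real level needs: the `nc` side must already be listening when `./suconnect PORT` runs, and must still be attached when suconnect answers.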
—
Mistakes made:
- the result you get from `nmap localhost` shows the ports that are open and listening. This means they are already occupied and cannot be used to make a new socket connection.
`bandit20@bandit:~$ nmap localhost
Starting Nmap 7.40 ( https://nmap.org ) at 2022-01-02 19:59 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00037s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
113/tcp open ident
30000/tcp open ndmps
Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds`
FIRST MISTAKE: thinking this meant that I should use these ports
RED HERRING: The port 22 does respond
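A check for the port question in this section, added here and not from the page: attempt the same bind `nc -lp` does (0.0.0.0:PORT) and read the errno, which separates "privileged" (Permission denied below 1024), "in use" (what nmap reports as open) and "free". `hold_port`, `pick_port` and the other names are this example's own; the ephemeral range is read from the Linux sysctl with a fallback default assumed for other systems.

```python
import errno
import socket

PRIVILEGED_LIMIT = 1024  # Linux: ports below this need root or CAP_NET_BIND_SERVICE


def is_privileged(port: int) -> bool:
    """True for the 'reserved' range that gave nc 'Permission denied' above."""
    return 0 < port < PRIVILEGED_LIMIT


def ephemeral_range() -> tuple:
    """The kernel's ephemeral range (what bind() to port 0 draws from). Read
    from Linux's sysctl; fall back to the usual default (assumed) elsewhere."""
    try:
        with open("/proc/sys/net/ipv4/ip_local_port_range") as f:
            lo, hi = f.read().split()
            return int(lo), int(hi)
    except (OSError, ValueError):
        return 32768, 60999


def classify_port(port: int) -> str:
    """Try the bind nc -lp does (0.0.0.0:port) and name the outcome:
    'privileged' = EACCES     (nc: Can't grab ... with bind : Permission denied)
    'in use'     = EADDRINUSE (a listener that nmap would report as open)
    'free'       = bind succeeded, so nc -lp on this port would work."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind(("", port))
        return "free"
    except PermissionError:
        return "privileged"
    except OSError as e:
        if e.errno == errno.EADDRINUSE:
            return "in use"
        raise
    finally:
        s.close()


def hold_port() -> socket.socket:
    """Occupy a kernel-chosen port with a listening socket (stands in for
    sshd on 22 or the level's service on 30000); the caller closes it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("", 0))
    s.listen(1)
    return s


def pick_port() -> int:
    """Let the kernel hand out a free ephemeral port, then release it."""
    s = hold_port()
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    for p in (500, 4000, pick_port()):
        print(p, "privileged" if is_privileged(p) else "unprivileged", classify_port(p))
```

Run as bandit20 this reports 500 as privileged (unless run as root, where the bind simply succeeds), an open port such as 22 or 30000 as in use, and an unused port in the thousands as free; the only race is that a "free" answer is a snapshot, so the real listener should be started right after the check.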
Attempts
- Trying a reserved port
`bandit20@bandit:~$ nc -lp 500
Can't grab 0.0.0.0:500 with bind : Permission denied`
- because reserved: ports below 1024 are privileged on Linux, so binding one needs root (or CAP_NET_BIND_SERVICE), which the bandit20 user does not have
- Trying a random port: 5000
bandit20@bandit:~$ nmap localhost
Starting Nmap 7.40 ( https://nmap.org ) at 2022-01-02 20:57 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00032s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
113/tcp open ident
5000/tcp open upnp
30000/tcp open ndmps
- Trying a random port: 4000
bandit20@bandit:~$ nmap localhost
Starting Nmap 7.40 ( https://nmap.org ) at 2022-01-02 21:16 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00025s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
113/tcp open ident
4000/tcp open remoteanything
30000/tcp open ndmps
The open port for service remoteanything sounded promising, so I used the command `bandit20@bandit:~$ ./suconnect 4000`, typed in GbKksEFF4yrVs6il55v6gwY5aVje5f0j from the nc port, and got the response gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr, aka the next password!
Caveat on the service column: "remoteanything" (like "upnp" for 5000 and "ndmps" for 30000) is only the name nmap looks up for that port number in its nmap-services file. Without `-sV`, nmap does not probe what is actually listening; on 4000 it was the nc listener started a moment earlier, not a remote-anything service.
Other Ways to Solve This?
- decided to try to use `echo` to send the password in the same command line as setting up the listening port.
`bandit20@bandit:~$ echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | nc -lp 4000`
Caveat: this listener still has to be running while `./suconnect 4000` is started from a second shell (or tmux pane), and it must keep the connection open after echo closes its stdin long enough to print suconnect's reply; if the nc build in use exits as soon as stdin hits EOF, the reply is lost. Putting the listener in the background with a trailing `&` in the same shell is the usual way around needing two terminals.
—
Questions
- What type of service was I using? Can't figure this out because I don't have `lsof` permissions. (`ss -ltnp` needs no root to show the owning process for sockets the current user opened, which is enough to confirm that what nmap labelled "remoteanything" on 4000 was the nc listener.)