1
00:00:00,780 --> 00:00:09,870
Hi, we are currently in Bandit 15 and we want to go to Bandit level 16, so I'm going to open the

2
00:00:10,290 --> 00:00:15,380
tips for the level 16 and let's see what we have here.

3
00:00:15,390 --> 00:00:22,530
So the password for the next level can be retrieved by submitting the password of the current level

4
00:00:22,800 --> 00:00:30,020
to port thirty thousand and one on localhost using SSL encryption.

5
00:00:30,450 --> 00:00:36,500
So this seems to be some kind of the same thing that we did previously.

6
00:00:36,780 --> 00:00:44,550
However, this time we're going to have to use SSL encryption and over here we have openssl as a

7
00:00:44,550 --> 00:00:44,910
tip.

8
00:00:44,920 --> 00:00:52,770
So let me check the help of this openssl and I believe we don't have openssl help over here.

9
00:00:52,770 --> 00:00:59,220
So let me just say openssl -h and yeah, we cannot get that.

10
00:00:59,220 --> 00:01:00,990
Let me try like this: man

11
00:01:01,020 --> 00:01:01,950
openssl.

12
00:01:01,950 --> 00:01:02,130
Yeah.

13
00:01:02,250 --> 00:01:02,790
Here you go.

14
00:01:03,180 --> 00:01:10,500
So if you cannot find the documentation you can always run man, as in manual.

15
00:01:10,500 --> 00:01:14,640
OK, you can see the manual of the command that you're trying to run.

16
00:01:15,150 --> 00:01:16,710
So here you go.

17
00:01:16,710 --> 00:01:24,140
Let's see how we can transfer any information or send that information to a port over here, OK?

18
00:01:24,630 --> 00:01:30,540
And I haven't used this openssl in a while, at least in Kali Linux.

19
00:01:30,900 --> 00:01:37,150
Let me see if we can easily find the command that we need in order to send this to.

20
00:01:37,800 --> 00:01:38,850
So here you go.

21
00:01:39,210 --> 00:01:41,310
We have a server over here.

22
00:01:41,310 --> 00:01:43,980
This implements a generic SSL server.
23
00:01:44,430 --> 00:01:47,310
Yeah, I believe that's not the thing that we are looking for.

24
00:01:47,310 --> 00:01:52,800
We generally use openssl in order to configure SSL in our web server.

25
00:01:53,190 --> 00:01:57,030
But over here we need to do something else.

26
00:01:57,570 --> 00:02:05,310
OK, so let me hit q to quit over here, so let's not waste time over here.

27
00:02:05,310 --> 00:02:12,480
I explicitly remember that we can do this with netcat, so I'm just going to search for SSL netcat

28
00:02:12,480 --> 00:02:17,430
over here and I believe, I believe I misspelled netcat. Yep.

29
00:02:17,430 --> 00:02:18,030
Here you go.

30
00:02:18,390 --> 00:02:26,430
So I'm just going to open one of the things that I'm going to find over here, like connecting to HTTPS

31
00:02:26,430 --> 00:02:27,300
with netcat.

32
00:02:27,310 --> 00:02:27,750
Yep.

33
00:02:27,750 --> 00:02:28,430
Here you go.

34
00:02:28,950 --> 00:02:32,250
So let's see if we can find the solution over here.

35
00:02:32,520 --> 00:02:33,360
Yeah, here you go.

36
00:02:33,360 --> 00:02:41,010
We can use the openssl, I believe like this, but it's going to be easier with netcat.

37
00:02:41,460 --> 00:02:43,800
So let me try to find this.

38
00:02:43,800 --> 00:02:44,100
Yeah.

39
00:02:44,160 --> 00:02:52,800
This is also piping into the openssl and it says that nc doesn't do HTTPS, but I believe we can

40
00:02:52,800 --> 00:02:54,960
do HTTPS with netcat.

41
00:02:55,170 --> 00:02:56,280
So it's piping

42
00:02:56,280 --> 00:03:01,740
the result to the openssl here; as you can see, it's trying to connect to that server.

43
00:03:01,740 --> 00:03:04,110
Maybe we can try that, but here you go.

44
00:03:04,110 --> 00:03:06,990
We have ncat, which is kind of netcat.

45
00:03:06,990 --> 00:03:09,630
Let me see if we have ncat over here.

46
00:03:10,140 --> 00:03:14,910
So like nmap, but this is ncat and this is not nmap.
47
00:03:14,910 --> 00:03:23,760
OK, so ncat -h. Yep, we have ncat, so let's scan this documentation over here.

48
00:03:24,120 --> 00:03:28,800
It actually says ncat --ssl and here you go.

49
00:03:28,950 --> 00:03:32,790
We can connect or listen with SSL using ncat.

50
00:03:33,330 --> 00:03:36,720
So this is what we need and it's going to be fairly easy.

51
00:03:37,020 --> 00:03:40,260
I won't spare time to learn about openssl

52
00:03:40,260 --> 00:03:42,240
over here; rather,

53
00:03:42,240 --> 00:03:49,560
I'm just going to go with ncat, I'm going to say ncat and let me just come over here and see, so

54
00:03:49,560 --> 00:03:52,260
it's port thirty thousand and one.

55
00:03:52,500 --> 00:03:59,280
OK, so I'm going to do --ssl and localhost and thirty thousand and one.

56
00:03:59,760 --> 00:04:04,260
So let me try to paste the password for the level fifteen.

57
00:04:04,530 --> 00:04:07,980
Let's see if we can get back the level sixteen password.

58
00:04:08,460 --> 00:04:12,390
OK, I'm going to paste selection over here and here you go.

59
00:04:12,390 --> 00:04:15,540
It gives us the password for the level sixteen.

60
00:04:15,840 --> 00:04:17,070
So I'm going to copy this.

61
00:04:17,070 --> 00:04:22,760
I'm going to nano the password over there and I'm going to paste this and save it.

62
00:04:23,160 --> 00:04:25,140
OK, so here you go.

63
00:04:26,310 --> 00:04:27,780
So let's try this.

64
00:04:27,780 --> 00:04:31,860
Let's see if we can get back from here.

65
00:04:31,860 --> 00:04:32,160
Yep.

66
00:04:32,160 --> 00:04:32,760
Here you go.

67
00:04:32,760 --> 00:04:39,510
Let me just go to Bandit sixteen and try to give the password that we have obtained.

68
00:04:40,230 --> 00:04:42,120
So let's try this.

69
00:04:42,930 --> 00:04:44,010
Yeah, here you go.

70
00:04:44,010 --> 00:04:49,800
Let me just say paste selection and hit Enter and we are inside of Bandit sixteen.
71
00:04:50,220 --> 00:04:53,630
So next let's go to the Bandit seventeen.

72
00:04:54,180 --> 00:04:56,670
So from 16 to 17.

73
00:04:56,670 --> 00:04:58,350
Let's see what we got here.

74
00:04:58,770 --> 00:04:59,820
So, credentials

75
00:05:00,070 --> 00:05:04,180
for the next level can be retrieved by submitting the password of the current level.

76
00:05:04,500 --> 00:05:06,630
So here you go again, the same thing.

77
00:05:06,900 --> 00:05:16,950
But this time we are trying to find a port on localhost in the range from 31000 to 32000.

78
00:05:17,190 --> 00:05:21,020
First, find out which of these ports have a server listening on them.

79
00:05:21,300 --> 00:05:23,330
So we don't know the port yet.

80
00:05:23,700 --> 00:05:28,080
We have to find out some kind of listening ports over here.

81
00:05:28,410 --> 00:05:36,130
And I believe you can understand what kind of thing, what kind of tool that we should use in this case.

82
00:05:36,570 --> 00:05:39,000
So it's basically nmap, right?

83
00:05:39,630 --> 00:05:46,170
So why do we use nmap? In order to find the services and the ports and the servers that are running on

84
00:05:46,170 --> 00:05:46,920
these ports.

85
00:05:47,220 --> 00:05:51,040
So in order to understand if these ports are open or closed.

86
00:05:51,240 --> 00:05:54,210
So basically, we're going to use nmap.

87
00:05:54,220 --> 00:05:55,590
It's very obvious.

88
00:05:55,740 --> 00:06:00,900
And we have nmap as a tip in the commands section here as well.

89
00:06:01,200 --> 00:06:02,670
So I'm going to run nmap.

90
00:06:02,670 --> 00:06:03,090
Right.

91
00:06:03,100 --> 00:06:05,850
So I believe you're familiar with that.

92
00:06:05,850 --> 00:06:16,320
If you have taken this course and we can just skip the parameters over here, actually just specify

93
00:06:16,320 --> 00:06:17,490
the port range.

94
00:06:17,490 --> 00:06:23,610
And in order to do that, we can use -p and maybe you have done this before.
95
00:06:24,630 --> 00:06:25,700
Maybe you haven't.

96
00:06:25,700 --> 00:06:26,760
Let me show you.

97
00:06:26,880 --> 00:06:31,200
I'm going to just run it against localhost, OK?

98
00:06:31,200 --> 00:06:34,620
So we don't have to specify the IP number or something like that.

99
00:06:34,860 --> 00:06:41,100
If we do something like this, dash, dash, it will scan all the ports, but it will be a waste of

100
00:06:41,100 --> 00:06:43,470
time for us because we know the range.

101
00:06:43,770 --> 00:06:48,590
So we know it's going to start from thirty-one thousand and go to thirty-two thousand.

102
00:06:48,990 --> 00:06:53,910
So we can specify a range rather than scanning all the ports in this case.

103
00:06:54,240 --> 00:07:01,020
And in order to do that, just delete the second dash and give the port range over here like this.

104
00:07:01,170 --> 00:07:06,210
So it will start from thirty-one thousand and it will end in thirty-two thousand.

105
00:07:06,300 --> 00:07:09,480
And as you can see, we get all these ports.

106
00:07:09,720 --> 00:07:16,410
Actually we have only five ports open over here and they are ready to listen.

107
00:07:16,770 --> 00:07:25,040
I believe all we have to do is to find out which of those use SSL and which don't.

108
00:07:25,410 --> 00:07:34,680
And actually we can run some other additional parameters in order to understand that using nmap, like

109
00:07:34,700 --> 00:07:36,600
a listing for services and stuff.

110
00:07:36,780 --> 00:07:41,010
But we can just try it and see as well because there's only five.

111
00:07:41,310 --> 00:07:47,280
So I'm going to run the same command that we have run in the previous lecture.

112
00:07:47,520 --> 00:07:50,670
So I'm going to copy the level fifteen over here.

113
00:07:50,700 --> 00:07:53,130
OK, I'm going to copy this.

114
00:07:53,500 --> 00:07:56,070
Not level fifteen, the level sixteen.

115
00:07:56,310 --> 00:07:59,250
I'm going to copy this if I can.
116
00:07:59,250 --> 00:08:02,310
Let me just select it one more time and right-

117
00:08:02,310 --> 00:08:04,080
click and say copy selection.

118
00:08:04,290 --> 00:08:07,950
Come back here and paste it over there.

119
00:08:08,160 --> 00:08:09,000
Let's see.

120
00:08:09,270 --> 00:08:10,200
Here we go.

121
00:08:11,490 --> 00:08:11,940
Yeah.

122
00:08:11,940 --> 00:08:14,460
We don't get anything back, I believe.

123
00:08:14,460 --> 00:08:17,160
Let me try other things by Control-

124
00:08:17,160 --> 00:08:24,180
C, let me just go for thirty-one five-eighteen, paste selection.

125
00:08:24,930 --> 00:08:25,230
Yeah.

126
00:08:25,650 --> 00:08:28,230
It did give something back but it's the same thing.

127
00:08:28,230 --> 00:08:30,180
I believe this doesn't work as well.

128
00:08:30,690 --> 00:08:33,510
So I'm going to Control-C out of this.

129
00:08:33,840 --> 00:08:43,080
And let's try the thirty-one six nine one and let's paste the password over here and hit Enter.

130
00:08:44,010 --> 00:08:44,400
Yeah.

131
00:08:44,400 --> 00:08:48,930
We didn't get anything back so let me try the first one.

132
00:08:49,350 --> 00:08:51,600
So seven nine zero and hit

133
00:08:51,600 --> 00:08:56,340
Enter, the password over here, and here you go.

134
00:08:56,340 --> 00:09:00,990
We get something back, it looks like an RSA key.

135
00:09:01,500 --> 00:09:03,210
So let's see this.

136
00:09:03,630 --> 00:09:07,140
There is only one server that will give the next credentials.

137
00:09:07,410 --> 00:09:15,510
So it didn't give us the password, but it gave us the RSA private key, which is exactly the same thing

138
00:09:15,510 --> 00:09:16,650
that we have done before.

139
00:09:16,650 --> 00:09:17,910
This is a private key.

140
00:09:18,060 --> 00:09:23,670
We can use this in order to connect to the next level.

141
00:09:24,030 --> 00:09:24,540
Right.
142
00:09:24,660 --> 00:09:30,730
So all you got to do is actually copy this thing and create this key for yourselves.

143
00:09:31,230 --> 00:09:32,970
So let's do that.

144
00:09:32,980 --> 00:09:39,690
So the main thing over here is to not omit anything in this key.

145
00:09:39,690 --> 00:09:48,150
So you have to get everything in order to create your key, including this END RSA PRIVATE KEY over

146
00:09:48,150 --> 00:09:48,990
here as well.

147
00:09:49,260 --> 00:09:49,740
Right.

148
00:09:49,920 --> 00:09:52,020
So take this from here.

149
00:09:52,440 --> 00:09:59,100
Just from, like, the end of this; it should be containing all the dashes and stuff as well.

150
00:09:59,400 --> 00:09:59,720
BEGIN

151
00:09:59,800 --> 00:10:02,450
RSA PRIVATE KEY and END RSA PRIVATE KEY.

152
00:10:03,370 --> 00:10:10,840
So I'm going to go into, or you can just create it over here as well, like in the bandit folder, we don't

153
00:10:10,840 --> 00:10:13,740
have anything besides our password, as you see.

154
00:10:14,200 --> 00:10:20,730
All you got to do is just to create a new file called private key 17.

155
00:10:21,190 --> 00:10:28,990
OK, and just paste the thing that you have copied and save it by Control-O, Enter and Control-X.

156
00:10:29,560 --> 00:10:30,810
So here you go.

157
00:10:31,210 --> 00:10:36,040
Now you have the private key over here like that, private key 17.

158
00:10:36,370 --> 00:10:42,340
I named it 17 because we're going to use it to connect to the 17th.

159
00:10:42,820 --> 00:10:48,150
So I'm going to cd into the bandit folder because that's where our private key resides.

160
00:10:48,370 --> 00:10:48,820
Right.

161
00:10:49,390 --> 00:10:56,800
So what I'm going to do, I'm going to run this command and give the parameter there like we have done before.

162
00:10:56,830 --> 00:10:58,510
Remember the -i parameter?

163
00:10:58,900 --> 00:11:01,720
So I'm going to just run this.
164
00:11:02,200 --> 00:11:11,260
But rather than just saying bandit and something like that, let me change it to 17 and give the additional

165
00:11:11,260 --> 00:11:15,130
parameter of -i with our private key over here.

166
00:11:15,670 --> 00:11:17,030
So here you go.

167
00:11:17,050 --> 00:11:24,310
Now if I hit Enter, it won't ask me for a password because I have already supplied the credentials

168
00:11:24,310 --> 00:11:24,910
for that.

169
00:11:26,110 --> 00:11:30,890
So it's asking for a password for some reason.

170
00:11:31,930 --> 00:11:32,170
Yeah.

171
00:11:32,170 --> 00:11:40,770
It says that your permissions 0644 for private key 17 are too open.

172
00:11:41,350 --> 00:11:44,110
So maybe you know about this stuff.

173
00:11:44,140 --> 00:11:47,300
This is the permission for the file itself.

174
00:11:47,710 --> 00:11:56,800
So if you run ls -la, as you can see right now, we have the read, write, read and read permissions

175
00:11:56,800 --> 00:11:57,580
over here.

176
00:11:58,180 --> 00:12:01,740
So we're going to dive into those permissions later on.

177
00:12:02,200 --> 00:12:04,480
And I believe you know about this stuff.

178
00:12:04,480 --> 00:12:06,220
I assume you know about this stuff.

179
00:12:06,220 --> 00:12:12,130
But for right now, I'm just going to change it to 444; chmod is going to do that for

180
00:12:12,130 --> 00:12:12,480
us.

181
00:12:12,640 --> 00:12:17,150
So all you got to do is just run chmod 444 for the private key 17.

182
00:12:17,530 --> 00:12:23,340
This will change the permissions settings for this file over here.

183
00:12:23,350 --> 00:12:25,690
As you can see, it's read, write,

184
00:12:25,690 --> 00:12:26,720
execute.

185
00:12:26,740 --> 00:12:27,310
OK.

186
00:12:27,730 --> 00:12:30,560
And right now we have changed that.

187
00:12:30,880 --> 00:12:33,910
So this is not going to be read, write, execute.
188
00:12:33,920 --> 00:12:36,220
This is not even going to be read, write.

189
00:12:36,400 --> 00:12:37,270
In this case.

190
00:12:37,270 --> 00:12:39,490
This is only going to be read only.

191
00:12:39,910 --> 00:12:44,170
OK, so chmod 444 does that for us.

192
00:12:44,860 --> 00:12:51,840
And the four stands for the bit that is going to be supplying this logic to our file.

193
00:12:51,850 --> 00:12:59,170
So if I run -i private key 17 one more time, let's see if we can go in.

194
00:13:00,280 --> 00:13:00,520
Yeah.

195
00:13:00,520 --> 00:13:03,410
It says that connection closed by remote host.

196
00:13:03,940 --> 00:13:09,820
Let me just change it to 400 and only we can run this.

197
00:13:09,820 --> 00:13:12,330
Only we can read this and nobody else.

198
00:13:12,580 --> 00:13:14,350
Let's see if this works or not.

199
00:13:15,050 --> 00:13:16,460
OK, and here you go.

200
00:13:16,750 --> 00:13:20,470
So all you got to do is just run chmod 400 on that.

201
00:13:20,740 --> 00:13:23,950
And if you don't know the logic behind this, don't worry.

202
00:13:23,950 --> 00:13:25,650
We're going to see it later on.

203
00:13:26,170 --> 00:13:34,630
And of course, you can search for these chmod commands in Linux in order to gain a broader understanding

204
00:13:34,630 --> 00:13:39,420
on YouTube or in any kind of tutorial online as well.

205
00:13:40,180 --> 00:13:44,540
Anyhow, before we go into the level 18.

206
00:13:44,890 --> 00:13:49,160
Let's see if we can find the command that we have run before.

207
00:13:49,480 --> 00:13:57,220
Yeah, I have run history because I wanted to find the directory where the passwords

208
00:13:57,220 --> 00:13:59,860
are saved on the server.

209
00:13:59,860 --> 00:14:01,390
I couldn't remember that.
210
00:14:01,510 --> 00:14:08,770
I remember we have found some passwords in the /etc folder before, so I want to get the password for

211
00:14:08,770 --> 00:14:16,540
the Bandit 17 as well, rather than only the private key, because we are keeping a log in our own CTF

212
00:14:16,540 --> 00:14:18,700
folder and we may need that again.

213
00:14:18,940 --> 00:14:21,160
So I'm going to try this right now.

214
00:14:21,160 --> 00:14:23,980
So I believe it was bandit_pass.

215
00:14:24,010 --> 00:14:24,850
Yeah, here you go.

216
00:14:25,090 --> 00:14:31,860
So cat /etc/bandit_pass, and this time we're going to go for bandit 17, not 14.

217
00:14:31,870 --> 00:14:33,790
We have gone for bandit 14.

218
00:14:34,630 --> 00:14:37,290
But right now we're going to go for bandit 17.

219
00:14:37,630 --> 00:14:45,310
So the logic is: this is saved under the bandit folder, the bandit_pass folder under /etc, but only if

220
00:14:45,310 --> 00:14:46,080
you're logged in

221
00:14:46,090 --> 00:14:47,080
can you read it.

222
00:14:47,530 --> 00:14:54,730
So we have got the password for the level 17 from here as well.

223
00:14:55,870 --> 00:14:56,700
Great.

224
00:14:56,710 --> 00:14:59,320
Now it's time to go for level 18.

225
00:14:59,320 --> 00:14:59,710
But we're

226
00:14:59,770 --> 00:15:02,380
going to do that within the next lecture.