[Tut] Bash Port Scanning (SSH) as a Python Script [TryHackMe]
<div>
<p>Source: <a href="https://blog.finxter.com/bash-port-scanning-ssh-as-a-python-script-tryhackme/" target="_blank" rel="noreferrer noopener">Bash Port Scanning (SSH) as a Python Script [TryHackMe]</a> on blog.finxter.com (the original post also embeds a YouTube video walkthrough).</p>
<h2>Background</h2>
<p>I’ve been working on the Alice in Wonderland series of free hacking CTF (Capture the Flag) challenges on TryHackMe. </p>
<p class="has-base-background-color has-background"><strong>Recommended Tutorial</strong>: <a href="https://blog.finxter.com/tryhackme-capture-the-flag-ctf-walkthrough-lookingglass/" data-type="post" data-id="914098" target="_blank" rel="noreferrer noopener">Capture the Flag – Alice in Wonderland – TryHackMe Walkthrough</a></p>
<p>While working on the second box in the series, <a href="https://tryhackme.com/room/lookingglass" target="_blank" rel="noreferrer noopener">Looking Glass</a>, I stumbled upon a <a href="https://tay1or.li/post/thm-lookingglass/" target="_blank" rel="noreferrer noopener">bash script</a> written by <em>Tay1or</em>, another user on TryHackMe. </p>
<p>The opening challenge involves finding the correct port which hides an encrypted poem, <a href="https://www.poetryfoundation.org/poems/42916/jabberwocky" target="_blank" rel="noreferrer noopener"><em>Jabberwocky</em></a> by Lewis Carroll. </p>
<p>Using a script here is a more efficient solution because it is quite time-consuming to manually attempt connecting to different ssh ports over and over until the correct port can be found. </p>
<p>The box also resets the mystery port after each login, so unless you solve the box on your first attempt, the script will come in handy multiple times.</p>
<h2>Bash Script</h2>
<p>Here is <strong>Tay1or</strong>’s bash script with a few slight modifications in bold to make it run on my machine:</p>
<pre class="wp-block-preformatted"><code>#!/usr/bin/bash
# Search range. targetIP is not set inside the script: it must be exported
# in the environment before running it.
low=<strong>9000</strong>
high=<strong>13000</strong>

while true
do
    # midpoint of the current range (bc does integer division here)
    mid=$(echo "($high+$low)/2" | bc)
    echo -n "Low: $low, High: $high, Trying port: $mid - "
    # connect to the candidate port and capture the box's reply, dropping carriage returns
    msg=$(ssh -o <strong>"HostKeyAlgorithms=+ssh-rsa"</strong> -p $mid $targetIP | tr -d '\r')
    echo "$msg"
    # "Lower" moves the low bound up to mid, "Higher" moves the high bound down to mid
    if [[ "$msg" == "Lower" ]]
    then
        low=$mid
    elif [[ "$msg" == "Higher" ]]
    then
        high=$mid
    fi
done</code>
</pre>
<p>I’m still new to bash scripting, but because I already understand the context of the problem being faced, I can more or less guess what the script is doing. </p>
<p>At the top, under the shebang line, it first sets low and high values for the ports to be searched. Then we see a <code>while true</code> loop. </p>
<p>The first command in the loop calculates the midpoint between the low and the high port values in the given range. </p>
<p>The <code>echo</code> command prints the low/high/and midpoint port that is currently being tested. </p>
<p>Then the <code>if/elif</code> block acts on <code>$msg</code>: a reply of “Lower” moves <code>low</code> up to <code>mid</code>, and a reply of “Higher” moves <code>high</code> down to <code>mid</code>. Narrowing the range after every attempt is a binary search: each probe discards half of the remaining ports, so a window of 4,000 ports takes at most about 12 attempts (2<sup>12</sup> = 4096) instead of thousands. </p>
<p>When the reply is neither “Higher” nor “Lower”, we have reached the port that serves the encrypted poem. Note that the script as written has no exit condition of its own: in that case <code>low</code> and <code>high</code> are left unchanged and the next iteration reconnects to the same port, so stop it with Ctrl-C once the poem shows up in the output, or add an <code>else</code> branch with <code>break</code> if you want it to exit cleanly.</p>
<h2>Conversion into a Python script</h2>
<p>I started wondering how it might be possible to translate the bash script to a Python script and decided to try my hand at converting the functionality of the code.</p>
<p>I’m more comfortable scripting in Python, and I think it will probably come in handy later in future challenges to be able to quickly write up a script during CTF challenges to save time. </p>
<p>The inputs of the code are the <code>targetIP</code> and high and low values of the target SSH port range. </p>
<p>Outputs are the response from the <code>targetIP</code> on each attempted connection until the secret port is found. Once the secret port is found, the program prints which port it is and exits.</p>
<p>I posted the final version of the python script <a href="https://github.com/Benjamin-James-Reitz/THM-Looking-Glass-Python-Script/blob/main/script-new.py" target="_blank" rel="noreferrer noopener">here on GitHub</a>. For your convenience, I’ll include it here too:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="python" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">#!/usr/bin/env python3
# These sites were used as references: https://stackabuse.com/executing-shell-commands-wi>
# https://stackoverflow.com/questions/4760...turing-the->
# set up initial conditions for the target port search
import subprocess
import sys

low_port = 9000
high_port = 13790
targetIP = "10.10.252.52"
print(targetIP)

# Binary search: halve the range on every reply until the response is neither
# "Higher" nor "Lower". The loop stops once the range is exhausted instead of
# retrying the same port forever.
while high_port - low_port > 1:
    print('low = ' + str(low_port) + ', high = ' + str(high_port))
    # a good place to use floor division to cut off the extra digit
    mid_port = (high_port + low_port) // 2
    print('Trying port ' + str(mid_port))
    # attempt to connect to the mid port and capture what the box sends back
    result = subprocess.run(['ssh', 'root@' + str(targetIP),
                             '-oHostKeyAlgorithms=+ssh-rsa',
                             '-p', str(mid_port)],
                            stdout=subprocess.PIPE)
    # prep the decoded output variable
    msg = result.stdout
    decoded_msg = msg.decode('utf-8')
    # print result of attempted ssh connection
    print(decoded_msg)
    if "Higher" in decoded_msg:
        high_port = mid_port
        print(high_port)
    elif "Lower" in decoded_msg:
        low_port = mid_port
        print(low_port)
    else:
        print("You found the secret port - " + str(mid_port))
        sys.exit(0)

print("No port between " + str(low_port) + " and " + str(high_port) + " answered with the poem")
sys.exit(1)</pre>
</div>


https://www.sickgaming.net/blog/2022/11/...tryhackme/