{"id":129963,"date":"2022-11-22T20:08:47","date_gmt":"2022-11-22T20:08:47","guid":{"rendered":"https:\/\/blog.finxter.com\/?p=914974"},"modified":"2022-11-22T20:08:47","modified_gmt":"2022-11-22T20:08:47","slug":"bash-port-scanning-ssh-as-a-python-script-tryhackme","status":"publish","type":"post","link":"https:\/\/sickgaming.net\/blog\/2022\/11\/22\/bash-port-scanning-ssh-as-a-python-script-tryhackme\/","title":{"rendered":"Bash Port Scanning (SSH) as a Python Script [TryHackMe]"},"content":{"rendered":"\n
\n
\n
\n
\n
<\/div>\n<\/p><\/div>\n
\n
<\/div>\n<\/p><\/div>\n
\n
<\/div>\n<\/p><\/div>\n
\n
<\/div>\n<\/p><\/div>\n
\n
<\/div>\n<\/p><\/div>\n<\/p><\/div>\n
\n
\n
<\/div>\n<\/p><\/div>\n
\n
<\/div>\n<\/p><\/div>\n
\n
<\/div>\n<\/p><\/div>\n
\n
<\/div>\n<\/p><\/div>\n
\n
<\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/div>\n
5\/5 – (1 vote) <\/div>\n<\/div>\n
\"YouTube<\/a>
<\/figcaption><\/figure>\n

Background<\/h2>\n

I\u2019ve been working on the Alice in Wonderland series of free hacking CTF (Capture the Flag) challenges on TryHackMe. <\/p>\n

\"\ud83d\udea9\" Recommended Tutorial<\/strong>: Capture the Flag – Alice in Wonderland – TryHackMe Walkthrough<\/a><\/p>\n

While working on the second box in the series, Looking Glass<\/a>, I stumbled upon a bash script<\/a> written by Tay1or<\/em>, another user on TryHackMe. <\/p>\n

The opening challenge involves finding the correct port which hides an encrypted poem, Jabberwocky<\/em><\/a> by Lewis Caroll. <\/p>\n

Using a script here is a more efficient solution because it is quite time-consuming to manually attempt connecting to different ssh ports over and over until the correct port can be found. <\/p>\n

The box also resets the mystery port after each login, so unless you solve the box on your first attempt, the script will come in handy multiple times.<\/p>\n

Bash Script<\/h2>\n

Here is Tay1or<\/strong>\u2019s bash script with a few slight modifications in bold to make it run on my machine:<\/p>\n

#!\/usr\/bin\/bash low=9000<\/strong>\nhigh=13000<\/strong> while true\ndo mid=$(echo \"($high+$low)\/2\" | bc) echo -n \"Low: $low, High: $high, Trying port: $mid – \" msg=$(ssh -o \"HostKeyAlgorithms=+ssh-rsa\"<\/strong> -p $mid $targetIP | tr -d '\\r') echo \"$msg\" if [[ \"$msg\" == \"Lower\" ]] then low=$mid elif [[ \"$msg\" == \"Higher\" ]] then high=$mid fi\ndone<\/code>\n<\/pre>\n
I\u2019m still new to bash scripting, but because I already understand the context of the problem being faced, I can more or less guess what the script is doing. <\/p>\n
At the top, under the shebang line, it first sets low and high values for the ports to be searched. Then we see a while true<\/code> loop. <\/p>\n
The first command in the loop calculates the midpoint between the low and the high port values in the given range. <\/p>\n
The echo<\/code> command prints the low\/high\/and midpoint port that is currently being tested. <\/p>\n
Then we have if\/elif<\/code> commands to respond appropriately to the output of the $msg<\/code> to set the mid to either the lower or higher range variables. By resetting the range after each attempted connection, the search will take a minimal amount of time by eliminating the largest number of ports possible on each attempt. <\/p>\n
When the output msg is neither \u201cHigher\u201d or \u201cLower\u201d it will end the loop because we will have hit our secret encrypted message on the correct port.<\/p>\n
Conversion into a Python script<\/h2>\n
I started wondering how it might be possible to translate the bash script to a Python script and decided to try my hand at converting the functionality of the code.<\/p>\n
I\u2019m more comfortable scripting in Python, and I think it will probably come in handy later in future challenges to be able to quickly write up a script during CTF challenges to save time.\u00a0<\/p>\n
The inputs of the code are the targetIP<\/code> and high and low values of the target SSH port range. <\/p>\n
Outputs are the response from the targetIP<\/code> on each attempted connection until the secret port is found. Once the secret port is found, the program will reiterate that you have found the port.<\/p>\n
I posted the final version of the python script here on GitHub<\/a>. For your convenience, I’ll include it here too:<\/p>\n
#!\/usr\/bin\/env python3\n# These sites were used as references: https:\/\/stackabuse.com\/executing-shell-commands-wi>\n# https:\/\/stackoverflow.com\/questions\/4760215\/running-shell-command-and-capturing-the-> #set up initial conditions for the target port search\nimport subprocess\nlow_port=9000\nhigh_port=13790\ntargetIP = \"10.10.252.52\"\nprint(targetIP)\n#initialize loop_key variable:\nloop_key=\"higher\" while loop_key==\"Higher\" or \"Lower\": print('low = ' + str(low_port) + ', high = ' + str(high_port))\n#a good place to use floor division to cut off the extra digit mid_port=(high_port+low_port)\/\/2 print('Trying port ' + str(mid_port)) #attempt to connect to the mid port result = subprocess.run(['ssh', 'root@' + str(targetIP), '-oHostKeyAlgorithms=+ssh-rsa', '-p', str(mid_port)], stdout=subprocess.PIPE) # prep the decoded output variable msg = result.stdout decoded_msg = msg.decode('utf-8') # print result of attempted ssh connection print(decoded_msg) if \"Higher\" in decoded_msg: #print(\"yes I see the words Higher\") high_port=mid_port print(high_port) loop_key=\"Higher\" elif \"Lower\" in decoded_msg: low_port=mid_port print(low_port) loop_key=\"Lower\" else: print(\"You found the secret port - \" + str(mid_port)) exit()<\/pre>\n","protected":false},"excerpt":{"rendered":"
5\/5 – (1 vote) Background I\u2019ve been working on the Alice in Wonderland series of free hacking CTF (Capture the Flag) challenges on TryHackMe. Recommended Tutorial: Capture the Flag – Alice in Wonderland – TryHackMe Walkthrough While working on the second box in the series, Looking Glass, I stumbled upon a bash script written by […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[857],"tags":[73,468,528],"class_list":["post-129963","post","type-post","status-publish","format-standard","hentry","category-python-tut","tag-programming","tag-python","tag-tutorial"],"_links":{"self":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/129963","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/comments?post=129963"}],"version-history":[{"count":0,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/129963\/revisions"}],"wp:attachment":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media?parent=129963"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/categories?post=129963"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/tags?post=129963"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}