[Tut] Bash Port Scanning (SSH) as a Python Script [TryHackMe] - Sick Gaming, Forum: Python (https://www.sickgaming.net/forum-83.html)
[Tut] Bash Port Scanning (SSH) as a Python Script [TryHackMe] - xSicKxBot - 11-24-2022

Bash Port Scanning (SSH) as a Python Script [TryHackMe]

<div>
<p><a href="https://blog.finxter.com/bash-port-scanning-ssh-as-a-python-script-tryhackme/">YouTube Video</a></p>
<h2>Background</h2>
<p>I’ve been working on the Alice in Wonderland series of free hacking CTF (Capture the Flag) challenges on TryHackMe.</p>
<p class="has-base-background-color has-background">🚩 <strong>Recommended Tutorial</strong>: <a href="https://blog.finxter.com/tryhackme-capture-the-flag-ctf-walkthrough-lookingglass/" data-type="post" data-id="914098" target="_blank" rel="noreferrer noopener">Capture the Flag – Alice in Wonderland – TryHackMe Walkthrough</a></p>
<p>While working on the second box in the series, <a href="https://tryhackme.com/room/lookingglass" target="_blank" rel="noreferrer noopener">Looking Glass</a>, I stumbled upon a <a href="https://tay1or.li/post/thm-lookingglass/" target="_blank" rel="noreferrer noopener">bash script</a> written by <em>Tay1or</em>, another user on TryHackMe.</p>
<p>The opening challenge involves finding the correct port which hides an encrypted poem, <a href="https://www.poetryfoundation.org/poems/42916/jabberwocky" target="_blank" rel="noreferrer noopener"><em>Jabberwocky</em></a> by Lewis Carroll.</p>
<p>Using a script here is a more efficient solution, because manually attempting to connect to different SSH ports over and over until the correct one turns up is quite time-consuming.
</p>
<p>The box also resets the mystery port after each login, so unless you solve the box on your first attempt, the script will come in handy multiple times.</p>
<h2>Bash Script</h2>
<p>Here is <strong>Tay1or</strong>’s bash script with a few slight modifications in bold to make it run on my machine:</p>
<pre class="wp-block-preformatted"><code>#!/usr/bin/bash
# targetIP was never assigned in the original script; take it from the first argument
targetIP="${1:?usage: $0 target-ip}"
low=<strong>9000</strong>
high=<strong>13000</strong>
while true
do
    # midpoint of the current range (bc does integer division here)
    mid=$(echo "($high+$low)/2" | bc)
    echo -n "Low: $low, High: $high, Trying port: $mid – "
    # connect to the candidate port and strip carriage returns from the banner
    msg=$(ssh -o <strong>"HostKeyAlgorithms=+ssh-rsa"</strong> -p $mid $targetIP | tr -d '\r')
    echo "$msg"
    if [[ "$msg" == "Lower" ]]
    then
        low=$mid
    elif [[ "$msg" == "Higher" ]]
    then
        high=$mid
    else
        # neither hint: this is the port (the original loop had no exit here)
        echo "Port $mid answered with neither hint"
        break
    fi
done</code></pre>
<p>I’m still new to bash scripting, but because I already understand the context of the problem being faced, I can more or less guess what the script is doing.</p>
<p>At the top, under the shebang line, it first sets the low and high values of the port range to be searched. Then we see a <code>while true</code> loop.</p>
<p>The first command in the loop calculates the midpoint between the low and high port values of the current range.</p>
<p>The <code>echo</code> command prints the low, high and midpoint ports currently being tested.</p>
<p>Then the <code>if/elif</code> commands respond to the contents of <code>$msg</code> by assigning the mid port to either the low or the high range variable. By narrowing the range after each attempted connection, the search eliminates the largest possible number of ports on each attempt, so it finishes in a minimal number of tries.
</p>
<p>When the output msg is neither “Higher” nor “Lower”, the loop ends because we will have hit our secret encrypted message on the correct port.</p>
<h2>Conversion into a Python script</h2>
<p>I started wondering how it might be possible to translate the bash script to a Python script and decided to try my hand at converting the functionality of the code.</p>
<p>I’m more comfortable scripting in Python, and I think being able to quickly write up a script during CTF challenges to save time will probably come in handy in future challenges.</p>
<p>The inputs of the code are the <code>targetIP</code> and the high and low values of the target SSH port range.</p>
<p>The outputs are the response from the <code>targetIP</code> on each attempted connection until the secret port is found. Once the secret port is found, the program will reiterate that you have found the port.</p>
<p>I posted the final version of the Python script <a href="https://github.com/Benjamin-James-Reitz/THM-Looking-Glass-Python-Script/blob/main/script-new.py" target="_blank" rel="noreferrer noopener">here on GitHub</a>.
For your convenience, I’ll include it here too:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="python" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">#!/usr/bin/env python3
# These sites were used as references:
# https://stackabuse.com/executing-shell-commands-wi>
# https://stackoverflow.com/questions/4760215/running-shell-command-and-capturing-the->

import subprocess

# set up initial conditions for the target port search
low_port = 9000
high_port = 13790
targetIP = "10.10.252.52"
print(targetIP)

# initialize loop_key: the loop keeps going while the last reply was a hint.
# (note: "loop_key == 'Higher' or 'Lower'" is always true, because the bare
# string 'Lower' is truthy on its own, so membership is tested instead)
loop_key = "Higher"
while loop_key in ("Higher", "Lower"):
    print('low = ' + str(low_port) + ', high = ' + str(high_port))
    # a good place to use floor division to cut off the extra digit
    mid_port = (high_port + low_port) // 2
    print('Trying port ' + str(mid_port))
    # attempt to connect to the mid port and capture what the server prints
    result = subprocess.run(['ssh', 'root@' + str(targetIP), '-oHostKeyAlgorithms=+ssh-rsa', '-p', str(mid_port)], stdout=subprocess.PIPE)
    # decode the captured output
    msg = result.stdout
    decoded_msg = msg.decode('utf-8')
    # print result of attempted ssh connection
    print(decoded_msg)
    if "Higher" in decoded_msg:
        high_port = mid_port
        print(high_port)
        loop_key = "Higher"
    elif "Lower" in decoded_msg:
        low_port = mid_port
        print(low_port)
        loop_key = "Lower"
    else:
        print("You found the secret port - " + str(mid_port))
        break</pre>
</div>
https://www.sickgaming.net/blog/2022/11/22/bash-port-scanning-ssh-as-a-python-script-tryhackme/
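<p>As an added example (not the blog's, Tay1or's or the GitHub script's code), here is the same Higher/Lower search with the ssh probe separated from the search logic, so the search can be checked offline against a constructed fake box and cannot loop forever when the range is exhausted. The function names, the secret port 12345, the <code>StrictHostKeyChecking=accept-new</code> option and the Jabberwocky line used as a stand-in banner are my choices.</p>

```python
"""Added example (not the blog's or Tay1or's code): the Higher/Lower binary search
from the scripts above, with the probe injected so it runs offline against a fake box."""
import subprocess
from typing import Callable, Optional

Probe = Callable[[int], str]  # port -> text the box printed when we connected

def find_secret_port(probe: Probe, low: int, high: int, max_tries: int = 32) -> Optional[int]:
    """Halve the open interval (low, high) until a port answers with neither hint.
    Same mapping as Tay1or's script ("Higher" lowers the top, "Lower" raises the
    bottom), but unlike `while true` it terminates: None once no untried port is left."""
    for _ in range(max_tries):  # caps a box that keeps handing out hints forever
        if high - low < 2:  # (low, high) holds no integer: nothing left to try
            return None
        mid = (low + high) // 2  # floor division, as in the Python script above
        reply = probe(mid).replace("\r", "")  # same as the bash tr -d '\r'
        if "Higher" in reply:
            high = mid
        elif "Lower" in reply:
            low = mid
        elif reply.strip():  # any other banner is the poem: this is the port
            return mid
        else:  # empty reply: refused / host-key failure, not a hit
            raise RuntimeError(f"no banner from port {mid}")
    return None

def ssh_probe(target: str, port: int, timeout: float = 10.0) -> str:
    """Real probe, built like the scripts above (assumes ssh is on PATH). stdin is closed,
    so accept-new stores unknown host keys instead of prompting; the right port opens a
    session waiting for input, so the timeout is what brings the poem back instead of hanging."""
    cmd = ["ssh", "-oHostKeyAlgorithms=+ssh-rsa", "-oStrictHostKeyChecking=accept-new",
           "-p", str(port), f"root@{target}"]
    try:
        return subprocess.run(cmd, stdin=subprocess.DEVNULL, capture_output=True,
                              text=True, timeout=timeout).stdout
    except subprocess.TimeoutExpired as exc:
        out = exc.stdout or b""  # partial output captured before the kill
        return out.decode(errors="replace") if isinstance(out, bytes) else out

def make_fake_box(secret: int) -> Probe:
    """Constructed stand-in for the box: hints like the real one, poem on the secret port."""
    def probe(port: int) -> str:
        if port > secret:
            return "Higher\r\n"
        if port < secret:
            return "Lower\r\n"
        return "'Twas brillig, and the slithy toves\r\n"
    return probe
```

Call <code>find_secret_port(lambda p: ssh_probe("TARGET-IP", p), 9000, 13790)</code> to run it against a live box with the same range as the Python script above.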