The password for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next password, the others will simply send back to you whatever you send to it.
Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap
Looking at the list of commands, nmap (a port scanner) is what we need. The -p option selects which ports to scan; a range is written as start-end.
nmap -p 31000-32000 localhost

Starting Nmap 5.21 ( http://nmap.org ) at 2014-11-02 07:06 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00087s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
31046/tcp open  unknown
31518/tcp open  unknown
31691/tcp open  unknown
31790/tcp open  unknown
31960/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds
There are 5 open ports within the scan range. We can check each one by hand and find that port 31790 is the one we want, or we can write a script to do it. Then we create the folder /tmp/key/ (it was already there when I did this) and save the key in it.
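The script the write-up mentions, written out as an added example (not the author's code): it pulls the open ports out of nmap's output, sends the current password to each one over TLS and then over plain TCP, and flags the single reply that is not an echo of what was sent. It assumes the Bandit host layout above (/etc/bandit_pass/bandit16, servers on localhost) and that nmap, openssl, OpenBSD nc and timeout are installed.

```shell
#!/bin/sh
# Added example, not from the original write-up: sweep the open ports as the
# text describes (try TLS, then plain TCP, send the current password, keep the
# one server whose reply is not an echo). Assumes the write-up's Bandit layout
# (/etc/bandit_pass/bandit16, servers on localhost) and nmap, openssl,
# OpenBSD nc (-q) and timeout being installed.

# Constructed copy of the scan result shown above, for a dry run of open_ports.
sample_nmap_output() {
    printf '%s\n' 'PORT      STATE SERVICE' '31046/tcp open  unknown' \
        '31518/tcp open  unknown' '31691/tcp open  unknown' \
        '31790/tcp open  unknown' '31960/tcp open  unknown'
}

# open_ports: read nmap's normal output on stdin, print the open port numbers.
open_ports() {
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" { sub(/\/tcp$/, "", $1); print $1 }'
}

# classify_reply SENT REPLY: echo servers return exactly what they were sent;
# an empty reply means the port did not answer over this transport.
classify_reply() {
    if [ -z "$2" ]; then echo no-reply
    elif [ "$2" = "$1" ]; then echo echo
    else echo candidate
    fi
}

# probe PORT SECRET: TLS first, then plain TCP; prints "port transport class".
# timeout ends sessions a server keeps open (s_client -quiet implies -ign_eof);
# "|| true" stops a refused connection from aborting under set -e.
probe() {
    port=$1 secret=$2
    reply=$(printf '%s\n' "$secret" |
        timeout 5 openssl s_client -connect "localhost:$port" -quiet 2>/dev/null || true)
    if [ -n "$reply" ]; then
        echo "$port tls $(classify_reply "$secret" "$reply")"; return
    fi
    reply=$(printf '%s\n' "$secret" | timeout 5 nc -q 1 localhost "$port" 2>/dev/null || true)
    echo "$port plain $(classify_reply "$secret" "$reply")"
}

# sweep: run the real scan and probe each open port; the "candidate" line is
# the server that hands out the key.
sweep() {
    secret=$(cat /etc/bandit_pass/bandit16)
    nmap -p 31000-32000 localhost | open_ports | while read -r p; do probe "$p" "$secret"; done
}
# Run the sweep only when invoked as: sh sweep.sh run
case "${1:-}" in run) sweep ;; esac
```

Run it as `sh sweep.sh run` on the Bandit host; sourcing the file only defines the functions.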
cat /etc/bandit_pass/bandit16 | openssl s_client -connect localhost:31790 -quiet > /tmp/key/b16pkey
If you try to use the key as it is, ssh will refuse it, warning that the private key file is unprotected because everyone can read it. The file was saved with read/write permission for owner, group and everyone; it must be readable and writable by the owner only.
chmod 600 /tmp/key/b16pkey
Once this is done we will use this key as our private key (see Level 13 → 14).
ssh -i /tmp/key/b16pkey bandit17@localhost
The password is at the same location. I record the next level password in case I need to stop and don’t want to redo the level. I can just jump right into level 17 using the password.
cat /etc/bandit_pass/bandit17
xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn