Bandit Level 16 → Level 17

Level Goal

The password for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next password, the others will simply send back to you whatever you send to it.

Commands you may need to solve this level

ssh, telnet, nc, openssl, s_client, nmap

Looking at the list of commands, nmap seems to be what we need (port scanner). The option -p is for specific ports and you can also use a range by separating the start and end port by -.

nmap -p 31000-32000 localhost

Starting Nmap 5.21 ( ) at 2014-11-02 07:06 UTC
Nmap scan report for localhost (
Host is up (0.00087s latency).
Not shown: 996 closed ports
31046/tcp open  unknown
31518/tcp open  unknown
31691/tcp open  unknown
31790/tcp open  unknown
31960/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

There are 5 ports that are open within the scan range. We can just check each one and find out that port 31790 is the one we want. Alternatively, we can write a script for this. Then we create a folder in /tmp/key/ (already created when I do it) and save the key in there.

cat /etc/bandit_pass/bandit16 | openssl s_client -connect localhost:31790 -quiet > /tmp/key/b16pkey

If you try to use the key as it is, it will say the key is too insecure and that everyone can see it. The reason is that the permission for this file is rw for owner/group/everyone. We need to change it so that it is only rw for the owner.

chmod 600 /tmp/key/b16pkey

Once this is done we will use this key as our private key (see Level 13 → 14).

ssh -i /tmp/key/b16pkey bandit17@localhost

The password is at the same location. I record the next level password in case I need to stop and don’t want to redo the level. I can just jump right into level 17 using the password.

cat /etc/bandit_pass/bandit17