OverTheWire: Bandit Level 16→ Level 17

3 min readOct 23, 2023

https://overthewire.org/wargames/bandit/bandit17.html

Level Goal

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap

SOLUTION

Step 1: Information

Server Address: bandit.labs.overthewire.org
Username: bandit16
Password: JQttfApK4SeyHwDlI9SXGR50qclOAil1
Port: 2220

Step 2: Understanding the Task

Our task involves identifying a specific port within the range 31000 to 32000 on localhost. We’re required to find out:
-> Which ports have servers listening.
-> Which of these servers communicate using SSL.

Only one of these servers will provide the subsequent level’s credentials.

Step 3: Scanning Ports

To get an overview of the open ports within the designated range, employ the nmap tool:

Syntax: nmap -A -p 31000–32000 localhost

The output will delineate the open ports.

Step 4: Pinpointing the Relevant Server

The scan results might present various active services. A closer inspection reveals an intriguing detail: port 31790 dispatches a message, “Enter correct password.” This hints that it’s the desired port.

Since the service at port 31790 communicates via SSL encryption, we’ll use openssl coupled with the s_client command:

Syntax: openssl s_client -connect localhost:31790

While we don’t directly receive a password, we obtain an RSA Key. This key is pivotal for SSH access. Save this key either by creating a directory in /tmp or transferring it to your local system.