OverTheWire: Bandit Level 16 → Level 17
https://overthewire.org/wargames/bandit/bandit17.html
Level Goal
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap
SOLUTION
Step 1: Information
Server Address: bandit.labs.overthewire.org
Username: bandit16
Password: JQttfApK4SeyHwDlI9SXGR50qclOAil1
Port: 2220
Step 2: Understanding the Task
Our task involves identifying a specific port within the range 31000 to 32000 on localhost. We’re required to find out:
-> Which ports have servers listening.
-> Which of these servers communicate using SSL.
Only one of these servers will provide the subsequent level’s credentials.
Step 3: Scanning Ports
To get an overview of the open ports within the designated range, employ the nmap tool:
Syntax: nmap -A -p 31000-32000 localhost
The output will delineate the open ports.
Step 4: Pinpointing the Relevant Server
The scan results might present various active services. A closer inspection reveals an intriguing detail: port 31790 dispatches a message, “Enter correct password.” This hints that it’s the desired port.
Since the service at port 31790 communicates via SSL encryption, we’ll use openssl coupled with the s_client command:
Syntax: openssl s_client -connect localhost:31790
After the current level’s password is submitted, the service does not return a password directly; instead, we obtain an RSA key. This key is what grants SSH access to the next level. Save it to a file, either in a directory created under /tmp or on your local system.
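The check from Steps 3 and 4 can also be done by probing each port directly. The following is an added example, not part of the original walkthrough; it goes one step further than the nmap scan by labelling every listener as TLS or plaintext and as echo or non-echo. The names connect, classify and survey and the canary payload are assumptions made for illustration.

```python
import socket
import ssl

def connect(host, port, use_tls, timeout):
    """Open a TCP connection, optionally completing a TLS handshake on it."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if not use_tls:
        return sock
    # Lab services present self-signed certificates, so verification is off.
    # Assumption: only pointed at localhost; keep verification on elsewhere.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        return ctx.wrap_socket(sock)
    except OSError:  # ssl.SSLError is a subclass of OSError
        sock.close()
        raise

def classify(host, port, payload=b"canary-7f3a\n", timeout=2.0):
    """Return 'closed', 'tls-echo', 'tls-other', 'plain-echo' or 'plain-other'."""
    for proto in ("tls", "plain"):
        try:
            sock = connect(host, port, proto == "tls", timeout)
        except ConnectionRefusedError:
            return "closed"
        except OSError:
            continue  # handshake failed or timed out: retry without TLS
        with sock:
            try:
                sock.sendall(payload)  # constructed canary, not a real password
                reply = sock.recv(4096)
            except OSError:
                reply = b""
        return f"{proto}-echo" if reply == payload else f"{proto}-other"
    return "closed"

def survey(host, ports):
    """Classify every port and keep only the ones with a listener."""
    kinds = ((p, classify(host, p)) for p in ports)
    return {p: k for p, k in kinds if k != "closed"}

if __name__ == "__main__":
    # Port range from the level goal; the TLS listener that does not echo is the target.
    for port, kind in survey("localhost", range(31000, 32001)).items():
        print(port, kind)
```

A port reported as tls-other is the one that speaks SSL and does not simply send back what it receives.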
Step 5: Accessing the Next Level
Copy the provided identity key to your local system. Then, use it to connect to bandit17:
Syntax: ssh -i /path/to/saved/key bandit17@bandit.labs.overthewire.org -p 2220
Once inside, read the password for bandit17 from the file /etc/bandit_pass/bandit17.
Step 6: Documenting the Retrieved Password
Password for Level 17 to Level 18:
VwOSWtCA7lRKkTfbr2IDh6awj9RNZM5e