Wednesday, July 1, 2015

OverTheWire - Bandit - Level 17

Level Goal

The password for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range of 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don't. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send it.

Commands you may need to solve this level

  • ssh
  • telnet
  • nc
  • openssl
  • s_client
  • nmap

Helpful Reading Material


As the Helpful Reading Material section suggests, we'll start with a port scanner. The command-line utility for this is nmap, which is an exploration tool and security / port scanner. All we need to provide is the port range.
nmap -p 31000-32000 localhost
Now that we have a list of ports that are listening for connections, we can try connecting to each of them using openssl. If we get an error, the port doesn't support SSL, and if it echoes back the password we send, it isn't the right server.
echo "password" | openssl s_client -connect localhost:31960 -quiet
The exact command above already targets the single port that will provide the password; you'll just have to replace "password" with the actual password for this level. This should give you the password to log in to bandit17.

We were able to chain the second part of this, but we didn't look at any way to combine the nmap command output. I'm not sure it follows the same rules that the previous levels have allowed us to 'cheat' to get only the password displaying in a single command sequence. If you have any suggestions on how to do this, leave me a comment.
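
One way to combine the two steps, as an added example that is not part of the original post: parse the open ports out of nmap's normal output and try the openssl check on each one. The function names, the 5-second timeout, the "scan" argument and the sample nmap output are assumptions made for this sketch.

```shell
#!/usr/bin/env bash
# Added example, not from the original post.

# Constructed sample of nmap's normal output (ports other than 31960 are made up).
sample_nmap_output() {
    cat <<'EOF'
Nmap scan report for localhost (127.0.0.1)
PORT      STATE  SERVICE
31046/tcp open   unknown
31518/tcp open   unknown
31790/tcp closed unknown
31960/tcp open   unknown
EOF
}

# Read nmap output on stdin, print one open TCP port number per line.
open_ports() {
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" { split($1, a, "/"); print a[1] }'
}

# Send $2 to localhost:$1 over SSL and print what the server answers.
# stderr (handshake errors, certificate chatter) is discarded; timeout stops
# us hanging on a server that keeps the connection open.
tls_reply() {
    printf '%s\n' "$2" |
        timeout 5 openssl s_client -connect "localhost:$1" -quiet 2>/dev/null
}

# classify <sent> <reply>: empty reply = handshake failed or nothing came back,
# identical reply = echo server, anything else = the port worth reading.
classify() {
    if [ -z "$2" ]; then echo "no-ssl"
    elif [ "$2" = "$1" ]; then echo "echo"
    else echo "candidate"
    fi
}

# Scan the level's port range and label every open port.
scan() {
    nmap -p 31000-32000 localhost | open_ports | while read -r port; do
        echo "$port $(classify "$1" "$(tls_reply "$port" "$1")")"
    done
}

# Live run only on request; the password is read from the terminal so it
# never appears in argv or shell history.
if [ "${1:-}" = "scan" ]; then
    read -r -s -p "Current level password: " pw; echo
    scan "$pw"
fi
```

Run with the single argument scan, it prints one line per open port; the port labelled candidate is the one whose reply differs from what was sent.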
