Level16

Level Goal

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

Solution

We can use utilities such as netstat and ss to list the ports that are being listened on (-t selects TCP sockets, -l listening sockets only, -n numeric addresses and ports).

root@0xCAB: /writeups/overthewire/bandit/level16/

$ netstat -tln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:31518 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:31691 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:31046 0.0.0.0:* LISTEN
...

$ ss -tln
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
...
LISTEN 0 10 0.0.0.0:31960 0.0.0.0:*
LISTEN 0 1 0.0.0.0:12345 0.0.0.0:*
LISTEN 0 10 0.0.0.0:31518 0.0.0.0:*
LISTEN 0 10 0.0.0.0:31046 0.0.0.0:*
...

$

Nmap is also available on the system, so we can use it not only to find the open ports in the given range but also to detect the services listening on them (-sV). Only one port in the range is reported as something other than "echo", so we can use one of the utilities from the previous level to send the password to it over SSL.

root@0xCAB: /writeups/overthewire/bandit/level16/

$ nmap -p 31000-32000 -sV 127.0.0.1
...
PORT STATE SERVICE VERSION
31046/tcp open echo
31518/tcp open ssl/echo
31691/tcp open echo
31790/tcp open ssl/unknown
31960/tcp open echo
...

$ ncat --ssl 127.0.0.1 31790
JQttfApK4SeyHwDlI9SXGR50qclOAil1
Correct!
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
...

$

The reply is the private SSH key for bandit17, which we can then use to log in to the next level.
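The three steps above (find the listeners, separate the TLS ports from the plaintext ones, and tell the echo services apart from the one that answers differently) can be done with nothing but the standard library. The script below is an added example and is not part of the original writeup or the OverTheWire materials. It assumes a plaintext probe line of its own (constructed; in the level you would send the current password instead), and it includes a tiny constructed local echo server so it can be run offline; the port range and the "echo or not" classification are the ones the level describes.

```python
import socket
import ssl
import threading

# Constructed probe line; in the level this would be the current password.
PROBE = "probe-line\n"


def _insecure_tls_context():
    """Context that completes a handshake against any certificate.

    We only want to learn whether the port speaks TLS at all, so hostname
    and chain verification are deliberately disabled for this probe.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def try_tls(host, port, timeout=2.0):
    """Return True if the port completes a TLS handshake, False if it is
    plaintext (handshake fails), None if nothing is listening."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None
    try:
        with _insecure_tls_context().wrap_socket(raw, server_hostname=host):
            return True
    except OSError:          # ssl.SSLError is an OSError subclass
        return False
    finally:
        raw.close()


def send_probe(host, port, use_tls, line=PROBE, timeout=2.0):
    """Send one line (over TLS if requested) and return everything the
    service sends back before it closes or goes quiet."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = _insecure_tls_context().wrap_socket(sock, server_hostname=host)
    chunks = []
    with sock:
        sock.sendall(line.encode())
        try:
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except OSError:      # timeout, reset or TLS EOF: we have what we have
            pass
    return b"".join(chunks).decode(errors="replace")


def classify(sent, reply):
    """An echo service hands back exactly what it was given; anything else
    is the service worth looking at."""
    return "echo" if reply.strip() == sent.strip() else "other"


def survey(host, ports, timeout=2.0):
    """Map each listening port to (speaks_tls, 'echo' | 'other')."""
    results = {}
    for port in ports:
        tls = try_tls(host, port, timeout)
        if tls is None:
            continue             # closed port
        reply = send_probe(host, port, tls, timeout=timeout)
        results[port] = (tls, classify(PROBE, reply))
    return results


def start_echo_server(host="127.0.0.1"):
    """Constructed plaintext echo service so the example runs offline.
    Returns (port, stop_callable)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    srv.settimeout(0.2)
    running = threading.Event()
    running.set()

    def handle(conn):
        with conn:
            try:
                while True:
                    data = conn.recv(4096)
                    if not data:
                        break
                    conn.sendall(data)
            except OSError:
                pass

    def loop():
        while running.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            threading.Thread(target=handle, args=(conn,), daemon=True).start()
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1], running.clear


if __name__ == "__main__":
    # Same range the level names; closed ports are skipped almost instantly.
    for port, (tls, kind) in sorted(survey("127.0.0.1", range(31000, 32001)).items()):
        print(f"{port}/tcp  {'ssl' if tls else 'plain':5}  {kind}")
```

The classification deliberately compares the whole reply with the probe rather than looking for a keyword, so it does not depend on the non-echo service saying "Correct!"; any port that does not parrot the input back is flagged as "other", which is exactly the distinction the level asks for.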