~ Level 16→17 ~
Level Description
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
Commands given to solve this level are as follows: ssh, telnet, nc, openssl, s_client, and nmap.
The final piece of information given is a link to Wikipedia on applications known as port scanners.
Research Before Solving
Reading the article on port scanning is important for this level. We learn through the reading that a port scanner is able to probe a host or server to see what ports are open. Requests are sent from the device running the scanner in hopes of receiving a reply. A reply signifies an open port that is currently accepting requests for communication. The article goes on to give information regarding the plethora of scans available.
We need to find a tool that is used to scan ports within Linux. For this we turn to nmap. According to this command's man pages, it is used to rapidly scan an entire network or an individual host to determine if any ports are available for communicating.
Solution Walkthrough
Initiate the level by logging in as bandit16. We first need to probe the server to see what ports are open and what services they are running. To do so we need to use nmap. The switch required to scan for services is -sV and we also need -p in order to specify the port range to search. Putting all of this together we get: nmap -sV -p31000-32000 localhost.

This process does take some time so be patient. Using the port range does make it faster as it is not scanning through all potential 65,535 ports. Once the nmap is finished running, we want to look at the port numbers, port state, and service.

The level description tells us that only one server will provide the password, the rest will send back anything we send to them. Using that knowledge, we find the second to last server as the only host that is not running an echo service. This is the server we want to send the current level's password to.
Because the server is using the SSL protocol, we should establish communication using openssl. Using the same syntax from the last level, this is how our command should appear: openssl s_client -connect localhost:31790
The resulting output will appear just as it did the first time we used openssl. There is a blinking cursor at the bottom for us to send the password from bandit16. After sending the password we are presented with the following output:

Since we are given a private key, we must use ssh -i along with a file that contains the key. To do this we will start by making a directory under /tmp/user. Next we will create a new, blank file so that we may save the retrieved private key. We can create a blank file with the touch command. To create a file named sshkey.private type: touch /tmp/user/sshkey.private.
If you haven't yet, copy the output of the private key, making sure to include the begin and end lines. Next, we will use the command known as vim. This will allow us to edit the blank file. To edit our specific file, type vim /tmp/user/sshkey.private. Press the letter i to enter insert mode. Paste the private key and make sure everything appears perfectly. Finally, to save the file, hit the Esc key, followed by typing :wq. The w stands for write changes, and the q will quit out of the editor.
Now that we have our private key ready, we can attempt to use the following command to gain access to bandit17: ssh -i /tmp/user/sshkey.private bandit17@127.0.0.1

After typing yes to confirm the connection, we are advised the permissions for our private key file are bad. The second reading from level 15→16 spoke of this issue. ssh has a requirement in its documentation that says private key files should be given limited access. To solve this issue, we will use the following command: chmod 600 /tmp/user/sshkey.private. Describing the logic behind the number 600 is beyond the scope of this walkthrough; I would urge you to research Linux file permissions further if you are curious.
Now that permissions should be properly set, let's try our command again: ssh -i /tmp/user/sshkey.private bandit17@127.0.0.1
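The key-saving steps above leave the file readable by other users on the host until chmod is run. As an added example (not part of the original walkthrough; the function names and the sample key are constructed), this sketch checks that the pasted key kept its begin and end lines and creates the file with owner-only permissions from the start, which is what ssh requires of a private key file:

```shell
#!/usr/bin/env bash
# Added example; function names and the sample key are constructed.

# True only when group and other have no permission bits on the file,
# the condition ssh enforces before it will use a private key.
key_perms_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Read a pasted key from stdin and store it at $1, owner-only from creation.
# The body runs in a subshell (parentheses) so the umask does not leak out.
save_private_key() (
    dest=$1
    key=$(cat)
    first=$(printf '%s\n' "$key" | head -n 1)
    last=$(printf '%s\n' "$key" | tail -n 1)
    # Reject a paste that lost its BEGIN or END line.
    case $first in
        "-----BEGIN "*"PRIVATE KEY-----") ;;
        *) echo "missing BEGIN line" >&2; exit 1 ;;
    esac
    case $last in
        "-----END "*"PRIVATE KEY-----") ;;
        *) echo "missing END line" >&2; exit 1 ;;
    esac
    umask 077                    # new files are created as 600
    rm -f -- "$dest"             # an existing file would keep its old mode
    printf '%s\n' "$key" > "$dest" || exit 1
    key_perms_ok "$dest"
)

# Constructed placeholder, not a real key.
SAMPLE_KEY='-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
-----END RSA PRIVATE KEY-----'

demo_dir=$(mktemp -d)            # mktemp -d creates a 700 directory
printf '%s\n' "$SAMPLE_KEY" | save_private_key "$demo_dir/sshkey.private" \
    && echo "stored with owner-only permissions"
```

Using mktemp -d instead of a fixed path under /tmp also keeps other users from listing or pre-creating the directory that holds the key.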

We were able to get access to the server as user bandit17! The final step to complete is to obtain the password. We do this by doing the following: cat /etc/bandit_pass/bandit17.

Congratulations on finding the password. You may now log out of the session and get ready for the next level!
Password: xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn