Level Goal

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL/TLS and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

Helpful note: Getting “DONE”, “RENEGOTIATING” or “KEYUPDATE”? Read the “CONNECTED COMMANDS” section in the manpage.

Commands you may need to solve this level

  • ssh
  • telnet
  • nc
  • socat
  • openssl
  • s_client
  • nmap
  • netstat
  • ss

My Answer (Step by step)

  1. 連線到伺服器並登入
ssh bandit16@bandit.labs.overthewire.org -p 2220
  1. 透過 nc 與 grep 指令找到指定範圍中所有開放的 TCP port
nc -vnz -w 1 127.0.0.1 31000-32000 2>&1 | grep succeeded
# Connection to 127.0.0.1 31046 port [tcp/*] succeeded!
# Connection to 127.0.0.1 31518 port [tcp/*] succeeded!
# Connection to 127.0.0.1 31691 port [tcp/*] succeeded!
# Connection to 127.0.0.1 31790 port [tcp/*] succeeded!
# Connection to 127.0.0.1 31960 port [tcp/*] succeeded!

筆者在此找到五個開放 port

  1. 使用 openssl 指令循序嘗試連線上個步驟找到的 port,並輸入當前等級密碼直到獲得下一等級 ssh 金鑰!
openssl s_client -quiet localhost:31790
  1. 透過 mktemp 產生暫存資料夾,並透過 cd 指令進入該資料夾
mktemp -d
# /tmp/tmp.WGUd2JpYBc
cd /tmp/tmp.WGUd2JpYBc
  1. 透過 touch 指令產生儲存下一等級 ssh 金鑰的檔案,並透過 vim, vi, nano 等指令將金鑰內容輸入至檔案中,然後用 chmod 指令修改金鑰檔權限
touch private.key
nano private.key
chmod 400 private.key
  1. 透過 ssh 指令連線到下一等級,並透過 cat 指令將 Level 17 密碼呈現出來!
ssh bandit17@bandit.labs.overthewire.org -p 2220 -i private.key
cat /etc/bandit_pass/bandit17