Introduction
As we continue our ascent in the Bandit Challenge, Level 17 introduces a dynamic challenge. This time, we’re required to submit the password of the current level to a port within a specific range on localhost.
By leveraging our knowledge of port scanning and network exploration, and employing tools like nmap, nc, and openssl, we’ll identify the correct port, establish a connection, and retrieve the next set of credentials.
Challenge Overview
Level 17 challenges us to submit the password of the current level to a port within the range of 31000 to 32000 on localhost. Our task is to identify the correct port that hosts a server listening for our input. Once we identify the correct port, we must establish a connection and retrieve the next set of credentials.
Through careful port scanning and exploration, we’ll complete this challenge and access the coveted credentials.
Approach and Strategy
Follow these steps to successfully solve Level 17:
Enter the password you obtained from the previous level.
Next, we’ll use nmap to scan ports within the specified range for active servers and use the --script ssl-cert option to identify the port with a server listening for SSL connections.
The -T5 option sets the timing template to 5, which is the most aggressive timing template.
This command will scan ports within the specified range to identify active servers.
Examine the results of the port scan to identify the port with a server listening.
For the identified port, use openssl and s_client like we did in the previous level to establish a secure connection and retrieve the next set of credentials.
Replace {current_level_password} with the password you obtained from the current level and {identified_port} with the port you identified in the step before.
The -ign_eof flag ensures that the connection isn’t terminated prematurely.
The output of the command will display a private key instead of a password this time; take note of it and save it to a file.
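The steps above as a small shell helper, added here as an example and not part of the original post: it picks the SSL ports out of nmap's output and saves only the private key block from the s_client output. The function names, the next_level.key filename and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Sample data below is constructed, not captured from the game server.

SAMPLE_NMAP='PORT      STATE SERVICE
31111/tcp open  unknown
31222/tcp open  unknown
| ssl-cert: Subject: commonName=localhost
|_Not valid after: (constructed)
31333/tcp open  unknown
| ssl-cert: Subject: commonName=localhost'

SAMPLE_SCLIENT='CONNECTED(00000003)
-----BEGIN CERTIFICATE-----
CONSTRUCTED-CERT-LINE
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
CONSTRUCTED-KEY-LINE-1
CONSTRUCTED-KEY-LINE-2
-----END RSA PRIVATE KEY-----
closed'

# Print every open port whose entry carries an ssl-cert script result.
tls_ports_from_nmap() {
  awk '/^[0-9]+\/tcp +open/           { split($1, a, "/"); port = a[1] }
       index($0, "| ssl-cert:") == 1 { print port }'
}

# Keep only the private-key PEM block; s_client also prints the server
# certificate as PEM, which must not end up in the key file.
extract_private_key() {
  sed -n '/^-----BEGIN [A-Z ]*PRIVATE KEY-----$/,/^-----END [A-Z ]*PRIVATE KEY-----$/p'
}

# Write the key with owner-only permissions; ssh refuses private key
# files that other users can read.
save_key() {   # $1 = destination file (hypothetical name chosen by the caller)
  ( umask 077 && extract_private_key > "$1" )
}

# Live use on the game host (placeholders as in the steps above):
#   nmap -p 31000-32000 --script ssl-cert -T5 localhost | tls_ports_from_nmap
#   echo "{current_level_password}" | openssl s_client -connect localhost:{identified_port} -ign_eof | save_key next_level.key

printf '%s\n' "$SAMPLE_NMAP" | tls_ports_from_nmap   # demo on the constructed sample
```

If the scan lists more than one SSL port, each candidate has to be tried in turn with the s_client step.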
Notes
- Port scanning helps identify active servers within a specified range.
- Use the -p option with nmap to specify the range of ports to scan.
- Use the --script ssl-cert option with nmap to identify the port with a server listening for SSL connections.
- The -T5 option sets the timing template to 5, which is the most aggressive timing template.
- After identifying the port, use openssl and s_client to establish a secure connection.
- The -ign_eof flag prevents the connection from being closed prematurely.
Conclusion
Congratulations on successfully completing Level 17 of the Bandit Challenge! By scanning ports, identifying the correct port with a server, and establishing a secure connection using openssl and s_client, we gained access to the next set of credentials.
Stay tuned for the next blog post, where we’ll tackle Level 18 and continue our quest to become skilled cybersecurity practitioners.