Bandit level 16
Level Goal
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL/TLS and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
Helpful note: Getting “DONE”, “RENEGOTIATING” or “KEYUPDATE”? Read the “CONNECTED COMMANDS” section in the manpage.
This level is almost identical to the previous one, but the port we need to connect to is unknown; we only know the range in which it lies. So we need a port scanner to find the open ports in that range, and then to work out which of them accept SSL/TLS connections. As usual, make use of the man pages.
Useful commands:
- man
- nmap
- openssl
Solution - Spoiler Alert!
First we need a port scan to find out which ports in the range are open. Using nmap -p 31000-32000 localhost
I got 5 open ports, but all of them reported as unknown services (without -sV, nmap only guesses the service from the port number). To identify what is actually running we add the -sV option (service/version detection). Since we already know which ports are open, we can limit the detection run to just those: nmap -p 31046,31518,31619,31790,31960 -sV localhost
gives us the service on each of the 5 ports. Two of them speak SSL/TLS: one is an echo service, the other an unknown service.
The unknown one is the most interesting, so I tried openssl s_client -connect localhost:31790
and pasted in the current password. The result was a KEYUPDATE message instead of a reply. After trying the same thing over and over (it might work the 2nd or 3rd or 6th time, right?) I consulted the man page with man s_client
(man openssl-s_client on newer systems), which is a different page from man openssl
. Its "CONNECTED COMMANDS" section explains the behaviour: in interactive mode s_client treats a line starting with Q, R, k or K as a command (quit, renegotiate, key update) rather than sending it, so a password that happens to start with one of those letters never reaches the server. The -quiet option turns that off (it also implies -ign_eof, so the connection is not closed when input ends). So I ran openssl s_client -connect localhost:31790 -quiet
. Pasting in the current password here returns what looks like an SSH private key (a PEM block).
I copied the key, including the BEGIN and END lines, to a text file on my desktop and will use it for SSH in the next level. One check before that: ssh refuses a private key that is readable by others, so chmod 600 the file before passing it with ssh -i.
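The whole procedure from the solution above (scan the range, keep the ports nmap tags as ssl, submit the password through openssl s_client -quiet, and separate the echo services from the one server that answers differently) as an added shell script. This is not the page author's script. It assumes nmap, openssl and the coreutils timeout command are on the PATH, and the nmap grepable output embedded in it is constructed to mirror the five ports found above (it is not a recorded scan).

```shell
#!/bin/sh
# Added example, not the page author's code: automate Bandit level 16.
# Assumes nmap, openssl and coreutils `timeout` are installed.
# Usage:  ./probe16.sh <current-password> [host]

# Parse nmap "grepable" (-oG) output. Each port entry has the form
#   port/state/protocol/owner/service/rpcinfo/version/
# and nmap writes TLS-wrapped services as ssl|<name> ('|' replaces '/').
# Prints one port per line for every entry whose state is "open".
open_ports() {
    awk -F'Ports: ' '/Ports:/ {
        n = split($2, entry, ", ")
        for (i = 1; i <= n; i++) {
            split(entry[i], f, "/")
            if (f[2] == "open") print f[1]
        }
    }'
}

# Same, but keeps only open ports whose -sV service name mentions ssl.
ssl_ports() {
    awk -F'Ports: ' '/Ports:/ {
        n = split($2, entry, ", ")
        for (i = 1; i <= n; i++) {
            split(entry[i], f, "/")
            if (f[2] == "open" && f[5] ~ /ssl/) print f[1]
        }
    }'
}

# Send the password over TLS and print whatever the server replies.
# -quiet disables the interactive "connected commands" (a line starting with
# Q, R, k or K would otherwise be treated as quit/renegotiate/key update
# instead of being sent) and implies -ign_eof, so s_client does not hang up
# as soon as our single line of input is exhausted; timeout ends the session.
probe() {   # $1 host, $2 port, $3 password
    printf '%s\n' "$3" | timeout 5 openssl s_client -quiet -connect "$1:$2" 2>/dev/null
    return 0
}

# Echo services hand back exactly the line we sent; no reply at all means the
# handshake failed (not a TLS port); anything else is the server we want.
classify() {   # $1 password, $2 reply ; prints none, echo or candidate
    if [ -z "$2" ]; then
        echo none
    elif [ "$2" = "$1" ]; then
        echo echo
    else
        echo candidate
    fi
}

# Constructed sample of `nmap -sV -oG -` output for the five ports found in
# the solution above (tabs shown as spaces; service names are illustrative).
SAMPLE_OG='Host: 127.0.0.1 (localhost) Status: Up
Host: 127.0.0.1 (localhost) Ports: 31046/open/tcp//unknown///, 31518/open/tcp//ssl|echo///, 31619/open/tcp//unknown///, 31790/open/tcp//ssl|unknown///, 31960/open/tcp//unknown/// Ignored State: closed (996)'

main() {
    pw=$1
    host=${2:-localhost}
    nmap -p 31000-32000 -sV -oG - "$host" | ssl_ports | while read -r port; do
        reply=$(probe "$host" "$port" "$pw")
        case $(classify "$pw" "$reply") in
            none)      printf '%s: no TLS reply\n' "$port" ;;
            echo)      printf '%s: echo service\n' "$port" ;;
            candidate) printf '%s: non-echo reply, saved to key.%s\n' "$port" "$port"
                       printf '%s\n' "$reply" > "key.$port"
                       chmod 600 "key.$port" ;;   # ssh rejects world-readable keys
        esac
    done
}

# Only run the scan when invoked with a password; otherwise just define helpers.
if [ "$#" -ge 1 ]; then main "$@"; fi
```

Run it on the bandit box from a directory you can write to (for example a fresh directory under /tmp), with the current level's password as the first argument; the candidate reply is written to key.<port> with permissions ssh will accept. The parsing functions work on the constructed sample without any network access, which is how they are exercised below.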