I have been slacking lately due to the holidays, and I have been finding it difficult to stick to my own schedule. However, here is my write up for Bandit level 16. If you haven’t had a chance to read my OverTheWire Bandit Write Up – Level 15, give it a quick read then head back over here.

Level 16

The objective of this level is to find an open port between 31000 and 32000 that accepts SSL. Once the port has been found I need to submit the password for the current level to it, and I should then get back the password for the next.

Let’s Start Hacking Then

Just the same as in all the previous levels, I need to spin up a fresh terminal and initiate an SSH connection to the machine. I run the following and get started:

ssh bandit16@bandit.labs.overthewire.org -p 2220

I’m prompted for the password; I enter the one I got from the last level and I’m in.

The first thing I need to do is scan the machine for open ports and find out what’s running on them. I know from the bandit level 16 requirements that the port is somewhere between 31000 and 32000. Looking at the nmap man page I found that I can specify a range of ports to scan, so I run the following command to search through the required ports:

nmap -A -p 31000-32000 localhost

The command takes a while but then returns two ports alongside a bunch of error messages – which can be ignored. One of the ports is filtered and showing as unknown, while the other is open and showing ssl. Knowing that I need to send the password to a port that accepts SSL, I now know which port I need to use.

PORT STATE SERVICE
31518/tcp filtered unknown
31790/tcp open ssl/unknown

I’m now in possession of all the information I need to retrieve the password. I can use the openssl command to send the current password over SSL to the machine on port 31790 and get the password for the next level. I run the following command:

echo 'cluFn7wTiGryunymYOu4RcffSxQluehd' | openssl s_client -connect localhost:31790 -ign_eof

However, instead of being greeted with the password for the next level, I got the message Correct! followed by the following RSA private key.


Back in a previous level I needed to use a private key to initiate an SSH connection to the system. Remembering this, I take a copy of the above RSA private key and exit my connection. I create a new file in my Documents folder, name it bandit17.key, paste in the RSA contents and save the file.

Using this private key I can initiate a connection to the system as the bandit17 user with the following command:

ssh bandit17@bandit.labs.overthewire.org -p 2220 -i bandit17.key

That worked without a problem. I can now get a copy of the password from the bandit password directory using the following:

cat /etc/bandit_pass/bandit17

…and Wham! Bam! Thank you ma’am! I have the password now for level 17.
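The openssl and ssh steps above wrapped into a small script, as an added example that is not part of the original write-up: it sends the password with the quoting the shell actually needs, keeps only the PEM block from the server's reply, and stores it with the 0600 mode that ssh -i insists on before it will use a key file. The host, port and password are the ones from this post; submit_password, extract_key and key_mode are names chosen here, and the transcript used to exercise it is constructed, not a real key.

```shell
#!/bin/sh
# Added example, not the original post's code: automate "send the password over
# TLS, keep only the returned private key" and store the key so ssh -i accepts it.

# submit_password HOST PORT PASSWORD -> prints everything the server sends back.
# Single quotes (not backticks) around the password keep the shell from treating
# it as a command to run. -quiet suppresses the certificate chatter that
# s_client otherwise prints before the server's reply.
submit_password() {
    printf '%s\n' "$3" | openssl s_client -connect "$1:$2" -ign_eof -quiet 2>/dev/null
}

# extract_key TRANSCRIPT_FILE KEY_FILE -> writes just the PEM block, mode 0600.
# Returns non-zero if no complete key block was found, so a failed attempt
# (no "Correct!", no key) does not leave an empty key file behind.
extract_key() {
    transcript=$1; keyfile=$2
    # umask 077 makes the file 0600 at creation, so it is never briefly world-readable
    (umask 077; sed -n '/^-----BEGIN [A-Z ]*PRIVATE KEY-----$/,/^-----END [A-Z ]*PRIVATE KEY-----$/p' "$transcript" > "$keyfile")
    if ! grep -q '^-----END [A-Z ]*PRIVATE KEY-----$' "$keyfile"; then
        rm -f "$keyfile"
        return 1
    fi
    chmod 600 "$keyfile"
}

# key_mode FILE -> permission string as ls shows it, e.g. -rw-------
key_mode() {
    ls -l "$1" | cut -c1-10
}

# Typical use (not run here): fetch the key for the port nmap found, then log in.
# submit_password localhost 31790 'cluFn7wTiGryunymYOu4RcffSxQluehd' > reply.txt
# extract_key reply.txt bandit17.key && ssh -i bandit17.key bandit17@bandit.labs.overthewire.org -p 2220
```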

Level 16 Complete

I have hidden the password here, if you are playing along don’t peek! Please! It’s more fun getting it yourself.


Justin Byrne

Justin Byrne is a self-motivated tech enthusiast who has spent more than half his life dedicated to the tech industry. He built his first computer at the age of 11, and has been building ever since. His interests have changed across the years from system building to web programming and even a dab of software engineering, and just like his interests, his operating system has changed sometimes more than 4 times a year.
