Kappa
“Great things are not done by impulse, but by a series of small things brought together.”
Host: bandit.labs.overthewire.org
Port: 2220
Level 16
ssh bandit16@bandit.labs.overthewire.org -p 2220
password: JQttfApK4SeyHwDlI9SXGR50qclOAil1
Objective:
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
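- Run nmap with service detection over the port range to find the listening ports
- Connect to the SSL port with openssl s_client and submit the current level's password
- Save the returned access key to a file in /tmp
- chmod 600 the key file so that ssh will accept it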
CLI:
bandit16@bandit:~$ nmap -sV localhost -p 31000-32000
Starting Nmap 7.80 ( https://nmap.org ) at 2024-03-31 18:28 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
31046/tcp open echo
31518/tcp open ssl/echo
31691/tcp open echo
31790/tcp open ssl/unknown
31960/tcp open echo
bandit16@bandit:~$ openssl s_client -connect localhost:31790
bandit16@bandit:~$ cd /tmp
bandit16@bandit:/tmp$ touch 17key
bandit16@bandit:/tmp$ nano 17key
bandit16@bandit:/tmp$ cat 17key
bandit16@bandit:/tmp$ chmod 600 17key
bandit16@bandit:/tmp$ ls -l 17key
-rw------- 1 bandit16 bandit16 1675 Mar 31 20:59 17key
bandit16@bandit:/tmp$ ssh -i 17key bandit17@localhost -p 2220
JQttfApK4SeyHwDlI9SXGR50qclOAil1
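The steps above as a small script, added here as an example and not part of the original write-up: it picks the SSL ports out of `nmap -sV` output and writes the key with owner-only permissions from the moment it is created, rather than `touch` followed by `chmod` in the shared /tmp. The function names are hypothetical, and the sample table is constructed from the scan shown above.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not from the original page.

# Constructed sample: the port table from the nmap run shown on this page.
SAMPLE_NMAP='31046/tcp open echo
31518/tcp open ssl/echo
31691/tcp open echo
31790/tcp open ssl/unknown
31960/tcp open echo'

# Read "nmap -sV" output on stdin and print every open port whose
# service column starts with "ssl/".
ssl_ports() {
  awk '$2 == "open" && index($3, "ssl/") == 1 { split($1, p, "/"); print p[1] }'
}

# Same, but drop the ports nmap identified as SSL echo servers, which
# only send back whatever they receive.
candidate_ports() {
  awk '$2 == "open" && index($3, "ssl/") == 1 && $3 != "ssl/echo" {
         split($1, p, "/"); print p[1] }'
}

# Read a private key on stdin and store it in a fresh directory that only
# the current user can enter. umask 077 means the file is created as 0600,
# so it is never readable by other users of the shared /tmp, and mktemp
# avoids a predictable file name. Prints the path of the key file.
save_key() (
  umask 077
  dir=$(mktemp -d) || exit 1
  cat > "$dir/key" || exit 1
  printf '%s\n' "$dir/key"
)

# Print the octal permission bits of a file (GNU stat, then BSD stat).
key_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Typical use on the level itself:
#   nmap -sV localhost -p 31000-32000 | candidate_ports
#   save_key    # paste the key returned by openssl s_client, then Ctrl-D
```

ssh ignores a private key file that other users can read, which is why the mode has to be 600 before the `ssh -i` step.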