Warning: This post contains a solution!
Only continue if:
1.) you want to see a possible alternative solution or
2.) you are stuck and need a hint!
Connect to the server using the following credentials:
Level Goal is:
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
First, perform an nmap scan to find the open ports:

```
bandit16@bandit:~$ nmap -sV -p31000-32000 localhost

Starting Nmap 7.40 ( https://nmap.org ) at 2019-01-01 12:31 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00019s latency).
Not shown: 999 closed ports
PORT      STATE SERVICE     VERSION
31518/tcp open  ssl/echo
31790/tcp open  ssl/unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port31790-TCP:V=7.40%T=SSL%I=7%D=1/1%Time=5C2B4FA1%P=x86_64-pc-linux-gn
SF:u%r(GenericLines,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20cur
SF:rent\x20password\n")%r(GetRequest,31,"Wrong!\x20Please\x20enter\x20the\
SF:x20correct\x20current\x20password\n")%r(HTTPOptions,31,"Wrong!\x20Pleas
SF:e\x20enter\x20the\x20correct\x20current\x20password\n")%r(RTSPRequest,3
SF:1,"Wrong!\x20Please\x20enter\x20the\x20correct\x20current\x20password\n
SF:")%r(Help,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20current\x2
SF:0password\n")%r(SSLSessionReq,31,"Wrong!\x20Please\x20enter\x20the\x20c
SF:orrect\x20current\x20password\n")%r(TLSSessionReq,31,"Wrong!\x20Please\
SF:x20enter\x20the\x20correct\x20current\x20password\n")%r(Kerberos,31,"Wr
SF:ong!\x20Please\x20enter\x20the\x20correct\x20current\x20password\n")%r(
SF:FourOhFourRequest,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20cu
SF:rrent\x20password\n")%r(LPDString,31,"Wrong!\x20Please\x20enter\x20the\
SF:x20correct\x20current\x20password\n")%r(LDAPSearchReq,31,"Wrong!\x20Ple
SF:ase\x20enter\x20the\x20correct\x20current\x20password\n")%r(SIPOptions,
SF:31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20current\x20password\
SF:n");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 88.30 seconds
```
There are two open ports, 31518 and 31790. The first one is the 'echo' port, the second one is the correct one. Connect to this port and then type in the password from the current level:
```
bandit16@bandit:~$ openssl s_client -connect localhost:31790
CONNECTED(00000003)
depth=0 CN = localhost
[...]
```
A private key is returned:
```
[...]
---
cluFxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Correct!
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
<snipped>
-----END RSA PRIVATE KEY-----

closed
```
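The level goal's three questions (which ports listen, which of those speak SSL, and which merely echo) can also be answered with the standard library alone. The following Python is an added example, not part of the original post; the function names, the 2-second timeout and the random marker line are assumptions made for the illustration.

```python
import secrets
import socket
import ssl

HOST = "127.0.0.1"  # the level only concerns localhost
TIMEOUT = 2.0       # seconds per connection attempt (assumed value)


def _is_echo(sock, marker):
    """Send one marker line and report whether the peer sent it straight back."""
    sock.sendall(marker + b"\n")
    try:
        reply = sock.recv(4096)
    except OSError:  # timeout, reset or TLS read error
        reply = b""
    return reply.startswith(marker)


def probe(port, host=HOST):
    """Return None if nothing listens, else (transport, is_echo) with transport 'tls' or 'plain'."""
    marker = secrets.token_hex(8).encode()  # random, so a match cannot be a coincidence
    # Self-signed certificate on loopback (depth=0 CN = localhost), so verification is off.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=TIMEOUT)
    except OSError:
        return None
    try:
        with ctx.wrap_socket(raw) as tls:  # success here means the listener speaks TLS
            return ("tls", _is_echo(tls, marker))
    except OSError:
        pass  # handshake failed: the listener does not speak TLS
    # The failed handshake consumed the first connection, so reconnect in clear text.
    try:
        with socket.create_connection((host, port), timeout=TIMEOUT) as plain:
            return ("plain", _is_echo(plain, marker))
    except OSError:
        return None


def survey(ports, host=HOST):
    """Probe every port and keep only the listeners."""
    return {p: r for p in ports if (r := probe(p, host)) is not None}


if __name__ == "__main__":
    for port, (transport, echo) in sorted(survey(range(31000, 32001)).items()):
        print(port, transport, "echo" if echo else "not echo")
```

A listener reported as `tls` and `not echo` corresponds to the `ssl/unknown` entry in the nmap output above.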