This article is the continuation of the Over The Wire Bandit walkthrough. In case,you haven’t seen my last article it is here OVERTHEWIRE: Bandit walkthough 12-15.
So let’s begin with the further levels.
Login with the bandit16 user with the password.
The hint of this level says
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
What we need to do here is to scan the localhost with ports between 31000 and 32000 and see which one of those truly contains the password.
Scanning tool will be nmap and the command is below:
nmap localhost -p 31000-32000
This gave me a list of ports amd I manually made connections to each using openssl like we did in previous level, level 16. I am showing the output of the correct port only which is 31790.
When I submit the password to this level, It gave me the private key to another level.
Login with the above ssh private key to the bandit17 level.
Below, you will see the connection failure due to permission that I haven’t given to the script file which actually contains the private key we found above. If you’ve gone through my previous article, I have talked about chmod 400 for the keys. If you haven’t read it, the link is here:
The hint for this level says:
There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new
NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19
With the help of diff command, we can find that the command I have used is shown in the image below.
The password is the first one since we used first file as passwords.new
I will be continuing this series for further solutions.