OverTheWire Bandit 16
The password for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next password, the others will simply send back to you whatever you send to it.
We first run nmap against localhost using the port range specified, with service detection turned on. Three of the listening ports are identified as echo servers, which we were warned about.
I try the first of the two ports that did not identify as an echo service. It simply repeats the password back to me, so that one is a fail as well.
I then connect to the second candidate port over SSL and send the password. This time we are presented with an RSA private key.
I copy the private key into a new file. It needs to be created under /tmp, because the home directory isn't writable.
I then try to connect as the next user using the private.key we found.
The key is ignored because the file permissions are too permissive, and ssh falls back to asking for a password.
I use the chmod command to make the file readable and writable only by its owner (mode 600), then attempt to log in once more.
Success! We are logged in, and I am able to display the contents of the password file.
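The whole procedure above as one script, added here as an example and not part of the original walkthrough. The live scan, probe and login are wrapped in functions that are not invoked by the script (they need the Bandit box); the part that sorts replies into echo versus key and stores the key with safe permissions runs offline on constructed sample replies. The sshd port 2220, the user bandit17 and the password path are assumptions about the Bandit setup rather than something the walkthrough states.

```shell
#!/bin/sh
# Added example for the Bandit 16 walkthrough (not the page's own commands).
# Live steps are defined but not run; offline steps run on constructed data.
# Hypothetical assumptions: sshd on localhost:2220, next user bandit17.

# --- Live steps, as typed on the Bandit box (not invoked in this script) ---

# Port scan with service detection, so echo servers get labelled as such.
scan_ports() {
  nmap -sV -p 31000-32000 localhost
}

# Send the current password to one port over SSL and print the reply.
# -quiet hides the certificate chatter and implies -ign_eof, which also stops
# s_client from treating a leading letter of the password as one of its own
# interactive commands (an uppercase R, for example, triggers renegotiation).
live_probe() {
  port=$1; password=$2
  printf '%s\n' "$password" | openssl s_client -quiet -connect localhost:"$port" 2>/dev/null
}

# Log in with the recovered key and print the next level's password.
login_with_key() {
  keyfile=$1
  ssh -i "$keyfile" -p 2220 bandit17@localhost 'cat /etc/bandit_pass/bandit17'
}

# --- Offline steps: classify replies and store the key correctly ---

# classify_response REPLY SENT -> prints "key", "echo" or "other"
classify_response() {
  reply=$1; sent=$2
  case $reply in
    *"-----BEGIN RSA PRIVATE KEY-----"*) printf 'key\n' ;;
    *) if [ "$(printf '%s' "$reply" | tr -d '\r\n')" = "$sent" ]; then
         printf 'echo\n'
       else
         printf 'other\n'
       fi ;;
  esac
}

# save_key DIR REPLY -> writes only the PEM block to DIR/private.key with mode
# 600 and prints the path. Any banner text before the key is dropped so that
# ssh can parse the file, and the chmod is what stops ssh ignoring the key.
save_key() {
  dir=$1; reply=$2
  keyfile="$dir/private.key"
  printf '%s\n' "$reply" | sed -n '/-----BEGIN RSA PRIVATE KEY-----/,/-----END RSA PRIVATE KEY-----/p' > "$keyfile"
  chmod 600 "$keyfile"
  printf '%s\n' "$keyfile"
}

# key_perms FILE -> permission string as shown by ls, e.g. -rw-------
key_perms() {
  ls -ld "$1" | cut -c1-10
}

# Constructed sample data standing in for the replies seen during the level.
SAMPLE_PASSWORD='constructed-current-level-password'
SAMPLE_ECHO_REPLY="$SAMPLE_PASSWORD"
SAMPLE_KEY_REPLY='Correct!
-----BEGIN RSA PRIVATE KEY-----
MIIEconstructedNotARealKeyBody
-----END RSA PRIVATE KEY-----'

demo() {
  printf 'echo-style port -> %s\n' "$(classify_response "$SAMPLE_ECHO_REPLY" "$SAMPLE_PASSWORD")"
  printf 'key-giving port -> %s\n' "$(classify_response "$SAMPLE_KEY_REPLY" "$SAMPLE_PASSWORD")"
  tmp=$(mktemp -d)
  f=$(save_key "$tmp" "$SAMPLE_KEY_REPLY")
  printf 'saved %s, perms %s\n' "$f" "$(key_perms "$f")"
  rm -rf "$tmp"
}
demo
```

On the box itself you would loop `live_probe` over the non-echo ports nmap reported, feed each reply to `classify_response`, pass the one that says `key` to `save_key` with `/tmp` as the directory, and hand the printed path to `login_with_key`.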