Bandit 16

OverTheWire Bandit 16

Level Goal

The password for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next password, the others will simply send back to you whatever you send to it.


We first run nmap against local host using the port range specified. Note that 3 of them come back echo, which we were warned about.


I try the first of the 2 which didnt identify as echo service. This attempt it repeats the password given back to me, which is a fail.


I then try copying the password to the 2nd candidate address. We are presented with a RSA private key.


I copy the private key into a new file. You will need to create this under /tmp folder as home isnt writable.


I then try to connect using the private.key we found.


The key is ignored because the file permissions are too permissive. The program falls back to asking for passwords.


I use the cmod command to make the file read and writable by only the file owner. I then attempt to login once more.


Success! we are logged in, I am able to display contents of the password file.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s