Bandit Level 16 Walkthrough
Level 15 ➔ Level 16: Mastering Secure SSL/TLS Connections
1. My Objective
I am currently logged in as bandit15. Similar to the previous level, the password for the next level is held by a service running on port 30001 of localhost. However, there is a major catch: this service will only talk to me if I use SSL/TLS encryption. If I try to use standard nc (Netcat), the connection will fail because Netcat speaks "plain text," while the server is expecting "encrypted text."
The Mission Goal: I must find a way to "wrap" my password in an encrypted layer before sending it to the port. I also need to handle the complex handshake messages that come with encrypted connections.
2. The Feynman Explanation: Shouting vs. The Secret Tube
In the last level, using nc was like shouting my password across a room. Everyone (including hackers sniffing the network) could hear it. This time, the server demands a "Secure Channel."
The Soundproof Tube Analogy:
Imagine I am in a crowded cafeteria. If I want to give someone a secret code, I don't just yell it. Instead, I use a Soundproof Tube (SSL/TLS) that connects my mouth directly to their ear.
Before I speak, we have to "Agree" on how the tube works—this is the Handshake. We check each other's ID cards to make sure we are who we say we are. Once the tube is locked in place, I can whisper the password. Even if someone is standing an inch away, they can't hear a thing. OpenSSL is the tool I use to build this encrypted tube.
3. Practical Solution
I log in as bandit15. I need the password I found at the end of Level 14. To talk to the encrypted service, I use the openssl s_client utility.
# Step 1: Read the bandit15 password from the pass file
bandit15@bandit:~$ cat /etc/bandit_pass/bandit15
jNo3No6pE6vSAr4S019SAb36906sV... (I copy this)
# Step 2: Connect using OpenSSL s_client
# -connect specifies host:port | -ign_eof prevents early disconnect
bandit15@bandit:~$ openssl s_client -connect localhost:30001 -ign_eof
# Step 3: A lot of "Handshake" text will fly by.
# I wait until the text stops, then I paste the password and hit ENTER.
jNo3No6pE6vSAr4S019SAb36906sV...
# The service responds with the password for Level 16:
Correct!
cluFn06pE6vSAr4S019SAb36906sV...
Why did I use -ign_eof?
Sometimes, as soon as I send the password, the server sends the answer and immediately hangs up. The -ign_eof flag tells OpenSSL: "Don't close the window as soon as I finish typing; wait for the server to finish talking back to me." This ensures I actually see the password on my screen.
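The same exchange scripted with Python's standard library, added here as an example and not part of the original walkthrough: it wraps the socket in TLS, sends the password, and keeps reading until the server hangs up (the scripted equivalent of -ign_eof). It assumes the Level 15 service at localhost:30001 and the pass file path from this post; the "lab only" verification switch is an assumption about the lab certificate, and the placeholder passwords are constructed.

```python
import socket
import ssl

HOST, PORT = "localhost", 30001          # the Level 15 service from the walkthrough
PASS_FILE = "/etc/bandit_pass/bandit15"  # where the current level's password lives


def exchange(conn, password: str) -> bytes:
    """Send the password plus newline, then read until the server closes the
    connection. Reading until EOF is what -ign_eof gives you interactively:
    we never hang up before the server has finished answering."""
    conn.sendall(password.encode() + b"\n")
    chunks = []
    while True:
        data = conn.recv(4096)
        if not data:          # b"" means the server has hung up
            break
        chunks.append(data)
    return b"".join(chunks)


def parse_reply(reply: bytes):
    """Return the next-level password when the reply is 'Correct!' followed
    by it on the next line; any other reply (e.g. a wrong-password message)
    yields None."""
    lines = [ln.strip() for ln in reply.decode(errors="replace").splitlines()]
    lines = [ln for ln in lines if ln]
    if len(lines) >= 2 and lines[0] == "Correct!":
        return lines[1]
    return None


def fetch_next_password(password: str, host: str = HOST, port: int = PORT,
                        verify: bool = True):
    """Build the encrypted 'tube' (TLS handshake), run the exchange, and
    return the parsed password. verify=False is for this lab only: the
    assumption is that the lab service's certificate is not signed by a CA
    the client trusts, so default verification would reject it."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            # tls.version() shows which protocol was negotiated (TLS, not SSL)
            print("negotiated:", tls.version(), tls.cipher()[0])
            return parse_reply(exchange(tls, password))


if __name__ == "__main__":
    with open(PASS_FILE) as fh:
        print(fetch_next_password(fh.read().strip(), verify=False))
```

Because the script never interprets input lines as s_client commands, a password starting with R or Q cannot trigger the RENEGOTIATING/DONE behaviour here.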
🚀 My Pro Tips: Debugging Encrypted Services
✨ Silencing the "Noise"
OpenSSL shows a lot of technical data about certificates. If I only want to see the conversation, I can use the -quiet flag:
openssl s_client -connect localhost:30001 -quiet
⭐ Dealing with "RENEGOTIATING"
If the connection seems to "freeze" or show "DONE," it usually means I need to be faster with my input or check if the server is expecting a specific end-of-line character. Always try pasting your password and hitting Enter immediately after the connection is established.
🔍 SSL vs. TLS
I often hear these used interchangeably. In reality, SSL is the old, "broken" version, and TLS is the modern, secure version. When I use s_client, it usually picks the best one (TLS) automatically to keep the connection safe.
4. Why this matters
This is exactly how your web browser (Chrome, Firefox) talks to your bank's website. The "HTTPS" in your address bar is just HTTP wrapped in the same SSL/TLS layer I used here. Understanding how to manually create these connections is a vital skill for penetration testers who need to test if a server is using weak or outdated encryption.
Secure Password Retrieved!
I've successfully navigated the complexities of encrypted networking. I'll save the new password and move on to Level 16 ➔ Level 17, where I will use port scanning to find hidden services!
Tags: #Linux #Bandit #OverTheWire #SSL #TLS #OpenSSL #EncryptedNetworking #CyberSecurity #FeynmanTechnique #CodeWithPritom #ProTips