Bandit Level 17 Walkthrough
Level 16 ➔ Level 17: Port Scanning and Private Key Extraction
1. My Objective
I am currently logged in as bandit16. This mission is different: I am not given a specific port. I am told that the secret service is running on one of the ports in the range 31000 to 32000. I need to find which ports are open, which ones use SSL/TLS, and then find the single server that returns a Private SSH Key instead of just echoing my password back to me.
The Mission Strategy: I need a tool to "knock" on all 1,001 doors in that range. Once I find the open doors, I have to test each one with my current password to see which one hands me the key to Level 17.
2. The Feynman Explanation: The Large Apartment Complex
Imagine I am looking for a secret club inside a massive apartment building with 1,000 rooms. I don't know the room number, only that it is between Room 31000 and 32000.
The Knocking Analogy:
1. The Scan: I walk down the hallway and knock on every door. Most rooms are empty. A few people answer. This is what nmap does—it "scans" the range and tells me which doors (ports) have someone listening behind them.
2. The Verification: For every door that opens, I check for a "Secure Entrance" sign. If it has one (SSL), I step inside and give the person my secret password.
3. The Echo vs. The Key: Most people in the building are "Copycats"—if I say "Hello," they just yell "Hello" back. But the person I am looking for is a "Messenger." When I give them my password, they don't repeat it; they hand me a physical Private Key. That key is what I will use to unlock the door to the next level.
3. Practical Solution
I log in as bandit16. I start by using nmap to find all open ports in the specified range on localhost.
# Step 1: Scan for open services in the range 31000-32000
# -sV detects service versions (helps identify SSL)
bandit16@bandit:~$ nmap -sV localhost -p 31000-32000
# I see a few open ports. I'm looking for ones labeled 'ssl'.
# Let's say I find Port 31790 is open and uses SSL.
# Step 2: Connect to the promising port using OpenSSL
bandit16@bandit:~$ openssl s_client -connect localhost:31790 -ign_eof
# Step 3: I paste the bandit16 password and hit ENTER.
# The server responds with a multi-line RSA PRIVATE KEY!
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA75... (I copy the entire key)
-----END RSA PRIVATE KEY-----
How did I handle the Private Key?
Unlike previous levels, the output is not a one-line password. It is a Private Key file. I must copy the entire block (including the BEGIN and END lines), save it to a file in /tmp, and set the correct permissions (chmod 600) before I can use it to log into bandit17.
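The scan, probe, classify and save steps above can be strung together so that every open port in the range is tried once and only the reply that is a PEM private key is kept. The script below is an added example, not code from the original post or from OverTheWire; it assumes nmap, openssl and timeout are installed, and the host (localhost), the range (31000-32000), the environment variable BANDIT16_PASS and the output path /tmp/bandit17.key are assumptions for illustration. A non-TLS port simply fails the openssl handshake and is classified as "other", which is how the script tells the SSL services from the plain ones without a separate -sV pass.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): scripts the walkthrough's loop of
# scanning the range, probing each open port over TLS with the current password,
# and keeping only the reply that is a private key. Assumes nmap, openssl and
# timeout are installed; host, port range, $BANDIT16_PASS and /tmp/bandit17.key
# are assumptions for illustration.
set -u

# List open TCP ports from nmap's greppable output ("31790/open/tcp//..." fields).
open_ports() {
  local host="$1" range="$2"
  nmap -p "$range" "$host" -oG - | grep -o '[0-9][0-9]*/open/' | cut -d/ -f1
}

# Send the password over TLS and capture whatever the service replies.
# A non-TLS port fails the handshake, so the reply is empty; -ign_eof keeps the
# connection open after our single line so the server's answer is not cut off.
probe_port() {
  local host="$1" port="$2" secret="$3"
  printf '%s\n' "$secret" |
    timeout 10 openssl s_client -quiet -ign_eof -connect "$host:$port" 2>/dev/null
}

# Tell the three kinds of reply apart: a PEM private key, our own password
# echoed back, or anything else (handshake failure, "Wrong!", a banner).
classify_response() {
  local reply="$1" secret="$2"
  if printf '%s' "$reply" | grep -q -- '-----BEGIN .*PRIVATE KEY-----'; then
    echo key
  elif printf '%s' "$reply" | grep -qF -- "$secret"; then
    echo echo
  else
    echo other
  fi
}

# Keep only the PEM block, dropping any "Correct!" line or banner around it.
extract_key() {
  printf '%s\n' "$1" |
    sed -n '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/p'
}

# Write the key so that only the owner can read it (ssh refuses anything looser)
# and report the resulting mode string, e.g. "-rw-------".
save_key() {
  local key="$1" path="$2"
  ( umask 077; printf '%s\n' "$key" > "$path" )
  chmod 600 "$path"
  ls -l "$path" | cut -c1-10
}

# Walk every open port, print a verdict per port on stderr, save the first key
# found and print the winning port number on stdout.
scan_and_probe() {
  local host="$1" range="$2" secret="$3" out="$4" port reply verdict
  for port in $(open_ports "$host" "$range"); do
    reply=$(probe_port "$host" "$port" "$secret")
    verdict=$(classify_response "$reply" "$secret")
    printf 'port %s: %s\n' "$port" "$verdict" >&2
    if [ "$verdict" = key ]; then
      save_key "$(extract_key "$reply")" "$out" >&2
      printf '%s\n' "$port"
      return 0
    fi
  done
  return 1
}

# Only run the network part when a password is supplied, e.g.
#   BANDIT16_PASS='...' ./find_key.sh
# The saved file can then be passed to ssh with -i.
if [ -n "${BANDIT16_PASS:-}" ]; then
  scan_and_probe localhost 31000-32000 "$BANDIT16_PASS" /tmp/bandit17.key
fi
```

The per-port verdict on stderr is worth keeping: on this level most ports answer "echo", the plain-text ones answer "other", and exactly one answers "key", so the log doubles as the map of the range that the manual walkthrough builds by hand.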
🚀 My Pro Tips: Mastering Port Scans
✨ The Service Version Flag (-sV)
Without -sV, nmap might just tell me a port is "open." With it, nmap performs a "handshake" to figure out what kind of program is running. This is how I instantly know which port is running an SSL service versus a plain-text echo service.
⭐ RSA Key Permissions
If I try to use a private key file that is "readable by everyone," SSH will reject it for security reasons. I always run:
chmod 600 /tmp/my_key_file
This tells Linux: "Only I, the owner, can touch this key."
🔍 Netstat as an Alternative
If I didn't want to use nmap, I could use netstat -tulpn to see which ports are currently listening for connections on the system. It's like checking the building's internal registry instead of knocking on doors from the outside.
4. Why this matters
I use nmap in every single penetration test. It is the "eyes" of a security professional. Before you can exploit a system, you must know which services are running. Discovering an unintentional SSL service or a misconfigured private key file is a common way real-world hackers gain initial access to corporate networks.
Key Acquired!
I've successfully scanned the range and retrieved the private key. I'll save it to /tmp and move on to Level 17 ➔ Level 18, where I will use this key to log in and compare two files!
Tags: #Linux #Bandit #OverTheWire #Nmap #PortScanning #SSHKey #RSAPrivateKey #SSL #CyberSecurity #FeynmanTechnique #CodeWithPritom #ProTips