Bandit Level 13 – 17 [overthewire.org]

Level 13 – 14

This time we are told that the password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14.

Also, in this level we won’t get a password; instead we receive a private SSH key that we can then use to log into the next level.

The SSH key is located in the home directory.

To use the private SSH key, we can run the ssh command with the -i option (connect using an identity file):

ssh -i sshkey.private bandit14@localhost

Now, logged in as user bandit14, we can read the password stored in the /etc/bandit_pass directory. Write it down, as we will need it to pass the next level.

bandit14@bandit:~$ cd /etc/bandit_pass
bandit14@bandit:/etc/bandit_pass$ cat bandit14

Level 14 – 15

To get to the next level we need to submit the password obtained in level 13 to port 30000 on localhost. To do that we can simply use the netcat command (nc), specifying localhost and port number.

nc localhost 30000

Now enter the password we collected in level 13, and the server will return the password to level 15.

Level 15 – 16

In this level, to retrieve the password for level 16, we need to connect to port 30001 on localhost using SSL encryption. To do that we can use the openssl command:

bandit15@bandit:~$ openssl s_client -connect localhost:30001

After that, simply provide the password for level 15 and the server should return the password for level 16.

Level 16 – 17

In this level we have to scan ports in the range 31000 – 32000 and identify which of them “speak SSL” and which don’t. Only one of these ports will give us credentials for the next level.

First we will use the nmap command-line tool to scan the ports, with the following options: -v to increase verbosity and print more information about the progress, -A (aggressive scan), and -p to specify the port range on localhost.

bandit16@bandit:~$ nmap -A -v -p 31000-32000 localhost

The command reports 5 open ports: 3 running an echo service, 1 running msdtc, and one running ssl (31790).

Let's connect to port 31790:

openssl s_client -connect localhost:31790

Enter the password you used to access level 16. As a result we receive a private RSA key. Now let's create a new text file in the /tmp directory to store the RSA key:

cd /tmp
cat > RSA.txt

Now paste the key (including the BEGIN and END RSA lines) and close the file with Ctrl+D.

ssh won’t let us use this file as it is, because its permissions leave it unprotected; we first have to restrict them with the chmod command.

bandit16@bandit:/tmp$ chmod 600 RSA.txt

Now let's try to log in as bandit17 using the RSA key:

ssh -i RSA.txt bandit17@localhost

The password for the next level is stored in the /etc/bandit_pass/bandit17 file; to get it we can use the cat command again:

bandit17@bandit:~$ cat /etc/bandit_pass/bandit17
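
In the Level 16 – 17 steps the key sits in /tmp with default permissions until chmod runs. As an added example (not part of the original walkthrough), the shell functions below create the key file in a private directory with mode 600 from the start and check the permission condition ssh expects; the helper names save_private_key, key_mode and key_is_private and the sample key are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original walkthrough. Helper names are hypothetical.

# Constructed sample input: PEM framing around placeholder text, not a real key.
SAMPLE_KEY='-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQgU0FNUExFLCBOT1QgQSBSRUFMIEtFWQ==
-----END RSA PRIVATE KEY-----'

# Print a file's octal permission bits (GNU stat, then BSD stat as fallback).
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only if group and other have no access (modes such as 600 or 400),
# which is the condition the ssh client enforces on identity files.
key_is_private() {
    case "$(key_mode "$1")" in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Read a PEM private key from stdin into a fresh 0700 directory and print the
# path of the 0600 key file. The body runs in a subshell so umask does not leak.
save_private_key() (
    umask 077                                   # restrictive from creation
    dir=$(mktemp -d "${TMPDIR:-/tmp}/sshkey.XXXXXXXX") || exit 1
    key="$dir/id_key"
    cat > "$key"
    # Reject input without PEM private-key framing and clean up after it.
    if ! grep -q -e '^-----BEGIN .*PRIVATE KEY-----' "$key" ||
       ! grep -q -e '^-----END .*PRIVATE KEY-----' "$key"; then
        rm -rf "$dir"
        exit 1
    fi
    printf '%s\n' "$key"
)

# Demo on the constructed sample: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    path=$(printf '%s\n' "$SAMPLE_KEY" | save_private_key) || exit 1
    echo "stored at $path with mode $(key_mode "$path")"
    key_is_private "$path" && echo "acceptable as an ssh -i identity file"
    rm -rf "$(dirname "$path")"
fi
```

In the level itself the equivalent use is to run key=$(save_private_key), paste the key, press Ctrl+D, and then pass "$key" to ssh -i.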

Author: Lukasz Milek