**Level Information**
> [!important] The credentials for the next level can be retrieved by submitting the password of the current level to **a port on localhost in the range 31000 to 32000**. First find out which of these ports have a server listening on them. Then find out which of those speak SSL/TLS and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
>
> **Helpful note: Getting “DONE”, “RENEGOTIATING” or “KEYUPDATE”? Read the “CONNECTED COMMANDS” section in the manpage.**
>
> **Commands you may need to solve this level:**
>
> - ssh, telnet, nc, ncat, socat, openssl, s_client, nmap, netstat, ss
Scanning for ports? Definitely sounds like a job for nmap.
We can do an `nmap` scan for a port range between `31000` and `32000`.
![[Level 16 - 17.png]]
We have a handful of open ports in that range; now we have to find which of them "speak SSL/TLS".
We deliberately left out `-sV` (service and version detection) in the first scan because it takes far too long here: the echo servers answer every probe with a copy of the probe itself, which matches nothing, so nmap works through its whole probe list on each port.
A version scan can be made much cheaper by limiting the probes nmap sends.
`--version-intensity 1` (the real flag uses two hyphens) tells `-sV` to send only probes with a rarity of 1 or lower, i.e. the most common and least intrusive ones.
The SSL/TLS handshake probes are among those rarity-1 probes, so TLS services are still detected while the many higher-rarity probes that make a full `-sV` scan slow are skipped.
![[Level 16 - 17-1.png]]
This scan identifies port `31790` as the one running an "unknown" service behind SSL/TLS.
With this I ran into errors and kept getting `KEY UPDATE` in response to entering the password. After reading the man pages and looking further into the `s_client` command, I found that the `-quiet` switch skipped these and let us retrieve the RSA key.
![[Level 16 - 17-2.png]]
As in the earlier levels, a temporary directory was created to hold the key.
![[Level 16 - 17-3.png]]
A file for the RSA key was created with the nano editor, the key block returned by the server was pasted into it, and the file was saved.
![[Level 16 - 17-4.png]]
Next we have to make the key file readable only by us (typically `chmod 600`); ssh refuses to use a private key whose permissions are too open.
![[Level 16 - 17-5.png]]
Lastly, using the `-i` switch we can authenticate with the private key to ssh into the next level as `bandit17` and `cat` the level password from the file `/etc/bandit_pass/bandit17`.
![[Level 16 - 17-6.png]]
![[Level 16 - 17-7.png]]
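The whole procedure above, scripted end to end as an added example (this is not the author's own command sequence and is not what the screenshots show). It assumes the Bandit layout described in the level text (listeners on `localhost` ports 31000 to 32000), that `nmap`, `openssl` and `timeout` are installed, that the bandit16 password is exported as `BANDIT16_PASS`, and that the next level is reached with `ssh ... bandit17@localhost -p 2220`; all of these are assumptions, not facts from the page. The `-quiet` behaviour in the comments comes from the `s_client` man page: it implies `-ign_eof`, which keeps the connection open after stdin ends and disables the "connected commands" (a line starting with `K` requests a key update, `Q` quits, `R` renegotiates), so a password beginning with one of those letters is sent as data instead of triggering `KEYUPDATE`.

```shell
#!/bin/sh
# Added example, not from the original writeup. Scripts the level:
# list listeners in 31000-32000, keep those that complete a TLS handshake,
# send the current password to each, and save the returned private key.
# Assumed (not shown on the page): nmap, openssl and timeout installed,
# servers on localhost, bandit16 password in $BANDIT16_PASS, and the
# final ssh target bandit17@localhost on port 2220.

# Ports in the range with something listening. Plain -sT, no version
# probes: a full -sV is slow here because the echo servers answer
# every probe with a copy of it.
open_ports() {
    nmap -sT -p 31000-32000 --open -oG - localhost |
      awk '/Ports:/ { for (i = 1; i <= NF; i++)
                        if ($i ~ /\/open\/tcp/) { split($i, a, "/"); print a[1] } }'
}

# True when a TLS handshake completes. An echo server bounces the
# ClientHello straight back; openssl rejects that as a bad record and
# exits non-zero.
speaks_tls() {
    openssl s_client -connect "localhost:$1" </dev/null >/dev/null 2>&1
}

# Send one line over TLS and print whatever comes back. -quiet implies
# -ign_eof: the socket stays open until the server closes it, and the
# connected commands (K = key update, Q = quit, R = renegotiate) are
# disabled, so a password starting with k/q/r is sent as data rather
# than triggering KEYUPDATE. timeout (assumed available) guards against
# TLS echo servers that never hang up.
submit() {
    printf '%s\n' "$2" |
      timeout 10 openssl s_client -quiet -connect "localhost:$1" 2>/dev/null
}

# Keep only the PEM block from stdin: s_client output also carries
# "Correct!" and any echoed text, which ssh would reject in a key file.
extract_key() {
    sed -n '/^-----BEGIN [A-Z ]*PRIVATE KEY-----$/,/^-----END [A-Z ]*PRIVATE KEY-----$/p'
}

# Write the key from stdin to $1 created as mode 0600 (umask set in a
# subshell so the caller's umask is untouched); ssh refuses a private
# key that others can read. Returns non-zero if no key block was found.
save_key() {
    ( umask 077; extract_key > "$1" ) || return 1
    grep -q '^-----BEGIN' "$1"
}

# Try every TLS-speaking port until one hands back a key.
solve() {
    keyfile="$(mktemp -d)/bandit17.key"
    for p in $(open_ports); do
        speaks_tls "$p" || continue
        if submit "$p" "$BANDIT16_PASS" | save_key "$keyfile"; then
            echo "port $p returned a key, saved to $keyfile"
            echo "next: ssh -i $keyfile bandit17@localhost -p 2220"
            return 0
        fi
    done
    echo "no port returned a key" >&2
    return 1
}

# Only touch the network when explicitly asked: ./solve.sh run
if [ "${1:-}" = run ]; then
    solve
fi
```

Run it with `BANDIT16_PASS=... sh solve.sh run` on the Bandit host. `extract_key` and `save_key` are the parts worth keeping even if you do the rest by hand: pasting the raw `s_client` output (with `Correct!` at the top) into the key file is the usual reason the later `ssh -i` step fails with "invalid format".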