{"id":664,"date":"2015-02-06T03:36:01","date_gmt":"2015-02-06T03:36:01","guid":{"rendered":"https:\/\/www.hackmethod.com\/?p=664"},"modified":"2022-06-03T05:39:34","modified_gmt":"2022-06-03T05:39:34","slug":"overthewire-bandit-17","status":"publish","type":"post","link":"https:\/\/hackmethod.com\/overthewire-bandit-17\/","title":{"rendered":"OvertheWire &#8211; Bandit 17"},"content":{"rendered":"<p><strong>Recap of Level 16: <\/strong>Learned about ports, telnet, and openssl.<\/p>\n<p><a href=\"http:\/\/overthewire.org\/wargames\/bandit\/bandit17.html\"><strong>Bandit Level 17<\/strong><\/a><\/p>\n<h4><strong>Objective:<\/strong><\/h4>\n<p>Find the password to the next level<\/p>\n<h4><strong>Intel Given:<\/strong><\/h4>\n<ul>\n<li>The password for the next level can be retrieved by submitting the password of the current level to\u00a0<strong>a port on localhost in the range 31000 to 32000<\/strong>.<\/li>\n<li>First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don\u2019t. 
There is only 1 port that will give the next password, the others will simply send back to you whatever you send to it.<\/li>\n<\/ul>\n<h4><strong>How to:<\/strong><\/h4>\n<p>Thanks to Reddit user <a href=\"http:\/\/www.reddit.com\/user\/177854\" target=\"_blank\" rel=\"noopener\">177854<\/a>\u00a0for providing this write-up!<\/p>\n<p><strong>NOTE:\u00a0<\/strong>\u00a0There is some debate over the legality of scanning computers\/servers with Nmap. Nmap is considered to be the\u00a0active reconnaissance\u00a0step of the <a href=\"https:\/\/www.hackmethod.com\/hacker-methodology\/\" target=\"_blank\" rel=\"noopener\">hacker methodology<\/a>\u00a0and is often a precursor of further action. Administrators don&#8217;t like it and you can be reported to your ISP; Nmap using its default settings is VERY loud to the vigilant defender. So I caution you. Do not Nmap targets that have not given you EXPRESS WRITTEN PERMISSION. I&#8217;ll get off my soapbox now.<\/p>\n<p>In the last lesson we were given a port number to connect to in order to get the password. Now we have a wide range of ports that <em>could<\/em> host the service that holds that precious password. Looking at the commands we need to know, we see Nmap, a network and port scanner that you\u2019ve probably heard of. Nmap is a utility that allows us to scan an IP address and find out what OS it\u2019s running, what ports are open, and, most important to us, what services are running. Services are what the server is running or providing to the outside world. This can be things like FTP, SMTP, POP3, SSH, HTTP etc. Nmap scanning is a tutorial and an art\u00a0in its own right, so we&#8217;ll briefly cover it here and return to it in depth in a later article.<\/p>\n<p>Looking in the man page of Nmap, we see we can do a Service Scan with the option -sV that will query ports to see what service they are running. 
This will enable us to find which ports \u201cspeak SSL\u201d and which ones are just echoes.<\/p>\n<p><a href=\"https:\/\/i0.wp.com\/www.hackmethod.com\/wp-content\/uploads\/2015\/02\/bandit-17.1.png?ssl=1\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" data-attachment-id=\"665\" data-permalink=\"https:\/\/hackmethod.com\/overthewire-bandit-17\/bandit-17-1\/\" data-orig-file=\"https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2015\/02\/bandit-17.1.png?fit=666%2C296&amp;ssl=1\" data-orig-size=\"666,296\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"bandit 17.1\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2015\/02\/bandit-17.1.png?fit=300%2C133&amp;ssl=1\" data-large-file=\"https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2015\/02\/bandit-17.1.png?fit=666%2C296&amp;ssl=1\" class=\" size-full wp-image-665 aligncenter\" src=\"https:\/\/i0.wp.com\/www.hackmethod.com\/wp-content\/uploads\/2015\/02\/bandit-17.1.png?resize=666%2C296&#038;ssl=1\" alt=\"bandit 17.1\" width=\"666\" height=\"296\" srcset=\"https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2015\/02\/bandit-17.1.png?w=666&amp;ssl=1 666w, https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2015\/02\/bandit-17.1.png?resize=600%2C267&amp;ssl=1 600w, https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2015\/02\/bandit-17.1.png?resize=300%2C133&amp;ssl=1 300w\" sizes=\"(max-width: 666px) 100vw, 666px\" \/><\/a><\/p>\n<p>So by doing our service scan of the localhost ports 
31000 through 32000, we find 5 open ports, 2 of which are running Microsoft Distributed Transaction Coordinator. Two out of five is doable manually, so let\u2019s try connecting to these ports! Remember, in the objective they said the one containing the password is running SSL, so we\u2019ll use openssl to try to connect.<\/p>\n<p><a href=\"https:\/\/i0.wp.com\/www.hackmethod.com\/wp-content\/uploads\/2015\/02\/bandit-17.2.png?ssl=1\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" data-attachment-id=\"666\" data-permalink=\"https:\/\/hackmethod.com\/overthewire-bandit-17\/bandit-17-2\/\" data-orig-file=\"https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2015\/02\/bandit-17.2.png?fit=673%2C158&amp;ssl=1\" data-orig-size=\"673,158\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"bandit 17.2\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2015\/02\/bandit-17.2.png?fit=300%2C70&amp;ssl=1\" data-large-file=\"https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2015\/02\/bandit-17.2.png?fit=673%2C158&amp;ssl=1\" class=\" size-full wp-image-666 aligncenter\" src=\"https:\/\/i0.wp.com\/www.hackmethod.com\/wp-content\/uploads\/2015\/02\/bandit-17.2.png?resize=673%2C158&#038;ssl=1\" alt=\"bandit 17.2\" width=\"673\" height=\"158\" srcset=\"https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2015\/02\/bandit-17.2.png?w=673&amp;ssl=1 673w, https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2015\/02\/bandit-17.2.png?resize=600%2C141&amp;ssl=1 600w, 
https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2015\/02\/bandit-17.2.png?resize=300%2C70&amp;ssl=1 300w\" sizes=\"(max-width: 673px) 100vw, 673px\" \/><\/a><\/p>\n<p>Well it looks like the input has been mirrored back, just like the objective said it would. And no password. Let\u2019s try the other.<\/p>\n<p><a href=\"https:\/\/i0.wp.com\/www.hackmethod.com\/wp-content\/uploads\/2015\/02\/bandit-17.3.png?ssl=1\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" data-attachment-id=\"667\" data-permalink=\"https:\/\/hackmethod.com\/overthewire-bandit-17\/bandit-17-3\/\" data-orig-file=\"https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2015\/02\/bandit-17.3.png?fit=667%2C624&amp;ssl=1\" data-orig-size=\"667,624\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"bandit 17.3\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2015\/02\/bandit-17.3.png?fit=300%2C281&amp;ssl=1\" data-large-file=\"https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2015\/02\/bandit-17.3.png?fit=667%2C624&amp;ssl=1\" class=\" size-full wp-image-667 aligncenter\" src=\"https:\/\/i0.wp.com\/www.hackmethod.com\/wp-content\/uploads\/2015\/02\/bandit-17.3.png?resize=667%2C624&#038;ssl=1\" alt=\"bandit 17.3\" width=\"667\" height=\"624\" srcset=\"https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2015\/02\/bandit-17.3.png?w=667&amp;ssl=1 667w, https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2015\/02\/bandit-17.3.png?resize=600%2C561&amp;ssl=1 600w, 
https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2015\/02\/bandit-17.3.png?resize=300%2C281&amp;ssl=1 300w\" sizes=\"(max-width: 667px) 100vw, 667px\" \/><\/a><\/p>\n<p>Not a password, but an RSA private key! We won\u2019t get into how to use it in this lesson, but go ahead and save it in a text file. If you\u2019re on Windows, go ahead and download <a href=\"http:\/\/www.chiark.greenend.org.uk\/~sgtatham\/putty\/download.html\" target=\"_blank\" rel=\"noopener\">puttygen<\/a>\u00a0to get a head start on the next level.<\/p>\n<h4><strong>Conclusion:<\/strong><\/h4>\n<p>We learned about Nmap and port scanning, got an RSA private key, and used openssl again to connect to more ports. Again, don&#8217;t get too wrapped around the axle about how to use Nmap.\u00a0The &#8220;bible&#8221; <em>Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning<\/em> is over 464 pages long. 
For now focus on the fact that Nmap can be used to obtain more information about a computer\/server.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Recap of Level 16: Learned about ports, telnet, and openssl. &nbsp; Bandit Level 17 Objective: Find the password to the next level Intel Given: The password for the next level can be retrieved by submitting the password of the current level to\u00a0a port on localhost in the range 31000 to 32000. 
First find out which [&hellip;]<\/p>\n","protected":false},"author":8,"featured_media":665,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[44],"tags":[43,45,46],"class_list":["post-664","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-overthewire","tag-bandit","tag-overthewire","tag-tutorials"],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2015\/02\/bandit-17.1.png?fit=666%2C296&ssl=1","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p5zY4D-aI","_links":{"self":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts\/664","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/comments?post=664"}],"version-history":[{"count":7,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts\/664\/revisions"}],"predecessor-version":[{"id":27547,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts\/664\/revisions\/27547"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/media\/665"}],"wp:attachment":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/media?parent=664"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/categories?post=664"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/tags?post=664"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","t
emplated":true}]}}