Recap of Last LessonLearned about ports, telnet, and openssl

Bandit Level 17


Find the password to the next level

Intel Given

  • The password for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000.
  • First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 port that will give the next password, the others will simply send back to you whatever you send to it.

How to

Thanks to reddit user 177854 for providing this write-up!

NOTE:  There is some debate over the legality of scanning computers/servers with nmap. Nmap is considered to be the active reconnaissance step of the hacker methodology and is often a precursor of further action.  Administrators don’t like it and you can be reported to your ISP, nmap using its default settings is VERY loud to the vigilant defender. So I caution you. Do not nmap targets that have not given you EXPRESS WRITTEN PERMISSION. I’ll get off my soapbox now.

In the last lesson we were given a port number to connect to get the password. Now we have a wide ranges of ports that could host the service that holds that precious password. Looking at the commands we need to know we see Nmap, a network and port scanner that you’ve probably heard of. Nmap is a utility that allows us to scan an IP address and find out information about what OS it’s running, what ports are open, and most important to us finding out what services are running. Services are what the server is running or providing to the outside world. This can be things like FTP, SMTP, POP3, SSH, HTTP etc. Nmap scanning is a tutorial and art in its own right, so we’ll briefly cover it here and return to it in depth in a later article.

Looking in the man page of Nmap we see we can do a Service Scan with the option -sV that will query ports to see what service they are running. This will enable us to find which ports “Speak SSL” and which ones are just echos.

bandit 17.1

So by doing our service scan of the localhost ports 31000 through 32000 there are 5 open ports, 2 of which are running Microsoft Distributed Transaction Coordinator. Two out of five is do able manually so let’s try connecting to these ports! Remember in the objective they said the one containing the password is running SSL so we’ll use openssl to try and connect.

bandit 17.2

Well it looks like the input has been mirrored back, just like the objective said it would. And no password. Let’s try the other.

bandit 17.3

Not a password, but an RSA Private key! We won’t get into how to use it in this lesson but go ahead and save it in a text file. If you’re on Windows go ahead and download puttygen to get a head start on the next level.


We learned about Nmap and port scanning, got a RSA private key, and used openssl again to connect to more ports. Again, don’t get too wrapped around the axle about how to use Nmap. The “bible” Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning is over 464 pages long. For now focus on the fact that Nmap can be used to obtain more information about a computer/server.