OverTheWire Bandit Level 15–16

br4ind3ad
Aug 18, 2021


Given:

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…

Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap

There are multiple ways to do this.

Method 1: Using openssl

  1. SSH into bandit15.
  2. Use openssl to submit the current level's password (bandit15's) to port 30001 on localhost over SSL.

└─$ ssh bandit15@bandit.labs.overthewire.org -p 2220

bandit15@bandit:~$ ls -la
total 24
drwxr-xr-x 2 root root 4096 May 14 2020 .
drwxr-xr-x 41 root root 4096 May 7 2020 ..
-rw-r----- 1 bandit15 bandit15 33 May 14 2020 .bandit14.password
-rw-r--r-- 1 root root 220 May 15 2017 .bash_logout
-rw-r--r-- 1 root root 3526 May 15 2017 .bashrc
-rw-r--r-- 1 root root 675 May 15 2017 .profile
bandit15@bandit:~$ openssl s_client -connect localhost:30001
CONNECTED(00000003)
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
---
Certificate chain
0 s:/CN=localhost
i:/CN=localhost
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/CN=localhost
issuer=/CN=localhost
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1019 bytes and written 269 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 3C9059D20D1A27BE66469600E94A94285CDB758DAFF6650A9833B00106B32BDD
Session-ID-ctx:
Master-Key: 95739FC9107A9992046F817CC0BD843F0EA4C45021E55CD20E41D6265C31951A91E9272DF4B997FE080F471DEB57860A
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
Start Time: 1629294914
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
Extended master secret: yes
---
BfMYroe26WYalil77FoDi***eK5xNr
Correct!
cluFn7wT***yunymYOu4RcffSxQluehd

Method 2: Using ncat

bandit15@bandit:~$ ncat --ssl localhost 30001
BfMYroe26WYalil77FoDi9***eK5xNr
Correct!
cluFn*****unymYOu4RcffSxQluehd
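The exchange that both methods above perform, written out as an added Python example that is not part of the original post: it opens a TLS connection to the level's port, sends one password line and parses the reply, and makes the self-signed-certificate handling explicit (either pin the server certificate or knowingly run unauthenticated). The host, port, cafile and timeout parameters are assumptions; the reply format ("Correct!" followed by the next password) is taken from the output shown above.

```python
import socket
import ssl
from typing import Optional


def make_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """TLS context for the level's self-signed localhost service.

    With cafile (a PEM copy of the server cert, e.g. the 'Server certificate'
    block s_client prints) only that cert is trusted, i.e. it is pinned, and
    'verify error:num=18' goes away. Without it verification is disabled:
    the link is encrypted but the peer is unauthenticated, acceptable only
    for this localhost wargame."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile given: trust only it
    if cafile is None:                                # otherwise: no authentication
        ctx.check_hostname = False                    # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def parse_response(data: bytes) -> Optional[str]:
    """Next level's password if the first reply line is 'Correct!', else None."""
    lines = data.decode("utf-8", errors="replace").splitlines()
    if len(lines) >= 2 and lines[0].strip() == "Correct!":
        return lines[1].strip()
    return None


def submit_password(password: str, host: str = "localhost", port: int = 30001,
                    cafile: Optional[str] = None, timeout: float = 5.0) -> Optional[str]:
    """Send one password line over TLS and return the parsed reply.

    There is no interactive command layer here, so a password starting with
    R, Q or B is sent as data (s_client would treat it as a command), and the
    socket stays open until the server answers (what -ign_eof buys s_client)."""
    ctx = make_context(cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(password.encode() + b"\n")
            chunks = []
            try:
                while chunk := tls.recv(4096):   # read until the server closes
                    chunks.append(chunk)
            except socket.timeout:               # or until it goes quiet
                pass
    return parse_response(b"".join(chunks))
```

On the box, `submit_password("<bandit15 password>")` returns the bandit16 password as a string, or None if the server rejected the input.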
