ssh firstname.lastname@example.org -p 2220
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
A little bit of Theory
Port scanning is a method to find open ports on a host. A port can be seen as an address for a specific service. Every host has ports numbered 0 to 65535 (for each of TCP and UDP). Some services have standard ports, like HTTP/80 or SSH/22. An open port means that the host offers a service to the network on this port.
Nmap is a network scanner. It can do host discovery, port scanning, version detection (service detection) and a lot more. For this task, the -p flag is important: it lets us choose which ports to scan. By default, Nmap scans the 1000 most common ports (not the first 1000 port numbers). Use -p- to scan all 65535 ports. The -sV flag performs a service/version detection scan. The -A flag makes Nmap run its full set of scans (version detection, OS detection, script scanning and traceroute), which takes a while though. A full scan would use the following command: nmap -p- -A <host>, where <host> is either an IP address or a hostname.
This level also uses SSL again, which was described in Level 16.
First, we need to find the open ports between 31000 and 32000 on localhost and check what services are running on them. I used the service discovery from nmap. (This task could be split by first finding the open ports and then doing the service discovery only on those ports, which would be faster.)
Nmap tells us that five ports are open. Only two of them (31518 and 31790) use SSL. Nmap also tells us that port 31518 runs only the echo service. The promising port seems to be 31790, which runs an unknown service.
Now we use OpenSSL again to connect to this port on localhost and send the password.
The result is a private SSH key. So, we create a file (I called it ‘sshkey17.private’) to put the key into and, like in Level 14, we need to make sure that the file is readable only by its owner (chmod 600), otherwise ssh refuses to use it.
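As an added example that is not part of this write-up, here are the steps above in Python: a TCP sweep of the port range, a TLS handshake test for each listener, and a submission that separates the echo decoys from the server that answers with something else. The password is a placeholder, and the two local servers at the end are constructed stand-ins for the level's services so the code runs offline.

```python
import socket
import socketserver
import ssl
import threading

def is_open(host, port, timeout=0.2):
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0

def listening_ports(host, first, last):
    return [p for p in range(first, last + 1) if is_open(host, p)]

def _tls_context():  # the level's cert is self-signed, so no verification
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    return ctx

def speaks_ssl(host, port, timeout=2.0):
    try:  # True only if a TLS handshake completes; echo servers fail it
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with _tls_context().wrap_socket(raw, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False

def submit(host, port, text, use_tls, timeout=2.0):
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = _tls_context().wrap_socket(sock, server_hostname=host)
    with sock:  # send text plus newline, collect everything the server answers
        sock.sendall(text.encode() + b"\n")
        out = b""
        try:
            while data := sock.recv(4096):
                out += data
        except socket.timeout:
            pass  # server kept the connection open; use what it sent so far
    return out.decode(errors="replace")

def is_echo(sent, received):  # the decoy servers return their input verbatim
    return received.strip() == sent.strip()

def start_plain_server(reply=None):  # constructed stand-in: echo, or send reply
    class Handler(socketserver.BaseRequestHandler):
        def handle(self):
            data = self.request.recv(4096)
            self.request.sendall(data if reply is None else reply)
    srv = socketserver.TCPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]
```

Against the real level you would call listening_ports("127.0.0.1", 31000, 32000), then speaks_ssl and submit on each hit; the one reply for which is_echo is False is the key.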