Level Goal

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.


Password: cluFn7wTiGryunymYOu4RcffSxQluehd

Okey dokey. So now we have to find active ports in range 31000 to 32000. I know what you’re thinking, how the hell do we do that?

Simples. nmap with a port range.

So now we have five ports potentially containing the password. We need to find which ones have SSL. nmap can give us some more information.

So only ports 31518 and 31790 are running SSL. We were informed by the level goal that all but one port will echo input back to you. It seems 31790 doesn’t echo, but actually has output. So let’s try that. Remember to use -ign_eof to actually get a response and -quiet to remove the random crap.

Uuuuuuuuuurgh, another private key. Use your favourite text editor to create a file called sshkey.private. The name doesn’t matter, it’s more for consistency.