The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
Solution
bandit15@bandit:~$ nmap -p31000-32000 localhost
Starting Nmap 7.40 ( https://nmap.org ) at 2019-09-07 16:57 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00019s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
31518/tcp open unknown
31790/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
bandit15@bandit:~$ openssl s_client -host localhost -port 31790
....
---
BfMYroe26WYalil77FoDi9qh59eK5xNr
Wrong! Please enter the correct current password
closed
Key points
- nmap is a powerful network scanning tool; here the -p option specifies the range of ports to scan;
- openssl s_client is used to establish a TLS connection.
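The "which of those speak SSL" step can also be scripted instead of trying openssl s_client against each open port by hand. The following is an added example, not part of the original writeup: classify and survey are hypothetical helper names, and the two ports are the ones nmap reported as open above.

```python
import socket
import ssl


def classify(host, port, timeout=2.0):
    """Return "closed", "tls" or "no-tls" for one TCP port."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"  # refused, unreachable or timed out

    # Certificate verification is off because the only question here is
    # whether the service completes a TLS handshake (the lab servers use
    # self-signed certificates). Use this context for probing only.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host):
            return "tls"
    except (ssl.SSLError, OSError):
        # Plain-text service, or a TLS version/cipher this client rejects.
        return "no-tls"
    finally:
        sock.close()


def survey(host, ports):
    """Classify each port and return {port: result}."""
    return {p: classify(host, p) for p in ports}


if __name__ == "__main__":
    # Ports taken from the nmap output in this writeup.
    for port, kind in survey("localhost", [31518, 31790]).items():
        print(f"{port}/tcp {kind}")
```

A "no-tls" result means the port accepted the TCP connection but the handshake failed, which is what a plain echo service looks like to a TLS client.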