The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don\u2019t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.<\/p>\n
bandit15@bandit:~$ nmap -p31000-32000 localhost\n\nStarting Nmap 7.40 ( https:\/\/nmap.org ) at 2019-09-07 16:57 CEST\nNmap scan report for localhost (127.0.0.1)\nHost is up (0.00019s latency).\nNot shown: 999 closed ports\nPORT STATE SERVICE\n31518\/tcp open unknown\n31790\/tcp open unknown\n\nNmap done: 1 IP address (1 host up) scanned in 0.07 seconds\n\nbandit15@bandit:~$ openssl s_client -host localhost -port 31790\n\n....\n\n---\nBfMYroe26WYalil77FoDi9qh59eK5xNr\nWrong! Please enter the correct current password\nclosed\n\n<\/code><\/pre>\n\n\u77e5\u8bc6\u70b9<\/h2>\n\n- \n
nmap<\/code>\u547d\u4ee4\u662f\u5f3a\u5927\u7684\u7f51\u7edc\u626b\u63cf\u5de5\u5177\uff0c\u5728\u8fd9\u91cc\u4f7f\u7528\u53c2\u6570-p<\/code>\u6765\u6307\u5b9a\u9700\u8981\u626b\u63cf\u7aef\u53e3\u7684\u533a\u95f4\u8303\u56f4\uff1b<\/li>\n- \n
openssl s_client<\/code>\u7528\u4e8e\u5efa\u7acbTLS\u94fe\u63a5\uff1b<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don\u2019t. There is only … <\/p>\n