The Goal
The credentials for the next level can be retrieved by submitting the current password to a port on localhost in the range 31000 to 32000. One of the listening ports speaks SSL/TLS and returns the next credentials. The others echo back whatever you send.
Scanning the Port Range
nmap can scan a range of ports to find which ones are open:
bandit16@bandit:~$ nmap localhost -p 31000-32000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-02-06 05:45 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00022s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE
31046/tcp open unknown
31518/tcp open unknown
31691/tcp open unknown
31790/tcp open unknown
31960/tcp open unknown
Finding the Right Port
Each open port is tested in turn with ncat --ssl. Port 31790 responds to the current password with a private RSA key instead of echoing it back:
bandit16@bandit:~$ ncat -v --ssl localhost 31790
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Subject: CN=SnakeOil
Ncat: Issuer: CN=SnakeOil
Ncat: SHA-1 fingerprint: 323A F3B1 4FC7 1B0F F71A 1931 8FF3 62A1 49AC 735A
Ncat: Certificate verification failed (self-signed certificate).
Ncat: SSL connection to 127.0.0.1:31790.
Ncat: SHA-1 fingerprint: 323A F3B1 4FC7 1B0F F71A 1931 8FF3 62A1 49AC 735A
password
Correct!
-----BEGIN RSA PRIVATE KEY-----
[RSA private key content omitted]
-----END RSA PRIVATE KEY-----
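The port-by-port test above can be scripted. This is an added example, not part of the original walkthrough: it parses nmap's port table and keeps only the ports that complete a TLS handshake. It assumes openssl and timeout are installed; the function names and SAMPLE_SCAN are made up for illustration.

```shell
#!/bin/sh
# Added example: narrow nmap's open ports down to the ones that speak TLS.

# Constructed sample input: the port table from the nmap scan shown earlier.
SAMPLE_SCAN='PORT      STATE SERVICE
31046/tcp open  unknown
31518/tcp open  unknown
31691/tcp open  unknown
31790/tcp open  unknown
31960/tcp open  unknown'

# Read nmap's normal output on stdin and print the number of every open
# TCP port, one per line. Closed, filtered and UDP lines are skipped.
open_ports() {
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" { sub(/\/tcp$/, "", $1); print $1 }'
}

# Return 0 if host $1, port $2 completes a TLS handshake within 5 seconds.
# s_client does not abort on a self-signed certificate (as used on this
# level) unless told to, so only a failed handshake gives a non-zero status.
# stdin comes from /dev/null so s_client exits right after the handshake
# and does not consume the port list being read by the caller's loop.
speaks_tls() {
    timeout 5 openssl s_client -connect "$1:$2" </dev/null >/dev/null 2>&1
}

# Read nmap output on stdin and print only the ports on host $1 that
# speak TLS. Runs in a subshell so the variables stay local.
tls_ports() (
    host=$1
    open_ports | while read -r port; do
        if speaks_tls "$host" "$port"; then
            echo "$port"
        fi
    done
)

# Usage on the Bandit host:
#   nmap localhost -p 31000-32000 | tls_ports localhost
```

Each port it prints can then be checked by hand with ncat -v --ssl, as in the session above.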
Using the Key
The private key is saved to a local file and its permissions are set with chmod 600, since ssh refuses to use a private key file that other users can read. The key is then used to SSH into bandit17. The bandit17 password can then be read from /etc/bandit_pass/bandit17:
bandit17@bandit:~$ cd /etc/bandit_pass/
bandit17@bandit:/etc/bandit_pass$ cat bandit17
password
Commands Covered
nmap host -p range, scan a range of ports on a host
ncat -v --ssl host port, connect over SSL and interact with the service