Ref:
Bandit Level 14
Level Goal The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
Commands you may need to solve this level ssh, telnet, nc, openssl, s_client, nmap
Helpful Reading Material
SSH
1
2
| ssh bandit14@bandit.labs.overthewire.org -p 2220
MU4VWeTyJk8ROof1qqmcBPaLh7lDCPvS
|
Telnet
1
2
| bandit14@bandit:~$
telnet --help
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
| Usage: telnet [OPTION...] [HOST [PORT]]
Login to remote system HOST (optionally, on service port PORT)
General options:
-4, --ipv4 use only IPv4
-6, --ipv6 use only IPv6
-8, --binary use an 8-bit data transmission
-a, --login attempt automatic login
-b, --bind=ADDRESS bind to specific local ADDRESS
-c, --no-rc do not read the user's .telnetrc file
-d, --debug turn on debugging
-e, --escape=CHAR use CHAR as an escape character
-E, --no-escape use no escape character
-K, --no-login do not automatically login to the remote system
-l, --user=USER attempt automatic login as USER
-L, --binary-output use an 8-bit data transmission for output only
-n, --trace=FILE record trace information into FILE
-r, --rlogin use a user-interface similar to rlogin
Encryption control:
-x, --encrypt encrypt the data stream, if possible
Authentication and Kerberos options:
-k, --realm=REALM obtain tickets for the remote host in REALM
instead of the remote host's realm
-X, --disable-auth=ATYPE disable type ATYPE authentication
-?, --help give this help list
--usage give a short usage message
-V, --version print program version
|
Command
1
2
| bandit14@bandit:~$
telnet localhost 30000
|
Output
1
2
3
| Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
|
Paste the password
1
2
3
| MU4VWeTyJk8ROof1qqmcBPaLh7lDCPvS
Correct!
8xCjnmgoKbGLhHFAZlGE5Tmu4M2tKJQo
|
NC
1
2
| bandit14@bandit:~$
nc --help
|
Output
1
2
3
4
5
6
| nc: invalid option -- '-'
usage: nc [-46CDdFhklNnrStUuvZz] [-I length] [-i interval] [-M ttl]
[-m minttl] [-O length] [-P proxy_username] [-p source_port]
[-q seconds] [-s sourceaddr] [-T keyword] [-V rtable] [-W recvlimit]
[-w timeout] [-X proxy_protocol] [-x proxy_address[:port]]
[destination] [port]
|
Command
1
2
| bandit14@bandit:~$
nc localhost 30000
|
Paste the current password
1
| MU4VWeTyJk8ROof1qqmcBPaLh7lDCPvS
|
Output
1
2
| Correct!
8xCjnmgoKbGLhHFAZlGE5Tmu4M2tKJQo
|
OpenSSL
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
| bandit14@bandit:~$ openssl --help
help:
Standard commands
asn1parse ca ciphers cmp
cms crl crl2pkcs7 dgst
dhparam dsa dsaparam ec
ecparam enc engine errstr
fipsinstall gendsa genpkey genrsa
help info kdf list
mac nseq ocsp passwd
pkcs12 pkcs7 pkcs8 pkey
pkeyparam pkeyutl prime rand
rehash req rsa rsautl
s_client s_server s_time sess_id
smime speed spkac srp
storeutl ts verify version
x509
Message Digest commands (see the `dgst' command for more details)
blake2b512 blake2s256 md4 md5
rmd160 sha1 sha224 sha256
sha3-224 sha3-256 sha3-384 sha3-512
sha384 sha512 sha512-224 sha512-256
shake128 shake256 sm3
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
| Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb
aes-256-cbc aes-256-ecb aria-128-cbc aria-128-cfb
aria-128-cfb1 aria-128-cfb8 aria-128-ctr aria-128-ecb
aria-128-ofb aria-192-cbc aria-192-cfb aria-192-cfb1
aria-192-cfb8 aria-192-ctr aria-192-ecb aria-192-ofb
aria-256-cbc aria-256-cfb aria-256-cfb1 aria-256-cfb8
aria-256-ctr aria-256-ecb aria-256-ofb base64
bf bf-cbc bf-cfb bf-ecb
bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc
camellia-192-ecb camellia-256-cbc camellia-256-ecb cast
cast-cbc cast5-cbc cast5-cfb cast5-ecb
cast5-ofb des des-cbc des-cfb
des-ecb des-ede des-ede-cbc des-ede-cfb
des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb
des-ede3-ofb des-ofb des3 desx
rc2 rc2-40-cbc rc2-64-cbc rc2-cbc
rc2-cfb rc2-ecb rc2-ofb rc4
rc4-40 seed seed-cbc seed-cfb
seed-ecb seed-ofb sm4-cbc sm4-cfb
sm4-ctr sm4-ecb sm4-ofb
|
Command
1
| openssl s_client -connect localhost:30000
|
Paste the password + Enter
NMap
1
2
3
| bandit14@bandit:~$
nmap localhost
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
| Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-04-07 22:38 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00014s latency).
Not shown: 993 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
1111/tcp open lmsocialserver
1840/tcp open netopia-vo2
4321/tcp open rwhois
8000/tcp open http-alt
30000/tcp open ndmps
50001/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
bandit14@bandit:~$
|
Command
1
2
| bandit14@bandit:~$
nmap -p 30000 -sV localhost
|
1
2
3
4
5
| Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-04-07 22:40 UTC
Stats: 0:00:26 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
[4]+ Stopped nmap -p 30000 -sV localhost
|
