OverTheWire – Bandit – Level 0-25 – Writeup — Completed

This blogpost contains the solutions of how I solved the challenges of the OverTheWire Bandit category, this category of challenges are aimed at beginners to the wargaming concept. The purpose of this wargame is to solve the current level’s problem to find the password for the next level.

NOTE: Before getting to the actual write-ups, I’ve appended all the passwords with “*” to not give away the actual passwords.

Level 0 Level 1 Level 8 Level 12 Level 16 Level 20 Level 24
Level 1 Level 5 Level 9 Level 13 Level 17 Level 21 Level 25
Level 2 Level 6 Level 10 Level 14 Level 18 Level 22
Level 3 Level 5 Level 11 Level 15 Level 19 Level 23

Level 0

This was a simple challenge in which I had to log-in in via ssh to the target machine using the credentials “bandit0:bandit0” and then read the password from the file readme on the home directory. The password in the file is for the bandit1 user which is the user for the next level.


bandit0@melinda:~$ ls -lh
total 4.0K
-rw-r----- 1 bandit1 bandit0 33 Jun  6 13:59 readme
bandit0@melinda:~$ cat readme
********************************

Level 1

The goal for this level was the following “The password for the next level is stored in a file called – located in the home directory”. So in this level there is a file called “-” in the home directory and it contains the password for the next level.


bandit1@melinda:~$ ls -lh
total 4.0K
-rw-r----- 1 bandit2 bandit1 33 Jun  6 13:59 -
bandit1@melinda:~$ cat ./-
********************************

Again a very simple challenge, all I did was use “./” to the absolute path of the file.

Level 2

The goal for this level is the following “The password for the next level is stored in a file called spaces in this filename located in the home directory”, another challenge getting players of bandit use to working with Linux.


bandit2@melinda:~$ ls -lh
total 4.0K
-rw-r----- 1 bandit3 bandit2 33 Jun  6 13:59 spaces in this filename
bandit2@melinda:~$ cat ./spaces\ in\ this\ filename
********************************

Another challenge that doesn’t really need to be explained of what to do.

Level 3

The level goal for this level is “The password for the next level is stored in a hidden file in the inhere directory.”, again a very simple challenge for anyone with any Linux experience. For this challenge I’m going to add the “a” switch to my “ls” command which will display all files including hidden files and the by using “.” as part of the filename in Linux specifies that the file is a hidden file.

Example:

cat .example
this_file_was_a_hidden_file
cat ./.example
this_file_was_a_hidden_file


bandit3@melinda:~$ ls -lh
total 4.0K
drwxr-xr-x 2 root root 4.0K Jun  6 13:59 inhere
bandit3@melinda:~$ ls -lh inhere/
total 0
bandit3@melinda:~$ ls -lha inhere/
total 12K
drwxr-xr-x 2 root    root    4.0K Jun  6 13:59 .
drwxr-xr-x 3 root    root    4.0K Jun  6 13:59 ..
-rw-r----- 1 bandit4 bandit3   33 Jun  6 13:59 .hidden
bandit3@melinda:~$ cat ./inhere/.hidden
********************************

Level 4

The goal for this challenge is “The password for the next level is stored in the only human-readable file in the inhere directory.”


bandit4@melinda:~$ ls -lh
total 4.0K
drwxr-xr-x 2 root root 4.0K Jun  6 13:59 inhere
bandit4@melinda:~$ ls -lh inhere/
total 40K
-rw-r----- 1 bandit5 bandit4 33 Jun  6 13:59 -file00
-rw-r----- 1 bandit5 bandit4 33 Jun  6 13:59 -file01
-rw-r----- 1 bandit5 bandit4 33 Jun  6 13:59 -file02
-rw-r----- 1 bandit5 bandit4 33 Jun  6 13:59 -file03
-rw-r----- 1 bandit5 bandit4 33 Jun  6 13:59 -file04
-rw-r----- 1 bandit5 bandit4 33 Jun  6 13:59 -file05
-rw-r----- 1 bandit5 bandit4 33 Jun  6 13:59 -file06
-rw-r----- 1 bandit5 bandit4 33 Jun  6 13:59 -file07
-rw-r----- 1 bandit5 bandit4 33 Jun  6 13:59 -file08
-rw-r----- 1 bandit5 bandit4 33 Jun  6 13:59 -file09
inhere/-file04: RZ!N
inhere/-file05: ?-p#
inhere/-file07: ********************************
inhere/-file08: "Q 2B

For this challenge I used a command, “strings”, which was outside the list of commands that was given by overthewire.org which may be needed to complete this challenge. The reason why I used the “strings” command was I know this command will print any string it finds which is human-readable and without any switch modifiers by default will only print strings of 4 bytes or longer in length to the screen, since I know the password is 32 bytes in length this seemed like a better option then any that the designers have given. Using the “f” switch modifier I print the name of the file the string was pulled out from.

Level 5

The level goal for this level is “The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties: human-readable, 1033 bytes in size, not executable”

So for answering this challenge a simple use of the “find” command should all I need to use as I can use the command to find files of a specific size and type and etc.


bandit5@melinda:~$ ls -lh
total 4.0K
drwxr-x--- 22 root bandit5 4.0K Jun  6 13:59 inhere
bandit5@melinda:~$ ls -lh inhere/
total 80K
drwxr-x--- 2 root bandit5 4.0K Jun  6 13:59 maybehere00
drwxr-x--- 2 root bandit5 4.0K Jun  6 13:59 maybehere01
drwxr-x--- 2 root bandit5 4.0K Jun  6 13:59 maybehere02
drwxr-x--- 2 root bandit5 4.0K Jun  6 13:59 maybehere03
drwxr-x--- 2 root bandit5 4.0K Jun  6 13:59 maybehere04
drwxr-x--- 2 root bandit5 4.0K Jun  6 13:59 maybehere05
drwxr-x--- 2 root bandit5 4.0K Jun  6 13:59 maybehere06
drwxr-x--- 2 root bandit5 4.0K Jun  6 13:59 maybehere07
drwxr-x--- 2 root bandit5 4.0K Jun  6 13:59 maybehere08
drwxr-x--- 2 root bandit5 4.0K Jun  6 13:59 maybehere09
drwxr-x--- 2 root bandit5 4.0K Jun  6 13:59 maybehere10
drwxr-x--- 2 root bandit5 4.0K Jun  6 13:59 maybehere11
drwxr-x--- 2 root bandit5 4.0K Jun  6 13:59 maybehere12
drwxr-x--- 2 root bandit5 4.0K Jun  6 13:59 maybehere13
drwxr-x--- 2 root bandit5 4.0K Jun  6 13:59 maybehere14
drwxr-x--- 2 root bandit5 4.0K Jun  6 13:59 maybehere15
drwxr-x--- 2 root bandit5 4.0K Jun  6 13:59 maybehere16
drwxr-x--- 2 root bandit5 4.0K Jun  6 13:59 maybehere17
drwxr-x--- 2 root bandit5 4.0K Jun  6 13:59 maybehere18
drwxr-x--- 2 root bandit5 4.0K Jun  6 13:59 maybehere19
bandit5@melinda:~$ find ./* -size 1033c -readable ! -perm /111
./inhere/maybehere07/.file2
bandit5@melinda:~$ cat ./inhere/maybehere07/.file2
********************************

Very simple use of the “find” command in Linux, just looked for a size of 1033 bytes in length and was readable, the output from this was the file seen above, but I wanted to search for all 3 criteria instead of 2 out of the 3, so this meant searching for non-executable. With a quick Google search I found that the use of “! -perm /111” will find a file not executable by anyone.

Level 6

This level goal builds on the previous level, there is a file somewhere on the server and have the following characteristics:

  1. owned by user bandit7
  2. owned by group bandit6
  3. 33 bytes in size

so using the find command again I went to work.


bandit6@melinda:~$ find / -size 33c -group bandit6 -user bandit7
/var/lib/dpkg/info/bandit7.password
bandit6@melinda:~$ cat /var/lib/dpkg/info/bandit7.password
********************************

This was a very simple challenge, though please note I’ve cleaned up my output as I had a lot of files displayed with the “Permission denied” error but I only cared about the file shown above.

Level 7

This level the challenge was to find the password in the file called “data.txt” which was next to the word “millionth”, time to pipe the output from cat of the file into grep searching for “millionth”.


bandit7@melinda:~$ ls -lh
total 4.0M
-rw-r----- 1 bandit8 bandit7 4.0M Jun  6 13:59 data.txt
bandit7@melinda:~$ cat data.txt |grep "millionth"
millionth    ********************************

Level 8

This was an interesting challenge, the goal was to the find the password instead the file “data.txt”, the password line only occurs once in the file. So simply again cat the file and pipe it into the command “sort” and then pipe the output from sort into the command “uniq” with the switch operator “-u” to find the unique string.


bandit8@melinda:~$ ls -lh
total 36K
-rw-r----- 1 bandit9 bandit8 33K Jun  6 13:59 data.txt
bandit8@melinda:~$ cat data.txt |sort |uniq -u
********************************

Level 9

So the password for the next level is stored within the file called “data.txt” which contains only a few lines of human-readable strings starting with the character “=”, let’s find it.


bandit9@melinda:~$ ls -lh
total 20K
-rw-r----- 1 bandit10 bandit9 19K Jun  6 13:59 data.txt
bandit9@melinda:~$ strings data.txt |grep "="
Rj=G
========== the
=qy9g
,========== passwordc
========== is
=9-5
O=p~
#r=t!
7e}=eG
========== ********************************
uXI/{I=VPO=
6'Q|_=Vt
:={!
yd=6

I decided the best way to solve this problem was to use the “strings” command again and pipe the output to grep searching for the “=” character.

Level 10

The password for the next level is stored in the file “data.txt” which contains base64 encoded data.


bandit10@melinda:~$ ls -lh
total 4.0K
-rw-r----- 1 bandit11 bandit10 69 Jun  6 13:59 data.txt
bandit10@melinda:~$ cat data.txt
VGhlIHBhc3N3b3JkIGlzIElGdWt3S0dzRlc4TU9xM0lSRnFyeEUxaHhUTkViVVBSCg==
bandit10@melinda:~$ base64 -d data.txt
The password is ********************************

This was a simple challenge, normally I would’ve jumped to python to decode the base64 string, but I decided to use the “base64” command in Linux to decode the string.

Level 11

The goal for this level is the password is stored in the data.txt file and all lowercase and uppercase letters have been rotated by 13 potions, looking at the hint for ROT13 on Wikipedia I found the answer.


bandit11@melinda:~$ ls -lh
total 4.0K
-rw-r----- 1 bandit12 bandit11 49 Jun  6 13:59 data.txt
bandit11@melinda:~$ cat data.txt
Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh
bandit11@melinda:~$ cat data.txt| tr 'A-Za-z' 'N-ZA-Mn-za-m'
The password is ********************************

Level 12

The goal for this challenge was to read the file data.txt file which contains a hexdump of a file that has been compressed several times. It was suggested for this level to make a directory in the /tmp directory to work in and copy the hexdump file to this location.


bandit12@melinda:~$ mkdir -p /tmp/41414141
bandit12@melinda:~$ cp ./data.txt /tmp/41414141

Now after making the temporary directory and copying the file I can begin on working on the challenge for this level. So before beginning I decided to have a look at the new command in the “Commands you may need to solve this level” section which was the command “xxd”, this command allows to turn hex data into a binary file, by doing this I would be able to convert the hex data in the “data.txt” file into the binary file it represented.


bandit12@melinda:/tmp/41414141$ file data.txt
data.txt: ASCII text
bandit12@melinda:/tmp/41414141$ xxd -r data.txt data2
bandit12@melinda:/tmp/41414141$ file data2
data2: gzip compressed data, was "data2.bin", from Unix, last modified: Thu Jun  6 13:59:44 2013, max compression

Ok so the binary file is a gzip compressed file, so lets use gzip to decompress the file, in this section I used zcat instead of gzip to decompress the file


bandit12@melinda:/tmp/41414141$ zcat -d data2 > data3
bandit12@melinda:/tmp/41414141$ file data3
data3: bzip2 compressed data, block size = 900k

Once I had decompressed the gzip file, it turns out the file compressed by gzip was a bzip archive, using bzip I decompressed to the next level.


bandit12@melinda:/tmp/41414141$ bzip2 -d data3
bzip2: Can't guess original name for data3 -- using data3.out
bandit12@melinda:/tmp/41414141$ file data3.out
data3.out: gzip compressed data, was "data4.bin", from Unix, last modified: Thu Jun  6 13:59:43 2013, max compression

After decompressing the next level reveals another gzip archieve, using the same method before I decompressed the archive.


bandit12@melinda:/tmp/41414141$ zcat -d data3.out > data4
bandit12@melinda:/tmp/41414141$ file data4
data4: POSIX tar archive (GNU)

After decompressing the gzip file I was give a tar archive, unpacked to give me another tar archive another file as shown below.


bandit12@melinda:/tmp/41414141$ tar xvf data4
data5.bin
bandit12@melinda:/tmp/41414141$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@melinda:/tmp/41414141$ tar -xvf data5.bin
data6.bin
bandit12@melinda:/tmp/41414141$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k

Unpacking the two tar archives I found another bzip archive, using the same method before I decompressed the bzip archive.


bandit12@melinda:/tmp/41414141$ bzip2 -d data6.bin
bzip2: Can't guess original name for data6.bin -- using data6.bin.out
bandit12@melinda:/tmp/41414141$ file data6.bin.out
data6.bin.out: POSIX tar archive (GNU)

And now I’m back to working with a tar archive, again repeat the step above for unpacking tar archives for this new file.


bandit12@melinda:/tmp/41414141$ tar -xvf data6.bin.out
data8.bin
bandit12@melinda:/tmp/41414141$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", from Unix, last modified: Thu Jun  6 13:59:43 2013, max compression

The file archived with the data6 tar archive was a gzip archive file, again using zcat I decompressed the file.


bandit12@melinda:/tmp/41414141$ zcat -d data8.bin > data9.bin
bandit12@melinda:/tmp/41414141$ file data9.bin
data9.bin: ASCII text
bandit12@melinda:/tmp/41414141$ cat data9.bin
The password is ********************************

After decompressing and unpacking all those archives I eventually was able to get to an ASCII file which contained the password for the next level.

Level 13

So the goal for this level is to get to the password which is located in “/etc/bandit_pass/bandit14” which can only be read by the user bandit14. We are also told that we are given the SSH private keys that can be used to login to the next level. This challenge is very simple and just tests the wargamer’s knowledge of the SSH command.


bandit13@melinda:~$ ls -lh
total 4.0K
-rw-r----- 1 bandit14 bandit13 1.7K Jun  6 13:59 sshkey.private
bandit13@melinda:~$ ssh -i sshkey.private bandit14@localhost
bandit14@melinda:~$ cat /etc/bandit_pass/bandit14
********************************

Level 14

The goal for this level is to connect to port 30,000 on the localhost and submit the password for the current level which if correct will return the password for the next level. Time to start using the Netcat command!


bandit14@melinda:~$ nc -vvn 127.0.0.1 30000
Connection to 127.0.0.1 30000 port [tcp/*] succeeded!
********************************
Correct!
********************************

Level 15

This level has the same challenge was level 14 but this time SSL encryption has been added into the mix.


bandit15@melinda:~$ openssl s_client -connect 127.0.0.1:30001
CONNECTED(00000003)
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
---
Certificate chain
0 s:/CN=localhost
i:/CN=localhost
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICpDCCAYwCCQDDVcPYicjxQjANBgkqhkiG9w0BAQUFADAUMRIwEAYDVQQDEwls
b2NhbGhvc3QwHhcNMTMwNjA2MTM1ODM3WhcNMjMwNjA0MTM1ODM3WjAUMRIwEAYD
VQQDEwlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDF
Id/8XRfPayS8u+XfqkXQq3QawTEmxcxQw4TiLKlnqLqsl02U3dUIBqSJu1LQE8lf
/eez2KF9Nse9cXqty6M6J9/515b+xaLfkAV1q97JwO1BfciJDiWqjPerMcikUb0d
zTnDFSpWpnrTjLqlquSWrgRxMffmGi+6x7lsWp8EOAIrFhxadYgTskVUslsgtwBP
dVtDG3OZSa8uyD6LJMCgMpaIs0nI1AS8yWWRnBPP6tujJV9x5JI8GYuC1OB9hsYT
+J7ZMkQ5soOXi9TIuyQSfavH27z44uMF3g4fB6i9l2KNFeKkuq1JVM+HbrXfSlf3
+Gtm/+hO/jlKzGw+pmobAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAF0ah9QUPxRM
cCNaZ2Bb+IkBXbj1esk92Hv7H4uYIionJl2f+8M6/YgGNhBI4C1r82Hwbi9DwVYs
kztth6DQIBw3KnNLyoKfYmEz6+Azko5rIefeJoHEBdD41tMqmBd8jWi5+hUbkeLr
8A0wzwi/mVQP4xBZ5cELDEaC2MFCi20X4APFFYeXEMjEYwTwADdADiQ52ezle0zr
iSZ10PUmxqjE4NCYo8feZ7emRcAozZElyF9JjoHfXSSiEViELPU2Wb9ygljYz2Hy
AGDcpE2FIGZRiHk+PT2tHD92bp4BeyZsh52pYvItJie3owdIQoQASfperclRvcyn
mNrjHPUubAc=
-----END CERTIFICATE-----
subject=/CN=localhost
issuer=/CN=localhost
---
No client certificate CA names sent
---
SSL handshake has read 1272 bytes and written 375 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : SSLv3
Cipher    : DHE-RSA-AES256-SHA
Session-ID: 13A1F0F4454F9D7804B93568F45396536D290786FE83AEC5FDAEFFEE107D7554
Session-ID-ctx:
Master-Key: 272C92BF1A9394F391FE8431902612449C4D58EB139C79F779D0ADEA14D0F3C06036308DE8D371E45B06FAC53955466C
Key-Arg   : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1383818468
Timeout   : 300 (sec)
Verify return code: 18 (self signed certificate)
---
********************************
HEARTBEATING
read R BLOCK
read:errno=0

I was a bit puzzled at this staged as I thought I had done everything right and so I was expected to get the password for the bandit16 user, eventually I went back to the webpage for this level to see if I had missed anything, which I had! I missed the hint “Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -quiet and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…“, so I ran the same command again but included the -quiet switch in my command to execute.


bandit15@melinda:~$ openssl s_client -connect 127.0.0.1:30001 -quiet
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
********************************
Correct!
********************************
read:errno=0

Level 16

Again the goal of this level builds on the previous challenge, we have to preform the same action as before but this time we don’t know the actual port to connect to but instead we know the port to connect to lies within the port range of 31000 to 32000, using nmap we can quickly identify the port we need.


bandit16@melinda:~$ nmap -p 31000-32000 localhost

Starting Nmap 5.21 ( http://nmap.org ) at 2013-11-07 10:39 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0012s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
31046/tcp open  unknown
31518/tcp open  unknown
31691/tcp open  unknown
31790/tcp open  unknown
31960/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

So from the nmap scan we have identified that there are 5 listening ports within range of ports from 31000 to 32000 but only one of these ports support SSL encryption, I decided instead of manually testing each port until I found the correct port I would instead use nmap’s script engine to test for SSL encryption on ports. I identified a script which would perform my task, ssl-enum-ciper, but when I looked on the bandit wargame server this script wasn’t included, which means my automated approach for scanning for SSL was not going to work which means I have to default to manual testing.


bandit16@melinda:~$ openssl s_client -connect 127.0.0.1:31046 -quiet
140737354069664:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:749:
bandit16@melinda:~$ openssl s_client -connect 127.0.0.1:31518 -quiet
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
********************************
********************************
bandit16@melinda:~$ openssl s_client -connect 127.0.0.1:31691 -quiet
140737354069664:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:749:
bandit16@melinda:~$ openssl s_client -connect 127.0.0.1:31790 -quiet
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
********************************
Correct!
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
-----END RSA PRIVATE KEY-----

read:errno=0
bandit16@melinda:~$

I eventually found the correct port to be 31790 and when I entered the password for the current level I was given a private key, now what to do well what about if I use the private key to connect to server with the user bandit17 and the ssh private key.


bandit16@melinda:/tmp/test1111$ vi sshkey.private
bandit16@melinda:/tmp/test1111$ chmod 600 sshkey.private
bandit16@melinda:/tmp/test1111$ ssh -i ./sshkey.private bandit17@localhost
bandit17@melinda:~$

Level 17

There are two files in the home directory for user bandit17, password.new & password.old, the password for the next level is passwords.new and is the only line that is changed between the two files. To begin with I did a quick Google search and learnt of the diff command which can be used to compare two files together for changes.


bandit17@melinda:~$ ls -lh
total 8.0K
-rw-r----- 1 bandit18 bandit17 3.3K Jun  6 13:59 passwords.new
-rw-r----- 1 bandit18 bandit17 3.3K Jun  6 13:59 passwords.old
bandit17@melinda:~$ diff passwords.new passwords.old
42c42
< ********************************
---
> ********************************

The top string is the correct password for bandit18.

Level 18

The goal for this level is to read the password stored in the readme file in the home directory, but whenever you attempt to login you are logged straight out with SSH, this is because of a modification made to the .bashrc file.


root@kali:~# ssh bandit.labs.overthewire.org -l bandit18
bandit18@bandit.labs.overthewire.org's password:
Byebye !
Connection to bandit.labs.overthewire.org closed.

At this point I was thinking ok now what, I decided to have a look at the man pages for the SSH command for ideas, and then I found the solution straight away. With the SSH command you can specify a command to be executed as soon as you login.


root@kali:~# ssh bandit.labs.overthewire.org -l bandit18 cat readme
bandit18@bandit.labs.overthewire.org's password:
********************************

Level 19

To gain access to the next level, level 20, I need to use the setuid binary in the home directory.


bandit19@melinda:~$ ls -lh
total 8.0K
-rwsr-x--- 1 bandit20 bandit19 7.1K Jun  6 13:59 bandit20-do
bandit19@melinda:~$ ./bandit20-do
Run a command as another user.
Example: ./bandit20-do id
bandit19@melinda:~$ ./bandit20-do id
uid=11019(bandit19) gid=11019(bandit19) euid=11020(bandit20) groups=11020(bandit20),11019(bandit19)
bandit19@melinda:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
********************************

As shown above this was a simple privilege escalation challenge, running the binary with no arguments shows the usage of the binary and gives an example of using the id command. Running the binary with the id command as the argument shows that it runs with the effective user and group id of bandit20, which means it runs with privileges of bandit20. So I replace the id command with the cat command and attempted to cat out the contents of the password file for bandit20.

Level 20

The goal for this level is there a setuid binary in the home directory that connects to a specified port by the user on the localhost and reads a line of text from the connection and compares the password from the previous with the user entered password, if a match occurs the next level password is displayed back to the user.

The netcat command to be used to connect and also listen for TCP connections of specific ports, so using netcat I set up a listening port on 4445 and then used the binary to connect to the port.


Shell #1
nc -l 4445
[level20_password]
********************************

shell #2
bandit20@melinda:~$ ./suconnect 4445
Read: [level20_password]
Password matches, sending next password

level 21

The goal for this level tells us there is a program running automatically at regular intervals from cron, by looking in the /etc/cron.d for the configuration to work out what this program is.


bandit21@melinda:~$ ls -lh /etc/cron.d/
total 112K
-rw-r--r-- 1 root root  52 Oct 22 08:53 boobiesbot-check
-rw-r--r-- 1 root root 355 Nov 18  2011 cron-apt
-rw-r--r-- 1 root root  61 Jun  6 13:59 cronjob_bandit22
-rw-r--r-- 1 root root  62 Jun  6 13:59 cronjob_bandit23
-rw-r--r-- 1 root root  61 Jun  6 13:59 cronjob_bandit24
-rw-r--r-- 1 root root  35 Jun  6 13:59 eloi0
-rw-r--r-- 1 root root  35 Jun  6 13:59 eloi1
-rw-r--r-- 1 root root  49 Oct 22 08:53 hintbot-check
-rw------- 1 root root 233 Jun  6 14:00 manpage3_resetpw_job
-rw-r--r-- 1 root root  54 Sep 30 22:14 natas-session-toucher
-rw-r--r-- 1 root root  49 Sep 30 22:07 natas-stats
-r--r----- 1 root root  47 Sep 30 22:07 natas25_cleanup
-r--r----- 1 root root  47 Sep 30 22:07 natas26_cleanup
-rw-r--r-- 1 root root 544 Mar 11  2013 php5
-rw-r--r-- 1 root root  58 Jun  6 14:01 semtex0-32
-rw-r--r-- 1 root root  58 Jun  6 14:01 semtex0-64
-rw-r--r-- 1 root root  59 Jun  6 14:01 semtex0-ppc
-rw-r--r-- 1 root root  36 Jun  6 14:01 semtex10
-rw-r--r-- 1 root root 143 Jun  6 14:01 semtex12
-rw-r--r-- 1 root root  35 Jun  6 14:01 semtex5
-rw-r--r-- 1 root root  29 Jun  6 14:01 semtex6
-rw-r--r-- 1 root root  96 Jun  6 14:01 semtex8
-rw-r--r-- 1 root root 134 Jun  6 14:01 semtex9
-rw-r--r-- 1 root root 396 Dec 16  2011 sysstat
-rw-r--r-- 1 root root  29 Jun  6 14:01 vortex0
-rw-r--r-- 1 root root  30 Jul  2 16:00 vortex20
-rw-r--r-- 1 root root  50 Oct 22 08:53 vulnbot0-check
-rw-r--r-- 1 root root  50 Oct 22 08:53 vulnbot1-check

Based on the output above I determine the job I was looking for was the cronjob_bandit22, now to find the password.


bandit21@melinda:~$ cat /etc/cron.d/cronjob_bandit22
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
bandit21@melinda:~$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
bandit21@melinda:~$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
********************************

So I identified the job being ran, which was calling a script called cronjob_bandit22.sh located in the /usr/bin/ directory, having a look at the contents of the script it is putting the contents of the password file for bandit22 in a file in the /tmp directory, by using the cat command I can print the password out.

Level 22

This is again another program running based on cron, based on the output from the previous level I assumed this program would be cronjob_bandit23, with this in mind I searched for the location of the script and found it in the /usr/bin directory.


bandit22@melinda:~$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget

So I for this challenge I need to work out the name of the directory the password is being put into, this was done by using the following command “echo I am user bandit23 | md5sum | cut -d ‘ ‘ -f 1”.


bandit22@melinda:~$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349
bandit22@melinda:~$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
********************************

Level 23

Again there is another program scheduled to by cron, again in the level 21 output I saw another program to be cronjob_bandit24 which points to a script called cronjob_bandit24.sh in the /usr/bin directory.


#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in *;
do
echo "Handling $i"
./$i
rm -f $i
done

So I need to print the contents of the directory /var/spool/bandit24 before the cronjob_bandit24.sh script deletes the contents of the directory. To do this I need to write a simple bash script which will cat the contents of the file /etc/bandit_pass/bandit24 to a file in a temporary directory  file, the reason why this will work is because before the file is deleted it is going to be executed.


bandit23@melinda:~$ mkdir -p /tmp/test2222
bandit23@melinda:~$ cd /tmp/test2222
bandit23@melinda:/tmp/test2222$ vi bandit24_dump.sh
bandit23@melinda:/tmp/test2222$ cat bandit24_dump.sh
#!/bin/bash
mkdir -p /tmp/test3333
cat /etc/bandit_pass/bandit24 /tmp/test3333/password.txt
bandit23@melinda:/tmp/test2222$ chmod 7777 bandit24_dump.sh
bandit23@melinda:/tmp/test2222$ cp bandit24_dump.sh /var/spool/bandit24/
bandit23@melinda:/tmp/test2222$ cat /tmp/test3333/password.txt
********************************

Level 24

At this moment level 25 does not exist yet.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s