Over The wire (Bandit)
Over the wire - bandit :
To get to level 0 we need to simply SSH into Bandit with the username: bandit0 and password: bandit0
The password for the next level is stored in a file called readme located in the home directory. bandit0@melinda:~$ cat readme
The password for the next level is stored in a file called - located in the home directory bandit1@melinda:~$ cat ./-
The password for the next level is stored in a file called spaces in this filename located in the home directory bandit1@melinda:~$ cat spaces in this filename
The password for the next level is stored in a hidden file in the inhere directory. bandit3@melinda:~/inhere$ cat .hidden
The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.
The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties: - human-readable - 1033 bytes in size - not executable
The password for the next level is stored somewhere on the server and has all of the following properties: - owned by user bandit7 - owned by group bandit6 - 33 bytes in size
The password for the next level is stored in the file data.txt next to the word millionth
The password for the next level is stored in the file data.txt and is the only line of text that occurs only once
The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.
The password for the next level is stored in the file data.txt, which contains base64 encoded data
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the data file using cp, and rename it using mv (read the manpages!)
bandit12@melinda:~$ mkdir /tmp/jhalon bandit12@melinda:~$
bandit12@melinda:/tmp/jhalon$ file file.bin file.bin: gzip compressed data, was "data2.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression bandit12@melinda:/tmp/jhalon$ zcat file.bin | file - /dev/stdin: bzip2 compressed data, block size = 900k bandit12@melinda:/tmp/jhalon$ zcat file.bin | bzcat | file - /dev/stdin: gzip compressed data, was "data4.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression bandit12@melinda:/tmp/jhalon$ zcat file.bin | bzcat | zcat | file - /dev/stdin: POSIX tar archive (GNU) bandit12@melinda:/tmp/jhalon$ zcat file.bin | bzcat | zcat | tar xO | file - /dev/stdin: POSIX tar archive (GNU) bandit12@melinda:/tmp/jhalon$ zcat file.bin | bzcat | zcat | tar xO | tar xO | file - /dev/stdin: bzip2 compressed data, block size = 900k bandit12@melinda:/tmp/jhalon$ zcat file.bin | bzcat | zcat | tar xO | tar xO | bzcat | file - /dev/stdin: POSIX tar archive (GNU) bandit12@melinda:/tmp/jhalon$ zcat file.bin | bzcat | zcat | tar xO | tar xO | bzcat | tar xO | file - /dev/stdin: gzip compressed data, was "data9.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression bandit12@melinda:/tmp/jhalon$ zcat file.bin | bzcat | zcat | tar xO | tar xO | bzcat | tar xO | zcat | file - /dev/stdin: ASCII text
bandit12@melinda:/tmp$ rm -rf jhalon
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command… bandit15@melinda:~$
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
bandit16@melinda:~$ nmap -p 31000-32000 -sV localhost bandit16@melinda:~$
Great! So let’s copy the RSA Key (Don’t forget to get the Header and Footer) and create a new file in a tmp directory.
bandit16@melinda:/tmp/jhalon$ nano sshkey.private bandit16@melinda:/tmp/jhalon$ chmod 600 sshkey.private bandit16@melinda:/tmp/jhalon$ ssh -i ./sshkey.private bandit17@localhost
There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new
The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used to setuid binary.
There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
NOTE: To beat this level, you need to login twice: once to run the setuid command, and once to start a network daemon to which the setuid will connect.
NOTE 2: Try connecting to your own network daemon to see if it works as you think
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…
bandit23@melinda:/etc/cron.d$ cat cronjob_bandit24 bandit23@melinda:/etc/cron.d$ cat /usr/bin/cronjob_bandit24.sh bandit23@melinda:/etc/cron.d$ mkdir /tmp/jhalon bandit23@melinda:/tmp/jhalon$ nano
#!/bin/bashcat /etc/bandit_pass/bandit24 > tmp/jhalon/pass
bandit23@melinda:/tmp/jhalon$ cp script.sh /var/spool/bandit24 bandit23@melinda:/tmp/jhalon$ cat /tmp/jhalon/pass
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.
bandit24@melinda:~$ mkdir /tmp/jhalon bandit24@melinda:~$ cd /tmp/jhalon bandit24@melinda:/tmp/jhalon$ nano
#!/bin/bashpasswd="UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ"for a in {0-10000}doecho $passwd' '$a | nc localhost 30002 >> result &done
bandit24@melinda:/tmp/jhalon$ chmod 755 script.sh bandit24@melinda:/tmp/jhalon$ ./script.sh bandit24@melinda:/tmp/jhalon$ sort result | uniq -u
Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.
3rd jan
over the wire bandit walkthrough
On this level, we are not given any hints. We are on our own on this. So, we like to see what we have to work upon in the current directory. We ran ls command to find a script bandit27-do. Let’s execute the script to see if we get any message or hint. It does one better, it gives us an example. This script basically runs the command it is given as user bandit27. So now that we can run commands as user bandit27. Let’s read the password file located at /etc/bandit_pass/bandit27. Now that we have the password for the next level, we will login as bandit27 using SSH.
On this level, we are informed that there is a git repository and the password for that repository is the same password that was used to login in as user bandit27. We are required to clone the repository. Now we need to have the write permission to clone a repository. So, we create a directory in the tmp directory. After cloning let’s list all the file in the repo. We find a README file. Upon reading that file we get the password for the next level.
On this level, we are informed that there is a git repository and the password for that repository is the same password that was used to login in as user bandit28. We are required to clone the repository. Now we need to have the write permission to clone a repository. So, we create a directory in the tmp directory. After cloning let’s list all the file in the repo. We find a README file. Upon reading that file we see that password is hidden.
Maybe the password was inside the file but was removed. Good thing is that whenever a change is made in a git, a log entry is created. Let’s check that log, we can see that the author of git has made the latest commit named ‘fix info leak’. We need to check out this commit.
On this level, we are informed that there is a git repository and the password for that repository is the same password that was used to login in as user bandit29. We are required to clone the repository. Now we need to have the write permission to clone a repository. So, we create a directory in the tmp directory. Now we will clone the repository inside this directory.
On this level, we are informed that there is a git repository and the password for that repository is the same password that was used to login in as user bandit30. We are required to clone the repository. Now we need to have the write permission to clone a repository. So, we create a directory in the tmp directory. Now we will clone the repository inside this directory.
After cloning let’s list all the file in the repo. We find a README file. Here we are told that it is an empty file. Now it’s time to enumerate this git. Git has the ability to tag specific points in a repository’s history as being important. We can enumerate that tag. On looking carefully, we find the tag secret. On reading that tag we find the password we were looking for on this level. Now that we have the password for the next level, we will login as bandit31 using SSH.
On this level, we are informed that there is a git repository and the password for that repository is the same password that was used to login in as user bandit31. We are required to clone the repository. Now we need to have the write permission to clone a repository. So, we create a directory in the tmp directory. Now we will clone the repository inside this directory.
Now we add the file to the repository and commit to that entry. And finally, push it into the origin branch. This step requires the password for the current user. As we can see in the given image that we have the password for the next level.
On reaching this level, we are greeted with a message “Welcome to the Uppercase shell”. To understand what it does, we ran ls command but we got an error. On close inspection of the error message, we understand that it states that the LS command is not found. It means that the shell converts my commands to Uppercase before executing. For this level, we are given a hint “it’s time for another escape”. This made us curious about escape characters. Upon brief research, we found that we can bypass this uppercase shell using an escape character ‘$0’. We were right. We got the bash. Let’s list all files using ls -al command. We see that the owner of uppercase is bandit33. So, we can access the /etc/bandit_pass/bandit33 file to get the password for the next level. After getting the password, we will login as bandit33 using SSH.
This is the final level for now as the bandit team is working on creating more levels. We connected to this level as use bandit33. After connecting we run ls command to see the list of files we have in the current directory. We see that we have a README file. On opening that file, we see the final flag and a brief message from the Over the Wire Team. This concludes this series for now. We will solve more levels as soon as Over the Wire team publishes more levels.