Over The wire (Bandit)
Over the wire - bandit :
To get to level 0 we need to simply SSH into Bandit with the username: bandit0 and password: bandit0
The password for the next level is stored in a file called readme located in the home directory. [email protected]:~$ cat readme
The password for the next level is stored in a file called - located in the home directory [email protected]:~$ cat ./-
The password for the next level is stored in a file called spaces in this filename located in the home directory [email protected]:~$ cat spaces in this filename
The password for the next level is stored in a hidden file in the inhere directory. [email protected]:~/inhere$ cat .hidden
The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.
[email protected]:~/inhere$ file ./-*
The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties: - human-readable - 1033 bytes in size - not executable
[email protected]:~/inhere$ find -type f -size 1033c
The password for the next level is stored somewhere on the server and has all of the following properties: - owned by user bandit7 - owned by group bandit6 - 33 bytes in size
[email protected]:~$ find / -user bandit7 -group bandit6 -size 32c 2>/dev/null
The password for the next level is stored in the file data.txt next to the word millionth
[email protected]:~$ awk '/^millionth/ {print $2;}' data.txt
The password for the next level is stored in the file data.txt and is the only line of text that occurs only once
[email protected]:~$ cat data.txt | sort | uniq -u
The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.
[email protected]:~$ strings data.txt | grep "="
The password for the next level is stored in the file data.txt, which contains base64 encoded data
[email protected]:~$ echo VGhlIHBhc3N3b3JkIGlzIElGdWt3S0dzRlc4TU9xM0lSRnFyeEUxaHhUTkViVVBSCg== | base64 --decode
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions
[email protected]:~$ echo Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh | tr [a-zA-Z] [n-za-mN-ZA-M]
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the data file using cp, and rename it using mv (read the manpages!)
[email protected]:~$ mkdir /tmp/jhalon [email protected]:~$
xxd -r data.txt > /tmp/jhalon/file.bin [email protected]:/tmp/jhalon$ file file.bin
[email protected]:/tmp/jhalon$ file file.bin file.bin: gzip compressed data, was "data2.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression [email protected]:/tmp/jhalon$ zcat file.bin | file - /dev/stdin: bzip2 compressed data, block size = 900k [email protected]:/tmp/jhalon$ zcat file.bin | bzcat | file - /dev/stdin: gzip compressed data, was "data4.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression [email protected]:/tmp/jhalon$ zcat file.bin | bzcat | zcat | file - /dev/stdin: POSIX tar archive (GNU) [email protected]:/tmp/jhalon$ zcat file.bin | bzcat | zcat | tar xO | file - /dev/stdin: POSIX tar archive (GNU) [email protected]:/tmp/jhalon$ zcat file.bin | bzcat | zcat | tar xO | tar xO | file - /dev/stdin: bzip2 compressed data, block size = 900k [email protected]:/tmp/jhalon$ zcat file.bin | bzcat | zcat | tar xO | tar xO | bzcat | file - /dev/stdin: POSIX tar archive (GNU) [email protected]:/tmp/jhalon$ zcat file.bin | bzcat | zcat | tar xO | tar xO | bzcat | tar xO | file - /dev/stdin: gzip compressed data, was "data9.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression [email protected]:/tmp/jhalon$ zcat file.bin | bzcat | zcat | tar xO | tar xO | bzcat | tar xO | zcat | file - /dev/stdin: ASCII text
[email protected]:/tmp/jhalon$ zcat file.bin | bzcat | zcat | tar xO | tar xO | bzcat | tar xO | zcat
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
[email protected]:/tmp$ rm -rf jhalon
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on
[email protected]:~$ ssh -i sshkey.private [email protected]
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
[email protected]:~$ telnet localhost 30000
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command… [email protected]:~$
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
[email protected]:~$ nmap -p 31000-32000 -sV localhost [email protected]:~$
Great! So let’s copy the RSA Key (Don’t forget to get the Header and Footer) and create a new file in a tmp directory.
[email protected]:/tmp/jhalon$ nano sshkey.private [email protected]:/tmp/jhalon$ chmod 600 sshkey.private [email protected]:/tmp/jhalon$ ssh -i ./sshkey.private [email protected]
There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new
[email protected]:~$ diff passwords.new passwords.old
The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
[email protected]:~# ssh [email protected] "bash --norc"
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used to setuid binary.
[email protected]:~$ ./bandit20-do [email protected]:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
NOTE: To beat this level, you need to login twice: once to run the setuid command, and once to start a network daemon to which the setuid will connect.
NOTE 2: Try connecting to your own network daemon to see if it works as you think
[email protected]:~$ nc -l 32123 < /etc/bandit_pass/bandit20 [email protected]:~$ ./suconnect 32123
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
[email protected]:~$ cd /etc/cron.d/ [email protected]:/etc/cron.d$ cat cronjob_bandit22 [email protected]:/etc/cron.d$ cat /usr/bin/cronjob_bandit22.sh cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
[email protected]:/etc/cron.d$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1 [email protected]:/etc/cron.d$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…
[email protected]:/etc/cron.d$ cat cronjob_bandit24 [email protected]:/etc/cron.d$ cat /usr/bin/cronjob_bandit24.sh [email protected]:/etc/cron.d$ mkdir /tmp/jhalon [email protected]:/tmp/jhalon$ nano
#!/bin/bashcat /etc/bandit_pass/bandit24 > tmp/jhalon/pass
[email protected]:/tmp/jhalon$ cp script.sh /var/spool/bandit24 [email protected]:/tmp/jhalon$ cat /tmp/jhalon/pass
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.
[email protected]:~$ mkdir /tmp/jhalon [email protected]:~$ cd /tmp/jhalon [email protected]:/tmp/jhalon$ nano
#!/bin/bashpasswd="UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ"for a in {0-10000}doecho $passwd' '$a | nc localhost 30002 >> result &done
[email protected]:/tmp/jhalon$ chmod 755 script.sh [email protected]:/tmp/jhalon$ ./script.sh [email protected]:/tmp/jhalon$ sort result | uniq -u
Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.
[email protected]:~$ cat /etc/passwd | grep bandit26 [email protected]:~$ cat /usr/bin/showtext [email protected]:~$ ssh -i bandit26.sshkey [email protected] :r /etc/bandit_pass/bandit26 Enter
3rd jan
over the wire bandit walkthrough
On this level, we are not given any hints. We are on our own on this. So, we like to see what we have to work upon in the current directory. We ran ls command to find a script bandit27-do. Let’s execute the script to see if we get any message or hint. It does one better, it gives us an example. This script basically runs the command it is given as user bandit27. So now that we can run commands as user bandit27. Let’s read the password file located at /etc/bandit_pass/bandit27. Now that we have the password for the next level, we will login as bandit27 using SSH.
ls ./bandit27-do ./bandit27-do whoami ./bandit27-do cat /etc/bandit_pass/bandit27 ssh [email protected]
On this level, we are informed that there is a git repository and the password for that repository is the same password that was used to login in as user bandit27. We are required to clone the repository. Now we need to have the write permission to clone a repository. So, we create a directory in the tmp directory. After cloning let’s list all the file in the repo. We find a README file. Upon reading that file we get the password for the next level.
mkdir /tmp/pavan4 cd /tmp/pavan4 git clone ssh://[email protected]/home/bandit27-git/repo ls cd repo ls cat README
On this level, we are informed that there is a git repository and the password for that repository is the same password that was used to login in as user bandit28. We are required to clone the repository. Now we need to have the write permission to clone a repository. So, we create a directory in the tmp directory. After cloning let’s list all the file in the repo. We find a README file. Upon reading that file we see that password is hidden.
mkdir /tmp/pavan5 cd /tmp/pavan5 git clone ssh://[email protected]/home/bandit28-git/repo ls cd repo/ ls cat README.md
Maybe the password was inside the file but was removed. Good thing is that whenever a change is made in a git, a log entry is created. Let’s check that log, we can see that the author of git has made the latest commit named ‘fix info leak’. We need to check out this commit.
On this level, we are informed that there is a git repository and the password for that repository is the same password that was used to login in as user bandit29. We are required to clone the repository. Now we need to have the write permission to clone a repository. So, we create a directory in the tmp directory. Now we will clone the repository inside this directory.
mkdir /tmp/pavan6 cd /tmp/pavan6 git clone ssh://[email protected]/home/bandit29-git/repo
git branch -a git checkout dev cat README.md ssh [email protected]
On this level, we are informed that there is a git repository and the password for that repository is the same password that was used to login in as user bandit30. We are required to clone the repository. Now we need to have the write permission to clone a repository. So, we create a directory in the tmp directory. Now we will clone the repository inside this directory.
mkdir /tmp/pavan7 cd /tmp/pavan7 git clone ssh://[email protected]/home/bandit30-git/repo
After cloning let’s list all the file in the repo. We find a README file. Here we are told that it is an empty file. Now it’s time to enumerate this git. Git has the ability to tag specific points in a repository’s history as being important. We can enumerate that tag. On looking carefully, we find the tag secret. On reading that tag we find the password we were looking for on this level. Now that we have the password for the next level, we will login as bandit31 using SSH.
ls cd repo ls cat README.md git tag git show secret ssh [email protected]
On this level, we are informed that there is a git repository and the password for that repository is the same password that was used to login in as user bandit31. We are required to clone the repository. Now we need to have the write permission to clone a repository. So, we create a directory in the tmp directory. Now we will clone the repository inside this directory.
mkdir /tmp/pavan8 cd /tmp/pavan8 git clone ssh://[email protected]/home/bandit31-git/repo
Now we add the file to the repository and commit to that entry. And finally, push it into the origin branch. This step requires the password for the current user. As we can see in the given image that we have the password for the next level.
On reaching this level, we are greeted with a message “Welcome to the Uppercase shell”. To understand what it does, we ran ls command but we got an error. On close inspection of the error message, we understand that it states that the LS command is not found. It means that the shell converts my commands to Uppercase before executing. For this level, we are given a hint “it’s time for another escape”. This made us curious about escape characters. Upon brief research, we found that we can bypass this uppercase shell using an escape character ‘$0’. We were right. We got the bash. Let’s list all files using ls -al command. We see that the owner of uppercase is bandit33. So, we can access the /etc/bandit_pass/bandit33 file to get the password for the next level. After getting the password, we will login as bandit33 using SSH.
ls $0 ls -al cat /etc/bandit_pass/bandit33 ssh [email protected]
This is the final level for now as the bandit team is working on creating more levels. We connected to this level as use bandit33. After connecting we run ls command to see the list of files we have in the current directory. We see that we have a README file. On opening that file, we see the final flag and a brief message from the Over the Wire Team. This concludes this series for now. We will solve more levels as soon as Over the Wire team publishes more levels.