Tue. Oct 20th, 2020

Pentesting Fun Stuff

following the cyber security path…

Bandit

Introduction

The Bandit wargame is aimed at absolute beginners. It will teach the basics needed to be able to play other wargames.

Location

http://overthewire.org/wargames/bandit/

Bandit 0 –> 1

Level Goal
The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH to log into that level and continue the game.
Commands you may need to solve this level
ls, cd, cat, file, du, find

Bandit 1 –> 2

Level Goal
The password for the next level is stored in a file called – located in the home directory
Commands you may need to solve this level
ls, cd, cat, file, du, find

Bandit 2 –> 3

Level Goal
The password for the next level is stored in a file called spaces in this filename located in the home directory
Commands you may need to solve this level
ls, cd, cat, file, du, find

Bandit 3 –> 4

Level Goal
The password for the next level is stored in a hidden file in the inhere directory.
Commands you may need to solve this level
ls, cd, cat, file, du, find

Bandit 4 –> 5

Level Goal
The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.
Commands you may need to solve this level
ls, cd, cat, file, du, find

Bandit 5 –> 6

Level Goal
The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties: – human-readable – 1033 bytes in size – not executable
Commands you may need to solve this level
ls, cd, cat, file, du, find

Bandit 6 –> 7

Level Goal
The password for the next level is stored somewhere on the server and has all of the following properties: – owned by user bandit7 – owned by group bandit6 – 33 bytes in size
Commands you may need to solve this level
ls, cd, cat, file, du, find, grep

Bandit 7 –> 8

Level Goal
The password for the next level is stored in the file data.txt next to the word millionth
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

Bandit 8 –> 9

Level Goal
The password for the next level is stored in the file data.txt and is the only line of text that occurs only once
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

Bandit 9 –> 10

Level Goal
The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

Bandit 10 –> 11

Level Goal
The password for the next level is stored in the file data.txt, which contains base64 encoded data
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

Bandit 11 –> 12

Level Goal
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

Bandit 12 –> 13

Level Goal
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd, mkdir, cp, mv

Bandit 13 –> 14

Level Goal
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on
Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap

Bandit 14 –> 15

Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap

Bandit 15 –> 16

Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…
Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap

Like the description said….use option ‘-ign_eof’.

Level 16 –> 17

Level Goal
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap

The private key is not pasephrase protected. Save it in a text file for later use.

Bandit 17 –> 18

Level Goal
There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new
NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19
Commands you may need to solve this level
cat, grep, ls, diff
When logging in to this level, use the private key from the previous session.

Bandit 18 –> 19

Level Goal
The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
Commands you may need to solve this level
ssh, ls, cat
When using Bitvise SSH you can grab the ‘readme’ file from the server and read it.
Another solution is to set-up Putty with a remode command:   /bin/bash -norc .
Here ‘/bin/bash’ is telling putty what shell to send the remote command and the option –norc tells the terminal we’re opening to ignore the .bashrc “profile” file. And bypassing this doesn’t initialize the script that logs us out.

Bandit 19 –> 20

Level Goal
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

Level 20 –> 21

Level Goal
There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
NOTE: To beat this level, you need to login twice: once to run the setuid command, and once to start a network daemon to which the setuid will connect.
NOTE 2: Try connecting to your own network daemon to see if it works as you think
Commands you may need to solve this level
ssh, nc, cat

Step 1 – Terminal 1 – Start listener

Step 1 – Terminal 2 – Execute binary

Step 2 – Terminal 1 – Enter password from last level

Level 21 –> 22

Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
Commands you may need to solve this level
cron, crontab, crontab(5) (use “man 5 crontab” to access this)

 Level 22 –> 23

Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
Commands you may need to solve this level
cron, crontab, crontab(5) (use “man 5 crontab” to access this)

 Level 23 –> 24

Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…
Commands you may need to solve this level
cron, crontab, crontab(5) (use “man 5 crontab” to access this)

The cronjob runs all the scripts in ‘/var/spool/bandit24’.

There is write permission for me in this folder. Let’s add some script to be executed by the cronjob script.

Now to wait for the cronjob to run.

 Level 24 –> 25

Level Goal
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pin-code except by going through all of the 10000 combinations, called brute-forcing.

After some waiting, I got the password for the next and final level.

Level 25 –> 26

Level Goal
Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.
Commands you may need to solve this level
ssh, cat, more, vi, ls, id, pwd

Connection from bandit25 to bandit26 was easy indeed. Unfortunately the connection is broken immediately.
The hint said the shell in bandit26 wasn’t   /bin/bash, but something else.

Ok, so in this case there is no /bin/bash, but a shell script that uses the more function. To trigger   more I need to adjust my window when connecting with ssh.

level25_ssh
When looking at  man more there is a interesting part.
vim
text_only
Once inside vim use  :r /etc/bandit_pass/bandit26
flag

Level 26 –> 27

At this moment, level 27 does not exist yet.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.