Bandit – Pentesting Fun Stuff

Introduction

The Bandit wargame is aimed at absolute beginners. It will teach the basics needed to be able to play other wargames.

Location

Bandit 0 –> 1

Level Goal
The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH to log into that level and continue the game.
Commands you may need to solve this level
ls, cd, cat, file, du, find

bandit0@melinda:~$ pwd

/home/bandit0

bandit0@melinda:~$ ls

readme

bandit0@melinda:~$ cat readme

boJ9jbbUNNfktd78OOpsqOltutMc3MY1

Bandit 1 –> 2

Level Goal
The password for the next level is stored in a file called – located in the home directory
Commands you may need to solve this level
ls, cd, cat, file, du, find

bandit1@melinda:~$ pwd

/home/bandit1

bandit1@melinda:~$ ls -lah

total 24K

-rw-r----- 1 bandit2 bandit1 33 Nov 14 2014 -

drwxr-xr-x 2 root root 4.0K Nov 14 2014 .

drwxr-xr-x 172 root root 4.0K Jul 10 14:12 ..

-rw-r--r-- 1 root root 220 Apr 9 2014 .bash_logout

-rw-r--r-- 1 root root 3.6K Apr 9 2014 .bashrc

-rw-r--r-- 1 root root 675 Apr 9 2014 .profile

bandit1@melinda:~$ cat ./-

CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

Bandit 2 –> 3

Level Goal
The password for the next level is stored in a file called spaces in this filename located in the home directory
Commands you may need to solve this level
ls, cd, cat, file, du, find

bandit2@melinda:~$ pwd

/home/bandit2

bandit2@melinda:~$ ls -lah

total 24K

drwxr-xr-x 2 root root 4.0K Nov 14 2014 .

drwxr-xr-x 172 root root 4.0K Jul 10 14:12 ..

-rw-r--r-- 1 root root 220 Apr 9 2014 .bash_logout

-rw-r--r-- 1 root root 3.6K Apr 9 2014 .bashrc

-rw-r--r-- 1 root root 675 Apr 9 2014 .profile

-rw-r----- 1 bandit3 bandit2 33 Nov 14 2014 spaces in this filename

bandit2@melinda:~$ cat "spaces in this filename"

UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

Bandit 3 –> 4

Level Goal
The password for the next level is stored in a hidden file in the inhere directory.
Commands you may need to solve this level
ls, cd, cat, file, du, find

bandit3@melinda:~$ ls -aRl

total 24

drwxr-xr-x 3 root root 4096 Nov 14 2014 .

drwxr-xr-x 172 root root 4096 Jul 10 14:12 ..

-rw-r--r-- 1 root root 220 Apr 9 2014 .bash_logout

-rw-r--r-- 1 root root 3637 Apr 9 2014 .bashrc

-rw-r--r-- 1 root root 675 Apr 9 2014 .profile

drwxr-xr-x 2 root root 4096 Nov 14 2014 inhere

./inhere:

total 12

drwxr-xr-x 2 root root 4096 Nov 14 2014 .

drwxr-xr-x 3 root root 4096 Nov 14 2014 ..

-rw-r----- 1 bandit4 bandit3 33 Nov 14 2014 .hidden

bandit3@melinda:~$ cat ./inhere/.hidden

pIwrPrtPN36QITSp3EQaw936yaFoFgAB

Bandit 4 –> 5

Level Goal
The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.
Commands you may need to solve this level
ls, cd, cat, file, du, find

bandit4@melinda:~$ ls -aRl

total 24

drwxr-xr-x 3 root root 4096 Nov 14 2014 .

drwxr-xr-x 172 root root 4096 Jul 10 14:12 ..

-rw-r--r-- 1 root root 220 Apr 9 2014 .bash_logout

-rw-r--r-- 1 root root 3637 Apr 9 2014 .bashrc

-rw-r--r-- 1 root root 675 Apr 9 2014 .profile

drwxr-xr-x 2 root root 4096 Oct 19 06:48 inhere

./inhere:

total 48

-rw-r----- 1 bandit5 bandit4 33 Nov 14 2014 -file00

-rw-r----- 1 bandit5 bandit4 33 Nov 14 2014 -file01

-rw-r----- 1 bandit5 bandit4 33 Nov 14 2014 -file02

-rw-r----- 1 bandit5 bandit4 33 Nov 14 2014 -file03

-rw-r----- 1 bandit5 bandit4 33 Nov 14 2014 -file04

-rw-r----- 1 bandit5 bandit4 33 Nov 14 2014 -file05

-rw-r----- 1 bandit5 bandit4 33 Nov 14 2014 -file06

-rw-r----- 1 bandit5 bandit4 33 Nov 14 2014 -file07

-rw-r----- 1 bandit5 bandit4 33 Nov 14 2014 -file08

-rw-r----- 1 bandit5 bandit4 33 Nov 14 2014 -file09

drwxr-xr-x 2 root root 4096 Oct 19 06:48 .

drwxr-xr-x 3 root root 4096 Nov 14 2014 ..

bandit4@melinda:~$ cat ./inhere/-f*

;�-i�(��z��У��ޘ��8鑾?�@c

O8�L��c�Ч7�zb~��ף��U��g�f�4�6+>"��B�Vx��d��;de�O�:n��8S��Ѕ[�/q�(��@��M�.�t��+��5�`�¶R

�1*6C�u#Nr��hZ��P�邚��{#��TP��6�]��X:��!��>P�

d{��ҏH��xX|�koReBOKuIDDepwhWk7jZC0RTdopnAYKh

#[:*��?��j��U�

Bandit 5 –> 6

Level Goal
The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties: – human-readable – 1033 bytes in size – not executable
Commands you may need to solve this level
ls, cd, cat, file, du, find

bandit5@melinda:~$ find ./inhere -size 1033c

./inhere/maybehere07/.file2

bandit5@melinda:~$ cat ./inhere/maybehere07/.file2

DXjZPULLxYr17uwoI01bNLQbtFemEgo7

Bandit 6 –> 7

Level Goal
The password for the next level is stored somewhere on the server and has all of the following properties: – owned by user bandit7 – owned by group bandit6 – 33 bytes in size
Commands you may need to solve this level
ls, cd, cat, file, du, find, grep

bandit6@melinda:~$ find / -size 33c -user bandit7 -group bandit6 2>/dev/null

/var/lib/dpkg/info/bandit7.password

bandit6@melinda:~$ cat /var/lib/dpkg/info/bandit7.password

HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

Bandit 7 –> 8

Level Goal
The password for the next level is stored in the file data.txt next to the word millionth
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

bandit7@melinda:/$ find / -type f -exec grep -l millionth {} + 2>dev/null

/proc/374/task/374/cmdline

/home/bandit7/data.txt

/usr/lib/perl/5.18.2/Time/HiRes.pm

/usr/share/dict/american-english

bandit7@melinda:/$ cat /home/bandit7/data.txt | grep millionth

millionth cvX2JJa4CFALtqS87jk27qwqGhBM9plV

Bandit 8 –> 9

Level Goal
The password for the next level is stored in the file data.txt and is the only line of text that occurs only once
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

1 2	bandit8@melinda:~$ sort data.txt \| uniq -u UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

Bandit 9 –> 10

Level Goal
The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

bandit9@melinda:~$ strings data.txt | grep "=="

I========== the6

========== password

========== ism

========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk

Bandit 10 –> 11

Level Goal
The password for the next level is stored in the file data.txt, which contains base64 encoded data
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

1 2	bandit10@melinda:~$ cat data.txt \| base64 -d The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

Bandit 11 –> 12

Level Goal
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

1 2	bandit11@melinda:~$ cat data.txt \| tr 'A-Za-z' 'N-ZA-Mn-za-m' The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

Bandit 12 –> 13

Level Goal
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd, mkdir, cp, mv

bandit12@melinda:~$ cd /tmp

bandit12@melinda:/tmp$ mkdir n13mant

bandit12@melinda:/tmp$ cd n13mant

bandit12@melinda:/tmp/n13mant$ cp /home/bandit12/data.txt .`

bandit12@melinda:/tmp/n13mant$ xxd -r data.txt data.bin

bandit12@melinda:/tmp/n13mant$ file data.bin

data.bin: gzip compressed data, was "data2.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression

bandit12@melinda:/tmp/n13mant$ zcat data.bin | file -

/dev/stdin: bzip2 compressed data, block size = 900k

bandit12@melinda:/tmp/n13mant$ zcat data.bin | bzcat | file -

/dev/stdin: gzip compressed data, was "data4.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression

bandit12@melinda:/tmp/n13mant$ zcat data.bin | bzcat | zcat | file -

/dev/stdin: POSIX tar archive (GNU)

bandit12@melinda:/tmp/n13mant$ zcat data.bin | bzcat | zcat | tar xO | file -

/dev/stdin: POSIX tar archive (GNU)

/dev/stdin: bzip2 compressed data, block size = 900k

/dev/stdin: POSIX tar archive (GNU)

/dev/stdin: gzip compressed data, was "data9.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression

/dev/stdin: ASCII text

The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

Bandit 13 –> 14

Level Goal
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on
Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap

1	ssh bandit14@localhost -i ~/sshkey.private

Bandit 14 –> 15

Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap

bandit14@melinda:~$ cat /etc/bandit_pass/bandit14

4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

bandit14@melinda:~$ nc 127.0.0.1 30000

4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

Correct!

BfMYroe26WYalil77FoDi9qh59eK5xNr

Bandit 15 –> 16

Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…
Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap

bandit15@melinda:~$ openssl s_client -connect 127.0.0.1:30001

[.....SNIP.....]

SSL-Session:

Protocol : SSLv3

Cipher : DHE-RSA-AES256-SHA

Session-ID: 5FDFACEC4E62460EC764BADD6B67427F38DCF0CB81AAE5842F10D1FAD42101FA

Session-ID-ctx:

Master-Key: 1C406358D3B1657EFC0462D7EB40ACC59C43F354A49F330AC83DC87CE26610D198CCCD415AC04A7976AF00287A8236B0

Key-Arg : None

PSK identity: None

PSK identity hint: None

SRP username: None

Start Time: 1479382529

Timeout : 300 (sec)

Verify return code: 18 (self signed certificate)

---

BfMYroe26WYalil77FoDi9qh59eK5xNr

HEARTBEATING

read R BLOCK

read:errno=0

Like the description said….use option ‘-ign_eof’.

bandit15@melinda:~$ openssl s_client -connect 127.0.0.1:30001 -ign_eof

[.....SNIP.....]

SSL-Session:

Protocol : SSLv3

Cipher : DHE-RSA-AES256-SHA

Session-ID: 88ABDF58DCCE6B9EDA7239B341F6C870F66D825BEFD4F1A649450A94DB3379A8

Session-ID-ctx:

Master-Key: D8144BB9C00E67BA8BFD957218AA463D8D9F69758DFDA09B1B5C5A81F7F20E57C07CC37BC8737F9068E0BE74D4F4CC01

Key-Arg : None

PSK identity: None

PSK identity hint: None

SRP username: None

Start Time: 1479383048

Timeout : 300 (sec)

Verify return code: 18 (self signed certificate)

---

BfMYroe26WYalil77FoDi9qh59eK5xNr

Correct!

cluFn7wTiGryunymYOu4RcffSxQluehd

Level 16 –> 17

Level Goal
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap

bandit16@melinda:~$ openssl s_client -connect 127.0.0.1:31790 -ign_eof

[.....SNIP.....]

SSL-Session:

Protocol : SSLv3

Cipher : DHE-RSA-AES256-SHA

Session-ID: 1F920AD285BE63215E25B0C81978DF0156485C7FBA938A3FAD0F7353F8770ABD

Session-ID-ctx:

Master-Key: 651F331E9EF2A11B5288A4B3FBBD6B73D4B0C5917CCCAE08006D0FBF6E24C5DA5DE91587FB11CDEED2F84E93557F1DF1

Key-Arg : None

PSK identity: None

PSK identity hint: None

SRP username: None

Start Time: 1479383980

Timeout : 300 (sec)

Verify return code: 18 (self signed certificate)

---

cluFn7wTiGryunymYOu4RcffSxQluehd

Correct!

-----BEGIN RSA PRIVATE KEY-----

MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ

imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ

Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu

DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW

JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX

x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD

KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl

J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd

d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC

YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A

vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama

+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT

8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx

SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd

HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt

SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A

R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi

Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg

R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu

L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni

blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU

YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM

77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b

dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3

vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=

-----END RSA PRIVATE KEY-----

The private key is not pasephrase protected. Save it in a text file for later use.

Bandit 17 –> 18

Level Goal
There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new
NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19
Commands you may need to solve this level
cat, grep, ls, diff
When logging in to this level, use the private key from the previous session.

bandit17@melinda:~$ vim -d passwords.old passwords.new

[....SNIP.....]

kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd

Bandit 18 –> 19

Level Goal
The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
Commands you may need to solve this level
ssh, ls, cat
When using Bitvise SSH you can grab the ‘readme’ file from the server and read it.
Another solution is to set-up Putty with a remode command: /bin/bash -norc .
Here ‘/bin/bash’ is telling putty what shell to send the remote command and the option –norc tells the terminal we’re opening to ignore the .bashrc “profile” file. And bypassing this doesn’t initialize the script that logs us out.

Bandit 19 –> 20

Level Goal
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

bandit19@melinda:~$ ./bandit20-do

Run a command as another user.

bandit19@melinda:~$ ./bandit20-do cat /etc/bandit_pass/bandit20

GbKksEFF4yrVs6il55v6gwY5aVje5f0j

Level 20 –> 21

Level Goal
There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
NOTE: To beat this level, you need to login twice: once to run the setuid command, and once to start a network daemon to which the setuid will connect.
NOTE 2: Try connecting to your own network daemon to see if it works as you think
Commands you may need to solve this level
ssh, nc, cat

bandit20@melinda:~$ ls -lah

total 28K

drwxr-xr-x 2 root root 4.0K Nov 14 2014 .

drwxr-xr-x 172 root root 4.0K Jul 10 14:12 ..

-rw-r--r-- 1 root root 220 Apr 9 2014 .bash_logout

-rw-r--r-- 1 root root 3.6K Apr 9 2014 .bashrc

-rw-r--r-- 1 root root 675 Apr 9 2014 .profile

-rwsr-x--- 1 bandit21 bandit20 7.9K Nov 14 2014 suconnect

Step 1 – Terminal 1 – Start listener

1 2	bandit20@melinda:~$ nc -lvnp 31337 Listening on [0.0.0.0] (family 0, port 31337)

Step 1 – Terminal 2 – Execute binary

1	bandit20@melinda:~$ ./suconnect 31337

Step 2 – Terminal 1 – Enter password from last level

1 2	GbKksEFF4yrVs6il55v6gwY5aVje5f0j gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr

Level 21 –> 22

bandit21@melinda:/etc/cron.d$ cat cronjob_bandit22

* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null

bandit21@melinda:/usr/bin$cd /usr/bin

bandit21@melinda:/usr/bin$ cat cronjob_bandit22.sh

#!/bin/bash

chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

bandit21@melinda:/usr/bin$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

Level 22 –> 23

Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
Commands you may need to solve this level
cron, crontab, crontab(5) (use “man 5 crontab” to access this)

bandit22@melinda:/etc/cron.d$ cat cronjob_bandit23

* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null

bandit22@melinda:/etc/cron.d$ cat /usr/bin/cronjob_bandit23.sh

#!/bin/bash

myname=$(whoami)

mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget

bandit22@melinda:/etc/cron.d$ echo "I am user bandit23" | md5sum | cut -d ' ' -f 1

8ca319486bfbbc3663ea0fbe81326349

bandit22@melinda:/etc/cron.d$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349

jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n

Level 23 –> 24

Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…
Commands you may need to solve this level
cron, crontab, crontab(5) (use “man 5 crontab” to access this)

bandit23@melinda:/etc/cron.d$ cat cronjob_bandit24

* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null

bandit23@melinda:/etc/cron.d$ cat /usr/bin/cronjob_bandit24.sh

#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname

echo "Executing and deleting all scripts in /var/spool/$myname:"

for i in * .*;

if [ "$i" != "." -a "$i" != ".." ];

then

echo "Handling $i"

timeout -s 9 60 "./$i"

rm -f "./$i"

done

The cronjob runs all the scripts in ‘/var/spool/bandit24’.

bandit23@melinda:/$ cd /var/spool/bandit24

bandit23@melinda:/var/spool/bandit24$ ls -lah

total 153K

drwxrwxr-x 2 bandit24 bandit23 148K Nov 23 08:24 .

drwxr-xr-x 6 root root 4.0K May 3 2015 ..

There is write permission for me in this folder. Let’s add some script to be executed by the cronjob script.

bandit23@melinda:~$ mkdir /tmp/31337

bandit23@melinda:/tmp$ cd /tmp/31337

bandit23@melinda:/tmp/31337$ vi passwd.sh

#!/bin/bash

mkdir /tmp/31337-2

cat /etc/bandit_pass/bandit24 > /tmp/31337-2/passwd

bandit23@melinda:/tmp/31337$ chmod 777 passwd.sh && cp passwd.sh /var/spool/bandit24

Now to wait for the cronjob to run.

bandit23@melinda:~$ cd /tmp/31337-2

-bash: cd: /tmp/31337-2: No such file or directory

bandit23@melinda:~$ cd /tmp/31337-2

bandit23@melinda:/tmp/31337-2$ ls

passwd

bandit23@melinda:/tmp/31337-2$ cat passwd

UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

Level 24 –> 25

Level Goal
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pin-code except by going through all of the 10000 combinations, called brute-forcing.

1	bandit24@melinda:/tmp/31337$ for i in $(seq -w 0000 9999); do echo "Brute-forcing $i"; echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i" \| nc 127.0.0.1 30002; done

After some waiting, I got the password for the next and final level.

Brute-forcing 0001

I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.

Wrong! Please enter the correct pincode. Try again.

Exiting.

[.....SNIP.....]

Brute-forcing 5669

I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.

Correct!

The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

Level 25 –> 26

Level Goal
Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.
Commands you may need to solve this level
ssh, cat, more, vi, ls, id, pwd

bandit25@melinda:~$ ls

bandit26.sshkey

bandit25@melinda:~$ ssh -i bandit26.sshkey bandit26@localhost

Could not create directory '/home/bandit25/.ssh'.

The authenticity of host 'localhost (127.0.0.1)' can't be established.

ECDSA key fingerprint is 05:3a:1c:25:35:0a:ed:2f:cd:87:1c:f6:fe:69:e4:f6.

Are you sure you want to continue connecting (yes/no)? yes

Failed to add the host to the list of known hosts (/home/bandit25/.ssh/known_hosts).

This is the OverTheWire game server. More information on http://www.overthewire.org/wargames

Please note that wargame usernames are no longer level<X>, but wargamename<X>

e.g. vortex4, semtex2, ...

Note: at this moment, blacksun is not available.

,----.. ,----, .---.

/ / \ ,/ .`| /. ./|

/ . : ,` .' : .--'. ' ;

. / ;. \ ; ; / /__./ \ : |

. ; / ` ; .'___,/ ,' .--'. ' \' .

; | ; \ ; | | : | /___/ \ | ' '

| : | ; | ' ; |.'; ; ; \ \; :

. | ' ' ' : `----' | | \ ; ` |

' ; \; / | ' : ; . \ .\ ;

\ \ ', / | | ' \ \ ' \ |

; : / ' : | : ' |--"

\ \ .' ; |.' \ \ ;

www. `---` ver '---' he '---" ire.org

Welcome to the OverTheWire games machine!

If you find any problems, please report them to Steven on

irc.overthewire.org.

--[ Playing the games ]--

This machine holds several wargames.

If you are playing "somegame", then:

* USERNAMES are somegame0, somegame1, ...

* Most LEVELS are stored in /somegame/.

* PASSWORDS for each level are stored in /etc/somegame_pass/.

Write-access to homedirectories is disabled. It is advised to create a

working directory with a hard-to-guess name in /tmp/. You can use the

command "mktemp -d" in order to generate a random and hard to guess

directory in /tmp/. Read-access to both /tmp/ and /proc/ is disabled

so that users can not snoop on eachother.

Please play nice:

* don't leave orphan processes running

* don't leave exploit-files laying around

* don't annoy other players

* don't post passwords or spoilers

* again, DONT POST SPOILERS!

This includes writeups of your solution on your blog or website!

--[ Tips ]--

This machine has a 64bit processor and many security-features enabled

by default, although ASLR has been switched off. The following

compiler flags might be interesting:

-m32 compile for 32bit

-fno-stack-protector disable ProPolice

-Wl,-z,norelro disable relro

In addition, the execstack tool can be used to flag the stack as

executable on ELF binaries.

Finally, network-access is limited for most levels by a local

firewall.

--[ Tools ]--

For your convenience we have installed a few usefull tools which you can find

in the following locations:

* peda (https://github.com/longld/peda.git) in /usr/local/peda/

* gdbinit (https://github.com/gdbinit/Gdbinit) in /usr/local/gdbinit/

* pwntools (https://github.com/Gallopsled/pwntools) in /usr/src/pwntools/

* radare2 (http://www.radare.org/) should be in $PATH

--[ More information ]--

For more information regarding individual wargames, visit

http://www.overthewire.org/wargames/

For questions or comments, contact us through IRC on

irc.overthewire.org.

_ _ _ _ ___ __

| | | (_) | |__ \ / /

| |__ __ _ _ __ __| |_| |_ ) / /_

| '_ \ / _` | '_ \ / _` | | __| / / '_ \

| |_) | (_| | | | | (_| | | |_ / /| (_) |

|_.__/ \__,_|_| |_|\__,_|_|\__|____\___/

Connection to localhost closed.

Connection from bandit25 to bandit26 was easy indeed. Unfortunately the connection is broken immediately.
The hint said the shell in bandit26 wasn’t /bin/bash, but something else.

bandit25@melinda:~$ cat /etc/passwd | grep bandit26

bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext

bandit25@melinda:~$ cat /usr/bin/showtext

#!/bin/sh

more ~/text.txt

exit 0

Ok, so in this case there is no /bin/bash, but a shell script that uses the more function. To trigger more I need to adjust my window when connecting with ssh.

1	bandit25@melinda:~$ ssh -i bandit26.sshkey bandit26@localhost

level25_ssh
When looking at man more there is a interesting part.
vim
text_only
Once inside vim use :r /etc/bandit_pass/bandit26

Level 26 –> 27

At this moment, level 27 does not exist yet.

Introduction

Location

Bandit 0 –> 1

Bandit 1 –> 2

Bandit 2 –> 3

Bandit 3 –> 4

Bandit 4 –> 5

Bandit 5 –> 6

Bandit 6 –> 7

Bandit 7 –> 8

Bandit 8 –> 9

Bandit 9 –> 10

Bandit 10 –> 11

Bandit 11 –> 12

Bandit 12 –> 13

Bandit 13 –> 14

Bandit 14 –> 15

Bandit 15 –> 16

Level 16 –> 17

Bandit 17 –> 18

Bandit 18 –> 19

Bandit 19 –> 20

Level 20 –> 21

Level 21 –> 22

Level 22 –> 23

Level 23 –> 24

Level 24 –> 25

Level 25 –> 26

Level 26 –> 27

Leave a Reply Cancel reply