5 July 2022

Pentesting Fun Stuff

following the cyber security path…

Bandit

Introduction

The Bandit wargame is aimed at absolute beginners. It will teach the basics needed to be able to play other wargames.

Location

http://overthewire.org/wargames/bandit/

Bandit 0 –> 1

Level Goal
The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH to log into that level and continue the game.
Commands you may need to solve this level
ls, cd, cat, file, du, find

bandit0@melinda:~$ pwd
/home/bandit0
bandit0@melinda:~$ ls
readme
bandit0@melinda:~$ cat readme
boJ9jbbUNNfktd78OOpsqOltutMc3MY1

Bandit 1 –> 2

Level Goal
The password for the next level is stored in a file called - located in the home directory
Commands you may need to solve this level
ls, cd, cat, file, du, find

bandit1@melinda:~$ pwd
/home/bandit1
bandit1@melinda:~$ ls -lah
total 24K
-rw-r-----   1 bandit2 bandit1   33 Nov 14  2014 -
drwxr-xr-x   2 root    root    4.0K Nov 14  2014 .
drwxr-xr-x 172 root    root    4.0K Jul 10 14:12 ..
-rw-r--r--   1 root    root     220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root    root    3.6K Apr  9  2014 .bashrc
-rw-r--r--   1 root    root     675 Apr  9  2014 .profile
bandit1@melinda:~$ cat ./-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

Bandit 2 –> 3

Level Goal
The password for the next level is stored in a file called spaces in this filename located in the home directory
Commands you may need to solve this level
ls, cd, cat, file, du, find

bandit2@melinda:~$ pwd
/home/bandit2
bandit2@melinda:~$ ls -lah
total 24K
drwxr-xr-x   2 root    root    4.0K Nov 14  2014 .
drwxr-xr-x 172 root    root    4.0K Jul 10 14:12 ..
-rw-r--r--   1 root    root     220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root    root    3.6K Apr  9  2014 .bashrc
-rw-r--r--   1 root    root     675 Apr  9  2014 .profile
-rw-r-----   1 bandit3 bandit2   33 Nov 14  2014 spaces in this filename
bandit2@melinda:~$ cat "spaces in this filename"
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

Bandit 3 –> 4

Level Goal
The password for the next level is stored in a hidden file in the inhere directory.
Commands you may need to solve this level
ls, cd, cat, file, du, find

bandit3@melinda:~$ ls -aRl
.:
total 24
drwxr-xr-x   3 root root 4096 Nov 14  2014 .
drwxr-xr-x 172 root root 4096 Jul 10 14:12 ..
-rw-r--r--   1 root root  220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root root 3637 Apr  9  2014 .bashrc
-rw-r--r--   1 root root  675 Apr  9  2014 .profile
drwxr-xr-x   2 root root 4096 Nov 14  2014 inhere
./inhere:
total 12
drwxr-xr-x 2 root    root    4096 Nov 14  2014 .
drwxr-xr-x 3 root    root    4096 Nov 14  2014 ..
-rw-r----- 1 bandit4 bandit3   33 Nov 14  2014 .hidden
bandit3@melinda:~$ cat ./inhere/.hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB

Bandit 4 –> 5

Level Goal
The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.
Commands you may need to solve this level
ls, cd, cat, file, du, find

bandit4@melinda:~$ ls -aRl
.:
total 24
drwxr-xr-x   3 root root 4096 Nov 14  2014 .
drwxr-xr-x 172 root root 4096 Jul 10 14:12 ..
-rw-r--r--   1 root root  220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root root 3637 Apr  9  2014 .bashrc
-rw-r--r--   1 root root  675 Apr  9  2014 .profile
drwxr-xr-x   2 root root 4096 Oct 19 06:48 inhere
./inhere:
total 48
-rw-r----- 1 bandit5 bandit4   33 Nov 14  2014 -file00
-rw-r----- 1 bandit5 bandit4   33 Nov 14  2014 -file01
-rw-r----- 1 bandit5 bandit4   33 Nov 14  2014 -file02
-rw-r----- 1 bandit5 bandit4   33 Nov 14  2014 -file03
-rw-r----- 1 bandit5 bandit4   33 Nov 14  2014 -file04
-rw-r----- 1 bandit5 bandit4   33 Nov 14  2014 -file05
-rw-r----- 1 bandit5 bandit4   33 Nov 14  2014 -file06
-rw-r----- 1 bandit5 bandit4   33 Nov 14  2014 -file07
-rw-r----- 1 bandit5 bandit4   33 Nov 14  2014 -file08
-rw-r----- 1 bandit5 bandit4   33 Nov 14  2014 -file09
drwxr-xr-x 2 root    root    4096 Oct 19 06:48 .
drwxr-xr-x 3 root    root    4096 Nov 14  2014 ..
bandit4@melinda:~$ cat ./inhere/-f*
;�-i�(��z��У��ޘ��8鑾?�@c
                              O8�L��c�Ч7�zb~��ף���U��g�f�4�6+>"��B�Vx��d��;de�O�:n����8S��Ѕ[�/q�(��@��M�.�t����+��5�`�¶R
�1*6C�u#Nr���hZ����P�邚���{#��TP��6�]��X:����!��>P�
d{����ҏH���xX|�koReBOKuIDDepwhWk7jZC0RTdopnAYKh
#[:*���?��j���U�

Bandit 5 –> 6

Level Goal
The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties: – human-readable – 1033 bytes in size – not executable
Commands you may need to solve this level
ls, cd, cat, file, du, find

bandit5@melinda:~$ find ./inhere -size 1033c
./inhere/maybehere07/.file2
bandit5@melinda:~$ cat ./inhere/maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7

Bandit 6 –> 7

Level Goal
The password for the next level is stored somewhere on the server and has all of the following properties: – owned by user bandit7 – owned by group bandit6 – 33 bytes in size
Commands you may need to solve this level
ls, cd, cat, file, du, find, grep

bandit6@melinda:~$ find / -size 33c -user bandit7 -group bandit6 2>/dev/null
/var/lib/dpkg/info/bandit7.password
bandit6@melinda:~$ cat /var/lib/dpkg/info/bandit7.password
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

Bandit 7 –> 8

Level Goal
The password for the next level is stored in the file data.txt next to the word millionth
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

bandit7@melinda:/$ find / -type f -exec grep -l millionth {} + 2>dev/null
/proc/374/task/374/cmdline
/home/bandit7/data.txt
/usr/lib/perl/5.18.2/Time/HiRes.pm
/usr/share/dict/american-english
bandit7@melinda:/$ cat /home/bandit7/data.txt | grep millionth
millionth	cvX2JJa4CFALtqS87jk27qwqGhBM9plV

Bandit 8 –> 9

Level Goal
The password for the next level is stored in the file data.txt and is the only line of text that occurs only once
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

bandit8@melinda:~$ sort data.txt | uniq -u
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

Bandit 9 –> 10

Level Goal
The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

bandit9@melinda:~$ strings data.txt | grep "=="
I========== the6
========== password
========== ism
========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk

Bandit 10 –> 11

Level Goal
The password for the next level is stored in the file data.txt, which contains base64 encoded data
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

bandit10@melinda:~$ cat data.txt | base64 -d
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

Bandit 11 –> 12

Level Goal
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

bandit11@melinda:~$ cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

Bandit 12 –> 13

Level Goal
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd, mkdir, cp, mv

bandit12@melinda:~$ cd /tmp
bandit12@melinda:/tmp$ mkdir n13mant
bandit12@melinda:/tmp$ cd n13mant
bandit12@melinda:/tmp/n13mant$ cp /home/bandit12/data.txt .
bandit12@melinda:/tmp/n13mant$ xxd -r data.txt data.bin
bandit12@melinda:/tmp/n13mant$ file data.bin
data.bin: gzip compressed data, was "data2.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
bandit12@melinda:/tmp/n13mant$ zcat data.bin | file -
/dev/stdin: bzip2 compressed data, block size = 900k
bandit12@melinda:/tmp/n13mant$ zcat data.bin | bzcat | file -
/dev/stdin: gzip compressed data, was "data4.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
bandit12@melinda:/tmp/n13mant$ zcat data.bin | bzcat | zcat | file -
/dev/stdin: POSIX tar archive (GNU)
bandit12@melinda:/tmp/n13mant$ zcat data.bin | bzcat | zcat | tar xO | file -
/dev/stdin: POSIX tar archive (GNU)
bandit12@melinda:/tmp/n13mant$ zcat data.bin | bzcat | zcat | tar xO | tar xO | file -
/dev/stdin: bzip2 compressed data, block size = 900k
bandit12@melinda:/tmp/n13mant$ zcat data.bin | bzcat | zcat | tar xO | tar xO | bzcat | file -
/dev/stdin: POSIX tar archive (GNU)
bandit12@melinda:/tmp/n13mant$ zcat data.bin | bzcat | zcat | tar xO | tar xO | bzcat | tar xO | file -
/dev/stdin: gzip compressed data, was "data9.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
bandit12@melinda:/tmp/n13mant$ zcat data.bin | bzcat | zcat | tar xO | tar xO | bzcat | tar xO | zcat | file -
/dev/stdin: ASCII text
bandit12@melinda:/tmp/n13mant$ zcat data.bin | bzcat | zcat | tar xO | tar xO | bzcat | tar xO | zcat
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
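The pipeline above grows one stage at a time because each `file -` call only tells you the next layer. As an added example (not from the original write-up), the function below automates that decision by checking the same magic bytes `file` looks at (gzip `1f 8b`, bzip2 `BZh`, the `ustar` tag at offset 257 of a tar header) and strips layers until plain text is left. It starts from the binary that `xxd -r` already produced, assumes gzip, tar and (when a bzip2 layer appears) bzip2 are on PATH, and `build_sample` constructs a small nested blob so it can be run offline.

```shell
#!/bin/sh
# Added example, not part of the original write-up or of OverTheWire.

# Print the container type of file $1: gzip, bzip2, tar, or text.
detect_layer() {
    sig=$(head -c 3 "$1" | od -An -tx1 | tr -d ' \n')
    case "$sig" in
        1f8b*)  echo gzip;  return ;;   # gzip magic 1f 8b
        425a68) echo bzip2; return ;;   # bzip2 magic "BZh"
    esac
    # POSIX ustar archives carry "ustar" at byte offset 257
    if [ "$(tail -c +258 "$1" | head -c 5)" = "ustar" ]; then
        echo tar; return
    fi
    echo text
}

# Strip one layer at a time in a private work directory and print what is
# left. The depth cap stops a hostile blob from keeping us decompressing forever.
unwrap() {
    work=$(mktemp -d) || return 1
    cp "$1" "$work/layer" || return 1
    depth=0
    while [ "$depth" -lt 20 ]; do
        kind=$(detect_layer "$work/layer")
        if [ "$kind" = gzip ]; then
            gzip -dc "$work/layer" > "$work/next"
        elif [ "$kind" = bzip2 ]; then
            bzip2 -dc "$work/layer" > "$work/next"
        elif [ "$kind" = tar ]; then
            tar -xOf "$work/layer" > "$work/next"   # -O: members to stdout, like tar xO above
        else
            break
        fi || { rm -rf "$work"; return 1; }
        mv "$work/next" "$work/layer"
        depth=$((depth + 1))
    done
    cat "$work/layer"
    rm -rf "$work"
}

# Constructed sample: text -> gzip -> tar -> gzip -> tar (no real password inside).
# Prints the path of the outermost blob.
build_sample() {
    d=$(mktemp -d) || return 1
    printf 'The password is EXAMPLE-PLACEHOLDER\n' > "$d/data8.txt"
    gzip -c "$d/data8.txt" > "$d/data6.bin"
    (cd "$d" && tar -cf data4.bin data6.bin)
    gzip -c "$d/data4.bin" > "$d/data2.bin"
    (cd "$d" && tar -cf data.bin data2.bin)
    echo "$d/data.bin"
}

# Usage: sh unwrap.sh            (unwraps the constructed sample)
#        . ./unwrap.sh; unwrap data.bin
[ "${1:-}" = "" ] && [ "$(basename "$0")" = "unwrap.sh" ] && unwrap "$(build_sample)"
```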

Bandit 13 –> 14

Level Goal
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on
Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap

ssh bandit14@localhost -i ~/sshkey.private

Bandit 14 –> 15

Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap

bandit14@melinda:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
bandit14@melinda:~$ nc 127.0.0.1 30000
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr

Bandit 15 –> 16

Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…
Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap

bandit15@melinda:~$ openssl s_client -connect 127.0.0.1:30001
[.....SNIP.....]
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 5FDFACEC4E62460EC764BADD6B67427F38DCF0CB81AAE5842F10D1FAD42101FA
    Session-ID-ctx:
    Master-Key: 1C406358D3B1657EFC0462D7EB40ACC59C43F354A49F330AC83DC87CE26610D198CCCD415AC04A7976AF00287A8236B0
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1479382529
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
BfMYroe26WYalil77FoDi9qh59eK5xNr
HEARTBEATING
read R BLOCK
read:errno=0

Like the description said... use the option '-ign_eof'.

bandit15@melinda:~$ openssl s_client -connect 127.0.0.1:30001 -ign_eof
[.....SNIP.....]
SSL-Session:
 Protocol : SSLv3
 Cipher : DHE-RSA-AES256-SHA
 Session-ID: 88ABDF58DCCE6B9EDA7239B341F6C870F66D825BEFD4F1A649450A94DB3379A8
 Session-ID-ctx:
 Master-Key: D8144BB9C00E67BA8BFD957218AA463D8D9F69758DFDA09B1B5C5A81F7F20E57C07CC37BC8737F9068E0BE74D4F4CC01
 Key-Arg : None
 PSK identity: None
 PSK identity hint: None
 SRP username: None
 Start Time: 1479383048
 Timeout : 300 (sec)
 Verify return code: 18 (self signed certificate)
---
BfMYroe26WYalil77FoDi9qh59eK5xNr
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd

Level 16 –> 17

Level Goal
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap

bandit16@melinda:~$ openssl s_client -connect 127.0.0.1:31790 -ign_eof
[.....SNIP.....]
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 1F920AD285BE63215E25B0C81978DF0156485C7FBA938A3FAD0F7353F8770ABD
    Session-ID-ctx:
    Master-Key: 651F331E9EF2A11B5288A4B3FBBD6B73D4B0C5917CCCAE08006D0FBF6E24C5DA5DE91587FB11CDEED2F84E93557F1DF1
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1479383980
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
cluFn7wTiGryunymYOu4RcffSxQluehd
Correct!
-----BEGIN RSA PRIVATE KEY-----
[.....SNIP.....]
-----END RSA PRIVATE KEY-----

The private key is not passphrase protected. Save it in a text file for later use.

Bandit 17 –> 18

Level Goal
There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new
NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19
Commands you may need to solve this level
cat, grep, ls, diff
When logging in to this level, use the private key from the previous session.

bandit17@melinda:~$ vim -d passwords.old passwords.new
[....SNIP.....]
kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd

Bandit 18 –> 19

Level Goal
The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
Commands you may need to solve this level
ssh, ls, cat
When using Bitvise SSH you can grab the 'readme' file from the server and read it.
Another solution is to set up PuTTY with a remote command: /bin/bash -norc
Here '/bin/bash' tells PuTTY which shell to run the remote command with, and the option --norc tells that shell to skip the .bashrc "profile" file. Bypassing .bashrc means the script that logs us out never runs.

Bandit 19 –> 20

Level Goal
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

bandit19@melinda:~$ ./bandit20-do
Run a command as another user.
bandit19@melinda:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j

Level 20 –> 21

Level Goal
There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
NOTE: To beat this level, you need to login twice: once to run the setuid command, and once to start a network daemon to which the setuid will connect.
NOTE 2: Try connecting to your own network daemon to see if it works as you think
Commands you may need to solve this level
ssh, nc, cat

bandit20@melinda:~$ ls -lah
total 28K
drwxr-xr-x   2 root     root     4.0K Nov 14  2014 .
drwxr-xr-x 172 root     root     4.0K Jul 10 14:12 ..
-rw-r--r--   1 root     root      220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root     root     3.6K Apr  9  2014 .bashrc
-rw-r--r--   1 root     root      675 Apr  9  2014 .profile
-rwsr-x---   1 bandit21 bandit20 7.9K Nov 14  2014 suconnect

Step 1 – Terminal 1 – Start listener

bandit20@melinda:~$ nc -lvnp 31337
Listening on [0.0.0.0] (family 0, port 31337)

Step 1 – Terminal 2 – Execute binary

bandit20@melinda:~$ ./suconnect 31337

Step 2 – Terminal 1 – Enter password from last level

GbKksEFF4yrVs6il55v6gwY5aVje5f0j
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr

Level 21 –> 22

Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
Commands you may need to solve this level
cron, crontab, crontab(5) (use “man 5 crontab” to access this)

bandit21@melinda:/etc/cron.d$ cat cronjob_bandit22
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
bandit21@melinda:/etc/cron.d$ cd /usr/bin
bandit21@melinda:/usr/bin$ cat cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
bandit21@melinda:/usr/bin$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

Level 22 –> 23

Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
Commands you may need to solve this level
cron, crontab, crontab(5) (use “man 5 crontab” to access this)

bandit22@melinda:/etc/cron.d$ cat cronjob_bandit23
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
bandit22@melinda:/etc/cron.d$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget
bandit22@melinda:/etc/cron.d$ echo "I am user bandit23" | md5sum | cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349
bandit22@melinda:/etc/cron.d$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n

Level 23 –> 24

Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…
Commands you may need to solve this level
cron, crontab, crontab(5) (use “man 5 crontab” to access this)

bandit23@melinda:/etc/cron.d$ cat cronjob_bandit24
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
bandit23@melinda:/etc/cron.d$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash
myname=$(whoami)
cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        timeout -s 9 60 "./$i"
        rm -f "./$i"
    fi
done

The cronjob runs all the scripts in ‘/var/spool/bandit24’.

bandit23@melinda:/$ cd /var/spool/bandit24
bandit23@melinda:/var/spool/bandit24$ ls -lah
total 153K
drwxrwxr-x 2 bandit24 bandit23 148K Nov 23 08:24 .
drwxr-xr-x 6 root     root     4.0K May  3  2015 ..

This folder is group-writable for me (bandit23 is the group owner). Let's add a script for the cronjob script to execute.

bandit23@melinda:~$ mkdir /tmp/31337
bandit23@melinda:/tmp$ cd /tmp/31337
bandit23@melinda:/tmp/31337$ vi passwd.sh
#!/bin/bash
mkdir /tmp/31337-2
cat /etc/bandit_pass/bandit24 > /tmp/31337-2/passwd
~
bandit23@melinda:/tmp/31337$ chmod 777 passwd.sh && cp passwd.sh /var/spool/bandit24

Now to wait for the cronjob to run.

bandit23@melinda:~$ cd /tmp/31337-2
-bash: cd: /tmp/31337-2: No such file or directory
bandit23@melinda:~$ cd /tmp/31337-2
bandit23@melinda:/tmp/31337-2$ ls
passwd
bandit23@melinda:/tmp/31337-2$ cat passwd
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
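Levels 21 to 23 all come down to reading a /etc/cron.d entry and asking who can change what that job runs. As an added example (not from the original write-up), the audit below parses /etc/cron.d-style lines (`min hour dom mon dow USER COMMAND`), and for each job reports whether the command file or its parent directory is writable by the group or by others, which is exactly the condition the bandit24 spool directory (`drwxrwxr-x bandit24 bandit23`) is in. It only looks at the command path itself; a job like cronjob_bandit24.sh that executes files from another directory still needs the script to be read, as the write-up does. Assumes POSIX sh and find; the cron file and paths in the usage section are constructed.

```shell
#!/bin/sh
# Added example, not part of the original write-up or of OverTheWire.

# Print who besides the owner may write to path $1: group, other,
# group,other, or none. Octal -perm tests keep this portable across find versions.
writable_by() {
    who=""
    [ -n "$(find "$1" -prune -perm -020 -print 2>/dev/null)" ] && who="group"
    [ -n "$(find "$1" -prune -perm -002 -print 2>/dev/null)" ] && who="${who:+$who,}other"
    echo "${who:-none}"
}

# Audit one /etc/cron.d file. Each non-comment line is
#   min hour dom mon dow USER COMMAND [args...]
# Prints one line per job and returns 1 if any job's command file or its
# directory can be modified by someone other than the owner.
audit_cron_file() {
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        set -f                      # the schedule fields are '*': no globbing
        set -- $line
        set +f
        [ "$#" -ge 7 ] || { echo "SKIP malformed line: $line"; continue; }
        user=$6
        cmd=$7
        case "$cmd" in
            /*) ;;
            *)  echo "SKIP user=$user cmd=$cmd (relative path, resolved via PATH)"; continue ;;
        esac
        f=$(writable_by "$cmd")
        d=$(writable_by "$(dirname "$cmd")")
        if [ "$f" != none ] || [ "$d" != none ]; then
            echo "WRITABLE user=$user cmd=$cmd file=$f dir=$d"
            status=1
        else
            echo "OK user=$user cmd=$cmd"
        fi
    done < "$1"
    return $status
}

# Usage on a real host: audit_cron_file /etc/cron.d/cronjob_bandit24
# The helper below builds a constructed cron file with one safe job and one
# whose directory is group-writable, and prints the path of that cron file.
build_sample_cron() {
    t=$(mktemp -d) || return 1
    mkdir "$t/good" "$t/spool"
    printf '#!/bin/sh\n' > "$t/good/job.sh"
    printf '#!/bin/sh\n' > "$t/spool/job.sh"
    chmod 755 "$t/good" "$t/good/job.sh" "$t/spool/job.sh"
    chmod 775 "$t/spool"                    # same mode as /var/spool/bandit24 above
    printf '# constructed sample\n* * * * * bandit22 %s &> /dev/null\n* * * * * bandit24 %s\n' \
        "$t/good/job.sh" "$t/spool/job.sh" > "$t/cronjob_sample"
    echo "$t/cronjob_sample"
}
```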

Level 24 –> 25

Level Goal
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pin-code except by going through all of the 10000 combinations, called brute-forcing.

bandit24@melinda:/tmp/31337$ for i in $(seq -w 0000 9999); do echo "Brute-forcing $i"; echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i" | nc 127.0.0.1 30002; done

After some waiting, I got the password for the next and final level.

Brute-forcing 0001
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
Wrong! Please enter the correct pincode. Try again.
Exiting.
[.....SNIP.....]
Brute-forcing 5669
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
Correct!
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

Level 25 –> 26

Level Goal
Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.
Commands you may need to solve this level
ssh, cat, more, vi, ls, id, pwd

bandit25@melinda:~$ ls
bandit26.sshkey
bandit25@melinda:~$ ssh -i bandit26.sshkey bandit26@localhost
Could not create directory '/home/bandit25/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is 05:3a:1c:25:35:0a:ed:2f:cd:87:1c:f6:fe:69:e4:f6.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit25/.ssh/known_hosts).
This is the OverTheWire game server. More information on http://www.overthewire.org/wargames
Please note that wargame usernames are no longer level<X>, but wargamename<X>
e.g. vortex4, semtex2, ...
Note: at this moment, blacksun is not available.
Welcome to the OverTheWire games machine!
If you find any problems, please report them to Steven on
irc.overthewire.org.
--[ Playing the games ]--
 This machine holds several wargames.
 If you are playing "somegame", then:
 * USERNAMES are somegame0, somegame1, ...
 * Most LEVELS are stored in /somegame/.
 * PASSWORDS for each level are stored in /etc/somegame_pass/.
 Write-access to homedirectories is disabled. It is advised to create a
 working directory with a hard-to-guess name in /tmp/. You can use the
 command "mktemp -d" in order to generate a random and hard to guess
 directory in /tmp/. Read-access to both /tmp/ and /proc/ is disabled
 so that users can not snoop on eachother.
 Please play nice:
 * don't leave orphan processes running
 * don't leave exploit-files laying around
 * don't annoy other players
 * don't post passwords or spoilers
 * again, DONT POST SPOILERS!
 This includes writeups of your solution on your blog or website!
--[ Tips ]--
 This machine has a 64bit processor and many security-features enabled
 by default, although ASLR has been switched off. The following
 compiler flags might be interesting:
 -m32 compile for 32bit
 -fno-stack-protector disable ProPolice
 -Wl,-z,norelro disable relro
 In addition, the execstack tool can be used to flag the stack as
 executable on ELF binaries.
 Finally, network-access is limited for most levels by a local
 firewall.
--[ Tools ]--
 For your convenience we have installed a few usefull tools which you can find
 in the following locations:
 * peda (https://github.com/longld/peda.git) in /usr/local/peda/
 * gdbinit (https://github.com/gdbinit/Gdbinit) in /usr/local/gdbinit/
 * pwntools (https://github.com/Gallopsled/pwntools) in /usr/src/pwntools/
 * radare2 (http://www.radare.org/) should be in $PATH
--[ More information ]--
 For more information regarding individual wargames, visit
 http://www.overthewire.org/wargames/
 For questions or comments, contact us through IRC on
 irc.overthewire.org.
Connection to localhost closed.

Connecting from bandit25 to bandit26 was easy indeed. Unfortunately the connection is closed immediately.
The hint said the shell for bandit26 wasn't /bin/bash, but something else.

bandit25@melinda:~$ cat /etc/passwd | grep bandit26
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
bandit25@melinda:~$ cat /usr/bin/showtext
#!/bin/sh
more ~/text.txt
exit 0

Ok, so in this case there is no /bin/bash, but a shell script that runs the more command on a text file. To make more actually stop and wait for input instead of printing everything and exiting, I need to adjust (shrink) my terminal window before connecting with ssh.

bandit25@melinda:~$ ssh -i bandit26.sshkey bandit26@localhost

[screenshot: level25_ssh]
When looking at man more there is an interesting part: a key that opens the text being shown in an editor, which here is vim.
[screenshot: vim]
[screenshot: text_only]
Once inside vim use :r /etc/bandit_pass/bandit26
[screenshot: flag]

Level 26 –> 27

At this moment, level 27 does not exist yet.
