Bandit
Introduction
The Bandit wargame is aimed at absolute beginners. It will teach the basics needed to be able to play other wargames.
Location
http://overthewire.org/wargames/bandit/
Bandit 0 –> 1
Level Goal
The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH to log into that level and continue the game.
Commands you may need to solve this level
ls, cd, cat, file, du, find
bandit0@melinda:~$ pwd
/home/bandit0
bandit0@melinda:~$ ls
readme
bandit0@melinda:~$ cat readme
boJ9jbbUNNfktd78OOpsqOltutMc3MY1
Bandit 1 –> 2
Level Goal
The password for the next level is stored in a file called – located in the home directory
Commands you may need to solve this level
ls, cd, cat, file, du, find
bandit1@melinda:~$ pwd
/home/bandit1
bandit1@melinda:~$ ls -lah
total 24K
-rw-r-----   1 bandit2 bandit1   33 Nov 14  2014 -
drwxr-xr-x   2 root    root    4.0K Nov 14  2014 .
drwxr-xr-x 172 root    root    4.0K Jul 10 14:12 ..
-rw-r--r--   1 root    root     220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root    root    3.6K Apr  9  2014 .bashrc
-rw-r--r--   1 root    root     675 Apr  9  2014 .profile
bandit1@melinda:~$ cat ./-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

A bare - as an argument means "standard input" to cat (and to most other tools), so the file has to be named with a path prefix, ./-, to be read as a file.
Bandit 2 –> 3
Level Goal
The password for the next level is stored in a file called spaces in this filename located in the home directory
Commands you may need to solve this level
ls, cd, cat, file, du, find
bandit2@melinda:~$ pwd
/home/bandit2
bandit2@melinda:~$ ls -lah
total 24K
drwxr-xr-x   2 root    root    4.0K Nov 14  2014 .
drwxr-xr-x 172 root    root    4.0K Jul 10 14:12 ..
-rw-r--r--   1 root    root     220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root    root    3.6K Apr  9  2014 .bashrc
-rw-r--r--   1 root    root     675 Apr  9  2014 .profile
-rw-r-----   1 bandit3 bandit2   33 Nov 14  2014 spaces in this filename
bandit2@melinda:~$ cat "spaces in this filename"
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
Bandit 3 –> 4
Level Goal
The password for the next level is stored in a hidden file in the inhere directory.
Commands you may need to solve this level
ls, cd, cat, file, du, find
bandit3@melinda:~$ ls -aRl
.:
total 24
drwxr-xr-x   3 root root 4096 Nov 14  2014 .
drwxr-xr-x 172 root root 4096 Jul 10 14:12 ..
-rw-r--r--   1 root root  220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root root 3637 Apr  9  2014 .bashrc
-rw-r--r--   1 root root  675 Apr  9  2014 .profile
drwxr-xr-x   2 root root 4096 Nov 14  2014 inhere

./inhere:
total 12
drwxr-xr-x 2 root    root    4096 Nov 14  2014 .
drwxr-xr-x 3 root    root    4096 Nov 14  2014 ..
-rw-r----- 1 bandit4 bandit3   33 Nov 14  2014 .hidden
bandit3@melinda:~$ cat ./inhere/.hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB
Bandit 4 –> 5
Level Goal
The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.
Commands you may need to solve this level
ls, cd, cat, file, du, find
bandit4@melinda:~$ ls -aRl
.:
total 24
drwxr-xr-x   3 root root 4096 Nov 14  2014 .
drwxr-xr-x 172 root root 4096 Jul 10 14:12 ..
-rw-r--r--   1 root root  220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root root 3637 Apr  9  2014 .bashrc
-rw-r--r--   1 root root  675 Apr  9  2014 .profile
drwxr-xr-x   2 root root 4096 Oct 19 06:48 inhere

./inhere:
total 48
-rw-r----- 1 bandit5 bandit4   33 Nov 14  2014 -file00
-rw-r----- 1 bandit5 bandit4   33 Nov 14  2014 -file01
-rw-r----- 1 bandit5 bandit4   33 Nov 14  2014 -file02
-rw-r----- 1 bandit5 bandit4   33 Nov 14  2014 -file03
-rw-r----- 1 bandit5 bandit4   33 Nov 14  2014 -file04
-rw-r----- 1 bandit5 bandit4   33 Nov 14  2014 -file05
-rw-r----- 1 bandit5 bandit4   33 Nov 14  2014 -file06
-rw-r----- 1 bandit5 bandit4   33 Nov 14  2014 -file07
-rw-r----- 1 bandit5 bandit4   33 Nov 14  2014 -file08
-rw-r----- 1 bandit5 bandit4   33 Nov 14  2014 -file09
drwxr-xr-x 2 root    root    4096 Oct 19 06:48 .
drwxr-xr-x 3 root    root    4096 Nov 14  2014 ..
bandit4@melinda:~$ cat ./inhere/-f*
[binary output snipped]koReBOKuIDDepwhWk7jZC0RTdopnAYKh[binary output snipped]

Dumping all ten files at once spews nine files of binary data onto the terminal (which is why the level mentions reset); the password is the single run of 32 printable characters in the middle. The file command from the list above reports which of the ten is "ASCII text", which gets the same answer without the garbage.
Bandit 5 –> 6
Level Goal
The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties: – human-readable – 1033 bytes in size – not executable
Commands you may need to solve this level
ls, cd, cat, file, du, find
bandit5@melinda:~$ find ./inhere -size 1033c
./inhere/maybehere07/.file2
bandit5@melinda:~$ cat ./inhere/maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7

The exact-size test (-size with a c suffix means bytes, not 512-byte blocks) already narrows it down to one file here, so the other two properties were not needed; in general -type f and ! -executable would pin it down further.
Bandit 6 –> 7
Level Goal
The password for the next level is stored somewhere on the server and has all of the following properties: – owned by user bandit7 – owned by group bandit6 – 33 bytes in size
Commands you may need to solve this level
ls, cd, cat, file, du, find, grep
bandit6@melinda:~$ find / -size 33c -user bandit7 -group bandit6 2>/dev/null
/var/lib/dpkg/info/bandit7.password
bandit6@melinda:~$ cat /var/lib/dpkg/info/bandit7.password
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

The 2>/dev/null discards the "Permission denied" lines find prints for every directory bandit6 cannot enter, leaving only the match.
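As an added example (not code from the original page), here is the Bandit 5 search written out with all three properties and run against a constructed directory tree, so it can be tried offline. Ownership tests such as the -user and -group switches of Bandit 6 need files owned by other accounts and are not reproduced here. The function names (is_text, find_readable_file, make_tree) are my own; "human-readable" is approximated as "no bytes outside printable ASCII", which avoids depending on the file utility.

```shell
#!/bin/sh
# Added example: locate a file by exact size, non-executable, human-readable.
# Assumes a find that understands -size Nc and -perm (GNU or busybox).

# is_text FILE: succeed if FILE holds only printable ASCII and whitespace.
# In the C locale [:print:] is 0x20-0x7e; grep -q exits 0 on the first bad byte.
is_text() {
    ! LC_ALL=C grep -q '[^[:print:][:space:]]' "$1"
}

# find_readable_file DIR SIZE: regular files under DIR that are exactly SIZE
# bytes, lack the owner-execute bit (-perm -100) and pass is_text.
find_readable_file() {
    find "$1" -type f -size "${2}c" ! -perm -100 -print |
    while IFS= read -r f; do
        is_text "$f" && printf '%s\n' "$f"
    done
}

# make_tree DIR: constructed sample data shaped like the level's inhere/.
# Three 1033-byte decoys each fail exactly one property; one file is the target.
make_tree() {
    mkdir -p "$1/maybehere00" "$1/maybehere07"
    head -c 1033 /dev/zero | tr '\0' 'a'    > "$1/maybehere07/.file2"      # target
    head -c 1033 /dev/zero | tr '\0' '\001' > "$1/maybehere00/.file1"      # binary
    head -c 1033 /dev/zero | tr '\0' 'a'    > "$1/maybehere00/-file3"
    chmod 755 "$1/maybehere00/-file3"                                       # executable
    head -c 1032 /dev/zero | tr '\0' 'a'    > "$1/maybehere00/spaces file" # wrong size
}

# Stand-alone run:
#   d=$(mktemp -d); make_tree "$d/inhere"; find_readable_file "$d/inhere" 1033
```

The decoy names start with a dash and contain a space on purpose: because the loop only ever passes the path as a quoted argument, neither trips up the script.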
Bandit 7 –> 8
Level Goal
The password for the next level is stored in the file data.txt next to the word millionth
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd
bandit7@melinda:/$ find / -type f -exec grep -l millionth {} + 2>/dev/null
/proc/374/task/374/cmdline
/home/bandit7/data.txt
/usr/lib/perl/5.18.2/Time/HiRes.pm
/usr/share/dict/american-english
bandit7@melinda:/$ grep millionth /home/bandit7/data.txt
millionth       cvX2JJa4CFALtqS87jk27qwqGhBM9plV

The filesystem-wide search was not needed (the goal names data.txt); it is shown because it is a useful habit. The /proc hit is the command line of the running grep itself, which of course contains the word.
Bandit 8 –> 9
Level Goal
The password for the next level is stored in the file data.txt and is the only line of text that occurs only once
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd
bandit8@melinda:~$ sort data.txt | uniq -u
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

uniq only compares adjacent lines, so the input must be sorted first; -u then prints only the lines that have no duplicate.
Bandit 9 –> 10
Level Goal
The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd
bandit9@melinda:~$ strings data.txt | grep "=="
I========== the6
========== password
========== ism
========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
Bandit 10 –> 11
Level Goal
The password for the next level is stored in the file data.txt, which contains base64 encoded data
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd
bandit10@melinda:~$ base64 -d data.txt
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR
Bandit 11 –> 12
Level Goal
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd
bandit11@melinda:~$ tr 'A-Za-z' 'N-ZA-Mn-za-m' data.txt
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

tr maps each letter of the first set to the letter at the same position in the second; shifting both alphabets by 13 is ROT13, which is its own inverse, so the same command both encodes and decodes.
Bandit 12 –> 13
Level Goal
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd, mkdir, cp, mv
bandit12@melinda:~$ cd /tmp
bandit12@melinda:/tmp$ mkdir n13mant
bandit12@melinda:/tmp$ cd n13mant
bandit12@melinda:/tmp/n13mant$ cp /home/bandit12/data.txt .
bandit12@melinda:/tmp/n13mant$ xxd -r data.txt data.bin
bandit12@melinda:/tmp/n13mant$ file data.bin
data.bin: gzip compressed data, was "data2.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
bandit12@melinda:/tmp/n13mant$ zcat data.bin | file -
/dev/stdin: bzip2 compressed data, block size = 900k
bandit12@melinda:/tmp/n13mant$ zcat data.bin | bzcat | file -
/dev/stdin: gzip compressed data, was "data4.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
bandit12@melinda:/tmp/n13mant$ zcat data.bin | bzcat | zcat | file -
/dev/stdin: POSIX tar archive (GNU)
bandit12@melinda:/tmp/n13mant$ zcat data.bin | bzcat | zcat | tar xO | file -
/dev/stdin: POSIX tar archive (GNU)
bandit12@melinda:/tmp/n13mant$ zcat data.bin | bzcat | zcat | tar xO | tar xO | file -
/dev/stdin: bzip2 compressed data, block size = 900k
bandit12@melinda:/tmp/n13mant$ zcat data.bin | bzcat | zcat | tar xO | tar xO | bzcat | file -
/dev/stdin: POSIX tar archive (GNU)
bandit12@melinda:/tmp/n13mant$ zcat data.bin | bzcat | zcat | tar xO | tar xO | bzcat | tar xO | file -
/dev/stdin: gzip compressed data, was "data9.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
bandit12@melinda:/tmp/n13mant$ zcat data.bin | bzcat | zcat | tar xO | tar xO | bzcat | tar xO | zcat | file -
/dev/stdin: ASCII text
bandit12@melinda:/tmp/n13mant$ zcat data.bin | bzcat | zcat | tar xO | tar xO | bzcat | tar xO | zcat
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

xxd -r turns the hexdump back into bytes. From there the pattern is always the same: pipe the partially unwrapped stream into file - to learn what the next layer is, then append the matching tool (zcat for gzip, bzcat for bzip2, tar xO to extract the archive's member to stdout) and repeat until file reports ASCII text.
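The same unwrapping can be done by a loop that inspects magic bytes instead of calling file and growing the pipeline by hand. The following is an added example, not code from the page: layer_type and unwrap are my own names, it assumes gzip, bzip2 and tar are on PATH and that each tar layer holds a single member, and it only calls xxd when the input actually looks like a hexdump.

```shell
#!/bin/sh
# Added example: peel nested gzip / bzip2 / tar layers by magic bytes.

# layer_type FILE: print one of gzip, bzip2, tar, hexdump, plain.
layer_type() {
    magic=$(head -c 3 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        1f8b*)  echo gzip;  return ;;   # gzip: 1f 8b
        425a68) echo bzip2; return ;;   # bzip2: "BZh"
    esac
    # ustar headers carry the string "ustar" at byte offset 257.
    if [ "$(tail -c +258 "$1" | head -c 5)" = ustar ]; then
        echo tar
    elif head -n 1 "$1" | grep -Eq '^[0-9a-f]{7,8}: '; then
        echo hexdump                    # xxd-style "00000000: 1f8b ..."
    else
        echo plain
    fi
}

# unwrap FILE: strip every layer and write the innermost payload to stdout.
# Each step goes through a scratch file so the next iteration can re-inspect it.
unwrap() {
    work=$(mktemp -d)
    cp "$1" "$work/cur"
    while :; do
        case "$(layer_type "$work/cur")" in
            gzip)    gzip  -dc  "$work/cur" > "$work/next" ;;
            bzip2)   bzip2 -dc  "$work/cur" > "$work/next" ;;
            tar)     tar   -xOf "$work/cur" > "$work/next" ;;
            hexdump) xxd   -r   "$work/cur" > "$work/next" ;;
            plain)   cat "$work/cur"; rm -rf "$work"; return 0 ;;
        esac
        mv "$work/next" "$work/cur"
    done
}

# Stand-alone run on the level's file, from a scratch directory under /tmp:
#   unwrap data.txt
```

Detecting by magic bytes rather than by file name matters because every layer in this level is called dataN.bin regardless of format; the gzip header even records the previous layer's name, which is why file prints was "data2.bin".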
Bandit 13 –> 14
Level Goal
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on
Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap
ssh bandit14@localhost -i ~/sshkey.private

-i selects the private key to authenticate with; ssh silently ignores a key file that is readable by other users, so the file must be mode 600.
Bandit 14 –> 15
Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap
bandit14@melinda:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
bandit14@melinda:~$ nc 127.0.0.1 30000
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr
Bandit 15 –> 16
Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…
Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap
bandit15@melinda:~$ openssl s_client -connect 127.0.0.1:30001
[.....SNIP.....]
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 5FDFACEC4E62460EC764BADD6B67427F38DCF0CB81AAE5842F10D1FAD42101FA
    Session-ID-ctx:
    Master-Key: 1C406358D3B1657EFC0462D7EB40ACC59C43F354A49F330AC83DC87CE26610D198CCCD415AC04A7976AF00287A8236B0
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1479382529
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
BfMYroe26WYalil77FoDi9qh59eK5xNr
HEARTBEATING
read R BLOCK
read:errno=0
Like the level description says, use -ign_eof. Without it s_client is in interactive mode: a line that begins with B is taken as its heartbeat command rather than as data (hence HEARTBEATING), and since this password happens to start with a B it is never sent to the server; the client then closes as soon as stdin reaches end-of-file. -ign_eof (or -quiet) disables those line commands and keeps the session open for the server's reply.
bandit15@melinda:~$ openssl s_client -connect 127.0.0.1:30001 -ign_eof
[.....SNIP.....]
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 88ABDF58DCCE6B9EDA7239B341F6C870F66D825BEFD4F1A649450A94DB3379A8
    Session-ID-ctx:
    Master-Key: D8144BB9C00E67BA8BFD957218AA463D8D9F69758DFDA09B1B5C5A81F7F20E57C07CC37BC8737F9068E0BE74D4F4CC01
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1479383048
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
BfMYroe26WYalil77FoDi9qh59eK5xNr
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd
Bandit 16 –> 17
Level Goal
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap
bandit16@melinda:~$ openssl s_client -connect 127.0.0.1:31790 -ign_eof
[.....SNIP.....]
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 1F920AD285BE63215E25B0C81978DF0156485C7FBA938A3FAD0F7353F8770ABD
    Session-ID-ctx:
    Master-Key: 651F331E9EF2A11B5288A4B3FBBD6B73D4B0C5917CCCAE08006D0FBF6E24C5DA5DE91587FB11CDEED2F84E93557F1DF1
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1479383980
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
cluFn7wTiGryunymYOu4RcffSxQluehd
Correct!
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
-----END RSA PRIVATE KEY-----
The private key is not passphrase protected. Save it in a text file for later use: home directories on the game server are not writable (see the login banner further down), so put it in a hard-to-guess directory under /tmp, and chmod it to 600, because ssh refuses to use a key file that other users can read.
Bandit 17 –> 18
Level Goal
There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new
NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19
Commands you may need to solve this level
cat, grep, ls, diff
When logging in to this level, use the private key from the previous session.
bandit17@melinda:~$ vim -d passwords.old passwords.new
[....SNIP.....]
kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd

vim -d highlights the one differing line side by side; plain diff, also in the list above, prints just that line.
Bandit 18 –> 19
Level Goal
The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
Commands you may need to solve this level
ssh, ls, cat
When using Bitvise SSH, which has a built-in SFTP window, you can fetch the readme file from the server and read it locally.
Another solution is to set up PuTTY with a remote command:
/bin/bash --norc
PuTTY runs that string instead of the interactive login shell: /bin/bash is the shell to start and --norc tells it not to read ~/.bashrc, so the logout command planted there never executes. Any other SSH client can do the same by passing the command to run as the last argument on its command line.
Bandit 19 –> 20
Level Goal
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.
bandit19@melinda:~$ ./bandit20-do
Run a command as another user.
bandit19@melinda:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Bandit 20 –> 21
Level Goal
There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
NOTE: To beat this level, you need to login twice: once to run the setuid command, and once to start a network daemon to which the setuid will connect.
NOTE 2: Try connecting to your own network daemon to see if it works as you think
Commands you may need to solve this level
ssh, nc, cat
bandit20@melinda:~$ ls -lah
total 28K
drwxr-xr-x   2 root     root     4.0K Nov 14  2014 .
drwxr-xr-x 172 root     root     4.0K Jul 10 14:12 ..
-rw-r--r--   1 root     root      220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root     root     3.6K Apr  9  2014 .bashrc
-rw-r--r--   1 root     root      675 Apr  9  2014 .profile
-rwsr-x---   1 bandit21 bandit20 7.9K Nov 14  2014 suconnect

The s in -rwsr-x--- is the setuid bit: suconnect runs with bandit21's privileges, and only members of group bandit20 may execute it.
Step 1 – Terminal 1 – Start listener
bandit20@melinda:~$ nc -lvnp 31337
Listening on [0.0.0.0] (family 0, port 31337)
Step 2 – Terminal 2 – Execute binary
bandit20@melinda:~$ ./suconnect 31337
Step 3 – Terminal 1 – Enter password from last level
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr

The first line is the bandit20 password typed into the listener; the second is what suconnect sends back over the same connection once the password matches.
Bandit 21 –> 22
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
Commands you may need to solve this level
cron, crontab, crontab(5) (use “man 5 crontab” to access this)
bandit21@melinda:/etc/cron.d$ cat cronjob_bandit22
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
bandit21@melinda:/etc/cron.d$ cd /usr/bin
bandit21@melinda:/usr/bin$ cat cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
bandit21@melinda:/usr/bin$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

The sixth field of a /etc/cron.d entry is the user the job runs as: every minute, bandit22 copies its own password into a world-readable file in /tmp.
Bandit 22 –> 23
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
Commands you may need to solve this level
cron, crontab, crontab(5) (use “man 5 crontab” to access this)
bandit22@melinda:/etc/cron.d$ cat cronjob_bandit23
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
bandit22@melinda:/etc/cron.d$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget
bandit22@melinda:/etc/cron.d$ echo "I am user bandit23" | md5sum | cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349
bandit22@melinda:/etc/cron.d$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n

The script derives the output file name from whoami, and cron runs it as bandit23, so substituting that name into the same md5sum pipeline reproduces the path.
Bandit 23 –> 24
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…
Commands you may need to solve this level
cron, crontab, crontab(5) (use “man 5 crontab” to access this)
bandit23@melinda:/etc/cron.d$ cat cronjob_bandit24
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
bandit23@melinda:/etc/cron.d$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        timeout -s 9 60 "./$i"
        rm -f "./$i"
    fi
done
The cron job, running as bandit24, executes every file in /var/spool/bandit24 (killing each after 60 seconds) and then deletes it.
bandit23@melinda:/$ cd /var/spool/bandit24
bandit23@melinda:/var/spool/bandit24$ ls -lah
total 153K
drwxrwxr-x 2 bandit24 bandit23 148K Nov 23 08:24 .
drwxr-xr-x 6 root     root     4.0K May  3  2015 ..
The directory belongs to group bandit23 and is group-writable (drwxrwxr-x), so bandit23 can drop a script in it for the cron job to execute as bandit24.
bandit23@melinda:~$ mkdir /tmp/31337
bandit23@melinda:~$ cd /tmp/31337
bandit23@melinda:/tmp/31337$ vi passwd.sh
#!/bin/bash
mkdir /tmp/31337-2
cat /etc/bandit_pass/bandit24 > /tmp/31337-2/passwd
bandit23@melinda:/tmp/31337$ chmod 777 passwd.sh && cp passwd.sh /var/spool/bandit24

The script must be executable because the cron job runs it as "./$i". Mode 755 is enough; 777 also lets any other player edit the script in the spool directory before bandit24 runs it. The script creates the output directory itself so that it is owned by bandit24 and the redirect inside it succeeds.
Now to wait for the cron job to run. It fires once a minute, so the first attempt below fails because the script has not been executed yet.
bandit23@melinda:~$ cd /tmp/31337-2
-bash: cd: /tmp/31337-2: No such file or directory
bandit23@melinda:~$ cd /tmp/31337-2
bandit23@melinda:/tmp/31337-2$ ls
passwd
bandit23@melinda:/tmp/31337-2$ cat passwd
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
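Levels 21 to 23 are all the same exercise: read a cron.d entry, note which user it runs as, and check whether that script, or the directory it pulls work from, can be modified by someone else. As an added example (not code from the page), the audit below does that for a whole cron.d directory; the function names (loose_perms, classify, audit_cron_d) are my own, and the test data at the end is constructed to mirror the three levels. It checks the permission bits from ls -l rather than asking "can I write this?", so the verdict is the same whichever account runs it.

```shell
#!/bin/sh
# Added example: list cron.d jobs and flag scripts another user could alter.
# Assumes /etc/cron.d style lines (5 schedule fields, user, command) or
# @reboot-style specials, and the usual ls -l mode string format.

# loose_perms PATH: succeed if PATH is writable by group or by others.
# Chars 6 and 9 of the mode string are the g+w and o+w bits.
loose_perms() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# classify SCRIPT: MISSING, SCRIPT_WRITABLE, DIR_WRITABLE or ok.
classify() {
    if [ ! -e "$1" ]; then
        echo MISSING
    elif loose_perms "$1"; then
        echo SCRIPT_WRITABLE
    elif loose_perms "$(dirname "$1")"; then
        echo DIR_WRITABLE
    else
        echo ok
    fi
}

# audit_cron_d DIR: print "USER SCRIPT STATUS" for every job in DIR/*.
audit_cron_d() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Skip comments, blank lines and NAME=value settings such as SHELL=.
        grep -Ev '^[[:space:]]*#|^[[:space:]]*$|^[A-Za-z_][A-Za-z0-9_]*=' "$f" |
        while IFS= read -r line; do
            set -f                  # the schedule fields are literal '*'; no globbing
            set -- $line
            set +f
            case "$1" in
                @*) user=$2; script=$3 ;;   # @reboot user command
                *)  user=$6; script=$7 ;;   # min hour dom mon dow user command
            esac
            printf '%s %s %s\n' "$user" "$script" "$(classify "$script")"
        done
    done
}

# Stand-alone run on the game server:
#   audit_cron_d /etc/cron.d
```

On the Bandit host this reports the bandit24 job as ok (the script itself is root-owned), which is the point: the weakness there is not the script but the group-writable spool directory it iterates over, a second-order dependency a file-permission audit only catches if it follows what the script reads.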
Bandit 24 –> 25
Level Goal
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pin-code except by going through all of the 10000 combinations, called brute-forcing.
bandit24@melinda:/tmp/31337$ for i in $(seq -w 0000 9999); do echo "Brute-forcing $i"; echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i" | nc 127.0.0.1 30002; done

seq -w zero-pads the counter so every candidate is four digits. This loop opens a new connection per PIN, which is why it takes a while; the "Try again." in the output shows the daemon keeps reading after a wrong guess, so all candidates could be streamed through one connection instead.
After some waiting, I got the password for the next and final level.
Brute-forcing 0001
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
Wrong! Please enter the correct pincode. Try again.
Exiting.
[.....SNIP.....]
Brute-forcing 5669
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
Correct!
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
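The single-connection variant, as an added example that is not from the page: candidates generates all 10000 "password PIN" lines, crack streams them through a checker and keeps only replies that are not "Wrong!", and mock_checker stands in for the port 30002 daemon so the whole thing runs offline (its reply strings copy the transcript; the secret it returns is a constructed placeholder). All three function names are my own.

```shell
#!/bin/sh
# Added example: Bandit 24 brute force over one connection.

# candidates PASSWORD: print "PASSWORD 0000" .. "PASSWORD 9999".
# printf does the zero padding, so this does not rely on seq -w.
candidates() {
    i=0
    while [ "$i" -le 9999 ]; do
        printf '%s %04d\n' "$1" "$i"
        i=$((i + 1))
    done
}

# mock_checker PASSWORD PIN: stand-in for the daemon. Reads "password pin"
# lines from stdin, answers each one, and stops after the first match.
mock_checker() {
    while read -r pw pin; do
        if [ "$pw" = "$1" ] && [ "$pin" = "$2" ]; then
            echo "Correct! The password of user bandit25 is <constructed-secret>"
            return 0
        fi
        echo "Wrong! Please enter the correct pincode. Try again."
    done
    echo "Exiting."
    return 1
}

# crack PASSWORD CHECKER...: stream every candidate through CHECKER and
# drop the "Wrong!" lines. Against the real daemon CHECKER would be
#   nc 127.0.0.1 30002
crack() {
    pw=$1; shift
    candidates "$pw" | "$@" | grep -v '^Wrong!'
}

# Stand-alone run against the mock, PIN 5669 as in the transcript:
#   crack 'UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ' mock_checker 'UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ' 5669
```

With the real daemon, check how your nc build behaves once stdin reaches end-of-file: some versions close the socket immediately, in which case the last replies are lost unless nc is told to linger after EOF.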
Bandit 25 –> 26
Level Goal
Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.
Commands you may need to solve this level
ssh, cat, more, vi, ls, id, pwd
bandit25@melinda:~$ ls
bandit26.sshkey
bandit25@melinda:~$ ssh -i bandit26.sshkey bandit26@localhost
Could not create directory '/home/bandit25/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is 05:3a:1c:25:35:0a:ed:2f:cd:87:1c:f6:fe:69:e4:f6.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit25/.ssh/known_hosts).
This is the OverTheWire game server. More information on http://www.overthewire.org/wargames

Please note that wargame usernames are no longer level<X>, but wargamename<X>
e.g. vortex4, semtex2, ...
Note: at this moment, blacksun is not available.

[ASCII-art OverTheWire logo snipped]

Welcome to the OverTheWire games machine!
If you find any problems, please report them to Steven on irc.overthewire.org.

--[ Playing the games ]--

This machine holds several wargames.
If you are playing "somegame", then:
  * USERNAMES are somegame0, somegame1, ...
  * Most LEVELS are stored in /somegame/.
  * PASSWORDS for each level are stored in /etc/somegame_pass/.

Write-access to homedirectories is disabled. It is advised to create a working directory with a hard-to-guess name in /tmp/.
You can use the command "mktemp -d" in order to generate a random and hard to guess directory in /tmp/.
Read-access to both /tmp/ and /proc/ is disabled so that users can not snoop on eachother.

Please play nice:
  * don't leave orphan processes running
  * don't leave exploit-files laying around
  * don't annoy other players
  * don't post passwords or spoilers
  * again, DONT POST SPOILERS! This includes writeups of your solution on your blog or website!

--[ Tips ]--

This machine has a 64bit processor and many security-features enabled by default, although ASLR has been switched off. The following compiler flags might be interesting:
  -m32                  compile for 32bit
  -fno-stack-protector  disable ProPolice
  -Wl,-z,norelro        disable relro

In addition, the execstack tool can be used to flag the stack as executable on ELF binaries.

Finally, network-access is limited for most levels by a local firewall.

--[ Tools ]--

For your convenience we have installed a few usefull tools which you can find in the following locations:
  * peda (https://github.com/longld/peda.git) in /usr/local/peda/
  * gdbinit (https://github.com/gdbinit/Gdbinit) in /usr/local/gdbinit/
  * pwntools (https://github.com/Gallopsled/pwntools) in /usr/src/pwntools/
  * radare2 (http://www.radare.org/) should be in $PATH

--[ More information ]--

For more information regarding individual wargames, visit http://www.overthewire.org/wargames/
For questions or comments, contact us through IRC on irc.overthewire.org.

[large-lettered "bandit26" text snipped]

Connection to localhost closed.
Connecting from bandit25 to bandit26 was easy indeed, but the session is closed again immediately after printing a large-lettered "bandit26". (The known_hosts warnings are harmless: they only say that bandit25's home directory is not writable.) The hint said the shell for bandit26 is not /bin/bash but something else, and /etc/passwd shows what it is.
bandit25@melinda:~$ grep bandit26 /etc/passwd
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
bandit25@melinda:~$ cat /usr/bin/showtext
#!/bin/sh
more ~/text.txt
exit 0
So the login shell is a script that pages ~/text.txt through more and then exits; the large-lettered banner seen above is that file. more only stops and waits for a keypress when the file does not fit on the screen, so before connecting with ssh the terminal window has to be shrunk to fewer lines than text.txt has.
bandit25@melinda:~$ ssh -i bandit26.sshkey bandit26@localhost
Looking at man more, the list of commands available at the --More-- prompt has an interesting entry: v starts an editor (vi) on the file currently being shown. Press v at the prompt, and once inside vim use
:r /etc/bandit_pass/bandit26
to read the bandit26 password into the buffer. The editor runs as bandit26, which is why it can read that file while the paged text.txt cannot.
Bandit 26 –> 27
At this moment, level 27 does not exist yet.