rtmoran.org — Cybersecurity and Linux Resource

CategoryOverTheWire – Bandit

Over the Wire’s Bandit Challenge – Level 20

Level 20 – bandit – overthewire

Level Instructions:

“There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: Try connecting to your own network daemon to see if it works as you think”

Continue reading “Over the Wire’s Bandit Challenge – Level 20”

Over the Wire’s Bandit Challenge – Level 19

Level 19 – bandit – overthewire

Level Instructions:

“To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.”


bandit19@bandit:~$ ls -la
total 28
drwxr-xr-x  2 root     root     4096 Dec 28  2017 .
drwxr-xr-x 42 root     root     4096 Jul 22 18:42 ..
-rw-r--r--  1 root     root      220 Sep  1  2015 .bash_logout
-rw-r--r--  1 root     root     3771 Sep  1  2015 .bashrc
-rw-r--r--  1 root     root      655 Jun 24  2016 .profile
-rwsr-x---  1 bandit20 bandit19 7408 Dec 28  2017 bandit20-do
bandit19@bandit:~$ ./bandit20-do
Run a command as another user.
  Example: ./bandit20-do id
bandit19@bandit:~$ ./bandit20-do id
uid=11019(bandit19) gid=11019(bandit19) euid=11020(bandit20) groups=11019(bandit19)
bandit19@bandit:~$ cat /etc/bandit_pass/bandit20
cat: /etc/bandit_pass/bandit20: Permission denied
bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j

Printing the contents of the home directory reveals an executable, ‘bandit20-do’, with setuid flag set.  Running the command without passing an argument reveals a bit of information into the programs function.

Continue reading “Over the Wire’s Bandit Challenge – Level 19”

Over the Wire’s Bandit Challenge – Level 18

Level 18 – bandit – overthewire

Level Instructions:

“The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.”


bandit17@bandit:~$ ssh bandit18@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
...
...
...
Byebye !
Connection to localhost closed.
bandit17@bandit:~$ ssh bandit18@localhost cat readme
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
...
...
...
bandit18@localhost's password:
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

As hinted in the instructions for level 17 upon logging into bandit18 we receive a ‘Byebye !’ message right before our connection is automatically terminated.

Since we know that the password resides in a readme file within the home directory, we can append ‘cat readme’ to our connection command to print the contents of that file before our connection is terminated.

Over the Wire’s Bandit Challenge – Level 17

Level Instructions:

“There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new

NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19.”


bandit17@bandit:~$ ls -la
total 40
drwxr-xr-x  3 root     root     4096 Dec 28  2017 .
drwxr-xr-x 42 root     root     4096 Jul 22 18:42 ..
-rw-r-----  1 bandit17 bandit17   33 Dec 28  2017 .bandit16.password
-rw-r--r--  1 root     root      220 Sep  1  2015 .bash_logout
-rw-r--r--  1 root     root     3771 Sep  1  2015 .bashrc
-rw-r--r--  1 root     root      655 Jun 24  2016 .profile
drwxr-xr-x  2 root     root     4096 Dec 28  2017 .ssh
-rw-r-----  1 bandit17 bandit17 1704 Dec 28  2017 .ssl-cert-snakeoil.key
-rw-r-----  1 bandit18 bandit17 3300 Dec 28  2017 passwords.new
-rw-r-----  1 bandit18 bandit17 3300 Dec 28  2017 passwords.old
bandit17@bandit:~$ diff passwords.old passwords.new
42c42
< 6vcSC74ROI95NqkKaeEC2ABVMDX9TyUr
---
> kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd

Using the ‘diff’ command we can compare the contents of passwords.old and passwords.new.

The command will print the comparable differences between the files, revealing line ‘ kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd ‘; our password for bandit18.

Over the Wire’s Bandit Challenge – Level 16

Level Instructions:

“The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.”


bandit16@bandit:~$ nmap -sV -A -p 31000-32000 localhost | grep open
31046/tcp open  echo
31518/tcp open  ssl/echo
31691/tcp open  echo
31790/tcp open  ssl/unknown
31960/tcp open  echo
bandit16@bandit:~$ openssl s_client -connect localhost:31790 -quiet
depth=0 CN = bandit
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = bandit
verify return:1
cluFn7wTiGryunymYOu4RcffSxQluehd
Correct!
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
-----END RSA PRIVATE KEY-----
bandit16@bandit:~$ mkdir /tmp/rtm2
bandit16@bandit:~$ nano /tmp/rtm2/sshkey

[PASTE CONTENTS OF PRIVATE KEY INTO EMPTY FILE]

bandit16@bandit:~$ chmod 600 /tmp/rtm2/sshkey
bandit16@bandit:~$ ssh -i /tmp/rtm2/sshkey bandit17@localhost

We begin by performing an Nmap scan for services running on open ports between 31000 and 32000.  The output is piped through grep for the sake of neatness.

We find five ports reported open, three of which report their services as echo.  Not what we’re interested in.  We also find two ssl services listening, however, one is also running echo.

We attempt to make a connection with port 31790, inputing the previous password, and we are returned with what appears to be the private ssh key for bandit17!

Before we can use it to access bandit17, we first need to create a new directory within /tmp. Using nano (or your preferred text editor) we create a new text file within and paste the contents of the private ssh key into the empty file.

If we attempt from here to now login to bandit17, using the ssh key file we just created, we will be met with an error.  Without first locking down the permissions of the ssh key file using ‘chmod’, we will be returned with an “Unprotected Private Key File!” warning.  Modifying the permissions to 600 will remedy this issue.

Over the Wire’s Bandit Challenge – Level 15

Level Instructions:

“The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…”


bandit15@bandit:~$ openssl s_client -connect localhost:30001 -quiet
depth=0 CN = bandit
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = bandit
verify return:1
BfMYroe26WYalil77FoDi9qh59eK5xNr
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd

We use the command ‘openssl’ to establish a secure connection over port 30001.  The directions hint at possible output errors you may receive and points to appending your command with ‘-ign_eof’ which prevents the connection from being terminated once end of file is reached in the input.  Above I used the switch ‘-quiet’ for it not only implicitly passes the ‘-ign_eof” switch, but also inhibits the printing of session and certificate information, cleaning up the output a bit for this particular task.

Over the Wire’s Bandit Challenge – Level 14

Level Instructions:

“The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.”


bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
bandit14@bandit:~$ nc localhost 30000
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr

First, we need to print out the password to the current user bandit14.  The location of the password /etc/bandit_pass/bandit14 was revealed in the previous challenge.  Next we can establish a connection with localhost:30000 using either netcat or telnet.  We paste the current password, once connected, and the password for bandit15 is returned.

Over the Wire’s Bandit Challenge – Level 13

Level Instructions:

“The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on.”


bandit13@bandit:~$ ls -la
total 24
drwxr-xr-x  2 root     root     4096 Dec 28  2017 .
drwxr-xr-x 42 root     root     4096 Jul 22 18:42 ..
-rw-r--r--  1 root     root      220 Sep  1  2015 .bash_logout
-rw-r--r--  1 root     root     3771 Sep  1  2015 .bashrc
-rw-r--r--  1 root     root      655 Jun 24  2016 .profile
-rw-r-----  1 bandit14 bandit13 1679 Dec 28  2017 sshkey.private
bandit13@bandit:~$ ssh -i ./sshkey.private bandit14@localhost

In level 13, as instructed, we are not provided with a password to access bandit14.  We are, however, provided with the private ssh key which can be used in lieu of a login password by passing the switch ‘-i [location of private ssh key]’

Over the Wire’s Bandit Challenge – Level 12

Level Instructions:

“The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!).”


bandit12@bandit:~$ ls -la
total 24
drwxr-xr-x  2 root     root     4096 Dec 28  2017 .
drwxr-xr-x 42 root     root     4096 Jul 22 18:42 ..
-rw-r--r--  1 root     root      220 Sep  1  2015 .bash_logout
-rw-r--r--  1 root     root     3771 Sep  1  2015 .bashrc
-rw-r--r--  1 root     root      655 Jun 24  2016 .profile
-rw-r-----  1 bandit13 bandit12 2646 Dec 28  2017 data.txt
bandit12@bandit:~$ mkdir /tmp/rtm
bandit12@bandit:~$ cp data.txt /tmp/rtm
bandit12@bandit:~$ cd /tmp/rtm
bandit12@bandit:/tmp/rtm$ file data.txt
data.txt: ASCII text
bandit12@bandit:/tmp/rtm$ xxd -r data.txt > data_rev
bandit12@bandit:/tmp/rtm$ file data_rev
data_rev: gzip compressed data, was "data2.bin", last modified: Thu Dec 28 13:34:36 2017, 
   max compression, from Unix
bandit12@bandit:/tmp/rtm$ zcat data_rev > data_zcat
bandit12@bandit:/tmp/rtm$ file data_zcat
data_zcat: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/rtm$ bzip2 -d data_zcat
bzip2: Can't guess original name for data_zcat -- using data_zcat.out
bandit12@bandit:/tmp/rtm$ file data_zcat.out
data_zcat.out: gzip compressed data, was "data4.bin", last modified: Thu Dec 28 13:34:36 
   2017, max compression, from Unix
bandit12@bandit:/tmp/rtm$ zcat data_zcat.out > data4
bandit12@bandit:/tmp/rtm$ file data4
data4: POSIX tar archive (GNU)
bandit12@bandit:/tmp/rtm$ tar -xvf data4
data5.bin
bandit12@bandit:/tmp/rtm$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@bandit:/tmp/rtm$ tar -xvf data5.bin
data6.bin
bandit12@bandit:/tmp/rtm$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/rtm$ bzip2 -d data6.bin
bzip2: Can't guess original name for data6.bin -- using data6.bin.out
bandit12@bandit:/tmp/rtm$ file data6.bin.out
data6.bin.out: POSIX tar archive (GNU)
bandit12@bandit:/tmp/rtm$ tar -xvf data6.bin.out
data8.bin
bandit12@bandit:/tmp/rtm$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", last modified: Thu Dec 28 13:34:36 2017, 
   max compression, from Unix
bandit12@bandit:/tmp/rtm$ zcat data8.bin > data8_zcat
bandit12@bandit:/tmp/rtm$ file data8_zcat
data8_zcat: ASCII text
bandit12@bandit:/tmp/rtm$ cat data8_zcat
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

As mentioned in the instructions, the password for bandit13 resides in data.txt and has been repeatedly  compressed.  First, we create a directory within /tmp to allow us space to work and a location to which we have write privileges to copy data.txt.  Next, we will essentially repeat a process in which we check the file type using the ‘file’ command, and then extract the contents of the file using tools dependent on the output of the file type.

‘xxd -r’ is used to revert from hexdump to binary.
If the output of the file is tar, extract using ‘tar -xvf’; if the output is bzip2, use ‘bzip2 -d’; zip, zcat.

Over the Wire’s Bandit Challenge – Level 11

Level 11 – bandit – overthewire

Level Instructions:

“The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions.”


bandit11@bandit:~$ ls -la
total 24
drwxr-xr-x  2 root     root     4096 Dec 28  2017 .
drwxr-xr-x 42 root     root     4096 Jul 22 18:42 ..
-rw-r--r--  1 root     root      220 Sep  1  2015 .bash_logout
-rw-r--r--  1 root     root     3771 Sep  1  2015 .bashrc
-rw-r--r--  1 root     root      655 Jun 24  2016 .profile
-rw-r-----  1 bandit12 bandit11   49 Dec 28  2017 data.txt
bandit11@bandit:~$ cat data.txt
Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh
bandit11@bandit:~$ cat data.txt | tr [:alpha:] 'N-ZA-Mn-za-m'
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

The password in level 11 has been encrypted by ROT13, a process that advances each letter character by 13.  By piping the contents of the file into the tr (translate) command we can first specify the types of characters we would like to translate (all alphanumerical; A-Za-z) and secondly order how we would like those characters transposed (A-Za-z –>> N-ZA-Mn-za-m).