Create and run a shell script.
Host name is: bandit.labs.overthewire.org
User: bandit23
password: jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
Goal: A program is running automatically at regular intervals from
cron, the time-based job scheduler. Look in /etc/cron.d/ for
the configuration and see what command is being executed.
Commands used for this level:
ls -l - List information about all the file's and use a long listing format.
cat - used to view contents of a file.
whoami - print effective userid
mkdir -
cd -
vim -
Step 1.
Just like the last two levels we need to view /etc/cron.d/ directory.
Type ls -l /etc/cron.d/
Step 2.
We see a cronjob_bandit24 file so let's do a cat on it.
Type cat /etc/cron.d/cronjob_bandit24
We get bandit24 /usr/bin/cronjob_bandit24.sh as our output so lets take a look at what this script does.
Step 3.
Type cat /usr/bin/cronjob_bandit24.sh
myname=$(whoami)
cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in *;
do
echo "Handling $i"
./$i
rm -f $i
done
Step 4.
Looks like we have another script that sets uid to myname and executes and deletes all scripts in /var/spool/$myname.
Let's run the script and see what happens.
Type /usr/bin/cronjob_bandit24.sh
/usr/bin/cronjob_bandit24.sh: line 5: cd: /var/spool/bandit23: No such file or directory
Executing and deleting all scripts in /var/spool/bandit23:
Handling *
/usr/bin/cronjob_bandit24.sh: line 10: ./*: No such file or directory
Step 5.
Looks like the script changes to the directory /var/spool/bandit23 then executes and deletes all scripts but none are found. Let's create a script but put it in /var/spool/bandit24 that will cat the password file from where we have seen our passwords stored at /etc/bandit_pass/bandit24 out to a directory we will pick. By putting the script in bandit24 directory it will assign the myname to this script as uid of bandit24 who happens to have permission to cat this file. We currently do not have permission to cat that file being we are logged in as bandit23.
Type mkdir /tmp/bandit24
Hmm thats strange it says mkdir: cannot create directory '/tmp/bandit24': File exists
Okay lets cat that file.
cat /tmp/bandit24 and like that we have our password for the next level UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
This is obviously an error in the way this challenge is setup but it is cool to see you can sometimes accomplish your goal by just snooping around a bit when you find something that doesn't seem right. This file must have been created by another user and I guess all user have access to other users of overthewire files they create.
Let's continue our goal of creating a script and having it run.
Step 6.
Type mkdir -p /tmp/hxjump Your directory my still be there from previous levels if they have not reboot the server. The dash p will keep you from getting errors if the file exists already.
Then let's change to our directory and create our script.
cd /tmp/hxjump
Step 7.
Now let's create our script
vim bandit24.sh
Once in vi press a and copy and past the above and change our uid like below.
#!/bin/bash
cat /etc/bandit_pass/bandit24 >> /tmp/hxjump/level24
Pree Esc key to exiting editing mode and then type :wq
Step 8.
Now set read, write, and execute permissions on our file with chmod 777 bandit24.sh
Step 9.
Now we need to copy our script over to /var/spool/bandit24
cp bandit24.sh /var/spool/bandit24
The script will auto run because of cron, you may need to wait a minute before the next step shows our file.
Step 10.
Apparently this level appears to be broken as I can see my script is copied to /var/spool/bandit24 and after a minute is deleted from the /var/spool/bandit24 directory but no file is ever created in my tmp/hxjump directory. I have looked at other solutions and they all did basically the same thing I did for a script. At least I have the password for the next level. Maybe i'll come back to this level sometime if they ever fix it.
hexjump
A place where I note and share my experiences in computer sciences.
Tuesday, December 16, 2014
Monday, December 15, 2014
Bandit Level 22 to Level 23
View a created script and use the info to run a custom command.
Host name is: bandit.labs.overthewire.org
User: bandit22
password: Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
Goal: A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
Commands used for this level:
ls -l - List information about all the file's and use a long listing format.
cat - used to view contents of a file.
whoami - print effective userid
Step 1.
This looks exactly like the last level so let's follow what we did last level.
Type ls -l /etc/cron.d/
Just like last level we see a cronjob_bandit23 file
Step 2.
Let's cat that file
cat /etc/cron.d/cronjob_bandit23
We get the output to a file location that runs at /usr/bin/cronjob_bandit23.sh
Step 3.
Let's cat that file in step 2.
cat /usr/bin/cronjob_bandit23.sh
We see get another bin bash script
#!/bin/bash
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget
It looks like this script sends the output of a cat on
/etc/bandit_pass/$myname to /tmp/$mytarget
Step 4.
Again like before let's cat that copied file location to see what it has in it.
cat /tmp/$mytarget
This time we get /tmp/: Permission denied
Hmm looks like the $ may have blocked our full file location because it only shows /tmp/ in the output.
Let's go back and read our NOTE for the GOAL.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
Ah $ is used for shell so let's read about shell scripts and we should try to execute the script to see what it does.
Step 5.
Type /usr/bin/cronjob_bandit23.sh
We get the output: Copying passwordfile /etc/bandit_pass/bandit22 to /tmp/8169b67bd894ddbb4412f91573b38db3
Step 6.
Let's cat that file location
cat /tmp/8169b67bd894ddbb4412f91573b38db3
We get our current password output. Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
Not what we want.
Step 7.
Let's go back and look at cronjob_bandit23.sh script
Type /usr/bin/cronjob_bandit23.sh
We get the output: Copying passwordfile /etc/bandit_pass/bandit22 to /tmp/8169b67bd894ddbb4412f91573b38db3 We missed something, see how it says bandit22, not what we want. We want bandit23 password. Let's look at how the script works again.
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget
That first part myname=$(whoami) sets myname to our name. Go ahead and do a whoami. It returns who we are logged in as bandit22.
The second part mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1) looks like the command that is run during this script where $myname is set to bandit22 and we know we want bandit23 password. Let's take that part of the script and replace the $myname part with bandit23 instead of letting the script set it to our current uid.
Type echo I am user bandit23 | md5sum | cut -d ' ' -f 1
We get 8ca319486bfbbc3663ea0fbe81326349 output.
Step 8.
Hmm that output above looks familiar lets do a cat on the output file.
Type cat /tmp/8ca319486bfbbc3663ea0fbe81326349
Look at that it looks like we have our next level password output:
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
Host name is: bandit.labs.overthewire.org
User: bandit22
password: Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
Goal: A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
Commands used for this level:
ls -l - List information about all the file's and use a long listing format.
cat - used to view contents of a file.
whoami - print effective userid
Step 1.
This looks exactly like the last level so let's follow what we did last level.
Type ls -l /etc/cron.d/
Just like last level we see a cronjob_bandit23 file
Step 2.
Let's cat that file
cat /etc/cron.d/cronjob_bandit23
We get the output to a file location that runs at /usr/bin/cronjob_bandit23.sh
Step 3.
Let's cat that file in step 2.
cat /usr/bin/cronjob_bandit23.sh
We see get another bin bash script
#!/bin/bash
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget
It looks like this script sends the output of a cat on
/etc/bandit_pass/$myname to /tmp/$mytarget
Step 4.
Again like before let's cat that copied file location to see what it has in it.
cat /tmp/$mytarget
This time we get /tmp/: Permission denied
Hmm looks like the $ may have blocked our full file location because it only shows /tmp/ in the output.
Let's go back and read our NOTE for the GOAL.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
Ah $ is used for shell so let's read about shell scripts and we should try to execute the script to see what it does.
Step 5.
Type /usr/bin/cronjob_bandit23.sh
We get the output: Copying passwordfile /etc/bandit_pass/bandit22 to /tmp/8169b67bd894ddbb4412f91573b38db3
Step 6.
Let's cat that file location
cat /tmp/8169b67bd894ddbb4412f91573b38db3
We get our current password output. Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
Not what we want.
Step 7.
Let's go back and look at cronjob_bandit23.sh script
Type /usr/bin/cronjob_bandit23.sh
We get the output: Copying passwordfile /etc/bandit_pass/bandit22 to /tmp/8169b67bd894ddbb4412f91573b38db3 We missed something, see how it says bandit22, not what we want. We want bandit23 password. Let's look at how the script works again.
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget
That first part myname=$(whoami) sets myname to our name. Go ahead and do a whoami. It returns who we are logged in as bandit22.
The second part mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1) looks like the command that is run during this script where $myname is set to bandit22 and we know we want bandit23 password. Let's take that part of the script and replace the $myname part with bandit23 instead of letting the script set it to our current uid.
Type echo I am user bandit23 | md5sum | cut -d ' ' -f 1
We get 8ca319486bfbbc3663ea0fbe81326349 output.
Step 8.
Hmm that output above looks familiar lets do a cat on the output file.
Type cat /tmp/8ca319486bfbbc3663ea0fbe81326349
Look at that it looks like we have our next level password output:
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
Bandit Level 21 to Level 22
View cron jobs and find what the job is performing.
Host name is: bandit.labs.overthewire.org
User: bandit21
password: gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
Goal: A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
Commands used for this level:
ls -l - List information about all the file's and use a long listing format.
cat - used to view contents of a file.
Step 1.
From the goal we are given that a program is running regularly with cron and is configured in the /etc/cron.d/ directory. Lets check the man page of cron.
Type man cron and do a search with /cron.d
We see that cron is a daemon to execute scheduled commands and that cron reads the files in the /etc/cron.d directory. Let's look at that directory and see what files we have in it.
Type ls -l /etc/cron.d/
We see a bunch of files but we know we are looking for a cronjob and we are trying to get to level 22, so lets view the contents of cronjob22.
Step 2.
Type cat /etc/cron.d/cronjob_bandit22
We are given the output of: * * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
Given that lets go ahead and cat out that given file and see what it is.
Step 3.
Type cat /usr/bin/cronjob_bandit22.sh
We are given:
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
The #!/bin/bash means we have a bash script file
chmod 644 means only owner can write, others can read to the file at /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Then the last two lines cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv is what the script is doing. This line means it runs cat on /etc/bandit_pass/bandit22 and with the > sends that output to the file at /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Step 4.
With the above info all we need to do now is cat the file at /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Type cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv and we are given our next level pasword of: Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
Host name is: bandit.labs.overthewire.org
User: bandit21
password: gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
Goal: A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
Commands used for this level:
ls -l - List information about all the file's and use a long listing format.
cat - used to view contents of a file.
Step 1.
From the goal we are given that a program is running regularly with cron and is configured in the /etc/cron.d/ directory. Lets check the man page of cron.
Type man cron and do a search with /cron.d
We see that cron is a daemon to execute scheduled commands and that cron reads the files in the /etc/cron.d directory. Let's look at that directory and see what files we have in it.
Type ls -l /etc/cron.d/
We see a bunch of files but we know we are looking for a cronjob and we are trying to get to level 22, so lets view the contents of cronjob22.
Step 2.
Type cat /etc/cron.d/cronjob_bandit22
We are given the output of: * * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
Given that lets go ahead and cat out that given file and see what it is.
Step 3.
Type cat /usr/bin/cronjob_bandit22.sh
We are given:
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
The #!/bin/bash means we have a bash script file
chmod 644 means only owner can write, others can read to the file at /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Then the last two lines cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv is what the script is doing. This line means it runs cat on /etc/bandit_pass/bandit22 and with the > sends that output to the file at /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Step 4.
With the above info all we need to do now is cat the file at /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Type cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv and we are given our next level pasword of: Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
Bandit Level 20 to Level 21
Use netcat to create a client/server connection.
Host name is bandit.labs.overthewire.org
User: bandit20
password: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Goal: There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
Commands used for this level:
ls - List information about all the file's
nc -l - arbitrary TCP and UDP connections and listens, when used with -l to specify that nc should listen for an incoming connection rather than initiate a connection to a remote host.
echo - display a line of text
Step 1.
Type ls
We see the suconnect binary file which is described in the goal.
Step 2.
Type ./suconnect
We see we need to run the binary file suconnect with a port number. We also know we need to transmit a password of the current level to login to a open port. To do this we need to create a client/server connection using netcat.
Let's check the netcat man page.
Type man nc and page down to where it says Client/Server Model. This section gives us everything we need to create a client/server connection. We can test how this works on our own PC by opening two terminal windows. Let's give it a test.
Open two terminal windows on your PC and in the first one type exactly the command that is given under client/server model. Type nc -l 1234 nc is now listening on port 1234 for a connection. Now in the second window we can connect to that open port by typing nc localhost 1234 then go ahead and type something and it will be concatenated to the other terminal window and vice versa. With this test we now see that maybe if we open a listening port in one window and in the other we run our binary file on that open port that maybe we will get our next level password.
Step 3.
Let's start our netcat listening port and echo our current level password to it.
Type echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | nc -l 1234
By doing this we have started a listening port of 1234 (this can be any port # that is not in use) and upon a connection to echo our current password.
Now we need to open a second terminal connection to our level.
Step 4.
Open a second terminal window and connect to the level with:
Host name is bandit.labs.overthewire.org
User: bandit20
password: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Now just like our local test in step 2 we need to run our suconnect binary file to our open listening port of 1234 which is running in our first terminal window.
Type ./suconnect 1234
We get an output of:
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j this is our echoed password from the first terminal session we have running netcat in listening mode.
Password matches, sending next password and here we see the password matches and just like noted in the goal our next password is echoed back to our first terminal window. Now go back to our first open terminal window and you will see our next level password is displayed: gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
Note: Another way to accomplish this level without opening two windows is to run our first window in the background with the ampersand symbol (&) at the end of our first command like so: echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | nc -l 1234 &
Using the ampersand at the end of a command tells it to be run in the back ground. We could then run our commands for the second terminal in our current terminal while our netcat listening port runs in the background.
Host name is bandit.labs.overthewire.org
User: bandit20
password: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Goal: There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
Commands used for this level:
ls - List information about all the file's
nc -l - arbitrary TCP and UDP connections and listens, when used with -l to specify that nc should listen for an incoming connection rather than initiate a connection to a remote host.
echo - display a line of text
Step 1.
Type ls
We see the suconnect binary file which is described in the goal.
Step 2.
Type ./suconnect
We see we need to run the binary file suconnect with a port number. We also know we need to transmit a password of the current level to login to a open port. To do this we need to create a client/server connection using netcat.
Let's check the netcat man page.
Type man nc and page down to where it says Client/Server Model. This section gives us everything we need to create a client/server connection. We can test how this works on our own PC by opening two terminal windows. Let's give it a test.
Open two terminal windows on your PC and in the first one type exactly the command that is given under client/server model. Type nc -l 1234 nc is now listening on port 1234 for a connection. Now in the second window we can connect to that open port by typing nc localhost 1234 then go ahead and type something and it will be concatenated to the other terminal window and vice versa. With this test we now see that maybe if we open a listening port in one window and in the other we run our binary file on that open port that maybe we will get our next level password.
Step 3.
Let's start our netcat listening port and echo our current level password to it.
Type echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | nc -l 1234
By doing this we have started a listening port of 1234 (this can be any port # that is not in use) and upon a connection to echo our current password.
Now we need to open a second terminal connection to our level.
Step 4.
Open a second terminal window and connect to the level with:
Host name is bandit.labs.overthewire.org
User: bandit20
password: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Now just like our local test in step 2 we need to run our suconnect binary file to our open listening port of 1234 which is running in our first terminal window.
Type ./suconnect 1234
We get an output of:
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j this is our echoed password from the first terminal session we have running netcat in listening mode.
Password matches, sending next password and here we see the password matches and just like noted in the goal our next password is echoed back to our first terminal window. Now go back to our first open terminal window and you will see our next level password is displayed: gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
Note: Another way to accomplish this level without opening two windows is to run our first window in the background with the ampersand symbol (&) at the end of our first command like so: echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | nc -l 1234 &
Using the ampersand at the end of a command tells it to be run in the back ground. We could then run our commands for the second terminal in our current terminal while our netcat listening port runs in the background.
Friday, December 12, 2014
Bandit Level 19 to Level 20
Host name is bandit.labs.overthewire.org
User: bandit19
password: IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
Goal: To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used to setuid binary.
Commands used for this level:
ls -l - List information about all the file's and use a long listing format.
file - determine file type
cat - used to view contents of a file.
cd - change directory
Step 1.
After logging in type ls
You will see bandit20-do
Step 2.
Let's see what kind of file it is.
Type file bandit20-do
We see that it's a setuid ELF 32-bit LSB executable.
Step 3.
Let's get more info on the file.
Type ls -l
We see this output for our file.
-rwsr-x--- 1 bandit20 bandit19 7370 Nov 14 10:32 bandit20-do
We can break this down as follows:
- -rwsr-x--- permissions
- 1 : number of linked hard-links
- bandit20: owner of the file
- bandit19: to which group this file belongs to
- 7370: size
- Nov 14 10:32 modification/creation date and time
- bandit20-do: file/directory name
This means we, being user bandit19 can read and execute the file. Lets try running the file the way it is stated in the goal to see if we can find out how to use it to set our uid to bandit20.
Type ./bandit20-do (the ./ in front means current directory)
We get an out put of :
Run a command as another user.
Example: ./bandit20-do id
Step 4.
Let's try running the command again with the example.
Type ./bandit20-do id
We get the output of:
uid=11019(bandit19) gid=11019(bandit19) euid=11020(bandit20) groups=11020(bandit20),11019(bandit19)
uid is user id
gid is group id
euid is effective user id
groups is groups it belongs to
euid is used for permission checks in Linux. We cant just change to any EUID unless we are root.
Here are the rules:
- Changing to SUID or RUID is always ok
- If you are root (UID 0), you can change to any UID. This will set both EUID, RUID and SUID.
- Changing from root to any other UID
- RUID is set to according to your login.
- EUID is different from RUID only when running Set UID programs, like su
The point is that a Set UID program can switch between the UID of the user who invoked it (that would be us bandit19), and the owner of the executable (bandit20). Let's do one more thing and check the help info of the command.
Type ./bandit20-do --help
We get an output stating:
Set each NAME to VALUE in the environment and run COMMAND.
Step 5.
Let's run our bandit20-do with a cat command to where we are told the file is located (/etc/bandit_pass) and see if it let's us view the file.
Type ./bandit20-do cat /etc/bandit_pass
We are told that /etc/bandit_pass: Is a directory
Let's change to /etc/bandit_pass and see what the directory contains for files and pick what file we actually want to view.
Step 6.
Type cd /etc/bandit_pass
Then do an ls -l
It shows that bandit20 is the owner of the bandit20 file so let's go back to where our bandit20-do file is and run it again with bandit20 as our file to view.
Step 7.
Type cd ~
Then type ./bandit20-do cat /etc/bandit_pass/bandit20 and we get our password for the next level: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Wednesday, December 10, 2014
Bandit Level 18 to Level 19
Logging in with ssh without having .bashrc run.
Host name is bandit.labs.overthewire.org
User: bandit18
password: kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
Goal: The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
Commands used for this level:
ssh - OpenSSH SSH client
/bin/sh - a way of launching an interactive shell usually bash
Step 1
Host name is bandit.labs.overthewire.org
User: bandit18
password: kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
Goal: The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
Commands used for this level:
ssh - OpenSSH SSH client
/bin/sh - a way of launching an interactive shell usually bash
Well when we try and
login to this level the normal way we get immediately logged out, why
because the .bashrc file has been edited to do this to us. .bashrc is
a file normally read by interactive shells only
and can be edited to affect how our
interactive shell behaves. What we need to do is try logging in a
different way so we avoid having the .bashrc file run.
What we can do is
tell our ssh login to launch the Bourne again shell, also known as
bash instead of the regular shell. Bash only reads from the
/etc/profile, .bash_profile, .bash_login or .profile files, you can
read about that here.
We will tell ssh to
launch the bash shell instead of logging directly into bandit18 user
shell, which we know will launch that .bashrc file that logs us out.
We can do this by adding /bin/sh command to our ssh login with our
user info. Using /bin/sh is a standard way of launching the Bourne
again shell (bash) when writing script files. Most scripts start with
the hashbang (#!) followed by /bin/sh telling the script to first
start the bash shell. Our login should be simple enough now that we
know more.
We could just type
ssh bandit18@bandit.labs.overthewire.org
/bin/sh but we will not see a prompt because we are only requesting a
port to connect to. What we can do is force a connection to a tty
port with a -t added to ssh command.
Type ssh -t
bandit18@bandit.labs.overthewire.org
/bin/sh
Step 2.
We are now in and
can check if we see the readme file with ls.
Type ls
We see the readme
file so all we have to do is cat the file with cat readme and our
password for the next level is displayed:
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
Bandit Level 16 to 17 and 18
Using a port scanning tool to find open ports and copying and using a private ssh key to connect to a server. Then level 18 comparing files for differences.
Host name is bandit.labs.overthewire.org
User: bandit16
password: cluFn7wTiGryunymYOu4RcffSxQluehd
Goal: The password for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next password, the others will simply send back to you whatever you send to it.
Host name is bandit.labs.overthewire.org
User: bandit16
password: cluFn7wTiGryunymYOu4RcffSxQluehd
Goal: The password for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next password, the others will simply send back to you whatever you send to it.
Commands used for this level:
nmap - Network
exploration tool and security / port scanner
echo - display a line of text
nc - arbitrary TCP and UDP connections and listens (nc is short for netcat)
openssl
- OpenSSH SSH client (remote login program)
mkdir
- make directories.
cd
- change directory.
touch
- change file timestamps
vim
- Vi IMproved, a programmers text editor
Commands used for level 18:
ls - List information about the FILE's (the current directory by default).
diff - compare files line by line
Step 1.
First thing we need to do is find a way to scan ports in the given range from our goal. Linux has a tool for doing just that called nmap. Lets check the man page on nmap to see how it works and what it does.
Type man nmap
We see nmap is a
port scanner and that is exactly the tool we need. If we read further
down to SCAN TECHNIQUES section we see we have multiple options for
scanning. We know that first we want to find what ports are open for
a connection. We read that the sT option in this section is for
connect so that looks good for our first option. We also need to
select a range of ports to scan so if we read down further we see
that the -p option will let us select specific ports to scan or a
range even. We know we want to scan localhost and ports from 31000 to
32000 so lets put together our scan options. We will use nmap command
for our port scanner tool with -sT to attempt a connection, send that
to localhost with a port range of 31000-32000
Type nmap -sT
localhost -p31000-32000
We see we have 5
ports open 31046, 31518,
31691, 31790, and 31960 all with unknown service.
Step 2.
We now have 5 ports we can attempt to connect to and we know from our goal we need to find the port
that speaks SSL. We also know that the wrong ports will simply
echo back what we send them. Lets echo some text, pipe it to netcat
like in level 14, and use localhost with the each port number to see
what ports echo back our text and which ones give us an SSL response.
echo hello | nc
localhost 31046
gives
us our hello in return
echo hello | nc
localhost 31518
gives us an SSL
error
echo hello | nc
localhost 31691
gives
us our hello in return
echo hello | nc
localhost 31790
gives us an SSL
error
echo hello | nc
localhost 31960
gives
us our hello in return
Step 3.
We
know know we have two ports that reply with an SSL error.
Let's
hit those two ports with our password and our openssl tool like in
level 15.
echo
cluFn7wTiGryunymYOu4RcffSxQluehd | openssl s_client -quiet -connect
localhost:31518
It
looks like we have connected but it has replied our current password
like the other ports so lets try the other SSL port.
echo
cluFn7wTiGryunymYOu4RcffSxQluehd | openssl s_client -quiet -connect
localhost:31790
We
get a private RSA key in return instead
of the password. Not
exactly what we hoped for but we know what to do with the key from
previous levels.
Step 4.
Copy the RSA key, don't forget to get the whole
thing including the header and footer of the key. Now we need to save this private key and do exactly what
we did in level 13.
Lets create a directory under /tmp,
create a file and save our key to it. We can then use ssh to send
that key to the next level and get our password.
mkdir
/tmp/yourname
cd
/tmp/yourname
touch
sshkey.private
vim
sshkey.private
You
are now in vim editor and can paste your copied key.
Press
a first in vim to append the file.
Now paste the copied key into the
file. Once you've pasted the key
press esc key to exit editing
mode of vim and type :wq to write
and quit the editor. If you want more info on moving around in vi editor cheack the man page on it.
Step 5.
We can now do like we did in level 13 and use ssh to send the RSA privatekey to
bandit17
ssh
-i ./sshkey.private bandit17@localhost
We
are asked if we want to continue and we need to type yes
We
see we get an error stating; It is required that your private key
files are NOT accessible by others. What we need to do is change the
permission of our privatekey so it is not accessible by other users.
We can use chmod to do that.
Step 6.
Lets
read some about chmod options here.
We know we need to
only allow us, the owner of the file to read and write to it and
after reading the above link we see that chmod 600 will do that.
chmod
600 sshkey.private
Now do a ls -la to view read write permissions of our file.
Step 7.
Let's
try sending our privatekey again.
ssh
-i ./sshkey.private bandit17@localhost
We
are now into level 17 but we do
not have a password for the level so we need to get level 18
password.
Level
17 to 18
Compare two files
and find the difference.
Goal:
There are 2 files in the homedirectory: passwords.old
and passwords.new. The password for the next level is in
passwords.new and is the only line that has been
changed between passwords.old and passwords.new
Commands used in this level:
ls - List information about the FILE's (the current directory by default).
diff - compare files line by line
Step 1.
We need to
compare the two files and find the different line between the two
files. We can use the diff command to do that. Let's check the man
page of diff.
Type man diff
Type man diff
We see that
diff will compare files line by line and that is our exact goal.
Type diff
passwords.old passwords.new
We get the below output:
<
BS8bqB1kqkinKJjuxL6k072Qq9NRwQpR
---
> kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
Looks like
we have two options for passwords so lets try them on level 18.
Try the
first one and it doesn't work but the second password does and we
have our password for level 18: kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
Subscribe to:
Posts (Atom)