Tuesday, December 16, 2014

Bandit Level 23 to Level 24

Create and run a shell script.

Host name is: bandit.labs.overthewire.org 
User: bandit23
password: jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n

Goal: A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

Commands used for this level:
ls -l - List information about all the file's and use a long listing format.
cat - used to view contents of a file.
whoami - print effective userid
mkdir -
cd - 
vim - 

Step 1.
Just like the last two levels we need to view /etc/cron.d/ directory.
Type ls -l /etc/cron.d/

Step 2. 
We see a cronjob_bandit24 file so let's do a cat on it.
Type cat /etc/cron.d/cronjob_bandit24
We get bandit24 /usr/bin/cronjob_bandit24.sh as our output so lets take a look at what this script does.


Step 3.
Type cat /usr/bin/cronjob_bandit24.sh 

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in *;
do
    echo "Handling $i"
    ./$i
    rm -f $i
done

Step 4.
Looks like we have another script that sets uid to myname and executes and deletes all scripts in /var/spool/$myname.
Let's run the script and see what happens.
Type  /usr/bin/cronjob_bandit24.sh 

/usr/bin/cronjob_bandit24.sh: line 5: cd: /var/spool/bandit23: No such file or directory
Executing and deleting all scripts in /var/spool/bandit23:
Handling *
/usr/bin/cronjob_bandit24.sh: line 10: ./*: No such file or directory


Step 5.
Looks like the script changes to the directory /var/spool/bandit23 then executes and deletes all scripts but none are found. Let's create a script but put it in /var/spool/bandit24 that will cat the password file from where we have seen our passwords stored at /etc/bandit_pass/bandit24 out to a directory we will pick. By putting the script in bandit24 directory it will assign the myname to this script as uid of bandit24 who happens to have permission to cat this file. We currently do not have permission to cat that file being we are logged in as bandit23.

Type mkdir /tmp/bandit24
Hmm thats strange it says mkdir: cannot create directory '/tmp/bandit24': File exists
Okay lets cat that file.
cat /tmp/bandit24 and like that we have our password for the next level UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

This is obviously an error in the way this challenge is setup but it is cool to see you can sometimes accomplish your goal by just snooping around a bit when you find something that doesn't seem right. This file must have been created by another user and I guess all user have access to other users of overthewire files they create.

Let's continue our goal of creating a script and having it run.

Step 6.
Type mkdir -p /tmp/hxjump  Your directory my still be there from previous levels if they have not reboot the server. The dash p will keep you from getting errors if the file exists already.

Then let's change to our directory and create our script.
cd /tmp/hxjump

Step 7.
Now let's create our script
vim bandit24.sh
Once in vi press a and copy and past the above and change our uid like below.
#!/bin/bash

cat /etc/bandit_pass/bandit24 >> /tmp/hxjump/level24


Pree Esc key to exiting editing mode and then type :wq

Step 8.
Now set read, write, and execute permissions on our file with chmod 777 bandit24.sh

Step 9.
Now we need to copy our script over to /var/spool/bandit24
cp bandit24.sh /var/spool/bandit24 
The script will auto run because of cron, you may need to wait a minute before the next step shows our file.


Step 10.
Apparently this level appears to be broken as I can see my script is copied to /var/spool/bandit24 and after a minute is deleted from the /var/spool/bandit24 directory but no file is ever created in my tmp/hxjump directory. I have looked at other solutions and they all did basically the same thing I did for a script. At least I have the password for the next level. Maybe i'll come back to this level sometime if they ever fix it.

Monday, December 15, 2014

Bandit Level 22 to Level 23

View a created script and use the info to run a custom command.

Host name is: bandit.labs.overthewire.org 
User: bandit22
password: Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

Goal: A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

Commands used for this level:
ls -l - List information about all the file's and use a long listing format.
cat - used to view contents of a file.
whoami - print effective userid

Step 1.
This looks exactly like the last level so let's follow what we did last level.
Type ls -l /etc/cron.d/
Just like last level we see a cronjob_bandit23 file
 

Step 2.
Let's cat that file
cat /etc/cron.d/cronjob_bandit23
We get the output to a file location that runs at /usr/bin/cronjob_bandit23.sh

Step 3.
Let's cat that file in step 2.
cat /usr/bin/cronjob_bandit23.sh
We see get another bin bash script
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget
 

It looks like this script sends the output of a cat on
/etc/bandit_pass/$myname to /tmp/$mytarget

Step 4.
Again like before let's cat that copied file location to see what it has in it.
cat /tmp/$mytarget
This time we get /tmp/: Permission denied
Hmm looks like the $ may have blocked our full file location because it only shows /tmp/ in the output.
Let's go back and read our NOTE for the GOAL.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
Ah $ is used for shell so let's read about shell scripts and we should try to execute the script to see what it does.

Step 5.
Type /usr/bin/cronjob_bandit23.sh
We get the output: Copying passwordfile /etc/bandit_pass/bandit22 to /tmp/8169b67bd894ddbb4412f91573b38db3

Step 6.
Let's cat that file location  
cat /tmp/8169b67bd894ddbb4412f91573b38db3
We get our current password output. Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
Not what we want.


Step 7.
Let's go back and look at cronjob_bandit23.sh script 
Type /usr/bin/cronjob_bandit23.sh
We get the output: Copying passwordfile /etc/bandit_pass/bandit22 to /tmp/8169b67bd894ddbb4412f91573b38db3 We missed something, see how it says bandit22, not what we want. We want bandit23 password. Let's look at how the script works again.

myname=$(whoami)  
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget

That first part myname=$(whoami) sets myname to our name. Go ahead and do a whoami. It returns who we are logged in as bandit22.

The second part mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1) looks like the command that is run during this script where $myname is set to bandit22 and we know we want bandit23 password. Let's take that part of the script and replace the $myname part with bandit23 instead of letting the script set it to our current uid.
Type echo I am user bandit23 | md5sum | cut -d ' ' -f 1
We get 8ca319486bfbbc3663ea0fbe81326349 output.

Step 8. 
Hmm that output above looks familiar lets do a cat on the output file.
Type cat /tmp/8ca319486bfbbc3663ea0fbe81326349
Look at that it looks like we have our next level password output:
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n


Bandit Level 21 to Level 22

View cron jobs and find what the job is performing.

Host name is: bandit.labs.overthewire.org 
User: bandit21
password: gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr

Goal: A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

Commands used for this level:
ls -l - List information about all the file's and use a long listing format.
cat - used to view contents of a file.

Step 1.
From the goal we are given that a program is running regularly with cron and is configured in the /etc/cron.d/ directory. Lets check the man page of cron.
Type man cron and do a search with /cron.d
We see that cron is a daemon to execute scheduled commands and that cron reads the files in the /etc/cron.d directory. Let's look at that directory and see what files we have in it. 
Type ls -l /etc/cron.d/
We see a bunch of files but we know we are looking for a cronjob and we are trying to get to level 22, so lets view the contents of cronjob22.

Step 2.
Type cat /etc/cron.d/cronjob_bandit22
We are given the output of: * * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
Given that lets go ahead and cat out that given file and see what it is.


Step 3.
Type cat /usr/bin/cronjob_bandit22.sh
We are given:
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv


The #!/bin/bash means we have a bash script file

chmod 644 means only owner can write, others can read to the file at /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

Then the last two lines cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv is what the script is doing. This line means it runs cat on /etc/bandit_pass/bandit22 and with the > sends that output to the file at /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

Step 4.
With the above info all we need to do now is cat the file at /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

Type cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv and we are given our next level pasword of: Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

Bandit Level 20 to Level 21

Use netcat to create a client/server connection.

Host name is bandit.labs.overthewire.org 
User: bandit20
password: GbKksEFF4yrVs6il55v6gwY5aVje5f0j

Goal: There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

Commands used for this level:
ls - List information about all the file's
nc -l - arbitrary TCP and UDP connections and listens, when used with -l to specify that nc should listen for an incoming connection rather than initiate a connection to a remote host.
echo - display a line of text

Step 1.
Type ls
We see the suconnect binary file which is described in the goal.

Step 2.
Type ./suconnect
We see we need to run the binary file suconnect with a port number. We also know we need to transmit a password of the current level to login to a open port. To do this we need to create a client/server connection using netcat.
Let's check the netcat man page. 
Type man nc and page down to where it says Client/Server Model. This section gives us everything we need to create a client/server connection. We can test how this works on our own PC by opening two terminal windows. Let's give it a test.
Open two terminal windows on your PC and in the first one type exactly the command that is given under client/server model. Type nc -l 1234 nc is now listening on port 1234 for a connection. Now in the second window we can connect to that open port by typing nc localhost 1234 then go ahead and type something and it will be concatenated to the other terminal window and vice versa. With this test we now see that maybe if we open a listening port in one window and in the other we run our binary file on that open port that maybe we will get our next level password.

Step 3.
Let's start our netcat listening port and echo our current level password to it.
Type echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | nc -l 1234
By doing this we have started a listening port of 1234 (this can be any port # that is not in use) and upon a connection to echo our current password.
Now we need to open a second terminal connection to our level.

Step 4.
Open a second terminal window and connect to the level with: 
Host name is bandit.labs.overthewire.org 
User: bandit20
password: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Now just like our local test in step 2 we need to run our suconnect binary file to our open listening port of 1234 which is running in our first terminal window.
Type ./suconnect 1234
We get an output of:
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j this is our echoed password from the first terminal session we have running netcat in listening mode.
Password matches, sending next password and here we see the password matches and just like noted in the goal our next password is echoed back to our first terminal window. Now go back to our first open terminal window and you will see our next level password is displayed: gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr

Note: Another way to accomplish this level without opening two windows is to run our first window in the background with the ampersand symbol (&) at the end of our first command like so: echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | nc -l 1234 &
Using the ampersand at the end of a command tells it to be run in the back ground. We could then run our commands for the second terminal in our current terminal while our netcat listening port runs in the background.


 

Friday, December 12, 2014

Bandit Level 19 to Level 20

Run a program that changes your user id and then view a file.

Host name is bandit.labs.overthewire.org 
User: bandit19
password: IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

Goal: To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used to setuid binary.

Commands used for this level:
ls -l - List information about all the file's and use a long listing format.
file - determine file type
cat - used to view contents of a file.
cd - change directory

Step 1.
After logging in type ls
You will see bandit20-do

Step 2.
Let's see what kind of file it is.
Type file bandit20-do 
We see that it's a setuid ELF 32-bit LSB executable.

Step 3. 
Let's get more info on the file.
Type ls -l
We see this output for our file.

-rwsr-x---   1 bandit20 bandit19 7370 Nov 14 10:32 bandit20-do
We can break this down as follows:

  • -rwsr-x--- permissions
  • 1 : number of linked hard-links
  • bandit20: owner of the file
  • bandit19: to which group this file belongs to
  • 7370: size
  • Nov 14 10:32 modification/creation date and time
  • bandit20-do: file/directory name 
Permission are broken down into three octets. First octet ( -rws ) defines a permission for a file owner. In this case owner has read, write permissions, and s means that the 'sticky bit' (suid) is enabled, so this file will be executed with root permissions. Second part ( r-x ) defines read and execute permissions defined for a group. The last part ( --- ) defines nothing set for others ( everyone else ).

This means we, being user bandit19 can read and execute the file. Lets try running the file the way it is stated in the goal to see if we can find out how to use it to set our uid to bandit20.
Type ./bandit20-do  (the ./ in front means current directory)
We get an out put of :
 Run a command as another user.
  Example: ./bandit20-do id


Step 4.
Let's try running the command again with the example.
Type ./bandit20-do id
We get the output of:
uid=11019(bandit19) gid=11019(bandit19) euid=11020(bandit20) groups=11020(bandit20),11019(bandit19)

uid is user id
gid is group id
euid is effective user id
groups is groups it belongs to

euid is used for permission checks in Linux. We cant just change to any EUID unless we are root.
Here are the rules:
- Changing to SUID or RUID is always ok
- If you are root (UID 0), you can change to any UID. This will set both EUID,         RUID and SUID.
- Changing from root to any other UID
- RUID is set to according to your login.
- EUID is different from RUID only when running Set UID programs, like su

The point is that a Set UID program can switch between the UID of the user who invoked it (that would be us bandit19), and the owner of the executable (bandit20). Let's do one more thing and check the help info of the command.
Type ./bandit20-do --help
We get an output stating:
Set each NAME to VALUE in the environment and run COMMAND.

Step 5.
Let's run our bandit20-do with a cat command to where we are told the file is located (/etc/bandit_pass) and see if it let's us view the file.
Type ./bandit20-do cat /etc/bandit_pass
We are told that /etc/bandit_pass: Is a directory
Let's change to /etc/bandit_pass and see what the directory contains for files and pick what file we actually want to view.

Step 6.
Type cd /etc/bandit_pass
Then do an ls -l
It shows that bandit20 is the owner of the bandit20 file so let's go back to where our bandit20-do file is and run it again with bandit20 as our file to view. 

Step 7.
Type cd ~
Then type ./bandit20-do cat /etc/bandit_pass/bandit20 and we get our password for the next level: GbKksEFF4yrVs6il55v6gwY5aVje5f0j


Wednesday, December 10, 2014

Bandit Level 18 to Level 19

Logging in with ssh without having .bashrc run.
 
Host name is bandit.labs.overthewire.org 
User: bandit18
password: kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd

Goal: The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

Commands used for this level:
ssh - OpenSSH SSH client
/bin/sh - a way of launching an interactive shell usually bash

Step 1
Well when we try and login to this level the normal way we get immediately logged out, why because the .bashrc file has been edited to do this to us. .bashrc is a file normally read by interactive shells only and can be edited to affect how our interactive shell behaves. What we need to do is try logging in a different way so we avoid having the .bashrc file run.
What we can do is tell our ssh login to launch the Bourne again shell, also known as bash instead of the regular shell. Bash only reads from the /etc/profile, .bash_profile, .bash_login or .profile files, you can read about that here
We will tell ssh to launch the bash shell instead of logging directly into bandit18 user shell, which we know will launch that .bashrc file that logs us out. We can do this by adding /bin/sh command to our ssh login with our user info. Using /bin/sh is a standard way of launching the Bourne again shell (bash) when writing script files. Most scripts start with the hashbang (#!) followed by /bin/sh telling the script to first start the bash shell. Our login should be simple enough now that we know more.
We could just type ssh bandit18@bandit.labs.overthewire.org /bin/sh but we will not see a prompt because we are only requesting a port to connect to. What we can do is force a connection to a tty port with a -t added to ssh command.
Type ssh -t bandit18@bandit.labs.overthewire.org /bin/sh

Step 2.
We are now in and can check if we see the readme file with ls.
Type ls
We see the readme file so all we have to do is cat the file with cat readme and our password for the next level is displayed: IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

Bandit Level 16 to 17 and 18

Using a port scanning tool to find open ports and copying and using a private ssh key to connect to a server. Then level 18 comparing files for differences.
 
Host name is bandit.labs.overthewire.org 
User: bandit16
password: cluFn7wTiGryunymYOu4RcffSxQluehd

Goal: The password for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next password, the others will simply send back to you whatever you send to it.


Commands used for this level:
nmap - Network exploration tool and security / port scanner
echo - display a line of text
nc - arbitrary TCP and UDP connections and listens (nc is short for netcat)
openssl - OpenSSH SSH client (remote login program)
mkdir - make directories.
cd - change directory.
touch - change file timestamps
vim - Vi IMproved, a programmers text editor

Commands used for level 18:
ls - List information about the FILE's (the current directory by default).
diff - compare files line by line

Step 1.
First thing we need to do is find a way to scan ports in the given range from our goal. Linux has a tool for doing just that called nmap. Lets check the man page on nmap to see how it works and what it does.
Type man nmap

We see nmap is a port scanner and that is exactly the tool we need. If we read further down to SCAN TECHNIQUES section we see we have multiple options for scanning. We know that first we want to find what ports are open for a connection. We read that the sT option in this section is for connect so that looks good for our first option. We also need to select a range of ports to scan so if we read down further we see that the -p option will let us select specific ports to scan or a range even. We know we want to scan localhost and ports from 31000 to 32000 so lets put together our scan options. We will use nmap command for our port scanner tool with -sT to attempt a connection, send that to localhost with a port range of 31000-32000

Type nmap -sT localhost -p31000-32000
We see we have 5 ports open 31046, 31518, 31691, 31790, and 31960 all with unknown service. 

Step 2.
We now have 5 ports we can attempt to connect to and we know from our goal we need to find the port that speaks SSL. We also know that the wrong ports will simply echo back what we send them. Lets echo some text, pipe it to netcat like in level 14, and use localhost with the each port number to see what ports echo back our text and which ones give us an SSL response.
echo hello | nc localhost 31046

gives us our hello in return

echo hello | nc localhost 31518

gives us an SSL error

echo hello | nc localhost 31691

gives us our hello in return

echo hello | nc localhost 31790

gives us an SSL error

echo hello | nc localhost 31960

gives us our hello in return


Step 3.
We know know we have two ports that reply with an SSL error.
Let's hit those two ports with our password and our openssl tool like in level 15.
echo cluFn7wTiGryunymYOu4RcffSxQluehd | openssl s_client -quiet -connect localhost:31518
It looks like we have connected but it has replied our current password like the other ports so lets try the other SSL port.
echo cluFn7wTiGryunymYOu4RcffSxQluehd | openssl s_client -quiet -connect localhost:31790
We get a private RSA key in return instead of the password. Not exactly what we hoped for but we know what to do with the key from previous levels. 

Step 4.
Copy the RSA key, don't forget to get the whole thing including the header and footer of the key. Now we need to save this private key and do exactly what we did in level 13.
Lets create a directory under /tmp, create a file and save our key to it. We can then use ssh to send that key to the next level and get our password.
mkdir /tmp/yourname
cd /tmp/yourname
touch sshkey.private
vim sshkey.private
You are now in vim editor and can paste your copied key.
Press a first in vim to append the file. 
Now paste the copied key into the file. Once you've pasted the key press esc key to exit editing mode of vim and type :wq to write and quit the editor. If you want more info on moving around in vi editor cheack the man page on it. 

Step 5.
We can now do like we did in level 13 and use ssh to send the RSA privatekey to bandit17
ssh -i ./sshkey.private bandit17@localhost
We are asked if we want to continue and we need to type yes
We see we get an error stating; It is required that your private key files are NOT accessible by others. What we need to do is change the permission of our privatekey so it is not accessible by other users. We can use chmod to do that. 

Step 6.
Lets read some about chmod options here.
We know we need to only allow us, the owner of the file to read and write to it and after reading the above link we see that chmod 600 will do that.
chmod 600 sshkey.private
Now do a ls -la to view read write permissions of our file.

Step 7.
Let's try sending our privatekey again.
ssh -i ./sshkey.private bandit17@localhost
We are now into level 17 but we do not have a password for the level so we need to get level 18 password.

Level 17 to 18

Compare two files and find the difference.

Goal: There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new

Commands used in this level:
ls - List information about the FILE's (the current directory by default).
diff - compare files line by line

Step 1.
We need to compare the two files and find the different line between the two files. We can use the diff command to do that. Let's check the man page of diff.
Type man diff
We see that diff will compare files line by line and that is our exact goal.
Type diff passwords.old passwords.new
We get the below output: 
< BS8bqB1kqkinKJjuxL6k072Qq9NRwQpR
---
> kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
Looks like we have two options for passwords so lets try them on level 18.
Try the first one and it doesn't work but the second password does and we have our password for level 18: kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd