Walk-through guide with examples for the OverTheWire Bandit game
Needs: Web browser + puTTY
User/Pass: bandit0 Connect: bandit.labs.overthewire.org
Needs: Notepad (for storing found passwords)
Needs: Web browser (for searching for information)
maybehere07/.file2
File properties: owned by bandit7
(user) & bandit6
(group) and 33 bytes in size
find / -type f -size 33c -exec ls -lh {} \; 2>/dev/null
Pass: /var/lib/dpkg/info/bandit7.password
(Odd note: -perm
)
Needs: Pipes & Redirects
grep "millionth" data.txt
Password is in data.txt
- only line that occurs once
sort data.txt | uniq -u
Password is in data.txt
- one of few human readable
- beginning with serveral "=" characters
strings data.txt | grep "="
Password is in data.txt
- contains base64 encoded data
base64 -d data.txt
Password is in data.txt
- all lowercase (a-z) & uppercase (A-Z) letters rotates by 13 positions
ROT13 ==
[A-Z]
->[N-ZA-M]
tr [a-z] [n-za-m] < data.txt | tr [A-Z] [N-ZA-M]
OR
tr [a-zA-Z] [n-za-mN-ZA-M] < data.txt
Password is in data.txt
- hexdump of a file that has been repeatedly compressed
Hint: create
/tmp
directory,cp
file and rename - Read
hexdump
on wikipedia
itOS - 67 bytes
hexdump -n 8 -c
Use the above code to look for a magic number at the start of the file
Use 'file
' to check compression information
Password stored in /etc/bandit_pass/bandit14
- Only readable by
bandit14
Note: Aim to get private SSH key
- localhost is hostname
ssh -i sshkey.private -l bandit14 localhost
Password retrieved by submitting level 14 password to port 30000 on localhost
telnet localhost 30000
- pass level 14 password
Password retrieved by submitting level 15 password to port 30001 on localhost using SSL encryption
Note: Use -quiet
and read "Connected Commands"
openssl s_client -connect localhost:30001
Nota Bene: Can not start line with 'R
', 'Q
', or 'B
' because the connection will be closed
- Add space to start
Password retrieved by submitting level 16 password to port on localhost in range of 31000 to 32000
- Find ports that are listening
- Find which do/don't do SSL Note: Only 1 server will give next password, others parrot what is sent
nmap -A -p31000-32000 localhost
Ports | Service |
---|---|
31046 | echo |
31518 | msdtc <- SSL <- echos |
31691 | echo |
31790 | msdtc <- SSL |
31960 | echo |
(Get RAS private key)
Use ssh from level 16 using RSA key
Note: chmod 600 id_rsa
ssh -i id_rsa -l bandit17 localhost
sdiff -s passwords.new passwords.old
Note: .bashrc
modified to log me out when logging in with SSH
- Due to level 19
ssh -l bandit18 localhost cat readme
- The command run after connecting is
cat readme
- Could use '
-t
' to then open/bin/sh
to get terminal
Use setuid
binary in home directoy
Password can be found in /etc/bandit_pass
after having used the setuid
binary
./bandit20-do cat /etc/bandit_pass/bandit20
setuid
binary in the home directory
- makes connection to localhost on port specified as commandline argument
- then reads line to text from connection & compares it to password in previous level (
bandit20
) - if password correct, transmits pass for
bandit21
Note: Need to login twice
- Run
setuid
command - Start network daemon to which
setuid
will connect
Note: Try connecting to own network daemon to see how it orks
Port: 4312 Service: rwhois (interesting)
./suconnect < $(nc -l 4828)
Send: cat /etc/bandit_pass/bandit20 | nc localhost 4828
Echo with ncat
ncat -b -l -p 4828 -c 'while true; do echo $(cat /etc/bandit_pass/bandit20); done'
nc -l 4828
+$ bandit pass lvl20
./suconnect 4828
cron job
; examine /etc/cron.d
Note: Examine who has owner/group privilege for what files
test
- check file types and compare values
-x FILE
=> FILE exists & execute (or search) permission is granted
test -x /usr/sbin/cron-apt && /usr/sbin/cron-apt /etc/cron-apt/config2
- Does not go anywhere
/usr/bin/cronjob_bandit22.sh &> /dev/null
- Shows cat of pass to temp file
cron job
; examine /etc/cron.d/
Examine /etc/cron.d/cronjob_bandit23
/usr/bin/cronjob_bandit23.sh &> /dev/null
$(echo I am user bandit23 | md5sum | cut -d' ' -f 1)
- file name for tmp file that holds
bandit23
password
cron job
; examine /etc/cron.d/
Note: Will need to write own shell-script
- Nota Bene: Shell script removed once executed, therefore keep copy around
Examine /etc/cron.d/cronjob_bandit24
/usr/bind/cronjob_bandit24.sh &> /dev/null
- Executes & deletes al scripts in
/var/spool/$(whoami)
for file in *
- Bash performs filename expansion on epxressions that globbing recognizes
If the
[list]
in a for loop contains wild card (* and ?) used in filename expression, then globbing takes place Note: Strings containing * will not match filenames that start with a dot - The "*" in the previous for loop expands into a list of all files in the current directory
Note: There is no /var/spool/bandit23
BUT there is a /var/spool/bandit24
- How to run as
bandit24
???
#!/bin/bash
cat /etc/bandit_pass/bandit24 > /home/bandit23/pass.txt
(If not make file with password as name
&>
redirects both stdout
& stderr
Nota Bene: Cronjob is able to write to /tmp/
not able for bandit23
owned directories
Port listening on 30002 and will give you password for bandit25
- Need to give
bandit24pass
+ 4 digit code
Note: No way to retrieve passcode, needs to brute-force
Most likely needs script to attempt all 10,000 combinations (separate passbandit24 & passcode by space)
Use modifiers? - "%#04d
"
Use seq
command
-w
flag - equalize width by padding with leading zeros
Make the following in /tmp/
#!/bin/bash
B24PASS=$(echo "bandit24pass")
for i in $(seq -w 9999); do
echo "$B24PASS $i" | nc localhost 30002
done
scriptRun | nc localhost 30002 > localfile.txt
- Then look through for bandit25 pass???
Need to determine shell used by bandit26
- Not
/bin/bash
Note: Figure out how to log onto shell via ssh
Idea: Look through /etc/passwd
(password) file to determine shell attached to user bandit26
- bandit26 ->
/usr/bind/showtext
/usr/bin/showtext
calls more
on file ~/text.txt
- uses
#!/bin/sh
<= different shell**!!!**
- Get more in a restricted window (e.g. get the
--More--
) - Press the '
h
' key to enter the help menu - Use
!<cmd>
or:!<cmd>
to execute<cmd>
in subshell- Try
cat /etc/bandit_pass/bandit26
- Try
[ ] Attempt to write to /tmp/
file??
- Failed
- Press '
v
' to open an editor - Use
:r /etc/bandit_pass/bandit26
- Password should now appear on the current line in the editor
- Essentially replacing the current line with the contents of
/etc/bandit_pass/bandit26
- Essentially replacing the current line with the contents of
At this moment level 27 does not exist