7 minutes
Bandit (10 -> 20)
Info ¶
From the OverTheWire website:
The wargames offered by the OverTheWire community can help you to learn and practice security concepts in the form of fun-filled games.
~ OverTheWire.org
Bandit ¶
Bandit is the first series of challenges and it’s recommended to start with these.
The Bandit wargame is aimed at absolute beginners. It will teach the basics needed to be able to play other wargames.
~ OverTheWire.org
Make sure you following along on the website to get more info on the goal of the challenges and the skills that you’ll learn from them.
Always first try to do a challenge yourself.
You’ll learn more and might find methodologies or techniques that work better for you.
This write-up contains the solution of levels 10 to 20.
Need to go back for levels 0 to 10?
Level 10 -> 11 ¶
Connect with the OverTheWire infrastructure using the credentials retrieved in the previous level.
$ ssh bandit10@bandit.labs.overthewire.org -p 2220
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit10@bandit.labs.overthewire.org's password:
bandit10@bandit:~$ base64 -d data.txt
The password is IF##########PR
Level 11 -> Level 12 ¶
This is basically ROT13. So to “reverse” this, we need to apply another round of ROT13 to the data.
bandit11@bandit:~$ cat data.txt | tr 'a-zA-Z' 'n-za-mN-ZA-N'
The password is 5T##########Uu
Level 12 -> Level 13 ¶
As suggested by the level description, we first copy the data.txt file to a folder in /tmp/ where we can create and move files.
bandit12@bandit:~$ mkdir /tmp/sequr
bandit12@bandit:~$ cd /tmp/sequr
bandit12@bandit:/tmp/sequr$ cp ~/data.txt .
data.txt contains a hexdump, which we can easily confirm.
bandit12@bandit:/tmp/sequr$ head data.txt
00000000: 1f8b 0808 d7d2 c55b 0203 6461 7461 322e .......[..data2.
00000010: 6269 6e00 013c 02c3 fd42 5a68 3931 4159 bin..<...BZh91AY
00000020: 2653 591d aae5 9800 001b ffff de7f 7fff &SY.............
Reverse the hexdump, which gives us a gzip compressed container.
bandit12@bandit:/tmp/sequr$ xxd -r data.txt > data-dedumped
bandit12@bandit:/tmp/sequr$ file data-dedumped
data-dedumped: gzip compressed data, was "data2.bin", last modified: Tue Oct 16 12:00:23 2018, max compres
sion, from Unix
Decompress to get a bzip2 compressed container.
bandit12@bandit:/tmp/sequr$ mv data-dedumped data.gz
bandit12@bandit:/tmp/sequr$ gunzip data.gz
bandit12@bandit:/tmp/sequr$ file data
data: bzip2 compressed data, block size = 900k
Decompress again (gzip).
bandit12@bandit:/tmp/sequr$ bzip2 -d data
bzip2: Can't guess original name for data -- using data.out
bandit12@bandit:/tmp/sequr$ file data.out
data.out: gzip compressed data, was "data4.bin", last modified: Tue Oct 16 12:00:23 2018, max compression, from Unix
bandit12@bandit:/tmp/sequr$ mv data.out data.gz
bandit12@bandit:/tmp/sequr$ gunzip data.gz
bandit12@bandit:/tmp/sequr$ file data
bandit12@bandit:/tmp/sequr$ mv data data.tar
bandit12@bandit:/tmp/sequr$ tar -xf data.tar
bandit12@bandit:/tmp/sequr$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@bandit:/tmp/sequr$ tar -xf data5.bin
bandit12@bandit:/tmp/sequr$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/sequr$ bzip2 -d data6.bin
bzip2: Can't guess original name for data6.bin -- using data6.bin.out
bandit12@bandit:/tmp/sequr$ file data6.bin.out
data6.bin.out: POSIX tar archive (GNU)
bandit12@bandit:/tmp/sequr$ tar -xf data6.bin.out
bandit12@bandit:/tmp/sequr$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", last modified: Tue Oct 16 12:00:23 2018, max compression, from Unix
bandit12@bandit:/tmp/sequr$ mv data8.{bin,gz}
bandit12@bandit:/tmp/sequr$ gzip -d data8.gz
bandit12@bandit:/tmp/sequr$ file data8
data8: ASCII text
bandit12@bandit:/tmp/sequr$ cat data8
The password is 8Z##########YL
Should have automated this somehow …
Level 13 -> Level 14 ¶
We get a private SSH key for bandit14. So copy this to your local system.
bandit13@bandit:~$ cat sshkey.private
-----BEGIN RSA PRIVATE KEY-----
[...]
Make sure you set the permissions right (i.e. only the owner should be able to read it), otherwise OpenSSH will refuse to use your key.
$ chmod 600 bandit14_ssh.private
$ ssh -i bandit14_ssh.private bandit14@bandit.labs.overthewire.org -p 2220
bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
4w##########3e
Level 14 -> Level 15 ¶
We can use netcat (nc) to openen a network connection to a specific port.
Once the connection is opened, we enter the required data. The server then responds with the next level’s password.
bandit14@bandit:~$ nc localhost 30000
4w##########3e
Correct!
Bf##########xNr
Level 15 -> Level 16 ¶
Since the service on this port uses SSL encryption, we’ll need to use a client that’s capable of setting up such a connection. OpenSSL provides such a client.
bandit14@bandit:~$ openssl s_client -connect localhost:30001
CONNECTED(00000003)
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
---
[...]
Extended master secret: yes
---
Bf##########Nr
Correct!
cl##########hd
closed
Level 16 -> Level 17 ¶
First get the open ports
bandit14@bandit:~$ nmap -v -p 31000-32000 --open localhost
[...]
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00021s latency).
Not shown: 999 closed ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
31518/tcp open unknown
31790/tcp open unknown
Then check the services they are running.
Note: you could actually immediately add the service scan (-sV) to the first scan.
bandit14@bandit:~$ nmap -v -sV -p 31518,31790 localhost
[...]
Host is up (0.00023s latency).
Not shown: 999 closed ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
31518/tcp open ssl/echo
31790/tcp open ssl/unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port31790-TCP:V=7.40%T=SSL%I=7%D=1/9%Time=5E17044C%P=x86_64-pc-linux-gn
SF:u%r(GenericLines,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20cur
SF:rent\x20password\n")%r(GetRequest,31,"Wrong!\x20Please\x20enter\x20the\
[...]
Port 31518 is running the echo service, which basically just returns whatever you send to it (hence: echo).
Port 31790 is running a SSL service nmap doesn’t recognize (it failed to grab a banner and/or didn’t recognize it). In the output you can see the “fail” strings which are returned if you send it an incorrect password.
Connect using openssl again. This time we get a SSH private key back.
bandit14@bandit:~$ openssl s_client -connect localhost:31790
CONNECTED(00000003)
depth=0 CN = localhost
[...]
---
cl##########hd
Correct!
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
[...]
vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
-----END RSA PRIVATE KEY-----
closed
Level 17 -> Level 18 ¶
First connect using the private key from the last level.
$ ssh -i bandit17_ssh.private bandit17@bandit.labs.overthewire.org -p 2220
We need to find the line that is _diff_erent between the two files.
Lines starting with a < are present in FILE1 but not in FILE2.
Lines starting with a > are present in FILE2 but not in FILE1.
bandit17@bandit:~$ diff passwords.old passwords.new
42c42
< hlbSBPAWJmL6WFDb06gpTx1pPButblOA
---
> kf##########Yd
Level 18 -> Level 19 ¶
Notice the note at the previous level:
NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19
~ OverTheWire.org
This is exactly what happens when we try to SSH to the lab as bandit18.
$ ssh bandit18@bandit.labs.overthewire.org -p 2220
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
[...]
Enjoy your stay!
Byebye !
Connection to bandit.labs.overthewire.org closed.
The level’s description mentions that someone modified the .bashrc file to automatically log us out of a SSH connection..bashrc is a configuration file used by the Bash shell, which is the default shell on many systems.
Let’s ignore .bashrc by not using Bash as our shell. Let’s use regular shell instead.
Note that we don’t get the usual Prompt String (PS1) showing our username and path. However, we are still connected to the system and can execute commands.
$ ssh bandit18@bandit.labs.overthewire.org -p 2220 /bin/sh
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit18@bandit.labs.overthewire.org's password:
ls # command
readme # output
cat readme # command
Iu##########5x # output
An alternative would’ve been not to connect interactively, but use something like SCP (Secure File Copy), which is like FTP (File Transfer Protocol) but over Secure Shell (SSH). However, this level states that you should be able to finish it by only using SSH, ls and cat.
$ scp -P 2220 bandit18@bandit.labs.overthewire.org:readme ./
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit18@bandit.labs.overthewire.org's password:
readme 100% 33 1.2KB/s 00:00
$ cat readme
Iu##########5x
Level 19 -> Level 20 ¶
A setuid binary executes within the context of the user defined by the setuid. As such we can access a file which can only be read by bandit20 as the setuid binary executes under the privileges of that user.
This binary simply executes the commands passed as parameter, so we simply print the content of the password file.
bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
Gb##########0j