Saturday, December 22, 2012

Wargames - Bandit

Time for some wargames. Bandit is the absolute beginner of beginner machines hosted on overthewire.org's wargame servers(http://www.overthewire.org/wargames/bandit/). But, it seems like a fun way to brush up on the basics of linux cli usage and port scanning, so I will go through them all here in this post. I'm not going to dump passwords here though(unless there are like a ton of requests), so you'll have to play though these yourself. Use the man pages as needed if this stuff is new to you. This stuff really will be second nature on future machines.

Level 1: cat the file in the current directory. GG.

Level 2: cat ./- . GG     (that's "cat dot-slash-dash"). The reason being that if you give simply "cat -", the cat program will think you are trying to pass it an option. Similarly, attempting to escape the '-' with slashes or quotes or anything of that nature won't work, as bash will simply strip those before passing the '-' to cat, which will still fail. Specifying the current directory is the best way to go

Level 3: cat plus tab auto completion. Or just backslash to escape the spaces. GG. I never said this article would actually be exciting:)

Level 4: cd into the inhere dir and ls -a to view hidden files. cat the hidden file. GG.

Level 5: cat ./-file0* to wild card and cat all the files at once. There's a pretty obvious password in there somewhere. Alternatively, you could use find with the option to specify an ascii file. Or to filter out binary(not-human readable) files as well.

Level 6: Now I actually have to man find to make this easier. I will search by the size option, and the command find -size 1033c gives the filename to cat.

Level 7: After reading the description I figure it's probably best to use a combination of find and grep. So, going once again off of the size of the file, I try the command find / -size 33c | grep 'bandit7'
which will, starting from the root of the server, find all files of size 33 bytes and then filter them by ones that have the string 'bandit7'. There are probably better ways, such as passing a group name parameter to find instead, but this works. Look though the output of that command, the file that you need to cat is in there somewhere.

Level 8: I bothered with a couple of man pages for sorting options...finally I just cat data.txt | grep "millionth". GG.

Level 9: After a couple of man page visits, uniq -u seems like the command I want to use, but running it directly on data.txt doesn't yield the expected results. Turns out uniq -u works only over a sorted list, at least in this context. Thus, sort it first and pipe it into uniq. Thus, the command is sort data.txt | uniq -u. Victory.

Level 10: Trying to cat the file through grep '=' returns some complaint about a binary file. Easy, just use strings data.txt to find all ascii strings in the binary file. GG

Level 11: base64 -d data.txt aaaaaaand we're off. GG

Level 12: ohhhh, ciphertext(the Krypton wargames will be better, I promise). I simply used a lookup table to reverse it by hand. Writing a basic program to perform the conversion would've been cake of course, but eh, sometimes it's fun to break these things by hand and pretend you are at Bletchley Park or something. Just remember, in 13ROT the "encryption" algo is it's own inverse. And leave the numbers as is.

Level 13: Lot's of stupidity in reversing the hexdump, and then uncompressing over and over. If you are motivated, have at it. If you just want to move on, as you don't really learn anything here, then here ya go: 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

Level 14: The basics of public key cryptography are something you should consider looking into briefly if you are not acquainted with it already. It's not necessary to beat this level or anything, but it's a very interesting bit of cs nonetheless. Anyways, here I have an ssh private key and want to log into bandit14. man ssh reveals the -i option, which enables one to specify a key file in lieu of a password at login. Since I'm already ssh'd into bandit as bandit13, I simply type: ssh -i sshkey.private bandit14@localhost, which beats the level. Alternatively, you could've used something like scp to copy the key file to your own machine, then ssh in from there, that way you wouldn't have to use localhost...not that it matters.

Level 15: Here I simply use a network utility to connect to a port on bandit, which in this case must be localhost. That is, you must already be ssh'd into bandit for this to work. I use netcat to bind to port 3000, with nc localhost 3000, then I simply past the level14 password after the connection is made, and it will dump the level15 password.

Level 16: In order to obtain the level16 password, I have to connect to port 30001 of localhost, which is expecting an ssl communication. The easiest way to establish this is using the openssl tool with the s_client option, which basically creates a simple ssl client, good enough for our purposes here.
openssl s_client -host localhost -port 30001
After some connection info flashes down the screen, I simply past the level15 password.

Level 17: This level was actually quite a bit of fun. First, start by man'ing nmap to get a feel for how port scanning works. From there, the command I execute is along the lines of: nmap -A -T4 -p31000-32000 localhost

Which dumps a list of 5 or so open ports. Several of which are running an echo client, so those can safely be ignored. There are two ports that appears to be running something that speaks ssl, so try connecting to those using the technique from level 16. Eventually, there is a dump of an RSA private key, so we now use the technique from level 14, copy this RSA key into a file in the /tmp directory, chmod it so that is has restricted permissions(say, chmod 700), and then ssh -i path_to_your_temp_file bandit17@localhost.

Once in, I dump the password from /etc/bandit_pass/bandit17, which looks like: xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn

Level 18: Simply diff the two files to print the line where they diverge.
kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd

Level 19: .bashrc is modified to log us out whenever we ssh in...so hell with bash, let's specify /bin/sh as our login shell.
ssh bandit18@bandit.labs.overthewire.org /bin/sh
then cat the readme file. GG.
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

Level 20: The binary sitting in the current directory is setuid, which is something you should look into a bit if you are not familiar with it, as it is used a lot in several wargame simulations. The basic idea is that in a setuid program, you usually "run" as a more privileged user, so if you can take control of that program and say, spawn a shell, then you now own that user. Anyways, this one is far less glamorous. A simple strings lev_20_binary_file reveals an example string. It looks as though the program executes whatever program you give to it. So, predictably, I give "/bin/sh" and drop to a shell as bandit20. Simply cat the password file from here. Note use /bin/sh and not /bin/bash, as bash will drop effective setuid privileges. That is a very, very important fact to remember.
GbKksEFF4yrVs6il55v6gwY5aVje5f0j

Level 21: Simple netcat shenanigans. You will need 2 ssh sessions to pull off this level. Simply ssh in as bandit20 on one and open a listening netcat port via: nc -l localhost port#
then, from your other level20, simply connect to that port via: ./suconnect port#
now they are connected, so go back to the original nc instance(the one you used to open the port), and paste the level20 password, then hit enter to send it. You will receive the level21 password in return.
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr

Level 22: Looking at the cronjob, it appears to be executing the file /usr/bin/cronjob_bandit22. Upon cat'ing that file, it appears to be writing the contents of the level22 password into a file in the /tmp directory. Simply cat that file. GG
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

Level 23: Simply find the file the cron job is executing under /usr/bin. From there, simply copy the echo | md5 | cut command into a different shell, and run it with the $mytarget variable set to bandit23. This will produce an md5 digest, which you then append to /tmp and cat to read the password.
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n

Level 24:Here the level24 cronjob is simply set to execute every file in the /var/spool/bandit24 directory. Predictably, this runs with level24 permissions, so if we can simply write a script that cat's the bandit24 password file into a place where we can read it, then we've won.
In order to do this, use the steps from the previous 2 levels to find where the cronjob is, and which program it is executing. Then, begin by writing a shell script in the /var/spool/bandit24 directory. Something like the following should do the trick:
#!/bin/bash
mkdir /tmp/saitou/lev24.txt
cat /etc/bandit_pass/bandit24 > /tmp/saitou/lev24.txt

Once the cron job runs, you'll have a lovely, although somewhat worthless(as level25 does not exist at the time of this writing) password for user bandit24 sitting in /tmp/saitou/lev24.txt.
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

That's it for bandit. Hardly a harrowing experience. But still, it was nice to relearn some of the basics of port scanning and whatnot. Future wargames will be considerably more hackish I am thinking. I will probably go after Behemoth next, or maybe either Semtex or Vortex. Krypton or Maze will be thrown in for good measure at some point. Ja mata...

In the name of Turing
-G3n3s1s