Time for some wargames. Bandit is the absolute beginner of beginner
machines hosted on overthewire.org's wargame
servers(http://www.overthewire.org/wargames/bandit/). But, it seems like
a fun way to brush up on the basics of linux cli usage and port
scanning, so I will go through them all here in this post. I'm not going
to dump passwords here though(unless there are like a ton of requests),
so you'll have to play though these yourself. Use the man pages as
needed if this stuff is new to you. This stuff really will be second
nature on future machines.
Level 1: cat the file in the current directory. GG.
Level
2: cat ./- . GG (that's "cat dot-slash-dash"). The reason being
that if you give simply "cat -", the cat program will think you are
trying to pass it an option. Similarly, attempting to escape the '-'
with slashes or quotes or anything of that nature won't work, as bash
will simply strip those before passing the '-' to cat, which will still
fail. Specifying the current directory is the best way to go
Level
3: cat plus tab auto completion. Or just backslash to escape the
spaces. GG. I never said this article would actually be exciting:)
Level 4: cd into the inhere dir and ls -a to view hidden files. cat the hidden file. GG.
Level
5: cat ./-file0* to wild card and cat all the files at once. There's a
pretty obvious password in there somewhere. Alternatively, you could use
find with the option to specify an ascii file. Or to filter out
binary(not-human readable) files as well.
Level 6: Now I
actually have to man find to make this easier. I will search by the
size option, and the command find -size 1033c gives the filename to cat.
Level
7: After reading the description I figure it's probably best to use a
combination of find and grep. So, going once again off of the size of
the file, I try the command find / -size 33c | grep 'bandit7'
which
will, starting from the root of the server, find all files of size 33
bytes and then filter them by ones that have the string 'bandit7'. There
are probably better ways, such as passing a group name parameter to
find instead, but this works. Look though the output of that command,
the file that you need to cat is in there somewhere.
Level 8: I bothered with a couple of man pages for sorting options...finally I just cat data.txt | grep "millionth". GG.
Level
9: After a couple of man page visits, uniq -u seems like the command I
want to use, but running it directly on data.txt doesn't yield the
expected results. Turns out uniq -u works only over a sorted list, at
least in this context. Thus, sort it first and pipe it into uniq. Thus,
the command is sort data.txt | uniq -u. Victory.
Level
10: Trying to cat the file through grep '=' returns some complaint about
a binary file. Easy, just use strings data.txt to find all ascii
strings in the binary file. GG
Level 11: base64 -d data.txt aaaaaaand we're off. GG
Level
12: ohhhh, ciphertext(the Krypton wargames will be better, I promise). I
simply used a lookup table to reverse it by hand. Writing a basic
program to perform the conversion would've been cake of course, but eh,
sometimes it's fun to break these things by hand and pretend you are at
Bletchley Park or something. Just remember, in 13ROT the "encryption"
algo is it's own inverse. And leave the numbers as is.
Level
13: Lot's of stupidity in reversing the hexdump, and then uncompressing
over and over. If you are motivated, have at it. If you just want to
move on, as you don't really learn anything here, then here ya go:
8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
Level 14: The basics
of public key cryptography are something you should consider looking
into briefly if you are not acquainted with it already. It's not
necessary to beat this level or anything, but it's a very interesting
bit of cs nonetheless. Anyways, here I have an ssh private key and want
to log into bandit14. man ssh reveals the -i option, which enables one
to specify a key file in lieu of a password at login. Since I'm already
ssh'd into bandit as bandit13, I simply type: ssh -i sshkey.private
bandit14@localhost, which beats the level. Alternatively, you could've
used something like scp to copy the key file to your own machine, then
ssh in from there, that way you wouldn't have to use localhost...not
that it matters.
Level 15: Here I simply use a network
utility to connect to a port on bandit, which in this case must be
localhost. That is, you must already be ssh'd into bandit for this to
work. I use netcat to bind to port 3000, with nc localhost 3000, then I
simply past the level14 password after the connection is made, and it
will dump the level15 password.
Level 16: In order to
obtain the level16 password, I have to connect to port 30001 of
localhost, which is expecting an ssl communication. The easiest way to
establish this is using the openssl tool with the s_client option, which
basically creates a simple ssl client, good enough for our purposes
here.
openssl s_client -host localhost -port 30001
After some connection info flashes down the screen, I simply past the level15 password.
Level
17: This level was actually quite a bit of fun. First, start by man'ing
nmap to get a feel for how port scanning works. From there, the command
I execute is along the lines of: nmap -A -T4 -p31000-32000 localhost
Which
dumps a list of 5 or so open ports. Several of which are running an
echo client, so those can safely be ignored. There are two ports that
appears to be running something that speaks ssl, so try connecting to
those using the technique from level 16. Eventually, there is a dump of
an RSA private key, so we now use the technique from level 14, copy this
RSA key into a file in the /tmp directory, chmod it so that is has
restricted permissions(say, chmod 700), and then ssh -i
path_to_your_temp_file bandit17@localhost.
Once in, I dump the password from /etc/bandit_pass/bandit17, which looks like: xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn
Level 18: Simply diff the two files to print the line where they diverge.
kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
Level 19: .bashrc is modified to log us out whenever we ssh in...so hell with bash, let's specify /bin/sh as our login shell.
ssh bandit18@bandit.labs.overthewire.org /bin/sh
then cat the readme file. GG.
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
Level 20: The binary sitting in the current directory is setuid, which is something you should look into a bit if you are not familiar with it, as it is used a lot in several wargame simulations. The basic idea is that in a setuid program, you usually "run" as a more privileged user, so if you can take control of that program and say, spawn a shell, then you now own that user. Anyways, this one is far less glamorous. A simple strings lev_20_binary_file reveals an example string. It looks as though the program executes whatever program you give to it. So, predictably, I give "/bin/sh" and drop to a shell as bandit20. Simply cat the password file from here. Note use /bin/sh and not /bin/bash, as bash will drop effective setuid privileges. That is a very, very important fact to remember.
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Level 21: Simple netcat shenanigans. You will need 2 ssh sessions to pull off this level. Simply ssh in as bandit20 on one and open a listening netcat port via: nc -l localhost port#
then, from your other level20, simply connect to that port via: ./suconnect port#
now they are connected, so go back to the original nc instance(the one you used to open the port), and paste the level20 password, then hit enter to send it. You will receive the level21 password in return.
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
Level 22: Looking at the cronjob, it appears to be executing the file /usr/bin/cronjob_bandit22. Upon cat'ing that file, it appears to be writing the contents of the level22 password into a file in the /tmp directory. Simply cat that file. GG
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
Level 23: Simply find the file the cron job is executing under /usr/bin. From there, simply copy the echo | md5 | cut command into a different shell, and run it with the $mytarget variable set to bandit23. This will produce an md5 digest, which you then append to /tmp and cat to read the password.
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
Level 24:Here the level24 cronjob is simply set to execute every file in the /var/spool/bandit24 directory. Predictably, this runs with level24 permissions, so if we can simply write a script that cat's the bandit24 password file into a place where we can read it, then we've won.
In order to do this, use the steps from the previous 2 levels to find where the cronjob is, and which program it is executing. Then, begin by writing a shell script in the /var/spool/bandit24 directory. Something like the following should do the trick:
#!/bin/bash
mkdir /tmp/saitou/lev24.txt
cat /etc/bandit_pass/bandit24 > /tmp/saitou/lev24.txt
Once the cron job runs, you'll have a lovely, although somewhat worthless(as level25 does not exist at the time of this writing) password for user bandit24 sitting in /tmp/saitou/lev24.txt.
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
That's it for bandit. Hardly a harrowing experience. But still, it was nice to relearn some of the basics of port scanning and whatnot. Future wargames will be considerably more hackish I am thinking. I will probably go after Behemoth next, or maybe either Semtex or Vortex. Krypton or Maze will be thrown in for good measure at some point. Ja mata...
In the name of Turing
-G3n3s1s
