Browse Category

Write-ups

OverTheWire: Bandit Level 21 to Level 22

Level goal: A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed

This level is very simple, as hinted by the clue, just navigate to the /etc/cron.d directory and look for the files, you will noticed the cronjob_bandit22 files.

When opened to view the content of the cronjob, it seems that the job basically triggers a script located at /usr/bin/cronjob_bandit22.sh

bandit21_3

To more accurately grep the files and read its content, we can perform the following grep,

ls -l | grep cronjob

Below are the list of files.

bandit21_2

Since cronjob_bandit22.sh is the only file which is related to this level, let’s view its content.

bandit21@melinda:/usr/bin$ cat cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

Now we know that the password is stored in the /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

bandit21_3

bandit21@melinda:/usr/bin$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

The password to gain access to the next level is Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI.

OverTheWire: Bandit Level 20 to Level 21

Level goal: There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: To beat this level, you need to login twice: once to run the setuid command, and once to start a network daemon to which the setuid will connect.

NOTE 2: Try connecting to your own network daemon to see if it works as you think

 

In this level, basically we need to setup a listener service to listen on any port, and then use the binary submit this level’s password to it. If It is correct, it will provide the password to the next level.

First, let’s check what are the ports opened.

bandit20_1

Now you setup your own listener which echo the current level password when any clients connected.

bandit20_2

Now you setup another terminal and try to check if the service is there (of course it will be there) and perform testing by trying to connect,

bandit20_3

Notice that nmap port scan has detected the service at port 60000 which you have set up in the other terminal? Now, use the suconnect binary to establish connectivity to port 60000

bandit20_4

Password matches, now the next password is sent to the server listener.

bandit20_6

The password to gain access to the next level is gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr.

OverTheWire: Bandit Level 19 to Level 20

bandit19_1

Level goal: To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used to setuid binary.

In this level, we will be working on a file which has its setuid set.

bandit19@melinda:~$ file bandit20-do
bandit20-do: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=08e74b8e092a91103efaab7916d75f08b887ab4d, not stripped

It’s interesting because it allows us to run a command or do anything as bandit20.

bandit19@melinda:~$ ./bandit20-do
Run a command as another user.
Example: ./bandit20-do id
bandit19@melinda:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j

bandit19_2

The password to gain access to the next level is GbKksEFF4yrVs6il55v6gwY5aVje5f0j.

OverTheWire: Bandit Level 18 to Level 19

bandit18_1

Level goal: The password for the next level is stored in a file readme in the home directory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

In this level, we need to connect using the ssh -t. The -t parameter basically opens a pseudo-tty within the session, with output in the same screen. The ssh session closes when the command completes. This way, you can quickly run a command before the connectivity closes and kicks you out with a “Byebye!”.

bandit17@melinda:~$ ssh -t bandit18@localhost cat readme
 The authenticity of host 'localhost (127.0.0.1)' can't be established.
 ECDSA key fingerprint is 05:3a:1c:25:35:0a:ed:2f:cd:87:1c:f6:fe:69:e4:f6.
 {... REMOVED ...}
 Permissions 0640 for '/home/bandit17/.ssh/id_rsa' are too open.
 It is required that your private key files are NOT accessible by others.
 This private key will be ignored.
 bad permissions: ignore key: /home/bandit17/.ssh/id_rsa
 bandit18@localhost's password:
 readme
 Connection to localhost closed.

Next, we run the same commands to check what is in the “readme” file.

bandit18@localhost's password:
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
Connection to localhost closed.

The password to gain access to the next level is IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x.

OverTheWire: Bandit Level 17 to Level 18

bandit17_1

Level goal: There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.newand is the only line that has been changed between passwords.old and passwords.new

NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19.

Here you see 2 password files. As the hint goes, New vs Old, the first thing to come to mind is to perform the diff function.

bandit17@melinda:~$ diff passwords.new passwords.old
42c42
< kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
---
> BS8bqB1kqkinKJjuxL6k072Qq9NRwQpR

The password is kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd. To verify whether this is the correct password, we will follow the hint, which is to try to connect to bandit18 and see if we see the “Byebye!” message.

bandit17_2

The password to gain access to the next level is kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd.