Browse Tag

unix

OverTheWire: Bandit Level 22 to Level 23

Level goal: A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints

bandit22_1

Like what we have done in the previous level, let’s navigate to the /etc/cron.d path and check the cronjob files.

Notice that cronjob_bandit23 is will be running the /usr/bin/cronjob_bandit23.sh script? Let’s view its content.

[email protected]:/etc/cron.d$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget

 

Yes, you have guessed correct. When this script is being run, it will write the currently logged-on user’s password into a file.

bandit22_2

The file name is basically a md5 hash of “echo I am user bandit22 | md5sum | cut –d ‘ ‘ –f 1”

Since we need the password of bandit23, let’s manually run the hash and use its hash as the directory name. The password might be there, provided that someone with the bandit23 credentials has already ran this script (they probably have).

bandit22_3

The password to gain access to the next level is jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n.

OverTheWire: Bandit Level 21 to Level 22

Level goal: A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed

This level is very simple, as hinted by the clue, just navigate to the /etc/cron.d directory and look for the files, you will noticed the cronjob_bandit22 files.

When opened to view the content of the cronjob, it seems that the job basically triggers a script located at /usr/bin/cronjob_bandit22.sh

bandit21_3

To more accurately grep the files and read its content, we can perform the following grep,

ls -l | grep cronjob

Below are the list of files.

bandit21_2

Since cronjob_bandit22.sh is the only file which is related to this level, let’s view its content.

[email protected]:/usr/bin$ cat cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

Now we know that the password is stored in the /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

bandit21_3

[email protected]:/usr/bin$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

The password to gain access to the next level is Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI.

OverTheWire: Bandit Level 20 to Level 21

Level goal: There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: To beat this level, you need to login twice: once to run the setuid command, and once to start a network daemon to which the setuid will connect.

NOTE 2: Try connecting to your own network daemon to see if it works as you think

 

In this level, basically we need to setup a listener service to listen on any port, and then use the binary submit this level’s password to it. If It is correct, it will provide the password to the next level.

First, let’s check what are the ports opened.

bandit20_1

Now you setup your own listener which echo the current level password when any clients connected.

bandit20_2

Now you setup another terminal and try to check if the service is there (of course it will be there) and perform testing by trying to connect,

bandit20_3

Notice that nmap port scan has detected the service at port 60000 which you have set up in the other terminal? Now, use the suconnect binary to establish connectivity to port 60000

bandit20_4

Password matches, now the next password is sent to the server listener.

bandit20_6

The password to gain access to the next level is gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr.

OverTheWire: Bandit Level 19 to Level 20

bandit19_1

Level goal: To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used to setuid binary.

In this level, we will be working on a file which has its setuid set.

[email protected]:~$ file bandit20-do
bandit20-do: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=08e74b8e092a91103efaab7916d75f08b887ab4d, not stripped

It’s interesting because it allows us to run a command or do anything as bandit20.

[email protected]:~$ ./bandit20-do
Run a command as another user.
Example: ./bandit20-do id
[email protected]:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j

bandit19_2

The password to gain access to the next level is GbKksEFF4yrVs6il55v6gwY5aVje5f0j.

OverTheWire: Bandit Level 18 to Level 19

bandit18_1

Level goal: The password for the next level is stored in a file readme in the home directory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

In this level, we need to connect using the ssh -t. The -t parameter basically opens a pseudo-tty within the session, with output in the same screen. The ssh session closes when the command completes. This way, you can quickly run a command before the connectivity closes and kicks you out with a “Byebye!”.

[email protected]:~$ ssh -t [email protected] cat readme
 The authenticity of host 'localhost (127.0.0.1)' can't be established.
 ECDSA key fingerprint is 05:3a:1c:25:35:0a:ed:2f:cd:87:1c:f6:fe:69:e4:f6.
 {... REMOVED ...}
 Permissions 0640 for '/home/bandit17/.ssh/id_rsa' are too open.
 It is required that your private key files are NOT accessible by others.
 This private key will be ignored.
 bad permissions: ignore key: /home/bandit17/.ssh/id_rsa
 [email protected]'s password:
 readme
 Connection to localhost closed.

Next, we run the same commands to check what is in the “readme” file.

[email protected]'s password:
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
Connection to localhost closed.

The password to gain access to the next level is IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x.