Level goal: There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: To beat this level, you need to login twice: once to run the setuid command, and once to start a network daemon to which the setuid will connect.

NOTE 2: Try connecting to your own network daemon to see if it works as you think

 

In this level, basically we need to setup a listener service to listen on any port, and then use the binary submit this level’s password to it. If It is correct, it will provide the password to the next level.

First, let’s check what are the ports opened.

Now you setup your own listener which echo the current level password when any clients connected.

Now you setup another terminal and try to check if the service is there (of course it will be there) and perform testing by trying to connect,

Notice that nmap port scan has detected the service at port 60000 which you have set up in the other terminal? Now, use the suconnect binary to establish connectivity to port 60000

Password matches, now the next password is sent to the server listener.

The password to gain access to the next level is gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr.

Level goal: To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used to setuid binary.

In this level, we will be working on a file which has its setuid set.

bandit19@melinda:~$ file bandit20-do
bandit20-do: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=08e74b8e092a91103efaab7916d75f08b887ab4d, not stripped

It’s interesting because it allows us to run a command or do anything as bandit20.

bandit19@melinda:~$ ./bandit20-do
Run a command as another user.
Example: ./bandit20-do id
bandit19@melinda:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j

The password to gain access to the next level is GbKksEFF4yrVs6il55v6gwY5aVje5f0j.

Level goal: The password for the next level is stored in a file readme in the home directory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

In this level, we need to connect using the ssh -t. The -t parameter basically opens a pseudo-tty within the session, with output in the same screen. The ssh session closes when the command completes. This way, you can quickly run a command before the connectivity closes and kicks you out with a “Byebye!”.

bandit17@melinda:~$ ssh -t bandit18@localhost cat readme
 The authenticity of host 'localhost (127.0.0.1)' can't be established.
 ECDSA key fingerprint is 05:3a:1c:25:35:0a:ed:2f:cd:87:1c:f6:fe:69:e4:f6.
 {... REMOVED ...}
 Permissions 0640 for '/home/bandit17/.ssh/id_rsa' are too open.
 It is required that your private key files are NOT accessible by others.
 This private key will be ignored.
 bad permissions: ignore key: /home/bandit17/.ssh/id_rsa
 bandit18@localhost's password:
 readme
 Connection to localhost closed.

Next, we run the same commands to check what is in the “readme” file.

bandit18@localhost's password:
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
Connection to localhost closed.

The password to gain access to the next level is IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x.

Level goal: There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.newand is the only line that has been changed between passwords.old and passwords.new

NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19.

Here you see 2 password files. As the hint goes, New vs Old, the first thing to come to mind is to perform the diff function.

bandit17@melinda:~$ diff passwords.new passwords.old
42c42
< kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
---
> BS8bqB1kqkinKJjuxL6k072Qq9NRwQpR

The password is kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd. To verify whether this is the correct password, we will follow the hint, which is to try to connect to bandit18 and see if we see the “Byebye!” message.

The password to gain access to the next level is kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd.

Level goal: The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it

This level require us to have basic understanding in port scanning and identifying the services. First, let’s perform a port scan to identify the open ports between the range of 31000 to 32000.

bandit16@melinda:~$ nmap localhost -p31000-32000

Starting Nmap 6.40 ( http://nmap.org ) at 2016-09-10 14:17 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00088s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
31046/tcp open unknown
31518/tcp open unknown
31691/tcp open unknown
31790/tcp open unknown
31960/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds

Now there we have shortlisted only 5 ports with services, we will test if it is configured to accept normal connectivity or restricted to only SSL connectivity. For instance, we can do it using the following command,

bandit16@melinda:~$ echo test | nc -v localhost 31046
Connection to localhost 31046 port [tcp/*] succeeded!
test

We see that port 31046 is able to accept non-SSL connection, which means that this is not our target. Let’s check out the other 4 ports as well.

Now, we will focus on the 2 ports which produced error output because they are configured to restrict connectivity to SSL only. We will now try to connect using openssl with s_client option, to check if there is any correct output.

bandit16@melinda:~$ echo cluFn7wTiGryunymYOu4RcffSxQluehd | openssl s_client -quiet -connect localhost:31790
depth=0 CN = li190-250.members.linode.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = li190-250.members.linode.com
verify return:1
Correct!
{ ... RSA PRIVATE KEY ... }

The private key for accessing the next level is stored in port 31790! Now, I have to save this RSA private key into a file and then use it to connect to the next level.

After you’re done with the “copy and paste”, try to connect, you should encounter an error message, which is a good learning point with regards to RSA keys permissions,

The fix is very simple, simply modify the file permission and set it as 400 and you are good to go!

There you go, you are in!