OverTheWire – BANDIT

LEVEL 0

Connect to bandit.labs.overthewire.org on port 2220 with username bandit0 and password bandit0. The password for level 1 is in the readme file in the home directory.

# ssh -p 2220 bandit0@bandit.labs.overthewire.org
# cd ~
# more readme
boJ9jbbUNNfktd78OOpsqOltutMc3MY1

LEVEL 1

Password for next level is stored in a file named - in the home directory.

# ssh -p 2220 bandit1@bandit.labs.overthewire.org
# more ./-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

LEVEL 2

Password for next level is in the file called “spaces in this filename”.

# ssh -p 2220 bandit2@bandit.labs.overthewire.org
# more spaces\ in\ this\ filename
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

LEVEL 3

Password for next level is stored in a hidden file in directory inhere.

# ssh -p 2220 bandit3@bandit.labs.overthewire.org
# cd ~/inhere
# ls -aul
# more .hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB

LEVEL 4

Password for next level is stored in a human readable file in inhere directory

# ssh -p 2220 bandit4@bandit.labs.overthewire.org
# file ~/inhere/./-* | grep ASCII
# more ~/inhere/-file07
koReBOKuIDDepwhWk7jZC0RTdopnAYKh

LEVEL 5

Password for next level is stored in a file somewhere under inhere directory that is human readable, 1033 bytes in size and is not executable

# ssh -p 2220 bandit5@bandit.labs.overthewire.org
# find ~/inhere/ -size 1033c -type f
# more ~/inhere/maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7

LEVEL 6

Password for next level is stored somewhere on the server in a file that is owned by user bandit7 and group bandit6 and is 33 bytes in size.

# ssh -p 2220 bandit6@bandit.labs.overthewire.org
# find / -size 33c -user bandit7 -group bandit6 2>/dev/null
# more /var/lib/dpkg/info/bandit7.password
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

LEVEL 7

Password for next level is stored in file data.txt next to word millionth

# ssh -p 2220 bandit7@bandit.labs.overthewire.org
# more data.txt | grep millionth
cvX2JJa4CFALtqS87jk27qwqGhBM9plV

LEVEL 8

Password for next level is stored in a file data.txt in a line that occurs only once

# ssh -p 2220 bandit8@bandit.labs.overthewire.org
# sort data.txt | uniq -c | grep -E '^ *1 '
1 UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

LEVEL 9

Password for next level is in file data.txt, preceded by several “=” characters.

# ssh -p 2220 bandit9@bandit.labs.overthewire.org
# strings data.txt | grep '='
truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk

LEVEL 10

Password for next level is stored in file data.txt in base64 encoded format.

# ssh -p 2220 bandit10@bandit.labs.overthewire.org
# more data.txt 
VGhlIHBhc3N3b3JkIGlzIElGdWt3S0dzRlc4TU9xM0lSRnFyeEUxaHhUTkViVVBSCg==
# python
>>> import base64
>>> encoded_pass = "VGhlIHBhc3N3b3JkIGlzIElGdWt3S0dzRlc4TU9xM0lSRnFyeEUxaHhUTkViVVBSCg=="
>>> base64.b64decode(encoded_pass)
'The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR\n'

LEVEL 11

Password for next level is stored in a file data.txt where all letters have been rotated by 13 positions (ROT13, a fixed letter substitution rather than real encryption).

# ssh -p 2220 bandit11@bandit.labs.overthewire.org
# more data.txt
Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh
Use ROT13.com to decode it, or do it on the command line as below.
# echo 'Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh' | tr 'a-zA-Z' 'n-za-mN-ZA-M'
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

LEVEL 12

Password for next level is stored in data.txt, which is a hexdump of a file that is repeatedly compressed.

# ssh -p 2220 bandit12@bandit.labs.overthewire.org
# mkdir /tmp/hacker/
# xxd -r data.txt > /tmp/hacker/compressed_file
# cd /tmp/hacker
# file compressed_file
compressed_file: gzip compressed data, was "data2.bin", last modified: Mon Nov 13 14:58:07 2017, max compression, from Unix
# zcat compressed_file | file -
/dev/stdin: bzip2 compressed data, block size = 900k
# zcat compressed_file | bzcat| file -
/dev/stdin: gzip compressed data, was "data4.bin", last modified: Mon Nov 13 14:58:07 2017, max compression, from Unix
# zcat compressed_file | bzcat| zcat| file -
/dev/stdin: POSIX tar archive (GNU)
# zcat compressed_file | bzcat| zcat| tar xO |file -
/dev/stdin: POSIX tar archive (GNU)
# zcat compressed_file | bzcat| zcat| tar xO | tar xO|file -
/dev/stdin: bzip2 compressed data, block size = 900k
# zcat compressed_file | bzcat| zcat| tar xO | tar xO|bzcat |file -
/dev/stdin: POSIX tar archive (GNU)
# zcat compressed_file | bzcat| zcat | tar xO | tar xO | bzcat | tar xO | file -
/dev/stdin: gzip compressed data, was "data9.bin", last modified: Mon Nov 13 14:58:07 2017, max compression, from Unix
# zcat compressed_file | bzcat| zcat | tar xO | tar xO | bzcat | tar xO | zcat | file -
/dev/stdin: ASCII text
# zcat compressed_file | bzcat| zcat | tar xO | tar xO | bzcat | tar xO | zcat
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

 

LEVEL 13

Password for next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. You get an SSH private key for the next level, not the password.

# ssh -p 2220 bandit13@bandit.labs.overthewire.org
# ssh -i sshkey.private bandit14@localhost
bandit14@bandit:~$ more /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

LEVEL 14

The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

# ssh -p 2220 bandit14@bandit.labs.overthewire.org
# telnet localhost 30000
BfMYroe26WYalil77FoDi9qh59eK5xNr

 

LEVEL 15

Password for next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

# ssh -p 2220 bandit15@bandit.labs.overthewire.org
# openssl s_client -ign_eof -connect localhost:30001
---
 Verify return code: 18 (self signed certificate)
---
BfMYroe26WYalil77FoDi9qh59eK5xNr
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd

LEVEL 16

Submit the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

# ssh -p 2220 bandit16@bandit.labs.overthewire.org
# nmap -p 31000-32000 -sV localhost
PORT STATE SERVICE VERSION
31046/tcp open echo
31518/tcp open ssl/echo
31691/tcp open echo
31790/tcp open ssl/unknown
31960/tcp open echo

# openssl s_client -ign_eof -connect localhost:31518
# openssl s_client -ign_eof -connect localhost:31790
cluFn7wTiGryunymYOu4RcffSxQluehd
Correct!
-----BEGIN RSA PRIVATE KEY-----
[key body omitted]
-----END RSA PRIVATE KEY-----

Copy the private key to a file in the tmp directory.

# chmod 600 priv17.key
# ssh -i priv17.key bandit17@localhost

LEVEL 17

There are two files in the home directory, passwords.old and passwords.new. passwords.new contains the password for the next level. The two files differ by one line.

bandit17@bandit:~$ diff passwords.new passwords.old
42c42
< kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
---
> 7cDk1R96wgw11eEuTk1zgbjAindhpUA5
bandit17@bandit:~$ ssh bandit18@localhost
bandit18@localhost's password: kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
Byebye !

 

LEVEL 18

Someone has modified .bashrc to log you out when you log in with SSH.

# ssh -p 2220 bandit18@bandit.labs.overthewire.org "bash --norc"
ls
cat readme
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

LEVEL 19

To gain access to the next level, you should use the setuid binary in the home directory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

— will update from here soon!
