Monday, July 24, 2017

WarGames - OverTheWire




Bandit Level 0 -> 1




Recently I’ve been obsessed with a wargaming site called overthewire.org. At the time of this writing I have made it through a few of the servers already, but I will post my solutions to the entry level server they offer, “Bandit”. This is also the recommended place to start if you are new to the site. You should already be familiar with basic Linux commands before attempting this wargame. However, the first page of Bandit explains what to do if you don’t know a command. You do need to use a bit of your own intuition to figure out how to make it from one level to the next.
I have been through a good handful of wargaming sites in the past and I find this one to be of good quality with an interesting variety of servers to play. For those who don’t know what a wargame is, a wargame in hacking is a security challenge in which one must exploit a vulnerability in a system or application or gain access to a computer system. Most of the servers here are about program exploitation on the Linux platform. We do not have to be on a Linux system to play these. But why not? If you have access to a Linux box, a real terminal is the way to go. Puttyis the way to go on Windows.  But I digress, use my posted solutions to learn and understand the levels or compare with your own solutions. Enjoy!
Level 0:
We simply ssh to bandit0@bandit.labs.overthewire.org using the password bandit0 and we are in our shell.
Level 0 -> 1:
Once in, we can see that the readme file is in our home directory. Simply “cat” it and grab the password for level1.
1
2
3
4
bandit0@melissa:~$ ls
readme
bandit0@melissa:~$ cat readme
boJ9jbbUNNfktd78OOpsqOltutMc3MY1
Level 1-> 2:
We are told that the password is in a file called “-“. We need to delimit the dash to read it.
1
2
3
4
bandit1@melissa:~$ ls
-
bandit1@melissa:~$ cat ./-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
Level 2 ->3:
This time we simply need to read a file with spaces in it’s name. Let’s surround the file name in quotes.
1
2
3
4
bandit2@melissa:~$ ls
spaces in this filename
bandit2@melissa:~$ cat "spaces in this filename"
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
Level 3->4:
We are told the file we need is in a hidden file in the inhere directory.
1
2
3
4
5
6
7
8
9
10
bandit3@melissa:~$ ls
inhere
bandit3@melissa:~$ cd inhere
bandit3@melissa:~/inhere$ ls -la
total 12
drwxr-xr-x 2 root    root    4096 2012-05-10 23:51 .
drwxr-xr-x 3 root    root    4096 2012-05-10 23:51 ..
-rw-r----- 1 bandit4 bandit3   33 2012-05-10 23:51 .hidden
bandit3@melissa:~/inhere$ cat .hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB
Level 4 ->5:
We are told the password is somewhere in the inhere directory and is the only human readable file in the directory. Let’s see what file types we have.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
bandit4@melissa:~$ ls
inhere
bandit4@melissa:~$ cd inhere
bandit4@melissa:~/inhere$ ls -la
total 48
drwxr-xr-x 2 root    root    4096 2012-05-10 23:51 .
drwxr-xr-x 3 root    root    4096 2012-05-10 23:51 ..
-rw-r----- 1 bandit5 bandit4   33 2012-05-10 23:51 -file00
-rw-r----- 1 bandit5 bandit4   33 2012-05-10 23:51 -file01
-rw-r----- 1 bandit5 bandit4   33 2012-05-10 23:51 -file02
-rw-r----- 1 bandit5 bandit4   33 2012-05-10 23:51 -file03
-rw-r----- 1 bandit5 bandit4   33 2012-05-10 23:51 -file04
-rw-r----- 1 bandit5 bandit4   33 2012-05-10 23:51 -file05
-rw-r----- 1 bandit5 bandit4   33 2012-05-10 23:51 -file06
-rw-r----- 1 bandit5 bandit4   33 2012-05-10 23:51 -file07
-rw-r----- 1 bandit5 bandit4   33 2012-05-10 23:51 -file08
-rw-r----- 1 bandit5 bandit4   33 2012-05-10 23:51 -file09
bandit4@melissa:~/inhere$ file ./-*
./-file00: data
./-file01: data
./-file02: data
./-file03: data
./-file04: data
./-file05: data
./-file06: data
./-file07: ASCII text
./-file08: data
./-file09: data
bandit4@melissa:~/inhere$ cat ./-file07
koReBOKuIDDepwhWk7jZC0RTdopnAYKh
Level 5-> 6:
This is similar to the previous, except we have some more file attributes to look for. As well as more files to look through.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
bandit5@melissa:~$ ls
inhere
bandit5@melissa:~$ cd inhere
bandit5@melissa:~/inhere$ ls -la
total 88
drwxr-x--- 22 root bandit5 4096 2012-05-10 23:51 .
drwxr-xr-x  3 root root    4096 2012-05-10 23:51 ..
drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere00
drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere01
drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere02
drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere03
drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere04
drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere05
drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere06
drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere07
drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere08
drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere09
drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere10
drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere11
drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere12
drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere13
drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere14
drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere15
drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere16
drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere17
drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere18
drwxr-x---  2 root bandit5 4096 2012-05-10 23:51 maybehere19
bandit5@melissa:~/inhere$ find ./ -size 1033c
./maybehere07/.file2
bandit5@melissa:~/inhere$ cat ./maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7
Level 6->7:
The file can be anywhere on the server, but we are given it’s attributes. This is a job for find. The command attached to the end gets rid of garbage returns and allows viewing of our password file amongst several others with the same attributes.
1
2
3
4
bandit6@melissa:~$ find / -user bandit7 -group bandit6 -size 33c 2>/dev/null
/var/lib/dpkg/info/bandit7.password
bandit6@melissa:~$ cat /var/lib/dpkg/info/bandit7.password
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
Level 7->8:
The password for the next level is stored in the file data.txt next to the word millionth. We can pipe cat to grep for this.
1
2
3
4
bandit7@melissa:~$ ls
data.txt
bandit7@melissa:~$ cat data.txt | grep millionth
millionth       cvX2JJa4CFALtqS87jk27qwqGhBM9plV
Level 8->9:
Here we need to find a unique line among many. We can pipe a few commands together to do this. Note the commands do need to be in this order.
1
2
3
4
bandit8@melissa:~$ ls
data.txt
bandit8@melissa:~$ cat data.txt | sort | uniq -u
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
Level 9->10:
The password for the next level is stored in the file data.txt among of few lines of human-readable strings starting with ‘=’ characters.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
bandit9@melissa:~$ ls
data.txt
bandit9@melissa:~$ strings data.txt | grep '='
========== the
R=ev2,
NF=!^
M5Q=
========== password
TuI@=
========== iss
c       =$
w=RO
eD=p
jR=JlB
G========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
:=*1p
KA=%
We can see our password string amongst our output.
Level 10->11:
The password for the next level is stored in the file data.txt, which contains base64 encoded data. We need to decode the file.
1
2
3
4
bandit10@melissa:~$ ls
data.txt
bandit10@melissa:~$ base64 -d data.txt
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR
Level 11->12:
The password is encoded using simple rot13 encryption. There are many options to solve this including using various scripting languages and simply using an online rot13 decoder. Let’s try a solution in our shell.
1
2
3
4
bandit11@melissa:~$ ls
data.txt
bandit11@melissa:~$ cat data.txt | tr a-zA-Z n-za-mN-ZA-M
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
That command is given on the wikipedia page for rot13
Level 12->13:
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it is necessary to create a directory under /tmp in which you can work using mkdir. We need to decompress and check the file over and over again until we get the right format.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
bandit12@melissa:~$ ls
data.txt
bandit12@melissa:~$ file data.txt
data.txt: ASCII text
bandit12@melissa:~$ mkdir /tmp/stw
bandit12@melissa:~$ cd /tmp/stw
bandit12@melissa:/tmp/stw$ xxd -r ~/data.txt > data.txt
bandit12@melissa:/tmp/stw$ file data.txt
data.txt: gzip compressed data, was "data2.bin", from Unix, last modified: Thu May 10 23:52:05 2012, max compression
bandit12@melissa:/tmp/stw$ zcat data.txt > dataNew
bandit12@melissa:/tmp/stw$ ls
dataNew  data.txt
bandit12@melissa:/tmp/stw$ file dataNew
dataNew: bzip2 compressed data, block size = 900k
bandit12@melissa:/tmp/stw$ bzip2 -d dataNew
bzip2: Can't guess original name for dataNew -- using dataNew.out
bandit12@melissa:/tmp/stw$ ls
dataNew.out  data.txt
bandit12@melissa:/tmp/stw$ file dataNew.out
dataNew.out: gzip compressed data, was "data4.bin", from Unix, last modified: Thu May 10 23:52:05 2012, max compression
bandit12@melissa:/tmp/stw$ zcat dataNew.out > evenNewer
bandit12@melissa:/tmp/stw$ ls
dataNew.out  data.txt  evenNewer
bandit12@melissa:/tmp/stw$ file evenNewer
evenNewer: POSIX tar archive (GNU)
bandit12@melissa:/tmp/stw$ tar -xvf evenNewer
data5.bin
bandit12@melissa:/tmp/stw$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@melissa:/tmp/stw$ tar -xvf data5.bin
data6.bin
bandit12@melissa:/tmp/stw$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@melissa:/tmp/stw$ bzip2 -d data6.bin
bzip2: Can't guess original name for data6.bin -- using data6.bin.out
bandit12@melissa:/tmp/stw$ ls
data5.bin  data6.bin.out  dataNew.out  data.txt  evenNewer
bandit12@melissa:/tmp/stw$ file data6.bin.out
data6.bin.out: POSIX tar archive (GNU)
bandit12@melissa:/tmp/stw$ tar -xvf data6.bin.out
data8.bin
bandit12@melissa:/tmp/stw$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", from Unix, last modified: Thu May 10 23:52:05 2012, max compression
bandit12@melissa:/tmp/stw$ zcat data8.bin > lost
bandit12@melissa:/tmp/stw$ ls
data5.bin  data6.bin.out  data8.bin  dataNew.out  data.txt  evenNewer  lost
bandit12@melissa:/tmp/stw$ file lost
lost: ASCII English text
bandit12@melissa:/tmp/stw$ cat lost
The password is <strong>8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL</strong>
At last, we have our password.
Level 13->14:
This one switches things up a little. The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. We need to borrow an SSH key to move on.
1
2
3
4
5
6
7
8
9
10
bandit13@melissa:~$ ls
sshkey.private
bandit13@melissa:~$ ssh -i sshkey.private bandit14@localhost
Could not create directory '/home/bandit13/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 9d:09:d9:46:84:df:f9:dd:cc:7c:dc:49:a0:95:b2:10.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit13/.ssh/known_hosts).
bandit14@melissa:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
And just like that, we are dumped into bandit14’s shell.
Level 14->15:
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost. Here we have a lesson in telnet. Basically, we will use telnet to connect to localhost on port 30000 and enter the password while we are still in bandit14’s shell.
1
2
3
4
5
6
7
8
9
bandit14@melissa:~$ telnet localhost 30000
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr
 
Connection closed by foreign host.
Level 15->16:



No comments:

Post a Comment

Get Unlimited Free Trials Using a "Real" Fake Credit Card Number

When I see the words "free trial," I know I'm probably going to have to whip out my credit card and enter in the number to ...