Posts

Showing posts with the label Bandit

Over the Wire - Bandit 26

Bandit 26 Objectives

Bandit Level 25 → Level 26

Level Goal

Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.

Solution

This one is crazy. I could get about 60% there just with my knowledge, but I had to cheat and google the solution to find out how to solve it. Here is what I did by myself before resorting to other write-ups.

Let's check /etc/passwd to see what the default shell for bandit26 is:

    $ cat /etc/passwd
    bandit23:x:11023:11023:bandit level 23:/home/bandit23:/bin/bash
    bandit24:x:11024:11024:bandit level 24:/home/bandit24:/bin/bash
    bandit25:x:11025:11025:bandit level 25:/home/bandit25:/bin/bash
    bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
    bandit27:x:11027:11027:bandit level 27:/home/bandit27:/bin/bash
    bandit28:x:11028:11028:bandit level 28:/home/bandit28:/bin/bash

Well the default shell is not /

Over the Wire - Bandit 25

Bandit 25 Objectives

A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.

Solution

A bit frustrated with this one. I spent way too long on this because my connection to the daemon would time out. I was only getting to around try 7000, and of course the correct port was beyond that.

First I generate a pass list to throw at netcat. I've started with just 8000 - 9999:

    #!/bin/bash
    hash=UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
    for i in {8000..9999}
    do
        echo "$hash $i"
    done > pass.txt   # redirect the whole loop so every line is kept, not just the last one

which generates a pass.txt file with lines like this in it:

    UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 9978
    UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 9979
    UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 9980
    UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 9981
    UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 9982
    UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 9983
    Uo

Over the Wire - Bandit 24

Bandit 24 Objectives

Level Goal

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!

NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…

Solution

Let's check out cron.d and see what's there:

    bandit23@bandit:~$ ls /etc/cron.d
    cronjob_bandit22  cronjob_bandit23  cronjob_bandit24

Cool, let's see what's in the cronjob:

    bandit23@bandit:~$ cat /etc/cron.d/cronjob_bandit24
    @reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
    * * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null

OK, let's check that file in /usr/bin:

    bandit23@bandit:~$ cat /usr/bin/cronjob_bandit24.sh
    #!/bin/bash
    myname=$(whoami)
    cd /var/spool/$m

Over the Wire - Bandit 23

Bandit 23 Objectives

Level Goal

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.

Solution

OK, so another level dealing with cron jobs. Let's see what files we have to work with:

    bandit22@bandit:~$ ls

Nothing in the home directory, so let's check cron.d:

    bandit22@bandit:~$ ls /etc/cron.d
    cronjob_bandit22  cronjob_bandit23  cronjob_bandit24

Cool, so there is another cronjob_bandit23. Let's check that file:

    bandit22@bandit:~$ cat /etc/cron.d/cronjob_bandit23
    @reboot bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
    * * * * * bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/

Over the Wire - Bandit 22

Bandit 22 Objective

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

Solution

Let's see what's in cron.d:

    bandit21@bandit:~$ cd  /etc/cron.d
    bandit21@bandit:/etc/cron.d$ ls
    cronjob_bandit22  cronjob_bandit23  cronjob_bandit24

Cool, there is a file called cronjob_bandit22. Let's see what's inside:

    bandit21@bandit:/etc/cron.d$ cat cronjob_bandit22
    @reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
    * * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null

OK, let's see what's in that file:

    #!/bin/bash
    chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
    cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

Let's decode that a bit. OK, there is a chmod which changes the permissions for a file in the tmp directory named t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv, which gives the owner of the file read/write but

Over the Wire - Bandit 21

Bandit 21 Objectives

There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

Solution

At first I thought there was already an open port with the application to send the password to.

    bandit20@bandit:~$ ls
    suconnect

After running nmap and connecting to all the ports, I couldn't find one that would supply the password, so let's roll our own. We'll use netcat to set up a listener on a port we create that sends the password when connected to, then point their application in the home directory to connect to it and hopefully get our next password. This does require two ssh sessions.

SSH Server

    bandit20@bandit:~$ echo GbKksEFF4yrVs6il55v6gwY5aVje5f0j | netcat

Over the Wire - Bandit 20

Bandit 20 Objectives

Level Goal

To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

Solution

Let's see what ./bandit20-do does:

    bandit19@bandit:~$ ./bandit20-do aaaa
    env: ‘aaaa’: No such file or directory

OK, so it takes some input. Let's see what ls does:

    bandit19@bandit:~$ ./bandit20-do ls
    bandit20-do

OK, so it looks like it runs whatever command we throw at it. Let's try to cat the password file for level 20:

    bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
    GbKksEFF4yrVs6il55v6gwY5aVje5f0j

Cool, so that wasn't too hard. Once again we are going to skip the python version of this level .... or maybe we will, I'm not sure.. is there any python below here? If not then I skipped it, if so I felt a little too bad skippin

Over the Wire - Bandit 19

Bandit 19 Objectives

Level Goal

The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

Solution

Let's launch ssh using the bash on my system and not the bash of the ssh system:

    ssh bandit18@bandit.labs.overthewire.org -p 2220 bash
    This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
    bandit18@bandit.labs.overthewire.org's password:
    ls
    readme
    cat readme
    IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

** I can't really think of a good way to do this with python other than os.system, which just feels like cheating at this point **

Over the Wire - Bandit 18

Bandit 18 Objectives

There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new.

NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19.

Solution

Let's grep with some switches:

    -F, --fixed-strings   Interpret PATTERN as a list of fixed strings, separated by newlines, any of which is to be matched.
    -x, --line-regexp     Select only those matches that exactly match the whole line.
    -f, --file=FILE       Obtain patterns from FILE, one per line. The empty file contains zero patterns, and therefore matches nothing.
    -v, --invert-match    Invert the sense of matching, to select non-matching lines.

    bandit17@bandit:~$ grep -Fxvf passwords.old passwords.new
    kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd

now in python &g

Over the Wire - Bandit 17

Bandit 17 Objectives

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

Solution

Let's see which ports have anything active:

    bandit16@bandit:~$ nmap localhost -p 31000-32000
    Starting Nmap 7.40 ( https://nmap.org ) at 2019-05-30 20:45 CEST
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.00021s latency).
    Not shown: 1000 closed ports
    PORT      STATE SERVICE
    31790/tcp open  unknown
    Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

Okay, only one port. Let's see if it is SSL:

    bandit16@bandit:~$ openssl s_client -connect localhost:31790
    CONNECTED(00000003)
    depth=0 CN = localhost
    verify error:num=18:self signed certi