Showing posts with the label Bandit

Over the Wire - Bandit 16

Bandit 16

Objectives

Level Goal: The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…

Solution

    bandit15@bandit:~$ echo BfMYroe26WYalil77FoDi9qh59eK5xNr | openssl s_client -ign_eof -connect localhost:30001
    CONNECTED(00000003)
    depth=0 CN = localhost
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 CN = localhost
    verify return:1
    ---
    Certificate chain
     0 s:/CN=localhost
       i:/CN=localhost
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIICBjCCAW+gAwIBAgIEBadydTANBgkqhkiG9w0BAQUFADAUMRIwEAYDVQQDDAls
    b2NhbGhvc3QwHhcNMTkwMjI3MDg1MTQ5WhcNMjAwMjI3MDg1MTQ5WjAUMRIwEAYD
    VQQDDAlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMyEZzRA
    +5ll7Ap2bwla+8x39mTviZKqrjnmLuTZj

Over the Wire - Bandit 15

Bandit 15

Objectives

The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

Solution

    bandit14@bandit:~$ nmap -p 30000 localhost
    Starting Nmap 7.40 ( https://nmap.org ) at 2019-05-28 22:23 CEST
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.00011s latency).
    PORT      STATE SERVICE
    30000/tcp open  ndmps

OK, so there is an open TCP port on 3000.

    bandit14@bandit:~$ nc localhost 30000
    4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
    Correct!
    BfMYroe26WYalil77FoDi9qh59eK5xNr

Let's script this in Python:

    import os
    os.system("echo 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e | netcat localhost 30000")

    Correct!
    BfMYroe26WYalil77FoDi9qh59eK5xNr

** I know this is kind of cheating with Python. I fought for a while with trying to create a socket connection to port 3000 and sending the pass that way but I couldn't get it working..... maybe I'll revisit this later **
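An added example, not code from the original post: one way to make the same submission over a Python socket instead of shelling out to netcat, with an optional TLS wrap for the port 30001 level. The function name submit_line and its parameters are assumptions made for this example, and the password in the usage lines is a placeholder.

```python
import socket
import ssl


def submit_line(secret, host="localhost", port=30000, use_tls=False, timeout=5.0):
    """Send one line to a TCP (or TLS) service and return its whole reply.

    Hypothetical helper written for this example, not part of the post.
    """
    with socket.create_connection((host, port), timeout=timeout) as raw:
        conn = raw
        if use_tls:
            # The level's server presents a self-signed certificate (verify
            # error 18 in the s_client output), so verification is switched
            # off. Acceptable for a lab service on localhost only.
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            conn = ctx.wrap_socket(raw, server_hostname=host)
        try:
            # Sockets carry bytes, and echo ends its output with a newline,
            # so encode the string and terminate the line the same way.
            conn.sendall(secret.encode("ascii") + b"\n")
            chunks = []
            try:
                while True:
                    data = conn.recv(4096)
                    if not data:  # server closed the connection
                        break
                    chunks.append(data)
            except socket.timeout:
                pass  # server kept the connection open; return what arrived
            return b"".join(chunks).decode("ascii", errors="replace")
        finally:
            conn.close()


if __name__ == "__main__":
    # Placeholder value; substitute the current level's password.
    print(submit_line("PASSWORD_PLACEHOLDER", port=30000))
    # TLS variant for the port 30001 level:
    # print(submit_line("PASSWORD_PLACEHOLDER", port=30001, use_tls=True))
```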

Over the Wire - Bandit 14

Bandit 14

Objectives

Level Goal: The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level.

Note: localhost is a hostname that refers to the machine you are working on.

Solution

    bandit13@bandit:~$ ssh -q -i ./sshkey.private bandit14@127.0.0.1  cat /etc/bandit_pass/bandit14
    The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
    ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
    Are you sure you want to continue connecting (yes/no)? yes
    4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

Let's figure out how to script it in Python:

    import os
    os.system("ssh -q -i ./sshkey.private bandit14@127.0.0.1  cat /etc/bandit_pass/bandit14")

    >>> os.system("ssh -q -i ./sshkey.private bandit14@127.0.0.1  cat /etc/bandit_pass/bandit14")
    The authenticity o

Over the Wire - Bandit 13

Bandit 13

Objectives

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)

Solution

First let's copy the file to a temporary directory so we can manipulate it:

    bandit12@bandit:~$ mkdir /tmp/asbandit12
    bandit12@bandit:~$ cp data.txt /tmp/asbandit12
    bandit12@bandit:~$ cd /tmp/asbandit12
    bandit12@bandit:/tmp/asbandit12$ ls
    data.txt

Now let's convert the hexdump back to its original file:

    bandit12@bandit:/tmp/asbandit12$ xxd -r data.txt data.bin
    bandit12@bandit:/tmp/asbandit12$ ls
    data.bin  data.txt

So now if we check the file type for the reverted data.bin file:

    bandit12@bandit:/tmp/asbandit12$ file data.bin
    data.bin: gzip compressed data, was "data2.bin", last modified: Tu
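An added example, not code from the original post: the xxd -r step and the repeated "check the type, decompress" loop done in Python by inspecting magic bytes. The function names are hypothetical, and handling bzip2 and tar layers goes beyond the gzip layer visible in the excerpt; it is an assumption about what "repeatedly compressed" may include.

```python
import bz2
import gzip
import io
import tarfile


def xxd_reverse(dump):
    """Rebuild bytes from default `xxd` output (offset: hex groups  ascii)."""
    out = bytearray()
    for line in dump.splitlines():
        if ": " not in line:
            continue
        # Hex groups sit between "offset: " and the two-space ASCII gutter.
        hex_part = line.split(": ", 1)[1].split("  ", 1)[0]
        out += bytes.fromhex(hex_part.replace(" ", ""))
    return bytes(out)


def peel(blob, max_layers=32):
    """Strip compression layers by magic bytes; return (data, layer names)."""
    layers = []
    for _ in range(max_layers):  # cap the loop: nesting depth is untrusted
        if blob[:2] == b"\x1f\x8b":
            blob, kind = gzip.decompress(blob), "gzip"
        elif blob[:3] == b"BZh":
            blob, kind = bz2.decompress(blob), "bzip2"
        elif blob[257:262] == b"ustar":
            # Read the first regular file in memory; nothing is extracted to
            # disk, so member names cannot steer writes outside a directory.
            with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
                member = next(m for m in tar if m.isfile())
                blob, kind = tar.extractfile(member).read(), "tar"
        else:
            return blob, layers
        layers.append(kind)
    raise ValueError("more than %d layers, giving up" % max_layers)


if __name__ == "__main__":
    with open("data.txt") as f:
        data, layers = peel(xxd_reverse(f.read()))
    print(layers)
    print(data.decode(errors="replace"))
```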

Over the Wire - Bandit 12

Bandit 12

Objective

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions.

Solution

This level has the password in data.txt, but it has been encrypted with a Caesar cipher with a 13 position shift. This is also called ROT13 if you wanna google around for it.

We can read the file and pipe it into the translate command 'tr'. The basic syntax is:

    tr 'original dataset' 'translated dataset'

To decode the syntax a bit more: the original data set is A-Z in uppercase and a-z in lowercase, but we want it translated so that the alphabet is shifted over 13 characters, so a becomes n, b becomes o..... and so on. So the translated data set is broken out to N-ZA-M for uppercase, which means use the alphabet in this order, where the first letter of the alphabet is N and the last letter is M, and then the same thing for lowercase characters.

    bandit11@bandit:~$ cat  data.txt

Over the Wire - Bandit 11

Bandit 11

Objectives

Level Goal: The password for the next level is stored in the file data.txt, which contains base64 encoded data.

Solution

This one can be completed by using the base64 command in Linux with the -d switch to decode:

    bandit10@bandit:~$ base64 -d data.txt
    The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

Now Python:

    import base64

    with open("data.txt") as f:
        contents = f.read()
        # b64decode replaces decodestring, which newer Python versions no longer provide
        decoded = base64.b64decode(contents).decode()
        print(decoded)

    >>> import base64
    >>>
    >>> with open("data.txt") as f:
    ...  contents = f.read()
    ...  decoded = base64.b64decode(contents).decode()
    ...  print(decoded)
    ...
    The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

Over the Wire - Bandit 10

Bandit 10

Objective

Level Goal: The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.

Solution

So we need to find text in the data.txt file that has several == characters. First I tried just a grep for == in data.txt:

    bandit9@bandit:~$ grep  "==" data.txt
    Binary file data.txt matches

grep complains that it is a binary file, not a text file, so let's try again with the -a switch. Here is the man page entry for grep's -a:

    -a, --text
        Process a binary file as if it were text; this is equivalent to the --binary-files=text option.

*** edited out some of the results to make it more readable

    bandit9@bandit:~$ grep -a "==" data.txt
    g͇�#/y�Ú¹c4|�"�X����m���Y��GB7�Õ³&�Õ¥��p����s#�k&K��1��s��֯F�B0�2========== the�X�#��!�n�~�
    '(U�#O�TÓ²��T�m����z��*�S\���g���M&T����þ========== pa

Over the Wire - Bandit 9

Bandit 9

Objectives

Level Goal: The password for the next level is stored in the file data.txt and is the only line of text that occurs only once.

Solution

Let's cat the file, sort it and find unique lines:

    bandit8@bandit:~$ cat data.txt | sort |uniq -u
    UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

That was pretty easy, now let's python that thing..

    with open("data.txt") as f:
        orig = list(f)
        # keep only the lines that appear exactly once in the file
        filtered = [x for x in orig if orig.count(x)==1]
        print("".join(filtered))

    >>> with open("data.txt") as f:
    ...  orig = list(f)
    ...  filtered = [x for x in orig if orig.count(x)==1]
    ...  print("".join(filtered))
    ...
    UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

Over the Wire - Bandit 8

Bandit 8

Objective

Level Goal: The password for the next level is stored in the file data.txt next to the word millionth.

Solution

This one is not too difficult using just bash. I wrote this grep to search for the word 'millionth' in the text file:

    bandit7@bandit:~$ grep 'millionth' data.txt
    millionth cvX2JJa4CFALtqS87jk27qwqGhBM9plV

Bingo, the password for the next level is cvX2JJa4CFALtqS87jk27qwqGhBM9plV

Now let's figure it out with Python:

    with open("data.txt") as openfile:
        for line in openfile:
            # print every line that contains the marker word
            if "millionth" in line:
                print(line)

    millionth cvX2JJa4CFALtqS87jk27qwqGhBM9plV

Over the Wire - Bandit 7

Bandit 7

Objectives

Level Goal: The password for the next level is stored somewhere on the server and has all of the following properties:

owned by user bandit7
owned by group bandit6
33 bytes in size

Solution

So we are looking for a file owned by user bandit7 and group bandit6 somewhere on the server...... I started by cd .. all the way up to root with the command find * -user bandit7 -group bandit6

    bandit6@bandit:/$ find * -user bandit7 -group bandit6
    find: ‘boot/lost+found’: Permission denied
    find: ‘cgroup2/csessions’: Permission denied
    find: ‘etc/ssl/private’: Permission denied
    find: ‘etc/lvm/backup’: Permission denied
    find: ‘etc/lvm/archive’: Permission denied
    find: ‘etc/polkit-1/localauthority’: Permission denied
    find: ‘home/bandit28-git’: Permission denied
    find: ‘home/bandit30-git’: Permission denied
    find: ‘home/bandit31-git’: Permission denied
    find: ‘home/bandit5/inhere’: Permission denied
    find: ‘home/bandit27-git’: Permission denied
    find: ‘home/bandit29-git’: