Category Archives: ctf

OverTheWire.org Wargames – Bandit – Level 20 to Level 29

OverTheWire.org is one of the good sites that offer wargames. In this context, a wargame is a game specifically designed to help people learn and practice security concepts in the form of a fun-filled game. One of the wargame categories provided by OverTheWire is Bandit, which is aimed at absolute beginners.

This writeup contains my solutions to the OverTheWire Bandit challenges. The solutions written here are for level 20 and above.

How to Play

Bandit, like other games, is organized in levels. We start playing at level 0 and try to “beat” or “finish” it. Finishing a level results in information on how to start the next level: every level beaten gives a clue on how to start the next one.

There are several things you can try when you are unsure how to continue:

  • First, if you know a command, but don’t know how to use it, try the manual (man page) by entering “man <command>” (without the quotes). e.g. if you know about the “ls” command, type: man ls. The “man” command also has a manual, try it. Press q to quit the man command.
  • Second, if there is no man page, the command might be a shell built-in. In that case use the “help <X>” command. E.g. help cd
  • Also, your favorite search-engine is your friend.
  • Lastly, if you are still stuck, you can join us on IRC

Level 20

ssh bandit20@bandit.labs.overthewire.org

pass: GbKksEFF4yrVs6il55v6gwY5aVje5f0j

There is an executable file “suconnect”. It makes a connection to localhost on the port we specify as a command-line argument. It then reads a line of text from the connection and compares it to the password of the current level. If the password is correct, it transmits the password for level 21.

All we need to do is run nc listening on an arbitrary port, then connect to it with suconnect. nc sends our current password through the connection and suconnect sends back the new password.

nc -l 13510 < /etc/bandit_pass/bandit20 &   # background listener; feeds our current password to whoever connects
./suconnect 13510                            # connects to the listener, reads the password, replies with the bandit21 one

Level 21

ssh bandit21@bandit.labs.overthewire.org

pass: gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr

There is a cron job we need to look at. In /etc/cron.d there are several cron files, but our target is cronjob_bandit22, which looks promising. Investigate it to see what the script does.

The cron entry runs /usr/bin/cronjob_bandit22.sh, which dumps /etc/bandit_pass/bandit22 into /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv.

cat /etc/cron.d/cronjob_bandit22                  # which script runs, and as whom
cat /usr/bin/cronjob_bandit22.sh                  # where the script writes the password
cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

Level 22

ssh bandit22@bandit.labs.overthewire.org

pass: Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

Another cron job. This time, the script used by the cron job copies /etc/bandit_pass/bandit23 to a file in /tmp. There is no need to figure out the filename by hand: the script derives it from the username, so we can always recreate the computation ourselves.

cat /etc/cron.d/cronjob_bandit23
cat /usr/bin/cronjob_bandit23.sh                  # shows how the /tmp filename is derived from the username
cat /tmp/$(echo I am user bandit23 | md5sum | cut -d ' ' -f 1)   # rebuild that filename the same way

Level 23

ssh bandit23@bandit.labs.overthewire.org

pass: jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n

Another cron job.

In this level we need to write our own shell script. The cron job script executes (and later deletes) every script in /var/spool/bandit24, so we can drop a script into that directory that dumps /etc/bandit_pass/bandit24 to anywhere we like. We just need to make sure the script is executable.

The script we create:

#!/bin/bash
# runs as bandit24 from cron, so it may read bandit24's password file
cat /etc/bandit_pass/bandit24 > /tmp/bandit24xathpass

Then we do:

chmod 777 /var/spool/bandit24/xathpass.sh   # the script we created above; the filename is our choice
cat /tmp/bandit24xathpass                   # once the cron job has run

Level 24

ssh bandit24@bandit.labs.overthewire.org

pass: UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

Another tedious level.

There is a service running on port 30002. It asks for two things: our current password and a secret 4-digit PIN code, separated by a space. Our only option is to brute-force all 10000 combinations.

This is a one-line command, arranged over multiple lines for clarity.

for i in {0000..9999}; do
    echo $i;                                                    # progress indicator
    # -E is needed so the | alternation works; keep only the lines that are not rejections
    echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i" | nc localhost 30002 | grep -Ev "separated|Wrong|Exit" >> /tmp/xathrya25.brute;
done && cat /tmp/xathrya25.brute

Level 25

ssh bandit25@bandit.labs.overthewire.org

pass: uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

Not Available Yet.

Level 26

ssh bandit26@bandit.labs.overthewire.org

pass:

Not Available Yet.

Level 27

ssh bandit27@bandit.labs.overthewire.org

pass:

Not Available Yet.

Level 28

ssh bandit28@bandit.labs.overthewire.org

pass:

Not Available Yet.

Level 29

ssh bandit29@bandit.labs.overthewire.org

pass:

Not Available Yet.

OverTheWire.org Wargames – Bandit – Level 10 to Level 19

OverTheWire.org is one of the good sites that offer wargames. In this context, a wargame is a game specifically designed to help people learn and practice security concepts in the form of a fun-filled game. One of the wargame categories provided by OverTheWire is Bandit, which is aimed at absolute beginners.

This writeup contains my solutions to the OverTheWire Bandit challenges. The solutions written here are for level 10 to level 19.

Level 10

ssh bandit10@bandit.labs.overthewire.org

pass: truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk

data.txt is indeed plain text; however, the password inside it is base64-encoded. Decoding is simple with the base64 utility.

base64 -d data.txt

Level 11

ssh bandit11@bandit.labs.overthewire.org

pass: IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

The password is written inside data.txt. This time it is encrypted with ROT13 (a Caesar cipher with a shift of 13): every letter in the text has been rotated 13 places. We can use the tr utility to reverse it.

cat data.txt | tr '[A-Za-z]' '[N-ZA-Mn-za-m]'

Level 12

ssh bandit12@bandit.labs.overthewire.org

pass: 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

This problem is not hard, but tedious. The instructions tell us that the data has been compressed several times and we need to decompress it accordingly. However, we cannot write to the home directory, so we use a directory under /tmp for the temporary files.

mkdir /tmp/secretbase
cp ~/data.txt /tmp/secretbase/data.txt
cd /tmp/secretbase
xxd -r data.txt > data.bin        # data.txt is a hexdump; reverse it into binary
file data.bin                     # gzip
mv data.bin data.gz
gzip -d data.gz
file data                         # bzip2
mv data data.bz2
bzip2 -d data.bz2
file data                         # gzip
mv data data.gz
gzip -d data.gz
file data                         # tar
tar -xvf data                     # extracts data5.bin
file data5.bin                    # tar
tar -xvf data5.bin                # extracts data6.bin
bzip2 -d data6.bin                # no .bz2 suffix, so bzip2 writes data6.bin.out
file data6.bin.out                # tar
tar -xvf data6.bin.out            # extracts data8.bin
file data8.bin                    # gzip
mv data8.bin data8.gz
gzip -d data8.gz
file data8                        # ASCII text: the password
cat data8
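Added example (not part of the writeup; written in Python so it runs without the xxd, file and bzip2 binaries): an unpacker that automates the level 12 procedure by sniffing each layer's magic bytes the way `file` does, then peeling hexdump, gzip, bzip2 and tar layers until plain text remains. The input is constructed by build_sample in the same layer order as data.txt and is not the real file; max_layers is an assumed safeguard, since an unbounded unwrap loop is how a nested-archive bomb does its damage.

```python
import bz2, gzip, io, re, tarfile
MAGIC = [(0, b"\x1f\x8b", "gzip"), (0, b"BZh", "bzip2"), (257, b"ustar", "tar")]

def sniff(data):
    """Classify one layer by its magic bytes, as `file` does in the writeup."""
    for off, magic, kind in MAGIC:
        if data[off:off + len(magic)] == magic:
            return kind
    return "hexdump" if re.match(rb"^[0-9a-fA-F]{7,8}: ", data) else "plain"  # xxd offset column

def un_hexdump(dump):
    """Reverse an xxd dump (`xxd -r`): keep the hex column, drop the ASCII column."""
    hexcols = (l.split(": ", 1)[1].split("  ", 1)[0] for l in dump.decode().splitlines())
    return b"".join(bytes.fromhex(h) for h in hexcols)

def unwrap(data, max_layers=20):
    """Peel layers until plain data remains; max_layers bounds a nested-archive bomb."""
    layers = []
    while (kind := sniff(data)) != "plain" and len(layers) < max_layers:
        layers.append(kind)
        if kind == "gzip":
            data = gzip.decompress(data)
        elif kind == "bzip2":
            data = bz2.decompress(data)
        elif kind == "hexdump":
            data = un_hexdump(data)
        else:  # tar: take its first regular file, like `tar -xvf` above
            with tarfile.open(fileobj=io.BytesIO(data)) as tf:
                member = next(m for m in tf.getmembers() if m.isfile())
                data = tf.extractfile(member).read()
    return data, layers

# ---- constructed sample input (not the real data.txt) -----------------------
def _tar(name, data):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo(name); info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def _xxd(data):  # minimal xxd-style dump: offset, hex column, ASCII column
    out = ""
    for off in range(0, len(data), 16):
        c = data[off:off + 16]
        hexs = " ".join(c[i:i + 2].hex() for i in range(0, len(c), 2))
        out += f"{off:08x}: {hexs:<39}  {''.join(chr(b) if 32 <= b < 127 else '.' for b in c)}\n"
    return out.encode()

def build_sample(secret):
    """Same layer order as the writeup: hexdump, gzip, bzip2, gzip, tar, tar, bzip2, tar, gzip."""
    inner = _tar("data5.bin", _tar("data6.bin", bz2.compress(_tar("data8.bin", gzip.compress(secret)))))
    return _xxd(gzip.compress(bz2.compress(gzip.compress(inner))))
```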

Level 13

ssh bandit13@bandit.labs.overthewire.org

pass: 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

This one is quite simple. When we log in as bandit13, we see a private SSH key in the home directory. Supply it to ssh to log in as bandit14. After that, read /etc/bandit_pass/bandit14 to learn the password for bandit14. Here is how we do that:

ssh bandit14@localhost -i sshkey.private
cat /etc/bandit_pass/bandit14

Level 14

ssh bandit14@bandit.labs.overthewire.org

pass: 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

In this level our objective is to submit our current password to the server on port 30000. A simple netcat command does it.

cat /etc/bandit_pass/bandit14 | nc localhost 30000

Level 15

ssh bandit15@bandit.labs.overthewire.org

pass: BfMYroe26WYalil77FoDi9qh59eK5xNr

Similar to level 14, we need to send our current password to port 30001. However, this time the connection uses SSL.

cat /etc/bandit_pass/bandit15 | openssl s_client -quiet -connect localhost:30001

Another solution:

ncat --ssl localhost 30001
# (paste password for level15)

Level 16

ssh bandit16@bandit.labs.overthewire.org

pass: cluFn7wTiGryunymYOu4RcffSxQluehd

The instructions give us a range of ports, 31000-32000. Our target port speaks SSL and gives us the next password if we supply our current password. First we port-scan the range to see which ports are open; we also let nmap detect the service version where possible.

nmap -p31000-32000 localhost -sV

Here we have several open ports:

Starting Nmap 6.40 ( http://nmap.org ) at 2014-12-13 23:03 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00100s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE VERSION
31046/tcp open  echo
31518/tcp open  msdtc   Microsoft Distributed Transaction Coordinator (error)
31691/tcp open  echo
31790/tcp open  msdtc   Microsoft Distributed Transaction Coordinator (error)
31960/tcp open  echo
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.31 seconds

However, 31046, 31691 and 31960 are out, since those are echo or SSH servers. The possible ones are 31518 and 31790, so we will just try both of them.

cat /etc/bandit_pass/bandit16 | openssl s_client -quiet -connect localhost:31518

Port 31518 doesn’t give anything back, so our hope is now 31790.

cat /etc/bandit_pass/bandit16 | openssl s_client -quiet -connect localhost:31790

We get an RSA private key. Save it as /tmp/bandit17.passkey, then log in as bandit17 and get the password.

chmod 600 /tmp/bandit17.passkey                   # ssh refuses a key file that others can read
ssh bandit17@localhost -i /tmp/bandit17.passkey
cat /etc/bandit_pass/bandit17

Level 17

ssh bandit17@bandit.labs.overthewire.org

pass: xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn

We are given two files: password.old and password.new. The new password is the only line that differs between the two, so we can use diff to find it.

diff password.new password.old

Level 18

ssh bandit18@bandit.labs.overthewire.org

pass: kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd

Someone has modified .bashrc to log us out immediately when we log in. We can pass a command to ssh to run at login instead of the shell, and read the password stored in ~/readme that way.

ssh bandit18@bandit.labs.overthewire.org -t 'cat readme'

Level 19

ssh bandit19@bandit.labs.overthewire.org

pass: IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

In this level we are given a setuid binary in the home directory. We don’t yet know what to do, so we check its usage by running it without arguments. Once we learn how to run it, we use it to read the next password.

./bandit20-do cat /etc/bandit_pass/bandit20

OverTheWire.org Wargames – Bandit – Level 0 to Level 9

OverTheWire.org is one of the good sites that offer wargames. In this context, a wargame is a game specifically designed to help people learn and practice security concepts in the form of a fun-filled game. One of the wargame categories provided by OverTheWire is Bandit, which is aimed at absolute beginners.

This writeup contains my solutions to the OverTheWire Bandit challenges. The solutions written here are for level 0 to level 9.

Level 0

ssh bandit0@bandit.labs.overthewire.org

pass: bandit0

The simplest challenge. You only need to log in to the system via SSH. Once you are in, get the password for the next level with:

cat readme

Level 1

ssh bandit1@bandit.labs.overthewire.org

pass: boJ9jbbUNNfktd78OOpsqOltutMc3MY1

Another simple challenge. Once you are logged in, you will notice a file in the home directory named ‘-‘. Since a leading dash is read as an option, the name needs special treatment.

cat ./-

Level 2

ssh bandit2@bandit.labs.overthewire.org

pass: CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

Another simple challenge. Once you are logged in, you will notice a file in the home directory named “spaces in this filename” (without the quotes). There are spaces in the filename, so we need extra treatment. There are two ways to solve this: write the filename in quotes, or escape each space. Pick one.

cat "spaces in this filename"
cat spaces\ in\ this\ filename   # each space escaped, otherwise cat is given four separate filenames

Level 3

ssh bandit3@bandit.labs.overthewire.org

pass: UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

There is a folder called inhere. It appears empty at first glance, but that’s not the case: there is a hidden file there.

cd inhere
ls -la
cat .hidden

Level 4

ssh bandit4@bandit.labs.overthewire.org

pass: pIwrPrtPN36QITSp3EQaw936yaFoFgAB

Again there is a directory called inhere, with a few files inside. The instructions say the password is in the only human-readable file, so with the file command we can see that the only ASCII text file is “-file07”.

cd inhere
file ./*
cat ./-file07   # ./ prefix so the leading dash is not parsed as an option

Level 5

ssh bandit5@bandit.labs.overthewire.org

pass: koReBOKuIDDepwhWk7jZC0RTdopnAYKh

A folder with a bunch of folders inside, recursively. The instructions tell us the file containing the password is 1033 bytes, so we have to find a file with that specific size.

cd inhere
find . -type f -size 1033c
cat ./maybehere07/.file2

Another solution:

cd inhere
ls -Rla . | awk '/:$/&&f{s=$0;f=0}
    /:$/&&!f{sub(/:$/,"");s=$0;f=1;next}
    NF&&f{ print s"/"$0 }' | grep 1033

Level 6

ssh bandit6@bandit.labs.overthewire.org

pass: DXjZPULLxYr17uwoI01bNLQbtFemEgo7

Nothing in our home directory. The file is located somewhere on the server, owned by user bandit7 and group bandit6, and is 33 bytes in size.

find / -type f -user bandit7 -group bandit6 -size 33c 2> /dev/null
cat /var/lib/dpkg/info/bandit7.password

Another solution:

ls -Rla / 2> /dev/null | awk '/:$/&&f{s=$0;f=0}
    /:$/&&!f{sub(/:$/,"");s=$0;f=1;next}
    NF&&f{ print s"/"$0 }' | grep -E 'bandit7 +bandit6 +33 '   # owner, group and size columns of ls -l

Level 7

ssh bandit7@bandit.labs.overthewire.org

pass: HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

There is a file called data.txt in our home directory. It is a huge file that we need to search through. The password is located next to the word millionth, so we can simply use grep.

grep "millionth" data.txt

Level 8

ssh bandit8@bandit.labs.overthewire.org

pass: cvX2JJa4CFALtqS87jk27qwqGhBM9plV

The password is on the only unique line in data.txt. We can use sort and uniq to find it (uniq only detects duplicates on sorted input).

sort data.txt | uniq -u

Level 9

ssh bandit9@bandit.labs.overthewire.org

pass: UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

Now the password is in a binary file, which we can’t easily grep through. However, we can run strings on it and grep its output. The instructions say the password is on one of the few lines beginning with an equal sign.

strings data.txt | grep =