Category Archives: Labs

DracOS Environment – My Build Lab

My role on the team requires me to build a specific environment for development. As you know, DracOS is an LFS-based Linux distribution, meaning we build it from the ground up: we are not remastering or modifying another distro. It is a pure Linux tailored to our needs.

My development lab is simple. All builds are done on virtual machines; I chose VirtualBox. Two virtual machines are needed. The first VM is Builder, the second is Target. Target is the final DracOS product, which can (theoretically) boot in any environment, so Target is the VM for running tests. During development, Target's disk is attached to Builder, and Builder does all the work. Basically Builder builds two things: the tools and Target.

In this article I describe the settings I use to create the build environment (version 1). This version does not integrate much yet, but it works for the first phase.

Virtual Machines Specification

Builder

  • Arch Linux template
  • Processors: 4 CPUs
  • RAM 4096 MB (4GB)
  • HDD
    • /dev/sda (8GB) Builder.vdi
      • /dev/sda1 – / (4GB) ext4
      • /dev/sda2 – (1GB) swap
      • /dev/sda3 – /tools (3GB) ext4
    • /dev/sdb  (mounted Target.vdi)

Target

  • Arch Linux template
  • Processors 1 CPUs
  • RAM 1024 MB (1GB)
  • HDD
    • /dev/sda (20GB) Target.vdi
      • /dev/sda1 – / (10GB) ext4 for 64bit branch
      • /dev/sda2 – / (10GB) ext4 for 32bit branch

As you can see, Target's disk is attached to Builder as its second disk.

I chose Arch Linux because I need a lightweight distro to do the job.

At this point my lab deviates a little from the LFS build environment. The LFS guide recommends one partition for LFS, with the tools directory as part of that partition. In my lab I keep both tools and sources on the Builder machine and bind-mount them into Target when needed. This way I won't need to remove things afterwards.

Setup Target

The only setup we do here is to create the proper partitions. I know we could do this from Builder, but I decided to separate the two so we can clearly see each role and function.

Boot the Arch Linux ISO. Once we get a prompt, run fdisk to partition.

target# fdisk /dev/sda

My final partition layout looks like this

target# fdisk -l /dev/sda
Disk /dev/sda: 20GiB, 21474836480 bytes, 41943040 sectors
Units: sectors of 1 * 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xdcef6fd

Device    Boot     Start       End  Sectors Size Id Type
/dev/sda1           2048  20973567 20971520  10G 83 Linux
/dev/sda2       20973568  41943039 20969472  10G 83 Linux

Then we format each partition.

target# mkfs.ext4 /dev/sda1
target# mkfs.ext4 /dev/sda2

Shut down the VM

target# shutdown -h -P now

Setup Builder

I will divide the process into three sections: prepare, install, builder. Each phase has its own purpose and is identified by the name before the prompt.

I don't create any user other than lfs. This user complies with the LFS guide and will be the only user in the system (other than root).

Actually, this is not much different from a typical Arch Linux installation.

Prepare Phase

Prepare the environment before doing the installation.

The US keymap is fine for me, so nothing to change.

Make sure the network is up and we can ping the internet.

prepare# ping archlinux.org

Update the system clock. Synchronize with NTP to ensure system clock is accurate.

prepare# timedatectl set-ntp true
prepare# timedatectl status

Partition the disk with the following layout

prepare# fdisk -l /dev/sda
Disk /dev/sda: 8GiB, 8589934592 bytes, 16777216 sectors
Units: sectors of 1 * 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x99be88fc

Device    Boot     Start       End  Sectors Size Id Type
/dev/sda1           2048   8390655  8388608  4G 83 Linux
/dev/sda2        8390656  10487807  2097152  1G 82 Linux swap / Solaris
/dev/sda3       10487808  16777215  6289408  3G 83 Linux

and format them

prepare# mkfs.ext4 /dev/sda1
prepare# mkfs.ext4 /dev/sda3
prepare# mkswap /dev/sda2
prepare# swapon /dev/sda2

Mount the file systems.

prepare# mount /dev/sda1 /mnt
prepare# mkdir /mnt/tools
prepare# mkdir /mnt/sources
prepare# mount /dev/sda3 /mnt/tools
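The prepare phase is the destructive part of the Builder setup: mkfs on the wrong device wipes a disk. Below is an added preflight check (example code written for this page, not part of the DracOS lab) that parses fdisk -l output and only runs the mkfs/mount commands above when the partition table matches the layout listed for Builder. The sample table is copied from the article; the function names, the LAB_APPLY and DRY_RUN switches and the assumption of 512-byte sectors are mine.

```sh
#!/bin/sh
# Preflight check for the Builder disk (added example, not part of the DracOS lab).
# It parses the partition rows of "fdisk -l" output and refuses the format step
# unless every row is internally consistent (Sectors == End - Start + 1), rows do
# not overlap, and each partition's type id and rounded size match BUILDER_SPEC.
# Assumes 512-byte sectors (2097152 sectors per GiB) and a DOS label.

# Lab spec from the article: "<partition number> <fdisk type id> <size in GiB>".
BUILDER_SPEC='1 83 4
2 82 1
3 83 3'

# partition_rows: stdin = fdisk -l output, stdout = "device start end sectors id".
# fdisk puts a "*" in the Boot column of a bootable partition, shifting the fields.
partition_rows() {
  awk '$1 ~ /^\/dev\// && $2 ~ /^[0-9]+$/ { print $1, $2, $3, $4, $6 }
       $1 ~ /^\/dev\// && $2 == "*"       { print $1, $3, $4, $5, $7 }'
}

# check_layout FDISK_OUTPUT: exit 0 if it matches BUILDER_SPEC; otherwise print
# every mismatch and exit 1.
check_layout() {
  printf '%s\n' "$1" | partition_rows | awk -v spec="$BUILDER_SPEC" '
    BEGIN {
      want = split(spec, lines, "\n")
      for (i = 1; i <= want; i++) {
        split(lines[i], f, " "); id[f[1]] = f[2]; gib[f[1]] = f[3]
      }
    }
    {
      dev = $1; start = $2 + 0; end = $3 + 0; sectors = $4 + 0; type = $5
      num = dev; sub(/.*[^0-9]/, "", num)          # /dev/sda3 -> 3
      if (end - start + 1 != sectors) {
        printf "%s: Sectors=%d but End-Start+1=%d\n", dev, sectors, end - start + 1; bad++
      }
      if (start <= last_end) { printf "%s: overlaps the previous partition\n", dev; bad++ }
      last_end = end
      if (!(num in id)) { printf "%s: not in the lab spec\n", dev; bad++; next }
      if (type != id[num]) { printf "%s: type %s, expected %s\n", dev, type, id[num]; bad++ }
      got = int(sectors / 2097152 + 0.5)
      if (got != gib[num]) { printf "%s: about %dG, expected %dG\n", dev, got, gib[num]; bad++ }
      seen++
    }
    END {
      if (seen != want) { printf "expected %d partitions, saw %d\n", want, seen + 0; bad++ }
      exit (bad > 0)
    }'
}

# run CMD...: echo the command; execute it only when DRY_RUN=0.
run() {
  printf '+ %s\n' "$*"
  if [ "${DRY_RUN:-1}" = 0 ]; then "$@"; fi
}

# format_builder DISK: the prepare-phase steps from the article, in order.
format_builder() {
  disk=$1
  run mkfs.ext4 "${disk}1"
  run mkfs.ext4 "${disk}3"
  run mkswap "${disk}2"
  run swapon "${disk}2"
  run mount "${disk}1" /mnt
  run mkdir -p /mnt/tools /mnt/sources
  run mount "${disk}3" /mnt/tools
}

# Constructed sample: the Builder table from the article, with the sector count of
# sda3 as fdisk reports it (16777215 - 10487808 + 1 = 6289408).
SAMPLE_GOOD='Disk /dev/sda: 8 GiB, 8589934592 bytes, 16777216 sectors
Disklabel type: dos

Device    Boot     Start       End  Sectors Size Id Type
/dev/sda1           2048   8390655  8388608  4G 83 Linux
/dev/sda2        8390656  10487807  2097152  1G 82 Linux swap / Solaris
/dev/sda3       10487808  16777215  6289408  3G 83 Linux'

# The same table with a mistyped sector count on sda3; check_layout must reject it.
SAMPLE_BAD=$(printf '%s\n' "$SAMPLE_GOOD" | sed 's/6289408/6289400/')

# Real run, only when explicitly requested: LAB_APPLY=1 DRY_RUN=0 sh preflight.sh
if [ "${LAB_APPLY:-0}" = 1 ]; then
  check_layout "$(fdisk -l /dev/sda)" && format_builder /dev/sda
fi
```

check_layout prints one line per mismatch, so a table with a wrong sector count names the offending row. Without LAB_APPLY=1 nothing is executed; with LAB_APPLY=1 but DRY_RUN left at its default the script still only echoes the mkfs/mount commands, which is the mode to use the first time on a fresh VM.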

Install Phase

Select mirrors. All packages are downloaded from mirrors, so we need to make sure we select the correct server; nearby servers are preferred. Open /etc/pacman.d/mirrorlist and rearrange it.

Strap a minimal installation

install# pacstrap /mnt base

Generate fstab from the current mounts

install# genfstab -U /mnt >> /mnt/etc/fstab

Then chroot

install# arch-chroot /mnt

Set the timezone, then write the system time to the hardware clock; the second command also generates /etc/adjtime.

install(chroot)# ln -sf /usr/share/zoneinfo/Asia/Jakarta /etc/localtime
install(chroot)# hwclock --systohc

Uncomment en_US.UTF-8 UTF-8 and any other locales you need in /etc/locale.gen, then generate them with

install(chroot)# locale-gen

Set the hostname and hosts.

install(chroot)# echo "Builder" > /etc/hostname
install(chroot)# echo "127.0.0.1    builder.localdomain   builder" >> /etc/hosts

Creating a new initramfs is usually not required. However I just want to make sure.

install(chroot)# mkinitcpio -p linux

Change root password.

install(chroot)# passwd

Create the new user lfs, for development only.

install(chroot)# groupadd lfs
install(chroot)# useradd -m -g lfs -k /dev/null -s /bin/bash lfs
install(chroot)# passwd lfs

Refresh the package database and install sudo

install(chroot)# pacman -Syy
install(chroot)# pacman -S sudo

Install the bootloader. I chose GRUB.

install(chroot)# pacman -S grub
install(chroot)# grub-install --target=i386-pc /dev/sda
install(chroot)# grub-mkconfig -o /boot/grub/grub.cfg

Enable the networking service. There is no running systemd inside the chroot, so only enable has an effect here; dhcpcd starts on the first boot.

install(chroot)# systemctl enable dhcpcd

Leave the chroot and reboot, then make sure our base system is installed and ready to use.

install(chroot)# exit
install# reboot

Builder Phase

Install the kernel headers. They are needed for building DKMS modules. We also need base-devel for the build process, so it's a crucial component.

builder# pacman -S linux-headers net-tools pkgfile base-devel

Leveraging the CLI for everything is interesting. However, I need to produce scripts and other things for the development process, so I install a GUI.

builder# pacman -S xf86-video-vesa   # lets us test the X Window System before the VirtualBox guest additions are installed
builder# pacman -S alsa-utils
builder# pacman -S xorg-server xorg-server-utils xorg-xinit
builder# pacman -S ttf-dejavu ttf-droid ttf-inconsolata
builder# pacman -S terminus-font
builder# pacman -S xorg-twm xorg-xclock xterm
builder# pacman -S xfce4 xfce4-goodies

Next, install and load the VirtualBox guest modules so we can interact with Builder from the host system.

builder# pacman -S virtualbox-guest-utils

builder# nano /etc/modules-load.d/virtualbox.conf
	vboxguest
	vboxsf
	vboxvideo

builder# systemctl enable vboxservice.service

Install and configure some tools

builder# pacman -S git
builder# pacman -S python

The post DracOS Environment – My Build Lab appeared first on Xathrya.ID.

Docker Lab – Docker, Apache, MySQL, PHP (DAMP)

This lab might be used for my upcoming workshop.

The goal of this lab is to set up a "LAMP" environment on top of the Docker ecosystem. Technically speaking we will use simple containers on a single Docker host. Although the title says DAMP (Docker, Apache, MySQL, PHP), in practice we will spawn two containers:

  1. MySQL Container – where the data resides.
  2. WordPress Container – where the actual WordPress application runs

I hope you know basic Docker before proceeding.

Step

Planning

Our lab is a simple WordPress with a MySQL backend. Both MySQL and WordPress will use the latest version. Nothing special here.

We don't want to use default passwords, therefore we will override them.

Creating Lab Network

The reason we create a new network is isolation. This is optional; we could use the default network provided by Docker. But the goal of a dedicated lab network is to give every container in the lab the ability to communicate with each other without affecting other labs (and the containers there).

docker network create --driver bridge lab1-damp

This lab network lives on a single Docker host. If you are using Swarm, consider using an overlay network instead.

Generate Password

We need two strong passwords: one for the MySQL root account, another for the WordPress database user. These two passwords will be passed to the containers through environment variables. Generate a random string for each and export them.

export ROOT_PASSWORD=<my super secure mysql root password>
export WORDPRESS_PASSWORD=<my super secure wordpress password>

Make sure you replace the passwords with your own. Note that anything typed on the command line ends up in your shell history; clear it afterwards, or source the values from a file with restricted permissions.

Spawn MySQL Container

We will override four settings. The image exposes them as environment variables that we can set.

docker run -d --name mysql \
--env MYSQL_ROOT_PASSWORD=${ROOT_PASSWORD} \
--env MYSQL_USER=wordpress \
--env MYSQL_PASSWORD=${WORDPRESS_PASSWORD} \
--env MYSQL_DATABASE=wordpress \
--net lab1-damp \
mysql

The settings we override are self-explanatory. Mind the space before each trailing backslash: without it the line continuation glues the MYSQL_PASSWORD value to the next --env.

We detach the container so it runs in the "background" while we do something else.

Verify that the container is running

docker ps

Spawn WordPress Container

WordPress is a PHP application, so WP runs on top of a web server and a PHP interpreter. Technically speaking our container already has Apache HTTPD and PHP installed, so we only need to concern ourselves with WordPress.

docker run -d -p 80:80 --name wordpress \
--env WORDPRESS_DB_HOST=mysql:3306 \
--env WORDPRESS_DB_USER=wordpress \
--env WORDPRESS_DB_PASSWORD=${WORDPRESS_PASSWORD} \
--env WORDPRESS_DB_NAME=wordpress \
--net lab1-damp \
wordpress

We expose this container's port 80 and map it to port 80 on the host. WordPress needs a MySQL instance, so we point it at our container through WORDPRESS_DB_HOST; Docker's embedded DNS resolves the container name mysql on the user-defined lab network. The variable the image reads for the database name is WORDPRESS_DB_NAME.

To verify the container is running, again:

docker ps
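The network, password and two docker run steps above fit in one script. The one below is an added example written for this page (not the post's own commands). It keeps the secrets out of the command line by writing them to 0600 env files and passing --env-file, waits for MySQL to answer before starting WordPress, and does nothing to Docker unless DAMP_APPLY=1 is set, so the file helpers can be exercised offline. The lab1-damp, mysql and wordpress names come from the post; the damp-secrets directory and the function names are assumptions.

```sh
#!/bin/sh
# The DAMP lab as one script (added example written for this page, not the
# post's own commands). Differences from the inline "docker run" lines above:
#  - the two passwords are generated from /dev/urandom and written to 0600 env
#    files, then passed with --env-file instead of on the command line, where
#    they would land in shell history and be visible to "ps" while docker starts
#  - it waits until MySQL answers before starting WordPress
#  - nothing touches docker unless DAMP_APPLY=1, so the file helpers run offline
# Names (lab1-damp, mysql, wordpress, the damp-secrets directory) are assumptions.
set -u

NET=lab1-damp

# gen_password LEN: LEN characters from [A-Za-z0-9] taken from /dev/urandom.
gen_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$1"
}

# write_env_files DIR: create DIR/mysql.env and DIR/wordpress.env, readable only
# by the owner. The WordPress image uses different variable names for the same
# database credentials, so both files are written from one pair of secrets.
# Existing files are kept, so re-running never rotates the password under a
# live database.
write_env_files() {
  dir=$1
  if [ -f "$dir/mysql.env" ] && [ -f "$dir/wordpress.env" ]; then
    return 0
  fi
  root_pw=$(gen_password 32)
  wp_pw=$(gen_password 32)
  old_umask=$(umask)
  umask 077
  mkdir -p "$dir"
  printf 'MYSQL_ROOT_PASSWORD=%s\nMYSQL_USER=wordpress\nMYSQL_PASSWORD=%s\nMYSQL_DATABASE=wordpress\n' \
    "$root_pw" "$wp_pw" >"$dir/mysql.env"
  printf 'WORDPRESS_DB_HOST=mysql:3306\nWORDPRESS_DB_USER=wordpress\nWORDPRESS_DB_PASSWORD=%s\nWORDPRESS_DB_NAME=wordpress\n' \
    "$wp_pw" >"$dir/wordpress.env"
  umask "$old_umask"
}

# ensure_network: create the isolated bridge only if it does not exist yet.
ensure_network() {
  docker network inspect "$NET" >/dev/null 2>&1 || docker network create --driver bridge "$NET"
}

start_mysql() {
  docker run -d --name mysql --net "$NET" --env-file "$1/mysql.env" mysql
}

# wait_for_mysql SECS: poll with mysqladmin inside the container; the root
# password is read from the container's own environment, not passed from here.
wait_for_mysql() {
  i=0
  while [ "$i" -lt "$1" ]; do
    if docker exec mysql sh -c 'mysqladmin ping -uroot -p"$MYSQL_ROOT_PASSWORD" --silent' >/dev/null 2>&1; then
      return 0
    fi
    i=$((i + 1))
    sleep 1
  done
  echo "mysql did not become ready within $1 s" >&2
  return 1
}

start_wordpress() {
  docker run -d --name wordpress --net "$NET" -p 80:80 --env-file "$1/wordpress.env" wordpress
}

main() {
  dir=${DAMP_DIR:-./damp-secrets}
  write_env_files "$dir"
  ensure_network
  start_mysql "$dir"
  wait_for_mysql 60
  start_wordpress "$dir"
  docker ps --filter "network=$NET"
}

if [ "${DAMP_APPLY:-0}" = 1 ]; then
  main
fi
```

Run it as DAMP_APPLY=1 sh damp.sh. The env files keep the passwords out of shell history and out of the process list, but docker inspect still shows them to anyone who can reach the Docker socket, so this is a lab-grade measure; outside a lab, use Swarm or Compose secrets rather than environment variables.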

We can also poke around inside it.

docker exec -ti wordpress bash

We are now attached to the wordpress container with a tty. Specifically, we are running a new process, bash, inside the container. To exit, type exit.

Configure

Open a browser and go to http://localhost and you will see the famous WordPress installation page, something like this. Just do your configuration.

[screenshot: WordPress installation page]

Challenge

  1. Inspect the wordpress container. Can you open the page with its IP address instead of localhost?
  2. Stop mysql, will wordpress run normally? Try starting mysql to confirm it.
  3. Remove mysql and create a new mysql container without MYSQL_PASSWORD set. Restart wordpress. Will it run successfully? Try omitting the others.
  4. Exec bash on wordpress. Can you find the www directory? Try creating a file to confirm it.
  5. Exec bash on mysql. Can you find the data directory?


Ringzer0team CTF Writeup – ELF Crackme 1 – Time to Learning x86 ASM & gdb

Register yourself if you have not yet.

Access the challenge at http://ringzer0team.com/challenges/11

Download the subject. Its checksums:

  • f6816b590d2021a16ba8005aa235e6a3 (md5)
  • b8c18db3e4678e09683e3b20e9004d1183c2420b (sha1)

The challenge clearly instructs us to use GDB. In this case, I have customized my GDB using an init script which can be downloaded from my GitHub.

After downloading the binary, run 'file' then 'readelf' to get some initial information about the file.

# file 88eb31060c4abd0931878bf7d2dd8c1a
88eb31060c4abd0931878bf7d2dd8c1a: ELF 32-bit LSB  executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=a5f44b829c4727ed369f823f19d575087673f34e, not stripped

# readelf -h 88eb31060c4abd0931878bf7d2dd8c1a
ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Intel 80386
  Version:                           0x1
  Entry point address:               0x8048380
  Start of program headers:          52 (bytes into file)
  Start of section headers:          4508 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         9
  Size of section headers:           40 (bytes)
  Number of section headers:         30
  Section header string table index: 27

We know the entry point, 0x8048380, and are certain that the file is ELF32.

Load the binary into GDB, switch to Intel syntax instead of AT&T, and break at the entry point. Then run the binary so we reach our breakpoint.

# gdb 88eb31060c4abd0931878bf7d2dd8c1a
gdb$ set disassembly-flavor intel
gdb$ break *0x8048380
gdb$ run

If you are using my .gdbinit script you will see all the registers. If not, disassemble from $eip and let's analyze the code. Since the binary is not stripped, disassemble main also works and takes you straight to the program's own code.

gdb$ disassemble $eip

Look at the code and you will find some interesting parts.

...
   0x080484ae <+66>:	mov    DWORD PTR [eax],0x47414c46
   0x080484b4 <+72>:	mov    DWORD PTR [eax+0x4],0x3930342d
   0x080484bb <+79>:	mov    WORD PTR [eax+0x8],0x32
...
   0x080484e9 <+125>:	mov    DWORD PTR [eax],0x75393438
   0x080484ef <+131>:	mov    DWORD PTR [eax+0x4],0x6a326f69
   0x080484f6 <+138>:	mov    WORD PTR [eax+0x8],0x66
...
   0x08048530 <+196>:	mov    DWORD PTR [eax],0x6a736c6b
   0x08048536 <+202>:	mov    DWORD PTR [eax+0x4],0x6c6b34

All of them store immediate values into a buffer pointed to by eax. The values are ASCII, if you look closely. Let's look them up in an ASCII table.

0x47414c46   ==> GALF
0x3930342d   ==> 904-
0x32         ==> 2
...
0x75393438   ==> u948
0x6a326f69   ==> j2oi
0x66         ==> f
...
0x6a736c6b   ==> jslk
0x6c6b34     ==> lk4

Well, it doesn't make sense, unless you remember that x86 is little-endian: the least significant byte of each immediate is stored first, so every word reads reversed. So the flag would be

FLAG-4092849uio2jfklsj4kl

Submit the flag!
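The byte reversal above can be done mechanically. Below is an added example written for this page (not the writeup's own code) that converts each immediate from the disassembly into the bytes it leaves in memory and concatenates them in program order. The immediates are copied from the listing above; the function names are assumptions. It is plain POSIX sh and needs no xxd or python.

```sh
#!/bin/sh
# Decode the immediates the crackme stores into its buffer (added example, not
# part of the original writeup). x86 is little-endian, so a DWORD written as
# 0x47414c46 lands in memory as the bytes 46 4c 41 47, i.e. "FLAG". Each value
# is walked from its least significant byte upward; NUL bytes (the terminator
# in the final WORD/DWORD store of each sequence) are dropped.

# le_immediate_to_ascii HEX: print the bytes of HEX in memory (little-endian) order.
le_immediate_to_ascii() {
  h=${1#0x}
  # an odd digit count means the disassembler dropped a leading zero
  if [ $(( ${#h} % 2 )) -eq 1 ]; then h="0$h"; fi
  while [ -n "$h" ]; do
    byte=${h#"${h%??}"}     # last two hex digits = lowest remaining byte
    h=${h%??}
    [ "$byte" = "00" ] && continue
    # printf needs an octal escape to emit an arbitrary byte portably
    printf "\\$(printf '%03o' "$((0x$byte))")"
  done
}

# decode_stores: the immediates from the three store sequences, in program
# order, copied from the disassembly of the challenge binary.
decode_stores() {
  for imm in 0x47414c46 0x3930342d 0x32 \
             0x75393438 0x6a326f69 0x66 \
             0x6a736c6b 0x6c6b34; do
    le_immediate_to_ascii "$imm"
  done
  echo
}

decode_stores   # prints FLAG-4092849uio2jfklsj4kl
```

The same function decodes any mov-immediate string construction you meet in a crackme: paste the immediates in the order the stores appear and the output is the string as it sits in memory.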


OverTheWire.org Wargames – Bandit – Level 20 to Level 29

Initially I posted the passwords in this article. When I moved the article here from the old site, I decided I should remove them.

OverTheWire.org is one of the good sites offering wargames. In this context, a wargame is a game specifically designed to help people learn and practice security concepts in a fun form. One of the wargame categories provided by OverTheWire is Bandit, which is aimed at absolute beginners.

This writeup contains my solutions to the OverTheWire Bandit challenges. The solutions written here are for level 20 and above.


How to Play

Bandit, like the other games, is organized in levels. We start playing at level 0 and try to "be​at" or "finish" it. Finishing a level yields the information needed to start the next level.

There are several things you can try when you are unsure how to continue:

  • First, if you know a command, but don’t know how to use it, try the manual (man page) by entering “man <command>” (without the quotes). e.g. if you know about the “ls” command, type: man ls. The “man” command also has a manual, try it. Press q to quit the man command.
  • Second, if there is no man page, the command might be a shell built-in. In that case use the “help <X>” command. E.g. help cd
  • Also, your favorite search-engine is your friend.
  • Lastly, if you are still stuck, you can join us on IRC

Level 20

ssh bandit20@bandit.labs.overthewire.org

pass:

There is an executable file "suconnect". It makes a connection to localhost on the port we specify as a command-line argument. It then reads a line of text from the connection and compares it to the password of the current level. If the password is correct, it transmits the password for level 21.

All we need to do is run nc listening on a random port, then connect to it with suconnect. nc sends the password through the session and suconnect sends back the new password. Depending on the netcat variant installed, the listen syntax is either nc -l 13510 or nc -l -p 13510.

nc -l 13510 < /etc/bandit_pass/bandit20 &
./suconnect 13510

Level 21

ssh bandit21@bandit.labs.overthewire.org

pass:

There is a cron job we need to look at. In /etc/cron.d there are several cron files, but our objective is cronjob_bandit22, which looks promising. Investigate it to see what the script does.

The cron entry runs /usr/bin/cronjob_bandit22.sh, which dumps /etc/bandit_pass/bandit22 into /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv.

cat /etc/cron.d/cronjob_bandit22
cat /usr/bin/cronjob_bandit22.sh
cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

Level 22

ssh bandit22@bandit.labs.overthewire.org

pass:

Another cron job. This time the script used by the cron job copies /etc/bandit_pass/bandit23 to a file in /tmp whose name is the md5 of a fixed string. There's no need to figure the filename out by hand; we can always recreate the computation.

cat /etc/cron.d/cronjob_bandit23
cat /usr/bin/cronjob_bandit23.sh
cat /tmp/$(echo I am user bandit23 | md5sum | cut -d ' ' -f 1)

Level 23

ssh bandit23@bandit.labs.overthewire.org

pass:

Another cronjob.

In this level we need to create our own shell script to run. The cron job script executes (and then deletes) every script in /var/spool/bandit24, running them as bandit24. So we can drop a script there that dumps /etc/bandit_pass/bandit24 anywhere we like. We just need to make sure the script is executable and that the output file is writable by bandit24.

The script we create, saved as /var/spool/bandit24/xath.sh:

#!/bin/bash

cat /etc/bandit_pass/bandit24 > /tmp/bandit24xathpass

Then we do:

touch /tmp/bandit24xathpass && chmod 666 /tmp/bandit24xathpass
chmod +x /var/spool/bandit24/xath.sh
sleep 60    # the cron job runs once a minute
cat /tmp/bandit24xathpass

Level 24

ssh bandit24@bandit.labs.overthewire.org

pass:

Another tedious level.

There is a service running on port 30002. It asks for two words: the password of the current level (bandit24) and a secret 4-digit pincode, separated by a space. Our only option is to brute-force all 10000 combinations.

This is a one-line command, arranged over multiple lines for clarity. grep needs -E for the alternation to work; with plain grep the | is a literal character and nothing would be filtered.

for i in {0000..9999}; do
    echo $i;
    echo "$(cat /etc/bandit_pass/bandit24) $i" | nc localhost 30002 | grep -Ev "separated|Wrong|Exit" >> /tmp/xathrya25.brute;
    done && cat /tmp/xathrya25.brute
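The loop above opens a new TCP connection for every one of the 10000 candidates. The checker keeps reading lines until it sees the right one, so all candidates can be streamed through a single nc session instead. Below is an added example written for this page (not the writeup's own command) that does that; the checker is passed in as a command that speaks the protocol on stdin/stdout, so the same function runs against nc on the Bandit host or against the constructed fake service included for offline testing. The fake's password and pincode, the function names and the BANDIT_RUN switch are assumptions.

```sh
#!/bin/sh
# Single-connection pincode brute force for level 24 (added example, not the
# writeup's own code). The candidate lines are generated once and piped into
# whatever command talks to the checker; the filter keeps only lines that are
# neither the banner nor a rejection, i.e. the success reply.

# gen_candidates PASSWORD: 10000 lines "PASSWORD 0000" .. "PASSWORD 9999".
gen_candidates() {
  i=0
  while [ "$i" -le 9999 ]; do
    printf '%s %04d\n' "$1" "$i"
    i=$((i + 1))
  done
}

# brute_force_pin PASSWORD CHECKER...: stream every candidate to CHECKER over one
# session and print the checker's success lines. The grep pattern is the one the
# per-connection loop above uses, with -E so the alternation is honoured.
brute_force_pin() {
  pw=$1
  shift
  gen_candidates "$pw" | "$@" | grep -Ev 'separated|Wrong|Exit'
}

# fake_checker: a constructed stand-in for the port-30002 service so the brute
# force can be tested offline. It reads "password pin" lines and answers with a
# banner, rejections, and a success message of the same shape as the real one.
# FAKE_PASSWORD and FAKE_PIN are test values, not the real level secrets.
fake_checker() {
  echo "I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space."
  while IFS= read -r line; do
    if [ "$line" = "$FAKE_PASSWORD $FAKE_PIN" ]; then
      echo "Correct!"
      echo "The password of user bandit25 is <fake-value-for-test>"
      echo "Exiting."
      return 0
    fi
    echo "Wrong! Please enter the correct pincode. Try again."
  done
}

# On the Bandit host: BANDIT_RUN=1 sh brute25.sh
if [ "${BANDIT_RUN:-0}" = 1 ]; then
  brute_force_pin "$(cat /etc/bandit_pass/bandit24)" nc localhost 30002
fi
```

Against the real service the call is brute_force_pin "$(cat /etc/bandit_pass/bandit24)" nc localhost 30002; nc reads the candidates from its stdin and prints the replies, and the filter leaves the two lines that carry the next password.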

Level 25

ssh bandit25@bandit.labs.overthewire.org

pass:

Not Available Yet.

Level 26

ssh bandit26@bandit.labs.overthewire.org

pass:

Not Available Yet.

Level 27

ssh bandit27@bandit.labs.overthewire.org

pass:

Not Available Yet.

Level 28

ssh bandit28@bandit.labs.overthewire.org

pass:

Not Available Yet.

Level 29

ssh bandit29@bandit.labs.overthewire.org

pass:

Not Available Yet.


OverTheWire.org Wargames – Bandit – Level 10 to Level 19

This writeup contains my solutions to the OverTheWire Bandit challenges. The solutions written here are for level 10 to level 19.

Level 10

ssh bandit10@bandit.labs.overthewire.org

pass:

data.txt is indeed plain text; however the password inside is base64-encoded. Decoding is simple with the base64 utility.

base64 -d data.txt

Level 11

ssh bandit11@bandit.labs.overthewire.org

pass:

The password is written inside data.txt. This time it is encoded with ROT13 (a Caesar cipher with a shift of 13): every letter has been rotated 13 positions. We can use the tr utility to reverse it.

tr 'A-Za-z' 'N-ZA-Mn-za-m' < data.txt

Level 12

ssh bandit12@bandit.labs.overthewire.org

pass:

This problem is not hard, but tedious. The directions tell us the data has been compressed several times and we need to decompress it accordingly. However we cannot write to the home directory, so we use a directory under /tmp for the temporary files.

mkdir /tmp/secretbase
cp ~/data.txt /tmp/secretbase/data.txt
cd /tmp/secretbase
xxd -r data.txt > data.bin
file data.bin
mv data.bin data.gz
gzip -d data.gz
file data
mv data data.bz2
bzip2 -d data.bz2
file data
mv data data.gz
gzip -d data.gz
file data
tar -xvf data
file data5.bin
tar -xvf data5.bin
bzip2 -d data6.bin        # no .bz2 suffix, so bzip2 writes the result to data6.bin.out
file data6.bin.out
tar -xvf data6.bin.out
file data8.bin
mv data8.bin data8.gz
gzip -d data8.gz
file data8
cat data8
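The chain above is one instance of a general loop: look at what the data is, unpack one layer, repeat. Below is an added example written for this page (not the writeup's own commands) that does exactly that, identifying each layer by its magic bytes instead of renaming files by hand. It handles gzip, bzip2 and single-member tar, which covers everything in this level. The helper names, the work-directory path and the three-layer sample built in the test are assumptions.

```sh
#!/bin/sh
# Generic unwrapper for the level 12 data (added example, not the writeup's own
# commands). Identifies each layer by magic bytes rather than by the file name,
# unpacks it, and repeats until the payload is neither gzip, bzip2 nor tar.
# Needs only gzip, bzip2, tar, od and dd.

# magic FILE -> gzip | bzip2 | tar | other
magic() {
  first2=$(od -An -tx1 -N2 "$1" | tr -d ' \n')
  case $first2 in
    1f8b) echo gzip; return 0 ;;
    425a) echo bzip2; return 0 ;;   # "BZ" of the "BZh" header
  esac
  # POSIX (ustar) and GNU tar both write "ustar" at byte offset 257
  if [ "$(dd if="$1" bs=1 skip=257 count=5 2>/dev/null)" = "ustar" ]; then
    echo tar; return 0
  fi
  echo other
}

# unwrap FILE: decompress/untar FILE layer by layer and print the path of the
# innermost payload. Intermediate files get a ".unpacked" suffix. The tar layers
# in this level hold exactly one member, so only the first member is taken.
unwrap() {
  f=$1
  dir=$(dirname "$f")
  while :; do
    case $(magic "$f") in
      gzip)  gzip -dc "$f" >"$f.unpacked" ;;
      bzip2) bzip2 -dc "$f" >"$f.unpacked" ;;
      tar)
        member=$(tar -tf "$f" | head -n 1)
        tar -xf "$f" -C "$dir" "$member"
        mv "$dir/$member" "$f.unpacked"
        ;;
      *)
        printf '%s\n' "$f"
        return 0
        ;;
    esac
    f=$f.unpacked
  done
}

# On the Bandit host: turn the hexdump back into bytes and unwrap it under /tmp.
if [ "${BANDIT_RUN:-0}" = 1 ]; then
  work=$(mktemp -d /tmp/xathrya12.XXXXXX)
  xxd -r ~/data.txt >"$work/data.bin"
  cat "$(unwrap "$work/data.bin")"
fi
```

Checking the magic bytes rather than trusting the name is the same thing file(1) does, and it is what makes the loop safe against a layer that was deliberately given a misleading extension.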

Level 13

ssh bandit13@bandit.labs.overthewire.org

pass:

It is quite simple. When we log in as bandit13, we see a private SSH key in the home directory. Supply it to ssh to log in as bandit14 on localhost. After that, read /etc/bandit_pass/bandit14 to get bandit14's password. Here is how we do that:

ssh bandit14@localhost -i sshkey.private
cat /etc/bandit_pass/bandit14

Level 14

ssh bandit14@bandit.labs.overthewire.org

pass:

In this level our objective is to submit our current password to the server on port 30000. A simple command using netcat does the job.

cat /etc/bandit_pass/bandit14 | nc localhost 30000

Level 15

ssh bandit15@bandit.labs.overthewire.org

pass:

Similar to level 14, we need to send our current password to port 30001. However, this time we need to use SSL.

cat /etc/bandit_pass/bandit15 | openssl s_client -quiet -connect localhost:30001

Another solution:

ncat --ssl localhost 30001
# (paste password for level15)

Level 16

ssh bandit16@bandit.labs.overthewire.org

pass:

The directions give us a range of ports, 31000-32000. Our target port uses SSL and will give us the next password if we supply our current one. First we port-scan the range to find the open ports, and let nmap detect the service version where it can.

nmap -p31000-32000 localhost -sV

Here we have several open ports:

Starting Nmap 6.40 ( http://nmap.org ) at 2014-12-13 23:03 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00100s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE VERSION
31046/tcp open  echo
31518/tcp open  msdtc   Microsoft Distributed Transaction Coordinator (error)
31691/tcp open  echo
31790/tcp open  msdtc   Microsoft Distributed Transaction Coordinator (error)
31960/tcp open  echo
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.31 seconds

Of these, 31046, 31691 and 31960 are out, since they are plain echo servers. The remaining candidates are 31518 and 31790, so we just try both.

cat /etc/bandit_pass/bandit16 | openssl s_client -quiet -connect localhost:31518

Port 31518 doesn't give anything back, so our hope is now 31790.

cat /etc/bandit_pass/bandit16 | openssl s_client -quiet -connect localhost:31790

We get an RSA private key. Save it as /tmp/bandit17.passkey and restrict its permissions (ssh refuses to use a key that other users can read), then log in to bandit17 and get the password.

chmod 600 /tmp/bandit17.passkey
ssh bandit17@localhost -i /tmp/bandit17.passkey
cat /etc/bandit_pass/bandit17

Level 17

ssh bandit17@bandit.labs.overthewire.org

pass:

We are given two files: password.old and password.new. The new password is on the only line that differs between the two, so we can use diff to find it. With the arguments in this order, the line prefixed with < is the one from password.new.

diff password.new password.old

Level 18

ssh bandit18@bandit.labs.overthewire.org

pass:

Someone has modified .bashrc to log us out immediately when we log in. We can give ssh a command to run as we log in and use it to read the password stored in ~/readme.

ssh bandit18@bandit.labs.overthewire.org -t 'cat readme'

Level 19

ssh bandit19@bandit.labs.overthewire.org

pass:

In this level we are given a setuid binary in the home directory. We don't know yet what to do, so we look at its usage by running it without arguments. After learning how it works, we use it for our purpose: it runs the given command as bandit20.

./bandit20-do cat /etc/bandit_pass/bandit20


OverTheWire.org Wargames – Bandit – Level 0 to Level 9

This writeup contains my solutions to the OverTheWire Bandit challenges. The solutions written here are for level 0 to level 9.

Level 0

ssh bandit0@bandit.labs.overthewire.org

pass: bandit0

The simplest challenge. You only need to log in to the system via SSH. Once you are in, get the password for the next level with:

cat readme

Level 1

ssh bandit1@bandit.labs.overthewire.org

pass:

Another simple challenge. Once you are logged in, you will notice a file in the home directory named '-'. A lone dash is interpreted as stdin (or as an option prefix) by most commands, so we need special treatment: refer to it by a path.

cat ./-

Level 2

ssh bandit2@bandit.labs.overthewire.org

pass:

Another simple challenge. Once you are logged in, you will notice a file in the home directory named "spaces in this filename" (without the quotes). There are spaces in the filename, so it needs extra treatment. There are two ways to solve this: quote the filename, or escape each space with a backslash. Pick one.

cat "spaces in this filename"
cat spaces\ in\ this\ filename

Level 3

ssh bandit3@bandit.labs.overthewire.org

pass:

There is a folder called inhere. It appears empty at first glance. However that's not the case: there is a hidden file in there.

cd inhere
ls -la
cat .hidden

Level 4

ssh bandit4@bandit.labs.overthewire.org

pass:

Still, there is a directory called inhere, with a few files inside. The directions say the password is in the only human-readable file, so with the file command we can see that the only ASCII text file is "-file07". As in the previous level, the leading dash needs the ./ prefix.

cd inhere
file ./*
cat ./-file07

Level 5

ssh bandit5@bandit.labs.overthewire.org

pass:

A folder with a bunch of folders inside, recursively. The directions tell us the file containing the password is 1033 bytes, so we have to find a file with that specific size.

cd inhere
find . -type f -size 1033c
cat ./maybehere07/.file2

Another solution:

cd inhere
ls -Rla . | awk '/:$/&&f{s=$0;f=0}
    /:$/&&!f{sub(/:$/,"");s=$0;f=1;next}
    NF&&f{ print s"/"$0 }' | grep 1033

Level 6

ssh bandit6@bandit.labs.overthewire.org

pass:

Nothing in our home directory. The file is located somewhere on the server, owned by user bandit7 and group bandit6. It is also 33 bytes in size.

find / -type f -user bandit7 -group bandit6 -size 33c 2> /dev/null
cat /var/lib/dpkg/info/bandit7.password

Another solution (the ls listing shows user, group and size side by side, so we match on all three):

ls -Rla / 2> /dev/null | awk '/:$/&&f{s=$0;f=0}
    /:$/&&!f{sub(/:$/,"");s=$0;f=1;next}
    NF&&f{ print s"/"$0 }' | grep 'bandit7 *bandit6 *33 '

Level 7

ssh bandit7@bandit.labs.overthewire.org

pass:

There is a file called data.txt in our home directory. It is a huge file we need to search through. The password is located next to the word millionth. We can simply use grep.

grep "millionth" data.txt

Level 8

ssh bandit8@bandit.labs.overthewire.org

pass:

The password is on the only unique line in data.txt. We can use sort and uniq to find it: uniq -u prints only lines that occur once, and it needs sorted input so that duplicates are adjacent.

sort data.txt | uniq -u

Level 9

ssh bandit9@bandit.labs.overthewire.org

pass:

Now it's a binary file. We can't easily grep through it directly. However we can run strings on it and then grep. The directions say the password is on one of the few lines beginning with an equal sign.

strings data.txt | grep =
