Category Archives: overthewire bandit

OverTheWire.org Wargames – Bandit – Level 10 to Level 19

Initially I posted the password in this article. When I moved the article here from the old site, I thought I should remove it.

OverTheWire.org is one of the good sites that offer wargames. In this context, a wargame is a game specifically designed to help people learn and practice security concepts in a fun way. One of the wargame categories provided by OverTheWire is Bandit, which is aimed at absolute beginners.

This writeup contains the solutions to the OverTheWire Bandit challenges that I solved. The solutions written here are for level 10 to level 19.

How to Play

Bandit, like other games, is organized in levels. We start playing at level 0 and try to “beat” or “finish” it. Finishing a level gives us the information needed to start the next level.

There are several things you can try when you are unsure how to continue:

  • First, if you know a command, but don’t know how to use it, try the manual (man page) by entering “man <command>” (without the quotes). e.g. if you know about the “ls” command, type: man ls. The “man” command also has a manual, try it. Press q to quit the man command.
  • Second, if there is no man page, the command might be a shell built-in. In that case use the “help <X>” command. E.g. help cd
  • Also, your favorite search-engine is your friend.
  • Lastly, if you are still stuck, you can join us on IRC

Level 10

ssh bandit10@bandit.labs.overthewire.org

pass:

The file data.txt is plain text, but the password inside it is encoded with base64. Decoding is simple with the base64 utility.

base64 -d data.txt

Level 11

ssh bandit11@bandit.labs.overthewire.org

pass:

The password is written inside data.txt. This time it is encrypted with ROT13 (a Caesar cipher with a shift of 13), which means every letter in the text has been rotated by 13 positions. We can use the tr utility to reverse it.

cat data.txt | tr '[A-Za-z]' '[N-ZA-Mn-za-m]'

Level 12

ssh bandit12@bandit.labs.overthewire.org

pass:

This problem is not hard, but it is tedious. The directions tell us that the data has been compressed in several ways and that we need to decompress it accordingly. We cannot use the home directory, so we use the /tmp directory to store temporary files.

mkdir /tmp/secretbase
cp ~/data.txt /tmp/secretbase/data.txt
cd /tmp/secretbase
xxd -r data.txt > data.bin
file data.bin
mv data.bin data.gz
gzip -d data.gz
file data
mv data data.bz2
bzip2 -d data.bz2
file data
mv data data.gz
gzip -d data.gz
file data
tar -xvf data
file data5.bin
tar -xvf data5.bin
bzip2 -d data6.bin
file data6.bin.out
tar -xvf data6.bin.out
file data8.bin
mv data8.bin data8.gz
gzip -d data8.gz
file data8
cat data8
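
The rename-and-retry loop above can be automated by reading each layer's magic bytes instead of relying on file names. This is an added example, not part of the original writeup; the function names magic, peel and make_sample and the sample data are constructed for illustration.

```sh
#!/bin/sh
# Added example: peel nested gzip/bzip2/tar layers by magic bytes.

# magic FILE OFFSET LEN -> hex of LEN bytes at OFFSET (empty if the file is too short)
magic() { od -An -tx1 -j"$2" -N"$3" "$1" 2>/dev/null | tr -d ' \n'; }

# peel FILE -> prints the path of the innermost payload. The body runs in a
# subshell, so variables stay local and "exit" only leaves the function.
peel() (
    work=$(mktemp -d) || exit 1       # private, unpredictable directory
    cur=$work/layer0; i=0
    cp "$1" "$cur" || exit 1
    while [ "$i" -lt 32 ]; do         # hard cap against endless nesting
        i=$((i + 1)); next=$work/layer$i
        if [ "$(magic "$cur" 0 2)" = 1f8b ]; then              # gzip
            gzip -dc "$cur" > "$next" || exit 1
        elif [ "$(magic "$cur" 0 3)" = 425a68 ]; then          # bzip2, "BZh"
            bzip2 -dc "$cur" > "$next" || exit 1
        elif [ "$(magic "$cur" 257 5)" = 7573746172 ]; then    # tar, "ustar" at 257
            # Stream the first member to stdout so the archive cannot
            # choose where anything is written.
            tar -xOf "$cur" "$(tar -tf "$cur" | head -n 1)" > "$next" || exit 1
        else
            printf '%s\n' "$cur"; exit 0                       # no wrapper left
        fi
        cur=$next
    done
    echo "peel: more than 32 layers, giving up" >&2; exit 1
)

# Constructed sample: text -> gzip -> tar -> bzip2 (if installed) -> gzip.
make_sample() (
    d=$(mktemp -d) || exit 1
    cd "$d" || exit 1
    printf 'constructed-secret\n' > data8
    gzip -c data8 > data6.bin
    tar -cf data5.bin data6.bin
    if command -v bzip2 >/dev/null 2>&1; then bzip2 -c data5.bin > data4.bin
    else cp data5.bin data4.bin; fi
    gzip -c data4.bin > sample.bin
    printf '%s\n' "$d/sample.bin"
)

cat "$(peel "$(make_sample)")"
```

On the level itself, reverse the hex dump first (xxd -r data.txt > data.bin) and pass data.bin to peel. Using mktemp -d also avoids the fixed, guessable directory name under /tmp.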

Level 13

ssh bandit13@bandit.labs.overthewire.org

pass:

It is quite simple. When we log in as bandit13, we see a private SSH key in the home directory. We supply it to the SSH client to log in as bandit14. After that, we read /etc/bandit_pass/bandit14 to get the password for bandit14. Here is how we do that:

ssh bandit14@localhost -i sshkey.private
cat /etc/bandit_pass/bandit14

Level 14

ssh bandit14@bandit.labs.overthewire.org

pass:

In this level our objective is to submit our current password to the server on port 30000. A simple command using netcat can be used here.

cat /etc/bandit_pass/bandit14 | nc localhost 30000

Level 15

ssh bandit15@bandit.labs.overthewire.org

pass:

Similar to level 14, we need to send our current password to port 30001. However, this time we need to use SSL.

cat /etc/bandit_pass/bandit15 | openssl s_client -quiet -connect localhost:30001

Another solution:

ncat --ssl localhost 30001
# (paste password for level15)

Level 16

ssh bandit16@bandit.labs.overthewire.org

pass:

The directions give us a range of ports, 31000-32000. Our target port uses SSL and will give us the next password if we supply our current password. First we need to port scan the range to detect which ports are open. We also use nmap to detect the service version where possible.

nmap -p31000-32000 localhost -sV

Here we have several open ports:

Starting Nmap 6.40 ( http://nmap.org ) at 2014-12-13 23:03 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00100s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE VERSION
31046/tcp open  echo
31518/tcp open  msdtc   Microsoft Distributed Transaction Coordinator (error)
31691/tcp open  echo
31790/tcp open  msdtc   Microsoft Distributed Transaction Coordinator (error)
31960/tcp open  echo
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.31 seconds

However, 31046, 31691, and 31960 are out, since those are echo or SSH servers. The possible ones are 31518 and 31790, so we will just try both of them.

cat /etc/bandit_pass/bandit16 | openssl s_client -quiet -connect localhost:31518

Port 31518 doesn’t give anything back, so our hope is now 31790.

cat /etc/bandit_pass/bandit16 | openssl s_client -quiet -connect localhost:31790

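We get an RSA private key. Save the key as /tmp/bandit17.passkey, then log in as bandit17 and get the password. ssh refuses a private key file that other users can read, so restrict its permissions first.

chmod 600 /tmp/bandit17.passkey
ssh bandit17@localhost -i /tmp/bandit17.passkey
cat /etc/bandit_pass/bandit17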

Level 17

ssh bandit17@bandit.labs.overthewire.org

pass:

We are given two files: password.old and password.new. The new password is the only line that differs between the two, so we can use diff to find it.

diff password.new password.old

Level 18

ssh bandit18@bandit.labs.overthewire.org

pass:

Someone has modified .bashrc to log us out immediately when we log in. Instead, we can pass a command to ssh to run at login and read the password stored in ~/readme.

ssh bandit18@bandit.labs.overthewire.org -t 'cat readme'

Level 19

ssh bandit19@bandit.labs.overthewire.org

pass:

In this level we are given a setuid binary in the home directory. We don’t know yet what to do with it, so we check its usage by running it without arguments. After learning how to run it, we can use it for our purpose.

./bandit20-do cat /etc/bandit_pass/bandit20

The post OverTheWire.org Wargames – Bandit – Level 10 to Level 19 appeared first on Xathrya.ID.

OverTheWire.org Wargames – Bandit – Level 0 to Level 9

Initially I posted the password in this article. When I moved the article here from the old site, I thought I should remove it.

OverTheWire.org is one of the good sites that offer wargames. In this context, a wargame is a game specifically designed to help people learn and practice security concepts in a fun way. One of the wargame categories provided by OverTheWire is Bandit, which is aimed at absolute beginners.

This writeup contains the solutions to the OverTheWire Bandit challenges that I solved. The solutions written here are for level 0 to level 9.

Level 0

ssh bandit0@bandit.labs.overthewire.org

pass: bandit0

The simplest challenge. You only need to log in to the system via SSH. Once you are in, get the password for the next level with:

cat readme

Level 1

ssh bandit1@bandit.labs.overthewire.org

pass:

Another simple challenge. Once you are logged in, you will notice a file in the home directory named ‘-’. Since the dash is a special character, it needs special treatment.

cat ./-

Level 2

ssh bandit2@bandit.labs.overthewire.org

pass:

Another simple challenge. Once you are logged in, you will notice a file in the home directory named “spaces in this filename” (without the quotes). There are spaces in the filename, so it needs extra treatment. There are two ways to solve this: write the filename in quotes, or use the escape character. Pick one.

cat "spaces in this filename"
cat spaces\ in\ this\ filename

Level 3

ssh bandit3@bandit.labs.overthewire.org

pass:

There is a folder called inhere. It appears empty at first glance. However, that is not the case: there is a hidden file in it.

cd inhere
ls -la
cat .hidden

Level 4

ssh bandit4@bandit.labs.overthewire.org

pass:

Again there is a directory called inhere, with a few files inside. The directions say the password is in the only human-readable file, and the file command shows that the only ASCII text file is “-file07”.

cd inhere
file ./*
cat ./-file07

Level 5

ssh bandit5@bandit.labs.overthewire.org

pass:

A folder with a bunch of folders inside, recursively. The directions tell us the file containing the password is 1033 bytes, so we have to find a file with that specific size.

cd inhere
find . -type f -size 1033c
cat ./maybehere07/.file2

Another solution:

cd inhere
ls -Rla . | awk '/:$/&&f{s=$0;f=0}
    /:$/&&!f{sub(/:$/,"");s=$0;f=1;next}
    NF&&f{ print s"/"$0 }' | grep 1033

Level 6

ssh bandit6@bandit.labs.overthewire.org

pass:

There is nothing in our home directory. The file is located somewhere on the server and is owned by user bandit7 and group bandit6. It is also 33 bytes in size.

find / -type f -user bandit7 -group bandit6 -size 33c 2> /dev/null
cat /var/lib/dpkg/info/bandit7.password

Another solution:

ls -Rla / 2> /dev/null | awk '/:$/&&f{s=$0;f=0}
    /:$/&&!f{sub(/:$/,"");s=$0;f=1;next}
    NF&&f{ print s"/"$0 }' | grep -E 'bandit7 +bandit6 +33 '

Level 7

ssh bandit7@bandit.labs.overthewire.org

pass:

There is a file called data.txt in our home directory. It is a huge file that we need to search through. The password is located next to the word millionth. We can simply use grep to solve this.

grep "millionth" data.txt

Level 8

ssh bandit8@bandit.labs.overthewire.org

pass:

The password is on the only unique line in the file data.txt. We can use sort and uniq to find it.

sort data.txt | uniq -u

Level 9

ssh bandit9@bandit.labs.overthewire.org

pass:

Now the password is in a binary file, so we can’t easily grep through it. However, we can run strings on it and grep through the output. The directions say that the password is on one of the few lines beginning with an equal sign.

strings data.txt | grep =

The post OverTheWire.org Wargames – Bandit – Level 0 to Level 9 appeared first on Xathrya.ID.