rtmoran.org — Cybersecurity and Linux Resource

Tag: overthewire

Over the Wire’s Bandit Challenge – Level 17

Level Instructions:

“There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new

NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19.”


bandit17@bandit:~$ ls -la
total 40
drwxr-xr-x  3 root     root     4096 Dec 28  2017 .
drwxr-xr-x 42 root     root     4096 Jul 22 18:42 ..
-rw-r-----  1 bandit17 bandit17   33 Dec 28  2017 .bandit16.password
-rw-r--r--  1 root     root      220 Sep  1  2015 .bash_logout
-rw-r--r--  1 root     root     3771 Sep  1  2015 .bashrc
-rw-r--r--  1 root     root      655 Jun 24  2016 .profile
drwxr-xr-x  2 root     root     4096 Dec 28  2017 .ssh
-rw-r-----  1 bandit17 bandit17 1704 Dec 28  2017 .ssl-cert-snakeoil.key
-rw-r-----  1 bandit18 bandit17 3300 Dec 28  2017 passwords.new
-rw-r-----  1 bandit18 bandit17 3300 Dec 28  2017 passwords.old
bandit17@bandit:~$ diff passwords.old passwords.new
42c42
< 6vcSC74ROI95NqkKaeEC2ABVMDX9TyUr
---
> kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd

Using the ‘diff’ command we can compare the contents of passwords.old and passwords.new.

The command prints only the lines that differ between the two files. Here ‘42c42’ means line 42 was changed: the ‘<’ line is the value from passwords.old and the ‘>’ line is the value from passwords.new, revealing ‘kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd’, our password for bandit18.

Over the Wire’s Bandit Challenge – Level 16

Level Instructions:

“The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.”


bandit16@bandit:~$ nmap -sV -A -p 31000-32000 localhost | grep open
31046/tcp open  echo
31518/tcp open  ssl/echo
31691/tcp open  echo
31790/tcp open  ssl/unknown
31960/tcp open  echo
bandit16@bandit:~$ openssl s_client -connect localhost:31790 -quiet
depth=0 CN = bandit
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = bandit
verify return:1
cluFn7wTiGryunymYOu4RcffSxQluehd
Correct!
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----
bandit16@bandit:~$ mkdir /tmp/rtm2
bandit16@bandit:~$ nano /tmp/rtm2/sshkey

[PASTE CONTENTS OF PRIVATE KEY INTO EMPTY FILE]

bandit16@bandit:~$ chmod 600 /tmp/rtm2/sshkey
bandit16@bandit:~$ ssh -i /tmp/rtm2/sshkey bandit17@localhost

We begin by performing an Nmap scan for services running on open ports between 31000 and 32000.  The output is piped through grep for the sake of neatness.

We find five ports reported open, three of which report their service as echo: not what we’re interested in.  We also find two SSL services listening; however, one of those is also running echo.

We attempt to make a connection to port 31790, inputting the previous password, and are returned what appears to be the private SSH key for bandit17!

Before we can use it to access bandit17, we first need to create a new directory within /tmp.  Using nano (or your preferred text editor) we create a new text file there and paste the contents of the private SSH key into the empty file.

If we attempt to log in to bandit17 from here, using the SSH key file we just created, we will be met with an error.  Without first locking down the permissions of the key file using ‘chmod’, ssh refuses the key with an “Unprotected Private Key File!” warning.  Modifying the permissions to 600 remedies this issue.

Over the Wire’s Bandit Challenge – Level 15

Level Instructions:

“The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…”


bandit15@bandit:~$ openssl s_client -connect localhost:30001 -quiet
depth=0 CN = bandit
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = bandit
verify return:1
BfMYroe26WYalil77FoDi9qh59eK5xNr
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd

We use the ‘openssl’ command to establish a secure connection to port 30001.  The directions hint at output errors you may receive and point to appending ‘-ign_eof’ to your command, which prevents the connection from being terminated once end of file is reached on the input.  Above I used the ‘-quiet’ switch instead, because it not only implicitly sets ‘-ign_eof’ but also inhibits the printing of session and certificate information, cleaning up the output a bit for this particular task.

Over the Wire’s Bandit Challenge – Level 14

Level Instructions:

“The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.”


bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
bandit14@bandit:~$ nc localhost 30000
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr

First, we need to print out the password for the current user, bandit14.  The location of the password, /etc/bandit_pass/bandit14, was revealed in the previous challenge.  Next we establish a connection to localhost:30000 using either netcat or telnet.  Once connected, we paste the current password and the password for bandit15 is returned.

Over the Wire’s Bandit Challenge – Level 13

Level Instructions:

“The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on.”


bandit13@bandit:~$ ls -la
total 24
drwxr-xr-x  2 root     root     4096 Dec 28  2017 .
drwxr-xr-x 42 root     root     4096 Jul 22 18:42 ..
-rw-r--r--  1 root     root      220 Sep  1  2015 .bash_logout
-rw-r--r--  1 root     root     3771 Sep  1  2015 .bashrc
-rw-r--r--  1 root     root      655 Jun 24  2016 .profile
-rw-r-----  1 bandit14 bandit13 1679 Dec 28  2017 sshkey.private
bandit13@bandit:~$ ssh -i ./sshkey.private bandit14@localhost

In level 13, as instructed, we are not provided with a password to access bandit14.  We are, however, provided with the private SSH key, which can be used in lieu of a login password by passing the switch ‘-i [location of private ssh key]’ to ssh.

Over the Wire’s Bandit Challenge – Level 12

Level Instructions:

“The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!).”


bandit12@bandit:~$ ls -la
total 24
drwxr-xr-x  2 root     root     4096 Dec 28  2017 .
drwxr-xr-x 42 root     root     4096 Jul 22 18:42 ..
-rw-r--r--  1 root     root      220 Sep  1  2015 .bash_logout
-rw-r--r--  1 root     root     3771 Sep  1  2015 .bashrc
-rw-r--r--  1 root     root      655 Jun 24  2016 .profile
-rw-r-----  1 bandit13 bandit12 2646 Dec 28  2017 data.txt
bandit12@bandit:~$ mkdir /tmp/rtm
bandit12@bandit:~$ cp data.txt /tmp/rtm
bandit12@bandit:~$ cd /tmp/rtm
bandit12@bandit:/tmp/rtm$ file data.txt
data.txt: ASCII text
bandit12@bandit:/tmp/rtm$ xxd -r data.txt > data_rev
bandit12@bandit:/tmp/rtm$ file data_rev
data_rev: gzip compressed data, was "data2.bin", last modified: Thu Dec 28 13:34:36 2017, max compression, from Unix
bandit12@bandit:/tmp/rtm$ zcat data_rev > data_zcat
bandit12@bandit:/tmp/rtm$ file data_zcat
data_zcat: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/rtm$ bzip2 -d data_zcat
bzip2: Can't guess original name for data_zcat -- using data_zcat.out
bandit12@bandit:/tmp/rtm$ file data_zcat.out
data_zcat.out: gzip compressed data, was "data4.bin", last modified: Thu Dec 28 13:34:36 2017, max compression, from Unix
bandit12@bandit:/tmp/rtm$ zcat data_zcat.out > data4
bandit12@bandit:/tmp/rtm$ file data4
data4: POSIX tar archive (GNU)
bandit12@bandit:/tmp/rtm$ tar -xvf data4
data5.bin
bandit12@bandit:/tmp/rtm$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@bandit:/tmp/rtm$ tar -xvf data5.bin
data6.bin
bandit12@bandit:/tmp/rtm$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/rtm$ bzip2 -d data6.bin
bzip2: Can't guess original name for data6.bin -- using data6.bin.out
bandit12@bandit:/tmp/rtm$ file data6.bin.out
data6.bin.out: POSIX tar archive (GNU)
bandit12@bandit:/tmp/rtm$ tar -xvf data6.bin.out
data8.bin
bandit12@bandit:/tmp/rtm$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", last modified: Thu Dec 28 13:34:36 2017, max compression, from Unix
bandit12@bandit:/tmp/rtm$ zcat data8.bin > data8_zcat
bandit12@bandit:/tmp/rtm$ file data8_zcat
data8_zcat: ASCII text
bandit12@bandit:/tmp/rtm$ cat data8_zcat
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

As mentioned in the instructions, the password for bandit13 resides in data.txt, which has been repeatedly compressed.  First, we create a directory within /tmp to give us somewhere with write privileges to copy data.txt and work on it.  Next, we essentially repeat one process: check the file type using the ‘file’ command, then extract the contents of the file with the tool that matches the reported type.

‘xxd -r’ is used to revert from the hexdump to binary.
If ‘file’ reports a tar archive, extract using ‘tar -xvf’; if it reports bzip2, use ‘bzip2 -d’; if gzip, use ‘zcat’.
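The same peel-one-layer-at-a-time loop, written here as an added Python example (not code from the original post): it parses an xxd-style hexdump back to bytes, then inspects the magic bytes the way ‘file’ does and applies the matching decompressor until plain text is left. The data.txt stand-in, the CONSTRUCTED_EXAMPLE_VALUE password and the helper names are all constructed for this example.

```python
import bz2
import gzip
import io
import tarfile

def xxd_dump(data: bytes) -> str:
    """Write an xxd-style hexdump: offset, 16 bytes as 8 hex groups, then an ASCII column."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        groups = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {groups.ljust(39)}  {text}")
    return "\n".join(lines) + "\n"

def xxd_reverse(dump: str) -> bytes:
    """Turn the hexdump back into bytes, the job 'xxd -r data.txt' does in the transcript."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        hex_part = line.split(":", 1)[1].split("  ", 1)[0]  # drop offset and ASCII column
        out.extend(bytes.fromhex(hex_part.replace(" ", "")))
    return bytes(out)

def unwrap(data: bytes) -> bytes:
    """Repeat the 'file, then the matching tool' step until no known container is left."""
    while True:
        if data.startswith(b"\x1f\x8b"):                        # gzip magic  -> zcat
            data = gzip.decompress(data)
        elif data.startswith(b"BZh"):                           # bzip2 magic -> bzip2 -d
            data = bz2.decompress(data)
        elif len(data) >= 512 and data[257:262] == b"ustar":   # tar magic   -> tar -xf
            with tarfile.open(fileobj=io.BytesIO(data)) as tar:
                data = tar.extractfile(tar.getmembers()[0]).read()
        else:
            return data  # plain text (or an unknown format): stop here

def build_sample() -> str:
    """Constructed stand-in for data.txt: text -> gzip -> tar -> bzip2 -> gzip -> hexdump."""
    inner = gzip.compress(b"The password is CONSTRUCTED_EXAMPLE_VALUE\n")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("data5.bin")
        info.size = len(inner)
        tar.addfile(info, io.BytesIO(inner))
    return xxd_dump(gzip.compress(bz2.compress(buf.getvalue())))
```

Calling unwrap(xxd_reverse(build_sample())) returns the constructed password line; feeding xxd_reverse a real ‘xxd data.txt’ dump works the same way, since it uses the default xxd column layout.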

Over the Wire’s Bandit Challenge – Level 11


Level Instructions:

“The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions.”


bandit11@bandit:~$ ls -la
total 24
drwxr-xr-x  2 root     root     4096 Dec 28  2017 .
drwxr-xr-x 42 root     root     4096 Jul 22 18:42 ..
-rw-r--r--  1 root     root      220 Sep  1  2015 .bash_logout
-rw-r--r--  1 root     root     3771 Sep  1  2015 .bashrc
-rw-r--r--  1 root     root      655 Jun 24  2016 .profile
-rw-r-----  1 bandit12 bandit11   49 Dec 28  2017 data.txt
bandit11@bandit:~$ cat data.txt
Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh
bandit11@bandit:~$ cat data.txt | tr [:alpha:] 'N-ZA-Mn-za-m'
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

The password in level 11 has been encoded with ROT13, a substitution that advances each letter by 13 positions (so applying it a second time restores the original).  By piping the contents of the file into the tr (translate) command we first specify the set of characters we would like translated (all alphabetic characters, [:alpha:], i.e. A-Za-z) and secondly the order we would like those characters mapped to (A-Za-z → N-ZA-Mn-za-m).

Over the Wire’s Bandit Challenge – Level 10


Level Instructions:

“The password for the next level is stored in the file data.txt, which contains base64 encoded data.”


bandit10@bandit:~$ ls -la
total 24
drwxr-xr-x  2 root     root     4096 Dec 28  2017 .
drwxr-xr-x 42 root     root     4096 Jul 22 18:42 ..
-rw-r--r--  1 root     root      220 Sep  1  2015 .bash_logout
-rw-r--r--  1 root     root     3771 Sep  1  2015 .bashrc
-rw-r--r--  1 root     root      655 Jun 24  2016 .profile
-rw-r-----  1 bandit11 bandit10   69 Dec 28  2017 data.txt
bandit10@bandit:~$ cat data.txt
VGhlIHBhc3N3b3JkIGlzIElGdWt3S0dzRlc4TU9xM0lSRnFyeEUxaHhUTkViVVBSCg==
bandit10@bandit:~$ cat data.txt | base64 -d
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

The password in level 10 has been encoded in base64, as detailed in the instructions.  Printing the contents of data.txt reveals a seemingly random string of characters ending in “==”, the padding base64 adds when the input length is not a multiple of three bytes.  By piping the contents of the file into base64 with the switch -d we decode the password for level 11.

Over the Wire’s Bandit Challenge – Level 9


Level Instructions:

“The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.”


bandit9@bandit:~$ ls -la
total 40
drwxr-xr-x  2 root     root     4096 Dec 28  2017 .
drwxr-xr-x 42 root     root     4096 Jul 22 18:42 ..
-rw-r--r--  1 root     root      220 Sep  1  2015 .bash_logout
-rw-r--r--  1 root     root     3771 Sep  1  2015 .bashrc
-rw-r--r--  1 root     root      655 Jun 24  2016 .profile
-rw-r-----  1 bandit10 bandit9 19379 Dec 28  2017 data.txt
bandit9@bandit:~$ file data.txt
data.txt: data
bandit9@bandit:~$ strings data.txt | grep "=="
========== theP`
========== password
L========== isA
========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk

Because the majority of data.txt is not human-readable, as the instructions reveal, we use the ‘strings’ command to pull the printable runs out of the file, piping its output into grep to keep only the lines containing “==”.

Over the Wire’s Bandit Challenge – Level 8


Level Instructions:

“The password for the next level is stored in the file data.txt and is the only line of text that occurs only once”


bandit8@bandit:~$ ls -la
total 56
drwxr-xr-x  2 root    root     4096 Dec 28  2017 .
drwxr-xr-x 42 root    root     4096 Jul 22 18:42 ..
-rw-r--r--  1 root    root      220 Sep  1  2015 .bash_logout
-rw-r--r--  1 root    root     3771 Sep  1  2015 .bashrc
-rw-r--r--  1 root    root      655 Jun 24  2016 .profile
-rw-r-----  1 bandit9 bandit8 33033 Dec 28  2017 data.txt
bandit8@bandit:~$ cat data.txt | sort | uniq -u
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

This time we pipe the contents of data.txt first through the sort command and then into uniq with the -u switch, which prints only the lines that occur exactly once.  Sorting first is required because uniq only compares adjacent lines, so duplicates must be grouped together before it can tell which line is the singleton.