Please Ctrl+F to find your desired level.
Level 14 -> Level 15
Level Goal11/31
The password for the next level can be retrieved by submitting the password of the current level
to port 30000 on localhost.
bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
This is the current level password.
Now, to find the password of the next level.
bandit14@bandit:~$ telnet localhost 30000
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr
Connection closed by foreign host.
The password for the next level is BfMYroe26WYalil77FoDi9qh59eK5xNr
We can ssh bandit15@localhost
Level Goal
The password for the next level can be retrieved by submitting the password of the current level
to port 30001 on localhost using SSL encryption.
Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the
“CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also
works in this version of that command…
bandit15@bandit:~$ cat /etc/bandit_pass/bandit15
BfMYroe26WYalil77FoDi9qh59eK5xNr
This is the password of the current level(Bandit15).
bandit15@bandit:~$ openssl s_client -connect localhost:30001 -ign_eof
CONNECTED(00000003)
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
---
Certificate chain
0 s:/CN=localhost
i:/CN=localhost
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICBjCCAW+gAwIBAgIEDU18oTANBgkqhkiG9w0BAQUFADAUMRIwEAYDVQQDDAls
b2NhbGhvc3QwHhcNMjAwNTA3MTgxNTQzWhcNMjEwNTA3MTgxNTQzWjAUMRIwEAYD
VQQDDAlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAK3CPNFR
FEypcqUa8NslmIMWl9xq53Cwhs/fvYHAvauyfE3uDVyyX79Z34Tkot6YflAoufnS
+puh2Kgq7aDaF+xhE+FPcz1JE0C2bflGfEtx4l3qy79SRpLiZ7eio8NPasvduG5e
pkuHefwI4c7GS6Y7OTz/6IpxqXBzv3c+x93TAgMBAAGjZTBjMBQGA1UdEQQNMAuC
CWxvY2FsaG9zdDBLBglghkgBhvhCAQ0EPhY8QXV0b21hdGljYWxseSBnZW5lcmF0
ZWQgYnkgTmNhdC4gU2VlIGh0dHBzOi8vbm1hcC5vcmcvbmNhdC8uMA0GCSqGSIb3
DQEBBQUAA4GBAC9uy1rF2U/OSBXbQJYuPuzT5mYwcjEEV0XwyiX1MFZbKUlyFZUw
rq+P1HfFp+BSODtk6tHM9bTz+p2OJRXuELG0ly8+Nf/hO/mYS1i5Ekzv4PL9hO8q
PfmDXTHs23Tc7ctLqPRj4/4qxw6RF4SM+uxkAuHgT/NDW1LphxkJlKGn
-----END CERTIFICATE-----
subject=/CN=localhost
issuer=/CN=localhost
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1019 bytes and written 269 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: FD97D9A0D13E0FF4449C11DE26BA610291D1B2BA73C76E6A5EE9A6C9A23551B2
Session-ID-ctx:
Master-Key:
B260917031DE976E36B212AED740EDDF54F182309B60D152D45516DC50DEDC8C979ABB80058A45636BE21BEFA69E0EC5
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - aa 02 e6 3a 2e 0b c8 5d-6f 54 4a 1b 5a e0 2c 0e ...:...]oTJ.Z.,.
13/31
0010 - 9a 38 88 6c 16 a3 54 5f-1f bf 38 0b 32 39 d7 4b .8.l..T_..8.29.K
0020 - 55 33 18 cd 4e c0 18 9f-ac 69 6b cf 8f ed d5 d2 U3..N....ik.....
0030 - 66 00 8c 91 b7 85 e0 a9-02 b3 14 54 3a 0d 3b d9 f..........T:.;.
0040 - 39 f3 51 70 51 81 37 fd-2a fa ae 5e a2 07 1e 48 9.QpQ.7.*..^...H
0050 - c8 03 17 52 3c e0 a7 3c-d0 7c ac b8 33 7b f9 0f ...R<..<.|..3{..
0060 - 9d 60 c7 0e 5c d9 9c 8a-21 e9 7c 79 00 e2 21 b4 .`..\...!.|y..!.
0070 - c2 f7 0f e2 9e 7c c7 10-d5 7d 78 36 5d ba 26 d7 .....|...}x6].&.
0080 - ff de b7 73 e0 2c 7d d4-90 3d 23 b9 b6 0d 72 59 ...s.,}..=#...rY
0090 - cf 36 84 c1 24 f6 c1 9e-62 d8 cf f5 c7 f5 71 bd .6..$...b.....q.
Start Time: 1591981210
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
Extended master secret: yes
---
BfMYroe26WYalil77FoDi9qh59eK5xNr
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd
closed
-ign_eof to inhibit shutting the connection when the end of file is reached in the input.'
Password of next level: cluFn7wTiGryunymYOu4RcffSxQluehd
---
Certificate chain
0 s:/CN=localhost
i:/CN=localhost
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICBjCCAW+gAwIBAgIEDU18oTANBgkqhkiG9w0BAQUFADAUMRIwEAYDVQQDDAls
b2NhbGhvc3QwHhcNMjAwNTA3MTgxNTQzWhcNMjEwNTA3MTgxNTQzWjAUMRIwEAYD
VQQDDAlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAK3CPNFR
FEypcqUa8NslmIMWl9xq53Cwhs/fvYHAvauyfE3uDVyyX79Z34Tkot6YflAoufnS
+puh2Kgq7aDaF+xhE+FPcz1JE0C2bflGfEtx4l3qy79SRpLiZ7eio8NPasvduG5e
pkuHefwI4c7GS6Y7OTz/6IpxqXBzv3c+x93TAgMBAAGjZTBjMBQGA1UdEQQNMAuC
CWxvY2FsaG9zdDBLBglghkgBhvhCAQ0EPhY8QXV0b21hdGljYWxseSBnZW5lcmF0
ZWQgYnkgTmNhdC4gU2VlIGh0dHBzOi8vbm1hcC5vcmcvbmNhdC8uMA0GCSqGSIb3
DQEBBQUAA4GBAC9uy1rF2U/OSBXbQJYuPuzT5mYwcjEEV0XwyiX1MFZbKUlyFZUw
rq+P1HfFp+BSODtk6tHM9bTz+p2OJRXuELG0ly8+Nf/hO/mYS1i5Ekzv4PL9hO8q
PfmDXTHs23Tc7ctLqPRj4/4qxw6RF4SM+uxkAuHgT/NDW1LphxkJlKGn
-----END CERTIFICATE-----
subject=/CN=localhost
issuer=/CN=localhost
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1019 bytes and written 269 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: FD97D9A0D13E0FF4449C11DE26BA610291D1B2BA73C76E6A5EE9A6C9A23551B2
Session-ID-ctx:
Master-Key:
B260917031DE976E36B212AED740EDDF54F182309B60D152D45516DC50DEDC8C979ABB80058A45636BE21BEFA69E0EC5
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - aa 02 e6 3a 2e 0b c8 5d-6f 54 4a 1b 5a e0 2c 0e ...:...]oTJ.Z.,.
13/31
0010 - 9a 38 88 6c 16 a3 54 5f-1f bf 38 0b 32 39 d7 4b .8.l..T_..8.29.K
0020 - 55 33 18 cd 4e c0 18 9f-ac 69 6b cf 8f ed d5 d2 U3..N....ik.....
0030 - 66 00 8c 91 b7 85 e0 a9-02 b3 14 54 3a 0d 3b d9 f..........T:.;.
0040 - 39 f3 51 70 51 81 37 fd-2a fa ae 5e a2 07 1e 48 9.QpQ.7.*..^...H
0050 - c8 03 17 52 3c e0 a7 3c-d0 7c ac b8 33 7b f9 0f ...R<..<.|..3{..
0060 - 9d 60 c7 0e 5c d9 9c 8a-21 e9 7c 79 00 e2 21 b4 .`..\...!.|y..!.
0070 - c2 f7 0f e2 9e 7c c7 10-d5 7d 78 36 5d ba 26 d7 .....|...}x6].&.
0080 - ff de b7 73 e0 2c 7d d4-90 3d 23 b9 b6 0d 72 59 ...s.,}..=#...rY
0090 - cf 36 84 c1 24 f6 c1 9e-62 d8 cf f5 c7 f5 71 bd .6..$...b.....q.
Start Time: 1591981210
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
Extended master secret: yes
---
BfMYroe26WYalil77FoDi9qh59eK5xNr
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd
closed
-ign_eof to inhibit shutting the connection when the end of file is reached in the input.'
Password of next level: cluFn7wTiGryunymYOu4RcffSxQluehd
Level 16 -> Level 17
Level Goal
The credentials for the next level can be retrieved by submitting the password of the current
level to a port on localhost in the range 31000 to 32000. First find out which of these ports have
a server listening on them. Then find out which of those speak SSL and which don’t. There is
only 1 server that will give the next credentials, the others will simply send back to you
whatever you send to it.
First, to find out which port is open between 31000-32000 using nmap
bandit16@bandit:~$ nmap -A localhost -p31000-32000
Starting Nmap 7.40 ( https://nmap.org ) at 2020-06-12 19:02 CEST
Stats: 0:01:29 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 100.00% done; ETC: 19:04 (0:00:00 remaining)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00024s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
14/31
31046/tcp open echo
31518/tcp open ssl/echo
| ssl-cert: Subject: commonName=localhost
| Subject Alternative Name: DNS:localhost
| Not valid before: 2020-05-14T12:03:38
|_Not valid after: 2021-05-14T12:03:38
|_ssl-date: TLS randomness does not represent time
31691/tcp open echo
31790/tcp open ssl/unknown
| fingerprint-strings:
| FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, Kerberos,
LDAPSearchReq, LPDString, RTSPRequest, SIPOptions, SSLSessionReq, TLSSessionReq:
|_ Wrong! Please enter the correct current password
| ssl-cert: Subject: commonName=localhost
| Subject Alternative Name: DNS:localhost
| Not valid before: 2020-05-14T12:03:38
|_Not valid after: 2021-05-14T12:03:38
|_ssl-date: TLS randomness does not represent time
31960/tcp open echo
Nmap done: 1 IP address (1 host up) scanned in 89.79 seconds
We see that 31790 is open with ssl, connecting to this port
bandit16@bandit:~$ openssl s_client -connect localhost:31790
We find a RSA key
-----BEGIN CERTIFICATE-----
MIICBjCCAW+gAwIBAgIEUnONgjANBgkqhkiG9w0BAQUFADAUMRIwEAYDVQQDDAls
b2NhbGhvc3QwHhcNMjAwNTE0MTIwMzM4WhcNMjEwNTE0MTIwMzM4WjAUMRIwEAYD
VQQDDAlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALOw+M6/
qSBJExGueg6T0HQRqfr80ysnqbuIAeQJ3VOwXg3BB8u7HtlA6JUrvQy66TWw5szi
uLBAyCffNHMx7Y2DF6L2vdSTxoOuDTLynRj7Xrw4f39NbgezfpfPbOd7/m3qNpcG
766Y46MT8w8j144VKK6qWhkBl9CPy8E2/frdAgMBAAGjZTBjMBQGA1UdEQQNMAuC
CWxvY2FsaG9zdDBLBglghkgBhvhCAQ0EPhY8QXV0b21hdGljYWxseSBnZW5lcmF0
ZWQgYnkgTmNhdC4gU2VlIGh0dHBzOi8vbm1hcC5vcmcvbmNhdC8uMA0GCSqGSIb3
DQEBBQUAA4GBAEj2rWLwLHxQMk8uuUTFHnXrtnpXP3GDch8zdUbiln4chTISKG9O
akG/gohigTEo9V3PupKcaO/zXqAbuB6iaJxOEezuLEmoGAMThHqeXusLNEPtYl5N
nM/qYplbcQtOqvYYODdP9N5dQFa54xkNmkP7oPiQkOFFKIucVzpxwzuo
-----END CERTIFICATE-----
We can use this key to login to the next level
bandit16@bandit:~$ mkdir /tmp/azid
bandit16@bandit:~$ cd /tmp/azid
bandit16@bandit:/tmp/azid$ nano temp.key
Save the key in this in a file and use it to log into the next level
15/31
bandit16@bandit:~$ ssh -i temp.key bandit17@localhost
bandit17@bandit:~$ cat /etc/bandit_pass/bandit17
xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn
Password for next level: xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn
Level Goal
The credentials for the next level can be retrieved by submitting the password of the current
level to a port on localhost in the range 31000 to 32000. First find out which of these ports have
a server listening on them. Then find out which of those speak SSL and which don’t. There is
only 1 server that will give the next credentials, the others will simply send back to you
whatever you send to it.
First, to find out which port is open between 31000-32000 using nmap
bandit16@bandit:~$ nmap -A localhost -p31000-32000
Starting Nmap 7.40 ( https://nmap.org ) at 2020-06-12 19:02 CEST
Stats: 0:01:29 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 100.00% done; ETC: 19:04 (0:00:00 remaining)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00024s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
14/31
31046/tcp open echo
31518/tcp open ssl/echo
| ssl-cert: Subject: commonName=localhost
| Subject Alternative Name: DNS:localhost
| Not valid before: 2020-05-14T12:03:38
|_Not valid after: 2021-05-14T12:03:38
|_ssl-date: TLS randomness does not represent time
31691/tcp open echo
31790/tcp open ssl/unknown
| fingerprint-strings:
| FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, Kerberos,
LDAPSearchReq, LPDString, RTSPRequest, SIPOptions, SSLSessionReq, TLSSessionReq:
|_ Wrong! Please enter the correct current password
| ssl-cert: Subject: commonName=localhost
| Subject Alternative Name: DNS:localhost
| Not valid before: 2020-05-14T12:03:38
|_Not valid after: 2021-05-14T12:03:38
|_ssl-date: TLS randomness does not represent time
31960/tcp open echo
Nmap done: 1 IP address (1 host up) scanned in 89.79 seconds
We see that 31790 is open with ssl, connecting to this port
bandit16@bandit:~$ openssl s_client -connect localhost:31790
We find a RSA key
-----BEGIN CERTIFICATE-----
MIICBjCCAW+gAwIBAgIEUnONgjANBgkqhkiG9w0BAQUFADAUMRIwEAYDVQQDDAls
b2NhbGhvc3QwHhcNMjAwNTE0MTIwMzM4WhcNMjEwNTE0MTIwMzM4WjAUMRIwEAYD
VQQDDAlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALOw+M6/
qSBJExGueg6T0HQRqfr80ysnqbuIAeQJ3VOwXg3BB8u7HtlA6JUrvQy66TWw5szi
uLBAyCffNHMx7Y2DF6L2vdSTxoOuDTLynRj7Xrw4f39NbgezfpfPbOd7/m3qNpcG
766Y46MT8w8j144VKK6qWhkBl9CPy8E2/frdAgMBAAGjZTBjMBQGA1UdEQQNMAuC
CWxvY2FsaG9zdDBLBglghkgBhvhCAQ0EPhY8QXV0b21hdGljYWxseSBnZW5lcmF0
ZWQgYnkgTmNhdC4gU2VlIGh0dHBzOi8vbm1hcC5vcmcvbmNhdC8uMA0GCSqGSIb3
DQEBBQUAA4GBAEj2rWLwLHxQMk8uuUTFHnXrtnpXP3GDch8zdUbiln4chTISKG9O
akG/gohigTEo9V3PupKcaO/zXqAbuB6iaJxOEezuLEmoGAMThHqeXusLNEPtYl5N
nM/qYplbcQtOqvYYODdP9N5dQFa54xkNmkP7oPiQkOFFKIucVzpxwzuo
-----END CERTIFICATE-----
We can use this key to login to the next level
bandit16@bandit:~$ mkdir /tmp/azid
bandit16@bandit:~$ cd /tmp/azid
bandit16@bandit:/tmp/azid$ nano temp.key
Save the key in this in a file and use it to log into the next level
15/31
bandit16@bandit:~$ ssh -i temp.key bandit17@localhost
bandit17@bandit:~$ cat /etc/bandit_pass/bandit17
xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn
Password for next level: xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn
Level 17 -> Level 18
Level Goal
There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the
next level is in passwords.new and is the only line that has been changed between
passwords.old and passwords.new
NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is
related to the next level, bandit19
bandit17@bandit:~$ ls
passwords.new passwords.old
bandit17@bandit:~$ diff passwords.old passwords.new
42c42
< w0Yfolrc5bwjS4qw5mq1nnQi6mF03bii
---
> kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
Password to next level: kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
On logging into bandit18 we get
Byebye!
Connection to localhost closed.
This is related to the next level
Level Goal
There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the
next level is in passwords.new and is the only line that has been changed between
passwords.old and passwords.new
NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is
related to the next level, bandit19
bandit17@bandit:~$ ls
passwords.new passwords.old
bandit17@bandit:~$ diff passwords.old passwords.new
42c42
< w0Yfolrc5bwjS4qw5mq1nnQi6mF03bii
---
> kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
Password to next level: kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
On logging into bandit18 we get
Byebye!
Connection to localhost closed.
This is related to the next level
Level 18 -> Level 19
Level Goal
The password for the next level is stored in a file readme in the homedirectory. Unfortunately,
someone has modified .bashrc to log you out when you log in with SSH.
We use
bandit17@bandit:~$ ssh bandit18@localhost -T
We will use the -T parameter to disable the pseudo -tty allocation.
We get a shell and we will ls and cat to find the password
For more information regarding individual wargames, visit
http://www.overthewire.org/wargames/
For support, questions or comments, contact us through IRC on
irc.overthewire.org #wargames.
Enjoy your stay!
ls
readme
cat readme
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
Password to next level: IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
Level Goal
The password for the next level is stored in a file readme in the homedirectory. Unfortunately,
someone has modified .bashrc to log you out when you log in with SSH.
We use
bandit17@bandit:~$ ssh bandit18@localhost -T
We will use the -T parameter to disable the pseudo -tty allocation.
We get a shell and we will ls and cat to find the password
For more information regarding individual wargames, visit
http://www.overthewire.org/wargames/
For support, questions or comments, contact us through IRC on
irc.overthewire.org #wargames.
Enjoy your stay!
ls
readme
cat readme
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
Password to next level: IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
Level 19 -> Level 20
Level Goal
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute
it without arguments to find out how to use it. The password for this level can be found in the
usual place (/etc/bandit_pass), after you have used the setuid binary.
setuid and setgid (short for "set user ID" and "set group ID") are Unix access rights flags that
allow users to run an executable with the permissions of the executable's owner or group
respectively and to change behaviour in directories. They are often used to allow users on a
computer system to run programs with temporarily elevated privileges in order to perform a
specific task. While the assumed user id or group id privileges provided are not always elevated,
at a minimum they are specific.
17/31
This is basic privilege escalation
bandit19@bandit:~$ ls
bandit20-do
bandit19@bandit:~$ ls -la
total 28
drwxr-xr-x 2 root root 4096 May 7 20:14 .
drwxr-xr-x 41 root root 4096 May 7 20:14 ..
-rwsr-x--- 1 bandit20 bandit19 7296 May 7 20:14 bandit20-do
We see that we can execute it as bandit20
bandit19@bandit:~$ ./bandit20-do
Run a command as another user.
Example: ./bandit20-do id
bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password to next level: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Level Goal
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute
it without arguments to find out how to use it. The password for this level can be found in the
usual place (/etc/bandit_pass), after you have used the setuid binary.
setuid and setgid (short for "set user ID" and "set group ID") are Unix access rights flags that
allow users to run an executable with the permissions of the executable's owner or group
respectively and to change behaviour in directories. They are often used to allow users on a
computer system to run programs with temporarily elevated privileges in order to perform a
specific task. While the assumed user id or group id privileges provided are not always elevated,
at a minimum they are specific.
17/31
This is basic privilege escalation
bandit19@bandit:~$ ls
bandit20-do
bandit19@bandit:~$ ls -la
total 28
drwxr-xr-x 2 root root 4096 May 7 20:14 .
drwxr-xr-x 41 root root 4096 May 7 20:14 ..
-rwsr-x--- 1 bandit20 bandit19 7296 May 7 20:14 bandit20-do
We see that we can execute it as bandit20
bandit19@bandit:~$ ./bandit20-do
Run a command as another user.
Example: ./bandit20-do id
bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password to next level: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Level 20 -> Level 21
Level Goal
There is a setuid binary in the homedirectory that does the following: it makes a connection to
localhost on the port you specify as a commandline argument. It then reads a line of text from
the connection and compares it to the password in the previous level (bandit20). If the
password is correct, it will transmit the password for the next level (bandit21).
NOTE: Try connecting to your own network daemon to see if it works as you think
bandit20@bandit:~$ ls -la
-rwsr-x--- 1 bandit21 bandit20 12088 May 7 20:14 suconnect
bandit20@bandit:~$ ./suconnect
Usage: ./suconnect <portnumber>
This program will connect to the given port on localhost using TCP. If it receives the correct
password from the other side, the next password is transmitted back.
In another tab set up a nc listen
#nc -lvp 1234
and on this tab
#./suconnect 1234
18/31
The password to the next level: gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
Level Goal
There is a setuid binary in the homedirectory that does the following: it makes a connection to
localhost on the port you specify as a commandline argument. It then reads a line of text from
the connection and compares it to the password in the previous level (bandit20). If the
password is correct, it will transmit the password for the next level (bandit21).
NOTE: Try connecting to your own network daemon to see if it works as you think
bandit20@bandit:~$ ls -la
-rwsr-x--- 1 bandit21 bandit20 12088 May 7 20:14 suconnect
bandit20@bandit:~$ ./suconnect
Usage: ./suconnect <portnumber>
This program will connect to the given port on localhost using TCP. If it receives the correct
password from the other side, the next password is transmitted back.
In another tab set up a nc listen
#nc -lvp 1234
and on this tab
#./suconnect 1234
18/31
The password to the next level: gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
Level 21 -> Level 22
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler.
Look in /etc/cron.d/ for the configuration and see what command is being executed.
Read this: https://opensource.com/article/17/11/how-use-cron-linux
bandit21@bandit:~$ cd /etc/cron.d/
bandit21@bandit:/etc/cron.d$ ls
cronjob_bandit15_root cronjob_bandit22 cronjob_bandit24
cronjob_bandit17_root cronjob_bandit23 cronjob_bandit25_root
bandit21@bandit:/etc/cron.d$ cat cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
bandit21@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
bandit21@bandit:/etc/cron.d$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
The password to the next level: Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
The password to the next level: Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler.
Look in /etc/cron.d/ for the configuration and see what command is being executed.
Read this: https://opensource.com/article/17/11/how-use-cron-linux
bandit21@bandit:~$ cd /etc/cron.d/
bandit21@bandit:/etc/cron.d$ ls
cronjob_bandit15_root cronjob_bandit22 cronjob_bandit24
cronjob_bandit17_root cronjob_bandit23 cronjob_bandit25_root
bandit21@bandit:/etc/cron.d$ cat cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
bandit21@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
bandit21@bandit:/etc/cron.d$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
The password to the next level: Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
The password to the next level: Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
Level 22 -> Level 23
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler.
Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this
level is intentionally made easy to read. If you are having problems understanding what it does,
try executing it to see the debug information it prints.
19/31
bandit22@bandit:/etc/cron.d$ ls
cronjob_bandit15_root cronjob_bandit22 cronjob_bandit24
cronjob_bandit17_root cronjob_bandit23 cronjob_bandit25_root
bandit22@bandit:/etc/cron.d$ cat cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
bandit22@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget
bandit22@bandit:/etc/cron.d$ echo I am user bandit23 | md5sum | cut -d ' ' -f1
8ca319486bfbbc3663ea0fbe81326349
bandit22@bandit:/etc/cron.d$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
Password to next level: jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler.
Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this
level is intentionally made easy to read. If you are having problems understanding what it does,
try executing it to see the debug information it prints.
19/31
bandit22@bandit:/etc/cron.d$ ls
cronjob_bandit15_root cronjob_bandit22 cronjob_bandit24
cronjob_bandit17_root cronjob_bandit23 cronjob_bandit25_root
bandit22@bandit:/etc/cron.d$ cat cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
bandit22@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget
bandit22@bandit:/etc/cron.d$ echo I am user bandit23 | md5sum | cut -d ' ' -f1
8ca319486bfbbc3663ea0fbe81326349
bandit22@bandit:/etc/cron.d$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
Password to next level: jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
Level 23 -> Level 24
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler.
Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and
you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to
keep a copy around…
bandit23@bandit:~$ cd /etc/cron.d/
bandit23@bandit:/etc/cron.d$ ls
20/31
cronjob_bandit15_root cronjob_bandit22 cronjob_bandit24
cronjob_bandit17_root cronjob_bandit23 cronjob_bandit25_root
bandit23@bandit:/etc/cron.d$ cat cronjob_bandit24
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
bandit23@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash
myname=$(whoami)
cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
if [ "$i" != "." -a "$i" != ".." ];
then
echo "Handling $i"
owner="$(stat --format "%U" ./$i)"
if [ "${owner}" = "bandit23" ]; then
timeout -s 9 60 ./$i
fi
rm -f ./$i
fi
done
We have to create our own script to copy the contents of the /bandit_pass/bandit24 file
we have to also run the script from the /var/spool/bandit24 folder
Create a temp file
bandit23@bandit:/etc/cron.d$ cd /tmp/
bandit23@bandit:/tmp$ mkdir azid
bandit23@bandit:/tmp$ cd azid
bandit23@bandit:/tmp/azid$ nano myScript.sh
Script:
!/bin/bash
cat /etc/bandit_pass/bandit24 >> /tmp/azid/pw24
Change permissions and make it executable:
bandit23@bandit:/tmp/azid$ chmod 777 myScript.sh
bandit23@bandit:/tmp/azid$ chmod 777 /tmp/azid
Now copy it to /var/spool/bandit24/
21/31
bandit23@bandit:/tmp/azid$ cp myScript.sh /var/spool/bandit24
bandit23@bandit:/tmp/azid$ chmod 777 /tmp/azid
bandit23@bandit:/tmp/azid$ ls
myScript.sh pw24
bandit23@bandit:/tmp/azid$ cat pw24
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
The password to the next level: UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler.
Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and
you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to
keep a copy around…
bandit23@bandit:~$ cd /etc/cron.d/
bandit23@bandit:/etc/cron.d$ ls
20/31
cronjob_bandit15_root cronjob_bandit22 cronjob_bandit24
cronjob_bandit17_root cronjob_bandit23 cronjob_bandit25_root
bandit23@bandit:/etc/cron.d$ cat cronjob_bandit24
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
bandit23@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash
myname=$(whoami)
cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
if [ "$i" != "." -a "$i" != ".." ];
then
echo "Handling $i"
owner="$(stat --format "%U" ./$i)"
if [ "${owner}" = "bandit23" ]; then
timeout -s 9 60 ./$i
fi
rm -f ./$i
fi
done
We have to create our own script to copy the contents of the /bandit_pass/bandit24 file
we have to also run the script from the /var/spool/bandit24 folder
Create a temp file
bandit23@bandit:/etc/cron.d$ cd /tmp/
bandit23@bandit:/tmp$ mkdir azid
bandit23@bandit:/tmp$ cd azid
bandit23@bandit:/tmp/azid$ nano myScript.sh
Script:
!/bin/bash
cat /etc/bandit_pass/bandit24 >> /tmp/azid/pw24
Change permissions and make it executable:
bandit23@bandit:/tmp/azid$ chmod 777 myScript.sh
bandit23@bandit:/tmp/azid$ chmod 777 /tmp/azid
Now copy it to /var/spool/bandit24/
21/31
bandit23@bandit:/tmp/azid$ cp myScript.sh /var/spool/bandit24
bandit23@bandit:/tmp/azid$ chmod 777 /tmp/azid
bandit23@bandit:/tmp/azid$ ls
myScript.sh pw24
bandit23@bandit:/tmp/azid$ cat pw24
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
The password to the next level: UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
Level 24 -> Level 25
Bandit Level 24 → Level 25
Level Goal
A daemon is listening on port 30002 and will give you the password for bandit25 if given the
password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the
pincode except by going through all of the 10000 combinations, called brute-forcing.
bandit24@bandit:~$ mkdir /tmp/azid
bandit24@bandit:~$ cd /tmp/azid
bandit24@bandit:/tmp/azid$ nano script.sh
Unable to create directory /home/bandit24/.nano: Permission denied
It is required for saving/loading search history or cursor positions.
Press Enter to continue
bandit24@bandit:/tmp/azid$ cat script.sh
#!/bin/bash
for i in {0..9}
do
for j in {0..9}
do
for k in {0..9}
do
for n in {0..9}
do
echo $(cat /etc/bandit_pass/bandit24) $i$j$k$n >> result
done
done
done
bandit24@bandit:/tmp/azid$ chmod 777 script.sh
bandit24@bandit:/tmp/azid$ ./script.sh
22/31
bandit24@bandit:/tmp/azid$ sort -u result
Correct!
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
Password for next level: uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
Bandit Level 24 → Level 25
Level Goal
A daemon is listening on port 30002 and will give you the password for bandit25 if given the
password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the
pincode except by going through all of the 10000 combinations, called brute-forcing.
bandit24@bandit:~$ mkdir /tmp/azid
bandit24@bandit:~$ cd /tmp/azid
bandit24@bandit:/tmp/azid$ nano script.sh
Unable to create directory /home/bandit24/.nano: Permission denied
It is required for saving/loading search history or cursor positions.
Press Enter to continue
bandit24@bandit:/tmp/azid$ cat script.sh
#!/bin/bash
for i in {0..9}
do
for j in {0..9}
do
for k in {0..9}
do
for n in {0..9}
do
echo $(cat /etc/bandit_pass/bandit24) $i$j$k$n >> result
done
done
done
bandit24@bandit:/tmp/azid$ chmod 777 script.sh
bandit24@bandit:/tmp/azid$ ./script.sh
22/31
bandit24@bandit:/tmp/azid$ sort -u result
Correct!
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
Password for next level: uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
Comments
Post a Comment