Overthewire – Bandit 10 -> Bandit 15 (Part 3)

# Information:

CTF Name: Overthewire

CTF Challenge: Bandit

Challenge Category: Linux

Challenge Points: Easy – for absolute beginners

# Used Tools:

  • SSH (to access the challenge)
  • Linux Terminal (that is what we have)

# Challenges:

Bandit 10 -> Bandit 11

Main URL: Bandit 10 -> Bandit 11

The password for the next level is stored in the file data.txt, which contains base64 encoded data

# Writeup

Step 1

The first step is the ssh access which is the same in every step, unless we need to use private key access, but if that is the case I will explain. Because of this fact, if you need to see how to perform the first step check out my latest posts here and here.

Step 2

In this one we have yet again the data.txt file. Inside it we can see a base64 string. We know it is base64 because it ends with two equal signs (which is common for base 64 encoding).

To decode it and get the flag, we can cat the contents of the file and piped them into the command base64 –decode, as such:

 bandit10@bandit:$ cat data.txt | base64 --decode

And we get the flag:

Show flag
IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

Bandit 11 -> Bandit 12

Main URL: Bandit 11 -> Bandit 12

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions.

# Writeup

In this one we have yet again the data.txt file. Inside it we can see a weird string. We know it is rotated by 13 positions. This is a form of “encryption” known as ROT13.

After googling for a while I found the regex combination that allows me to reverse this. The final command I used was:

bandit11@bandit:~$ cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'

And we get the flag:

Show flag
5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

Bandit 12 -> Bandit 13

Main URL: Bandit 12 -> Bandit 13

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!).

# Writeup

This was a different challenge. First time I worked with compressed files this way, and with different compressed programs, well a funny way overall.

For starters I did as suggested and created a “working directory” under /tmp by running the command:

bandit12@bandit:~$ mkdir /tmp/working_dir

Then I copied the data.txt file, that is in the home directory, into this new directory I just created by running the command:

bandit12@bandit:~$ cp data.txt /tmp/working_dir

And finally I moved to that file:

bandit12@bandit:~$ cd /tmp/working_dir

Now we have everything to start cracking!
First we have to get the file from the hexdump, we know from the description that data.txt is the hexdump of a file… To get the file we can run the command:

bandit12@bandit:/tmp/working_dir$ xxd -r data.txt data

The -r flag reverses the hexdump and restores the file.

Now we have a file called data. We need to figure out the correct compression used, to do so, we simply have to run the command:

bandit12@bandit:/tmp/working_dir$ file data
data: gzip compressed data, was "data2.bin", last modified: Thu May  7 18:14:30 2020, max compression, from Unix

Apparently this file was originally gzip. To be able to extract its contents we have to first rename it and then extract, see the full command below:

bandit12@bandit:/tmp/working_dir$ mv data data.gz && gzip -dk data.gz && ls
data  data.gz  data.txt

We have a new data file!! Let’s see the file type of this one:

bandit12@bandit:/tmp/working_dir$ file data
data: bzip2 compressed data, block size = 900k

So this time is bzip2, after searching online I discovered that the extension is bz2. The process is the same as for gzip, first rename the file, then open it, as such:

bandit12@bandit:/tmp/working_dir$ mv data data.bz2 && bzip2 -dk data.bz2 && ls
data  data.bz2  data.gz  data.txt

A new data file. This process goes on for a few more times, and finally we get to this:

bandit12@bandit:/tmp/working_dir$ mv data8.bin data.gz && gzip -dk data.gz && ls
data  data.bz2  data.gz  data.tar.gz  data.txt

Another data file, but this time, when I ran the file data the output was not a compressed file, instead:

bandit12@bandit:/tmp/working_dir$ mfile data
data: ASCII text

A text file!! Could this be the flag? After perform the cat command on the file I got the flag:

Show flag
8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

Bandit 13 -> Bandit 14

Main URL: Bandit 13 -> Bandit 14

The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on.

# Writeup

Ok this is a interesting one. It looks like it is different from the rest. No password, instead a private SSH key? In the home directory after listing the contents I found a file: shkey.private

I decided to cat its contents and I saw a private key. This is what we need to access the next level!!

I copied its contents to a file on my machine. Well to make sure this is correct and that this is the way to access the next level I had to try. To do so I searched online for a while.

I searched for “How to access ssh with private key” and I found a few links with useful information. And in the end I decided to try this set of commands:

First I need to give full writing and reading permissions to the file where I stored the private key, as such:

 mregra on Cyber:~$ chmod 600 sshkey.private

Now we can run the ssh command:

 mregra on Cyber:~$ ssh -i sshkey.private [email protected] -p 2220

Note: You need to be in the folder where sshkey.private is stored, otherwise you may need to provide the full path.

And with this we got access to the next level!!

I decided to get the flag anyway, which is in /etc/bandit_pass/bandit14. This flag might be important for the next level.

And with this we got access to the next level!!

And we get the flag:

Show flag
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

Bandit 14 -> Bandit 15

Main URL: Bandit 14 -> Bandit 15

The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

# Writeup

Step 1

The access to this level can be done in 2 different ways. Or the same way we always did in the challenges before, on with the private key that we got on the previous challenge. See the process for both in the challenges before.

Step 2

To discover the protocol running on that port and which other port was open I ran the command:

bandit14@bandit:~$ nmap 127.0.0.1
Starting Nmap 7.40 ( https://nmap.org ) at 2021-08-13 09:09 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00034s latency).
Not shown: 998 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
30000/tcp open  ndmps

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

Ok so we have a port running the service ndmps over tcp. I decided to try to use netcat to get the flag, as such:

bandit14@bandit:~$ nc localhost 30000

After this I simply clicked enter and got this error:

Wrong! Please enter the correct current password

Ok now we know we have to insert the password for this level, that according to the previous one is on the file /etc/bandit_pass/bandit14. I tried again and got the flag:

bandit14@bandit:~$ nc localhost 30000
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e       <- This is the flag for the current level
Correct!
********************************

And we get the flag:

Show flag
BfMYroe26WYalil77FoDi9qh59eK5xNr

Thank you very much for reading!

Cheers,

MRegra


Share this post:

Popular posts

One Reply to “Overthewire – Bandit 10 -> Bandit 15 (Part 3)”

Leave a Reply

Your email address will not be published. Required fields are marked *