Overthewire – Bandit 15 -> Bandit 20 (Part 4)

# Information:

CTF Name: Overthewire

CTF Challenge: Bandit

Challenge Category: Linux

Challenge Points: Easy – for absolute beginners

# Used Tools:

  • SSH (to access the challenge)
  • Linux Terminal (that is what we have)

# Challenges:

Bandit 15 -> Bandit 16

Main URL: Bandit 15 -> Bandit 16

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…

# Writeup

Ok, this was an interesting one. I found out that we have to connect using SSL encryption. After some searching I found that nmap ships with a companion tool, ncat, which lets us specify ssl as the encryption protocol along with the host and the port, as such:

bandit15@bandit:~$ ncat --ssl 127.0.0.1 30001

Afterwards I simply inserted the level’s password and got the following:

bandit15@bandit:~$ ncat --ssl 127.0.0.1 30001
BfMYroe26WYalil77FoDi9qh59eK5xNr
Correct!
********************************

And we get the flag:

cluFn7wTiGryunymYOu4RcffSxQluehd

Bandit 16 -> Bandit 17

Main URL: Bandit 16 -> Bandit 17

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

# Writeup

Ok, this was also an interesting one. The first thing I did was find all open ports between 31000 and 32000; to do so I used nmap as such:

bandit16@bandit:~$ nmap -p 31000-32000 127.0.0.1

Starting Nmap 7.40 ( https://nmap.org ) at 2021-08-18 11:43 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00022s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
31046/tcp open  unknown
31518/tcp open  unknown
31691/tcp open  unknown
31790/tcp open  unknown
31960/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds

It seems that ports 31046, 31518, 31691, 31790 and 31960 are open; now I needed to know which of those speak SSL. To find out, I used the openssl command on each port:

bandit16@bandit:~$ openssl s_client -connect 127.0.0.1:port         <- Use each port to test.

One example of the command, for port 31518: the top of its output shows the server certificate and handshake details, and at the bottom I was able to type input. In this particular case all that happened was that whatever I sent was printed back to me, nothing interesting for this one.

I tried all the ports and was able to get a private key from port 31790.
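To automate the port check described above, here is an added example (not the writeup's own commands): it loops over the ports nmap found, tests each for a TLS handshake, sends the bandit16 password and classifies the reply. It assumes localhost, the openssl and timeout tools on the bandit box, and is run as `bash probe.sh --scan <bandit16 password>`.

```shell
#!/usr/bin/env bash
# Added example, not from the writeup: automate the Bandit 16 port check.
# Assumes the ports found by nmap above, localhost, and openssl/timeout.
set -u

HOST=127.0.0.1
PORTS="31046 31518 31691 31790 31960"        # open ports from the nmap scan

# Does PORT complete a TLS handshake? (s_client prints the server cert on success)
speaks_ssl() {
    timeout 5 openssl s_client -connect "$HOST:$1" </dev/null 2>/dev/null \
        | grep -q 'BEGIN CERTIFICATE'
}

# Send one line over TLS and print whatever the server answers.
# -ign_eof keeps the connection open after stdin closes (see the level hint).
send_over_ssl() {
    printf '%s\n' "$2" \
        | timeout 5 openssl s_client -connect "$HOST:$1" -quiet -ign_eof 2>/dev/null
}

# Classify a reply relative to what we sent: the echo servers parrot the
# input back, the real one answers "Correct!" followed by an SSH private key.
classify_reply() {
    local sent=$1 reply=$2
    if printf '%s' "$reply" | grep -q 'PRIVATE KEY'; then
        echo key
    elif [ "$(printf '%s' "$reply" | head -n1)" = "$sent" ]; then
        echo echo
    else
        echo other
    fi
}

scan_all() {
    local pw=$1 port
    for port in $PORTS; do
        if speaks_ssl "$port"; then
            echo "$port: ssl, reply=$(classify_reply "$pw" "$(send_over_ssl "$port" "$pw")")"
        else
            echo "$port: no ssl"
        fi
    done
}

# Run the scan only when asked: bash probe.sh --scan <bandit16 password>
if [ "${1:-}" = "--scan" ]; then
    scan_all "${2:?usage: --scan <bandit16 password>}"
fi
```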

The flag for this level is an SSH private key.

Once you are logged into the machine as bandit17 you can read the flag from /etc/bandit_pass/bandit17.

And we get the flag:

xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn

Bandit 17 -> Bandit 18

Main URL: Bandit 17 -> Bandit 18

There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new.

NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19

# Writeup

To access the machine I had to use an SSH private key, so I used the method described in challenge bandit 13 -> bandit 14.

Moving on…

This challenge turned out to be quite simple.

What I did was simply run the diff command as such:

bandit16@bandit:~$ diff passwords.old passwords.new
42c42
< w0Yfolrc5bwjS4qw5mq1nnQi6mF03bii
---
> kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd

And we get the flag:

kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd

Bandit 18 -> Bandit 19

Main URL: Bandit 18 -> Bandit 19

The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

# Writeup

As in most of the previous challenges we log in with the same command:

 mregra on Cyber:~$ ssh bandit18@bandit.labs.overthewire.org -p 2220

After entering the flag from the previous challenge as the password we are in… Oh wait! No, we got the following message:

 Byebye !
 Connection to bandit.labs.overthewire.org closed.

Let’s analyze the challenge description; it might help. In this one we have the following description:

"The password for the next level is stored in a file readme in the homedirectory. 
Unfortunately, someone has modified .bashrc to log you out when you log in with SSH."

Ok, so we now know that we will automatically get logged out, but after some online searching I found out that it is possible to run a command through ssh instead of starting an interactive login shell. Knowing this I decided to give it a try. First I tried the following:

 mregra on Cyber:~$ ssh bandit18@bandit.labs.overthewire.org -p 2220 ls
 This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

 bandit18@bandit.labs.overthewire.org's password:
 readme
 mregra on Cyber:~$

We have a file readme in the home directory. According to the description, the flag is inside, so we can try to cat its contents. I simply ran the command:

 mregra on Cyber:~$ ssh bandit18@bandit.labs.overthewire.org -p 2220 cat readme
 This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

 bandit18@bandit.labs.overthewire.org's password:
 *******************************
 mregra on Cyber:~$

And we get the flag:

IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

Bandit 19 -> Bandit 20

Main URL: Bandit 19 -> Bandit 20

To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

# Writeup

When I accessed the machine I ran ls to check the contents of the home directory; the only thing inside was an executable file named bandit20-do.

I ran the executable without arguments to check what it did: it simply runs any bash command you pass to it. I then checked the file’s owner and group.

The file is owned by bandit20, belongs to the group bandit19 and has the setuid bit set, which permits us to run the executable as bandit20!!!

We know from previous challenges that the passwords of all levels are under /etc/bandit_pass/ and that each user can only read its own password. However, in this case we have an executable that allows us to “impersonate” user bandit20 and read its password!!

To read the password for bandit20, what I did was simply cat the contents of /etc/bandit_pass/bandit20 through the executable, as such:

bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
********************************
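The ownership and setuid check done by hand above, as an added example (not the writeup's own commands): decode the mode bits that make bandit20-do run as its owner, and list every setuid file under a directory so an administrator can spot binaries that hand out another account's identity. It assumes GNU stat and find (Linux).

```shell
#!/usr/bin/env bash
# Added example, not from the writeup: report who a setuid binary runs as.
# Assumes GNU coreutils (stat -c) as found on the bandit box.
set -u

# Octal mode, owner and group of FILE, e.g. "4750 bandit20 bandit19".
mode_owner_group() {
    stat -c '%a %U %G' "$1"
}

# Is the setuid bit (04000) set on FILE?  Echoes yes/no.
is_setuid() {
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null)
    # GNU stat prints a 4th leading digit only when a special bit is set:
    # setuid=4, setgid=2, sticky=1, so test bit 4 of that digit.
    if [ ${#mode} -eq 4 ] && [ $(( ${mode:0:1} & 4 )) -ne 0 ]; then
        echo yes
    else
        echo no
    fi
}

# Effective user a process gets when executing FILE: the owner when setuid
# (this is what lets bandit19 read bandit20's password), else "caller".
runs_as() {
    if [ "$(is_setuid "$1")" = yes ]; then
        stat -c '%U' "$1"
    else
        echo caller
    fi
}

# Audit helper: every setuid regular file under DIR with mode, owner, group.
audit_setuid() {
    find "$1" -xdev -type f -perm -4000 -exec stat -c '%a %U %G %n' {} + 2>/dev/null
}

if [ $# -gt 0 ]; then
    echo "$(mode_owner_group "$1") -> runs as: $(runs_as "$1")"
fi
```

Run as `bash suidcheck.sh ./bandit20-do` for one file, or call `audit_setuid /` from a shell that has sourced the script to review a whole system.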

And we get the flag:

GbKksEFF4yrVs6il55v6gwY5aVje5f0j

Thank you very much for reading!

Cheers,

MRegra
