Overthewire – Bandit 15 -> Bandit 20 (Part 4)
# Information:
CTF Name: Overthewire
CTF Challenge: Bandit
Challenge Category: Linux
Challenge Points: Easy – for absolute beginners
# Used Tools:
- SSH (to access the challenge)
- Linux Terminal (that is what we have)
# Challenges:
Bandit 15 -> Bandit 16
Main URL: Bandit 15 -> Bandit 16
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…
# Writeup
Ok, this was an interesting one. We have to connect using SSL encryption. After some searching I found that the nmap project ships a companion tool, ncat, which lets us wrap the connection in SSL and specify the host and the port, as such:
bandit15@bandit:~$ ncat --ssl 127.0.0.1 30001
Afterwards I simply typed in the level's password and got the following:
bandit15@bandit:~$ ncat --ssl 127.0.0.1 30001
BfMYroe26WYalil77FoDi9qh59eK5xNr
Correct!
********************************
The helpful note above applies if you use openssl s_client instead of ncat: that client closes the connection as soon as its standard input hits end of file, so pass -ign_eof (or type the password interactively) or the reply can be cut short.
And we get the flag:
Bandit 16 -> Bandit 17
Main URL: Bandit 16 -> Bandit 17
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
# Writeup
Ok, this also was an interesting one. What I did first was find all open ports between 31000 and 32000; to do so I used nmap as such:
bandit16@bandit:~$ nmap -p 31000-32000 127.0.0.1
Starting Nmap 7.40 ( https://nmap.org ) at 2021-08-18 11:43 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00022s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
31046/tcp open unknown
31518/tcp open unknown
31691/tcp open unknown
31790/tcp open unknown
31960/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
So ports 31046, 31518, 31691, 31790 and 31960 are open. Next I needed to know which of those speak SSL, so I pointed openssl s_client at each port in turn. A port that does not speak SSL fails the handshake straight away; the ones that do drop you into a session where you can type input.
bandit16@bandit:~$ openssl s_client -connect 127.0.0.1:port
(replace port with each of the open ports in turn)
One example of the command, for port 31518:
The two screenshots are the top and the bottom of the output: the top is the certificate and handshake details, the bottom is where input can be typed. Everything I typed there was simply echoed back to me, so this port is one of the decoys, nothing interesting.
I tried all the ports and got a private key back on port 31790, check out the image:
The flag for this level is an SSH private key rather than a password.
Once you log in as bandit17 with that key, the password itself can be read from /etc/bandit_pass/bandit17.
And we get the flag:
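Levels 15 and 16 both come down to sending the current password over TLS and reading what comes back, so here is an added example, not the writeup's own code, that automates the level 16 probe with openssl s_client; the single-port case of level 15 is the same thing with one port. The port list defaults to the five ports from the nmap output above; the PASSWORD variable, the 3 second timeout and the three reply categories are assumptions of this example, and the key-shaped reply in the classifier is the pattern a practitioner would expect, not output copied from the page.

```shell
#!/bin/sh
# Added example (not from the writeup): probe each open localhost port over
# TLS, send the current password, and classify the reply.
#
# Assumptions: PASSWORD holds the level's password, PORTS is the list to
# probe (defaults to the ports nmap reported above), TIMEOUT is the number
# of seconds to wait for a reply. The echo servers never close the
# connection, so the timeout is what ends each probe.
PORTS=${PORTS:-"31046 31518 31691 31790 31960"}
PASSWORD=${PASSWORD:-changeme}
TIMEOUT=${TIMEOUT:-3}

# classify_reply SENT REPLY -> one of:
#   credentials  the reply carries a PEM private key (the real server)
#   echo         the reply repeats what we sent (a decoy)
#   other        anything else: empty reply, TLS handshake failure, ...
classify_reply() {
    case $2 in
        *"-----BEGIN "*" PRIVATE KEY-----"*) echo credentials ;;
        *"$1"*)                               echo echo ;;
        *)                                    echo other ;;
    esac
}

# probe_port PORT -> the server's reply (empty if the port does not speak TLS).
# -quiet suppresses the certificate dump and implies -ign_eof, so the client
# keeps the connection open after the password has been sent; timeout(1)
# then ends the probe, which is what the decoy servers need.
probe_port() {
    printf '%s\n' "$PASSWORD" |
        timeout "$TIMEOUT" openssl s_client -quiet -connect "127.0.0.1:$1" 2>/dev/null
}

# probe_all -> one "PORT<TAB>category" line per port in PORTS.
probe_all() {
    for port in $PORTS; do
        reply=$(probe_port "$port")
        printf '%s\t%s\n' "$port" "$(classify_reply "$PASSWORD" "$reply")"
    done
}

# Only touch the network when asked, e.g.: PASSWORD='...' PROBE=1 sh probe.sh
if [ "${PROBE:-0}" = 1 ]; then
    probe_all
fi
```

Ports that do not speak TLS come out as "other" because s_client gives up during the handshake and prints nothing on stdout; the decoys come out as "echo"; the one port that answers with a key comes out as "credentials". The key check runs before the echo check so a server that both echoes and sends a key is still reported as the real one.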
Bandit 17 -> Bandit 18
Main URL: Bandit 17 -> Bandit 18
There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new
NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19
# Writeup
To access the machine I had to use an SSH private key, so I used the method described in challenge bandit 13 -> bandit 14.
Moving on…
This challenge turned out to be quite simple.
What I did was simply run the diff command as such:
bandit17@bandit:~$ diff passwords.old passwords.new
42c42
< w0Yfolrc5bwjS4qw5mq1nnQi6mF03bii
---
> kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
diff reports the one change at line 42 of both files: the line marked with < comes from passwords.old and the line marked with > comes from passwords.new, so the second one is the password we want.
And we get the flag:
Bandit 18 -> Bandit 19
Main URL: Bandit 18 -> Bandit 19
The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
# Writeup
As in most of the previous challenges we start with the same command:
mregra on Cyber:~$ ssh bandit18@bandit.labs.overthewire.org -p 2220
After entering the flag from the previous challenge as the password we are in… Oh wait! No, we got the following message:
Byebye !
Connection to bandit.labs.overthewire.org closed.
Let’s analyze the challenge description, it might help. In this one we have the following description:
"The password for the next level is stored in a file readme in the homedirectory.
Unfortunately, someone has modified .bashrc to log you out when you log in with SSH."
Ok, so we now know that we will automatically get logged out. After some online searching I found out that ssh can be given a command to run instead of opening a login shell; such a command is executed by a non-interactive shell, so the interactive login that the modified .bashrc sabotages never starts. Knowing this I decided to give it a try. First I tried the following:
mregra on Cyber:~$ ssh bandit18@bandit.labs.overthewire.org -p 2220 ls
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit18@bandit.labs.overthewire.org's password:
readme
mregra on Cyber:~$
There is a file readme in the home directory. According to the description the flag is inside, so we can cat it the same way. I simply ran the command:
mregra on Cyber:~$ ssh bandit18@bandit.labs.overthewire.org -p 2220 cat readme
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit18@bandit.labs.overthewire.org's password:
*******************************
mregra on Cyber:~$
And we get the flag:
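To see why a command on the ssh line gets past the logout, here is an added example (not from the writeup) that reproduces both cases locally. It assumes the modified .bashrc still starts with the stock Debian preamble that returns when the shell is not interactive, followed by the "Byebye !" and exit lines; the rc file and the readme it creates are constructed for the demo. sshd runs a remote command through a non-interactive shell, and Debian's bash sources .bashrc even then; the BASH_ENV variable is used here as a portable stand-in for that behaviour.

```shell
#!/bin/sh
# Added example (not from the writeup): reproduce locally why
# `ssh bandit18@host cat readme` works while a plain login is thrown out.
# Assumption: the modified .bashrc keeps the stock "return unless
# interactive" preamble in front of the logout lines. Everything below is
# constructed; nothing is read from a real Bandit host.
workdir=$(mktemp -d)

cat > "$workdir/bashrc" <<'EOF'
# stock Debian preamble: a non-interactive shell stops sourcing here
case $- in
    *i*) ;;
    *) return ;;
esac
# the sabotage: only an interactive shell gets this far
echo "Byebye !"
exit 0
EOF
echo "flag-placeholder" > "$workdir/readme"   # stand-in for ~/readme

# interactive_login -> what a plain `ssh bandit18@host` gets: bash is
# interactive, sources the rc file, prints the farewell and exits before
# the shell ever reaches our command (stderr hides the no-tty warnings).
interactive_login() {
    bash --rcfile "$workdir/bashrc" -i -c "cat '$workdir/readme'" 2>/dev/null
}

# remote_command -> what `ssh bandit18@host cat readme` gets: sshd starts a
# non-interactive shell. Debian's bash still sources .bashrc for commands
# run over ssh; BASH_ENV makes any bash source a file the same way, so it
# stands in for that here. The preamble returns first, so the command runs.
remote_command() {
    BASH_ENV="$workdir/bashrc" bash -c "cat '$workdir/readme'"
}

cleanup() { rm -rf "$workdir"; }

# Usage: DEMO=1 sh bashrc-demo.sh  (expect "Byebye !", then the readme line)
if [ "${DEMO:-0}" = 1 ]; then
    interactive_login
    remote_command
    cleanup
fi
```

The same reasoning explains the other common escape for this level: if the command you pass is itself a shell, you get a usable session even though a normal login is killed, because the logout lines sit behind the interactive check.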
Bandit 19 -> Bandit 20
Main URL: Bandit 19 -> Bandit 20
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.
# Writeup
When I accessed the machine I ran ls to check the contents of the home directory, and inside there was simply an executable named bandit20-do.
I ran the executable to check what it did, see image:
As you can see, this binary runs whatever command you pass to it. Next I checked the file's owner, group and permission bits.
So the file is owned by bandit20 with the setuid bit set, and it belongs to the group bandit19, which has execute permission on it. That combination permits us, as bandit19, to run the executable as bandit20!!!
We know from previous challenges that the passwords of all levels are stored under /etc/bandit_pass/ and that each user can read only their own. In this case, however, we have an executable that lets us “impersonate” bandit20 and read that user's password!!
To read the password for bandit20, all I did was cat /etc/bandit_pass/bandit20 through the executable, as such:
bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
********************************
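Before running a setuid helper it is worth confirming exactly what the permission bits say, since the owner alone tells you nothing without the setuid bit. The following is an added example, not the writeup's code: a function that reports a file's owner, group and symbolic mode and whether its setuid bit is set, and one that lists setuid files under a directory, the usual first pass when hunting for escalation paths. It uses GNU stat and find as found on Linux; the demo file it creates is constructed, and the mode 4750 (-rwsr-x---) used for it is this example's assumption about what bandit20-do looks like, not a value taken from the page.

```shell
#!/bin/sh
# Added example (not from the writeup): inspect a file's ownership and
# special bits before trusting it, and enumerate setuid files under a tree.
# Uses GNU stat(1) and find(1) as found on Linux.

# setuid_info FILE -> "OWNER GROUP MODE setuid|nosetuid"
# An 's' (or 'S' when owner-execute is off) in the fourth column of the
# symbolic mode, e.g. -rwsr-x---, means the setuid bit is set: whoever may
# execute the file runs it with the owner's effective uid.
setuid_info() {
    perms=$(stat -c '%A' "$1")
    owner=$(stat -c '%U' "$1")
    group=$(stat -c '%G' "$1")
    case $perms in
        ???[sS]*) flag=setuid ;;
        *)        flag=nosetuid ;;
    esac
    echo "$owner $group $perms $flag"
}

# list_setuid DIR -> every regular file under DIR with the setuid bit set.
# -perm -4000 tests that bit on its own, whatever the other mode bits are;
# -xdev keeps the search on one filesystem.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# Constructed demo: any user may set the setuid bit on a file they own, and
# the kernel ignores that bit on interpreted scripts, so this is harmless.
# Mode 4750 (-rwsr-x---) is assumed to be what bandit20-do carries.
demo() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho hello from the helper\n' > "$d/helper"
    chmod 4750 "$d/helper"
    setuid_info "$d/helper"
    list_setuid "$d"
    rm -rf "$d"
}

# Usage: DEMO=1 sh setuid-check.sh
if [ "${DEMO:-0}" = 1 ]; then
    demo
fi
```

Read the output of setuid_info the way the level intends: the owner is who you become, the group column plus the group-execute bit decide whether your current user may run it at all, and the setuid flag is what makes the two differ.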
And we get the flag:
Thank you very much for reading!
Cheers,
MRegra