Overthewire – Bandit 10 -> Bandit 15 (Part 3)
# Information:
CTF Name: Overthewire
CTF Challenge: Bandit
Challenge Category: Linux
Challenge Points: Easy – for absolute beginners
# Used Tools:
- SSH (to access the challenge)
- Linux Terminal (that is what we have)
# Challenges:
Bandit 10 -> Bandit 11
Main URL: Bandit 10 -> Bandit 11
The password for the next level is stored in the file data.txt, which contains base64 encoded data
# Writeup
Step 1
The first step is the SSH login, which is the same in every level unless a level uses private-key access; when that is the case I will explain it. Because of this, if you need to see how to perform the first step, check out my latest posts here and here.
Step 2
In this one we have yet again the data.txt file. Inside it we can see a base64-looking string. The two trailing equal signs are base64 padding, which is a strong hint but not proof: padding only appears when the encoded data is not a multiple of three bytes long, so a base64 string can just as well end without any = at all. What confirms it is that the string decodes cleanly.
To decode it and get the flag, we can cat the contents of the file and pipe them into base64 --decode, as such:
bandit10@bandit:~$ cat data.txt | base64 --decode
And we get the flag:
Bandit 11 -> Bandit 12
Main URL: Bandit 11 -> Bandit 12
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions.
# Writeup
In this one we have yet again the data.txt file. Inside it we can see a scrambled string. We know it is rotated by 13 positions. This is a form of “encryption” known as ROT13: a Caesar shift by 13, which is its own inverse, because applying it twice shifts by 26 letters, i.e. back to where you started.
After googling for a while I found the tr character mapping that reverses it. tr replaces each character found in the first set with the character at the same position in the second set, so A-Z is mapped onto N-ZA-M and a-z onto n-za-m, and any other character (digits, punctuation) passes through untouched. The final command I used was:
bandit11@bandit:~$ cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'
And we get the flag:
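Both decoders above, as an added Python example that is not part of the original writeup: decode_base64_strict does what base64 --decode does but refuses any character outside the base64 alphabet (the default decoder silently drops such characters), and rot generalises the tr mapping to any shift, which also shows why ROT13 undoes itself. The sample strings in it are constructed for the example, not the level's data.

```python
"""Decode the two text encodings from Bandit 10 and 11 without trusting the padding hint."""
import base64
import binascii
import string


def decode_base64_strict(text: str) -> bytes:
    """Like `base64 --decode`, but reject anything outside the base64 alphabet.

    Trailing '=' is only padding; it is absent when the input length is a
    multiple of three bytes. validate=True makes the decoder refuse stray
    characters that the default mode would silently discard.
    """
    cleaned = "".join(text.split())  # tolerate a trailing newline or wrapped lines
    if len(cleaned) % 4:
        raise ValueError("base64 length must be a multiple of 4 after padding")
    try:
        return base64.b64decode(cleaned, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from exc


def rot(text: str, n: int = 13) -> str:
    """Rotate letters by n positions; digits and punctuation are left alone.

    With n == 13 this is exactly `tr 'A-Za-z' 'N-ZA-Mn-za-m'`, and because
    13 + 13 == 26 the same call also undoes it.
    """
    n %= 26
    upper, lower = string.ascii_uppercase, string.ascii_lowercase
    table = str.maketrans(upper + lower, upper[n:] + upper[:n] + lower[n:] + lower[:n])
    return text.translate(table)


if __name__ == "__main__":
    # Constructed sample inputs, not the level's real data.
    print(decode_base64_strict("VGhpcyBpcyBub3QgdGhlIHJlYWwgZmxhZw==\n").decode())
    print(rot("Guvf vf abg gur erny synt"))
```

The length check runs before decoding because b64decode pads silently in some versions; rejecting a bad length early gives a clear error instead of a truncated flag.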
Bandit 12 -> Bandit 13
Main URL: Bandit 12 -> Bandit 13
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!).
# Writeup
This was a different challenge. It was the first time I worked with compressed files this way, and with several different compression programs; a fun one overall.
For starters I did as suggested and created a “working directory” under /tmp by running the command:
bandit12@bandit:~$ mkdir /tmp/working_dir
Then I copied the data.txt file, that is in the home directory, into this new directory I just created by running the command:
bandit12@bandit:~$ cp data.txt /tmp/working_dir
And finally I changed into that directory:
bandit12@bandit:~$ cd /tmp/working_dir
Now we have everything to start cracking!
First we have to get the file back from the hexdump; we know from the description that data.txt is the hexdump of a file. To restore it we can run:
bandit12@bandit:/tmp/working_dir$ xxd -r data.txt data
The -r flag reverses the hexdump and writes the original bytes to the file data. Only the hex column is read back; the ASCII column on the right of each line is ignored.
Now we have a file called data. We need to figure out which compression was used; file identifies a format from the magic bytes at the start of the file rather than from its name, so we simply run:
bandit12@bandit:/tmp/working_dir$ file data
data: gzip compressed data, was "data2.bin", last modified: Thu May 7 18:14:30 2020, max compression, from Unix
So this file is gzip-compressed. gzip -d only operates on files whose suffix it recognises (such as .gz), so we first rename the file and then extract it; -k keeps the compressed input around instead of deleting it. See the full command below:
bandit12@bandit:/tmp/working_dir$ mv data data.gz && gzip -dk data.gz && ls
data data.gz data.txt
We have a new data file!! Let’s see the file type of this one:
bandit12@bandit:/tmp/working_dir$ file data
data: bzip2 compressed data, block size = 900k
So this time it is bzip2, whose conventional extension is .bz2. The process is the same as for gzip: first rename the file, then decompress it, as such:
bandit12@bandit:/tmp/working_dir$ mv data data.bz2 && bzip2 -dk data.bz2 && ls
data data.bz2 data.gz data.txt
Another new data file. This process repeats a few more times (the listing below also shows a data.tar.gz, so tar archives are part of the chain too; those are unpacked with tar -xf rather than decompressed), and finally we get to this:
bandit12@bandit:/tmp/working_dir$ mv data8.bin data.gz && gzip -dk data.gz && ls
data data.bz2 data.gz data.tar.gz data.txt
Another data file, but this time, when I ran file on it, the output was not a compressed format:
bandit12@bandit:/tmp/working_dir$ file data
data: ASCII text
A text file!! Could this be the flag? After running cat on the file I got the flag:
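The whole procedure above, as an added Python example that is not part of the original writeup: xxd_reverse does the job of xxd -r, detect does what file did here by checking the same magic bytes (1f 8b for gzip, BZh for bzip2, ustar at offset 257 for tar), and unpack_all keeps peeling layers until the payload is no longer a container, so no renaming is needed. It assumes that only gzip, bzip2 and single-file tar layers occur, as on this level; wrap_once and nest exist only to build a constructed fixture for trying it out, and the script name in the usage line is my choice.

```python
"""Reverse an xxd hexdump and peel nested gzip/bzip2/tar layers by magic bytes."""
import bz2
import gzip
import io
import re
import tarfile

# Signatures used instead of the `file` command. Assumption: only the three
# container types seen on this level (gzip, bzip2, POSIX tar) occur.
GZIP_MAGIC = b"\x1f\x8b"
BZIP2_MAGIC = b"BZh"
TAR_MAGIC = b"ustar"
TAR_MAGIC_OFFSET = 257

# "<offset>: <hex groups>  <ascii>"; only the hex column is captured. The
# group stops at the double space before the ASCII column.
HEXDUMP_LINE = re.compile(r"^[0-9a-fA-F]+:\s*((?:[0-9a-fA-F]{2}\s?)+)")


def xxd_dump(data: bytes, width: int = 16) -> str:
    """Format bytes the way `xxd` does: offset, 2-byte hex groups, ASCII column."""
    hex_width = width * 2 + width // 2 - 1  # 39 columns for the default width
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        groups = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        ascii_col = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {groups:<{hex_width}}  {ascii_col}")
    return "\n".join(lines) + "\n"


def xxd_reverse(dump: str) -> bytes:
    """Equivalent of `xxd -r` for an unedited, contiguous dump.

    The ASCII column is ignored, so a byte that happens to print as a hex
    digit cannot corrupt the result.
    """
    out = bytearray()
    for line in dump.splitlines():
        match = HEXDUMP_LINE.match(line)
        if match:
            out += bytes.fromhex(match.group(1).replace(" ", ""))
    return bytes(out)


def detect(data: bytes):
    """Return "gzip", "bzip2", "tar" or None from the same magic bytes `file` uses."""
    if data.startswith(GZIP_MAGIC):
        return "gzip"
    if data.startswith(BZIP2_MAGIC):
        return "bzip2"
    if data[TAR_MAGIC_OFFSET:TAR_MAGIC_OFFSET + len(TAR_MAGIC)] == TAR_MAGIC:
        return "tar"
    return None


def peel_once(data: bytes) -> bytes:
    """Remove exactly one container layer; a tar layer must hold a single file."""
    kind = detect(data)
    if kind == "gzip":
        return gzip.decompress(data)
    if kind == "bzip2":
        return bz2.decompress(data)
    if kind == "tar":
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
            files = [m for m in tar.getmembers() if m.isfile()]
            if len(files) != 1:
                raise ValueError(f"expected one file in tar, found {len(files)}")
            return tar.extractfile(files[0]).read()
    raise ValueError("not a gzip, bzip2 or tar container")


def unpack_all(data: bytes, max_layers: int = 32):
    """Peel layers until the payload is no longer a container; returns (layers, payload)."""
    layers = []
    for _ in range(max_layers):  # bounded so a decompression bomb cannot loop forever
        kind = detect(data)
        if kind is None:
            return layers, data
        layers.append(kind)
        data = peel_once(data)
    raise ValueError(f"more than {max_layers} layers; refusing to continue")


def wrap_once(data: bytes, kind: str, name: str = "data.bin") -> bytes:
    """Inverse of peel_once; only used to build a constructed fixture."""
    if kind == "gzip":
        return gzip.compress(data)
    if kind == "bzip2":
        return bz2.compress(data)
    if kind == "tar":
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w") as tar:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        return buf.getvalue()
    raise ValueError(kind)


def nest(payload: bytes, layers) -> bytes:
    """Apply wrap_once for each layer, innermost first."""
    for kind in layers:
        payload = wrap_once(payload, kind)
    return payload


if __name__ == "__main__":
    import sys

    with open(sys.argv[1] if len(sys.argv) > 1 else "data.txt", encoding="ascii") as fh:
        found, text = unpack_all(xxd_reverse(fh.read()))
    print("layers:", " -> ".join(found), "\n" + text.decode(errors="replace"), end="")
```

Usage on the box would be python3 unpack.py data.txt. Detecting by magic bytes instead of file name is also why the manual renaming step disappears: the tools in the writeup needed the suffix, the Python modules do not.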
Bandit 13 -> Bandit 14
Main URL: Bandit 13 -> Bandit 14
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on.
# Writeup
Ok, this is an interesting one. It looks different from the rest: no password, but a private SSH key instead? After listing the contents of the home directory I found a file: sshkey.private
I decided to cat its contents and I saw a private key. This is what we need to access the next level!!
I copied its contents to a file on my machine. To make sure this is correct and that this is the way to access the next level, I had to try it. To do so I searched online for a while.
I searched for “How to access ssh with private key” and I found a few links with useful information. In the end I decided to try this set of commands:
First I need to restrict the key file so that only my own user can read and write it (mode 600): ssh refuses to use a private key that other users can read, printing an “UNPROTECTED PRIVATE KEY FILE” warning and ignoring the key. As such:
mregra on Cyber:~$ chmod 600 sshkey.private
Now we can run the ssh command:
mregra on Cyber:~$ ssh -i sshkey.private bandit14@bandit.labs.overthewire.org -p 2220
Note: You need to be in the folder where sshkey.private is stored, otherwise you may need to provide the full path.
And with this we got access to the next level!!
I decided to get the flag anyway, which is in /etc/bandit_pass/bandit14 and is readable now that we are logged in as bandit14 (cat /etc/bandit_pass/bandit14). This password will be needed for the next level.
And we get the flag:
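The two things that go wrong with a pasted key, as an added Python example that is not part of the original writeup: key_problems reports a file mode that OpenSSH would reject (any group or other permission bits set, which is what chmod 600 clears) and a BEGIN or END line lost while copying. The permission rule is OpenSSH's own; the marker strings and the sample key text used to exercise it are constructed.

```python
"""Check a pasted private key file for the two things that make `ssh -i` fail."""
import os
import stat


def key_problems(mode: int, contents: str):
    """Return the reasons ssh would refuse this key file, or [] if it looks usable.

    OpenSSH ignores an identity file whose group or other permission bits are
    set ("Permissions 0644 for 'sshkey.private' are too open"), hence chmod 600.
    The marker check catches a copy-paste that dropped the first or last line,
    which otherwise fails later with a much less helpful parse error.
    """
    problems = []
    if stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(
            f"mode {stat.S_IMODE(mode):04o} is accessible to group/others; run chmod 600")
    lines = contents.strip().splitlines()
    first = lines[0] if lines else ""
    last = lines[-1] if lines else ""
    if not (first.startswith("-----BEGIN ") and first.endswith(" PRIVATE KEY-----")):
        problems.append("missing '-----BEGIN ... PRIVATE KEY-----' header line")
    if not (last.startswith("-----END ") and last.endswith(" PRIVATE KEY-----")):
        problems.append("missing '-----END ... PRIVATE KEY-----' footer line")
    return problems


def check_key_file(path: str):
    """Stat and read a key file on disk and run key_problems on it."""
    st = os.stat(path)
    with open(path, encoding="ascii", errors="replace") as fh:
        return key_problems(st.st_mode, fh.read())


if __name__ == "__main__":
    import sys

    for issue in check_key_file(sys.argv[1] if len(sys.argv) > 1 else "sshkey.private"):
        print(issue)
```

Mode 400 passes as well as 600: the rule is that group and others get nothing, not that the owner must be able to write.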
Bandit 14 -> Bandit 15
Main URL: Bandit 14 -> Bandit 15
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
# Writeup
Step 1
The access to this level can be done in two different ways: either the same way we always did in the challenges before (with the password), or with the private key that we got on the previous challenge. See the process for both in the challenges before.
Step 2
To discover what is listening on that port, and which other ports are open, I ran the command:
bandit14@bandit:~$ nmap 127.0.0.1
Starting Nmap 7.40 ( https://nmap.org ) at 2021-08-13 09:09 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00034s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
30000/tcp open ndmps
Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds
Ok, so we have port 30000/tcp open, labelled ndmps. That label only comes from nmap's port-to-name table (nmap-services), not from looking at the service: a plain scan like this does no fingerprinting (that needs -sV), so the name tells us nothing about what actually runs there. I decided to use netcat to talk to it and get the flag, as such:
bandit14@bandit:~$ nc localhost 30000
After this I simply pressed Enter, sending an empty line, and got this error:
Wrong! Please enter the correct current password
Ok, now we know we have to send the password for this level, which according to the previous one is in the file /etc/bandit_pass/bandit14. I tried again and got the flag:
bandit14@bandit:~$ nc localhost 30000
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e <- This is the flag (password) for the current level, typed in as input
Correct!
********************************
And we get the flag:
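The exchange with port 30000, as an added Python example that is not part of the original writeup: submit_password does what nc plus typing the password did and parses the reply, and FakeLevelHandler is a constructed stand-in for the level's service that only reproduces the two replies seen above (the real daemon's code is not on the page, and NEXT_PASSWORD is a placeholder, not the real bandit15 password). The bandit14 password is the one shown above.

```python
"""Submit a password to a line-oriented check service such as localhost:30000."""
import socket
import socketserver
import threading

# Constructed stand-in for the level's daemon (its source is not on the page);
# it reproduces the two replies observed with nc. NEXT_PASSWORD is a placeholder.
CURRENT_PASSWORD = "4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e"  # bandit14 password, as in the writeup
NEXT_PASSWORD = "placeholder-not-the-real-bandit15-password"


class FakeLevelHandler(socketserver.StreamRequestHandler):
    def handle(self):
        line = self.rfile.readline().decode(errors="replace").rstrip("\r\n")
        if line == CURRENT_PASSWORD:
            self.wfile.write(b"Correct!\n" + NEXT_PASSWORD.encode() + b"\n")
        else:
            self.wfile.write(b"Wrong! Please enter the correct current password\n")
        # returning closes the connection, which is the EOF the client waits for


def start_fake_server(host: str = "127.0.0.1"):
    """Listen on an ephemeral loopback port in a background thread; returns the server."""
    server = socketserver.ThreadingTCPServer((host, 0), FakeLevelHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def submit_password(host: str, port: int, password: str, timeout: float = 5.0):
    """Do what `nc host port` plus typing the password does, and parse the reply.

    Returns (accepted, next_password, raw_reply). The newline terminates the
    line exactly as pressing Enter in nc does; shutdown(SHUT_WR) then signals
    EOF so a server that reads until EOF does not hang.
    """
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(password.encode() + b"\n")
        sock.shutdown(socket.SHUT_WR)
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass  # server kept the connection open; keep what was read
    lines = b"".join(chunks).decode(errors="replace").splitlines()
    accepted = bool(lines) and lines[0].strip() == "Correct!"
    next_password = lines[1].strip() if accepted and len(lines) > 1 else None
    return accepted, next_password, "\n".join(lines)


if __name__ == "__main__":
    srv = start_fake_server()
    print(submit_password("127.0.0.1", srv.server_address[1], "wrong-guess"))
    print(submit_password("127.0.0.1", srv.server_address[1], CURRENT_PASSWORD))
    srv.shutdown()
```

Against the real level you would call submit_password("localhost", 30000, password) from the bandit14 shell; the fake server is only there so the exchange can be run end to end offline.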
Thank you very much for reading!
Cheers,
MRegra