Skip to content

Instantly share code, notes, and snippets.

@aklap

aklap/solutions.md

Last active January 16, 2017 08:36
Show Gist options
  • Save aklap/25144e83c7c18457e9eb29d733500d85 to your computer and use it in GitHub Desktop.
Save aklap/25144e83c7c18457e9eb29d733500d85 to your computer and use it in GitHub Desktop.
Download ZIP
bandit@overthewire
Raw
solutions.md

Bandit at overthewire.org

Levels 0-26. As of 5/24/16 there is no level 27.

Level 0

Login into remote server using ssh

Commandss:

ssh username@host 

The password is bandit0.

*SSH stands for "secure shell," an encrypted network protocol that allows a user to login to a remote network securely over an unsecured network.

Level 1

Find the password in the readme, use it to ssh into the next level

Commands:

View all the files. Note: In general, I use ls -la to see everything including hidden dotfiles. In this case it's not needed.

ls 

cat readme

Output the content of the readme file to stdout. Since it's just the password we can get away with using cat , otherwise if it was a lot of text we can use less or more .

*Learning to list all files in a directory, and output a file to stdout. Cat stands for concatenate files and print to stdout.

You can ssh into the next level by using ssh username@localhost

Level 2

Find the password in a file called "-"

Commands:

First  ls  to see all the files. "-" is the only one. You cannot do  cat - ; - is a special character used to mean stdin/stdout. When used with cat, bash doesn't recognize a filename but sees it as stdin. Go ahead, try to  cat -  to better understand the shell is waiting for your input.

The solutions is to prefix with  ./  meaning lookin in this level of the directory for file called -

cat ./-

*Note: you don't need to use all the Commandss that overthewire suggests in order to solve this level. You'll see they throw out red herrings in many levels.

Level 3

Find password in a file called spaces.

Commands:

cat spaces\ in\ this\ filename

*You can easily tab and let the shell do predictive text.

Level 4

Password hidden in /inhere

Commands:

ls -la

Shows all files in directory, including hidden dotfiles. We see a file called ".hidden"

cat .hidden  or  cat ./.hidden

Either works. The latter in bash will autofill using predictive text if you hit the tab key.

Level 5

Find password in the only human readable file in the directory inhere

Commands:

cd inhere 

ls -la 

find ./ -type f | xargs file | grep text

This last Commands is the most important. It means: find; in this directory; with the option to search for type f which is a file; pipe the result, and read items from stdin for file; pipe the result, look for string text.

Once you find the file

cat filename

Level 6

Find password in a file with certain specs.

Commands:

cd inhere 

ls -la 

find ./ -type f | xargs file | grep text | size -1033c

Find in this directory, a file; pipe result, read items from stdin for file; pipe result, look for the string 'text'; pipe result, look for a file with a size of 1033 bytes.

cat filename

Level 7

Look for a file with certain specs.*

Commands:

ls -la 

find ./ -user bandit7 -group bandit6 -size 33c 2>/dev/null

I cd'ed into the root directory; you could just say find / .

Find in this directory a file with the options: user = bandit7; group = bandit6; size = 33 bytes; any stderr (represented by '2'), redirect them (shovel) to /dev/null. The last bit is a way to get rid of garbage output, like files where permission is denied.

cat filename

Level 8

Grep with context a certain file*

Commands:

ls 

grep millionth data.txt

This works because grep looks for a match to the expression, then outputs the entire line where it's found. If the file was formatted differently we would have to use context flags like -B and -A and a number to get the text around the hit.

Level 9

Grep a file for a unique string

Commands:

cat filename | sort | uniq -u

Output a certain file; sort the output; print out only the unique string or line in the file (the flag -u).

Level 10

Find in a file the password, convert from base64

Commands:

strings filename

base64 encoding takes binary data and translates it to characters (64 of 'em). Useful when sending using protocols that may interpret the binary as control characters, as some protocols (hello telnet) are made for streaming text.

I don't like this level; you have to parse through the output with your eyeballs since password is on a totally different line and there's no hints. It's confusing.

Level 11

Decode file from base64

Commands:

base64 -d filename

Level 12

Learn about rot13!

Commands:

cat filename | tr [a-zA-Z] [n-za-mN-ZA-M]

Output a file; pipe results, translate a character set, (lowercase a to z, uppercase A to Z), to a character set beginning with the 13th letter of the alphabet, n, to z continue with a to m, doing the same for uppercase letters.

This is an example of a caesar's cipher, an early form of encryption using simple transposition. ROT13 has a nice history of usage in the early days of the internet by newsgroups.

Level 13

Reverse hexdump; extract, extract, extract..

Commands:

mkdir /tmp/name 
cd /tmp/name 
xxd -r data.txt > result 
file result 
zcat result > new_result 
file new_result 
bzip2 -d new_result 
ls 
file new_result.out 
zcat new_result.out > newer_result 
file newer_result 
tar -xvf newer_result 
tar -xvf data5.bin 
file data6.bin 
bzip2 -d data6.bin 
file data6.bin.out 
tar -xvf data6.bin.out 
file data8.bin.out 
zcat data8.bin.out

Success! As irritating as this level is, the repetition is good for you (and bad for your carpal tunnel). Get in the habit of looking at the details of files, and extracting them.

Level 13

Use ssh to get the next level password

Commands:

ssh -i sshkey.private bandit14@localhost 
cat /etc/bandit_pass/bandit14

The -i flag means identity; filename of the file holding your key; username@server. You drop into the bandit14 shell, and access the password file.

Level 14

Using the password we have, submit it to a specific port on localhost.

Commands:

telnet -l bandit15 localhost 30000 
password

I chose to use telnet since we are just sending a small string to the port.

Level 15

Connect to a sp. port using SSL

Commands: openssl s_client -connect localhost:30001 -ign_eof password

An intro to secure sockets layer (SSL), a network protocol for secure networking. The -ign_eof flag is needed because it means ignore the end of the file and keep the connection alive, otherwise you will get an error.

Protocol is OpenSSL; server to client, with option of connect; connect to a sp. port on localhost; ignore the end of file.

Level 16

Scan ports within in a range on sp. server; find the ones using SSL; find the only one that doesn't echo.

Commands: nmap -p 31000-32000 localhost -sV openssl s_client -connect localhost:31518 password openssl s_client -connect localhost:31790 password

touch /tmp/dir_name/sshkey.private 
chmod 600 sshkey.private 
cd /tmp/dir_name/ 
nano sshkey.private  (paste the your rsa key there, save, exit nano editor)
ssh -i sshkey.private bandit17@localhost

Intro to nmap for port scanning. The -sV flag will return what the server is running. I ignored anything listed as echo.

chmod 600 is necessary otherwise you'll get a bad permissions error when ssh'in into bandit17 shell. 600 is 'owner can r-w.'

Level 17

Get the diff between two files

Commands:

diff file1 file2 
ssh bandit18@localhost

Level 18

cat the password from a file before you're logged out

Commands:

ssh bandit18@localhost cat readme

The shell will execute Commandss before the connection closes out when they're concat'd.

Level 19

Get the password using a setuid binary file

Commands:

ls 
./bandit20-do 
./bandit20-do whoami 
./bandit20-do cat /etc/bandit_pass/bandit20

Similar to what we learned in a previous level that we can peek at files by cat'ing them. The setuid file gives access to level 20 permissions, and if we concatenate our Commandss we can cat the password we need.

Level 20

Use setuid and network daemon to get the password*

Commands:

Open 2 tabs in terminal as user bandit20.

In the first shell:

./suconnect

In the second shell:

nc -l portnumber

In the first shell:

./suconnect 12345

In the second shell: password for level 20

Using TCP as the protocol we use netcat to listen on a specific port and connect to it using the setuid binary. A daemon is any process that runs in the background and isn't under the direct control of the user.

Level 21

Explore /cron.d to find the script being executed and what it does.*

Commands:

cd /etc/cron.d 
ls -la 
cat ./cronjob_bandit22 
cat /usr/bin/cronjob_bandit22.sh 
cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

Understanding shell scripts: chmod 644 changes a file's permissions to be read/written by any user; & appends to a file; >/dev/null pushes the file into what I call the garbage directory.

Level 22

Same as above.*

cd /etc/cron.d 
cat cronjob_bandit23 
cat /usr/bin/cronjob_bandit23.sh 
echo I am user bandit23 | md5sum | cut -d ' ' -f 1 
cat /tmp/8ca319486bfbbc3663ea0fbe81326349

Level 23

Get the password using a cron job*

cat cronjob_bandit24 
cat /usr/bin/cronjob_bandit24.sh 
cd /tmp/dir_name 
touch script.sh 
chmod 777 script.sh 
nano script.sh

In the nano editor:

#!/bin/bash

cat /etc/bandit_pass/bandit24 >> /tmp/dir_name/bandit24

cp script.sh /var/spool/bandit24 
ls 
cat bandit24

Understanding shell scripts. The shell script in /var/spool/bandit24/ has access to all the bandit24 files--we don't as bandit23 which is why when we cd into that directory we can see there are many files but we don't have permission to view them. Since the script in that directory gets called regularly we can simply place a script to cat the bandit24 password file into that directory that gets executed by the cron script.

Level 24

Connect to a sp. port on localhost, brute force a pin to get password.*

Commands:

cd /tmp/dir_name/ 
touch script.sh 
chmod 777 -R script.sh  
nano script.sh 

In nano: 

#!/bin/bash/env ruby
password = "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ"
vals = (0..9).to_a
pins = vals.repeated_permutation(4).to_a

pins.each do |pin|
echo #{password} #{pin.join('')} | nc localhost 30002 >> result & 
end

ruby ./script.sh 
grep -A 1 Correct! result

This level was hard for me not because of the scripting because I ran into errors that would terminate my script before it was finished, particularly the error: [FATAL] Failed to create timer thread (errno: 11) and getting resource not available.

I chose to write the script in ruby; I wanted to use repeated permutation but could've just written a for loop. You can write a simple for loop in bash script with brace expansion or delimit your loop by initiating with 0 and ending with 9999.

Level 25

Commands:

ssh -i bandit26.sshkey bandit26@localhost

We get kicked out of the shell.

cd /etc/ 
cat passwd

Look for bandit 26

cat passwd | grep bandit26 
cat /usr/bin/showtext

resize terminal window to 30% or less

ssh -i bandit26.sshkey bandit26@localhost 
more 
v 
:e /etc/bandit_pass/bandit26

more Commands prevents us from being kicked out of the shell because the file is larger than can be displayed, so waits for input from the user before letting the rest of the file execute. While more waits for input we can give additional Commandss, like v. V opens the vi text editor, and we can give a Commands to read a certain file and get the password.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment