"The wargames offered by the OverTheWire community can help you to learn and practice security concepts in the form of fun-filled games.
To find out more about a certain wargame, just visit its page linked from the menu on the left." - quoted from OverTheWire - Wargames
As suggested by OTW community, we should start from the Bandit -> Leviathan/Natas/Kypton -> Narnia -> Behemoth -> Utumno -> Maze ... I get thrilled and excited by just looking at the wargames' title.
Without any delay, let's start... I personally love to SSH to my Kali box using Putty and play through the games simply because I can copy paste easily. Well, the playing method it's up to you, but it have to be in a Linux box.
Level 0
Input password: bandit0 (Given as a starter!)
Level 0 → Level 1
Level Goal
The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH to log into that level and continue the game.
bandit0@melinda:~$ ls
readme
bandit0@melinda:~$ cat readme
boJ9jbbUNNfktd78OOpsqOltutMc3MY1
Level 1 → Level 2
Level Goal
The password for the next level is stored in a file called - located in the home directory
bandit1@melinda:~$ cat ./-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
Level 2 → Level 3
Level Goal
The password for the next level is stored in a file called spaces in this filename located in the home directory
bandit2@melinda:~$ cat spaces\ in\ this\ filename
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
Level 3 → Level 4
Level Goal
The password for the next level is stored in a hidden file in the inhere directory.
bandit3@melinda:~$ cd inhere/
bandit3@melinda:~/inhere$ ls -la
total 12
drwxr-xr-x 2 root root 4096 Jun 6 2013 .
drwxr-xr-x 3 root root 4096 Jun 6 2013 ..
-rw-r----- 1 bandit4 bandit3 33 Jun 6 2013 .hidden
bandit3@melinda:~/inhere$ cat .hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB
Level 4 → Level 5
Level Goal
The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the "reset" command.
bandit4@melinda:~/inhere$ cat ./-file07
koReBOKuIDDepwhWk7jZC0RTdopnAYKh
Level 5 → Level 6
Level Goal
The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:
human-readable
1033 bytes in size
not executable
bandit5@melinda:~/inhere$ find -size 1033c
./maybehere07/.file2
bandit5@melinda:~/inhere$ cat ./maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7
Level 6 → Level 7
Level Goal
The password for the next level is stored somewhere on the server and has all of the following properties:
owned by user bandit7
owned by group bandit6
33 bytes in size
bandit6@melinda:~$ find / -user bandit7 -group bandit6 -size 33c 2>/dev/null
/var/lib/dpkg/info/bandit7.password
bandit6@melinda:~$ cat /var/lib/dpkg/info/bandit7.password
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
Level 7 → Level 8
Level Goal
The password for the next level is stored in the file data.txt next to the word millionth
bandit7@melinda:~$ cat data.txt | grep millionth
millionth cvX2JJa4CFALtqS87jk27qwqGhBM9plV
Level 8 → Level 9
Level Goal
The password for the next level is stored in the file data.txt and is the only line of text that occurs only once
bandit8@melinda:~$ sort data.txt | uniq -u
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
Level 9 → Level 10
Level Goal
The password for the next level is stored in the file data.txt among of few lines of human-readable strings starting with '=' characters.
bandit9@melinda:~$ strings data.txt | grep '='
Rj=G
========== the
=qy9g
,========== passwordc
========== is
=9-5
O=p~
#r=t!
7e}=eG
========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
uXI/{I=VPO=
6'Q|_=Vt
:={!
yd=6
Level 10 → Level 11
Level Goal
The password for the next level is stored in the file data.txt, which contains base64 encoded data
bandit10@melinda:~$ base64 -d data.txt
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR
Level 11 → Level 12
Level Goal
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions
bandit11@melinda:~$ cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
Level 12 → Level 13
Level Goal
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)
bandit12@melinda:~$ mkdir /tmp/tempwork && cp data.txt /tmp/tempwork/data.txt
bandit12@melinda:/tmp/tempwork$ xxd -r data.txt dataNew
bandit12@melinda:/tmp/tempwork$ mv dataNew dataNew.gz
bandit12@melinda:/tmp/tempwork$ gzip -d dataNew.gz
bandit12@melinda:/tmp/tempwork$ bzip2 -d dataNew
bandit12@melinda:/tmp/tempwork$ mv dataNew.out dataNew.gz
bandit12@melinda:/tmp/tempwork$ gzip -d dataNew.gz
bandit12@melinda:/tmp/tempwork$ tar -xvf dataNew
bandit12@melinda:/tmp/tempwork$ tar -xvf data5.bin
bandit12@melinda:/tmp/tempwork$ bzip2 -d data6.bin
bandit12@melinda:/tmp/tempwork$ tar -xvf data6.bin.out
bandit12@melinda:/tmp/tempwork$ mv data8.bin data.gz
bandit12@melinda:/tmp/tempwork$ gzip -d data.gz
bandit12@melinda:/tmp/tempwork$ cat data
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
Level 13 → Level 14
Level Goal
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don't get the next password, but you get a private SSH key that can be used to log into the next level.
Note: localhost is a hostname that refers to the machine you are working on
bandit13@melinda:~$ ssh -i sshkey.private bandit14@localhost
bandit14@melinda:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Level 14 → Level 15
Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
bandit14@melinda:~$ nc localhost 30000
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr
Level 15 → Level 16
Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
Helpful note: Getting "HEARTBEATING" and "Read R BLOCK"? Use -quiet and read the "CONNECTED COMMANDS" section in the manpage. Next to 'R' and 'Q', the 'B' command also works in this version of that command...
bandit15@melinda:~$ openssl s_client -connect localhost:30001 -quiet
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
BfMYroe26WYalil77FoDi9qh59eK5xNr
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd
Level 16 → Level 17
Level Goal
The password for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don't. There is only 1 server that will give the next password, the others will simply send back to you whatever you send to it.
bandit16@melinda:~$ nmap -p 31000-32000 localhost
bandit16@melinda:~$ openssl s_client -connect localhost:31790 -quiet
bandit16@melinda:~$ mkdir /tmp/myworkplace && cd /tmp/myworkplace
bandit16@melinda:/tmp/myworkplace$ touch ssh.private17
bandit16@melinda:/tmp/myworkplace$ vim ssh.private17
bandit16@melinda:/tmp/myworkplace$ chmod 700 ssh.private17
bandit16@melinda:/tmp/myworkplace$ ssh -i ssh.private17 bandit17@localhost
Level 17 → Level 18
Level Goal
There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new
bandit17@melinda:~$ diff passwords.old passwords.new
42c42
> PRjrhDcANrVM6em57fPnFp4Tcq8gvwzK
---
> kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
Level 18 → Level 19
Level Goal
The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
root@kali:~# ssh bandit18@bandit.labs.overthewire.org cat readme
bandit18@bandit.labs.overthewire.org's password:
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
Level 19 → Level 20
Level Goal
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute is without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used to setuid binary.
bandit19@melinda:~$ ./bandit20-do id
uid=11019(bandit19) gid=11019(bandit19) euid=11020(bandit20) groups=11020(bandit20),11019(bandit19)
bandit19@melinda:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Level 20 → Level 21
Level Goal
There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
NOTE: To beat this level, you need to login twice: once to run the setuid command, and once to start a network daemon to which the setuid will connect.
NOTE 2: Try connecting to your own network daemon to see if it works as you think
bandit20@melinda:~$ nc -l localhost 1337
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
bandit20@melinda:~$ ./suconnect 1337
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password
Level 21 → Level 22
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
bandit21@melinda:/etc/cron.d$ cat cronjob_bandit22
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh & > /dev/null
bandit21@melinda:/etc/cron.d$ cat /usr/bin/cronjob_bandit22.sh
bandit21@melinda:/etc/cron.d$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
Level 22 → Level 23
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
bandit22@melinda:/etc/cron.d$ cat cronjob_bandit23
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
bandit22@melinda:/etc/cron.d$ cat /usr/bin/cronjob_bandit23.sh
bandit22@melinda:/etc/cron.d$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349
bandit22@melinda:/etc/cron.d$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
Level 23 → Level 24
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around...
bandit23@melinda:/etc/cron.d$ cat cronjob_bandit24
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
bandit23@melinda:/etc/cron.d$ cat /usr/bin/cronjob_bandit24.sh
bandit23@melinda:/etc/cron.d$ cd /var/spool/bandit24
bandit23@melinda:/var/spool/bandit24$ touch getpass.sh
bandit23@melinda:/var/spool/bandit24$ vim getpass.sh
bandit23@melinda:/var/spool/bandit24$ cat getpass.sh
#!/bin/bash
#
# A simple script copy password to tmp directory
mkdir /tmp/passhere
cat /etc/bandit_pass/bandit24 > /tmp/passhere/readmepass.txt
echo "Copied successfully!"
bandit23@melinda:/var/spool/bandit24$ chmod 777 getpass.sh
bandit23@melinda:/var/spool/bandit24$ cat /tmp/passhere/readmepass.txt
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
Level 24 → Level 25
At this moment, level 25 does not exist yet.
Yay! Pwned!
Link to bandit wargame -> Here
No comments:
Post a Comment