bandit wargames:

31 January 2018

this is kinda fun

gonna be going 2 northsec this year and 2 prep, i’ve been checking out the bandit challenges:

Lvl 0:

$ ssh bandit.labs.overthewire.org -p 2220 -l bandit0
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit0@bandit.labs.overthewire.org's password:

bandit0

bandit0@bandit:~$ cat readme
boJ9jbbUNNfktd78OOpsqOltutMc3MY1

Lvl 1:

bandit1@bandit:~$ cat ./-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

Lvl 2:

bandit2@bandit:~$ cat ./spaces\ in\ this\ filename
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

Lvl 3:

bandit3@bandit:~$ cat inhere/.hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB

Lvl 4:

bandit4@bandit:~$ file inhere/*
inhere/-file00: data
inhere/-file01: data
inhere/-file02: data
inhere/-file03: data
inhere/-file04: data
inhere/-file05: data
inhere/-file06: data
inhere/-file07: ASCII text
inhere/-file08: data
inhere/-file09: data
bandit4@bandit:~$ cat inhere/-file07
koReBOKuIDDepwhWk7jZC0RTdopnAYKh

Lvl 5:

ok, let’s do this one at a time:

  1. not executable
    find ./* ! -executable

  2. 1033 bytes
    find ./* -size 1033c (c is for bytes obvz ;/)

  3. human-readable
    this one’s a lil harder… what i ended up doing was something like:
    find ./* -exec file {} +

which, when it’s all strung together gives us:

bandit5@bandit:~$ find ./inhere/* -type f -size 1033c ! -executable -exec file {} +
./inhere/maybehere07/.file2: ASCII text, with very long lines

bandit5@bandit:~$ cat ./inhere/maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7

Lvl 6:

bandit6@bandit:~$ find / -size 33c -user bandit7 -group bandit6 2> /dev/null | xargs cat
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

Lvl 7:

bandit7@bandit:~$ grep millionth data.txt
millionth	cvX2JJa4CFALtqS87jk27qwqGhBM9plV

Lvl 8:

bandit8@bandit:~$ cat data.txt | sort | uniq -u
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

Lvl 9:

bandit9@bandit:~$ strings data.txt | grep -e '^==*'
=-VW+
========== theP`
========== password
========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLkf

Lvl 10:

bandit10@bandit:~$ cat data.txt | base64 -d
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

Lvl 11:

bandit11@bandit:~$ cat data.txt  | tr '[a-zA-Z]' '[n-za-mN-ZA-M]'
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

Lvl 12:

this awful string of cmds basically just comes from running xxd -r/gunzip/bunzip2/tar over and over, checking the output with file after each step to see what the next layer is:

bandit12@bandit:/tmp$ xxd -r data.txt | gunzip | bunzip2 | gunzip | tar xfO - | tar xfO - | bunzip2 | tar xvfO - | gunzip
data8.bin
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

note: the -O (capital o) flag tells tar to write the extracted file to stdout instead of to disk, so it can be piped straight into the next command
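The same peeling loop done programmatically, as an added example that is not from the page: each layer's type is sniffed from its magic bytes (standing in for the file command), the matching gunzip/bunzip2/tar-xfO step is applied, and the loop stops when the payload is no longer a known wrapper. The sample input is constructed inline as gzip(bzip2(tar(gzip(secret)))) rendered in xxd's hexdump layout, and the payload string is a placeholder, so it runs offline.

```python
"""Peel a many-times-wrapped file layer by layer (added example, not from the
page). The page does this by hand: xxd -r, then `file`, then whichever of
gunzip/bunzip2/tar the output calls for, and repeat. Here the layer type is
sniffed from magic bytes instead of calling `file`, and the sample input is
constructed inline so the whole thing runs offline."""
import bz2
import gzip
import io
import tarfile

GZIP_MAGIC = b"\x1f\x8b"
BZIP2_MAGIC = b"BZh"
TAR_MAGIC_OFFSET = 257  # POSIX tar headers carry "ustar" at this offset


def to_xxd(data: bytes) -> str:
    """Render bytes in xxd's default hexdump layout (used only to build the sample)."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {hexpart:<39}  {text}")
    return "\n".join(lines) + "\n"


def from_xxd(dump: str) -> bytes:
    """Reverse an xxd hexdump, as `xxd -r` does: keep only the hex columns."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        hexcols = line.split(":", 1)[1][:40]  # leading space + 39 chars of hex groups
        out += bytes.fromhex(hexcols.replace(" ", ""))
    return bytes(out)


def detect(data: bytes) -> str:
    """Stand-in for `file`: name the outermost layer if it is one we can open."""
    if data.startswith(GZIP_MAGIC):
        return "gzip"
    if data.startswith(BZIP2_MAGIC):
        return "bzip2"
    if data[TAR_MAGIC_OFFSET:TAR_MAGIC_OFFSET + 5] == b"ustar":
        return "tar"
    return "other"


def unwrap_once(data: bytes) -> bytes:
    """Remove exactly one layer: gunzip, bunzip2, or tar xfO - (single member to stdout)."""
    kind = detect(data)
    if kind == "gzip":
        return gzip.decompress(data)
    if kind == "bzip2":
        return bz2.decompress(data)
    if kind == "tar":
        with tarfile.open(fileobj=io.BytesIO(data)) as tf:
            files = [m for m in tf.getmembers() if m.isfile()]
            if len(files) != 1:
                raise ValueError(f"expected one file in the tar layer, found {len(files)}")
            return tf.extractfile(files[0]).read()
    raise ValueError("not a layer we know how to open")


def unwrap_all(data: bytes, max_layers: int = 32):
    """Return (innermost payload, list of layer types outermost-first)."""
    layers = []
    while detect(data) != "other":
        if len(layers) >= max_layers:  # guard against absurdly deep (or hostile) nesting
            raise ValueError("too many layers")
        layers.append(detect(data))
        data = unwrap_once(data)
    return data, layers


# --- constructed sample: gzip(bzip2(tar(gzip(secret)))) rendered as an xxd dump ---
SECRET = b"The password is NOT-A-REAL-PASSWORD-just-a-placeholder\n"


def _tar_bytes(name: str, payload: bytes) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo(name)
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


SAMPLE_DUMP = to_xxd(gzip.compress(bz2.compress(_tar_bytes("data5.bin", gzip.compress(SECRET)))))


def recover(dump: str = SAMPLE_DUMP):
    """Run the whole pipeline on a hexdump: xxd -r, then peel until plain data remains."""
    return unwrap_all(from_xxd(dump))


if __name__ == "__main__":
    payload, layers = recover()
    print(" -> ".join(layers))
    print(payload.decode())
```

The max_layers cap is there on purpose: a file that keeps decompressing into another compressed file is exactly what a decompression bomb looks like, so an unwrap loop should always have a ceiling.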

Lvl 13:

bandit13@bandit:~$ ssh bandit14@localhost -i sshkey.private cat /etc/bandit_pass/bandit14
Could not create directory '/home/bandit13/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes

Failed to add the host to the list of known hosts (/home/bandit13/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

Lvl 14:

bandit14@bandit:~$ telnet localhost 30000
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr

Connection closed by foreign host.

Lvl 15:

at least 40 wtfs involved in deducing this guy:

bandit15@bandit:~$ openssl s_client -connect localhost:30001  -ign_eof -quiet
depth=0 CN = bandit
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = bandit
verify return:1
BfMYroe26WYalil77FoDi9qh59eK5xNr
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd

Lvl 16:

had 2 do this one in two parts w a lot of trial n error :(

1st is to check which ports are open in the range provided:

bandit15@bandit:~$ nmap localhost -p 31000-32000

Starting Nmap 7.01 ( https://nmap.org ) at 2018-03-25 19:50 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00018s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 996 closed ports
PORT      STATE SERVICE
31046/tcp open  unknown
31518/tcp open  unknown
31691/tcp open  unknown
31790/tcp open  unknown
31960/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds

not bad. now we can check each of those ports for who is responding

bandit16@bandit:~$ openssl s_client -ign_eof -quiet -connect localhost:31790
depth=0 CN = bandit
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = bandit
verify return:1
cluFn7wTiGryunymYOu4RcffSxQluehd
Correct!
-----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY-----

Lvl 17:

let’s log in with that last key:

$ echo -e '-----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY-----' > /tmp/testkey

$ chmod 600 /tmp/testkey
$ ssh bandit.labs.overthewire.org -p 2220 -l bandit17 -i /tmp/testkey

the rest is pretty simple:

bandit17@bandit:~$ diff passwords.old passwords.new
42c42
< 6vcSC74ROI95NqkKaeEC2ABVMDX9TyUr
---
> kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd

Lvl 18:

$ ssh bandit.labs.overthewire.org -p 2220 -l bandit18 cat readme
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit18@bandit.labs.overthewire.org's password:
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

Lvl 19:

bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j

Lvl 20:

this one’s worth at least 20 wtfs

bandit20@bandit:~$ echo 'GbKksEFF4yrVs6il55v6gwY5aVje5f0j' | nc -l -p 9999 &
[1] 19094
bandit20@bandit:~$ ./suconnect 9999
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
[1]+  Done                    echo 'GbKksEFF4yrVs6il55v6gwY5aVje5f0j' | nc -l -p 9999
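Both halves of that exchange, as an added example that is not the game's own suconnect binary: a checker that connects to a localhost port, reads one line, compares it against the current password and answers with the next one only on a match, plus the listener side (what echo | nc -l -p 9999 did above) driven end to end. The passwords and the rejection text are constructed placeholders, and the port is an ephemeral one on the loopback interface, so it is self-contained.

```python
"""Both halves of the level-20 exchange (added example, not the game's own
suconnect): a listener that offers the current password on a port, and a
checker that connects, reads one line, and hands back the next password only
on a match. Passwords and the reject message are constructed placeholders."""
import hmac
import socket
import threading

CURRENT = b"CONSTRUCTED-current-password"  # stands in for /etc/bandit_pass/bandit20
NEXT = b"CONSTRUCTED-next-password"        # stands in for /etc/bandit_pass/bandit21
REJECT = b"Wrong! That is not the current password"


def suconnect(port: int, expected: bytes = CURRENT, next_password: bytes = NEXT) -> None:
    """The checker side: connect to a port on localhost, read a line, compare, reply."""
    with socket.create_connection(("127.0.0.1", port)) as s, s.makefile("rwb") as f:
        offered = f.readline().rstrip(b"\r\n")
        # compare_digest keeps the comparison time independent of where the guess diverges
        if hmac.compare_digest(offered, expected):
            f.write(next_password + b"\n")
        else:
            f.write(REJECT + b"\n")
        f.flush()


def run_exchange(offered: bytes) -> bytes:
    """The listener side, driven end to end: listen on a free port, let suconnect()
    connect, send the offered password, and return whatever it replies."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free one
    srv.listen(1)
    port = srv.getsockname()[1]
    reply = {}

    def listen_side():
        conn, _ = srv.accept()
        with conn, conn.makefile("rwb") as f:
            f.write(offered + b"\n")
            f.flush()
            reply["line"] = f.readline().rstrip(b"\n")

    t = threading.Thread(target=listen_side)
    t.start()
    suconnect(port)
    t.join()
    srv.close()
    return reply["line"]


if __name__ == "__main__":
    print(run_exchange(CURRENT).decode())
    print(run_exchange(b"not-the-password").decode())
```

Note which side is which: the listener you start with nc is the passive one, and the privileged checker is the client that dials out to your port; that is what makes the setup counterintuitive and why the listener has to be running (backgrounded with &) before suconnect is launched.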

Lvl 21:

bandit21@bandit:~$ crontab -e
crontabs/bandit21/: fdopen: Permission deniedbandit21@bandit:~$
bandit21@bandit:~$ cat /etc/cron.d/cronjob_bandit2*
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
@reboot bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null

bandit21@bandit:~$ /usr/bin/cronjob_bandit22.sh
chmod: changing permissions of '/tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv': Operation not permitted
/usr/bin/cronjob_bandit22.sh: line 3: /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv: Permission denied

bandit21@bandit:~$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

Lvl 22:

bandit22@bandit:~$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget

bandit22@bandit:~$ echo 'I am user bandit23' | md5sum
8ca319486bfbbc3663ea0fbe81326349  -

bandit22@bandit:~$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
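Two small checks around the cron jobs from levels 21 and 22, as an added example that is not from the page: parse /etc/cron.d-style entries to see which user each job runs as (the six lines from the cat /etc/cron.d/cronjob_bandit2* output above are the sample), and predict the /tmp filename cronjob_bandit23.sh writes to, taking into account the trailing newline that echo adds before md5sum sees the string.

```python
"""Two checks around the level-21/22 cron jobs (added example, not from the
page): which user each /etc/cron.d entry runs as, and where the bandit23
script will write, mirroring its `echo ... | md5sum | cut` pipeline."""
import hashlib
from typing import List, NamedTuple

# Sample input: the six entries the page's `cat /etc/cron.d/cronjob_bandit2*` printed.
CRON_D_SAMPLE = """\
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
@reboot bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
"""


class CronJob(NamedTuple):
    schedule: str
    user: str
    command: str


def parse_cron_d(text: str) -> List[CronJob]:
    """Parse system-crontab lines: five time fields (or one @keyword), a user, then the command.
    Unlike a per-user crontab, /etc/cron.d entries name the account the job runs as."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or VAR=value setting
        fields = line.split()
        if fields[0].startswith("@"):
            schedule, user, command = fields[0], fields[1], " ".join(fields[2:])
        else:
            schedule, user, command = " ".join(fields[:5]), fields[5], " ".join(fields[6:])
        jobs.append(CronJob(schedule, user, command))
    return jobs


def jobs_run_as_other_users(jobs: List[CronJob], me: str) -> List[CronJob]:
    """Jobs that run with a different account's privileges: the ones worth reading."""
    return [j for j in jobs if j.user != me]


def cron_target_path(username: str) -> str:
    """Mirror `echo I am user $myname | md5sum | cut -d ' ' -f 1` from cronjob_bandit23.sh.
    echo appends "\\n", so the hashed bytes include it; hashing without it gives a different name."""
    digest = hashlib.md5(f"I am user {username}\n".encode()).hexdigest()
    return f"/tmp/{digest}"


if __name__ == "__main__":
    for job in jobs_run_as_other_users(parse_cron_d(CRON_D_SAMPLE), "bandit22"):
        print(f"{job.user:10} {job.schedule:12} {job.command}")
    print(cron_target_path("bandit23"))
```

The newline detail is the usual stumbling block when reproducing a shell hash in another language: md5sum hashed "I am user bandit23" plus the newline echo added, so the digest only matches the page's 8ca319486bfbbc3663ea0fbe81326349 when the newline is included.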

Lvl 23:

bandit23@bandit:~$ mkdir /tmp/itsalmostdoneeee
bandit23@bandit:~$ chmod 777 /tmp/itsalmostdoneeee
bandit23@bandit:/tmp/itsalmostdoneeee$ cd !$
cd /tmp/itsalmostdoneeee
bandit23@bandit:/tmp/itsalmostdoneeee$ vim thisisiitt
...
bandit23@bandit:/tmp/itsalmostdoneeee$ cat thisisiitt
#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/itsalmostdoneeee/hahahaha
chown bandit23:bandit23 /tmp/itsalmostdoneeee/hahahaha

bandit23@bandit:/tmp/itsalmostdoneeee$ cp thisisiitt /var/spool/bandit24/
bandit23@bandit:/tmp/itsalmostdoneeee$ # wait a minute...
bandit23@bandit:/tmp/itsalmostdoneeee$ ls
hahahaha thisisiitt

bandit23@bandit:/tmp/itsalmostdoneeee$ cat hahahaha
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

Lvl 24:

this was fun

bandit24@bandit:~$ cd /tmp/
bandit24@bandit:/tmp$ mkdir bruttt
bandit24@bandit:/tmp$ cd !$
cd bruttt
bandit24@bandit:/tmp/bruttt$ vim brutty

#!/bin/bash
# write one "password pin" line per 4-digit pin into the file nc reads below
pass="UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ"
touch dicto
for i in {0000..9999}; do
    echo $pass $i >> dicto
done
bandit24@bandit:/tmp/bruttt$ chmod +x brutty
bandit24@bandit:/tmp/bruttt$ ls -la
bandit24@bandit:/tmp/bruttt$ ls
brutty dicto
bandit24@bandit:/tmp/bruttt$ cat dicto | nc localhost 30002
...
Wrong! Please enter the correct pincode. Try again.
Wrong! Please enter the correct pincode. Try again.
Wrong! Please enter the correct pincode. Try again.
Wrong! Please enter the correct pincode. Try again.
Correct!
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

Exiting.

Lvl 25:

there’s an ssh key, a 4-digit pin and the password for bandit24. what tttttffff?

bandit25@bandit:~$ cat /etc/passwd | grep bandit26
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
bandit25@bandit:~$ cat /usr/bin/showtext
#!/bin/sh

export TERM=linux

more ~/text.txt
exit 0

u ssh into bandit26 and you what? type the pin? 5440? no

do you enter the password for bandit24? no

apparently, you now have to make your terminal tiny. like <=4 lines high. then when you try and ssh in, that more cmd will kick in and drop you into a pager instead of exiting. from there you can hit v to open the file in vim and check out bandit26’s pass with :e /etc/bandit_pass/bandit26.

i feel like a lot of these are more riddles than computer problems really
like ok if you maybe weren’t obtuse about the way you described the challenge, it wouldn’t be so difficult, ya?

at the same time, i could totally see this having been some kind of zero day hack in like the 80s probably performed with the halp of a powerglove that is so bad

TBC