DEV Community

San Kang

[Write Up] Bandit Wargame Clear Log (Level 20 - 25)

OverTheWire Bandit Wargame Level 10–20: My Step-by-Step Solutions

This is my second review of the OverTheWire Bandit wargames.
While I was studying Python 3, I explored various areas of IT and became interested in cybersecurity.
Then I found the Bandit wargames and totally got hooked.
Starting today, I'll write down how I cleared each level of the wargames. This will be a way for me to improve both my computer skills and my English writing skills.
Please let me know if I use any awkward expressions or provide incorrect information.

If you need more details about the Bandit wargames, please check this link: http://www.overthewire.org/wargames


21. Bandit Level 20 → Level 21

Level Goal
There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: Try connecting to your own network daemon to see if it works as you think

Commands you may need to solve this level
ssh, nc, cat, bash, screen, tmux, Unix ‘job control’ (bg, fg, jobs, &, CTRL-Z, …)

How I solved it

I used ls first to find the setuid binary, and I found the suconnect file.
Next, I executed ./suconnect to see how to use it.


After that, I opened another terminal emulator and logged into the bandit20 account again. (At first, I made a mistake by not logging into the bandit20 account.)
In the second terminal, I ran nc -nlvp 12345 and entered the current level's password when prompted.
The -nlvp option is a combination of four options: -n means "do not resolve DNS (use raw IP)", -l puts Netcat in listen mode, -v enables verbose output, and -p specifies the port number.


Back in the first terminal, I ran ./suconnect 12345, which connected to the Netcat server and sent the password for the next level.


As a result, I received the password for level 20 in the second terminal and I used it to log in successfully.
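
Added example (not part of the original write-up): the same exchange reproduced on localhost, with the listener in the role of nc -l and the client in the role of suconnect. The two secrets, the FAIL reply and all function names are constructed placeholders.

```python
import socket
import threading

# Constructed placeholder secrets; these are not real Bandit passwords.
CURRENT_PW = "current-level-password"
NEXT_PW = "next-level-password"


def listener(server_sock, sent_line, received):
    """Role of `nc -l`: accept one connection, send a line, keep the reply."""
    conn, _ = server_sock.accept()
    with conn, conn.makefile("r") as reader:
        conn.sendall(sent_line.encode() + b"\n")
        received.append(reader.readline().strip())


def connect_and_check(port):
    """Role of the setuid client: connect, read one line, compare, answer."""
    with socket.create_connection(("127.0.0.1", port)) as sock, \
            sock.makefile("r") as reader:
        line = reader.readline().strip()
        # Hypothetical failure reply; the real binary's wording is not shown here.
        reply = NEXT_PW if line == CURRENT_PW else "FAIL"
        sock.sendall(reply.encode() + b"\n")


def run_exchange(line_to_send):
    """Listen on a free localhost port, run the client against it, return the reply."""
    received = []
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))  # port 0 lets the OS pick a free port
        srv.listen(1)
        port = srv.getsockname()[1]
        t = threading.Thread(target=listener, args=(srv, line_to_send, received))
        t.start()
        connect_and_check(port)
        t.join()
    return received[0]


if __name__ == "__main__":
    print(run_exchange(CURRENT_PW))  # the listener receives the next password
    print(run_exchange("wrong"))     # the listener receives the failure reply
```

The listener has to be running before the client connects, which is why the level needs two terminals or job control.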



22. Bandit Level 21 → Level 22

Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

Commands you may need to solve this level
cron, crontab, crontab(5) (use “man 5 crontab” to access this)

How I solved it

I started by using the ls command to check the files in the current directory, but there was nothing there.
Next, I moved into the /etc/cron.d directory using the cd command.
Then I ran ls -l to view the files in the directory along with their permissions.
I found a file named cronjob_bandit22, and I read it using the cat command.
The file indicated that when the cron job runs, it executes a script called cronjob_bandit22.sh.
So I used cat again to read the cronjob_bandit22.sh file.
From the script, I learned that it writes the password for the next level to a specific file: /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv.
So I ran cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv to read the password.
As a result, I got the password for level 22, so I successfully logged into the next level.



23. Bandit Level 22 → Level 23

Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.

Commands you may need to solve this level
cron, crontab, crontab(5) (use “man 5 crontab” to access this)

How I solved it

I ran cd /etc/cron.d and used ls to check the files in the current directory.
Then I entered cat cronjob_bandit23 to read the file. It indicated that a cron job runs a script called cronjob_bandit23.sh.
So I used cat again to read the cronjob_bandit23.sh file.
From the script, I learned that it copies the file to a specific path using the current user's name.


I copied the code in the script and created a new file named key23.sh using the vi command.
I replaced $(whoami) with bandit23 in the script to make it work manually.


After saving the file, I changed its permissions to 777 using chmod, and then executed it.
The password for level 23 was copied to /tmp/8ca319486bfbbc3663ea0fbe81326349.
Finally, I ran cat /tmp/8ca319486bfbbc3663ea0fbe81326349 to read the password.
As a result, I got the password for level 23.



24. Bandit Level 23 → Level 24 (I spent so much time on this level!!)

Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!

NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…

Commands you may need to solve this level
chmod, cron, crontab, crontab(5) (use “man 5 crontab” to access this)

How I solved it

I ran cd /etc/cron.d and used the ls command to check the files in the current directory.
I found a file named cronjob_bandit24, so I entered cat cronjob_bandit24 to read it.
The file indicated that a cron job executes a script called cronjob_bandit24.sh.
By the way, the * * * * * format represents the cron schedule: minute, hour, day of month, month, day of week, respectively.
I used cat again to read the cronjob_bandit24.sh file.
From the script, I learned that it executes and deletes all files in a specific directory, in this case /var/spool/bandit24/foo.


I moved into the /var/spool/bandit24/foo directory using cd and tried to use the ls command, but I couldn't, because I had no permission.
Because I wanted to create a shell script, I used the echo command, which immediately writes a string to a file: echo "cat /etc/bandit_pass/bandit24 > /tmp/passwd24" > sank24.sh
(I could have used the vi command as before, but I chose echo this time because it was simpler.)
Then I changed the permissions of sank24.sh to 777 using chmod, so the cron job could execute it.
I confirmed the permissions using ls -l, then waited. Eventually, sank24.sh was deleted by the cron job, and passwd24 appeared in the /tmp directory.
Finally, once the passwd24 file had appeared, I successfully got the password for the next level by reading it.
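
Added example (not part of the original write-up): a defender-side audit of a directory whose contents a scheduled job executes, flagging the conditions that made this level solvable. The function names, finding labels and the temporary directory are constructed for illustration; it is assumed that the spool directory accepts files from users other than the job's owner.

```python
import os
import stat
import tempfile


def risky_entries(spool_dir, trusted_uids):
    """Return (finding, path) pairs for a directory that a scheduled job runs.

    The directory is flagged if group or other users can create files in it;
    each entry is flagged if it is a symlink, is owned by an untrusted uid,
    or can be modified by group or other users.
    """
    findings = []
    st = os.stat(spool_dir)
    if st.st_mode & stat.S_IWOTH:
        findings.append(("dir-world-writable", spool_dir))
    if st.st_mode & stat.S_IWGRP:
        findings.append(("dir-group-writable", spool_dir))
    for name in sorted(os.listdir(spool_dir)):
        path = os.path.join(spool_dir, name)
        fst = os.lstat(path)  # lstat: do not follow symlinks
        if stat.S_ISLNK(fst.st_mode):
            findings.append(("symlink", path))
        elif fst.st_uid not in trusted_uids:
            findings.append(("untrusted-owner", path))
        elif fst.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(("file-writable-by-others", path))
    return findings


def demo():
    """Build a constructed spool directory similar to the one in this level."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o777)  # anyone may drop files here
        script = os.path.join(d, "sank24.sh")
        with open(script, "w") as f:
            f.write("#!/bin/sh\ntrue\n")
        os.chmod(script, 0o777)
        me = os.getuid()
        as_owner = [kind for kind, _ in risky_entries(d, {me})]
        as_other = [kind for kind, _ in risky_entries(d, {me + 1})]
        return as_owner, as_other


if __name__ == "__main__":
    print(demo())
```

Any finding on a directory that a more privileged account executes from means a less privileged user can run commands as that account.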



25. Bandit Level 24 → Level 25

Level Goal
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.
You do not need to create new connections each time

How I solved it

It was obvious that I had to write code that automatically submits this level's password along with all possible 4-digit pincodes.
So, I ran mkdir /tmp/sank25 to make a working directory, and moved into it.
Since Python 3 was the programming language most familiar to me, I decided to use it. I checked the path of python3 using which python3.
Then I created a Python script named auto.py with the following content:

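```python
#!/usr/bin/python3

# Print the current password followed by every 4-digit PIN, one guess per line.
for i in range(10000):
    a = "gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8 "
    b = f"{i:04d}"  # zero-pad the counter to four digits
    print(a+b)
```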


After saving the file, I tried to execute it, but oops! I got a "permission denied" error.
So I changed the permissions of the auto.py script using chmod, then tried again.
The code worked! So I ran ./auto.py | nc localhost 30002 to find the password for the next level.
My command worked successfully, so I got the password.


Then I realized that using grep would help filter the output more clearly.
So I entered ./auto.py | nc localhost 30002 and added grep -v after another | symbol. The -v option means invert match, so it selects the non-matching lines.
That was how I retrieved the password for the next level. I then used it to log into Level 25.
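
Added example (not part of the original write-up): why a 4-digit PIN falls to a single connection, and how a cap on failed attempts changes the outcome. PinGate, guesses_needed and the sample PINs are constructed for illustration and do not describe the real daemon's code.

```python
import hmac


class PinGate:
    """Toy PIN check with an optional cap on failed attempts per connection."""

    def __init__(self, pin, max_failures=None):
        self._pin = pin
        self._max = max_failures  # None reproduces the unlimited behaviour
        self._failures = 0

    def attempt(self, guess):
        # Once the cap is reached, refuse without evaluating the guess at all.
        if self._max is not None and self._failures >= self._max:
            return "locked"
        # Constant-time comparison so timing does not leak matching prefixes.
        if hmac.compare_digest(guess, self._pin):
            return "ok"
        self._failures += 1
        return "wrong"


def guesses_needed(gate):
    """Send 0000..9999 in order; return (guesses sent, whether the PIN was found)."""
    for i in range(10000):
        result = gate.attempt(f"{i:04d}")
        if result == "ok":
            return i + 1, True
        if result == "locked":
            return i + 1, False
    return 10000, False


if __name__ == "__main__":
    # Constructed PIN; without a cap the sweep always succeeds.
    print(guesses_needed(PinGate("7342")))
    # With a cap of 5 failures the sixth guess is refused.
    print(guesses_needed(PinGate("7342", max_failures=5)))
```

With a cap of k failures per connection, a sequential sweep finds the PIN only if it is among the first k values tried, so the per-connection success chance drops from certainty to k in 10000.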



I’m continuing with higher levels, and I’ll post my solutions step by step.
If you find this helpful or want to follow along, feel free to leave a comment!
