OverTheWire Bandit Wargame Level 10–20: My Step-by-Step Solutions
This is my second review of the OverTheWire Bandit wargames.
While I was studying Python 3, I explored various areas of IT and became interested in cybersecurity.
Then I found the Bandit wargames and totally got hooked.
Starting today, I'll write down how I cleared each level of the wargames. This will be a way for me to improve both computer skills and English writing skills.
Please let me know if I use any awkward expressions or provide incorrect information.
If you need more details about the Bandit wargames, please check this link: http://www.overthewire.org/wargames
21. Bandit Level 20 → Level 21
Level Goal
There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
NOTE: Try connecting to your own network daemon to see if it works as you think
Commands you may need to solve this level
ssh, nc, cat, bash, screen, tmux, Unix ‘job control’ (bg, fg, jobs, &, CTRL-Z, …)
How I solved it
I used `ls` first to find the setuid binary, and I found the `suconnect` file.
Next, I executed `./suconnect` to see how to use it.
After that, I opened another terminal emulator and logged into the `bandit20` account again. (At first, I made a mistake by not logging into the `bandit20` account.)
In the second terminal, I ran `nc -nlvp 12345` and entered the current level's password when prompted.
The `-nlvp` option is a combination of four options: `-n` means "do not resolve DNS (use raw IP)", `-l` puts Netcat in listen mode, `-v` enables verbose output, and `-p` specifies the port number.
Back in the first terminal, I ran `./suconnect 12345`, which connected to the Netcat server and sent the password for the next level.
As a result, I received the password for level 20 in the second terminal and I used it to log in successfully.
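The exchange in this level, reproduced on loopback as an added example (not code from the original post or from OverTheWire): one function plays the `nc -l` listener and the other plays the client role the level goal describes. The passwords, the `FAIL` reply and all function names are assumptions made for the illustration.

```python
import hmac
import socket
import threading

# Constructed placeholder secrets; not real Bandit passwords.
CURRENT_PW = "current-level-password-placeholder"
NEXT_PW = "next-level-password-placeholder"

def checker_client(port):
    """Client role from the level goal: connect, read one line, compare, answer."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as conn:
        line = conn.makefile("r").readline().rstrip("\r\n")
        ok = hmac.compare_digest(line.encode(), CURRENT_PW.encode())
        # Assumption: a fixed "FAIL" line stands in for whatever the binary prints.
        conn.sendall(((NEXT_PW if ok else "FAIL") + "\n").encode())

def run_exchange(typed_line):
    """Listener role (`nc -l`): it must be listening before the client connects."""
    with socket.create_server(("127.0.0.1", 0)) as srv:  # port 0: OS picks a free port
        srv.settimeout(5)
        port = srv.getsockname()[1]
        client = threading.Thread(target=checker_client, args=(port,))
        client.start()
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(5)
            conn.sendall((typed_line + "\n").encode())   # the line typed into nc
            reply = conn.makefile("r").readline().strip()
        client.join()
        return reply

if __name__ == "__main__":
    print(run_exchange(CURRENT_PW))     # the listener receives the next password
    print(run_exchange("wrong guess"))  # a wrong line gets the failure reply
```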
22. Bandit Level 21 → Level 22
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
Commands you may need to solve this level
cron, crontab, crontab(5) (use “man 5 crontab” to access this)
How I solved it
I started by using the `ls` command to check the files in the current directory, but there was nothing there.
Next, I moved into the `/etc/cron.d` directory using the `cd` command.
Then I ran `ls -l` to view the files in the directory along with their permissions.
I found a file named `cronjob_bandit22`, and I read it using the `cat` command.
The file indicated that when the cron job runs, it executes a script called `cronjob_bandit22.sh`.
So I used `cat` again to read the `cronjob_bandit22.sh` file.
From the script, I learned that it writes the password for the next level to a specific file: `/tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv`.
So I ran `cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv` to read the password.
As a result, I got the password for level 22, so I successfully logged into the next level.
23. Bandit Level 22 → Level 23
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
Commands you may need to solve this level
cron, crontab, crontab(5) (use “man 5 crontab” to access this)
How I solved it
I ran `cd /etc/cron.d` and used `ls` to check the files in the current directory.
Then I entered `cat cronjob_bandit23` to read the file. It indicated that a cron job runs a script called `cronjob_bandit23.sh`.
So I used `cat` again to read the `cronjob_bandit23.sh` file.
From the script, I learned that it copies the file to a specific path using the current user's name.
I copied the code in the script and created a new file named `key23.sh` using the `vi` command.
I replaced `$(whoami)` with `bandit23` in the script to make it work manually.
After saving the file, I changed its permissions to 777 using `chmod`, and then executed it.
The password for level 23 was copied to `/tmp/8ca319486bfbbc3663ea0fbe81326349`.
Finally, I ran `cat /tmp/8ca319486bfbbc3663ea0fbe81326349` to read the password.
As a result, I got the password for level 23.
24. Bandit Level 23 → Level 24 (I spent so much time on this level!!)
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…
Commands you may need to solve this level
chmod, cron, crontab, crontab(5) (use “man 5 crontab” to access this)
How I solved it
I ran `cd /etc/cron.d` and used the `ls` command to check the files in the current directory.
I found a file named `cronjob_bandit24`, so I entered `cat cronjob_bandit24` to read it.
The file indicated that a cron job executes a script called `cronjob_bandit24.sh`.
By the way, the `* * * * *` format represents the cron schedule: minute, hour, day of month, month, day of week, respectively.
I used `cat` again to read the `cronjob_bandit24.sh` file.
From the script, I learned that it executes and deletes all files in a specific directory, in this case `/var/spool/bandit24/foo`.
I moved into the `/var/spool/bandit24/foo` directory using `cd` and tried to use the `ls` command, but I couldn't, because I had no permission.
Because I wanted to create a shell script, I used the `echo` command, which immediately writes a string to a file: `echo "cat /etc/bandit_pass/bandit24 > /tmp/passwd24" > sank24.sh`
(I could have used the `vi` command as before, but I chose `echo` this time because it was simpler.)
Then I changed the permissions of `sank24.sh` to 777 using `chmod`, so the cron job could execute it.
I confirmed the permissions using `ls -l`, then waited. Eventually, `sank24.sh` was deleted by the cron job, and `passwd24` appeared in the `/tmp` directory.
Finally, the `passwd24` file appeared, and I successfully got the password for the next level by reading it.
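Seen from the administrator's side, this level works because a cron job running as another user executes files from a directory that other users can write to. The sketch below is an added example, not part of the original post: it parses a `/etc/cron.d` entry (five schedule fields or an `@` shortcut, then user, then command) and flags paths that group or other users can modify. The cron entry, the temporary directory tree and the function names are constructed for the illustration.

```python
import os
import stat
import tempfile

FIELDS = ("minute", "hour", "day_of_month", "month", "day_of_week")

def parse_cron_d_line(line):
    """Split one /etc/cron.d job entry into schedule, user and command.
    Returns None for blank lines, comments and VAR=value settings."""
    line = line.strip()
    if not line or line.startswith("#") or "=" in line.split(None, 1)[0]:
        return None
    n_time = 1 if line.startswith("@") else 5     # "@reboot" style or 5 fields
    parts = line.split(None, n_time + 1)
    if len(parts) < n_time + 2:
        return None
    when = parts[0] if n_time == 1 else dict(zip(FIELDS, parts[:5]))
    return {"schedule": when, "user": parts[n_time], "command": parts[n_time + 1]}

def writable_by_others(path):
    """True if the mode bits let group or other users write to path."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit(line, paths_used):
    """Return (user the job runs as, paths that other users can modify)."""
    job = parse_cron_d_line(line)
    return job["user"], [p for p in paths_used if writable_by_others(p)]

def demo():
    """Constructed stand-in: a script plus the directory it runs files from."""
    root = tempfile.mkdtemp()
    script = os.path.join(root, "cronjob_bandit24.sh")
    drop_dir = os.path.join(root, "foo")
    open(script, "w").close()
    os.mkdir(drop_dir)
    os.chmod(script, 0o750)      # the script itself cannot be edited by others
    os.chmod(drop_dir, 0o777)    # but anyone can add files that the job will run
    line = "* * * * * bandit24 " + script + " &> /dev/null"   # constructed entry
    user, risky = audit(line, [script, drop_dir])
    return user, [os.path.basename(p) for p in risky]

if __name__ == "__main__":
    print(demo())
```

The flagged directory is the finding: whatever lands in it runs with the privileges of the user named in the cron entry.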
25. Bandit Level 24 → Level 25
Level Goal
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.
You do not need to create new connections each time
How I solved it
It was obvious that I had to write code that automatically submits this level's password along with all possible 4-digit pincodes.
So, I ran `mkdir /tmp/sank25` to make a working directory, and moved into it.
Since Python 3 was the most familiar programming language to me, I decided to use it. I checked the path of `python3` using `which python3`.
Then I created a Python script named `auto.py` with the following content:

```python
#!/usr/bin/python3
# Print the current level's password followed by every 4-digit pincode, one per line.
for i in range(10000):
    a = "gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8 "
    b = f"{i:04d}"  # zero-padded: 0000 .. 9999
    print(a+b)
```

After saving the file, I tried to execute it, but oops! I got a "permission denied" error.
So, I changed the permissions of the `auto.py` script using `chmod`, then tried again.
The code worked! So I ran `./auto.py | nc localhost 30002` to find the password for the next level.
My command worked successfully, so I got the password.
Then I realized that using `grep` would help filter the output more clearly.
So I entered `./auto.py | nc localhost 30002` and added `grep -v` with the `|` symbol. The `-v` option means invert match, so it selects non-matching lines.
That was how I retrieved the password for the next level. I then used it to log into Level 25.
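Why this level falls so quickly, and what changes when the service counts failures, shown as an added example that is not part of the original post. `PinGate` is a hypothetical in-memory stand-in for the daemon in the level goal; the password, the pincode, the reply strings and the attempt cap are constructed for the illustration.

```python
import hmac

class PinGate:
    """Line-based checker like the daemon in the level goal, plus an attempt cap."""
    def __init__(self, password, pin, max_attempts=None):
        self.password, self.pin = password, pin
        self.max_attempts = max_attempts      # None = unlimited, as in the level
        self.failures = 0
        self.closed = False

    def handle_line(self, line):
        if self.closed:
            return "closed"
        expected = f"{self.password} {self.pin}".encode()
        if hmac.compare_digest(line.strip().encode(), expected):
            return "correct"
        self.failures += 1
        if self.max_attempts is not None and self.failures >= self.max_attempts:
            self.closed = True                # stop answering after N misses
        return "wrong"

def sweep(gate, password):
    """Walk all 10000 pincodes on one connection, as auto.py does."""
    for i in range(10000):
        if gate.handle_line(f"{password} {i:04d}") == "correct":
            return f"{i:04d}"
    return None

if __name__ == "__main__":
    pw = "constructed-password"
    unlimited = PinGate(pw, "7302")
    print(sweep(unlimited, pw), unlimited.failures)   # found after 7302 misses
    capped = PinGate(pw, "7302", max_attempts=5)
    print(sweep(capped, pw), capped.failures)         # never found, stops at 5
```

A cap per connection only helps when it is paired with a limit per client, since a new connection would otherwise reset the counter.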
I’m continuing with higher levels, and I’ll post my solutions step by step.
If you find this helpful or want to follow along, feel free to leave a comment!
















