OverTheWire Bandit Wargame Level 10–20: My Step-by-Step Solutions
This is the second review of the OverTheWire Bandit wargames.
While I was studying Python 3, I explored various areas of IT and became interested in cybersecurity.
Then I found the Bandit wargames and totally got hooked.
Starting today, I'll write down how I cleared each level of the wargames. This will be a way for me to improve both computer skills and English writing skills.
Please let me know if I use any awkward expressions or provide incorrect information.
If you need more details about the Bandit wargames, please check this link: http://www.overthewire.org/wargames
21. Bandit Level 20 → Level 21
Level Goal
There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
NOTE: Try connecting to your own network daemon to see if it works as you think
Commands you may need to solve this level
ssh, nc, cat, bash, screen, tmux, Unix ‘job control’ (bg, fg, jobs, &, CTRL-Z, …)
How I solved it
I used `ls` first to find a setuid binary, and I found the `suconnect` file.
Next, I executed `./suconnect` to see how to use it.
After that, I opened another terminal emulator and logged into the `bandit20` account again. (At first, I made a mistake by not logging into the `bandit20` account.)
In the second terminal, I ran `nc -nlvp 12345` and entered the current level's password when prompted.
The `-nlvp` option is a combination of four options: `-n` means "do not resolve DNS (use raw IP)", `-l` puts Netcat in listen mode, `-v` enables verbose output, and `-p` specifies the port number.
Back in the first terminal, I ran `./suconnect 12345`, which connected to the Netcat server and sent the password for the next level.
As a result, I received the password for level 20 in the second terminal and I used it to log in successfully.
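The exchange between the listener and `suconnect`, as an added example that is not part of the original post or the wargame's code: a Python simulation on localhost in which `start_listener` plays the `nc -nlvp` side and `suconnect_like` is a hypothetical stand-in for the setuid binary. The passwords and the `FAIL` reply are constructed placeholders.

```python
import socket
import threading

# Constructed placeholder secrets, not real Bandit passwords.
CURRENT = "current-level-password"
NEXT = "next-level-password"


def start_listener(line_to_send):
    """Play the `nc -nlvp PORT` role: send one line, record the reply."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))      # port 0: the OS picks a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    result = {}

    def serve():
        conn, _ = srv.accept()
        with conn, conn.makefile("r") as reader:
            conn.sendall(line_to_send.encode() + b"\n")
            result["reply"] = reader.readline().strip()
        srv.close()

    thread = threading.Thread(target=serve)
    thread.start()
    return port, thread, result


def suconnect_like(port, expected=CURRENT, secret=NEXT):
    """Hypothetical stand-in for the setuid binary: connect to localhost,
    read one line, compare it, and reveal the secret only on a match."""
    with socket.create_connection(("127.0.0.1", port)) as sock:
        with sock.makefile("rw") as stream:
            matched = stream.readline().strip() == expected
            stream.write((secret if matched else "FAIL") + "\n")
            stream.flush()
    return matched


def run_exchange(typed_line):
    """Return (did the line match?, what the listener received back)."""
    port, thread, result = start_listener(typed_line)
    matched = suconnect_like(port)
    thread.join()
    return matched, result["reply"]


if __name__ == "__main__":
    print(run_exchange(CURRENT))    # listener was given the right password
```

The listener has to be bound before the client connects, which is why the walkthrough starts `nc` in the second terminal first.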
22. Bandit Level 21 → Level 22
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
Commands you may need to solve this level
cron, crontab, crontab(5) (use “man 5 crontab” to access this)
How I solved it
I started by using the `ls` command to check the files in the current directory, but there was nothing there.
Next, I moved into the `/etc/cron.d` directory using the `cd` command.
Then I ran `ls -l` to view the files in the directory along with their permissions.
I found a file named `cronjob_bandit22`, and I read it using the `cat` command.
The file indicated that when the cron job runs, it executes a script called `cronjob_bandit22.sh`.
So I used `cat` again to read the `cronjob_bandit22.sh` file.
From the script, I learned that it writes the password for the next level to a specific file: `/tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv`.
So I ran `cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv` to read the password.
As a result, I got the password for level 22, so I successfully logged into the next level.
23. Bandit Level 22 → Level 23
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
Commands you may need to solve this level
cron, crontab, crontab(5) (use “man 5 crontab” to access this)
How I solved it
I ran `cd /etc/cron.d` and used `ls` to check the files in the current directory.
Then I entered `cat cronjob_bandit23` to read the file. It indicated that a cronjob runs a script called `cronjob_bandit23.sh`.
So I used `cat` again to read the `cronjob_bandit23.sh` file.
From the script, I learned that it copies the file to a specific path using the current user's name.
I copied the code in the script and created a new file named `key23.sh` using the `vi` command.
I replaced `$(whoami)` with `bandit23` in the script to make it work manually.
After saving the file, I changed its permissions to 777 using `chmod`, and then executed it.
The password for level 23 was copied to `/tmp/8ca319486bfbbc3663ea0fbe813263491`.
Finally, I ran `cat /tmp/8ca319486bfbbc3663ea0fbe81326349` to read the password.
As a result, I got the password for level 23.
24. Bandit Level 23 → Level 24 (I spent so much time in this level!!)
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…
Commands you may need to solve this level
chmod, cron, crontab, crontab(5) (use “man 5 crontab” to access this)
How I solved it
I ran `cd /etc/cron.d` and used the `ls` command to check the files in the current directory.
I found a file named `cronjob_bandit24`, so I entered `cat cronjob_bandit24` to read it.
The file indicated that a cronjob executes a script called `cronjob_bandit24.sh`.
By the way, the `* * * * *` format represents the cron schedule: minute, hour, day of month, month, day of week, respectively.
I used `cat` again to read the `cronjob_bandit24.sh` file.
From the script, I learned that it executes and deletes all files in a specific directory, in this case `/var/spool/bandit24/foo`.
I moved into the `/var/spool/bandit24/foo` directory using `cd` and I tried to use the `ls` command, but I couldn't, because I had no permission.
Because I wanted to create a shell script, I used the `echo` command, which immediately writes a string to a file: `echo "cat /etc/bandit_pass/bandit24 > /tmp/passwd24" > sank24.sh`
(I could have used the `vi` command as before, but I chose `echo` this time because it was simpler.)
Then, I changed the permissions of `sank24.sh` to 777 using `chmod`, so the cronjob could execute it.
I confirmed the permissions using `ls -l`, then waited. Eventually, `sank24.sh` was deleted by the cronjob, and `passwd24` appeared in the `/tmp` directory.
Finally, the `passwd24` file appeared, and I successfully got the password for the next level by reading it.
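An added example (not from the original post or the wargame) for checking cron entries like the ones in this level from the defender's side: it parses `/etc/cron.d` lines, which carry a user field after the five time fields, and tests whether a path is writable by group or others, as a file set to 777 is. The sample entries, `exampleuser` and `/opt/example/job.sh` are constructed placeholders.

```python
import os
import re
import shlex
import stat

TIME_FIELDS = ("minute", "hour", "day_of_month", "month", "day_of_week")


def parse_cron_d_line(line):
    """Split one /etc/cron.d entry into schedule, user and command.
    Returns None for blank lines, comments and VAR=value settings."""
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"[A-Za-z_]\w*\s*=", line):
        return None
    # A nickname such as @reboot stands in for the five time fields.
    n_time = 1 if line.startswith("@") else 5
    parts = line.split(None, n_time + 1)
    if len(parts) < n_time + 2:
        raise ValueError(f"incomplete cron.d entry: {line!r}")
    if n_time == 1:
        schedule = {"nickname": parts[0]}
    else:
        schedule = dict(zip(TIME_FIELDS, parts[:5]))
    user, command = parts[n_time], parts[n_time + 1]
    return {"schedule": schedule, "user": user, "command": command,
            "program": shlex.split(command)[0]}


def parse_cron_d(text):
    """Parse a whole cron.d file, skipping non-entry lines."""
    return [e for e in map(parse_cron_d_line, text.splitlines()) if e]


def writable_by_others(path):
    """True if group or other users may write to the file or directory."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


# Constructed sample file; user name and script path are placeholders.
SAMPLE = """\
# constructed example of an /etc/cron.d file
MAILTO=root
@reboot exampleuser /opt/example/job.sh &> /dev/null
* * * * * exampleuser /opt/example/job.sh &> /dev/null
"""

if __name__ == "__main__":
    for entry in parse_cron_d(SAMPLE):
        print(entry["user"], entry["schedule"], entry["program"])
```

Running `writable_by_others` on each entry's `program`, and on any directory that script reads files from, shows where another account could influence what the job's user executes.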
25. Bandit Level 24 → Level 25
Level Goal
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.
You do not need to create new connections each time
How I solved it
It was obvious that I had to write code that automatically submits this level's password along with all possible 4-digit pincodes.
So, I ran `mkdir /tmp/sank25` to make a working directory, and moved into it.
Since Python3 was the most familiar programming language to me, I decided to use it. I checked the path of `python3` using `which python3`.
Then I created a Python script named `auto.py` with the following content:
```python
#!/usr/bin/python3
# Print the current password followed by every 4-digit pincode, one pair per line.
for i in range(10000):
    a = "gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8 "  # this level's password plus a separating space
    b = f"{i:04d}"  # zero-padded pincode, 0000 to 9999
    print(a + b)
```
After saving the file, I tried to execute it, but oops! I got a "permission denied" error.
So, I changed the permissions of the `auto.py` script using `chmod`. Then I tried again.
The code worked! So I ran `./auto.py | nc localhost 30002` to find the password for the next level.
My command worked successfully, so I got the password.
Then I realized that using `grep` would help filter the output more clearly.
So I entered `./auto.py | nc localhost 30002` and added `grep -v` with the `|` symbol. The `-v` option means `invert match`, so it helps to select non-matching lines.
That was how I retrieved the password for the next level. I then used it to log into Level 25.
I’m continuing with higher levels, and I’ll post my solutions step by step.
If you find this helpful or want to follow along, feel free to leave a comment!