https://overthewire.org/wargames/
Bandit 0
```shell
cat readme
boJ9jbbUNNfktd78OOpsqOltutMc3MY1
```
Bandit 1
So the password is boJ9jbbUNNfktd78OOpsqOltutMc3MY1.
```shell
cat ./-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
```
The trick here is that `cat` treats a bare `-` argument as standard input rather than a filename, so the file has to be named by path (`./-`).
Bandit 2
```shell
cat "spaces in this filename"
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
```
Bandit 3
```shell
cat inhere/.hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB
```
Bandit 4
I ran the `file` command until it said it found an ASCII file.
```shell
file inhere/-file*
inhere/-file00: data
inhere/-file01: data
inhere/-file02: data
inhere/-file03: data
inhere/-file04: data
inhere/-file05: data
inhere/-file06: data
inhere/-file07: ASCII text
inhere/-file08: data
inhere/-file09: data
cat inhere/-file07
koReBOKuIDDepwhWk7jZC0RTdopnAYKh
```
Bandit 5
My first thought is to use the `find` command. It can probably filter on all the attributes mentioned. When I Google for "find not executable linux" I find people looking for the solution to the exact OverTheWire level. Oh well:
```shell
find inhere/ -type f -size 1033c ! -executable
inhere/maybehere07/.file2
```
I look at the file with `xxd`:
```shell
xxd inhere/maybehere07/.file2
00000000: 4458 6a5a 5055 4c4c 7859 7231 3775 776f DXjZPULLxYr17uwo
00000010: 4930 3162 4e4c 5162 7446 656d 4567 6f37 I01bNLQbtFemEgo7
00000020: 0a20 2020 2020 2020 2020 2020 2020 2020 .
00000030: 2020 2020 2020 2020 2020 2020 2020 2020
00000040: 2020 2020 2020 2020 2020 2020 2020 2020
00000050: 2020 2020 2020 2020 2020 2020 2020 2020
00000060: 2020 2020 2020 2020 2020 2020 2020 2020
00000070: 2020 2020 2020 2020 2020 2020 2020 2020
00000080: 2020 2020 2020 2020 2020 2020 2020 2020
00000090: 2020 2020 2020 2020 2020 2020 2020 2020
000000a0: 2020 2020 2020 2020 2020 2020 2020 2020
000000b0: 2020 2020 2020 2020 2020 2020 2020 2020
000000c0: 2020 2020 2020 2020 2020 2020 2020 2020
000000d0: 2020 2020 2020 2020 2020 2020 2020 2020
000000e0: 2020 2020 2020 2020 2020 2020 2020 2020
000000f0: 2020 2020 2020 2020 2020 2020 2020 2020
00000100: 2020 2020 2020 2020 2020 2020 2020 2020
00000110: 2020 2020 2020 2020 2020 2020 2020 2020
00000120: 2020 2020 2020 2020 2020 2020 2020 2020
00000130: 2020 2020 2020 2020 2020 2020 2020 2020
00000140: 2020 2020 2020 2020 2020 2020 2020 2020
00000150: 2020 2020 2020 2020 2020 2020 2020 2020
00000160: 2020 2020 2020 2020 2020 2020 2020 2020
00000170: 2020 2020 2020 2020 2020 2020 2020 2020
00000180: 2020 2020 2020 2020 2020 2020 2020 2020
00000190: 2020 2020 2020 2020 2020 2020 2020 2020
000001a0: 2020 2020 2020 2020 2020 2020 2020 2020
000001b0: 2020 2020 2020 2020 2020 2020 2020 2020
000001c0: 2020 2020 2020 2020 2020 2020 2020 2020
000001d0: 2020 2020 2020 2020 2020 2020 2020 2020
000001e0: 2020 2020 2020 2020 2020 2020 2020 2020
000001f0: 2020 2020 2020 2020 2020 2020 2020 2020
00000200: 2020 2020 2020 2020 2020 2020 2020 2020
00000210: 2020 2020 2020 2020 2020 2020 2020 2020
00000220: 2020 2020 2020 2020 2020 2020 2020 2020
00000230: 2020 2020 2020 2020 2020 2020 2020 2020
00000240: 2020 2020 2020 2020 2020 2020 2020 2020
00000250: 2020 2020 2020 2020 2020 2020 2020 2020
00000260: 2020 2020 2020 2020 2020 2020 2020 2020
00000270: 2020 2020 2020 2020 2020 2020 2020 2020
00000280: 2020 2020 2020 2020 2020 2020 2020 2020
00000290: 2020 2020 2020 2020 2020 2020 2020 2020
000002a0: 2020 2020 2020 2020 2020 2020 2020 2020
000002b0: 2020 2020 2020 2020 2020 2020 2020 2020
000002c0: 2020 2020 2020 2020 2020 2020 2020 2020
000002d0: 2020 2020 2020 2020 2020 2020 2020 2020
000002e0: 2020 2020 2020 2020 2020 2020 2020 2020
000002f0: 2020 2020 2020 2020 2020 2020 2020 2020
00000300: 2020 2020 2020 2020 2020 2020 2020 2020
00000310: 2020 2020 2020 2020 2020 2020 2020 2020
00000320: 2020 2020 2020 2020 2020 2020 2020 2020
00000330: 2020 2020 2020 2020 2020 2020 2020 2020
00000340: 2020 2020 2020 2020 2020 2020 2020 2020
00000350: 2020 2020 2020 2020 2020 2020 2020 2020
00000360: 2020 2020 2020 2020 2020 2020 2020 2020
00000370: 2020 2020 2020 2020 2020 2020 2020 2020
00000380: 2020 2020 2020 2020 2020 2020 2020 2020
00000390: 2020 2020 2020 2020 2020 2020 2020 2020
000003a0: 2020 2020 2020 2020 2020 2020 2020 2020
000003b0: 2020 2020 2020 2020 2020 2020 2020 2020
000003c0: 2020 2020 2020 2020 2020 2020 2020 2020
000003d0: 2020 2020 2020 2020 2020 2020 2020 2020
000003e0: 2020 2020 2020 2020 2020 2020 2020 2020
000003f0: 2020 2020 2020 2020 2020 2020 2020 2020
00000400: 2020 2020 2020 2020 20
```
There's a lot of crap besides the ASCII. I use `strings` to capture only the bits that can be interpreted as ASCII:
```shell
strings inhere/maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7
```
Bandit 6
Seems like I should use the `find` command again. Maybe `find /` something.
I read the `find` manual to find these arguments:
- `-user uname`
- `-group`
After running it a few times, I come up with this solution:
```shell
cat $(find / -type f -size 33c -user bandit7 -group bandit6 2>&1 | grep -v "Permission denied\|No such")
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
```
Bandit 7
I looked at the file with `vi` and found the word. Then I used `grep`:
```shell
grep millionth data.txt | cut -f2
cvX2JJa4CFALtqS87jk27qwqGhBM9plV
```
Bandit 8
I have some experience with these commands (parsing log files and such), so it was not so difficult.
```shell
sort data.txt | uniq -u
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
```
Bandit 9
Inspected the file with `strings` and found the password.
```shell
strings data.txt | grep "^=" | tail -n 1 | cut -d" " -f2
truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
```
Bandit 10
`base64 -d`:
```shell
base64 -d data.txt | cut -d " " -f4
IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR
```
Bandit 11
Using `tr` to shift the characters:
```shell
cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
```
I want to try it in Python:
```shell
cat data.txt
Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh
```
```python
import codecs

flag = "Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh"
print(codecs.encode(flag, 'rot_13'))
```
```
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
```
I guess we could use CyberChef too.
Bandit 12
Now it's starting to get quite challenging for me. My initial plan:
- Convert the hexdump back to binary with `xxd`
  - I already know this from my blog post on bits
- Look at the magic bytes (file signatures) to know what compression has been used, maybe using the `file` command
I did all the decompression manually by discovering the compression with `file`. For some reason, `gunzip` wants the file extension to be `.gz`. I wonder why. Can use `-S` to override.
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
After that, I started thinking about doing it all on the fly:
```shell
xxd -r data.txt | gzip -dc | bzip2 -dc | gzip -dc | tar xvf - -O | tar xvf - -O | bzip2 -dc | tar xvf - -O | gzip -dc
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
```
I'm surprised it works.
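The same peeling the pipeline above does, driven by file signatures instead of by hand, as an added example that is not code from the original post: it checks the magic bytes the plan mentions (gzip `1f 8b`, bzip2 `BZh`, tar's `ustar` at offset 257) and unwraps one layer at a time until nothing matches. The nested sample is constructed inline in the page's layer order; the password text and the archive member names are placeholders, not the game's data.

```python
import bz2
import gzip
import io
import tarfile
def layer_type(blob: bytes):
    """Identify the outer layer by its magic bytes; None means no known signature."""
    if blob[:2] == b"\x1f\x8b":
        return "gzip"
    if blob[:3] == b"BZh":
        return "bzip2"
    if len(blob) >= 262 and blob[257:262] == b"ustar":  # POSIX/GNU tar header magic
        return "tar"
    return None

def unwrap(blob: bytes, max_layers: int = 32) -> tuple:
    """Peel layers until no signature matches; returns (data, layer names outer to inner)."""
    layers = []
    for _ in range(max_layers):
        kind = layer_type(blob)
        if kind is None:
            return blob, layers
        layers.append(kind)
        if kind == "gzip":
            blob = gzip.decompress(blob)
        elif kind == "bzip2":
            blob = bz2.decompress(blob)
        else:  # tar: take the first regular file, like `tar -xO` on a one-file archive
            with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
                member = next(m for m in tar.getmembers() if m.isfile())
                blob = tar.extractfile(member).read()
    raise ValueError("more than %d layers, giving up" % max_layers)  # bounds a decompression bomb

def _tar_wrap(payload: bytes, name: str) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

def build_sample_hexdump() -> str:
    """Constructed stand-in for data.txt, built innermost first in the page's layer order."""
    blob = gzip.compress(b"The password is CONSTRUCTED-PLACEHOLDER\n")
    blob = bz2.compress(_tar_wrap(blob, "data8.bin"))
    blob = _tar_wrap(_tar_wrap(blob, "data6.bin"), "data5.bin")
    blob = gzip.compress(bz2.compress(gzip.compress(blob)))
    return blob.hex()  # plain hex in place of xxd's columns; bytes.fromhex() reverses it
if __name__ == "__main__":
    data, layers = unwrap(bytes.fromhex(build_sample_hexdump()))
    print(" -> ".join(layers), "=>", data.decode().strip())
```

The layer list it prints is exactly the order of the `gzip`/`bzip2`/`tar` stages in the one-liner above, which is a quick way to check a pipeline before typing it.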
I googled `xxd -r data.txt | gzip -dc` and found a gist using the same technique.
I like that he shows how to run it straight through SSH:
```shell
ssh -p 2220 bandit12@bandit.labs.overthewire.org 'xxd -r data.txt | gzip -dc | bzip2 -d -c | gzip -dc | tar -xO | tar -xO | bzip2 -d -c | tar -xO | gzip -dc'
```
By doing this, I realized that I could remove some options. So it's always useful to compare solutions. Nice way to learn. Did some more searching and found some nice resources:
- https://www.youtube.com/watch?v=WVazel70ZzM&list=PL1H1sBF1VAKUsYdQd94dO9MgSaY2p1AJ4&index=4
- https://github.com/USCGA/writeups/tree/master/overthewire/bandit/level12
By doing this, I also learned that you can use the `sshpass -p <file>` command to pass a password into `ssh`. So you can see how much you can learn by following the rabbit. John Hammond always saves the flag in a file named `bandit12` etc. He ends up doing the decompression by hand.
Bandit 13
I'm copying over the private key file:
```shell
sshpass -p "8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL" scp -P 2220 bandit13@bandit.labs.overthewire.org:sshkey.private sshkey.private
```
After that:
```shell
chmod 600 sshkey.private
ssh -i sshkey.private bandit14@bandit.labs.overthewire.org -p 2220 "cat /etc/bandit_pass/bandit14 "
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
```
Bandit 14
`nc` to the rescue. I think `telnet` might be possible too?
```shell
echo "4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e" | nc 127.0.0.1 30000 | grep .
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr
```
Bandit 15
I have no idea what to do here. Thinking of using:
- `openssl`
- Python with `socket` and `ssl`
- Sources
With `openssl`:
```shell
echo "BfMYroe26WYalil77FoDi9qh59eK5xNr" | openssl s_client -connect localhost:30001 -ign_eof -quiet | grep .
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd
```
Quite happy that I also got it to work in Python:
```python
import socket
import ssl

password = b"BfMYroe26WYalil77FoDi9qh59eK5xNr"
hostname = "localhost"

# Skip certificate validation: the game's service does not present a
# certificate a default context would accept.
context = ssl.create_default_context()
context.check_hostname = False
context.verify_mode = ssl.CERT_NONE

with socket.create_connection((hostname, 30001)) as sock:
    with context.wrap_socket(sock, server_hostname=hostname) as ssock:
        ssock.sendall(password + b"\n")
        data = ssock.recv(1024)
        print(data.decode("UTF-8").strip())
```
```
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd
```
Bandit 16
I want to do this in Python too, because I suspect I can build on the same concepts later.
I Google how to do a port range scan on localhost.
```shell
nmap -p31000-32000 localhost
Starting Nmap 7.40 ( https://nmap.org ) at 2019-10-20 23:47 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00026s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
31518/tcp filtered unknown
31790/tcp open unknown
31960/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 1.26 seconds
```
Python port scanner thing.
```python
import socket

# connect_ex returns 0 when the TCP connection succeeds, an errno otherwise
for port in range(31000, 32000):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(1)
    result = sock.connect_ex(("localhost", port))
    if 0 == result:
        print("Port: {} Open".format(port))
    sock.close()
```
```
Port: 31790 Open
Port: 31960 Open
```
Not too happy about these results. But I suspect 31518 is SSL because this silly port scanner can't find it.
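A follow-up to the scanner above, as an added example rather than code from the original post: once the connect scan has found open ports, a TLS handshake attempt tells plaintext services apart from TLS ones, which is what the next step needs. The listener is a constructed plaintext stand-in on a random local port so the block runs offline; the services on 31000-32000 and the game host's certificate are not assumed.

```python
import socket
import ssl
import threading
def scan_open_ports(host: str, ports, timeout: float = 0.3) -> list:
    """TCP connect scan, the same connect_ex idea as above, closing each socket."""
    found = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            if sock.connect_ex((host, port)) == 0:
                found.append(port)
    return found

def speaks_tls(host: str, port: int, timeout: float = 2.0) -> bool:
    """Attempt a TLS handshake; a plaintext service answers with non-TLS bytes and it fails."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # asking only "is this TLS?", not "is the cert valid?"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False

def start_plain_listener() -> int:
    """Constructed stand-in for a plaintext service like port 30000: read a line, reply, close."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free one
    srv.listen(5)
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    conn.recv(1024)
                    conn.sendall(b"Wrong!\n")
                except OSError:
                    pass
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def demo() -> dict:
    """Scan a small range around the constructed listener and classify the hit."""
    port = start_plain_listener()
    hits = scan_open_ports("127.0.0.1", range(port - 2, port + 3))
    return {"port": port, "found": port in hits, "tls": speaks_tls("127.0.0.1", port)}
if __name__ == "__main__":
    print(demo())
```

Against the game host, `speaks_tls` on each port returned by `scan_open_ports` separates the plaintext echo services from the one that expects the password over TLS; a port that nmap reports as filtered simply times out in both functions.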