OverTheWire: Bandit

In search of shorter, easier challenges I came across https://overthewire.org which has various “wargames” on it, the easiest apparently being the Bandit challenge. It looks to be different than proper virtualised networks to hack into but maybe interesting and I should learn some basics that no doubt I’m missing.

Bandit Level O

The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.

OK so just need to know how to ssh into a box, look around and cat a file to see its contents:

root@kali2017-1:~# ssh bandit0@bandit.labs.overthewire.org -p 2220

bandit0@bandit:~$ ls  
readme
bandit0@bandit:~$ cat readme
boJ9jbbUNNfktd78OOpsqOltutMc3MY1
bandit0@bandit:~$ 

Now we use the string in the readme file for the password to ssh into the next level.

Bandit Level 1

bandit1@bandit:~$ ls
-

OK I’ll admit it, I don’t know what a – file means in linux and cat doesn’t like it since it looks like an option. Looked it up and the best answer seems to be to stick the old ./ in front of it:

bandit1@bandit:~$ cat ./- 
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
bandit1@bandit:~$ 

It occurred to me that whilst I know to use ./ when linux can’t find scripts/exes, I don’t actually know why. Turns out that the . means the current directory so ./ is telling linux to look there as opposed to the locations in the PATH environmental variable. Makes sense.

Bandit Level 2

bandit2@bandit:~$ ls
spaces in this filename

I know linux is like Windows in this respect and you have to put the whole name in “”s

bandit2@bandit:~$ cat "spaces in this filename"
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

However attempting tab completion shows another way:

bandit2@bandit:~$ cat spaces\ in\ this\ filename 
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

the \ is an “escape character” meaning ignore the next character (the space). Kinda knew that.

Bandit Level 3

Ooh the excitement! This time there’s a directory called “inhere”. But when you get in there, there’s nothing. Those crafty devils.

bandit3@bandit:~/inhere$ ls
bandit3@bandit:~/inhere$ ls -a
.  ..  .hidden
bandit3@bandit:~/inhere$ cat .hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB
bandit3@bandit:~/inhere$

ls -a means list “all” including hidden files. I notice it includes . and .. so that adds to the .\ meaning “in this directory” thing I mentioned above.  Also of interest is the name .hidden – putting a dot in front of a file hides it. Didn’t know that.

Whilst I’m at it, I found this table of ls options. Bound to be useful in mo.

Bandit Level 4

bandit4@bandit:~/inhere$ ls -a
-file00  -file02  -file04  -file06  -file08  .
-file01  -file03  -file05  -file07  -file09  ..
bandit4@bandit:~/inhere$ 

So a load of -files. It’s gonna be annoying to ./-file00 and so on. Might actually read the level goal here “The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command. Commands you may need to solve this level: ls, cd, cat, file, du, find”

I don’t know what “file” or “du” even do so better look them up:

The file command determines the file type of a file. It reports the file type in human readable format (e.g. ‘ASCII text’) or MIME type (e.g. ‘text/plain; charset=us-ascii’). Says this guy

That would seem to fit the bill.

bandit4@bandit:~/inhere$ file ./-file00
./-file00: Non-ISO extended-ASCII text, with CR line terminators, with escape sequences
bandit4@bandit:~/inhere$ 

But that’s just as annoying as cat each one so need to do all of them at once. Some kind of * based action required.

bandit4@bandit:~/inhere$ file ./*      
./-file00: Non-ISO extended-ASCII text, with CR line terminators, with escape sequences
./-file01: data
./-file02: data
./-file03: data
./-file04: data
./-file05: data
./-file06: data
./-file07: ASCII text
./-file08: data
./-file09: data
bandit4@bandit:~/inhere$ 

bandit4@bandit:~/inhere$ cat ./-file07
koReBOKuIDDepwhWk7jZC0RTdopnAYKh

Bandit Level 5

“The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties: human-readable, 1033 bytes in size and not executable”

There are a load of folders each containing multiple files. Need an automated way. Time to check out the find command. https://www.ducea.com/2008/02/12/linux-tips-find-all-files-of-a-particular-size/ shows the way. Not sure about all the exec stuff but 1033c means 1033 bytes so:

bandit5@bandit:~/inhere$ find /home/ -type f -size 1033c
/home/bandit5/inhere/maybehere07/.file2

Now cat it:

bandit5@bandit:~/inhere$ cat ./maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7

Bandit 6

Level Goal

The password for the next level is stored somewhere on the server and has all of the following properties:

• owned by user bandit7
• owned by group bandit6
• 33 bytes in size

Commands you may need to solve this level

ls, cd, cat, file, du, find, grep

From the last level we know that the find command will search for a file if we tell if which directory to start at, give it -type f (for file) and then the parameters. This time there are more parameters.  But first we need to cd to the root directory as there are no files/folders in the one we’re in. From there:

bandit6@bandit:/$ ls
README.txt  boot  dev  home  lib32  libx32  mnt  proc  run   srv  tmp  var
bin         d     etc  lib   lib64  media   opt  root  sbin  sys  usr
bandit6@bandit:/$ find / -type f -size 33c -user bandit7 -group bandit6 
find: `/var/log': Permission denied
find: `/var/lib/php5': Permission denied
find: `/var/spool/bandit24': Permission denied
find: `/var/spool/cron/crontabs': Permission denied
find: `/var/spool/rsyslog': Permission denied
find: `/var/cache/ldconfig': Permission denied
find: `/var/tmp': Permission denied
find: `/tmp': Permission denied
find: `/etc/ssl/private': Permission denied
find: `/run/lock': Permission denied
find: `/d': Permission denied
find: `/home/bandit5/inhere': Permission denied
find: `/root': Permission denied
find: `/proc/tty/driver': Permission denied
find: `/proc/1/task/1/fd': Permission denied
find: `/proc/1/task/1/fdinfo': Permission denied
find: `/proc/1/task/1/ns': Permission denied
find: `/proc/1/fd': Permission denied
find: `/proc/1/map_files': Permission denied
find: `/proc/1/fdinfo': Permission denied
find: `/proc/1/ns': Permission denied
find: `/proc/12/task/12/fd': Permission denied
find: `/proc/12/task/12/fdinfo': Permission denied
find: `/proc/12/task/12/ns': Permission denied

So whilst it’s searching, we have a problem in that it’s throwing up tons of Permission denied errors which makes the output annoying and less useful. I do remember linux has a method of discarding errors. https://bash.cyberciti.biz/guide//dev/null_discards_unwanted_output explains it and gives us command 2>/dev/null which sends error messages to the data black-hole that is dev/null:

bandit6@bandit:/$ find / -type f -size 33c -user bandit7 -group bandit6 2>dev/null
/var/lib/dpkg/info/bandit7.password
^C
bandit6@bandit:/$ cat /var/lib/dpkg/info/bandit7.password 
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
bandit6@bandit:/$ 

Bandit 7

Level Goal

The password for the next level is stored in the file data.txt next to the word millionth

This great guide on grep basics says “-n: print the line number of where matches were found”

bandit7@bandit:~$ grep -n millionth data.txt
33835:millionth	cvX2JJa4CFALtqS87jk27qwqGhBM9plV
bandit7@bandit:~$ 

Getting a bit fancier you can just show the password by piping the output to awk and telling that to print the 2nd element, given the separator is a space, which awk recognises by default:

bandit7@bandit:~$ grep -n millionth data.txt | awk '{print $2}'
cvX2JJa4CFALtqS87jk27qwqGhBM9plV
bandit7@bandit:~$ 

Powerful stuff this linux.

To be continued as time allows….