In search of shorter, easier challenges I came across https://overthewire.org which has various “wargames” on it, the easiest apparently being the Bandit challenge. It looks to be different than proper virtualised networks to hack into but maybe interesting and I should learn some basics that no doubt I’m missing.
Bandit Level 0
The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.
OK so just need to know how to ssh into a box, look around and cat a file to see its contents:
```
root@kali2017-1:~# ssh bandit0@bandit.labs.overthewire.org -p 2220
bandit0@bandit:~$ ls
readme
bandit0@bandit:~$ cat readme
boJ9jbbUNNfktd78OOpsqOltutMc3MY1
bandit0@bandit:~$
```
Now we use the string in the readme file for the password to ssh into the next level.
Bandit Level 1
```
bandit1@bandit:~$ ls
-
```
OK I’ll admit it, I don’t know what a - file means in linux and cat doesn’t like it since it looks like an option. Looked it up and the best answer seems to be to stick the old ./ in front of it:
```
bandit1@bandit:~$ cat ./-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
bandit1@bandit:~$
```
It occurred to me that whilst I know to use ./ when linux can’t find scripts/exes, I don’t actually know why. Turns out that the . means the current directory so ./ is telling linux to look there as opposed to the locations in the PATH environmental variable. Makes sense.
Bandit Level 2
```
bandit2@bandit:~$ ls
spaces in this filename
```
I know linux is like Windows in this respect and you have to put the whole name in “”s
```
bandit2@bandit:~$ cat "spaces in this filename"
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
```
However attempting tab completion shows another way:
```
bandit2@bandit:~$ cat spaces\ in\ this\ filename
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
```
The \ is an “escape character” meaning ignore the next character (the space). Kinda knew that.
Bandit Level 3
Ooh the excitement! This time there’s a directory called “inhere”. But when you get in there, there’s nothing. Those crafty devils.
```
bandit3@bandit:~/inhere$ ls
bandit3@bandit:~/inhere$ ls -a
.  ..  .hidden
bandit3@bandit:~/inhere$ cat .hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB
bandit3@bandit:~/inhere$
```
ls -a means list “all” including hidden files. I notice it includes . and .. so that adds to the ./ meaning “in this directory” thing I mentioned above. Also of interest is the name .hidden – putting a dot in front of a file hides it. Didn’t know that.
Whilst I’m at it, I found this table of ls options. Bound to be useful in a mo.
option | description |
---|---|
ls -a | list all files including hidden files starting with ‘.’ |
ls --color | colored list [=always/never/auto] |
ls -d | list directories - with ‘ */’ |
ls -F | add one char of */=>@\| to entries |
ls -i | list file’s inode index number |
ls -l | list with long format - show permissions |
ls -la | list long format including hidden files |
ls -lh | list long format with readable file size |
ls -ls | list with long format with file size |
ls -r | list in reverse order |
ls -R | list recursively directory tree |
ls -s | list file size |
ls -S | sort by file size |
ls -t | sort by time & date |
ls -X | sort by extension name |
Bandit Level 4
```
bandit4@bandit:~/inhere$ ls -a
-file00  -file02  -file04  -file06  -file08  .
-file01  -file03  -file05  -file07  -file09  ..
bandit4@bandit:~/inhere$
```
So a load of -files. It’s gonna be annoying to ./-file00 and so on. Might actually read the level goal here: “The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command. Commands you may need to solve this level: ls, cd, cat, file, du, find”
I don’t know what “file” or “du” even do so better look them up:
“The file command determines the file type of a file. It reports the file type in human readable format (e.g. ‘ASCII text’) or MIME type (e.g. ‘text/plain; charset=us-ascii’).” Says this guy
That would seem to fit the bill.
```
bandit4@bandit:~/inhere$ file ./-file00
./-file00: Non-ISO extended-ASCII text, with CR line terminators, with escape sequences
bandit4@bandit:~/inhere$
```
But that’s just as annoying as cat each one so need to do all of them at once. Some kind of * based action required.
```
bandit4@bandit:~/inhere$ file ./*
./-file00: Non-ISO extended-ASCII text, with CR line terminators, with escape sequences
./-file01: data
./-file02: data
./-file03: data
./-file04: data
./-file05: data
./-file06: data
./-file07: ASCII text
./-file08: data
./-file09: data
bandit4@bandit:~/inhere$
bandit4@bandit:~/inhere$ cat ./-file07
koReBOKuIDDepwhWk7jZC0RTdopnAYKh
```
Bandit Level 5
“The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties: human-readable, 1033 bytes in size and not executable”
There are a load of folders each containing multiple files. Need an automated way. Time to check out the find command. https://www.ducea.com/2008/02/12/linux-tips-find-all-files-of-a-particular-size/ shows the way. Not sure about all the exec stuff but 1033c means 1033 bytes so:
```
bandit5@bandit:~/inhere$ find /home/ -type f -size 1033c
/home/bandit5/inhere/maybehere07/.file2
```
Now cat it:
```
bandit5@bandit:~/inhere$ cat ./maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7
```
Bandit 6
Level Goal
The password for the next level is stored somewhere on the server and has all of the following properties:
- owned by user bandit7
- owned by group bandit6
- 33 bytes in size
Commands you may need to solve this level
ls, cd, cat, file, du, find, grep
From the last level we know that the find command will search for a file if we tell it which directory to start at, give it -type f (for file) and then the parameters. This time there are more parameters. But first we need to cd to the root directory as there are no files/folders in the one we’re in. From there:
```
bandit6@bandit:/$ ls
README.txt  boot  dev  home  lib32  libx32  mnt  proc  run  srv  tmp  var
bin  d  etc  lib  lib64  media  opt  root  sbin  sys  usr
bandit6@bandit:/$ find / -type f -size 33c -user bandit7 -group bandit6
find: `/var/log': Permission denied
find: `/var/lib/php5': Permission denied
find: `/var/spool/bandit24': Permission denied
find: `/var/spool/cron/crontabs': Permission denied
find: `/var/spool/rsyslog': Permission denied
find: `/var/cache/ldconfig': Permission denied
find: `/var/tmp': Permission denied
find: `/tmp': Permission denied
find: `/etc/ssl/private': Permission denied
find: `/run/lock': Permission denied
find: `/d': Permission denied
find: `/home/bandit5/inhere': Permission denied
find: `/root': Permission denied
find: `/proc/tty/driver': Permission denied
find: `/proc/1/task/1/fd': Permission denied
find: `/proc/1/task/1/fdinfo': Permission denied
find: `/proc/1/task/1/ns': Permission denied
find: `/proc/1/fd': Permission denied
find: `/proc/1/map_files': Permission denied
find: `/proc/1/fdinfo': Permission denied
find: `/proc/1/ns': Permission denied
find: `/proc/12/task/12/fd': Permission denied
find: `/proc/12/task/12/fdinfo': Permission denied
find: `/proc/12/task/12/ns': Permission denied
```
So whilst it’s searching, we have a problem in that it’s throwing up tons of Permission denied errors which makes the output annoying and less useful. I do remember linux has a method of discarding errors. https://bash.cyberciti.biz/guide//dev/null_discards_unwanted_output explains it and gives us command 2>/dev/null which sends error messages to the data black-hole that is /dev/null:
```
bandit6@bandit:/$ find / -type f -size 33c -user bandit7 -group bandit6 2>/dev/null
/var/lib/dpkg/info/bandit7.password
^C
bandit6@bandit:/$ cat /var/lib/dpkg/info/bandit7.password
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
bandit6@bandit:/$
```
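The Level 5 goal lists three properties (human-readable, exact size, not executable) and Level 6 adds owner tests plus error discarding; the sketch below combines them in one find call. It is an added example, not part of the original post: the function names, the "printable ASCII only" definition of human-readable and the sample tree are all assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. find_text_files DIR SIZE [extra find tests...]
# Prints regular files under DIR that are exactly SIZE bytes, not executable
# and made only of printable ASCII, tab, LF and CR ("human-readable").
find_text_files() {
    ftf_dir=$1 ftf_size=$2
    shift 2
    # {} is handed to sh as "$1", never pasted into the script text, so odd
    # names (leading dash, spaces, dot-files) cannot alter the command.
    find "$ftf_dir" -type f -size "${ftf_size}c" "$@" \
        -exec sh -c '
            [ -r "$1" ] && [ ! -x "$1" ] || exit 1
            left=$(LC_ALL=C tr -d "\011\012\015\040-\176" < "$1" | wc -c)
            [ "$left" -eq 0 ]' sh {} \; \
        -print 2>/dev/null
}

# Constructed sample tree (not the real Bandit files).
make_demo_tree() {
    mdt_root=$(mktemp -d) || return 1
    mkdir "$mdt_root/maybehere00" "$mdt_root/maybehere01" "$mdt_root/maybehere02"
    printf '%1033s' x > "$mdt_root/maybehere00/-file1"       # text but executable
    chmod +x "$mdt_root/maybehere00/-file1"
    printf '%1033s' x > "$mdt_root/maybehere01/.file2"       # the only full match
    head -c 1033 /dev/zero > "$mdt_root/maybehere01/-file3"  # right size, binary
    printf '%1032s' x > "$mdt_root/maybehere02/spaces in name"  # text, wrong size
    printf '%s\n' "$mdt_root"
}

demo_root=$(make_demo_tree) || exit 1
find_text_files "$demo_root" 1033                      # Level 5 style
find_text_files "$demo_root" 1033 -user "$(id -u)"     # Level 6 style owner test
rm -rf "$demo_root"
```

With the Level 6 parameters from the session above, the equivalent call would be `find_text_files / 33 -user bandit7 -group bandit6`.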
Bandit 7
Level Goal
The password for the next level is stored in the file data.txt next to the word millionth
This great guide on grep basics says “-n: print the line number of where matches were found”
```
bandit7@bandit:~$ grep -n millionth data.txt
33835:millionth cvX2JJa4CFALtqS87jk27qwqGhBM9plV
bandit7@bandit:~$
```
Getting a bit fancier you can just show the password by piping the output to awk and telling that to print the 2nd element, given the separator is a space, which awk recognises by default:
```
bandit7@bandit:~$ grep -n millionth data.txt | awk '{print $2}'
cvX2JJa4CFALtqS87jk27qwqGhBM9plV
bandit7@bandit:~$
```
Powerful stuff this linux.