Yang Hu
Machine Learning Engineer | San Francisco, CA
Today is Christmas. Let’s spend some quality time practicing basic Linux commands for absolutely beginners! I’m doing Bandit, the first serise of the Wargame.
# Level 5 -> 6
bandit5@bandit:~$ cat $(find -size 1033c)
# Level 6 -> 7
# search current dir -> nothing
bandit6@bandit:~$ find -size 33c -group bandit6
# search /home -> a few Permission denied errors
bandit6@bandit:~$ find .. -size 33c -group bandit6
find: ‘../bandit31-git’: Permission denied
find: ‘../drifter8/chroot’: Permission denied
find: ‘../drifter6/data’: Permission denied
find: ‘../bandit27-git’: Permission denied
find: ‘../bandit5/inhere’: Permission denied
find: ‘../bandit30-git’: Permission denied
find: ‘../bandit29-git’: Permission denied
find: ‘../bandit28-git’: Permission denied
find: ‘../ubuntu’: Permission denied
# exclude entries with permission denied -> nothing
bandit6@bandit:~$ find .. -size 33c -group bandit6 2>&1 -ls | grep -v 'Permission denied'
# search the root dir / -> ding ding ding
bandit6@bandit:~$ find / -size 33c -group bandit6 2>&1 -ls | grep -v 'Permission denied'
517684 4 -r-------- 1 bandit6 bandit6 33 Oct 5 06:19 /etc/bandit_pass/bandit6
77124 4 -rw-r----- 1 bandit7 bandit6 33 Oct 5 06:19 /var/lib/dpkg/info/bandit7.password
(omitting some errors...)
bandit6@bandit:~$ cat /var/lib/dpkg/info/bandit7.password
# Level 7 -> 8
bandit7@bandit:~$ cat data.txt | grep millionth
# Level 8 -> 9
bandit8@bandit:~$ sort data.txt | uniq -u
# Level 9 -> 10
# hint 1: man strings, don't "cat" and try to delete non-readable chars
# hint 2: preceded by several ‘=’ characters -> '^=+' means a pattern that starts with one or more "="
bandit9@bandit:~$ strings data.txt | grep -E '^=+'
# Level 10 -> 11
bandit10@bandit:~$ base64 -d data.txt
# Level 11 -> 12
# hint: man tr
bandit11@bandit:~$ cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'
# Level 12 -> 13
# hint: file <File Name> to check the compression type (gzip, tar, bzip2)
# if POSIX tar archive: tar xvf <File Name>
# if gzip: gzip -d <File Name>.gz
# if bzip2: bzip2 -d <File Name>
# Level 13 -> 14
# password is stored in a file only readable to bandit14
bandit13@bandit:~$ find /etc/bandit_pass/ -user bandit14 -ls
517564 4 -r-------- 1 bandit14 bandit14 33 Oct 5 06:19 /etc/bandit_pass/bandit14
# I detoured a bit here because of the problem description mentioned "localhost",
# I thought there's a way for me to directly SSH to localhost with current bandit13 user.
bandit13@bandit:~$ exit
# secure cp the sshkey.private to local
$ scp -P 2220 bandit13@bandit.labs.overthewire.org:/home/bandit13/sshkey.private .
$ ssh bandit14@bandit.labs.overthewire.org -p 2220 -i sshkey.private
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for 'sshkey.private' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
# restrict ssh key permissions
$ chmod 400 ./sshkey.private
$ ls -l ./sshkey.private
-r-------- 1 user root 1679 Dec 25 23:03 ./sshkey.private
# re-run the last ssh command
$ !ssh
Note: This is the point where you can safely take a break without worrying losing the PW to resume to your last level, since you have a valid SSH key on your host.
# Level 14 -> 15
# hint: re-read previous level problem descriptionto find out the password for bandit14
bandit14@bandit:~$ telnet localhost 30000
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
****redacted (PW of bandit14)****
Correct!
****redacted (PW of bandit15)****
# Level 15 -> 16
# man openssl
# man s_client
# man openssl-s_client
bandit15@bandit:~$ openssl s_client localhost:30001
# Level 16 -> 17
bandit16@bandit:~$ nmap localhost -p31000-32000
Starting Nmap 7.80 ( https://nmap.org ) at 2023-12-26 08:03 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
31046/tcp open unknown
31518/tcp open unknown
31691/tcp open unknown
31790/tcp open unknown
31960/tcp open unknown
# nmap can also help you test what protocol a port accepts, but it is SLOW!
# I'd recommend take each port from above list and try them one by one to safe time
# for example:
bandit16@bandit:~$ nmap localhost -p31046 -A -T4 -v
# Level 17 -> 18
# man diff
# Level 18 -> 19;
# hint: ssh accepts commands as args
$ ssh bandit18@bandit.labs.overthewire.org -p 2220 /bin/bash << EOF
(some commands here...)
EOF
# Level 19 -> 20
# ./bandit20-do <command>
# Level 20 -> 21
# append & at the end of a command to run it in the background.
# use 'fg' to bring background processes to foreground
# Level 21 -> 22
# I like this problem the most so far!