Level 0: ssh into the server
ssh bandit0@bandit.labs.overthewire.org -p 2220

Level 0 → Level 1: cat the readme file
cat readme
The readme file contains the password for bandit1.

Level 1 → Level 2: cat a file named -
A bare "-" is normally interpreted by commands as the start of a flag (or as "read standard input"), so a file literally named "-" cannot be opened by passing just its name. It can be read by giving a path to it instead:
cat ./-

Level 2 → Level 3: cat a file with spaces in its name
Whitespace acts as an argument delimiter in bash, so every space inside the filename has to be escaped with a backslash (or the whole name quoted):
cat spaces\ in\ this\ filename

Level 3 → Level 4: The password for the next level is stored in a hidden file in the inhere directory.
cd inhere/ and use ls -la to list all files, including hidden ones, in the inhere directory. Then cat .hidden prints the password for bandit4.
Level 4 → Level 5: The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the "reset" command.
file ./*
reports the type of every file in the directory:
bandit4@bandit:~/inhere$ file ./*
./-file00: data
./-file01: data
./-file02: data
./-file03: data
./-file04: data
./-file05: data
./-file06: data
./-file07: ASCII text
./-file08: data
./-file09: data
Only -file07 is ASCII text, so it is read with cat ./-file07, using a path to get past the leading dash as in Level 2.

Level 5 → Level 6: The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:
human-readable
1033 bytes in size
not executable
Since the size is specified as 1033 bytes, filtering on size is the easiest option:
find ./ -size 1033c
finds the file of the matching size.

Level 6 → Level 7: The password for the next level is stored somewhere on the server and has all of the following properties:
owned by user bandit7
owned by group bandit6
33 bytes in size
All three properties are find predicates, so search the whole filesystem and discard the permission-denied errors:
find / -size 33c -group bandit6 -user bandit7 2>/dev/null
which gives:
bandit6@bandit:~$ find / -size 33c -group bandit6 -user bandit7 2>/dev/null
/var/lib/dpkg/info/bandit7.password
That file holds the password for bandit7.
Level 7 → Level 8: The password for the next level is stored in the file data.txt next to the word millionth
grep selects the line containing millionth, and strings first reduces the file to its printable text so the result comes back faster:
strings data.txt | grep "millionth"

Level 8 → Level 9: The password for the next level is stored in the file data.txt and is the only line of text that occurs only once
We need to print the line that is not repeated.
Solution: sort the data alphabetically so that duplicates become adjacent, then keep only the lines that appear once:
cat data.txt | sort | uniq -u
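As an added illustration (not part of the original walkthrough), the following shell functions show why sort has to run before uniq -u: uniq only collapses adjacent duplicates. The function names and the sample file are my own constructions.

```shell
#!/bin/sh
# Added example: `sort | uniq -u` versus a bare `uniq -u`.

# unique_lines <file>: print every line that occurs exactly once in the file.
# Sorting first makes all copies of a line adjacent, which is what uniq needs.
unique_lines() {
    sort "$1" | uniq -u
}

# naive_unique_lines <file>: the same without sort. uniq only compares each line
# with the one before it, so a line repeated in two distant places is reported
# twice as "unique", and the real answer is buried among false positives.
naive_unique_lines() {
    uniq -u "$1"
}

# make_sample <file>: constructed input. "alpha" appears twice but not adjacently,
# "beta" twice adjacently, and "delta" once. Only "delta" is truly unique.
make_sample() {
    printf 'alpha\nbeta\nbeta\ndelta\nalpha\n' > "$1"
}

# Usage:
#   make_sample /tmp/sample.txt
#   unique_lines /tmp/sample.txt        -> delta
#   naive_unique_lines /tmp/sample.txt  -> alpha, delta, alpha
```

On the level's data.txt the difference is the same: without the sort, every non-adjacent repeat looks unique and the one real answer is lost in the noise.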
Level 9 → Level 10: The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several '=' characters.
"One of the few human-readable strings" is a hint to use strings.
"Preceded by several '=' characters" is a hint to filter for lines that contain a run of several = characters.
strings data.txt | grep -E '(=)\1{2,}'
strings prints only the human-readable text; grep -E '(=)\1{2,}' keeps the lines in which = repeats more than twice in a row (a captured = followed by at least two backreferences to it):
bandit9@bandit:~$ strings data.txt | grep -E '(=)\1{2,}'
========== the*2i"4
========== password
Z)========== is
&========== <key-here>
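Added example (not from the original post): the pattern (=)\1{2,} captures one = as group 1 and requires two or more backreferences to it, so it matches any run of three or more = and is equivalent to ={3,}. The function below keeps only such lines and strips everything up to and including the run, which isolates the candidate strings. The function names are mine and the sample input is constructed from the shape of the output above.

```shell
#!/bin/sh
# Added example: isolate the text that follows a run of '=' characters.

# after_eq_run <file>: keep lines containing three or more consecutive '=' and
# print only what follows the run (leading whitespace removed).
# '(=)\1{2,}' and '={3,}' match the same thing; the backreference form is the
# one used in the walkthrough, the explicit form reads more clearly in sed.
after_eq_run() {
    grep -E '(=)\1{2,}' "$1" | sed -E 's/^.*={3,}[[:space:]]*//'
}

# make_sample <file>: constructed lines modelled on the strings output, plus two
# lines that contain '=' but no run of three, which must be dropped.
make_sample() {
    printf '%s\n' \
        'key=value' \
        '========== the*2i"4' \
        '========== password' \
        '==x' \
        'Z)========== is' \
        '&========== <key-here>' > "$1"
}

# Usage:
#   make_sample /tmp/eq.txt
#   after_eq_run /tmp/eq.txt   -> four lines: the*2i"4, password, is, <key-here>
```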
Level 10 → Level 11: The password for the next level is stored in the file data.txt, which contains base64 encoded data
base64 -d decodes it:
cat data.txt | base64 -d
which gives:
bandit10@bandit:~$ cat data.txt | base64 -d
The password is <key-here>

Level 11 → Level 12: The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions
This is a ROT13 problem. tr replaces each character of the first set with the character at the same position in the second set, so it can rotate the alphabet by 13 places:
cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'
tr 'A-Za-z' 'N-ZA-Mn-za-m' maps A-Za-z onto N-ZA-Mn-za-m, which is a rotation by 13 characters (ROT13).

Level 12 → Level 13: The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)
xxd -r turns the hexdump back into binary; then file identifies each layer, and bzip2, gzip or tar extracts the corresponding format, repeated until the content is plain text:
bandit12@bandit:/tmp/folder/copy.txt$ xxd -r data.txt > newDat
bandit12@bandit:/tmp/folder/copy.txt$ ls
data.txt file hexdump.gz newDat
bandit12@bandit:/tmp/folder/copy.txt$ file newDat
newDat: gzip compressed data, was "data2.bin", last modified: Thu May 7 18:14:30 2020, max compression, from Unix
bandit12@bandit:/tmp/folder/copy.txt$ mv newDat newDat.gz
bandit12@bandit:/tmp/folder/copy.txt$ gzip -d newDat.gz
bandit12@bandit:/tmp/folder/copy.txt$ ls
data.txt file hexdump.gz newDat
bandit12@bandit:/tmp/folder/copy.txt$ file newDat
newDat: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/folder/copy.txt$ mv newDat newDat.bz2
bandit12@bandit:/tmp/folder/copy.txt$ bzip2 -d newDat.bz2
bandit12@bandit:/tmp/folder/copy.txt$ file newDat
newDat: gzip compressed data, was "data4.bin", last modified: Thu May 7 18:14:30 2020, max compression, from Unix
bandit12@bandit:/tmp/folder/copy.txt$ mv newDat newDat.gz
bandit12@bandit:/tmp/folder/copy.txt$ gzip -d newDat.gz
bandit12@bandit:/tmp/folder/copy.txt$ file newDat
newDat: POSIX tar archive (GNU)
bandit12@bandit:/tmp/folder/copy.txt$ mv newDat newDat.tar
bandit12@bandit:/tmp/folder/copy.txt$ tar -vxf newDat.tar
data5.bin
bandit12@bandit:/tmp/folder/copy.txt$ mv data5.bin data5.tar
bandit12@bandit:/tmp/folder/copy.txt$ tar -vxf data5.tar
data6.bin
bandit12@bandit:/tmp/folder/copy.txt$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/folder/copy.txt$ mv data6.bin data6.bz2
bandit12@bandit:/tmp/folder/copy.txt$ bzip2 -d data6.bz2
bandit12@bandit:/tmp/folder/copy.txt$ ls
data5.tar data6 data.txt file hexdump.gz newDat.tar
bandit12@bandit:/tmp/folder/copy.txt$ file data6
data6: POSIX tar archive (GNU)
bandit12@bandit:/tmp/folder/copy.txt$ mv data6 data6.tar
bandit12@bandit:/tmp/folder/copy.txt$ tar -xvf data6.tar
data8.bin
bandit12@bandit:/tmp/folder/copy.txt$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", last modified: Thu May 7 18:14:30 2020, max compression, from Unix
bandit12@bandit:/tmp/folder/copy.txt$ mv data8.bin data8.gz
bandit12@bandit:/tmp/folder/copy.txt$ gzip -d data8.gz
bandit12@bandit:/tmp/folder/copy.txt$ ls
data5.tar data6.tar data8 data.txt file hexdump.gz newDat.tar
bandit12@bandit:/tmp/folder/copy.txt$ file data8
data8: ASCII text
bandit12@bandit:/tmp/folder/copy.txt$ cat data8
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
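The manual file / mv / decompress cycle above can be automated. The script below is an added example (not the walkthrough author's code): it identifies each layer from its magic bytes instead of calling file, so it also works where file is not installed, and it generalises the procedure to any nesting of gzip, bzip2 and tar layers. It assumes xxd, gzip, bzip2 and tar are available; the function names and the layerN file naming are my own.

```shell
#!/bin/sh
# Added example: automate the file / mv / decompress cycle for a hexdump of a
# repeatedly compressed file. Each layer is identified by its magic bytes, so
# the loop does not depend on the `file` command or on file extensions.

# magic_type <file>: prints gzip, bzip2, tar or other, decided from the bytes.
magic_type() {
    head3=$(od -An -tx1 -N3 "$1" | tr -d ' \n')
    case "$head3" in
        1f8b*)  echo gzip;  return ;;   # gzip member header
        425a68) echo bzip2; return ;;   # "BZh"
    esac
    # POSIX/GNU tar headers carry the string "ustar" at byte offset 257.
    if [ "$(tail -c +258 "$1" | head -c 5)" = "ustar" ]; then
        echo tar; return
    fi
    echo other
}

# unpack_chain <input> <workdir>: <input> may be an xxd hexdump (as data.txt is)
# or already binary. Peels one layer per iteration until nothing recognisable
# is left and prints the path of that innermost file.
unpack_chain() {
    src=$1; work=$2
    mkdir -p "$work"
    cur="$work/layer0"
    # An xxd hexdump starts with an 8-hex-digit offset and a colon; xxd -r reverses it.
    if head -c 9 "$src" | grep -q '^[0-9a-f]\{8\}:'; then
        xxd -r "$src" > "$cur"
    else
        cp "$src" "$cur"
    fi
    n=0
    while :; do
        n=$((n + 1)); next="$work/layer$n"
        case "$(magic_type "$cur")" in
            gzip)  gzip -dc "$cur" > "$next" ;;
            bzip2) bzip2 -dc "$cur" > "$next" ;;
            tar)
                # Each tar layer in this chain holds a single member; extract it
                # into its own directory and continue with that member.
                mkdir -p "$work/tar$n"
                tar -xf "$cur" -C "$work/tar$n"
                member=$(tar -tf "$cur" | head -n 1)
                cp "$work/tar$n/$member" "$next" ;;
            *)     echo "$cur"; return 0 ;;
        esac
        cur=$next
    done
}

# Usage on the level's data, from a scratch directory under /tmp:
#   cat "$(unpack_chain data.txt /tmp/myname123/work)"
```

Checking magic bytes rather than trusting extensions is also the safer habit outside the game: a renamed file does not change what it contains, and the loop stops as soon as a layer is not one of the three expected containers instead of guessing.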
Level 13 → Level 14: The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don't get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on
Looking at the files in the home directory, there was a file ssh.privatekey, which is an SSH private key.
Copied the private key, set its permissions to -rw------- (ssh refuses to use a key file that other users can read), and used it to log in as bandit14 on the same machine with ssh -i ssh.privatekey bandit14@localhost -p 2220.
Reading /etc/bandit_pass/bandit14 then gives the password.
ssh -i ssh.privatekey bandit14@localhost -p 2220

Level 14 → Level 15: The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
Used the password from /etc/bandit_pass/bandit14 and sent it to 127.0.0.1:30000 with nc:
cat /etc/bandit_pass/bandit14 | nc 127.0.0.1 30000

Level 15 → Level 16: The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
Helpful note: Getting "HEARTBEATING" and "Read R BLOCK"? Use -ign_eof and read the "CONNECTED COMMANDS" section in the manpage. Next to 'R' and 'Q', the 'B' command also works in this version of that command...
Since SSL encryption is required for this one, openssl is the tool to use. Its s_client subcommand is a generic TLS client that opens an encrypted connection to a host and port.
Using cat /etc/bandit_pass/bandit15 | openssl s_client -connect 127.0.0.1:30001, the connection was established over TLS, but the output was dominated by the server certificate and handshake details. The -quiet option suppresses that information, so the server's response can be seen clearly:
cat /etc/bandit_pass/bandit15 | openssl s_client -connect 127.0.0.1:30001 -quiet
Level 16 → Level 17: The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don't. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
Used nmap to scan the port range with nmap -sC 127.0.0.1 -p31000-32000
which found these ports:
bandit16@bandit:~$ nmap -sC 127.0.0.1 -p31000-32000
Starting Nmap 7.40 ( https://nmap.org ) at 2022-06-03 19:22 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00045s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
31046/tcp open unknown
31518/tcp filtered unknown
31691/tcp open unknown
31790/tcp open unknown
31960/tcp open unknown
Then ran service detection on the ports found, with nmap -sV 127.0.0.1 -p31046,31518,31691,31790,31960
which resulted in:
bandit16@bandit:~$ nmap -sV 127.0.0.1 -p31046,31518,31691,31790,31960
Starting Nmap 7.40 ( https://nmap.org ) at 2022-06-03 19:24 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00026s latency).
PORT STATE SERVICE VERSION
31046/tcp open echo
31518/tcp filtered unknown
31691/tcp open echo
31790/tcp open ssl/unknown
31960/tcp open echo
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port31790-TCP:V=7.40%T=SSL%I=7%D=6/3%Time=629A43F2%P=x86_64-pc-linux-gn
SF:u%r(GenericLines,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20cur
SF:rent\x20password\n")%r(GetRequest,31,"Wrong!\x20Please\x20enter\x20the\
SF:x20correct\x20current\x20password\n")%r(HTTPOptions,31,"Wrong!\x20Pleas
SF:e\x20enter\x20the\x20correct\x20current\x20password\n")%r(RTSPRequest,3
SF:1,"Wrong!\x20Please\x20enter\x20the\x20correct\x20current\x20password\n
SF:")%r(Help,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20current\x2
SF:0password\n")%r(SSLSessionReq,31,"Wrong!\x20Please\x20enter\x20the\x20c
SF:orrect\x20current\x20password\n")%r(TLSSessionReq,31,"Wrong!\x20Please\
SF:x20enter\x20the\x20correct\x20current\x20password\n")%r(Kerberos,31,"Wr
SF:ong!\x20Please\x20enter\x20the\x20correct\x20current\x20password\n")%r(
SF:FourOhFourRequest,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20cu
SF:rrent\x20password\n")%r(LPDString,31,"Wrong!\x20Please\x20enter\x20the\
SF:x20correct\x20current\x20password\n")%r(LDAPSearchReq,31,"Wrong!\x20Ple
SF:ase\x20enter\x20the\x20correct\x20current\x20password\n")%r(SIPOptions,
SF:31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20current\x20password\
SF:n");
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 90.87 seconds
This confirmed that the port we were seeking was 31790: the other open ports are plain echo services, while 31790 speaks SSL and answers with a password prompt. So used cat /etc/bandit_pass/bandit16 | openssl s_client -connect 127.0.0.1:31790 -quiet, got an SSH private key in the response, and used the same technique as in Level 13 → Level 14 (save the key, chmod 600, ssh -i) to get access to bandit17.
nmap -sC 127.0.0.1 -p31000-32000
nmap -sV 127.0.0.1 -p31046,31518,31691,31790,31960
cat /etc/bandit_pass/bandit16 | openssl s_client -connect 127.0.0.1:31790 -quiet
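Added example (not from the original post): two small awk filters that read a saved nmap report, so the open ports from the first scan can be passed to -sV without retyping them, and the single SSL service can be picked out of the second. The function names are mine and the sample tables are constructed copies of the scan output above.

```shell
#!/bin/sh
# Added example: pull ports out of saved nmap output instead of retyping them.

# open_ports <nmap-output-file>: comma-separated list of ports whose STATE is
# "open", in the form -p expects. Filtered ports (31518 above) are excluded:
# nothing answered there, so there is nothing to probe further.
open_ports() {
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" {
             sub(/\/tcp$/, "", $1); printf "%s%s", sep, $1; sep = ","
         }
         END { print "" }' "$1"
}

# open_ports_with_service <nmap -sV output> <regex>: open ports whose SERVICE
# column matches the regex, e.g. "^ssl" to find the TLS speaker among the
# plain echo services.
open_ports_with_service() {
    awk -v pat="$2" '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" && $3 ~ pat {
             sub(/\/tcp$/, "", $1); print $1
         }' "$1"
}

# make_sample_sc <file>: constructed copy of the port table from the -sC scan.
make_sample_sc() {
    printf '%s\n' \
        'PORT STATE SERVICE' \
        '31046/tcp open unknown' \
        '31518/tcp filtered unknown' \
        '31691/tcp open unknown' \
        '31790/tcp open unknown' \
        '31960/tcp open unknown' > "$1"
}

# make_sample_sv <file>: constructed copy of the port table from the -sV scan.
make_sample_sv() {
    printf '%s\n' \
        'PORT STATE SERVICE VERSION' \
        '31046/tcp open echo' \
        '31518/tcp filtered unknown' \
        '31691/tcp open echo' \
        '31790/tcp open ssl/unknown' \
        '31960/tcp open echo' > "$1"
}

# Usage, with the first scan saved to scan1.txt and the second to scan2.txt:
#   nmap -sV 127.0.0.1 -p"$(open_ports scan1.txt)"
#   open_ports_with_service scan2.txt '^ssl'   -> 31790
```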
Level 17 → Level 18: There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new
NOTE: if you have solved this level and see 'Byebye!' when trying to log into bandit18, this is related to the next level, bandit19
diff passwords.old passwords.new
shows the one changed line; the version from passwords.new is the password.

Level 18 → Level 19: The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
Giving ssh a command to run executes it in a non-interactive session instead of opening an interactive login shell, so the forced logout in .bashrc does not get in the way:
ssh bandit18@bandit.labs.overthewire.org -p 2220 "cat readme"

Level 19 → Level 20: To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.
Found a file bandit20-do, a setuid binary that executes the given command as bandit20. Read the password of bandit20 with:
./bandit20-do cat /etc/bandit_pass/bandit20
Level 20 → Level 21: There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
suconnect reads its line of input from whatever is listening on the port it connects to, so something has to be listening there first. Opened two ssh sessions: in the first started nc listening on port 52550, in the second ran suconnect against that port, then typed the bandit20 password into the nc session. suconnect reads it and, because it matches, sends the next password back over the same connection.
Terminal 1:
bandit20@bandit:~$ nc -nvlp 52550
listening on [any] 52550 ...
Terminal 2:
bandit20@bandit:~$ ./suconnect 52550
Terminal 1:
bandit20@bandit:~$ nc -nvlp 52550
listening on [any] 52550 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 41858
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Terminal 2:
bandit20@bandit:~$ ./suconnect 52550
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password
Terminal 1:
bandit20@bandit:~$ nc -nvlp 52550
listening on [any] 52550 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 41858
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
Got the password of bandit21
Level 21 → Level 22: A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
bandit21@bandit:~$ cat /etc/cron
cron.d/ cron.daily/ cron.hourly/ cron.monthly/ crontab cron.weekly/
bandit21@bandit:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
bandit21@bandit:~$ ls -la /etc/cron.d
total 36
drwxr-xr-x 2 root root 4096 Jul 11 2020 .
drwxr-xr-x 87 root root 4096 May 14 2020 ..
-rw-r--r-- 1 root root 62 May 14 2020 cronjob_bandit15_root
-rw-r--r-- 1 root root 62 Jul 11 2020 cronjob_bandit17_root
-rw-r--r-- 1 root root 120 May 7 2020 cronjob_bandit22
-rw-r--r-- 1 root root 122 May 7 2020 cronjob_bandit23
-rw-r--r-- 1 root root 120 May 14 2020 cronjob_bandit24
-rw-r--r-- 1 root root 62 May 14 2020 cronjob_bandit25_root
-rw-r--r-- 1 root root 102 Oct 7 2017 .placeholder
bandit21@bandit:~$ cat /etc/cron.d/cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
bandit21@bandit:~$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
bandit21@bandit:~$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
<key:here>
Level 22 → Level 23: A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
bandit22@bandit:~$ ls
bandit22@bandit:~$ cat /etc/cron.d/cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
bandit22@bandit:~$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget
bandit22@bandit:~$ ls /tmp/
ls: cannot open directory '/tmp/': Permission denied
bandit22@bandit:~$ whoami
bandit22
bandit22@bandit:~$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349
bandit22@bandit:~$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
<key:here>
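Added example (not from the original post): the session above reproduces the script's hashing step by hand for bandit23. The functions below, whose names are my own, do the same for any user so the target path can be predicted without running the script. The one detail that matters is that echo appends a newline and that newline is part of what md5sum hashes, so the reproduction has to use echo (or printf with \n) exactly as the script does.

```shell
#!/bin/sh
# Added example: predict where cronjob_bandit23.sh writes for a given user by
# reproducing its hashing step, rather than executing the script.

# target_for_user <username>: the file name the script derives from the string
# "I am user <username>". echo adds a trailing newline, and that newline is
# hashed too, so this must use echo exactly like the script does.
target_for_user() {
    echo "I am user $1" | md5sum | cut -d ' ' -f 1
}

# password_path_for_user <username>: the full path the script writes to when
# cron runs it as that user.
password_path_for_user() {
    echo "/tmp/$(target_for_user "$1")"
}

# Usage:
#   target_for_user bandit23   -> 8ca319486bfbbc3663ea0fbe81326349 (as in the session above)
#   password_path_for_user bandit23
```

Running the script yourself as bandit22 only tells you where bandit22's copy lands; the cron entry runs it as bandit23, so the name has to be computed for that user, which is what the hand calculation in the session does.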
Level 23 → Level 24: A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around...
bandit23@bandit:/tmp$ vim /var/spool/bandit24/new.sh
bandit23@bandit:/tmp$ chmod 555 /var/spool/bandit24/new.sh
bandit23@bandit:/tmp$ cat bandit24_pass.txt
cat: bandit24_pass.txt: No such file or directory
bandit23@bandit:/tmp$ cat bandit24_pass.txt
<key:here>
Bash script of new.sh (the first cat above ran before the cron job had executed the script; after the next run the file exists):
#!/bin/bash
# Runs as bandit24 from the cron job, so it can read bandit24's password file.
cat /etc/bandit_pass/bandit24 > /tmp/bandit24_pass.txt
# Make the copy readable by bandit23. 777 also makes it writable by everyone; 644 is enough to read it.
chmod 777 /tmp/bandit24_pass.txt