bandit level 23

This one took me a shamefully long time to complete, mostly because it’s getting late and I’m not running at 100%. We’re inspecting another cron job. This one appears to look for scripts in /var/spool/bandit24, and if it finds any, executes them and then removes them from the system. This can obviously be exploited to read the password from /etc/bandit_pass/bandit24. The easiest way to do this is to create a simple one-line script to cat the contents of the password file to our home directory.

I wrote the script, set the permissions and then copied it over. But nothing happened… After several more tries, double checking my syntax in the script and looking for bugs, the problem turned out to be the permissions on my home directory. After changing them to 777 (obviously not something that is normally advisable), it worked.

bandit23@bandit:~$ vim getit
bandit23@bandit:~$ chmod 777 getit
bandit23@bandit:~$ chmod 777 /home/bandit23/
bandit23@bandit:~$ cp getit /var/spool/bandit24/

.
.
Time passes
.
.

bandit23@bandit:~$ ls
bandit24.pass  getit
bandit23@bandit:~$ cat bandit24.pass
XXXXXXXXXXXXXXXXXX

bandit level 22

We’re looking at another cronjob this time, cronjob_bandit23. We check the file and find that it appears to be copying the contents of the bandit23 password file to /tmp under a filename that’s derived from the MD5 sum of a string that includes the current user’s name. Based on the cronjob config, the job runs as bandit23, so we can figure out the md5 sum by manually running the command in the script and then substituting the bandit23 string in directly.

bandit22@bandit:/etc/cron.d$ vim cronjob_bandit23
bandit22@bandit:/etc/cron.d$ mytarget=$(echo I am user bandit23 | md5sum | cut -d ' ' -f 1)
bandit22@bandit:/etc/cron.d$ echo $mytarget
XXXXXXXXXXXXXXXXXXX
bandit22@bandit:/etc/cron.d$ cat /tmp/XXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXX
bandit22@bandit:/etc/cron.d$

bandit level 21

We’re told that a cronjob is executing at regular intervals, and we’re to investigate. Looking in /etc/cron.d shows a script called cronjob_bandit22. That looks promising. When we inspect the script, we see that it’s executing /usr/bin/cronjob_bandit22.sh. We try to execute it ourselves, but get an error message about write permissions. However, the error message points to an interesting file. After we try to cat that, we get the password for the next level.

bandit21@bandit:~$ cd /etc/cron.d
bandit21@bandit:/etc/cron.d$ ls
cron-apt  cronjob_bandit22  cronjob_bandit23  cronjob_bandit24  php5
bandit21@bandit:/etc/cron.d$ cat cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
bandit21@bandit:/etc/cron.d$ /usr/bin/cronjob_bandit22.sh
chmod: changing permissions of '/tmp/XXXXXXXXXXXXXXXXXXXXX': Operation not permitted
/usr/bin/cronjob_bandit22.sh: line 3: /tmpXXXXXXXXXXXXXXXXXXX: Permission denied
bandit21@bandit:/etc/cron.d$ cd /tmp/
bandit21@bandit:/tmp$ ls
ls: cannot open directory .: Permission denied
bandit21@bandit:/tmp$ cat /tmpXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXX
bandit21@bandit:/tmp$

bandit level 20

The instructions include a note about how the Docker infrastructure makes this challenge more difficult. We’re told that there’s a setuid binary in our home directory that will connect back to localhost on the port of our choosing. Once it gets a connection, it will expect the program on the other end to give it a string. It will compare this string to the current level 20 password, and if they match, will return the password for level 21.

Supposedly, Docker makes this more difficult because each connection to the server spawns a new environment, which means that setting up a listening program could apparently result in some problems. We cannot set a listening program in one session and then telnet into the same box on another session and invoke the executable. However, I got around this by setting nc listening on a port and appending an ampersand to the command, which has the process continue executing in the background. With the server now waiting, I invoked the program.

bandit20@bandit:~$ cat "/etc/bandit_pass/bandit20" | nc -p 6666 -l&
[1] 112
bandit20@bandit:~$ ./
.cache/    suconnect
bandit20@bandit:~$ ./suconnect 6666
Read: XXXXXXXXXXXXXXXXXXXXXXX
Password matches, sending next password
XXXXXXXXXXXXXXXXXXXXXXXXXXXX
[1]+  Done                    cat "/etc/bandit_pass/bandit20" | nc -p 6666 -l
bandit20@bandit:~$

bandit level 19

This challenge tells us that there’s a setuid binary in our home directory, and that we need to use it to read the password from /etc/bandit_pass/bandit20. We’re instructed to execute it in order to figure out how to use the utility. Trying to run it tells us that it executes a command as another user, which makes sense. It gives the following usage: Example: ./bandit20-do id. I was confused as to what exactly “id” referred to. Was it the user ID I wanted to execute the command as? Was it the actual numerical ID? After fiddling around for a bit, the answer was apparently much more straightforward.

bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
XXXXXXXXXXXXXXXXXXXX
bandit19@bandit:~$

bandit level 18

On this level, we’re told that the password is in the readme file of our home directory. Sounds simple enough. However, there’s a command in the bashrc file that logs us out immediately after we’re authenticated. We can get around that by piping commands to ssh. I believe that this works because the shell that gets spawned on the server is not in interactive mode when we pipe input to ssh.

$ echo "cat ./readme" | ssh -p 2220 [email protected]
Pseudo-terminal will not be allocated because stdin is not a terminal.
 _                     _ _ _
| |__   __ _ _ __   __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|

a http://www.overthewire.org wargame.

[email protected]'s password:
Welcome to Ubuntu 14.04 LTS (GNU/Linux 4.4.0-71-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

bandit level 17

We’re told that there are two files in the home directory, passwords.old and passwords.new. The password for level 18 is the only line that’s different between the two. This can be easily found using the diff utility:

bandit17@bandit:~$ diff passwords.old passwords.new
42c42
< XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
---
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

bandit level 16

This level asks us to find open ports between 31000 and 32000 and figure out which ones are listening. Once we find the open ports, we need to submit the current level password in order to get the next one. We’re told that some of the services will simply repeat whatever we send them, but the real one will give us the next password. Additionally, some of them are using SSL. Based on the hint, we seem to be intended to port scan the box. However, given that we already have command line access, it seems to be much easier to use netstat (note: I realize that the normal net-tools have been deprecated, but I can’t be arsed to look up the replacement commands at the moment, or to even check whether this box has them installed):

bandit16@bandit:~$ netstat -A inet -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:31960                 *:*                     LISTEN
tcp        0      0 *:31518                 *:*                     LISTEN
tcp        0      0 127.0.0.11:36319        *:*                     LISTEN
tcp        0      0 *:31046                 *:*                     LISTEN
tcp        0      0 *:31691                 *:*                     LISTEN
tcp        0      0 *:2220                  *:*                     LISTEN
tcp        0      0 *:31790                 *:*                     LISTEN
tcp        0      0 *:30000                 *:*                     LISTEN
tcp        0      0 *:30001                 *:*                     LISTEN
tcp        0      0 *:auth                  *:*                     LISTEN
tcp        0      0 *:30002                 *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
udp        0      0 127.0.0.11:48614        *:*
bandit16@bandit:~$
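Reading the port numbers out of that table by eye is fine for a dozen lines, but the same filter is worth having as a function when the listing is longer. The script below is an added example, not code from the page: it takes `netstat -l` output on stdin and prints the numeric TCP ports in LISTEN state that fall inside a range. `SAMPLE` is the listing above, embedded as a constant so the script runs offline. It also handles the numeric form of the table (`netstat -ln`, addresses like `0.0.0.0:22` or `:::22`), which the page does not show; entries with service names instead of numbers, such as `*:ssh`, are skipped.

```shell
#!/bin/sh
# Added example (not from the page): list numeric TCP ports in LISTEN state
# within a range, read from netstat output on stdin. SAMPLE is the page's own
# `netstat -A inet -l` listing, embedded so the script runs offline.

SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:31960                 *:*                     LISTEN
tcp        0      0 *:31518                 *:*                     LISTEN
tcp        0      0 127.0.0.11:36319        *:*                     LISTEN
tcp        0      0 *:31046                 *:*                     LISTEN
tcp        0      0 *:31691                 *:*                     LISTEN
tcp        0      0 *:2220                  *:*                     LISTEN
tcp        0      0 *:31790                 *:*                     LISTEN
tcp        0      0 *:30000                 *:*                     LISTEN
tcp        0      0 *:30001                 *:*                     LISTEN
tcp        0      0 *:auth                  *:*                     LISTEN
tcp        0      0 *:30002                 *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
udp        0      0 127.0.0.11:48614        *:*'

# Usage: listening_ports_in_range MIN MAX < netstat-output
# Matches tcp and tcp6 rows whose State column is LISTEN. The port is whatever
# follows the last colon of the Local Address, so "*:31960", "0.0.0.0:31960"
# and ":::31960" all work; non-numeric ports (service names) are skipped.
listening_ports_in_range() {
    awk -v min="$1" -v max="$2" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ":")
            p = a[n]
            if (p ~ /^[0-9]+$/ && p + 0 >= min && p + 0 <= max) print p
        }
    ' | sort -n -u
}

# Demo: the five candidate ports for this level, one per line, ascending.
printf '%s\n' "$SAMPLE" | listening_ports_in_range 31000 32000
```

On a live box the same function is used as `netstat -ltn | listening_ports_in_range 31000 32000`; the output is sorted and de-duplicated so it can be fed straight into a loop that connects to each port in turn.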

Alright, so now we know which ports are open. Let’s connect to them and see what we can find.

bandit16@bandit:~$ telnet 127.0.0.1 31960
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
XXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXX

Nope

bandit16@bandit:~$ telnet 127.0.0.1 31518
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
XXXXXXXXXXXXXXXXXXXXX
ERROR
140737354053280:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:351:
Connection closed by foreign host.
bandit16@bandit:~$

Looks like we’ve found one that’s using SSL.

bandit16@bandit:~$ openssl s_client -ign_eof -connect 127.0.0.1:31518
CONNECTED(00000003)
depth=0 CN = a9678380ab81
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = a9678380ab81
verify return:1
---
Certificate chain
 0 s:/CN=a9678380ab81
   i:/CN=a9678380ab81
---
Server certificate
-----BEGIN CERTIFICATE-----
..... Contents of certificate
-----END CERTIFICATE-----
subject=/CN=a9678380ab81
issuer=/CN=a9678380ab81
---
No client certificate CA names sent
---
SSL handshake has read 1682 bytes and written 637 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: D027A3F5BC416F4792E6B4B2822B43D9C456A8FF6BEEF4C9A389F11EEF18D1C4
    Session-ID-ctx:
    Master-Key: 60DEB19DC1872EF939F8E2D83E85BC410CA191A3D936D896813FA38152739EEEE861588781E3258320F5A273948E2A0B
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1504830754
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
XXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXX


^C

Narp.

Many attempts later

bandit16@bandit:~$ openssl s_client -ign_eof -connect 127.0.0.1:XXXXXX
CONNECTED(00000003)
depth=0 CN = a9678380ab81
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = a9678380ab81
verify return:1
---
Certificate chain
 0 s:/CN=a9678380ab81
   i:/CN=a9678380ab81
---
Server certificate
-----BEGIN CERTIFICATE-----
..... Contents of certificate
-----END CERTIFICATE-----
subject=/CN=a9678380ab81
issuer=/CN=a9678380ab81
---
No client certificate CA names sent
---
SSL handshake has read 1682 bytes and written 637 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 7B3086995FFE2B6D2F18ADC3D9748A14022EE9730552666C56760F18F77B964C
    Session-ID-ctx:
    Master-Key: C9F1B24A5600937DDF8A737560DF51D105045A67D2599A95A1A05F82EB05D01532CA559CFE6D2A3AD8CD0666301C345E
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1504830986
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
XXXXXXXXXXXXXXXXXXXXXXXX
Correct!
-----BEGIN RSA PRIVATE KEY-----
..... Contents of key
-----END RSA PRIVATE KEY-----

read:errno=0
bandit16@bandit:~$

bandit level 15

Similar to the last level, we’re asked to connect to port 30001 on localhost and submit the current password, only this time using SSL. This can be easily accomplished using s_client. As per the hint, we have to specify the -ign_eof switch, otherwise the client seems to disconnect before getting the reply.

bandit15@bandit:~$ man s_client
bandit15@bandit:~$ openssl s_client -ign_eof -connect 127.0.0.1:30001
CONNECTED(00000003)
depth=0 CN = a9678380ab81
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = a9678380ab81
verify return:1
---
Certificate chain
 0 s:/CN=a9678380ab81
   i:/CN=a9678380ab81
---
Server certificate
-----BEGIN CERTIFICATE-----
..... Contents of certificate
-----END CERTIFICATE-----
subject=/CN=a9678380ab81
issuer=/CN=a9678380ab81
---
No client certificate CA names sent
---
SSL handshake has read 1682 bytes and written 637 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: D76E31697DFDE7B7C75CA639E5EC867DE9752DD1135380AA4B58ECD66C21BE67
    Session-ID-ctx:
    Master-Key: 3017399D665D26DDDD7CEC7561E9B2A7074D74EC0C35D58638531F610475915FBB008548ACD8099A57FB2767C9B26F2A
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1504828427
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
XXXXXXXXXXXXXXXXXXXXXXXXXX (password for bandit15)
Correct!
XXXXXXXXXXXXXXXXXXXXXXXXX (password for bandit16)

read:errno=0
bandit15@bandit:~$

bandit level 14

The next level asks us to connect to port 30000 on localhost and submit the password for the current level. The telnet command was available, so it seemed to be the quickest method of getting this done.

bandit14@bandit:~$ cd /etc/bandit_pass/
bandit14@bandit:/etc/bandit_pass$ cat bandit14
XXXXXXXXXXXX (actual password not shown)
bandit14@bandit:/etc/bandit_pass$
bandit14@bandit:/etc/bandit_pass$ telnet 127.0.0.1 30000
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
XXXXXXXXXXXXXXXXXXXXX
Correct!
XXXXXXXXXXXXXXXXXXXXX

Connection closed by foreign host.
bandit14@bandit:/etc/bandit_pass$