bandit level 13

The next challenge seems to change direction a little. We’re told that the password is located in /etc/bandit_pass/bandit14, and it’s only readable by bandit14. We are, however, provided with an ssh key that we can use to log in as bandit14. I chose to cat the contents and then add the private key to my local machine. Using the following command, we can derive the public key from the private key file: ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub. The -f switch specifies the private key file, and the -y switch outputs the public key. With this complete, we can now ssh to the bandit server as bandit14.

user@compy ~
$ ssh-keygen -y -f ./id_rsa > ~/.ssh/id_rsa.pub
user@compy ~
$ ssh -p 2220 bandit14@bandit.labs.overthewire.org
 _                     _ _ _
| |__   __ _ _ __   __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|

a http://www.overthewire.org wargame.

Welcome to Ubuntu 14.04 LTS (GNU/Linux 4.4.0-71-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

bandit14@bandit:~$ ls
bandit14@bandit:~$

bandit level 9

Moving from level 9 to 10 involves finding a string inside the data.txt file that begins with several “=” characters. Inspecting the data file reveals quite a bit of binary data mixed in with the text. Using the strings command, we can pick out the printable text. From there we can simply grep for any line that contains at least two “=” characters in a row.

bandit9@bandit:~$ strings data.txt | grep -E "={2}"
J========== the
========== password
========== is
W==========XXXXXXXXXXXXXXXXXXX (actual password not shown)
bandit9@bandit:~$

bandit level 8

The next challenge asks us to find a word that occurs exactly once in the data.txt file. We can accomplish this using sort and uniq. We cat the data file and pipe the results to sort, which doesn’t need any switches. We then pipe the sorted strings to uniq and give the command the -c switch, which prefixes the string with the number of times that string is present. Finally, we use grep to look for the line with a count of one.

bandit8@bandit:~$ cat data.txt | sort | uniq -c | grep "1 "
      1 XXXXXXXXXXXXXXXXXXXXX (actual password not shown)
bandit8@bandit:~$

bandit level 7

The description for the next challenge tells us that the password is in the file called data.txt, next to the word millionth. A simple grep through the file gets us the password.

bandit7@bandit:~$ ls
data.txt
bandit7@bandit:~$ grep millionth data.txt
millionth       XXXXXXXXXXXXXXXXXXXXXXXX(actual password not shown)
bandit7@bandit:~$

bandit level 6

The instructions for this level ask us to find a file with the following attributes:

  • owned by user bandit7
  • owned by group bandit6
  • 33 bytes in size

Unlike the prior challenge, this file can be anywhere on the file system. After another trip to the man pages, this appears to be solvable by adding a couple of switches for the group and user. We redirect stderr to /dev/null to cut out the noise of find complaining about directories it doesn’t have permission to read.

bandit6@bandit:~$ find / -size 33c -group bandit6 -user bandit7 2>/dev/null
/var/lib/dpkg/info/bandit7.password
bandit6@bandit:~$ cat /var/lib/dpkg/info/bandit7.password
XXXXXXXXXXXXXXXXXX (actual password not shown)
bandit6@bandit:~$

bandit level 5

The next challenge stipulates that there’s a file in the “inhere” directory with the following attributes:

  • human-readable
  • 1033 bytes in size
  • not executable

Honestly, my knowledge of the find command is pretty lacking. I always have to hit the man pages when I need to do anything beyond a simple find / -name somefile.txt. After browsing through the manual for a while I came up with the following. I wasn’t really sure what the exact definition of “human-readable” was, and nothing in the man page stood out to me as a way of identifying that attribute. I decided to use a similar solution to previous problems and used the file command to look for the ASCII string. Perhaps I could’ve done that through find’s -exec switch?

bandit5@bandit:~$ find ./inhere -size 1033c \! -executable | xargs -I fl file fl | grep ASCII
./inhere/maybehere07/.file2: ASCII text, with very long lines
bandit5@bandit:~$ cd ./inhere/maybehere07/
bandit5@bandit:~/inhere/maybehere07$ cat .file2
XXXXXXXXXXXXXXXXXXX (actual password not shown)
bandit5@bandit:~/inhere/maybehere07$

bandit level 4

The next stage tells us the password is in the only human readable file inside the “inhere” directory. The first thing I thought of was using the file command to inspect everything in the dir and find something that was text. I was foiled for a second due to all of the files starting with a dash, but got around that by using xargs.

bandit4@bandit:~$ ls
inhere
bandit4@bandit:~$ cd inhere/
bandit4@bandit:~/inhere$ ls
-file00  -file01  -file02  -file03  -file04  -file05  -file06  -file07  -file08  -file09
bandit4@bandit:~/inhere$ file *
file: Cannot open `ile00' (No such file or directory).
file: Cannot open `ile01' (No such file or directory).
file: Cannot open `ile02' (No such file or directory).
file: Cannot open `ile03' (No such file or directory).
file: Cannot open `ile04' (No such file or directory).
file: Cannot open `ile05' (No such file or directory).
file: Cannot open `ile06' (No such file or directory).
file: Cannot open `ile07' (No such file or directory).
file: Cannot open `ile08' (No such file or directory).
file: Cannot open `ile09' (No such file or directory).
bandit4@bandit:~/inhere$ ls | xargs -I fl  file ./fl
./-file00: data
./-file01: data
./-file02: data
./-file03: data
./-file04: data
./-file05: data
./-file06: data
./-file07: ASCII text
./-file08: data
./-file09: data
bandit4@bandit:~/inhere$ cat ./-file07
XXXXXXXXXXXXXXXXXXXXXXXX (actual password not shown)
bandit4@bandit:~/inhere$

bandit level 3

The next level involves getting the password from a hidden file inside the “inhere” directory. A little trip to the man pages will help us figure out what switches we need for listing hidden files.

bandit3@bandit:~$ ls
inhere
bandit3@bandit:~$ cd inhere/
bandit3@bandit:~/inhere$ ls -asl
total 12
4 drwxr-xr-x 2 root    root    4096 Jun 15 11:41 .
4 drwxr-xr-x 4 bandit3 bandit3 4096 Sep  6 21:32 ..
4 -rw-r----- 1 bandit4 bandit3   33 Jun 15 11:41 .hidden
bandit3@bandit:~/inhere$ cat .hidden
XXXXXXXXXXXXXXXXXXXX (actual password not shown)
bandit3@bandit:~/inhere$

bandit level 2

Moving from level 2 to 3 involves getting the password from a file with spaces in the filename. Not a problem.

bandit2@bandit:~$ ls
spaces in this filename
bandit2@bandit:~$ cat "spaces in this filename"
XXXXXXXXXXXXXXXXXXXXXX (actual password not shown)
bandit2@bandit:~$

bandit level 12

The level tells us that a hexdumped file has been compressed multiple times, and we need to decompress it in order to get the password. We first created a directory under /tmp and copied the data.txt file there. Using the xxd command, we can take the data.txt file and convert it back into the compressed file. Using the file command we can inspect the result and figure out what command we need to use. I suppose there could be a way of automating this, but I just manually uncompressed the file each time until I got down to the original ASCII text.

bandit12@bandit:/tmp/bandit12$ xxd -r data.txt  > data
bandit12@bandit:/tmp/bandit12$ ls
data  data.txt
bandit12@bandit:/tmp/bandit12$ file data
data: gzip compressed data, was "data2.bin", from Unix, last modified: Thu Jun 15 11:40:53 2017, max compression
bandit12@bandit:/tmp/bandit12$ mv data data.gz
bandit12@bandit:/tmp/bandit12$ gunzip data.gz
bandit12@bandit:/tmp/bandit12$ ls
data  data.txt
bandit12@bandit:/tmp/bandit12$ file data
data: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/bandit12$ bzip2 -d data
bzip2: Can't guess original name for data -- using data.out
bandit12@bandit:/tmp/bandit12$ file data.out
data.out: gzip compressed data, was "data4.bin", from Unix, last modified: Thu Jun 15 11:40:53 2017, max compression
bandit12@bandit:/tmp/bandit12$ mv data.out data.gz
bandit12@bandit:/tmp/bandit12$ gunzip data.gz
bandit12@bandit:/tmp/bandit12$ ls
data  data.txt
bandit12@bandit:/tmp/bandit12$ file data
data: POSIX tar archive (GNU)
bandit12@bandit:/tmp/bandit12$ tar -xvf data
data5.bin
bandit12@bandit:/tmp/bandit12$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@bandit:/tmp/bandit12$ tar -xvf data5.bin
data6.bin
bandit12@bandit:/tmp/bandit12$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/bandit12$ bzip2 -d data6.bin
bzip2: Can't guess original name for data6.bin -- using data6.bin.out
bandit12@bandit:/tmp/bandit12$ ls
data  data.txt  data5.bin  data6.bin.out
bandit12@bandit:/tmp/bandit12$ file data6.bin.out
data6.bin.out: POSIX tar archive (GNU)
bandit12@bandit:/tmp/bandit12$ tar -xvf data6.bin.out
data8.bin
bandit12@bandit:/tmp/bandit12$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", from Unix, last modified: Thu Jun 15 11:40:53 2017, max compression
bandit12@bandit:/tmp/bandit12$ mv data8.bin data8.gz
bandit12@bandit:/tmp/bandit12$ gunzip data8.gz
bandit12@bandit:/tmp/bandit12$ ls
data  data.txt  data5.bin  data6.bin.out  data8
bandit12@bandit:/tmp/bandit12$ file data8
data8: ASCII text
bandit12@bandit:/tmp/bandit12$ cat data8
The password is XXXXXXXXXXXXXXXXXX (actual password not shown)
bandit12@bandit:/tmp/bandit12$
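As an added example that is not part of the original post, here is the automation speculated about above: a POSIX shell script that peels one layer at a time until the content is plain text. It assumes gzip, tar and (only if such a layer occurs) bzip2 are installed, recognizes each layer by its magic bytes instead of running file, starts from the binary produced by xxd -r, and is exercised on a constructed nested sample rather than the level's data.txt.

```shell
# Added example, not from the original post: automate the level-12 unwrapping.
# Layers are identified by magic bytes rather than file(1): gzip = 1f 8b,
# bzip2 = "BZh", tar = "ustar" at byte offset 257. Assumes gzip, tar and,
# for a bzip2 layer, bzip2 are installed.

layer_type() {
    # Print gzip | bzip2 | tar | other for the file named in $1.
    magic=$(head -c 3 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        1f8b*)  echo gzip ;;
        425a68) echo bzip2 ;;
        *) if [ "$(dd if="$1" bs=1 skip=257 count=5 2>/dev/null)" = "ustar" ]
           then echo tar; else echo other; fi ;;
    esac
}

unwrap() {
    # Peel layers off the file in $1 inside a scratch directory until the
    # content is no longer gzip/bzip2/tar, then print the innermost file's path.
    # Each tar layer is assumed to hold a single member, as in the level.
    (
        work=$(mktemp -d)
        cp "$1" "$work/layer" && cd "$work" || exit 1
        while :; do
            case "$(layer_type layer)" in
                gzip)  mv layer layer.gz  && gunzip  layer.gz  ;;
                bzip2) mv layer layer.bz2 && bunzip2 layer.bz2 ;;
                tar)   mkdir member && tar -xf layer -C member && rm layer
                       mv member/* layer && rmdir member ;;
                *)     break ;;
            esac
        done
        printf '%s\n' "$work/layer"
    )
}

make_sample() {
    # Constructed test input (not the level's real data): text -> gzip -> tar
    # -> gzip, the same kinds of layering seen in the session above.
    (
        d=$(mktemp -d) && cd "$d" || exit 1
        printf 'The password is EXAMPLE_NOT_REAL\n' > data9.bin
        gzip data9.bin && mv data9.bin.gz data5.bin
        tar -cf data4.bin data5.bin && gzip data4.bin
        printf '%s\n' "$d/data4.bin.gz"
    )
}

inner=$(unwrap "$(make_sample)") && cat "$inner"
```

On the real level you would run unwrap on the output of xxd -r data.txt; the bzip2 branch covers the layers that bzip2 -d handled by hand above.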