Bandit (English)

This is a brief walkthrough of all levels of the OverTheWire Bandit wargame.

Bandit 0>1:

  • Sign in with SSH: ssh bandit0@bandit.labs.overthewire.org -p 2220
  • List the contents of the current directory: ls
  • Read the readme file to obtain the password for the next level: cat readme

Bandit 1>2:

  • SSH in as bandit1.
  • List the contents of the current directory.
  • Read the file with cat < - ; you need this redirection because the file name starts with a dash (-), which a bare cat - would read as standard input instead of as a file name.

Bandit 2>3:

  • To read a file whose name contains spaces, put the name between quotation marks (" ").

Bandit 3>4:

  • cd to the inhere directory
  • ls -a to view the hidden files
  • cat .hidden

Bandit 4>5:

  • Read each file with cat < "filename" until you find the one containing the password.

Bandit 5>6:

  • cd to the inhere folder
  • Find the file with the specified characteristics using find . -type f -size 1033c ! -executable

Bandit 6>7:

  • Find the file with the specified characteristics using find / -type f -user bandit7 -group bandit6 -size 33c

Bandit 7>8:

  • To find the password quickly, use the strings command, which prints the printable character sequences in a file: any run of 4 or more printable characters followed by an unprintable character such as a newline.
  • Run strings on the file and pipe the output to grep to print only the line that contains "millionth": strings data.txt | grep "millionth".

Bandit 8>9:

  • To solve this, sort the lines of data.txt and count how often each one occurs: sort data.txt | uniq -c. sort puts the lines in alphabetical order so that duplicates are adjacent, and its output is piped into uniq -c, which prefixes each distinct line with its number of occurrences; the line that occurs only once is the password.

Bandit 9>10:

  • strings data.txt | grep "=="

Bandit 10>11:

  • The data is base64-encoded, so simply decode it: base64 -d data.txt

Bandit 11>12:

  • Go to CyberChef, choose the ROT13 operation and paste in the contents of data.txt. This reveals the password for the next level.

Bandit 12>13:

  • This level involves creating and modifying many files, so start by changing the working directory to /tmp (or a directory you create under it), where you have permission to read and write.
  • The file is a hexdump, so the first step is to reverse it: xxd -r /home/bandit12/data.txt > data
  • Identify the type of the resulting file and unpack it accordingly, repeating on each result until you are left with plain text:
    • If the file is gzip-compressed, rename it with a .gz extension and decompress it with gzip -d.
    • If the file is bzip2-compressed, rename it with a .bz2 extension and decompress it with bzip2 -d.
    • If the file is a tar archive, rename it with a .tar extension and extract it with tar xf.
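As an added example that is not part of the original writeup, the Python script below does the same work as the steps above, but decides each layer's type from its magic bytes (what the file command reports) instead of trusting a renamed extension, and refuses to recurse forever. It assumes each tar layer holds a single member, as in this level, and replaces data.txt with a constructed sample so that it runs offline.

```python
import bz2, gzip, io, tarfile

def hexdump(data):
    """xxd-style dump, 16 bytes per row; used only to build the constructed sample."""
    rows = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexcol = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{off:08x}: {hexcol:<39}  {asc}")
    return "\n".join(rows) + "\n"

def reverse_hexdump(text):
    """Undo xxd output (what `xxd -r` does): keep only the hex column of each row."""
    cols = (ln.split(":", 1)[1].split("  ", 1)[0] for ln in text.splitlines() if ln.strip())
    return bytes.fromhex("".join(cols).replace(" ", ""))

def identify(data):
    """Classify a layer by its magic bytes, as `file` does; extensions are ignored."""
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[:3] == b"BZh":
        return "bzip2"
    return "tar" if data[257:262] == b"ustar" else "text"

def unpack_layers(data, max_layers=20):
    """Peel gzip/bzip2/tar layers until plain text remains; return (payload, layers)."""
    layers = []
    for _ in range(max_layers):
        kind = identify(data)
        if kind == "text":
            return data, layers
        layers.append(kind)
        if kind == "gzip":
            data = gzip.decompress(data)
        elif kind == "bzip2":
            data = bz2.decompress(data)
        else:  # tar: the Bandit 12 archives each hold a single member (assumption)
            with tarfile.open(fileobj=io.BytesIO(data)) as tar:
                data = tar.extractfile(tar.getmembers()[0]).read()
    raise ValueError("too many nested layers, refusing to continue")  # bomb guard

def build_sample(secret=b"CONSTRUCTED_SAMPLE_PASSWORD\n"):
    """Constructed stand-in for data.txt: text -> bzip2 -> tar -> gzip -> hexdump."""
    inner = bz2.compress(secret)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("data.bin")
        info.size = len(inner)
        tar.addfile(info, io.BytesIO(inner))
    return hexdump(gzip.compress(buf.getvalue()))
```

Running unpack_layers(reverse_hexdump(build_sample())) returns the constructed secret together with the list of layers it peeled, outermost first.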

Bandit 13>14:

  • In this level you are given the private key, so just add it to your ssh command with the -i flag: ssh bandit14@localhost -i sshkey.private -p 2220. There is no need to change the key's permissions to 400 here because they are already set correctly.

Bandit 14>15:

  • First view the bandit14 password with cat /etc/bandit_pass/bandit14
  • Then submit it to the service on port 30000 with nc localhost 30000

Bandit 15>16:

Submit the password by using ncat --ssl localhost 30001

Bandit 16>17:

  • First run an nmap scan to find the open ports and the services on them: nmap localhost -p 31000-32000 -sV
  • The scan shows that the ports speaking SSL are 31518 and 31790. Connect to each of them with ncat --ssl and see which one returns an SSH private key when you send it the current password: ncat --ssl localhost 31790
  • Save the SSH key to a file and restrict its permissions with chmod 400 on that file.

Bandit 17>18:

  • Access the level with ssh bandit17@bandit.labs.overthewire.org -p 2220 -i /tmp/sshprivatekey
  • Spot the difference between the two files with diff passwords.new passwords.old, then copy the password from the changed line.

*Note: in normal diff output:

  • lines prefixed with < come from the first file
  • lines prefixed with > come from the second file

Bandit 18>19:

  • At this level you run your command by passing it to ssh directly, in quotation marks, instead of logging in interactively: ssh bandit18@bandit.labs.overthewire.org -p 2220 'cat readme'.

Bandit 19>20:

  • Setuid (set user ID on execution) is a special file permission on Unix and Unix-like operating systems. It lets users run certain programs with elevated privileges: when an executable has the setuid bit set, anyone executing it runs it with the access rights of the file's owner.
  • ./bandit20-do cat /etc/bandit_pass/bandit20

Bandit 20>21:

  • First set up a listener with nc to receive the connection that the setuid binary will make.
  • Then point the setuid binary at your listener. Once the connection arrives, paste in the password for the current level; the setuid binary reads that line and, if it matches, sends back the password for the next level.

Bandit 21>22:

  • List the current cron jobs with ls /etc/cron.d. You will find the cron job for bandit22; view it with cat.
  • It is a cron job for bandit22 that runs at every reboot and every minute. The next step is to view the script it runs: cat /usr/bin/cronjob_bandit22.sh.
  • This bash script first sets the permissions of a file in /tmp so that bandit22 can read and write it while everyone else can only read it, then writes the bandit22 password into that file. So all you need to do is cat that file in /tmp to retrieve the password.

Bandit 22>23:

  • Go to /etc/cron.d and look for the bandit23 job, because bandit23 is the level you want to reach. Viewing the bandit23 cron job shows that it runs this script:

    #!/bin/bash
    myname=$(whoami)
    mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
    echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
    cat /etc/bandit_pass/$myname > /tmp/$mytarget

    • myname holds bandit23, because the cron job runs this script as bandit23.
    • With $myname = bandit23, the command echo I am user $myname | md5sum | cut -d ' ' -f 1 outputs 8ca319486bfbbc3663ea0fbe81326349, which becomes the value of $mytarget.
  • Because /etc/bandit_pass/bandit23 is copied to /tmp/8ca319486bfbbc3663ea0fbe81326349, catting that file gives you the password for the next level.

Bandit 23>24:

  • In this level, the cron jobs contain this script:

    #!/bin/bash
    myname=$(whoami)
    cd /var/spool/$myname/foo || exit 1
    echo "Executing and deleting all scripts in /var/spool/$myname/foo:"
    for i in * .*;
    do
        if [ "$i" != "." -a "$i" != ".." ];
        then
            echo "Handling $i"
            owner="$(stat --format "%U" ./$i)"
            if [ "${owner}" = "bandit23" ]; then
                timeout -s 9 60 ./$i
            fi
            rm -rf ./$i
        fi
    done

    • myname will be bandit24.
    • The script takes every file in /var/spool/bandit24/foo, executes it if it is owned by bandit23, and then deletes it (every file is deleted, but only files owned by bandit23 are executed). This happens every minute.
    • for i in * .* iterates over every entry in the directory, including hidden ones whose names start with a dot.
    • if [ "$i" != "." -a "$i" != ".." ]; skips the entries . and .., which represent the current and parent directories.
    • owner="$(stat --format "%U" ./$i)" extracts the file's owner from the stat output, and if [ "${owner}" = "bandit23" ]; checks whether that owner is bandit23. If so, the file is executed (with a 60-second timeout) before being deleted.
  • Now you need to create a script and save it in /var/spool/bandit24/foo so that it gets executed.
  • First go to /tmp, create a directory and make it accessible to all users, so that bandit24 can write into it: cd /tmp, mkdir asmaa, chmod 777 asmaa.

  • Now create a script that copies the bandit24 password into a new file in your directory:

    #!/bin/bash
    cat /etc/bandit_pass/bandit24 > /tmp/asmaa/password24

  • Save the script under any name, such as getPass.sh, and make it executable with chmod +x getPass.sh. Then copy it into the spool directory: cp /tmp/asmaa/getPass.sh /var/spool/bandit24/foo
  • Wait for the minute to end, since the cron job runs every minute. You should then see a new file called password24 in your directory, as specified in the script.

Bandit 24>25:

  • In this level, you need to write a script that tries all 10000 possible PIN codes: the PIN has 4 digits and each digit can take 10 values (0 through 9), so there are 10^4 = 10000 combinations. Save the script with a .sh extension and make it executable.

    #!/bin/bash
    bandit24pass=VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar
    for pin in {0000..9999}; do
        echo "$bandit24pass $pin"
    done | nc localhost 30002

  • This script iterates through all 10000 possibilities, printing the bandit24 password and the PIN separated by a space on each line, and pipes that output into the daemon listening on port 30002. It keeps going until the correct PIN is reached, and then stops.

Bandit 25>26:

This level is simple. List the contents of the home directory, copy the key and save it on your system. Change its permissions to 400 and use it to sign in to bandit26: ssh bandit26@bandit.labs.overthewire.org -p 2220 -i /tmp/sshprivatekey

Bandit 26>27:

  • When you sign in to this level, the shell logs you out immediately. To get around this, use the more command's pager: shrink the terminal window significantly and make the font very large, so that the login text no longer fits on one screen and more pauses with its prompt.
  • Now press v to open a text editor. From the editor, spawn a shell by entering :set shell=/bin/bash, pressing Enter, and then entering :shell. You now have a bash shell as user bandit26.
  • In bandit26's home directory you will find two files. One holds the level's ASCII art; the other is a setuid binary for user bandit27 that runs whatever command you pass it as an argument with bandit27's privileges. Simply run ./bandit27-do cat /etc/bandit_pass/bandit27.

Bandit 27>28:

  • Go to /tmp and create a directory to clone the repository into, then run git clone 'ssh://bandit27-git@localhost:2220/home/bandit27-git/repo'.
  • cd repo, then cat README.

Bandit 28>29:

  • After cloning the repository and catting README.md, you will notice that the password is written as a row of x's, which suggests it was edited out. To confirm, run git log to see the commit history.
  • To show the contents of a commit, take the SHA1 value next to it and run git show [SHA1]
*Note: in the diff shown by git show, green lines were added and red lines were deleted.

  • Look at the second commit, the one with the message 'add missing data'; it contains the password for the next level.

Bandit 29>30:

  • Clone the git repository and cd into the repo directory. The README.md file contains the sentence "no password in production!", which is a hint to look at branches. git branch shows which branch you are on: master, the branch checked out locally. git branch -a also lists the remote branches.
  • You can switch to another branch with git checkout [branch name]. Switch to the development branch and inspect it: git checkout remotes/origin/dev.
  • Run git log and then git show [SHA1] on the commit with the message "add data needed for development". You will find the new password there.

Bandit 30>31:

  • In this level, checking the logs or the branches gets you nothing, so look at the git internals instead. Every cloned repository has a hidden folder called .git: cd .git.
  • If you cat the packed-refs file you will find the same SHA1 value that git log showed, but also another one for refs/tags/secret. Run git show on that SHA1 and you will have the password for the next level.

Bandit 31>32:

  • According to the README.md file in the repo directory, you need to push a file to the remote repository. First check that you are on the branch they want (master) with git branch.
  • Create a file called key.txt with the specified contents, "May I come in?".
  • If you try git add key.txt, git tells you that this path is ignored by one of your .gitignore files. A .gitignore file lists files that will not be included in any commit or push you make to the repository. To override it, add the -f option to force the add: git add key.txt -f.
  • Then commit with git commit and write whatever message you want (All done!!).
  • Then run git push, answer yes to the prompt and enter the password; the server's response will contain the password for the next level.

Bandit 32>33:

  • In this level, you need to escape the Upper-Case shell. Just use the special variable $0 to get a shell.
  • List the contents of the current directory. You will find a setuid file called uppershell, owned by bandit33 and therefore running with bandit33's privileges. We want to use this to cat the bandit33 password file, so rerun uppershell to get the Upper-Case shell back, which runs with the privileges of bandit33.

*Note: you don't need to rerun the file; I only did this to explain. You can retrieve the bandit33 password immediately after step 1.

  • Using the special variable $0 gives you a shell with the privileges of bandit33. To verify, run whoami.
  • Now you can print the bandit33 password with cat /etc/bandit_pass/bandit33.

Bandit 33>34:

  • This level does not exist yet.
