OverTheWire Bandit : Level 11 - 20 (Master Linux at Ease)

Level 10 -> 11

The password is in data.txt but it’s encoded with base64. Base64 is one of the most popular encoding techniques out there. To decode it, we could just google base64 decoder and find a tool to do it for us. But as we are hacker pro max, let’s try it the terminal way :3

cat data.txt | base64 -d : this command first cats out the content of the file and, with the pipe |, immediately sends that content to the base64 decoder, which finally shows us the decoded output on the screen.

Level 11 -> 12

This time the password is in data.txt but all the letters are rotated 13 positions. It means every letter is replaced with the letter 13 positions further along the alphabet. It’s very popular and called the rot13 cipher. Let’s ask google for a decoder and decode the text.

We found rot13.com, pasted the text, and got the answer.

Level 12 -> 13

Here we have a file that is a “hex dump”. Now what does that mean? A hex dump simply means printing the hexadecimal value of every byte inside a file. So if we do cat data.txt, we will see some hex values.

To reverse it we can use the tool xxd; it can turn the hex values back into the original bytes and give us the original file. xxd -r data.txt > reversed tells xxd to reverse the text and save the result in a new file named reversed. But if we execute it, the prompt says permission denied. That means we don’t have permission to write or to create a file in the current directory. Usually the /tmp directory is writable by all users, so let’s go there. If we do xxd -r data.txt > /tmp/reversed, we can write to it, but if we do ls -la /tmp it says permission denied.

Let’s check the permissions of the /tmp directory to see what’s going on. The last part says -wt, which means we have write permission but not read permission.

So let’s create our own directory under /tmp. That is allowed because we can write in /tmp, and at the same time, as that is our own directory, we can read in it too. And we are successful!

Now after reversing the hex file, I did file reversed to see what kind of data is in the file. It says the file is compressed with gzip. Let’s decompress it. To do that we first need to give the file a .gz extension with mv reversed reversed.gz, and then decompress it with gzip -d reversed.gz, which gives us a new file also named reversed.

If we do file reversed on the new file, we can see it is compressed with bzip2. Let’s decompress again. First we rename the file to give it the .bz2 extension and then decompress it with bzip2 -d reversed.bz2

Again we get a file named reversed, compressed with gzip. Let’s decompress it in the same way: rename the file with the .gz extension and decompress it with the gzip tool.

And this time we got back a file that is a tar archive, another layer to unpack. Let’s change the extension to .tar and extract it with tar -xvf. Here x means extract, v means verbose (detailed output), and f means the next argument is the archive file.

The extracted file we got is data5.bin and it’s another tar archive. Let’s do the same on this: change the extension and run tar -xvf data5.tar, and we get data6.bin with bzip2 compression.

You know the drill: change the extension and extract. We got data6, which is again a tar archive.

Change the extension to .tar and extract. We got data8.bin

This is another gzip compressed file. Do the drill and we get another file named data8. If we do file data8 we see it’s ASCII text, meaning plain text. Let’s cat the file and we got our password!
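The chain of gzip, bzip2 and tar layers above can be unwrapped without renaming anything, by checking the same magic bytes that file looks at and calling the right tool for each layer. The script below is an added example, not code from the original post or from the Bandit game; it assumes GNU tar (for -O), gzip and optionally bzip2, builds its own constructed bundle in a temp directory, and leaves the initial xxd -r step to the command shown earlier.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post: unwrap a nested bundle by sniffing
# each layer's magic bytes, the way `file` does, instead of renaming files by hand.
# Assumes GNU tar (-O, extract to stdout), gzip and, optionally, bzip2 on PATH.
set -eu

magic() {                       # first 4 bytes of $1 as lowercase hex, e.g. 1f8b0808
  head -c 4 "$1" | od -An -tx1 | tr -d ' \n'
}

# Peel one layer off $1 into $2. Returns 1 when $1 is not a known wrapper,
# i.e. we have reached the payload and there is nothing left to unwrap.
peel() {
  local in=$1 out=$2
  case $(magic "$in") in
    1f8b*)   gzip -dc "$in" > "$out" ;;               # gzip:  1f 8b
    425a68*) bzip2 -dc "$in" > "$out" ;;              # bzip2: "BZh"
    *)       [ "$(tail -c +258 "$in" | head -c 5)" = ustar ] || return 1
             tar -xOf "$in" > "$out" ;;               # tar: "ustar" at offset 257
  esac
}

# Keep peeling until peel() refuses, then print the innermost payload.
unwrap() {
  local work cur=$1 n=0
  work=$(mktemp -d)
  while peel "$cur" "$work/layer$n"; do
    cur=$work/layer$n; n=$((n + 1))
  done
  cat "$cur"
  rm -rf "$work"
}

# Constructed sample bundle (not the level's data): text -> gzip -> tar -> bzip2 -> gzip,
# a shorter version of the chain the level walks through. Prints the bundle's path.
build_bundle() {
  local d; d=$(mktemp -d)
  printf '%s\n' "$1" > "$d/data8"
  gzip -c "$d/data8" > "$d/data8.bin"
  tar -cf "$d/data6" -C "$d" data8.bin
  if command -v bzip2 >/dev/null 2>&1; then bzip2 -c "$d/data6" > "$d/data6.bin"
  else cp "$d/data6" "$d/data6.bin"; fi          # skip the bzip2 layer if it is not installed
  gzip -c "$d/data6.bin" > "$d/bundle"
  echo "$d/bundle"
}

bundle=$(build_bundle 'constructed-secret-value')
unwrap "$bundle"                # prints: constructed-secret-value
```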

Level 13 -> 14

This level teaches us to use ssh private keys; sometimes they are named id_rsa too. This key is private, so only you should have access to yours. While ssh-ing into a machine, if you mention a private key owned by you, you don’t have to provide a password to log in. The syntax is the normal ssh syntax with an extra flag, -i. It goes ssh bandit14@localhost -p 2220 -i sshkey.private; here we used localhost as the hostname because we are logging into the same box we are already on. If we wanted, we could have exited the box and used the key with ssh [email protected] -p 2220 -i sshkey.private

Level 14 -> 15

Now in this level, we have to pass the current password to port 30000. Let’s discuss ports first. Think of your computer as a building with many rooms. Each room handles a different job or service; these rooms are the ports. Just as every building has an address so others can find it, your computer has an address too, called the IP address. So whenever a piece of data is sent to you over the internet, it first reaches the building (the IP address), then, depending on what kind of data it is (email, an SSH connection, website content), it goes to the right room, the port. Remember how we ran the ssh command and specified the port with -p 2220? That part of the command simply tells the data to go to port 2220, because on the game server port 2220 is handling the SSH service.

To complete this round, we have to find the password first. Remember we logged in to this round with an SSH key, not a password? But luckily it was mentioned that the password for the bandit14 user is in /etc/bandit_pass/bandit14, so we can cat the file and get the password.

Now we have to hand this password to port 30000 on localhost (the computer we are currently on). Let’s use Telnet for that. Telnet is also like SSH: it opens up a terminal for us to give commands to a computer.

JQttfApK4SeyHwDlI9SXGR50qclOAil1

The syntax is simple, telnet computer PORT_NO, and we got the password.

Level 15 -> 16

In this level, we have to transfer the current password to port 30001 to get the next level’s password. But the catch is, we have to transfer it with SSL encryption. Let’s talk about that.

When we send data over HTTP, it is passed in clear text. This can be dangerous because if an attacker gets in the middle of the connection, he/she can read all your data. To prevent this, we encrypt the data, so that even if an attacker intercepts it in the middle, they will not be able to read it. This encryption technology is called SSL encryption. Websites that use it start with HTTPS; the last S indicates that the connection is secured.

If we want to pass data to a port, we could use Telnet, but again Telnet is unsafe because in that communication the data passes in cleartext. To solve this, let’s use SSL. To use SSL we can take the help of OpenSSL, which is, in simple words, a library or tool that lets us pass data with SSL encryption.

Syntax: openssl s_client -connect HOSTNAME:PORT_NO

Let’s change the hostname to localhost, as we are connecting to the computer we are on right now, and the port to 30001. Then we pass the current password to get the next level’s password.

Level 16 -> 17

In this level, we have to find the ports that are listening in the range 31000–32000, and among them, the one that runs SSL encryption is our target. We pass our password to that port and get the next level’s password back.

We can use nmap to scan the ports. nmap -p 31000-32000 localhost lets us scan the ports within the range 31000–32000 of localhost, the machine we are on right now. This gives us back the ports which are listening.

Now we have to find which of these listening ports are running SSL. To do this we can run an nmap service scan on them. The service scan tells us what kind of service (SSL or not) is running on each port: nmap -p 31046,31518,31691,31790,31960 localhost -sV

The -sV flag actually does the service scan and tells us that ports 31518 and 31790 run some sort of SSL. Notice that port 31518 says echo. The echo service literally repeats back whatever we send it, so this is not our port; we don’t want to hear back the password we already know. Let’s try the other port, 31790. We can pass on the password just like in the previous challenge.

openssl s_client -connect HostName:Port_no

After providing the current password, we got a private SSH key. We already know how to SSH into a machine with an SSH key, so let’s do that and get to the next user.

Level 17 -> 18

This time we got two files. The passwords.new file has the password inside it. But the twist is that every line in these two files is the same except the line that contains the password. So if we can identify the line which differs between the files, we will get the password. Let’s use a new command, diff:

diff passwords.new passwords.old

This command finds that differing line and prints it. Notice the output has two lines and the first one starts with a < sign, which you can think of as an arrow pointing to the left. It means the text after this sign comes from the first file name that we used in the command.

So in our command, we mentioned passwords.new first, so the text following the < is from the passwords.new file.

So this must be the password for the next level, as passwords.new contains the actual password.

Level 18 -> 19

This time we face a weird challenge. We have the password, but whenever we log in, it logs us straight out. So let’s use the black magic of SSH: executing a command over SSH without even logging in. To do this we write the simple SSH syntax and append the command that we want to execute.

ssh [email protected] -p 2220 'cat ~/readme'

At the end we mention, in quotes, the command we want to run: cat the readme file in the home directory.

Level 19 -> 20

This challenge teaches us about setuid binaries. Let’s discuss that a little. In Linux, there are multiple users. These users can have different privileges; for example the root user can pretty much do and access anything, but a normal user can’t. Setuid provides a way for a low-privileged user to perform some actions as the owner of a file.

Let’s understand it with an example. Suppose the root user owns a binary file. No one else can execute it. But to get some work done, root wants someone else to run that binary. The problem is, with the current privileges and permissions no one other than root can do that. So in order to let someone else access that binary, root would have to give its password to that person so they could become root and execute the binary. But it’s extremely risky to give away credentials like this, right? If only there were a way to grant root permission for this one binary. Well, there is :3

To solve this problem, root can simply add an extra permission bit to the binary file. This special permission says that, for this one command only, someone else can impersonate root and run the binary with root’s permissions. This special permission bit is called the SUID bit, and it shows up as an s in place of the owner’s x in the file permissions.

Okay, enough introduction, let’s now see what this binary does. It seems we have to execute the binary followed by the command we want to run with the SUID permission. Let’s do ./bandit20-do cat /etc/bandit_pass/bandit20

Normally we would not have permission to view this file, but with the SUID bit set on the binary, we can successfully cat the file and get the password for the next user.
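As an added example (not the post’s or OverTheWire’s code), the script below shows how the s replaces the owner’s x once the bit is set (and becomes a capital S when the execute bit is missing), and how a defender enumerates setuid files on a box with find -perm -4000, which is the same check an audit uses to spot binaries like bandit20-do. It assumes GNU stat and find and builds a constructed sample tree in a temp directory.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post or from OverTheWire: show how the
# SUID bit appears in the mode string and list setuid files under a directory the way
# an audit would. Assumes GNU coreutils (stat -c) and findutils on a Linux box.
set -eu

# Symbolic mode of a file, e.g. -rwsr-xr-x for a setuid executable.
mode_of() { stat -c '%A' "$1"; }

# Every setuid regular file under $1, one per line as "mode owner path".
# -perm -4000 matches files that have at least the setuid bit (octal 4000) set.
list_setuid() { find "$1" -type f -perm -4000 -exec stat -c '%A %U %n' {} \; | sort; }

# Number of setuid files under $1; handy for a "did anything new appear?" check.
count_setuid() { list_setuid "$1" | wc -l | tr -d ' '; }

# Build a constructed sample tree (not the level's files) with three variants of the
# same script so the mode strings can be compared side by side. Prints the directory.
build_sample() {
  local d; d=$(mktemp -d)
  printf '#!/bin/sh\necho "running as $(id -un)"\n' > "$d/plain"
  cp "$d/plain" "$d/suid"; cp "$d/plain" "$d/suid-noexec"
  chmod 0755 "$d/plain"         # ordinary executable: owner x stays x
  chmod 4755 "$d/suid"          # setuid + owner execute: x becomes s (like bandit20-do)
  chmod 4655 "$d/suid-noexec"   # setuid without owner execute: shows as capital S,
                                # a useless setting that audits usually flag
  echo "$d"
}

sample=$(build_sample)
for f in plain suid suid-noexec; do
  printf '%s  %s\n' "$(mode_of "$sample/$f")" "$f"
done
echo; echo "setuid files under $sample:"
list_setuid "$sample"
```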
