Yang Hu

Machine Learning Engineer | San Francisco, CA


Today is Christmas. Let's spend some quality time practicing basic Linux commands for absolute beginners! I'm doing Bandit, the first series of the OverTheWire wargames.

# Level 5 -> 6
# -size 1033c matches files of exactly 1033 bytes (the c suffix means bytes, not 512-byte blocks)
bandit5@bandit:~$ cat $(find -size 1033c)
# Level 6 -> 7
# search current dir -> nothing
bandit6@bandit:~$ find -size 33c -group bandit6

# search /home -> a few Permission denied errors
bandit6@bandit:~$ find .. -size 33c -group bandit6
find: ‘../bandit31-git’: Permission denied
find: ‘../drifter8/chroot’: Permission denied
find: ‘../drifter6/data’: Permission denied
find: ‘../bandit27-git’: Permission denied
find: ‘../bandit5/inhere’: Permission denied
find: ‘../bandit30-git’: Permission denied
find: ‘../bandit29-git’: Permission denied
find: ‘../bandit28-git’: Permission denied
find: ‘../ubuntu’: Permission denied

# exclude entries with permission denied -> nothing
# (2>&1 folds the errors into stdout so grep can drop them; 2>/dev/null would discard them directly)
bandit6@bandit:~$ find .. -size 33c -group bandit6 2>&1 -ls | grep -v 'Permission denied'

# search the root dir / -> ding ding ding
bandit6@bandit:~$ find / -size 33c -group bandit6 2>&1 -ls | grep -v 'Permission denied'
    517684      4 -r--------   1 bandit6  bandit6        33 Oct  5 06:19 /etc/bandit_pass/bandit6
     77124      4 -rw-r-----   1 bandit7  bandit6        33 Oct  5 06:19 /var/lib/dpkg/info/bandit7.password
    (omitting some errors...)

bandit6@bandit:~$ cat /var/lib/dpkg/info/bandit7.password
# Level 7 -> 8
bandit7@bandit:~$ cat data.txt | grep millionth
# Level 8 -> 9
# uniq -u prints only lines that occur exactly once; it compares adjacent lines, which is why the input is sorted first
bandit8@bandit:~$ sort data.txt | uniq -u
# Level 9 -> 10
# hint 1: man strings; strings prints only the printable runs, so there is no need to "cat" the file and strip the non-printable characters by hand
# hint 2: "preceded by several '=' characters" -> '^=+' matches lines that start with one or more "="
bandit9@bandit:~$ strings data.txt | grep -E '^=+'
# Level 10 -> 11
bandit10@bandit:~$ base64 -d data.txt
# Level 11 -> 12
# hint: man tr
# ROT13: every letter is shifted 13 places, so the same command both encodes and decodes
bandit11@bandit:~$ cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'
# Level 12 -> 13
# data.txt is a hexdump, so reverse it first (the level suggests working in a directory of your own under /tmp):
# xxd -r data.txt > data.bin
# hint: file <File Name> to check the compression type (gzip, tar, bzip2); repeat after every step until file reports plain text
# if POSIX tar archive: tar xvf <File Name>
# if gzip: gzip -d <File Name>.gz   (gzip insists on a .gz suffix, so mv the file first)
# if bzip2: bzip2 -d <File Name>
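The routine above (reverse the hexdump, identify the layer, decompress, repeat) can be scripted so that the loop does the identifying. The following is an added example written for this page, not code from the original post or from OverTheWire. It assumes an xxd-style hexdump as input and that every layer is gzip, bzip2 or a single-member tar, and it recognises layers by their magic bytes rather than trusting file names, since the level leaves the names unhelpful. The helper names unhexdump, layer_type and peel, and the layerN file names in the work directory, are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): script the Level 12 -> 13 routine.
# Assumptions: the input is an xxd-style hexdump such as Bandit's data.txt, and every
# layer is gzip, bzip2 or a single-member POSIX tar. Layers are recognised by magic
# bytes rather than by file name. Helper names are this example's own.

# Reverse a hexdump read on stdin; raw bytes on stdout. Handles xxd output
# ("00000000: 1f8b 0808 ...  ascii") and plain `od -An -v -tx1` output.
# `xxd -r` does the same in one step when xxd is installed; this keeps to sed/awk/printf.
unhexdump() {
  # 1. strip the offset column and the trailing ASCII column (two spaces precede it)
  # 2. join the hex digits and cut them into one byte (two digits) per line
  # 3. turn each byte into a \ooo octal escape; a single printf then emits the bytes
  escapes=$(sed -e 's/^[0-9A-Fa-f]*: *//' -e 's/  .*$//' | tr -d ' \n' | fold -w2 |
    awk 'BEGIN { h = "0123456789abcdef" }
         { v = (index(h, substr(tolower($0), 1, 1)) - 1) * 16 + index(h, substr(tolower($0), 2, 1)) - 1
           printf "\\%03o", v }')
  # the escape string is deliberately used as the format so \000 becomes a NUL byte
  printf "$escapes"
}

# Print the container type of file $1 (gzip, bzip2, tar or unknown), judged by magic bytes.
layer_type() {
  magic=$(od -An -N3 -tx1 "$1" | tr -d ' \n')
  case $magic in
    1f8b*)  echo gzip ;;
    425a68) echo bzip2 ;;          # the bytes of "BZh"
    *)
      # POSIX and GNU tar headers carry "ustar" at offset 257
      if [ "$(dd if="$1" bs=1 skip=257 count=5 2>/dev/null)" = ustar ]; then
        echo tar
      else
        echo unknown
      fi ;;
  esac
}

# peel HEXDUMP WORKDIR: reverse the hexdump into WORKDIR, then strip one layer at a time
# until the innermost file is not a known container. Prints the path of that file.
peel() {
  dump=$1
  work=$2
  mkdir -p "$work"
  cur=$work/layer0
  unhexdump < "$dump" > "$cur"
  n=0
  while :; do
    t=$(layer_type "$cur")
    n=$((n + 1))
    next=$work/layer$n
    case $t in
      gzip)  gzip -dc "$cur" > "$next" ;;
      bzip2) bzip2 -dc "$cur" > "$next" ;;
      tar)   tar -xOf "$cur" > "$next" ;;   # -O streams the member to stdout instead of creating files
      *)     printf '%s\n' "$cur"; return 0 ;;
    esac
    echo "layer $n: $t" >&2
    cur=$next
  done
}

# Usage on the Bandit box would be: cat "$(peel data.txt /tmp/<yourdir>)"
```

The loop is exactly what you do by hand with file, gzip -d, bzip2 -d and tar xvf; checking the magic bytes instead of the suffix is what lets it keep going after a layer has been given a misleading name. The pure-shell hexdump reversal forks one awk per file rather than one process per byte, so it is fast enough for data.txt, but xxd -r is the tool to reach for when it is available.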
# Level 13 -> 14
# password is stored in a file only readable to bandit14
bandit13@bandit:~$ find /etc/bandit_pass/ -user bandit14 -ls
   517564      4 -r--------   1 bandit14 bandit14       33 Oct  5 06:19 /etc/bandit_pass/bandit14

# I detoured a bit here because the problem description mentioned "localhost";
# I thought there was a way to SSH directly to localhost as the current bandit13 user.

bandit13@bandit:~$ exit

# scp (secure copy) sshkey.private to the local machine
$ scp -P 2220 bandit13@bandit.labs.overthewire.org:/home/bandit13/sshkey.private .
$ ssh bandit14@bandit.labs.overthewire.org -p 2220 -i sshkey.private
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for 'sshkey.private' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.

# restrict ssh key permissions
$ chmod 400 ./sshkey.private
$ ls -l ./sshkey.private
-r--------  1 user  root  1679 Dec 25 23:03 ./sshkey.private

# re-run the last ssh command
$ !ssh

Note: This is the point where you can safely take a break without worrying about losing the password you need to resume your last level, since you have a valid SSH key on your host.

# Level 14 -> 15
# hint: re-read the previous level's problem description to find out where the password for bandit14 is stored

# (nc localhost 30000 works the same way)
bandit14@bandit:~$ telnet localhost 30000
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
****redacted (PW of bandit14)****
Correct!
****redacted (PW of bandit15)****
# Level 15 -> 16
# man openssl
# man s_client
# man openssl-s_client
bandit15@bandit:~$ openssl s_client localhost:30001
# (the bare host:port form works on recent OpenSSL; -connect localhost:30001 is the portable spelling)
# paste the password once the handshake output stops. If it starts with 'R' or 'Q', add -quiet:
# in interactive mode a line beginning with those letters is a renegotiate/quit command, not data.
# Level 16 -> 17
bandit16@bandit:~$ nmap localhost -p31000-32000
Starting Nmap 7.80 ( https://nmap.org ) at 2023-12-26 08:03 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
31046/tcp open  unknown
31518/tcp open  unknown
31691/tcp open  unknown
31790/tcp open  unknown
31960/tcp open  unknown

# nmap can also help you test what protocol a port accepts, but it is SLOW!
# I'd recommend taking each port from the list above and trying them one by one to save time
# for example:
bandit16@bandit:~$ nmap localhost -p31046 -A -T4 -v
# (-sV alone, service/version detection, is enough to tell whether a port speaks SSL/TLS; -A additionally runs OS detection, traceroute and scripts)
# Level 17 -> 18
# man diff
# the single line that differs between passwords.old and passwords.new is the new password
# Level 18 -> 19
# hint: ssh accepts a command as its trailing arguments; .bashrc has been modified to log you out
# on an interactive login, and a command given this way runs without one
$ ssh bandit18@bandit.labs.overthewire.org -p 2220 /bin/bash << EOF
    (some commands here...)
EOF
# the closing EOF must start at the beginning of the line (or use <<-EOF, which strips leading tabs)
# Level 19 -> 20
# ./bandit20-do <command>
# bandit20-do is setuid bandit20, so <command> runs with bandit20's privileges
# Level 20 -> 21
# append & at the end of a command to run it in the background.
# use 'fg' to bring background processes to foreground
# (the level's suconnect binary connects to a localhost port you choose and expects the current
#  password on it, so the listener that serves it has to be started first, in the background)
# Level 21 -> 22
# I like this problem the most so far!