Info

From the OverTheWire website:

The wargames offered by the OverTheWire community can help you to learn and practice security concepts in the form of fun-filled games.

~ OverTheWire.org

Bandit

Bandit is the first series of challenges and it’s recommended to start with these.

The Bandit wargame is aimed at absolute beginners. It will teach the basics needed to be able to play other wargames.

~ OverTheWire.org

Make sure you follow along on the website to get more info on the goal of each challenge and the skills you’ll learn from it.

Always first try to do a challenge yourself.
You’ll learn more and might find methodologies or techniques that work better for you.

This write-up contains the solutions for levels 10 to 20.
Need to go back for levels 0 to 10?

Level 10 -> 11

Connect with the OverTheWire infrastructure using the credentials retrieved in the previous level.

$ ssh bandit10@bandit.labs.overthewire.org -p 2220
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit10@bandit.labs.overthewire.org's password:
bandit10@bandit:~$ base64 -d data.txt 
The password is IF##########PR

Level 11 -> Level 12

This is basically ROT13: every letter is shifted 13 places in the alphabet. Since 13 is half of 26, applying ROT13 a second time shifts every letter back to where it started, so to “reverse” this we simply apply another round of ROT13 to the data.

bandit11@bandit:~$ cat data.txt | tr 'a-zA-Z' 'n-za-mN-ZA-M'
The password is 5T##########Uu

Level 12 -> Level 13

As suggested by the level description, we first copy the data.txt file to a folder in /tmp/ where we can create and move files.

bandit12@bandit:~$ mkdir /tmp/sequr
bandit12@bandit:~$ cd /tmp/sequr
bandit12@bandit:/tmp/sequr$ cp ~/data.txt .

data.txt contains a hexdump, which we can easily confirm.

bandit12@bandit:/tmp/sequr$ head data.txt 
00000000: 1f8b 0808 d7d2 c55b 0203 6461 7461 322e  .......[..data2.
00000010: 6269 6e00 013c 02c3 fd42 5a68 3931 4159  bin..<...BZh91AY
00000020: 2653 591d aae5 9800 001b ffff de7f 7fff  &SY.............

Reverse the hexdump, which gives us a gzip compressed container.

bandit12@bandit:/tmp/sequr$ xxd -r data.txt > data-dedumped
bandit12@bandit:/tmp/sequr$ file data-dedumped 
data-dedumped: gzip compressed data, was "data2.bin", last modified: Tue Oct 16 12:00:23 2018, max compression, from Unix

Decompress to get a bzip2 compressed container.

bandit12@bandit:/tmp/sequr$ mv data-dedumped data.gz
bandit12@bandit:/tmp/sequr$ gunzip data.gz
bandit12@bandit:/tmp/sequr$ file data
data: bzip2 compressed data, block size = 900k

Decompress again (bzip2 this time, then gzip) and keep repeating the same routine, checking the type with file and unpacking the matching layer (gzip, bzip2 or tar), until we end up with plain ASCII text.

bandit12@bandit:/tmp/sequr$ bzip2 -d data
bzip2: Can't guess original name for data -- using data.out
bandit12@bandit:/tmp/sequr$ file data.out 
data.out: gzip compressed data, was "data4.bin", last modified: Tue Oct 16 12:00:23 2018, max compression, from Unix
bandit12@bandit:/tmp/sequr$ mv data.out data.gz
bandit12@bandit:/tmp/sequr$ gunzip data.gz
bandit12@bandit:/tmp/sequr$ file data
bandit12@bandit:/tmp/sequr$ mv data data.tar
bandit12@bandit:/tmp/sequr$ tar -xf data.tar
bandit12@bandit:/tmp/sequr$ file data5.bin 
data5.bin: POSIX tar archive (GNU)
bandit12@bandit:/tmp/sequr$ tar -xf data5.bin
bandit12@bandit:/tmp/sequr$ file data6.bin 
data6.bin: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/sequr$ bzip2 -d data6.bin
bzip2: Can't guess original name for data6.bin -- using data6.bin.out
bandit12@bandit:/tmp/sequr$ file data6.bin.out 
data6.bin.out: POSIX tar archive (GNU)
bandit12@bandit:/tmp/sequr$ tar -xf data6.bin.out
bandit12@bandit:/tmp/sequr$ file data8.bin 
data8.bin: gzip compressed data, was "data9.bin", last modified: Tue Oct 16 12:00:23 2018, max compression, from Unix
bandit12@bandit:/tmp/sequr$ mv data8.{bin,gz}
bandit12@bandit:/tmp/sequr$ gzip -d data8.gz
bandit12@bandit:/tmp/sequr$ file data8
data8: ASCII text
bandit12@bandit:/tmp/sequr$ cat data8
The password is 8Z##########YL

Should have automated this somehow …
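One way to automate it, as an added example that is not part of the original write-up: the script below reads each file’s leading bytes (the 1f8b and BZh signatures that are visible in the hexdump above) and unpacks layer after layer until plain text remains. It assumes every tar layer holds a single file and that xxd is installed for the hexdump step; the nested archive it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the write-up: unwrap level 12's nested layers
# (hexdump, gzip, bzip2, tar) automatically, choosing each step from the
# file's magic bytes rather than running `file` by hand after every round.
set -eu

# Classify $1: 1f8b = gzip, 42 5a 68 ("BZh") = bzip2, "ustar" at offset 257
# = tar, a line like "00000000: ..." = xxd hexdump, anything else = text.
layer_type() {
    m=$(head -c 3 "$1" | od -An -tx1 | tr -d ' \n')
    case $m in
        1f8b*)  echo gzip;  return ;;
        425a68) echo bzip2; return ;;
    esac
    if [ "$(tail -c +258 "$1" | head -c 5)" = ustar ]; then echo tar; return; fi
    if head -n 1 "$1" | grep -q '^[0-9a-f]\{8\}: '; then echo hexdump; return; fi
    echo text
}

# Peel layers off $1 until nothing recognisable is left; print the final path.
# Assumes each tar holds one file, as in the challenge. Needs xxd for hexdumps.
unwrap() {
    f=$1
    while :; do
        case $(layer_type "$f") in
            hexdump) xxd -r "$f" > "$f.bin";    f=$f.bin ;;
            gzip)    gzip -dc "$f" > "$f.out";  f=$f.out ;;
            bzip2)   bzip2 -dc "$f" > "$f.out"; f=$f.out ;;
            tar)     mkdir -p "$f.d"; tar -xf "$f" -C "$f.d"
                     f=$(find "$f.d" -type f | head -n 1) ;;
            *)       echo "$f"; return ;;
        esac
    done
}

# Constructed sample: text -> tar -> gzip -> tar -> gzip, using only tools found
# on any Linux box (the bzip2 and hexdump branches behave the same way).
make_sample() {
    d=$(mktemp -d)
    printf 'The password is EXAMPLE_ONLY\n' > "$d/data9.txt"
    tar -cf "$d/data5.bin" -C "$d" data9.txt
    gzip -c "$d/data5.bin" > "$d/data4.bin"
    tar -cf "$d/data3.bin" -C "$d" data4.bin
    gzip -c "$d/data3.bin" > "$d/data.bin"
    echo "$d/data.bin"
}

result=$(unwrap "$(make_sample)")
cat "$result"
```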

Level 13 -> Level 14

We get a private SSH key for bandit14. So copy this to your local system.

bandit13@bandit:~$ cat sshkey.private 
-----BEGIN RSA PRIVATE KEY-----
[...]

Make sure you set the permissions right (i.e. only the owner should be able to read it), otherwise OpenSSH will refuse to use your key.

$ chmod 600 bandit14_ssh.private
$ ssh -i bandit14_ssh.private bandit14@bandit.labs.overthewire.org -p 2220
bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
4w##########3e

Level 14 -> Level 15

We can use netcat (nc) to open a network connection to a specific port.

Once the connection is opened, we enter the required data. The server then responds with the next level’s password.

bandit14@bandit:~$ nc localhost 30000
4w##########3e
Correct!
Bf##########xNr

Level 15 -> Level 16

Since the service on this port uses SSL encryption, we’ll need to use a client that’s capable of setting up such a connection. OpenSSL provides such a client.

bandit14@bandit:~$ openssl s_client -connect localhost:30001
CONNECTED(00000003)
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
---
[...]
    Extended master secret: yes
---
Bf##########Nr
Correct!
cl##########hd

closed

Level 16 -> Level 17

First find the open ports in the given range.

bandit14@bandit:~$ nmap -v -p 31000-32000 --open localhost
[...]
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00021s latency).
Not shown: 999 closed ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
31518/tcp open  unknown
31790/tcp open  unknown

Then check which services they are running.
Note: you could also add the service scan (-sV) to the first scan right away.

bandit14@bandit:~$ nmap -v -sV -p 31518,31790 localhost
[...]
Host is up (0.00023s latency).
Not shown: 999 closed ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE     VERSION
31518/tcp open  ssl/echo
31790/tcp open  ssl/unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port31790-TCP:V=7.40%T=SSL%I=7%D=1/9%Time=5E17044C%P=x86_64-pc-linux-gn
SF:u%r(GenericLines,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20cur
SF:rent\x20password\n")%r(GetRequest,31,"Wrong!\x20Please\x20enter\x20the\
[...]

Port 31518 is running the echo service, which simply returns whatever you send to it (hence the name).
Port 31790 is running an SSL service that nmap doesn’t recognize: it got data back from the service but couldn’t match it to a known banner (“service unrecognized despite returning data”). In the fingerprint output you can see the “Wrong!” strings the service returns when you send it an incorrect password.

Connect using openssl again. This time we get an SSH private key back.

bandit14@bandit:~$ openssl s_client -connect localhost:31790
CONNECTED(00000003)
depth=0 CN = localhost
[...]
---
cl##########hd
Correct!
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
[...]
vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
-----END RSA PRIVATE KEY-----

closed

Level 17 -> Level 18

First connect using the private key from the last level.

$ ssh -i bandit17_ssh.private bandit17@bandit.labs.overthewire.org -p 2220

We need to find the line that is _diff_erent between the two files.

Lines starting with a < are present in FILE1 but not in FILE2.
Lines starting with a > are present in FILE2 but not in FILE1.

bandit17@bandit:~$ diff passwords.old passwords.new 
42c42
< hlbSBPAWJmL6WFDb06gpTx1pPButblOA
---
> kf##########Yd

Level 18 -> Level 19

Notice the note at the previous level:

NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19

~ OverTheWire.org

This is exactly what happens when we try to SSH to the lab as bandit18.

$ ssh bandit18@bandit.labs.overthewire.org -p 2220
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
[...]
  Enjoy your stay!

Byebye !
Connection to bandit.labs.overthewire.org closed.

The level’s description mentions that someone modified the .bashrc file to automatically log us out of an SSH connection.
.bashrc is a configuration script that Bash, the default shell on many systems, executes when it starts, so any command placed in it (such as an exit) runs before we ever get a prompt.

Let’s sidestep .bashrc by not using Bash as our shell: we pass the plain shell (/bin/sh) as the command to run over SSH instead.
Note that we don’t get the usual prompt string (PS1) showing our username and path. However, we are still connected to the system and can execute commands.

$ ssh bandit18@bandit.labs.overthewire.org -p 2220 /bin/sh
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit18@bandit.labs.overthewire.org's password: 
ls # command
readme # output
cat readme # command
Iu##########5x # output

An alternative would’ve been not to connect interactively but to use something like SCP (Secure Copy), which transfers files like FTP (File Transfer Protocol) does, but over Secure Shell (SSH). However, this level states that you should be able to finish it by only using SSH, ls and cat.

$ scp -P 2220 bandit18@bandit.labs.overthewire.org:readme ./
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit18@bandit.labs.overthewire.org's password: 
readme                    100%   33     1.2KB/s   00:00
$ cat readme 
Iu##########5x

Level 19 -> Level 20

A setuid binary executes with the privileges of the user who owns the file rather than those of the user who runs it. As such we can read a file which can only be read by bandit20, since the setuid binary executes under the privileges of that user.

This binary simply executes the command passed as its parameters, so we just print the content of the password file.

bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
Gb##########0j
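As an added example that is not part of the write-up, the script below shows how to recognize a setuid file and the user its code will run as, and how to list every such file under a directory; on the box, setuid_info ./bandit20-do is what explains why the cat above succeeds. The demo files it creates are constructed.

```shell
#!/bin/sh
# Added example, not part of the write-up: recognise a setuid binary and the
# user it will execute as, then audit a directory tree for such files.
set -eu

# Print "setuid <owner>" if $1 has the setuid bit, otherwise "none".
# In `ls -l` the owner's execute column shows 's' (or 'S' without exec) when
# the setuid bit is set; the third field is the owner the code will run as.
setuid_info() {
    line=$(ls -ld "$1")
    case $(printf '%s' "$line" | cut -c4) in
        s|S) echo "setuid $(printf '%s' "$line" | awk '{print $3}')" ;;
        *)   echo none ;;
    esac
}

# List every regular file under $1 with the setuid bit (mode 4000) set.
# Each entry is a way to run code as its owner, so anything unexpected in
# such a list deserves a closer look.
find_setuid() {
    find "$1" -type f -perm -4000 | sort
}

# Constructed demo in a temp dir: two scripts, one given the setuid bit.
# (Setting the bit on your own file needs no privileges; whether the kernel
# honours it at run time depends on mount options and on the file type.)
make_demo() {
    d=$(mktemp -d)
    printf '#!/bin/sh\nid\n' > "$d/plain"
    cp "$d/plain" "$d/elevated"
    chmod 0755 "$d/plain"
    chmod 4755 "$d/elevated"
    echo "$d"
}

demo=$(make_demo)
setuid_info "$demo/plain"       # none
setuid_info "$demo/elevated"    # setuid <owner of the temp dir>
find_setuid "$demo"
```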