OverTheWire:Bandit
Bandit Level 0
The goal of this level is for you to log into the game using SSH. The host to which you need to connect isbandit.labs.overthewire.org, on port 2220. The username is bandit0and the password is bandit0. Once logged in, go to the Level 1page to find out how to beat Level 1.
◼sshでサーバにに接続 サーバ名:bandit.labs.overthewire.org / ログイン名:bandit0 / パスワード:bandit0
% ssh bandit0@bandit.labs.overthewire.org -p 2220
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit0@bandit.labs.overthewire.org's password: bandit0
Bandit Level 0 → Level 1
The password for the next level is stored in a file calledreadmelocated in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.
◼readmeファイルを表示
bandit0@bandit:~$ ls -l
total 4
-rw-r----- 1 bandit1 bandit0 33 Dec 28 14:34 readme
bandit0@bandit:~$ cat readme
boJ9jbbUNNfktd78OOpsqOltutMc3MY1
Bandit Level 1 → Level 2
The password for the next level is stored in a file called -located in the home directory
◼"-"ファイルを表示
bandit1@bandit:~$ ls -l
total 4
-rw-r----- 1 bandit2 bandit1 33 Dec 28 14:34 -
bandit1@bandit:~$ cat ./-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
Bandit Level 2 → Level 3
The password for the next level is stored in a file called spaces in this filenamelocated in the home directory
◼スペースの有るファイル名を指定し表示
bandit2@bandit:~$ ls -l
total 4
-rw-r----- 1 bandit3 bandit2 33 Dec 28 14:34 spaces in this filename
bandit2@bandit:~$ cat "spaces in this filename"
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
Bandit Level 3 → Level 4
The password for the next level is stored in a hidden file in theinheredirectory.
◼"."で始まるファイル名を指定し表示
bandit3@bandit:~$ ls -la inhere/
total 12
drwxr-xr-x 2 root root 4096 Dec 28 14:34 .
drwxr-xr-x 3 root root 4096 Dec 28 14:34 ..
-rw-r----- 1 bandit4 bandit3 33 Dec 28 14:34 .hidden
bandit3@bandit:~$ cat inhere/.hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB
Bandit Level 4 → Level 5
The password for the next level is stored in the only human-readable file in the inheredirectory. Tip: if your terminal is messed up, try the “reset” command.
◼human-readable file を探してファイルを表示
bandit4@bandit:~$ ls -l
total 4
drwxr-xr-x 2 root root 4096 Dec 28 14:34 inhere
bandit4@bandit:~$ ls -l inhere/
total 40
-rw-r----- 1 bandit5 bandit4 33 Dec 28 14:34 -file00
-rw-r----- 1 bandit5 bandit4 33 Dec 28 14:34 -file01
-rw-r----- 1 bandit5 bandit4 33 Dec 28 14:34 -file02
-rw-r----- 1 bandit5 bandit4 33 Dec 28 14:34 -file03
-rw-r----- 1 bandit5 bandit4 33 Dec 28 14:34 -file04
-rw-r----- 1 bandit5 bandit4 33 Dec 28 14:34 -file05
-rw-r----- 1 bandit5 bandit4 33 Dec 28 14:34 -file06
-rw-r----- 1 bandit5 bandit4 33 Dec 28 14:34 -file07
-rw-r----- 1 bandit5 bandit4 33 Dec 28 14:34 -file08
-rw-r----- 1 bandit5 bandit4 33 Dec 28 14:34 -file09
bandit4@bandit:~$ file inhere/-file0*
inhere/-file00: data
inhere/-file01: data
inhere/-file02: data
inhere/-file03: data
inhere/-file04: data
inhere/-file05: data
inhere/-file06: data
inhere/-file07: ASCII text
inhere/-file08: data
inhere/-file09: data
bandit4@bandit:~$ cat inhere/-file07
koReBOKuIDDepwhWk7jZC0RTdopnAYKh
Bandit Level 5 → Level 6
The password for the next level is stored in a file somewhere under the inheredirectory and has all of the following properties:
- human-readable
- 1033 bytes in size
- not executable
◼inhereディレクト配下で1033bytesのファイルを検索し表示
bandit5@bandit:~$ find inhere/ -size 1033c
inhere/maybehere07/.file2
bandit5@bandit:~$ cat inhere/maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7
Bandit Level 6 → Level 7
The password for the next level is stored somewhere on the serverand has all of the following properties:
- owned by user bandit7
- owned by group bandit6
- 33 bytes in size
◼全ディレクトリから user:bandit7 / group:bandit6 / size:33bytsを検索し表示
bandit6@bandit:~$ find / -user bandit7 -group bandit6 -size 33c | grep bandit7
find: '/etc/ssl/private': Permission denied
find: '/etc/polkit-1/localauthority': Permission denied
find: '/run/lxcfs': Permission denied
find: '/run/user/11002': Permission denied
find: '/run/user/11019': Permission denied
find: '/run/user/11004': Permission denied
find: '/run/user/11021': Permission denied
find: '/run/user/11008': Permission denied
find: '/run/user/11001': Permission denied
find: '/run/user/11010': Permission denied
find: '/run/user/11023': Permission denied
find: '/run/user/11024': Permission denied
find: '/run/user/11012': Permission denied
find: '/run/user/11022': Permission denied
find: '/run/user/11020': Permission denied
find: '/run/user/11015': Permission denied
find: '/run/user/11025': Permission denied
find: '/run/user/11016': Permission denied
find: '/run/user/11014': Permission denied
find: '/run/user/11011': Permission denied
find: '/run/user/11017': Permission denied
find: '/run/user/11013': Permission denied
find: '/run/user/11000': Permission denied
find: '/run/user/11005': Permission denied
find: '/run/sudo': Permission denied
find: '/run/log/journal/0d8e66480c320675a338622759f86ace': Permission denied
find: '/run/lvm': Permission denied
find: '/run/systemd/inaccessible': Permission denied
find: '/run/lock/lvm': Permission denied
find: '/dev/mqueue': Permission denied
find: '/dev/shm': Permission denied
find: '/lost+found': Permission denied
find: '/root': Permission denied
find: '/opt/splunkforwarder/etc/auth': Permission denied
find: '/opt/splunkforwarder/etc/apps/learned/local': Permission denied
find: '/opt/splunkforwarder/var': Permission denied
find: '/home/bandit5/inhere': Permission denied
find: '/var/log': Permission denied
find: '/var/lib/puppet': Permission denied
find: '/var/lib/apt/lists/partial': Permission denied
/var/lib/dpkg/info/bandit7.password
find: '/var/lib/polkit-1': Permission denied
find: '/var/spool/rsyslog': Permission denied
find: '/var/spool/bandit24': Permission denied
find: '/var/spool/cron/atspool': Permission denied
find: '/var/spool/cron/atjobs': Permission denied
find: '/var/spool/cron/crontabs': Permission denied
find: '/var/crash': Permission denied
find: '/var/tmp': Permission denied
find: '/var/cache/apt/archives/partial': Permission denied
find: '/var/cache/ldconfig': Permission denied
find: '/tmp': Permission denied
find: '/sys/fs/fuse/connections/39': Permission denied
find: '/sys/kernel/debug': Permission denied
find: '/proc/tty/driver': Permission denied
find: '/proc/31197/task/31197/fd/6': No such file or directory
find: '/proc/31197/task/31197/fdinfo/6': No such file or directory
find: '/proc/31197/fd/5': No such file or directory
find: '/proc/31197/fdinfo/5': No such file or directory
bandit6@bandit:~$ cat /var/lib/dpkg/info/bandit7.password
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
Bandit Level 7 → Level 8
The password for the next level is stored in the file data.txtnext to the word millionth
◼word:"millionth"をdata.txtから検索
bandit7@bandit:~$ grep millionth data.txt
millionth cvX2JJa4CFALtqS87jk27qwqGhBM9plV
Bandit Level 8 → Level 9
The password for the next level is stored in the file data.txtand is the only line of text that occurs only once
◼1回だけ出現するテキスト行を表示
bandit8@bandit:~$ sort data.txt | uniq -u
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
Bandit Level 9 → Level 10
The password for the next level is stored in the file data.txtin one of the few human-readable strings, beginning with several ‘=’ characters.
◼human-readable で"="で始まる
bandit9@bandit:~$ strings data.txt | grep "^="
=-VW+
========== theP`
========== password
========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
Bandit Level 10 → Level 11
The password for the next level is stored in the file data.txt, which contains base64 encoded data
bandit10@bandit:~$ base64 -d data.txt
The password is
Bandit Level 11 → Level 12
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions
◼ROT13(シーザ暗号)を解く
bandit11@bandit:~$ cat data.txt
Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh
bandit11@bandit:~$ python3
Python 3.5.2 (default, Nov 23 2017, 16:37:01)
Type "help", "copyright", "credits" or "license" for more information.
>>> import codecs
>>> codecs.decode('Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh', 'rot13')
'The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu'
Bandit Level 12 → Level 13
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)
◼繰り返し圧縮された16進ダンプされたファイルを変換、解凍
*xxd -r :16進ダンプからバイナリ形式に変換
*file:形式を確認
*mv:でファイル名を変更する
*gzip / bzip2 / tar / bz2 圧縮・解凍
bandit12@bandit:~$ mkdir/tmp/pass
bandit12@bandit:~$ cp -p data.txt /tmp/pass/data.txt
bandit12@bandit:~$ cd /tmp/pass
bandit12@bandit:/tmp/pass$ ls -l
total 4
-rw-r----- 1 bandit12 bandit12 2646 Dec 28 14:34 data.txt
bandit12@bandit:/tmp/pass$ xxd -r data.txt > data1
bandit12@bandit:/tmp/pass$ ls
data.txt data1
bandit12@bandit:/tmp/pass$ file data1
data1: gzip compressed data, was "data2.bin", last modified: Thu Dec 28 13:34:36 2017, max compression, from Unix
bandit12@bandit:/tmp/pass$ mv data1 data1.gz
bandit12@bandit:/tmp/pass$ gzip -d data1.gz
bandit12@bandit:/tmp/pass$ ls
data.txt data1
bandit12@bandit:/tmp/pass$ file data1
data1: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/pass$ ls -l
total 8
-rw-r----- 1 bandit12 bandit12 2646 Dec 28 14:34 data.txt
-rw-rw-r-- 1 bandit12 bandit12 585 May 21 15:16 data1.gz2
bandit12@bandit:/tmp/pass$ bzip2 -d data1.gz2
bzip2: Can't guess original name for data1.gz2 -- using data1.gz2.out
bandit12@bandit:/tmp/pass$ ls
data.txt data1.gz2.out
bandit12@bandit:/tmp/pass$ mv data4.gzip data4.gz
bandit12@bandit:/tmp/pass$ ls
data.txt data4.gz
bandit12@bandit:/tmp/pass$ gzip -d data4.gz
bandit12@bandit:/tmp/pass$ ls
data.txt data4
bandit12@bandit:/tmp/pass$ file data4
data4: POSIX tar archive (GNU)
bandit12@bandit:/tmp/pass$ mv data4 data4.tar
bandit12@bandit:/tmp/pass$ tar -xvf data4.tar
data5.bin
bandit12@bandit:/tmp/pass$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@bandit:/tmp/pass$ mv data5.bin data5.tar
bandit12@bandit:/tmp/pass$ tar -xvf data5.tar
data6.bin
bandit12@bandit:/tmp/pass$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/pass$ mv data6.bin data6.bz2
bandit12@bandit:/tmp/pass$ bzip2 -d data6.bz2
bandit12@bandit:/tmp/pass$ ls
data.txt data4.tar data5.tar data6
bandit12@bandit:/tmp/pass$ file data6
data6: POSIX tar archive (GNU)
bandit12@bandit:/tmp/pass$ mv data6 data6.tar
bandit12@bandit:/tmp/pass$ tar -xvf data6.tar
data8.bin
bandit12@bandit:/tmp/pass$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", last modified: Thu Dec 28 13:34:36 2017, max compression, from Unix
bandit12@bandit:/tmp/pass$ mv data8.bin data8.gz
bandit12@bandit:/tmp/pass$ gzip -d data8.gz
bandit12@bandit:/tmp/pass$ ls
data.txt data4.tar data5.tar data6.tar data8
bandit12@bandit:/tmp/pass$ file data8
data8: ASCII text
bandit12@bandit:/tmp/pass$ cat data8
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
Bandit Level 13 → Level 14
The password for the next level is stored in/etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level.Note:localhostis a hostname that refers to the machine you are working on
◼sshコマンド -iオプション:接続に使用する公開鍵ファイルを指定する
bandit13@bandit:~$ ssh -i sshkey.private bandit14@localhost
bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Bandit Level 14 → Level 15
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
◼対象ホストに対しポートを指定して、クライアントと疎通確認
bandit14@bandit:~$ nc localhost 30000 < /etc/bandit_pass/bandit14
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr
Bandit Level 15 → Level 16
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhostusing SSL encryption.
Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…
◼SSLで指定サーバに接続 openssl s_client:sslで指定サーバに接続 / -connect:サーバへ接続 / -quiet:SSL/TLSを省略し、HTTPリクエスト・レスポンスを中心に見る セッションと認証情報の表示を抑止する
bandit15@bandit:~$ cat /etc/bandit_pass/bandit15 | openssl s_client -quiet -connect localhost:30001
depth=0 CN = bandit
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = bandit
verify return:1
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd
Bandit Level 16 → Level 17
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
◼サーバの空きポートを探し、SSL接続可能なポートを探す
bandit16@bandit:~$ nmap -p 31000-32000 localhost
Starting Nmap 7.01 ( https://nmap.org ) at 2018-05-21 15:37 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00018s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 996 closed ports
PORT STATE SERVICE
31046/tcp open unknown
31518/tcp open unknown
31691/tcp open unknown
31790/tcp open unknown
31960/tcp open unknown
bandit16@bandit:~$ cat /etc/bandit_pass/bandit16 | nc localhost 31046
cluFn7wTiGryunymYOu4RcffSxQluehd
bandit16@bandit:~$ cat /etc/bandit_pass/bandit16 | nc localhost 31518
bandit16@bandit:~$ cat /etc/bandit_pass/bandit16 | nc localhost 31691
cluFn7wTiGryunymYOu4RcffSxQluehd
bandit16@bandit:~$ cat /etc/bandit_pass/bandit16 | nc localhost 31790
bandit16@bandit:~$ cat /etc/bandit_pass/bandit16 | nc localhost 31960
cluFn7wTiGryunymYOu4RcffSxQluehd
bandit16@bandit:~$ cat /etc/bandit_pass/bandit16 | openssl s_client -quiet -connect localhost:31790 > /tmp/key/bandit16key
depth=0 CN = bandit
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = bandit
verify return:1
bandit16@bandit:~$ cat /tmp/key/bandit16key
Correct!
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
-----END RSA PRIVATE KEY-----
bandit16@bandit:~$ ls -l /tmp/key
total 4
-rw-rw-r-- 1 bandit16 bandit16 1685 May 21 15:47 bandit16key
bandit16@bandit:~$ chmod 600 /tmp/key/bandit16key
bandit16@bandit:~$ ls -l /tmp/key
total 4
-rw------- 1 bandit16 bandit16 1685 May 21 15:47 bandit16key
bandit16@bandit:~$ ssh -i /tmp/key/bandit16key bandit17@localhost
bandit17@bandit:~$ cat /etc/bandit_pass/bandit17
xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn
Bandit Level 17 → Level 18
There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is inpasswords.newand is the only line that has been changed betweenpasswords.old and passwords.new
◼2つのファイルの違うところを探す
bandit17@bandit:~$ ls
passwords.new passwords.old
bandit17@bandit:~$ diff passwords.new passwords.old
42c42
< kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
---
> 6vcSC74ROI95NqkKaeEC2ABVMDX9TyUr
bandit17@bandit:~$
Bandit Level 18 → Level 19
The password for the next level is stored in a file readmein the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
◼Login後直ぐに、Log Outさせられるので、Loginnと同時に"readme"ファイルを表示
% ssh bandit18@bandit.labs.overthewire.org -p 2220 cat readme
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit18@bandit.labs.overthewire.org's password:
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
Bandit Level 19 → Level 20
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.
■実行ファイルを実行、”Example: ./bandit20-do id"実行時引数が必要なようなので、、iパスワードを引数にし実行
bandit19@bandit:~$ file bandit20-do
bandit20-do: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=1c05d80e62cd205a3497b870e8294402424a4f7c, not stripped
bandit19@bandit:~$ ./bandit20-do
Run a command as another user.
Example: ./bandit20-do id
bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Bandit Level 20 → Level 21
There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
■実行ファイルを確認。実行してみる。ローカルホストに適当なポートで接続し、パスワードを読み込ませる。同ポートで実行ファイルを実行し、パスワードを比較して正しければ次のパスワードが表示される。
bandit20@bandit:~$ ls -l
total 8
-rwsr-x--- 1 bandit21 bandit20 8044 Dec 28 14:34 suconnect
bandit20@bandit:~$ file suconnect
suconnect: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=4039bf634dd9dbc0a432b05c2af97658f2f59614, not stripped
bandit20@bandit:~$ ./suconnect
Usage: ./suconnect <portnumber>
This program will connect to the given port on localhost using TCP. If it receives the correct password from the other side, the next password is transmitted back.
bandit20@bandit:~$ nc -l 8000 < /etc/bandit_pass/bandit20 &
[1] 30692
bandit20@bandit:~$ ./suconnect 8000
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
Bandit Level 21 → Level 22
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
■"/etc/cron.d/"配下のファイルを確認。"/usr/bin/cronjob_bandit22.sh"内を確認。パスワードが書き込まれるファイルを表示。
bandit21@bandit:~$ ls -l /etc/cron.d
total 16
-rw-r--r-- 1 root root 120 Dec 28 14:34 cronjob_bandit22
-rw-r--r-- 1 root root 122 Dec 28 14:34 cronjob_bandit23
-rw-r--r-- 1 root root 120 Dec 28 14:34 cronjob_bandit24
-rw-r--r-- 1 root root 190 Oct 31 2017 popularity-contest
bandit21@bandit:~$ cat /etc/cron.d/*
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
@reboot bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
4 22 * * * root test -x /etc/cron.daily/popularity-contest && /etc/cron.daily/popularity-contest --crond
bandit21@bandit:~$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
bandit21@bandit:~$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
Bandit Level 22 → Level 23
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
■"/etc/cron.d"内のbandit23ファイルから該当シェルを確認し、内容を確認、実行。表示されたターゲット名のファイルを確認
bandit22@bandit:~$ ls -l /etc/cron.d
total 16
-rw-r--r-- 1 root root 120 Dec 28 14:34 cronjob_bandit22
-rw-r--r-- 1 root root 122 Dec 28 14:34 cronjob_bandit23
-rw-r--r-- 1 root root 120 Dec 28 14:34 cronjob_bandit24
-rw-r--r-- 1 root root 190 Oct 31 2017 popularity-contest
bandit22@bandit:~$ cat /etc/cron.d/cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
bandit22@bandit:~$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget
bandit22@bandit:~$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349
bandit22@bandit:~$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
Bandit Level 23 → Level 24
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…