Home Bandit level 15 to 20 - Walkthrough
Post
Cancel

Bandit level 15 to 20 - Walkthrough

Posted Apr 20, 2023
By Yassir Lassiry
7 min read

Continuing where we left of…

Level 15 –> 16

Level credentials

  • username : bandit15
  • password : jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt

Level goal

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

Level solution

As we have seen in the previous level, nc allows us to exchange data between a client and a server, but in plaintext.

Meaning all data exchanged is not encrypted.

openssl is a command-line utility for cryptography and SSL/TLS protocols. It can be used to establish a basic network connection using the s_client option. Here’s an example of how to use openssl as a simple network client:

1

openssl s_client -connect <hostname>:<port>

Let’s try it out.

1

bandit15@bandit:~$ openssl s_client localhost:30001

Okey, the standard input is open, let’s type our password.

1
2
3
4
5
6

jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt
Correct!
JQttfApK4SeyHwDlI9SXGR50qclOAil1

closed

We got our password 😃

JQttfApK4SeyHwDlI9SXGR50qclOAil1

Level 16 –> 17

Level credentials

  • username : bandit16
  • password : JQttfApK4SeyHwDlI9SXGR50qclOAil1

Level goal

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

Level solution

First, we need to scan the host for open ports within the range 31000 to 32000.

Port scanning is a technique used to discover which ports on a networked device are open and listening for connections.

We can use nmap to scan for open ports.

1
2

# example
nmap -p <port_range> <hostname>
  • hostname : localhost
  • port range : 31000 to 32000

Let’s try it !

1
2
3
4
5
6
7
8
9
10
11
12
13

bandit16@bandit:~$ nmap -p 31000-32000 localhost
Starting Nmap 7.80 ( https://nmap.org ) at 2023-04-20 17:28 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000094s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
31046/tcp open  unknown
31518/tcp open  unknown
31691/tcp open  unknown
31790/tcp open  unknown
31960/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds

We have just made a basic scan, not bad but it doesn’t provide us with much information other than the actual open ports.

Let’s now detecte services using the -sV option.

1
2
3
4
5
6
7
8
9

bandit16@bandit:~$  nmap -sV -p 31000-32000 localhost
...
PORT      STATE SERVICE     REASON  VERSION
31046/tcp open  echo        syn-ack
31518/tcp open  ssl/echo    syn-ack
31691/tcp open  echo        syn-ack
31790/tcp open  ssl/unknown syn-ack
31960/tcp open  echo        syn-ack
...

Hmmm, we’ve got 2 ports that use ssl, but one of them has the echo service , which will just print what it gets as input.

With that said, the promising port is 31790.

Let’s use our skills aquiered from the previous level to connect to it using openssl !

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

bandit16@bandit:~$ openssl s_client localhost:31790
...
JQttfApK4SeyHwDlI9SXGR50qclOAil1
Correct!
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
-----END RSA PRIVATE KEY-----

closed

We got our ssh key 😃

Level 17 –> 18

Level credentials

  • username : bandit18
  • password : SSH key from the previous level

Level goal

There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new

Level solution

This level is pretty straight forward. We are going to be using diff.

diff is a command-line utility used for comparing two files or directories and showing the differences between them.

1
2
3
4
5
6
7

bandit17@bandit:~$ ls
passwords.new  passwords.old
bandit17@bandit:~$ diff passwords.old passwords.new
42c42
< f9wS9ZUDvZoo3PooHgYuuWdawDFvGld2
---
> hga5tuuCLF6fFzUpnagiMN8ssu9LFrdg

We got our password 😃

hga5tuuCLF6fFzUpnagiMN8ssu9LFrdg

Level 18 –> 19

Level credentials

  • username : bandit18
  • password : hga5tuuCLF6fFzUpnagiMN8ssu9LFrdg

Level goal

The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

Level solution

This is fun !

When we try to log in, we get disconnected immediately. How can we possibly solve the challenge if we can’t even connect to it ??

Now, what you need to understand is when you log in to a linux session, the default behavior is to execute your login shell, which will read your .bashrc file.

In our case, .bashrc has a script that makes us disconnect.

Now you are wondering if we can log in without loading .bashrc. Yes we can and here is how :

1
2

┌──(yariss㉿Kali-VM)-[~]
└─$ ssh -t bandit18@bandit.labs.overthewire.org -p 2220  bash --noprofile --norc

Explanation

The -t option forces the allocation of a pseudo-tty, which is required for an interactive shell. The --noprofile and --norc options tell bash not to read the system-wide or user-specific initialization files, respectively.

Now we have a terminal, we can read readme.

1
2

bash-5.1$ cat readme
awhqfNnAbc1naukrpqDYcF95h7HoMTrC

Out of curiosity, let’s see what the content of .bashrc is

1
2
3
4

bash-5.1$ cat .bashrc
...
echo 'Byebye !'
exit 0

Haa ! exit 0 is the evil command that was forcing us to disconnect, good to know !

We got our password 😃

awhqfNnAbc1naukrpqDYcF95h7HoMTrC

Level 19 –> 20

Level credentials

  • username : bandit19
  • password : awhqfNnAbc1naukrpqDYcF95h7HoMTrC

Level goal

To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

Level solution

SUID (Set User ID) is a special permission bit that can be set on executable files in Unix/Linux file systems. When a file with the SUID bit is executed, it runs with the permissions of the file’s owner, rather than the permissions of the user who is executing the file. This allows users to execute certain programs with elevated privileges, even if they do not have the necessary permissions themselves.

1
2
3
4

bandit19@bandit:~$ ls
bandit20-do
bandit19@bandit:~$ ls -l bandit20-do
-rwsr-x--- 1 bandit20 bandit19 14876 Feb 21 22:03 bandit20-do

In our case, the owner of the binary is bandit20, and has the SUID bit set, meaning that we can execute it as if we were bandit20.

Now what does this binary do exactly ? Let’s execute it to find out.

1
2
3

bandit19@bandit:~$ ./bandit20-do
Run a command as another user.
  Example: ./bandit20-do id

Hmm, let’s try the example

1
2
3
4

bandit19@bandit:~$ ./bandit20-do id
uid=11019(bandit19) gid=11019(bandit19) euid=11020(bandit20) groups=11019(bandit19)
bandit19@bandit:~$ id
uid=11019(bandit19) gid=11019(bandit19) groups=11019(bandit19)

We can notice something strange, our euid is bandit20.

EUID stands for Effective User ID. When a program is executed with the SUID bit set, the EUID of the process is set to the owner of the program, rather than the user who is executing the program.

How can we leverage that ? We can try to execute cat /etc/bandit_pass/bandit20 using bandit20-do, since our euid will be the same as the file’s owner (bandit20).

1
2

bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
VxCazJaVykI6W36BkBU0mJTCM8rR95XT

We got our password 😃

VxCazJaVykI6W36BkBU0mJTCM8rR95XT

CTF-WRITEUPS, OverTheWire- Bandit
linux bandit
This post is licensed under CC BY 4.0 by the author.
Recently Updated
Contents

Bandit level 10 to 15 - Walkthrough

Bandit level 20 to 25 - Walkthrough