# Bandit over the wire challenge
### Level 0 -> 1
---
The password for the next level is in the file readme, so we only need to run
```
cat readme
```
Output:
```
NH2SXQwcBdpmTEzi3bvBHMM9H66vVXjL
```
### Level 1 -> 2
---
The password is in a file named `-`. If we run `cat -`, the `-` argument tells cat to read standard input instead, so we have to use
```
cat <-
```
```
rRGizSaX8Mk1RTb1CNQoXTcYZWU6lgzi
```
### Level 2 -> 3
---
>**The password for the next level is stored in a file called spaces in this filename**
If we run `cat spaces in this filename`, the shell treats each space-separated word as a separate argument, so we have to wrap the name in double quotes `""`
```
cat "spaces in this filename"
```
```
aBZ0W5EmUfAf7kHTQeOwd8bauFJ2lAiG
```
### Level 3 -> 4
---
>**The password for the next level is stored in a file called spaces in this filename located in the home directory**
After `cd inhere`, `ls` shows nothing. The file is hidden, so we use `ls -la` or `ls -a`.
```bash=
bandit3@bandit:~/inhere$ ls -la
total 12
drwxr-xr-x 2 root root 4096 Oct 5 06:19 .
drwxr-xr-x 3 root root 4096 Oct 5 06:19 ..
-rw-r----- 1 bandit4 bandit3 33 Oct 5 06:19 .hidden
```
Then we can read it with `cat .hidden`
```
2EW7BBsr6aMMoJ2HjW067dm8EgX26xNe
```
### Level 4 -> 5
---
>**The password for the next level is stored in the only human-readable file in the inhere directory**
After `cd inhere`, there is a series of files named `-file{num}`.
```bash=
bandit4@bandit:~/inhere$ ls
-file00 -file01 -file02 -file03 -file04 -file05 -file06 -file07 -file08 -file09
```
Since the password is in the only *human-readable file*, we can simply use `grep` with the regex `.*`: grep only reports "binary file matches" for the binary files and prints the matching line from the text file.
> `.` matches any character (except for line terminators)
> `*` matches the previous token between zero and unlimited times, as many times as possible, giving back as needed (greedy)
```
grep -r -e ".*"
```
```bash=
grep: -file01: binary file matches
grep: -file02: binary file matches
grep: -file08: binary file matches
grep: -file06: binary file matches
grep: -file00: binary file matches
grep: -file04: binary file matches
grep: -file05: binary file matches
-file07:lrIWWI6bB37kxfiCQZqUdOIYfr6eEeqR
grep: -file03: binary file matches
grep: -file09: binary file matches
```
### Level 5 -> 6
---
>The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:
human-readable
1033 bytes in size
not executable
We can simply use `find` with the arguments `-type f`, `-readable`, `-size 1033c`, and for *not executable* `! -executable`
```bash=
bandit5@bandit:~/inhere$ find -type f -readable -size 1033c ! -executable
./maybehere07/.file2
bandit5@bandit:~/inhere$ cat ./maybehere07/.file2
```
```
P4L4vucdmLnm8I7Vl7jG1ApGSfjYKqJU
```
### Level 6 -> 7
---
>The password for the next level is stored somewhere on the server and has all of the following properties:
owned by user bandit7
owned by group bandit6
33 bytes in size
Same as the previous level, with the arguments `-size 33c -user bandit7 -group bandit6`
```
find / -size 33c -user bandit7 -group bandit6
```
Output:
```bash=
find: ‘/etc/ssl/private’: Permission denied
find: ‘/etc/polkit-1/localauthority’: Permission denied
find: ‘/etc/sudoers.d’: Permission denied
find: ‘/etc/multipath’: Permission denied
find: ‘/root’: Permission denied
...
```
The file we want is somewhere in that pile of errors, so we add `2>/dev/null`.
* By default, `0` is stdin (standard input), `1` is stdout (standard output) and `2` is stderr (standard error)
* `>` is the redirection operator; here we send the error output to `/dev/null`
* `/dev/null` is a special file that discards everything written to it
```bash=
bandit6@bandit:~$ find / -size 33c -user bandit7 -group bandit6 2>/dev/null
/var/lib/dpkg/info/bandit7.password
bandit6@bandit:~$ cat /var/lib/dpkg/info/bandit7.password
```
```
z7WtoNQU2XfjmMtWA8u5rN4vzqu4v99S
```
### Level 7 -> 8
---
>The password for the next level is stored in the file data.txt next to the word millionth
Using `grep` on data.txt with the argument `-e "millionth"`, we get:
```
millionth TESKZC0XvTetK0S9xNwm25STk5iWrBvP
```
### Level 8 -> 9
---
>The password for the next level is stored in the file data.txt and is the only line of text that occurs only once
For this level we can use `uniq` with `-u` (*only print unique lines*) to find the line that occurs only once.
```
sort data.txt | uniq -u
```
> `|` is a pipe: we sort data.txt and feed the result into uniq through it. Sorting first matters because uniq only compares adjacent lines.
```
EN632PlfYiZbn3PhVK3XOGSlNInNE00t
```
### Level 9 -> 10
---
>The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.
Using a pipe as in the previous level, we can run `strings data.txt` and pass the output to grep with the regex `={2,}[\w]*`
> Since the hint says *preceded by several '=' characters*, we use `={2,}`, which matches two or more consecutive `=`; `[\w]*` is meant to match *`any word character (equivalent to [a-zA-Z0-9_])`* (note that inside `[...]` GNU grep does not treat `\w` as a class, so in practice the `={2,}` part does the matching and grep prints the whole line regardless)
```
strings data.txt | grep -E '={2,}[\w]*'
```
```
x]T========== theG)"
========== passwordk^
========== is
========== G7w8LIi6J3kTb8A7j9LgrywtEUlyyp6s
```
### Level 10 -> 11
---
>The password for the next level is stored in the file data.txt, which contains base64 encoded data
Decoding base64 is simple: run `strings data.txt` and pipe it into `base64` with `-d` (decode)
```
strings data.txt | base64 -d
```
```
The password is 6zPeziLdR2RKNdNYFNb6nVCKzphlXHBM
```
### Level 11 -> 12
---
>The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions
*Rotated by 13 positions* is certainly the rot13 cipher.
From an answer on [StackOverflow](https://stackoverflow.com/questions/5442436/using-rot13-and-tr-command-for-having-an-encrypted-email-address), we can use `tr`:
```
strings data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'
```
```
The password is JVNBBFSmZwKKOP0XbFXOoW8chDz5yVRv
```
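ROT13 with `tr`, as the level does, generalised to any Caesar shift (the write-up only shows the 13 case). This is an added example, not code from the write-up; `rotn`, `rot13`, `roundtrip_ok` and the sample text are names and values chosen here.

```bash
#!/usr/bin/env bash
# Added example (not from the write-up): Caesar shift with tr, generalised from
# the ROT13 case the level uses. rotn/rot13/sample_cipher are names chosen here.

rotn() {
  # Shift every letter by $1 places, wrapping within its alphabet; anything that
  # is not a letter passes through unchanged.
  local n=$(( $1 % 26 ))
  local up=ABCDEFGHIJKLMNOPQRSTUVWXYZ lo=abcdefghijklmnopqrstuvwxyz rup rlo
  # Doubling the alphabet and cutting a 26-character window starting at n+1
  # gives the rotated alphabet; for n=13 that is exactly tr's 'N-ZA-M' / 'n-za-m'.
  rup=$(printf '%s%s' "$up" "$up" | cut -c "$((n + 1))-$((n + 26))")
  rlo=$(printf '%s%s' "$lo" "$lo" | cut -c "$((n + 1))-$((n + 26))")
  tr "$up$lo" "$rup$rlo"
}

rot13() {
  # The same mapping the write-up feeds to tr; ROT13 is its own inverse.
  tr 'A-Za-z' 'N-ZA-Mn-za-m'
}

# Constructed sample (not the challenge file).
sample_cipher() {
  printf '%s' 'Gur cnffjbeq vf 12345'
}

# True when rotating by n and then by 26-n restores the input.
roundtrip_ok() {
  local text=$1 n=$2
  [ "$(printf '%s' "$text" | rotn "$n" | rotn "$((26 - n))")" = "$text" ]
}
```

`rotn 13` and `rot13` produce identical output; the point of `rotn` is to make visible that the `N-ZA-M` range in the write-up is just the alphabet rotated by 13, and that ROT13 is an encoding, not encryption: anyone can undo it with the same command.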
### Level 12 -> 13
---
>The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)
Since we cannot create a directory in the usual place, we use `mktemp -d`, which picks a random name, as the server's rules advise.
> Write-access to homedirectories is disabled. It is advised to create a
working directory with a hard-to-guess name in /tmp/. You can use the
command "mktemp -d" in order to generate a random and hard to guess
directory in /tmp/.
```=
bandit12@bandit:~$ mktemp -d
/tmp/tmp.ljvQ4CV2XE
bandit12@bandit:~$ cp data.txt /tmp/tmp.ljvQ4CV2XE
bandit12@bandit:~$ cd /tmp/tmp.ljvQ4CV2XE
bandit12@bandit:/tmp/tmp.ljvQ4CV2XE$ mv data.txt data
```
Since `data.txt` is a hexdump of a file that has been compressed several times, we use `xxd -r data data2` to turn the hexdump back into binary data.
```=
bandit12@bandit:/tmp/tmp.ljvQ4CV2XE$ xxd -r data data2
bandit12@bandit:/tmp/tmp.ljvQ4CV2XE$ ls
data data2
bandit12@bandit:/tmp/tmp.ljvQ4CV2XE$ xxd data2
```
Running `xxd` on data2:
```
00000000: 1f8b 0808 6855 1e65 0203 6461 7461 322e ....hU.e..data2.
00000010: 6269 6e00 013d 02c2 fd42 5a68 3931 4159 bin..=...BZh91AY
00000020: 2653 5948 1b32 0200 0019 ffff faee cff7 &SYH.2..........
```
Right on the first line the bytes are `1f 8b`; looking them up in the [wikipedia](https://en.wikipedia.org/wiki/List_of_file_signatures) list of file signatures, that is the signature of **GZIP** (.gz)
```=
bandit12@bandit:/tmp/tmp.ljvQ4CV2XE$ mv data2 data2.gz
bandit12@bandit:/tmp/tmp.ljvQ4CV2XE$ gzip -d data2.gz
bandit12@bandit:/tmp/tmp.ljvQ4CV2XE$ xxd data2
00000000: 425a 6839 3141 5926 5359 481b 3202 0000 BZh91AY&SYH.2...
00000010: 19ff fffa eecf f7f6 ffe4 f7bf bcff ffbf ................
00000020: f7ff b939 ff7f fbbd 31ee ffb9 fbfb bbb9 ...9....1.......
00000030: bff7 7fb0 013b 2cd1 000d 03d2 0068 680d .....;,......hh.
```
Comparing the first bytes with wikipedia again, `42 5A 68` belongs to **Bzip2** (.bz2)
```
bandit12@bandit:/tmp/tmp.ljvQ4CV2XE$ mv data2 data2.bz2
bandit12@bandit:/tmp/tmp.ljvQ4CV2XE$ bzip2 -d data2.bz2
bandit12@bandit:/tmp/tmp.ljvQ4CV2XE$ xxd data2
00000000: 1f8b 0808 6855 1e65 0203 6461 7461 342e ....hU.e..data4.
00000010: 6269 6e00 edd1 cf4b 1461 1cc7 f187 711d bin....K.a....q.
```
Decompress with gzip once more
```=
bandit12@bandit:/tmp/tmp.ljvQ4CV2XE$ mv data2 data2.gz
bandit12@bandit:/tmp/tmp.ljvQ4CV2XE$ gzip -d data2.gz
bandit12@bandit:/tmp/tmp.ljvQ4CV2XE$ cat data2
data5.bin0000644000000000000000000002400014507452550011247 0ustar rootrootdata6.bin00006440000000000000000000000331145074J!�1����&�2i6��I�P⸮2���@�@4��k�ʀ@��8M|�V1@��P����2[j.�v'�1�⸮s���TTI��V�*�A�^O
```
The output still does not look right, so I use `xxd data2 | head` (head shows only the first 10 lines)
```
00000000: 6461 7461 352e 6269 6e00 0000 0000 0000 data5.bin.......
00000010: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000030: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000040: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000060: 0000 0000 3030 3030 3634 3400 3030 3030 ....0000644.0000
00000070: 3030 3000 3030 3030 3030 3000 3030 3030 000.0000000.0000
00000080: 3030 3234 3030 3000 3134 3530 3734 3532 0024000.14507452
00000090: 3535 3000 3031 3132 3437 0020 3000 0000 550.011247. 0...
```
The `3030...` bytes (`0000644` in the hexdump) mark this as a **tar** file.
```=
bandit12@bandit:/tmp/tmp.ljvQ4CV2XE$ mv data2 data2.tar
bandit12@bandit:/tmp/tmp.ljvQ4CV2XE$ tar -xf data2.tar
bandit12@bandit:/tmp/tmp.ljvQ4CV2XE$ ls
data2.tar data3 data5.bin data.gz tmp
bandit12@bandit:/tmp/tmp.ljvQ4CV2XE$ xxd data5.bin | head
00000000: 6461 7461 362e 6269 6e00 0000 0000 0000 data6.bin.......
00000010: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000030: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000040: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000060: 0000 0000 3030 3030 3634 3400 3030 3030 ....0000644.0000
00000070: 3030 3000 3030 3030 3030 3000 3030 3030 000.0000000.0000
00000080: 3030 3030 3333 3100 3134 3530 3734 3532 0000331.14507452
00000090: 3535 3000 3031 3132 3531 0020 3000 0000 550.011251. 0...
```
```=
bandit12@bandit:/tmp/tmp.ljvQ4CV2XE$ mv data5.bin data_.tar
bandit12@bandit:/tmp/tmp.ljvQ4CV2XE$ tar -xf data_.tar
bandit12@bandit:/tmp/tmp.ljvQ4CV2XE$ ls
data2.tar data3 data6.bin data.gz data_.tar tmp
bandit12@bandit:/tmp/tmp.ljvQ4CV2XE$ xxd data6.bin | head
00000000: 425a 6839 3141 5926 5359 0403 8894 0000 BZh91AY&SY......
00000010: 8bff dfdc 5c80 41c0 6ff7 e000 f1a3 8076 ....\.A.o......v
```
bzip2 again :v
```=
bandit12@bandit:/tmp/tmp.ljvQ4CV2XE$ mv data6.bin data6.bz2
bandit12@bandit:/tmp/tmp.ljvQ4CV2XE$ bzip2 -d data6.bz2
bandit12@bandit:/tmp/tmp.ljvQ4CV2XE$ xxd data6 |head
00000000: 6461 7461 382e 6269 6e00 0000 0000 0000 data8.bin.......
00000010: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000030: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000040: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000060: 0000 0000 3030 3030 3634 3400 3030 3030 ....0000644.0000
00000070: 3030 3000 3030 3030 3030 3000 3030 3030 000.0000000.0000
00000080: 3030 3030 3131 3700 3134 3530 3734 3532 0000117.14507452
00000090: 3535 3000 3031 3132 3535 0020 3000 0000 550.011255. 0...
```
`30 30` = tar once more.
```=
bandit12@bandit:/tmp/tmp.ljvQ4CV2XE$ mv data6 data6.tar
bandit12@bandit:/tmp/tmp.ljvQ4CV2XE$ tar -xf data6.tar
bandit12@bandit:/tmp/tmp.ljvQ4CV2XE$ xxd data8.bin
00000000: 1f8b 0808 6855 1e65 0203 6461 7461 392e ....hU.e..data9.
00000010: 6269 6e00 0bc9 4855 2848 2c2e 2ecf 2f4a bin...HU(H,.../J
00000020: 51c8 2c56 284f 0a4f c971 aa70 cd2c 3271 Q.,V(O.O.q.p.,2q
00000030: 4e74 b5f0 490c c848 2c2d f5cf 372b 280f Nt..I..H,-..7+(.
00000040: ca2d 7229 e702 00dc ec75 4731 0000 00 .-r).....uG1...
```
```=
bandit12@bandit:/tmp/tmp.ljvQ4CV2XE$ mv data8.bin data8.gz
bandit12@bandit:/tmp/tmp.ljvQ4CV2XE$ gzip -d data8.gz
bandit12@bandit:/tmp/tmp.ljvQ4CV2XE$ ls
data2.tar data3 data6.tar data8 data.gz data_.tar tmp
bandit12@bandit:/tmp/tmp.ljvQ4CV2XE$ cat data8
The password is wbWdlBxEir4CaE8LaPhauuOo6pwRmrDw
```
```
wbWdlBxEir4CaE8LaPhauuOo6pwRmrDw
```
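The whole level is a loop: read the magic bytes, pick the matching decompressor or extractor, repeat until the result is no longer a container. As an added example (not code from the write-up), the script below automates that loop on a constructed sample instead of the real data.txt. It assumes `gzip`, `tar` and `od` are available; the function names and the sample text are mine.

```bash
#!/usr/bin/env bash
# Added example (not from the write-up): identify each layer by its magic bytes
# and peel gzip / bzip2 / tar wrappers in a loop until a plain file remains.
# Assumes gzip, tar and od (coreutils); bzip2 only if such a layer appears.

magic_type() {
  # Print gzip, bzip2, tar or other, judging by the bytes where each format
  # keeps its signature (gzip/bzip2 at offset 0, tar's "ustar" at offset 257).
  local f=$1 sig
  sig=$(od -An -tx1 -N3 "$f" | tr -d ' \n')
  case "$sig" in
    1f8b*)  echo gzip ;;
    425a68) echo bzip2 ;;
    *)
      if [ "$(od -An -c -j257 -N5 "$f" 2>/dev/null | tr -d ' \n')" = ustar ]; then
        echo tar
      else
        echo other
      fi ;;
  esac
}

unwrap_layers() {
  # $1: wrapped file, $2: scratch directory. Prints the path of the innermost file.
  local cur=$1 work=$2 n=0 kind member
  while :; do
    kind=$(magic_type "$cur")
    n=$((n + 1))
    case "$kind" in
      gzip)  gzip -dc "$cur" > "$work/layer$n" ;;
      bzip2) bzip2 -dc "$cur" > "$work/layer$n" ;;
      tar)
        # The challenge tarballs hold a single member; take its name from the listing.
        member=$(tar -tf "$cur" | head -n 1)
        tar -xf "$cur" -C "$work" "$member"
        mv "$work/$member" "$work/layer$n" ;;
      *)
        printf '%s\n' "$cur"
        return 0 ;;
    esac
    cur=$work/layer$n
  done
}

build_sample() {
  # Constructed sample (not the real data.txt): text -> gzip -> tar -> gzip.
  # bzip2 is left out so the example also runs where bzip2 is not installed.
  local dir=$1
  printf 'The password is %s\n' 'EXAMPLE-NOT-A-REAL-PASSWORD' > "$dir/inner.txt"
  gzip -c "$dir/inner.txt" > "$dir/inner.gz"
  tar -cf "$dir/mid.tar" -C "$dir" inner.gz
  gzip -c "$dir/mid.tar" > "$dir/outer.bin"
  printf '%s\n' "$dir/outer.bin"
}

recover_text() {
  # End to end: build the sample, unwrap it, print the recovered line, clean up.
  local dir blob final
  dir=$(mktemp -d)
  blob=$(build_sample "$dir")
  final=$(unwrap_layers "$blob" "$dir")
  cat "$final"
  rm -rf "$dir"
}
```

Note that tar has no signature at offset 0, which is why the write-up had to recognise it from the `0000644` mode field: the real "ustar" marker sits at offset 257, and `magic_type` checks that position rather than guessing from the header text.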
### Level 13 -> 14
---
>The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on
Log in to bandit13:
```
bandit13@bandit:~$ ls
sshkey.private
```
After reading [StackOverFlow](https://stackoverflow.com/questions/30553428/copying-files-from-server-to-local-computer-using-ssh), I used:
```
scp -P 2220 bandit13@bandit.labs.overthewire.org:sshkey.private .
```
Here `.` is the current directory.
Checking `ssh --help`, I found the `-i` option for using an *identity_file*.
```
ssh -i sshkey.private bandit14@bandit.labs.overthewire.org -p 2220
```
This gave the warning:
```=
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for 'sshkey.private' are too open.
```
Following [this link](https://stackoverflow.com/questions/9270734/ssh-permissions-are-too-open), which uses `chmod 600 ~/.ssh/id_rsa` to make the key *read-writable* only by its owner, I apply the same mode to the key and log in to level 14 again
```
┌──(sech㉿sech)-[~]
└─$ chmod 600 sshkey.private
┌──(sech㉿sech)-[~]
└─$ ssh -i sshkey.private bandit14@bandit.labs.overthewire.org -p 2220
bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
```
```
fGrHPx402xGC7U7rXKDaxiWFTOiF0ENq
```
### Level 14 -> 15
---
>The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
The hint says to submit the level 14 password to localhost on port 30000; we can use `telnet` or `nc` to connect.
```
bandit14@bandit:~$ nc localhost 30000
fGrHPx402xGC7U7rXKDaxiWFTOiF0ENq
Correct!
```
```
jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt
```
### Level 15 -> 16
---
>The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
For the SSL encryption we use `openssl`; I found [this source](https://serverfault.com/questions/476068/can-netcat-talk-to-an-encrypted-port)
```
openssl s_client -connect localhost:30001 -ign_eof
```
```=
...
read R BLOCK
jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt
Correct!
```
```
JQttfApK4SeyHwDlI9SXGR50qclOAil1
```
### Level 16 -> 17
---
>The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
After some searching on how to scan ports with `nc`, I found [this article](https://www.cyberciti.biz/faq/linux-port-scanning/), which uses `nc -z -v {host-name-here} {port-range-here}`
```
nc -z -v localhost 31000-32000 2>&1 | grep succeeded
```
Here `2>&1` redirects `stderr` to wherever `stdout` currently points ([Stack](https://stackoverflow.com/questions/818255/what-does-21-mean)); nc prints its connection messages on stderr, so this sends them through the pipe to grep, which keeps only the successful ones.
```bash=
Connection to localhost (127.0.0.1) 31046 port [tcp/*] succeeded!
Connection to localhost (127.0.0.1) 31518 port [tcp/*] succeeded!
Connection to localhost (127.0.0.1) 31691 port [tcp/*] succeeded!
Connection to localhost (127.0.0.1) 31790 port [tcp/*] succeeded!
Connection to localhost (127.0.0.1) 31960 port [tcp/*] succeeded!
```
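Level 6 drops stderr with `2>/dev/null` and level 16 merges it into stdout with `2>&1`; the difference, and the order in which redirections apply, is easy to get wrong. The following is an added example, not code from the write-up: `noisy` stands in for `find` and `nc`, which print results on stdout and their "Permission denied" / "Connection ..." messages on stderr, and the counting functions are mine.

```bash
#!/usr/bin/env bash
# Added example (not from the write-up): how 2>/dev/null and 2>&1 route output.
# noisy() stands in for find/nc: results on stdout, diagnostics on stderr.
noisy() {
  echo "result-1"
  echo "Permission denied" >&2
  echo "result-2"
  echo "Connection succeeded!" >&2
}

# Drop stderr: only the real results remain (what the find at level 6 needs).
count_stdout_only() {
  noisy 2>/dev/null | wc -l | tr -d ' '
}

# Merge stderr into stdout so grep can see it (what the nc scan at level 16 needs).
# "2>&1" copies fd 1's current target into fd 2; it does not create a file named "1".
count_merged_succeeded() {
  noisy 2>&1 | grep -c succeeded
}

# Order matters: ">/dev/null 2>&1" silences everything, but "2>&1 >/dev/null"
# first points fd 2 at the pipe (where fd 1 was), then moves only fd 1 away,
# so the stderr lines still reach wc.
count_wrong_order() {
  { noisy 2>&1 >/dev/null; } | wc -l | tr -d ' '
}
count_right_order() {
  { noisy >/dev/null 2>&1; } | wc -l | tr -d ' '
}
```

Redirections are applied left to right, each one duplicating the descriptor as it is at that moment, which is why `2>&1 >/dev/null` leaves stderr on the pipe while `>/dev/null 2>&1` sends both to `/dev/null`.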
All that remains is to try each of the ports above. Another hint: `There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.`
At port `31790` we get the output:
```bash=
bandit16@bandit:~$ openssl s_client -connect localhost:31790 -ign_eof
JQttfApK4SeyHwDlI9SXGR50qclOAil1
Correct!
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlO....
-----END RSA PRIVATE KEY-----
```
[Download link for the key](https://too.lewd.se/86f00a0c2a87_key)
Then use that private key to get into level 17
```bash=
┌──(sech㉿sech)-[~]
└─$ chmod 600 key
┌──(sech㉿sech)-[~]
└─$ ssh -i key bandit17@bandit.labs.overthewire.org -p 2220
```
### Level 17 -> 18
---
>There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new
Use `diff` to compare the lines of the two files
```bash=
bandit17@bandit:~$ diff passwords.new passwords.old
42c42
< hga5tuuCLF6fFzUpnagiMN8ssu9LFrdg
---
> p6ggwdNHncnmCNxuAt0KtKVq185ZU7AW
```
The password is the line from passwords.new (the `<` side of the diff)
```
hga5tuuCLF6fFzUpnagiMN8ssu9LFrdg
```
### Level 18 -> 19
---
>The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
I tried `scp` to copy the `readme` file, but the connection was still closed before the file could be sent
```=
┌──(sech㉿sech)-[~]
└─$ scp -P 2220 bandit18@bandit.labs.overthewire.org:/home/readme .
kex_exchange_identification: Connection closed by remote host
Connection closed by 51.20.13.48 port 2220
scp: Connection closed
```
After some searching I found [this](https://stackoverflow.com/questions/18522647/run-ssh-and-immediately-execute-command): `ssh destination -t 'command; bash -l'`
```
ssh bandit18@bandit.labs.overthewire.org -p 2220 -t 'cat readme'
```
```
awhqfNnAbc1naukrpqDYcF95h7HoMTrC
```
### Level 19 -> 20
---
>To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.
With the hint above, after logging in to level 19
```bash=
bandit19@bandit:~$ ls
bandit20-do
bandit19@bandit:~$ ./bandit20-do
Run a command as another user.
Example: ./bandit20-do id
```
It seems this binary runs a command as another user. Let's compare the output of the example with that of a normal run
```
bandit19@bandit:~$ ./bandit20-do id
uid=11019(bandit19) gid=11019(bandit19) euid=11020(bandit20) groups=11019(bandit19)
bandit19@bandit:~$ id
uid=11019(bandit19) gid=11019(bandit19) groups=11019(bandit19)
```
The password is in `/etc/bandit_pass`, so I use `bandit20-do` to look at the folder first
```bash=
bandit19@bandit:~$ ./bandit20-do ls /etc/bandit_pass/
bandit0 bandit11 bandit14 bandit17 bandit2 bandit22 bandit25 bandit28 bandit30 bandit33 bandit6 bandit9
bandit1 bandit12 bandit15 bandit18 bandit20 bandit23 bandit26 bandit29 bandit31 bandit4 bandit7
bandit10 bandit13 bandit16 bandit19 bandit21 bandit24 bandit27 bandit3 bandit32 bandit5 bandit8
```
Using grep as in level 4, but run through `bandit20-do`:
```
bandit19@bandit:~$ ./bandit20-do grep -nr ".*" /etc/bandit_pass/ 2>/dev/null
```
*-nr*: [source](https://stackoverflow.com/questions/4121803/how-can-i-use-grep-to-find-a-word-inside-a-folder)
```
/etc/bandit_pass/bandit20:1:VxCazJaVykI6W36BkBU0mJTCM8rR95XT
```
### Level 20 -> 21
---
>There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
`suconnect` opens a connection to localhost on the port we give it, reads a line of text from that connection (i.e. from whatever is listening on that local port) and compares it.
So all we need to do is create a port listener with nc and run it in the background (from the hint `Unix 'job control' (bg, fg, jobs, &, CTRL-Z, …)`).
```bash=
bandit20@bandit:~$ echo 'VxCazJaVykI6W36BkBU0mJTCM8rR95XT' | nc -l -p 2221 &
[1] 3606503
```
The listener is created with `-l` (listen mode), and `&` runs it in the background.
```
bandit20@bandit:~$ ./suconnect 2221
Read: VxCazJaVykI6W36BkBU0mJTCM8rR95XT
Password matches, sending next password
NvEJF7oVjkddltPSrdKEFOllh9V1IBcq
```
```
NvEJF7oVjkddltPSrdKEFOllh9V1IBcq
```
### Level 21 -> 22
---
>A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
First let's go into `/etc/cron.d/`
```bash=
bandit21@bandit:~$ cd /etc/cron.d/
bandit21@bandit:/etc/cron.d$ ls
cronjob_bandit15_root cronjob_bandit22 cronjob_bandit24 e2scrub_all sysstat
cronjob_bandit17_root cronjob_bandit23 cronjob_bandit25_root otw-tmp-dir
```
Since there are many files, I use `grep -r -e ".*"` to read all of them at once.
```bash=
bandit21@bandit:/etc/cron.d$ grep -r -e ".*"
cronjob_bandit22:@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
cronjob_bandit22:* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
cronjob_bandit24:@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
cronjob_bandit24:* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
cronjob_bandit17_root:* * * * * root /usr/bin/cronjob_bandit17_root.sh &> /dev/null
e2scrub_all:30 3 * * 0 root test -e /run/systemd/system || SERVICE_MODE=1 /usr/lib/x86_64-linux-gnu/e2fsprogs/e2scrub_all_cron
e2scrub_all:10 3 * * * root test -e /run/systemd/system || SERVICE_MODE=1 /sbin/e2scrub_all -A -r
sysstat:# The first element of the path is a directory where the debian-sa1
sysstat:# script is located
sysstat:PATH=/usr/lib/sysstat:/usr/sbin:/usr/sbin:/usr/bin:/sbin:/bin
sysstat:
sysstat:# Activity reports every 10 minutes everyday
sysstat:5-55/10 * * * * root command -v debian-sa1 > /dev/null && debian-sa1 1 1
sysstat:
sysstat:# Additional run at 23:59 to rotate the statistics file
sysstat:59 23 * * * root command -v debian-sa1 > /dev/null && debian-sa1 60 2
cronjob_bandit15_root:* * * * * root /usr/bin/cronjob_bandit15_root.sh &> /dev/null
.placeholder:# DO NOT EDIT OR REMOVE
.placeholder:# This file is a simple placeholder to keep dpkg from removing this directory
grep: otw-tmp-dir: Permission denied
cronjob_bandit23:@reboot bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
cronjob_bandit23:* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
cronjob_bandit25_root:* * * * * root /usr/bin/cronjob_bandit25_root.sh &> /dev/null
```
Note that bandit 22, 24 and 17 each run a shell script, so I try reading each one
```bash=
bandit21@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
bandit21@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit24.sh
cat: /usr/bin/cronjob_bandit24.sh: Permission denied
bandit21@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit17_root.sh
cat: /usr/bin/cronjob_bandit17_root.sh: Permission denied
```
`/usr/bin/cronjob_bandit22.sh` changes the permissions of `/tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv` and writes the contents of `/etc/bandit_pass/bandit22` into it. So for the next level's password we only need to read `/tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv`
```bash=
bandit21@bandit:/etc/cron.d$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
```
```
WdDozAdTM2z9DiFEQ2mGlwngMfj4EZff
```
### Level 22 -> 23
---
>A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
This one is like the previous level. First I go to `/etc/cron.d/` and read `cronjob_bandit23`
```bash=
bandit22@bandit:/etc/cron.d$ cat cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
bandit22@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget
```
Running `cronjob_bandit23.sh` gives:
```=
bandit22@bandit:/etc/cron.d$ . /usr/bin/cronjob_bandit23.sh
Copying passwordfile /etc/bandit_pass/bandit22 to /tmp/8169b67bd894ddbb4412f91573b38db3
```
The script copies the password file of `myname` (bandit22 at this point) to `mytarget`.
`mytarget` is derived by echoing a line of text and piping it through md5sum, so it depends only on the user name.
So we can run the same command, but with the user changed to `bandit23`, to find where that user's password was copied
```bash=
bandit22@bandit:/etc/cron.d$ echo 'I am user bandit23' | md5sum | cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349
bandit22@bandit:/etc/cron.d$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
QYw0Y2aiA672PsMmh9puTQuhoz8SyR2G
```
```
QYw0Y2aiA672PsMmh9puTQuhoz8SyR2G
```
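The weakness in `cronjob_bandit23.sh` is that the target path is a pure function of the user name, so anyone who can read the script can compute it, and the file lands world-readable in `/tmp`. As an added example (not code from the write-up or the challenge), `predictable_target` reproduces that derivation and `safe_target` shows the hardened alternative; the function names and the `/tmp/pass.XXXXXXXXXX` template are mine.

```bash
#!/usr/bin/env bash
# Added example (not from the write-up): the cron script's target path depends
# only on the user name, so it can be precomputed; contrast with a random,
# owner-only temporary file. predictable_target/safe_target are names chosen here.

predictable_target() {
  # Same derivation as cronjob_bandit23.sh: md5 of "I am user <name>".
  printf 'I am user %s\n' "$1" | md5sum | cut -d ' ' -f 1
}

safe_target() {
  # Hardened variant: mktemp picks an unguessable name and creates the file
  # mode 0600; the umask in the same subshell keeps anything else written
  # there owner-only too. Prints "<path> <octal mode>".
  local f
  f=$(umask 077 && mktemp /tmp/pass.XXXXXXXXXX)
  printf '%s %s\n' "$f" "$(stat -c %a "$f")"
}

safe_target_mode() {
  # Create a hardened target, report its mode, and remove it again.
  local out
  out=$(safe_target)
  rm -f "${out% *}"
  printf '%s\n' "${out#* }"
}
```

With the predictable scheme, a second user on the host can pre-create the target name and watch it, which is exactly what the write-up does with `cat /tmp/8ca3...`; with `safe_target` there is no name to precompute and the mode denies other users the read even if they learn it.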
### Level 23 -> 24
---
>A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
Same steps as the previous level
```bash=
bandit23@bandit:~$ ls
bandit23@bandit:~$ cd /etc/cron.d/
bandit23@bandit:/etc/cron.d$ ls
cronjob_bandit15_root cronjob_bandit22 cronjob_bandit24 e2scrub_all sysstat
cronjob_bandit17_root cronjob_bandit23 cronjob_bandit25_root otw-tmp-dir
bandit23@bandit:/etc/cron.d$ cat cronjob_bandit24
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
bandit23@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash
myname=$(whoami)
cd /var/spool/$myname/foo
echo "Executing and deleting all scripts in /var/spool/$myname/foo:"
for i in * .*;
do
if [ "$i" != "." -a "$i" != ".." ];
then
echo "Handling $i"
owner="$(stat --format "%U" ./$i)"
if [ "${owner}" = "bandit23" ]; then
timeout -s 9 60 ./$i
fi
rm -f ./$i
fi
done
```
There is the echo line *Executing and deleting all scripts in /var/spool/\$myname/foo*; combined with the task description, we probably have to create a shell script, put it in */var/spool/$myname/foo*, and somehow use bandit24's privileges to read the password.
First we need a file that is readable and writable (the cron job runs as bandit24, so it must be able to write to it). Since we cannot create a file in the home directory, we use `mktemp` to hold the output
```bash=
bandit23@bandit:/etc/cron.d$ mktemp
/tmp/tmp.FogemGiwC1
bandit23@bandit:/etc/cron.d$ chmod 777 /tmp/tmp.FogemGiwC1
```
>NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…
Use `mktemp -d` to create a temporary directory and `nano a.sh` to start the script.
```bash=
bandit23@bandit:/etc/cron.d$ mktemp -d
/tmp/tmp.q9As7qaAoQ
bandit23@bandit:/etc/cron.d$ cd /tmp/tmp.q9As7qaAoQ
bandit23@bandit:/tmp/tmp.q9As7qaAoQ$ nano a.sh
```
and put the following in `a.sh`
```bash=
cat /etc/bandit_pass/bandit24 > /tmp/tmp.FogemGiwC1
```
Give a.sh all permissions with `chmod 777 a.sh` and copy it into the executed folder with `cp a.sh /var/spool/bandit24/foo/a.sh`. Since `cronjob_bandit24.sh` contains `for i in * .*;`, which loops over everything in the directory, we just keep running `cat /var/spool/bandit24/foo/a.sh` to see whether the script has been removed yet; once it has, we can read the tmp file created earlier.
```bash
bandit23@bandit:/tmp/tmp.q9As7qaAoQ$ cat /var/spool/bandit24/foo/a.sh
cat /etc/bandit_pass/bandit24 > /tmp/tmp.FogemGiwC1
bandit23@bandit:/tmp/tmp.q9As7qaAoQ$ cat /var/spool/bandit24/foo/a.sh
cat /etc/bandit_pass/bandit24 > /tmp/tmp.FogemGiwC1
bandit23@bandit:/tmp/tmp.q9As7qaAoQ$ cat /var/spool/bandit24/foo/a.sh
cat /etc/bandit_pass/bandit24 > /tmp/tmp.FogemGiwC1
bandit23@bandit:/tmp/tmp.q9As7qaAoQ$ cat /var/spool/bandit24/foo/a.sh
cat: /var/spool/bandit24/foo/a.sh: No such file or directory
bandit23@bandit:/tmp/tmp.q9As7qaAoQ$ cat /tmp/tmp.FogemGiwC1
VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar
```
```
VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar
```
### Level 24 -> 25
---
>A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.
You do not need to create new connections each time
First create a directory with `mktemp -d` to write the script in
```=
bandit24@bandit:~$ mktemp -d
/tmp/tmp.AQpSRRUmUE
bandit24@bandit:~$ cd /tmp/tmp.AQpSRRUmUE
bandit24@bandit:/tmp/tmp.AQpSRRUmUE$ nano a.sh
```
I wrote a script that loops from 1 to 10000 and pipes each attempt to localhost
```bash=
#!/bin/bash
for i in {1..10000}; do
echo VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar $i | nc localhost 30002
done
```
However, this takes a very long time: after replying, the host waits a few seconds before exiting, and only then does the next iteration open its own connection.
```=
bandit24@bandit:/tmp/tmp.AQpSRRUmUE$ . a.sh
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
Wrong! Please enter the correct pincode. Try again.
Timeout. Exiting.
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
Wrong! Please enter the correct pincode. Try again.
...
```
After googling and finding [this](https://subscription.packtpub.com/book/cloud-and-networking/9781785286216/8/ch08lvl1sec67/piping-the-output-of-a-loop-to-a-linux-command), I adjusted the script
```bash=
#!/bin/bash
for i in {1..10000}; do
echo VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar $i
done | nc localhost 30002
```
```=
Wrong! Please enter the correct pincode. Try again.
Wrong! Please enter the correct pincode. Try again.
Correct!
The password of user bandit25 is p7TaowMYrmu23Ol8hiZh9UvD0O9hpx8d
Exiting.
```
```
p7TaowMYrmu23Ol8hiZh9UvD0O9hpx8d
```
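The fix above works because the whole loop feeds one connection instead of opening one per pin, and the daemon accepts unlimited guesses on that connection. The block below is an added example, not code from the write-up: `pin_checker` is a local stand-in for the port-30002 daemon that reads `password pin` lines from stdin, and it takes an optional attempt limit so the effect of a per-connection lockout can be seen. The password, pin and limit are constructed values.

```bash
#!/usr/bin/env bash
# Added example (not from the write-up): a stand-in for the port-30002 checker,
# used to show why one pipe into one connection is fast and how a per-connection
# attempt limit changes the outcome. Password, pin and limit are constructed.

EXAMPLE_PASS='not-the-real-password'
EXAMPLE_PIN='0420'

pin_checker() {
  # $1: maximum wrong pins accepted on this "connection" (0 = unlimited).
  local limit=$1 wrong=0 pass pin
  while read -r pass pin; do
    if [ "$pass" != "$EXAMPLE_PASS" ]; then
      echo "Wrong! Please enter the correct password."
      continue
    fi
    if [ "$pin" = "$EXAMPLE_PIN" ]; then
      echo "Correct!"
      return 0
    fi
    wrong=$((wrong + 1))
    if [ "$limit" -gt 0 ] && [ "$wrong" -ge "$limit" ]; then
      echo "Too many attempts. Exiting."
      return 2
    fi
  done
  echo "Timeout. Exiting."
  return 1
}

candidate_pins() {
  # Zero-padded 0000..9999; the write-up's {1..10000} skips the leading zeros.
  seq -w 0 9999
}

attempt_all() {
  # One pipe, one "connection": every candidate goes down the same stream.
  # $1 is the checker's attempt limit. Prints the checker's final line.
  candidate_pins \
    | while read -r p; do printf '%s %s\n' "$EXAMPLE_PASS" "$p"; done \
    | pin_checker "$1" \
    | tail -n 1
}
```

With `attempt_all 0` the stream runs until the 421st candidate matches; with `attempt_all 50` the same stream is cut off after 50 wrong pins, which is the behaviour a service should have if a 4-digit secret is to mean anything.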
### Level 25 -> 26
---
>Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.
Normally the shell is `/bin/bash`, but at level 26 it is *something else*.
To check, I ran `grep -r -nr / -e "/bin/bash" 2>/dev/null`
```=
...
/etc/passwd:50:bandit21:x:11021:11021:bandit level 21:/home/bandit21:/bin/bash
/etc/passwd:51:bandit22:x:11022:11022:bandit level 22:/home/bandit22:/bin/bash
/etc/passwd:52:bandit23:x:11023:11023:bandit level 23:/home/bandit23:/bin/bash
/etc/passwd:53:bandit24:x:11024:11024:bandit level 24:/home/bandit24:/bin/bash
/etc/passwd:54:bandit25:x:11025:11025:bandit level 25:/home/bandit25:/bin/bash
/etc/passwd:56:bandit27:x:11027:11027:bandit level 27:/home/bandit27:/bin/bash
/etc/passwd:57:bandit28:x:11028:11028:bandit level 28:/home/bandit28:/bin/bash
/etc/passwd:58:bandit29:x:11029:11029:bandit level 29:/home/bandit29:/bin/bash
...
```
bandit26's shell is not listed there at all.
Now find bandit26's shell:
```=
bandit25@bandit:~$ grep -r -nr / -e "bandit26" 2>/dev/null
/etc/subuid-:21:bandit26:1410720:65536
/etc/subgid-:21:bandit26:1410720:65536
/etc/subgid:21:bandit26:1410720:65536
/etc/passwd:55:bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
/etc/subuid:21:bandit26:1410720:65536
/etc/passwd-:55:bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
/etc/group-:81:bandit26:x:11026:
/etc/group:81:bandit26:x:11026:
```
```=
bandit25@bandit:~$ ls /usr/bin/showtext
/usr/bin/showtext
bandit25@bandit:~$ cat /usr/bin/showtext
#!/bin/sh
export TERM=linux
exec more ~/text.txt
exit 0
```
Level 26 uses `more` to display text.txt.
- ***[more](https://man7.org/linux/man-pages/man1/more.1.html)***: *more is a filter for paging through text one screenful at a time.* | *Interactive commands for more are based on vi(1).*
and

So we can get into vim through `more` **if** `more` cannot show the whole file at once, and press `v` to enter vim.
But what do we do once inside vim? The answer is [this](https://github.com/cardboard-iguana/hacking-notes/blob/main/Notes/Set%20a%20Shell%20in%20ViM.md)
>*vi and ViM can be set to override the default $SHELL using :set shell=/bin/bash.*
Use `:set shell=/bin/bash` and then `:shell` to drop into a shell, then `cat /etc/bandit_pass/bandit26` to get this level's password.
```
c7GvcKlw9mC7aUQaPx7nwFstuAIBw1o1
```
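The grep above surfaced bandit26 only because its login shell was not `/bin/bash`. As an added example (not part of this writeup), the check below reads passwd-format lines and flags every account whose shell is not a known one; the sample lines are constructed to mirror the grep output, and the KNOWN_SHELLS list is an assumption you would tune for your hosts.

```bash
#!/bin/sh
# Added example: audit passwd entries for non-standard login shells.
# Custom wrappers such as /usr/bin/showtext (exec of a pager) are exactly
# what this finds, and such wrappers are frequently escapable.

# Constructed sample in /etc/passwd format, modelled on the grep results above.
SAMPLE_PASSWD='bandit25:x:11025:11025:bandit level 25:/home/bandit25:/bin/bash
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
bandit27:x:11027:11027:bandit level 27:/home/bandit27:/bin/bash
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin'

# Shells considered expected (assumed list); anything else is flagged for review.
KNOWN_SHELLS='/bin/bash /bin/sh /usr/bin/zsh /usr/sbin/nologin /bin/false'

# Reads passwd-format lines on stdin and prints "user:shell" for each account
# whose 7th field (login shell) is not in KNOWN_SHELLS.
list_custom_shells() {
    awk -F: -v known="$KNOWN_SHELLS" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        NF >= 7 && !($7 in ok) { print $1 ":" $7 }
    '
}

# Run on the constructed sample; on a real host: list_custom_shells < /etc/passwd
printf '%s\n' "$SAMPLE_PASSWD" | list_custom_shells
```

For the sample input this prints `bandit26:/usr/bin/showtext`, the same account the manual grep led to.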
### Level 26 -> 27
---
>Good job getting a shell! Now hurry and grab the password for bandit27!
Inside bandit26's home there is `bandit27-do`; use it to read the level 27 password
```bash=
bandit26@bandit:~$ ls
bandit27-do text.txt
bandit26@bandit:~$ ./bandit27-do cat /etc/bandit_pass/bandit27
YnQpBuifNMas1hcUFk70ZmqkhUU2EuaS
```
```
YnQpBuifNMas1hcUFk70ZmqkhUU2EuaS
```
### Level 27 -> 28
---
>There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo via the port 2220. The password for the user bandit27-git is the same as for the user bandit27.
>Clone the repository and find the password for the next level.
Log in to level 27 and clone the repo using the syntax `git clone ssh://git@mydomain.example:[port]/gitolite-admin`
```bash=
bandit27@bandit:~$ mktemp -d
/tmp/tmp.RkuKOdw5lV
bandit27@bandit:~$ cd /tmp/tmp.RkuKOdw5lV
bandit27@bandit:/tmp/tmp.RkuKOdw5lV$ git clone ssh://bandit27-git@localhost:2220/home/bandit27-git/repo
Cloning into 'repo'...
...
bandit27-git@localhost's password:
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (3/3), done.
bandit27@bandit:/tmp/tmp.RkuKOdw5lV$ ls
repo
bandit27@bandit:/tmp/tmp.RkuKOdw5lV$ cd repo
bandit27@bandit:/tmp/tmp.RkuKOdw5lV/repo$ ls
README
bandit27@bandit:/tmp/tmp.RkuKOdw5lV/repo$ cat README
The password to the next level is: AVanL161y9rsbcJIsFHuw35rjaOM19nR
```
```
AVanL161y9rsbcJIsFHuw35rjaOM19nR
```
### Level 28 -> 29
---
>There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo via the port 2220. The password for the user bandit28-git is the same as for the user bandit28.
>Clone the repository and find the password for the next level.
Clone as in the previous level; this time the README only contains:
```=
bandit28@bandit:/tmp/tmp.W61pJmhVAM/repo$ ls
README.md
bandit28@bandit:/tmp/tmp.W61pJmhVAM/repo$ cat README.md
# Bandit Notes
Some notes for level29 of bandit.
## credentials
- username: bandit29
- password: xxxxxxxxxx
```
Re-reading the git manual on [man7](https://man7.org/linux/man-pages/man1/git.1.html), I noticed two high-level commands, [git-log(1)](https://man7.org/linux/man-pages/man1/git-log.1.html) and [git-notes(1)](https://man7.org/linux/man-pages/man1/git-notes.1.html).
Trying notes first:
```=
bandit28@bandit:/tmp/tmp.W61pJmhVAM/repo$ git notes show
error: no note found for object 14f754b3ba6531a2b89df6ccae6446e8969a41f3.
bandit28@bandit:/tmp/tmp.W61pJmhVAM/repo$ git notes show README.md
fatal: failed to resolve 'README.md' as a valid ref.
```
Moving on to log:
```bash=
bandit28@bandit:/tmp/tmp.W61pJmhVAM/repo$ git log README.md
commit 14f754b3ba6531a2b89df6ccae6446e8969a41f3 (HEAD -> master, origin/master, origin/HEAD)
Author: Morla Porla <morla@overthewire.org>
Date: Thu Oct 5 06:19:41 2023 +0000
fix info leak
commit f08b9cc63fa1a4602fb065257633c2dae6e5651b
Author: Morla Porla <morla@overthewire.org>
Date: Thu Oct 5 06:19:41 2023 +0000
add missing data
commit a645bcc508c63f081234911d2f631f87cf469258
Author: Ben Dover <noone@overthewire.org>
Date: Thu Oct 5 06:19:41 2023 +0000
initial commit of README.md
```
Use the `-p` (or `--patch`) option to see the full diff of every commit in the log:
```bash=
bandit28@bandit:/tmp/tmp.W61pJmhVAM/repo$ git log --patch README.md
commit 14f754b3ba6531a2b89df6ccae6446e8969a41f3 (HEAD -> master, origin/master, origin/HEAD)
Author: Morla Porla <morla@overthewire.org>
Date: Thu Oct 5 06:19:41 2023 +0000
fix info leak
diff --git a/README.md b/README.md
index b302105..5c6457b 100644
--- a/README.md
+++ b/README.md
@@ -4,5 +4,5 @@ Some notes for level29 of bandit.
## credentials
- username: bandit29
-- password: tQKvmcwNYcFS6vmPHIUSI3ShmsrQZK8S
+- password: xxxxxxxxxx
commit f08b9cc63fa1a4602fb065257633c2dae6e5651b
Author: Morla Porla <morla@overthewire.org>
Date: Thu Oct 5 06:19:41 2023 +0000
add missing data
diff --git a/README.md b/README.md
:
...
```
```
tQKvmcwNYcFS6vmPHIUSI3ShmsrQZK8S
```
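The "fix info leak" commit only removed the password from the working tree; history still carries it. As an added example (not from this writeup), the filter below reads `git log --patch` output on stdin and prints every removed line that looks like a credential, tagged with its commit; the sample log is constructed to match the bandit28 history above, with a placeholder in place of the real value.

```bash
#!/bin/sh
# Added example: find secrets that a later commit removed but that remain in history.

# Constructed excerpt shaped like `git log --patch README.md` above (placeholder secret).
SAMPLE_LOG='commit 14f754b3ba6531a2b89df6ccae6446e8969a41f3
Author: Morla Porla <morla@overthewire.org>

    fix info leak

diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -4,5 +4,5 @@ Some notes for level29 of bandit.
 ## credentials
 - username: bandit29
-- password: PLACEHOLDER_SECRET
+- password: xxxxxxxxxx
commit f08b9cc63fa1a4602fb065257633c2dae6e5651b
Author: Morla Porla <morla@overthewire.org>

    add missing data

diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1,4 +1,5 @@
 # Bandit Notes
+Some notes for level29 of bandit.
 ## credentials
 - username: bandit29'

# Reads patch text on stdin; prints "<short commit>:<removed line>" for every
# removed line (leading "-", excluding the "---" file header) that matches a
# credential keyword. The keyword list is an assumption; extend it as needed.
find_removed_secrets() {
    awk '
        /^commit [0-9a-f]+/ { commit = substr($2, 1, 7); next }
        /^--- /             { next }
        /^-/ && tolower($0) ~ /password|secret|token|api[_-]?key/ {
            print commit ":" substr($0, 2)
        }
    '
}

printf '%s\n' "$SAMPLE_LOG" | find_removed_secrets
```

On a real clone, `git log --patch --all | find_removed_secrets` covers every branch and tag, not just the checked-out one.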
### Level 29 -> 30
---
>There is a git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo via the port 2220. The password for the user bandit29-git is the same as for the user bandit29.
>Clone the repository and find the password for the next level.
Check the log of README.md again
```=
commit 4364630b3b27c92aff7b36de7bb6ed2d30b60f88 (HEAD -> master, origin/master, origin/HEAD)
Author: Ben Dover <noone@overthewire.org>
Date: Thu Oct 5 06:19:43 2023 +0000
fix username
diff --git a/README.md b/README.md
index 2da2f39..1af21d3 100644
--- a/README.md
+++ b/README.md
@@ -3,6 +3,6 @@ Some notes for bandit30 of bandit.
## credentials
-- username: bandit29
+- username: bandit30
- password: <no passwords in production!>
commit fca34ddb7d1ff1f78df36538252aea650b0b040d
Author: Ben Dover <noone@overthewire.org>
Date: Thu Oct 5 06:19:43 2023 +0000
initial commit of README.md
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..2da2f39
--- /dev/null
+++ b/README.md
```
Nothing special. After trying a number of git commands, I got to `git status`:
```
bandit29@bandit:/tmp/tmp.uEtYMfREOm/repo$ git status
On branch master
Your branch is up to date with 'origin/master'.
nothing to commit, working tree clean
```
Perhaps there are other branches besides `origin/master`?
```bash=
bandit29@bandit:/tmp/tmp.uEtYMfREOm/repo$ git branch -a
* master
remotes/origin/HEAD -> origin/master
remotes/origin/dev
remotes/origin/master
remotes/origin/sploits-dev
```
So besides origin there are three other branches; use `git checkout dev` to switch to the `dev` branch
```
bandit29@bandit:/tmp/tmp.uEtYMfREOm/repo$ git checkout dev
Branch 'dev' set up to track remote branch 'dev' from 'origin'.
Switched to a new branch 'dev'
bandit29@bandit:/tmp/tmp.uEtYMfREOm/repo$ ls
code README.md
bandit29@bandit:/tmp/tmp.uEtYMfREOm/repo$ cat code/
cat: code/: Is a directory
bandit29@bandit:/tmp/tmp.uEtYMfREOm/repo$ ls code/
gif2ascii.py
bandit29@bandit:/tmp/tmp.uEtYMfREOm/repo$ cat code/gif2ascii.py
bandit29@bandit:/tmp/tmp.uEtYMfREOm/repo$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.
## credentials
- username: bandit30
- password: xbhV3HpNGlTIdnjUrdAlPzc2L6y9EOnS
```
```
xbhV3HpNGlTIdnjUrdAlPzc2L6y9EOnS
```
### Level 30 -> 31
---
>There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo via the port 2220. The password for the user bandit30-git is the same as for the user bandit30.
>Clone the repository and find the password for the next level.
Repeating the steps from the previous level turned up nothing. Then I tried poking around in the hidden `.git` directory
```=
...
bandit30@bandit:/tmp/tmp.RUPqNaTRuf/repo/.git$ ls objects/info/
bandit30@bandit:/tmp/tmp.RUPqNaTRuf/repo/.git$ ls objects/pack/
pack-5dd047e45dd131498476a052c2995fd1aae73453.idx pack-5dd047e45dd131498476a052c2995fd1aae73453.pack
bandit30@bandit:/tmp/tmp.RUPqNaTRuf/repo/.git$ cat packed-refs
# pack-refs with: peeled fully-peeled sorted
d39631d73f786269b895ae9a7b14760cbf40a99f refs/remotes/origin/master
831aac2e2341f009e40e46392a4f5dd318483019 refs/tags/secret
```
One thing stands out on the last line: `refs/tags/secret`.
Use `git show <obj>` to view that tag
```bash=
bandit30@bandit:/tmp/tmp.RUPqNaTRuf/repo$ git show secret
OoffzGDlzhAlerFJ2cAiz1D41JW1Mhmt
```
```
OoffzGDlzhAlerFJ2cAiz1D41JW1Mhmt
```
### Level 31 -> 32
---
>There is a git repository at ssh://bandit31-git@localhost/home/bandit31-git/repo via the port 2220. The password for the user bandit31-git is the same as for the user bandit31.
>Clone the repository and find the password for the next level.
Reading `README.md`:
```
bandit31@bandit:/tmp/tmp.m4gd4vLepJ/repo$ cat README.md
This time your task is to push a file to the remote repository.
Details:
File name: key.txt
Content: 'May I come in?'
Branch: master
```
This time the task is to commit `key.txt` and push it to the master branch.
```=
bandit31@bandit:/tmp/tmp.m4gd4vLepJ/repo$ touch key.txt
bandit31@bandit:/tmp/tmp.m4gd4vLepJ/repo$ echo 'May I come in?' > key.txt
bandit31@bandit:/tmp/tmp.m4gd4vLepJ/repo$ cat key.txt
May I come in?
bandit31@bandit:/tmp/tmp.m4gd4vLepJ/repo$ git add key.txt
The following paths are ignored by one of your .gitignore files:
key.txt
hint: Use -f if you really want to add them.
hint: Turn this message off by running
hint: "git config advice.addIgnoredFile false"
bandit31@bandit:/tmp/tmp.m4gd4vLepJ/repo$ git add key.txt -f
bandit31@bandit:/tmp/tmp.m4gd4vLepJ/repo$ git commit -m " "
Aborting commit due to empty commit message.
bandit31@bandit:/tmp/tmp.m4gd4vLepJ/repo$ git commit -m "a"
[master fc6207f] a
1 file changed, 1 insertion(+)
create mode 100644 key.txt
bandit31@bandit:/tmp/tmp.m4gd4vLepJ/repo$ git push origin master
...
remote: ### Attempting to validate files... ####
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
remote: Well done! Here is the password for the next level:
remote: rmCBvG56y58BXzv98yZGdO7ATVL5dW8y
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
To ssh://localhost:2220/home/bandit31-git/repo
! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'ssh://localhost:2220/home/bandit31-git/repo'
```
```
rmCBvG56y58BXzv98yZGdO7ATVL5dW8y
```
### Level 32 -> 33
---
>After all this git stuff its time for another escape. Good luck!
```=
┌──(sech㉿sech)-[~]
└─$ ssh bandit32@bandit.labs.overthewire.org -p 2220 -t 'ls'
_ _ _ _
| |__ __ _ _ __ __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|
This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames
bandit32@bandit.labs.overthewire.org's password:
WELCOME TO THE UPPERCASE SHELL
>> ls
sh: 1: LS: Permission denied
>> exit
sh: 1: EXIT: Permission denied
```
Searching for the keywords *escape* and *custom shell*, I found an [article about it](https://0xffsec.com/handbook/shells/restricted-shells/):
>*The env command returns information about the current SHELL and PATH. If it’s not available, try echoing $0 and $PATH separately.*
```
bandit32@bandit.labs.overthewire.org's password:
WELCOME TO THE UPPERCASE SHELL
>> sudo -l
sh: 1: SUDO: Permission denied
>> $PATH
sh: 1: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin: not found
>> $0
$ ls
uppershell
$ cat /etc/bandit_pass/bandit32
cat: /etc/bandit_pass/bandit32: Permission denied
$ cat /etc/bandit_pass/bandit33
odHo63fHiFqcWWJG9rLiLDtPm45KzUKy
```
```
odHo63fHiFqcWWJG9rLiLDtPm45KzUKy
```
### Level 33 -> 34
---
```
Congratulations on solving the last level of this game!
At this moment, there are no more levels to play in this game. However, we are constantly working
on new levels and will most likely expand this game with more levels soon.
Keep an eye out for an announcement on our usual communication channels!
In the meantime, you could play some of our other wargames.
If you have an idea for an awesome new level, please let us know!
```