I know it’s been way too long since I wrote an article. I was just too busy with my studies. Anyway, let’s jump right in. I started this blog to help people get their footing in bug bounty on various platforms and learn what exactly to test for. However, that doesn’t address the basics required to actually build up the skill, or the sheer patience, needed to get there. Well, here we go …
→ OverTheWire is a platform for learning security fundamentals using games as a medium. It hosts several wargames, and the levels within each wargame are arranged in increasing difficulty, so each level prepares you for the next.
→ Wargames include:
1. Bandit
2. Natas
3. Leviathan
4. Krypton
5. Narnia
6. Behemoth
7. Utumno
8. Maze
9. Vortex
10. Manpage
→ Each wargame specializes in teaching a particular security concept. We will solve each wargame, level by level, and cover the important concepts along the way.
→ Check out the webpage below:
Requirements:
1. Download VMware or VirtualBox.
2. Download an ISO for a Linux distribution, e.g. Debian, Ubuntu or Kali Linux. Here, we are going to use Kali Linux to complete all the wargames.
Note: You can use any Linux distribution. Using Kali Linux is not mandatory.
3. An SSH client. OpenSSH is fine; it is pre-installed on most distributions.
Note for VMs: You may fail to connect to overthewire.org via SSH with a “broken pipe error” when the network adapter for the VM is configured to use NAT mode. Adding the setting
IPQoS throughput
to /etc/ssh/ssh_config
should resolve the issue. If this does not solve your issue, the only option then is to change the adapter to Bridged mode.
Credits: The above text has been extracted directly from the site:
https://overthewire.org/wargames/bandit/
Bandit:
— — — — — — -
→ Fire up the VM and let’s get going lads.
Level 0:
→ Accessing level 0 is easy. Fire up the terminal and SSH your way in as shown in the image below.
→ You need to connect to the host bandit0@bandit.labs.overthewire.org on port 2220 (pass “-p 2220” to ssh; the game does not listen on the default port 22).
→ Head over to the web page, where you will find the password “bandit0”. Enter it in the terminal and you will see a shell as below.
Level 0 → Level 1:
→ Run the “ls” command to list the files in the current directory.
→ You will find a file named “readme”. You can either open it in an editor or, to just print its contents, run the “cat” command as shown below.
Level 1 → Level 2:
→ As in Level 0, connect to the host, i.e. bandit1@bandit.labs.overthewire.org, and paste the password found in the previous level to get access.
→ Running “ls” shows a file named “-”. A plain “cat -” will not work, because a lone “-” tells cat to read from standard input rather than a file. Refer to the file by a path instead, i.e. “cat ./-”, and the password for the next level is printed.
Level 2 → Level 3:
→ Continue as in the steps above, i.e. ssh your way into the next level by pasting the password, and so on.
→ First, list the files with “ls”. In this case there is a file called “spaces in the filename”. Because the name contains spaces, the shell would split it into several arguments, so wrap it in quotes (or escape each space with a backslash) when passing it to “cat”, then proceed to the next level.
Level 3 → Level 4:
→ Run “ls” again to see the directory structure. In this case, there is a folder called “inhere”.
→ Use “cd” to move into the folder. A plain “ls” shows nothing, because the file is hidden: its name starts with a dot. Use “ls -hal” to list hidden files as well.
NOTE:
Flag “-h” prints sizes in human-readable units (K, M, G); it only has an effect together with “-l”.
Flag “-l” uses the long listing format (permissions, owner, group, size, timestamp).
Flag “-a” shows all entries, including hidden files and directories whose names begin with a dot.
The below diagram shows the user accessing hidden files.
Level 4 → Level 5:
→ Go to the next level as in the previous scenarios. Here, we have a directory called “inhere”. Move into it using “cd” and list its contents with “ls”.
→ We are looking for the one file that contains human-readable text. There are ten files in total, “-file00” to “-file09”, so we can either check them one by one or let “file” classify all of them. The names start with “-”, so run them through find, which hands “file” paths of the form “./-file00” that cannot be mistaken for options:
find . -type f -exec file {} \; | grep "ASCII text"
→ There are different queries one could try; I just happen to be using this one.
Level 5 → Level 6:
→ Proceed to the next level. Here, we are searching for a specific file with
following attributes:
- human-readable
- 1033 bytes in size
- not executable
→ Moving into every directory and checking every file by hand would be time consuming, so we use a single find query:
find ./inhere -readable -size 1033c \! -executable
→ Note that “-readable” only tests that we have permission to read the file, not that its content is text; the exact size is what really narrows it down. “1033c” means 1033 bytes; without the “c” suffix, find would count 512-byte blocks instead.
The below figure depicts the same.
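→ The searches in Levels 4 and 5 can be reproduced offline. The script below is an added example, not code from the original post or from OverTheWire: it builds a constructed “inhere” tree (the decoy names, the file contents and the password in them are made up; only the “-file00” to “-file09” names follow the level), shows why the dash-prefixed names need a path prefix, and applies the same find tests. A “grep -I” check stands in for “file” so that it runs without file(1). It assumes GNU coreutils, grep and find.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: a reproducible version of the
# Level 4 and Level 5 searches. build_inhere creates a constructed "inhere"
# tree (names, contents and password are made up), find_ascii picks out the
# one text file among the dash-named files, and find_1033 applies the
# size/permission tests. Assumes GNU coreutils, grep and find.

# Create $1/inhere with ten 33-byte files -file00..-file09 (all NUL bytes,
# i.e. binary, except -file07 which holds text) plus Level 5 style decoys.
build_inhere() {
  local d="$1/inhere" i
  mkdir -p "$d/maybehere01" "$d/maybehere02"
  for i in 00 01 02 03 04 05 06 07 08 09; do
    head -c 33 /dev/zero > "$d/-file$i"
  done
  printf 'constructed-level5-password\n' > "$d/-file07"
  # right size, readable, not executable: the one Level 5 wants
  head -c 1033 /dev/zero | tr '\0' 'a' > "$d/maybehere01/.file2"
  # right size but executable: must be rejected by "! -executable"
  head -c 1033 /dev/zero | tr '\0' 'b' > "$d/maybehere02/-file2"
  chmod +x "$d/maybehere02/-file2"
  # readable, not executable, but one byte too long
  head -c 1034 /dev/zero | tr '\0' 'c' > "$d/maybehere02/.file1"
}

# Level 4: list the dash-named files that contain text. Writing the paths as
# "$dir/-fileNN" (or ./-fileNN from inside the directory) keeps the leading
# "-" from being parsed as an option. grep -I treats files containing NUL
# bytes as binary (no match) and -l prints only the names of matching files.
find_ascii() {
  grep -Il . "$1"/-file*
}

# Level 5: regular files that are readable, exactly 1033 bytes and not
# executable. "1033c" means bytes; a bare number would count 512-byte blocks.
find_1033() {
  find "$1" -type f -readable -size 1033c ! -executable
}

demo() {
  local t
  t=$(mktemp -d)
  build_inhere "$t"
  echo "Without a path prefix, cat reads the name as options:"
  (cd "$t/inhere" && cat -file07) 2>&1 | head -n 1
  echo "Level 4 text file:"
  find_ascii "$t/inhere"
  echo "Level 5 candidate:"
  find_1033 "$t/inhere"
  rm -rf "$t"
}
demo
```

The same two predicates that reject the decoys here are what make the real query return a single path; if your own find ever prints several candidates, check the size unit first, since “-size 1033” without “c” is a different test altogether.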
Level 6 → Level 7:
In this level, we are searching for a file with specific attributes:
- owned by user bandit7
- owned by group bandit6
- 33 bytes in size
→ The file could be anywhere on the server, so the search has to start at the root directory “/”. As an ordinary user, bandit6 is not allowed to enter many of the directories under “/”, and find prints a “Permission denied” error for each one it cannot read.
→ To satisfy the above conditions, we use the following query:
find / -user bandit7 -group bandit6 -size 33c 2>/dev/null
→ The expression “2>/dev/null” redirects standard error (file descriptor 2) to “/dev/null”, a device that discards everything written to it. Without it, the single useful result would be buried among the permission errors; with it, only the matching path is printed on the terminal.
Level 7 → Level 8:
→ In this level, the password is stored in the file “data.txt”, on the line that contains the word “millionth”.
→ As the image above shows, “data.txt” is about 4.0 MB, so reading through it by hand is not an option. Instead we use “grep”, with “millionth” as the search pattern and “data.txt” as the file: it prints only the matching line, and the password is the second field on that line, right after the word.
Level 8 → Level 9:
→ Here, we have a text file named “data.txt”. The password is the only line that occurs exactly once; every other line appears several times. We use the “sort” and “uniq” commands.
→ First, “sort” puts all the lines in order so that identical lines end up next to each other; this matters because “uniq” only compares adjacent lines. Then “uniq -u” prints only the lines that occur exactly once, which leaves just the password. (“uniq” on its own would merely collapse each run of duplicates into a single line, which is not what we want.)
Level 9 → Level 10:
→ We have a file named “data.txt” that is mostly binary data with a few human-readable strings mixed in; the password is on one of the lines that begin with “=” signs.
→ We chain two commands: “strings” pulls the printable character sequences out of the binary data, and its output is then grepped for lines starting with “=”. The query looks like:
strings data.txt | grep '^='
Level 10 → Level 11:
→ The file “data.txt” holds the password as base64-encoded data. To decode it, use “base64” with the “--decode” (or “-d”) option. The query is as follows:
base64 --decode data.txt
Level 11 → Level 12:
→ The password is stored in the file “data.txt”, where all lowercase and uppercase letters have been rotated by 13 positions. We can decode it by hand or with a single command.
→ Shifting the alphabet by 13 positions is the ROT13 cipher, and because 13 is half of 26, applying the same shift a second time undoes it. To decode, we map each letter to the one 13 positions further on with “tr”, wrapping around at the end of the alphabet:
cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'
Level 12 → Level 13:
→ Here, “data.txt” holds the password as a hexdump of a file that has been compressed repeatedly. We need somewhere writable to work, so first create a folder under “/tmp”, e.g. “mkdir /tmp/predator”.
→ After creating the folder, copy “data.txt” into it with “cp”, i.e. “cp data.txt /tmp/predator”, and “cd” into it.
→ Then reverse the hexdump with “xxd -r”. The whole command is “xxd -r data.txt > myfile”, where “myfile” is the file that receives the binary data. Now run “file myfile” to see which compression was used (gzip, bzip2 or a tar archive), unpack that one layer with the matching tool, and run “file” on the result again. Note that gzip and bzip2 expect the “.gz” or “.bz2” suffix when decompressing in place, so either rename the file with “mv” first or use “-dc” and redirect the output to a new file. Since the data is compressed many times over, keep repeating this until “file” finally reports “ASCII text”; that file contains the password.
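→ Doing the “file, unpack, file again” cycle by hand gets old quickly. The script below is an added example, not part of the original post or of the game, that automates it: a helper that checks the same magic bytes file(1) looks at (so it also works where file is not installed), and a loop that unwraps gzip, bzip2 and tar layers until the payload is plain text. The input blob is constructed to mimic what “xxd -r data.txt” produces, and the password in it is made up; it assumes gzip, tar and coreutils, and uses bzip2 only if it is installed.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: automate the "run file, unwrap
# one layer, repeat" loop of Level 12. file_kind reports what file(1) would
# by checking the magic bytes itself (gzip 1f 8b, bzip2 "BZh", "ustar" at
# byte offset 257 for tar), so it runs even where file(1) is missing.
# make_fixture builds a constructed blob (text in tar in gzip in bzip2) that
# stands in for the output of "xxd -r data.txt"; the password in it is made up.
# Assumes gzip, tar and coreutils; bzip2 is used only if installed.

file_kind() {
  local magic
  magic=$(head -c 3 "$1" | od -An -tx1 | tr -d ' \n')
  case "$magic" in
    1f8b*)  echo gzip ;;
    425a68) echo bzip2 ;;
    *)
      if [ "$(tail -c +258 "$1" | head -c 5)" = ustar ]; then
        echo tar
      else
        echo text
      fi ;;
  esac
}

# Unwrap $1 layer by layer into $2/stageN until the payload is not a known
# archive, then print the path of that final file.
unpack_until_text() {
  local src="$1" work="$2" n=0 cur next kind
  cur="$work/stage0"
  cp "$src" "$cur"
  while :; do
    kind=$(file_kind "$cur")
    if [ "$kind" = text ]; then
      break
    fi
    n=$((n + 1))
    if [ "$n" -gt 32 ]; then
      echo "giving up after 32 layers" >&2
      return 1
    fi
    next="$work/stage$n"
    # -dc reads stdin, so no .gz/.bz2 suffix renaming is needed;
    # tar -O writes the member contents to stdout.
    case "$kind" in
      gzip)  gzip -dc < "$cur" > "$next" ;;
      bzip2) bzip2 -dc < "$cur" > "$next" ;;
      tar)   tar -xOf "$cur" > "$next" ;;
    esac
    echo "stage$n: $kind -> $(file_kind "$next")" >&2
    cur="$next"
  done
  echo "$cur"
}

# Constructed sample: text wrapped in tar, gzip and (if available) bzip2.
make_fixture() {
  local work="$1"
  printf 'The password is %s\n' 'constructed-level13-password' > "$work/secret.txt"
  tar -cf "$work/layer1.tar" -C "$work" secret.txt
  gzip -c "$work/layer1.tar" > "$work/layer2.gz"
  if command -v bzip2 > /dev/null 2>&1; then
    bzip2 -c "$work/layer2.gz" > "$work/data.bin"
  else
    cp "$work/layer2.gz" "$work/data.bin"
  fi
  echo "$work/data.bin"
}

main() {
  local work blob out
  work=$(mktemp -d)
  blob=$(make_fixture "$work")
  out=$(unpack_until_text "$blob" "$work")
  cat "$out"
  rm -rf "$work"
}
main
```

On the real host, run “xxd -r data.txt > myfile” first and then point unpack_until_text at “myfile” and your /tmp folder; each layer it strips is logged on stderr, so you can compare its verdicts with what “file” says.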
Level 13 → Level 14:
→ The password is stored in “/etc/bandit_pass/bandit14”, which only bandit14 can read. Instead of a password, this level gives us an SSH private key, “sshkey.private” in the home directory, with which we can log in to the next level on the same machine and then cat the password file. The game’s sshd listens on port 2220, so pass that port for localhost as well.
Command: ssh -i sshkey.private -p 2220 bandit14@localhost
Level 14 → Level 15:
→ Connect to the remote host as usual, i.e. “ssh bandit14@bandit.labs.overthewire.org -p 2220”, and enter the password of bandit14 (the one read from /etc/bandit_pass/bandit14 in the previous level). The password for the next level is returned by submitting the current password to port 30000 on localhost, which we do with “nc”.
→ “nc” (netcat) opens a plain TCP connection when given a host and a port, i.e. “nc localhost 30000”; whatever you type is sent to the server and its reply is printed back. Paste the bandit14 password and the server answers with the password for bandit15.
Level 15 → Level 16:
→ The password can be retrieved by submitting the password of the current level to port 30001 on localhost, this time over SSL/TLS. Plain “nc” no longer works here, because the server expects a TLS handshake before any data.
→ To connect to a TLS server, we use openssl’s built-in client with the following syntax:
“openssl s_client -connect <hostname>:<port_number>”
→ In this case, we use “openssl s_client -connect localhost:30001”.
→ Once the handshake completes (openssl prints the certificate and session details), enter the password for the current level and the server replies with the next one. One caveat: in interactive mode s_client treats an input line that begins with “Q”, “R”, “k” or “K” as a command (quit, renegotiate, key update) rather than as data. If your password starts with one of those letters, add “-quiet” (which also implies “-ign_eof”) so that the line is sent verbatim.
Level 16 → Level 17:
→ First, scan the ports in the range 31000 to 32000 to find out which are open. Then, as in the previous level, connect to each of them with openssl s_client.
Command: “nmap localhost -p31000-32000” (use a plain hyphen in the range; a dash character pasted from a web page is not understood by nmap)
→ nmap lists a handful of open ports. Only one of them speaks SSL/TLS and hands out the credentials; the others either fail the TLS handshake or simply echo back whatever you send. So try each open port with “openssl s_client -connect localhost:<port>” until you find the right one. Here, it is port “31790”.
→ Now paste your current level password and you will be presented with an RSA private key, with which we will log in to the next level, i.e. “bandit17”.
→ Save the RSA private key to your local system under the name “bandit17.key” using the vim editor, copying everything from the “-----BEGIN RSA PRIVATE KEY-----” line through the “-----END RSA PRIVATE KEY-----” line. Then restrict its permissions with “chmod 600 bandit17.key”; ssh refuses to use a private key that other users can read.
→ Now SSH into bandit17 using “bandit17.key”:
“ssh -i bandit17.key bandit17@bandit.labs.overthewire.org -p 2220”
Drop the “sudo”: running ssh as root is unnecessary once the key’s permissions are fixed.
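→ Instead of trying each open port by hand, the scan and the probe can be chained. The script below is an added example, not code from the original post or from OverTheWire: it parses nmap’s normal output for open TCP ports and feeds the current password to each of them through openssl s_client. The nmap output it parses is a constructed sample (only port 31790 comes from this post; the other port numbers are made up), and the probing function needs the real host, so only the parsing part runs offline. It assumes awk and coreutils, plus nmap and openssl on the game host.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: replace the Level 16 trial and
# error with a loop. open_ports parses nmap's normal output for open TCP
# ports; probe_port submits the current password to one of them through
# openssl s_client. SAMPLE_SCAN is a constructed stand-in for the real scan
# (only 31790 is taken from the post; the other port numbers are made up),
# and the probe needs the real host, so only the parsing runs offline.

# Print the port number of every "NNNN/tcp open ..." line read from stdin.
open_ports() {
  awk '/^[0-9]+\/tcp +open/ { sub(/\/tcp$/, "", $1); print $1 }'
}

# Constructed sample of: nmap localhost -p31000-32000
SAMPLE_SCAN='Starting Nmap ( https://nmap.org )
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
Not shown: 997 closed ports
PORT      STATE SERVICE
31046/tcp open  unknown
31518/tcp open  unknown
31790/tcp open  unknown
31960/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds'

# Send $2 (this level's password) to localhost:$1 over TLS and print the reply.
# -quiet implies -ign_eof and turns off s_client's interactive line commands
# (Q, R, k, K), so a password starting with one of those letters is sent
# verbatim. Ports that do not speak TLS fail the handshake and print nothing;
# the echo servers never close the connection, hence the timeout.
probe_port() {
  local port="$1" password="$2"
  printf '%s\n' "$password" |
    timeout 10 openssl s_client -quiet -connect "localhost:$port" 2>/dev/null
}

# Scan the range on the real host and probe every open port with the password.
scan_and_probe() {
  local password="$1" port
  for port in $(nmap localhost -p31000-32000 | open_ports); do
    echo "== localhost:$port"
    probe_port "$port" "$password"
  done
}

# Ports the parser extracts from the constructed scan, one per line.
sample_open_ports() {
  printf '%s\n' "$SAMPLE_SCAN" | open_ports
}

sample_open_ports
# On the game host:  scan_and_probe "$(cat /etc/bandit_pass/bandit16)"
```

The port whose reply starts with “Correct!” followed by a PEM block is the one you want; the others print either nothing or your own password again, which is exactly the behaviour the trial-and-error step above relies on.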
→ Using “ls”, we can observe two files, “passwords.new” and “passwords.old”. Open them and you will see a bunch of passwords, almost all of which appear in both files.
→ Rather than comparing them by eye, use “diff”, i.e. “diff passwords.new passwords.old”. diff does not remove duplicates; it prints only the lines that differ between the two files, with “<” marking the line taken from the first file (passwords.new) and “>” the line from the second (passwords.old). That gives us two candidate passwords. Both of my login attempts with them were unsuccessful; if yours are too, check that you copied the line without the “<” marker or a trailing space.
→ Looking back over the solved levels, all passwords are stored in the “/etc/bandit_pass” folder, one file per user, and each file is readable only by the user it belongs to. Using “cd”, move to the folder and type “ls” to see the files available.
→ We can see that there are files ranging from “bandit0” to “bandit33”. Since we are logged in as bandit17 and trying to find the password for bandit17, use “cat” on that file and voilà, there it is (the other files are not readable from this account). You little devil.
Adios. Until next time.
Upcoming Articles: Level 17 → Level 34