2.2.Bandit level 10 to 20 (Overthewire)
Today we will complete the old report boxes to continue playing : Bandit Level 0 ToBandit Level 10
Bandit Level 10 â Level 11
The password for the next level is stored in the file data.txt, which contains base64 encoded data .
To sign up : ssh bandit10@bandit.labs.overthewire.org -p 2220
Password : G7w8LIi6J3kTb8A7j9LgrywtEUlyyp6s
The command base64 -d date.txt is used to decode a Base64-encoded file named date.txt . Base64 is a binary-to-text encoding scheme that is commonly used to transmit data over the internet, such as email attachments. The -d flag tells the base64 command to decode the file.
Password, letâs go to the next level .
Bandit Level 11 â Level 12
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions
To sign up : ssh bandit11@bandit.labs.overthewire.org -p 2220
Password : 6zPeziLdR2RKNdNYFNb6nVCKzphlXHBM
Yes, the game is starting to take some thought .
After searching Rot13 on Wikipedia , and using Google to find out the solution, I found one of the best solutions , Refer the attached resources for more information on the tr command :
To decode ROT13 on the Linux command line, you can use the tr command with the following syntax:
Here is the password .
Since we know we know that the characters in the data are rotated by 13 characters , In this command:
-
tr : The tr command for translating or deleting characters.
-
â[N-ZA-Mn-za-m]â : The first character set, representing the ROT13-encrypted characters.
-
â[A-Za-z]â : The second character set, representing the corresponding ROT13-decoded characters.
Bandit Level 12 â Level 13
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)
To sign up : ssh bandit12@bandit.labs.overthewire.org -p 2220
Password : JVNBBFSmZwKKOP0XbFXOoW8chDz5yVRv
When doing the first things .
-mkdir used to create a new directory.
-cp copies files.
The xxd command is particularly useful for debugging purposes when examining binary files or manipulating binary data. It provides a clear representation of the dataâs binary representation and enables modifications or conversions to the desired format.
The -r option in the xxd command specifically indicates the reverse operation, where the command attempts to convert a hexadecimal dump back into its original binary form. This is useful for reconstructing binary data from its hexadecimal representation, which is often used in various file formats or transmissions.
In essence, the xxd -r command allows you to take a hexadecimal dump, which is a text representation of binary data, and convert it back into the original binary format, making it easier to interpret and manipulate the data as needed.
We can see that the file has been compressed using qzip so we can decompress the data , The command is mv DATE DATE.gz used to move a file named DATE to a new name DATA.gz and compress it using the gzip algorithm. The mv command stands for "move" and is used to rename or move files and directories. The .gz extension indicates that the file is compressed using the gzip algorithm, a common compression format for Unix-like systems , The gunzip command is used to decompress gzip-compressed files.
The bunzip2 command is used to decompress files that have been compressed using the bzip2 algorithm. Bzip2 is a popular compression algorithm that is known for its high compression ratio and relatively fast decompression speed.
The command tar xvf DATE is used to extract the contents of a tar archive named DATE to the current directory. The tar command is a versatile tool for creating, extracting, and managing tar archives, which are commonly used to store and transfer files.
Options:
x : Extract the contents of the archive.\ v : Verbose mode, displaying additional information during operation.\ f : Specify the archive file to operate on.
As a reminder, The file command is typically used to identify the type of unknown files or to verify the format of known files. Itâs particularly useful in troubleshooting situations where file type mismatches or data corruption might occur.
The purpose of all this is to learn how to use pressure .
As a reminder, The mv command is a versatile tool in Unix-like operating systems that performs various operations on files and directories, primarily moving, renaming, and deleting them. Itâs a fundamental command widely used in file management tasks and scripting.
Yes, finish the new password .
Bandit Level 13 â Level 14
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you donât get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on :
To sign up : ssh bandit13@bandit.labs.overthewire.org -p 2220
Password : wbWdlBxEir4CaE8LaPhauuOo6pwRmrDw
So far there is no mystery .
PEM (Privacy Enhanced Mail) is a format for storing RSA private keys. RSA is a public-key cryptography algorithm widely used for secure communication and data exchange. PEM is a text-based format that encodes the binary RSA private key data using Base64 encoding and wraps it within specific header and footer lines. This format makes it easier to handle and transmit RSA private keys in various contexts, such as email attachments or configuration files.
This is where the problems started .
The command ssh -i sshkey.private bandit14\@local is used to establish an SSH connection to the user bandit14 on the local machine using the private key sshkey.private. SSH (Secure Shell) is a cryptographic protocol that allows for secure remote login and data transfer between two computers. It provides a secure channel over an insecure network, enabling users to communicate and manage files remotely without compromising security.
Here a lot of things were searched and created, so we used scp .
Password here : wbWdlBxEir4CaE8LaPhauuOo6pwRmrDw
You can refer here to know more information phoenixnap.com
scp -P 2220bandit13@bandit.labs.overthewire.org:sshkey.private . is used to securely copy a file named sshkey.private from the user bandit13 on the remote machine bandit.labs.overthewire.org to the current directory on the local machine. SCP (Secure Copy) is a file transfer protocol that utilizes SSH to securely transfer files between two machines.
Hereâs a breakdown of the command:
scp : Invokes the SCP client program.
-P 2220 : Specifies the non-standard SSH port 2220 to connect to the remote server. The default SSH port is 22.
bandit13@bandit.labs.overthewire.org : Identifies the remote user bandit13 on the remote machine bandit.labs.overthewire.org.
:sshkey.private : Specifies the source file sshkey.private on the remote machine to be copied.
. : Indicates the destination directory on the local machine, which is the current directory represented by .
The command chmod 700 sshkey.private is used to change the permissions of the file sshkey.private to 700. This means that only the owner of the file (the user who created it) will have read, write, and execute permissions for the file. No other users or groups will have any access to the file. This is a common practice for protecting private keys, as it ensures that only the authorized person can use the key to decrypt sensitive data.
Here is a breakdown of the command:
chmod : This is the command to change file permissions.\ 700 : This is the octal number that represents the permissions to set for the file. The first digit (7) represents the ownerâs permissions, the second digit (0) represents the groupâs permissions, and the third digit (0) represents the permissions for other users.\ sshkey.private: This is the name of the file whose permissions are being changed.
After modifying the permissions on my device, we were able to access the device using sshkey.private .
Welcome to the new password
Bandit Level 14 â Level 15
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
To sign up : ssh bandit14@bandit.labs.overthewire.org -p 2220
Password : fGrHPx402xGC7U7rXKDaxiWFTOiF0ENq
It needs some thought .
nc localhost 30000 is used to establish a TCP connection to the localhost on port 30000 using the netcat utility. Netcat, often abbreviated as nc, is a versatile networking tool that can be used for various purposes, including creating TCP and UDP connections, transferring files, and sending and receiving data over a network.
The command syntax for netcat is:
nc [options] :\ Where:
options : Specify various options that control the behavior of netcat.\  : The hostname or IP address of the host to connect to.\  : The port number on the host to connect to.\ In the case of nc localhost 30000, the command is attempting to connect to the local machine (localhost) on port 30000. This can be useful for testing network connectivity or communicating with a service running on the local machine that listens on port 30000.
Without additional context or knowledge of the specific service running on port 30000, itâs difficult to determine the exact purpose or outcome of executing this command. It could be used to send data to a local server, receive data from a local server, or establish a backdoor connection to the local machine.
Here, after we opened a connection to NC, we entered the password for the path in game number 13, so enter the password for the next game.
Bandit Level 15 â Level 16
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
Helpful note: Getting âHEARTBEATINGâ and âRead R BLOCKâ? Use -ign_eof and read the âCONNECTED COMMANDSâ section in the manpage. Next to âRâ and âQâ, the âBâ command also works in this version of that commandâŚ
To sign up : ssh bandit15@bandit.labs.overthewire.org -p 2220
Password : jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt
After a little searching and thinking, I found this path for the current level: /etc/bandit_pass/bandit15Â .
openssl s_client -connect localhost:30001 is used to establish an SSL/TLS connection to the local machine (localhost) on port 30001 using the OpenSSL library. OpenSSL is a widely used toolkit for cryptography and secure communication, providing various tools for handling certificates, generating keys, and establishing secure connections.
The s_client command specifically is used for testing SSL/TLS connections and analyzing the server's SSL/TLS certificate and handshake process. It initiates a connection to the specified remote server and examines the server's response to determine if the connection is secure and the server's certificate is valid.
In this case, the command is attempting to connect to the local machine (localhost) on port 30001, which is usually reserved for unprivileged ports. Itâs possible that a local application or service is listening on this port and using SSL/TLS encryption for secure communication.
Executing this command will typically display the following information:
-
Connection details: The established SSL/TLS connection parameters, including the protocol version, cipher suite, and session ID.
-
Serverâs certificate: The serverâs SSL/TLS certificate information, including its issuer, validity period, and subject details.
-
Handshake negotiation: The steps involved in the SSL/TLS handshake process, including the exchange of messages and cryptographic keys.
-
Connection termination: The closing of the SSL/TLS connection and any additional information that might be relevant.
-
The specific output may vary depending on the serverâs configuration and the version of OpenSSL being used.
-
The
openssl s_clientcommand is a valuable tool for troubleshooting SSL/TLS connectivity issues and verifying the security of servers. It allows users to assess the server's certificate validity, encryption strength, and overall SSL/TLS configuration.
We pasted the password from inside the file during the connection .
The method worked and we extracted the password for the next round. If you want to know more about openssl, visit OpenSSL .
Bandit Level 16 â Level 17
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which donât. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
To sign up : ssh bandit16@bandit.labs.overthewire.org -p 2220
Password : JQttfApK4SeyHwDlI9SXGR50qclOAil1
Now I had to resort to nmap, so look at that The Best Nmap Cheat Sheet | Zero To Mastery to know more :
We find out which server ports it is listening on.
31518/tcp open ssl/echo , 31790/tcp open ssl/unknown
Just the beginning .
After adding the first password that we found .
When I was unable to create a file to save the password in, I had to find another way, so I did the following:
But we didnât have powers here either for that .
We saved the key, entered a file in our host
I switched the connection along using â ssh -i pry_Key bandit17@bandit.labs.overthewire.org -p 2220 â\ But it did not work and I was asked for a password, so I have to modify the permissions until I reach the optimal solution.
After several attempts, these are the appropriate permissions .
We succeeded, my friend .
Hereâs the goal .
Bandit Level 17 â Level 18
There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new
NOTE: if you have solved this level and see âByebye!â when trying to log into bandit18, this is related to the next level, bandit19
From here I actually started using the instructions , Commands you may need to solve this level :
cat, grep, ls, diff
To sign up : ssh bandit17@bandit.labs.overthewire.org -p 2220
Password : VwOSWtCA7lRKkTfbr2IDh6awj9RNZM5e
diff :
The command diff passwords.old passwords.new is used to compare the contents of two files named passwords.old and passwords.new line by line and display the differences between them. It is a common practice to compare old and new password files to identify any changes that have been made to user passwords.
Hereâs a breakdown of the command:
diff : This is the command to compare the contents of two files.\ passwords.old : This is the name of the first file to compare. It is assumed to contain the old passwords.\ passwords.new : This is the name of the second file to compare. It is assumed to contain the new passwords.\ When you execute this command, you will see the output of the diff command, which will show you the lines that have been added, removed, or changed between the two files.
The second is the password :
Itâs âByebye!â, itâs the right target
Bandit Level 18 â Level 19
The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
To sign up : ssh bandit18@bandit.labs.overthewire.org -p 2220\ Password : hga5tuuCLF6fFzUpnagiMN8ssu9LFrdg
When you log in with the correct password, it will exit you, again with the word Enjoy your stay!
Byebye!\ Connection to bandit.labs.overthewire.org closed.
This time we should have used a man ssh
The command â ssh bandit18@bandit.labs.overthewire.org -p 2220 ls â is used to connect to the Bandit Level 18 machine on the OverTheWire network using SSH and list the contents of the current directory.
Itâs the password .
Bandit Level 19 â Level 20
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.
Helpful Reading Material : setuid on Wikipedia .
To sign up : ssh bandit19@bandit.labs.overthewire.org -p 2220\ Password : awhqfNnAbc1naukrpqDYcF95h7HoMTrC
The command â ./bandit20-do cat /etc/bandit_pass/bandit20 âis used to execute the bandit20-do setuid binary and read the contents of the /etc/bandit_pass/bandit20 file. Setuid binaries are executables that run with the privileges of the fileâs owner, even if they are run by a different user. In this case, the bandit20-do binary is owned by the bandit20 user, so it can read the /etc/bandit_pass/bandit20 file, which is normally only accessible to the bandit20 user.
Hereâs a breakdown of the command:
./ : Indicates that the bandit20-do binary is located in the current directory.\ bandit20-do: The name of the setuid binary to execute.\ cat : A command that reads the contents of a file and prints them to the standard output.\ /etc/bandit_pass/bandit20 : The path to the file to read.\ -When you execute this command, the bandit20-do binary will read the contents of the /etc/bandit_pass/bandit20 file and print them to the standard output. The /etc/bandit_pass/bandit20 file contains the password for the bandit20 user.
Bandit Level 20 â Level 21
To sign up : ssh bandit20@bandit.labs.overthewire.org -p 2220\ Password : VxCazJaVykI6W36BkBU0mJTCM8rR95XT
We have reached level 20\ We will meet you in the future, my friend
đŹ "Control the code, and you control the world." đ From wiping metadata to gaining root access â every step is documented and my goal is to deeply understand the system, not just hack!
See You Soon
AS Cyber â)).