Post

Bandit 11 ~ 20

bandit11

1
2
The password for the next level is stored in the file data.txt,
where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions
1
2
3
4
bandit11@bandit:~$ cat data.txt
Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh

The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

bandit12

1
2
3
4
5
6
The password for the next level is stored in the file data.txt, 
which is a hexdump of a file that has been repeatedly compressed. 
For this level it may be useful to create a directory under /tmp 
in which you can work using mkdir. 
For example: mkdir /tmp/myname123. 
Then copy the datafile using cp, and rename it using mv (read the manpages!)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
bandit12@bandit:~$ mkdir /tmp/fuck
bandit12@bandit:~$ cp data.txt /tmp/fuck
bandit12@bandit:/tmp/fuck$ xxd -r data.txt > first
bandit12@bandit:/tmp/fuck$ ls
data.txt  first
bandit12@bandit:/tmp/fuck$ file first
first: gzip compressed data, was "data2.bin", last modified: #redacted
bandit12@bandit:/tmp/fuck$ mv first first.gz
bandit12@bandit:/tmp/fuck$ ls
data.txt  first.gz
bandit12@bandit:/tmp/fuck$ gzip -d first.gz
bandit12@bandit:/tmp/fuck$ ls
data.txt  first
bandit12@bandit:/tmp/fuck$ file first
first: bzip2 compressed data, block size = 900k

위 과정을 반복
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

bandit13

1
2
3
4
5
The password for the next level is stored in /etc/bandit_pass/bandit14 
and can only be read by user bandit14. 
For this level, you don’t get the next password, but you get a private SSH key 
that can be used to log into the next level. 
Note: localhost is a hostname that refers to the machine you are working on
1
2
3
bandit13@bandit:~$ ssh -i sshkey.private bandit14@localhost
bandit14@bandit:~$ cat  /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

bandit14

1
2
The password for the next level can be retrieved by submitting the password 
of the current level to port 30000 on localhost.
1
2
3
4
5
6
7
8
9
bandit14@bandit:~$ telnet localhost 30000
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr

Connection closed by foreign host.

bandit15

1
2
The password for the next level can be retrieved by submitting the password 
of the current level to port 30001 on localhost using SSL encryption.
1
2
3
4
5
bandit15@bandit:~$ openssl s_client -connect localhost:30001
#redacted
BfMYroe26WYalil77FoDi9qh59eK5xNr
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd

bandit16

1
2
3
4
5
6
The credentials for the next level can be retrieved by submitting the password 
of the current level to a port on localhost in the range 31000 to 32000. 
First find out which of these ports have a server listening on them.
Then find out which of those speak SSL and which don’t. 
There is only 1 server that will give the next credentials, 
the others will simply send back to you whatever you send to it.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
bandit16@bandit:~$ nmap -p31000-32000 localhost

Starting Nmap 7.40 ( https://nmap.org ) at 2020-07-11 20:46 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00023s latency).
Not shown: 995 closed ports
PORT      STATE    SERVICE
31046/tcp open     unknown
31518/tcp open     unknown
31691/tcp open     unknown
31790/tcp open     unknown
31960/tcp open     unknown
31999/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 1.27 seconds

openss1 s_client -connect localhost:31790에서 SSL을 확인하였고, 
플래그를 보내면 개인키를 보내줌.

키 값을 /tmp 디렉토리에 아무 디렉토리나 생성 후 옮긴 뒤 ssh를 하면 다음과 같은 문구를 봄.
WARNING: UNPROTECTED PRIVATE KEY FILE!
이것은 권한이 없는 사람이 개인키를 참조 미 사용할 수 없어야 되서 나타나는 경고임.

bandit16@bandit:/tmp/shit$ chmod 600 next
bandit16@bandit:/tmp/shit$ ssh -i next bandit17@localhost
bandit17@bandit:~$

bandit17

1
2
3
There are 2 files in the homedirectory: passwords.old and passwords.new. 
The password for the next level is in passwords.new 
and is the only line that has been changed between passwords.old and passwords.new
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
bandit17@bandit:~$ diff -d passwords.old passwords.new
42c42
< w0Yfolrc5bwjS4qw5mq1nnQi6mF03bii
---
> kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
bandit17@bandit:~$ diff -c passwords.old passwords.new
*** passwords.old       2020-05-07 20:14:35.376729786 +0200
--- passwords.new       2020-05-07 20:14:35.528729706 +0200
***************
*** 39,45 ****
  sydIUj42mUfYK9xw1S9aPPB72rgagnxh
  pcpkwztEjxg5EK0HABjmEvGUSCSdQW4F
  LlomcOUT6d7lA2cJrYhCEhCChKCPrRao
! w0Yfolrc5bwjS4qw5mq1nnQi6mF03bii
  TVzFbgWpqUPE4fwAJPCz4rT7GemAZUjz
  WCETP1i90TZJSbKZ24ly5rhNKva8sSdy
  2o4oJXwgWyWIdKb9WpNDFUcWXlcghSzR
--- 39,45 ----
  sydIUj42mUfYK9xw1S9aPPB72rgagnxh
  pcpkwztEjxg5EK0HABjmEvGUSCSdQW4F
  LlomcOUT6d7lA2cJrYhCEhCChKCPrRao
! kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
  TVzFbgWpqUPE4fwAJPCz4rT7GemAZUjz
  WCETP1i90TZJSbKZ24ly5rhNKva8sSdy
  2o4oJXwgWyWIdKb9WpNDFUcWXlcghSzR

bandit18

1
The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

처음엔 ssh bandit18@localhost | cat readme로 해보았는데 bandit18@localhost's password:만 뜨고 플래그는 안떴음.

1
2
3
bandit17@bandit:~$ ssh bandit18@localhost cat readme
bandit18@localhost's password:
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

bandit19

1
2
3
4
To gain access to the next level, you should use the setuid binary in the home 
directory. Execute it without arguments to find out how to use it. 
The password for this level can be found in the usual place (/etc/bandit_pass), 
after you have used the setuid binary.
1
2
bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j

bandit20

1
2
3
4
5
There is a setuid binary in the homedirectory that does the following: 
it makes a connection to localhost on the port you specify as a commandline argument.
It then reads a line of text from the connection and compares it to the password in
the previous level (bandit20). 
If the password is correct, it will transmit the password for the next level bandit21.
1
2
bandit20@bandit:~$ nc -l -p 14000
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
1
2
3
4
5
putty로 들어가서 해주면 다음과 같음.

bandit20@bandit:~$ ./suconnect 14000
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password
1
2
3
bandit20@bandit:~$ nc -l -p 14000
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
This post is licensed under CC BY 4.0 by the author.