Bandit 20 -> 21

Login
ssh : ssh bandit20@bandit.labs.overthewire.org -p 2220
password : 0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO
Task : to get the next level password you have to connect to localhost on a port (not mentioned), using the given setuid binary (suconnect).

Theory
The nc (netcat) command isn’t just for connecting to remote servers, as seen in level 14; it can also be used to create a simple TCP server using nc -l <port>. In this level, the provided setuid binary connects to a specified port on localhost and expects to receive a string (the password for bandit20). If the received string is correct, it responds by sending back the password for the next level. ...

July 7, 2025 · 2 min · 392 words · Me

Bandit 19 -> 20

Login
ssh : ssh bandit19@bandit.labs.overthewire.org -p 2220
password : cGWpMaKXVwDUNgPAVJbWYuGHVn9zl3j8
Task : to get the next level password you have to figure out how to use the given setuid binary file.

Theory
In Linux you can always see the permissions of files by typing the command ls -l. The common ones are -rwxrwxrwx, where r is for reading, w for writing and x for executing; they describe the permissions of the owner, users of the same group, and other users. SUID is a special permission, shown as s, that lets you run a file with the same permissions as its owner.

Solution
I first ran the given file without arguments : ./bandit20-do to see how to use it. Then ./bandit20-do, and I got a list of options I can use : uid=11019(bandit19) gid=11019(bandit19) euid=11020(bandit20) groups=11019(bandit19) I noticed that the euid (effective user id) is the id of bandit20, which means this file will let us use files that bandit20 can use. I just needed to get the user password from /etc/bandit_pass/bandit20 ...

July 7, 2025 · 1 min · 177 words · Me

Bandit 10 -> 11

Login
ssh : ssh bandit10@bandit.labs.overthewire.org -p 2220
password : FGUW5ilLVJrxX9kMYMmlN4MgbpfMiqey
Task : the password is inside data.txt, which is a base64 encoded file.

Theory
Base64 is a binary-to-text encoding scheme. It can often be recognized by equal signs at the end of the data. However, this is not always the case. Linux has a command called base64 that allows for encoding and decoding in Base64. For decoding, we need to use the flag -d.

Solution
I decoded the file with : base64 -d data.txt

July 6, 2025 · 1 min · 85 words · Me

Bandit 11 -> 12

Login
ssh : ssh bandit11@bandit.labs.overthewire.org -p 2220
password : dtR173fZKb0RRsDFSGsg2RWnpNVj3qRr
Task : decode the text inside the file data.txt, which is encoded with rot13.

Theory
rot13 is a simple old encoding algorithm where you just shift the letters by 13 positions.

Solution
I used the command cat data.txt, then used a website called CyberChef and decoded the content.

July 6, 2025 · 1 min · 57 words · Me

Bandit 12 -> 13

Login
ssh : ssh bandit12@bandit.labs.overthewire.org -p 2220
password : 7x16WNeHIi5YkIhWsfFIqoognUTyj9Q4
Task : decompress a heavily compressed file to reach the password.

Theory
Hexdumps are often used when we want to look at data that cannot be represented in strings and therefore is not readable, so it is easier to look at the hex values. A hexdump has three main columns. The first shows the address, the second the hex representation of the data at that address, and the last shows the actual data as strings (with ‘.’ being hex values that cannot be represented as a string). Many hex editors exist; just pick the one you like most. ...

July 6, 2025 · 3 min · 427 words · Me

Bandit 13 -> 14

Login
ssh : ssh bandit13@bandit.labs.overthewire.org -p 2220
password : FO5dwFsc0cbaIiH0h8J2eUks2vdTDwAn
Task : use a provided private key to connect to the next level, then find the password in the provided path /etc/bandit_pass/bandit14

Theory
Until now, we have only logged into the remote machine using ssh with a password. An alternative to a password is using public-key cryptography. The public key is placed on the computers that should allow access (the remote host) to the user that owns the private key. Like with the password, it is important that only the user knows/owns the private key. The -i flag allows login with the private key.

Solution
Connecting with the provided private key : ssh -i sshkey.private bandit14@localhost -p 2220 then use the cat command on the provided path to get the password.

July 6, 2025 · 1 min · 131 words · Me

Bandit 14 -> 15

Login
ssh : ssh bandit14@bandit.labs.overthewire.org -p 2220
password : MU4VWeTyJk8ROof1qqmcBPaLh7lDCPvS
Task : submit the current level password to localhost on port 30000 to get the wanted password.

Theory
In this level we are going to use the nc (netcat) command, which allows us to write and read data over a network connection. It can be used for TCP and UDP. The command is nc <server> <port>

Solution
We just need to do the following : nc localhost 30000 then we will have the option to submit the current level password.

July 6, 2025 · 1 min · 89 words · Me

Bandit 15 -> 16

Login
ssh : ssh bandit15@bandit.labs.overthewire.org -p 2220
password : 8xCjnmgoKbGLhHFAZlGE5Tmu4M2tKJQo
Task : the password of the next level can be retrieved by submitting the current level password to localhost on port 30001 using SSL encryption.

Theory
SSL, or Secure Sockets Layer, is a security protocol that establishes an encrypted link between a web server and a browser, ensuring that all data passed between them remains private.
OpenSSL : The command-line tool for using the OpenSSL cryptography library. It supports many sub-commands for encryption, certificates, SSL/TLS, etc.
s_client : A subcommand of openssl that acts as a generic SSL/TLS client. It allows you to connect to a server to test and inspect its SSL/TLS configuration.
-connect <server>:<port> : Specifies the hostname (or IP) and port of the server to connect to. The format is host:port. For example: -connect google.com:443 will attempt to initiate an SSL/TLS handshake with Google’s HTTPS server.

Solution
First I got the current level password; if you did not save it somewhere you can always find it in /etc/bandit_pass/bandit15. Then I used the following command : openssl s_client -connect localhost:30001 After getting a response you’d submit the password to solve the level.

July 6, 2025 · 1 min · 193 words · Me

Bandit 16 -> 17

Login
ssh : ssh bandit16@bandit.labs.overthewire.org -p 2220
password : kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx
Task : you can connect to the next level by submitting the current level password to localhost on a random port between 31000 and 32000 that uses SSL.

Theory
nmap is a network scanner. It can do Host Discovery, Port Scanning, Version Detection (Service Detection) and a lot more. For this task, we use the flag -p, which lets us choose which ports to scan. By default, nmap scans the top 1000 ports (not the first 1000 ports). Use -p- to scan all 65535 ports. The -sV flag lets us do a service/version detection scan. It is possible to make Nmap perform all possible scans with the -A flag; this will take a while though. A full scan would have the following command: nmap -p- -A <host>, where <host> could be either an IP address or the name.

Solution
I used nmap to search for the right port : nmap -sV localhost -p 31000-32000 and this will be displayed : ...

July 6, 2025 · 2 min · 308 words · Me

Bandit 17 -> 18

Login
ssh : ssh bandit17@bandit.labs.overthewire.org -p 2220
password : EReVavePLFHtFlFsjn3hyzMlvSuSAcRD
Task : to get the next level password we have to find the updated line between the 2 provided files.

Theory
The command diff is used to get any differences between 2 files.

Solution
diff password.old password.new
This command will give us the differences it finds, displaying the differing lines in the order of the given files.

July 6, 2025 · 1 min · 70 words · Me