# Over the wire - Bandit

## Important notes

File traversal

* ./ represents the current directory
* ../ represents the parent directory
* / is the pathname of the root directory
* append 2>/dev/null to a command to discard its error messages (cleaner output)

### Level 4

Here the directories contained numerous files in unreadable formats; the task was to find and read the only human-readable file. The file name starts with a dash, so it must be referenced as "./-file07": with a path prefix, the name is no longer parsed as a command-line option.

![](https://2068334946-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fow1iM27u7disHeJiSlBC%2Fuploads%2FCq8auj0BoPaHtRRQJtbf%2Fimage.png?alt=media\&token=3060d0a8-0403-46af-8a4e-a1bf7e865225)

### Level 5 (find)

Using find to locate files

```
1. Finding by file size (suffixes accepted by -size)
b – 512-byte blocks (this is the default if no suffix is used)
c – bytes
w – two-byte words
k – kilobytes
M – megabytes
G – gigabytes

# find files greater than 10MB but smaller than 20MB:
find . -size +10M -size -20M
# find files in the /etc directory greater than 5MB and print their size:
find /etc -type f -size +5M -exec ls -lh {} \; 2>/dev/null

2. Finding by file name
find ./directory_name -name sample.txt
find ./directory_name -name "*.txt"    # quote the glob so the shell does not expand it first

3. Finding empty directories
find ./directory_name -type d -empty

4. Searching for text within files
find ./ -type f -name "*.txt" -exec grep 'TEXT_OF_INTEREST' {} \;
# prints the lines containing TEXT_OF_INTEREST; -type f restricts the search to regular files

5. Searching for non-executable files
find ./ -type f ! -executable
```
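The predicates above combined into one search, as an added example that is not part of the original write-up: a constructed directory tree with four decoy files, and a function that keeps only regular files of an exact byte size that are not executable and contain nothing but printable text. File names and sizes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original write-up: build a small constructed
# directory tree, then combine the find predicates from the notes above
# (-type, -size with the c suffix, ! -executable) to locate the only
# human-readable, non-executable regular file of a given size.

# Constructed fixture: four files, only one of which passes every test.
make_tree() {
  dir=$(mktemp -d)
  mkdir -p "$dir/inhere/a" "$dir/inhere/b"
  printf 'this is the readable file\n' > "$dir/inhere/a/-file07"          # 26 bytes, text
  printf '\377\376\375\374abcdefghijklmnopqrstuv' > "$dir/inhere/a/file03" # 26 bytes, binary
  printf 'this is the readable file\n' > "$dir/inhere/b/file05"           # 26 bytes, but executable
  chmod +x "$dir/inhere/b/file05"
  printf 'short\n' > "$dir/inhere/b/file01"                               # wrong size
  echo "$dir"
}

# Returns 0 when the file holds only printable ASCII plus whitespace
# (no dependency on the file(1) command).
is_text() {
  [ "$(LC_ALL=C tr -d '[:print:][:space:]' < "$1" | wc -c)" -eq 0 ]
}

# find_readable DIR SIZE: candidates from find, then the text check.
# Paths from find start with DIR, so a leading dash in a name is harmless.
find_readable() {
  find "$1" -type f -size "${2}c" ! -executable 2>/dev/null |
  while IFS= read -r f; do
    if is_text "$f"; then echo "$f"; fi
  done
}
```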

![](https://2068334946-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fow1iM27u7disHeJiSlBC%2Fuploads%2FU6P3Ore8CSqdbdHCXW1x%2Fimage.png?alt=media\&token=1f53a3f9-aea1-4910-862d-d0c6ab3039c5)

### Bandit 6

Remember to use 2>/dev/null to remove error output

Specifying 2>/dev/null will **filter out the errors so that they will not be output to your console**. In more detail: 2 is the file descriptor for standard error, which is where error messages are written. By default they are printed on the console. /dev/null is the standard Linux device that discards everything written to it.

![](https://2068334946-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fow1iM27u7disHeJiSlBC%2Fuploads%2F6h66iEKPiXHLwfD1nkYP%2Fimage.png?alt=media\&token=0110a2c9-af9a-4562-a076-b211754ce714)

Bandit 7 SSH password: HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

### Bandit 7

![](https://2068334946-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fow1iM27u7disHeJiSlBC%2Fuploads%2FIw9FpfO7m3qftyb5K0X1%2Fimage.png?alt=media\&token=718bb652-cf01-457f-8d8b-7eef93a5ba73)

### Bandit 8

Password: cvX2JJa4CFALtqS87jk27qwqGhBM9plV

#### Learnings

{% tabs %}
{% tab title="sort" %}
**sort command**

* Used to sort a file, arranging the records in a particular order. By default, sort assumes the contents are ASCII and orders lines as text.
* With options, sort can also order numerically, alphabetically, in reverse, or by month, and can remove duplicates.
* Blank space is the default field separator.
* -r reverse order; -n numerical order; -k to sort on a given column (-k 2 sorts on the second column); -u removes duplicates; -M sorts by month name (jan, feb)
  {% endtab %}

{% tab title="uniq" %}
**uniq command**

* The **uniq** command in Linux is a command line utility that reports or filters out repeated lines in a file. **uniq** detects only adjacent duplicate lines: it filters out adjacent matching lines from the input file (required as an argument) and writes the filtered data to the output file. Sort the input first if duplicates are not adjacent.

OPTIONS

* **-c, --count :** tells how many times a line was repeated by displaying a number as a prefix to the line.
* **-d, --repeated :** prints only the repeated lines and not the lines which aren't repeated.
* **-D, --all-repeated\[=METHOD] :** prints all duplicate lines; METHOD can be any of the following:
  * **none :** do not delimit duplicate lines at all. This is the default.
  * **prepend :** insert a blank line before each set of duplicated lines.
  * **separate :** insert a blank line between each set of duplicated lines.
* **-f N, --skip-fields=N :** skips N fields (a field is a group of characters delimited by whitespace) of a line before determining the uniqueness of the line.
* **-i, --ignore-case :** by default comparisons are case sensitive; with this option they are case insensitive.
* **-s N, --skip-chars=N :** doesn't compare the first N characters of each line while determining uniqueness. This is like the -f option, but it skips individual characters rather than fields.
* **-u, --unique :** prints only unique lines.
* **-z, --zero-terminated :** treats a 0 byte (NUL) as the line terminator instead of a newline.
* **-w N, --check-chars=N :** compares only the first N characters of a line.
* **--help :** displays a help message and exits.
* **--version :** displays version information and exits.
  {% endtab %}
  {% endtabs %}
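Why sort has to come before uniq, as an added example that is not part of the original write-up: uniq compares adjacent lines only, so on unsorted input it reports every line as unique, while sorting first makes duplicates adjacent and `uniq -u` isolates the one line that occurs once. The input lines are constructed here.

```shell
#!/bin/sh
# Added example, not from the original write-up: uniq only compares adjacent
# lines, so sorting must happen first when duplicates are spread through the
# file. The seven input lines below are constructed for the demonstration;
# only "delta" occurs exactly once.

sample_input() {
  printf '%s\n' alpha beta alpha gamma beta delta gamma
}

# Wrong: no two equal lines are adjacent, so uniq -u keeps all seven.
unique_unsorted_count() { sample_input | uniq -u | wc -l | tr -d ' '; }

# Right: sort makes duplicates adjacent, uniq -u then keeps the singletons.
unique_sorted() { sample_input | sort | uniq -u; }

# Same idea with counts, ordered so the rarest line comes first.
counted() { sample_input | sort | uniq -c | sort -n; }
```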

![](https://2068334946-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fow1iM27u7disHeJiSlBC%2Fuploads%2FCRWIGBdUaSvBOCPu5fyu%2Fimage.png?alt=media\&token=f96b1fe6-2039-4512-9fc2-bafcc16f0b4a)

### Bandit 9

Password: UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.

![](https://2068334946-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fow1iM27u7disHeJiSlBC%2Fuploads%2FBU5foJ3Chh0eCFaExq3Q%2Fimage.png?alt=media\&token=5ddd3fc6-8ae8-4924-b760-b30ab87ce1f7)

### Bandit 10

Password : truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk

![](https://2068334946-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fow1iM27u7disHeJiSlBC%2Fuploads%2FGg4qBhvzpDh6u6IJ6Lj1%2Fimage.png?alt=media\&token=b948ccb7-60c6-4780-9207-c5d14ddc65e1)

### Bandit 11

```
cat data.txt | tr '[A-Za-z]' '[N-ZA-Mn-za-m]'
# ROT13: rotate every letter by 13 positions, so A-M becomes N-Z and N-Z becomes A-M (same for lower case)
```

### Bandit 12

Password : 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

Given a hexdump of a repeatedly compressed file, isolate the ASCII password

First create a working directory

![](https://2068334946-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fow1iM27u7disHeJiSlBC%2Fuploads%2FlXbL1rTCeUjEWTV0pQJh%2Fimage.png?alt=media\&token=c108b3ac-26a2-4603-a030-a2309bdfca15)

Remember to run the file command at every stage to identify the compression or archive type

* `xxd -r data.txt > reversed_hexdump` : reverse the hexdump; file reports: gzip compressed data, was "data2.bin", last modified: Thu May 7 18:14:30 2020, max compression, from Unix
* `zcat reversed_hexdump > outfile` : file reports: bzip2 compressed data, 900k

zcat is a **command line utility for viewing the contents of a compressed file** without writing an uncompressed copy to disk. It expands the compressed data to standard output so you can look at its contents. zcat is identical to running gunzip -c.

* tried `bzip2 -d` : unable to guess the original name (the input lacks a .bz2 suffix)
* zcat again : POSIX tar archive (GNU)
* `tar -xvf` : got data5.bin, another POSIX tar archive (GNU)
* `tar -xvf` again : got data6.bin (bzip2 compressed data)
* `bzip2 -d` can't guess the original name, so it writes data6.bin.out
* file shows data6.bin.out is a POSIX tar archive again ...
* `tar -xvf` to get data8.bin
* `zcat data8.bin` to get the password!
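The same "check the type at every stage" loop, as an added example that is not part of the original write-up: instead of trusting file names, it reads the magic bytes of each layer and unwraps gzip, bzip2 or tar accordingly until the payload is none of those. The fixture (text wrapped in tar, then bzip2, then gzip) is constructed here, and the initial `xxd -r` step on the hexdump is assumed already done.

```shell
#!/bin/sh
# Added example, not from the original write-up. It repeats the Bandit 12 loop
# of checking the type at every stage, but reads magic bytes instead of trusting
# file names, and peels one layer per pass until the payload is not an archive.
# The fixture (text -> tar -> bzip2 -> gzip) is constructed here; the initial
# xxd -r step on the hexdump is left out.

# Print a type label from the leading bytes (or the tar "ustar" marker at 257).
layer_type() {
  magic=$(head -c 3 "$1" | od -An -tx1 | tr -d ' \n')
  case "$magic" in
    1f8b*)  echo gzip ;;
    425a68) echo bzip2 ;;                       # the ASCII bytes "BZh"
    *) if [ "$(dd if="$1" bs=1 skip=257 count=5 2>/dev/null)" = ustar ]; then
         echo tar
       else
         echo other
       fi ;;
  esac
}

# unwrap_all FILE OUTDIR: unwrap layers into OUTDIR/layerN and print the path
# of the first file that is neither gzip, bzip2 nor tar.
unwrap_all() {
  cur=$1; out=$2; n=0
  while :; do
    n=$((n + 1)); next="$out/layer$n"
    case "$(layer_type "$cur")" in
      gzip)  zcat "$cur" > "$next" ;;
      bzip2) bzcat "$cur" > "$next" ;;
      tar)   tar -xOf "$cur" > "$next" ;;    # -O writes the member to stdout
      *)     echo "$cur"; return 0 ;;
    esac
    cur=$next
  done
}

# Constructed fixture mirroring the level: a text file wrapped three times.
make_fixture() {
  dir=$(mktemp -d)
  printf 'demo_password_value\n' > "$dir/secret.txt"
  tar -C "$dir" -cf "$dir/data3.bin" secret.txt
  bzip2 -c "$dir/data3.bin" > "$dir/data2.bin"
  gzip -c "$dir/data2.bin" > "$dir/data1.bin"
  echo "$dir"
}
```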

### Bandit 13 (Entry to 14 - 16 from here, network traversal)

8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

A private SSH key is given; use `ssh bandit14@localhost -i sshkey.private`

### Bandit 14

4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

![SSH, telnet failed, so netcat](https://2068334946-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fow1iM27u7disHeJiSlBC%2Fuploads%2FQ2XfhhIRW9ZxhxzL8XNe%2Fimage.png?alt=media\&token=0804c8e5-41ce-4974-bab0-8e9894ca726e)

### Bandit 15 (SSL and TLS)

<https://www.feistyduck.com/library/openssl-cookbook/online/ch-testing-with-openssl.html>

Password : BfMYroe26WYalil77FoDi9qh59eK5xNr

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign\_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…

Learnings (man openssl for the manual)

* to connect to an SSL server : `openssl s_client -connect localhost:30001`
* `openssl s_client -help` for more info

```
  OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and related cryptography standards
   required by them.

   The openssl program is a command line tool for using the various cryptography functions of OpenSSL's crypto library from the shell.  It can be used for

    o  Creation and management of private keys, public keys and parameters
    o  Public key cryptographic operations
    o  Creation of X.509 certificates, CSRs and CRLs
    o  Calculation of Message Digests
    o  Encryption and Decryption with Ciphers
    o  SSL/TLS Client and Server Tests
    o  Handling of S/MIME signed or encrypted mail
    o  Time Stamp requests, generation and verification
```

Theory:

* `echo "YOUR TEXT HERE" | openssl s_client -connect host:port -ign_eof` to send a string and read the server's response (-ign_eof keeps the connection open after stdin is exhausted)

![Pass : cluFn7wTiGryunymYOu4RcffSxQluehd](https://2068334946-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fow1iM27u7disHeJiSlBC%2Fuploads%2Fb4NpKQtJGu5ViixhHJJE%2Fimage.png?alt=media\&token=c7e79fd9-f977-4574-a6e6-b185756b3229)

### Bandit 16 (ssh to bandit 17 using private key)

cluFn7wTiGryunymYOu4RcffSxQluehd

nmap enumeration : of the ports open between 31000 and 32000, only 31790/tcp (ssl/unknown) does not merely echo the input back

* Save the private key into a file
* `chmod 600` the key file (ssh refuses keys readable by others)
* ssh to bandit17 using the private key

![](https://2068334946-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fow1iM27u7disHeJiSlBC%2Fuploads%2FN9bYKX8nfchl3M2gKN87%2Fimage.png?alt=media\&token=40c11dab-99d7-4995-b36d-ecbb787f0034)

### Bandit 17 (using diff to compare file differences)

Pass for Bandit 18 SSH : kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd

![passwords.old : w0Yfolrc5bwjS4qw5mq1nnQi6mF03bii](https://2068334946-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fow1iM27u7disHeJiSlBC%2Fuploads%2FjeKQGWJik7QFbSSpOhkw%2Fimage.png?alt=media\&token=783b8758-8da7-4278-825f-022fe1d68b8c)

### Bandit 18

The password for the next level is stored in a file readme in the home directory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
