Over the wire - Bandit

Here I document the challenges provided by overthewire.org for learning Linux.

Important notes

File traversal

  • ./ represents the current directory

  • ../ represents the parent directory

  • / is the pathname of the root directory

  • append 2>/dev/null to a command to discard its error messages (cleaner output)

Level 4

Here the directories contained numerous files in unreadable formats; the task was to find and read the only human-readable file. There is a dash at the start of the file name, so the file must be called with its path, as in "./-file07"; otherwise the command parses the name as an option.

Level 5 (find)

Using find to locate files

1. Finding by file size
b – 512-byte blocks (this is the default if no suffix is used)
c – bytes
w – two-byte words
k – Kilobytes
M – Megabytes
G – Gigabytes

# find command to search for files greater than 10MB but smaller than 20MB:
find . -size +10M -size -20M
# find files in /etc directory greater than 5MB and print its file size

2. Finding by file name
find ./directory_name -name sample.txt    # exact name
find ./directory_name -name "*.txt"       # glob pattern, quoted so the shell does not expand it

3. Finding empty directories
find ./directory_name -type d -empty

4. Search for text within files
find ./ -type f -name "*.txt" -exec grep 'TEXT_OF_INTEREST' {} \;
This command prints the lines that contain 'TEXT_OF_INTEREST'; '-type f' restricts the search to regular files.

5. Search for non-executable files
find ./ -type f ! -executable
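
The find tests above can be combined in one call. The following is an added example, not part of the original notes: the directory tree, file names and the 300-byte size are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. The tree, file names and sizes below are constructed.

# Create a throwaway tree: two 300-byte files (one executable), a .txt file
# containing a marker string, and an empty directory.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/inhere/dir1" "$root/inhere/dir2" "$root/inhere/empty_dir"
    head -c 300 /dev/zero | tr '\0' 'a' > "$root/inhere/dir1/-file1"
    head -c 300 /dev/zero | tr '\0' 'b' > "$root/inhere/dir2/file2"
    chmod +x "$root/inhere/dir2/file2"
    printf 'noise\nTEXT_OF_INTEREST here\n' > "$root/inhere/dir2/notes.txt"
    printf '%s\n' "$root"
}

# Regular files of exactly $2 bytes under $1 that are not executable.
# 2>/dev/null drops "Permission denied" noise from unreadable directories.
find_exact_nonexec() {
    find "$1" -type f -size "${2}c" ! -executable 2>/dev/null
}

# Files under $1 larger than $2 megabytes, listed with their sizes
# (for example: find_large /etc 5).
find_large() {
    find "$1" -type f -size "+${2}M" -exec ls -lh {} \; 2>/dev/null
}

# Names of *.txt files under $1 that contain the string $2.
find_text() {
    find "$1" -type f -name "*.txt" -exec grep -l "$2" {} \; 2>/dev/null
}

# Empty directories only (-empty on its own also matches empty files).
find_empty_dirs() {
    find "$1" -type d -empty 2>/dev/null
}
```

Because find prints each hit with its directory prefix, a result such as .../dir1/-file1 can be passed straight to cat without the leading dash being read as an option.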

Bandit 6

Remember to use 2>/dev/null to remove error outputs

Specifying 2>/dev/null will filter out the errors so that they will not be output to your console. In more detail: 2 is the file descriptor for standard error (stderr), which is where errors are written to. By default they are printed out on the console. /dev/null is the standard Linux device where you send output that you want ignored.

Bandit 7 SSH password: HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

Bandit 7

Bandit 8

Password: cvX2JJa4CFALtqS87jk27qwqGhBM9plV

Learnings

1. sort command

  • Used to sort a file, arranging the records in a particular order. By default, the sort command sorts the file assuming the contents are ASCII.

  • With options, sort can also sort numerically. It supports sorting alphabetically, in reverse order, by number, by month, and can also remove duplicates.

  • Blank space is the default field separator

  • -r reverse order; -n numerical order; -k to sort certain columns (-k 2 will sort second column); -u will remove duplicates; -M sorts by month (jan, feb)

Bandit 9

Password: UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.

Bandit 10

password : truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk

Bandit 11

cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'
# ROT13: rotate every letter by 13 positions (A-M become N-Z, N-Z become A-M)

Bandit 12

Password : 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

Given a hexdump of a compressed file, isolate the ASCII password

First create a working directory

Remember to use the file command at every stage to identify the type of compression

  • xxd -r data.txt : Reverse the hexdump : gzip compressed data, was "data2.bin", last modified: Thu May 7 18:14:30 2020, max compression, from Unix

  • zcat reversed_hexdump > outfile : bzip2 compressed data 900k

Zcat is a command line utility for viewing the contents of a compressed file without literally uncompressing it. It expands a compressed file to standard output allowing you to have a look at its contents. In addition, zcat is identical to running gunzip -c command.

  • tried bzip2 -d : unable to guess original name

  • zcat again : POSIX tar archive (GNU)

  • tar -xvf : got data5.bin, another POSIX tar archive (GNU)

  • tar -xvf again : got data6.bin (bzip2 compressed data)

  • bzip2 -d failed, can't guess the original name, so it writes to data6.bin.out

  • file shows that data6.bin.out is a POSIX tar archive again ...

  • tar -xvf to get data8.bin

  • zcat data8.bin to get password!
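
The manual steps above can be driven by the output of file in a loop. This is an added example, not part of the original notes: it builds its own small constructed hexdump (fewer layers than the real level), the function names are hypothetical, and it assumes xxd, file, gzip, bzip2 and tar are installed.

```shell
#!/bin/sh
# Added example. Needs xxd, file, gzip, bzip2 and tar; sample data is constructed.

# Build data.txt as a hexdump of: text -> gzip -> bzip2 -> tar -> gzip.
make_sample_dump() {   # $1 = working directory
    ( cd "$1" &&
      printf 'The password is CONSTRUCTED_SAMPLE\n' > data8 &&
      gzip -c data8 > data6 && bzip2 -c data6 > data5 &&
      tar -cf data4.tar data5 && gzip -c data4.tar > data2 &&
      xxd data2 > data.txt && rm -f data8 data6 data5 data4.tar data2 )
}

# Reverse the hexdump, then let `file` choose the tool for each layer until
# plain text is left. Decompressing to stdout (-dc) avoids the
# "can't guess original name" problem with bzip2 -d.
peel_layers() {        # $1 = working directory containing data.txt
    ( cd "$1" || exit 1
      xxd -r data.txt > layer
      n=0
      while [ "$n" -lt 20 ]; do            # cap the number of layers
          n=$((n + 1))
          kind=$(file -b layer)
          case "$kind" in
              gzip*)  gzip -dc layer > next && mv next layer ;;
              bzip2*) bzip2 -dc layer > next && mv next layer ;;
              *tar\ archive*)
                  # Extract the first member to stdout so no member path
                  # from the archive is written to disk.
                  member=$(tar -tf layer | head -n 1)
                  tar -xOf layer "$member" > next && mv next layer ;;
              *text*) cat layer; exit 0 ;;
              *) echo "unhandled type: $kind" >&2; exit 1 ;;
          esac
      done
      exit 1 )
}
```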

Bandit 13 (Entry to 14 - 16 from here, network traversal)

8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

A private SSH key is given; use ssh bandit14@localhost -i sshkey.private

Bandit 14

4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

Bandit 15 (SSL and TLS)

https://www.feistyduck.com/library/openssl-cookbook/online/ch-testing-with-openssl.html

Password : BfMYroe26WYalil77FoDi9qh59eK5xNr

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…

Learnings (man openssl for manual help)

  • to connect to an SSL server : openssl s_client -connect localhost:30001

  • s_client -help for more info

  OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and related cryptography standards required by them.

   The openssl program is a command line tool for using the various cryptography functions of OpenSSL's crypto library from the shell.  It can be used for

    o  Creation and management of private keys, public keys and parameters
    o  Public key cryptographic operations
    o  Creation of X.509 certificates, CSRs and CRLs
    o  Calculation of Message Digests
    o  Encryption and Decryption with Ciphers
    o  SSL/TLS Client and Server Tests
    o  Handling of S/MIME signed or encrypted mail
    o  Time Stamp requests, generation and verification

Theory:

  • echo "YOUR TEXT HERE" | openssl s_client -connect host:port -ign_eof to send string and get the response from the server

Bandit 16 (ssh to bandit 17 using private key)

cluFn7wTiGryunymYOu4RcffSxQluehd

nmap enumeration : out of four ports from 31000 to 32000, only 31790/tcp does not merely echo (ssl/unknown)

  • Save the private key to a file using an editor

  • chmod 600 the key file

  • ssh to bandit 17 using private key

Bandit 17 (using diff to compare file differences)

Pass for Bandit 18 SSH : kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd

Bandit 18

The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
