OverTheWire[.com] Bandit Walkthrough - JUST HINTS, NO SPOILERS

OverTheWire Bandit walkthrough - JUST HINTS, NO SPOILERS, just all the hints you need.

I made this walkthrough for people like me: I needed some help here and there, but didn't want the spoiler, and even some blogs like https://www.yalpski.net/ (mentioned with appreciation) that have the solution collapsed are no help if I don't know what to do and just need some pointers.

So let's go.
The game portal is http://overthewire.org/wargames/bandit/

Bandit
The Bandit game is mostly an introduction to ssh, the bash shell and their tricks.


Pre Level 0: Connect to SSH

If you use Linux, your command is "ssh" and that's it.
For Windows you'll need to download some software; it's in the Level 0 hints (wikihow).
Eventually you need to learn more about the ssh command, but the basics are that a connection is defined as "ssh <user>@<domain> -p <port>".
CTRL+C breaks the running process, CTRL+D exits the current user's shell.
I wrote this one down since I couldn't find a nice page just explaining this when using a port.


general hints

 - The commands stated in each level will be enough to pass the level once you learn them.
 - Unlike other games, this game gives you INSTRUCTIONS for every level in the portal.
 - PASSWORDS for each level are stored in /etc/bandit_pass/banditX.
 - "mktemp -d" generates a random, hard-to-guess directory under /tmp/.


Level 0: most basic commands

The most basic commands to see what's going on are "ls" and "cat", and you should finish the level with these 2.


Level 1: special character file name

You'll need to google how to handle a file named only "-" / dash / minus.
The point is that it's an operator of the bash shell (that black thing you type commands in), so you need a way to get around it.
There are 2 links under "Helpful Reading Material" in the portal, with all you need.


Level 2: spaces

"Helpful Reading Material" in the portal has all you need.


Level 3: hidden files

As stated in the INSTRUCTIONS, you need to learn how to see and read a hidden file.
Your new command is "cd", but it's time to get deeper with "ls".


Level 4: human-readable file

You get a little recap about reading files starting with a dash.
But the main lesson here is to decide which file matches the requirement of a "human-readable file".
First things first, learn the "file" command, until you can run it on each file, and then on all the files at once; then spot the exceptional one, learn about it, and why it's the 1st condition for a "human-readable file".


Level 5: find

This one is all about mastering the "find" command a bit.
Google how to implement each of the 3 conditions in the INSTRUCTIONS, and then learn to combine them.
AFTER that, "find" has some expressions like "-readable".


Level 6: find by Permissions

Permissions are divided into 2 perspectives: user permissions and group permissions.
Every user has their own private permissions on files and directories, and every user belongs to a group which has its own permissions on the same files and directories, and the creator can change the permissions for the group associated with it.

To see my groups just type "groups".

Again there are 3 conditions to meet in the INSTRUCTIONS; just learn how to implement each one and then combine them.
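As an added example (not from the post), here is how the "one condition, one predicate" idea from levels 5 and 6 looks on a throwaway tree: size, owner, group and mode each become a separate find predicate, and find ANDs them. make_find_demo, find_demo_root and find_target are constructed names, and the 33-byte size and file names are made up for the demo.

```shell
# Added example, not from the post: build a throwaway tree and combine
# find predicates one per condition. make_find_demo, find_demo_root and
# find_target are constructed names; sizes and names are made up.
make_find_demo() {
  find_demo_root=$(mktemp -d)
  mkdir -p "$find_demo_root/a/b" "$find_demo_root/c"
  # exactly 33 bytes, plain data file: the one we want
  printf '%33s' '' > "$find_demo_root/a/b/right_size"
  # exactly 33 bytes but executable: must be excluded
  printf '%33s' '' > "$find_demo_root/c/right_size_but_exec"
  chmod u+x "$find_demo_root/c/right_size_but_exec"
  # one byte too many: must be excluded
  printf '%34s' '' > "$find_demo_root/c/wrong_size"
}

# find_target SIZE: regular files of exactly SIZE bytes, owned by the
# current user and group, and not executable by their owner.
# "-size Nc" is exact bytes; "-perm -100" tests the owner execute bit (0100),
# so "! -perm -100" keeps only files without it.
find_target() {
  find "$find_demo_root" -type f \
       -size "${1}c" \
       -user "$(id -un)" \
       -group "$(id -gn)" \
       ! -perm -100
}
```

Run make_find_demo and then find_target 33; only a/b/right_size is printed, because the other 33-byte file fails the mode predicate and the 34-byte file fails the size predicate.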


Level 7: grep

The INSTRUCTIONS state the password is in data.txt next to the word millionth.
Most basic "grep" use.


Level 8: uniq

You need to learn 3 things here. 1st is about chaining commands with the pipeline, as in the "Helpful Reading Material".
Next, this level is solved with 2 commands you need to learn well, "uniq" and "sort" (use "-nr").
P.S. I think the long list of commands suggested is a mistake.


Level 9: working with binary

The INSTRUCTIONS state the password is near a couple of "==", but trying to read the file, you'll see it's a binary file (type of data).
So you 1st need to learn about the "strings" command, then with "grep" you can finish the level.


Level 10: base64

"base64" command.


Level 11: text transformation

This is an introduction to the "tr" command.
Reading about the Rot13 cipher as in the "Helpful Reading Material" will tell you what you need to google; don't worry, it's an easy 1-liner.


Level 12: hexdump and de-compression tools

Use "mktemp -d" to generate a folder for yourself; "cp" is the copy command.
You need to "unhexdump" it (reverse xxd), then keep testing the file type with the "file" command and each time uncompress it with the appropriate tool and whatever that tool requires.


Level 13: ssh rsa private key

The annoying part is finding simple docs about using an rsa key file with ssh: it's "ssh -i <filename> <user>@<domain>". Another thing, stated in the INSTRUCTIONS, is that when you are on a machine already, you are already in the domain, so @<domain> won't work; instead reference yourself.
P.S. when you are the bandit14 user, you can read its password from /etc/bandit_pass/bandit14.


Level 14: send data

1st, read your own level password; remember where they all are? (from the hints)
2nd, choose one of the commands in the INSTRUCTIONS and learn how to send data.
I think "nc" is the easiest one here after "telnet", and I used "nc" all the way in the rest of the levels.


Level 15: SSL

1st, read what SSL is if you don't know it; you'll need to know it for now and later.
"openssl" is our command for the level, since "nc" can't do SSL, and beyond some googling you will also need this reference about openssl with s_client, and also "-ign_eof" here.
When you succeed, do it with "-quiet" and read about it.


Level 16: nmap

Although I think this can be done with "nc" and "telnet", not sure, this one is really about learning "nmap".

More hints needed:
 - Learn about adding "--script" to "nmap"; there you will find your filter.
 - There are 2 good ports, but only 1 with what you need....
 - Google "The authenticity of host can't be established" when you get to it, and understand why you should just ignore it.
 - The 2nd error you'll meet means the rsa key must have user-only permissions, with no permission bits for group or anyone else. Learn and solve with the "chmod" command.
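The last bullet is exactly the check ssh performs before it will load a private key: any group or other permission bit makes it refuse the file. As an added example (not from the post), here is that check and the fix; key_perms_ok and fix_key_perms are constructed names, and the demo file is a constructed stand-in, not a real key.

```shell
# Added example, not from the post. key_perms_ok and fix_key_perms are
# constructed names; the demo file at the bottom is not a real key.

# key_perms_ok KEYFILE: succeed only if group and other have no bits set,
# which is what ssh requires before it accepts a private key file.
key_perms_ok() {
  # octal mode as a string: GNU stat first, BSD stat as a fallback
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1") || return 1
  # zero-pad so a mode like "0" still has group and other digits
  mode=$(printf '%03d' "$mode")
  # the last two octal digits are group and other; both must be 0
  case "$mode" in
    *00) return 0 ;;
    *)   return 1 ;;
  esac
}

# fix_key_perms KEYFILE: make the key owner-only (rw for owner, nothing
# for group/other) and re-run the check so the caller sees the result.
fix_key_perms() {
  chmod 600 "$1" && key_perms_ok "$1"
}

# stand-alone demo on a constructed file with the typical "too open" mode
demo_key=$(mktemp)
chmod 644 "$demo_key"
key_perms_ok "$demo_key" || echo "demo key is too open (mode $mode)"
fix_key_perms "$demo_key" && echo "demo key fixed: owner-only"
```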


Level 17: diff

"diff" command.


Level 18: bad .bashrc

This one I could barely find a clue for, even AFTER I went and read the answer.
The answer is reading about the "-t" and/or "-T" (different) options of the "ssh" command, and here is a good source.

Diff between pty and tty:
tty is a "real" terminal.
pty is a "fake" terminal, which means it's a program that accepts commands, takes them to the real terminal and returns an answer. That's what ssh does.

Thing is..
When you connect with ssh, you open yourself a SHELL, and the default one is the BASH SHELL, and there is a default config file for that, /bin/sh, and every user can have one of their own named ".bashrc", which can also contain some auto-run commands that execute when you connect.
The bandit18 .bashrc file accepts your login and then closes it.
It's a file for

P.S. I couldn't connect from my terminal, only from bandit17's terminal as bandit18@localhost.



MORE INFO, SPOILER ALERT

I know I said no spoilers, and this is not a really real spoiler, but reading this you'll get the answer, so this is for later reading or in case you actually missed it.



-T is "Disable pseudo-terminal allocation", meaning go to the "real" terminal.
"ssh -T <user>@<domain>"

-t forces the "fake" terminal with something, like immediately running another command (say, "file readme") or taking config from another file, like the default one ("/bin/sh").
"ssh -t <user>@<domain> <command or config file>"
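As an added example (not from the post), here is what the pty question means for a login-killing .bashrc: a shell started on a pty is interactive, one started without a pty (the "-T" route) is not, and a guard like the one Debian's default .bashrc starts with makes the rest of the file run only in the interactive case. rc_demo_file and rc_result are constructed names; "sh -i" stands in for the interactive shell ssh starts when it allocates a pty, and the assumption is that the rc file has such a guard.

```shell
# Added example, not from the post. rc_demo_file is a constructed stand-in
# for a ~/.bashrc that throws you out; rc_result is a constructed harness.
rc_demo_file=$(mktemp)
cat > "$rc_demo_file" <<'EOF'
# "$-" holds the shell's flags; "i" is present only in an interactive shell.
case $- in
  *i*) ;;                                                   # pty login: go on
  *)   echo "non-interactive: rc stopped early"; return 0 ;;  # ssh -T path
esac
echo "interactive: rc ran to the end"
exit 0   # a line like this is what closes an interactive login straight away
EOF

# rc_result pty|nopty: source the rc file under an interactive shell (pty,
# "sh -i") or a plain one (nopty) and report the last line it printed.
# stderr is dropped because an interactive shell without a real tty complains
# about job control, which is noise here.
rc_result() {
  case "$1" in
    pty)   sh -i -c ". \"$rc_demo_file\"" 2>/dev/null | tail -n 1 ;;
    nopty) sh    -c ". \"$rc_demo_file\"" 2>/dev/null | tail -n 1 ;;
    *)     return 1 ;;
  esac
}
```

rc_result pty ends with "interactive: rc ran to the end" and the shell has exited; rc_result nopty stops at the guard, which is why a connection without a pty survives the file.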


Level 19: elevated privileges

The reading in "Helpful Reading Material" is way over-technical, so let me sum it up for you.
With "ls" we immediately see a red file; read about the meaning of colors in the terminal.
With "ls -l" you will see the "x", for executable, and the "s" for... elevated privileges, meaning it runs with its owner's privileges, bandit20, and not yours, bandit19.
Now try ./bandit20-do. You'll get
"Run a command as another user. Example: ./bandit20-do id"
"id" is another bash command, meaning you can put any command/s you want there (with their options and arguments). If you still didn't get it, read the INSTRUCTIONS again for your final hint.


Level 20: socket listener

./suconnect tries to connect to another port, then it reads content.
If the content is the bandit20 password, the bandit21 password will be output.
So we need to "create" a service on some port (that's called a "listener") for suconnect to connect to and read data from.
This can be done very easily with the "nc" command.


Level 21: cron (timer job) introduction

If I know where the config files are, I know what is going to run (and when); I then can see what's running and keep going.


Level 22: follow script (cron)

Same as 21. Try running the script; you get some results, but the script gets executed all the time as user bandit23.... so that means.....


Level 23: cron - the rabbit hole

Following the scripts and files, you should find a directory where you as bandit23 have write and exec permissions, but not read permission.
Remember to give your [1] script exec permissions for other users ("chmod"), and your [2] target folder permissions for other users.


Level 24: brute force

"nc" and how to send data with it: "netcat [ip-address] [port] < something.txt" or "echo "bla bla bla" | netcat [ip-address] [port] >> file". Gratz, I spoiled you; now go learn to write a brute force .sh file. This one is actually a nice programming mission; learn bash shell programming.
P.S.1 I left mine running at night and saw the answer in the morning.
P.S.2 for anyone, and myself, a real spoiler, my script.


Level 25: the "/etc/passwd" file

1st part of the mission: learn about the "/etc/passwd" file, and generally learn about the /etc folder.
I really couldn't figure that one out, so thanks to kongwenbin (full spoiler there).

So to finish the mission the INSTRUCTIONS gave you a little hint: the commands to use are "more" and "vi", which is the vim text editor.

You can now either do heavy digging or keep reading.

The "more" command gets auto-executed if the terminal is too small for the text that needs to be written, and is followed by a "read char" command.

You can now either do some digging about vim or keep reading.


vim can be opened by just "v", and then give it its commands...
If you need more than that, go to the blog above.


Level 26: ... does not exist yet

But something is going to be via the "vim" editor?




THANKS A LOT to the OverTheWire.com team.
THANKS A LOT to all the bloggers out there that helped me solve this.




