Post

OverTheWire - Bandit - Level 10 -> Level 15


Description

Hello l33ts, I hope you are doing well. In today’s episode, we will be doing Level 10 -> Level 15 of Bandit from OverTheWire. Let’s connect to bandit10 and start.

Level 10 -> Level 11

Goal

The password for the next level is stored in the file data.txt, which contains base64 encoded data

Solution

We can use base64 with -d to decode the file.

1
2
3
4
5
6
bandit10@bandit:~$ ls
data.txt
bandit10@bandit:~$ cat data.txt
VGhlIHBhc3N3b3JkIGlzIElGdWt3S0dzRlc4TU9xM0lSRnFyeEUxaHhUTkViVVBSCg==
bandit10@bandit:~$ base64 -d data.txt
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbxxx

Level 11 -> Level 12

Goal

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions

Solution

From the description, the file content is encoded with rot13.

1
2
3
4
bandit11@bandit:~$ ls
data.txt
bandit11@bandit:~$ cat data.txt
Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2xxx

Indeed it is, we can write a python script to decode the strings or just simply go to google and search for rot13. This site Rot13 can decode the strings for us.

rot13

Level 12 -> Level 13

Goal

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)

Solution

Fot this level, we need to create a directory in /tmp in order to be able to write files, move to that directory, and copy the data.txt file to us.

1
2
3
4
5
bandit12@bandit:~$ mkdir /tmp/hack
bandit12@bandit:~$ cd /tmp/hack
bandit12@bandit:/tmp/hack$ cp ~/data.txt .
bandit12@bandit:/tmp/hack$ ls
data.txt

If we read the file, we see that it is hexdump, we can change that using xxd with -r to convert the file to it’s precious form, and then we need to write the output to a file.

1
2
3
4
bandit12@bandit:/tmp/hack$ xxd -r data.txt > file
bandit12@bandit:/tmp/hack$ ls
data.txt  file.txt
bandit12@bandit:/tmp/hack$ file file.txt

In the Goal, we’ve been told that the file has been repeatedly compressed, let’s use file to determine the type of file.txt

1
2
bandit12@bandit:/tmp/hack$ file file.txt
file.txt: gzip compressed data, was "data2.bin", last modified: Thu May  7 18:14:30 2020, max compression, from Unix

It’s a gzip compressed file. We need to rename it from file.txt to file.gz to be able to decompress it.

1
2
3
4
5
6
7
8
9
10
11
bandit12@bandit:/tmp/hack$ ls
data.txt  file.txt
bandit12@bandit:/tmp/hack$ mv file.txt file.gz
bandit12@bandit:/tmp/hack$ ls
data.txt  file.gz
bandit12@bandit:/tmp/hack$ gzip -d file.gz
bandit12@bandit:/tmp/hack$ ls
data.txt  file
bandit12@bandit:/tmp/hack$ file file
file: bzip2 compressed data, block size = 900k

Great, we decompressed the file successfully, and we got a file called file and it is also compressed with bzip2, let’s rename the file to file.bz2 and decompress it using bzip2 -d

1
2
3
4
5
6
7
8
bandit12@bandit:/tmp/hack$ mv file file.bz2
bandit12@bandit:/tmp/hack$ ls
data.txt  file.bz2
bandit12@bandit:/tmp/hack$ bzip2 -d file.bz2
bandit12@bandit:/tmp/hack$ ls
data.txt  file
bandit12@bandit:/tmp/hack$ file file
file: gzip compressed data, was "data4.bin", last modified: Thu May  7 18:14:30 2020, max compression, from Unix

Now we have gzip compressed file, I assume you know what to do now.

1
2
3
4
5
6
bandit12@bandit:/tmp/hack$ mv file file.gz
bandit12@bandit:/tmp/hack$ gzip -d file.gz
bandit12@bandit:/tmp/hack$ ls
data.txt  file
bandit12@bandit:/tmp/hack$ file file
file: POSIX tar archive (GNU)

We now have tar compressed file.

1
2
3
4
5
6
7
bandit12@bandit:/tmp/hack$ mv file file.tar
bandit12@bandit:/tmp/hack$ tar -xvf file.tar
data5.bin
bandit12@bandit:/tmp/hack$ ls
data5.bin  data.txt  file.tar
bandit12@bandit:/tmp/hack$ file data5.bin
data5.bin: POSIX tar archive (GNU)

Another tar compressed file.

1
2
3
4
5
bandit12@bandit:/tmp/hack$ mv data5.bin data.tar
bandit12@bandit:/tmp/hack$ tar -xvf data.tar
data6.bin
bandit12@bandit:/tmp/hack$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k

Now a bzip2 compressed file.

1
2
3
4
5
6
andit12@bandit:/tmp/hack$ mv data6.bin data6.bz2
bandit12@bandit:/tmp/hack$ bzip2 -d data6.bz2
bandit12@bandit:/tmp/hack$ ls
data6  data.tar  data.txt  file.tar
bandit12@bandit:/tmp/hack$ file data6
data6: POSIX tar archive (GNU)

We got a tar compressed file

1
2
3
4
5
6
7
8
bandit12@bandit:/tmp/hack$ mv data6 data6.tar
bandit12@bandit:/tmp/hack$ tar -xfv data6.tar
tar: v: Cannot open: No such file or directory
tar: Error is not recoverable: exiting now
bandit12@bandit:/tmp/hack$ tar -xvf data6.tar
data8.bin
bandit12@bandit:/tmp/hack$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", last modified: Thu May  7 18:14:30 2020, max compression, from Unix

I know what you thinking right now, is this ever going to end?! No worries, i was asking the same question. Let’s decompress this gzip file.

1
2
3
4
5
6
7
8
9
bandit12@bandit:/tmp/hack$ mv data8.bin data8.gz
bandit12@bandit:/tmp/hack$ gzip -d data8.gz
bandit12@bandit:/tmp/hack$ ls
data6.tar  data8  data.tar  data.txt  file.tar
bandit12@bandit:/tmp/hack$ file data8
data8: ASCII text
bandit12@bandit:/tmp/hack$ cat data8
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORxxx
bandit12@bandit:/tmp/hack$

Finally, we finished the decompression and got our password.

Level 13 -> Level 14

Goal

The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on

Solution

With a private SSH key, we can connect without providing a password, so let’s copy the content of sshkey.private file and put it in a file in our machine. Normaly, the file that holds the private key get named id_rsa, you can name whatever you want. We can connect by adding -i {private_key} after ssh command, the full command would be like this ssh -i {private_key} bandit14@bandit.labs.overthewire.org -p 2220

1
2
3
4
5
6
7
8
9
10
11
$ ssh -i id_rsa bandit14@bandit.labs.overthewire.org -p 2220                                                                                         130 ⨯
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "id_rsa": bad permissions
bandit14@bandit.labs.overthewire.org's password:

“Wait, you said we don’t need a password!”

Yes, but for the private key to do it’s job, it needs to have certain file permissions (600), we need to change it’s permissions using chmod 600 {private_key}, which mean that only the owner of the file can read and write the file.

1
2
3
4
5
6
7
8
9
10
$ chmod 600 id_rsa                                                                                                                                   130 ⨯

$ ssh -i id_rsa bandit14@bandit.labs.overthewire.org -p 2220
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

Linux bandit.otw.local 5.4.8 x86_64 GNU/Linux
.
.
.
bandit14@bandit:~$

The password for bandit14 is located in /etc/bandit_pass/bandit14.

1
2
bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3xxx

Level 14 -> Level 15

Goal

The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

Solution

We can use telnet to connect to localhost on port 30000 and submit the password.

1
2
3
4
5
6
7
8
9
bandit14@bandit:~$ telnet localhost 30000                                     
Trying 127.0.0.1...                                                        
Connected to localhost.                                                      
Escape character is '^]'.                                                    
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e                                             
Correct!                                                                      
BfMYroe26WYalil77FoDi9qh59eK5xxx                                              

Connection closed by foreign host

Thank you for taking the time to read my writeup, I hope you have learned something with this, if you have any questions or comments, please feel free to reach out to me. See you in the next hack :) .

This post is licensed under CC BY 4.0 by the author.