Hello friends! Today we continue solving the Bandit levels, starting from Level 14. If you haven’t seen the previous part, it is strongly recommended that you read it first.
Level 14-15
Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
The goal gives us the clue: the password for the next level can be retrieved by submitting the password of the current level. So, first we read the current level’s password using cat.
cat /etc/bandit_pass/bandit14
Then we connect to the given port 30000 using telnet and submit the current level’s password.
telnet localhost 30000
We can see that we got the next level’s password.
ssh bandit15@localhost
This password is now used to connect to bandit15.
Level 15-16
Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…
Here, we can’t connect with telnet because the service on localhost:30001 uses SSL encryption, so we’ll have to use openssl.
openssl s_client -connect localhost:30001 -ign_eof
We got the password for the next level: BfMYroe26WYalil77FoDi9qh59eK5xNr
After we submit the current level’s password, the next level’s password is generated.
ssh bandit16@localhost
Now, we can connect to bandit16.
Level 16-17
Level Goal
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
First, we need to find the open port that speaks SSL using Nmap.
nmap -A localhost -p 31000-32000
We can see that port 31790 is open and listening with SSL. Next, we connect to localhost on that port.
openssl s_client -connect localhost:31790
[Use the current password]
After submitting the current level’s password, we get an RSA PRIVATE KEY.
Copy it into a file in a directory under /tmp using a text editor.
mkdir /tmp/raj_bandit16
cd /tmp/raj_bandit16
nano sshkey.private
Paste the copied text here.
Everything is ready now; use ssh to connect to bandit17.
chmod 600 sshkey.private
ssh -i sshkey.private bandit17@localhost
Level 17-18
Level Goal
There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new
NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19
ls -la
diff passwords.new passwords.old
ssh bandit18@localhost
Level 19
Level Goal
The password for the next level is stored in a file readme in the home directory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
We will try to connect to bandit19.
ssh bandit19@localhost
But after connecting, the connection gets terminated.
So, we will use ‘-T’ (disable pseudo-terminal allocation) to connect to bandit18.
ssh -T bandit18@localhost
Now we are connected to bandit18, and we list all the files in the bandit18 home directory.
The listing shows a single file named ‘readme’, so we read it using the cat command.
It must be the password for bandit19.
ls
cat readme
The above password is used to connect to bandit19.
ssh bandit19@localhost
Level 20
Level Goal
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.
setuid:
According to the goal, we need to execute the setuid binary; only with the help of that binary can we read the bandit20 file inside ‘/etc/bandit_pass’.
ls -la
./bandit20-do cat /etc/bandit_pass/bandit20
The above password is used to connect to bandit20.
ssh bandit20@localhost
Level 21
Level Goal
There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
Again, list all the files in the current directory.
There is a file named ‘suconnect’.
Let’s read it using the cat command.
ls -la
Here, I found the usage of the file. It is simple to use.
cat suconnect
I’m using port 3222 to connect. Open another bandit connection in a second terminal to receive the password.
./suconnect 3222
Using netcat, we can start listening on port 3222.
nc -l 3222
The above password can be used to connect to bandit21.
ssh bandit21@localhost
Before starting Level 21 onwards, it is strongly recommended that you read about cron jobs.
Level 21-22
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
Here, we change into the ‘/etc/cron.d’ directory and list the files present in it.
There is a file named ‘cronjob_bandit22’. Let’s check what this file contains.
cd /etc/cron.d
ls -la
This file runs a bash script, which changes the permissions of a file in the ‘/tmp’ directory.
Now read these files using cat.
cat cronjob_bandit22
cat /usr/bin/cronjob_bandit22.sh
cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
We got the password for bandit22. Using this password, we can connect to bandit22.
ssh bandit22@localhost
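The manual inspection in this level can be scripted. The following is an added example, not part of the original walkthrough: it lists every job in a cron.d-style directory with the account it runs as, and flags job scripts that the current user can read and that reference /tmp, which is the pattern this level relies on. The function names and the sample entries are constructed for illustration; only the account name bandit22 comes from the text.

```shell
#!/bin/sh
# Added example: enumerate cron.d-style jobs and flag scripts that use /tmp.

# list_cron_jobs DIR -> "file<TAB>user<TAB>command" for every job entry.
list_cron_jobs() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v file="${f##*/}" '
            /^[ \t]*#/ || /^[ \t]*$/ { next }               # comments, blank lines
            /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next } # VAR=value settings
            {
                n = ($1 ~ /^@/) ? 1 : 5   # @reboot-style entries use one schedule field
                if (NF < n + 2) next      # malformed line: no user or command
                cmd = $(n + 2)
                for (i = n + 3; i <= NF; i++) cmd = cmd " " $i
                printf "%s\t%s\t%s\n", file, $(n + 1), cmd
            }' "$f"
    done
}

# audit_cron_jobs DIR -> one REVIEW line per job whose script the current
# user can read and which mentions /tmp (output other users may be able to read).
audit_cron_jobs() {
    tab=$(printf '\t')
    list_cron_jobs "$1" | while IFS="$tab" read -r file user cmd; do
        script=${cmd%% *}
        [ -f "$script" ] && [ -r "$script" ] || continue
        if grep -q '/tmp/' "$script"; then
            echo "REVIEW $file: $user runs $script (references /tmp)"
        fi
    done
}

# Constructed sample: a cron.d directory and job script built in a scratch dir.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/cron.d"
printf '#!/bin/sh\ncat /path/to/secret > /tmp/PLACEHOLDER_NAME\n' > "$demo_dir/job.sh"
{
    echo '# constructed sample entries'
    echo 'MAILTO=""'
    echo "@reboot bandit22 $demo_dir/job.sh &> /dev/null"
    echo "* * * * * bandit22 $demo_dir/job.sh &> /dev/null"
} > "$demo_dir/cron.d/cronjob_sample"

audit_cron_jobs "$demo_dir/cron.d"
rm -rf "$demo_dir"
```

On a real host, run `audit_cron_jobs /etc/cron.d` as an unprivileged account; a job that stores a secret should write to a directory only its owner can read, not to a world-readable file under /tmp.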
Author: SOURABH is an Information Security Analyst | Pentester | Researcher
The post OverTheWire – Bandit Walkthrough (14-21) appeared first on Hacking Articles.