Thursday, May 12, 2016

OverTheWire Wargames - All Bandit Levels


Bandit - A Beautiful Di-bash-ter


    After attending a local security conference here in Charlotte the last weekend I decided to spend a little time working on my reversing skills.  I am very new to reverse engineering and it is one of my weaker subjects.  I started doing research, on the hunt for a site that was still alive and hosting some wargames.  Very quickly I stumbled upon 'OverTheWire', they had servers that seemed to still be alive and well.  I decided to give it a try and after about 4 hours or so I am having enough fun that I decided I should write about my experience with the site.  The owners of the site have asked that no spoilers be posted so I will do my best to explain the theory behind each level and give you enough information to reach the flag on your own.  This post does not contain any flags.  With that being said, I am no master in this field.  I am learning and writing about to to help others and help myself learn.  If you have a better way to solve a level than me please leave a comment.  This post will cover the bandit levels.  These levels are very easy but, I am very glad I did them and I enjoyed working through each challenge and brushing up on some old terminal commands I hadn't used in ages.  The more challenging series are coming soon.  They will take me a bit longer as they are much less in tune with my skill set at the current time.  Enjoy and as always, happy hacking!

The Good Stuff


Level 00


    This Level is designed to make sure you know how to use ssh.  For most if not all of you reading this is going to be a no brainer.






    Just like it says all you have to do is ssh into the box that is located at 'bandit.labs.overthewire.org' with the username '' and password ''. Thats it.  If you cant figure this one out message me and let me know what part you don't understand.  I always can use a good laugh.
    I'm going to add a few extra screenshots and details in this first one.  No other level will have a screenshot of the terminal or include the final commands to get the flag.  If you are familiar with ssh already feel free to skip over this next section but, for our newest members to the linux community I will give a brief explanation of the ssh protocol.
    SSH - SSH stands for SecureSHell.  At the highest level it is a secure way to send commands to a remote machine from your terminal(or ssh client of choice).  As you can imagine being able to use your terminal to manage a remote machine can come in very handy.  It is the backbone of server administration and I highly recommend becoming very familiar with ssh.  In general when you want to start an ssh session from a linux based machine, you will open your terminal and issue the ssh command.  The specific ssh command we use to connect to the server for the wargame is:
        'ssh -P bandit0@bandit.labs.overthewire.org'
    This is a form of the ssh command you will see a lot.  Lets break this down, the first part or 'ssh' is the actual ssh command itself.  You are calling the ssh client to start a remote connection.  The first argument '-P' means we are going to enter a password.  You will be promoted for this password right after you run the command(password is bandit0).  After this you have the string 'bandit0@bandit.labs.overthewire.org'.  Here the section before the '@' is our username 'bandit0'.  The '@' symbol tells the ssh client to expect the hostname of the machine we are connecting to next.  The section after the '@' means, thats right you guessed it! Thats our hostname for the box the wargames are hosted on.  Once you run the command and enter the password 'bandit0' you have started the fun!  You will see this screen after a successful login:




    If you would like a more technical explanation of what is happening when you start your ssh session continue reading this paragraph.  If you do not want to know more about ssh skip to level 1.  Lets start with the server.  When you have a linux server that you are going to be managing there is a good chance you will need remote access to the server.  As most of you probably know, the best servers have no GUI.  When you manage your server with terminal, rather than using something like remote desktop on windows you would use ssh to connect to a remote terminal and administer the server that way.  On your linux server you will have the ssh server setup and running.  If you would like to play with this more, download a free linux os(I highly recommend debian or fedora for beginners), spin up a vm(if you are on windows you will also need to install something like putty or cygwin) install linux and ssh into your box!  Google ' ssh server setup' and you will find a vast wealth of resources to learn more.
   Back to ssh.  Now when you use your ssh client to connect to a remote ssh server, you first request the connection, the server will check your credentials(hopefully you are using key based authentication instead of passwords, google it for more info) and if you are allowed access it will start the connection.  Behind the scenes whats is happening is you are creating an encrypted tunnel between yourself and the machine you are connecting to that you can issue commands over.  In our example above we are using ssh to connect to a remote bash session and administer the server but, ssh has all sorts of uses from transferring files to network tunneling.  Take a look at the links below if you would like to learn more about ssh and as always ask any questions you have in the comments below!

    - https://en.wikipedia.org/wiki/Secure_Shell#Definition

    - http://stackoverflow.com/questions/31226188/what-is-ssh-and-how-does-it-work
    - https://en.wikipedia.org/wiki/SSH_File_Transfer_Protocol
    - https://en.wikipedia.org/wiki/Tunneling_protocol

Level 01




  Level one is still a walk in the park for any experienced linux user.  In fact the first 15 or so will be a walk in the park.  The goal of this level is to view the contents of a file called '-' in your home directory.  This task might seem straight forward but, it gets fun when you remeber that in linux a lot of programs, including most of the ones you need use '-' to stand for stdin/stdout.  Stdin and stdout are your standard input and output streams.  This means if you try to run a command like 'vim -' or 'cat - ' you will receive and stdin console rather that seeing the contents of your file.  With this info you should be able to figure out with minimal effort how to escape the string.  Once you figure out how to pass a file with the name '-' to the cat command you will get you flag. For mo-re information on standard streams check out the links below.

    - https://en.wikipedia.org/wiki/Standard_streams
    - http://www.gnu.org/software/libc/manual/html_node/Standard-Streams.html
    - http://www.linfo.org/standard_output.html

Level 02




    Level two is exactly like level one except it uses spaces in the filename rather than using a commonly reserved character.  This one should be very easy.  If you area really stuck checkout the link below.

    - http://stackoverflow.com/questions/23019471/

Level 03




    In level three we are showing are knowledge of hidden files in linux.  For this one you will want to be familiar with the various options of the ls command.  Reference the man page for ls (type 'man ls' in linux terminal).  A key piece of knowledge on this level is that in linux hidden files begin with a period.  For example if you name a file '.hideMyAss.jpg' it will not show up with the standard 'ls' command.  For that we will need to find a flag for ls that allows showing files that start with a period.  With that in mind, open up the man page and read through the various flags available to you.  Below is a link to an html version ofd the man page for ls.

    - http://man7.org/linux/man-pages/man1/ls.1.html

Level 04




    In level four you will find one folder in your home directory that contains a handful of files named '-file0x'.  Only one of these files contains human readable text and that is your flag.  Now with this level you can do it one of two ways, the hard way or the easy way.  The hard way would be using cat to go through each file one at a time until you get the right one.  Personally I like to take a bit of a faster approach.  The issue is cat is only meant to display one file at a time.  I solved this one using the tail command.  Pay special attention to the '-n' flag in the man page linked below.  Play around with 'tail -n + 1' over all files in the directory.  With tail you can dump the contents of every file at once and pick out the flag very easily.

    - http://man7.org/linux/man-pages/man1/tail.1.html

Level 05




    Level five is all about bash magic.  You are given a directory full of assorted files and subdirectories.  You are told in the instructions that the file containing the flag is human readable, 1033 bytes in size and not executable.  The approach I took for this one was using the good old 'find' command.  Browsing through the man page for find you will notice a neat little feature, the exec flag.  Exec allows you to pass the filename found to a command of your choosing.  Another very handy command for this level is 'du'.  Du is a neat little piece of software that gives more details on the size of a specified file.  You can do all sorts of cool things with du such as print out the sizes of files in bytes.  The last command you should know about for this level and well, linux life in general is 'grep'.  Grep is the holy grail of filtering.  You will find yourself constantly using grep to filter search results in terminal and the best part is, it works with anything if you use piping!

    What is piping you ask?  In linux you can 'pipe' the output of one program into another programs input(stdin).  In terminal you pipe using the '|' operator.  For example in the image below you can see the result of me piping the output from an 'ls -al' command into grep and filtering out anything without the string 'tmp' in the name.  The first command in the image is the normal ls showing a list of every directory in the root.  Below that you will see the same ls command run with a pipe into grep attached.  This is the 'ls -al | grep tmp' at the bottom.  Notice that this command only returns the '/tmp' directory as it is the only directory matching the search terms used in grep.  Below the image are links to the man pages for grep, du and find as well as a link to a good tutorial on piping and redirection.




    - http://linux.die.net/man/1/find

    - http://linux.die.net/man/1/du
    - http://linux.die.net/man/1/grep
    - http://ryanstutorials.net/linuxtutorial/piping.php

Level 06




    Level seven is the same as level six using different parameters.  The only difference I used on this level was adding an extra group and user filter to the find command.  You can read about doing both of these in the man pages above or google them.


Level 07




    For level seven the only tool I used was vim.  You can do a quick google search for searching for string in vim.  Also basic usage, vim can be a bit strange the first time you use it but, I promise it is worth getting used to.  Open up vim or your favorite text editor, search for the term ' millionth' and you have your flag.


Level 08




    Level eight is a bit of a fun level.  When you login to the server you will find a file in your home directory named 'data.txt'.  This file contains a long list of possible passwords.  To find the flag you need to group all of the passwords together and find the only entry that only appears once.  I believe it is a safe assumption that they want you to use sort and uniq.  I will discuss those but, as a man who loves going against the grain I decided to take a scripted approach.  I decided to copy the data.txt file over to my local machine and write a python script that will count each unique entry and return the password that only shows up once in the list of passwords.  I have uploaded the script to github and placed the link below.  The code I have uploaded is missing a few sections of the code, this is intentional.  I don't want to give the answer away so I have replaced some code with pseudo code.  Feel free to clone the repo re-write the snippets I have removed and use the script to find the password.


    - Level08 Script

     
    Lets discuss the bash based solution.  The first command we will cover is sort.  Sort does exactly what it sounds like it does, it sorts all of the lines in a text file.  If you run 'sort data.txt' the output will be a list of every line in the file sorted by unique line.  You will still have all of the duplicate entries but they will be right next to one another.  The next command you will want to familiarize yourself with is uniq.  Uniq is used to filter out or display lines that show up more than once in a file.  Uniq can also do things like filter out any values that show up more than once.  If you need more of a hint that that remember piping!  Below are links to information on sort and uniq.  Pay attention to the flags for uniq, you will need one of them.

    - http://man7.org/linux/man-pages/man1/sort.1.html

    - http://ss64.com/bash/uniq.html

Level 09




    Level nine, time to get owned.  This is a very simple level, it is another one where you just need to open up the data.txt file in your favorite editor and search for a series of equals symbols.  After going through a few matches you will very quickly notice that one of the sets of equals symbols has a password after it.  I trust that after my training thus far, you can handle this one on your own young jedi.  I will say, if you would like some bonus points you can write a script that searches for any number of equals symbols(reqex) with 32 alphanumeric characters following it.


Level 10




    Level ten is designed as an introduction to base64 encoding.  Once you login you will notice that your data.txt file contains a base64 encoded string.  The dead giveaway here(if it weren't already in the description for the level) is the fact that this is an alphanumeric string with equals signs at the end(this is the padding used for base64 encoding).  To get the flag for this level you will need to learn the base64 command.  Below I have linked the man page and a few great resources for learning about base64 encoding.


    - http://linux.die.net/man/1/base64

    - https://en.wikipedia.org/wiki/Base64
    - https://www.base64encode.org/

Level 11




    Level eleven is along the same lines as the previous level.  The difference here is we are no longer using base 64 encoding.  This challenge uses a very common substitution cipher called ROT13(Rotate by 13).  I have added links below with more information about ROT13.


    - https://en.wikipedia.org/wiki/ROT13

    - http://stackoverflow.com/questions/5442436/

Level 12




    Level twelve and I have a bit of a love hate relationship.  It is a fun challenge and a makes you think a little bit more than its predecessors but by the end of it you will be very happy its over.  On this challenge I feel there was a much better way to accomplish the level than I took.  I used and abused the file command.  The file command will tell you what type of file you have.  From there you can rename to the appropriate extension and unpack!  When I first attempted this challenge I spend a good 15 minutes or so playing around with the hex.  After stepping back a bit I realized the level was much easier than I was making it out to be.  File, rename, unpack, rinse, repeat.


Level 13




  This level is designed to make sure you understand the basics of key based authentication.  You will notice when you login that there is a file called 'sshkey.private' in your home directory.  This is a file containing an RSA private key.  For anyone not familiar with key based auth I will give a little more detail.  This type of authentication is a step up from standard password based authentication and I highly recommend disabling passwords remotely and forcing RSA authentication.  When you are setting this system up on your ssh server you would start by generating a set of SSH keys, this will give you a public and a private key that are mathematically linked.  The public key is used to encrypt data and the private keys are used for decryption.  When you attempt to connect to the server the client first sends up the id of the keypair it would like to use for authentication.  The server then checks its 'authorized_keys' file for the associated public key.  If an associated public key is found the server will use it to encrypt a message and send it over to the client.  If he client is able to decrypt the message properly the authentication is successful and you are logged in.

   To complete the challenge you need to figure out how to use a private key in the ssh command.  Once you figure out how to use private key authentication, save the private key from the server in a file on your local machine, use that as they key in the ssh command and viola! Your logged in.  Below I have added some really great resources to learn more about ssh keys.

    - https://en.wikipedia.org/wiki/RSA_(cryptosystem)

    - https://www.digitalocean.com/community/

Level 14




   For level fourteen your going to need telnet you could also use netcat but im going with good old telnet.  This is a very easy level for most but I'm going to give a little detail on how the client server model and sockets work.  If you are already familiar with this info skip this.  You should be able to solve this one really easily if your familiar sockets.

  In this level you are asked to submit the password to the current level(/etc/bandit_pass) to port 30000 on localhost.  This means that there is some server application listening on port 30000 on this machine.  When you have a program where you have a client that communicates to a server that communication gets done on a pre decided port.  The server will listen on this port and when a client connects they connect over that port.  If were being technical here the actual communication is not done on this port, our client uses this port to connect and then we are given a random port to communicate to the server with but, for the sake of this article we wont go to far into that.  The client would make its request to the server, the server will process the request and respond.  At this point the client is updated and generally the connection is closed until it is needed again.  We can use programs like netcat and telnet to simulate a client or server, send data and observe interactions.

FINISH THIS I NEED TO REDO AND TEST IT


Level 15






    Level fifteen is the same theory as fourteen.  The difference here is we need to submit the password on our new port using ssl encryption.  For this one I'm going to link you to the s_client page.  This link holds all of the information you need.  Remember you just need to connect to a specific host and port using your s_client connection.


    - https://www.openssl.org/docs/manmaster/apps/s_client.html

Level 16




    Level sixteen is a great level.  For this challenge they introduce nmap, I love nmap and personally it is the first tool I bust out on any pentest.  Many skilled security engineers will tell you port scanning is dead.  I am not one of them.  Were going to break this one down one challenge at a time.

    The first thing they ask you to do is determine which ports between 31000 and 32000 are listening.  This is where nmap comes in.  Nmap is a highly advanced reconnaissance tool.  Not only does it detect open ports(working around many common practices in place to block port scanning) it also does all sorts of OS and service detection.  Here you will find anything you want to know about nmap.  To simply scan the ports you can run something like 'nmap -Pn -T4 -p 31000-32000 locahost'.  This will dump out a list of the open ports on that machine in the given range.
    Once we knows what ports are open in the range they gave us its time to move on to step two.  Checking which of those ports are accepting ssl.  For this we just start from the top(or bottom if your cool like me) of the list.  To test this you are going to use the exact same commands you used on level fifteen with a modified port number.  Some of the ports will deny the connection as they do not support ssl.  For the ports that allow the connection try sending them the password.  The correct server will spit out the password for level seventeen.  The other servers will simply repeat back the password you entered.

Level 17




    On level seventeen they step the difficulty back down a good bit.  For this challenge all you have to do is run a diff on the two files in your home directory.  There is only one life than changed in the file.  Being able to read a diff is definitely a useful skill if you are planning on being a developer.  Below I have added a link to the man page for diff.  This is a very simple procedure essentially you are giving your two files to the diff program and it is spitting out all the lines that changed.  The one line that changed, the newest version of it is your flag.


    http://man7.org/linux/man-pages/man1/diff.1.html


Level 18




    Level eighteen may seem tricky at first but it really isn't that bad.  The problem in this level is that some sly devil has added some code to your bashrc file that will log you out automatically when you login.  For those of you who don't know the bashrc file is run as soon as you start bash.  What you need to do here is read through the man pages of ssh for a way to run a command directly after connecting.  Once you figure that out you can run the command to cat out the contents of the readme file on login and bam, you have your flag.


Level 19




   Upon logging into the fair land of level nineteen you are presented with a binary in your home directory.  The first thing you should do when you run into a binary like this is run it.  Now let me be clear, I'm not saying its safe for you to run around willy nilly running every binary you come across.  In this type of scenario, run that shit.  When you run it with no arguments it will give you the following message.




    This message tells you exactly what you need to know.  This binary runs a given command as the user bandit20.  If you run the sample command it will output an example of this.




    Note here that the euid or esentially the id of the user the command is running as is bandit20.  Now that we know what this binary does the level should be very easy.  All you have left to do is find a command that will print out the password for the user bandit20.  I hope at this point you know where those passwords are located.  Once you figure out what that command is, feed it into your binary as an argument and your done!


Level 20




    Level twenty is all about a little program that is near and dear to my heart. Netcat, what is there to say about netcat. Netcat is a tool for testing reading and writing data to a UDP or TCP socket.  It can be set in listen mode and act as a server or you can use it in client mode and connect to any port running a UDP/TCP server.  Netcat can be used for all sorts of things ranging from testing to reverse shells and many things in between.  For this level you are going to need to login once and start netcat in listen mode.  You need to specify that it start on any vlid port number that is not in use.  Once you have done that you need to ssh into the box again to start a new session.  On this user you need to run the suconnect binary that is in your home directory specify the port the server in the previous step is listening on.  This will connect the client to the server and on the server you will be able to enter the password and be handed back the flag on the client!  All of this is very simple in netcat with a bit of google foo.  As always if you have questions as in the comments below.  I have added some links to more information on netcat and useful information for this level.  The last link is a bit more information on tcp vs udp.  This isnt really relevant on this level but it is good stuff to know.


    - https://en.wikipedia.org/wiki/Netcat

    - https://www.digitalocean.com/community/
    - http://www.howtogeek.com/190014/

Level 21





    For this level and the next few you are going to be looking at cron jobs.  In linux cron is a task scheduler.  When you create a cronjob you make a file in /etc/cron.d with a task(a command or shell script) and a time interval to run the task at.  You could have cron running a script to delete all the files in your tmp directory every hour or a cronjob to open meat spin on your friends browser every minute.  You know, fun stuff like that.  For this level we want to see the cron running for the user bandit22.  We notice that the /etc/cron.d directory there is a file called cronjon_bandit22.  If we cat out the contents of this file we see the cronjob looks as follows:




    Let me break down for you what this job is doing.  The first part of the job you will notice are the five asterisks.  The first five characters in the script are how you tell it what time interval to run at.  Five asterisks means run this script every minute of every day of every month every year.  I have added an image below explaining what each place represents.  Image source: http://serverfault.com/questions




    The next part of this job is the name of the user that the script will run as or 'bandit22'.  After that you see the command to execute.  In this case we see that the job is running the script /usr/bin/cronjob_bandit22.  The next section is something you will see in a lot of cronjobs.  The '&> /dev/null' in essence means take any output form this and redirect it into the /dev/null blackhole where it will forever be forgotten about with no hope of escape.  At the bottom of the level I have included links to follow to learn more about cron and how it works.

    Now that we know what script we are looking for we cat out the contents of the shell script and take a look at the task this job is performing.  Once you cat the contents of the script out the location of the flag should be very easy to find.  Just remember, in bash '>' stands for redirecting output of one command into a file.

    - https://en.wikipedia.org/wiki/Cron


Level 22




    This challenge requires you to follow the same steps as the previous challenge.  The difference here is your working with a script with a bit more code in it.  For this on the biggest piece of advice I can give you is, if you don't understand what a line in the script is doing, copy it and run it in bash to see what happens.  Copy the line, paste it into your terminal, hit enter and observe the output.  If you see something inside of a $(SOME_CODE_HERE), make sure you only copy what is inside the parenthesis(the SOME_CODE_HERE section).


Level 23




    On this level you are following the same first steps as the past few levels.  Find the cron job, cat out the contents and then cat out the contents of the script it is calling.  Here the action the script is taking is a bit different.  Ill give you a huge hint on this one as I could see someone who is new to scripting and tinkering having trouble on this one.  You will notice on this level that the script is looping through all scripts in a directory, executing them and then deleting them after.  No remember, whatever is in that directory will be run as the user bandit24 every minute.  In otherwords maybe you can write to this directory and add your own script that does something like, I don't know copy the password for bandit24 into a file that you have read access to.  Another big hint for this level, make sure you permissions are good, make sure your script is executable by all users and the directory it writes to is writeable by all users.  If you need help with this see the link below.


    - https://en.wikipedia.org/wiki/Chmod

    - http://www.linux.org/file-permissions

Level 24




    Level 24 is all about the brute force.  For this one I am going to publish my source code in the github link below.  The reason I am breaching protocol on this one is, as much as I feel that you should be aware of what brute forcing is, I highly suggest you don't ever use it in the real world.  It is about as far from stealthy as you can be and any target with a security department will notice.  Essentially the idea here is, try every single possible pin until one works.  As an attacker you would write a script like the one I link below(very sloppy quick late night hack together script, don't judge).  You would run this script, the server your running it on will most likely block you and that will be the end of that.  One thing I did notice about this level is it seems that the pin number is generated on a per session basis.  In other words if you close and re-open the connection the pin will change.  Because of this you must do all of your brute forcing in a single telnet session.


    - https://github.com/bandit/Level24


Level 25



    Level 25 start you out with the hint that the user bandit26 doesn't use bas they use something else.  Upon login you will notice you are given the ssh key to bandit26 in your home directory but, if you attempt to login you get a fancy ass ascii art header thats bangin and dope in its own right.  As the kids say that is.  From here your going to want to log back in as bandit25 and do some digging.  The first command you'll want to know is getent.  I have linked the man page below.  Figure out how to use getent to show you the shell that spawns at login for bandit26.  You can also get this info from /etc/passwd but wheres the fun in that.  The command getent is made to grab entries from name service switch libraries.  A name service switch or NSS is essentially a common way for your OS to interface with configuration information.  A sys admin can setup the nsswitch.conf file and point it to its common configuration databases such as group and passwd.  Once this is setup you can pull configuration information from all of these places through one common interface.  For this you are interested in the login script listed in the passwd config.  Once you discover that you will be able to read the script that the users login is calling.  Look at the script and you will notice it is using the more command to display the text in the text.txt file.  Now more has some fun functionality if you make your terminal window to small to display all of the text.  If you can get it to show only part of the desired text you have the option to go in vi mode.  Once in vi mode you can set your shell and launch it to break out of the script.

    - http://linux.die.net/man/1/getent
    - https://en.wikipedia.org/wiki/Name_Service_Switch

3 comments:

  1. how long will the script in level 24 run for?

    ReplyDelete
    Replies
    1. I would recommend to generate password strings upfront to a file and then feed this file to nc. It takes about 1-2 seconds at most to run both.

      Delete
  2. This comment has been removed by the author.

    ReplyDelete