From 22d56b1455911a02ddfb8f606d68c35fcee9fa4e Mon Sep 17 00:00:00 2001 From: Zcross Date: Mon, 17 Apr 2023 20:56:38 +0530 Subject: [PATCH] bandit : aadityagupta400 --- level 1 password.txt | 301 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 301 insertions(+) create mode 100644 level 1 password.txt diff --git a/level 1 password.txt b/level 1 password.txt new file mode 100644 index 0000000..16385af --- /dev/null +++ b/level 1 password.txt 
@@ -0,0 +1,301 @@ +NH2SXQwcBdpmTEzi3bvBHMM9H66vVXjL - password level 1 +rRGizSaX8Mk1RTb1CNQoXTcYZWU6lgzi - password level 2 +aBZ0W5EmUfAf7kHTQeOwd8bauFJ2lAiG - password level 3 +2EW7BBsr6aMMoJ2HjW067dm8EgX26xNe - password level 4 +lrIWWI6bB37kxfiCQZqUdOIYfr6eEeqR - password level 5 +P4L4vucdmLnm8I7Vl7jG1ApGSfjYKqJU - password level 6 +z7WtoNQU2XfjmMtWA8u5rN4vzqu4v99S - password level 7 +TESKZC0XvTetK0S9xNwm25STk5iWrBvP - password level 8 +EN632PlfYiZbn3PhVK3XOGSlNInNE00t - password level 9 +G7w8LIi6J3kTb8A7j9LgrywtEUlyyp6s - password level 10 +6zPeziLdR2RKNdNYFNb6nVCKzphlXHBM - password level 11 +JVNBBFSmZwKKOP0XbFXOoW8chDz5yVRv - password level 12 +wbWdlBxEir4CaE8LaPhauuOo6pwRmrDw - password level 13 + +Gur cnffjbeq vf WIAOOSFzMjXXBC0KoSKBbJ8puQm5lIEi + + +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAxkkOE83W2cOT7IWhFc9aPaaQmQDdgzuXCv+ppZHa++buSkN+ +gg0tcr7Fw8NLGa5+Uzec2rEg0WmeevB13AIoYp0MZyETq46t+jk9puNwZwIt9XgB +ZufGtZEwWbFWw/vVLNwOXBe4UWStGRWzgPpEeSv5Tb1VjLZIBdGphTIK22Amz6Zb +ThMsiMnyJafEwJ/T8PQO3myS91vUHEuoOMAzoUID4kN0MEZ3+XahyK0HJVq68KsV +ObefXG1vvA3GAJ29kxJaqvRfgYnqZryWN7w3CHjNU4c/2Jkp+n8L0SnxaNA+WYA7 +jiPyTF0is8uzMlYQ4l1Lzh/8/MpvhCQF8r22dwIDAQABAoIBAQC6dWBjhyEOzjeA +J3j/RWmap9M5zfJ/wb2bfidNpwbB8rsJ4sZIDZQ7XuIh4LfygoAQSS+bBw3RXvzE +pvJt3SmU8hIDuLsCjL1VnBY5pY7Bju8g8aR/3FyjyNAqx/TLfzlLYfOu7i9Jet67 +xAh0tONG/u8FB5I3LAI2Vp6OviwvdWeC4nOxCthldpuPKNLA8rmMMVRTKQ+7T2VS +nXmwYckKUcUgzoVSpiNZaS0zUDypdpy2+tRH3MQa5kqN1YKjvF8RC47woOYCktsD +o3FFpGNFec9Taa3Msy+DfQQhHKZFKIL3bJDONtmrVvtYK40/yeU4aZ/HA2DQzwhe +ol1AfiEhAoGBAOnVjosBkm7sblK+n4IEwPxs8sOmhPnTDUy5WGrpSCrXOmsVIBUf +laL3ZGLx3xCIwtCnEucB9DvN2HZkupc/h6hTKUYLqXuyLD8njTrbRhLgbC9QrKrS +M1F2fSTxVqPtZDlDMwjNR04xHA/fKh8bXXyTMqOHNJTHHNhbh3McdURjAoGBANkU +1hqfnw7+aXncJ9bjysr1ZWbqOE5Nd8AFgfwaKuGTTVX2NsUQnCMWdOp+wFak40JH +PKWkJNdBG+ex0H9JNQsTK3X5PBMAS8AfX0GrKeuwKWA6erytVTqjOfLYcdp5+z9s +8DtVCxDuVsM+i4X8UqIGOlvGbtKEVokHPFXP1q/dAoGAcHg5YX7WEehCgCYTzpO+ +xysX8ScM2qS6xuZ3MqUWAxUWkh7NGZvhe0sGy9iOdANzwKw7mUUFViaCMR/t54W1 
+GC83sOs3D7n5Mj8x3NdO8xFit7dT9a245TvaoYQ7KgmqpSg/ScKCw4c3eiLava+J +3btnJeSIU+8ZXq9XjPRpKwUCgYA7z6LiOQKxNeXH3qHXcnHok855maUj5fJNpPbY +iDkyZ8ySF8GlcFsky8Yw6fWCqfG3zDrohJ5l9JmEsBh7SadkwsZhvecQcS9t4vby +9/8X4jS0P8ibfcKS4nBP+dT81kkkg5Z5MohXBORA7VWx+ACohcDEkprsQ+w32xeD +qT1EvQKBgQDKm8ws2ByvSUVs9GjTilCajFqLJ0eVYzRPaY6f++Gv/UVfAPV4c+S0 +kAWpXbv5tbkkzbS0eaLPTKgLzavXtQoTtKwrjpolHKIHUz6Wu+n4abfAIRFubOdN +/+aLoRQ0yBDRbdXMsZN/jvY44eM+xRLdRVyMmdPtP8belRi2E2aEzA== +-----END RSA PRIVATE KEY----- + +: private key for level 14 + + +fGrHPx402xGC7U7rXKDaxiWFTOiF0ENq - password for level 14 +jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt - password for level 15 +JQttfApK4SeyHwDlI9SXGR50qclOAil1 - password for level 16 + + + +MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ +imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ +Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu +DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW +JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX +x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD +KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl +J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd +d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC +YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A +vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama ++TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT +8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx +SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd +HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt +SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A +R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi +Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg +R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu 
+L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni +blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU +YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM +77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b +dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3 +vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY= + +- pvt key for level 17 + + +proceeding from level 16 to level 17 + +i first checked the read and write permissions in level 13 again as i was not able to proceed earlier + +for that i used these commands +ssh -p 2220 bandit13@bandit.labs.overthewire.org +ls -l + +it shows me the following permission for the file sshkey.private : -rw-r----- + +the command to get this is chmod 640 , i made a test file to test this + +i moved on to level 16 using ssh -p 2220 bandit16@bandit.labs.overthewire.org +i then moved to the directory where i stored the private key , used chmod 640 to set the same permissions , and tried to connect using the command +ssh -i private.key bandit17@localhost -p 2220 +but the same error of publickey is showing + +after 30 mins i realised my stupid mistake, i was not putting begin rsa key and end rsa key in the private key hence the format was unreadable and i was not able to proceed, +finished this level after 2 days + +the command to use it was ssh -i private.key bandit17@bandit.labs.overthewire.org -p 2200 + +used this since i saved the file locally. 
+ +i now changed the file under /tmp/zcross_random named private.key , put the correct format , and then used the command : ssh -i private.key bandit17@localhost -p 2220 +it logged me in , succesfully logged in to level 17 + + +level 17 to level 18 + +command used : + +cat passwords.old +cat passwords.new +diff passwords.old passwords.new = shows error +man diff +diff --normal passwords.old password.new = output : 42c42 +< f9wS9ZUDvZoo3PooHgYuuWdawDFvGld2 +--- +> hga5tuuCLF6fFzUpnagiMN8ssu9LFrdg + +by this i am assuming that password for level 18 is f9wS9ZUDvZoo3PooHgYuuWdawDFvGld2 +i waas wrong , it is : hga5tuuCLF6fFzUpnagiMN8ssu9LFrdg + + +level 18 to level 19 + +i was immediately logged out, i googled modified .bashrc to log you out when you log in with SSH , found a stackoveflow link , https://serverfault.com/questions/94503/login-without-running-bash-profile-or-bashrc + +i guess i can use -t to force commands + +i used ssh -t -p 22220 bandit19@bandit.labs.overthewire.org cat readm but nothing happened, i then used ssh -p 2220 bandit18@bandit.labs.overthewire.org -t cat readme +and got the password , this was the response +bandit18@bandit.labs.overthewire.org's password: +awhqfNnAbc1naukrpqDYcF95h7HoMTrC +Connection to bandit.labs.overthewire.org closed. + + +level 19 to level 20 + +i checked the wikipedia file but did not understand how to implement anything so i googled suid, still nothing. +i used cd /etc/bandit_pass +opened bandit 20 using cat, but permission was not given and i could not even change the read write permissions. + +i went back and saw permission for each file + +and i discovered an executable file , i ran it and got this output : Run a command as another user. 
+ Example: ./bandit20-do id + +ran ./bandit20-do cat /etc/bandit_pass/bandit20 and got +VxCazJaVykI6W36BkBU0mJTCM8rR95XT as password + +level 20 to level 21 + +i did some googling on opening ports and stuff and after various failed attemopt +i learnt to set up a server , and was still not able to understand how to send the old password to the server , i tried connecting to my own localhost but i couldnt get the password. + +i did a bit of googling and learnt about echo command , then used this command + +echo "VxCazJaVykI6W36BkBU0mJTCM8rR95XT" | nc -l -p 6969 + +however my system stopped here, did a bit of googling again and learnt about background processes so i used + + +echo "VxCazJaVykI6W36BkBU0mJTCM8rR95XT" | nc -l -p 6969 & + +after this + +./suconnect 6969 + +it gave me the password : NvEJF7oVjkddltPSrdKEFOllh9V1IBcq + + +level 21 to level 22 + +i went to /etc/cron.d , used cat cronjob_bandit22 , and got this as output: +@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null +* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null + +i didnt knew what to do but i checked out usr/bin/cronjob_bandit22.sh + +chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv +cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv + +this was the output , i think this means that a new folder or file is been created with that weird name and 644 means everyone can read it , and password is been pasted there + + +-bash: cd: /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv: Not a directory +bandit21@bandit:/$ ls +bin dev etc home lib lib64 lost+found mnt proc run snap sys usr +boot drifter formulaone krypton lib32 libx32 media opt root sbin srv tmp var +bandit21@bandit:/$ cd /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv/ +-bash: cd: /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv/: Not a directory +bandit21@bandit:/$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv +WdDozAdTM2z9DiFEQ2mGlwngMfj4EZff + +thus the password is WdDozAdTM2z9DiFEQ2mGlwngMfj4EZff + + +level 22 to level 23 + + 
+bandit22@bandit:~$ cd /etc/cron.d/ +bandit22@bandit:/etc/cron.d$ ls +cronjob_bandit15_root cronjob_bandit22 cronjob_bandit24 e2scrub_all sysstat +cronjob_bandit17_root cronjob_bandit23 cronjob_bandit25_root otw-tmp-dir +bandit22@bandit:/etc/cron.d$ cat cronjob_bandit23 +@reboot bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null +* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null +bandit22@bandit:/etc/cron.d$ cat ../../usr/bin/cronjob_bandit23.sh +#!/bin/bash + +myname=$(whoami) +mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1) + +echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget" + +cat /etc/bandit_pass/$myname > /tmp/$mytarget +bandit22@bandit:/etc/cron.d$ cd ../../usr/bin + +after several ls and cat commands i learnt about scripts and vatriables and then i put + +bandit22@bandit:/$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1 +8ca319486bfbbc3663ea0fbe81326349 + +since the script said passwrod file , and this is the new target now , we move to /tmp/weird file name + +bandit22@bandit:/$ cd /tmp/8ca319486bfbbc3663ea0fbe81326349 +-bash: cd: /tmp/8ca319486bfbbc3663ea0fbe81326349: Not a directory +bandit22@bandit:/$ cd /tmp/8ca319486bfbbc3663ea0fbe81326349/ +-bash: cd: /tmp/8ca319486bfbbc3663ea0fbe81326349/: Not a directory +bandit22@bandit:/$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349 +QYw0Y2aiA672PsMmh9puTQuhoz8SyR2G +bandit22@bandit:/$ + + +password : QYw0Y2aiA672PsMmh9puTQuhoz8SyR2G + +level 23 to level 24 + + cd /etc/cron.d/ +bandit23@bandit:/etc/cron.d$ ls +cronjob_bandit15_root cronjob_bandit23 e2scrub_all +cronjob_bandit17_root cronjob_bandit24 otw-tmp-dir +cronjob_bandit22 cronjob_bandit25_root sysstat +bandit23@bandit:/etc/cron.d$ cat cronjob_bandit23 +@reboot bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null +* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null +bandit23@bandit:/etc/cron.d$ cat ../../usr/bin/cronjob_bandit23.sh +#!/bin/bash + +myname=$(whoami) +mytarget=$(echo I am user $myname | 
md5sum | cut -d ' ' -f 1) + +echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget" + +cat /etc/bandit_pass/$myname > /tmp/$mytarget +bandit23@bandit:/etc/cron.d$ echo I am user bandit24 | md5sum | cut -d ' ' -f 1 +ee4ee1703b083edac9f8183e4ae70293 +bandit23@bandit:/etc/cron.d$ cat /tmp/ee4ee1703b083edac9f8183e4ae70293 +VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar + +password : VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar + + +level 24 to level 25 + +this level took a ridiculous amount of time as i didnt know how to create a script. + +i first did nc localhost 30002 , entered few random numbers trying my luck , didnt get anything. + +then i created a test.sh script inside /tmp/zcross_scripts , under that i wrote this : + +for i in {0000..9999} +do + echo VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar $i >> test.txt +done + + +i opened test.txt using cat test.txt ,tried to copy and then did nc localhost 30002 and then pasted, still i was not able to get any result, it was just a swarm of +incorrect pincode, after a while i modified the script, i added these lines + +cat test.txt | nc localhost 30002 > results.txt + + +this showed error + +i changed it to + +cat test.txt | nc localhost 30002 >> results.txt + +opened cat results.txt and in the final line it was written : +Correct! +The password of user bandit25 is p7TaowMYrmu23Ol8hiZh9UvD0O9hpx8d + +Exiting. + +password : p7TaowMYrmu23Ol8hiZh9UvD0O9hpx8d \ No newline at end of file
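
Review bot: The new file commits credentials and private keys in plaintext, from its first lines (the "password level 1" to "password level 13" entries) through the two RSA key bodies labelled "private key for level 14" and "pvt key for level 17" and the passwords recorded under each later level. Once pushed, these remain recoverable from history even if a later commit deletes the file. Drop the credential and key lines and keep only the method notes (the commands and what each one taught you). If this has already been pushed, rewrite the history rather than adding a delete commit. In the notes themselves, the SSH port is written three ways ("-p 2220", "-p 2200", "-p 22220"), and the diff command reads "diff --normal passwords.old password.new" while the files shown are passwords.old and passwords.new, so record the one invocation that actually worked. The second key body is stored without its "-----BEGIN RSA PRIVATE KEY-----" and "-----END RSA PRIVATE KEY-----" lines, which is the same format problem the level 16 notes describe. "chmod 640" leaves a private key group-readable, where 600 is the usual setting for a key file you own. The file also ends without a trailing newline, and the name "level 1 password.txt" no longer matches content that runs to level 25.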