From 94567f0850ea9aae4ef52a53357b1c896f8eb389 Mon Sep 17 00:00:00 2001
From: kituuu
Date: Tue, 18 Apr 2023 02:46:43 +0530
Subject: [PATCH] Adds Karthiks Bandit Assignment
Signed-off-by: kituuu
---
Karthik.txt | 307 ++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 307 insertions(+)
create mode 100644 Karthik.txt
diff --git a/Karthik.txt b/Karthik.txt
new file mode 100644
index 0000000..3f271a5
--- /dev/null
+++ b/Karthik.txt 
@@ -0,0 +1,307 @@
+Git Assignment MDG b26
+sudo ssh bandit0@bandit.labs.overthewire.org -p 2220
+password
+cat readme
+p1 : NH2SXQwcBdpmTEzi3bvBHMM9H66vVXjL
+
+sudo ssh bandit1@bandit.labs.overthewire.org -p 2220
+cat ./-
+rRGizSaX8Mk1RTb1CNQoXTcYZWU6lgzi
+
+sudo ssh bandit2@bandit.labs.overthewire.org -p 2220
+cat “spaces in this filename”
+aBZ0W5EmUfAf7kHTQeOwd8bauFJ2lAiG
+
+sudo ssh bandit3@bandit.labs.overthewire.org -p 2220
+ls
+cd inhere
+ls -a
+cat .hidden
+2EW7BBsr6aMMoJ2HjW067dm8EgX26xNe
+
+sudo ssh bandit4@bandit.labs.overthewire.org -p 2220
+ls
+cd inhere
+ls
+file ./*
+cat ascii text data
+lrIWWI6bB37kxfiCQZqUdOIYfr6eEeqR
+
+
+cd inhere
+ls -l
+du —bytes -a | sort -rh
+P4L4vucdmLnm8I7Vl7jG1ApGSfjYKqJU
+
+
+find / -user bandit7 -group bandit6 -size 33c 2>/dev/null
+cat /var/lib/dpkg/info/bandit7.password
+bandit8
+z7WtoNQU2XfjmMtWA8u5rN4vzqu4v99S
+
+man grep
+grep -w "millionth" data.txt
+pswd: TESKZC0XvTetK0S9xNwm25STk5iWrBvP
+
+
+
+sort data.txt | uniq -c
+EN632PlfYiZbn3PhVK3XOGSlNInNE00t
+
+
+sudo ssh bandit9@bandit.labs.overthewire.org -p 2220
+ls
+grep “=“ data.txt
+strings data.txt
+strings data.txt | grep “==“
+G7w8LIi6J3kTb8A7j9LgrywtEUlyyp6s
+
+sudo ssh bandit10@bandit.labs.overthewire.org -p 2220
+ls
+cat data.txt
+base64 —help
+base64 -d data.txt
+6zPeziLdR2RKNdNYFNb6nVCKzphlXHBM
+
+sudo ssh bandit11@bandit.labs.overthewire.org -p 2220
+ls
+cat data.txt
+copy rotated text
+tr 'A-Za-z' 'N-ZA-Mn-za-m' <<< "WIAOOSFzMjXXBC0KoSKBbJ8puQm5lIEi"
+JVNBBFSmZwKKOP0XbFXOoW8chDz5yVRv
+
+mkdir /tmp/mykt
+cp data.txt /tmp/mykt
+file data.txt
+cd /tmp/mykt
+xxd -r data.txt -> data
+file data
+xxd -r data
+mv data data.gz
+gzip -d data.gz
+file data
+mv data data.bzip2
+file data.bzip2
+mv data.bzip2.out data.bzip2.gz
+gzip -b data.bzip2.gz
+file data.bzip2
+tar —help
+mv data.bzip2 data.tar
+tar -x -f data.tar
+file data5.bin
+rm data.tar
+mv data5.bin data.tar
+tar -x -f data.tar
+file data6.bin
+mv data6.bin data.bz2
+bzip2 -d data.bz2
+file data
+mv data 
data.tar
+tar -x -f data.tar
+file data8.bin
+mv data8.bin data.gz
+gzip -d data.gz
+ls
+file data
+cat data
+wbWdlBxEir4CaE8LaPhauuOo6pwRmrDw
+
+
+ssh -i sshkey.private bandit14@bandit.labs.overthewire.org -p 2220
+
+ls -la
+cd ..
+cd ..
+cd ..
+cd etc
+cd bandit_pass
+ls
+cat bandit14
+np localhost 30000
+fGrHPx402xGC7U7rXKDaxiWFTOiF0ENq
+jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt
+
+ssh bandit15@bandit.labs.overthewire.org -p 2220
+openssl s_client localhost:30001
+JQttfApK4SeyHwDlI9SXGR50qclOAil1
+
+ssh bandit16@bandit.labs.overthewire.org -p 2220
+nmap -sO -p31000-32000 localhost
+nmap localhost -p31000-32000
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
+imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
+Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
+DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
+JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
+x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
+KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
+J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
+d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
+YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
+vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
+8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
+SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
+HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
+SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
+R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
+Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
+R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
+L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni 
+blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
+YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
+77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
+dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
+vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
+-----END RSA PRIVATE KEY-----
+mkdir /tmp
+cd tmp
+touch sshkey.private
+nano sshkey.private
+paste the password
+ssh -i sshkey.private bandit17@bandit.labs.overthewire.org -p 2220
+diff --normal password.old password.new
+hga5tuuCLF6fFzUpnagiMN8ssu9LFrdg
+
+sudo ssh bandit18@bandit.labs.overthewire.org -p 2220 "cat readme"
+awhqfNnAbc1naukrpqDYcF95h7HoMTrC
+
+sudo ssh bandit19@bandit.labs.overthewire.org -p 2220
+ls -la
+drwxr-xr-x 2 root root 4096 Feb 21 22:03 .
+drwxr-xr-x 70 root root 4096 Feb 21 22:04 ..
+-rwsr-x--- 1 bandit20 bandit19 14876 Feb 21 22:03 bandit20-do
+-rw-r--r-- 1 root root 220 Jan 6 2022 .bash_logout
+-rw-r--r-- 1 root root 3771 Jan 6 2022 .bashrc
+-rw-r--r-- 1 root root 807 Jan 6 2022 .profile
+# here we can see that bandit20-do is owned by bandit20 but bandit19 can see it,
+we can retrieve the password from this for the next level
+./bandit20-do
+./bandit20-do id
+uid=11019(bandit19) gid=11019(bandit19) euid=11020(bandit20)
+groups=11019(bandit19)
+# uid - userid, gid-groupid, euid-effective user id (for us, our effective userid
+is of bandit20)-for the moment we are bandit20
+./bandit20-do cat /etc/bandit_pass/bandit20
+VxCazJaVykI6W36BkBU0mJTCM8rR95XT
+
+open 2 terminal for bandit20, create a netcat listener on one terminal and
+connect using suconnect script provided in the level
+on sending the password of bandit20 from netcat terminal you will re-receive the
+password of bandit21
+T1 : nc -l 2000
+T2 : ./suconnect 2000
+T1 : bandit20 pass
+T2 : Receives bandit20 pass, sends nect password to T1 again
+T1 : NvEJF7oVjkddltPSrdKEFOllh9V1IBcq
+
+
+man 5 crontab
+man crontab
+man cron
+ls
+ls -la
+cd /etc
+cd cron.d
+ls -la
+cat 
cronjob_bandit22
+copied the path in cronjob command
+ls /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
+cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
+WdDozAdTM2z9DiFEQ2mGlwngMfj4EZff
+
+ls
+cd /etc/cron.d
+cat cronjob_bandit23
+cat /usr/bin/cronjob_bandit23.sh
+CRONJOB_BANDIT23.SH STARTS
+#!/bin/bash
+
+myname=$(whoami)
+mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
+
+echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
+
+cat /etc/bandit_pass/$myname > /tmp/$mytarget
+CRONJOB_BANDIT23.SH ENDS
+
+bandit22@bandit:/etc/cron.d$ whoami
+bandit22
+bandit22@bandit:/etc/cron.d$ myname = whoami
+'myname: command not found
+bandit22@bandit:/etc/cron.d$ myname = $whoami
+myname: command not found
+bandit22@bandit:/etc/cron.d$ myname = $(whoami)
+myname: command not found
+bandit22@bandit:/etc/cron.d$ myname=$(whoami)
+bandit22@bandit:/etc/cron.d$ echo mynam
+mynam
+bandit22@bandit:/etc/cron.d$ echo myname
+myname
+bandit22@bandit:/etc/cron.d$ echo $myname
+bandit22
+bandit22@bandit:/etc/cron.d$ echo I am user $myname | md5sum | cut -d ' ' -f 1
+8169b67bd894ddbb4412f91573b38db3
+bandit22@bandit:/etc/cron.d$ echo I am user bandit22 | md5sum | cut -d ' ' -f 1
+8169b67bd894ddbb4412f91573b38db3
+bandit22@bandit:/etc/cron.d$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1
+8ca319486bfbbc3663ea0fbe81326349
+bandit22@bandit:/etc/cron.d$ myname=bandit23
+bandit22@bandit:/etc/cron.d$ mytarget=I am user $myname | md5sum | cut -d ' ' -f
+1
+am: command not found
+d41d8cd98f00b204e9800998ecf8427e
+bandit22@bandit:/etc/cron.d$ mytarget=$(echo I am user $myname | md5sum | cut -d
+' ' -f 1)
+bandit22@bandit:/etc/cron.d$ echo mytarget
+mytarget
+bandit22@bandit:/etc/cron.d$ echo myname
+myname
+bandit22@bandit:/etc/cron.d$ echo $mytarget
+8ca319486bfbbc3663ea0fbe81326349
+bandit22@bandit:/etc/cron.d$ echo "Copying passwordfile /etc/bandit_pass/$myname
+to /tmp/$mytarget"
+Copying passwordfile /etc/bandit_pass/bandit23 to
+/tmp/8ca319486bfbbc3663ea0fbe81326349 
+bandit22@bandit:/etc/cron.d$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
+QYw0Y2aiA672PsMmh9puTQuhoz8SyR2G
+
+ls
+cd /etc/cron.d
+cat cronjob_bandit24
+cat /usr/bin/cronjob_bandit24.sh
+myname=bandit24
+cd /var/spool/$myname/foo
+mkdir /tmp/mykt2
+chmod 777 /tmp/mykt2
+nano dahs.sh
+#!/usr/bin/bash
+
+cat /etc/bandit_pass/bandit24 > /tmp/mykt2/brobandit24.txt
+
+save the script
+chmod -x dahs.sh #making this script executable (i guess)
+after 1 min
+cat /tmp/mykt2/brobandit24.txt
+VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar
+
+p7TaowMYrmu23Ol8hiZh9UvD0O9hpx8d
+mkdir /tmp/mykt3
+cp /etc/bandit_pass/bandit24 /tmp/mykt3
+cd /tmp/mykt3
+nano script.sh
+chmod +x script.sh
+Put the following code in the file
+#!/usr/bin/bash
+
+for i in {000..9999}
+do
+ echo "VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar $i"
+done
+nc localhost 30002 | ./script.sh
+The password of user bandit25 is p7TaowMYrmu23Ol8hiZh9UvD0O9hpx8d
+
+
+
+