This article is the continuation of my previous article OVERTHEWIRE: BANDIT WALKTHROUGH SERIES 5-12 LEVELS.
Over the wire level 12-15 are quite different from other levels. They mostly talk about usage of different services. They are hard if you did not know what you are doing.
Login using command: ssh email@example.com -p 2220 with the password we obtained in last article.
The hint says:
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)
So, we need to create a copy of data.txt and paste it in the directory /tmp/.
I created my directory using mkdir command. Now the hint says that it is a hexdump. Hexdump is a hexadecimal display of the data in the file. All the bytes in a hexdump file is is represented as a two-digit hexadecimal number. Hex dumps are commonly organized into rows of 8 or 16 bytes, sometimes separated by whitespaces. We have a command line tool which converts and reverses hexadecimal format,it is known as xxd. Now we want to reverse the data and I used command xxd -r data.txt data1, where data.txt is the actual hexdump and data1 is reverse of data.txt.
Now, if you read the hint further it says that it is a hexdump file which is repeatedly compressed. To check that I used file command on data1 : file data1. It showed me that it is a bzip2 compressed file. So We need to decompressed the bzipped file using command: bzip2 -d data1.Then I checked it again through file to see in which format it is compressed and this time it is gzip. to uncompress that file I used gzip -d data1.out.
After checking again using file, it says it is tar file. So we uncompressed it using tar -xvf data1.out. I kept doing the same procedure until data8 file came. The data8 file contains the actual password and I used cat to check that.
I logged into level 13 using above password and below ssh command:
Right when I logged in, I used ls command to see what’s in the folder and I found an sshkey.private. Now, ssh login mechanism uses two keys public and private. With the help of private key, the public key is generated and they can only work together, Without private key or the right password we cannot login to any SSH server.
So, That was all the required knowledge about ssh for now. The hint on the website says:
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note:localhost is a hostname that refers to the machine you are working on.
The hint is pretty forward. So I copied the ssh key on my machine with the name level13priv and gave chmod 400 permission to level13priv using command: chmod 400 level13priv. It is a permission given to the private keys in ssh and scp like services on linux. It says that only the corresponding user can read the file and no one else can read it.
The command we used with ssh to give private key instead of password is:
ssh -i filename server -p portnumber
You can see below.
Now, the hint says that the password is in /etc/bandit14/bandit_pass file . So I cat it and there is the password.
Login with the above password in bandit15 user through ssh.
The hint for this level says:
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
Before solving this level , let me tell you a little about PORTS and SERVICES. The services open different ports on the computer with which these services communicate with other computers. Tools such as SSH, Telnet, ftp are actually services with which we can connect remotely, there are other more. Also tools such as nc short for netcat gives you a way to connect to any port on remote computer and see what that particular port service does through packet or header transfer.
Below, I used telnet to make a connection to the localhost which is on the same machine [bandit14] since I am already inside the machine through ssh and there is a service running on port 30000 of this machine. The command I’d used is below. We have to enter the password bandit14 to this port and it will display the password.
Login into the user bandit15 on ssh with the password we found above.
The hint for this level says:
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…
The above password can be retrieved the same way we did in the level above. But this time we have SSL and there is a perfect tool for it called openssl. Let’s know a little about ssl, it stands for secure socket layer, It encrypts the transmission of the traffic so no one can eavesdrop on it. It provides us with the certification with which a server or client proves his identity.
The command I have used:
openssl s_client -connect localhost:30001
It will give the server certificate and then you have to copy the password of this level there.
When I did that it gave me HEARTBLEED error. So I checked the hint and it says to add a flag -ign_eof as you can see below.
It gave me the password after.
That’s it for know, I will be continuing with more level in further articles.