This article will guide you through the OVERTHEWIRE Bandit level 19-23. The OVERTHEWIRE BANDIT levels make you understand the basic functionalities of linux operating systems and how you can work in that environment. If you didn’t see my past posts of overthewire series, Here are the links to those posts:
The series from level 19 to level 23 are about the file system in the linux and how a simple mis-configuration can leverage the risk of being hacked in the linux system. It also gives information about new functionalities which will help you complete many boot2root challenges in the vulnhub.
Let’s get started!
Login using command: ssh firstname.lastname@example.org -p 2220 and with the password we obtained in last level.
When you login into 18th level with the password it will exit the session and will not give you any shell. This is because the .bashrc file is modified. The file .bashrc is basically for generating an interactive session for logged in users. This file typically creates an interactive shell so that you could run command and works together with .bash_profile.
In this level,this very file is modified in such a way that right when you log into ssh, it will log you out.
So we have to specify the “/bin/sh” ourselves to get the shell.
Once you do that,cat the readme file and there is the password for the next level.
LEVEL 19- 20
Login as ssh email@example.com -p 2220 with the above password.
The hint for this level says:
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.
There is a file in the home directory which is called bandit20-do.
When you stat this file, you will find the following information. That is file’s user is bandit20 with the id 11020 and it comes under the group user bandit19 with id 11019.
Now before giving you the answer to this level, Let’s talk about suid.
Suid stands for set user id, this is basically made as a security feature in linux file system. Because it will allow non root users to control some third party file under little root privilege but not cannot fully modify or edit it until the root allows it.
This very feature is being exploited because many third party requires root privileges to use the network or other internal tools in the linux system. Ex: nmap, ping etc.
In the above stat output you will see the Access: 4750 where four indicates SUID bit set, seven for full permissions for owner, five for read and execute permissions for group, and no permissions for others.
The hint above says we have to execute the bandit20-do to check how to run it.
./bandit20-do id is how we have to run it. I have tried a lot of times when I finally understood that the id here is actually linux command id!
So finally I was able to use it, the way it is meant to: ./bandit20-do cat /etc/bandit_pass/bandit20 will give you password for the next level.
Login as bandit20 with the above password.
The hint for this level says
There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
There are many hint commands that you will find. The hint which is given above is pretty forward and it is easy to execute. But the commands we will use here are different.
tmux has been introduced here to the users. tmux is actually a terminal multiplexer which will open multiple session on a single terminal. After google on how I can use it, I easily executed the command on tmux without having multiple terminal windows.
In the home directory will find suconnect which will connect to a port and if the port reflect the last level’s password correctly, it will reflect back the password.
I typed tmux on the terminal after login via ssh and was presented with the terminal having a green line below.
I was able to generate the 2nd window by pressing: CTRL+b + “. This gave me two sessions on same terminal.
I knew what I have to do so I used this command on first session to echo the password on the localhost of bandit20 with nc on port 45556:
echo “level 20 password” | nc -l -p 45556
Then I wrote ./suconnect 45556 on second session in the terminal. Once I’ve done that, it checked the password and echoed back the password on the first session.
Login as bandit21 with the password gained above.
The hint for this level says
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
The hint is pretty straight forward. I went to /etc/cron.d to check the jobs. popularity-contest got my attention but sooner I realized it was nothing. The password for 22nd level must be stored in cronjob_bandit22. So I checked but it says by using cat command.
/usr/bin/cronjob_bandit22.sh passes its out to /dev/null. ~~Seems peculiar!
So I check what /usr/bin/cronjob_bandit22.sh says by using cat command again and it seems that it is passing its output to a file in /tmp/.
So I check what /tmp/t7~ file says by using cat command. It gave out the password for the next level 22!
This series will continue in the next article. So level 23 – 26 will be in the next series of OVERTHEWIRE BANDIT! Till then Ciao!