Cyph3r Ryx
5 min read · Nov 12, 2023
Hey, ya guys! I am Ryx, and today we will continue our Linux terminal hacking series with the wargame known as Bandit Wargames from OverTheWire.
Goal: There is a setuid binary in the home directory that does the following: it makes a connection to localhost on the port you specify as a command line argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password to the next level (bandit21).
NOTE: Try connecting to your network daemon to see if it works as you think
So I connected to bandit20 with the password we got from the last level.
I used ls to see what we have there and found a file named ‘suconnect’, which is the setuid binary in the home directory.
Looking closely at the level description:
The given setuid binary makes a connection to localhost on the port you specify as a command line argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password.
This means that the Swiss Army Knife of networking, netcat, is coming into play…
- We need to listen on a port for the connection the setuid binary makes. The level description says the binary reads a line of text from the connection, compares it to the bandit20 password and, if it matches, transmits the password for the next level. So when we run the binary from a second terminal and supply the password, the next level's password arrives in our main terminal, where we are listening on that port.
Let's try it now!
- To set up the listening port, we will use the netcat command with the options -l to listen, -v for more verbose output and -p to specify the port to listen on.
The command will be as follows:
ncat -lvp 9999
Here 9999 is an arbitrary port we choose to listen on. Then we log in to bandit20 again in a second terminal with:
ssh bandit20@bandit.labs.overthewire.org -p 2220
Running suconnect from this second ‘bandit20’ SSH session will send the connection request to the first terminal, where we are listening on port 9999. So in the second terminal, use:
./suconnect 9999
Now the port is connected on both ends. When we enter the password for bandit20 in the first terminal, suconnect in the second terminal sees that the password matches and sends the password for the next level back over the connection.
And it sent!! We got the password for the next level. Save it in the passwords file and move on to the next level!
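To make the direction of the connection concrete, here is an added Python model of the exchange above. It is not the real suconnect binary and not the author's code: suconnect_like() is a hypothetical reimplementation of the behaviour the level describes (connect to localhost on the given port, read one line, compare it with the current password, reply with the next password only on a match), listener() plays the part of the terminal running nc -lvp, and both passwords are constructed placeholders.

```python
import socket
import threading
from typing import List, Tuple

# Constructed placeholder secrets for the demonstration (not the real level passwords).
CURRENT_PASSWORD = "bandit20-password-placeholder"
NEXT_PASSWORD = "bandit21-password-placeholder"


def _read_line(conn: socket.socket) -> bytes:
    """Read bytes until a newline or until the peer closes the connection."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = conn.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf


def suconnect_like(port: int, current_pw: str, next_pw: str) -> str:
    """Hypothetical model of the level's setuid binary (not the real suconnect):
    connect to localhost:port, read one line, compare it with the current
    password and, only on a match, send the next password back over the socket."""
    with socket.create_connection(("127.0.0.1", port)) as conn:
        line = _read_line(conn).rstrip(b"\r\n").decode(errors="replace")
        if line == current_pw:
            conn.sendall(next_pw.encode() + b"\n")
            return "Password matches, sending next password"
        return "Wrong! Please enter the correct current password"


def listener(ready: threading.Event, port_box: List[int],
             reply_box: List[str], typed_line: str) -> None:
    """Plays the role of the `nc -lvp PORT` terminal: accept one connection,
    send the line the user would type, and record whatever comes back."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0 lets the OS pick a free port
    srv.listen(1)
    port_box.append(srv.getsockname()[1])
    ready.set()
    conn, _ = srv.accept()
    with conn:
        conn.sendall(typed_line.encode() + b"\n")
        reply_box.append(_read_line(conn).decode().strip())
    srv.close()


def run_exchange(typed_line: str) -> Tuple[str, str]:
    """Run the listener in a thread, point the suconnect model at its port, and
    return (what suconnect reports, what arrived in the listening terminal)."""
    ready, port_box, reply_box = threading.Event(), [], []
    t = threading.Thread(target=listener, args=(ready, port_box, reply_box, typed_line))
    t.start()
    ready.wait()
    status = suconnect_like(port_box[0], CURRENT_PASSWORD, NEXT_PASSWORD)
    t.join()
    return status, reply_box[0]


if __name__ == "__main__":
    for attempt in (CURRENT_PASSWORD, "not-the-password"):
        status, received = run_exchange(attempt)
        print(f"typed {attempt!r} -> suconnect: {status!r}; listener got {received!r}")
```

The listening side never initiates anything: it only answers the one connection the binary opens, which is why the next password shows up in the netcat terminal and not in the terminal where suconnect was started. With a wrong line the model closes the socket without sending, so the listener reads an empty reply.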
Goal: A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
‘Cron’ allows Linux users to run commands or scripts at a given date and time. You can schedule scripts to be executed periodically for commands that need to be executed repeatedly (e.g., hourly, daily, or weekly).
The crontab command creates a crontab file containing commands and instructions for the cron daemon to execute. You can use the crontab command with the following options:
- crontab -a filename: Install filename as your crontab file. On many systems, this command is run simply as crontab filename (i.e., without the -a option).
- crontab -e: Edit your crontab file, or create one if it doesn’t already exist.
- crontab -l: Display your crontab file.
- crontab -r: Remove your crontab file.
- crontab -v: Display the last time you edited your crontab file. (This option is available on only a few systems.)
- crontab -u user: Used together with the other options, this lets you modify or view the crontab file of user. Where available, only administrators can use this option.
Now let’s move on to our level.
Explanation:
First, log in to the shell via SSH with the password we got from the last level. Once we are in the home directory, type:
cd /etc/cron.d
That takes us into the directory; listing its contents with the ‘ls’ command, I can see a file named ‘cronjob_bandit22’.
So I read it with ‘cat cronjob_bandit22’, and this is the content I found:
The useful thing here is that the cron entry points at a script, /usr/bin/cronjob_bandit22.sh, so I ran ‘cat /usr/bin/cronjob_bandit22.sh’ to read it. Because cron has already run the script, its chmod command has already been executed, which is what lets me read the file it writes to:
In the third line we can see a file path, ‘/tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv’, so I read that file with ‘cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv’.
And there we go!!! We got the password for the next level 🥳. Save it in the passwords.txt file that we have been maintaining since the beginning of the challenge.
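For the cron part, here is an added Python helper (not the author's code and not from OverTheWire) that parses the format used by files in /etc/cron.d: five schedule fields or an @-shortcut, then the user the job runs as, then the command. The sample content is constructed in the shape of the entry the post shows as a screenshot, so its exact lines are an assumption; the point is that the user column tells you whose privileges the script runs with and the command column tells you which file to read next.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of a /etc/cron.d file (an assumption; the post
# shows the real file only as a screenshot). Per job line: schedule, user, command.
SAMPLE_CRON_D = """\
# run the job once at boot and then every minute
SHELL=/bin/sh
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
"""

_ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def parse_cron_d(text: str) -> List[Dict[str, str]]:
    """Return one {'schedule', 'user', 'command'} record per job line.
    Comments, blank lines and environment assignments (SHELL=...) are skipped;
    unlike a per-user crontab, every cron.d job line carries a user field."""
    jobs: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or _ENV_LINE.match(line):
            continue
        if line.startswith("@"):                       # @reboot, @daily, ...
            fields = line.split(None, 2)
            if len(fields) < 3:
                raise ValueError(f"malformed cron.d line: {raw!r}")
            schedule, user, command = fields
        else:                                          # minute hour dom month dow
            fields = line.split(None, 6)
            if len(fields) < 7:
                raise ValueError(f"malformed cron.d line: {raw!r}")
            schedule = " ".join(fields[:5])
            user, command = fields[5], fields[6]
        jobs.append({"schedule": schedule, "user": user, "command": command})
    return jobs


def jobs_for_user(text: str, user: str) -> List[Dict[str, str]]:
    """Jobs that run with the given user's privileges."""
    return [j for j in parse_cron_d(text) if j["user"] == user]


def script_paths(text: str) -> List[str]:
    """The first word of each command: the script worth reading next."""
    return sorted({j["command"].split()[0] for j in parse_cron_d(text)})


if __name__ == "__main__":
    for job in parse_cron_d(SAMPLE_CRON_D):
        print(f"{job['schedule']:<12} as {job['user']:<10} runs {job['command']}")
    print("scripts to inspect:", script_paths(SAMPLE_CRON_D))
```

Run against a real file with parse_cron_d(open("/etc/cron.d/cronjob_bandit22").read()); the same parser works for any system cron.d file, since the user field is what distinguishes that format from a user's own crontab.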
Here, I conclude the eleventh article of this series. I’ll continue posting the walkthrough for every level daily. You can find me here every day :)
Till then, make sure to follow me on my socials 😉! Peace Out!
Twitter : https://twitter.com/PadhiyarRushi
GitHub : https://github.com/cyph3rryx