The improvised OverTheWire writeup you were not looking for — Bandit.Pt1

OverTheWire is a popular, well-known CTF site whose challenges are divided into categories.

In case you don’t know what a CTF is, this video is an excellent introduction to the concept imho.

As the n00b that I am, I’m going to attempt (and most likely fail a lot in the process) to complete them starting with the most basic category:

Bandit

Every level has a description and some hints in the form of:

  • A list of commands that could help you solve the challenge
  • Some useful links to start your research if you are completely lost

Let’s start from the beginning, shall we?


Bandit — Level0

This one is easy (even for me). We just need to establish an SSH connection to the specified server and port using the credentials provided by the site.

ssh bandit0@bandit.labs.overthewire.org -p 2220
bandit0

And… we got in!

From now on, we are executing commands on the bandit.labs.overthewire.org server as user bandit0. Naturally, since these commands travel over the internet (and, in my case, reach the other side of the globe), don’t expect the command line to be as responsive as on your own computer. Delay you shall face.

If you find yourself having to execute complex commands, or trying several combinations/options to find a solution, speed things up by testing on your own machine first. Then, when the commands are well-formed and ready to be executed, go over to the SSH-connected terminal and try them on the real thing. That will save you a TON of time.


Bandit — Level0 pt2

This part is pretty straightforward too. The treasure is in plaintext and not hidden, so finding it is as easy as reading a file:

cat readme
boJ9jbbUNNfktd78OOpsqOltutMc3MY1
Side note: to exit the session opened over SSH you can type ‘exit’ or ‘logout’

Bandit — Level1

This one was a little more exciting. I actually had to think how to type the name to read that f****** file.

cat ./-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

And… we got our ticket to the next round!


Bandit — Level2

From now on, connecting to each level has no secrets for us, so I’ll keep this simple and skip that part.

Let’s jump into the challenge:

Autocomplete (using tab) gracefully solves this challenge for us, escaping every single space in the filename:

cat ./spaces\ in\ this\ filename
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

Number three here we go!


Bandit — Level3

Gotta find’em all (even if they are hidden)

Using the ‘ll’ alias instead of just ‘ls’ lets us see hidden files and folders. That’s why I always prefer ll over ls.

To move within the filesystem you can use the ‘cd’ command like this:

cd directoryName
-- step into a directory
cd ..
-- step out of the directory you are currently in
cd ./
-- ./ refers to the directory you are currently in

Just for the sake of being explicit, here is the difference in output:

ll ./inhere/
cat ./inhere/.hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB

Bandit — Level4

After stepping into the right directory we found 10 files from which, as the level description says, only one is human readable.

They have all been created by the same user, at the same time, and have the same permissions and size. There’s probably a much better way to do this but, since there are only ten files, I think trial and error is a valid approach here.

To see the content type of each file we can use the command ‘file’. Then, after catching the correct one, we display the next password using cat as always.

file ./-file07
./-file07: ASCII text
cat ./-file07
koReBOKuIDDepwhWk7jZC0RTdopnAYKh

Bandit — Level5

After entering the inhere directory I found myself in a labyrinth of files. I realize that this time looking at each file one by one will get me nowhere.

Ok, so… let’s think. I need a way to filter all these files and find the one that meets the requirements:

  • human-readable
  • 1033 bytes in size
  • not executable

I could probably use a combination of ‘find’, ‘grep’ and ‘file’ commands to achieve that. First of all, since I don’t remember how to actually use the command (shame on me), I try reading the man pages for ‘find’. To see the man pages of any command you can type:

man commandName

Some commands also have help options like these:

commandName --help
commandName -help
commandName -h

which display a help page, often with a list of options or command examples; really useful stuff.

I suggest typing ‘man find’ into your own terminal, reading the pages, trying some options and then returning to the SSH terminal to run your tests, because reading man pages and testing commands over SSH can be a painful experience.

So, after some reading, I try the size filter first:

find -L -size 1033c

-L makes find follow symbolic links, and -size 1033c filters out all the files that are not 1033 bytes in size (the c unit stands for bytes).

After using this filter we get only one file… and it’s human-readable:

This doesn’t feel right at all since we are not using the other 2 conditions we were provided with… but the file meets all the requirements and trying this password has no cost, so I give it a try:

and we are in! I was totally wrong… this feels just right!
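Size alone was enough here because only one file on the live level matched it. As an added example (not part of the original writeup), this script applies all three Level 5 conditions in a constructed sandbox, and the same loop is the less manual way to do Level 4. The directory and file names, the functions is_text, find_candidates and make_sandbox, and the tr-based printable-byte check used in place of ‘file’ are assumptions of the example:

```shell
#!/bin/sh
# Added example: apply all three Level 5 conditions, not just the size.
# The sandbox layout and every file name below are constructed.

# is_text FILE: true when FILE holds only printable ASCII and whitespace.
# Stand-in for `file`, so the example does not need that utility installed.
is_text() {
    [ "$(LC_ALL=C tr -d '[:print:][:space:]' < "$1" | wc -c)" -eq 0 ]
}

# find_candidates DIR SIZE: print regular files under DIR that are exactly
# SIZE bytes, have no owner-execute bit, and are human-readable.
find_candidates() {
    find "$1" -type f -size "${2}c" ! -perm -100 | while IFS= read -r f; do
        # Paths come back prefixed with DIR, so names such as -file1 or
        # .file2 are never mistaken for options or skipped as hidden.
        if is_text "$f"; then printf '%s\n' "$f"; fi
    done
}

# make_sandbox: create one real match plus three decoys, print the path.
make_sandbox() {
    d=$(mktemp -d) || return 1
    mkdir "$d/dirA" "$d/dirB"
    head -c 1033 /dev/zero | tr '\0' 'A' > "$d/dirA/.file2"  # the match
    head -c 1033 /dev/zero > "$d/dirA/-file1"   # right size, binary data
    cp "$d/dirA/.file2" "$d/dirB/-file3"        # right size, text ...
    chmod 755 "$d/dirB/-file3"                  # ... but executable
    printf 'too short\n' > "$d/dirB/file4"      # text, wrong size
    chmod 644 "$d/dirA/.file2" "$d/dirA/-file1" "$d/dirB/file4"
    printf '%s\n' "$d"
}

sandbox=$(make_sandbox)
echo "size filter alone:"
find "$sandbox" -type f -size 1033c
echo "all three conditions:"
find_candidates "$sandbox" 1033
rm -rf "$sandbox"
```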


Bandit — Level6

This level’s description looks similar to the previous one. We are asked to find a file that:

  • Is owned by user bandit7
  • Is owned by group bandit6
  • Is 33 bytes in size

I’ll try the size filter first, then see how to apply the rest of the conditions. The file can be anywhere on the server, so I fire the find command from the root directory:

find -L -size 33c

This time the results are endless and I have to stop the process (using ctrl+c). Reading the output, I see some redirection loops, so I take out the -L option to avoid them. We need to dive deeper into the filter options. The next attempt is:

find -size 33c -group bandit6 -user bandit7

If you’ve read this far I’m sure you need no explanation on what the extra parameters will do:

We have our candidate ‘bandit7.password’:

Bingo!

There are still a lot of levels to beat… but a little break won’t harm anyone


syscall59

Shellcode for the masses

Syscall59 — by Alan Vivona

Written by

Twitter: @syscall59 | medium.syscall59.com | syscall59@protonmail.com
