
Bandit overthewire Wargame


0 -> 1

ssh [email protected]
bandit0
[email protected]:~$ cat readme
boJ9jbbUNNfktd78OOpsqOltutMc3MY1

1 -> 2

ssh [email protected]
boJ9jbbUNNfktd78OOpsqOltutMc3MY1
[email protected]:~$ cat ./-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

2 -> 3

ssh [email protected] -p22
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
[email protected]:~$ cat spaces\ in\ this\ filename
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

3 -> 4

ssh [email protected] -p22
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
[email protected]:~$ cat inhere/.hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB

4 -> 5

ssh [email protected] -p22
pIwrPrtPN36QITSp3EQaw936yaFoFgAB
[email protected]:~$ cd inhere
[email protected]:~/inhere$ cat ./-file07
koReBOKuIDDepwhWk7jZC0RTdopnAYKh

5 -> 6

ssh [email protected] -p22
koReBOKuIDDepwhWk7jZC0RTdopnAYKh
[email protected]:~$ cd inhere/
[email protected]:~/inhere$ find . -type f -size 1033c -name "[[:print:]]*" ! -executable
./maybehere07/.file2

[email protected]:~/inhere$ cat ./maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7

6 -> 7

ssh [email protected] -p22
DXjZPULLxYr17uwoI01bNLQbtFemEgo7
[email protected]:~$ find / -type f -size 33c -user bandit7 -group bandit6

[email protected]:~$ cat /var/lib/dpkg/info/bandit7.password
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

7 -> 8

ssh [email protected] -p22
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
[email protected]:~$ grep millionth data.txt
millionth    cvX2JJa4CFALtqS87jk27qwqGhBM9plV

8 -> 9

ssh [email protected] -p22
cvX2JJa4CFALtqS87jk27qwqGhBM9plV
[email protected]:~$ cat data.txt |sort|uniq -c
      1 UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

9 -> 10

ssh [email protected] -p22
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
[email protected]:~$ strings data.txt |grep '===='
I========== the6
========== password
========== ism
========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk

10 -> 11

ssh [email protected] -p22
truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
[email protected]:~$ strings data.txt |base64 -d
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

11 -> 12

ssh [email protected] -p22
IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR
[email protected]:~$ alias rot13="tr '[A-Za-z]' '[N-ZA-Mn-za-m]'"
[email protected]:~$ echo -e "Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh"|rot13
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

12 -> 13

ssh [email protected] -p22
5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
[email protected]:~$ mkdir /tmp/kr0m
[email protected]:~$ cp data.txt  /tmp/kr0m/
[email protected]:/tmp/kr0m$ xxd -r data.txt foobar.bin
[email protected]:/tmp/kr0m$ file foobar.bin
foobar.bin: gzip compressed data, was "data2.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
[email protected]:/tmp/kr0m$ mv foobar.bin foobar.bin.gz
[email protected]:/tmp/kr0m$ gunzip foobar.bin.gz
[email protected]:/tmp/kr0m$ file foobar.bin
foobar.bin: bzip2 compressed data, block size = 900k
[email protected]:/tmp/kr0m$ mv foobar.bin foobar.bin.gz2
[email protected]:/tmp/kr0m$ bzip2 -d foobar.bin.gz2
bzip2: Can't guess original name for foobar.bin.gz2 -- using foobar.bin.gz2.out
[email protected]:/tmp/kr0m$ file foobar.bin.gz2.out
foobar.bin.gz2.out: gzip compressed data, was "data4.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
[email protected]:/tmp/kr0m$ mv foobar.bin.gz2.out foobar.bin.gz     
[email protected]:/tmp/kr0m$ gunzip foobar.bin.gz
[email protected]:/tmp/kr0m$ file foobar.bin
foobar.bin: POSIX tar archive (GNU)
[email protected]:/tmp/kr0m$ tar -xvf foobar.bin
data5.bin
[email protected]:/tmp/kr0m$ file data5.bin
data5.bin: POSIX tar archive (GNU)
[email protected]:/tmp/kr0m$ mv data5.bin data5.bin.tar
[email protected]:/tmp/kr0m$ tar -xvf data5.bin.tar
data6.bin
[email protected]:/tmp/kr0m$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
[email protected]:/tmp/kr0m$ mv data6.bin data6.bin.gz2
[email protected]:/tmp/kr0m$ bzip2 -d data6.bin.gz2
bzip2: Can't guess original name for data6.bin.gz2 -- using data6.bin.gz2.out
[email protected]:/tmp/kr0m$ file data6.bin.gz2.out
data6.bin.gz2.out: POSIX tar archive (GNU)
[email protected]:/tmp/kr0m$ mv data6.bin.gz2.out data6.bin.tar    
[email protected]:/tmp/kr0m$ tar -xvf data6.bin.tar
[email protected]:/tmp/kr0m$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
[email protected]:/tmp/kr0m$ mv data8.bin data8.bin.gz
[email protected]:/tmp/kr0m$ gunzip data8.bin.gz
[email protected]:/tmp/kr0m$ file data8.bin
data8.bin: ASCII text
[email protected]:/tmp/kr0m$ cat data8.bin
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
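The Level 12 session above peels gzip, bzip2 and tar layers one at a time, running `file` after every step and renaming the file so the tool accepts it. As an added example (not the author's commands), a Python unpacker that reverses the xxd dump and identifies each layer from its magic bytes instead of its name; the nested sample chain and the "EXAMPLE" password string are constructed here, and the layer bound is an assumption.

```python
import bz2
import gzip
import io
import tarfile

def xxd_revert(dump: str) -> bytes:
    # Reverse a plain xxd hexdump ("offset: hex groups  ascii"), as `xxd -r` does
    out = bytearray()
    for line in dump.splitlines():
        if ":" in line:
            hex_area = line.split(":", 1)[1][:40]  # 8 groups of 4 hex digits plus spaces
            out += bytes.fromhex(hex_area.replace(" ", ""))
    return bytes(out)

def identify(blob: bytes) -> str:
    # Same verdicts `file` gave in the session, taken from the magic bytes alone
    if blob.startswith(b"\x1f\x8b"):
        return "gzip"
    if blob.startswith(b"BZh"):
        return "bzip2"
    return "tar" if blob[257:262] == b"ustar" else "other"  # tar magic sits at offset 257

def peel(blob: bytes, max_layers: int = 20) -> tuple[list[str], bytes]:
    # Strip layers until the payload is no archive; returns (layers seen, payload).
    # The bound is an assumption: an untrusted chain must not keep us decompressing forever.
    layers = []
    for _ in range(max_layers):
        kind = identify(blob)
        if kind == "gzip":
            blob = gzip.decompress(blob)
        elif kind == "bzip2":
            blob = bz2.decompress(blob)
        elif kind == "tar":
            with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
                blob = tar.extractfile(tar.next()).read()  # first member, as in the session
        else:
            return layers, blob
        layers.append(kind)
    raise ValueError(f"more than {max_layers} nested layers")

def build_sample() -> bytes:
    # Constructed input mirroring the session's chain: gzip(bzip2(tar(gzip(text))))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        inner = gzip.compress(b"The password is EXAMPLE\n")
        info = tarfile.TarInfo("data5.bin")
        info.size = len(inner)
        tar.addfile(info, io.BytesIO(inner))
    return gzip.compress(bz2.compress(buf.getvalue()))
```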

13 -> 14

ssh [email protected] -p22
8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
[email protected]:~$ cat sshkey.private
-----BEGIN RSA PRIVATE KEY-----
[private key material omitted]
-----END RSA PRIVATE KEY-----

[email protected]:~$ logout

14 -> 15

vi .ssh/vertex
ssh -i .ssh/vertex [email protected] -p22
[email protected]:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
ssh [email protected] -p22
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
[email protected]:~$ telnet localhost 30000
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr

Connection closed by foreign host.

15 -> 16

ssh [email protected] -p22
BfMYroe26WYalil77FoDi9qh59eK5xNr
[email protected]:~$ openssl s_client -ign_eof -connect localhost:30001
CONNECTED(00000003)
depth=0 CN = li190-250.members.linode.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = li190-250.members.linode.com
verify return:1
---
Certificate chain
 0 s:/CN=li190-250.members.linode.com
   i:/CN=li190-250.members.linode.com
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate omitted]
-----END CERTIFICATE-----
subject=/CN=li190-250.members.linode.com
issuer=/CN=li190-250.members.linode.com
---
No client certificate CA names sent
---
SSL handshake has read 1714 bytes and written 637 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 4752AD4270FEFE9AE3B505AD5AB5AA08FF30F9EF24914ACBEB87F293DE7FCDBA
    Session-ID-ctx:
    Master-Key: 3228D00C43C71BB4171E1EF3191C3C928C7B512E53716ECBABDA1BEF9747681ED98F33233474BB1467103E928580365A
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1476341975
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
BfMYroe26WYalil77FoDi9qh59eK5xNr
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd

read:errno=0

16 -> 17

ssh [email protected] -p22
cluFn7wTiGryunymYOu4RcffSxQluehd
[email protected]:~$ nmap localhost -p 31000-32000

Starting Nmap 6.40 ( http://nmap.org ) at 2016-10-13 07:04 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0024s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
31046/tcp open  unknown
31518/tcp open  unknown
31691/tcp open  unknown
31790/tcp open  unknown
31960/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
[email protected]:~$ openssl s_client -ign_eof -connect localhost:31790
CONNECTED(00000003)
depth=0 CN = li190-250.members.linode.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = li190-250.members.linode.com
verify return:1
---
Certificate chain
 0 s:/CN=li190-250.members.linode.com
   i:/CN=li190-250.members.linode.com
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate omitted]
-----END CERTIFICATE-----
subject=/CN=li190-250.members.linode.com
issuer=/CN=li190-250.members.linode.com
---
No client certificate CA names sent
---
SSL handshake has read 1714 bytes and written 637 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: DA74667E06E24EA181951E7F117010B61980075AC16E164A69223182E9698C6E
    Session-ID-ctx:
    Master-Key: 05534180311AFEDCDFCD20FF5D42CB714DD8974EAABD83480BB9AE533E9778F783ED0E864D704B8996E35E118181D77C
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1476342385
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
cluFn7wTiGryunymYOu4RcffSxQluehd
Correct!
-----BEGIN RSA PRIVATE KEY-----
[private key material omitted]
-----END RSA PRIVATE KEY-----

read:errno=0

17 -> 18

vi .ssh/vertex
ssh [email protected] -p22
[email protected]:~$ diff passwords.new passwords.old
42c42
< kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
---
> BS8bqB1kqkinKJjuxL6k072Qq9NRwQpR
ssh [email protected] -p22
kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
Byebye !

18 -> 19

ssh -t [email protected] -p22 /bin/sh
kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
$ cat readme
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

19 -> 20

ssh [email protected] -p22
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
[email protected]:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j

20 -> 21

ssh [email protected] -p22
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
[email protected]:~$ nc -l -p 7777
[email protected]:~$ ./suconnect 7777
[email protected]:~$ nc -l -p 7777
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
[email protected]:~$ ./suconnect 7777
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password
[email protected]:~$ nc -l -p 7777
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr

21 -> 22

ssh [email protected] -p22
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
[email protected]:~$ ls -la /usr/bin/cronjob_bandit*    
-rwxr-x--- 1 bandit22 bandit21 130 Nov 14  2014 /usr/bin/cronjob_bandit22.sh
-rwxr-x--- 1 bandit23 bandit22 211 Nov 14  2014 /usr/bin/cronjob_bandit23.sh
-rwxr-x--- 1 bandit24 bandit23 257 May  3  2015 /usr/bin/cronjob_bandit24.sh
-rwx------ 1 root     root     186 May  3  2015 /usr/bin/cronjob_bandit24_root.sh
[email protected]:~$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
[email protected]:~$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

22 -> 23

ssh [email protected] -p22
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
[email protected]:~$ ls -la /usr/bin/cronjob_bandit*    
-rwxr-x--- 1 bandit22 bandit21 130 Nov 14  2014 /usr/bin/cronjob_bandit22.sh
-rwxr-x--- 1 bandit23 bandit22 211 Nov 14  2014 /usr/bin/cronjob_bandit23.sh
-rwxr-x--- 1 bandit24 bandit23 257 May  3  2015 /usr/bin/cronjob_bandit24.sh
-rwx------ 1 root     root     186 May  3  2015 /usr/bin/cronjob_bandit24_root.sh
[email protected]:~$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget
[email protected]:~$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349
[email protected]:~$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n

23 -> 24

ssh [email protected] -p22
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
[email protected]:~$ ls -la /usr/bin/cronjob_bandit*    
-rwxr-x--- 1 bandit22 bandit21 130 Nov 14  2014 /usr/bin/cronjob_bandit22.sh
-rwxr-x--- 1 bandit23 bandit22 211 Nov 14  2014 /usr/bin/cronjob_bandit23.sh
-rwxr-x--- 1 bandit24 bandit23 257 May  3  2015 /usr/bin/cronjob_bandit24.sh
-rwx------ 1 root     root     186 May  3  2015 /usr/bin/cronjob_bandit24_root.sh
[email protected]:~$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash
myname=$(whoami)
cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
    echo "Handling $i"
    timeout -s 9 60 "./$i"
    rm -f "./$i"
    fi
done
[email protected]:~$ ls -la /var/spool/
total 169
drwxr-xr-x  6 root     root       4096 May  3  2015 .
drwxr-xr-x 15 root     root       4096 Nov 14  2014 ..
drwxrwxrwx  2 bandit24 bandit23 151552 Oct 13 08:32 bandit24
drwxr-xr-x  5 root     root       4096 Apr 20  2014 cron
lrwxrwxrwx  1 root     root          7 Apr 20  2014 mail -> ../mail
drwxr-xr-x  2 root     root       4096 Apr 11  2014 plymouth
drwx------  2 syslog   adm        4096 Dec  4  2013 rsyslog
[email protected]:~$ vi /var/spool/bandit24/kr0m.sh
#! /bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/bandit24pass
chown bandit23:bandit23 /tmp/bandit24pass
chmod 777 /var/spool/bandit24/kr0m.sh

We wait

watch 'cat /tmp/bandit24pass'
[email protected]:~$ cat /tmp/bandit24pass
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
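The cron job above executes, as bandit24, every file it finds in /var/spool/bandit24, a directory that is world-writable and whose entries the script never checks for ownership, which is why a script written by bandit23 runs with bandit24's rights. As an added example (not part of the game or the original post), an audit of exactly those two conditions plus the symlink case; the temporary spool, the kr0m.sh contents and the uid the job is assumed to run as are all constructed here.

```python
import os
import stat
import tempfile

def audit_spool(spool: str, run_as_uid: int) -> list[str]:
    # Conditions that let another account plant a script the cron job will execute
    findings = []
    mode = os.stat(spool).st_mode
    if mode & stat.S_IWOTH:
        findings.append(f"{spool}: world-writable, any user can drop a script here")
    elif mode & stat.S_IWGRP:
        findings.append(f"{spool}: group-writable")
    for name in sorted(os.listdir(spool)):
        path = os.path.join(spool, name)
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"{path}: symlink, the job would run a file outside the spool")
        elif st.st_uid != run_as_uid:
            findings.append(f"{path}: owned by uid {st.st_uid}, not by the uid the job runs as")
    return findings

def demo(open_spool: bool) -> list[str]:
    # Constructed scenario: a spool directory holding one script written by the
    # current user. With open_spool=True the directory is 0777 and the audit runs as
    # if the job used a different uid (the bandit24/bandit23 situation); with
    # open_spool=False it is 0700 and the job's uid owns the script, so it is clean.
    with tempfile.TemporaryDirectory() as spool:
        script = os.path.join(spool, "kr0m.sh")
        with open(script, "w") as fh:
            fh.write("#!/bin/bash\necho planted\n")
        os.chmod(spool, 0o777 if open_spool else 0o700)
        run_as = os.getuid() + 1 if open_spool else os.getuid()
        return audit_spool(spool, run_as)
```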

24 -> 25

ssh [email protected] -p22
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

To go faster we open 8 consoles:

[email protected]:~$ for i in $(seq -w 0 1250); do echo I: $i && echo UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i | nc localhost 30002 |grep -v 'separated by a space' | grep -v 'Try again'; done
[email protected]:~$ for i in $(seq -w 1251 2500); do echo I: $i && echo UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i | nc localhost 30002 |grep -v 'separated by a space' | grep -v 'Try again'; done
[email protected]:~$ for i in $(seq -w 2501 3750); do echo I: $i && echo UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i | nc localhost 30002 |grep -v 'separated by a space' | grep -v 'Try again'; done
[email protected]:~$ for i in $(seq -w 3751 5000); do echo I: $i && echo UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i | nc localhost 30002 |grep -v 'separated by a space' | grep -v 'Try again'; done
[email protected]:~$ for i in $(seq -w 5001 6250); do echo I: $i && echo UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i | nc localhost 30002 |grep -v 'separated by a space' | grep -v 'Try again'; done
[email protected]:~$ for i in $(seq -w 6251 7500); do echo I: $i && echo UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i | nc localhost 30002 |grep -v 'separated by a space' | grep -v 'Try again'; done
[email protected]:~$ for i in $(seq -w 7501 8750); do echo I: $i && echo UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i | nc localhost 30002 |grep -v 'separated by a space' | grep -v 'Try again'; done
[email protected]:~$ for i in $(seq -w 8751 9999); do echo I: $i && echo UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i | nc localhost 30002 |grep -v 'separated by a space' | grep -v 'Try again'; done
I: 5669
Correct!
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

25 -> 26

ssh [email protected] -p22
uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
[email protected]:~$ grep bandit26 /etc/passwd
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
[email protected]:~$ cat /usr/bin/showtext
#!/bin/sh
more ~/text.txt
exit 0
[email protected]:~$ cat /home/bandit26/text.txt
cat: /home/bandit26/text.txt: Permission denied
[email protected]:~$ ls -la /home/bandit26/text.txt
-rw-r----- 1 bandit26 bandit26 258 Nov 16  2014 /home/bandit26/text.txt
[email protected]:~$ ls -la /usr/bin/showtext
-rwxr-xr-x 1 root root 34 Nov 16  2014 /usr/bin/showtext
[email protected]:~$ ls -la /home/bandit26/text.txt
-rw-r----- 1 bandit26 bandit26 258 Nov 16  2014 /home/bandit26/text.txt
[email protected]:~$ cat bandit26.sshkey
-----BEGIN RSA PRIVATE KEY-----
[private key material omitted]
-----END RSA PRIVATE KEY-----

[email protected]:~$ logout
vi .ssh/vertex
ssh -i .ssh/vertex [email protected] -p22

We resize the terminal so that it is very small and the txt does not fit.
We enter more's editor mode:

v

We read the password file:

:r /etc/bandit_pass/bandit26
5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z

Author: Kr0m -- 14/10/2016 00:10:03