Bandit 20 Over The Wire

Lessons Learned

Using nc to hold a connection open, and working with background and foreground processes (^Z, fg)

Logging in

On a Kali VM / Linux machine, type:

ssh bandit20@bandit.labs.overthewire.org -p 2220
GbKksEFF4yrVs6il55v6gwY5aVje5f0j

Completing The Challenge

The Goal:

There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

The Solution:

bandit20@bandit:~$ nc -l -p 2000
^Z
[1]+  Stopped                 nc -l -p 2000
bandit20@bandit:~$ ./suconnect 2000
^Z
[2]+  Stopped                 ./suconnect 2000
bandit20@bandit:~$ fg 1
nc -l -p 2000
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
^Z
[1]+  Stopped                 nc -l -p 2000
bandit20@bandit:~$ fg 2
./suconnect 2000
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password
bandit20@bandit:~$ fg1
-bash: fg1: command not found
bandit20@bandit:~$ fg 1
nc -l -p 2000
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr


This took me some time since I kept wanting to use the -c option, but that sends one message and closes. It wasn't until I read https://www.computerhope.com/unix/nc.htm that I understood that "nc -l -p port" creates an active connection that won't actively close after the first message and can be used to keep sending and receiving messages.
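The same exchange as a small Python listener, added here as an example and not part of the original post or of OverTheWire's code: it plays the "nc -l -p 2000" side (send the current password as one line, read the one-line reply) and includes a constructed stand-in for suconnect so the flow can be run offline. The port, the fake client and the password strings are assumptions; the real passwords are only the ones on the Bandit box.

```python
import socket
import threading


def exchange(conn, password):
    """Send one password line over an accepted connection and return the
    one-line reply. This is the data flow the post drives by hand with
    'nc -l -p 2000' plus ^Z/fg juggling."""
    conn.sendall((password + "\n").encode())
    with conn.makefile("r") as f:
        return f.readline().rstrip("\n")


def serve_once(port, password):
    """Listen on localhost:<port>, accept the first client (on the Bandit
    box: './suconnect <port>' run from another shell or the background),
    hand it `password`, and return whatever it sends back."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", port))
        srv.listen(1)
        conn, _ = srv.accept()
        with conn:
            return exchange(conn, password)


def fake_suconnect(port, expected, next_password):
    """Constructed stand-in for the setuid binary so the flow runs offline:
    connect, read one line, compare it, send the next password or an error."""
    with socket.create_connection(("127.0.0.1", port)) as c:
        with c.makefile("r") as f:
            got = f.readline().rstrip("\n")
        reply = next_password if got == expected else "Wrong password"
        c.sendall((reply + "\n").encode())


def run_exchange(password, expected, next_password):
    """Bind an OS-chosen free port, start the fake client, run the exchange."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        t = threading.Thread(target=fake_suconnect,
                             args=(port, expected, next_password))
        t.start()
        conn, _ = srv.accept()
        with conn:
            reply = exchange(conn, password)
        t.join()
    return reply
```

Against the real binary you would call serve_once(2000, "<bandit20 password>") in one shell and run ./suconnect 2000 in another, which avoids the ^Z/fg dance entirely.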
