Skip to main content

Bandit 22 Over the Wire

Lessons Learned

understanding more complicated bash scripts

Logging in

On a kali vm/ linux machine

Type:

ssh bandit22@bandit.labs.overthewire.org -p 2220
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

Completing The Challenge

The Goal:

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

The Solution:

bandit22@bandit:~$ ls /etc/cron
cron.d/       cron.hourly/  crontab       
cron.daily/   cron.monthly/ cron.weekly/  
bandit22@bandit:~$ ls /etc/cron
cron.d/       cron.hourly/  crontab       
cron.daily/   cron.monthly/ cron.weekly/  
bandit22@bandit:~$ ls /etc/cron.d/
cronjob_bandit15_root  cronjob_bandit22  cronjob_bandit24
cronjob_bandit17_root  cronjob_bandit23  cronjob_bandit25_root
bandit22@bandit:~$ cat /etc/cron.d/cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
bandit22@bandit:~$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget

Here I will try to interpret the shell script

myname is a call of whoami, this should be bandit23 since its a job set up by them

mytarget is an echo that says "I am user bandit23" which is piped to md5sum, the resulting hash is piped to cut which im not entirely sure how it works. so i will write what I do to understand below.

man cut

-d, --delimiter=DELIM
              use DELIM instead of TAB for field delimiter

 -f, --fields=LIST
              select only these fields;  also print any  line  that  contains no delimiter character, unless the -s option is specified

bandit22@bandit:~$ echo I am user bandit23 | md5sum
8ca319486bfbbc3663ea0fbe81326349  -
bandit22@bandit:~$ echo I am user bandit23 | md5sum | cut -d ' '
cut: you must specify a list of bytes, characters, or fields
Try 'cut --help' for more information.

This shows that the md5sum results in a string with spaces, using the ' ' as a delimiter results in 2 fields, the first containing the md5sum of "I am user bandit23", the other containing a -. I will now verify this:

 bandit22@bandit:~$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349
bandit22@bandit:~$ echo I am user bandit23 | md5sum | cut -d ' ' -f 2

bandit22@bandit:~$ echo I am user bandit23 | md5sum | cut -d ' ' -f 3
-
bandit22@bandit:~$ echo I am user bandit23 | md5sum | cut -d ' ' -f 4

bandit22@bandit:~$ echo I am user bandit23 | md5sum | cut -d ' ' -f 5

bandit22@bandit:~$ echo I am user bandit23 | md5sum | cut -d ' ' -f 6

bandit22@bandit:~$ echo I am user bandit23 | md5sum | cut -d ' ' -f 10

bandit22@bandit:~$ echo I am user bandit23 | md5sum | cut -d ' ' -f 100

bandit22@bandit:~$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1000

as shown above, i was wrong.

there were 2 spaces so the cut did finish with those two variables as separate fields, but it wasn't just 2 fields, i also am not sure why i can keep calling up to field 1000 without issue, but ill leave that for later, if i feel like it.

anyway, final command in the file shows that the password of bandit23 was copied to a tmp file by the name of
8ca319486bfbbc3663ea0fbe81326349

now there are 2 ways this cat can be done:

 bandit22@bandit:~$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
bandit22@bandit:~$ cat /tmp/$(echo I am user bandit23 | md5sum | cut -d ' ' -f 1)
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n

 

Labels

Labels:

Comments

Post a Comment

Popular posts from this blog

Snort Challenge - The Basics

Rules Ive Used # This file intentionally does not come with signatures.  Put your local # additions here. # alert icmp any any <> any any (msg: "IP ID 35369 Found"; id:35369; sid: 1000001; rev:1) # log tcp any any <> any any (msg: "ALL SYN FLAGS"; flags:S;  sid: 1000001; rev:1;) # log tcp any any <> any any (msg: "ALL SYN FLAGS"; flags:P,A;  sid: 1000001; rev:1;) # log ip any any <> any any (msg: "SAME-IP IN IP"; sameip; sid:1000001; rev:1;)#This was not used in the first snort, they only wanted the next 2 rules, which showed less dups log udp any any <> any any (msg: "SAME-IP IN TCP"; sameip; sid:1000001; rev:1;) log tcp any any <> any any (msg: "SAME-IP IN UDP"; sameip; sid:1000002; rev:1;)  Snort Params: Some Sniffer mode parameters are explained in the table below; Parameter Description -v Verbose. Display the TCP/IP output in the console. -d Display the packet data (payload). -e Display...
Post a Comment
Read more

Network Services

Network Services https://tryhackme.com/room/networkservices 3. Enumerating SMB Conduct an nmap scan of your choosing, How many ports are open? running nmap 10.10.197.190 results in PORT STATE SERVICE 22/tcp open ssh 139/tcp open netbios-ssn 445/tcp open microsoft-ds MAC Address: 02:21:CD:94:98:F5 (Unknown) Show/Hide What ports is SMB running on? 139/445 Show/Hide this is the known default values for SMB Let's get started with Enum4Linux, conduct a full basic enumeration. For starters, what is the workgroup name? WORKGROUP Show/Hide looking at the rest of the info from enum4linux -a 10.10.197.190 ill summarize here ========================== | Target Information | ========================== Target ........... 10.10.197.190 RID Range ........ 500-550,1000-1050 Username ......... '' Password ......... '' Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none =================================================...
Post a Comment
Read more

Bandit 24 Over The Wire

Lessons Learned writing bash scripts that can brute force pins Logging in On a kali vm/ linux machine Type: ssh bandit24@bandit.labs.overthewire.org -p 2220 UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ Completing The Challenge The Goal: A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing. The Solution: create a file in the /tmp folder, fill in the folder with the following: for ((i=1000; i < 10000; i++)); do         echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i" done | nc localhost 30002 In this code i looked up for loops, but i ended up looking up what to do to get a for loop on netcat, someone gave an answer with no context on Stack Overflow and it was the first result. a much better link is http://www.softpanorama.org/Scripting/Shellorama/Co...
Post a Comment
Read more