Bandit 13

The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on.

Commands you may need to solve this level

ssh, telnet, nc, openssl, s_client, nmap

Helpful Reading Material



So the link provided kind of sucked for telling us what we need here; if you don't know already, RTFM. Looking at the man page, we see a switch for ssh.

...
SYNOPSIS
     ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
  [-D [bind_address:]port] [-E log_file] [-e escape_char]
  [-F configfile] [-I pkcs11] [-i identity_file] [-L address]
  [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
  [-Q query_option] [-R address] [-S ctl_path] [-W host:port]
  [-w local_tun[:remote_tun]] [user@]hostname [command] 
...
 -i identity_file
      Selects a file from which the identity (private key) for public
      key authentication is read.  The default is ~/.ssh/identity for
      protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa,
      ~/.ssh/id_ed25519 and ~/.ssh/id_rsa for protocol version 2.
      Identity files may also be specified on a per-host basis in the
      configuration file.  It is possible to have multiple -i options
      (and multiple identities specified in configuration files).  If
      no certificates have been explicitly specified by the
      CertificateFile directive, ssh will also try to load certificate
      information from the filename obtained by appending -cert.pub to
      identity filenames.

All this time logging into every level with this command, and we never read the man page on ssh. Looking at our page we see the syntax will be something like

ssh -i [key] [user@hostname]

Cool, let's try it.

bandit13@bandit:~$ ls
sshkey.private
bandit13@bandit:~$ ssh -i sshkey.private bandit14@bandit.lab.overthewire.org
ssh: Could not resolve hostname bandit.lab.overthewire.org: Name or service not known

Okay, read the instructions again: I'm using the local host since we aren't connecting outside the network.

bandit13@bandit:~$ ssh -i sshkey.private bandit14@localhost                 
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is ee:4c:8c:e7:57:2c:bc:63:24:b8:e6:23:27:63:72:9f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
 _                     _ _ _   
| |__   __ _ _ __   __| (_) |_ 
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_ 
|_.__/ \__,_|_| |_|\__,_|_|\__|
                               
a http://www.overthew...
~
~
~
...ch program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

bandit14@bandit:~$ 

Sweet, next level
