Bandit level 6

Bandit 6

Level Goal

The password for the next level is stored somewhere on the server and has all of the following properties:
  • owned by user bandit7
  • owned by group bandit6
  • 33 bytes in size

Commands you may need to solve this level

ls, cd, cat, file, du, find, grep

Somewhere on the server? I didn't read the instructions all that well, I knew the user and the group switch before this for the find command but forgot what the size switch for bytes was. Now if I didn't write this blog and have that documentation, I would have had to read the man page for "find" again!




bandit6@bandit:~$ ls
bandit6@bandit:~$ find ./* -user bandit7 -group bandit6 -size 33c
find: `./*': No such file or directory

Weird it's not in our current directory,after realizing there was nothing in the directory and looking at the instructions about being somewhere on the server I tried this.

bandit6@bandit:~$ find / -user bandit7 -group bandit6 -size 33c
find: `/var/log': Permission denied
/var/lib/dpkg/info/bandit7.password
find: `/var/lib/php5': Permission denied
...
find: `/proc/144/fd/5': No such file or directory
find: `/proc/144/fdinfo/5': No such file or directory
There is a pretty large output here but in the first couple results I spot something! The only reason I did was because I documented everything for us! The file path here seems interesting

/var/lib/dpkg/info/bandit7.password

If a gift horse spits on your shoes are you going to just ignore it? Nah, lets roll with this

bandit6@bandit:~$ cat /var/lib/dpkg/info/bandit7.password
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
bandit6@bandit:~$ exit
logout
Connection to bandit.labs.overthewire.org closed.
root@kali:~#
Cool beans. We got lucky though. For the sake of being a completionist I looked for and found a better solution, another blog has this solution on their page





bandit6@bandit:~$ find / -user bandit7 -group bandit6 -size 33c | 2> /dev/null

/dev/null is like a black hole. You know it exists, but you cannot communicate with it. It has no output, only input. It swallows all data it can possibly get and nobody knows what it looks inside.

So we pipe/send the results of our command with "|" operator to a directory called /dev/null.While /dev/null is fairly simple concept to understand, it's a place we banish things we don't want to see, nothing comes back, we throw anything we don't want in there.

So what does the "2>" mean? Well there are three options for this, its called a file descriptor. While I could not find a good resource on how to explain these I'll do my best.

0,1, & 2 are all standard POSIX file descriptors that generally works on most platforms from bash ( (the linux shell language we've been learning here) , to assembly, .net framework, etc. It's been around since the 1950's. They describe standard streams which are preconnected input and output (I/O = input/output) communication channels between a computer program and its environment when it begins execution.

The three I/O streams are as follows:
  • 0 - which represents standard input  otherwise known as stdin
  • 1 - which represents standard ouput otherwise known as stdout
  • 2 - which represents standard error otherwise know as stderr 
See what I'm getting at? So this is a bit beyond the scope of information for this level. Basically use "find" to get results, which then pipes all information coming across the error stream to /dev/null, which is the "permission denied" and "no such file or directory" or any other results that trigger an error to get a neat, singular output for the one file we wanted.


Glowfish Contrast

Comments

Post a Comment

Popular posts from this blog

Bandit 12

Bandit 12 bandit12@bandit:~$ ls data.txt bandit12@bandit:~$ mkdir data bandit12@bandit:~$ cp data.txt ./data bandit12@bandit:~$ cd data bandit12@bandit:~/data$ ls data.txt bandit12@bandit:~/data$ file data.txt data.txt: ASCII text 0000000: 1f8b 0808 4572 4259 0203 6461 7461 322e ....ErBY..data2. 0000010: 6269 6e00 0143 02bc fd42 5a68 3931 4159 bin..C...BZh91AY 0000020: 2653 59a3 fd61 8800 0019 ffff dffb 1ff5 &SY..a.......... 0000030: f7d7 dfdb fe4f ffb3 b5f7 ffdf b2d8 fefb .....O.......... 0000040: e7dd fffa fefd 7f7b d1fb fe3f b001 3b56 .......{...?..;V 0000050: a106 81a0 1a00 07a8 0068 01a1 a69a 0000 .........h...... 0000060: d1a0 d034 6868 34f5 0641 a000 000d 000f ...4hh4..A...... 0000070: 5064 00d0 321a 69e9 0323 1a27 a883 4003 Pd..2.i..#.'..@. 0000080: 41a0 01ea 0000 0003 4000 0068 7a4f 4800 A.......@..hzOH. 0000090: 0c8c 803d 41a0 64d1 a3d4 d1a3 6a68 01a0 ...=A.d.....jh.. 00000a0: 34da 8340 003d 4347 a83a 69a6 8699 0034 4..@.=CG.:i....4 00000b0: 3203 4610 3...
Read more

Thoughts on ISSA talk on using AI to automate security

Recently I attended the ISSA presentation in MN, the description of it: The Power and Potential of Robotic Process Automation. And the Security Risks. Please join us on March 22 nd  as we explore the powerful and emerging Robotic Process Automation technology in regards to what IT security professionals need to know about RPA platforms . Robotic process automation (RPA) is a powerful and emerging technology that streamlines and standardizes many human user processes as well as harmonizes different systems across an organization’s environment. So what do IT security professionals need to know about RPA platforms? Very simply, it is a new attack vector and organizations need to start to understand their risk. Because RPA software interacts directly with business applications and mimics the way applications use and mirror human credentials and entitlements, this can introduce risks when the software robots automate and perform routine business processes across mult...
Read more

Bandit Level 1

Bandit 1  We just got the password for level one and are now logging in. I got sick of PuTTY and VM'ed kali really quickly. root@kali:~# ssh bandit1@bandit.labs.overthewire.org -p 2220 The authenticity of host '[bandit.labs.overthewire.org]:2220 ([176.9.9.172]:2220)' can't be established. ECDSA key fingerprint is SHA256:SCySwNrZFEHArEX1cAlnnaJ5gz2O8VEigY9X80nFWUU. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '[bandit.labs.overthewire.org]:2220,[176.9.9.172]:2220' (ECDSA) to the list of known hosts. _ _ _ _ | |__ __ _ _ __ __| (_) |_ | '_ \ / _` | '_ \ / _` | | __| | |_) | (_| | | | | (_| | | |_ |_.__/ \__,_|_| |_|\__,_|_|\__| a http://www.overthewire.org wargame. bandit1@bandit.labs.overthewire.org's password: Welcome to Ubuntu 14.04 LTS (GNU/Linux 4.4.0-71-generic x86_64) * Documentation: https://help.ubuntu.com/ The programs included wi...
Read more