Presenting my attempts at levels 26, 27, and 28 of the OverTheWire Bandit game, in which I start to realise how important planning is.

Level 26

Introduction:
Good job getting a shell! Now hurry and grab the password for bandit27!

These clues are getting really obscure now. To begin with, this carries on from the work done to complete level 25 in the last effort. So as a starting point we'll be running Vi from the more command.

So the question becomes what can we do from Vi to get a proper shell and see what we can do. Scouting around we can run commands in Vi and get a proper shell that way.

Trying to test with exclamation I ran into some issues trying to set the shell variable.
:!whoami
[No write since last change]
:set shell=/bin/sh

Without the exclamation it seems to work fine. I love how everything makes sense and is straightforward. So now, we can get into a shell.
:shell
$ bash
bandit26@bandit:~$

This seems to be the hardest part of things and now we can see what we have to do.

bandit26@bandit:~$ ls -la
total 36
drwxr-xr-x 3 root root 4096 May 7 2020 .
drwxr-xr-x 41 root root 4096 May 7 2020 ..
-rwsr-x--- 1 bandit27 bandit26 7296 May 7 2020 bandit27-do
-rw-r--r-- 1 root root 220 May 15 2017 .bash_logout
-rw-r--r-- 1 root root 3526 May 15 2017 .bashrc
-rw-r--r-- 1 root root 675 May 15 2017 .profile
drwxr-xr-x 2 root root 4096 May 7 2020 .ssh
-rw-r----- 1 bandit26 bandit26 258 May 7 2020 text.txt

bandit26@bandit:~$ file bandit27-do
bandit27-do: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=8e941f24b8c5cd0af67b22b724c57e1ab92a92a1, not stripped

bandit26@bandit:~$ ./bandit27-do
Run a command as another user.
Example: ./bandit27-do id

bandit26@bandit:~$ ./bandit27-do cat /etc/bandit_pass/bandit27
3ba3118a22e93127a4ed485be72ef5ea

Level 27

Introduction:
There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo. The password for the user bandit27-git is the same as for the user bandit27.
Clone the repository and find the password for the next level.

At the time of doing this task I was aware of the git command, so this is good practice. Cloning a repository should be simple and it's always motivating to set off with a success under your belt. So we should be able to use 'git clone' to grab the repo.
bandit27@bandit:~$ git clone ssh://bandit27-git@localhost/home/bandit27-git/repo
fatal: could not create work tree dir 'repo': Permission denied

Oops, so much for the quick success. Although permission denied seems like my typical error of not having an open workspace. I'll create one with 'mktemp -d' and work from there.

bandit27@bandit:~$ mktemp -d
/tmp/tmp.DloTC4ZFQe
bandit27@bandit:~$ chmod +777 /tmp/tmp.DloTC4ZFQe
bandit27@bandit:~$ cd /tmp/tmp.DloTC4ZFQe
bandit27@bandit:/tmp/tmp.DloTC4ZFQe$ git clone ssh://bandit27-git@localhost/home/bandit27-git/repo
Cloning into 'repo'…
Could not create directory '/home/bandit27/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit27/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit27-git@localhost's password:
remote: Counting objects: 3, done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 3 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (3/3), done.
bandit27@bandit:/tmp/tmp.DloTC4ZFQe$

That is much better. We're able to clone the repository and it's now in the temporary workspace. The cloning process will create a new folder based on the name of the repository.
bandit27@bandit:/tmp/tmp.DloTC4ZFQe$ ls
repo

Let's go into the repo and see what we have.
bandit27@bandit:/tmp/tmp.DloTC4ZFQe$ cd repo/
bandit27@bandit:/tmp/tmp.DloTC4ZFQe/repo$ ls
README

I always do what randomly downloaded files tell me to do, so let's read the file.
bandit27@bandit:/tmp/tmp.DloTC4ZFQe/repo$ cat README
The password to the next level is: 0ef186ac70e04ea33b4c1853d2526fa2

Level 28

Introduction:
There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo. The password for the user bandit28-git is the same as for the user bandit28.
Clone the repository and find the password for the next level.

bandit28@bandit:~$ git clone ssh://bandit28-git@localhost/home/bandit28-git/repo
fatal: could not create work tree dir 'repo': Permission denied

Some day I will learn from my mistakes, today was not that day. In my defense I was waiting for a Formula 1 race to start. I did realise my mistake quite quickly so I guess I learned something. Creating a workspace and cloning the repository involved the same steps as the last level.

In the repo we had the same README file. Getting a terrible sense of deja vu but so far the game hasn't let me down.
bandit28@bandit:/tmp/tmp.c1rrbJbtwS$ cat repo/README.md
# Bandit Notes
Some notes for level29 of bandit.
## credentials
- username: bandit29
- password: xxxxxxxxxx

I'm fairly certain that isn't the password but just in case...
bandit28@bandit:/tmp/tmp.c1rrbJbtwS$ ssh bandit29@localhost
bandit29@localhost's password:
Permission denied, please try again.

Never trust, verify.

The whole point of git is to be a version control system. We can use 'git log' to see any changes that have been made to the README file.

bandit28@bandit:/tmp/tmp.c1rrbJbtwS/repo$ git log
commit edd935d60906b33f0619605abd1689808ccdd5ee
Author: Morla Porla <morla@overthewire.org>
Date: Thu May 7 20:14:49 2020 +0200

 fix info leak 

commit c086d11a00c0648d095d04c089786efef5e01264
Author: Morla Porla <morla@overthewire.org>
Date: Thu May 7 20:14:49 2020 +0200

 add missing data 

commit de2ebe2d5fd1598cd547f4d56247e053be3fdc38
Author: Ben Dover <noone@overthewire.org>
Date: Thu May 7 20:14:49 2020 +0200

 initial commit of README.md 

This info leak sounds interesting. From here we use the command 'git revert edd935d60906b33f0619605abd1689808ccdd5ee' to go back to before the info leak was fixed. This gave me a bunch of messages and opened the Nano editor to create a new commit message. I was able to exit with no issues. Once exited, the location looked the same, but now when I look at the README file:
bandit28@bandit:/tmp/tmp.c1rrbJbtwS/repo$ cat README.md
#Bandit Notes
Some notes for level29 of bandit.

## credentials
- username: bandit29
- password: bbc96594b4e001778eee9975372716b2
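The same history can be read without creating a revert commit, since a follow-up commit that overwrites a secret leaves the old value in the repository's objects. The script below is an added example, not part of the original post: it rebuilds a constructed three-commit repo with the same commit messages and reads the removed line back. The function names and the secret value are made up for illustration.

```shell
#!/bin/sh
# Constructed demo: rebuild a three-commit history like the one in Level 28,
# then recover the removed line without touching the work tree.

# make_demo_repo DIR: create a throwaway repo (all content is constructed).
make_demo_repo() {
    dir=$1
    git init -q "$dir" || return 1
    (
        cd "$dir" || exit 1
        # Identity passed per command so no global git config is needed.
        g() { git -c user.name=demo -c user.email=demo@example.invalid "$@"; }
        printf '# Notes\n- password: <TBD>\n' > README.md &&
        g add README.md &&
        g commit -q -m 'initial commit of README.md' &&
        printf '# Notes\n- password: CONSTRUCTED-SECRET\n' > README.md &&
        g commit -q -a -m 'add missing data' &&
        printf '# Notes\n- password: xxxxxxxxxx\n' > README.md &&
        g commit -q -a -m 'fix info leak'
    )
}

# removed_lines DIR REV: print the lines that commit REV deleted from README.md.
# The diff header is skipped by starting at the first hunk marker (@@).
removed_lines() {
    git -C "$1" show --format= --unified=0 "$2" -- README.md |
        sed -n '/^@@/,$p' | grep '^-' | cut -c2-
}

# file_at DIR REV: print README.md as it was at REV (no checkout, no new commit).
file_at() {
    git -C "$1" show "$2:README.md"
}
```

On the level's repo the equivalent read-only commands are 'git show edd935d60906b33f0619605abd1689808ccdd5ee' or 'git log -p'. For anyone maintaining a real repository, a "fix info leak" commit like this one does not retire the secret; the credential has to be rotated.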

