ssh

Clearly the password has been removed in our current version of the repo. The stated purpose of .git is version control so it reasons to can easily check if previous .git commits exist by viewing git log:

`commit edd935d60906b33f0619605abd1689808ccdd5ee Author: Morla Porla morla@overthewire.org Date: Thu May 7 20:14:49 2020 +0200

fix info leak

commit c086d11a00c0648d095d04c089786efef5e01264 Author: Morla Porla morla@overthewire.org Date: Thu May 7 20:14:49 2020 +0200

add missing data

commit de2ebe2d5fd1598cd547f4d56247e053be3fdc38 Author: Ben Dover noone@overthewire.org Date: Thu May 7 20:14:49 2020 +0200

initial commit of README.md`

So I decided to try to reverse back to initial commit using git reset --hard HEAD~1

Received the result: HEAD is now at c086d11 add missing data

Checked my README.md file and viola! Ze password iz mine!!

Bandit 29

Same as previous bandit. We are given a repo and inside the README.md are the following credentials:

username: bandit30
password:

I started poking around the .git and directory and found this in ORIG_HEAD that looks interesting:

208f463b5b3992906eabf23c562eda3277fea912

Since it like a git commit hash, I tried reverting to it, found nothing. Then I noticed that the packed-refs file also contained some git commit hashes:

# pack-refs with: peeled fully-peeled bc833286fca18a3948aec989f7025e23ffc16c07 refs/remotes/origin/dev 208f463b5b3992906eabf23c562eda3277fea912 refs/remotes/origin/master 786d5bea2bd2dcbed2c8896a310c3c5306bc713c refs/remotes/origin/sploits-dev

Another way I could have accessed this info would be using the git show-ref command to check for all git references in local repo.

I then reset git to the /origin/dev' and checked theREADME` and yes! Password found!

git reset --hard bc833286fca18a3948aec989f7025e23ffc16c07 HEAD is now at bc83328 add data needed for development

Bandit LV30: Searching an “empty” repo for clues

#git #gitlog #gitshow

Similar to the last two levels, we are given a repo only this time, it's EMPTY save for a the READMD.md that just has this hilarious message: just an epmty file... muahaha < MIS-SPELLED AND ALL! I laughed.

Then I tried the usual suspects:

git log gives us just the initial commit of README.md — not helpful:

`commit 3aefa229469b7ba1cc08203e5d8fa299354c496b Author: Ben Dover noone@overthewire.org Date: Thu May 7 20:14:54 2020 +0200

initial commit of README.md`

I tried git show which describes the HEAD commit by default:

`commit 3aefa229469b7ba1cc08203e5d8fa299354c496b Author: Ben Dover noone@overthewire.org Date: Thu May 7 20:14:54 2020 +0200

initial commit of README.md

diff —git a/README.md b/README.md new file mode 100644 index 0000000..029ba42 —– /dev/null +++ b/README.md @@ -0,0 +1 @@`

This does look like there was a new README.md file created, the useless one. Not sure how helpful this is?

Decided to poke around the repo references again: less ./.git/packed-refs

# pack-refs with: peeled fully-peeled 3aefa229469b7ba1cc08203e5d8fa299354c496b refs/remotes/origin/master f17132340e8ee6c159e0a4a6bc6f80e1da3b1aea refs/tags/secret

This secret tag is interesting. Git tags are a reference point to a specific moment in git history and store data about that point. This can be accessed with the command syntax: git show <tag>

So I tried git show f17132340e8ee6c159e0a4a6bc6f80e1da3b1aea

And the password onwards appeared!

bandit 18... the bye bye! one

December 31, 2021

#ssh #bashrc #bash

So, I had to ask for a hint on this one from discord. The person said: “you dont need any extra parameters for ssh command”

I misunderstood this level on a fundamental level. I thought the goal was to login so I could access the readme file for the password. This is not the goal. The goal is to get the password. Logging in is irrelevant. This was mistake one.

Having assumed that I had to log in meant that I interpreted the problem as a matter of “disabling the .bashrc” file so I went about on a wild google search reading about different approaches to doing this. It turns out that this is not an uncommon problem — interestingly. However, this was a mistake on my end to do so because it is skipping the step of what my tool (the level tells you to use ssh) was made to do. I looked up different ways of using ssh towards a specific purpose without understanding the tool's stated purpose.

Had I looked at the manual for ssh instead of assuming I already knew its usage(s), I would have found this description:

ssh (SSH client) is a program for logging into a remote machine and for executing commands on a remote machine.

All I needed to do was read the readme via remote command execution. There was no need to go about disabling the .bashrc.

I've noticed that the levels that I get stuck on are from getting too attached to an initial idea and pursuing that instead of examining ALL my possibilities and experimenting. This almost happened in a previous level but I caught myself. Time to make it into an acronym like my 10DIME for algorithms.

How to problem-solve OTW/CTFs:

GOAL: What is my goal?
ASSUMPTIONS: Are there any procedural assumptions in my goal statement that limit how I can get to that goal or is it truly a goal?
DESCRIBE: Describe my tools. If I can't describe their purpose with certainty, read the description SLOWLY. Not backwards. Not diagonally. SLOWLY.
Try EVERYTHING!

GADE.

Next.

The solution was simply ssh banditit18@bandit.labs.overthewire.org -p 2220 "less ~/readme"

Bandit LVL 13-16

December 31, 2021

#SSL #SSH #NC #nmap #bandit #overthewire #linux #cli

Level 13 –> 14

In this level, we were given: – “a private SSH key that can be used to log into the next level”

Upon examination, there was a RSA key in the file sshkey.private. The goal is to use this key to login to the next level.

_What is immediately different about how we are asked to log in here vs previous levels?

Previously, we had to exit the connection and SSH into the server using the next username and password. This time, we must use the next username and RSA key.

To log in using a private SSH key, we use: ssh -i sshkey.private bandit14@localhost

We are staying on the same server (localhost) so we don't need to specify the port number.

Level 14—>15

We are asked to submit data to port 30000 on localhost in order to retrieve the next password.

The utility nc (netcat) allows us to “read or write data across network connections using the TCP or UDP protocols”. The basic syntax is: nc [options] host port

The data we needed to send is a file called bandit14 so we used: less bandit14 | nc localhost 30000 to solve this level.

QUESTION: Can I log into LV15 from within the server?

Yes! It worked to use SSH bandit15@localhost! Yay for learning to be more efficient!

Level 15 –> 16

In this level, we are asked to submit “the password of the current level to port 30001 on localhost using SSL encryption”.

Tools to explore: openssl, client_s

s_client will connect to “a remote host using SSL/TLS.”

QUESTION: why does it specify that it connects to a remote host? What about connecting to a service on localhost?

What I tried (unsuccessful):

openssl s_client -connect localhost:30001

I knew this wouldn't work because I wasn't sending the password. But it did say CONNECTED. Unfortunately, it kept waiting for something and I wasn't sure how to interpret this so I looked up a hint online. It turns out it was waiting for a password! There was no password prompt so I didn't think to try sending any input. Had I tried sending _anything at all, I would have received a wrong password message and realized what was happening!

LESSON LEARNED: TRY EVERYTHING!!!

The answer turned out to be: openssl s_client -connect localhost:30001 $PASS (with the password string saved in $PASS)

Level 16 –> 17

In this level, we have to (1) scan for open ports for a server that listens to SSL and then (2) forward the response credentials to login to the next level.

I used nmap -p 31000-32000 localhost to scan for the ports on localhost between 31000-32000 (the range given in the instructions). This returned only 5 active ports (yay!):

Starting Nmap 7.40 ( https://nmap.org ) at 2021-12-31 02:52 CET Nmap scan report for localhost (127.0.0.1) Host is up (0.00033s latency). Not shown: 996 closed ports PORT STATE SERVICE 31046/tcp open unknown 31518/tcp open unknown 31691/tcp open unknown 31790/tcp open unknown 31960/tcp open unknown

Then I manually attempted an openssl s_client connection to each port to see if there would be a response.

I found that port 31790 responded with the credentials (an RSA key). I then created a temporary file containing this key and attemped to SSH into the next level using the method from a few levels back: ssh -i lumpo.private bandit17@localhost

Unfortuately, this did not work because I got this warning back:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: UNPROTECTED PRIVATE KEY FILE! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ Permissions 0644 for 'lumpo.private' are too open. It is required that your private key files are NOT accessible by others. This private key will be ignored.

So now my options are to either (1) set permissions for my temporary file so that it is not accessible by others, or (2) find a way to forward the credentials automatically when they are returned from the server.

Trying (1) first:

chmod 600 /tmp/lumpo.private will restrict my file so that the owner (me) has access to read/write but nobody else can do so. Retried sending ssh with private key after adding this permission restriction and success!

What I could have done better?

Instead of manually testing each listening port with openssl s_client, I should have figured out how to automate it because testing manually would not work for a large pool of ports.