Monday, 7 September 2015

[Write-up] OverTheWire Bandit CTF

20:07 Posted by Matnacian , , , , No comments
Hi there,
I'm a newbie in CTF, so I create this blog to help ME, and YOU, the ones who really want to improve CTF skills. And the first write-up series are about Bandit CTF:

Let's go! Hope we will have great time together! Keep calm and Happy CTF! ^^

Level 0: SSH
$ ssh
>> Password: bandit0
bandit0@melinda:~$ ls (you will see a file named readme)
bandit0@melinda:~$ vi readme

Got it? Easy, right?

Level 1: Strange file name
bandit1@melinda:~$ vi "./-"

Level 2: Strange file name
Nothing different!

Level 3: Hidden file
$ cd inhere
$ ls -a
$ vi .hidden

Level 4: Many files
I see a command named "cat", and I find it's more useful than "vi".
$ cat "./-file07"

Level 5: Super many files
In this level, I saw many folders and files, and they really made me confuse.
So I think we should use some search command to handle this chal.
Let's google!

I think the file contained flag is the lastest modified file, so I search "find last modified file linux"  and found this command:
stat --printf="%y %n\n" $(ls -tr $(find * -type f))
But the results didn't look good. Phew!!!

I played some CTFs, and when getting stuck in a problem, I often gave up.
But this time - when I am writing this blog, I'm going to participate a contest between universities in my country.  It's very important for me to win this contest, so I must try my best ^^

So what should we do now?
I take a look of some files, and they are big text files. So I think we should find a small file that has the same flag file in bandit4.

OK, let's see. bandit4's -file07 -> 33bytes -> We'll find a file that has the 33 byte-size.
 Now we are in bandit5/inhere. List all file with size description:
$ ls -LR -l
I can't find any 33 byte-file, but we have 77 and 51 here. Try submit password of these file but "Permission denied, please try again."

Ah, hidden file!
$ ls -LR -l -a
Still no 33 byte-file. Try submit password of the new 99 byte-file, and error again.

I don't know what to do next, so I click the link "Level 5 → Level 6" in the menu Bandit and find the hint: 1033 bytes. OK, easy!  Use my eyes and bingo:

But how to use command to find an -x-byte file?
$ find -size 1033c

Note: Please read the description of challenges before solving them!

Time for lunch! I will be right back! :D


Level 6: The level that I gave up!
"The password for the next level is stored somewhere on the server".
$ find / -user bandit7 -group bandit6 -size 33c 2>/dev/null
$ cat /var/lib/dpkg/info/bandit7.password

WTF is "2>/dev/null"?
dev/null treated as black hole in Linux/Unix, so you can put any this into this but at the end your will not able to get this back from /dev/null/.
so further on 2>, means is you are redirecting [i.e. ">"] stderr [i.e. 2] into black hole [i.e. /dev/null/ ]

Level 7: | grep
cat data.txt | grep millionth

Level 8: uniq and sort
$ uniq data.txt -u
What? Many rows??
$ sort data.txt | uniq -u

or: $ cat data.txt | sort | uniq -u

Level 9: strings
bandit9@melinda:~$ cat data.txt | grep =
Binary file (standard input) matches

Submit flag: 'Binary file (standard input) matches'. Failed :v
Search for the error: "The grep -a, --text option may be of use to you"
OK, $ cat data.txt | grep -a "=="

or: $ strings data.txt | grep '='

Level 10: base64
$ strings data.txt | base64 -d
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

Level 11: tr
bandit11@melinda:~$ cat data.txt | tr 'a-zA-Z' 'n-za-mN-ZA-M'
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

Level 12: xxd mv cd mkdir
bandit12@melinda:/tmp/hihihi$ strings data8
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

Level 13: ssh
$ ssh -i sshkey.private bandit14@localhost
$ cat /etc/bandit_pass/bandit14

Level 14: telnet
$ telnet localhost 30000

Level 15: openssl
$ openssl s_client -connect localhost:30001 -quiet

Level 16: nmap
$ nmap localhost -p 31000-32000
$ openssl s_client -connect localhost:31790

Copy and creat sshkey.private
$ ssh -i sshkey.private bandit17@localhost
$ ls
$ diff password.old

< kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd <-- pass 18-19
> BS8bqB1kqkinKJjuxL6k072Qq9NRwQpR

xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn <-- pass 17-18

Level 18: ssh with command
ssh cat readme

Level 19:
$ ./bandit20-do cat /etc/bandit_pass/bandit20

Level 20: 

$ nc -l 6969
$ ./suconnect 6969

--- manacian ---
--- ctf for beginners ---


Post a Comment