Learning Linux & InfoSec Principles Using OverTheWire’s Bandit — Part 4

Begin learning Linux using a fun, online “wargame”

Reader, Coder, Learner
InfoSec Write-ups


Introduction

In the previous post (https://bit.ly/3qFZACp) we continued our Linux journey with levels 10 through 14 of OverTheWire’s Bandit machine. If you haven’t read the first three posts yet, they are warmly recommended — you’ll get an even better introduction.

In essence, Bandit is the most basic machine the OverTheWire.org website has to offer, designed to introduce people to basic Linux commands and information security ideas.

The goal of this article is to provide you with a practical and enjoyable way of getting to know the Linux operating system (particularly the bash shell), using the Bandit “wargame”. If you have already read the previous posts, or are too enthusiastic to get on with this one (I completely understand that :)), then let’s dive in.

Reminder

The transition from level 13 to 14 was not the usual one of being handed a password for the next user: we had to chain two SSH connections, and only then could we retrieve the password for the bandit14 user.

Now connect to this user via SSH and provide its password, so we can carry on: 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e.

ssh -p 2220 bandit14@bandit.labs.overthewire.org

Level 14 → Level 15

In order to progress to the next level, we are instructed to submit the password of this level to port 30000 on localhost. But first, what does localhost mean? It refers to the current machine itself and is generally tied to the IP address 127.0.0.1, the address of the loopback interface.

In order to achieve that, we will use a tool called netcat, frequently nicknamed the “Swiss Army Knife” of networking. It lets us reach a target (specified by IP address and port) and establish a connection through which we can pass messages.

First, we will generate the message: using nano, we create a file under the /tmp/ directory, which stores temporary files (as its name suggests) and in which we have write permissions.

nano /tmp/passwd.txt

Then, paste the password you used to enter this level, since this is the message we want to pass. Another way to do the same might be:

touch /tmp/passwd.txt

This creates a new, empty file. To fill it, we can use the echo command, and apply output redirection, as discussed previously.

echo 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e > /tmp/passwd.txt

The echo command simply prints its arguments to the screen, but here we instruct the shell to redirect the output: instead of appearing on the screen, it goes to the file specified.

Now we can finally run the netcat command, invoked with the nc shortcut:

Using netcat to Submit the Previous Password to localhost:30000

After the command itself, we type the host (an IP address, or the special keyword localhost) and the target port, and then we redirect the input: rather than giving us an interactive console, the command reads its input from the file we have just created, so its content is sent to the target specified.
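The two steps above as a small added example (not code from the original article): the password file is created with owner-only permissions, because files written to /tmp are normally readable by every other user on a shared host such as Bandit, and then handed to nc exactly as the screenshot shows.

```shell
# Added example, not from the original article. Password value is the one
# quoted above for entering this level.

# Write the message to /tmp, owner-readable only: a subshell with umask 077
# makes the new file mode 600 without touching the caller's umask.
make_secret_file() {  # $1 = path, $2 = content
  ( umask 077; printf '%s\n' "$2" > "$1" )
}

# nc reads its input from the file instead of the keyboard and forwards it to
# the target; the server's answer (the next password) is printed to the screen.
submit_password() {  # $1 = host, $2 = port, $3 = file
  nc "$1" "$2" < "$3"
}

# Usage on the Bandit host:
#   make_secret_file /tmp/passwd.txt 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
#   submit_password localhost 30000 /tmp/passwd.txt
```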

As we can observe, we have successfully finished this level and acquired the password for the next one. Let’s connect to it!

Level 15 → Level 16

The task in this stage is very similar to the last one, but this time our connection must be SSL encrypted. SSL is a cryptographic protocol intended to secure the transport of data over the internet. This means that if someone “sniffs” the data packets, they won’t be able to deduce anything from them, unlike with the raw use of netcat.

To apply this encryption we cannot use netcat again; instead we turn to the openssl tool and its s_client subcommand. The necessary command is:

openssl s_client -connect localhost:30001

Let’s explain the rest: s_client specifies that we want to act as an SSL client, not as a server that listens. Then -connect, followed by the host and port, tells openssl what to connect to.

Using openssl s_client to Connect to localhost on Port 30001

A lot of information is dumped at us, but at the bottom we have a prompt. Paste the password to this level:

Getting the Password to the Next Level

And we can move along.

Level 16 → Level 17

The instructions for this one seem a bit overwhelming at first. For more clarity, let’s divide them into practical tasks:

  1. Search for listening servers in the specified port range.
  2. Determine which server(s) use SSL.
  3. Send the necessary message to all the matching servers, and save the password retrieved from the one that does not simply repeat ours.

To the first task! Things become quite interesting… The best solution is to use a tool called nmap, short for network mapper. It helps us scan a host for its open ports, and we can tweak its parameters so that the scan fits our needs precisely.

nmap localhost -p 31000-32000

After the command itself, we type the host address, in our case localhost. Then, using the -p parameter, we specify the range of ports we were told about.

Scanning localhost Using nmap

We get a list of ports, of which four are open. We move on to the second step: checking which of these ports host a server with SSL. Again, nmap is our tool; this time we specify only the four relevant ports and add the -A option (which stands for aggressive), so that we get more information about the services behind those open ports.

Running nmap with the -A Parameter and Particular Ports

We can gather that only port 31790 utilizes SSL, so that will be the destination for the openssl command this time.

openssl s_client -connect localhost:31790

The output this time is not a simple password but an SSH private key. To make use of it, create a file under the /tmp directory named mysshkey.private and paste the key in, using the text editor of your choice. Make sure you include the delimiting lines of the key, BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY. Then change the permissions of the file so that it is not accessible to other users:

chmod 700 /tmp/mysshkey.private

Don’t worry, we will dive into permissions in the future. Then, as we did in the former post, we authenticate using SSH.
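The three tasks listed above, plus saving the key, as one added script (not code from the original article). It assumes nmap and openssl are available on the Bandit host and that the password for this level is passed as the first argument; the ports are discovered rather than hard-coded, so it also copes with a different number of open ports than the four seen here.

```shell
#!/bin/bash
# Added example, not from the original article: automate the three tasks of
# level 16. Assumes nmap and openssl exist on the Bandit host and that the
# password for this level is given as the first argument.

# Task 1: open TCP ports in the range. nmap's normal output lists them as
# "31790/tcp open  unknown"; --open drops closed and filtered ports.
open_ports() {
  nmap -p 31000-32000 --open localhost | awk -F/ '/\/tcp +open/ {print $1}'
}

# Tasks 2 and 3 together: speak TLS to one port, send the password, return the
# reply. A port that does not speak TLS yields an empty reply. -quiet hides the
# certificate dump and keeps the connection open after stdin hits EOF, so the
# answer is not cut off before the server has sent it.
probe_port() {  # $1 = port, $2 = password
  printf '%s\n' "$2" | openssl s_client -quiet -connect "localhost:$1" 2>/dev/null
}

# True when the reply is nothing but our own password echoed back.
is_echo() {  # $1 = reply, $2 = password sent
  [ "$(printf '%s' "$1" | tr -d '\r' | sed '/^[[:space:]]*$/d')" = "$2" ]
}

# Keep only the key itself, including its BEGIN/END delimiter lines.
extract_key() {
  sed -n '/^-----BEGIN RSA PRIVATE KEY-----$/,/^-----END RSA PRIVATE KEY-----$/p'
}

main() {  # $1 = password for this level
  for port in $(open_ports); do
    reply="$(probe_port "$port" "$1")"
    [ -z "$reply" ] && continue         # no TLS here
    is_echo "$reply" "$1" && continue   # echo server, not the one we want
    printf '%s\n' "$reply" | extract_key > /tmp/mysshkey.private
    chmod 600 /tmp/mysshkey.private     # owner-only, enough for ssh to accept it
    echo "private key from port $port saved to /tmp/mysshkey.private"
  done
}

if [ "$#" -gt 0 ]; then main "$1"; fi
```

The saved key is then used with ssh -i /tmp/mysshkey.private -p 2220 bandit17@bandit.labs.overthewire.org.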

Moving to Level 17

Level 17 → Level 18

Hurray! We are at the last level for this article. Our objective this time does not involve nmap or other networking tools; instead we need to find the difference between the two files in our home directory, passwords.new and passwords.old. The next password is the one line in the first file that differs from the second.

Of course we can examine the two files manually, but I’m sure you’ve guessed there is a better way, a command-line tool that automates the process: diff. It lets us inspect the differences between two files.

Use diff to Find the Password

We gave diff the two relevant files as command-line arguments, and the output tells us that line 42 differs: the upper line (marked with <) is the content of that line in passwords.new (the first argument), and the bottom one (marked with >) is the line found in passwords.old (the second argument).
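The same diff output, turned into something a script can use, as an added example (not code from the original article): the changed line from the first argument is the one diff prefixes with <, so it can be pulled out directly. The sample files are constructed here and do not contain the real Bandit passwords.

```shell
# Added example, not from the original article. diff prefixes lines taken from
# its first argument with "< " and lines from its second with "> ", so with
# passwords.new first, the "<" line is the new password.
new_password() {  # $1 = passwords.new, $2 = passwords.old
  diff "$1" "$2" | sed -n 's/^< //p'
}

# Constructed stand-ins for the real files: identical except for line 2.
demo() {
  dir="$(mktemp -d)"
  printf '%s\n' aaaa bbbb cccc > "$dir/passwords.old"
  printf '%s\n' aaaa NEWP cccc > "$dir/passwords.new"
  new_password "$dir/passwords.new" "$dir/passwords.old"
  rm -rf "$dir"
}
```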

This password will be used to enter level 18, not to be dealt with now.

For easier access in the next article (I’ve already progressed :), so you should listen to my advice ;)), let’s save the password for level 17: remember, we entered using a private SSH key. To read the raw password, read the contents of the /etc/bandit_pass/bandit17 file and keep it until next time.

Conclusion

The levels we solved in this article introduced us to a new area: networking tools in Linux. Things begin to get more interesting; this is a mild taste of future information-security topics, working with nmap, netcat and openssl.

I hope you have learned and improved your Linux skills throughout this article. As mentioned previously, I pray you have also had fun! Please leave some comments and let me know what you prefer me to do or want me to cover otherwise.

I must thank each and every one of you who reads my posts — you are amazing. Goodbye for now. Have a great time until we meet again!
