Level 15 -> Level 16

The goal of this level is to submit the password of the current level to port 30001 on localhost using SSL encryption and get the password to the next level.

Firstly we will get the password of the current level by using the command cat /etc/bandit_pass/bandit15

We can then use the command echo password_of_current_level | openssl s_client -ign_eof -connect localhost:30001 to get the password of the next level.

The echo command in Linux displays the line of text/string that is passed to it as an argument.

OpenSSL is a multi-platform, open source SSL/TLS toolkit. OpenSSL can be downloaded from http://www.openssl.org/. It is already present on most Linux-based systems.

The OpenSSL command line tool can be used for several purposes, such as creating and viewing certificates and testing HTTPS services/connectivity.

The following command can be used to test connectivity:

openssl s_client -connect <hostname>:<port>

For example: openssl s_client -connect example.com:443

The -ign_eof option prevents the connection from being closed down when the end of file is reached in our input, so the server's reply is still received.

This is how we will get password to the next level.

Use the command ssh bandit16@localhost to connect to the level 16.

Enter the password and hit enter.

Successfully passed level 16.

Level 16 -> Level 17

The goal of this level is to submit the password of the current level to a port on localhost in the range 31000 to 32000 and get the password to the next level.

First, we need to find out which of these ports have a server listening on them. We will use an nmap port scan to find the listening ports in the range 31000–32000.

Only two ports, 31518 and 31790, are open.

Then, we need to find out which of those speak SSL and which don't. Only one server will give the next credentials; the others simply send back whatever you send to them.

We will check both ports one by one by connecting to each with the openssl s_client command and submitting the password of the current level.

Get the password of the current level by using the command cat /etc/bandit_pass/bandit16

We can use the command echo password_of_current_level | openssl s_client -ign_eof -connect localhost:31518 to connect to port 31518.

· We are connected to port 31518, but no password or key is found at this port.

· Using Ctrl+C we come out of this and check the other port, i.e. 31790.

We will connect to this one using the same command, i.e.

echo password_of_current_level | openssl s_client -ign_eof -connect localhost:31790

An RSA private key is returned at this port, which we will use to connect to the next level.

The key is printed as a PEM block, from -----BEGIN RSA PRIVATE KEY----- to -----END RSA PRIVATE KEY-----.

Steps that can be followed now:

· Make a directory in /tmp with any name. I made it with mkdir /tmp/rsakey17.

· Enter the newly created directory using the cd command.

· Make a file with any name using the touch command. I made it with touch bandit17.key.

· Open the newly created file with vim. Press i to enter insert mode, copy the RSA key and paste it into the editor. Press the Esc key and then type :wq to save and quit the editor.

· Use the command ssh -i ./bandit17.key bandit17@localhost to log in to the next level with the key.

· OOPS!!!! A warning flashes that the file bandit17.key we created to save our RSA key is not protected: its permissions are 0644, which are too open.

· Check the permissions of the file using the command ls -la. (The permissions are 644, i.e. -rw-r--r--.)

· Change the permissions using the command chmod 600 bandit17.key, where 600 are the new permissions, i.e. -rw-------.

· Now again, use the command ssh -i ./bandit17.key bandit17@localhost to log in to the next level with the key.

This time we are successful in logging in.
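As an added example (not code from the original walkthrough), here is the probing described above written as a small POSIX shell script: it sends the password to each open port over TLS, tells the echo servers from the one that returns the key, and stores the key with permissions ssh accepts. It assumes a Linux box with openssl, timeout and GNU stat; the host, the list of ports and the secret are passed in as arguments.

```shell
# Added example, not from the original walkthrough. Assumes Linux with openssl,
# GNU coreutils (timeout, stat -c) and that ports/secret are passed in as arguments.

# Send one line over TLS and print the reply. -ign_eof keeps s_client from closing
# the connection at EOF on stdin; -quiet hides the certificate chatter; timeout
# bounds the wait, since an echo server may never close the connection itself.
tls_send() {  # usage: tls_send host port line
    printf '%s\n' "$3" | timeout 5 openssl s_client -quiet -ign_eof -connect "$1:$2" 2>/dev/null
}

# An echo server hands back exactly what we sent; the credential server does not.
is_echo_reply() {  # usage: is_echo_reply sent reply   (exit 0 if it is an echo)
    [ "$(printf '%s' "$2" | tr -d '\r')" = "$1" ]
}

# Keep only the PEM block from a reply on stdin, dropping any "Correct!" banner.
extract_key() {
    sed -n '/^-----BEGIN /,/^-----END /p'
}

# Store a key from stdin so only the owner can read it (ssh rejects a 0644 key);
# prints the resulting octal mode so the caller can verify it.
save_key() {  # usage: save_key path
    ( umask 077; cat > "$1" )   # a new file is created 0600 from the start
    chmod 600 "$1"              # also fixes a file that already existed as 0644
    stat -c '%a' "$1"
}

# Try each port in turn: report the echo servers, print the key from the other one.
probe_ports() {  # usage: probe_ports host secret port...
    host=$1; secret=$2; shift 2
    for port in "$@"; do
        reply=$(tls_send "$host" "$port" "$secret")
        if is_echo_reply "$secret" "$reply"; then
            echo "port $port: echo server" >&2
        else
            echo "port $port: non-echo reply, extracting key" >&2
            printf '%s\n' "$reply" | extract_key
        fi
    done
}

# On the Bandit box, with the two ports the nmap scan found:
#   mkdir -p /tmp/rsakey17
#   probe_ports localhost "$(cat /etc/bandit_pass/bandit16)" 31518 31790 \
#       | save_key /tmp/rsakey17/bandit17.key
#   ssh -i /tmp/rsakey17/bandit17.key bandit17@localhost
```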

Successfully passed level 17.

Level 17 -> Level 18

The goal of this level is to find the difference (the changed line) between two files, passwords.old and passwords.new, present in the home directory. The password is the only line that has changed in passwords.new.

The diff command is very useful here. diff stands for difference; it displays the differences between files by comparing them line by line.

So, the command used is: diff passwords.new passwords.old

In result:

· Lines preceded by a < are lines from the first file.

· Lines preceded by > are lines from the second file.

· 42c42 means line 42 in the first file needs to be changed to match line number 42 in the second file.

Our password is in passwords.new, which we passed as the first file, so the line preceded by < is our required password.
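The interpretation of the diff output above, as an added example (not part of the original walkthrough): a shell helper that runs diff the same way and pulls out the line from the first file together with the line number from the 42c42-style hunk header. The demo function uses constructed sample files in place of passwords.new and passwords.old.

```shell
# Added example, not from the original walkthrough. Runs "diff new old" and reports
# the changed line from the first (new) file as "lineno:text".
changed_line() {  # usage: changed_line newfile oldfile
    diff "$1" "$2" | awk '
        /^[0-9,]+c[0-9,]+$/ {                     # NcM header: a change hunk
            match($0, /^[0-9]+/); lineno = substr($0, RSTART, RLENGTH); next
        }
        /^[0-9,]+[ad][0-9,]+$/ {                  # NaM / NdM: added or deleted lines,
            print "not a changed line: " $0 > "/dev/stderr"; exit 1   # not what we want
        }
        /^< / { print lineno ":" substr($0, 3) }  # "< " lines belong to the first file
        # "> " lines (second file) and the "---" separator carry nothing we need
    '
}

# Constructed sample files standing in for passwords.new / passwords.old:
# same three lines, only the second one differs.
demo() {
    new=$(mktemp); old=$(mktemp)
    printf '%s\n' alpha n3wP4ss gamma > "$new"
    printf '%s\n' alpha 0ldP4ss gamma > "$old"
    changed_line "$new" "$old"          # prints 2:n3wP4ss
    rm -f "$new" "$old"
}
```

On the Bandit box the call is simply changed_line passwords.new passwords.old.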

Use the command ssh bandit18@localhost to connect to the level 18.

Enter the password and hit enter.

OOPS!!!!! As soon as we try to connect to level 18, the connection to localhost gets closed. The reason for this is explained in level 19.

Save the password of level 18.

Level 18 -> Level 19

The goal of this level is to read the readme file in the home directory and get the password to the next level.

But the main issue is that we are unable to log in to level 18 with SSH, because .bashrc has been modified to log us out when we log in with SSH. This modification logs us out as soon as our ssh login completes.

The .bashrc file determines the behaviour of interactive shells: it initializes an interactive shell session.

We can use the command ssh -t bandit18@localhost cat readme, where the -t option forces allocation of a pseudo-terminal; it connects to level 18 and directly prints the content of the readme file.

Or we can simply use ssh bandit18@localhost cat readme (passing our command along with the connection command) without the -t option: the command runs as soon as the connection is made, so we get the required content even though we are logged out of bandit18@localhost right after that.

Use the command ssh bandit19@localhost to connect to the level 19.

Enter the password and hit enter.

Successfully passed level 19.

Level 19 -> Level 20

The goal of this level is to use the setuid binary in the home directory. The password is found in the usual place (/etc/bandit_pass) after we have used the setuid binary.

Use ls -la to list all the files with their permissions, owner, etc. The red highlight in the ls output indicates that the file has the setuid bit set, i.e. it runs with elevated permissions.

We will execute the setuid binary without any argument to learn how to use it. For execution we use the command: ./bandit20-do

It says that this binary runs a command as another user. An example is also given: ./bandit20-do id

In place of id we can run: cat /etc/bandit_pass/bandit20

So, the command used to get the password is:

./bandit20-do cat /etc/bandit_pass/bandit20

We got the password.

Use the command ssh bandit20@localhost to connect to the level 20.

Enter the password and hit enter.

Successfully passed level 20.

TH4NK Y0U!!!