OverTheWire: Bandit Lab

-

Bismillahirrahmanirrahim (In the name of Allah the most gracious, the most merciful)

So recently I and @electro decided to solve wargames and CTFs in the spirit of honing the skills and because we are preparing for something really important (another post for another day). We decided to start with the labs at overthewire and the first on the list was Bandit Lab. Bandit Lab was a fun experience, mostly easy, except for one or two tricky levels, level 26 and level 33 in particular. This Labs weren't so difficult but required a bit of thinking outside the box, hence why am documenting them.

NB: this writeup doesn't include our thought process while solving the levels

Level 26

Level Description


When we attempt to login to this level using the private key obtained from the previous level we get automatically logged out and since the level goal already informed us that we are dealing with a different shell, we need to figure out what it is and how to break out of it.


Above is the banner that gets printed out when we attempt to log in and we get automatically logged out. So how do we figure out the shell we are dealing with? well, we will have to look at the /etc/passwd file from the previous level, since it holds the login information of all users on the system.


And indeed the shell isn't bash but some unknown shell showtext, let's check out what it is.


It turned out showtext is just a short shell script that uses more utility to show the content of the text.txt file and then exit. Now, this is the tricky part, since the level goal already recommended reading man pages for more which we did we figured out we could run shell commands with more utility.


The problem was that shell kept exiting before we even had the chance to interact with more. After a lot of headbanging and reading of the manual pages for ssh, vi, and more it turned out we just needed to resize the terminal window and we will be able to intercept the shell script in more before it exits.


Attempting to log in with a resized screen.


Login in successful and we are now in more so shell script hasn't exited. Running command directly via more didn't turn out to work successfully so we figured from the documentation that we could start the vi editor from more with the v command.


The reason the command didn't work directly in more was that we were still using the showtext shell and we can see that by attempting to view the current shell from vi.



we need to change the shell to bash or something in order to be able to run arbitrary commands.


After changing the shell, we run :sh to execute our newly set shell from vi.


And that's it Level solved.

Level 33

Level Description


It's another shell escape level. I must confess without the amazing team effort with @electro am not sure I would have figured this out quickly. So upon login to level32, the shell has been set to change all commands to uppercase.


When we check the /etc/passwd file we confirm that the shell is indeed not bash.


The shell is uppershell and is not even readable. Our approach to defeating this level relied on shell expansion (will be discussed fully in another post) and the fact that /tmp/ dir is globally writable.


In summary, what we did was create a directory under /tmp/ with our custom shell script which we made executable by anyone and then relied on shell expansion to do the heavy lifting for us. I plan to create another post to explain the above concept in detail since it's late now (about 01:48 AM) and I need to wake up early tomorrow.

So that's basically it on the two levels that we found to be really interesting in the bandit lab, watch out for natas and krypton labs coming soon inshaAllah.



Comments

  1. abdulhameedOctober 20, 2021 at 4:48 PM

    i love it, it's a little bit challenging, i'm coming for it too

    ReplyDelete

Post a Comment

Popular posts from this blog

Before You Dive In...

-
I have always wanted to write, partly to improve my writing skills but also to document my research in reverse code engineering, software exploitation and computer programming in general, my current goal is to have at least a post a week, but since am just starting out I do not know how feasible that will be considering school and my need for quality over quantity. In the coming weeks, I will post on varying topics from software reverse engineering to exploitation and basically anything that interest me. My primary aim is just to cement my knowledge in my fields of interest by giving back to the community as I learn and hopefully along the way help someone trying to learn. A quick disclaimer though is that I am no professional at either writing or the subject on which I will be writing (at least for now),  am just trying to navigate through the vast ocean of knowledge hoping to pick one or two things along the way, so corrections, constructive criticism, and even unconstructive ones
Read more

SSRF Notes: PortSwigger Labs Continued

-
Image
  Lab 3: SSRF with blacklist-based input filter Task :  This lab has a stock check feature which fetches data from an internal system.  To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos.  The developer has deployed two weak anti-SSRF defenses that you will need to bypass. This Lab is just like the previous ones except that we need to bypass blacklist filters. This is what a normal request to the stock check feature looks like: Passing http://localhost/admin to the stockApi parameter does not work this time. we get this response: That's the filter blocking us. It turned out 127.0.0.1, localhost, admin are all blacklisted so cannot be used. So after trying a couple things the following was able to bypass the filter: We get the following response: So to complete the Lab we just proceed to delete carlos. And that's it Lab solved.
Read more