
Over the Wire: Bandit 0-20

What is Over the Wire?

OverTheWire is a website offering challenges in which beating a challenge provides access to the next level. In their words, these “wargames offered by the OverTheWire community can help you to learn and practice security concepts in the form of fun-filled games”. The Bandit pathway is particularly interesting in that it initially focuses on unix commands, letting you build on what earlier levels taught you to progress into the next ones.

First things first, you gotta know where to search. man pages are good, and you can search through them by pressing the / key and entering the pattern you want. If there are no results, adjust the pattern and try again. Stack Overflow may have some suggestions. SS64 also has some good examples. Next up, you’ll want to have some tools ready. My preference is Terminator on Linux for the command line stuff, as it lets you quickly open additional terminals in the same window (man pages, etc.). If you are on Windows, you will need PuTTY or a similar SSH client to connect to the game. You are given the first user & password, host & port. There are many valid syntaxes; I used

ssh bandit.labs.overthewire.org -p 2220 -l bandit0

Enter the password and you are in. For the next level, you are told there is a file called readme in the home directory (where you land upon login); ls & cat provide the password for the next level.

Level 1 – Here, the difficulty is that the filename is a single dash. Programs treat a leading dash as the start of an option (and cat treats a lone dash as standard input), so cat - doesn’t read the file. Fortunately there are ways to force a file to be used as input or output: cat < - and you’re golden.

Level 2 – The filename has spaces. Not to fret, you’re using Terminator, right? Find the file using ls; prepare your cat command and start typing the filename. Press the tab key after the first couple of letters and… the shell completes the filename with the spaces properly escaped.

Level 3 – The file is hidden and inside a different directory. ls shows that the directory is a subdirectory of where the user is, so a quick cd inhere. ls however comes up empty… hmmm… hidden files… maybe ls -a so it shows ALL the files, including hidden ones, and you’re good to go.

Level 4 – You need to find a human-readable file in a given directory. Building up from the last level, cd into the inhere directory and ls. Two difficulties arise: firstly, there are multiple files; secondly, the filenames start with a dash. You could brute-force your way through the files using cat < -file OR you could take a hint from the challenge and look at the file command: file ./* shows which file is text and you can easily read the password.

Level 5 – Here you have multiple subfolders inside the inhere directory. Running file ./*/* isn’t very useful as there are too many results. A quick check of the find man page for size and find -size 1033c gets you to the appropriate file.

Level 6 – Similar to level 5, except the file is hidden somewhere on the server. Running file ./*/* has the same issues as before, and I’m not sure how deep you would need to add wildcards to cover all the potential subdirectories. Once more, find -size run from the root (cd /) lets us find all candidate files. There is something interesting in /var/lib, so running ls -l /var/lib/...| grep bandit7 shows the file attributes. I’m using grep here to ensure an attribute matches the user-owner bandit7 (as per the challenge). The attributes correspond to the challenge: owned by user bandit7, owned by group bandit6, so time for level 7.

Level 7 – Back to data analysis. There are close to 100’000 lines in the given file, so attempting to search it by hand is pointless. Doing cat %input% | grep %pattern% is an absolutely valid solution. Particularly if you start out by looking at a file’s content, it is natural to extend that process into filtering the noise from the signal. It is, however, worth knowing you can do that in a single command, grep %pattern% infile, or in this case grep millionth data.txt, and you’re ready for the next level.

Level 8 – The initial step is to cat data.txt and see what we’re working with. The challenge suggests using sort and uniq. uniq -c provides a count of sequential (adjacent) occurrences; however, in the current order of the file that is a 1 on each line, so the file must be sorted first. sort data.txt | uniq -c and look for the single one.

Level 9 – If we try to find lines with 2 or more = signs through cat file | grep or grep file, we get errors as the file does not consist of text; cat file is not human readable. The strings command will look through the file and extract the printable sequences as separate lines. Filtering that output for the aforementioned pattern provides the answer:
strings data.txt | grep ==

Level 10 – The password is in a file which is base64 encoded. Depending on where your input data is coming from, you may want to look at CyberChef due to its wide range of data transformations. However, it is much easier to just base64 -d data.txt for the password to the next level.

Level 11 – The text has been rotated once by 13 characters, while maintaining case. Since the alphabet has 26 letters, applying the same transform again returns the original text. This one-liner may be useful for CTF challenges: tr 'A-Za-z' 'N-ZA-Mn-za-m'
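The tr one-liner hard-codes a shift of 13. As an added example (not from the original post), the function below builds the rotated alphabet for any shift, so rot 13 reproduces the one-liner and applying it twice gives the original text back; it assumes only POSIX tr, cut and printf.

```shell
# Added example: generalise the level 11 tr one-liner to an arbitrary shift.
# rot N reads text on stdin, rotates letters by N positions, keeps case and
# leaves digits and punctuation untouched, exactly like tr 'A-Za-z' 'N-ZA-Mn-za-m'.
rot() {
  n=$(( $1 % 26 ))
  up=ABCDEFGHIJKLMNOPQRSTUVWXYZ
  lo=abcdefghijklmnopqrstuvwxyz
  # Doubling the alphabet and cutting 26 characters starting at position n+1
  # yields the rotated set, e.g. n=13 gives NOPQRSTUVWXYZABCDEFGHIJKLM (N-ZA-M).
  up_r=$(printf '%s' "$up$up" | cut -c "$((n + 1))-$((n + 26))")
  lo_r=$(printf '%s' "$lo$lo" | cut -c "$((n + 1))-$((n + 26))")
  tr "$up$lo" "$up_r$lo_r"
}
```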

Level 12 – The original file has been compressed multiple times and hex encoded. Be organised, and use file at each decoding / decompression step to see what the next required operation is.
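Doing that by hand is the lesson of the level; as an added example (not from the original post), the function below automates the same loop. Instead of calling file it inspects the magic bytes file itself relies on (1f 8b for gzip, "BZh" for bzip2, "ustar" at offset 257 for tar, an "00000000:" offset column for an xxd hexdump) and applies the matching decoder until plain text remains. It assumes gzip, bzip2, tar and, for the hexdump layer only, xxd are installed.

```shell
# Added example: peel nested compression/hexdump layers off a Bandit 12 style
# file. Prints the innermost plain-text payload; returns 1 if it gives up.
unwrap_layers() {
  work=$(mktemp -d) || return 1
  cp "$1" "$work/layer"
  i=0
  while [ "$i" -lt 20 ]; do            # hard stop so a bad file cannot loop forever
    # First four bytes as hex, e.g. "1f8b0800" (what `file` checks first)
    magic=$(od -A n -t x1 -N 4 "$work/layer" | tr -d ' \n')
    case "$magic" in
      1f8b*)   gzip -dc  "$work/layer" > "$work/next" ;;   # gzip magic 1f 8b
      425a68*) bzip2 -dc "$work/layer" > "$work/next" ;;   # bzip2 magic "BZh"
      *)
        if [ "$(tail -c +258 "$work/layer" | head -c 5)" = "ustar" ]; then
          # POSIX/GNU tar header: "ustar" at offset 257; stream the member out
          tar -xOf "$work/layer" > "$work/next"
        elif head -c 9 "$work/layer" | grep -q '^[0-9a-f]\{8\}:'; then
          xxd -r "$work/layer" > "$work/next"                # xxd hexdump
        else
          cat "$work/layer"; rm -rf "$work"; return 0        # plain text: done
        fi ;;
    esac
    mv "$work/next" "$work/layer"
    i=$((i + 1))
  done
  rm -rf "$work"
  return 1
}
```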

Level 13 – This is a different ssh syntax. Remember to get the password for level 14 once logged in, as running ssh sessions from within an ssh session can quickly

Level 14 – This is the first network challenge. Connect with nc: nc localhost 30000, then enter the password for bandit14 (which you got earlier from the ssh connection) and you’re good to go.

Level 15 – Second network challenge, this time you need to use SSL. openssl s_client -connect host:port provides a connection similar to the one we got in level 14. Submit the password and get access to the next level.

Level 16 – This time we need to look through approximately 1000 ports! Or not… nmap will provide a scan. nmap localhost -p31000-32000 already limits the number of ports to test. However, we can scan aggressively while also getting as detailed a report as possible by using some additional flags: nmap -A -T5 localhost -p31000-32000. Look for the ports running SSL services and get the password for the next level.

Level 17 – Back to file analysis. You could read the files in 2 terminals looking for the differing line OR use the built-in diff command. diff oldFile newFile returns the lines that changed; look through the man page for more details, but this essentially provides you with access to the next level.

Level 18 – Logging in immediately kicks us off the connection. Hmmm. The good news: we’re warned this is an issue with the bash profile, so maybe we can pass a command along with the connection string? ssh host -p<port> -l user "COMMAND" and we can read the password in the file as per the challenge.

Level 19 – We can run commands as another user! The password is available at /etc/bandit_pass/bandit20, so execute the binary and then read the password as if you were already that user.

Level 20 – We want to create a listener returning the current password… echo "REQ" | nc -l host -p<port> & where “REQ” is the password within the double quotes. Pick a port of your choosing (above 1000 is a good call to avoid anything already in use) and then run the binary with that port. #winning.

With the tools presented in these 20 levels, you already have a great toolbag for moving around a unix environment. There are of course multiple ways to solve the challenges, including various scripting techniques for the large enumeration challenges at the beginning; however, for this post I wanted to focus on using the existing tools recommended by the challenges.


Judging a Tracelabs CTF

Judging?

After the June CTF I was considering participating in a couple more events in a competitive manner. The goal was to get better at the analytics side of things, as that is not limited in scope to OSINT for missing people. I like Nicole’s Cognitive Stairways of Analysis as a foundational framework (https://threathuntergirl.com/f/the-cognitive-stairways-of-analysis). However, the intent to be competitive implies preparation, and life got in the way; with 2 team mates down I could only hope for a 3rd time in the top 50. So for the Defcon edition of the Tracelabs CTF, I applied to judge.

Preparation

Much like competitive participation, judging requires some preparation. You want to be the best judge for your team(s). However, the preparation is not as extensive as for competing. In my case it consisted of catching up with the judges’ briefing & reading the judges’ guide. Following that it was a matter of preparing a way of (easily) keeping track of the accepted flags. Joplin comes pre-installed on the Tracelabs VM, so I created the notes with that tool. I have since migrated them to Obsidian, as Obsidian uses less metadata within the files. A template for other judges or people participating solo is available on my github. This should be fairly easy to import into Obsidian, Joplin or Notion as it is a simple collection of markdown files. Links may need to be converted if using Joplin instead of Obsidian.

Having the guidelines quickly at hand meant I could easily copy-paste reasons for rejecting a flag, or validate whether a flag was in the right category (Family vs Friends, Basic vs Advanced subject info, etc.). By keeping track of the submitted flags I could quickly spot duplicates.

For future judging I would look into having something else to do, as the flags seem to come in batches whether you have 1, 2 or 3 teams. I often found myself with 10-15 minute interludes between batches of flags, especially at the beginning while the teams were getting warmed up.

The process

You might expect the flags to come pouring in with no break – except, of course, the teams need to start their research, which means until the first flag comes in you’re left finalising your preparations. As you will need to verify flags from various social media platforms, one element of preparation is ensuring you still have access to them. I left the various platforms open so that I could copy-paste the URLs with no need for logging in, while avoiding cross-contamination between the isolated tabs (Firefox Containers do wonders for this).

The first flag comes in and suddenly the platform makes a lot more sense than when competing (which hopefully means fewer rejections at the next competition). The flag includes the team name, so let the team know I’m judging for them in the comms channel; this way they can discuss any questions more easily than through interposed flags & rejections. Test the flag (is it a new flag?) and validate it (does the flag make sense?), then accept or reject. Upon rejecting, explain why – having the guidelines handy makes it easier to explain why a flag is rejected or its category changed.

You have 2-3 teams. Life happens, so some judges will take on 4. If any flags seem odd, or you are unable to verify them, other judges can help; this means you can then provide your team with the best possible experience.

Post CTF

The Tracelabs CTFs can expose some of the worst that humanity has to offer. As such, it’s important to create an appropriate disconnection from what you’ve experienced before shutting down. See Nicole’s talk at ConINT on strategies for disconnecting:

In my case, it was just catching up on a comedy TV show and crashing for the night. Had there been any significantly traumatic elements, having the other judges to discuss with and externalise any thoughts was/is comforting. It is made abundantly clear that if any judge needs to step away at any time for any reason, it is not a fault on their person, and other judges are happy to take on the extra flags. Knowing when and how to seek help is a part of preparation, but the Trace Labs team makes sure to remind the judges about their availability should a crisis happen.

Learning outcomes

During competitions I found the platform made it difficult to explain the value of a flag. You can establish the category, the relevance and the supporting evidence, along with 1 attachment. As a judge it actually made a lot more sense: submit the URL pointing to the flag. Relevance => explain the flag (i.e. Category => sub category, what can be done with this piece of information?). Supporting evidence => how did you get to this conclusion? If you got to a profile from a different URL, submit it here. As a judge, it is a lot easier to follow your reasoning, and during recompilation the flag will be extra useful. Attachment => visual aid. A screenshot of a social media account isn’t ideal; however, being able to show how you can prove it belongs to a person adds value to the flag.

10/10, would judge again