This course will walk you through a variety of exercises and techniques as part of a capture the flag (CTF) game called Bandit. This will make sure that you have the necessary skills in Linux in order to excel in penetration testing and privilege escalation.
Hi. We are currently in Level 17 of the Bandit CTF. Now, we're going to go into Level 18. So here, we have the Level 18 password log over here. It's important that you log every one of the passwords over here, not only for CTF reasons, but because we can lose the connection at any time, as you may have already experienced at this point. And, I believe, I have already lost my connection to Bandit 17. I'm going to just close it down and join it again later on. Just for right now, I'm going to focus on the right-hand side in order to understand what kind of challenge we are facing over here. Then, we can go back and ssh into bandit17 one more time. So, there are two files: passwords.old and passwords.new. So, the password for the next level is in passwords.new, actually. And that password is the only one that has been changed between passwords.old and passwords.new. So, it's fairly easy. The only string that has been altered is our password. So, we're going to have to find that thing. So, let me just open a 'New Terminal' over here and 'ssh bandit17', because I've lost my connection. So, I believe, there is a timeout. So maybe, if you wait something like two minutes or five minutes before writing stuff, or without interacting with it, it will lose the connection. But, I don't know the logic behind it. So, let me run 'ls -la'. I believe I've changed my keyboard settings for some reason. I'm going to change my keyboard back to the Turkish version, so you don't have to do that, obviously. So, I'm going to run 'ls -la'. So, here we go. We have those files over here: passwords.new and passwords.old. So, that's good. So, we have to find the difference between them, and there is a very basic command that does that for us. So, let me just 'cat' this password. As you can see, there are a lot of passwords over here. It's pretty much the same in 'cat passwords.old' as well. There are a lot of hashes, so there is only one difference and we have to find it.
So, of course, you can think of different kinds of algorithms in order to do that. But, there is one command, which is diff, and it's given to us here. It stands for difference and it's exactly what we want. It takes the difference between two files. So, you can just run 'diff passwords.new passwords.old'. And it will give you the difference between those two files. It's that easy. So, we have two hashes over here. One of them is our password. I don't know which one it is. But, I believe, since we have written the new one first, the first one should be our password. So, let's go for that one. And, of course, if it doesn't work, we can always go for the other one as well. But, right now, I'm going to assume that is our password. So, I'm going to 'Save' this and I'm just going to save it as 'level 18'. And, I'm going to 'exit' out of this one and I'm going to go into 'bandit18'. And here you go. Let me just try to connect to bandit18 and let me test this and see if it works or not. And here you go. I believe it worked, but we get some error. Now, it says "Byebye!". And here we go. We have that tip over here. So, we have that, "NOTE: If you have solved this level and see 'Byebye!' when trying to log into bandit18, this is related to the next level, bandit19". So, I believe, there is some new challenge.

Let's go to 'bandit18'. So, "The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH." So, it's a little bit tricky. So, if you log in via SSH, there is a file called .bashrc and it's configured to log us out. And it's interesting. So, all the commands that we need to solve this level are ssh, ls, and cat. So, it's getting a little bit hard, as you can see. And, I believe, we can overcome this with SSH, since this is the only lead that we have over here.
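An added example (not part of the lecture) that makes the diff step reproducible offline: it builds two constructed password files that differ in exactly one line, shows the raw diff output, and extracts the changed line by the side marker. In `diff A B`, lines prefixed with '<' come from A and lines prefixed with '>' come from B, so the order you pass the files decides which marker carries the new password. The file contents and the password values here are made up for the example.

```shell
#!/bin/sh
# Added example, not from the Bandit course: which side of a diff a line belongs to.
# passwords.old / passwords.new below are constructed sample data, not the real files.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/passwords.old" <<'EOF'
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
cccccccccccccccccccccccccccccccc
dddddddddddddddddddddddddddddddd
EOF

# passwords.new is identical except that the third entry has been replaced.
sed 's/^cccc.*$/NEWPASSWORDxxxxxxxxxxxxxxxxxxxxx/' "$WORK/passwords.old" > "$WORK/passwords.new"

# diff OLD NEW: the '>' line is the one that exists only in NEW, i.e. the new password.
changed_line_in() {
    # $1 = old file, $2 = new file; prints the line(s) present only in the new file
    diff "$1" "$2" | sed -n 's/^> //p'
}

# diff NEW OLD (the order used in the lecture): the new password is then the '<' line.
changed_line_from_first() {
    # $1 = new file, $2 = old file; prints the line(s) present only in the first file
    diff "$1" "$2" | sed -n 's/^< //p'
}

# Show the raw output so the markers are visible. diff exits 1 when the files differ,
# which is not an error for us, hence the "|| true" under set -e.
diff "$WORK/passwords.old" "$WORK/passwords.new" || true
echo "new password (diff old new, '>' side): $(changed_line_in "$WORK/passwords.old" "$WORK/passwords.new")"
echo "new password (diff new old, '<' side): $(changed_line_from_first "$WORK/passwords.new" "$WORK/passwords.old")"
```

The raw output for the sample files is `3c3`, the old line prefixed with `<`, a `---` separator, and the new line prefixed with `>`. If you pass the files in the lecture's order (`diff passwords.new passwords.old`), the new password is the `<` line, which is the first one printed; so there is no need to guess between the two candidates.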
And, in order to do that, we have to use an SSH parameter, the SSH capability of changing the shell that we are trying to log into. So, we can do that with SSH. But, we have to specify some new parameters. We are just saying login with bandit18 to that host in this case. And, rather than .bashrc, we need to cancel out this .bashrc. So, we need to change to another shell rather than the Bash shell over here. So, let me go to 'google.com' and search for it. I'm going to say, 'ssh change shell sh'. So, rather than Bash, of course, I'm going to go with sh. There are different kinds of shells that we can use when we try to open a session in a terminal. So, "Choosing the shell that SSH uses?" That is exactly what I'm looking for. And here you go. It's exactly the same thing that we are asking for. It's using Bash and we need to change it to something else. So, we can use chsh, nope. It can be used after we log in, but we cannot even log in. So here, we have something like zsh -l. And, "The -t flag forces a pseudo-tty allocation." We can try this -t flag. And, "-l flag spawns a login shell." So, we can use those flags in order to try and change our shell over there. So, let me just scan these other solutions here a little bit. And, I believe, we don't have anything else. Let's try this -t flag. So, I'm going to give the '-t' flag over here. And I'm going to specify the shell at the end, like we have seen in one of the examples. So, let's see. Where was that example? Here you go, zsh. Now, I'm not going to use zsh, I'm just going to use the old bin/sh. So, it should work if this -t flag works. So, all you've got to do is just come to the end of this and write 'bin/sh', by the way, in single quotation marks like that. So, if I hit 'Enter', it will ask me for the password, and let me give the password and let's see if we can come over here. Let me just take the password one more time. Let me 'cat password.txt'. It didn't even accept the password. I believe we are doing something wrong over here. So, let me paste it and hit 'Enter'. It says, "No such file or directory". It cannot find the bin/sh. So, let me just try it like this. It will make much more sense, '/bin/sh'. And let me give the password one more time. And here we go.
We have the shell, I believe. So, we are inside of the shell. Who am I? I'm bandit18. So, good. So far, so good. So, if I run 'ls', I will see the readme. And let's see. Let's 'cat readme'. And here we go. We have the file, we have the password for level 19. So, it's very easy to go to level 19 from 18. But, it's also not easy to open level 18, if you don't know that you can change the shell with SSH. Of course, it can be found easily, like we did with googling. But again, it's a hard one, I believe. So, we are inside of 18 now and we have the password for 19. I believe we are done over here. So, if I didn't see that SSH command in the tips, by the way, it would be very hard for me to understand that I need to change this. And also, it gives us the .bashrc tip over here. So, it was easy for me to find. But, if I didn't have the .bashrc tip and the SSH tip over there, maybe it would take me much longer to figure this out. So, let me try 'ssh bandit19'. And for some reason, we cannot come over here. And let me just copy that one more time and say, 'Paste Selection'. And here we go. We are inside of bandit19. So far, so good. Let me open 'Bandit 19' over there. And now, we're going to go into Bandit Level 20. So, we are going inside of a new thing, setuid. I'm going to come over here and just stop this and continue within the next lecture to go into Bandit Level 20.
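An added example (not from the lecture) that reproduces the Level 18 trap on your own machine, so you can see why the `-t ... /bin/sh` trick works without needing the Bandit host. It builds a throwaway home directory whose .bashrc prints "Byebye!" and exits, then shows that an interactive bash never reaches the readme while sh, which does not read .bashrc at all, does. The home directory, the .bashrc, the readme contents and the ssh host/port placeholders in the comments are all constructed for the example; the real level password is not included.

```shell
#!/bin/sh
# Added example, not from the Bandit course: a local model of the bandit18 .bashrc logout
# and of why asking ssh for /bin/sh instead of the default bash gets around it.
# FAKE_HOME, its .bashrc and its readme are constructed sample data.
set -eu

FAKE_HOME=$(mktemp -d)
trap 'rm -rf "$FAKE_HOME"' EXIT

# Model of the modified .bashrc: every interactive bash sources this and is thrown out.
cat > "$FAKE_HOME/.bashrc" <<'EOF'
echo 'Byebye!'
exit 1
EOF
echo 'sample-password-for-the-next-level' > "$FAKE_HOME/readme"

# What a normal `ssh bandit18@HOST -p PORT` session does: sshd starts the account's login
# shell (bash) interactively, bash sources ~/.bashrc, and the session ends before any
# command of ours runs. bash -i forces interactive mode so ~/.bashrc is read here too;
# stderr is dropped because bash warns about the missing terminal.
login_via_bash() {
    HOME=$FAKE_HOME bash -i -c 'cat "$HOME/readme"' 2>/dev/null || true
}

# The lecture's fix: `ssh -t bandit18@HOST -p PORT /bin/sh`. The trailing argument is run
# as the remote command, so we get sh, which never reads .bashrc, and -t allocates a
# pseudo-tty so that sh is usable interactively (without -t it would have no terminal).
# Note the absolute path: a relative 'bin/sh' is looked up inside the home directory,
# which is the "No such file or directory" seen in the lecture.
login_via_sh() {
    HOME=$FAKE_HOME sh -c 'cat "$HOME/readme"'
}

echo "interactive bash session prints: $(login_via_bash)"
echo "sh session prints:               $(login_via_sh)"
```

The first call prints only "Byebye!" and exits with status 1 before `cat` runs; the second prints the readme. On the real host the same two behaviours are what you see with the plain `ssh bandit18@...` login and with `ssh -t bandit18@... /bin/sh`; replace HOST and PORT in the comments with the values from the Bandit level page, which this example deliberately does not hard-code.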
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.