This course will walk you through a variety of exercises and techniques as part of a capture the flag (CTF) game called Bandit. This will make sure that you have the necessary skills in Linux in order to excel in penetration testing and privilege escalation.
Hi, within this lecture, we're going to continue solving our Bandit capture the flag questions. So, right now, we are in level 3, and I will go to the level 3 to level 4 tips. So, as you can see, it says that the password for the next level is stored in a hidden file. So, here you go, now I believe you know how to do this as well, so you can just run ls -la, and here you go. Now we see the hidden folders and hidden files as well. So, we can come over here to see the inhere, and there's nothing over here if we run ls, but if we run ls -la, then we can see the hidden file over there, so this is a basic one, you know how to run ls -la, I suppose.
Of course, getting the password out of this is trivial, we can just run cat .hidden. So, here you go, this is the password for bandit4, now I'm going to exit out of that one, and I'm just going to SSH into bandit4, so here you go. Now, if I hit 'Enter', it will ask me for the password, then I can give this password and just log in. So, paste selection and hit 'Enter'. Here we go, now we are inside of bandit4. So, let's go to the next level. So, here we have the password stored in the only human-readable file. Here you go, human-readable file in the inhere directory. So, this is kind of interesting. Let's see what it means, human-readable. So, I believe many of those will be not human-readable, and we will just see the human-readable file. So, let's try and see, if I run ls -la, I can see the inhere folder over here. So, let me come over here to see the inhere and run ls -la one more time, and here we go. We have a lot of files over there, so 10 files.
Let me just try this one by one, and it's only 10 files. And I believe we can do this quickly. Maybe we can just run a script or write a script to test this automatically, but I'm not even going to bother with that because it's only 10 files. And as you can see, we cannot run this like that; we have to say ./-file00. So, here you go, this is not human-readable. I believe it was talking about this. So, we cannot read that, and I believe one of these files will contain human-readable text inside of that. So, I'm going to try this for file 1, and file 2, and file 3, and let's try it for file 4, 5; we have 6 and 7, and here you go. We have the password for the next level, I believe. So, this should be the password for Bandit 5.
So, what I'm going to do, I'm going to copy this, and I'm going to copy selection, and I'm going to exit out of this one and just connect to Bandit 5. Let me come over here and write Bandit 5. It will ask me for the password, and we will see if we did it right. So, let me paste it over here and hit 'Enter'. So, here we go, we are inside of Bandit 5, and let me just open the tip from here as well. So, level 5 to level 6. Again, we have a password, and it is stored in a file somewhere under the inhere directory, but this time it should be human-readable, and it has a specific size in bytes, and it should not be executable. Very interesting. Let's try to find that. Let's see what it looks like. Let me run ls, here we go, we have the inhere folder. Let me run ls -la, and we have a lot of folders right now, maybe here, maybe there. So, we have 20 folders.
So, this time, we're not going to try this one by one, I believe. So, it's getting harder and harder. And I believe, if we go into those folders, there will be many more files inside of those folders as well. Let me try one, and here we go. We have a lot of files over here like file one, file spaces, something like that. So, we have to find a way to test this at once, and actually we have to find a way to find our file with these specifications, with the bytes or not-executable specifications. Of course, you can just try to see the size of every file inside of those folders, but it will take some time. And here we have the tip. We have a command in Linux called find.
And let me go to a new tab over here. It runs in Kali Linux as well, obviously. You can see how it's used over here by typing find. If you just type find, it will just try to find every file and folder, and it won't do any good for you. So, I'm going to clear this up, and I'm going to run find --help, so that we can see how it's used. Let me open this up, and here we go. So, find is a command that we use in order to find some file or folder, and it takes in a lot of parameters over here, so we have to understand how we can use this in order to specify the size or specify executable or not. So, over here, you can see the normal options, tests and actions, like you can just specify the maximum depth, minimum depth, depth, name patterns, regex, or whole name, executable, readable. You can specify anything you want, actually.
And we're going to use all of those things, because, as you can see, it says executable; it says size. We're definitely going to use size, because we have these 1,033 bytes and not executable over here, we can just specify. I want to find the files that are 1,033 bytes in size, and I want to find the files that are not executable at all so that I can actually narrow down my search and I can just try maybe a couple of files to see if they're the ones that I'm looking for. So, we're going to use this command on the server as well. So, I'm going to make this smaller a little bit, one more time, and let me go back to here and let's try to run the find command over there. And we're going to narrow down all the possibilities over here. But I believe I cannot type anything right now, and I believe I lost my connection somehow. Maybe we can just exit out of this one or just try to connect one more time.
Let me see if I can get my password. By the way, I don't have my passwords stored over here. Let me try to paste it over there, and let's see if this works or not. And here you go. I have the password, and I just realized that we are not saving these passwords, and I believe it's a very good habit to save all those passwords into a text file so that if we lose our connection like that we can come back and check it. So, let me go to my documents, and I'm going to create a folder called CTF or something like that or Bandit. Let's actually call it CTF because we're going to solve a lot of CTFs over here. I'm going to go into the CTF, and I'm going to create Bandit over here, and I'm just going to go into the bandit, and I'm going to create a notes.txt. I'm going to just use Nano.
I'm going to call this password, and I'm just going to paste this over here. So, this is level 5. So, I'm going to take note of all the passwords. I'm going to say Ctrl+O, Ctrl+X, and here we are. So, here you go, I believe you know how to use Nano by this time; if you don't, try to use any other text editor that you're comfortable with. I'm going to paste this in, and I'm going to try to log into our server over here, but I believe there is something wrong, or let me try one more time. Here you go. We're getting some kind of a weird error over here. Let me try to copy this one more time from the file that we have just created. Maybe I have copied spaces by mistake. Okay, it happens. So, I'm going to keep this out, and I'm just going to take this. And I'm just going to copy this, and I'm just going to come back over here, and I'm going to log into the Bandit 5 one more time. Here we go. Let me paste the selection and hit 'Enter', and see what happens. Let me try one more time. Here you go. It says that connection closed, so maybe there's something wrong with the server. I'm going to try this one more time and see if we can make it right or not. Here you go. Now, we made it right. So, I'm going to clear this thing and I'm just going to use the find command that we have been discussing. So, I'm going to go over here and if we just write find .
So, . means I'm trying to find something in the current folder and I'm going to specify the type and size and whatever I want over here. So for the type, I'm looking for a file. So, I'm going to specify f, and for the size, I'm just going to write -size. Obviously, remember they have documentation, and this will be 1033, and let's see if this works or not. If we don't have any executables over here, we don't need any further filtering. So, here you go. We only have one file in this current folder that is 1033 bytes in size. So, I believe it was easy to find this and of course, we can just narrow it down more but there's no point because as you can see, we only have one file and you can just write it like this.
So, -executable. As you can see, there is nothing executable over here. So, this is fine. Anyhow, I found what I'm looking for. So, you can just write something like this by the way, in order to make it negative, like find something that is not executable, all you have to do is just put an ! in front of the -executable, and it gave us the same result because file 2 is not executable. So, I'm just going to cat this out: /maybehere07/.file2. And here you go. We have the password, so see how easy this is due to the find command. So, remember this find command because we're going to be using this a lot during the course as well.
So, I'm going to try and log into bandit6 and see if this works or not. See if this is the right password. Don't forget to make a note of it. Here you go. Now, this is the right password, we see. I'm going to open a new tab and come over here and write it in my password.txt file. So, let's go to Bandit and nano password.txt, and I'm going to paste the thing that we have copied over here and I'm just going to write level 6. So, Ctrl+O, Enter, Ctrl+X, and here we are. So, here we go.
Now, let's go to the tips for the level 6 to level 7. So, this is again the find command, I believe. So, the password for the next level is stored somewhere on the server and has all of the following properties. So, either we have a folder called Somewhere on the server, or it literally means that it's saved somewhere on the server and we don't know which folder this is. And it's owned by the user bandit7, and it's owned by the group bandit6, and it's only 33 bytes in size. So, fairly simple, because now we know how to use the find command. So, again, without the find command, maybe we couldn't have found this, or it would take so much time. But, if you run ls -la, as you can see, there is no file and folder over here, and it literally means that it's saved somewhere on the server but we cannot see it. So, we have seen how to use find within the current folder that we are in with the . argument. Write find .
But, we haven't seen how to use the find command for the whole server or for the whole system. So, it's fairly easy. Again, rather than ., you can just write find / rather than find . We have written this like that a couple of minutes ago. Remember, find . Now, all we got to do is to replace this with /, and I'm not even going to do that. Let's try to run this like that and you will see it won't find anything. So, write it like this, find . and just specify the type. It's going to be a file, and the user this time is going to be bandit7, and the group this time will be bandit6. We can specify the size, obviously. We can just write 33 over here. So, the size of our file that we're looking for is 33 bytes, and here you go. It couldn't find anything because it really doesn't reside in this current folder. Now, let me replace this . with / and see what happens. So, if you run this like that, then it will find a lot of things, and here you go. We have a lot of things, but we have permission denied for many of them because it's the user thing, the user bandit7 owns them and we don't have permission to read them, and I believe we will find something that we have permission to read, and here you go. This is /var/lib/dpkg/info/bandit7.password. Here we go. Now, this is the thing that we are looking for. We are authorized to read this. As you can see, we don't see permission denied.
Right next to it, it's owned by our group, but it's owned by the user bandit7, and bandit7 apparently made it available for us. So, I'm going to cat this out and see the password of bandit7. Here you go. This is the password of bandit7. Now, I'm going to copy this, and I'm going to make a note of it as usual. I suggest you do the same thing as well, so that if you lose your connection at some point, you can come back and start where you left off. Otherwise, it means that you're going to either start from scratch or try to just copy and paste it from, or just try to make a note of it from, my videos. It's hard as well. So, let's try to ssh into this bandit7, and I'm going to paste this selection over here, and here you go. We are inside of bandit7. Now, what we're going to do, we're going to try to go into bandit8, of course. And let's do that within the next lecture, because we made this video a little bit long. See you in the next lecture.
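The two find searches from the lecture (level 5 to 6: type, size and the executable bit; level 6 to 7: owner, group and size across the whole system) as an added, runnable example that is not part of the course material. It builds a small constructed directory tree in a temporary folder instead of the Bandit server; the `c` suffix on `-size` makes the number mean bytes rather than 512-byte blocks, and `2>/dev/null` hides the permission-denied lines that a `find /` produces.

```shell
#!/bin/sh
# Added example (not the course's own code): the Bandit find searches on a constructed tree.

setup_tree() {
  # Constructed sample layout that mimics inhere/maybehereNN/; prints the temp root.
  root=$(mktemp -d)
  mkdir -p "$root/inhere/maybehere01" "$root/inhere/maybehere07"
  printf '%1033s' '' > "$root/inhere/maybehere07/.file2"      # 1033 bytes, not executable
  printf '%1033s' '' > "$root/inhere/maybehere01/-file1"      # 1033 bytes, but executable
  chmod +x "$root/inhere/maybehere01/-file1"
  printf 'hello\n' > "$root/inhere/maybehere07/spaces file"   # wrong size
  echo "$root"
}

# Level 5 -> 6: regular file, exactly 1033 bytes (c = bytes), not executable.
# $1 = directory to search (on the server this is . inside inhere)
find_candidate() {
  find "$1" -type f -size 1033c ! -executable 2>/dev/null
}

# Level 6 -> 7: regular file owned by a given user and group with a given size in bytes.
# $1 = search root (use / on the server), $2 = user, $3 = group, $4 = size in bytes.
# -user/-group accept names (bandit7, bandit6) or numeric ids.
find_owned() {
  find "$1" -type f -user "$2" -group "$3" -size "${4}c" 2>/dev/null
}

# Stand-alone demo: build the tree, run both searches, clean up.
demo() {
  root=$(setup_tree)
  echo "level 5 candidate(s):"; find_candidate "$root/inhere"
  echo "owned by me, 1033 bytes:"; find_owned "$root" "$(id -u)" "$(id -g)" 1033
  rm -rf "$root"
}
```

On the real server the level 6 search is `find / -type f -user bandit7 -group bandit6 -size 33c 2>/dev/null`; the only readable hit is the file the lecture cats out.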
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.