Bandit
This course will walk you through a variety of exercises and techniques as part of a capture the flag (CTF) game called Bandit. This will make sure that you have the necessary skills in Linux in order to excel in penetration testing and privilege escalation.
Hi. We are in Bandit Level 27 and we want to go into 28. And here, we have the Git tips over here. So, this level is about Git. And if you are a software developer, I assume you know about Git. Git is a version control system. We use it to version control our projects, version control our code. We use it to publish our code to GitHub and so much more. If you are a developer, you should know about this. And if you are a cybersecurity specialist, you should know about this as well. So, this level is about Git. If you run Git on the server, as you can see, we can use Git, we can use the Git commands. We're going to have to know a little bit about this Git stuff in order to solve this problem, I believe, because it says that there is a Git repository in one of the folders or one of the files over here, and we have the password in the Git repository. So, a Git repository is actually a project, okay? So, you write code, you create a project, and you save it under your Git repository so that you can reach that Git repository later on to do some operations. For example, if you want to, you can create a savepoint, which is a commit in Git. In that savepoint, you actually are at a point where you are satisfied with your project. So, if anything happens, like if you break something, you can fall back to that point if you want. You can check out that commit later on. So, let me show you what I mean. Go to 'github.com/atilsamancioglu'. So, it's spelled like this, okay? Just look at my browser. You can go to any repository you want. But, you can just go to mine. And you can see, I have a lot of repositories since I'm a software developer as well. I can go into my PythonCourse over here and I can see all the available files and folders for me, all the code that I have been working on, all the checkpoints, all the commits that I have done over here. So, let me show you what I mean. So, in this case, we can say, 'View code'.
And over here, I have a lot of Python notebooks. So, let me go into one of them. Like, in one file over here, we can see the code and stuff. As you can see, we used Git in order to create a repository. And over that repository, I can do whatever I want. So, let me come over here and write 'git clone' and paste that SSH URL over here. And it says, 'Permission denied'. I'm going to tell you what cloning means, don't worry. I'm going to create a temporary folder over here, okay? So, I'm going to call this '/tmp/atil27' since we are in 27. I'm going to 'cd' into that and I'm going to run the same command, 'git clone', and I'm going to say, 'yes'. So, cloning means... And it asks for a password. So, I believe we have to give the password for Level 27 over here. I'm going to just say, 'Paste Selection'. Here you go. So, cloning means copying that repo to my own server, to my own computer. Now, if I run 'ls -la', here you go. We have the repository and we only have a README file. Now, if I cat that file... Here you go, we have the password. So, this is relatively easy. We didn't have anything to do. We just cloned it. But, we have learned about cloning. So, cloning means downloading that repo to your own project, to your own computer, to your own server. So, I'm going to nano this password over here and just paste it over there. So, this is 'level 28'. And this is 'level', not lebel. So, I'm going to 'Save' this one and I'm going to come back here to 'exit' out of that one and to log in to 28 over there. So, as you can see, it was fairly easy. We cloned it, we had just seen the README file, and we found the password. Let's see what else we have in 28. Let's see if it's related to Git again. Let's come over here. Yes, it's related to Git again. So again, there is a Git repository at some server. And we're going to clone the repository to see what we can do with it. I'm going to just make another directory over here. I'm going to call this 'atil28'.
I'm going to 'cd' into that and I'm going to clone the thing again. And, in order to clone, I will just run 'git clone' one more time, and paste the selection, and it will download the project for me. And for the password, of course, I'm going to cat the 'password.txt' and just copy and paste this thing. So, as you can see, keeping logs of our passwords is very efficient and very necessary at this point. So, if you run ls, we can see the repo folder over here. If we run ls -la one more time, we have the README. And here you go. We see the username and we see the password. But, the password is actually encrypted. So, the commands you may need to solve this level are Git. So, we have to deep dive into the Git commands over here. So, what did I say before? We can use Git in order to create checkpoints. And there are a couple of things that you should do if you come across a situation like that. You have to check some commands, you have to check 'git branch -r'. So, it shows you the different branches that you are inside or the different branches available. You can run 'git branch' to see the current branch that you are in; we are in the master branch. I'm going to tell you what a branch is later on. Just so you know, we are in the master branch right now. We don't need to do anything. You can search for 'git tag'. We don't have any tags in this repo. You can search for 'git log' and you can see all the commits that have been done for this project. So, what was the commit thing? What were the commits? So, these are checkpoints. When a developer writes some code, when he is satisfied, when she is satisfied with the current level, they can just say commit these changes to my repository so that I can come back here or go forward in time in order to just deal with my project. And, in this case, as you can see, it says, "fix info leak". So, this is a commit message. When you commit something, it asks you for a message. So, the developer has written, "fix info leak". So, most probably at some point, the developer fixed the info leak. And if we come back in time, like if we go to that commit, that particular commit, we may reverse the thing that she has done. So, we can just say 'git checkout'. And we can just copy that and paste that hash. And here we go. Now, I'm going to run 'ls -la'. So, nothing has been changed. Apparently, we only have README one more time. But, if I cat this, then I will see the password over here. So, what happened? The developer fixed that problem. They erased the password. They just put xxxx and then committed it. And we undo that commit. So, I'm going to 'Save' this to my password.txt and I'm going to 'exit' out of this one and I'm going to log in to Bandit 29. So, here you go. So, let's see if this is the right one, and let's paste this, and hit 'Enter'. So, here you go. We are inside of Bandit 29. And let's see if this is about Git as well.
If this is about Git, I'm going to continue solving it. Yes, here we go. Again, this is the same thing. I'm just going to clone that one and see what this is about. I'm going to make a directory under '/tmp', I'm going to call this '/atil29', and I'm going to 'cd' into that. And then, I'm going to 'git clone', and just paste this over here, and we're going to need the password one more time. So, let me cat the password and let me get the password from here. And come over here and just 'Paste Selection'. Here you go. Now, we are inside of Bandit 29 and we can see the repo. Let me 'ls -la' and here we go. Again, we don't have anything if we cat the README. It says, '< no passwords in production! >'. So again, there are some standard things that we should do. We can check the git log, we can check the git tag. And here, we have the 'fix username' and 'initial commit of README'. So, we can try to go back to that commit and see if it changes anything, or we can try to just see if we have any tags with git tag or git branch. We are inside of master, but as you can see, we have a lot of branches over here. So, branches are different ways that you can go in your project. So, you can create a test branch, for example, and just go back whenever you want so that you won't break anything. So, I'm going to just say 'git checkout dev'. So, if I write 'git branch', right now I'm in the dev branch rather than the master branch, so that means development. Now, since we actually changed the branch, we can check the git log one more time and we can check the README one more time because it has been completely changed for us. For example, in git log, we see a lot of logs over here, as you can see. So, let me cat the README and here we go, we already see it. If we hadn't seen this, we would try to go back into the other commits, again, with the git checkout command, but right now we can see the password.
So, I'm going to copy this one and I'm going to just nano into this and I'm going to save the Level 30 over here. So far, so good. Actually, I'm trying to do this a little bit fast because I believe if you have come to this point, now you're a little bit fluent with this nano thing, SSH-ing in, okay, so I'm not wasting any time to explain the things that we have done so far. So far, so good. Let me go into bandit30 and let's see if this is about git as well. Let me come over here. Yep, this time it is about git as well, and it doesn't give us any specifications, so we're going to have to do the same thing one more time. Let me create '/tmp/atil30' and I'm going to go into it with 'cd /tmp/atil30' and I'm going to git clone this project and let me "Paste" this over here and say, yes, and let me get the password one more time. So, let me just copy this and come back and paste it over there and here you go, we have managed to clone it. So, if I run 'ls -la', we can see the repo. Let me run 'ls -la' and let me just cat the README file and it says that it's just an empty file and it laughs at us. So, very good. So, let me just go to git branch and we only have the master branch over here. Let me run git log and there's only one git log over here, one commit, and in git tag, we have the secret thingy going on. I believe we have to go for that. It's pretty obvious, right? So, you can use tags, and if you say 'git show secret', it will show the secret for us. So, it may be the password for the next level, right? So, come over here and just paste it over there and let's go to Level 31. So, it was pretty easy as well. I believe these are all designed for us to learn about git, but if you're a developer like me, you have done this like 1000 times, so you know how to work with git and you can just proceed over here a little bit faster. So, let me come over here and say enter, let me come over there and let me go back to here to go into Level 31, and this is about git as well.
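The three hiding places just walked through (an earlier commit, another branch, an annotated tag) are exactly what a repository audit has to cover. The script below is an added example, not part of the course or of Bandit: it builds a throwaway local repository that mirrors those three patterns and then scans every commit reachable from any ref plus every tag message, instead of only the README that happens to be checked out. The repository path, the identities and the CONSTRUCTED_PW_* values are all made up here.

```bash
#!/usr/bin/env bash
# Added example, not part of the course: build a throwaway repository that
# mirrors the Bandit 28-30 patterns (a "fix info leak" commit, a dev branch,
# an annotated tag) and audit EVERY commit and tag for secrets, not only the
# checked-out README. Repo path, names and CONSTRUCTED_PW_* values are made up.
set -eu

make_demo_repo() {
  local repo="$1"
  rm -rf "$repo" && git init -q "$repo"
  git -C "$repo" symbolic-ref HEAD refs/heads/master   # fixed branch name
  git -C "$repo" config user.email "demo@example.invalid"
  git -C "$repo" config user.name  "Demo"
  printf 'username: bandit\npassword: CONSTRUCTED_PW_1\n' > "$repo/README"
  git -C "$repo" add README
  git -C "$repo" commit -q -m "initial commit of README"
  printf 'username: bandit\npassword: xxxxxxxx\n' > "$repo/README"
  git -C "$repo" commit -q -am "fix info leak"          # Bandit 28 pattern
  git -C "$repo" checkout -q -b dev                     # Bandit 29 pattern
  printf 'dev notes\npassword: CONSTRUCTED_PW_2\n' > "$repo/README"
  git -C "$repo" commit -q -am "dev work"
  git -C "$repo" checkout -q master
  git -C "$repo" tag -a secret -m "CONSTRUCTED_PW_3"    # Bandit 30 pattern
}

# Print every line matching $2 (default "password:") in every commit reachable
# from any branch or tag, then every annotated tag message. Output lines look
# like <commit>:<path>:<lineno>:<text> and "tag <name>: <message>".
audit_history() {
  local repo="$1" pattern="${2:-password:}"
  git -C "$repo" rev-list --all | while read -r commit; do
    git -C "$repo" grep -n -e "$pattern" "$commit" || true   # no hit is fine
  done
  git -C "$repo" for-each-ref \
    --format='tag %(refname:short): %(contents:subject)' refs/tags
}

# Count hits that are real values rather than the redacted xxxxxxxx placeholder.
count_leaks() {
  audit_history "$1" | grep -v 'xxxxxxxx' | grep -c 'CONSTRUCTED_PW' || true
}

demo="${TMPDIR:-/tmp}/git-audit-demo.$$"
make_demo_repo "$demo"
audit_history "$demo"
echo "leaked values found: $(count_leaks "$demo")"
```

Running it lists the redacted placeholder once and the three constructed values once each, which is the point: a "fix info leak" commit removes nothing from history, so the only real fix is rotating the credential.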
Let's see, yep. So, I'm going to git clone that one this time. So, I'm going to copy this, I'm going to just make a directory in the tmp folder, say, atil31. I'm going to cd into that folder, /tmp/atil31, and I'm just going to git clone that one, and we're going to need the password. Let's go back for the password. Let's get the password from here and say, "Copy Selection", and come over here and "Paste Selection". And let's see if we have the repo, if we go to the repo and if we run ls -la. Let's see, we have the .gitignore. So, let me cat the README first of all. It says that this time your task is to push a file to the remote repository. Okay, we can do that with git push, by the way. 'Details: File name: key.txt', Content: 'May I come in?', Branch: master. So, it asks us to create a file called 'key.txt', and inside of key.txt, we should have 'May I come in?', with the question mark and everything like that, and we will push that file. But we have to check that .gitignore first, because .gitignore means ignore some files. If we have the key.txt in there, even though we create this and we push this, it won't get uploaded to the git repository, because .gitignore is created for that stuff. It ignores some of the files in the Git repository. It's created to keep it secure, like you want to keep the server keys, for example, safe. You don't want to push them to your git repo, so that other people cannot see them. Anyway, I'm just going to cat this. This is actually a little bit different than what I expected to see. It ignores every txt file, so it is pretty obvious what we should do. We can either change the .gitignore content or we can just remove it before we create our file. So, I'm going to just rm the .gitignore file and I'm going to run ls -la. As you can see, we got rid of that .gitignore file, so we won't be ignoring the txt files. So, it's pretty trivial to create the key.txt with that content. You can use the echo command, you can use vim.
We cannot use nano for some reason in this case, on the server, so I'm going to say 'echo' and I'm going to just write 'May I come in?'. But just beware of the question mark and all the other things. Okay, 'May I come in?'. I'm going to take this output and put it into something called key.txt. Now, if I run ls -la, I will see the key.txt, and if I cat the key.txt, I will see 'May I come in?'. So, we're going to push that to the remote repository. In order to do that, first of all, we need to commit our changes. So, right now, we're going to do our own commit, so we're going to save our changes, okay? And let me see if we have anything else. As you can see, it says 'May I come in?'. And this is exactly what we have written, so I believe we are fine. So, we are in the master branch, we have the file that we need, and we need to just push it. So, I'm going to say 'git add key.txt'; this will add the file to our repository. I'm going to commit the thing, and we need to give a commit message by saying -m "new commit", okay? Of course, you need to be more specific in real-life cases. So, over here it says that there is a new commit, 1 file changed, 1 insertion. So, I'm just going to push this, I'm going to say 'git push' and say, yes, and it asks for the password one more time. Let me copy the password from here. And I'm going to come back and just paste it over there and I will hit "Enter" and here you go. Now, it got pushed and well done. Here is the password for the next level. So, this is the password for Level 32. Great. So, let me just copy this one over here. And let me come over here and just say nano and save the password over there. So, I'm going to paste this thing in and I'm going to save it as Level 32. So, great. Let me come back over here and exit out of this one and I'm just going to try and connect to bandit32 in order to test the password that we have found. So, great.
I believe this will be one of the last sections, if it's not the last section itself. And let me try and see, yep, here you go, Level 32 - Level 33. After all this git stuff, it's time for another escape. Good luck. So, great. Again, we are off to a new challenge. We're going to see what it means in the next level, and as you can see, it's THE UPPERCASE SHELL. So, it's interesting. Let's do that within the next lecture.
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.