This course will walk you through a variety of exercises and techniques as part of a capture the flag (CTF) game called Bandit. This will make sure that you have the necessary skills in Linux in order to excel in penetration testing and privilege escalation.
Hi. Within this lecture, we're going to continue where wgghe left off from the previous one. So, remember
we have this data.txt file. And inside of this data.txt file, we have a hex dump of a file. So, first of all, we need to convert this into a file leveraging that hex dump, okay? So, if we cut this data.txt, we can see the hex dump of that file. So, maybe you know how this works, maybe you don't know. I'm going too show you anyway.
And in the tips, we have what we need actually, okay? So, we have this tool called xxd in order to leverage the hex dump and convert it into a file. Then we're going to focus on this one. So, this file apparently has been repeatedly compressed. So, this file has been compressed and it has been repeatedly compressed. So, multiple compression that we're dealing with and we're going to decompress that file. It sounds easy but I believe it's going to take some time. And anyway, we have this TMP file again. So, it suggests us to work with inside of the TMP file, TMP folder I mean. And the general reason for this is that we get to write some files into the TMP folder as we move along over here. So, I'm going to show you what I mean. If we write, whoami, we get this bandit12.
So, in the bandit12, I believe we don't have any permission to write files over here in the current directory that we are into. So, we need to go into the TMP folder, and we need to work it over there. So, if I come over here and write mkdir /tmp/ and I'm just going to write my name which is atil. You can do it with your own name as well, okay? And over here I'm going to go into that file, or actually let me copy this. Okay, Let me copy this data.txt to that folder. I'm going to come over here and say cp data.txt /tmp/atil. And I'm going to go into that folder right now /tmp/atil, and here we are. We have the data.txt over there. Right now I can just do what I have to do and just write a new file. Why would I need to write a file? Because again, we have a hex dump and we're going to create a file using that hex dump, okay? So, we're going to use this xxd. And I'm going to run xxd --help in order to see the manual of this xxd. Now, here we go. As you can see, we have a lot of parameters over here that we can give. And what are we going to do with this tool? Is that we're going to give this hex dump file and we're going to say convert this hex dump into an actual file, okay? So, as you can see, -r stands for reverse operation. We generally use xxd to create a hex dump of a file but if we have a hex dump, we can create a file from it as well. All you have to do is just write this xxd -r data.txt in the temporary folder that you have created.
So, once we do that, we're going to get some kind of a zip file I believe, but we don't know the extension yet. So, I'm going to output this, and in order to do that you have to just write > and I'm going to call mine atil. You can call it your own name. So, I have a file called atil and it's basically a zip file most probably, okay? It says so in the description. So, we have to find out what kind of a file is this, so I'm going to write file atil. And as you can see atil is a gzip compressed data. So, this is gzip. So, gzip is a tool or a kind of an extension like a winzip, like .zip, .rar. So, maybe you're aware of .zip, .rar files but gzip is something like that. And we also have bzip as well and we have also the tar as well. But right now we are dealing with gzip, maybe we will deal with the other ones later on. So, right now I have to use gzip tool in order to decompress this one. So, I'm going to decompress the atil file so that we can see the content of the compressed files or folders. Whatever we are facing, we don't know yet.
So, we can use this file command whenever we need to identify a file. As you can see, let's now try to use gzip in order to decompress this. And of course, you can see the menu of the gzip as well, but it's very easy. All you have to do is just say -d and write the file over here, like gzip -d atil. But as you can see, we got an error, and most probably our file does not have an extension. That's why we are getting this error, right? So, this is atil, but it doesn't have the extension like atil.gzip. So, we have to make sure that it has the extension. So, I'm going to rename this. In order to rename this, we can use move command and mv command. So, we can use this move command in order to move a file to another folder but if we leave it inside of the same folder, we can also rename it in a way that we want. We can change the extension, we can rename it, we can do whatever we want as long as we just leave it in the same folder that we are currently in. So, what we want to do over here we can just write mv atil atil.gz. So, here you go. Right now we have this atil.gz over here which is the gzip extension. So, I'm going to try this one more time, and here we go. Now we have another file. We have uncompressed this, decompressed this I believe. So, the term is decompressing. And if we write file atil one more time, as you can see, now we get another thing which is bzip2.
So, again this has been repeatedly compressed, as it says over here. And bzip2 is just another extension, another tool, that we need to use to decompress this file one more time. So, I'm going to move atil to atil.bzip2, this time bz2. So, bz2 is the extension of bzip2 like gz, okay? So I'm going to use bzip2 and say -d atil.bz2 one more time. So, the command is the same, d for decompressing. So, I'm going to write file atil, and here you go. We have another gzip compressed data. So, again this is getting ridiculous. As you can see, it's been repeatedly compressed; however, we need to do what we got to do. So, I'm going to move this to atil.gz and I'm going to use gzip one more time to decompress this. Let's see. We have atil one more time. I'm going to call file atil, and here we go. We have another format over here which is the tar archive. So, again, this is kind of a zip format and we can use tar in order to decompress this. The usage is a little bit different when it comes to tar. And if you have worked with Linux before, I believe you came across with tar even though you haven't seen the bzip2 or gzip. Tar is very common. So, I'm going to move this to atil.tar, and I'm going to say tar xf atil.tar, okay? So, here we go.
Once we do that, as you can see in the tar, we still have the atil.tar. It didn't go away or something like that, but we have this data5.bin file. So, we have a binary file over here which is a good thing. I believe we're making progress, but if you run file data5.bin, we again get another tar file which is something that we really don't want, but it's the case, okay? So, this is a tar file as well. So, I'm going to decompress this as we have done before, and we're going to see what it gives us back. So, again, we are still decompressing even though we managed to decompress it multiple times. We're going to do this one more time. So, I'm going to move this data5.bin to another file. I believe we have atil.tar, but it will override it. So, I'm going to run tar xf atil.tar and here we go. We have data6.bin which is a bzip2 file. Very good. So, I'm going to use the same technique that we have been doing so far, okay? I'm going to turn this into a bzip2 file and then we're going to just decompress it until we get the password. So, I'm going to move this data6.bin to atil.bz2, okay. So, this is the extension that we need to work with so we have this bz2, bzip2-d atil.bz2 and here we go. Once we do that... We have this atil file over here which is weird if we're on file atil this is a tar archive. Yeah, I'm sick of this. So, we need to work with atil, so I'm going to remove this atil.tar, I'm going to remove data.txt, We only have this atil over here which is what we're going to work with, and I'm going to convert it to tar. And I'm going to say tar xf atil.tar. And once we do that, we have data8.bin. And data8.bin is again a gzip file, and I believe we need to decompress this to get data9.bin, but let's see. I'm going to move this into a gzip format. So, can we call this atil or we can call this anything else as well whatever you want over here, but I'm going to call this my: name atil.gzip, gz. And I'm going to use gzip to decompress atil.gz. If we run ls, we're going to see the atil which is an ASCII text. Finally, I believe we have finally the password over here.
So, right now we only have this atil. What I'm going to do, I'm going to run file one more time to make sure, this is just a text file, so I'm going to cat it and here you go. Finally we have the password for the level 13. Again guys, this is a little bit overboard I believe, repeatedly compressing. I haven't seen something like this in another CTF but this is what they want, and I believe after this, you all know how to use gzip, bzip and tar so in a way maybe it makes sense. So, let me exit out of this one and let me go into bandit13 to see if this works or not. And if it doesn't work, I don't know. We have been working for 10 minutes I believe. Here you go, it works.
So, we are inside of bandit13 and now we want to go to the bandit14. So, let me clear this up. So, let's see what it says. The password for the next level is stored in /etc/bandint_pass/bandit14 and can only be read by user bandit14. Very good. So, this makes sense. For this level, you don't get the next password but you get a private SSH key that can be used to login into the next level. So, here you go. We don't need to find the password over here. All we need to do is just find an SSH key. So, I'm going to show you what an SSH key does. Let's see if it's just standing over there or sitting over there and we have a note over here. Localhost is the host name that refers to the machine you're working on, okay. We know that already. So, sshkey.private is just actually this thing over here, so we already have that one.
We can just do an SSH from bandit13 to bandit14. SSH key is a key that we use. Rather than giving a password, we can just use this key in order to log into some server. So, if you have this key, you can just use it to login basically, okay? And I believe we already have that one. So, I'm not going to exit out of this one or we can just find a way to copy this sshkey.private to our local host, but I believe there is no need to do that; we can just run ssh --help As you can see, SSH works in bandit servers as well, and we can use this identity file parameter over here. We can just say ssh -i sshkey.private, okay? So, we are giving this sshkey.private file as a parameter to i parameter over here and we're going to use the port and the hosting that we have been using. We can use the local host over here. We're just going to say bandit14@localhost rather than writing the whole thing over here, okay. Because we are already inside of that server, we're just switching to another user using an SSH key.
So, I'm going to say bandit14@localhost and I believe we don't even need to specify a port over here, we can just say 'Enter' and say yes. And here we go. We are inside of the bandit14. So, but beware that it says the password for this level, at this for the level 14 is saved under the etc/bandit_pass. So, I'm going to make note of that. I'm just going to take the password from here in order to write into my notes.
And again, maybe this will be some kind of a help when the time comes later on. Okay, so, I'm going to cat this file. I'm going to say cat /etc/ bandit_password. So, not password bandit pass/bandit14 and here we go. This is the bandit14 password. We are currently inside of the bandit14. But, anyway again, it's a good thing to have the passwords for the all levels. We skipped the first four, but maybe you have just taken a note somehow in your own notes as well, right?
So, here we go. Now we are inside of the bandit14. Now, what we want to do, we want to go to the bandit15. So, here you go, it says that the password for the next level can be retrieved by submitting the password of the current level to port 300000 over here or 30000. Yeah, Yeah, 30000 on localhosts. So, it's a good thing that we got that password, we already knew how to get it. So, it's just sitting under the etc, okay? But, as you can see we need it.
So, what we want to do, we want to take that password, we already have it, and we want to submit that password to the port 30000 on localhost. So, how do we submit data to some port? Of course, if you say Netcat, then you're right because it's a very convenient tool, it's very easy to use. You can just write Netcat over here nc. And if you have taken my previous courses, I believe you know how to use this. I'm just going to say nc localhost 30000. And right after that, I'm just going to write test and we get nothing back, but rather than test maybe we can just take the password that we have saved over here like this. So, I'm going to copy this one and come back here and just paste it over there and hit 'Enter' and see if this works or not.
So, we are waiting, we are waiting, and we're not getting any response from the server I believe. Let me try it like this. So, I'm just going to say netcat localhost 30000 and just hit 'Enter' and here you go. Now, it works, it says correct and it gives us some kind of a password back and I believe this is the password for the level 15. So, I'm going to just come over here and paste the password for the level 15 over there so that we can move on to level 15. Here you go. I'm going to exit out of this one, okay? And let's see. We can exit. And it exited to bandit13, so I'm going to exit one more time. And let me just come over here and rather than 13 or 14, I'm just going to go for 15, and it will ask me for a password. And I'm going to give the password and see if this works or not, okay? Paste the selection and here you go. We are inside. Let's continue within the next lecture with the level 15.
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.