This course will walk you through a variety of exercises and techniques as part of a capture the flag (CTF) game called Bandit. This will make sure that you have the necessary skills in Linux in order to excel in penetration testing and privilege escalation.
Hi, within this lecture we're going to go to Level 26 of Bandit, and it's fairly easy. If you run 'ls', you will see bandit26.sshkey, which is the key we use to SSH into Level 26. So, it's fairly easy, right?
But it doesn't stop there. It gets harder at this point. At this point I actually had to stop the videos and go to Google to find a solution, because it had something to do with Vim. As I said before, I don't use Vim very often, okay? And it turns out it has something in particular to do with the command line and with the more command. I'm going to show you what these are. And again, this is a hard one. I couldn't solve it by myself because I had no idea that we could do that with Vim. So I'm going to show you what I mean, but just before that I have to give you a heads-up: I couldn't figure it out in a short period of time like I did before. As a matter of fact, for the previous lectures I didn't even look at Google, I didn't do any research; I just figured it out because I got used to it, I had the experience. But not this time. So, let's run the SSH command, 'ssh -i bandit26.sshkey bandit26@localhost'. We're logging in as bandit26@localhost, so we're on localhost, or in this case we're on the server itself, so we can say 'localhost'. I'm just going to say 'yes'. And here we go, we managed to log in. But as you can see, "Connection to localhost closed." So in that case we can try to change the shell, like we have done before. Remember we used the sh shell rather than the Bash shell in order to maintain our session before. But that doesn't work over here either. Of course, we can try it. But here we have some tips: we have the more tool, and it was pretty confusing for me to understand how we can use the more tool here. So of course I went on and tried this: '-t' with '"/bin/bash"', so 'ssh -i bandit26.sshkey -t bandit26@localhost "/bin/bash"'. If it doesn't work, go with "/bin/sh". It won't work either. As you can see, "Connection to localhost closed." And we didn't even get the detailed information like we did last time.
So, you can go for '/bin/bash' without the quotation marks, and you can try the other alternatives as well, but as you can see, it doesn't work. So, what can we do with the more command? The more command is something like cat. It's very simple. So I actually stopped at this point and tried to Google it to find out about more, and I found out that it's actually connected with Vim at some point. Let me show you what I mean. When we do cat, we get the result back like this. If we do more, it gives us the same result, exactly the same result. So, as you can see, it's nothing different from cat. But if we have something like this, if we do 'cat password.txt', as you can see, we cannot see all the lines. But if you do 'more password.txt', it will show us the first page, and then when we hit 'Enter' it will show us the second page, third page, and we can use the arrow keys, arrow up and arrow down, to see the whole thing. So that's what more does. It's the same as cat, but not exactly, because it lets you see part of the file a page at a time when the screen isn't big enough for all of it. So, how can we use this? Furthermore, we have other tools here, like vi, which is Vim. V-I, Vim. So, how can we combine those two together? This is where I actually had to Google it and understand. If I hadn't had the tips over here, maybe I wouldn't have thought of that either. So, let me show you what I mean. I'm just going to run this as it is: I'm going to SSH into bandit26 and say 'yes'. As you can see, we have a lot of information here. So what I'm going to do is make this terminal window a little bit smaller so that it runs short of space. If you think about this, it will run the text through more automatically. It turns out that when we run this, let me make it even a little bit smaller, and say 'yes', as you can see, it displays the text with more and stops at the first page.
And the point is, if you type 'vi' right now, v and i on your keyboard, it will open Vim for you. That's what I didn't know. You can go into Vim and you can write some commands here. So it's a little strange. And the stranger part is, if you hit 'Escape', you can write commands like we used to do, like ':wq'. Now we're going to do ':set'. It turns out that we can set the shell here. I found this out by googling it; I didn't know that. The way it works is you have to write ':set shell=/bin/bash'. I want to set it to '/bin/bash', and if I hit 'Enter', this will be set for me. And if I run ':shell', here you go, we have a shell as bandit26. Now I can clear this up and I can do what I want. It's a little strange, I admit that. I didn't know that you can go into Vim from more, and I didn't know you can set the shell in Vim with a command like that. So, so far so good. I learned a new thing, and I hope you did as well. Right now we are in bandit26 and we are maintaining our session. That's what we were trying to do. Even though we had the sshkey, it didn't let us in because the login shell was something other than /bin/bash. Of course, I'm going to cat out the password for bandit26 as well, because when we use the sshkey it doesn't let us in. So I'm going to copy this and save it under level 26 over here. Okay, let me nano the file, come down, paste this and label it 'level 26', and here you go. Okay, now we have this, but I will show you some more depth on this level so that you grasp it properly. So I'm going to exit out of this one. You can just do ':q!' to exit. I want to go into bandit25 because I want to show you something. As you can see, there is a tip saying that bandit26 doesn't use /bin/bash.
So, if we 'cat /etc/passwd', like we always do in penetration tests, you can see the login shells used by every account on this machine, or on this server. And if you come over here, all of them are /bin/bash actually, but not bandit26. Here we have /usr/bin/showtext. This is not the regular /bin/bash. And maybe we can get something out of this as well. So, we can cat this and see what it does, or we can try to go into that folder and try to understand something. Let me come over here. As you can see, /usr/bin/showtext does 'export TERM=linux', so it changes the environment variables, and then it runs 'more ~/text.txt'. That is why we have been seeing more. So it isn't a standard login shell that we usually come across, but this is how it's set up. And it actually has this exit at the end, which is why we had trouble maintaining our session. So maybe we could have understood something from here as well. That's why 'more ~/text.txt' happened, that's why we managed to get into vi like this. So, here we go. That's why we are seeing more, that's why we can type vi and go into Vim, that's why we can change the shell to /bin/bash with ':set shell=/bin/bash'. So maybe you now understand it in a better way. Anyhow, we managed to get into bandit26 by running ':shell'. So, so far so good. Right now we're in 26. Let's come over here and see how we can go to Level 27. As you can see, it says, "Good job getting a shell! Now hurry and grab the password for bandit27!" I would say it is a good job to get this shell. And it only says to run ls, so I believe it's cutting us some slack and it's a fairly simple step at this point. So, I'm going to run 'ls' and see what happens. We have a setuid binary, I believe, again. And we have text.txt over here, which I believe is the file we have been seeing through more.
So, I'm going to run this bandit27 binary. As you can see, it says, "Run a command as another user." If we run it with 'id', we can see that it runs as bandit27. So I'm going to cat the password of bandit27, like we have done before. It's fairly easy. It shows the uid one more time. So, 'cat /etc/bandit_pass/bandit27' through the binary, and here you go: this is the password for bandit27. I'm going to copy this and save it as well. So again, this is very easy because we have done it before; we know how it works. What we didn't know was the Vim thing. So, here we are in bandit26. I'm going to exit out of this one with ':q!', and I'm going to exit out of the other one as well so that I can log in to bandit27. Let's do that: go into bandit27 and see if this works. I'm going to paste the password here and hit 'Enter', and here you go. Now, let's continue in the next lecture.
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.