{"id":997,"date":"2013-08-01T23:17:37","date_gmt":"2013-08-01T22:17:37","guid":{"rendered":"https:\/\/www.aerian.fr\/?p=997"},"modified":"2018-02-18T14:49:01","modified_gmt":"2018-02-18T13:49:01","slug":"bandit-challenges-overthewire","status":"publish","type":"post","link":"https:\/\/www.aerian.fr\/en\/bandit-challenges-overthewire\/","title":{"rendered":"(Fran\u00e7ais) Solutions challenges Bandit OverTheWire (1-24)"},"content":{"rendered":"

Sorry, this entry is only available in Fran\u00e7ais<\/a>.<\/p>

J’ai commenc\u00e9 \u00e0 m’amuser avec les “challenges” du site OverTheWire<\/a>. Ce site propose des exercices pour s’exercer \u00e0 la s\u00e9curit\u00e9 sous Linux. Pour le moment, je n’en ai fait que quelques exercices, je vais poster les solutions que je trouve au fur et \u00e0 mesure que j’avance.<\/p>\n

Challenges Bandits<\/h2>\n

On se connecte tout d’abord en SSH sur l’adresse bandit.labs.overthewire.org<\/em> avec bandit0:bandit0.<\/p>\n

Niveau 0 -> 1<\/strong>
\nLe mot de passe est stock\u00e9 dans le fichier readme. Il suffit de lister le r\u00e9pertoire.<\/p>\n

\r\nbandit0@melinda:~$ ls\r\nreadme\r\nbandit0@melinda:~$ cat readme\r\nboJ9jbbUNNfktd78OOpsqOltutMc3MY1\r\n<\/code><\/pre>\n
Niveau 1 -> 2<\/strong>
\nLe mot de passe est ici stock\u00e9 dans un fichier nomm\u00e9 “-“, hors “-” \u00e9tant utilis\u00e9 pour les arguments des commandes, pour lire ce fichier il est n\u00e9cessaire d’ajouter .\/ ou la location absolue pour l’afficher.<\/p>\n
\r\nbandit1@melinda:~$ ls\r\n-\r\nbandit1@melinda:~$ cat .\/-\r\nCV1DtqXWVFXTvM2F0k09SHz0YwRINYA9\r\n<\/code><\/pre>\n
Niveau 2 -> 3<\/strong>
\nPour cet exercice, le mot de passe est stock\u00e9 dans un fichier contenant des espaces, on a juste \u00e0 les \u00e9chapper avec des “\/”.<\/p>\n
\r\nbandit2@melinda:~$ ls\r\nspaces in this filename\r\nbandit2@melinda:~$ cat spaces\\ in\\ this\\ filename"\r\nUmHadQclWmgdLOKQ3YNgjWxGoRMb5luK\r\n<\/code><\/pre>\n
Niveau 3 -> 4<\/strong>
\nLe mot de passe est stock\u00e9 dans un fichier cach\u00e9. On affiche avec l’argument “-a” de ps.<\/p>\n
\r\nbandit3@melinda:~$ ls\r\ninhere\r\nbandit3@melinda:~$ cd inhere\r\nbandit3@melinda:~\/inhere$ ls -la\r\ntotal 12\r\ndrwxr-xr-x 2 root    root    4096 2012-05-10 23:51 .\r\ndrwxr-xr-x 3 root    root    4096 2012-05-10 23:51 ..\r\n-rw-r----- 1 bandit4 bandit3   33 2012-05-10 23:51 .hidden\r\nbandit3@melinda:~\/inhere$ cat .hidden\r\npIwrPrtPN36QITSp3EQaw936yaFoFgAB\r\n<\/code><\/pre>\n
Niveau 4 -> 5<\/strong>
\nLe mot de passe est stock\u00e9 dans le seul fichier lisible par un “humain” \u00e0 comprendre, le seul fichier contenant des caract\u00e8res ASCII ou Unicode. On utilise donc la commande “file”.<\/p>\n
\r\nbandit4@melinda:~$ cd inhere\r\nbandit4@melinda:~\/inhere$ file .\/-*\r\n.\/-file00: data\r\n.\/-file01: data\r\n.\/-file02: data\r\n.\/-file03: data\r\n.\/-file04: data\r\n.\/-file05: data\r\n.\/-file06: data\r\n.\/-file07: ASCII text\r\n.\/-file08: data\r\n.\/-file09: data\r\nbandit4@melinda:~\/inhere$ cat .\/-file07\r\nkoReBOKuIDDepwhWk7jZC0RTdopnAYKh\r\n<\/code><\/pre>\n
Niveau 5 -> 6<\/strong>
\nLe mot de passe est stock\u00e9 dans un fichier de 1033 bytes. On utilise donc la commande find avec l’attribue “size”<\/p>\n
\r\nbandit5@melinda:~$ find inhere -size 1033c\r\n.\/-file00: data\r\n.\/-file01: data\r\n.\/-file02: data\r\n.\/-file03: data\r\n.\/-file04: data\r\n.\/-file05: data\r\n.\/-file06: data\r\n.\/-file07: ASCII text\r\n.\/-file08: data\r\n.\/-file09: data\r\nbandit5@melinda:~\/inhere$ cat .\/-file07\r\nkoReBOKuIDDepwhWk7jZC0RTdopnAYKh\r\n<\/code><\/pre>\n
Niveau 6 -> 7<\/strong>
\nCette fois-ci, on ne sait pas o\u00f9 se trouve le fichier contenant le mot de passe sur le serveur.On sait par contre qu’il appartient \u00e0 l’utilisateur bandit7 et au groupe bandit6. On le trouve donc avec la commande find et les options “-user” et “-group”<\/p>\n
\r\nbandit6@melinda:~$ find \/ -user bandit7 -group bandit6 2>\/dev\/null\r\n\/var\/lib\/dpkg\/info\/bandit7.password\r\nbandit6@melinda:~$ cat \/var\/lib\/dpkg\/info\/bandit7.password\r\nHKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs\r\n<\/code><\/pre>\n
Niveau 7 -> 8<\/strong>
\nLe mot de passe est contenu dans data.txt, \u00e0 cot\u00e9 du mot “millionth”, on filtre donc avec “grep” le contenu du fichier.<\/p>\n
\r\nbandit7@melinda:~$ grep millionth data.txt\r\nmillionth       cvX2JJa4CFALtqS87jk27qwqGhBM9plV\r\n<\/code><\/pre>\n
Niveau 8 -> 9<\/strong>
\nLe mot de passe est contenu dans data.txt sur la seule ligne unique du fichier. On trie le fichier \u00e0 l’aide “sort” et on affiche uniquement les lignes uniques \u00e0 l’aide de “uniq -u”.<\/p>\n
\r\nbandit8@melinda:~$ cat data.txt | sort | uniq -u\r\nUsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR\r\n<\/code><\/pre>\n
Niveau 9 -> 10<\/strong>
\nLe fichier data.txt contenant le mot de passe est un binaire. J’ai essay\u00e9 avec “grep -a “=” data.txt mais cela ne m’a pas donn\u00e9 le r\u00e9sultat que j’escomptais, j’ai donc utilis\u00e9 la commande “strings” qui affiche les chaines de caract\u00e8res contenues dans un binaire et “grep” pour filtrer les lignes commen\u00e7ant par “=”.<\/p>\n
\r\nbandit9@melinda:~$ strings data.txt | grep =\r\nRj=G\r\n========== the\r\n=qy9g\r\n,========== passwordc\r\n========== is\r\n=9-5\r\nO=p~\r\n#r=t!\r\n7e}=eG\r\n========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk\r\nuXI\/{I=VPO=\r\n6'Q|_=Vt\r\n:={!\r\nyd=6\r\n<\/code><\/pre>\n
Niveau 10 -> 11<\/strong>
\nDans cet exercice, le texte contenu dans le fichier data.txt \u00e9tait cod\u00e9 en base64. Il a donc fallu le d\u00e9coder \u00e0 l’aide de la commande base64 et de l’argument “-d”<\/p>\n
\r\nbandit10@melinda:~$ base64 -d data.txt\r\nThe password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR\r\n<\/code><\/pre>\n
Niveau 11 -> 12<\/strong>
\nDans cet exercice, le texte contenu dans le fichier data.txt \u00e9tait cod\u00e9 \u00e0 l’aide du Rot13. Toute les lettres avaient \u00e9t\u00e9 d\u00e9cal\u00e9es de 13 positions. Il a donc fallu faire les rotations n\u00e9cessaire \u00e0 l’aide de la commande tr.<\/p>\n
\r\nbandit11@melinda:~$ cat data.txt |tr a-zA-Z n-za-mN-ZA-M\r\nThe password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu\r\n<\/code><\/pre>\n
Niveau 12 -> 13<\/strong>
\nDans cet exercice, on dispose d’un dump hexad\u00e9cimal d’un fichier compress\u00e9 de multiple fois, on va donc renverser le dump \u00e0 l’aide de “xxd -r” pour r\u00e9cup\u00e9rer l’archive puis \u00e0 l’aide de la commande file combin\u00e9s aux commandes d’archives, on va d\u00e9compresser le fichier.<\/p>\n
\r\nbandit12@melinda:~$ mkdir \/tmp\/lince ; cd \/tmp\/lince\r\nbandit12@melinda:\/tmp\/lince$ xxd -r ~\/data.txt > data2\r\nbandit12@melinda:\/tmp\/lince$ file data2\r\ndata2: bzip2 compressed data, block size = 900k\r\nbandit12@melinda:\/tmp\/lince$ bzip2 -d data2\r\nbzip2: Can't guess original name for data2 -- using data2.out\r\nbandit12@melinda:\/tmp\/lince$ file data2.out\r\ndata2.out: gzip compressed data, was "data4.bin", from Unix, last modified: Thu Jun  6 13:59:43 2013, max compression\r\nbandit12@melinda:\/tmp\/lince$ mv data2.out data2.gz\r\nbandit12@melinda:\/tmp\/lince$ gzip -d data2.gz\r\nbandit12@melinda:\/tmp\/lince$ ls\r\ndata.txt  data2\r\nbandit12@melinda:\/tmp\/lince$ file data2\r\ndata2: POSIX tar archive (GNU)\r\nbandit12@melinda:\/tmp\/lince$ tar -xvf data2\r\ndata5.bin\r\nbandit12@melinda:\/tmp\/lince$ file data5.bin\r\ndata5.bin: POSIX tar archive (GNU)\r\nbandit12@melinda:\/tmp\/lince$ tar -xvf data5.bin\r\ndata6.bin\r\nbandit12@melinda:\/tmp\/lince$ file data6.bin\r\ndata6.bin: bzip2 compressed data, block size = 900k\r\nbandit12@melinda:\/tmp\/lince$ tar -xvf data6.bin\r\ndata8.bin\r\nbandit12@melinda:\/tmp\/lince$ file data8.bin\r\ndata8.bin: gzip compressed data, was "data9.bin", from Unix, last modified: Thu Jun  6 13:59:43 2013, max compression\r\nbandit12@melinda:\/tmp\/lince$ mv data8.bin data8.gz\r\nbandit12@melinda:\/tmp\/lince$ gzip -d data8.gz\r\nbandit12@melinda:\/tmp\/lince$ file data8\r\ndata8: ASCII text\r\nbandit12@melinda:\/tmp\/lince$ cat data8\r\nThe password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL\r\nbandit12@melinda:\/tmp\/lince$ cd ~ ; rm \/tmp\/lince\r\n<\/code><\/pre>\n
Niveau 13 -> 14<\/strong>
\nDans cet exercice, on dispose d’une cl\u00e9 ssh priv\u00e9e appartenant \u00e0 bandit14. On sp\u00e9cifie donc le fichier contenant la cl\u00e9 \u00e0 l’aide de l’option -i, on se connecte et on affiche le fichier contenant le mot de passe.<\/p>\n
\r\nbandit13@melinda:~$ ssh -i bandit14@localhost -i sshkey.private\r\nbandit14@melinda:~$ cat \/etc\/bandit_pass\/bandit14\r\n4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e\r\n<\/code><\/pre>\n
Niveau 14 -> 15<\/strong>
\nDans cet exercice, on doit \u00e9crire le mot de passe du niveau 14 sur le port 30000 de la machine courante. “echo” combin\u00e9 \u00e0 “nc” suffisent \u00e0 obtenir ce r\u00e9sultat.<\/p>\n
\r\nbandit14@melinda:~$ echo 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e | nc localhost 30000\r\nCorrect!\r\nBfMYroe26WYalil77FoDi9qh59eK5xNr\r\n<\/code><\/pre>\n
Niveau 15 -> 16<\/strong>
\nDans cet exercice, on doit \u00e9crire le mot de passe du niveau 15 sur le port 30001 de la machine courante. Contrairement \u00e0 l’exercice pr\u00e9c\u00e9dent, il est n\u00e9cessaire d’\u00e9tablir une connexion SSL. On utilise donc la commande openssl s_client. Le probl\u00e8me est que par d\u00e9faut, s_client d\u00e9marre un client interactif. Pour obtenir le mot de passe, il suffit de lui coller dans le pseudo shell. Comme j’avais commenc\u00e9 de la m\u00eame mani\u00e8re que le pr\u00e9c\u00e9dent exercice avec “echo”, j’ai du rajouter -quiet comme option.<\/p>\n
\r\nbandit15@melinda:\/$ echo BfMYroe26WYalil77FoDi9qh59eK5xNr | openssl s_client -quiet -connect localhost:30001\r\ndepth=0 CN = localhost\r\nverify error:num=18:self signed certificate\r\nverify return:1\r\ndepth=0 CN = localhost\r\nverify return:1\r\nCorrect!\r\ncluFn7wTiGryunymYOu4RcffSxQluehd\r\n\r\nread:errno=0\r\n<\/code><\/pre>\n
Niveau 16 -> 17<\/strong>
\nDans cet exercice, on doit \u00e9crire le mot de passe du niveau 16 sur un port contenu entre 31000 et 32000. On r\u00e9utilise l’exercice pr\u00e9c\u00e9dent auquel on ajoute un scan de port. J’aurais bien voulu \u00e9viter un bruteforce des ports, mais je n’ai pas trouv\u00e9 d’option me permettant d’isoler le bon serveur. j’ai donc test\u00e9 toute la liste \u00e0 l’aide d’une boucle for et de la commande de l’exercice pr\u00e9c\u00e9dent.
\nOn obtient alors la cl\u00e9 priv\u00e9e que l’on doit stocker dans un fichier puis r\u00e9utiliser. J’ai bloqu\u00e9 sur la syntax de sed pour les multi-lignes, car je voulais stocker la cl\u00e9 automatique dans un fichier puis lancer ssh sur ce fichier, j’ai donc juste enlev\u00e9 les lignes qui me d\u00e9rangeaient puis j’ai recr\u00e9e les d\u00e9limiteurs de cl\u00e9 RSA. Ce qui me fait la commande trop longue suivante.<\/p>\n
\r\nbandit16@melinda:~$ if [ ! -x \/tmp\/lince2 ] ; then mkdir \/tmp\/lince2 ; chmod 777  \/tmp\/lince2  ; fi ; for i in $(nmap localhost -p 31000-32000 | grep tcp | sed -e "s\/\\(.*\\)\\\/.*\/\\1\/" | tr "\\n" " ") ; do echo "Test $i" >&2 ; echo $(echo cluFn7wTiGryunymYOu4RcffSxQluehd | ( openssl s_client -quiet -connect localhost:$i 2>\/dev\/null) & sleep 2; kill -9 $! 2>\/dev\/null) >> \/tmp\/lince2\/temp ;  done ; echo -e "-----BEGIN RSA PRIVATE KEY-----\\n$(cat \/tmp\/lince2\/temp | tr " " "\\n" | sed "1,8d" | tac | sed "1,5d" |tac)\\n-----END RSA PRIVATE KEY-----\\n" > \/tmp\/lince2\/sshkey.priv ; rm \/tmp\/lince2\/temp ; chmod 700 \/tmp\/lince2\/sshkey.priv ; ssh -i \/tmp\/lince2\/sshkey.priv bandit17@localhost\r\nTest 31046\r\nTest 31518\r\nTest 31691\r\nTest 31790\r\nTest 31960\r\nCould not create directory '\/home\/bandit16\/.ssh'.\r\nThe authenticity of host 'localhost (127.0.0.1)' can't be established.\r\nECDSA key fingerprint is 91:b4:28:0b:9a:4d:0c:b6:39:1f:8f:68:89:4a:ce:92.\r\nAre you sure you want to continue connecting (yes\/no)?\r\n<\/code><\/pre>\n
La cl\u00e9 RSA de cet exercice est la suivante:<\/p>\n
\r\n-----BEGIN RSA PRIVATE KEY-----\r\nMIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ\r\nimZzeyGC0gtZPGujUSxiJSWI\/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ\r\nJa6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE\/GL2GWyuKN0K5iCd5TbtJzEkQTu\r\nDSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q\/kALHYW3OekePQAzL0VUYbW\r\nJGTi65CxbCnzc\/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX\r\nx0YVztz\/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD\r\nKHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl\r\nJ9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd\r\nd8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC\r\nYNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A\r\nvLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama\r\n+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT\r\n8c8hAuRBb2G82so8vUHk\/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx\r\nSatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd\r\nHCctNi\/FwjulhttFx\/rHYKhLidZDFYeiE\/v45bN4yFm8x7R\/b0iE7KaszX+Exdvt\r\nSghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A\r\nR57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi\r\nTtiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ\/lemmEY5eTDAFMLy9FL2m9oQWCg\r\nR8VdwSk8r9FGLS+9aKcV5PI\/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu\r\nL8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni\r\nblh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq\/ZJQ7YfzOKU4ZxEnabvXnvWkU\r\nYOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a\/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM\r\n77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b\r\ndxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3\r\nvBgsyi\/sN3RqRBcGU40fOoZyfAMT8s1m\/uYv52O6IgeuZ\/ujbjY=\r\n-----END RSA PRIVATE KEY-----\r\n<\/pre>\n
Niveau 17 -> 18<\/strong>
\nDans cet exercice, on doit trouver la ligne de diff\u00e9rente entre le fichier passwords.old et passwords.new. La ligne du passwords.new nous donne acc\u00e8s au niveau 18.<\/p>\n
\r\nbandit17@melinda:~$ diff -u passwords.new passwords.old | grep -E "^-[[:alpha:]]"\r\n-kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd\r\n<\/code><\/pre>\n
Niveau 18 -> 19<\/strong>
\nLe mot de passe de ce niveau est contenu dans le fichier readme du r\u00e9pertoire de bandit18. D\u00e8s le chargement de la session, vous \u00eates d\u00e9connect\u00e9s suite \u00e0 une commande inclue dans le .bashrc. Il suffit de lancer directement la commande pour afficher le mot de passe directement avec ssh.<\/p>\n
\r\nbandit17@melinda:~$ ssh bandit18@localhost "cat readme"\r\nThe authenticity of host 'localhost (127.0.0.1)' can't be established.\r\nECDSA key fingerprint is 91:b4:28:0b:9a:4d:0c:b6:39:1f:8f:68:89:4a:ce:92.\r\nAre you sure you want to continue connecting (yes\/no)? yes\r\nFailed to add the host to the list of known hosts (\/home\/bandit17\/.ssh\/known_hosts).\r\n\r\nThis is the OverTheWire game server. More information on http:\/\/www.overthewire.org\/wargames\r\n\r\nPlease note that wargame usernames are no longer levelX, but wargamenameX\r\ne.g. vortex4, semtex2, ...\r\n\r\nNote: at this moment, blacksun and drifter are not available.\r\n\r\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\r\n@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @\r\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\r\nPermissions 0640 for '\/home\/bandit17\/.ssh\/id_rsa' are too open.\r\nIt is required that your private key files are NOT accessible by others.\r\nThis private key will be ignored.\r\nbad permissions: ignore key: \/home\/bandit17\/.ssh\/id_rsa\r\nbandit18@localhost's password:\r\nIueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x\r\n<\/code><\/pre>\n
Niveau 19 -> 20<\/strong>
\nLe mot de passe de ce niveau est contenu dans le \/ect\/bandit_pass\/bandit20. Un binaire appartenant \u00e0 bandit20 et ayant le bit de setuid est stock\u00e9 dans le r\u00e9pertoire de bandit19. En utilisant ce binaire, on peut lancer des commandes comme bandit20. Il suffit donc d’afficher le mot de passe \u00e0 l’aide de ce binaire.<\/p>\n
\r\nbandit19@melinda:~$ .\/bandit20-do cat \/etc\/bandit_pass\/bandit20\r\nGbKksEFF4yrVs6il55v6gwY5aVje5f0j\r\n<\/code><\/pre>\n
Niveau 20 -> 21<\/strong>
\nLe script fournit dans le r\u00e9pertoire de bandit20 effectue une connexion sur le port pass\u00e9 en argument et lit les donn\u00e9es envoy\u00e9es dans ce port. Si ces donn\u00e9es sont \u00e9gale au mot de passe de bandit20, il renvoie le mot de passe de bandit 21.
\nOn a donc besoin d’utiliser nc pour ouvrir un port et envoyer sur ce port le mot de passe de bandit20 puis lancer le binaire fournis sur le m\u00eame port pour obtenir le mot de passe. Cela peut \u00eatre effectu\u00e9 \u00e0 l’aide de la commande suivante. <\/p>\n
\r\nbandit20@melinda:~$  echo GbKksEFF4yrVs6il55v6gwY5aVje5f0j | nc -l -k localhost 11112 & .\/suconnect 11112\r\n[2] 12044\r\nRead: GbKksEFF4yrVs6il55v6gwY5aVje5f0j\r\nPassword matches, sending next password\r\ngE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr\r\n<\/code><\/pre>\n
Niveau 21 -> 22<\/strong>
\nDans ce niveau, un job crontab est activ\u00e9 pour bandit22, on va donc regarder la commande lanc\u00e9e dans \/etc\/cron.d\/cronjob_bandit22, on r\u00e9cup\u00e8re la location du script lanc\u00e9 par la commande, on affiche le script ce qui nous donne la mani\u00e8re d’obtenir le mot de passe. Ici, il suffit d’afficher un fichier existant dans \/tmp.<\/p>\n
\r\nbandit21@melinda:~$ cat \/etc\/cron.d\/cronjob_bandit22\r\n* * * * * bandit22 \/usr\/bin\/cronjob_bandit22.sh &> \/dev\/null\r\nbandit21@melinda:~$ cat \/usr\/bin\/cronjob_bandit22.sh\r\n#!\/bin\/bash\r\nchmod 644 \/tmp\/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv\r\ncat \/etc\/bandit_pass\/bandit22 > \/tmp\/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv\r\nbandit21@melinda:~$ cat \/tmp\/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv\r\nYk7owGAcWjwMVRwrTesJEwB7WVOiILLI\r\n<\/code><\/pre>\n
Niveau 22 -> 23<\/strong>
\nDans ce niveau, un job crontab est activ\u00e9 pour bandit23, on va donc regarder la commande lanc\u00e9e dans \/etc\/cron.d\/cronjob_bandit23, on r\u00e9cup\u00e8re la location du script lanc\u00e9 par la commande, on affiche le script ce qui nous donne la mani\u00e8re d’obtenir le mot de passe. Ici, le script \u00e9crit encore un fichier dans temp, mais avec un nom non explicite g\u00e9n\u00e9r\u00e9 par une commande. On r\u00e9\u00e9xecute la commandeavec le bon param\u00e8tre et on r\u00e9cup\u00e8re le mot de passe dans le fichier.<\/p>\n
\r\nbandit22@melinda:~$ cat \/usr\/bin\/cronjob_bandit23.sh\r\n#!\/bin\/bash\r\n\r\nmyname=$(whoami)\r\nmytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)\r\n\r\necho "Copying passwordfile \/etc\/bandit_pass\/$myname to \/tmp\/$mytarget"\r\n\r\ncat \/etc\/bandit_pass\/$myname > \/tmp\/$mytarget\r\nbandit22@melinda:~$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1\r\n8ca319486bfbbc3663ea0fbe81326349\r\nbandit22@melinda:~$ cat \/usr\/bin\/cronjob_bandit23.sh\r\n#!\/bin\/bash\r\n\r\nmyname=$(whoami)\r\nmytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)\r\n\r\necho "Copying passwordfile \/etc\/bandit_pass\/$myname to \/tmp\/$mytarget"\r\n\r\ncat \/etc\/bandit_pass\/$myname > \/tmp\/$mytarget\r\nbandit22@melinda:~$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1\r\n8ca319486bfbbc3663ea0fbe81326349\r\nbandit22@melinda:~$ cat \/tmp\/8ca319486bfbbc3663ea0fbe81326349\r\njc1udXuA1tiHqjIsL8yaapX5XIAI6i0n\r\n<\/code><\/pre>\n
Niveau 23 -> 24<\/strong>
\nDans ce niveau, un job crontab est activ\u00e9 pour bandit24, on va donc regarder la commande lanc\u00e9e dans \/etc\/cron.d\/cronjob_bandit24, on r\u00e9cup\u00e8re la location du script lanc\u00e9 par la commande, on affiche le script. On voit alors que tout les binaires ex\u00e9cutable contenus dans <\/p>\n
\r\nbandit23@melinda:~$ cat \/etc\/cron.d\/cronjob_bandit23\r\n* * * * * bandit23 \/usr\/bin\/cronjob_bandit23.sh  &> \/dev\/null\r\nbandit23@melinda:~$ cat \/usr\/bin\/cronjob_bandit23.sh\r\n#!\/bin\/bash\r\n\r\nmyname=$(whoami)\r\nmytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)\r\n\r\necho "Copying passwordfile \/etc\/bandit_pass\/$myname to \/tmp\/$mytarget"\r\n\r\ncat \/etc\/bandit_pass\/$myname > \/tmp\/$mytarget\r\nbandit23@melinda:~$ cat \/usr\/bin\/cronjob_bandit24.sh\r\n#!\/bin\/bash\r\n\r\nmyname=$(whoami)\r\n\r\ncd \/var\/spool\/$myname\r\necho "Executing and deleting all scripts in \/var\/spool\/$myname:"\r\nfor i in *;\r\ndo\r\n    echo "Handling $i"\r\n    .\/$i\r\n    rm -f $i\r\ndone\r\n\r\nbandit23@melinda:~$ vim \/var\/spool\/bandit24\/.lince.sh\r\nbandit23@melinda:~$ cat \/var\/spool\/bandit24\/.lince.sh\r\n#!\/bin\/bash\r\ncat \/etc\/bandit_pass\/bandit24 > \/tmp\/lince\/bandit24\r\nchown 777 \/tmp\/lince\/bandit24\r\nbandit23@melinda:~$ chmod +x \/var\/spool\/bandit24\/.lince.sh\r\nbandit23@melinda:~$ cp \/var\/spool\/bandit24\/.lince.sh \/var\/spool\/bandit24\/lince.sh\r\nbandit23@melinda:~$ cat \/tmp\/lince\/bandit24\r\nUoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ\r\n<\/code><\/pre>\n
<\/p>","protected":false},"excerpt":{"rendered":"
Sorry, this entry is only available in Fran\u00e7ais.J’ai commenc\u00e9 \u00e0 m’amuser avec les “challenges” du site OverTheWire. Ce site propose des exercices […]<\/p>\n","protected":false},"author":1,"featured_media":1675,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"footnotes":""},"categories":[174,220],"tags":[195,193,191,196,192,198,194],"class_list":["post-997","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-notes","category-security","tag-bandit","tag-challenges","tag-hack","tag-level","tag-overthewire","tag-security","tag-solution"],"yoast_head":"\n(Fran\u00e7ais) Solutions challenges Bandit OverTheWire (1-24) - Aerian.fr<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.aerian.fr\/en\/bandit-challenges-overthewire\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"(Fran\u00e7ais) Solutions challenges Bandit OverTheWire (1-24) - Aerian.fr\" \/>\n<meta property=\"og:description\" content=\"Sorry, this entry is only available in Fran\u00e7ais.J’ai commenc\u00e9 \u00e0 m’amuser avec les “challenges” du site OverTheWire. Ce site propose des exercices […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.aerian.fr\/en\/bandit-challenges-overthewire\/\" \/>\n<meta property=\"og:site_name\" content=\"Aerian.fr\" \/>\n<meta property=\"article:published_time\" content=\"2013-08-01T22:17:37+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2018-02-18T13:49:01+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.aerian.fr\/wp-content\/uploads\/2013\/08\/overthewire_logo-e1509911163861.png\" \/>\n\t<meta property=\"og:image:width\" content=\"300\" \/>\n\t<meta property=\"og:image:height\" content=\"300\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"42\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@LinceAerian\" \/>\n<meta name=\"twitter:site\" content=\"@LinceAerian\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"42\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"14 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.aerian.fr\/bandit-challenges-overthewire\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.aerian.fr\/bandit-challenges-overthewire\/\"},\"author\":{\"name\":\"42\",\"@id\":\"https:\/\/www.aerian.fr\/#\/schema\/person\/622c3cefbea11a0be741137608b4bf8b\"},\"headline\":\"(Fran\u00e7ais) Solutions challenges Bandit OverTheWire (1-24)\",\"datePublished\":\"2013-08-01T22:17:37+00:00\",\"dateModified\":\"2018-02-18T13:49:01+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.aerian.fr\/bandit-challenges-overthewire\/\"},\"wordCount\":1340,\"publisher\":{\"@id\":\"https:\/\/www.aerian.fr\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.aerian.fr\/bandit-challenges-overthewire\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.aerian.fr\/wp-content\/uploads\/2013\/08\/overthewire_logo-e1509911163861.png\",\"keywords\":[\"bandit\",\"challenges\",\"hack\",\"level\",\"overthewire\",\"security\",\"solution\"],\"articleSection\":[\"Notes\",\"Security\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.aerian.fr\/en\/bandit-challenges-overthewire\/\",\"url\":\"https:\/\/www.aerian.fr\/en\/bandit-challenges-overthewire\/\",\"name\":\"(Fran\u00e7ais) Solutions challenges Bandit OverTheWire (1-24) - Aerian.fr\",\"isPartOf\":{\"@id\":\"https:\/\/www.aerian.fr\/en\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.aerian.fr\/en\/bandit-challenges-overthewire\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.aerian.fr\/bandit-challenges-overthewire\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.aerian.fr\/wp-content\/uploads\/2013\/08\/overthewire_logo-e1509911163861.png\",\"datePublished\":\"2013-08-01T22:17:37+00:00\",\"dateModified\":\"2018-02-18T13:49:01+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.aerian.fr\/en\/bandit-challenges-overthewire\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[[\"https:\/\/www.aerian.fr\/en\/bandit-challenges-overthewire\/\"]]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.aerian.fr\/en\/bandit-challenges-overthewire\/#primaryimage\",\"url\":\"https:\/\/www.aerian.fr\/wp-content\/uploads\/2013\/08\/overthewire_logo-e1509911163861.png\",\"contentUrl\":\"https:\/\/www.aerian.fr\/wp-content\/uploads\/2013\/08\/overthewire_logo-e1509911163861.png\",\"width\":300,\"height\":300},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.aerian.fr\/en\/bandit-challenges-overthewire\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.aerian.fr\/en\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Solutions challenges Bandit OverTheWire (1-24)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.aerian.fr\/en\/#website\",\"url\":\"https:\/\/www.aerian.fr\/en\/\",\"name\":\"Aerian.fr\",\"description\":\"Welcome to Aerian.fr\",\"publisher\":{\"@id\":\"https:\/\/www.aerian.fr\/en\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.aerian.fr\/en\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.aerian.fr\/en\/#organization\",\"name\":\"Aerian.fr\",\"url\":\"https:\/\/www.aerian.fr\/en\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.aerian.fr\/en\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.aerian.fr\/wp-content\/uploads\/2012\/01\/logo.png\",\"contentUrl\":\"https:\/\/www.aerian.fr\/wp-content\/uploads\/2012\/01\/logo.png\",\"width\":667,\"height\":522,\"caption\":\"Aerian.fr\"},\"image\":{\"@id\":\"https:\/\/www.aerian.fr\/en\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/LinceAerian\",\"https:\/\/www.linkedin.com\/in\/marleixmathieu\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.aerian.fr\/#\/schema\/person\/622c3cefbea11a0be741137608b4bf8b\",\"name\":\"42\",\"sameAs\":[\"http:\/\/www.aerian.fr\"],\"url\":\"https:\/\/www.aerian.fr\/en\/author\/lince\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"(Fran\u00e7ais) Solutions challenges Bandit OverTheWire (1-24) - Aerian.fr","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.aerian.fr\/en\/bandit-challenges-overthewire\/","og_locale":"en_US","og_type":"article","og_title":"(Fran\u00e7ais) Solutions challenges Bandit OverTheWire (1-24) - Aerian.fr","og_description":"Sorry, this entry is only available in Fran\u00e7ais.J’ai commenc\u00e9 \u00e0 m’amuser avec les “challenges” du site OverTheWire. Ce site propose des exercices […]","og_url":"https:\/\/www.aerian.fr\/en\/bandit-challenges-overthewire\/","og_site_name":"Aerian.fr","article_published_time":"2013-08-01T22:17:37+00:00","article_modified_time":"2018-02-18T13:49:01+00:00","og_image":[{"width":300,"height":300,"url":"https:\/\/www.aerian.fr\/wp-content\/uploads\/2013\/08\/overthewire_logo-e1509911163861.png","type":"image\/png"}],"author":"42","twitter_card":"summary_large_image","twitter_creator":"@LinceAerian","twitter_site":"@LinceAerian","twitter_misc":{"Written by":"42","Est. reading time":"14 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.aerian.fr\/bandit-challenges-overthewire\/#article","isPartOf":{"@id":"https:\/\/www.aerian.fr\/bandit-challenges-overthewire\/"},"author":{"name":"42","@id":"https:\/\/www.aerian.fr\/#\/schema\/person\/622c3cefbea11a0be741137608b4bf8b"},"headline":"(Fran\u00e7ais) Solutions challenges Bandit OverTheWire (1-24)","datePublished":"2013-08-01T22:17:37+00:00","dateModified":"2018-02-18T13:49:01+00:00","mainEntityOfPage":{"@id":"https:\/\/www.aerian.fr\/bandit-challenges-overthewire\/"},"wordCount":1340,"publisher":{"@id":"https:\/\/www.aerian.fr\/#organization"},"image":{"@id":"https:\/\/www.aerian.fr\/bandit-challenges-overthewire\/#primaryimage"},"thumbnailUrl":"https:\/\/www.aerian.fr\/wp-content\/uploads\/2013\/08\/overthewire_logo-e1509911163861.png","keywords":["bandit","challenges","hack","level","overthewire","security","solution"],"articleSection":["Notes","Security"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.aerian.fr\/en\/bandit-challenges-overthewire\/","url":"https:\/\/www.aerian.fr\/en\/bandit-challenges-overthewire\/","name":"(Fran\u00e7ais) Solutions challenges Bandit OverTheWire (1-24) - Aerian.fr","isPartOf":{"@id":"https:\/\/www.aerian.fr\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.aerian.fr\/en\/bandit-challenges-overthewire\/#primaryimage"},"image":{"@id":"https:\/\/www.aerian.fr\/bandit-challenges-overthewire\/#primaryimage"},"thumbnailUrl":"https:\/\/www.aerian.fr\/wp-content\/uploads\/2013\/08\/overthewire_logo-e1509911163861.png","datePublished":"2013-08-01T22:17:37+00:00","dateModified":"2018-02-18T13:49:01+00:00","breadcrumb":{"@id":"https:\/\/www.aerian.fr\/en\/bandit-challenges-overthewire\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":[["https:\/\/www.aerian.fr\/en\/bandit-challenges-overthewire\/"]]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.aerian.fr\/en\/bandit-challenges-overthewire\/#primaryimage","url":"https:\/\/www.aerian.fr\/wp-content\/uploads\/2013\/08\/overthewire_logo-e1509911163861.png","contentUrl":"https:\/\/www.aerian.fr\/wp-content\/uploads\/2013\/08\/overthewire_logo-e1509911163861.png","width":300,"height":300},{"@type":"BreadcrumbList","@id":"https:\/\/www.aerian.fr\/en\/bandit-challenges-overthewire\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.aerian.fr\/en\/"},{"@type":"ListItem","position":2,"name":"Solutions challenges Bandit OverTheWire (1-24)"}]},{"@type":"WebSite","@id":"https:\/\/www.aerian.fr\/en\/#website","url":"https:\/\/www.aerian.fr\/en\/","name":"Aerian.fr","description":"Welcome to Aerian.fr","publisher":{"@id":"https:\/\/www.aerian.fr\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.aerian.fr\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.aerian.fr\/en\/#organization","name":"Aerian.fr","url":"https:\/\/www.aerian.fr\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.aerian.fr\/en\/#\/schema\/logo\/image\/","url":"https:\/\/www.aerian.fr\/wp-content\/uploads\/2012\/01\/logo.png","contentUrl":"https:\/\/www.aerian.fr\/wp-content\/uploads\/2012\/01\/logo.png","width":667,"height":522,"caption":"Aerian.fr"},"image":{"@id":"https:\/\/www.aerian.fr\/en\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/LinceAerian","https:\/\/www.linkedin.com\/in\/marleixmathieu"]},{"@type":"Person","@id":"https:\/\/www.aerian.fr\/#\/schema\/person\/622c3cefbea11a0be741137608b4bf8b","name":"42","sameAs":["http:\/\/www.aerian.fr"],"url":"https:\/\/www.aerian.fr\/en\/author\/lince\/"}]}},"_links":{"self":[{"href":"https:\/\/www.aerian.fr\/en\/wp-json\/wp\/v2\/posts\/997","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.aerian.fr\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.aerian.fr\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.aerian.fr\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.aerian.fr\/en\/wp-json\/wp\/v2\/comments?post=997"}],"version-history":[{"count":39,"href":"https:\/\/www.aerian.fr\/en\/wp-json\/wp\/v2\/posts\/997\/revisions"}],"predecessor-version":[{"id":2131,"href":"https:\/\/www.aerian.fr\/en\/wp-json\/wp\/v2\/posts\/997\/revisions\/2131"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.aerian.fr\/en\/wp-json\/wp\/v2\/media\/1675"}],"wp:attachment":[{"href":"https:\/\/www.aerian.fr\/en\/wp-json\/wp\/v2\/media?parent=997"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.aerian.fr\/en\/wp-json\/wp\/v2\/categories?post=997"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.aerian.fr\/en\/wp-json\/wp\/v2\/tags?post=997"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}