Linux Hacking: SETUID Binary, Netcat & Cron | Bandit: OverTheWire (Levels 19-22)

John Hammond · Intermediate ·🔐 Cybersecurity ·8y ago

Key Takeaways

Solving Bandit levels 19-22 using SETUID binary, Netcat, and Cron

Full Transcript

hello everyone and welcome back to the YouTube video still looking at the bandit war game from over the wire and we just finished up level 19 or likes now we are on level 19 and we're just jumping back in I'm going to still use us a sage pass with the file that we're using to keep the password that we've been collecting and assisting with the correct user so once we are in we can see in our home directory a bandit 20 do but it's all red and weird so the prompt here says to gain access to the next level use the set UID binary in the home directory execute it without arguments to find out how to use it and passing for the level can be found the usual place after you've so if you haven't seen a set UID to binary before you can read up on it but the gist of it is is that it lets you within the scope of that programmer within the scope of just running that program that binary that executable you get to act as another user so if we check out the permissions on this I'm gonna LS tak L you can see our WS as part of the permissions that s means it's a set UID binary so it's owned by bandit 20 however we are Bend at 19 so it's owned by the next level so we can take advantage of it and exploit it or quote-unquote to get the password for bandit 20 that's typically how most wargames work is that you have binaries or programs that will give you like temporary access for the user the user above the user you're currently in or the next level and then you just got to figure out a way to get it to spit out the password or let you into the next level so let's try this bandit do it it is just executable we see that it's marked that that X bit so we can use a period and a four slash and dot slash the binary to run it so I just tapped out of complete I hit enter and it says run the command as another user example bandit 20 attack to ID so ID just to see what happens ah so our unique are you sorry not unique our user ID is this we can tell we're been at 19 our group ID number and in 19 but our effective user ID or our II UID our effective user ID is banned at 20 so we are acting for the moment as banned at 20 now if I ran this without that banned at 20 do if I just ran regular old ID command that been at 20 is not in there because within the scope of that program we're running a set UID binary and we can do whatever we want as that user especially if we can just run commands why not cat etc bandit pass oh how about bandit 20 why does that not work oh it's because I spelled bandit no I didn't hotel what am I doing wrong did I did I actually type something wrong here what oh oh oh oh I'm sorry okay after poking around a little bit I figured out what the issue was it's trying to run that whole thing as if it were a command as if that argument were a command but we need to have those not in quotes so that it will run everything tokenized and then cut the file up okay I'm sorry I was miss reading Oh permission denied and it's not there but no such file directory isn't it's actually not their permission denied is just saying oh we don't have the permission to read it it was reading this entire string you can see from the environment it's not it's not wasn't it wasn't like a bash error it's just like environment this isn't a command you can run so I realize okay you can't have you can't have quotes in their peculiar saying a note but password for Ben at 20 good stuff let's keep moving now let's try it one more time get to your bandit 20 all right we're logged in and what is this we were getting close to the end set UID binary in the home director does the following it makes a connection to local house on a port you specify as a command line again it then reads a lot of text on the connection and compares it to the password in the previous level if the password is correct it will transmit the password for the next level what what so su connect this program will connect the given port on T son local port and local is using TCP if it receives it so thanks for strands on your backs oh so we need to have a connection just kind of listening just kind of waiting to give it to okay waiting on itself to okay so we need two shells right now because one when do invoke su connect to connect to our self let's SSH bandit 20 at bandit labs dot over the wire that word paste the password in did I not paste it what's going on oh I'm a fool I realized I was not on the right port number that's silly me all right cool now we're done 10 so if we had a netcat listener which you may not have heard before but let's put something on tack l listening on port 80 8 now that's doing its own thing like that is its own socket and servers or server server service whatever you want to call it running on 8 8 8 8 on this localhost on this on this computer let's actually ensure that port is what we want with tag V and let's use V to be verbose so listening here and if we were to make a connection up top with 888 give it the port number that we are currently listening on you can see it makes a connection so connected here so it wants to receive the correct password it wants to receive the current password so if we paste this in send it it says great that client read the password matches what it was supposed to be so it'll send the next one and we can see back down here we did get the password for bandit 21 perfect does that make sense we set up a shell we set up another netcat listener to act as a server so that it could send a connection to it on that port number that we've supplied because we're the one creating that service creating that server and then if we just give it the password that expected the input that it wanted it would send us the password awesome let's get to bandit 21 logged in program is running automatically at regular intervals from cron the time-based job schedule looking etc cron dot d for the configuration and see what commander is being executed ah ok so these are the commands we can check out if you haven't heard of cron before it is just a task scheduler like run commands and run scripts at a specific time and you can run through all of the main pages if you really want to but if I guess I'm just gonna have us jump in because cron is the program that runs all this stuff at a specific time it will schedule a job or schedule a task so you can modify these by using a cron tab editor and that is done with crontab tak e to edit ok permission denied so I can't edit these because I'm not allowed to whatever rights I have is the bandit 21 user but as it said we can check out the etc cron tak D folder in our file system and see what in that directory we can read so let's actually get there so I'm bandit 21 and I want the pastor of bandit 22 so let's check out what that file is also on reboot it runs this and this syntax here crontab have a here I'll show you on my my host crontab tacky no you can specify a minute our day of month day of something whatever day of week I don't know it doesn't really matter you can go through the details of this but it will let you specify it at what interval you want this command to execute so if they're using a star they're doing every that's the wildcard for every single occurrence so in this case up top since I've specified it for every minute of every hour of every weekday etc etc it's doing this every minute so this is the command that it must be running as the bandit 22 user so let's check out what that is cat that file oh it's putting a temporary file creating one and it's cutting out the password to the bandit 22 user into that temporary file well if it's in temp that's a world readable well writable list not full readable in this case but we might be able to read that file let's check out do we have permissions on that thing we do everyone has permission to read it so let's check it out there is the password for bandit 22 all right let's note that one and let's hurry up here see what is that program is running automatically at regular intervals from cron the time-based job scheduler so check out okay the same directory were in the cron configuration we see a cron job bandit 23 let's see what is in this ok another script and user bin just as the previous level was let's count out what this is doing so it has a shebang line it's a running a bash script it's trying to get the current user with who am i stored as a variable my name says my target is the output of echo I am my name pipe two md5sum cut tact D okay so let's try it let's try and recreate this just to kind of get an idea of what it's doing Who am I is the command to get your username right so we sorted in the variable my name and if I use the dollar sign here that will expand the variable there using the dollar sign in parentheses to say that I'm doing command substitution a lot like our backticks at some of their syntax for command substitution so they're saying my target is all this stuff what is now the my target variable okay a hash because this is echoing I am user bandit 22 in this case putting it into md5 sum an md5 sum is taking just a hash okay bandits 22 now you see we get the same hash because we're just doing that and it's cutting out this - at the end they're just using cut attack D with the space and the getting the first field to get only that but this isn't being run from the cron job as user bandit 22 it's being run as Bend at 23 so this is being executed with my target using echo I am user bandit 23 we can make that change and now this must be the hash that we're actually going to be looking for because this script as we saw earlier takes all these variables and then it copies the password file to a temporary location with that variable okay so can we cat out that file no hmm okay what's going wrong echo I am user bandit ah I wrote bandit 32 I'm a fool at least that wasn't incredibly painful troubleshooting thanks for sticking with me guys I'm sure you were screaming at your monitor the whole time great now we have the password for bandit 23 alright let's save this and put this a new file but let's table these for now and we'll get back to the next level and finishing up bandit in the next video so thanks so much again for sticking with me guys hope you're enjoying these things for tolerating my mistakes and I'll see you in the next video

Original Description

If you would like to support me, please like, comment & subscribe, and check me out on Patreon: https://patreon.com/johnhammond010 E-mail: johnhammond010@gmail.com PayPal: http://paypal.me/johnhammond010 GitHub: https://github.com/JohnHammond Site: http://www.johnhammond.org Twitter: https://twitter.com/_johnhammond
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from John Hammond · John Hammond · 0 of 60

← Previous Next →
1 Code Commentaries? PHP to JavaScript in Bash and PHP!
Code Commentaries? PHP to JavaScript in Bash and PHP!
John Hammond
2 Tutorials? MySQL connection with PHP and Bash!
Tutorials? MySQL connection with PHP and Bash!
John Hammond
3 Variable Naming in Python! Happy Birthday, Linux! Nokia N900!
Variable Naming in Python! Happy Birthday, Linux! Nokia N900!
John Hammond
4 JavaScript Splits The URL!
JavaScript Splits The URL!
John Hammond
5 HTML Tables in Python!
HTML Tables in Python!
John Hammond
6 HTML, Net Shares, GML!
HTML, Net Shares, GML!
John Hammond
7 Python 08 Programming Style and Comments
Python 08 Programming Style and Comments
John Hammond
8 Python 26 Object Oriented Programming
Python 26 Object Oriented Programming
John Hammond
9 75 Python Tutorials, Out Now!
75 Python Tutorials, Out Now!
John Hammond
10 Batch 14 Mathematical Expressions
Batch 14 Mathematical Expressions
John Hammond
11 Batch 85 Array Append
Batch 85 Array Append
John Hammond
12 Batch 86 Array Count
Batch 86 Array Count
John Hammond
13 Batch 87 Array Index
Batch 87 Array Index
John Hammond
14 Batch 88 Array Insert
Batch 88 Array Insert
John Hammond
15 Batch 89 Array Remove
Batch 89 Array Remove
John Hammond
16 Batch 90 Array Reverse
Batch 90 Array Reverse
John Hammond
17 Python [colorama] 00 Installing on Linux
Python [colorama] 00 Installing on Linux
John Hammond
18 Python [colorama] 09 Cursor Position
Python [colorama] 09 Cursor Position
John Hammond
19 Python [hashlib] 02 Algorithms
Python [hashlib] 02 Algorithms
John Hammond
20 Python 00 Installing IDLE on Linux
Python 00 Installing IDLE on Linux
John Hammond
21 Python [pygame] 11 Rectangular Collision Detection
Python [pygame] 11 Rectangular Collision Detection
John Hammond
22 Python [pygame] 12 Platforming Rectangular Collision Resolution
Python [pygame] 12 Platforming Rectangular Collision Resolution
John Hammond
23 Python [XML-RPC] 01 Research
Python [XML-RPC] 01 Research
John Hammond
24 Python [pyenchant] 03 Personal Word Lists
Python [pyenchant] 03 Personal Word Lists
John Hammond
25 FancyURLopener Authentication and User-Agent [urllib] 03
FancyURLopener Authentication and User-Agent [urllib] 03
John Hammond
26 Python 04: PEP8 Coding
Python 04: PEP8 Coding
John Hammond
27 Python Challenge! 17 COOKIES
Python Challenge! 17 COOKIES
John Hammond
28 Google CTF 2016: Ernst Echidna
Google CTF 2016: Ernst Echidna
John Hammond
29 Google CTF 2016: Spotted Quoll
Google CTF 2016: Spotted Quoll
John Hammond
30 Google CTF 2016: Can you Repo It?
Google CTF 2016: Can you Repo It?
John Hammond
31 Google CTF 2016: No Big Deal
Google CTF 2016: No Big Deal
John Hammond
32 Google CTF 2016: In Recorded Conversation
Google CTF 2016: In Recorded Conversation
John Hammond
33 Homemade CTF Challenge: 01 "Orchestra"
Homemade CTF Challenge: 01 "Orchestra"
John Hammond
34 Homemade CTF Challenge: 02 "Bae's Base"
Homemade CTF Challenge: 02 "Bae's Base"
John Hammond
35 Homemade CTF Challenge: 03 "Web Hunt"
Homemade CTF Challenge: 03 "Web Hunt"
John Hammond
36 Homemade CTF Challenge: 04 "UPX"
Homemade CTF Challenge: 04 "UPX"
John Hammond
37 Homemade CTF Challenge: 05 "The Assumption Song"
Homemade CTF Challenge: 05 "The Assumption Song"
John Hammond
38 Homemade CTF Challenge: 06 "A Brisk Stroll"
Homemade CTF Challenge: 06 "A Brisk Stroll"
John Hammond
39 Homemade CTF Challenge: 06 "I lost my password!"
Homemade CTF Challenge: 06 "I lost my password!"
John Hammond
40 web25 :: Mr. Robot : EKOPARTY CTF 2016
web25 :: Mr. Robot : EKOPARTY CTF 2016
John Hammond
41 web50 : RFC 7230 :: EKOPARTY CTF 2016
web50 : RFC 7230 :: EKOPARTY CTF 2016
John Hammond
42 misc50 : Hidden inside EKO :: EKOPARTY CTF 2016
misc50 : Hidden inside EKO :: EKOPARTY CTF 2016
John Hammond
43 Hack The Vote 2016 CTF: Sander's Fan Club [web100]
Hack The Vote 2016 CTF: Sander's Fan Club [web100]
John Hammond
44 Hack The Vote 2016 CTF Warpspeed [forensics150]
Hack The Vote 2016 CTF Warpspeed [forensics150]
John Hammond
45 Juniors CTF 2016 :: Black Suprematic Square
Juniors CTF 2016 :: Black Suprematic Square
John Hammond
46 Juniors CTF 2016 :: Six Strange Tales
Juniors CTF 2016 :: Six Strange Tales
John Hammond
47 Juniors CTF 2016 :: Lost Code
Juniors CTF 2016 :: Lost Code
John Hammond
48 Juniors CTF 2016 :: Here Goes!
Juniors CTF 2016 :: Here Goes!
John Hammond
49 Juniors CTF 2016 :: Southern Cross
Juniors CTF 2016 :: Southern Cross
John Hammond
50 Juniors CTF 2016 :: Clone Attack
Juniors CTF 2016 :: Clone Attack
John Hammond
51 Juniors CTF 2016 :: Dirty Repo
Juniors CTF 2016 :: Dirty Repo
John Hammond
52 Juniors CTF 2016 :: Hackers Blog
Juniors CTF 2016 :: Hackers Blog
John Hammond
53 Juniors CTF 2016 :: Voting!!!
Juniors CTF 2016 :: Voting!!!
John Hammond
54 Juniors CTF 2016 :: The Good, The Bad and The Junkman
Juniors CTF 2016 :: The Good, The Bad and The Junkman
John Hammond
55 Juniors CTF 2016 :: Stop Thief!
Juniors CTF 2016 :: Stop Thief!
John Hammond
56 Juniors CTF 2016 :: ROFL
Juniors CTF 2016 :: ROFL
John Hammond
57 Juniors CTF 2016 :: Restriced Area
Juniors CTF 2016 :: Restriced Area
John Hammond
58 Juniors CTF 2016 :: Oh SSH!
Juniors CTF 2016 :: Oh SSH!
John Hammond
59 HackCon CTF 2017 TRIVIA and BONUS Challenges
HackCon CTF 2017 TRIVIA and BONUS Challenges
John Hammond
60 HackCon CTF 2017 "Bacche" Challenges
HackCon CTF 2017 "Bacche" Challenges
John Hammond

Related Reads

📰
Top 20 Cyber Security Interview Questions for Freshers
Learn the top 20 cyber security interview questions for freshers to boost your career in cyber security
Dev.to AI
📰
Managing a Million Security Profiles at the Edge
Learn how to manage a large number of security profiles at the edge of a global network by predicting site defenses and traffic patterns
Medium · AI
📰
The First Five Minutes After an Employee Clicks a Phishing Link
Learn what happens in the first five minutes after an employee clicks a phishing link and why it matters for cybersecurity
Medium · Cybersecurity
📰
IDOR simple way with no burpsuite banged P3
Learn a simple way to identify IDOR vulnerabilities without using Burpsuite, and understand the impact and reporting of such vulnerabilities
Medium · Cybersecurity
Up next
Best VPN For China 2026 — Which One Actually Works?
Tutorial Stack
Watch →