A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.
So for bandit26 there is an ssh key in the home directory. The file is: bandit26.sshkey.
Let's save this key in the file where we kept the other key, so we don't have to deal with access rights etc., and let's connect using this file.
ssh -i D:\Users\JonySchats\Desktop\bandit17.txt email@example.com -p 2220
So I tried a lot, read a lot and couldn't figure it out the first time. At the time of writing this walk-through I had already done the challenges once, till like level 31, and wanted to redo them all and write these walk-throughs. So I already knew I had to connect with a small terminal and try to open VI by pressing the v for VI. Then I have to edit the bash variable and start bash. But let's try this without looking up the answer, and I forget all commands for it.
So I dragged my cmd terminal to like 2cm height and connected using the ssh command listed above. I got into the more view. Pressed V to get into the vim text editor. I looked up how to set and change variables since our shell variable was some .txt file. This means we can’t execute any commands.
I tried using
:set SHELL=/bin/bash
but this didn't work. Then I tried
:set shell=/bin/bash
and I didn't get an error.
So how can we now execute commands? I tried typing
:ls -la
but nothing happens. I googled and we need to write an ! in front of the command we want to execute. Okay, let's try this
:! ls -la
and make the screen a bit bigger. There is a file called bandit27-do, a setuid binary for challenge 27. But we need the password for bandit26. We know the password is probably stored in /etc/bandit_pass/bandit26 like every other bandit. So let's cat this file
:! cat /etc/bandit_pass/bandit26
And there is the password! : 5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z
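Seen from the defender's side, the escape above works because the account's login shell is a wrapper that runs more, and more hands off to an editor that can run commands with :!. The audit below is an added example, not part of the original walk-through: the wrapper paths, UIDs and script contents are constructed, and the list of standard shells is an assumption.

```python
import re
import shlex

# Programs with an interactive shell escape: more/less open an editor on "v",
# vi/vim/view run commands with ":!", man hands off to a pager, ed has "!".
ESCAPABLE = {"more", "less", "vi", "vim", "view", "man", "ed"}
# Assumed allow-list; on a real host, read /etc/shells instead.
STANDARD_SHELLS = {"/bin/sh", "/bin/bash", "/usr/sbin/nologin", "/bin/false"}

def escapable_commands(script_text):
    """Return the escapable programs a wrapper script runs, in order seen."""
    found = []
    for line in script_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # shebang or comment line
        # Split pipelines and command lists so each command word is checked.
        for part in re.split(r"[;|&]+", line):
            try:
                words = shlex.split(part, comments=True)
            except ValueError:  # unbalanced quotes: fall back to whitespace
                words = part.split()
            # Skip "exec" and leading VAR=value assignments.
            while words and (words[0] == "exec" or re.match(r"^\w+=", words[0])):
                words.pop(0)
            if words:
                name = words[0].rsplit("/", 1)[-1]
                if name in ESCAPABLE and name not in found:
                    found.append(name)
    return found

def audit(passwd_text, scripts):
    """Map user -> (shell, programs) for login shells that can be escaped."""
    findings = {}
    for entry in passwd_text.strip().splitlines():
        fields = entry.split(":")
        if len(fields) != 7 or fields[6] in STANDARD_SHELLS:
            continue  # malformed entry or an ordinary shell
        hits = escapable_commands(scripts.get(fields[6], ""))
        if hits:
            findings[fields[0]] = (fields[6], hits)
    return findings

# Constructed sample data (hypothetical paths, UIDs and script bodies).
SAMPLE_PASSWD = """\
bandit25:x:11025:11025::/home/bandit25:/bin/bash
bandit26:x:11026:11026::/home/bandit26:/usr/local/bin/show-banner
motd:x:1200:1200::/home/motd:/usr/local/bin/print-motd
"""
SAMPLE_SCRIPTS = {
    "/usr/local/bin/show-banner": "#!/bin/sh\nexport TERM=linux\nexec more ~/text.txt\nexit 0\n",
    "/usr/local/bin/print-motd": "#!/bin/sh\necho 'more info: see the wiki'\ncat /etc/motd\n",
}
```

Only the command word of each command is checked, so the `echo 'more info ...'` line in the second wrapper is not flagged.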
Since we have already seen the file for bandit27, let's try to complete this. We already have the variable set for the shell so we can execute commands. Let's do an
! ls -la
again and see what is in the home directory. I can make the terminal bigger to see, but when I type something it goes back to small.
When I try to execute
:! /bandit27-do
I get no such file or directory. Let's do
:! pwd
to see which directory we are in and try to give the full path.
:! /home/bandit26/bandit27-do
It did run and I got the output back.
Run a command as another user. Example: /home/bandit26/bandit27-do id
which means I can run a command as another user. Okay, we already know where the password file probably is. Let's try the following
:! /home/bandit26/bandit27-do cat /etc/bandit_pass/bandit27
And we got the password: 3ba3118a22e93127a4ed485be72ef5ea
This one took a long time to do and write.