OverTheWire - Bandit - Level 6

The solution to OverTheWire's Bandit, Level 6

Bandit 6

I’m so happy to have some hints to go off of and to have to figure it out now. We’re starting to get to some good stuff now.

Challenge

The password for the next level is stored somewhere on the server and has all of the following properties:

  • owned by user bandit7
  • owned by group bandit6
  • 33 bytes in size

Notes

It appears we’ll be doing more finding… let’s crack open ss64 - FIND command again. Alternatively, if you’re on *nix, you can just type man find to get the same info.

bandit6@bandit:~$ ls -l
total 0

bandit6@bandit:~$ ls -la
total 20
drwxr-xr-x  2 root root 4096 Feb 21 22:02 .
drwxr-xr-x 70 root root 4096 Feb 21 22:04 ..
-rw-r--r--  1 root root  220 Jan  6  2022 .bash_logout
-rw-r--r--  1 root root 3771 Jan  6  2022 .bashrc
-rw-r--r--  1 root root  807 Jan  6  2022 .profile

To the root!

Ahhh, it looks like we’re looking system wide now, and no longer just in the current dir. Let’s try and filter out some permission denied messages w/negative grep.

bandit6@bandit:~$ find / -size 33c -user bandit7 -group bandit6 | grep -v 'denied'
find: ‘/sys/kernel/tracing’: Permission denied
find: ‘/sys/kernel/debug’: Permission denied
find: ‘/sys/fs/pstore’: Permission denied
find: ‘/sys/fs/bpf’: Permission denied
find: ‘/lost+found’: Permission denied
find: ‘/boot/efi’: Permission denied
find: ‘/drifter/drifter14_src/axTLS’: Permission denied
find: ‘/proc/tty/driver’: Permission denied
find: ‘/proc/1543179/task/1543179/fd/6’: No such file or directory
find: ‘/proc/1543179/task/1543179/fdinfo/6’: No such file or directory
find: ‘/proc/1543179/fd/5’: No such file or directory
find: ‘/proc/1543179/fdinfo/5’: No such file or directory
find: ‘/run/chrony’: Permission denied
find: ‘/run/user/11026’: Permission denied
find: ‘/run/user/11011’: Permission denied
find: ‘/run/user/8005’: Permission denied
find: ‘/run/user/11021’: Permission denied
find: ‘/run/user/11015’: Permission denied
find: ‘/run/user/11019’: Permission denied
find: ‘/run/user/11031’: Permission denied
find: ‘/run/user/8006’: Permission denied
find: ‘/run/user/11007’: Permission denied
find: ‘/run/user/11009’: Permission denied
find: ‘/run/user/11030’: Permission denied
find: ‘/run/user/11016’: Permission denied
find: ‘/run/user/11013’: Permission denied
find: ‘/run/user/11014’: Permission denied
find: ‘/run/user/11012’: Permission denied
find: ‘/run/user/11024’: Permission denied
find: ‘/run/user/11032’: Permission denied
find: ‘/run/user/11023’: Permission denied
find: ‘/run/user/11000’: Permission denied
find: ‘/run/user/11003’: Permission denied
find: ‘/run/user/11020’: Permission denied
find: ‘/run/user/11004’: Permission denied
find: ‘/run/user/11001’: Permission denied
find: ‘/run/user/11002’: Permission denied
find: ‘/run/user/11008’: Permission denied
find: ‘/run/user/11006/systemd/inaccessible/dir’: Permission denied
find: ‘/run/user/11005’: Permission denied
find: ‘/run/sudo’: Permission denied
find: ‘/run/screen/S-bandit20’: Permission denied
find: ‘/run/multipath’: Permission denied
find: ‘/run/cryptsetup’: Permission denied
find: ‘/run/lvm’: Permission denied
find: ‘/run/credentials/systemd-sysusers.service’: Permission denied
find: ‘/run/systemd/propagate’: Permission denied
find: ‘/run/systemd/unit-root’: Permission denied
find: ‘/run/systemd/inaccessible/dir’: Permission denied
find: ‘/run/lock/lvm’: Permission denied
find: ‘/snap/core18/2679/etc/ssl/private’: Permission denied
find: ‘/snap/core18/2679/root’: Permission denied
find: ‘/snap/core18/2679/var/cache/ldconfig’: Permission denied
find: ‘/snap/core18/2679/var/lib/private’: Permission denied
find: ‘/snap/core20/1822/etc/ssl/private’: Permission denied
find: ‘/snap/core20/1822/root’: Permission denied
find: ‘/snap/core20/1822/var/cache/ldconfig’: Permission denied
find: ‘/snap/core20/1822/var/cache/private’: Permission denied
find: ‘/snap/core20/1822/var/lib/private’: Permission denied
find: ‘/snap/core20/1822/var/lib/snapd/void’: Permission denied
find: ‘/tmp’: Permission denied
find: ‘/dev/mqueue’: Permission denied
find: ‘/dev/shm’: Permission denied
find: ‘/etc/polkit-1/localauthority’: Permission denied
find: ‘/etc/multipath’: Permission denied
find: ‘/etc/sudoers.d’: Permission denied
find: ‘/etc/ssl/private’: Permission denied
find: ‘/root’: Permission denied
find: ‘/home/drifter6/data’: Permission denied
find: ‘/home/drifter8/chroot’: Permission denied
find: ‘/home/bandit27-git’: Permission denied
find: ‘/home/bandit31-git’: Permission denied
find: ‘/home/ubuntu’: Permission denied
find: ‘/home/bandit29-git’: Permission denied
find: ‘/home/bandit28-git’: Permission denied
find: ‘/home/bandit5/inhere’: Permission denied
find: ‘/home/bandit30-git’: Permission denied
find: ‘/var/cache/apt/archives/partial’: Permission denied
find: ‘/var/cache/private’: Permission denied
find: ‘/var/cache/pollinate’: Permission denied
find: ‘/var/cache/apparmor/e10c1cf9.0’: Permission denied
find: ‘/var/cache/apparmor/c47eabf7.0’: Permission denied
find: ‘/var/cache/ldconfig’: Permission denied
find: ‘/var/crash’: Permission denied
find: ‘/var/log’: Permission denied
find: ‘/var/snap/lxd/common/lxd’: Permission denied
find: ‘/var/tmp’: Permission denied
find: ‘/var/spool/cron/crontabs’: Permission denied
find: ‘/var/spool/rsyslog’: Permission denied
find: ‘/var/spool/bandit24’: Permission denied
find: ‘/var/lib/apt/lists/partial’: Permission denied
find: ‘/var/lib/polkit-1’: Permission denied
find: ‘/var/lib/ubuntu-advantage/apt-esm/var/lib/apt/lists/partial’: Permission denied
find: ‘/var/lib/private’: Permission denied
find: ‘/var/lib/chrony’: Permission denied
find: ‘/var/lib/amazon’: Permission denied
find: ‘/var/lib/snapd/void’: Permission denied
find: ‘/var/lib/snapd/cookie’: Permission denied
find: ‘/var/lib/update-notifier/package-data-downloads/partial’: Permission denied
/var/lib/dpkg/info/bandit7.password

Ahh.. so it’s important to know about stdin, stdout, stderr, and pipes. In this case, those permission denied messages are being output to stderr not stdout. The pipe operator | is going to pipe stdout to grep, which means we can match on things in stdout. stderr is being output directly to the screen though, we’re not redirecting it, so we still get all the permission denied messages. Doh!
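The stream behaviour described above, reproduced as an added example on a constructed temporary tree (this is not code or output from the original post). The function names, the `missing` start path and the sample files are assumptions for the demo; `-group` is left out because a sandbox user cannot chown files to another group.

```shell
#!/bin/sh
# Added example on a constructed sandbox tree (not the Bandit server).

make_tree() {
    # One 33-byte target, one decoy of another size, one unreadable directory.
    root=$(mktemp -d)
    mkdir -p "$root/var/lib" "$root/locked"
    printf '%032d\n' 0 > "$root/var/lib/target"   # 32 digits + newline = 33 bytes
    printf 'short\n' > "$root/var/lib/decoy"
    chmod 000 "$root/locked"
    printf '%s\n' "$root"
}

search() {
    # "$1/missing" does not exist, so find always writes at least one
    # diagnostic to stderr, even when run as root (assumption for the demo).
    find "$1" "$1/missing" -type f -size 33c -user "$(id -u)"
}

leaked_stderr() {
    # The post's approach: grep only sees stdout. Count the stderr lines
    # that bypass the pipe entirely.
    { search "$1" | grep -v 'denied' >/dev/null; } 2>&1 | wc -l | tr -d ' '
}

quiet_search() {
    # Discard stderr at the source; find exits non-zero on errors, hence || true.
    search "$1" 2>/dev/null || true
}

merged_search() {
    # Merge stderr into stdout first, then the negative grep can match it.
    search "$1" 2>&1 | grep -v '^find:'
}

demo_root=$(make_tree)
echo "stderr lines that escaped the pipe: $(leaked_stderr "$demo_root")"
echo "2>/dev/null:       $(quiet_search "$demo_root")"
echo "2>&1 | grep -v:    $(merged_search "$demo_root")"
chmod 700 "$demo_root/locked" && rm -rf "$demo_root"
```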

Regardless, I did see an interesting file at the bottom of the results :)

/var/lib/dpkg/info/bandit7.password

bandit6@bandit:~$ cat /var/lib/dpkg/info/bandit7.password
FLAG_FLAG_FLAG_FLAG_FLAG