Over The Wire Writeup


Recently I have been trying out some wargames on
http://overthewire.org to increase my cracking skills.

Bandit

Access like ssh -p 2220 bandit.labs.overthewire.org

This is just an exercise in basic Unix commands.

The sha512sum of the passwords (from echo password | sha512sum) are


Natas

These are a series of webpages on http://natas0.natas.labs.overthewire.org/

You can see my ranking on
http://www.wechall.net//profile/sstewartgallus

natas0

Simply view source

natas1

Simply view source

natas2

Find a file in a secret directory

natas3

Search robots.txt

natas4

Simply edit the Referer header

natas5

Simply change the loggedin cookie

natas6

Simply view the included file from the source.

natas7

Simply change the page parameter to the password file

natas8

Simply decode the secret in the source

natas9

You can inject a shell command here.

natas10

They filter certain shell characters but not newlines.
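Why a character blacklist fails here and what replaces it, as an added example (not code from the level or from this writeup). The blacklist pattern, the function names and the word list are assumptions, and the probe input is constructed and only echoes a marker.

```python
import re
import subprocess
import tempfile

# Assumed blacklist: the page only says "certain shell characters" are filtered.
BLACKLIST = re.compile(r"[;|&]")

def blacklist_accepts(needle: str) -> bool:
    """True if the character blacklist lets the input through."""
    return BLACKLIST.search(needle) is None

def unsafe_grep(needle: str, path: str) -> str:
    """Weak form: filtered input is still pasted into a shell command line,
    and the shell treats a newline as a command separator."""
    if not blacklist_accepts(needle):
        raise ValueError("illegal character")
    done = subprocess.run(f"grep -i {needle} {path}", shell=True,
                          stdin=subprocess.DEVNULL, capture_output=True, text=True)
    return done.stdout

def safe_grep(needle: str, path: str) -> list:
    """Hardened form: allowlist the input and pass it as a single argv
    element, so no shell ever parses it."""
    if not re.fullmatch(r"[A-Za-z0-9]+", needle):
        raise ValueError("needle must be alphanumeric")
    done = subprocess.run(["grep", "-i", "-F", "--", needle, path],
                          stdin=subprocess.DEVNULL, capture_output=True, text=True)
    return done.stdout.splitlines()

def demo() -> dict:
    """Run both forms against a constructed word list and a harmless probe."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt") as words:
        words.write("apple\nBanana\ncherry\n")
        words.flush()
        probe = "zzz\necho MARKER"  # constructed input; the second line only echoes
        result = {"filter_passed": blacklist_accepts(probe),
                  "unsafe_output": unsafe_grep(probe, words.name),
                  "safe_match": safe_grep("banana", words.name)}
        try:
            safe_grep(probe, words.name)
            result["safe_rejected_probe"] = False
        except ValueError:
            result["safe_rejected_probe"] = True
    return result

if __name__ == "__main__":
    print(demo())
```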

natas11

The cookie is XOR encrypted, so two different values can be XORed
together to recover the key.
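The key recovery described above, next to a tamper-evident replacement, as an added example (not the level's code). The key, secret and cookie contents are constructed, and the HMAC-signed cookie is one common fix assumed here, not something the level uses.

```python
import hashlib
import hmac

def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_key(known_plain: bytes, cipher: bytes) -> bytes:
    """plaintext XOR ciphertext is the key repeated; return its shortest period."""
    stream = bytes(p ^ c for p, c in zip(known_plain, cipher))
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream

def sign(value: bytes, secret: bytes) -> bytes:
    """Hardened form: leave the value readable and append an HMAC-SHA256 tag."""
    tag = hmac.new(secret, value, hashlib.sha256).hexdigest().encode()
    return value + b"." + tag

def verify(cookie: bytes, secret: bytes):
    """Return the value if the tag matches, else None (constant-time compare)."""
    value, _, tag = cookie.rpartition(b".")
    expected = hmac.new(secret, value, hashlib.sha256).hexdigest().encode()
    return value if hmac.compare_digest(tag, expected) else None

# Constructed sample data, not the level's real key or cookie.
KEY = b"k3y!"
SECRET = b"constructed-server-secret"
DEFAULT = b'{"role":"guest","theme":"light"}'
COOKIE = xor(DEFAULT, KEY)

def demo() -> dict:
    """Show the XOR key falling out of one known pair, and HMAC rejecting an edit."""
    signed = sign(DEFAULT, SECRET)
    tampered = signed.replace(b"guest", b"admin")
    return {"recovered": recover_key(DEFAULT, COOKIE),
            "valid": verify(signed, SECRET),
            "tampered": verify(tampered, SECRET)}

if __name__ == "__main__":
    print(demo())
```

The HMAC tag gives integrity only; the cookie value stays readable, which is acceptable when it holds preferences rather than secrets.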

natas12

You can upload a file with a PHP extension that is executable. This
doesn't seem to work through Firefox, so I used curl to do it.

natas13

You can make a hybrid JPG and PHP file to fool the checker.

natas14

You can do SQL injection

natas15

You can add a LIKE clause or similar to the SQL query to find if the
password matches and very quickly bruteforce the password.
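Why a yes/no "user exists" answer is enough to leak a password in natas14 and natas15, and how a bound parameter closes it, as an added example (not the levels' code). The table, account and function names are constructed, and SQLite stands in for the real database.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """In-memory table with one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'Constructed9')")
    return db

def exists_unsafe(db, username: str) -> bool:
    """Weak form: the input is concatenated into the SQL text."""
    query = f"SELECT 1 FROM users WHERE username = '{username}'"
    return db.execute(query).fetchone() is not None

def exists_safe(db, username: str) -> bool:
    """Hardened form: the input is bound as data and never parsed as SQL."""
    query = "SELECT 1 FROM users WHERE username = ?"
    return db.execute(query, (username,)).fetchone() is not None

def answers_depend_on_password(check, db) -> bool:
    """True if the yes/no answer changes with a guessed password prefix,
    which is all a character-by-character search needs."""
    right = check(db, "alice' AND password LIKE 'C%")
    wrong = check(db, "alice' AND password LIKE 'X%")
    return right != wrong

if __name__ == "__main__":
    db = make_db()
    print("unsafe leaks:", answers_depend_on_password(exists_unsafe, db))
    print("safe leaks:  ", answers_depend_on_password(exists_safe, db))
```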

natas16

You can bruteforce by injecting a grep command to find the password.

natas17

You can bruteforce by using the sleep function in SQL

Behemoth

Access like ssh -p 2221 behemoth0@behemoth.labs.overthewire.org.

Behemoth 0

The first level is easy. You have to disassemble the binary and find
that it calls the memfrob function which xors a string with 42. You
can then dump the binary strings and xor them with 42 to find the
password. You can then enter the password, get dumped to a shell and
find the password for the next level.

The sha512sum of the password for the next level (from echo password | sha512sum) is
f3d30ef24afd5ba6e09b25a08912a283bb0e83083f6f3cd90b97a138afefdf63effab44e05361bdc41cabc38558528b0e334fab886159a385728ec95720b3abf
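The "dump the strings and XOR them with 42" step from Behemoth 0, written as a strings(1)-style scan, as an added example (not the author's tooling). The sample bytes are constructed, and treating a raw NUL as the end of a string is an assumption about how the encoded strings are stored.

```python
FROB = 42  # memfrob(3) XORs each byte with 42

def frobbed_strings(blob: bytes, min_len: int = 4) -> list:
    """strings(1)-style scan that undoes memfrob before testing for printability.

    A raw NUL ends a run: a string encoded over its strlen keeps a plain NUL
    terminator, and 0x00 ^ 42 would otherwise decode to a printable '*'.
    """
    found, run = [], bytearray()
    for byte in blob + b"\x00":  # trailing NUL flushes the last run
        plain = byte ^ FROB
        if byte != 0 and 0x20 <= plain <= 0x7E:
            run.append(plain)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run.clear()
    return found

# Constructed stand-in for a binary's data: header bytes, one memfrob-encoded
# string with its terminator, then unrelated bytes.
SAMPLE = (b"\x7fELF\x00"
          + bytes(c ^ FROB for c in b"constructed-secret")
          + b"\x00\x01\x02")

if __name__ == "__main__":
    # Ordinary bytes also decode to printable noise; a longer min_len trims it.
    print(frobbed_strings(SAMPLE))
    print(frobbed_strings(SAMPLE, min_len=8))
```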

Behemoth 1

This level involves a buffer overflow with the insecure gets function.
Simply overwrite the return address and you can jump to your shell
code. For simplicity it's probably best to jump to an environment
variable.

Password Hash: d28497a1ce6f75480f532ff8d564f4b62a1eb3b89cc561ebc9846540a2c4550c4231233b94f43b8935c39f8253ce002521ab09606c47e37f0a18a20e0d7f06e6

Behemoth 2

This level's binary shells out to a touch command. We can change the
path and use our own command.

Password Hash: 27e91a16174eda7d0f98f32b54a106674b1a10ab105408a50d3b44c750f0498750ee3b516716f067f667cdc9e7fab63c7f92b78ce917b3355196d2603cb39cfc

Behemoth 3

This level involves a format string vulnerability.

Password Hash: edaf16be59845e3a133e67b9977b7c2f0097b1dac7c0fc4d9e55518ad4082af7bc290008c298dcc0110e768713ded10e2e35769c61c45c14bd55455245ed0811

Behemoth 4

This level involves symlinking a file to another one. You have to use
exec in a shell script also.

Password Hash: 03daaef6d336280074c489bb8cbf188b8ec13bf75e2091d980d71a7aeebfd1be35a4b2c5a2e11cff38113ef5094694647a091329d87e96fbf216843169f4ffd2

Behemoth 5

This level simply involves listening on a network port.

Password Hash: 4a4427d6bf0888b28b7703980cfaa6d0a0301da1987f81f6cb3565b9189010f24af71a3dfeeb48611b4c54bb12555a5d175b3ca5cd727471c6df9d8087ce5973
