Bandit 17 ~ 20

Bandit17 -> 18

1.There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new

NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19

---

※ cmp, diff, diff3, comm 

cmp : 두 파일을 비교하는 명령어-> 다른 위치만 알려주고 내용은 알려주지 않는는다!!  ($ cmp [option] [file1] [file2]) 

diff : 두 파일 사이의 내용을 비교하는 명령어 ($ diff [option] [file1] [file2])

diff3 : 세 파일 사이의 내용을 비교하는 명령어 ($ diff3 [option] [file1] [file2] [file3])

comm : 두 파일의 공통적인 부분과 한쪽에만 있는 부분을 찾아낼 수 있다

여기서 사용할 명령어는 diff 명령어!!

option -c :  두 파일간의 차이점 출력!

---

01.  diff 명령어 사용
bandit17@bandit:~$ diff -c passwords.new passwords.old
*** passwords.new 2023-01-11 19:18:43.763021135 +0000
--- passwords.old 2023-01-11 19:18:43.759021118 +0000

*** 39,45 ****
gQrtOUFTznkiQ8eV6d3cMwqzEW96Fmas
EDDuIuVuSsLDeGNi9yQ2MKjKaUGFog3G
2CJyw8SShDgBcDPwxhhAxiwFBJxfisw8
! hga5tuuCLF6fFzUpnagiMN8ssu9LFrdg
0ungl7rOBKSIxmD6iR5Ktpm3oUewk9jZ
E21AvMjgWkBvze5hssb29ZGqjskOudcO
v3AmqgL4y0VOqCDE5TyPS5gcF8GxaFXx
--- 39,45 ----
gQrtOUFTznkiQ8eV6d3cMwqzEW96Fmas
EDDuIuVuSsLDeGNi9yQ2MKjKaUGFog3G
2CJyw8SShDgBcDPwxhhAxiwFBJxfisw8
! 810zq8IK64u5A9Lb2ibdTGBtlcSZsoe8
0ungl7rOBKSIxmD6iR5Ktpm3oUewk9jZ
E21AvMjgWkBvze5hssb29ZGqjskOudcO
v3AmqgL4y0VOqCDE5TyPS5gcF8GxaFXx

---

---

bandit18의 PW : hga5tuuCLF6fFzUpnagiMN8ssu9LFrdg

ssh bandit18@bandit.labs.overthewire.org -p 2220
PW: hga5tuuCLF6fFzUpnagiMN8ssu9LFrdg   

---

Bandit18 -> 19

1.The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

---

※ .bashrc -> /bin/bash 가 실행될 때 실행되는 파일

SSH(Secure Shell) : 원격 호스트에 접속하기 위해 사용되는 보안 프로토콜!
★ ssh는 주소 뒤에 리눅스 명령어를 사용할 수 있다 이점을 이용하여 셸을 가져와 이용!!

---

1.  ssh를 이용해 셸을 취득하기
root# ssh bandit18@bandit.labs.overthewire.org -p 2220 /bin/sh
ls
readme
cat readme
awhqfNnAbc1naukrpqDYcF95h7HoMT

---

SSH 명령어 뒤에 /bin/sh 사용

---

bandit19의 PW : awhqfNnAbc1naukrpqDYcF95h7HoMTrC

ssh bandit19@bandit.labs.overthewire.org -p 2220
PW : awhqfNnAbc1naukrpqDYcF95h7HoMTrC

---

Bandit19 -> 20

1.  To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

---

※ setuid binary
- setuid : 사용자, 소유자의 권한으로 실행하게 해주는 권한

 

1.  setuid를 이용하여 bandit20권한으로 PW 얻기
bandit19@bandit:~$ ll
-rwsr-x--- 1 bandit20 bandit19 14876 Jan 11 19:18 bandit20-do*
        
bandit19@bandit:~$ ./bandit20-do
Run a command as another user.
Example: ./bandit20-do id
        
bandit19@bandit:~$ ./bandit20-do id
uid=11019(bandit19) gid=11019(bandit19) euid=11020(bandit20) groups=11019(bandit19)
        
bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
VxCazJaVykI6W36BkBU0mJTCM8rR95XT

---

---

bandit20의 PW : VxCazJaVykI6W36BkBU0mJTCM8rR95XT

ssh bandit20@bandit.labs.overthewire.org -p 2220
PW : VxCazJaVykI6W36BkBU0mJTCM8rR95XT

---

Bandit20 -> 21

1.  There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: Try connecting to your own network daemon to see if it works as you think

---

※ 터미널 2개를 이용하여 nc로 서로 연결하여 PW교환

01.  터미널 2개다 bandit20으로 로그인(터미널A, 터미널B)
    
02.  터미널A는 nc로 연결
bandit20@bandit:~$ nc -lnvp 7777
Listening on 0.0.0.0 7777
    
03.  터미널B는 setuid파일(suconnect)을 이용하여 nc 연결
bandit20@bandit:~$ ./suconnect 7777
[터미널A]
Connection received on 127.0.0.1 45876
    
04.  터미널A에 Bandit20의 암호를 입력
[터미널A]
VxCazJaVykI6W36BkBU0mJTCM8rR95XT <- bandit20 PW
NvEJF7oVjkddltPSrdKEFOllh9V1IBcq <- bandit21 PW

[터미널B]
Read: VxCazJaVykI6W36BkBU0mJTCM8rR95XT
Password matches, sending next password

---

---

bandit21의 PW : NvEJF7oVjkddltPSrdKEFOllh9V1IBcq

ssh bandit21@bandit.labs.overthewire.org -p 2220
PW : NvEJF7oVjkddltPSrdKEFOllh9V1IBcq