Hello and welcome back, everyone. Hope you're enjoying these videos on the OverTheWire Bandit wargame. My name is John Hammond and we are jumping right back into level 11, where we left off in the last video. We've got the password saved, storing it in this file that we're reading out through some bash command substitution, passing it to sshpass so we don't have to enter the password each time, and just running with that user for the SSH connection. So once we log into the level, let's check the prompt for this.

The password for this level is going to be stored in this file, data.txt, where all the lowercase and uppercase letters A through Z are rotated by 13 positions. Okay, so we've got that data.txt file and we can assume this is trying to say the password is all this nonsense, but it's shifted and it's rotated by those 13 positions. So this is a Caesar cipher. This is, at its base, a Caesar cipher or a ROT13, rotate by 13 places, substitution cipher. Really, really simple, not that hard to break, because obviously it's just moving one letter in the alphabet into a different letter in the alphabet, just kind of moving it over right or left those 13 places. So 13 is not too difficult to do because it's just in the middle of the alphabet, right, the 26 letters. And we can just do this really easily with an online tool. Rotate 13, or rot13.com, should just work fine for this. We can paste this in and, okay, we get our password. That's nice and convenient. It's not too much fun when we're not doing it in the command line though, because that's what we like to do. So I don't think this is installed in here. It's not. Okay. If you are on your home system, outside of the Bandit wargame, you can use rot13, which again may not be installed, but it's in the package bsdgames. So you can run sudo apt-get install bsdgames and that will install rot13 and caesar. Caesar is also really handy because, caesar, you can pass it the number that you want to rotate this by.
So even if it's not a ROT13 cipher, you can do a for loop and just do a brute force. Okay, what is the key that's being used for this rotation? If it's a substitution cipher just by shifting the alphabet, shifting letters. So if we had this original string like we do here, I'm going to get the original back. We can echo. I'm not going to use cat, because it's not a file name; it's just echo to put this on standard output. Let's echo this onto the screen, pass it to rot13, and that works just fine as well. Cool, this is a level... is this bandit 12? Yeah, cool. Let's break out of here and, just like that, we're moving through them. All right, ROT13, Caesar cipher.

Now, in this case, the password for the next level is stored in data.txt, which is a hex dump of a file that has been repeatedly compressed. For this level, it may be useful to create a directory in the temp folder. Okay, cool, so we're moving into temp, get a new home. What do we got? We have data.txt and this is a hex dump. You can see all the kind of hex bytes and bits and stuff out in the middle here, the ASCII representation that it's trying to use over on the right side, and then the number as it's reading through these bytes on the left. So let's make a home for us in temp, make a directory in temp. I'm gonna say john, and let's copy data.txt to that directory. Cool, let's get there, change directory into where you just moved to. This data.txt is a hex dump and we can assume that it was put together by this command, xxd. xxd is typically a built-in hex dump tool or program in the Linux command line, and it can make a hex dump in that format that we've just seen, or it can do the reverse: it can repair, or take the hex dump and bring it back to the original, like raw binary bytes, file. So let's try and see how that looks. If we did xxd, said it was tack reverse, right? And it needs probably the file that we're working with, so data.txt, and cool, now we've got all these raw gross bytes, but we can store this in a file.
Let's redirect this with that greater-than symbol, that walk a walk an arrow, to bring it to, like, something, right? And that'll be our new file. So now that it's there, we can run file on something and try and identify what this thing is, and it tells us that this is gzip compressed data. It was originally data2.bin, but it is not right now; now it's compressed. So if it's gzip compressed data, we can g-unzip, or gunzip, I like to say, on that file. We can gunzip something and it'll say, oh, I don't know the suffix. Ignore it, I'm not going to do anything. Okay, so gunzip and a lot of other compression tools don't really play that nicely if you don't have the correct file extension. So let's move that something to something.gzip and now we can gunzip that. Maybe it wants it as just gz, I think. Gunzip that. Oh, it did not. Okay, it just added on that gz at the end. So make sure you have just gz as your file extension and obviously pass the correct file name to gunzip. It won't give you any output, but if you check your file system you've got just something now, or the original uncompressed file.

So what is that now? Ah, it's bzip2 compressed data. Okay, let's try and gunzip that, or bunzip, and it's bunzip2. That's a built-in, again, utility here. Give it the file name we're working with. It needs to know... Oh, okay, I guess it didn't know what the file name was originally so it just guessed, but now we've got this and it's still... Okay, gzip again. Let's move this back to where we had it before. I think this process happens a lot. Let's kind of lather, rinse, repeat here. Oh, this is a tar archive, okay. If you haven't seen the tar command yet, it's a tape archive. Another kind of common Linux archive file format, a lot like Windows has the zip archive that it's typically used to. tar is, again, historic and traditional for Linux.
We can extract with tar x and then the file that we're working with, and you may need to use tack f to format, or, I'm sorry, force that from terminal, whatever, and now it's got some things extracted. It's got data5.bin and that is apparently another tar archive, so let's tar xf. If you actually supply v here, v and f I think should always be at the end for tar for some reason. Tar is a weird thing. There's a lot of funny xkcd comics about the arguments for tar, that no one really knows them but you just say random letters. tar xvf to see the file names that it's working through, and then let's just use the data5.bin. Okay, now it extracted data6.bin, and what is that? That's bzip2, so let's bunzip that one. I'm sure you guys are getting the hang of this at this point. Another tar archive again, another gzip, let's move that to .gz, gunzip, and now we have ASCII text as data8.bin, so that must be our password. There it is. Okay, excellent, cool.

What do we got now? Let's move into bandit13. Oh, we have SSH key private, a private SSH key. The password for the next level is stored in this and can only be read by user14. For this level you don't get the next password, but you get a private SSH key that can be used to log into the next level. Okay, so we can use localhost to refer to the machine we're currently working on, so let's SSH kind of into ourselves here as... can we use this SSH private key?
Okay, it's... we can read it. So we are bandit13, and as the group we have the permissions just in the middle here, to r for read. The rw and that hyphen at the very end is just for the owner, bandit14, but the group, the next three, we can just read it. So we can SSH tack i now, to use an identifier or a file with the SSH key, that private, as our private key that we're going to use to authenticate, not a password anymore, and let's do this to ourselves, right, localhost, and we want to specify the username, so we want to be bandit14. Now we can accept this, whatever, fingerprint thing, and now we're level 14. Great.

Okay, the password for the next level can be retrieved by submitting the password for the current level to port 30000. I read it right this time, I was able to process that number. That number, on that port, on our localhost, on our self. Okay, let's do that with netcat. So netcat, or nc, is how we can make these connections to just different ports or specific services, or connections with the specific host name, in this case localhost, or any other computer with that port. So first we need to know the password for this level. We know that that is in /etc/bandit_pass, right? Yep, I just used tab to autocomplete there. It's a directory, but we want it for bandit14. Cool, so we can copy and paste it if we wanted to, but we can just pipe that into netcat, and netcat will... let's do this by hand first so I can show you. Netcat will need the host name that we're trying to connect to, so localhost, just to refer to this machine, just bandit, just the server that we're on, the wargame, and then we'll use 30000 as our port number. It just takes this as an argument following; it doesn't need tack p like SSH does. That's a keen distinction between netcat and SSH. So nothing really happens. So if I would just say hello, it says wrong, please enter the correct current password. So okay, we know we are interacting with a service and it just needs that password, to copy and paste it in there, or we can just pipe it in through
what we have. So netcat into localhost 30000 and, hey, there we go, correct, and we get the password for the next level, bandit 15. Let's break out of 14 and 13, and let's make a note for bandit 15, and we can connect to that in the next video.

All right, thank you guys for watching. Hope you're enjoying these, again, running through Bandit, learning some Linux command line stuff and getting our feet wet with a capture the flag cybersecurity wargame. So hope to see you in the next video.
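
Added example, not part of the video: the ROT13 step from level 11 and the "for loop and just do a brute force" idea for an unknown shift, written as a POSIX shell script that needs only `tr` and `cut` (so it also works where `rot13` and `caesar` are not installed). The function names, the sample ciphertext and the crib word `password` are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the video: Caesar/ROT13 with tr, plus a brute force.
LOWER=abcdefghijklmnopqrstuvwxyz
UPPER=ABCDEFGHIJKLMNOPQRSTUVWXYZ

# rotate_alphabet ALPHABET N: move the first N letters to the end.
rotate_alphabet() (
    n=$(( $2 % 26 ))
    if [ "$n" -eq 0 ]; then
        printf '%s' "$1"
    else
        printf '%s%s' "$(printf '%s' "$1" | cut -c"$((n + 1))"-)" \
                      "$(printf '%s' "$1" | cut -c1-"$n")"
    fi
)

# caesar_shift N TEXT: shift letters forward by N; other characters pass through.
caesar_shift() (
    printf '%s' "$2" | tr "${LOWER}${UPPER}" \
        "$(rotate_alphabet "$LOWER" "$1")$(rotate_alphabet "$UPPER" "$1")"
)

# brute_force TEXT: print all 26 candidate plaintexts, one per shift.
brute_force() (
    n=0
    while [ "$n" -lt 26 ]; do
        printf '%2d: %s\n' "$n" "$(caesar_shift "$n" "$1")"
        n=$((n + 1))
    done
)

# find_shift TEXT CRIB: print the first shift whose output contains CRIB.
# The crib is an assumed known word; exit status 1 means no shift matched.
find_shift() (
    n=0
    while [ "$n" -lt 26 ]; do
        case "$(caesar_shift "$n" "$1")" in
            *"$2"*) printf '%s' "$n"; exit 0 ;;
        esac
        n=$((n + 1))
    done
    exit 1
)

SAMPLE='Gur cnffjbeq vf abg n erny bar'   # constructed ciphertext, not a real password
brute_force "$SAMPLE"
echo "shift that reveals the crib: $(find_shift "$SAMPLE" password)"
```

Because 13 is half of 26, shifting by 13 both encrypts and decrypts; for any other key `k`, the decrypting shift is `26 - k`.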