Hello everyone and welcome back to another YouTube video, still looking at the Bandit wargame from OverTheWire. We just finished up level 19, or, like, now we are on level 19, and we're just jumping back in. I'm going to still use sshpass with the file that we're using to keep the passwords that we've been collecting, and authenticating with the correct user. So once we are in, we can see in our home directory a bandit20-do, but it's all red and weird. So the prompt here says: to gain access to the next level, use a setuid binary in the home directory; execute it without arguments to find out how to use it; the password for the level can be found in the usual place after you've used the setuid binary.

So if you haven't seen a setuid binary before, you can read up on it, but the gist of it is that it lets you, within the scope of that program, or within the scope of just running that program, that binary, that executable, act as another user. So if we check out the permissions on this, I'm going to ls -l. You can see rws as part of the permissions; that s means it's a setuid binary. So it's owned by bandit20. However, we are bandit19, so it's owned by the next level, so we can take advantage of it and "exploit" it, quote-unquote, to get the password for bandit20. That's typically how most wargames work: you have binaries or programs that will give you, like, temporary access as the user above the user you're currently in, or the next level, and then you just got to figure out a way to get it to spit out the password to let you into the next level.

So let's try this bandit20-do. It is just executable; we see that it's marked with that x bit. So we can use a period and a forward slash, dot slash the binary, to run it. So I use tab to autocomplete, hit enter. It says: run the command as another user, example: bandit20-do id. So id, just to see what happens.
Ah. So our unique... are you... sorry, not unique. Our user ID number is this, and we can tell we're bandit19. Our group ID number: bandit19. But our effective user ID, our euid, our effective user ID, is bandit20. So we are acting for the moment as bandit20. Now if I ran this without that bandit20-do, if I just ran the regular old id command, that bandit20 is not in there, because within the scope of that program we're running a setuid binary and we can do whatever we want as that user, especially if we can just run commands. Why not cat /etc/bandit_pass... oh, how about bandit20? Why does that not work? Oh, it's because I spelled bandit... no, I didn't. What am I doing wrong? Did I actually type something wrong there? What... oh, oh, oh, oh, I'm sorry.

Okay, after poking around a little bit, I figured out what the issue was. It's trying to run that whole thing as if it were a command, as if that argument were a command, but we need to have those not in quotes so that it will run everything tokenized and then cat the file out. Okay, I'm sorry. I was misreading "permission denied" as... and it's not there. But "no such file or directory" is as in it's actually not there; "permission denied" is saying, oh, we don't have the permission to read it. It was reading this entire string. You can see from the environment it's not... it wasn't like a bash error, it's just like the environment: this isn't a command you can run. So I realize, okay, you can't have quotes in there. Peculiar thing to note, but: password for bandit20. Good stuff. Let's keep moving. Let's try it one more time, get to bandit20. All right, we're logged in, and what is this, man?
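The quoting problem hit above is worth seeing outside the box. The following is an added example from the editor, not the video's commands and not the bandit20-do source (whose internals are assumed here to be an execvp() of the arguments it is handed): it shows why `bandit20-do "cat /etc/bandit_pass/bandit20"` gives "No such file or directory" while the unquoted form works. The password file is a constructed stand-in in a temp directory; no setuid behaviour is involved.

```python
"""Added example (editor's, not from the video): why `bandit20-do "cat /etc/bandit_pass/bandit20"`
fails with "No such file or directory" while `bandit20-do cat /etc/bandit_pass/bandit20` works.

Assumption: a setuid wrapper like bandit20-do hands its arguments to execvp() unchanged.
With quotes, the shell passes ONE argument, `cat /etc/bandit_pass/bandit20`, and execvp
looks for a program literally named that (space included) on PATH. Without quotes the
shell tokenizes, so argv[0] is `cat` and argv[1] is the path.

The password file here is a constructed stand-in written to a temp dir; Python cannot
demonstrate the euid change itself without a real setuid binary.
"""
import os
import subprocess
import tempfile

# Constructed stand-in for /etc/bandit_pass/bandit20 (the real file is not touched).
_tmpdir = tempfile.mkdtemp()
PASS_FILE = os.path.join(_tmpdir, "bandit20")
with open(PASS_FILE, "w") as fh:
    fh.write("not-the-real-password\n")


def run_argv(argv):
    """Mimic the wrapper's execvp(argv[0], argv): return (returncode, stdout, stderr).

    A failed program lookup (the "No such file or directory" seen in the video) surfaces
    as FileNotFoundError from subprocess; we report it the way a shell would, with 127,
    to keep it distinct from a real program exiting non-zero (e.g. permission denied).
    """
    try:
        proc = subprocess.run(argv, capture_output=True, text=True)
    except FileNotFoundError:
        return (127, "", f"{argv[0]}: No such file or directory")
    return (proc.returncode, proc.stdout, proc.stderr)


def quoted_attempt():
    """`bandit20-do "cat FILE"` -> a single argv element containing a space."""
    return run_argv([f"cat {PASS_FILE}"])


def unquoted_attempt():
    """`bandit20-do cat FILE` -> the shell has already split the words."""
    return run_argv(["cat", PASS_FILE])


if __name__ == "__main__":
    print("quoted:  ", quoted_attempt())
    print("unquoted:", unquoted_attempt())
```

The distinction in the returned tuple is the one the video eventually draws: a lookup failure means the string was taken as a program name, whereas "permission denied" would come from `cat` itself after it was found and run.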
We're getting close to the end. "Setuid binary in the home directory does the following: it makes a connection to localhost on the port you specify as a command line argument. It then reads a line of text from the connection and compares it to the password in the previous level. If the password is correct, it will transmit the password for the next level." What? What? So suconnect: "this program will connect to the given port on localhost using TCP. If it receives the correct..." so, the next password, it sends it back. Oh, so we need to have a connection just kind of listening, just kind of waiting to give it to... okay, waiting on itself to... okay. So we need two shells right now, because in one we invoke suconnect to connect to ourself. What's... ssh bandit20@bandit.labs.overthewire.org, paste the password in. Did I not paste it? What's going on? Oh, I'm a fool. I realized I was not on the right port number. That's silly me. All right, cool, now we're jumped in.

So if we had a netcat listener, which you may not have heard of before, but let's put something on: nc -l, listening on port 8888. Now that's doing its own thing; like, that is its own socket and server, or server service, whatever you want to call it, running on 8888 on this localhost, on this computer. Let's actually ensure that port is what we want with -p, and let's use -v to be verbose. So, listening here, and if we were to make a connection up top with 8888, give it the port number that we are currently listening on, you can see it makes a connection. So, connected here. So it wants to receive the correct password. It wants to receive the current password.
So if we paste this in, send it. It says great, that client read the password, it matches what it was supposed to be, so it'll send the next one, and we can see back down here we did get the password for bandit21. Perfect. Does that make sense? We set up a shell, we set up another netcat listener to kind of act as a server so that it could make a connection to it on that port number that we've supplied, because we're the one creating that service, creating that server. And then if we just give it the password that it expected, the input that it wanted, it would send us the password. Awesome.

Let's get to bandit21. Logged in. "Program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed." Ah, okay. So these are the commands we can check out. If you haven't heard of cron before, it is just a task scheduler. It'll, like, run commands or run scripts at a specific time, and you can run through all of the man pages if you really want to, but I guess I'm just gonna have us jump in, because cron is the program that runs all this stuff at a specific time. It will schedule a job or schedule a task. So you can modify these by using a crontab editor, and that is done with crontab -e to edit. Okay, permission denied. So I can't edit these because I'm not allowed to; whatever rights I have are the bandit21 user's. But as it said, we can check out the /etc/cron.d folder in our file system and see what in that directory we can read. So let's actually get there. So I'm bandit21 and I want the password for bandit22. So let's check out what that file is. Also on reboot it runs this, and this syntax here... crontabs have a... here, I'll show you on my host: crontab -e, let's just use nano. You can specify a minute, hour, day of month, day of... something, whatever, day of week.
I don't know, it doesn't really matter. You can go through the details of this, but it will let you specify at what interval you want this command to execute. So if they're using a star, they're doing every... that's the wildcard for every single occurrence. So in this case, up top, since they've specified it for every minute of every hour of every weekday, etc., etc., it's doing this every minute. So this is the command that it must be running as the bandit22 user. So let's check out what that is. You can cat that file. Oh, it's putting a temporary file, creating one, and it's catting out the password of the bandit22 user into that temporary file. Well, if it's in /tmp, that's world readable, world writable... it's not world readable in this case, but we might be able to read that file. Let's check it out. Do we have permissions on that thing? We do; everyone has permission to read it. So let's check it out. There is the password for bandit22. All right, let's note that one and let's hurry up here.

See, what is that? "Program is running automatically at regular intervals from cron, the time-based job scheduler." So check out... okay, the same directory we were in, the cron configuration. We see a cron job, bandit23. Let's see what is in this. Okay, another script in /usr/bin, just as the previous level was. Let's cat out what this is doing. So it has a shebang line; it's running a bash script. It's trying to get the current user with whoami, storing it as a variable, myname. It says mytarget is the output of echo "I am user $myname" piped to md5sum, cut -d. Okay, so let's try and recreate this just to kind of get an idea of what it's doing. whoami is the command to get your username, right? So we stored it in the variable myname, and if I use the dollar sign here, that'll expand the variable. They're using the dollar sign in parentheses to say that I'm doing command substitution, a lot like our backticks; that's another syntax for command substitution.
So they're saying mytarget is all this stuff. What is... now the mytarget variable. Okay, a hash, because this is echoing "I am user bandit22" in this case, putting it into md5sum, and md5sum is just taking a hash. Okay. Bandits... now you see we get the same hash because we are just doing that, and it's cutting out this hyphen at the end; they're just using cut -d with the space and getting the first field to get only that. But this isn't being run from the cron job as user bandit22; it's being run as bandit23. So this is being executed with mytarget using echo "I am user bandit23". We can make that change, and now this must be the hash that we're actually going to be looking for, because this script, as we saw earlier, takes all these variables and then it copies the password file to a temporary location with that variable. Okay, so can we cat out that file? No. Hmm. Okay, what's going wrong? echo "I am user bandit..." Ah, I wrote bandit32. I'm a fool. At least that wasn't incredibly painful troubleshooting. Thanks for sticking with me, guys. I'm sure you were screaming at your monitor the whole time. Great, now we have the password for bandit23. All right, let's save this and put this in a new file, but let's table all these for now and we'll get back to the next level and finishing up Bandit in the next video. So thanks so much again for sticking with me, guys. Hope you're enjoying these. Thanks for tolerating my mistakes, and I'll see you in the next video.
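Two of the levels in this video are easier to reason about with the mechanics spelled out in code. First, the level 20 exchange with suconnect. The following is an added example from the editor, not the video's commands and not OverTheWire's suconnect source: both halves of the exchange run locally over a real TCP socket on an ephemeral port. The listener plays our `nc -lvp 8888` shell (accept, send the current password, read the reply); `suconnect_side` plays the binary as the level text describes it (connect to localhost:<port>, read a line, compare with the previous level's password, transmit the next password only on a match). The passwords and the "Wrong!" error line are constructed placeholders.

```python
"""Added example (editor's, not from the video or OverTheWire): both halves of the
level-20 exchange, run locally over TCP on an ephemeral port.

listener_side  -> our `nc -lvp 8888`: accept one client, send one line, read one line.
suconnect_side -> the setuid binary as the level text describes it: connect, read a
                  line, compare with the previous password, send the next one on match.
Passwords below are constructed placeholders; the mismatch message is an assumption.
"""
import socket
import threading

# Constructed placeholders for /etc/bandit_pass/bandit20 and /etc/bandit_pass/bandit21.
CURRENT_PASSWORD = "placeholder-bandit20-password"
NEXT_PASSWORD = "placeholder-bandit21-password"


def suconnect_side(port, previous_password=CURRENT_PASSWORD, next_password=NEXT_PASSWORD):
    """Behaviour described by the level text: connect, read a line, compare, reply."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as conn:
        received = conn.makefile("r").readline().rstrip("\n")
        if received == previous_password:
            conn.sendall((next_password + "\n").encode())
            return True
        conn.sendall(b"Wrong! Please enter the correct current password\n")
        return False


def listener_side(line_to_send):
    """Our netcat: bind an ephemeral port, then (in serve) accept, send a line, read a line.

    Returns (port, serve, result): the caller starts serve() in a thread once it knows
    the port, and whatever suconnect sends back lands in result[0].
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # port 0: kernel picks a free port (stand-in for 8888)
    srv.listen(1)               # backlog means a client may connect before accept() runs
    port = srv.getsockname()[1]
    result = []

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall((line_to_send + "\n").encode())
            result.append(conn.makefile("r").readline().rstrip("\n"))
        srv.close()

    return port, serve, result


def exchange(line_to_send):
    """Run the whole exchange; return (did suconnect accept it, what our listener got back)."""
    port, serve, result = listener_side(line_to_send)
    t = threading.Thread(target=serve, daemon=True)
    t.start()
    matched = suconnect_side(port)
    t.join(timeout=5)
    return matched, result[0]


if __name__ == "__main__":
    print(exchange(CURRENT_PASSWORD))   # correct line sent -> next password comes back
    print(exchange("wrong-password"))   # anything else   -> error line comes back
```

The order of operations is the point the video works out live: the listener has to exist before suconnect is launched, because suconnect is the client, and the line our side sends is the one it compares.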
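Second, the target-path derivation from the level 22 cron script. The following is an added example from the editor, not the script from the box: it reproduces in Python what `echo I am user $myname | md5sum | cut -d ' ' -f 1` computes, so the /tmp path can be worked out for the user the job really runs as (bandit23) rather than the user typing the command. It also makes explicit two things the one-liner hides, that `echo` appends a newline which is part of the hashed bytes, and that `cut` only strips md5sum's trailing " -". The password directory and its contents are constructed stand-ins, not /etc/bandit_pass.

```python
"""Added example (editor's, not the cron script from the box): reproduce the target-path
derivation the video reads out of cronjob_bandit23.sh,

    myname=$(whoami)
    mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
    cat /etc/bandit_pass/$myname > /tmp/$mytarget

and simulate the job's copy in a constructed temp directory.
"""
import hashlib
import os
import tempfile


def target_for(user, trailing_newline=True):
    """md5 hex digest of the exact bytes `echo I am user <user>` writes into the pipe."""
    data = f"I am user {user}"
    if trailing_newline:          # echo's newline is hashed too; dropping it changes the digest
        data += "\n"
    # hexdigest() is what `cut -d ' ' -f 1` leaves after removing md5sum's " -" suffix
    return hashlib.md5(data.encode()).hexdigest()


def simulate_cron_job(user, pass_dir, tmp_dir):
    """Do what the job does as `user`: copy that user's password to tmp_dir/<target>.

    Returns the path written, which is what a lower-level user then reads.
    """
    target = os.path.join(tmp_dir, target_for(user))
    with open(os.path.join(pass_dir, user)) as src, open(target, "w") as dst:
        dst.write(src.read())
    return target


def demo():
    """Constructed stand-ins: two password files, then the job run as bandit23."""
    pass_dir = tempfile.mkdtemp()
    tmp_dir = tempfile.mkdtemp()
    for user in ("bandit22", "bandit23"):
        with open(os.path.join(pass_dir, user), "w") as fh:
            fh.write(f"placeholder-{user}-password\n")   # constructed, not real passwords
    path = simulate_cron_job("bandit23", pass_dir, tmp_dir)
    with open(path) as fh:
        return os.path.basename(path), fh.read().strip()


if __name__ == "__main__":
    print(target_for("bandit22"))   # what running the pipeline yourself as bandit22 gives
    print(target_for("bandit23"))   # the file the job actually writes
    print(demo())
```

Computing the digest for the wrong user (or the wrong string, as happened in the video with "bandit32") yields a path that simply does not exist, which is the "No such file" the video hit before the typo was found.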