Posts tagged wargames

Krypton Walkthrough

posted on 2015-01-22 03:24:30

http://overthewire.org/wargames/krypton/ is just as much fun as bandit or leviathan, which I covered in earlier posts here or here.

prerequisites

Just go and have a look at the bandit post mentioned above

solutions

Here is what I have found by now.

level 0

[root@jerrylee /home/jl]# echo "S1JZUFRPTklTR1JFQVQ=" | base64 -d
KRYPTONISGREAT

This is only locally.

level 1

Here you have to login with 'krypton1'. In case you have already been on the server, you can see this here:

leviathan7@melinda:~$ grep krypton /etc/passwd
krypton1:x:8001:8001:krypton level 1:/home/krypton1:/bin/bash
krypton2:x:8002:8002:krypton level 2:/home/krypton2:/bin/bash
krypton3:x:8003:8003:krypton level 3:/home/krypton3:/bin/bash
krypton4:x:8004:8004:krypton level 4:/home/krypton4:/bin/bash
krypton5:x:8005:8005:krypton level 5:/home/krypton5:/bin/bash
krypton6:x:8006:8006:krypton level 6:/home/krypton6:/bin/bash
krypton7:x:8007:8007:krypton level 7:/home/krypton7:/bin/bash
leviathan7@melinda:~$

So, after connecting first lets see where our file is:

krypton1@melinda:~$ find / -iname '*krypton2*' | less

In less, do again the &krypton2 + Enter trick:

/games/krypton/krypton1/krypton2
/games/krypton/krypton2
/home/krypton2
~
~
~
~
~
~
~
& (END)

krypton1@melinda:~$ cat /games/krypton/krypton1/krypton2 | tr 'A-Za-z' 'N-ZA-Mn-za-m' LEVEL TWO PASSWORD ROTTEN ### level 2 krypton2@melinda:~$ ls -lah total 20K
drwxr-xr-x   2 root root 4.0K Nov 14 10:32 .
drwxr-xr-x 167 root root 4.0K Jan 12 17:44 ..
-rw-r--r--   1 root root  220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root root 3.6K Apr  9  2014 .bashrc
-rw-r--r--   1 root root  675 Apr  9  2014 .profile
krypton2@melinda:~$ cd /games/krypton/
krypton2@melinda:/games/krypton$ ls
krypton1  krypton2  krypton3  krypton4  krypton5  krypton6
krypton2@melinda:/games/krypton$ cd krypton2
krypton2@melinda:/games/krypton/krypton2$ ls -lah
total 15K
drwxr-xr-x 2 root     root     1.0K Nov 14 10:32 .
drwxr-xr-x 8 root     root     1.0K Nov 14 10:32 ..
-rw-r----- 1 krypton2 krypton2 1.1K Nov 14 10:32 README
-rwsr-x--- 1 krypton3 krypton2 8.8K Nov 14 10:32 encrypt
-rw-r----- 1 krypton3 krypton3   27 Nov 14 10:32 keyfile.dat
-rw-r----- 1 krypton2 krypton2   13 Nov 14 10:32 krypton3

So far, so nice. But the encrypt file does not work due to file permissions, it seems.

Lets hack up a really, really whacky bash script:

#!/bin/bash

## basically this converts the chars to their ascii code and back
## this is likely not the best solution, but everything else would have been even worse

## first read the file contents into an array
a=0
while read -n1 j
do
    ((a++))
    current[$a]=$(LC_CTYPE=C printf '%d ' "'$j")
done < <( cat ./krypton3 )## HERE PROCESS SUBSTITUTION IS NEEDED!
echo

## now iterate over the array we created and increment each item by 1
for i in {1..25}
do
    echo "OFFSET BY "${i}
    for l in $(seq 1 $((a-1)))
    do
        ## here is the most important part:
        ## since 'A' is 65 in ascii, substract 64
        ## such that 'A' becomes '1', and 'Z' becomes '26'
        ## then increment by one, take the modulo 26
        ## (else you have numbers bigger than 26)
        ## and aftwards add 64, so the ascii conversion can take place again
        ## the 'mod 26' trick works since we assume the pw is written in CAPSLOCK
        current[$l]=$(( $(( $((  $(( current[$l] - 64 )) + 1 )) % 26 )) + 64 ))
    done

    ## now print the current result by iterating again and converting to characters again
    for ((b=0; b<${#current[@]}; b++))
    do
        printf "\x$(printf %x ${current[$b]})"
    done
    echo
    echo
done

Uah, this was ugly. I did that just as a proof of concept, use a proper scripting language in case you want to do it yourself. But I disgress.

Lets just use this monster as a one-liner:

krypton2@melinda:/games/krypton/krypton2$ a=0; while read -n1 j; do ((a++)); current[$a]=$(LC_CTYPE=C printf '%d ' "'$j"); done < <( cat ./krypton3 ); for i in {1..25}; do echo "OFFSET BY "${i}; for l in $(seq 1 $((a-1))); do current[$l]=$(( $(( $((  $(( current[$l] - 64 )) + 1 )) % 26 )) + 64 )); done; for ((b=0; b<${#current[@]}; b++)); do printf "\x$(printf %x ${current[$b]})"; done; echo; echo; done
OFFSET BY 1
PNRFNEVFRNFL

OFFSET BY 2
QOSGOFWGSOGM

OFFSET BY 3
RPTHPGXHTPHN

OFFSET BY 4
SQUIQHYIUQIO

OFFSET BY 5
TRVJRI@JVRJP

OFFSET BY 6
USWKSJAKWSKQ

OFFSET BY 7
VTXLTKBLXTLR

OFFSET BY 8
WUYMULCMYUMS

OFFSET BY 9
XV@NVMDN@VNT

OFFSET BY 10
YWAOWNEOAWOU

OFFSET BY 11
@XBPXOFPBXPV

OFFSET BY 12
AYCQYPGQCYQW

OFFSET BY 13
B@DR@QHRD@RX

OFFSET BY 14
CAESARISEASY

OFFSET BY 15
DBFTBSJTFBT@

OFFSET BY 16
ECGUCTKUGCUA

OFFSET BY 17
FDHVDULVHDVB

OFFSET BY 18
GEIWEVMWIEWC

OFFSET BY 19
HFJXFWNXJFXD

OFFSET BY 20
IGKYGXOYKGYE

OFFSET BY 21
JHL@HYP@LH@F

OFFSET BY 22
KIMAI@QAMIAG

OFFSET BY 23
LJNBJARBNJBH

OFFSET BY 24
MKOCKBSCOKCI

OFFSET BY 25
NLPDLCTDPLDJ

Looks like offset '14' is our winner:

CAESARISEASY

This would have been quite easier if the encrypter just worked...

level 3

krypton3@melinda:~$ ls -alhF
total 20K
drwxr-xr-x   2 root root 4.0K Nov 14 10:32 ./
drwxr-xr-x 167 root root 4.0K Jan 12 17:44 ../
-rw-r--r--   1 root root  220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root root 3.6K Apr  9  2014 .bashrc
-rw-r--r--   1 root root  675 Apr  9  2014 .profile
krypton3@melinda:~$ cd /games/krypton/krypton
krypton1/ krypton2/ krypton3/ krypton4/ krypton5/ krypton6/
krypton3@melinda:~$ cd /games/krypton/krypton3
krypton3@melinda:/games/krypton/krypton3$ ls -lah
total 12K
drwxr-xr-x 2 root     root     1.0K Nov 14 10:32 .
drwxr-xr-x 8 root     root     1.0K Nov 14 10:32 ..
-rw-r----- 1 krypton3 krypton3   56 Nov 14 10:32 HINT1
-rw-r----- 1 krypton3 krypton3   37 Nov 14 10:32 HINT2
-rw-r----- 1 krypton3 krypton3  785 Nov 14 10:32 README
-rw-r----- 1 krypton3 krypton3 1.6K Nov 14 10:32 found1
-rw-r----- 1 krypton3 krypton3 2.1K Nov 14 10:32 found2
-rw-r----- 1 krypton3 krypton3  560 Nov 14 10:32 found3
-rw-r----- 1 krypton3 krypton3   42 Nov 14 10:32 krypton4

Using the contents of 'found1' to 'found3' with frequency analysis tools found on the web, I can get this: (the last column / line is the frequency in english language from most to fewest)

 s : 155 s : 243 s : 58   |    e
 c : 107 q : 186 q : 48   |    t
 q : 106 j : 158 j : 41   |    a
 j : 102 n : 135 g : 35   |    o
 u : 100 u : 130 c : 34   |    i
 b : 87  b : 129 n : 31   |    n
 g : 81  d : 119 b : 30   |    s
 n : 74  g : 111 u : 27   |    h
 d : 69  c : 86  d : 22   |    r
 z : 57  w : 66  v : 21   |    d
 v : 56  z : 59  z : 16   |    l
 w : 47  v : 53  w : 16   |    c
 y : 42  m : 45  e : 13   |    u
 t : 32  t : 37  m : 12   |    m
 x : 29  e : 34  k : 12   |    w
 m : 29  y : 33  x : 9    |    f
 l : 27  x : 33  y : 9    |    g
 k : 25  k : 30  a : 9    |    y
 a : 20  l : 27  t : 6    |    p
 e : 17  a : 26  l : 6    |    b
 f : 11  i : 14  f : 5    |    v
 o : 7   f : 12  i : 3    |    k
 h : 2   o : 3   o : 2    |    j
 i : 2   h : 2   p : 1    |    x
 r : 1   r : 2   r : 1    |    q
 p : 0   p : 1   h : 0    |    z

 SCQJUBGNDZVWYTXMLKAEFOHIRP
 SQJNUBDGCWZVMTEYXKLAIFOHRP
 SQJGCNBUDVZWEMKXYATLFIOPRH

 ETAOINSHRDLCUMWFGYPBVKJXQZ

Using this on the server:

krypton3@melinda:/games/krypton/krypton3$ cat krypton4 | tr [SCQJUBGNDZVWYTXMLKAEFOHIRP] [ETAOINSHRDLCUMWFGYPBVKJXQZ]
krypton3@melinda:/games/krypton/krypton3$ cat krypton4 | tr [SCQJUBGNDZVWYTXMLKAEFOHIRP] [ETAOINSHRDLCUMWFGYPBVKJXQZ]; echo
YELLC NSEOR ELEXE LWNFH UAIIY NHCTI PHFOE
krypton3@melinda:/games/krypton/krypton3$ cat krypton4 | tr [SQJNUBDGCWZVMTEYXKLAIFOHRP] [ETAOINSHRDLCUMWFGYPBVKJXQZ]; echo
YECCD NHEAS ECEVE CGNUO FTIIY NODRI BOUAE
krypton3@melinda:/games/krypton/krypton3$ cat krypton4 | tr [SQJGCNBUDVZWEMKXYATLFIOPRH] [ETAOINSHRDLCUMWFGYPBVKJXQZ]; echo
WEDDC SOEAR EDEKE DFSMN GTHHW SNCIH YNMAE

Well, this could be better. But by now I lost my motivation, so this stops here. If I will continue, the following steps will be put up here into this post.

Leviathan Walkthrough

posted on 2015-01-22 01:38:57

http://overthewire.org/wargames/leviathan/ is just as much fun as bandit, which I covered in eralier post here.

prerequisites

Just go and have a look at the bandit post mentioned above

solutions

Here is what I have found by now.

level 0

leviathan0@melinda:~$ ls -alh
total 24K
drwxr-xr-x   3 root       root       4.0K Nov 14 10:32 .
drwxr-xr-x 167 root       root       4.0K Jan 12 17:44 ..
drwxr-x---   2 leviathan1 leviathan0 4.0K Nov 14 10:32 .backup
-rw-r--r--   1 root       root        220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root       root       3.6K Apr  9  2014 .bashrc
-rw-r--r--   1 root       root        675 Apr  9  2014 .profile
leviathan0@melinda:~$ cd .backup/
leviathan0@melinda:~/.backup$ ls -alh
total 140K
drwxr-x--- 2 leviathan1 leviathan0 4.0K Nov 14 10:32 .
drwxr-xr-x 3 root       root       4.0K Nov 14 10:32 ..
-rw-r----- 1 leviathan1 leviathan0 131K Nov 14 10:32 bookmarks.html
leviathan0@melinda:~/.backup$ grep leviathan1 *
<DT><A HREF="http://leviathan.labs.overthewire.org/passwordus.html | This will be fixed later, the password for leviathan1 is rioGegei8m" ADD_DATE="1155384634" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">password to leviathan1</A>

pw is rioGegei8m, as can be seen in the last line.

level 1

ltrace for tracing libraries is the key here.

leviathan1@melinda:~$ ls -alhF
total 28K
drwxr-xr-x   2 root       root       4.0K Nov 14 10:32 ./
drwxr-xr-x 167 root       root       4.0K Jan 12 17:44 ../
-rw-r--r--   1 root       root        220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root       root       3.6K Apr  9  2014 .bashrc
-rw-r--r--   1 root       root        675 Apr  9  2014 .profile
-r-sr-x---   1 leviathan2 leviathan1 7.4K Nov 14 10:32 check*
leviathan1@melinda:~$ ./check 
password: 


Wrong password, Good Bye ...
leviathan1@melinda:~$ ltrace ./check 
__libc_start_main(0x804852d, 1, 0xffffd784, 0x80485f0 <unfinished ...>
printf("password: ")                             = 10
getchar(0x8048680, 47, 0x804a000, 0x8048642password: 
)     = 10
getchar(0x8048680, 47, 0x804a000, 0x8048642
)     = 10
getchar(0x8048680, 47, 0x804a000, 0x8048642
)     = 10
strcmp("\n\n\n", "sex")                          = -1
puts("Wrong password, Good Bye ..."Wrong password, Good Bye ...
)             = 29
+++ exited (status 0) +++
leviathan1@melinda:~$ ./check
password: sex
$ id
uid=12001(leviathan1) gid=12001(leviathan1) euid=12002(leviathan2) groups=12002(leviathan2),12001(leviathan1)
$ cd /                  
$ pwd
/
$ find . -iname "*leviathan*2*" | less

Then in less, use & to show just lines matching your search content, and type leviathan2 and hit enter, which will give you this:

./etc/leviathan_pass/leviathan2
./home/leviathan2
~
~
~
~
~
~
~
~
~
& (END)

So:

$ cat ./etc/leviathan_pass/leviathan2
ougahZi8Ta

level 2

:(

leviathan2@melinda:~$ ls -alh
total 28K
drwxr-xr-x   2 root       root       4.0K Nov 14 10:32 .
drwxr-xr-x 167 root       root       4.0K Jan 12 17:44 ..
-rw-r--r--   1 root       root        220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root       root       3.6K Apr  9  2014 .bashrc
-rw-r--r--   1 root       root        675 Apr  9  2014 .profile
-r-sr-x---   1 leviathan3 leviathan2 7.4K Nov 14 10:32 printfile
leviathan2@melinda:~$ ./printfile 
*** File Printer ***
Usage: ./printfile filename
leviathan2@melinda:~$ mkdir -p /tmp/sjas/
leviathan2@melinda:~$ ln -s /etc/leviathan_pass/leviathan3 /tmp/sjas/lvl2
leviathan2@melinda:~$ ls -alh /tmp/sjas/lvl2 
lrwxrwxrwx 1 leviathan2 leviathan2 30 Jan 22 01:15 /tmp/sjas/lvl2 -> /etc/leviathan_pass/leviathan3
leviathan2@melinda:~$ touch /tmp/sjas/asdf\ lvl2
leviathan2@melinda:~$ ./printfile /tmp/sjas/lvl2\ asdf 
You cant have that file...
leviathan2@melinda:~$ touch /tmp/sjas/lvl2\ asdf
leviathan2@melinda:~$ ./printfile /tmp/sjas/lvl2\ asdf
Ahdiemoo1j
/bin/cat: asdf: No such file or directory

And we get the password: Ahdiemoo1j

This is a security flaw. But neither strace nor this here...

leviathan2@melinda:~$ ltrace ./printfile /tmp/sjas/lvl2\ asdf
__libc_start_main(0x804852d, 2, 0xffffd754, 0x8048600 <unfinished ...>
access("/tmp/sjas/lvl2 asdf", 4)                 = 0
snprintf("/bin/cat /tmp/sjas/lvl2 asdf", 511, "/bin/cat %s", "/tmp/sjas/lvl2 asdf") = 28
system("/bin/cat /tmp/sjas/lvl2 asdf"/bin/cat: /tmp/sjas/lvl2: Permission denied
/bin/cat: asdf: No such file or directory
 <no return ...>
 --- SIGCHLD (Child exited) ---
 <... system resumed> )                           = 256
 +++ exited (status 0) +++

... helped my understanding much.

By using the space in the filename, this works. If used only the link, it wouldn't work. I cannot tell you more, since I googled this as I wasn't smart enough to figure this out by myself.

See https://www.gnu.org/software/libc/manual/html_node/Testing-File-Access.html for more info, if you happen to program C.

level 3

 1  leviathan3@melinda:~$ ls -alh
 2  total 28K
 3  drwxr-xr-x   2 root       root       4.0K Nov 14 10:32 .
 4  drwxr-xr-x 167 root       root       4.0K Jan 12 17:44 ..
 5  -rw-r--r--   1 root       root        220 Apr  9  2014 .bash_logout
 6  -rw-r--r--   1 root       root       3.6K Apr  9  2014 .bashrc
 7  -rw-r--r--   1 root       root        675 Apr  9  2014 .profile
 8  -r-sr-x---   1 leviathan4 leviathan3 7.4K Nov 14 10:32 level3
 9  leviathan3@melinda:~$ ./level3 
10  Enter the password> 
11  bzzzzzzzzap. WRONG
12  leviathan3@melinda:~$ ltrace ./level3 
13  __libc_start_main(0x8048450, 1, 0xffffd784, 0x8048600 <unfinished ...>
14  __printf_chk(1, 0x80486ca, 0x804860b, 0xf7fca000) = 20
15  fgets(Enter the password>                
16  "\n", 256, 0xf7fcac20)                     = 0xffffd5bc
17  puts("bzzzzzzzzap. WRONG"bzzzzzzzzap. WRONG
18  )                       = 19
19  +++ exited (status 0) +++
20  leviathan3@melinda:~$ strings ./level3 
21  /lib/ld-linux.so.2
22  libc.so.6
23  _IO_stdin_used
24  __printf_chk
25  puts
26  __stack_chk_fail
27  stdin
28  fgets
29  system
30  __libc_start_main
31  __gmon_start__
32  GLIBC_2.3.4
33  GLIBC_2.4
34  GLIBC_2.0
35  PTRhp
36  QVhP
37  [^_]
38  snlprintf
39  [You've got shell]!
40  /bin/sh
41  bzzzzzzzzap. WRONG
42  Enter the password> 
43  ;*2$",
44  secret
45  leviathan3@melinda:~$ ./level3 
46  Enter the password> snlprintf
47  [You've got shell]!
48  $ id
49  uid=12003(leviathan3) gid=12003(leviathan3) euid=12004(leviathan4) groups=12004(leviathan4),12003(leviathan3)
50  $ cat /etc/leviathan_pass/leviathan4
51  vuH0coox6m

Line 37 should be the if-clause or something, 38 the string to test against. Line 39 and 40 are the branch for true whereas 41 is the branch for false?

So much for some wild guesswork.

level 4

leviathan4@melinda:~$ ls -lahF
total 24K
drwxr-xr-x   3 root root       4.0K Nov 14 10:32 ./
drwxr-xr-x 167 root root       4.0K Jan 12 17:44 ../
-rw-r--r--   1 root root        220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root root       3.6K Apr  9  2014 .bashrc
-rw-r--r--   1 root root        675 Apr  9  2014 .profile
dr-xr-x---   2 root leviathan4 4.0K Nov 14 10:32 .trash/
leviathan4@melinda:~$ cd .trash/
leviathan4@melinda:~/.trash$ ls -lahF
total 16K
dr-xr-x--- 2 root       leviathan4 4.0K Nov 14 10:32 ./
drwxr-xr-x 3 root       root       4.0K Nov 14 10:32 ../
-r-sr-x--- 1 leviathan5 leviathan4 7.3K Nov 14 10:32 bin*
leviathan4@melinda:~/.trash$ ./bin 
01010100 01101001 01110100 01101000 00110100 01100011 01101111 01101011 01100101 01101001 00001010 
leviathan4@melinda:~/.trash$ ltrace ./bin 
__libc_start_main(0x80484cd, 1, 0xffffd754, 0x80485c0 <unfinished ...>
fopen("/etc/leviathan_pass/leviathan5", "r")      = 0
+++ exited (status 255) +++
leviathan4@melinda:~/.trash$ for i in `./bin`; do echo "ibase=2;$i" | bc; done
84
105
116
104
52
99
111
107
101
105
10
leviathan4@melinda:~/.trash$ for i in `./bin`; do j=$(echo "ibase=2;$i" | bc); printf "\x$(printf %x $j)"; done
Tith4cokei

This was some ugly stuff at the end. Once you see the binary values, and converting them to decimals, the numbers look like ascii character numbers. The decoding printf statement is from stackoverflow.com.

level 5

leviathan5@melinda:~$ ls -lahF
total 28K
drwxr-xr-x   2 root       root       4.0K Nov 14 10:32 ./
drwxr-xr-x 167 root       root       4.0K Jan 12 17:44 ../
-rw-r--r--   1 root       root        220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root       root       3.6K Apr  9  2014 .bashrc
-rw-r--r--   1 root       root        675 Apr  9  2014 .profile
-r-sr-x---   1 leviathan6 leviathan5 7.5K Nov 14 10:32 leviathan5*
leviathan5@melinda:~$ ./leviathan5 
Cannot find /tmp/file.log
leviathan5@melinda:~$ ltrace ./leviathan5 
__libc_start_main(0x80485ed, 1, 0xffffd774, 0x8048690 <unfinished ...>
fopen("/tmp/file.log", "r")                      = 0
puts("Cannot find /tmp/file.log"Cannot find /tmp/file.log
)                = 26
exit(-1 <no return ...>
+++ exited (status 255) +++
leviathan5@melinda:~$ ln -s /etc/leviathan_pass/leviathan6 /tmp/file.log
leviathan5@melinda:~$ ./leviathan5 
UgaoFee4li

No explanation here, as this one was rather easy.

level 6

leviathan6@melinda:~$ ls -lahF
total 28K
drwxr-xr-x   2 root       root       4.0K Nov 14 10:32 ./
drwxr-xr-x 167 root       root       4.0K Jan 12 17:44 ../
-rw-r--r--   1 root       root        220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root       root       3.6K Apr  9  2014 .bashrc
-rw-r--r--   1 root       root        675 Apr  9  2014 .profile
-r-sr-x---   1 leviathan7 leviathan6 7.4K Nov 14 10:32 leviathan6*
leviathan6@melinda:~$ ./leviathan6 
usage: ./leviathan6 <4 digit code>
leviathan6@melinda:~$ ltrace ./leviathan6 
__libc_start_main(0x804850d, 1, 0xffffd774, 0x8048590 <unfinished ...>
printf("usage: %s <4 digit code>\n", "./leviathan6"usage: ./leviathan6 <4 digit code>
) = 35
exit(-1 <no return ...>
+++ exited (status 255) +++
leviathan6@melinda:~$ for i in `seq 0000 9999`; do echo $i; ./leviathan6 $i; done
Wrong
0
Wrong
1
Wrong
2
Wrong
3
Wrong
4


... this takes a while.


Wrong
7120
Wrong
7121
Wrong
7122
Wrong
7123
$ cat /etc/leviathan_pass/leviathan7
ahy7MaeBo9

Bruteforcing this with a bash one-liner is the easiest option to find '7123'. Cat the PW file once you have the leviathan7 shell and you are done.

level 7

leviathan7@melinda:~$ ls -lahF
total 24K
drwxr-xr-x   2 root       root       4.0K Nov 14 10:32 ./
drwxr-xr-x 167 root       root       4.0K Jan 12 17:44 ../
-rw-r--r--   1 root       root        220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root       root       3.6K Apr  9  2014 .bashrc
-rw-r--r--   1 root       root        675 Apr  9  2014 .profile
-r--r-----   1 leviathan7 leviathan7  178 Nov 14 10:32 CONGRATULATIONS
leviathan7@melinda:~$ cat CONGRATULATIONS 
Well Done, you seem to have used a *nix system before, now try something more serious.
(Please don't post writeups, solutions or spoilers about the games on the web. Thank you!)
leviathan7@melinda:~$ 

Ooooops.

Bandit Walkthrough

posted on 2014-08-30 11:39:32

http://overthewire.org/wargames/bandit/ is quite some fun, in case you are a linux user. You might even learn a trick or two along the way.

prerequisites

Helpful may be, to create a ssh host shortcut either in ~/.ssh/config or a DNS shortcut in /etc/hosts for the banditlabs url:

Host asdf
    Hostname bandit.labs.overthewire.org

That way you can access the server via ssh <username>@asdf.

solutions

These are the solutions I found so far:

level 0

Connect via ssh bandit0@asdf if you made the shortcut like above. Else use ssh bandit0@bandit.labs.overthewire.org.

bandit0@melinda:~$ ls
readme
bandit0@melinda:~$ cat readme 
boJ9jbbUNNfktd78OOpsqOltutMc3MY1

level 1

Now connect via ssh bandit1@asdf if you made the shortcut like above. Else use ssh bandit1@bandit.labs.overthewire.org.

bandit1@melinda:~$ ls
-
bandit1@melinda:~$ cat ./- 
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

level 2

You should by now know which username to use to connnect to the server for the next level... ;)

bandit2@melinda:~$ ls
spaces in this filename
bandit2@melinda:~$ cat spaces\ in\ this\ filename 
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

Just use Tab for auto-completion in the shell and avoid typing...

level 3

bandit3@melinda:~$ cd inhere/
bandit3@melinda:~/inhere$ ls -a
.  ..  .hidden
bandit3@melinda:~/inhere$ cat .hidden 
pIwrPrtPN36QITSp3EQaw936yaFoFgAB

level 4

bandit4@melinda:~$ cd inhere/
bandit4@melinda:~/inhere$ ls
-file00  -file02  -file04  -file06  -file08
-file01  -file03  -file05  -file07  -file09
bandit4@melinda:~/inhere$ file ./*
./-file00: data
./-file01: data
./-file02: Non-ISO extended-ASCII text, with no line terminators
./-file03: data
./-file04: data
./-file05: data
./-file06: data
./-file07: ASCII text
./-file08: data
./-file09: Non-ISO extended-ASCII text
bandit4@melinda:~/inhere$ cat ./-file07
koReBOKuIDDepwhWk7jZC0RTdopnAYKh

level 5

bandit5@melinda:~$ find inhere/ -size 1033c \! -executable
inhere/maybehere07/.file2
bandit5@melinda:~$ cat inhere/maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        bandit5@melinda:~$ 

level 6

bandit6@melinda:~$ find / -user bandit7 -group bandit6 -size 33c 2>/dev/null
/var/lib/dpkg/info/bandit7.password
bandit6@melinda:~$ cat /var/lib/dpkg/info/bandit7.password 
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

level 7

bandit7@melinda:~$ grep millionth data.txt 
millionth   cvX2JJa4CFALtqS87jk27qwqGhBM9plV

level 8

bandit8@melinda:~$ cat data.txt | sort | uniq -u
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

level 9

bandit9@melinda:~$ strings data.txt | grep ^=
========== the
=qy9g
========== is
=9-5
========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
bandit9@melinda:~$ strings data.txt | grep ==
========== the
,========== passwordc
========== is
========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk

level 10

bandit10@melinda:~$ base64 -d data.txt 
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

level 11

bandit11@melinda:~$ cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'          
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

level 12

This is a longer one... I inserted extra newlines for better readability this time.

bandit12@melinda:~$ l
data.txt

bandit12@melinda:~$ mkdir /tmp/sjas/ && cp data.txt /tmp/sjas

bandit12@melinda:~$ cd /tmp/sjas

bandit12@melinda:/tmp/sjas$ l
data.txt

bandit12@melinda:/tmp/sjas$ cat data.txt 
0000000: 1f8b 0808 d095 b051 0203 6461 7461 322e  .......Q..data2.
0000010: 6269 6e00 013a 02c5 fd42 5a68 3931 4159  bin..:...BZh91AY
0000020: 2653 5915 d9db 2800 0017 7fff ff5d f6ea  &SY...(......]..
0000030: e98b bff6 ff7f ffbf fce3 f7fa a3fb badb  ................
0000040: f3e9 f873 b7ff fcff cffb 7bff b001 3b35  ...s......{...;5
0000050: b080 d000 0000 0000 1ea0 f534 3400 0d00  ...........44...
0000060: d1a1 a1a1 a006 8680 0006 9ea0 6868 68f4  ............hhh.
0000070: 81b5 0d34 d0c2 0d0d 3d13 47a4 cd44 01a1  ...4....=.G..D..
0000080: a007 a801 a000 d1a0 d00d 0034 0640 1ea3  ...........4.@..
0000090: 4c99 0000 d034 d1b5 3201 a0d1 a06d 4003  L....4..2....m@.
00000a0: d403 351a 00f4 2347 a801 9348 1a7a 8034  ..5...#G...H.z.4
00000b0: d340 0000 0006 690d 0000 0340 0d3d 46d1  .@....i....@.=F.
00000c0: 341a 7a86 8190 1a1a 1a34 347a 8d00 001a  4.z......44z....
00000d0: 6468 d006 8001 0403 0081 e752 1ca1 324a  dh.........R..2J
00000e0: 2d8d 2082 b927 606a 8dc4 4407 d0eb 1428  -. ..'`j..D....(
00000f0: 8782 7c75 29f4 19d4 3b6a 1f7e 147f 5636  ..|u)...;j.~..V6
0000100: 0183 4dbf 9a5d 968c 7340 d299 dd22 3024  ..M..]..s@..."0$
0000110: 8ecc 1ffe 92b3 101b ca86 20bd 47f2 7958  .......... .G.yX
0000120: 7d40 d62a 1dc8 8697 d109 66ae 1549 39df  }@.*......f..I9.
0000130: 95e2 2dad 4990 b250 9a0b f842 0ade e4fb  ..-.I..P...B....
0000140: 2717 ba73 0a60 9048 c4db 851b db3c 0e4d  '..s.`.H.....<.M
0000150: 9d04 a542 3d98 a411 65b8 116f 0710 19e3  ...B=...e..o....
0000160: 210a 11d4 b9bc 5227 c02e f8ac fab6 f541  !.....R'.......A
0000170: f934 9619 a951 6654 8482 4fd2 9ce7 af09  .4...QfT..O.....
0000180: 0ed5 e29c 3482 e515 3882 07b5 8a2b 02e7  ....4...8....+..
0000190: 5357 2cd5 c071 3d10 546c d9e2 aa49 a75c  SW,..q=.Tl...I.\
00001a0: 2ada f467 469d 4464 c20e f8f0 17d3 271d  *..gF.Dd......'.
00001b0: e3c6 ac3a 9f96 d17f 897c 04bf c445 d6bc  ...:.....|...E..
00001c0: a706 16b0 34bf 2f1b 3419 9eea 5d5a f7c0  ....4./.4...]Z..
00001d0: 1ce4 5477 832b 2258 6b29 55ec 2155 2e66  ..Tw.+"Xk)U.!U.f
00001e0: 2ad1 81d1 edd0 22fe 0f6c 9172 b0d2 3b93  *....."..l.r..;.
00001f0: 42b3 079e 8013 c6ef 1425 82fe a53b 1898  B........%...;..
0000200: c9b5 2111 5c53 eb19 6142 a8b6 480a a8eb  ..!.\S..aB..H...
0000210: 439e b18f 9269 890e dcec da54 614c 4eba  C....i.....TaLN.
0000220: fe8c 5c10 6586 1321 680b 9896 fdee b1d5  ..\.e..!h.......
0000230: 8e68 d49a 11d4 868d 7e82 3238 4e13 dd44  .h......~.28N..D
0000240: 9ad4 0081 b138 f17f e2ee 48a7 0a12 02bb  .....8....H.....
0000250: 3b65 0018 d921 743a 0200 00              ;e...!t:...

bandit12@melinda:/tmp/sjas$ file data.txt 
data.txt: ASCII text

bandit12@melinda:/tmp/sjas$ xxd -r data.txt data1

bandit12@melinda:/tmp/sjas$ file data1
data1: gzip compressed data, was "data2.bin", from Unix, last modified: Thu Jun  6 13:59:44 2013, max compression

bandit12@melinda:/tmp/sjas$ mv data1 data1.gz

bandit12@melinda:/tmp/sjas$ gzip -d data1.gz 

bandit12@melinda:/tmp/sjas$ l
data.txt  data1

bandit12@melinda:/tmp/sjas$ mv data1 data2.bin

bandit12@melinda:/tmp/sjas$ file data2.bin 
data2.bin: bzip2 compressed data, block size = 900k

bandit12@melinda:/tmp/sjas$ bzip2 -d data2.bin
bzip2: Can't guess original name for data2.bin -- using data2.bin.out

bandit12@melinda:/tmp/sjas$ l
data.txt  data2.bin.out

bandit12@melinda:/tmp/sjas$ file data2.bin.out 
data2.bin.out: gzip compressed data, was "data4.bin", from Unix, last modified: Thu Jun  6 13:59:43 2013, max compression

bandit12@melinda:/tmp/sjas$ gzip -d -S .out data2.bin.out 

bandit12@melinda:/tmp/sjas$ l
data.txt  data2.bin

bandit12@melinda:/tmp/sjas$ file data2.bin. 
data2.bin.: POSIX tar archive (GNU)

bandit12@melinda:/tmp/sjas$ tar -xvf data2.bin 
data5.bin

bandit12@melinda:/tmp/sjas$ l
data.txt  data2.bin  data5.bin

bandit12@melinda:/tmp/sjas$ file data5.bin 
data5.bin: POSIX tar archive (GNU)

bandit12@melinda:/tmp/sjas$ tar -xvf data5.bin 
data6.bin

bandit12@melinda:/tmp/sjas$ file data6.bin 
data6.bin: bzip2 compressed data, block size = 900k

bandit12@melinda:/tmp/sjas$ bzip2 -d data6.bin
bzip2: Can't guess original name for data6.bin -- using data6.bin.out

bandit12@melinda:/tmp/sjas$ file data6.bin.out     
data6.bin.out: POSIX tar archive (GNU)

bandit12@melinda:/tmp/sjas$ tar xf data6.bin.out 

bandit12@melinda:/tmp/sjas$ l
data.txt  data2.bin  data5.bin  data6.bin.out  data8.bin

bandit12@melinda:/tmp/sjas$ file data8.bin 
data8.bin: gzip compressed data, was "data9.bin", from Unix, last modified: Thu Jun  6 13:59:43 2013, max compression

bandit12@melinda:/tmp/sjas$ gzip -d -S .bin data8.bin

bandit12@melinda:/tmp/sjas$ l
data.txt  data2.bin  data5.bin  data6.bin.out  data8

bandit12@melinda:/tmp/sjas$ file data8 
data8: ASCII text

bandit12@melinda:/tmp/sjas$ cat data8 
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

Finally it's over...

level 13

This time all the console output is shown:

I connect to host asdf as I made the aforementioned shortcut in ~/.ssh/config.

[sjas@beckett /tmp]% ssh bandit13@asdf                                         

This is the OverTheWire game server. More information on http://www.overthewire.org/wargames

Please note that wargame usernames are no longer level<X>, but wargamename<X>
e.g. vortex4, semtex2, ...

Note: at this moment, blacksun and drifter are not available.

bandit13@bandit.labs.overthewire.org's password: 
Welcome to Ubuntu 12.04.5 LTS (GNU/Linux 3.15.4-x86_64-linode45 x86_64)

 * Documentation:  https://help.ubuntu.com/

Welcome to the OverTheWire games machine !

Please read /README.txt for more information on how to play the levels
on this gameserver.

  System information disabled due to load higher than 8.0

11 packages can be updated.
8 updates are security updates.

New release '14.04.1 LTS' available.
Run 'do-release-upgrade' to upgrade to it.



*** System restart required ***

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

bandit13@melinda:~$ l
sshkey.private
bandit13@melinda:~$ logout
Connection to bandit.labs.overthewire.org closed.
[sjas@beckett /tmp]% scp bandit13@asdf:sshkey.private .                        

This is the OverTheWire game server. More information on http://www.overthewire.org/wargames

Please note that wargame usernames are no longer level<X>, but wargamename<X>
e.g. vortex4, semtex2, ...

Note: at this moment, blacksun and drifter are not available.

bandit13@bandit.labs.overthewire.org's password: 
sshkey.private                                100% 1679     1.6KB/s   00:00    
[sjas@beckett /tmp]%

All here is to do is to download the ssh private key to your local machine. I moved it to /tmp since I will not need anymore after the levels. It this were different, I'd have placed it into my ~/.ssh folder.

level 14

Now the private key from level 13 is to be put to use. The next levels are to be passed on the server, connected as bandit14, anyway.

The pass the keyfile to ssh, use -i, if it should not use ~/.ssh/id_rsa or ~/.ssh/id_dsa

Also the complete output is shown here.

[sjas@beckett /tmp]% ssh -i /tmp/sshkey.private bandit14@asdf                  

This is the OverTheWire game server. More information on http://www.overthewire.org/wargames

Please note that wargame usernames are no longer level<X>, but wargamename<X>
e.g. vortex4, semtex2, ...

Note: at this moment, blacksun and drifter are not available.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/tmp/sshkey.private' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /tmp/sshkey.private
bandit14@bandit.labs.overthewire.org's password: 

[sjas@beckett /tmp]% chmod 600 /tmp/sshkey.private                             
[sjas@beckett /tmp]% ssh -i /tmp/sshkey.private bandit14@asdf                  

This is the OverTheWire game server. More information on http://www.overthewire.org/wargames

Please note that wargame usernames are no longer level<X>, but wargamename<X>
e.g. vortex4, semtex2, ...

Note: at this moment, blacksun and drifter are not available.

Welcome to Ubuntu 12.04.5 LTS (GNU/Linux 3.15.4-x86_64-linode45 x86_64)

 * Documentation:  https://help.ubuntu.com/

Welcome to the OverTheWire games machine !

Please read /README.txt for more information on how to play the levels
on this gameserver.

System information disabled due to load higher than 8.0

11 packages can be updated.
8 updates are security updates.

New release '14.04.1 LTS' available.
Run 'do-release-upgrade' to upgrade to it.



*** System restart required ***

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

bandit14@melinda:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

chmod is used to fix permissions that were off. ssh expects RW access to the key only being possible by the owner, no other rights.

level 15

localhost? On my own computer?

[sjas@beckett /tmp]% telnet localhost 30000                                    
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused

Not so. How on the remote server?

[sjas@beckett /tmp]% telnet bandit.labs.overthewire.org 9000                   
Trying 178.79.134.250...
^C

Won't work from a remote server, most likely due to firewall rules. So Ctrl-C for ending the connection try and retry from on the server:

[sjas@beckett /tmp]% ssh -i /tmp/sshkey.private bandit14@asdf                   
.
.
.

bandit14@melinda:~$ telnet localhost 30000
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr

Connection closed by foreign host.
bandit14@melinda:~$ 

nc (netcat) works, too:

bandit14@melinda:~$ nc localhost 30000
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr

bandit14@melinda:~$

level 16

First try:

bandit14@melinda:~$ openssl s_client -connect localhost:30001
CONNECTED(00000003)
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
---
Certificate chain
 0 s:/CN=localhost
   i:/CN=localhost
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICpDCCAYwCCQDDVcPYicjxQjANBgkqhkiG9w0BAQUFADAUMRIwEAYDVQQDEwls
b2NhbGhvc3QwHhcNMTMwNjA2MTM1ODM3WhcNMjMwNjA0MTM1ODM3WjAUMRIwEAYD
VQQDEwlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDF
Id/8XRfPayS8u+XfqkXQq3QawTEmxcxQw4TiLKlnqLqsl02U3dUIBqSJu1LQE8lf
/eez2KF9Nse9cXqty6M6J9/515b+xaLfkAV1q97JwO1BfciJDiWqjPerMcikUb0d
zTnDFSpWpnrTjLqlquSWrgRxMffmGi+6x7lsWp8EOAIrFhxadYgTskVUslsgtwBP
dVtDG3OZSa8uyD6LJMCgMpaIs0nI1AS8yWWRnBPP6tujJV9x5JI8GYuC1OB9hsYT
+J7ZMkQ5soOXi9TIuyQSfavH27z44uMF3g4fB6i9l2KNFeKkuq1JVM+HbrXfSlf3
+Gtm/+hO/jlKzGw+pmobAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAF0ah9QUPxRM
cCNaZ2Bb+IkBXbj1esk92Hv7H4uYIionJl2f+8M6/YgGNhBI4C1r82Hwbi9DwVYs
kztth6DQIBw3KnNLyoKfYmEz6+Azko5rIefeJoHEBdD41tMqmBd8jWi5+hUbkeLr
8A0wzwi/mVQP4xBZ5cELDEaC2MFCi20X4APFFYeXEMjEYwTwADdADiQ52ezle0zr
iSZ10PUmxqjE4NCYo8feZ7emRcAozZElyF9JjoHfXSSiEViELPU2Wb9ygljYz2Hy
AGDcpE2FIGZRiHk+PT2tHD92bp4BeyZsh52pYvItJie3owdIQoQASfperclRvcyn
mNrjHPUubAc=
-----END CERTIFICATE-----
subject=/CN=localhost
issuer=/CN=localhost
---
No client certificate CA names sent
---
SSL handshake has read 1272 bytes and written 363 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 162F69EE481BEE8FF1AC7CCBA304284F7C7A6AF9C35743D0272D285514D8226D
    Session-ID-ctx: 
    Master-Key: 6CDD3BC45858C00FF59DD8E0C872AC96769EAC33574BD56590AA0B0A32C1DA309F32FF8C38B10AB6AFD58D44AF3CB767
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1409415184
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
BfMYroe26WYalil77FoDi9qh59eK5xNr
HEARTBEATING
read R BLOCK
read:errno=0
bandit14@melinda:~$

Ok, lets give the manpage a try? (man s_client)

CONNECTED COMMANDS
       If a connection is established with an SSL server then any data
       received from the server is displayed and any key presses will be sent
       to the server. When used interactively (which means neither -quiet nor
       -ign_eof have been given), the session will be renegotiated if the line
       begins with an R, and if the line begins with a Q or if end of file is
       reached, the connection will be closed down.

Awww, lets just try -quiet...

bandit14@melinda:~$ openssl s_client -connect localhost:30001 -quiet
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
BfMYroe26WYalil77FoDi9qh59eK5xNr
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd

read:errno=0
bandit14@melinda:~$

:D

level 17

First lets do a simple portscan:

bandit14@melinda:~$ nmap -PN localhost

Starting Nmap 5.21 ( http://nmap.org ) at 2014-08-30 16:28 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0011s latency).
Not shown: 994 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
113/tcp   open  auth
443/tcp   open  https
3306/tcp  open  mysql
30000/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds

Bummer. But that's due to nmap only scanning the first 30000 ports. See:

bandit14@melinda:~$ nmap -p 30000-32000 localhost

Starting Nmap 5.21 ( http://nmap.org ) at 2014-08-30 16:41 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00086s latency).
Not shown: 1994 closed ports
PORT      STATE SERVICE
30000/tcp open  unknown
30001/tcp open  unknown
31046/tcp open  unknown
31518/tcp open  unknown
31691/tcp open  unknown
31790/tcp open  unknown
31960/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.54 seconds
bandit14@melinda:~$

30001 wasn't shown in the first scan.

Since we know the port is between 31000 and 32000, so it's one of these:

  • 31046
  • 31518
  • 31691
  • 31790
  • 31960

This can be programmatically tried by nmap, too, but I am an amateur, so I will try them by hand. It's just that five ports.

bandit14@melinda:~$ openssl s_client -quiet -connect localhost:31046
140737354065568:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:749:


bandit14@melinda:~$ openssl s_client -quiet -connect localhost:31518
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
cluFn7wTiGryunymYOu4RcffSxQluehd
cluFn7wTiGryunymYOu4RcffSxQluehd
^C


bandit14@melinda:~$ openssl s_client -quiet -connect localhost:31691 
140737354065568:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:749:
bandit14@melinda:~$ openssl s_client -quiet -connect localhost:31790
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
cluFn7wTiGryunymYOu4RcffSxQluehd
Correct!
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
-----END RSA PRIVATE KEY-----

read:errno=0
bandit14@melinda:~$

Well, this looks like ssh privatekey? :)

For fun the last port:

bandit14@melinda:~$ openssl s_client -quiet -connect localhost:31960
140737354065568:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:749:
bandit14@melinda:~$

By the way:
-PN flag used in the first scan is for skipping the host discovery stage. Use it, if you know for sure that the host is up.

level 18

The desctiption was a bit off, since there was no password. 'Just' a private key.

Anyway, copy the content of the private key and put it into a new key file.

I created a new file in /tmp/newkey. Opened it in my editor of choice (vim), pasted everything between the delimiters into it:

-----BEGIN RSA PRIVATE KEY----- 

    and the garbage between 
         included, too

-----END RSA PRIVATE KEY-----

... and save it.

If you have a microsoft-based operating system and fuck up the line endings due to copy paste, you're to blame (CRLF instead of just LF.).

If all was done accordingly, it will work as can be seen here. Of course, I forgot chmod 600 on the keyfile once again.

[sjas@beckett /tmp]% ssh -i /tmp/newkey bandit17@asdf                          

This is the OverTheWire game server. More information on http://www.overthewire.org/wargames

Please note that wargame usernames are no longer level<X>, but wargamename<X>
e.g. vortex4, semtex2, ...

Note: at this moment, blacksun and drifter are not available.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0664 for '/tmp/newkey' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /tmp/newkey
bandit17@bandit.labs.overthewire.org's password: 

[sjas@beckett /tmp]% chmod 600 newkey                                          
[sjas@beckett /tmp]% ssh -i /tmp/newkey bandit17@asdf

.
. (this time I omitted the servers welcome message........)
.

bandit17@melinda:~$ 

After having this out of the way, there are options to solve this:

diff wasn't mentioned, but is the easiest by far:

bandit17@melinda:~$ diff passwords.old passwords.new 
42c42
< PRjrhDcANrVM6em57fPnFp4Tcq8gvwzK
---
> kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd

It shows the differences between two files.

42c42 tells, line 42 in the first file got changed to line 42 in the second file, and thus is the new password.

Another solution:

bandit17@melinda:~$ TEMP=`cat passwords.new`; for i in $TEMP; do grep $i passwords.old > /dev/null; if [ $? -ne 0 ]; then echo $i; fi; done
kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd

Explaining this, because there's helpful stuff in there:

 1      TEMP=`cat passwords.new`
 2      for i in $TEMP
 3      do 
 4          grep $i passwords.old > /dev/null
 5          if [ $? -ne 0 ]
 6          then 
 7              echo $i
 8          fi
 9      done
  1. assign the new variable TEMP the contents of 'passwords.new'
  2. for loop, index i, running through contents of temp
  3. start of body of for loop
  4. grep for finding matches. exit code 0 if yes, exit code 1 if no match found. The grep output was streamed to /dev/null, because the output is of no importance to us.
  5. if clause, checking if no match was found. $? returns return code of last command that was run. -ne is 'not equal'.
  6. start of if body
  7. echo the currently tested string, which is our winner
  8. return to escape the loop as soon as we found our match
  9. end of if body
  10. end of body of for loop

level 19

Execute the cat from your localhost to run on the server and return the results. To do so simply append the command you want to the ssh call.

[sjas@beckett /tmp]% ssh bandit18@asdf cat readme                              

This is the OverTheWire game server. More information on http://www.overthewire.org/wargames

Please note that wargame usernames are no longer level<X>, but wargamename<X>
e.g. vortex4, semtex2, ...

Note: at this moment, blacksun and drifter are not available.

bandit18@bandit.labs.overthewire.org's password: 
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

level 20

bandit19@melinda:~$ ll /etc/bandit_pass/
total 108
drwxr-xr-x   2 root     root     4096 Jun 27  2013 ./
drwxr-xr-x 109 root     root     4096 Aug 30 10:57 ../
-r--------   1 bandit0  bandit0     8 Jun  6  2013 bandit0
-r--------   1 bandit1  bandit1    33 Jun  6  2013 bandit1
-r--------   1 bandit10 bandit10   33 Jun  6  2013 bandit10
-r--------   1 bandit11 bandit11   33 Jun  6  2013 bandit11
-r--------   1 bandit12 bandit12   33 Jun  6  2013 bandit12
-r--------   1 bandit13 bandit13   33 Jun  6  2013 bandit13
-r--------   1 bandit14 bandit14   33 Jun  6  2013 bandit14
-r--------   1 bandit15 bandit15   33 Jun 27  2013 bandit15
-r--------   1 bandit16 bandit16   33 Jun  6  2013 bandit16
-r--------   1 bandit17 bandit17   33 Jun  6  2013 bandit17
-r--------   1 bandit18 bandit18   33 Jun  6  2013 bandit18
-r--------   1 bandit19 bandit19   33 Jun  6  2013 bandit19
-r--------   1 bandit2  bandit2    33 Jun  6  2013 bandit2
-r--------   1 bandit20 bandit20   33 Jun  6  2013 bandit20
-r--------   1 bandit21 bandit21   33 Jun  6  2013 bandit21
-r--------   1 bandit22 bandit22   33 Jun  6  2013 bandit22
-r--------   1 bandit23 bandit23   33 Jun  6  2013 bandit23
-r--------   1 bandit24 bandit24   33 Jun  6  2013 bandit24
-r--------   1 bandit3  bandit3    33 Jun  6  2013 bandit3
-r--------   1 bandit4  bandit4    33 Jun  6  2013 bandit4
-r--------   1 bandit5  bandit5    33 Jun  6  2013 bandit5
-r--------   1 bandit6  bandit6    33 Jun  6  2013 bandit6
-r--------   1 bandit7  bandit7    33 Jun  6  2013 bandit7
-r--------   1 bandit8  bandit8    33 Jun  6  2013 bandit8
-r--------   1 bandit9  bandit9    33 Jun  6  2013 bandit9
bandit19@melinda:~$

Since we need the pass for bandit20...

bandit19@melinda:~$ ls -ln /etc/bandit_pass/bandit20 
-r-------- 1 11020 11020 33 Jun  6  2013 /etc/bandit_pass/bandit20

but really only bandit20 can read it.

So what's up with the binary?

bandit19@melinda:~$ whoami
bandit19
bandit19@melinda:~$ id
uid=11019(bandit19) gid=11019(bandit19) groups=11019(bandit19)
bandit19@melinda:~$ ./bandit20-do whoami
bandit20
bandit19@melinda:~$ ./bandit20-do id    
uid=11019(bandit19) gid=11019(bandit19) euid=11020(bandit20) groups=11020(bandit20),11019(bandit19)

Niiice. And so...

bandit19@melinda:~$ ./bandit20-do cat /etc/bandit_pass/bandit20 
GbKksEFF4yrVs6il55v6gwY5aVje5f0j

level 21

For this one, you have to open two shells, with which you connect to the server:

On the first one, open a netcat server on a free port. (ss -a, to look up which ports are in use, nc -l <port> to run it.)

On the second shell, connect with the SUID binary to the netcatserver. (./suconnect <port used before with netcat>)

Once connected, send the password from the last level from the server (via first shell).

FIRST SHELL: (there arrives the new pw!)

bandit20@melinda:~$ nc -l 54545
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
bandit20@melinda:~$

SECOND SHELL:

bandit20@melinda:~$ ./suconnect 54545
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password
bandit20@melinda:~$ 

Et voila.

level 22

First lets see what cronjobs are defined in /etc/cron.d. For better readability, I let the filename be printed in yellow.

bandit21@melinda:/etc/cron.d$ for i in *; do echo $'\e[1;33m'$i$'\e[0m'; cat $i; done
boobiesbot-check
@reboot root /vulnbot/launchbot.sh start boobiesbot
cron-apt
#
# Regular cron jobs for the cron-apt package
#
# Every night at 4 o'clock.
0 4 * * *   root    test -x /usr/sbin/cron-apt && /usr/sbin/cron-apt
# Every hour.
# 0 *   * * *   root    test -x /usr/sbin/cron-apt && /usr/sbin/cron-apt /etc/cron-apt/config2
# Every five minutes.
# */5 * * * *   root    test -x /usr/sbin/cron-apt && /usr/sbin/cron-apt /etc/cron-apt/config2
cronjob_bandit22
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
cronjob_bandit23
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
cronjob_bandit24
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
eloi0
@reboot eloi0 /eloi/eloi0/eloi0.sh
eloi1
@reboot eloi1 /eloi/eloi1/eloi1.sh
hintbot-check
@reboot root /vulnbot/launchbot.sh start hintbot
manpage3_resetpw_job
cat: manpage3_resetpw_job: Permission denied
melinda-stats
*/30 * * * * root /root/scripts/melinda-cronjob.sh
natas-session-toucher
* * * * * root /root/scripts/natas-session-toucher.sh
natas-stats
*/30 * * * * root /root/scripts/natas-cronjob.sh
natas25_cleanup
cat: natas25_cleanup: Permission denied
natas26_cleanup
cat: natas26_cleanup: Permission denied
php5
# /etc/cron.d/php5: crontab fragment for php5
#  This purges session files older than X, where X is defined in seconds
#  as the largest value of session.gc_maxlifetime from all your php.ini
#  files, or 24 minutes if not defined.  See /usr/lib/php5/maxlifetime

# Look for and purge old sessions every 30 minutes
09,39 *     * * *     root   [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -cmin +$(/usr/lib/php5/maxlifetime) ! -execdir fuser -s {} 2>/dev/null \; -delete
semtex0-32
@reboot root /semtex/semtex0 24000 /semtex/semtex0.data32
semtex0-64
@reboot root /semtex/semtex0 24001 /semtex/semtex0.data64
semtex0-ppc
@reboot root /semtex/semtex0 24002 /semtex/semtex0.datappc
semtex10
@reboot root /semtex/semtex10 24019
semtex12
@reboot root /semtex/semtex12.authd 24012 /semtex/semtex12.data/password
@reboot root /semtex/semtex12.reader 24013 /semtex/semtex12.data/dir/
semtex5
@reboot root /semtex/semtex5 24027
semtex6
@reboot root /semtex/semtex6
semtex8
@reboot root /semtex/semtex8 /semtex/semtex8.data/semtex8.jpg /semtex/semtex8.data/semtex8.sock
semtex9
@reboot root /semtex/semtex9.fshell /semtex/semtex9.data/fakeshell
@reboot root /semtex/semtex9.i2t -f /semtex/semtex9.data/fakeshell
sysstat
# The first element of the path is a directory where the debian-sa1
# script is located
PATH=/usr/lib/sysstat:/usr/sbin:/usr/sbin:/usr/bin:/sbin:/bin

# Activity reports every 10 minutes everyday
5-55/10 * * * * root command -v debian-sa1 > /dev/null && debian-sa1 1 1

# Additional run at 23:59 to rotate the statistics file
59 23 * * * root command -v debian-sa1 > /dev/null && debian-sa1 60 2
vortex0
@reboot root /vortex/vortex0
vortex20
@reboot root /vortex/vortex20
vulnbot0-check
# @reboot root /vulnbot/launchbot.sh start vulnbot0
vulnbot1-check
# @reboot root /vulnbot/launchbot.sh start vulnbot1
bandit21@melinda:/etc/cron.d$ 

Looks like cronjob_bandit22 is the way to go.

bandit21@melinda:/etc/cron.d$ cat cronjob_bandit22 
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null

Now we know which script gets executed every minute. (* * * * *)

bandit21@melinda:/etc/cron.d$ cat /usr/bin/cronjob_bandit22.sh 
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

Well, lets check the rights and the content of these files from the script...

bandit21@melinda:/etc/cron.d$ ll /etc/bandit_pass/bandit22
-r-------- 1 bandit22 bandit22 33 Jun  6  2013 /etc/bandit_pass/bandit22

No luck, no read access for us.

bandit21@melinda:/etc/cron.d$ ll /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
-rw-r--r-- 1 bandit22 bandit22 33 Aug 30 19:32 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

But here...

bandit21@melinda:/etc/cron.d$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

level 23

bandit22@melinda:~$ cd /etc/cron.d
bandit22@melinda:/etc/cron.d$ ll
total 128
drwxr-xr-x   2 root root 4096 Jul 22 13:40 ./
drwxr-xr-x 109 root root 4096 Aug 30 10:57 ../
-rw-r--r--   1 root root  102 Apr  2  2012 .placeholder
-rw-r--r--   1 root root   52 Oct 22  2013 boobiesbot-check
-rw-r--r--   1 root root  355 Nov 18  2011 cron-apt
-rw-r--r--   1 root root   61 Jun  6  2013 cronjob_bandit22
-rw-r--r--   1 root root   62 Jun  6  2013 cronjob_bandit23
-rw-r--r--   1 root root   61 Jun  6  2013 cronjob_bandit24
-rw-r--r--   1 root root   35 Jun  6  2013 eloi0
-rw-r--r--   1 root root   35 Jun  6  2013 eloi1
-rw-r--r--   1 root root   49 Jul  3 14:13 hintbot-check
-rw-------   1 root root  233 Jun  6  2013 manpage3_resetpw_job
-rw-r--r--   1 root root   51 Jul 12 15:57 melinda-stats
-rw-r--r--   1 root root   54 Sep 30  2013 natas-session-toucher
-rw-r--r--   1 root root   49 Sep 30  2013 natas-stats
-r--r-----   1 root root   47 Sep 30  2013 natas25_cleanup
-r--r-----   1 root root   45 Jul 22 13:40 natas26_cleanup
-rw-r--r--   1 root root  544 Mar 11  2013 php5
-rw-r--r--   1 root root   58 Jun  6  2013 semtex0-32
-rw-r--r--   1 root root   58 Jun  6  2013 semtex0-64
-rw-r--r--   1 root root   59 Jun  6  2013 semtex0-ppc
-rw-r--r--   1 root root   36 Jun  6  2013 semtex10
-rw-r--r--   1 root root  143 Jun  6  2013 semtex12
-rw-r--r--   1 root root   35 Jun  6  2013 semtex5
-rw-r--r--   1 root root   29 Jun  6  2013 semtex6
-rw-r--r--   1 root root   96 Jun  6  2013 semtex8
-rw-r--r--   1 root root  134 Jun  6  2013 semtex9
-rw-r--r--   1 root root  396 Dec 16  2011 sysstat
-rw-r--r--   1 root root   29 Jun  6  2013 vortex0
-rw-r--r--   1 root root   30 Jul  2  2013 vortex20
-rw-r--r--   1 root root   52 Jul  3 13:41 vulnbot0-check
-rw-r--r--   1 root root   52 Jul  3 13:41 vulnbot1-check
bandit22@melinda:/etc/cron.d$ cat cronjob_bandit23
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null

Oh, another cronjob running every minute.

bandit22@melinda:/etc/cron.d$ ll /usr/bin/cronjob_bandit23.sh 
-rwxr-x--- 1 bandit23 bandit22 211 Jun  6  2013 /usr/bin/cronjob_bandit23.sh*

Running a script, for which our group just happens to have execute permission, too.

bandit22@melinda:/etc/cron.d$ cat /usr/bin/cronjob_bandit23.sh 
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget

And the script just further happens to copy something into /tmp, again. Granting read permissions to everyone in the process.

This tells us different things.

  • We can run the script ourselves. But this won't help us.
  • The path where the file is stored lies under /tmp and the filename is generated.
  • If we knew the filename, we'd have the pw.

So let's do the line with the filename creation by hand:

bandit22@melinda:/etc/cron.d$ echo I am user bandit23 | md5sum | cut -d' ' -f1
8ca319486bfbbc3663ea0fbe81326349

Which is the filename. Since i am not overly into copy-typing:

bandit22@melinda:/etc/cron.d$ cat /tmp/`echo I am user bandit23 | md5sum | cut -d' ' -f1`
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n

level 24

level 25

This one is not prepared yet. It's over for now.

\O/
 |
/ \

This blog covers .csv, .htaccess, .pfx, .vmx, /etc/crypttab, /etc/network/interfaces, /etc/sudoers, /proc, 10.04, 14.04, AS, ASA, ControlPanel, DS1054Z, GPT, HWR, Hyper-V, IPSEC, KVM, LSI, LVM, LXC, MBR, MTU, MegaCli, PHP, PKI, R, RAID, S.M.A.R.T., SNMP, SSD, SSL, TLS, TRIM, VEEAM, VMware, VServer, VirtualBox, Virtuozzo, XenServer, acpi, adaptec, algorithm, ansible, apache, apachebench, apple, arcconf, arch, architecture, areca, arping, asa, asdm, awk, backup, bandit, bar, bash, benchmarking, binding, bitrate, blackarmor, blowfish, bochs, bond, bonding, booknotes, bootable, bsd, btrfs, buffer, c-states, cache, caching, ccl, centos, certificate, certtool, cgdisk, cheatsheet, chrome, chroot, cisco, clamav, cli, clp, clush, cluster, coleslaw, colorscheme, common lisp, console, container, containers, controller, cron, cryptsetup, csync2, cu, cups, cygwin, d-states, database, date, db2, dcfldd, dcim, dd, debian, debug, debugger, debugging, decimal, desktop, df, dhclient, dhcp, diff, dig, display manager, dm-crypt, dmesg, dmidecode, dns, docker, dos, drivers, dtrace, dtrace4linux, du, dynamictracing, e2fsck, eBPF, ebook, efi, egrep, emacs, encoding, env, error, ess, esx, esxcli, esxi, ethtool, evil, expect, exportfs, factory reset, factory_reset, factoryreset, fail2ban, fbsd, fedora, file, filesystem, find, fio, firewall, firmware, fish, flashrom, forensics, free, freebsd, freedos, fritzbox, fsck, fstrim, ftp, ftps, g-states, gentoo, ghostscript, git, git-filter-branch, github, gitolite, gnutls, gradle, grep, grml, grub, grub2, guacamole, hardware, haskell, hdd, hdparm, hellowor, hex, hexdump, history, howto, htop, htpasswd, http, httpd, https, i3, icmp, ifenslave, iftop, iis, imagemagick, imap, imaps, init, innoDB, innodb, inodes, intel, ioncube, ios, iostat, ip, iperf, iphone, ipmi, ipmitool, iproute2, ipsec, iptables, ipv6, irc, irssi, iw, iwconfig, iwlist, iwlwifi, jailbreak, jails, java, javascript, javaws, js, juniper, junit, kali, kde, kemp, kernel, keyremap, kill, kpartx, krypton, lacp, lamp, languages, ldap, ldapsearch, less, leviathan, liero, lightning, links, linux, linuxin3months, lisp, list, livedisk, lmctfy, loadbalancing, locale, log, logrotate, looback, loopback, losetup, lsblk, lsi, lsof, lsusb, lsyncd, luks, lvextend, lvm, lvm2, lvreduce, lxc, lxde, macbook, macro, magento, mailclient, mailing, mailq, manpages, markdown, mbr, mdadm, megacli, micro sd, microsoft, minicom, mkfs, mktemp, mod_pagespeed, mod_proxy, modbus, modprobe, mount, mouse, movement, mpstat, multitasking, myISAM, mysql, mysql 5.7, mysql workbench, mysqlcheck, mysqldump, nagios, nas, nat, nc, netfilter, networking, nfs, nginx, nmap, nocaps, nodejs, numberingsystem, numbers, od, onyx, opcode-cache, openVZ, openlierox, openssl, openvpn, openvswitch, openwrt, oracle linux, org-mode, os, oscilloscope, overview, parallel, parameter expansion, parted, partitioning, passwd, patch, pdf, performance, pfsense, php, php7, phpmyadmin, pi, pidgin, pidstat, pins, pkill, plesk, plugin, posix, postfix, postfixadmin, postgres, postgresql, poudriere, powershell, preview, profiling, prompt, proxmox, ps, puppet, pv, pvecm, pvresize, python, qemu, qemu-img, qm, qmrestore, quicklisp, r, racktables, raid, raspberry pi, raspberrypi, raspbian, rbpi, rdp, redhat, redirect, registry, requirements, resize2fs, rewrite, rewrites, rhel, rigol, roccat, routing, rs0485, rs232, rsync, s-states, s_client, samba, sar, sata, sbcl, scite, scp, screen, scripting, seafile, seagate, security, sed, serial, serial port, setup, sftp, sg300, shell, shopware, shortcuts, showmount, signals, slattach, slip, slow-query-log, smbclient, snmpget, snmpwalk, software RAID, software raid, softwareraid, sophos, spacemacs, spam, specification, speedport, spi, sqlite, squid, ssd, ssh, ssh-add, sshd, ssl, stats, storage, strace, stronswan, su, submodules, subzone, sudo, sudoers, sup, swaks, swap, switch, switching, synaptics, synergy, sysfs, systemd, systemtap, tar, tcpdump, tcsh, tee, telnet, terminal, terminator, testdisk, testing, throughput, tmux, todo, tomcat, top, tput, trafficshaping, ttl, tuning, tunnel, tunneling, typo3, uboot, ubuntu, ubuntu 16.04, udev, uefi, ulimit, uname, unetbootin, unit testing, upstart, uptime, usb, usbstick, utf8, utm, utm 220, ux305, vcs, vgchange, vim, vimdiff, virtualbox, virtualization, visual studio code, vlan, vmstat, vmware, vnc, vncviewer, voltage, vpn, vsphere, vzdump, w, w701, wakeonlan, wargames, web, webdav, weechat, wget, whois, wicd, wifi, windowmanager, windows, wine, wireshark, wpa, wpa_passphrase, wpa_supplicant, x11vnc, x2x, xfce, xfreerdp, xmodem, xterm, xxd, yum, zones, zsh


Unless otherwise credited all material Creative Commons License by sjas