{"id":568,"date":"2015-01-25T22:15:23","date_gmt":"2015-01-25T22:15:23","guid":{"rendered":"https:\/\/www.hackmethod.com\/?p=568"},"modified":"2022-06-03T05:40:09","modified_gmt":"2022-06-03T05:40:09","slug":"overthewire-bandit-14","status":"publish","type":"post","link":"https:\/\/hackmethod.com\/overthewire-bandit-14\/","title":{"rendered":"OvertheWire &#8211; Bandit 14"},"content":{"rendered":"<p>[et_pb_section fb_built=&#8221;1&#8243; admin_label=&#8221;section&#8221; _builder_version=&#8221;3.22&#8243;][et_pb_row admin_label=&#8221;row&#8221; _builder_version=&#8221;3.25&#8243; background_size=&#8221;initial&#8221; background_position=&#8221;top_left&#8221; background_repeat=&#8221;repeat&#8221;][et_pb_column type=&#8221;4_4&#8243; _builder_version=&#8221;3.25&#8243; custom_padding=&#8221;|||&#8221; custom_padding__hover=&#8221;|||&#8221;][et_pb_text admin_label=&#8221;Text&#8221; _builder_version=&#8221;4.7.5&#8243; background_size=&#8221;initial&#8221; background_position=&#8221;top_left&#8221; background_repeat=&#8221;repeat&#8221; hover_enabled=&#8221;0&#8243; sticky_enabled=&#8221;0&#8243;]<strong>Recap of Level 13: <\/strong>We tinkered around with a hexdump that was repeatedly compressed.\u00a0 By linking zcat, tar, and bzcat we were able to grab the password.<strong><br \/><\/strong><\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"http:\/\/overthewire.org\/wargames\/bandit\/bandit14.html\" target=\"_blank\" rel=\"noopener\"><strong>Bandit Level 14<\/strong><\/a><\/p>\n<h4><strong>Objective:<\/strong><\/h4>\n<p>Find the password to the next level<\/p>\n<h4><strong>Intel Given:<\/strong><\/h4>\n<ul>\n<li>The password for the next level is stored in <strong>\/etc\/bandit_pass\/bandit14 and can only be read by user bandit14<\/strong>.<\/li>\n<li>For this level, you don\u2019t get the next password, but you get a private SSH key that can be used to log into the next level. 
<strong>Note:<\/strong> <strong>localhost<\/strong> is a hostname that refers to the machine you are working on<\/li>\n<\/ul>\n<p><!--more--><\/p>\n<h4><strong>How to:<\/strong><\/h4>\n<p>Checking out our home directory we no longer have data.txt! Now we have a file called sshkey.private to work with. If you run cat or file on it you&#8217;ll see that sshkey.private is an RSA private key. In short, we will use this as our password to SSH into level 14.<\/p>\n<p>SSH keypair exchange is a much more secure method of authentication. Major benefits include difficulty to brute force due to complexity as well as the security of your key in general. In a typical login &amp; password authentication scenario the distant server requires knowledge of your login and password. With a key the distant server only has your public key and your private key remains with you. Thus, if the distant server was ever compromised the hacker would only have your public key and be unable to steal your login information.<\/p>\n<p>You could go about this in two ways. Typically we have been SSHing into our bandit sessions like such.<\/p>\n<p><code>$ ssh bandit13@bandit.labs.overthewire.org<\/code><\/p>\n<p>When prompted for a password we then enter it and we are granted access to the machine. Well now we need to use our private key so that the distant server can bump it up against our public key. To do that we type the following line.<\/p>\n<p><code>$ ssh bandit14@localhost -i ~\/sshkey.private<\/code><\/p>\n<p>Why did I use localhost instead of the FQDN (Fully Qualified Domain Name)? Well, for one I used the hint, and two I know something about our environment. We are already logged into the bandit.labs.overthewire.org server. If I wish to SSH into it again with another account I could just send my command through the loopback interface (localhost) to send it to itself. 
If you typed the FQDN it wouldn&#8217;t know who to contact, probably because there is no internal DNS to resolve the address.<\/p>\n<p>The other way would be to download the key to yourself using secure copy (scp). To copy the file from the overthewire server simply type<\/p>\n<p><code>$ scp bandit13@bandit.labs.overthewire.org:sshkey.private ~\/Desktop<\/code><\/p>\n<p>Enter the password to authenticate to level 13 and the key will be downloaded to your Desktop.<\/p>\n<p>Now you can type the command below from your host machine to authenticate to bandit 14.<\/p>\n<p><code>sudo ssh bandit14@bandit.labs.overthewire.org -i ~\/Desktop\/sshkey.private<\/code><\/p>\n<p><strong>Note:\u00a0<\/strong>You have to run the command with sudo because file permissions are preserved when you scp&#8217;d the file. You could change the permissions if you wish.<\/p>\n<h4><strong>Conclusion:<\/strong><\/h4>\n<p>We discussed connecting to an SSH service with an RSA private key to a distant server that already has our public key. 
I also very very very briefly went over how Private\/Public key encryption works when authenticating to a service.<br \/>\n[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=&#8221;4.7.5&#8243; _module_preset=&#8221;default&#8221; column_structure=&#8221;1_2,1_2&#8243;][et_pb_column _builder_version=&#8221;4.7.5&#8243; _module_preset=&#8221;default&#8221; type=&#8221;1_2&#8243;][et_pb_image src=&#8221;https:\/\/hackmethod.com\/wp-content\/uploads\/2020\/12\/Previous.png&#8221; _builder_version=&#8221;4.7.5&#8243; _module_preset=&#8221;default&#8221; alt=&#8221;Previous Level&#8221; title_text=&#8221;Previous&#8221; url=&#8221;https:\/\/hackmethod.com\/overthewire-bandit-13&#8243; hover_enabled=&#8221;0&#8243; sticky_enabled=&#8221;0&#8243;][\/et_pb_image][\/et_pb_column][et_pb_column _builder_version=&#8221;4.7.5&#8243; _module_preset=&#8221;default&#8221; type=&#8221;1_2&#8243;][et_pb_image src=&#8221;https:\/\/hackmethod.com\/wp-content\/uploads\/2020\/12\/Next.png&#8221; _builder_version=&#8221;4.7.5&#8243; _module_preset=&#8221;default&#8221; alt=&#8221;Next Level&#8221; title_text=&#8221;Next&#8221; url=&#8221;https:\/\/hackmethod.com\/overthewire-bandit-15&#8243; align=&#8221;right&#8221; hover_enabled=&#8221;0&#8243; sticky_enabled=&#8221;0&#8243;][\/et_pb_image][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Recap of Level 13: We tinkered around with a hexdump that was repeatedly compressed.\u00a0 By linking zcat, tar, and bzcat we were able to grab the password. 
&nbsp; Bandit Level 14 Objective: Find the password to the next level Intel Given: The password for the next level is stored in \/etc\/bandit_pass\/bandit14 and can only be [&hellip;]<\/p>\n","protected":false},"author":8,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"<strong>Recap of <a href=\"https:\/\/www.hackmethod.com\/overthewire-bandit-14\/\" target=\"_blank\">Last\u00a0Lesson<\/a>:<\/strong>\r\n\r\n<a href=\"http:\/\/overthewire.org\/wargames\/bandit\/bandit14.html\" target=\"_blank\"><strong>Bandit Level 14<\/strong><\/a>\r\n\r\n<strong>Objective<\/strong>\r\n\r\nFind the password to the next level\r\n\r\n<strong>Intel Given<\/strong>\r\n<ul>\r\n\t<li>The password for the next level is stored in <strong>\/etc\/bandit_pass\/bandit14 and can only be read by user bandit14<\/strong>.<\/li>\r\n\t<li>For this level, you don\u2019t get the next password, but you get a private SSH key that can be used to log into the next level. <strong>Note:<\/strong> <strong>localhost<\/strong> is a hostname that refers to the machine you are working on<\/li>\r\n<\/ul>\r\n<!--more-->\r\n\r\n<strong>How to<\/strong>\r\n\r\nChecking out our home directory we no longer have data.txt! Now we have a file called sshkey.private to work with. If you run cat or file on it you'll see that sshkey.private is an RSA private key. In short, we will use this as our password to SSH into level 14.\r\n\r\nSSH keypair exchange is a much more secure method of authentication. Major benefits include difficulty to brute force due to complexity as well as the security of your key in general. In a typical login &amp; password authentication scenario the distant server requires knowledge of your login and password. With a key the distant server only has your public key and your private key remains with you. 
Thus, if the distant server was ever compromised the hacker would only have your public key and be unable to steal your login information.\r\n\r\nYou could go about this in two ways. Typically we have been SSHing into our bandit sessions like such.\r\n\r\n<code>$ ssh bandit13@bandit.labs.overthewire.org<\/code>\r\n\r\nWhen prompted for a password we then enter it and we are granted access to the machine. Well now we need to use our private key so that the distant server can bump it up against our public key. To do that we type the following line.\r\n\r\n<code>$ ssh bandit14@localhost -i ~\/sshkey.private<\/code>\r\n\r\nWhy did I use localhost instead of the FQDN (Fully Qualified Domain Name)? Well, for one I used the hint, and two I know something about our environment. We are already logged into the bandit.labs.overthewire.org server. If I wish to SSH into it again with another account I could just send my command through the loopback interface (localhost) to send it to itself. If you typed the FQDN it wouldn't know who to contact, probably because there is no internal DNS to resolve the address.\r\n\r\nThe other way would be to download the key to yourself using secure copy (scp). To copy the file from the overthewire server simply type\r\n\r\n<code>$ scp bandit13@bandit.labs.overthewire.org:sshkey.private ~\/Desktop<\/code>\r\n\r\nEnter the password to authenticate to level 13 and the key will be downloaded to your Desktop.\r\n\r\nNow you can type the command below from your host machine to authenticate to bandit 14.\r\n\r\n<code>sudo ssh bandit14@bandit.labs.overthewire.org -i ~\/Desktop\/sshkey.private<\/code>\r\n\r\n<strong>Note:\u00a0<\/strong>You have to run the command with sudo because file permissions are preserved when you scp'd the file. You could change the permissions if you wish.\r\n\r\n<strong>Conclusion<\/strong>\r\n\r\nWe discussed connecting to an SSH service with an RSA private key to a distant server that already has our public key. 
I also very very very briefly went over how Private\/Public key encryption works when authenticating to a service.","_et_gb_content_width":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[44],"tags":[43,45,46],"class_list":["post-568","post","type-post","status-publish","format-standard","hentry","category-overthewire","tag-bandit","tag-overthewire","tag-tutorials"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p5zY4D-9a","_links":{"self":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts\/568","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/comments?post=568"}],"version-history":[{"count":9,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts\/568\/revisions"}],"predecessor-version":[{"id":27532,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts\/568\/revisions\/27532"}],"wp:attachment":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/media?parent=568"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/categories?post=568"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/tags?post=568"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}