Recap

Bandit had us go through a number of machines that we SSH’d into. We needed to find a password file, or in some cases an SSH private key, to login to the next level.

We went through 26 levels (0-25) and learnt a bunch about some fairly standard Linux commands, as well as nifty tools that’ll help us in the future.

Commands used

  • ssh [user@]host [command]
    • used to connect to each machine
    • -p to specify a non-standard port to connect to
    • -i to specify an identity (SSH private key) file
    • [command] at end runs as soon as connection is made
  • ls [directory]
    • used to list files in a directory
    • -l to list more details
    • -a to show ALL files (including hidden)
  • cat file
    • output a file’s contents to the screen
  • echo string
    • outputs the provided string
  • file file
    • used to get various types of information on a file
  • find [root search directory]
    • used to find files
    • -executable to find executable files
    • -size to find files of a specific size (a c suffix means bytes, e.g. -size 1033c)
    • -user to specify the user the file belongs to
    • -group to specify the group the file belongs to
    • ! to negate the test that follows it
  • grep string file
    • used to find text in a file
  • uniq file
    • used to output unique lines in a file
    • -u to only output lines that occur once
    • best used with sort
  • sort file
    • by default, sorts lines in a file in alphanumeric order
  • strings file
    • finds ASCII strings in a file
  • base64 [file]
    • encodes a file (or standard input) as base64
    • -d to decode base64 input
  • tr set1 set2
    • translates each character in set1 to the character at the same position in set2
  • mkdir [path/]name
    • creates a directory
  • cp source-file dest-file
    • copies a file
  • mv source-file dest-file
    • moves a file
  • xxd file
    • creates a hexdump of a file
    • -r attempts to reconstruct file from hexdump
  • gunzip file
    • decompress .gz files
  • bunzip2 file
    • decompress .bz2 files
  • tar -f file
    • used to archive and unarchive files
    • -x to unarchive
    • -f to specify file to unarchive
  • scp [[user@]host:]source-filepath [[user@]host:]dest-filepath
    • copy a remote file using SSH
    • -P to specify a nonstandard port
  • nc address port
    • connect to/open a port
    • -l to create a listening port
      • you can pipe an echo to output something to whoever connects
  • openssl s_client [-connect host:port]
    • used to connect to an SSL port
    • -ign_eof to keep connection open after input finished
    • -quiet to remove extraneous output
  • nmap address/range
    • scans an address or address range for available hosts, open ports, etc.
    • -p to specify port, ports, port range.
    • -A to get a crapload of information. Runs scripts, service discovery, traceroutes, etc.
  • diff file1 file2
    • compares two files and outputs differences
  • whoami
    • outputs the user the command is run as
  • chmod [permissions] file/directory
    • changes the permissions of a file or directory
    • can use octal, or specify bits with u, g, o (user, group, other) and +/- with rwx (read, write, execute)
    • e.g. chmod u+x test.sh will add execute permission to the user on test.sh
  • sleep time
    • waits the specified amount of time in seconds
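As an added example (not code from the original post), the script below runs several of the commands listed above (find with -size, -user and !, sort with uniq -u, base64 -d, and tr for a rot13 shift) against a scratch directory it creates itself, so it works offline. Every file name and file content in it is made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post: exercises find, sort, uniq,
# base64 and tr on a scratch directory built here. All names and contents are
# constructed for the demo.

# Create the scratch directory, fill it with files of known size and content,
# and print its path.
make_sandbox() {
    dir=$(mktemp -d)
    printf 'hello' > "$dir/five_bytes.txt"                    # exactly 5 bytes, no newline
    printf 'x' > "$dir/notes.md"                              # the only non-.txt file
    printf 'one\ntwo\ntwo\nthree\nthree\n' > "$dir/dupes.txt" # only "one" occurs once
    printf 'Uryyb, onaqvg\n' > "$dir/rot13.txt"               # "Hello, bandit" shifted by 13
    printf 'SGVsbG8sIGJhbmRpdAo=\n' > "$dir/b64.txt"           # base64 of "Hello, bandit\n"
    echo "$dir"
}

# -size with the c suffix matches an exact byte count; -type f skips
# directories so the scratch directory itself is never reported.
find_exact_size() {
    find "$1" -type f -size "${2}c"
}

# -user restricts to files owned by the current user (name taken via command
# substitution) and ! -name '*.txt' negates the name test that follows it.
find_owned_non_txt() {
    find "$1" -type f -user "$(id -un)" ! -name '*.txt'
}

# sort first so duplicate lines become adjacent, then uniq -u keeps only the
# lines that occur exactly once.
unique_line() {
    sort "$1" | uniq -u
}

# base64 -d decodes; there is no -r flag for decoding.
decode_b64() {
    base64 -d "$1"
}

# tr maps each letter of the first set to the letter at the same position in
# the second, which shifts A-Z and a-z by 13 places (rot13 is its own inverse).
rot13_file() {
    tr 'A-Za-z' 'N-ZA-Mn-za-m' < "$1"
}

# Run every step against the scratch directory, then remove it.
demo() {
    d=$(make_sandbox)
    find_exact_size "$d" 5
    find_owned_non_txt "$d"
    unique_line "$d/dupes.txt"
    decode_b64 "$d/b64.txt"
    rot13_file "$d/rot13.txt"
    rm -r "$d"
}

demo
```

Each helper returns its result on standard output, so the pieces can be chained with | or captured with command substitution exactly as on the Bandit boxes.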

Concepts learned

  • using quotes, backslashes, and relative/full paths to open files with special characters in the filename
  • wildcarding with *
  • chaining commands with &&
  • piping command output with |
  • running commands in the background with &
  • redirecting output to files with >
  • appending output to files with >>
  • redirecting errors with 2>
  • using setuid to run programs as a different user
  • reading /etc/cron.d to see what periodic tasks are running
  • using command substitution with
  • creating and editing text files with vi
  • changing permissions to allow other users to read, write, and execute to files/directories
  • basic BASH scripting
    • a counter loop that starts at x and ends before y, increasing i by 1 each iteration
    • using variables with $<variable>
  • brute-forcing
    • why it sucks
    • why you sometimes need to slow down your brute-forcing
  • finding user information in /etc/passwd
  • keeping a connection open when the shell only runs the more pager
  • breaking out of the more pager into a text editor, then using that text editor to read other files
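As an added example (not code from the original post), the script below ties together the scripting concepts listed above: the counter loop, variables, command substitution with $( ), chaining with &&, redirection with >, >> and 2>, a background job with & and sleep. The file names it uses are made up, and it is written in plain POSIX sh so it also runs outside bash.

```shell
#!/bin/sh
# Added example, not code from the original post: a small POSIX shell script
# covering the scripting concepts from the recap. File names are constructed.

# Counter loop: starts at x and stops before y, adding 1 to i each pass.
# Written as a while loop so it runs under plain /bin/sh as well as bash.
count_from_to() {
    i=$1
    y=$2
    while [ "$i" -lt "$y" ]; do
        echo "$i"
        i=$((i + 1))
    done
}

# Command substitution: capture the loop's output with $( ) and add it up,
# using $total and $n as variables.
sum_range() {
    total=0
    for n in $(count_from_to "$1" "$2"); do
        total=$((total + n))
    done
    echo "$total"
}

# Redirection: > truncates the results file, >> appends one line per pass,
# 2> sends the error from ls on a missing path to a log instead of the
# terminal (|| true keeps the script going), and && only appends when the
# preceding test succeeded. Prints the number of lines collected.
collect_results() {
    out=$1
    errlog="$out.err"
    : > "$out"
    for n in $(count_from_to "$2" "$3"); do
        ls "$out.missing" 2> "$errlog" || true
        [ -n "$n" ] && echo "pass $n" >> "$out"
    done
    wc -l < "$out" | tr -d ' '
}

# Background job: start a slow command with &, carry on, then wait for it.
# Output order shows the fast step finishing before the slow one.
slow_then_fast() {
    (sleep 1; echo slow) > "$1" &
    echo fast
    wait
    cat "$1"
}

# Usage: run each piece against temporary files and clean up.
demo() {
    count_from_to 3 6
    sum_range 3 6
    tmp=$(mktemp)
    collect_results "$tmp" 0 4
    slow_then_fast "$tmp.bg"
    rm -f "$tmp" "$tmp.err" "$tmp.bg"
}

demo
```

The loop is deliberately a while rather than the bash for (( )) form so the same file runs under dash or busybox sh; under bash either form works.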