Post

Overthewire Bandit Level 13 -> 14

Solution for the Overthewire.org Bandit level 13 -> 14

Level Goal

The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don't get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on


Walkthrough

Login to the server using the password obtained from the previous level Bandit level 12 -> 13.

username: bandit13

1
ssh bandit13@bandit.labs.overthewire.org -p 2220

This time the password is located in a file that we (bandit13) do not have read access to.
We have been given an an SSH key to login to next level.
The key is a file sshkey.private in the home directory.

1
2
3
4
5
bandit13@bandit:~$ ls
sshkey.private

bandit13@bandit:~$ file sshkey.private 
sshkey.private: PEM RSA private key

Reading the contents of the sshkey shows alot of base64 encoding.

1
2
3
4
5
6
7
8
bandit13@bandit:~$ cat sshkey.private 
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAxkkOE83W2cOT7IWhFc9aPaaQmQDdgzuXCv+ppZHa++buSkN+
          --- [snip] ---
/+aLoRQ0yBDRbdXMsZN/jvY44eM+xRLdRVyMmdPtP8belRi2E2aEzA==
-----END RSA PRIVATE KEY-----

bandit13@bandit:~$

We have been using ssh with a password to access these levels but now we need to see how to use ssh with a private key.
Time to look at the man page

Looking through the man page we can see an entry that mentions private key.
The -i option for ssh will allow us to specify an identity (private ssh key) to use instead of a password.

Here is the section of the man ssh page concerning -i option.

1
2
3
4
5
6
7
8
9
10
-i identity_file
    Selects a file from which the identity (private key) for public key authentication is read.  
    The default is ~/.ssh/identity for protocol version 1, 
    and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 and ~/.ssh/id_rsa for protocol version 2.  
    Identity files may also be specified on a per-host basis in the configuration file.
    It is possible to have multiple -i options (and multiple identities specified in
    configuration files).  
    If no certificates have been explicitly specified by the CertificateFile directive, 
    ssh will also try to load certificate information from the filename obtained by appending
    -cert.pub to identity filenames.

So now we can use the -i option to login to the next level (bandit14).
Since the level we are logged into (bandit13) and the next level (bandit14) are located on
the same server we use @localhost instead of @bandit.labs.overthewire.org as the address.

1
bandit13@bandit:~$ ssh -i sshkey.private bandit14@localhost

Now that we are logged into bandit14 we can get the password for bandit14 from /etc/bandit_pass/bandit14.
Getting this password will make it easier to access bandit14 later.

1
2
bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
4wcYUJ##########################
This post is licensed under CC BY 4.0 by the author.