SSH Basics and Linux Commands

Questions and Answers

Which of the following scenarios would require specifying a port number when using SSH?

  • Connecting to a server using its standard SSH port.
  • Connecting to a server using its IP address instead of a domain name.
  • Connecting to a server that uses a non-default port for SSH. (correct)
  • Connecting to a server when the username is not the default.

After successfully SSHing into a remote server, which action will return you to your local machine's shell?

  • Running the `pwd` command.
  • Exiting the SSH session. (correct)
  • Closing the terminal window.
  • Running the `clear` command.

What is the purpose of the known_hosts file in SSH?

  • It stores a list of commonly used SSH commands.
  • It stores usernames and passwords for SSH authentication.
  • It stores the IP addresses of frequently accessed servers.
  • It stores server fingerprints to verify the identity of SSH servers. (correct)

Which command displays the contents of a file named important.txt on the terminal?

  • `cat important.txt` (A)

You need to copy a file named report.txt from a remote server to your local machine using SCP. The remote server's SSH port is 2222. Which command would you use?

  • `scp -P 2222 user@host:report.txt /local/directory` (C)

You are in a directory /home/user/documents. Which command would you use to navigate to the parent directory?

  • `cd ..` (C)

Which command would list all files, including hidden files, in the current directory?

  • `ls -a` (B)

You encounter a file named My Important Document.txt in your current directory. How can you correctly use the cat command to display its contents?

  • Both B and C (A)

After placing a process in the background using bg, how can you subsequently bring it back to the foreground?

  • Using the `fg` command followed by the job ID (e.g., `fg 1`). (C)

Which of the following best describes how the bandit21 password was likely discovered, based on content?

  • By capturing the output of `bandit20` via a Netcat listener. (A)

What is the primary function of cron?

  • To schedule and automate the execution of tasks. (C)

Where are system-wide cron job definitions typically stored?

  • /etc/cron.d/ (C)

Given the cron job syntax "minute, hour, day of month, month, day of week, and command," which of the following cron expressions would execute a script named backup.sh located in /home/user/scripts/ at 05:00 AM every Monday?

  • `0 5 * * 1 /home/user/scripts/backup.sh` (C)

What is the purpose of the first character in the output of the command ls -l?

  • Denotes the file type (e.g., regular file, directory). (D)

Which wildcard character matches zero or more characters in a filename pattern?

  • `*` (C)

In the find command, what is the purpose of the ! option?

  • It inverts the specified option. (D)

What do file permissions control?

  • Who can read, write, or execute the file. (A)

What is the purpose of redirection in Linux commands?

  • To control where the output of a command goes. (C)

What does the | symbol represent in the Linux command line?

  • A pipe, connecting the output of one command to the input of another. (B)

What is the purpose of the grep -v command?

  • To invert the match, showing lines that do not match the pattern. (C)

What is the main advantage of Unicode over ASCII?

  • Unicode can represent characters from various languages. (C)

What does the strings command do?

  • It extracts human-readable strings from binary files. (A)

What is Base64 encoding primarily used for?

  • Encoding binary data into an ASCII string format. (C)

What is the fundamental principle behind the ROT13 cipher?

  • It shifts each letter by 13 positions in the alphabet. (C)

What is the purpose of a hex dump?

  • To represent a file's contents in hexadecimal format. (C)

Before using gunzip on a file, what is typically required?

  • Renaming the file to include a `.gz` extension. (B)

What is the primary function of CyberChef?

  • A web-based tool for various encoding, decoding, and data manipulation tasks. (A)

After extracting a .tar archive, you find a bzip2 compressed file. Which command would you use to extract this file?

  • `bzip2 -d filename.bz2` (A)

What is the primary purpose of the -i option when using SSH?

  • To indicate the identity file (private key) for authentication. (C)

After decoding a hex text file using xxd -r, what is the next recommended step to retrieve the ASCII text file?

  • Piping the output to `zcat` and other commands. (A)

In the Bandit challenges, what is the initial step required to retrieve the password for the next level from port 30000 on localhost?

  • Submit the current level's password to port 30000 using `netcat`. (D)

Which command is used to connect to a port on localhost using SSL encryption to retrieve the password for the next level?

  • `openssl s_client -connect localhost:30001` (C)

In the context of the Bandit challenges, what tool is best suited for scanning a range of ports on localhost to identify services that speak SSL?

  • `nmap` (C)

When dealing with an SSH private key, which chmod command is essential for ensuring that it's only readable by the user, thus preventing login issues?

  • `chmod 400` (B)

In a scenario where two files, password.old and password.new, exist, and the password for the next level is the only differing line between them, which command is most effective for identifying this line?

  • `diff password.old password.new` (D)

When combining two files, sorting their contents, and identifying unique lines in a directory with permission restrictions, where should the operations be performed?

  • The `/tmp` directory. (C)

If a .bashrc file is modified to cause an immediate logout upon SSH login, what is the most direct method to read the contents of a file named readme in the home directory?

  • Executing `cat readme` directly after logging in. (C)

What is the primary effect of the SetUID bit on an executable file?

  • It grants the file owner's privileges to whoever executes the file. (B)

What is the correct command to run a bandit20 binary that connects to port 9090 on localhost, assuming it's designed to exchange passwords for the Bandit levels?

  • `./bandit20 9090` (D)

In the context of network connections, how can netcat be used to listen on a specific port?

  • `netcat -l -p` (D)

How can a command be sent to the background in a Linux shell?

  • By adding `&` to the end of the command. (A)

In what scenario would the jobs command be most useful?

  • When needing to list background processes started in the current shell. (C)

After sending a process to the background, how can you bring it back to the foreground?

  • Using the `fg` command. (A)

Flashcards

What is SSH?

Connects to a remote server to execute commands securely.

What is known_hosts?

A file that stores fingerprints of known SSH servers.

What does ls do?

Lists files and directories in the current location.

What does cat do?

Displays the content of a file.

What does cd do?

Moves you to a different directory.

What is SCP?

Securely copies files between computers.

What are hidden files?

Files that start with a .

What does . represent?

The current directory.

Ctrl+Z vs bg?

Ctrl+Z pauses a foreground process, bg resumes it in the background.

What is Cron?

A job scheduler that uses the crond daemon to execute scheduled tasks.

Cron job files

Configuration files that specify when and how programs are automatically executed by cron.

Cron job syntax fields

Minute, hour, day of month, month, day of week, command.

What is TAR?

Creates an archive file, also called a 'tarball'.

First character in ls -l

Indicates the file type in ls -l output (e.g., - for regular file, d for directory).

Wildcards

Characters like ? and * that match patterns in filenames.

The find command

Command to search for files in a directory hierarchy.

Redirection

Controls where a command's output goes, like to a file.

Pipe (|)

Connects the output of one command to the input of another.

The grep command

Searches for lines matching a pattern in a file or input.

Unicode

Character encoding standard to represent characters from various languages.

The strings command

Extracts human-readable strings from binary files.

Base64 Encoding

Encodes binary data into an ASCII string format.

ROT13 Cipher

Simple cipher that rotates letters by 13 positions.

The xxd command

Creates and reverses hex dumps.

gunzip

Command that extracts files compressed with gzip.

CyberChef

A web-based tool for encoding, decoding, and data manipulation.

zcat

Used for extracting files compressed with gzip.

tar -xf

Command for extracting tar archives.

SSH -i option

Specifies the identity file (private key) for SSH authentication.

xxd -r

Reverses the hex conversion done by xxd.

netcat

Connects to a specified port on a remote server.

openssl s_client

Connects to a port using SSL encryption.

nmap

Scans network ports to find open services.

diff command

Shows the differences between two files.

cat command

Combines the content of multiple files into one stream.

sort command

Sorts the lines of the file alphabetically.

uniq command

Filters out adjacent, identical lines in a sorted input.

SSH's -t option

Allocates a pseudo-terminal in SSH.

SetUID

Grants the privileges of the file owner to whoever executes the file.

Background Process

Allows commands to run concurrently without blocking the shell.

& (ampersand)

Sends a process to the background.

jobs command

Lists background processes.

fg command

Brings a background process to the foreground.

Study Notes

SSH Basics

  • SSH requires a username, host, and sometimes a port number if it's not the default 22.
  • The basic SSH structure is: ssh user@host. For a specific port: ssh -p port user@host.
  • The Bandit CTF series focuses on learning Linux and security concepts through SSH.
  • When you SSH into a server, your shell changes to that of the user on the server. Exiting returns you to your original shell.
  • Staying connected to an SSH server for too long might trigger an automatic disconnection script, which is reported as a broken pipe.

SSH Fingerprints

  • SSH clients store server fingerprints in the known_hosts file.
  • Deleting entries in known_hosts will prompt SSH to ask you to confirm and save the fingerprint of the server you're connecting to the next time you connect.
  • Use yes to save a new fingerprint, which is then stored in the known_hosts file.

Basic Linux Commands

  • ls command lists files and directories in the current directory.
  • file <filename> command determines the type of a file.
  • cat <filename> command concatenates and displays the content of a file on the terminal.
  • There are other tools to display text files, such as head, tail, more, and less.
  • clear command clears the terminal screen.
  • cd command moves between folders.

Text Editors

  • nano command opens a lightweight terminal text editor.
  • pluma <filename> command opens the file in the Pluma text editor.
  • vi command opens a more advanced text editor (:q to quit).

Secure Copy (SCP)

  • SCP is used to securely copy files between systems.
  • SCP command structure: scp options source destination.
  • The -P option specifies the port number for the SSH connection.
  • Example: scp -P 2220 user@host:~/readme /local/directory downloads readme from the user's home directory on the host to /local/directory.

Working with Special File Names

  • File names with spaces need to be enclosed in single or double quotes, or escaped using backslashes.
  • Example: cat "file with spaces" or cat file\ with\ spaces
  • Tab autocompletion can automatically insert backslashes for spaces in file names.

Relative and Absolute Paths

  • A relative path is relative to the current directory.
  • An absolute path starts from the root directory (/).
  • pwd command displays the present working directory (absolute path).
  • . represents the current directory and .. represents the parent directory.
  • The home directory is represented by ~.

Hidden Files

  • Files and directories starting with a . are hidden.
  • ls -a lists all files, including hidden ones.
  • ls -l provides a long listing format.
  • The first character in ls -l output indicates the file type (- for regular file, d for directory).

Wildcards

  • Wildcards are characters that can be used to match patterns in file names.
  • ? matches any single character.
  • * matches zero or more characters.
  • Wildcards can be used with commands like cat and file.

The find Command

  • find command searches for files in a directory hierarchy.
  • Basic structure: find directory options.
  • -executable option finds executable files; ! negates the option.
  • -size <n>c option finds files of size n bytes (characters).
  • Example: find . -size 33c
  • You can specify a particular file and search just for that, for example find . -name "readme.txt"

File Permissions and Ownership

  • Each file and directory has permissions for the owner, group, and others.
  • Permissions control who can read, write, or execute the file.

Redirection

  • Redirection allows you to control where the output of a command goes.
  • Standard output (STDOUT) refers to the normal output of a command.
  • Standard error (STDERR) refers to its error messages. Streams can be redirected by number, where "1" is the previous one (STDOUT) and "2" is STDERR.
  • You can use the symbol > followed by a location where the output will go.
  • You can redirect error messages to /dev/null to suppress them: 2> /dev/null.

Pipes

  • A pipe (|) connects the output of one command to the input of another.

The grep Command

  • grep command searches for lines matching a pattern in a file or input.
  • -v option inverts the match (shows lines that do not match the pattern).

Unicode and Character Encoding

  • Unicode is a character encoding standard that can represent characters from various languages.
  • ASCII is a character encoding standard using 8 bits per character (one byte).

The strings Command

  • strings command extracts human-readable strings from binary files.

Base64 Encoding

  • Base64 is a method of encoding binary data into an ASCII string format.
  • base64 command encodes and decodes Base64 data.
  • -d option decodes Base64 data.

ROT13 Cipher

  • ROT13 is a simple substitution cipher that rotates letters by 13 positions.
  • The tr command can be used to implement ROT13.

Command to use ROT13

  • The tr command substitutes each character in the first set with the character at the same position in the second set.
  • Example: tr "A-M" "N-Z" will replace A with N, B with O, etc.
  • Command example: tr 'A-Za-z' 'N-ZA-Mn-za-m'

Hex Dumps and Binary Files

  • A hex dump is a hexadecimal representation of a file's contents.
  • xxd command creates and reverses hex dumps.
  • -r option reverses a hex dump back into binary.
  • Gzip is a compression algorithm.

Compression and Decompression

  • Gzip and gunzip are common compression tools on Linux.
  • You need to rename the file (mv data data.gz) so that it is a .gz file before you can run gunzip data.gz.

CyberChef

  • CyberChef is a web-based tool for various encoding, decoding, and data manipulation tasks.

File Compression and Extraction Techniques

  • The initial file, Data 2.bin, was converted to Data and then compressed.
  • The objective is to extract the data from this repeatedly compressed file.
  • Tools for compression/extraction include gzip, bzip2, and tar.
  • gunzip is used for extracting files compressed with gzip.
  • zcat displays the contents of a gzipped text file without extracting it.
  • bzcat functions similarly to zcat but for bzip2 compressed files.

Initial Extraction Steps Using Zcat

  • The first attempt involves using zcat data to output the content.
  • The output is piped to the file command to determine the file type.
  • The file command shows the file is bzip compressed after the initial zcat.
  • bzcat data is then used, with the output piped to the file command again to determine the new file type.
  • The file command shows it is gzip compressed.
  • zcat data is piped to zcat.
  • The file command shows it is a POSIX tar archive.
  • The tar command is then used to extract the data: tar -xO (x, capital O).

Further File Type Identification and Extraction

  • The tar command is used repeatedly to extract data (tar -x with a capital-letter option).
  • The loop continues, using zcat and bzcat as needed based on the identified file type, with the output piped to the file command.
  • The process identifies bz2 compressed data from the tar file.
  • bzcat is used to extract data from the bz2 compressed data.
  • After extraction, the process identifies a text file containing the password.

Alternative Extraction Methods

  • An alternative approach involves using gunzip to decompress the file.
  • gunzip requires the file to have a .gz extension.
  • Changing the file name to include the .gz extension allows gunzip to work.
  • A loop of file identification and decompression with the gzip and bzip tools is used.
  • Additional file extraction is performed using the tar command (tar -xf). Files are repeatedly extracted using the tar command.
  • The loop continues using the bunzip2 data 6 command.
  • The loop continues using the gunzip data 8 command, which requires a file name change for the command to be effective.

File Overwriting and Password Retrieval

  • A file named "Data" will be overwritten.
  • The overwritten file is an ASCII text file.
  • Viewing the contents of the "data" file will reveal a password.
  • gzip -d is used for gunzipping (decompression).
  • bzip2 is used for decompressing BZip2 archives.
  • tar -xf is the command for extracting tar archives.

Bandit 13 to Bandit 14

  • The password for Bandit 14 is stored in /etc/bandit_pass/bandit14.
  • Only Bandit 14 can read the password file.
  • The level provides a private SSH key instead of the next password.
  • localhost refers to the machine being worked on.
  • The SSH private key has unusual permissions; it should ideally have read permissions only for the user.
  • The SSH private key is used to log into Bandit 14.
  • The command ssh bandit14@localhost -i <SSH_PRIVATE_KEY> shows how to use the private key file.
  • The -i option in SSH specifies the identity file (private key).
  • The password for Bandit 14 is located in the file /etc/bandit_pass/bandit14.
  • The speaker downloads the SSH private key using SCP.
  • The port number is required when using SCP from outside the server.
  • Backslash is used to escape spaces in file names.
  • Incorrect file permissions for the SSH private key can cause login issues.
  • chmod 400 <SSH_PRIVATE_KEY> changes the permissions to read-only for the user.

Bandit 12 and Password Retrieval

  • A text file of hex text needs to be converted using xxd -r.
  • xxd -r is the reverse operation for converting hex text.
  • Piping xxd -r output to zcat and other commands retrieves the ASCII text file.
  • Removing the ASCII text file reveals the password.

Bandit 14 and Port Submission

  • The password for the next level is retrieved by submitting the current level's password to port 30000 on localhost.
  • Standard SSH may not work, and the user must pass -p 2220 to specify a port for SSH to work.
  • The syntax for connecting to a listening server is netcat <IP_ADDRESS> <PORT_NUMBER>.
  • netcat -l -p <PORT_NUMBER> listens for incoming connections on a specified port.
  • ncat is another tool to use.
  • socat is briefly mentioned.
  • telnet can also be used to connect to localhost and transfer this password between servers and clients.
  • curl can be used to connect to the host as well, where the exact protocol can also be specified.

Bandit 15 and SSL Encryption

  • The password for the next level is retrieved by submitting the current level's password to port 30001 on localhost using SSL encryption.
  • OpenSSL provides the commands for SSL encryption of data streams.
  • The command openssl s_client -connect localhost:30001 connects to the port using SSL.
  • The password for the current level needs to be sent to the connection.
  • The ncat tool has an SSL option.
  • The -c option in ncat shows the end-of-line sequence.

Bandit 16 and Port Scanning

  • The credentials for the next level are retrieved by submitting the password for the current level to a port on localhost between 31000 and 32000.
  • The task involves finding out which of the ports in the range has a server listening, and which speaks SSL.
  • nmap is the best tool designed for scanning IP addresses and ports.
  • Various options and target specifications can be used with nmap.
  • nmap localhost -p 31000-32000 scans the specified port range on localhost.
  • A private key can be obtained as a credential for the next level instead of the password.
  • chmod 400 <SSH_PRIVATE_KEY> is used to set the permissions for the SSH private key.
  • ssh -i <SSH_PRIVATE_KEY> will use the private key.

Bandit 17: File Comparison and Password Retrieval

  • There are two files in the home directory: password.old and password.new.
  • The password for the next level is stored in password.new.
  • The password is the only line that has been changed between the two files.
  • The diff command is used to find the differing line between the files.
  • The command diff password.old password.new shows the differences.

Combining and Sorting Files

  • The goal is to combine two files, sort their contents, and identify unique lines.
  • Due to permission restrictions in the current directory, operations are performed in the /tmp directory.
  • The mktemp command creates a temporary file.
  • cat password.old and cat password.new concatenate the contents of the two files.
  • The output of the combined files is redirected into the temporary file.
  • The content of the temporary file may be sorted or unsorted.
  • The sort command sorts the contents of the temporary file.
  • The uniq command filters the sorted content, leaving only unique lines.

Bypassing .bashrc Restrictions

  • The challenge is to access a file (readme) in the home directory despite a modified .bashrc file that causes immediate logout.
  • The modified .bashrc executes echo byebye and exit 0, causing the logout.
  • The shortest path to the solution is directly reading the readme file using cat readme.
  • Another option is to use a different shell with ssh -t [email protected] -p 2220 sh.
  • Using -t option allocates a pseudo-terminal, allowing execution of commands within the SSH session.
  • Tab auto-completion and arrow keys may not work in alternative shells.
  • The -T option disables pseudo-terminal allocation with ssh -T [email protected] -p 2220.
  • Disabling the pseudo-terminal still allows executing commands like ls and cat readme.

Exploiting SetUID Permissions

  • The "set id" (SetUID) bit on an executable grants privileges of the file owner to whoever executes the file.
  • Executing the bandit20 binary without arguments reveals its usage.
  • The id command shows the current user ID.
  • The euid shows the effective user ID, reflecting the SetUID effect.
  • Using the bandit20 binary to execute cat /etc/bandit_pass/bandit20 leverages SetUID to read the password.

Network Connection and Password Exchange

  • A SetUID binary in the home directory connects to localhost on a specified port, reads a line, and compares it to a password.
  • If the password matches, the next level's password is sent back.
  • Netcat (nc) can be used to listen on a port to receive the output from the SetUID binary.
  • Running ./bandit20 9090 executes the bandit20 binary, connecting to port 9090 on localhost.
  • The listener needs to receive a line containing the current level's password.
  • Once the correct password is sent by the listener, the Bandit21 password is transmitted and printed to the listener.

Background Processes

  • Foreground processes occupy the shell, preventing further commands until they complete.
  • Background processes allow commands to run concurrently without blocking the shell.
  • Adding & to the end of a command sends it to the background, for example nc -lvp 9090 &.
  • jobs command lists background processes.
  • fg command brings a background process to the foreground.
  • Ctrl+Z pauses a foreground process, and bg resumes it in the background.
  • The netcat listener is started in the background, and the bandit20 program is also started in the background.
  • fg 1 puts netcat in the foreground.
  • Copy the password to a notepad, then send netcat to the background using Ctrl+Z and bg.
  • Then fg 2 brings bandit20 to the foreground.
  • The bandit21 password is then shown as a result of the bandit20 program reading netcat's output.
  • The netcat and bandit20 processes are closed automatically.

Cron Jobs

  • Cron is a job scheduler.
  • Cron schedulers use the crond directory to define the execution.
  • The crontab command with no parameters will execute this file.
  • Cron job configuration file specifies when and how programs are executed automatically.
  • /etc/cron.d directory typically contains system-wide cron job definitions.
  • The bandit22 file in cron.d is being used.
  • Cron job syntax fields: minute, hour, day of month, month, day of week, and command.
  • Example format: “At 05:00 on Monday”.
  • tar can create a file called home.tz; it takes the file from the home directory and saves it in the backups directory of the var directory.
  • If you open the file inside the cron.d directory, you can see the command to gain bandit22 privileges and log in.

Quiz Team

Description

Explore SSH basics, including connection structure, the Bandit CTF series, and managing disconnections. Learn about SSH fingerprints and the known_hosts file. Also, review fundamental Linux commands such as 'ls' and 'file'.
