OverTheWire(Bandit) Write-Ups
Introduction
The Bandit wargame is aimed at absolute beginners. It will teach the basics needed to be able to play other wargames. If you notice something essential is missing or have ideas for new levels, please let us know!
The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username and password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.
Bandit Level 0 → Level 1:
The password for the next level is stored in a file called readme located in the home directory. Connect to host bandit.labs.overthewire.org on prot 2220 using username and password bandit0
$ ssh bandit0@bandit.labs.overthewire.org -p 2220
bandit0@bandit:~$ ls -la
total 24
drwxr-xr-x 2 root root 4096 Sep 1 06:30 .
drwxr-xr-x 49 root root 4096 Sep 1 06:30 ..
-rw-r--r-- 1 root root 220 Jan 6 2022 .bash_logout
-rw-r--r-- 1 root root 3771 Jan 6 2022 .bashrc
-rw-r--r-- 1 root root 807 Jan 6 2022 .profile
-rw-r----- 1 bandit1 bandit0 33 Sep 1 06:30 readme
bandit0@bandit:~$ cat readme
NH2SXQwcBdpmTEzi3bvBHMM9H66vVXjL
Bandit Level 1 → Level 2:
The password for the next level is stored in a file called- located in the home directory
$ ssh bandit1@bandit.labs.overthewire.org -p 2220
bandit1@bandit:~$ ls -la
total 24
-rw-r----- 1 bandit2 bandit1 33 Sep 1 06:30 -
drwxr-xr-x 2 root root 4096 Sep 1 06:30 .
drwxr-xr-x 49 root root 4096 Sep 1 06:30 ..
-rw-r--r-- 1 root root 220 Jan 6 2022 .bash_logout
-rw-r--r-- 1 root root 3771 Jan 6 2022 .bashrc
-rw-r--r-- 1 root root 807 Jan 6 2022 .profile
bandit1@bandit:~$ cat ./-
rRGizSaX8Mk1RTb1CNQoXTcYZWU6lgzi
Bandit Level 2 → Level 3:
The password for the next level is stored in a file called spaces in this filenamelocated in the home directory
$ ssh bandit2@bandit.labs.overthewire.org -p 2220
bandit2@bandit:~$ ls -la
total 24
drwxr-xr-x 2 root root 4096 Sep 1 06:30 .
drwxr-xr-x 49 root root 4096 Sep 1 06:30 ..
-rw-r--r-- 1 root root 220 Jan 6 2022 .bash_logout
-rw-r--r-- 1 root root 3771 Jan 6 2022 .bashrc
-rw-r--r-- 1 root root 807 Jan 6 2022 .profile
-rw-r----- 1 bandit3 bandit2 33 Sep 1 06:30 spaces in this filename
bandit2@bandit:~$ cat spaces\ in\ this\ filename
aBZ0W5EmUfAf7kHTQeOwd8bauFJ2lAiG
Bandit Level 3 → Level 4:
The password for the next level is stored in a hidden file in the inhere directory.
$ ssh bandit3@bandit.labs.overthewire.org -p 2220
bandit3@bandit:~$ ls -la
total 24
drwxr-xr-x 3 root root 4096 Sep 1 06:30 .
drwxr-xr-x 49 root root 4096 Sep 1 06:30 ..
-rw-r--r-- 1 root root 220 Jan 6 2022 .bash_logout
-rw-r--r-- 1 root root 3771 Jan 6 2022 .bashrc
drwxr-xr-x 2 root root 4096 Sep 1 06:30 inhere
-rw-r--r-- 1 root root 807 Jan 6 2022 .profile
bandit3@bandit:~$ cd inhere/
bandit3@bandit:~/inhere$ ls -la
total 12
drwxr-xr-x 2 root root 4096 Sep 1 06:30 .
drwxr-xr-x 3 root root 4096 Sep 1 06:30 ..
-rw-r----- 1 bandit4 bandit3 33 Sep 1 06:30 .hidden
bandit3@bandit:~/inhere$ cat .hidden
2EW7BBsr6aMMoJ2HjW067dm8EgX26xNe
Bandit Level 4 → Level 5:
The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.
$ ssh bandit4@bandit.labs.overthewire.org -p 2220
bandit4@bandit:~$ ls -la
total 24
drwxr-xr-x 3 root root 4096 Sep 1 06:30 .
drwxr-xr-x 49 root root 4096 Sep 1 06:30 ..
-rw-r--r-- 1 root root 220 Jan 6 2022 .bash_logout
-rw-r--r-- 1 root root 3771 Jan 6 2022 .bashrc
drwxr-xr-x 2 root root 4096 Sep 1 06:30 inhere
-rw-r--r-- 1 root root 807 Jan 6 2022 .profile
bandit4@bandit:~$ cd inhere/
bandit4@bandit:~/inhere$ ls -la
total 48
drwxr-xr-x 2 root root 4096 Sep 1 06:30 .
drwxr-xr-x 3 root root 4096 Sep 1 06:30 ..
-rw-r----- 1 bandit5 bandit4 33 Sep 1 06:30 -file00
-rw-r----- 1 bandit5 bandit4 33 Sep 1 06:30 -file01
-rw-r----- 1 bandit5 bandit4 33 Sep 1 06:30 -file02
-rw-r----- 1 bandit5 bandit4 33 Sep 1 06:30 -file03
-rw-r----- 1 bandit5 bandit4 33 Sep 1 06:30 -file04
-rw-r----- 1 bandit5 bandit4 33 Sep 1 06:30 -file05
-rw-r----- 1 bandit5 bandit4 33 Sep 1 06:30 -file06
-rw-r----- 1 bandit5 bandit4 33 Sep 1 06:30 -file07
-rw-r----- 1 bandit5 bandit4 33 Sep 1 06:30 -file08
-rw-r----- 1 bandit5 bandit4 33 Sep 1 06:30 -file09
bandit4@bandit:~/inhere$ file ./-file0*
./-file00: OpenPGP Public Key
./-file01: data
./-file02: data
./-file03: data
./-file04: data
./-file05: data
./-file06: data
./-file07: ASCII text
./-file08: data
./-file09: data
bandit4@bandit:~/inhere$ cat ./-file07
lrIWWI6bB37kxfiCQZqUdOIYfr6eEeqR
Explanation: Here, we use the
filecommand with a wildcard on the filename to find the file containing only ASCII text.
Bandit Level 5 → Level 6 :
The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:
- human-readable
- 1033 bytes in size
- not executable
$ssh bandit5@bandit.labs.overthewire.org -p 2220
bandit5@bandit:~$ ls -la
total 24
drwxr-xr-x 3 root root 4096 Sep 1 06:30 .
drwxr-xr-x 49 root root 4096 Sep 1 06:30 ..
-rw-r--r-- 1 root root 220 Jan 6 2022 .bash_logout
-rw-r--r-- 1 root root 3771 Jan 6 2022 .bashrc
drwxr-x--- 22 root bandit5 4096 Sep 1 06:30 inhere
-rw-r--r-- 1 root root 807 Jan 6 2022 .profile
bandit5@bandit:~$ cd inhere/
bandit5@bandit:~/inhere$ ls -la
total 88
drwxr-x--- 22 root bandit5 4096 Sep 1 06:30 .
drwxr-xr-x 3 root root 4096 Sep 1 06:30 ..
drwxr-x--- 2 root bandit5 4096 Sep 1 06:30 maybehere00
drwxr-x--- 2 root bandit5 4096 Sep 1 06:30 maybehere01
drwxr-x--- 2 root bandit5 4096 Sep 1 06:30 maybehere02
drwxr-x--- 2 root bandit5 4096 Sep 1 06:30 maybehere03
drwxr-x--- 2 root bandit5 4096 Sep 1 06:30 maybehere04
drwxr-x--- 2 root bandit5 4096 Sep 1 06:30 maybehere05
drwxr-x--- 2 root bandit5 4096 Sep 1 06:30 maybehere06
drwxr-x--- 2 root bandit5 4096 Sep 1 06:30 maybehere07
drwxr-x--- 2 root bandit5 4096 Sep 1 06:30 maybehere08
drwxr-x--- 2 root bandit5 4096 Sep 1 06:30 maybehere09
drwxr-x--- 2 root bandit5 4096 Sep 1 06:30 maybehere10
drwxr-x--- 2 root bandit5 4096 Sep 1 06:30 maybehere11
drwxr-x--- 2 root bandit5 4096 Sep 1 06:30 maybehere12
drwxr-x--- 2 root bandit5 4096 Sep 1 06:30 maybehere13
drwxr-x--- 2 root bandit5 4096 Sep 1 06:30 maybehere14
drwxr-x--- 2 root bandit5 4096 Sep 1 06:30 maybehere15
drwxr-x--- 2 root bandit5 4096 Sep 1 06:30 maybehere16
drwxr-x--- 2 root bandit5 4096 Sep 1 06:30 maybehere17
drwxr-x--- 2 root bandit5 4096 Sep 1 06:30 maybehere18
drwxr-x--- 2 root bandit5 4096 Sep 1 06:30 maybehere19
bandit5@bandit:~/inhere$ find -type f -readable ! -executable -size 1033c
./maybehere07/.file2
bandit5@bandit:~/inhere$ cat ./maybehere07/.file2
P4L4vucdmLnm8I7Vl7jG1ApGSfjYKqJU
Explanation: Here, we use the
findcommand with some parameter like -type f-readable ! -executable -size 1033cuse help or man for more options
Bandit Leve 6 → Level 7 :
The password for the next level is stored somewhere on the server and has all of the following properties:
- owned by user bandit7
- owned by group bandit6
- 33 bytes in size
$ ssh bandit6 @bandit.labs.overthewire.org -p 2220
bandit6@bandit:/$ find / -type f -size 33c -user bandit7 -group bandit6 2>&1 | grep "Per" -v
/var/lib/dpkg/info/bandit7.password
find: ‘/proc/2546283/task/2546283/fdinfo/6’: No such file or directory
find: ‘/proc/2546283/fdinfo/5’: No such file or directory
bandit6@bandit:/$ find / -type f -size 33c -user bandit7 -group bandit6 2>&1 | grep -v "Permission"
/var/lib/dpkg/info/bandit7.password
find: ‘/proc/2547097/task/2547097/fdinfo/6’: No such file or directory
find: ‘/proc/2547097/fdinfo/5’: No such file or directory
bandit6@bandit:/$ cat /var/lib/dpkg/info/bandit7.password
z7WtoNQU2XfjmMtWA8u5rN4vzqu4v99S
Explanation: Here, we use the
findcommand with some parameter liketype, size, group, user
Note:
2>&1This uses the >& redirect instruction. This instruction allows you to tell the shell to make one stream got to the same destination as another stream. In this case, we’re saying “redirect stream 2, stderr, to the same destination that stream 1, stdout, is being redirected to.”
Click Here for explain redirection
Bandit Leve 7 → Level 8 :
The password for the next level is stored in the file data.txt next to the word millionth
$ ssh bandit7@bandit.labs.overthewire.org -p 2220
bandit7@bandit:~$ ls -la
total 4108
drwxr-xr-x 2 root root 4096 Sep 1 06:30 .
drwxr-xr-x 49 root root 4096 Sep 1 06:30 ..
-rw-r--r-- 1 root root 220 Jan 6 2022 .bash_logout
-rw-r--r-- 1 root root 3771 Jan 6 2022 .bashrc
-rw-r----- 1 bandit8 bandit7 4184396 Sep 1 06:30 data.txt
-rw-r--r-- 1 root root 807 Jan 6 2022 .profile
bandit7@bandit:~$ cat data.txt | grep "millionth"
millionth TESKZC0XvTetK0S9xNwm25STk5iWrBvP
bandit7@bandit:~$
Explanation: Here, we use the grep command for select millionth
Bandit Leve 8 → Level 9 :
The password for the next level is stored in the file data.txt and is the only line of text that occurs only once
$ ssh bandit8@bandit.labs.overthewire.org -p 2220
bandit8@bandit:~$ ls -la
total 56
drwxr-xr-x 2 root root 4096 Sep 1 06:30 .
drwxr-xr-x 49 root root 4096 Sep 1 06:30 ..
-rw-r--r-- 1 root root 220 Jan 6 2022 .bash_logout
-rw-r--r-- 1 root root 3771 Jan 6 2022 .bashrc
-rw-r----- 1 bandit9 bandit8 33033 Sep 1 06:30 data.txt
-rw-r--r-- 1 root root 807 Jan 6 2022 .profile
bandit8@bandit:~$ sort data.txt |uniq -c| grep "1 "
1 EN632PlfYiZbn3PhVK3XOGSlNInNE00t
bandit8@bandit:~$
Explanation: Here, we use the sort for order lines, uniq -c for count them and grep for get line repeted only one
Bandit Leve 9 → Level 10 :
The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.
$ ssh bandit9@bandit.labs.overthewire.org -p 2220
bandit9@bandit:~$ ls -la
total 40
drwxr-xr-x 2 root root 4096 Sep 1 06:30 .
drwxr-xr-x 49 root root 4096 Sep 1 06:30 ..
-rw-r--r-- 1 root root 220 Jan 6 2022 .bash_logout
-rw-r--r-- 1 root root 3771 Jan 6 2022 .bashrc
-rw-r----- 1 bandit10 bandit9 19379 Sep 1 06:30 data.txt
-rw-r--r-- 1 root root 807 Jan 6 2022 .profile
bandit9@bandit:~$ strings data.txt | grep -o "==.*"
========== the
========== password
========== is
==P
========== G7w8LIi6J3kTb8A7j9LgrywtEUlyyp6s
bandit9@bandit:~$
Explanation: Here, we use the strings and grep
Bandit Leve 10 → Level 11 :
The password for the next level is stored in the file data.txt, which contains base64 encoded data
$ ssh bandit10@bandit.labs.overthewire.org -p 2220
bandit10@bandit:~$ ls -la
total 24
drwxr-xr-x 2 root root 4096 Sep 1 06:30 .
drwxr-xr-x 49 root root 4096 Sep 1 06:30 ..
-rw-r--r-- 1 root root 220 Jan 6 2022 .bash_logout
-rw-r--r-- 1 root root 3771 Jan 6 2022 .bashrc
-rw-r----- 1 bandit11 bandit10 69 Sep 1 06:30 data.txt
-rw-r--r-- 1 root root 807 Jan 6 2022 .profile
bandit10@bandit:~$ cat data.txt
VGhlIHBhc3N3b3JkIGlzIDZ6UGV6aUxkUjJSS05kTllGTmI2blZDS3pwaGxYSEJNCg==
bandit10@bandit:~$ echo VGhlIHBhc3N3b3JkIGlzIDZ6UGV6aUxkUjJSS05kTllGTmI2blZDS3pwaGxYSEJNCg== | base64 -d
The password is 6zPeziLdR2RKNdNYFNb6nVCKzphlXHBM
bandit10@bandit:~$
Explanation: Here, we use the base64 _ with parameter -d for decryption
Bandit Leve 11 → Level 12 :
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions
$ ssh bandit11@bandit.labs.overthewire.org -p 2220
bandit11@bandit:~$ ls -lah
total 24K
drwxr-xr-x 2 root root 4.0K Sep 1 06:30 .
drwxr-xr-x 49 root root 4.0K Sep 1 06:30 ..
-rw-r--r-- 1 root root 220 Jan 6 2022 .bash_logout
-rw-r--r-- 1 root root 3.7K Jan 6 2022 .bashrc
-rw-r----- 1 bandit12 bandit11 49 Sep 1 06:30 data.txt
-rw-r--r-- 1 root root 807 Jan 6 2022 .profile
bandit11@bandit:~$ cat data.txt
Gur cnffjbeq vf WIAOOSFzMjXXBC0KoSKBbJ8puQm5lIEi
bandit11@bandit:~$ cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'
The password is JVNBBFSmZwKKOP0XbFXOoW8chDz5yVRv
bandit11@bandit:~$
__Explanation:__ Here, we use the
trcommand for translate$ # Map upper case A-Z to N-ZA-M and lower case a-z to n-za-m $ tr 'A-Za-z' 'N-ZA-Mn-za-m' <<< "The Quick Brown Fox Jumps Over The Lazy Dog"For more info about ROT13 and tr command Click Here
Bandit Leve 12 → Level 13 :
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under/tmp in which you can work using mkdir. For example: mkdir /tmp/myname123 Then copy the datafile using cp, and rename it using mv (read the manpages!)
$ ssh bandit12@bandit.labs.overthewire.org -p 2220
bandit12@bandit:~$ ls -lah
total 24K
drwxr-xr-x 2 root root 4.0K Sep 1 06:30 .
drwxr-xr-x 49 root root 4.0K Sep 1 06:30 ..
-rw-r--r-- 1 root root 220 Jan 6 2022 .bash_logout
-rw-r--r-- 1 root root 3.7K Jan 6 2022 .bashrc
-rw-r----- 1 bandit13 bandit12 2.6K Sep 1 06:30 data.txt
-rw-r--r-- 1 root root 807 Jan 6 2022 .profile
bandit12@bandit:~$ cat data.txt
00000000: 1f8b 0808 7151 1063 0203 6461 7461 322e ....qQ.c..data2.
00000010: 6269 6e00 013f 02c0 fd42 5a68 3931 4159 bin..?...BZh91AY
00000020: 2653 595d ed11 a800 001b ffff d8ff fde7 &SY]............
00000030: dff7 ffff ffcf efcf bef7 7e7f dd39 3f7f ..........~..9?.
00000040: fafb ffbf cfbf 3eff a9fb bf7f b001 3b1b ......>.......;.
00000050: 6d20 0f50 0034 0680 0000 34c2 01ea 0d34 m .P.4....4....4
00000060: 0000 1900 1a32 1a68 0d00 0000 0034 0000 .....2.h.....4..
00000070: 000d 0069 91ea 0c6d 5100 0068 00c8 000d ...i...mQ..h....
00000080: 0323 4340 3d40 0d0d 1a68 01a3 4c83 401a .#C@=@...h..L.@.
00000090: 687a 4034 0340 1a00 3468 0188 c868 34d0 hz@4.@..4h...h4.
000000a0: 00c8 d01a 6874 d323 40d3 d206 81a1 a680 ....ht.#@.......
000000b0: d0c8 0190 d034 0340 0d00 c800 01a6 991a .....4.@........
000000c0: 0019 3400 d000 0006 800c 4d1a 0189 a001 ..4.......M.....
000000d0: fc18 2890 6086 162a 8035 6a6b 3d5c 1382 ..(.`..*.5jk=\..
000000e0: 0a38 e6dd 214b 6fa4 3984 0192 256e e084 .8..!Ko.9...%n..
000000f0: ed6b ad67 3318 b07a 005d 0e21 dbd1 fb84 .k.g3..z.].!....
00000100: 770f 055f 0044 3086 8230 d579 2881 afe7 w.._.D0..0.y(...
00000110: 531e 3071 f859 eeae 01aa 1040 75cd 3c5b S.0q.Y.....@u.<[
00000120: f24a 16b8 34e7 43db 9e73 56a1 3d3d fd90 .J..4.C..sV.==..
00000130: 6bc3 47a5 4c73 af13 a324 5731 b90e 2063 k.G.Ls...$W1.. c
00000140: 45ef fe11 842e 03f9 b063 8f4c fb41 0a32 E........c.L.A.2
00000150: 8fdb 7cea 82a0 ee91 4e05 c610 088e a2da ..|.....N.......
00000160: 7536 2c72 1701 c248 7ab7 1fef 30f8 142c u6,r...Hz...0..,
00000170: 0359 539c 5a21 4e94 6a33 9d18 6120 42a0 .YS.Z!N.j3..a B.
00000180: 6471 a01e 42a4 da3b 6eaa 5e7e edc3 f973 dq..B..;n.^~...s
00000190: 2ec7 5009 a7e8 101e a3ac b344 f2bb d9e6 ..P........D....
000001a0: 7bd7 c5fb 18b6 92ac 9fe8 aef4 673c da0c {...........g<..
000001b0: 0cdb 0440 4869 1bd0 7d84 e1e5 85c2 1a60 ...@Hi..}......`
000001c0: 701c c9ac 50ca adf7 bba9 226f f175 1ec2 p...P....."o.u..
000001d0: 90de 557e ed09 5c3b 1886 84dc f110 24e7 ..U~..\;......$.
000001e0: 871b 6148 f224 fb71 c3d1 1096 4a48 48a2 ..aH.$.q....JHH.
000001f0: 99ea 647b 4f3b ac19 3be6 1cb9 24c3 ce48 ..d{O;..;...$..H
00000200: 829b 0182 07ef fbee dff1 40da 6f5a c7fb ..........@.oZ..
00000210: 5412 78a9 43dd 2198 d456 3c1f e161 2b1f T.x.C.!..V<..a+.
00000220: 6e82 f066 70e2 67b8 ec48 d418 3e6a 0ee7 n..fp.g..H..>j..
00000230: 868a 1dcc e7b0 11ee 8b2a 8c53 0009 37f9 .........*.S..7.
00000240: 1017 0d29 485a ec30 cb90 45b8 93ff 1772 ...)HZ.0..E....r
00000250: 4538 5090 5ded 11a8 e965 cb22 3f02 0000 E8P.]....e."?...
bandit12@bandit:~$
bandit12@bandit:~$ mkdir /tmp/5afagy
bandit12@bandit:~$ cp data.txt /tmp/5afagy
bandit12@bandit:~$ cd /tmp/5afagy
bandit12@bandit:/tmp/5afagy$ xxd data.txt data.out
bandit12@bandit:/tmp/5afagy$ file data.out
data.out: gzip compressed data, was "data2.out", last modified: Thu Sep 1 06:30:09 2022, max compression, from Unix, original size modulo 2^32 575
bandit12@bandit:/tmp/5afagy$ mv data.bin data.gz
bandit12@bandit:/tmp/5afagy$ gzip -d data.gz
bandit12@bandit:/tmp/5afagy$ file data
data: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/5afagy$ bzip2 -d data
bzip2: Can\'t guess original name for data -- using data.out
bandit12@bandit:/tmp/5afagy$ file data.out
data.out: gzip compressed data, was "data4.bin", last modified: Thu Sep 1 06:30:09 2022, max compression, from Unix, original size modulo 2^32 20480
bandit12@bandit:/tmp/5afagy$ mv data.out data.gz
bandit12@bandit:/tmp/5afagy$ gzip -d data.gz
bandit12@bandit:/tmp/5afagy$ file data
data: POSIX tar archive (GNU)
bandit12@bandit:/tmp/5afagy$ tar -xf data
bandit12@bandit:/tmp/5afagy$ ls
data data5.bin data.bin data.txt
bandit12@bandit:/tmp/5afagy$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@bandit:/tmp/5afagy$ tar -xf data5.bin
bandit12@bandit:/tmp/5afagy$ ls
data data5.bin data6.bin data.bin data.txt
bandit12@bandit:/tmp/5afagy$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/5afagy$ bzip2 -d data6.bin
bzip2: Can\'t guess original name for data6.bin -- using data6.bin.out
bandit12@bandit:/tmp/5afagy$ file data6.bin.out
data6.bin.out: POSIX tar archive (GNU)
bandit12@bandit:/tmp/5afagy$ tar -xf data6.bin.out
bandit12@bandit:/tmp/5afagy$ ls
data data5.bin data6.bin.out data8.bin data.bin data.txt
bandit12@bandit:/tmp/5afagy$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", last modified: Thu Sep 1 06:30:09 2022, max compression, from Unix, original size modulo 2^32 49
bandit12@bandit:/tmp/5afagy$ mv data8.bin data8.gz
bandit12@bandit:/tmp/5afagy$ gzip -d data8.gz
bandit12@bandit:/tmp/5afagy$ ls
data data5.bin data6.bin.out data8 data.bin data.txt
bandit12@bandit:/tmp/5afagy$ file data8
data8: ASCII text
bandit12@bandit:/tmp/5afagy$ cat data8
The password is wbWdlBxEir4CaE8LaPhauuOo6pwRmrDw
__Explanation:__ Here, we use xxd for convert hexdump to binary using parameter
-r
Bandit Leve 13 → Level 14 :
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on
$ ssh bandit13@bandit.labs.overthewire.org -p 2220
bandit13@bandit:~$ ls -la
total 24
drwxr-xr-x 2 root root 4096 Sep 1 06:30 .
drwxr-xr-x 49 root root 4096 Sep 1 06:30 ..
-rw-r--r-- 1 root root 220 Jan 6 2022 .bash_logout
-rw-r--r-- 1 root root 3771 Jan 6 2022 .bashrc
-rw-r--r-- 1 root root 807 Jan 6 2022 .profile
-rw-r----- 1 bandit14 bandit13 1679 Sep 1 06:30 sshkey.private
bandit13@bandit:~$ ssh bandit14@bandit.labs.overthewire.org -i sshkey.private -p 2220
bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
fGrHPx402xGC7U7rXKDaxiWFTOiF0ENq
Explanation:** Here, we use the
-iparameter for using private key to login to the next level
Bandit Leve 14 → Level 15 :
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
$ ssh bandit14@bandit.labs.overthewire.org -p 2220
bandit14@bandit:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
link/ether 06:1f:4d:a3:fc:4e brd ff:ff:ff:ff:ff:ff
inet 10.0.1.148/24 metric 100 brd 10.0.1.255 scope global dynamic ens5
valid_lft 560sec preferred_lft 560sec
inet6 fe80::41f:4dff:fea3:fc4e/64 scope link
valid_lft forever preferred_lft forever
bandit14@bandit:~$ nc 10.0.1.148 30000
fGrHPx402xGC7U7rXKDaxiWFTOiF0ENq
Correct!
jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt
__Explanation:__ Here, we use
ncfor connect to localhost on port 30000 and send enter the current password.
Bandit Leve 15 → Level 16 :
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
$ ssh bandit15@bandit.labs.overthewire.org -p 2220
bandit15@bandit:~$ openssl s_client -connect localhost:30001
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = localhost
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN = localhost
verify error:num=10:certificate has expired
notAfter=Nov 29 17:56:09 2022 GMT
verify return:1
depth=0 CN = localhost
notAfter=Nov 29 17:56:09 2022 GMT
verify return:1
---
Certificate chain
0 s:CN = localhost
i:CN = localhost
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA1
v:NotBefore: Nov 29 17:55:09 2022 GMT; NotAfter: Nov 29 17:56:09 2022 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDCzCCAfOgAwIBAgIEXGNPTzANBgkqhkiG9w0BAQUFADAUMRIwEAYDVQQDDAls
b2NhbGhvc3QwHhcNMjIxMTI5MTc1NTA5WhcNMjIxMTI5MTc1NjA5WjAUMRIwEAYD
VQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7
SWmtl45Ry0yJMrHq5qTzSKDxpLvkC/MWqVkK2mAiSfkNsq3WWmr47MsrwzXhV7+5
lUVrcqRWriPxCwfKQ3N0ZTjo6ghs/mtIKBAveDLFlFM1HEZ2GwoqAeJgF1RE3UQE
qeUYzqnkhRVvabQQKIrdafCky1liLCJXHBbTzktl4ckLQ3BhiDZFSv3AjKdidWpx
3Uy/QowUi++Ouo5aiv/SV4nU4UBALcAug+TTFFSiaVZWeWlCWOOvr/B67AsSG1g7
CSMjHIWa2jxMpVg+Ue/+AE9GAasWjH9es+RhEnmgSdKrzJ9nnYW3jCqII4fljPS+
CsuTQX0vewKdr1bwK2w7AgMBAAGjZTBjMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDBL
BglghkgBhvhCAQ0EPhY8QXV0b21hdGljYWxseSBnZW5lcmF0ZWQgYnkgTmNhdC4g
U2VlIGh0dHBzOi8vbm1hcC5vcmcvbmNhdC8uMA0GCSqGSIb3DQEBBQUAA4IBAQCN
K5kwsktmWFJVey2ZZQ6Muw5Dv2dVgeGXW3KTJ1G/1gMbXGKUHjAMdKo43zh0lZPc
HFRT2tl1yF7tsK/om2L7WnXE9mR6plqoQy/ug2Otj+dFAq8kM8mejON2rVpTPr25
HLwCZeT6XqRmHpi1YEmjxfKtyh83gOYrL6TROw0Rx8S9AOTla24UAq49ai7hONc0
Xb7nm5Z+hbNvgIXByPQJWw1H+8aokwokvmYv5yETQyjyomde4LOv8t9NPI8HGi7A
7pR/rYRvotvn+2MmkEAIbWrunP2o/AQ3QHh/vzWE83Whbvh3YNLws+x81IaP9Rv2
x2oOaH13tsadVT/+ndjH
-----END CERTIFICATE-----
subject=CN = localhost
issuer=CN = localhost
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1339 bytes and written 373 bytes
Verification error: certificate has expired
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 10 (certificate has expired)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 7020989F98C51C84C84496CA6195902B35EF1705523E9664F96967B6CC1B9BBC
Session-ID-ctx:
Resumption PSK: 8F2C2C089ECEFB85D9BAF073E340A9AAC43289AD26DE097F38A12A1430CBF94733313986DFE7300F4F6DF843291BBCF5
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 41 35 35 7b 38 5a 8a a6-f1 b8 68 07 94 aa 0a 4e A55{8Z....h....N
0010 - 95 be 43 9b c0 b7 29 73-e9 e6 a0 eb 0a 3b bb 56 ..C...)s.....;.V
0020 - b1 69 71 2d ba 37 37 53-62 d8 f7 72 24 14 0b a7 .iq-.77Sb..r$...
0030 - 63 39 28 70 5c 1a a6 f1-55 4b c1 84 d7 fd 31 b6 c9(p\...UK....1.
0040 - 34 72 a9 54 a9 eb 5f 4d-92 5a d1 7c 51 7b be 3b 4r.T.._M.Z.|Q{.;
0050 - 07 8b 0a e3 e7 c1 66 01-62 f1 f8 03 3d b6 be c2 ......f.b...=...
0060 - 49 90 b8 a8 e1 45 42 36-d8 94 74 7b 22 a4 39 4b I....EB6..t{".9K
0070 - be 58 a8 5f 14 3c be 1c-5d aa 7c ae f3 c1 31 2d .X._.<..].|...1-
0080 - 5d 65 f7 ed 05 f1 eb 70-b3 56 81 ab be c5 de 6f ]e.....p.V.....o
0090 - 01 ae 46 a7 84 33 39 d7-d3 8f 23 30 b1 4b b0 75 ..F..39...#0.K.u
00a0 - f4 c8 04 be 4a 81 c9 ba-20 ee 14 1b 8f e1 87 7d ....J... ......}
00b0 - 3a 08 43 45 a4 15 cf cd-85 cf fc 09 45 73 13 f0 :.CE........Es..
00c0 - f7 e6 89 8a 60 a4 11 fb-b0 20 4f ce cf 61 7e 61 ....`.... O..a~a
Start Time: 1669990481
Timeout : 7200 (sec)
Verify return code: 10 (certificate has expired)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 01E511CE21A6DE9195814748AFBD666EC36D05B1A7458B3B18DE2237480BF6D9
Session-ID-ctx:
Resumption PSK: BDC4D07593918749E6092566131DC5845BFB5E93FAA10DD15B4C53DF03D5D7B7F2899D25734403E59D16E822E594A239
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 41 35 35 7b 38 5a 8a a6-f1 b8 68 07 94 aa 0a 4e A55{8Z....h....N
0010 - f9 98 5f 54 3d aa 8c 4b-28 5b c5 69 a5 46 f6 ff .._T=..K([.i.F..
0020 - 41 d2 fe db df de 3c ca-9a 81 f9 b0 40 b6 90 d6 A.....<.....@...
0030 - bb 90 9c a6 6c 74 f4 8e-8a 7b 5d be 41 33 4b 5b ....lt...{].A3K[
0040 - ec b5 c0 14 83 64 b0 25-fc 62 a2 97 33 e1 73 cc .....d.%.b..3.s.
0050 - cf 5f bb 47 25 f5 1d 7e-30 cb af 35 0d 2c 85 b6 ._.G%..~0..5.,..
0060 - de 27 40 8a 19 fe 8d 3f-77 f5 d7 97 6c 4f da 7b .'@....?w...lO.{
0070 - f8 4a f9 2f 18 72 90 df-c4 fd d8 a2 14 51 01 cc .J./.r.......Q..
0080 - 5d 32 61 ba 33 37 50 2b-2f 39 b4 27 1b 4a e4 32 ]2a.37P+/9.'.J.2
0090 - e6 60 bf 07 70 7d 82 a6-49 e6 ad 75 fe e3 d6 59 .`..p}..I..u...Y
00a0 - 2b 5b 7f f9 13 29 49 d1-c8 7e 04 b1 25 5a 4f fd +[...)I..~..%ZO.
00b0 - d7 28 8d f3 97 ef 67 6c-e1 35 19 51 99 e0 93 61 .(....gl.5.Q...a
00c0 - b6 6f a8 20 77 16 bc 45-8c ee e3 32 6f 80 e1 a4 .o. w..E...2o...
Start Time: 1669990481
Timeout : 7200 (sec)
Verify return code: 10 (certificate has expired)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt
Correct!
JQttfApK4SeyHwDlI9SXGR50qclOAil1
closed
bandit15@bandit:~$
Bandit Leve 16 → Level 17 :
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
$ ssh bandit16@bandit.labs.overthewire.org -p 2220
bandit16@bandit:~$ ifconfig
ens5: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 9001
inet 10.0.1.148 netmask 255.255.255.0 broadcast 10.0.1.255
inet6 fe80::41f:4dff:fea3:fc4e prefixlen 64 scopeid 0x20<link>
ether 06:1f:4d:a3:fc:4e txqueuelen 1000 (Ethernet)
RX packets 14535581 bytes 1297540005 (1.2 GB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 19119076 bytes 8451481576 (8.4 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 27391996 bytes 1927238703 (1.9 GB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 27391996 bytes 1927238703 (1.9 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
bandit16@bandit:~$ nmap 10.0.1.148 -p31000-32000 -sV
Starting Nmap 7.80 ( https://nmap.org ) at 2022-12-02 15:25 UTC
Nmap scan report for bandit (10.0.1.148)
Host is up (0.00012s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
31046/tcp open echo
31518/tcp open ssl/echo
31691/tcp open echo
31790/tcp open ssl/unknown
31960/tcp open echo
bandit16@bandit:~$ openssl s_client -connect localhost:31790
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = localhost
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN = localhost
verify error:num=10:certificate has expired
notAfter=Nov 29 17:56:09 2022 GMT
verify return:1
depth=0 CN = localhost
notAfter=Nov 29 17:56:09 2022 GMT
verify return:1
---
Certificate chain
0 s:CN = localhost
i:CN = localhost
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA1
v:NotBefore: Nov 29 17:55:09 2022 GMT; NotAfter: Nov 29 17:56:09 2022 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDCzCCAfOgAwIBAgIEd/iBnDANBgkqhkiG9w0BAQUFADAUMRIwEAYDVQQDDAls
b2NhbGhvc3QwHhcNMjIxMTI5MTc1NTA5WhcNMjIxMTI5MTc1NjA5WjAUMRIwEAYD
VQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDs
d3NkW6uKepKb7CrfKG9BBkBmHBvQx//HbCSybfs4rmHStCqmEPVn2ndXzM3ZqUj9
go5ilPb4ivDpAClyWYSVOWFHmL2H2av89FQCvRJo1lZg1jQ2ZizHudcoWtrMtdiS
WWh8bjZsPg27Kj/kQemm89Jww+z4yFv1jqyB92/t7dxwajMNQLNnApv51oYvnz3o
xnwsmv7I5Q1OzFKP0A9NnWlSlSumWYqsOTMjiYAUfu9fT5ROAbmbMniHUtvTF3KJ
f9Gt+dQZBrWunQZCkV/bEhZy3F7PmwLtko6SR5sa9Ag/23KdYIx5025ojE4cScwv
8IT7gjlegdsICmp7DDf3AgMBAAGjZTBjMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDBL
BglghkgBhvhCAQ0EPhY8QXV0b21hdGljYWxseSBnZW5lcmF0ZWQgYnkgTmNhdC4g
U2VlIGh0dHBzOi8vbm1hcC5vcmcvbmNhdC8uMA0GCSqGSIb3DQEBBQUAA4IBAQDV
gDokTPvpRhXOdw9GKIRtnMx9CX5d3A0WDzDch3l/xKlZ9OtPBWVKUCCqY/9+YlAg
VIyHcxKf9hd6V8If+wlNICujWSAIZE3x4RgiDJVmC2fGZ6dL3VvJSZGVe2RNfG0f
Z6ToIsmMEXUgJOMq5UB9Y5abAd0BewCDZXouS5BUqRMNwszAOY8y79CYiBagf9F6
xj3Xk6i+4DPEZDGQt0d+EjLoRiCp7TF3Cq/mJ0ViTwmbBZDs7dojmvr3RVkMsy5n
F/sUC1dPQaKDKf/G4KTvyWOhruiVdHmAbGU+unNrnwKNpeFG8w7KhD9OiIIPXXky
41QNlSdwz9ilY5oXni10
-----END CERTIFICATE-----
subject=CN = localhost
issuer=CN = localhost
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1339 bytes and written 373 bytes
Verification error: certificate has expired
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 10 (certificate has expired)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: E3793949198D5F4D4B96FAB01552C41197105462F46434B5FE42D3640DE8E59C
Session-ID-ctx:
Resumption PSK: 4A8168F20FA955807707BDCBB170B27D61B2F9A3EF8E4680544A713095BE9F5A6A387DD5D0DFC4DBA943E45FCC4C3749
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - e7 ea a8 b4 b6 fb 4e 4b-db 7a 59 6d 34 ca e6 90 ......NK.zYm4...
0010 - 56 1b b6 e5 9f a5 3c 3b-ad 0a fd 35 55 94 a9 8a V.....<;...5U...
0020 - 08 0f d0 fb a6 4c c0 45-2f 65 08 a2 c9 97 0e 60 .....L.E/e.....`
0030 - d8 b0 55 db 17 59 f2 23-0d 6a 6f 6a b2 29 ed da ..U..Y.#.joj.)..
0040 - c4 e7 fd 56 a4 a3 12 6d-78 18 47 bf 4d ae b5 eb ...V...mx.G.M...
0050 - cf 43 ca 39 c6 73 30 3d-4d 20 20 92 80 d8 74 de .C.9.s0=M ...t.
0060 - 50 30 85 16 a3 5f f2 ac-c3 5d 85 8c 01 13 a7 7c P0..._...].....|
0070 - 70 e9 fa 2d 5e f4 cf e5-50 80 64 a1 d2 d5 62 8a p..-^...P.d...b.
0080 - 26 b6 b8 1f 37 12 05 4f-89 a4 9f 20 8e 1d a2 72 &...7..O... ...r
0090 - 18 eb 6d 04 a9 37 09 3d-79 45 4b 69 3b c7 83 6a ..m..7.=yEKi;..j
00a0 - 67 3b d6 e9 81 f7 ab b6-14 82 3c 02 46 ff 35 c3 g;........<.F.5.
00b0 - ca 33 38 d8 f7 d3 4a f3-df 11 40 2b e8 fe 36 4c .38...J...@+..6L
00c0 - 31 d2 4c a4 82 ab 3b 90-73 98 b2 3e 2d fb 44 24 1.L...;.s..>-.D$
Start Time: 1669995097
Timeout : 7200 (sec)
Verify return code: 10 (certificate has expired)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 2530C22B2625C203DBA4E2DD221B5DE2B3FCE8B8A13A635947DC5C1DF95C909E
Session-ID-ctx:
Resumption PSK: 3241616509718D8E444984F1A7E2DBF7D09C238D4B2025A9045FEA6D171AD368821B83471C8BF134161EAF19AA6E25F8
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - e7 ea a8 b4 b6 fb 4e 4b-db 7a 59 6d 34 ca e6 90 ......NK.zYm4...
0010 - 0a 7d d8 68 f6 81 c3 3d-9b c7 d3 e6 cc fa 40 68 .}.h...=......@h
0020 - 22 fe fd 1b d5 8d d8 ee-5c d6 ef de 47 5a fa 8f ".......\...GZ..
0030 - d7 84 2b 69 66 af 3e 90-30 ca b5 6b cc 82 fe 4c ..+if.>.0..k...L
0040 - fb 56 70 a3 b4 99 d7 82-17 f0 f4 d0 52 9b 08 4d .Vp.........R..M
0050 - 82 18 65 91 75 ed c0 f4-3e 95 5c 85 ae 85 aa d5 ..e.u...>.\.....
0060 - 2e 82 52 92 15 bc 6f 87-ea 0a f0 00 6a e8 2e 64 ..R...o.....j..d
0070 - 30 99 bb f1 21 f5 47 02-b5 a5 1a 46 a9 35 a9 e7 0...!.G....F.5..
0080 - dc 41 5c e4 61 cf 3a 8d-86 7c 16 b8 52 8a 9b b6 .A\.a.:..|..R...
0090 - 57 a1 b7 a6 3f ee 6c bf-46 9f 05 8b a0 91 d5 3f W...?.l.F......?
00a0 - 9a c8 eb 4d 7e 35 3f 9c-75 56 66 09 23 59 65 01 ...M~5?.uVf.#Ye.
00b0 - b1 51 5c ab bb 05 ee fa-25 ba 1d 41 3c e7 68 40 .Q\.....%..A<.h@
00c0 - 70 e0 7f 7b bd 76 a4 ae-72 0c 95 60 17 b9 4b 14 p..{.v..r..`..K.
Start Time: 1669995097
Timeout : 7200 (sec)
Verify return code: 10 (certificate has expired)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
JQttfApK4SeyHwDlI9SXGR50qclOAil1
Correct!
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
-----END RSA PRIVATE KEY-----
closed
bandit16@bandit:~$
__Note:__ Here, we store this private key in file
sshkey.privateand change permission usingchmod 400 sshkey.private
Bandit Leve 17 → Level 18 :
There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new
ssh bandit17@bandit.labs.overthewire.org -i sshkey.private -p 2220
bandit17@bandit:~$ ls
passwords.new passwords.old
bandit17@bandit:~$ diff passwords.old passwords.new
42c42
< 09wUIyMU4YhOzl1Lzxoz0voIBzZ2TUAf
---
> hga5tuuCLF6fFzUpnagiMN8ssu9LFrdg
bandit17@bandit:~$
Bandit Leve 18 → Level 19 :
The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
──(khafagy㉿kali)-[~]
└─$ ssh bandit18@bandit.labs.overthewire.org -p 2220 cat readme
_ _ _ _
| |__ __ _ _ __ __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|
This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames
bandit18@bandit.labs.overthewire.org's password:
awhqfNnAbc1naukrpqDYcF95h7HoMTrC
┌──(khafagy㉿kali)-[~]
└─$
Bandit Leve 19 → Level 20 :
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.
$ ssh bandit19@bandit.labs.overthewire.org -p 2220
bandit19@bandit:~$ ls
bandit20-do
bandit19@bandit:~$ ./bandit20-do
Run a command as another user.
Example: ./bandit20-do id
bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
VxCazJaVykI6W36BkBU0mJTCM8rR95XT
bandit19@bandit:~$
Bandit Leve 20 → Level 21 :
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.
#First Terminal
bandit20@bandit:~$ nc -lv localhost 5555 < /etc/bandit_pass/bandit20
Listening on localhost 5555
Connection received on localhost 41980
NvEJF7oVjkddltPSrdKEFOllh9V1IBcq
bandit20@bandit:~$
#Second Terminal
bandit20@bandit:~$ ./suconnect 5555
Read: VxCazJaVykI6W36BkBU0mJTCM8rR95XT
Password matches, sending next password
Bandit Leve 21 → Level 22 :
There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
$ ssh bandit21@bandit.labs.overthewire.org -p 2220
bandit21@bandit:~$ ls -la /etc/cron.d
total 48
drwxr-xr-x 2 root root 4096 Sep 1 06:30 .
drwxr-xr-x 110 root root 4096 Oct 21 23:52 ..
-rw-r--r-- 1 root root 62 Sep 1 06:30 cronjob_bandit15_root
-rw-r--r-- 1 root root 62 Sep 1 06:30 cronjob_bandit17_root
-rw-r--r-- 1 root root 120 Sep 1 06:30 cronjob_bandit22
-rw-r--r-- 1 root root 122 Sep 1 06:30 cronjob_bandit23
-rw-r--r-- 1 root root 120 Sep 1 06:30 cronjob_bandit24
-rw-r--r-- 1 root root 62 Sep 1 06:30 cronjob_bandit25_root
-rw-r--r-- 1 root root 201 Jan 8 2022 e2scrub_all
-rwx------ 1 root root 52 Sep 1 06:30 otw-tmp-dir
-rw-r--r-- 1 root root 102 Mar 23 2022 .placeholder
-rw-r--r-- 1 root root 396 Feb 2 2021 sysstat
bandit21@bandit:~$ cat /etc/cron.d/cronjob_bandit22 .
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
cat: .: Is a directory
bandit21@bandit:~$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
bandit21@bandit:~$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
WdDozAdTM2z9DiFEQ2mGlwngMfj4EZff
Bandit Leve 22 → Level 23 :
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
$ ssh bandit22@bandit.labs.overthewire.org -p 2220
bandit22@bandit:~$ ls -la /etc/cron.d
total 48
drwxr-xr-x 2 root root 4096 Sep 1 06:30 .
drwxr-xr-x 110 root root 4096 Oct 21 23:52 ..
-rw-r--r-- 1 root root 62 Sep 1 06:30 cronjob_bandit15_root
-rw-r--r-- 1 root root 62 Sep 1 06:30 cronjob_bandit17_root
-rw-r--r-- 1 root root 120 Sep 1 06:30 cronjob_bandit22
-rw-r--r-- 1 root root 122 Sep 1 06:30 cronjob_bandit23
-rw-r--r-- 1 root root 120 Sep 1 06:30 cronjob_bandit24
-rw-r--r-- 1 root root 62 Sep 1 06:30 cronjob_bandit25_root
-rw-r--r-- 1 root root 201 Jan 8 2022 e2scrub_all
-rwx------ 1 root root 52 Sep 1 06:30 otw-tmp-dir
-rw-r--r-- 1 root root 102 Mar 23 2022 .placeholder
-rw-r--r-- 1 root root 396 Feb 2 2021 sysstat
bandit22@bandit:~$ cat /etc/cron.d/cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
bandit22@bandit:~$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget
bandit22@bandit:~$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349
bandit22@bandit:~$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
QYw0Y2aiA672PsMmh9puTQuhoz8SyR2G
Bandit Leve 23 → Level 24 :
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
$ ssh bandit23@bandit.labs.overthewire.org -p 2220
bandit23@bandit:~$ ls -la /etc/cron.d
total 48
drwxr-xr-x 2 root root 4096 Sep 1 06:30 .
drwxr-xr-x 110 root root 4096 Oct 21 23:52 ..
-rw-r--r-- 1 root root 62 Sep 1 06:30 cronjob_bandit15_root
-rw-r--r-- 1 root root 62 Sep 1 06:30 cronjob_bandit17_root
-rw-r--r-- 1 root root 120 Sep 1 06:30 cronjob_bandit22
-rw-r--r-- 1 root root 122 Sep 1 06:30 cronjob_bandit23
-rw-r--r-- 1 root root 120 Sep 1 06:30 cronjob_bandit24
-rw-r--r-- 1 root root 62 Sep 1 06:30 cronjob_bandit25_root
-rw-r--r-- 1 root root 201 Jan 8 2022 e2scrub_all
-rwx------ 1 root root 52 Sep 1 06:30 otw-tmp-dir
-rw-r--r-- 1 root root 102 Mar 23 2022 .placeholder
-rw-r--r-- 1 root root 396 Feb 2 2021 sysstat
bandit23@bandit:~$ cat /etc/cron.d/cronjob_bandit24
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
bandit23@bandit:~$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash
myname=$(whoami)
cd /var/spool/$myname/foo
echo "Executing and deleting all scripts in /var/spool/$myname/foo:"
for i in * .*;
do
if [ "$i" != "." -a "$i" != ".." ];
then
echo "Handling $i"
owner="$(stat --format "%U" ./$i)"
if [ "${owner}" = "bandit23" ]; then
timeout -s 9 60 ./$i
fi
rm -f ./$i
fi
done
bandit23@bandit:~$ mkdir /tmp/khafagy
bandit23@bandit:~$ chmod 777 /tmp/khafagy
bandit23@bandit:~$ cd /tmp/khafagy
bandit23@bandit:~$ nano pass24.sh
#!/bin/sh
#cat /etc/bandit_pass/bandit24 > /tmp/khafagy/pass24file
bandit23@bandit:/tmp/khafagy$ chmod 777 pass24.sh
bandit23@bandit:/tmp/khafagy$ cp pass24.sh /var/spool/bandit24/foo/
bandit23@bandit:/tmp/khafagy$ cat pass24file
VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar
Bandit Leve 23 → Level 24 :
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.
$ ssh bandit23@bandit.labs.overthewire.org -p 2220
bandit24@bandit:~$ mkdir /tmp/pass25
bandit24@bandit:~$ cd /tmp/pass25
bandit24@bandit:/tmp/pass25$ nano sript.sh
#but bruteforce script
bandit24@bandit:/tmp/pass25$ chmod 777 sript.sh
bandit24@bandit:/tmp/pass25$ ./sript.sh
bandit24@bandit:/tmp/pass25$ ls
brute.txt result.txt sript.sh
bandit24@bandit:/tmp/pass25$ sort result.txt | grep -v "Wrong"
Correct!
Exiting.
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
The password of user bandit25 is p7TaowMYrmu23Ol8hiZh9UvD0O9hpx8d
bandit24@bandit:/tmp/pass25$
Bruteforce Script
#!/bin/bash
for i in {0000..9999}
do
echo UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i >> brute.txt
done
cat brute.txt | nc localhost 30002 > result.txt
Bandit Leve 25 → Level 26 & Bandit Leve 26 → Level 27 :
Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.
Bandit Leve 26 → Level 27
Good job getting a shell! Now hurry and grab the password for bandit27!
Explanation: First, we need to check what shell the user bandit26 used. We do this by looking in the correct line in the ‘passwd’ file.
$ ssh bandit25@bandit.labs.overthewire.org -p 2220
cat /etc/passwd | grep bandit26
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
bandit25@bandit:~$ cat /usr/bin/showtext
#!/bin/sh
export TERM=linux
more ~/text.txt
exit 0
What exactly has happened? The text in ’text.txt’ is very short, meaning the whole text can immediately be displayed. more does not need to go into command/interactive mode. If we make the terminal window smaller, more will go into command mode. We can then use v to go into vim. Now we can rescale the window.
bandit25@bandit:~$ ls
bandit26.sshkey
bandit25@bandit:~$ ssh -i bandit26.sshkey bandit26@localhost
_ _ _ _ ___ __
| | | (_) | |__ \ / /
| |__ __ _ _ __ __| |_| |_ ) / /_
| '_ \ / _` | '_ \ / _` | | __| / / '_ \
| |_) | (_| | | | | (_| | | |_ / /| (_) |
|_.__/ \__,_|_| |_|\__,_|_|\__|____\___/
Connection to localhost closed.
bandit25@bandit:~$
# Reduce the size of the terminal to enable 'more' to paging through text one screenful at a time.
# Max height = 6
_ _ _ _ ___ __
| | | (_) | |__ \ / /
| |__ __ _ _ __ __| |_| |_ ) / /_
| '_ \ / _` | '_ \ / _` | | __| / / '_ \
| |_) | (_| | | | | (_| | | |_ / /| (_) |
--More--(83%)
# Press 'v' to start vi
# Then, in vi type ':e /etc/bandit_pass/bandit26'
c7GvcKlw9mC7aUQaPx7nwFstuAIBw1o1
~
~
~
~
"/etc/bandit_pass/bandit26" [readonly] 1L, 33C
:set shell=/bin/bash
:!ls -la
total 36
drwxr-xr-x 3 root root 4096 Oct 16 14:00 .
drwxr-xr-x 41 root root 4096 Oct 16 14:00 ..
-rwsr-x--- 1 bandit27 bandit26 7296 Oct 16 14:00 bandit27-do
-rw-r--r-- 1 root root 220 May 15 2017 .bash_logout
-rw-r--r-- 1 root root 3526 May 15 2017 .bashrc
-rw-r--r-- 1 root root 675 May 15 2017 .profile
drwxr-xr-x 2 root root 4096 Oct 16 14:00 .ssh
-rw-r----- 1 bandit26 bandit26 258 Oct 16 14:00 text.txt
:!./bandit27-do cat /etc/bandit_pass/bandit27
YnQpBuifNMas1hcUFk70ZmqkhUU2EuaS
Bandit Leve 27 → Level 28:
There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo. The password for the user bandit27-git is the same as for the user bandit27.
Clone the repository and find the password for the next level.
$ ssh bandit27@bandit.labs.overthewire.org -p 2220
bandit27@bandit:~$ mkdir /tmp/repo2
bandit27@bandit:~$ cd /tmp/repo2
bandit27@bandit:/tmp/repo2$ ls
bandit27@bandit:/tmp/repo2$ git clone ssh://bandit27-git@localhost:2220/home/bandit27-git/repo
Cloning into 'repo'...
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can't be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/home/bandit27/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/home/bandit27/.ssh/known_hosts).
_ _ _ _
| |__ __ _ _ __ __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|
This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames
bandit27-git@localhost's password:
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (3/3), done.
bandit27@bandit:/tmp/repo2$ ls
repo
bandit27@bandit:/tmp/repo2$ cd repo
bandit27@bandit:/tmp/repo2/repo$ ls
README
bandit27@bandit:/tmp/repo2/repo$ cat README
The password to the next level is: AVanL161y9rsbcJIsFHuw35rjaOM19nR
bandit27@bandit:/tmp/repo2/repo$
Bandit Leve 28 → Level 29:
There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo. The password for the user bandit28-git is the same as for the user bandit28.
Clone the repository and find the password for the next level.
bandit28@bandit:~$ mkdir /tmp/repo3
bandit28@bandit:~$ cd /tmp/repo3
bandit28@bandit:/tmp/repo3$ git clone ssh://bandit28-git@localhost/home/bandit28-git/repo
Cloning into 'repo'...
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/home/bandit28/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/home/bandit28/.ssh/known_hosts).
This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames
!!! You are trying to log into this SSH server on port 22, which is not intended.
bandit28-git@localhost: Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
bandit28@bandit:/tmp/repo3$ git clone ssh://bandit28-git@localhost:2220/home/bandit28-git/repo
Cloning into 'repo'...
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can't be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/home/bandit28/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/home/bandit28/.ssh/known_hosts).
_ _ _ _
| |__ __ _ _ __ __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|
This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames
bandit28-git@localhost's password:
remote: Enumerating objects: 9, done.
remote: Counting objects: 100% (9/9), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 9 (delta 2), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (9/9), done.
Resolving deltas: 100% (2/2), done.
bandit28@bandit:/tmp/repo3$ ls
repo
bandit28@bandit:/tmp/repo3$ cd repo
bandit28@bandit:/tmp/repo3/repo$ ls
README.md
bandit28@bandit:/tmp/repo3/repo$ cat README.md
# Bandit Notes
Some notes for level29 of bandit.
## credentials
- username: bandit29
- password: xxxxxxxxxx
bandit28@bandit:/tmp/repo3/repo$ git show README.md
commit 43032edb2fb868dea2ceda9cb3882b2c336c09ec (HEAD -> master, origin/master, origin/HEAD)
Author: Morla Porla <morla@overthewire.org>
Date: Thu Sep 1 06:30:25 2022 +0000
fix info leak
diff --git a/README.md b/README.md
index b302105..5c6457b 100644
--- a/README.md
+++ b/README.md
@@ -4,5 +4,5 @@ Some notes for level29 of bandit.
## credentials
- username: bandit29
-- password: tQKvmcwNYcFS6vmPHIUSI3ShmsrQZK8S
+- password: xxxxxxxxxx
bandit28@bandit:/tmp/repo3/repo$
Bandit Leve 29 → Level 30:
There is a git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo. The password for the user bandit29-git is the same as for the user bandit29.
bandit29@bandit:~$ mkdir /tmp/lol
mkdir: cannot create directory ‘/tmp/lol’: File exists
bandit29@bandit:~$ mkdir /tmp/repo4
bandit29@bandit:~$ cd /tmp/repo4
bandit29@bandit:/tmp/repo4$ git clone ssh://bandit29-git@localhost:2220/home/bandit29-git/repo
Cloning into 'repo'...
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can't be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/home/bandit29/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/home/bandit29/.ssh/known_hosts).
_ _ _ _
| |__ __ _ _ __ __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|
This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames
bandit29-git@localhost's password:
remote: Enumerating objects: 16, done.
remote: Counting objects: 100% (16/16), done.
remote: Compressing objects: 100% (11/11), done.
Receiving objects: 100% (16/16), 1.44 KiB | 1.44 MiB/s, done.
remote: Total 16 (delta 2), reused 0 (delta 0), pack-reused 0
Resolving deltas: 100% (2/2), done.
bandit29@bandit:/tmp/repo4$ ls
repo
bandit29@bandit:/tmp/repo4$ cd repo
bandit29@bandit:/tmp/repo4/repo$ ls
README.md
bandit29@bandit:/tmp/repo4/repo$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.
## credentials
- username: bandit30
- password: <no passwords in production!>
bandit29@bandit:/tmp/repo4/repo$ git branch
* master
bandit29@bandit:/tmp/repo4/repo$ git branch -r
origin/HEAD -> origin/master
origin/dev
origin/master
origin/sploits-dev
bandit29@bandit:/tmp/repo4/repo$ git checkout dev
Branch 'dev' set up to track remote branch 'dev' from 'origin'.
Switched to a new branch 'dev'
bandit29@bandit:/tmp/repo4/repo$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.
## credentials
- username: bandit30
- password: xbhV3HpNGlTIdnjUrdAlPzc2L6y9EOnS
bandit29@bandit:/tmp/repo4/repo$
Bandit Leve 30 → Level 31:#
There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo. The password for the user bandit30-git is the same as for the user bandit30.
bandit30@bandit:~$ mkdir /tmp/repo5
bandit30@bandit:~$ cd /tmp/repo5
bandit30@bandit:/tmp/repo5$ git clone ssh://bandit30-git@localhost:2220/home/bandit30-git/repo
Cloning into 'repo'...
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can't be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/home/bandit30/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/home/bandit30/.ssh/known_hosts).
_ _ _ _
| |__ __ _ _ __ __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|
This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames
bandit30-git@localhost's password:
remote: Enumerating objects: 4, done.
remote: Counting objects: 100% (4/4), done.
remote: Total 4 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (4/4), done.
bandit30@bandit:/tmp/repo5$
bandit30@bandit:/tmp/repo5$ ls
repo
bandit30@bandit:/tmp/repo5$ cd repo
bandit30@bandit:/tmp/repo5/repo$ ls
README.md
bandit30@bandit:/tmp/repo5/repo$ cat README.md
just an epmty file... muahaha
bandit30@bandit:/tmp/repo5/repo$ git tag
secret
bandit30@bandit:/tmp/repo5/repo$ cat secret
cat: secret: No such file or directory
bandit30@bandit:/tmp/repo5/repo$ ls
README.md
bandit30@bandit:/tmp/repo5/repo$ git show secret
OoffzGDlzhAlerFJ2cAiz1D41JW1Mhmt
Bandit Leve 31 → Level 32:
There is a git repository at ssh://bandit31-git@localhost/home/bandit31-git/repo. The password for the user bandit31-git is the same as for the user bandit31.
Clone the repository and find the password for the next level.
bandit31@bandit:~$ mkdir /tmp/repo6
bandit31@bandit:~$ cd /tmp/repo6
bandit31@bandit:/tmp/repo6$ git clone ssh://bandit31-git@localhost:2220/home/bandit31-git/repo
Cloning into 'repo'...
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can't be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/home/bandit31/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/home/bandit31/.ssh/known_hosts).
_ _ _ _
| |__ __ _ _ __ __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|
This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames
bandit31-git@localhost's password:
remote: Enumerating objects: 4, done.
remote: Counting objects: 100% (4/4), done.
remote: Compressing objects: 100% (3/3), done.
remote: Total 4 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (4/4), done.
bandit31@bandit:/tmp/repo6$ cd repo
bandit31@bandit:/tmp/repo6/repo$ ls
README.md
bandit31@bandit:/tmp/repo6/repo$ cat README.md
This time your task is to push a file to the remote repository.
Details:
File name: key.txt
Content: 'May I come in?'
Branch: master
bandit31@bandit:/tmp/repo6/repo$ echo "May I come in?">key.txt
bandit31@bandit:/tmp/repo6/repo$ git add -f key.txt
bandit31@bandit:/tmp/repo6/repo$ git commit -m key.txt
[master 5c77711] key.txt
1 file changed, 1 insertion(+)
create mode 100644 key.txt
bandit31@bandit:/tmp/repo6/repo$ ls
key.txt README.md
bandit31@bandit:/tmp/repo6/repo$ cat key.txt
May I come in?
bandit31@bandit:/tmp/repo6/repo$ git push origin master
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can't be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/home/bandit31/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/home/bandit31/.ssh/known_hosts).
_ _ _ _
| |__ __ _ _ __ __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|
This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames
bandit31-git@localhost's password:
Enumerating objects: 4, done.
Counting objects: 100% (4/4), done.
Delta compression using up to 2 threads
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 321 bytes | 321.00 KiB/s, done.
Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
remote: ### Attempting to validate files... ####
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
remote: Well done! Here is the password for the next level:
remote: rmCBvG56y58BXzv98yZGdO7ATVL5dW8y
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
To ssh://localhost:2220/home/bandit31-git/repo
! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'ssh://localhost:2220/home/bandit31-git/repo'
Bandit Leve 32 → Level 33:
After all this git stuff its time for another escape. Good luck!
>> LS
sh: 1: LS: not found
>> $0
$ ls
uppershell
$ ls -la
total 36
drwxr-xr-x 2 root root 4096 Sep 1 06:30 .
drwxr-xr-x 49 root root 4096 Sep 1 06:30 ..
-rw-r--r-- 1 root root 220 Jan 6 2022 .bash_logout
-rw-r--r-- 1 root root 3771 Jan 6 2022 .bashrc
-rw-r--r-- 1 root root 807 Jan 6 2022 .profile
-rwsr-x--- 1 bandit33 bandit32 15124 Sep 1 06:30 uppershell
$ whoami
bandit33
$ cat /etc/bandit_pass/bandit33
odHo63fHiFqcWWJG9rLiLDtPm45KzUKy
Bandit Leve 33 → Level 34:
At this moment, level 34 does not exist yet.
bandit33@bandit:~$ ls -la
total 24
drwxr-xr-x 2 root root 4096 Sep 1 06:30 .
drwxr-xr-x 49 root root 4096 Sep 1 06:30 ..
-rw-r--r-- 1 root root 220 Jan 6 2022 .bash_logout
-rw-r--r-- 1 root root 3771 Jan 6 2022 .bashrc
-rw-r--r-- 1 root root 807 Jan 6 2022 .profile
drwxr-xr-x 2 bandit33 bandit33 0 Jan 1 06:30 Khafagy_Was_Here
-rw------- 1 bandit33 bandit33 430 Sep 1 06:30 README.txt
bandit33@bandit:~$ cat README.txt
Congratulations on solving the last level of this game!
At this moment, there are no more levels to play in this game. However, we are constantly working
on new levels and will most likely expand this game with more levels soon.
Keep an eye out for an announcement on our usual communication channels!
In the meantime, you could play some of our other wargames.
If you have an idea for an awesome new level, please let us know!
bandit33@bandit:~$