OverTheWire Bandit
Excerpt
Level 0
Level Goal
The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.
Commands you may need to solve this level
ssh
Helpful Reading Material
Solution
root@athos:~# ssh -p 2220 bandit0@bandit.labs.overthewire.org
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit0@bandit.labs.overthewire.org's password: bandit0
Level 0 → Level 1
Level Goal
The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.
Commands you may need to solve this level
ls, cd, cat, file, du, find
Solution
bandit0@bandit:~$ ls -lF
total 4
-rw-r----- 1 bandit1 bandit0 33 Oct 16 14:00 readme
bandit0@bandit:~$ cat readme
boJ9jbbUNNfktd78OOpsqOltutMc3MY1
Level 1 → Level 2
Level Goal
The password for the next level is stored in a file called - located in the home directory
Commands you may need to solve this level
ls, cd, cat, file, du, find
Helpful Reading Material
Solution
bandit1@bandit:~$ ls -lF
total 4
-rw-r----- 1 bandit2 bandit1 33 Oct 16 14:00 -
bandit1@bandit:~$ cat ./-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
Level 2 → Level 3
Level Goal
The password for the next level is stored in a file called spaces in this filename located in the home directory
Commands you may need to solve this level
ls, cd, cat, file, du, find
Helpful Reading Material
Solution
bandit2@bandit:~$ ls -lF
total 4
-rw-r----- 1 bandit3 bandit2 33 Oct 16 14:00 spaces in this filename
bandit2@bandit:~$ cat ./spaces\ in\ this\ filename
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
Level 3 → Level 4
Level Goal
The password for the next level is stored in a hidden file in the inhere directory.
Commands you may need to solve this level
ls, cd, cat, file, du, find
Solution
bandit3@bandit:~$ ls -lF
total 4
drwxr-xr-x 2 root root 4096 Oct 16 14:00 inhere/
bandit3@bandit:~$ ls -laF inhere/
total 12
drwxr-xr-x 2 root root 4096 Oct 16 14:00 ./
drwxr-xr-x 3 root root 4096 Oct 16 14:00 ../
-rw-r----- 1 bandit4 bandit3 33 Oct 16 14:00 .hidden
bandit3@bandit:~$ cat inhere/.hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB
Level 4 → Level 5
Level Goal
The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.
Commands you may need to solve this level
ls, cd, cat, file, du, find
Solution
bandit4@bandit:~$ ls -lF
total 4
drwxr-xr-x 2 root root 4096 Oct 16 14:00 inhere/
bandit4@bandit:~$ ls -lF inhere/
total 40
-rw-r----- 1 bandit5 bandit4 33 Oct 16 14:00 -file00
-rw-r----- 1 bandit5 bandit4 33 Oct 16 14:00 -file01
-rw-r----- 1 bandit5 bandit4 33 Oct 16 14:00 -file02
-rw-r----- 1 bandit5 bandit4 33 Oct 16 14:00 -file03
-rw-r----- 1 bandit5 bandit4 33 Oct 16 14:00 -file04
-rw-r----- 1 bandit5 bandit4 33 Oct 16 14:00 -file05
-rw-r----- 1 bandit5 bandit4 33 Oct 16 14:00 -file06
-rw-r----- 1 bandit5 bandit4 33 Oct 16 14:00 -file07
-rw-r----- 1 bandit5 bandit4 33 Oct 16 14:00 -file08
-rw-r----- 1 bandit5 bandit4 33 Oct 16 14:00 -file09
bandit4@bandit:~$ cat inhere/*
▒▒▒▒▒▒▒▒▒▒~% C[▒걱>▒▒| ▒▒▒▒U"7▒w▒▒▒H▒▒ê▒Q▒▒(▒(▒ִ▒▒▒▒▒A*▒
2J▒Ş؇_▒y7▒.A▒▒u▒▒#▒▒▒w$N?c▒-▒▒Db3▒▒=▒▒▒=<▒W▒▒▒▒▒ht▒Z▒▒!▒▒{▒U
▒+▒▒pm▒▒▒;▒▒:D▒▒^▒▒@▒gl▒Q▒▒@▒koReBOKuIDDepwhWk7jZC0RTdopnAYKh
FPn▒
'▒U▒▒▒M▒▒/u
XS
▒mu▒z▒▒▒хN▒{▒▒Y▒d4▒▒▒▒]3▒▒▒▒▒9(▒
Level 5 → Level 6
Level Goal
The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:
- human-readable
- 1033 bytes in size
- not executable
Commands you may need to solve this level
ls, cd, cat, file, du, find
Solution
bandit5@bandit:~$ find . ! -executable -size 1033c
./inhere/maybehere07/.file2
bandit5@bandit:~$ cat ./inhere/maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7
Level 6 → Level 7
Level Goal
The password for the next level is stored somewhere on the server and has all of the following properties:
- owned by user bandit7
- owned by group bandit6
- 33 bytes in size
Commands you may need to solve this level
ls, cd, cat, file, du, find, grep
Solution
bandit6@bandit:~$ find / -user bandit7 -group bandit6 -size 33c 2> /dev/null
/var/lib/dpkg/info/bandit7.password
bandit6@bandit:~$ cat /var/lib/dpkg/info/bandit7.password
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
Level 7 → Level 8
Level Goal
The password for the next level is stored in the file data.txt next to the word millionth
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd
Solution
bandit7@bandit:~$ ls -lF
total 4088
-rw-r----- 1 bandit8 bandit7 4184396 Oct 16 14:00 data.txt
bandit7@bandit:~$ grep millionth data.txt
millionth cvX2JJa4CFALtqS87jk27qwqGhBM9plV
Level 8 → Level 9
Level Goal
The password for the next level is stored in the file data.txt and is the only line of text that occurs only once
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd
Helpful Reading Material
Solution
bandit8@bandit:~$ ls -lF
total 36
-rw-r----- 1 bandit9 bandit8 33033 Oct 16 14:00 data.txt
bandit8@bandit:~$ sort data.txt | uniq -u
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
Level 9 → Level 10
Level Goal
The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd
Solution
bandit9@bandit:~$ ls -lF
total 20
-rw-r----- 1 bandit10 bandit9 19379 Oct 16 14:00 data.txt
bandit9@bandit:~$ strings data.txt | grep =
2========== the
========== password
>t= yP
rV~dHm=
========== isa
=FQ?P\U
= F[
pb=x
J;m=
=)$=
========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
iv8!=
Level 10 → Level 11
Level Goal
The password for the next level is stored in the file data.txt, which contains base64 encoded data
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd
Helpful Reading Material
Solution
bandit10@bandit:~$ ls -lF
total 4
-rw-r----- 1 bandit11 bandit10 69 Oct 16 14:00 data.txt
bandit10@bandit:~$ cat data.txt
VGhlIHBhc3N3b3JkIGlzIElGdWt3S0dzRlc4TU9xM0lSRnFyeEUxaHhUTkViVVBSCg==
bandit10@bandit:~$ base64 -d data.txt
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR
Level 11 → Level 12
Level Goal
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions
Commands you may need to solve this level grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd
Helpful Reading Material - Rot13 on Wikipedia
Solution
bandit11@bandit:~$ ls -lF
total 4
-rw-r----- 1 bandit12 bandit11 49 Oct 16 14:00 data.txt
bandit11@bandit:~$ cat data.txt
Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh
bandit11@bandit:~$ cat data.txt | tr '[N-Zn-zA-Ma-m]' '[A-Ma-mN-Zn-z]'
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
Level 12 → Level 13
Level Goal
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)
Commands you may need to solve this level grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd, mkdir, cp, mv
Helpful Reading Material
Solution
bandit12@bandit:~$ ls -lF
total 4
-rw-r----- 1 bandit13 bandit12 2581 Oct 16 14:00 data.txt
bandit12@bandit:~$ cat data.txt
00000000: 1f8b 0808 d7d2 c55b 0203 6461 7461 322e .......[..data2.
00000010: 6269 6e00 013c 02c3 fd42 5a68 3931 4159 bin..<...BZh91AY
00000020: 2653 591d aae5 9800 001b ffff de7f 7fff &SY.............
00000030: bfb7 dfcf 9fff febf f5ad efbf bbdf 7fdb ................
00000040: f2fd ffdf effa 7fff fbd7 bdff b001 398c ..............9.
00000050: 1006 8000 0000 0d06 9900 0000 6834 000d ............h4..
00000060: 01a1 a000 007a 8000 0d00 0006 9a00 d034 .....z.........4
00000070: 0d1a 3234 68d1 e536 a6d4 4000 341a 6200 ..24h..6..@.4.b.
00000080: 0069 a000 0000 0000 d003 d200 681a 0d00 .i..........h...
00000090: 0001 b51a 1a0c 201e a000 6d46 8068 069a ...... ...mF.h..
000000a0: 6834 340c a7a8 3406 4000 0680 0001 ea06 h44...4.@.......
000000b0: 8190 03f5 4032 1a00 0343 4068 0000 0686 ....@2...C@h....
000000c0: 8000 0320 00d0 0d00 0610 0014 1844 0308 ... .........D..
000000d0: 04e1 c542 9ab8 2c30 f1be 0b93 763b fb13 ...B..,0....v;..
000000e0: 50c4 c101 e008 3b7a 92a7 9eba 8a73 8d21 P.....;z.....s.!
000000f0: 9219 9c17 052b fb66 a2c2 fccc 9719 b330 .....+.f.......0
00000100: 6068 8c65 e504 5ec0 ae02 fa6d 16bc 904b `h.e..^....m...K
00000110: ba6c f692 356e c02b 0374 c394 6859 f5bb .l..5n.+.t..hY..
00000120: 0f9f 528e 4272 22bb 103c 2848 d8aa 2409 ..R.Br"..<(H..$.
00000130: 24d0 d4c8 4b42 7388 ce25 6c1a 7ec1 5f17 $...KBs..%l.~._.
00000140: cc18 ddbf edc1 e3a4 67f1 7a4d 8277 c823 ........g.zM.w.#
00000150: 0450 2232 40e0 07f1 ca16 c6d6 ef0d ecc9 .P"2@...........
00000160: 8bc0 5e2d 4b12 8586 088e 8ca0 e67d a55c ..^-K........}.\
00000170: 2ca0 18c7 bfb7 7d45 9346 ea5f 2172 01e4 ,.....}E.F._!r..
00000180: 5598 673f 45af 69b7 a739 7814 8706 04ed U.g?E.i..9x.....
00000190: 5442 1240 0796 6cc8 b2f6 1ef9 8d13 421d TB.@..l.......B.
000001a0: 461f 2e68 4d91 5343 34b5 56e7 46d0 0a0a F..hM.SC4.V.F...
000001b0: 72b7 d873 71d9 6f09 c326 402d dbc0 7cef r..sq.o..&@-..|.
000001c0: 53b1 df60 9ec7 f318 00df 3907 2e85 d85b S..`......9....[
000001d0: 6a1a e105 0207 c580 e31d 82d5 8646 183c j............F.<
000001e0: 6a04 4911 101a 5427 087c 1f94 47a2 270d j.I...T'.|..G.'.
000001f0: ad12 fc5c 9ad2 5714 514f 34ba 701d fb69 ...\..W.QO4.p..i
00000200: 8eed 0183 e2a1 53ea 2300 26bb bd2f 13df ......S.#.&../..
00000210: b703 08a3 2309 e43c 44bf 75d4 905e 5f96 ....#..<D.u..^_.
00000220: 481b 362e e82d 9093 7741 740c e65b c7f1 H.6..-..wAt..[..
00000230: 5550 f247 9043 5097 d626 3a16 da32 c213 UP.G.CP..&:..2..
00000240: 2acd 298a 5c8a f0c1 b99f e2ee 48a7 0a12 *.).\.......H...
00000250: 03b5 5cb3 0037 cece 773c 0200 00 ..\..7..w<...
bandit12@bandit:~$ mkdir -p /tmp/39852/
bandit12@bandit:~$ xxd -r data.txt > /tmp/39852/data
bandit12@bandit:~$ cd /tmp/39852/
bandit12@bandit:/tmp/39852$ file data
data: gzip compressed data, was "data2.bin", last modified:
Tue Oct 16 12:00:23 2018, max compression, from Unix
bandit12@bandit:/tmp/39852$ mv data data.gz ; gunzip data.gz
bandit12@bandit:/tmp/39852$ file data
data: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/39852$ bunzip2 data
bunzip2: Can't guess original name for data -- using data.out
bandit12@bandit:/tmp/39852$ file data.out
data.out: gzip compressed data, was "data4.bin", last modified:
Tue Oct 16 12:00:23 2018, max compression, from Unix
bandit12@bandit:/tmp/39852$ mv data.out data.gz ; gunzip data.gz
bandit12@bandit:/tmp/39852$ file data
data: POSIX tar archive (GNU)
bandit12@bandit:/tmp/39852$ tar -xf data
bandit12@bandit:/tmp/39852$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@bandit:/tmp/39852$ tar -xf data5.bin
bandit12@bandit:/tmp/39852$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/39852$ bunzip2 data6.bin
bunzip2: Can't guess original name for data6.bin -- using data6.bin.out
bandit12@bandit:/tmp/39852$ file data6.bin.out
data6.bin.out: POSIX tar archive (GNU)
bandit12@bandit:/tmp/39852$ tar -xf data6.bin.out
bandit12@bandit:/tmp/39852$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", last modified:
Tue Oct 16 12:00:23 2018, max compression, from Unix
bandit12@bandit:/tmp/39852$ mv data8.bin data.gz ; gunzip data.gz
bandit12@bandit:/tmp/39852$ file data
data: ASCII text
bandit12@bandit:/tmp/39852$ cat data
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
Level 13 → Level 14
Level Goal
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on
Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap
Helpful Reading Material
Solution
bandit13@bandit:~$ ls -lF
total 4
-rw-r----- 1 bandit14 bandit13 1679 Oct 16 14:00 sshkey.private
bandit13@bandit:~$ head -5 sshkey.private
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAxkkOE83W2cOT7IWhFc9aPaaQmQDdgzuXCv+ppZHa++buSkN+
gg0tcr7Fw8NLGa5+Uzec2rEg0WmeevB13AIoYp0MZyETq46t+jk9puNwZwIt9XgB
ZufGtZEwWbFWw/vVLNwOXBe4UWStGRWzgPpEeSv5Tb1VjLZIBdGphTIK22Amz6Zb
ThMsiMnyJafEwJ/T8PQO3myS91vUHEuoOMAzoUID4kN0MEZ3+XahyK0HJVq68KsV
bandit13@bandit:~$ ssh -i sshkey.private bandit14@localhost
bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Level 14 → Level 15
Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap
Helpful Reading Material
- IP Addresses
- IP Address on Wikipedia
- Localhost on Wikipedia
- Ports
- Port (computer networking) on Wikipedia
Solution
bandit14@bandit:~$ echo 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e | nc -vv localhost 30000
localhost [127.0.0.1] 30000 (?) open
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr
sent 33, rcvd 43
Level 15 → Level 16
Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command
Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap
Helpful Reading Material
Solution
echo BfMYroe26WYalil77FoDi9qh59eK5xNr | \
openssl s_client -quiet -ign_eof -connect localhost:30001
bandit15@bandit:~$ echo BfMYroe26WYalil77FoDi9qh59eK5xNr | \
> openssl s_client -quiet -ign_eof -connect localhost:30001
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd
Level 16 → Level 17
Level Goal
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap
Helpful Reading Material
Solution
bandit16@bandit:~$ nmap -sV -p 31000-32000 localhost
Starting Nmap 7.40 ( https://nmap.org ) at 2018-11-22 14:14 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00020s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
31518/tcp open ssl/echo
31790/tcp open ssl/unknown
(truncated)
Service detection performed.
Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 88.78 seconds
echo cluFn7wTiGryunymYOu4RcffSxQluehd | \
openssl s_client -quiet -ign_eof -connect localhost:31790 > /tmp/72502/data
bandit16@bandit:~$ echo cluFn7wTiGryunymYOu4RcffSxQluehd | \
> openssl s_client -quiet -ign_eof -connect localhost:31790 > /tmp/72502/data
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
bandit16@bandit:~$ head -5 /tmp/72502/data
Correct!
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
bandit16@bandit:~$ sed -i '1d' /tmp/72502/data
bandit16@bandit:~$ chmod 400 /tmp/72502/data
bandit16@bandit:~$ ssh -i /tmp/72502/data bandit17@localhost
bandit17@bandit:~$ cat /etc/bandit_pass/bandit17
xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn
Level 17 → Level 18
Level Goal
There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new
NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19
Commands you may need to solve this level
cat, grep, ls, diff
Solution
bandit17@bandit:~$ diff passwords.old passwords.new
42c42
< hlbSBPAWJmL6WFDb06gpTx1pPButblOA
---
> kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
Level 18 → Level 19
Level Goal
The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
Commands you may need to solve this level
ssh, ls, cat
Solution
root@athos:~# ssh -T -p 2220 bandit18@bandit.labs.overthewire.org
Or
root@athos:~# ssh -t -p 2220 bandit18@bandit.labs.overthewire.org /bin/sh
$ ls -lF
total 4
-rw-r----- 1 bandit19 bandit18 33 Oct 16 14:00 readme
$ cat readme
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
Level 19 → Level 20
Level Goal
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.
Helpful Reading Material
Solution
bandit19@bandit:~$ ls -lF
total 8
-rwsr-x--- 1 bandit20 bandit19 7296 Oct 16 14:00 bandit20-do*
bandit19@bandit:~$ ./bandit20-do
Run a command as another user.
Example: ./bandit20-do id
bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Level 20 → Level 21
Level Goal
There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
NOTE: Try connecting to your own network daemon to see if it works as you think
Commands you may need to solve this level
ssh, nc, cat, bash, screen, tmux, Unix ‘job control’ (bg, fg, jobs, &, CTRL-Z)
Solution
bandit20@bandit:~$ ls -lF
total 12
-rwsr-x--- 1 bandit21 bandit20 12088 Oct 16 14:00 suconnect*
bandit20@bandit:~$ ./suconnect
Usage: ./suconnect <portnumber>
This program will connect to the given port on localhost using TCP. If it receives
the correct password from the other side, the next password is transmitted back.
bandit20@bandit:~$ echo GbKksEFF4yrVs6il55v6gwY5aVje5f0j | nc -lp 31337 &
[1] 19490
bandit20@bandit:~$ ./suconnect 31337
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
[1]+ Done echo GbKksEFF4yrVs6il55v6gwY5aVje5f0j | nc -lp 31337
Level 21 → Level 22
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
Commands you may need to solve this level
cron, crontab, crontab(5) (use “man 5 crontab” to access this)
Solution
bandit21@bandit:~$ ls -lF /etc/cron.d/
total 12
-rw-r--r-- 1 root root 120 Oct 16 14:00 cronjob_bandit22
-rw-r--r-- 1 root root 122 Oct 16 14:00 cronjob_bandit23
-rw-r--r-- 1 root root 120 Oct 16 14:00 cronjob_bandit24
bandit21@bandit:~$ cat /etc/cron.d/cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
bandit21@bandit:~$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
bandit21@bandit:~$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
Level 22 → Level 23
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
Commands you may need to solve this level
cron, crontab, crontab(5) (use “man 5 crontab” to access this)
Solution
bandit22@bandit:~$ ls -lF /etc/cron.d/
total 12
-rw-r--r-- 1 root root 120 Oct 16 14:00 cronjob_bandit22
-rw-r--r-- 1 root root 122 Oct 16 14:00 cronjob_bandit23
-rw-r--r-- 1 root root 120 Oct 16 14:00 cronjob_bandit24
bandit22@bandit:~$ cat /etc/cron.d/cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
bandit22@bandit:~$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget
bandit22@bandit:~$ myname=bandit23
bandit22@bandit:~$ mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
bandit22@bandit:~$ cat /tmp/$mytarget
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
Level 23 → Level 24
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around …
Commands you may need to solve this level cron, crontab, crontab(5) (use “man 5 crontab” to access this)
Solution
bandit23@bandit:~$ ls -lF /etc/cron.d/
total 12
-rw-r--r-- 1 root root 120 Oct 16 14:00 cronjob_bandit22
-rw-r--r-- 1 root root 122 Oct 16 14:00 cronjob_bandit23
-rw-r--r-- 1 root root 120 Oct 16 14:00 cronjob_bandit24
bandit23@bandit:~$ cat /etc/cron.d/cronjob_bandit24
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
bandit23@bandit:~$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash
myname=$(whoami)
cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
if [ "$i" != "." -a "$i" != ".." ];
then
echo "Handling $i"
timeout -s 9 60 ./$i
rm -f ./$i
fi
done
cat <<EOF > /var/spool/bandit24/script.sh
#!/bin/bash
mkdir -p /tmp/37552/
cp /etc/bandit_pass/bandit24 /tmp/37552/
chmod -R a+rwx /tmp/37552/
EOF
bandit23@bandit:~$ cat <<EOF > /var/spool/bandit24/script.sh
> #!/bin/bash
> mkdir -p /tmp/37552/
> cp /etc/bandit_pass/bandit24 /tmp/37552/
> chmod -R a+rwx /tmp/37552/
> EOF
bandit23@bandit:~$ chmod a+x /var/spool/bandit24/script.sh
bandit23@bandit:~$ cat /tmp/37552/bandit24
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
Level 24 → Level 25
Level Goal
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.
Solution
for i in $(seq -w 1 9999); do echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i"; done | \
nc localhost 30002
Or
for i in {1..9999}; \
do printf "%s %04d\n" "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ" "$i"; done | \
nc localhost 30002
Or
for i in $(seq -w 1 9999); \
do echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i"; done | \
nc localhost 30002
bandit24@bandit:~$ for i in $(seq -w 1 9999); \
> do echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i"; done | \
> nc localhost 30002
Wrong! Please enter the correct pincode. Try again.
Wrong! Please enter the correct pincode. Try again.
Wrong! Please enter the correct pincode. Try again.
Wrong! Please enter the correct pincode. Try again.
Wrong! Please enter the correct pincode. Try again.
Correct!
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
Exiting.
Level 25 → Level 26
Level Goal
Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.
Commands you may need to solve this level
ssh, cat, more, vi, ls, id, pwd
Solution
bandit25@bandit:~$ ls -lF
total 4
-r-------- 1 bandit25 bandit25 1679 Oct 16 14:00 bandit26.sshkey
bandit25@bandit:~$ ssh -i bandit26.sshkey bandit26@localhost
_ _ _ _ ___ __
| | | (_) | |__ \ / /
| |__ __ _ _ __ __| |_| |_ ) / /_
| '_ \ / _` | '_ \ / _` | | __| / / '_ \
| |_) | (_| | | | | (_| | | |_ / /| (_) |
|_.__/ \__,_|_| |_|\__,_|_|\__|____\___/
Connection to localhost closed.
bandit25@bandit:~$ grep bandit26 /etc/passwd
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
bandit25@bandit:~$ cat /usr/bin/showtext
#!/bin/sh
export TERM=linux
more ~/text.txt
exit 0
bandit25@bandit:~$ ssh -i bandit26.sshkey bandit26@localhost
Escaping!
:set shell=/bin/sh
:shell
$ cat /etc/bandit_pass/bandit26
5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z
$ ls -lF
total 12
-rwsr-x--- 1 bandit27 bandit26 7296 Oct 16 14:00 bandit27-do*
-rw-r----- 1 bandit26 bandit26 258 Oct 16 14:00 text.txt
$ ./bandit27-do cat /etc/bandit_pass/bandit27
3ba3118a22e93127a4ed485be72ef5ea
Level 26 → Level 27
Level Goal
Good job getting a shell! Now hurry and grab the password for bandit27!
Commands you may need to solve this level
ls
Solution
$ ls -lF
total 12
-rwsr-x--- 1 bandit27 bandit26 7296 Oct 16 14:00 bandit27-do*
-rw-r----- 1 bandit26 bandit26 258 Oct 16 14:00 text.txt
$ ./bandit27-do cat /etc/bandit_pass/bandit27
3ba3118a22e93127a4ed485be72ef5ea
Level 27 → Level 28
Level Goal
There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo. The password for the user bandit27-git is the same as for the user bandit27.
Clone the repository and find the password for the next level.
Commands you may need to solve this level
git
Solution
bandit27@bandit:~$ mkdir /tmp/81832 ; cd /tmp/81832/
bandit27@bandit:/tmp/81832$ git clone ssh://bandit27-git@localhost/home/bandit27-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit27/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit27/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit27-git@localhost's password:
remote: Counting objects: 3, done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 3 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (3/3), done.
bandit27@bandit:/tmp/81832$ ls -lF
total 4
drwxr-sr-x 3 bandit27 root 4096 Nov 24 11:11 repo/
bandit27@bandit:/tmp/81832$ ls -lF repo/
total 4
-rw-r--r-- 1 bandit27 root 68 Nov 25 12:54 README
bandit27@bandit:/tmp/81832$ cat repo/README
The password to the next level is: 0ef186ac70e04ea33b4c1853d2526fa2
Level 28 → Level 29
Level Goal
There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo. The password for the user bandit28-git is the same as for the user bandit28.
Clone the repository and find the password for the next level.
Commands you may need to solve this level
git
Solution
bandit28@bandit:~$ mkdir /tmp/16143/ ; cd /tmp/16143/
bandit28@bandit:/tmp/16143$ git clone ssh://bandit28-git@localhost/home/bandit28-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit28/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit28/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit28-git@localhost's password:
remote: Counting objects: 9, done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 9 (delta 2), reused 0 (delta 0)
Receiving objects: 100% (9/9), done.
Resolving deltas: 100% (2/2), done.
bandit28@bandit:/tmp/16143$ ls -lF repo/
total 4
-rw-r--r-- 1 bandit28 root 111 Nov 25 13:00 README.md
bandit28@bandit:/tmp/16143$ cat repo/README.md
# Bandit Notes
Some notes for level29 of bandit.
## credentials
- username: bandit29
- password: xxxxxxxxxx
bandit28@bandit:/tmp/16143$ cd repo ; git log -p
commit 073c27c130e6ee407e12faad1dd3848a110c4f95
Author: Morla Porla <morla@overthewire.org>
Date: Tue Oct 16 14:00:39 2018 +0200
fix info leak
diff --git a/README.md b/README.md
index 3f7cee8..5c6457b 100644
--- a/README.md
+++ b/README.md
@@ -4,5 +4,5 @@ Some notes for level29 of bandit.
## credentials
- username: bandit29
-- password: bbc96594b4e001778eee9975372716b2
+- password: xxxxxxxxxx
(truncated)
Level 29 → Level 30
Level Goal
There is a git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo. The password for the user bandit29-git is the same as for the user bandit29.
Clone the repository and find the password for the next level.
Commands you may need to solve this level
git
Solution
bandit29@bandit:~$ mkdir /tmp/98038/ ; cd /tmp/98038/
bandit29@bandit:/tmp/98038$ git clone ssh://bandit29-git@localhost/home/bandit29-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit29/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit29/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit29-git@localhost's password:
remote: Counting objects: 16, done.
remote: Compressing objects: 100% (11/11), done.
remote: Total 16 (delta 2), reused 0 (delta 0)
Receiving objects: 100% (16/16), done.
Resolving deltas: 100% (2/2), done.
bandit29@bandit:/tmp/98038$ ls -lF repo/
total 4
-rw-r--r-- 1 bandit29 root 131 Nov 25 13:06 README.md
bandit29@bandit:/tmp/98038$ cat repo/README.md
# Bandit Notes
Some notes for bandit30 of bandit.
## credentials
- username: bandit30
- password: <no passwords in production!>
bandit29@bandit:/tmp/98038$ cat repo/.git/packed-refs
# pack-refs with: peeled fully-peeled
33ce2e95d9c5d6fb0a40e5ee9a2926903646b4e3 refs/remotes/origin/dev
84abedc104bbc0c65cb9eb74eb1d3057753e70f8 refs/remotes/origin/master
2af54c57b2cb29a72e8f3e84a9e60c019c252b75 refs/remotes/origin/sploits-dev
bandit29@bandit:/tmp/98038$ cd repo ; git checkout 33ce2e95d9c5d6fb0a40e5ee9a2926903646b4e3
HEAD is now at 33ce2e9... add data needed for development
bandit29@bandit:/tmp/98038/repo$ ls -lF
total 8
drwxr-sr-x 2 bandit29 root 4096 Nov 24 17:11 code/
-rw-r--r-- 1 bandit29 root 134 Nov 24 17:11 README.md
bandit29@bandit:/tmp/98038/repo$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.
## credentials
- username: bandit30
- password: 5b90576bedb2cc04c86a9e924ce42faf
Level 30 → Level 31
Level Goal
There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo. The password for the user bandit30-git is the same as for the user bandit30.
Clone the repository and find the password for the next level.
Commands you may need to solve this level
git
Solution
bandit30@bandit:~$ mkdir /tmp/27719/ ; cd /tmp/27719/
bandit30@bandit:/tmp/27719$ git clone ssh://bandit30-git@localhost/home/bandit30-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit30/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit30/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit30-git@localhost's password:
remote: Counting objects: 4, done.
remote: Total 4 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (4/4), done.
bandit30@bandit:/tmp/27719$ ls -lF repo/README.md
-rw-r--r-- 1 bandit30 root 30 Nov 24 17:16 repo/README.md
bandit30@bandit:/tmp/27719$ cat repo/README.md
just an epmty file... muahaha
bandit30@bandit:/tmp/27719$ cat repo/.git/packed-refs
# pack-refs with: peeled fully-peeled
3aa4c239f729b07deb99a52f125893e162daac9e refs/remotes/origin/master
f17132340e8ee6c159e0a4a6bc6f80e1da3b1aea refs/tags/secret
bandit30@bandit:/tmp/27719$ cd repo/ ; git tag
secret
bandit30@bandit:/tmp/27719/repo$ git show secret
47e603bb428404d265f59c42920d81e5
Level 31 → Level 32
Level Goal
There is a git repository at ssh://bandit31-git@localhost/home/bandit31-git/repo. The password for the user bandit31-git is the same as for the user bandit31.
Clone the repository and find the password for the next level.
Commands you may need to solve this level
git
Solution
bandit30@bandit:~$ mkdir /tmp/02203/ ; cd /tmp/02203/
bandit31@bandit:/tmp/02203$ git clone ssh://bandit31-git@localhost/home/bandit31-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit31/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit31/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit31-git@localhost's password:
remote: Counting objects: 4, done.
remote: Compressing objects: 100% (3/3), done.
remote: Total 4 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (4/4), done.
bandit31@bandit:/tmp/02203$ ls -lF repo/
total 4
-rw-r--r-- 1 bandit31 root 147 Nov 25 13:10 README.md
bandit31@bandit:/tmp/02203$ cat repo/README.md
This time your task is to push a file to the remote repository.
Details:
File name: key.txt
Content: 'May I come in?'
Branch: master
bandit31@bandit:/tmp/02203$ cd repo
bandit31@bandit:/tmp/02203/repo$ echo 'May I come in?' > key.txt
bandit31@bandit:/tmp/02203/repo$ git add -f key.txt
bandit31@bandit:/tmp/02203/repo$ git commit -m 'push key.txt'
[master 6e95227] push key.txt
1 file changed, 1 insertion(+)
create mode 100644 key.txt
bandit31@bandit:/tmp/02203/repo$ git push
Could not create directory '/home/bandit31/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit31/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit31-git@localhost's password:
Counting objects: 3, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 323 bytes | 0 bytes/s, done.
Total 3 (delta 0), reused 0 (delta 0)
remote: ### Attempting to validate files... ####
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
remote: Well done! Here is the password for the next level:
remote: 56a9bf19c63d650ce78e6ec0354ee45e
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
To ssh://localhost/home/bandit31-git/repo
! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'ssh://bandit31-git@localhost/home/bandit31-git/repo'
Level 32 → Level 33
After all this git stuff its time for another escape. Good luck!
Commands you may need to solve this level
sh, man
Solution
bandit32:x:11032:11032:bandit level 32:/home/bandit32:/home/bandit32/uppershell
bandit31@bandit:~$ cat /home/bandit32/uppershell
cat: /home/bandit32/uppershell: Permission denied
>> $0
$ cat /etc/bandit_pass/bandit33
c9c3199ddf4121b10cf581a98d51caee
Level 33 → Level 34
At this moment, level 34 does not exist yet.
Solution
bandit33@bandit:~$ ls -lF
total 4
-rw------- 1 bandit33 bandit33 430 Oct 16 14:00 README.txt
bandit33@bandit:~$ cat README.txt
Congratulations on solving the last level of this game!
At this moment, there are no more levels to play in this game. However, we are constantly working
on new levels and will most likely expand this game with more levels soon.
Keep an eye out for an announcement on our usual communication channels!
In the meantime, you could play some of our other wargames.
If you have an idea for an awesome new level, please let us know!