OverTheWire Bandit

OverTheWire - Bandit Level (0-34) Writeup

A series of writeups for OverTheWire Bandit, Level 0 to Level 34, for beginners. Each stage gives you a password for the next stage, which you use to log in and get the next password, and so on.

Check it out here: http://overthewire.org/wargames/bandit/ 

Recommendation:

Try to solve each level on your own. It is the only true way to learn. Before you start, note that every level has a link for the commands you need to understand, or you can read the manpages of the commands.

Level 0 Enter The Game

The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.

To connect from your Linux machine using ssh, use the command below:

ssh -p 2220 bandit0@bandit.labs.overthewire.org

..........

Level 0 → Level 1

Link → Level 0 -> Level 1

Level Goal

The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.

Commands you may need to solve this level

ls, cd, cat, file, du, find

Once you connect, simply run the ls command to view the current directory as instructed by the level’s hint, and see that there is just one file, readme. Let's cat the readme file to view its content.


The password to gain access to the next level is : boJ9jbbUNNfktd78OOpsqOltutMc3MY1

..........

Level 1 → Level 2

Link → Level 1 -> Level 2

Level Goal

The password for the next level is stored in a file called - located in the home directory

Commands you may need to solve this level

ls, cd, cat, file, du, find

Helpful Reading Material

Log in as usual to the account with the password you retrieved from the previous level.

As the hint suggests, you need to check the content of the file named -. Normally, cat would be the command we run to view the contents of a file, but cat treats a bare - as standard input, so the terminal just waits for input and appears stuck.

In order to read this file, you need to provide a path to the file instead of simply passing the file name to cat.

$ cat ./-

The password to gain access to the next level is : CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

..........

Level 2 → Level 3

Link → Level 2 -> Level 3

Level Goal

The password for the next level is stored in a file called spaces in this filename located in the home directory

Commands you may need to solve this level

ls, cd, cat, file, du, find

Helpful Reading Material

You can run ls as usual to see what is in the current directory, and we do see the spaces in this filename file.

As usual, we'll run cat to check out the file. Since there are spaces in the name of the file, an unquoted name is split at each space and cat treats each word as a separate file.

To complete this task, either put a backslash before each space, or quote the entire file name as a single string.

  1. Adding backslash before each space
  2. Adding double quote to embed the file name
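
The commands for Levels 1 and 2, as an added example that is not part of the original writeup. The temporary directory and the file contents are constructed; the function names are hypothetical. It also shows why a bare - appears to hang: cat reads standard input instead of the file.

```bash
#!/usr/bin/env bash
# Added example, not from the original writeup. The directory and the file
# contents are constructed; only the two file names come from the levels.

make_demo_home() {
    local d
    d=$(mktemp -d)
    echo "constructed-dash"   > "$d/-"
    echo "constructed-spaces" > "$d/spaces in this filename"
    echo "$d"
}

# Level 1, the trap: a bare "-" operand means "read standard input", so cat
# waits for the keyboard (here it returns whatever is piped in instead).
# "cat -- -" behaves the same: "--" ends the options, but "-" is still stdin.
cat_dash_naive() { ( cd "$1" && cat - ); }

# Level 1, two fixes: give a path so the operand is no longer a lone "-",
# or let the shell open the file so cat never sees the name at all.
cat_dash_path()     { ( cd "$1" && cat ./- ); }
cat_dash_redirect() { ( cd "$1" && cat < - ); }

# Level 2: unquoted, the shell would split the name into four operands.
# Escape every space with a backslash, or quote the whole name.
cat_spaces_backslash() { ( cd "$1" && cat spaces\ in\ this\ filename ); }
cat_spaces_quoted()    { ( cd "$1" && cat "spaces in this filename" ); }
```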

The password to gain access to the next level is : UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

..........

Level 3 → Level 4

Link → Level 3 -> Level 4

Level Goal

The password for the next level is stored in a hidden file in the inhere directory.

Commands you may need to solve this level

ls, cd, cat, file, du, find

You can run ls as usual to see what is in the current directory, and we can clearly see the inhere directory. Let's cd into that.

Now when we ls, we see nothing!

Note that the challenge description told us that this was a hidden file. In order to see these files, we still run the ls command, but now we supply the -a flag. Now we can see the hidden file. Cat out the file to get the key for the next level.

The password to gain access to the next level is : pIwrPrtPN36QITSp3EQaw936yaFoFgAB

..........

Level 4 → Level 5

Link → Level 4 -> Level 5

Level Goal

The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.

Commands you may need to solve this level

ls, cd, cat, file, du, find

You can run ls as usual to see what is in the current directory, and we can clearly see the inhere directory. Let's cd into that.

Navigate to the directory inhere found in the home folder using cd. ‘ls’ reveals a list of 10 files all beginning with ‘-file0’ and ending with numbers 0–9.

Since only one file is human-readable and contains the password to the next round, instead of opening the files one by one and reading their content, why not print all of their content and spot the password?

Use the wildcard * in place of the digits 0–9, and keep a ./ prefix in front of the pattern because the file names start with a dash. I see a bunch of garbage, but one of these outputs is human-readable and looks like most passwords we have seen before!

The password to gain access to the next level is : koReBOKuIDDepwhWk7jZC0RTdopnAYKh

..........

Level 5 → Level 6

Link → Level 5 -> Level 6

Level Goal

The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:

  • human-readable
  • 1033 bytes in size
  • not executable

Commands you may need to solve this level

ls, cd, cat, file, du, find

You can run ls as usual to see what is in the current directory, and we can clearly see the inhere directory. Let's cd into that.

We will find 20 directories, each with a couple of files.

So you can look for files with specific properties using the find command.

We need to narrow down the scope using the hints given to us, for instance, a file that is human-readable and 1033 bytes in size.

The find command is extremely handy: with its size and readable parameters, finding what you need is easy. Keep in mind that find's -readable test checks read permission, not whether the content is text.

The password to gain access to the next level is : DXjZPULLxYr17uwoI01bNLQbtFemEgo7

..........

Level 6 → Level 7

Link → Level 6 -> Level 7

Level Goal

The password for the next level is stored somewhere on the server and has all of the following properties:

  • owned by user bandit7
  • owned by group bandit6
  • 33 bytes in size

Commands you may need to solve this level

ls, cd, cat, file, du, find, grep

The challenge description tells us the file is somewhere on the server. So we've got to look everywhere.

If you read the manpage of the find command very carefully, you should very easily be able to piece together what command we need to run to find our file.

The find command for this level performs a search from the root directory, as indicated by the slash (/) right after find. The other parameters include:

  1. user, which defines the file owner, bandit7

  2. group, which defines the file group, bandit6 in this case

  3. size, which defines the size of the file. 33c means 33 bytes of characters
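
The find tests for Levels 5 and 6, as an added example that is not part of the original writeup, run against a constructed directory tree. Directory names, file names and function names are assumptions; grep -I is added to test for text content, which -readable does not check.

```bash
#!/usr/bin/env bash
# Added example, not from the original writeup. The tree below is constructed.

make_demo_tree() {
    local d
    d=$(mktemp -d)
    mkdir "$d/dir00" "$d/dir01"
    head -c 1033 /dev/zero | tr '\0' 'a' > "$d/dir00/-file1"   # text, right size
    head -c 1033 /dev/zero               > "$d/dir00/-file2"   # right size, binary
    head -c 1033 /dev/zero | tr '\0' 'b' > "$d/dir01/-file1"
    chmod +x "$d/dir01/-file1"                                 # right size, executable
    head -c 1000 /dev/zero | tr '\0' 'c' > "$d/dir01/-file2"   # text, wrong size
    # 32 characters plus a newline = 33 bytes
    printf '%s\n' 0123456789abcdef0123456789abcdef > "$d/dir01/pw"
    echo "$d"
}

# Level 5: exact size in bytes (the "c" suffix), readable, not executable.
# -readable is a permission test only, so "grep -Iq ." is used as an extra
# predicate: it succeeds only for files that grep does not classify as binary.
find_text_file() {  # dir size_in_bytes
    find "$1" -type f -size "${2}c" -readable ! -executable \
        -exec grep -Iq . {} \; -print 2>/dev/null
}

# Level 6: owner, group and size, searched from a starting directory
# (/ on the level). 2>/dev/null hides the "Permission denied" messages that
# a search across the whole file system produces.
find_owned() {  # start_dir user group size_in_bytes
    find "$1" -type f -user "$2" -group "$3" -size "${4}c" 2>/dev/null
}
```

On the level itself the Level 6 call corresponds to find_owned / bandit7 bandit6 33.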

The password to gain access to the next level is : HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

..........

Level 7 → Level 8

Link → Level 7 -> Level 8

Level Goal

The password for the next level is stored in the file data.txt next to the word millionth

Commands you may need to solve this level

grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

If we ls we can clearly see that file in our home directory data.txt. Let's cat it out:

The challenge description tells us that the key is next to the word "millionth" in this file... well, okay, seems like we ought to search for that word.

This level is actually very simple. Simply cat the file and then grep for the keyword mentioned in the hint, “millionth”.

The password to gain access to the next level is : cvX2JJa4CFALtqS87jk27qwqGhBM9plV

..........

Level 8 → Level 9

Link → Level 8 -> Level 9

Level Goal

The password for the next level is stored in the file data.txt and is the only line of text that occurs only once

Commands you may need to solve this level

grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

Helpful Reading Material

This level can be quite tricky if you don’t know about commands like sort and uniq and how they really work.

First look at the man pages of the sort and uniq commands, in particular uniq -u, and how they work.

The level goal specifies that the line of interest occurs only once, which means that there is repeated data.

To identify the unique line, cat out the file; pipe it to the sort command to sort the output; pipe the sorted output to the uniq command with the -u switch. Sorting comes first because uniq only compares adjacent lines. The result will be a single line of text, which is the key for level 9.

cat data.txt | sort | uniq -u

The password to gain access to the next level is : UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

..........

Level 9 → Level 10

Link → Level 9 -> Level 10

Level Goal

The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.

Commands you may need to solve this level

grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

This level is similar to previous levels, which basically require us to search for the password in a text file.

However, the difficulty is that you cannot perform the cat+grep command on it because it is a “binary” file instead of a text file.

Well, great. The challenge prompt tells us that the password is in a human-readable string beginning with several = characters, so we can scrape all of those out, can't we?

That is where the strings command comes in nicely. strings was listed in the "commands you may need to solve this level," so I would hope that you have taken a look at it.

Simply, strings will grab all the human readable strings out of a file (or output). So, let's try and feed it the data.txt file!

Use the command strings to extract only human readable output and pipe the result into grep to search for sequential occurrence of ‘=’ character.

The password to gain access to the next level is : truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk

..........

Level 10 → Level 11

Link → Level 10 -> Level 11

Level Goal

The password for the next level is stored in the file data.txt, which contains base64 encoded data

Commands you may need to solve this level

grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

Helpful Reading Material

Base64 on Wikipedia

This level basically introduces us to base64 encoding, one of the most commonly used methods to encode data.

If you cat out the file, you will find the base64 encoded data. To decode use the base64 command with the -d switch. The output reveals the key for level 11.

The password to gain access to the next level is : IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

..........

Level 11 → Level 12

Link → Level 11 -> Level 12

Level Goal

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions

Commands you may need to solve this level

grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

Helpful Reading Material

Rot13 on Wikipedia

As provided in the hint, we are required to perform a ROT13 “decode” on the file given.

The level goal provides the clue that the text has been transformed using rot-13 cipher, a substitution cipher which rotates the characters by 13 positions. To reverse this, we can use the ‘tr’ command by providing the original set and key set which would be rotated by 13 positions.

For example, A, B, C, D... becomes N, O, P, Q...

cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'

Or you can use an online ROT13 tool.

The password to gain access to the next level is : 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

..........

Level 12 → Level 13

Link → Level 12 -> Level 13

Level Goal

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)

Commands you may need to solve this level

grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd, mkdir, cp, mv, file

Helpful Reading Material

Hex dump on Wikipedia

Warning: This level sucks, and takes a little bit of time.

The data.txt file is again in the home directory. As usual, that is what we will be working with.

First, let’s copy the file to a new directory in the /tmp folder under your name (create one using the mkdir command!).

mkdir /tmp/mrreh

cp data.txt /tmp/mrreh

cd /tmp/mrreh

Now we have to reverse the hexdump using the xxd command,

xxd -r data.txt > mrreh
file mrreh

After reversing the hexdump, run the file command to check what kind of file it is.

From here onwards, the flow goes like this,

  1. Identify what type of file is this, using the file command

  2. Rename it with the mv command so that it has the file extension of that format

  3. Decompress/unzip the files using the correct type of tool

  4. Repeat the above process until you have the file
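
The identify-and-decompress loop from the list above, automated as an added example that is not part of the original writeup. Instead of calling file it reads the magic bytes with od (the signatures that file reports on), and it streams each layer through stdin so no renaming is needed; function names, layer file names and the 32-layer guard are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original writeup. File names are constructed.

# Step 0 on the level: turn the hexdump back into bytes.
reverse_hexdump() {  # hexdump_file output_file
    xxd -r "$1" > "$2"
}

# Name the format from the leading magic bytes:
# gzip = 1f 8b, bzip2 = "BZh" (42 5a 68), tar = "ustar" at offset 257.
detect_format() {  # file
    local magic ustar
    magic=$(od -An -tx1 -N3 "$1" | tr -d ' \n')
    ustar=$(od -An -c -j257 -N5 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        1f8b*)  echo gzip ;;
        425a68) echo bzip2 ;;
        *)      if [ "$ustar" = "ustar" ]; then echo tar; else echo data; fi ;;
    esac
}

# Peel one layer at a time until the content is no longer a known container,
# then print what is left. Reading from stdin (-dc <) avoids the need to
# rename each file to .gz or .bz2 first.
unwrap_layers() {  # input_file work_dir
    local cur="$1" work="$2" n=0 fmt next
    while [ "$n" -lt 32 ]; do            # guard against endless nesting
        fmt=$(detect_format "$cur")
        echo "layer $n: $fmt" >&2
        next="$work/layer$((n + 1))"
        case "$fmt" in
            gzip)  gzip  -dc < "$cur" > "$next" ;;
            bzip2) bzip2 -dc < "$cur" > "$next" ;;
            tar)   tar -xOf "$cur" > "$next" ;;   # archive with a single member
            *)     break ;;
        esac
        cur="$next"
        n=$((n + 1))
    done
    cat "$cur"
}
```

On the level, run reverse_hexdump data.txt layer0 in your /tmp directory first, then unwrap_layers layer0 . to print the final text.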

It basically follows the flow which I described above.

The password to gain access to the next level is : 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

..........

Level 13 → Level 14

Link → Level 13 -> Level 14

Level Goal

The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note:localhost is a hostname that refers to the machine you are working on

Commands you may need to solve this level

ssh, telnet, nc, openssl, s_client, nmap

Helpful Reading Material

SSH/OpenSSH/Keys

Let's check out the current directory with ls and see what we've got to work with.

Oooh! It looks like it gives us an SSH private key. If you know a bit more about ssh (hint: read the man pages), you'll know you can use this as a kind of identification file to log in with. It removes the need for a password when you ssh.

You use this with the -i argument, and specify the file you are using as your private key, then continue your regular ssh syntax.

Remember to specify the bandit14 user as the user you want to log in as!

Enter 'yes' to accept, and log right in. Now that we are logged in as bandit14, let's check out our current password...

The password to gain access to the next level is : 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

..........

Level 14 → Level 15

Link → Level 14 -> Level 15

Level Goal

The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

Commands you may need to solve this level

ssh, telnet, nc, openssl, s_client, nmap

Helpful Reading Material

Netcat is a simple unix utility which reads and writes data across network connections, using TCP or UDP protocol.

The challenge prompt tells us we have to submit our current password to the port 30000 on our current machine, localhost.

nc localhost 30000

The password to gain access to the next level is : BfMYroe26WYalil77FoDi9qh59eK5xNr

..........

Level 15 → Level 16

Link → Level 15 -> Level 16

Level Goal

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…

Commands you may need to solve this level

ssh, telnet, nc, openssl, s_client, nmap

Helpful Reading Material

In this level, we have to connect to port 30001 on localhost using SSL encryption. We can do it using the openssl command.

The password to gain access to the next level is : cluFn7wTiGryunymYOu4RcffSxQluehd

..........

Level 16 → Level 17

Link → Level 16 -> Level 17

Level Goal

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

Commands you may need to solve this level

ssh, telnet, nc, openssl, s_client, nmap

Helpful Reading Material

Port scanner on Wikipedia

This level requires a basic understanding of port scanning and service identification. First, let’s perform a port scan to identify the open ports in the range 31000 to 32000.

$ nmap localhost -p31000-32000

It found 2 ports. Now, the challenge prompt tells us that the port we want is using SSL, so we have to connect to it with the openssl s_client -connect command again. We see that port 31790 is able to accept an SSL connection, which means that port 31790 is our target.

This one kept the connection open. It is just waiting for our input. If you enter the password for this level, you get the RSA private key.

$ openssl s_client -connect localhost:31790

The private key for accessing the next level is served on port 31790! Now we have to save this RSA private key into a file in a tmp directory and then use it to connect to the next level. You should encounter an error message, which is a good learning point with regard to RSA key permissions: ssh refuses to use a private key file that other users can read. The fix is very simple: modify the file permission, set it to 600, and you are good to go!

Now you should try and connect with ssh and the private key again...

$ ssh -i /tmp/mr/17.key [email protected]

The password to gain access to the next level is : xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn

..........

Level 17 → Level 18

Link → Level 17 -> Level 18

Level Goal

There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new

NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19

Commands you may need to solve this level

cat, grep, ls, diff

There are 2 password files in the home directory. As the hint goes, new vs old, the first thing that comes to mind is to run diff on them.

The password to gain access to the next level is : kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd

Note that when you try and log in, you are greeted with Byebye! and kicked out of your bandit18 shell. This is okay!

..........

Level 18 → Level 19

Link → Level 18 -> Level 19

Level Goal

The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

Commands you may need to solve this level

ssh, ls, cat

In this level, we need to connect using ssh -t. The -t parameter basically opens a pseudo-tty within the session, with output in the same screen. The ssh session closes when the command completes. This way, you can quickly run a command before the connection closes and kicks you out with a “Byebye!”.

$ ssh [email protected] -p 2220 ls

Notice my ls command tacked on at the very end? Once you enter the password, you should be able to see the output:

readme

The challenge prompt told us there is a readme file in the home directory that has the password for the next level. This must be that file! Let's try and cat it out, the same way we ran the last command (as an argument to ssh).

The password to gain access to the next level is : IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

..........

Level 19 → Level 20

Link → Level 19 -> Level 20

Level Goal

To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

Helpful Reading Material

setuid on Wikipedia

You will find an executable named bandit20-do in the home directory. Running the executable without any parameters provides helpful info on how to use the file. It should also be noted that the file has the suid bit set, and the file is owned by the user bandit20 and the group bandit19. It’s interesting because it allows us to run a command or do anything as bandit20.

The password to gain access to the next level is : GbKksEFF4yrVs6il55v6gwY5aVje5f0j

..........

Level 20 → Level 21

Link → Level 20 -> Level 21

Level Goal

There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: Try connecting to your own network daemon to see if it works as you think

Commands you may need to solve this level

ssh, nc, cat, bash, screen, tmux, Unix ‘job control’ (bg, fg, jobs, &, CTRL-Z, …)

The challenge prompt tells us that there is another new setuid binary in the home directory. If we ls, we should be able to see it.

The challenge prompt tells us that this program will "make a connection to localhost on the port you specify as a command-line argument." So, if we don't pass it an argument, it tells us:

$ ./suconnect
Usage: ./suconnect <portnumber>
This program will connect to the given port on localhost using TCP. If it receives the correct password from the other side, the next password is transmitted back

The notes in this challenge prompt explain that we will need to connect to this level with ssh twice -- once to start the listening server, and then again to run the new suconnect setuid binary.

Now we set up our own listener with the current level password. In the first terminal, listen on port 12345 (or any free port) using nc with the -l and -p switches for listening and port respectively. Pass the current password to the session. In the second terminal, run the executable suconnect with 12345 as the port parameter. It should show that it read the current password, that the password matched, and that it sent the next password.

The password to gain access to the next level is : gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr

..........

Level 21 → Level 22

Link → Level 21 -> Level 22

Level Goal

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

Commands you may need to solve this level

cron, crontab, crontab(5) (use “man 5 crontab” to access this)

This level is very simple. As hinted by the clue, just navigate to the /etc/cron.d directory and look at the files; you will notice the cronjob_bandit22 file.

Since cronjob_bandit22.sh is the only file which is related to this level, let’s view its content.

Now we know that file /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv contains the password for the next level. We can view the password using command cat

The password to gain access to the next level is : Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

..........

Level 22 → Level 23

Link → Level 22 -> Level 23

Level Goal

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.

Commands you may need to solve this level

cron, crontab, crontab(5) (use “man 5 crontab” to access this)

Like what we have done in the previous level, let’s navigate to the /etc/cron.d path and check the cronjob files.

Notice that cronjob_bandit23 runs the /usr/bin/cronjob_bandit23.sh script? Let’s view its content.

To generate the new hash, run echo I am user bandit23 | md5sum | cut -d ' ' -f 1 in the terminal. The new hash is 8ca319486bfbbc3663ea0fbe81326349, and this is the name of the file in the tmp directory.

To see password run cat /tmp/8ca319486bfbbc3663ea0fbe81326349

The password to gain access to the next level is : jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n

..........

Level 23 → Level 24

Link → Level 23 -> Level 24

Level Goal

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!

NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…

Commands you may need to solve this level

cron, crontab, crontab(5) (use “man 5 crontab” to access this)

Like what we have done in the previous level, let’s navigate to the /etc/cron.d path and check the cronjob files.

Notice that cronjob_bandit24 runs the /usr/bin/cronjob_bandit24.sh script? Let’s view its content.

As usual for levels which require us to write, we have to create our own file directory in /tmp and then create a script which output the password file there, and then move it over to the /var/spool/$myname directory.

Script:

#!/bin/sh
cat /etc/bandit_pass/bandit24 > /tmp/reh/pass

Important: remember to change the permission of your script before copying it to the /var/spool/bandit24 folder or it will not be run by the bandit24 account. It took me a few tries to notice it.

The scripts in /var/spool/bandit24 will be run once and then purged away every minute.

The password to gain access to the next level is : UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

..........

Level 24 → Level 25

Link → Level 24 -> Level 25

Level Goal

A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.

To complete this level, you will need to brute-force your way into getting the desired response. To receive the password for level 25, you need to send the password for the current level and a 4-digit pin separated by a space. That is a total of 10000 combinations (0000 to 9999). To brute-force the pin, we will write a shell script in the /tmp/mrreh directory.

The script is

#!/bin/bash
for i in {0000..9999}
do echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i"
done

The name of the script is bruteforcescript.sh; let's make it executable. After that, we will run the script, and the file pass.txt will store all combinations of the password with a 4-digit number.

We will feed pass.txt to nc localhost at port 30002 and then we will feed the output to a file called result.txt. This will make reading the password easier. Now using the sort command combined with the uniq command, we will extract the correct password easily.

The password to gain access to the next level is : uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

..........

Level 25 → Level 26

Link → Level 25 -> Level 26

Level Goal

Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.

Commands you may need to solve this level

ssh, cat, more, vi, ls, id, pwd

Once logged in, you will find the ssh private key to connect into bandit26 in the home directory.

However, after you logged into bandit26, you will be logged out immediately, “Connection to localhost closed.”

The challenge prompt says that, "The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it."

To see what it is, check the line for bandit26 on /etc/passwd. On login for bandit26, a script named showtext is run. On cat out showtext, we see that it opens up a txt file via more and exits.

The man page for more does describe certain hotkeys that you can enter to do other interesting things, like try and run a command within a subshell or even open an editor, like vi / vim.

However, we can only interact with the more command in this way if it "pages" the output, and stops to wait for you to scroll. Since the banner text from earlier is so small, this typically doesn't happen...

How can we make it "page"? Well.... can we resize our terminal window to a very very small height... smaller than the height of the banner, and try connecting again. This time, the session holds within more, with a prompt to scroll for more.

Press ‘v’ to enter vim. Now type :r followed by the location of the password file, /etc/bandit_pass/bandit26, to read the password for the next level!

The password to gain access to the next level is : 5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z

..........

Level 26 → Level 27

Link → Level 26 -> Level 27

Level Goal

Good job getting a shell! Now hurry and grab the password for bandit27!

Commands you may need to solve this level

ls

Do note that the shell is still not bash. When connecting, ensure that the terminal window is resized to a very very small height... smaller than the height of the banner.

Once logged in and the window displays the text file in more, enter ‘v’ to start vim. To break out of vim and into a shell, re-set the shell variable to /bin/bash using the set command :set shell=/bin/bash . Type :!sh and press enter to exit to the shell.

You will get a $ prompt. Type bash and press enter to get the complete bash prompt. An executable named bandit27-do is present in the home directory.

Ok that’s interesting. Reading the txt file shows it’s just the bandit 26 banner so our focus is on the bandit27-do file.

We can run commands as user bandit27. Let’s read the password file located at /etc/bandit_pass/bandit27.

./bandit27-do cat /etc/bandit_pass/bandit27

The password to gain access to the next level is : 3ba3118a22e93127a4ed485be72ef5ea

..........

Level 27 → Level 28

Link → Level 27 -> Level 28

Level Goal

There is a git repository at ssh://[email protected]/home/bandit27-git/repo. The password for the user bandit27-git is the same as for the user bandit27.

Clone the repository and find the password for the next level.

Commands you may need to solve this level

git

Let’s find the password for the next level.

Clone the git repository, however you won’t be able to clone it to the home directory so first make our own folder in tmp.

Command to clone : git clone ssh://[email protected]/home/bandit27-git/repo

and enter this level’s password : 3ba3118a22e93127a4ed485be72ef5ea

 

The password to gain access to the next level is : 0ef186ac70e04ea33b4c1853d2526fa2

..........

Level 28 → Level 29

Link → Level 28 -> Level 29

Level Goal

There is a git repository at ssh://[email protected]/home/bandit28-git/repo. The password for the user bandit28-git is the same as for the user bandit28.

Clone the repository and find the password for the next level.

Commands you may need to solve this level

git

Initial part is same as the previous level. Clone the repository in your tmp directory.

But the README.md file does not contain the password.

To see the changes made in the commit, we will use the git show command to read the changes made. As expected, we found the password inside this commit.

The password to gain access to the next level is : bbc96594b4e001778eee9975372716b2

..........

Level 29 → Level 30

Link → Level 29 -> Level 30

Level Goal

There is a git repository at ssh://[email protected]/home/bandit29-git/repo. The password for the user bandit29-git is the same as for the user bandit29.

Clone the repository and find the password for the next level.

Commands you may need to solve this level

git

Initial part is same as the previous level. Clone the repository in your tmp directory.

Navigate into the directory to find a README file. Cat out the file. The content shows that the password has been changed to <no passwords in production!>. Therefore we have to see whether there are different branches of this repository.

We list all the branches in this git using the git branch command. It shows us that we have another branch called dev.

After switching to dev branch, we run ls command to see that we have a README file. Upon reading that file we get the Password for next Level.

The password to gain access to the next level is : 5b90576bedb2cc04c86a9e924ce42faf

..........

Level 30 → Level 31

Link → Level 30 -> Level 31

Level Goal

There is a git repository at ssh://[email protected]/home/bandit30-git/repo. The password for the user bandit30-git is the same as for the user bandit30.

Clone the repository and find the password for the next level.

Commands you may need to solve this level

git

Initial part is same as the previous level. Clone the repository in your tmp directory.

Looking into the repository we just cloned, cat out the README.md file. It shows:

This is “just an empty file”.

The git tag command can create, list, delete or verify a tag object signed with GPG. Running it here tells us about the secret tag. We can view this tag using git show secret and we get the password for the next level.
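
Levels 28 to 30 rely on the same fact: removing a secret from the checked-out files does not remove it from the repository. The following added example (not part of the original writeup; the repository contents, the password: marker and the function names are constructed) rebuilds the three cases and lists what an audit of a clone still finds.

```bash
#!/usr/bin/env bash
# Added example, not from the original writeup. All contents are constructed.

# git wrapper with a throwaway identity so commits work on any machine
_git() { local r="$1"; shift; git -C "$r" -c user.name=demo -c user.email=demo@example.invalid "$@"; }

make_demo_repo() {
    local repo blob
    repo=$(mktemp -d)
    git init -q "$repo"
    echo "password: CONSTRUCTED-HISTORY" > "$repo/README.md"
    _git "$repo" add README.md
    _git "$repo" commit -q -m "add credentials"
    echo "password: xxxxxxxxxx" > "$repo/README.md"      # Level 28: overwritten in a later commit
    _git "$repo" commit -q -am "fix info leak"
    _git "$repo" checkout -q -b dev                      # Level 29: present only on another branch
    echo "password: CONSTRUCTED-BRANCH" > "$repo/README.md"
    _git "$repo" commit -q -am "dev notes"
    _git "$repo" checkout -q -                           # back to the first branch
    blob=$(echo "CONSTRUCTED-TAG" | _git "$repo" hash-object -w --stdin)
    _git "$repo" tag secret "$blob"                      # Level 30: tag pointing straight at a blob
    echo "$repo"
}

# Every distinct matching line in any commit reachable from any branch or tag.
secrets_in_commits() {  # repo pattern
    local repo="$1" pattern="$2"
    git -C "$repo" rev-list --all |
        while read -r rev; do
            git -C "$repo" grep -h -e "$pattern" "$rev" || true
        done | sort -u
}

# Refs that point at a blob are skipped by "git log --all", so list them
# separately and print what they hold.
blobs_behind_refs() {  # repo
    local repo="$1"
    git -C "$repo" for-each-ref --format='%(objecttype) %(refname)' |
        while read -r type ref; do
            if [ "$type" = blob ]; then
                printf '%s: %s\n' "$ref" "$(git -C "$repo" cat-file -p "$ref")"
            fi
        done
}
```

The working tree of the demo repository shows only the xxxxxxxxxx line, while the two functions still return the history, branch and tag values.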

The password to gain access to the next level is : 47e603bb428404d265f59c42920d81e5

..........

Level 31 → Level 32

Link → Level 31 -> Level 32

Level Goal

There is a git repository at ssh://[email protected]/home/bandit31-git/repo. The password for the user bandit31-git is the same as for the user bandit31.

Clone the repository and find the password for the next level.

Commands you may need to solve this level

git

Initial part is same as the previous level. Clone the repository in your tmp directory.

Looking into the repository we just cloned, cat out the README.md file.

Hmm, it seems like we need to follow the instruction to push a file to the remote repository this time. Let’s do it.

touch key.txt
echo "May I come in?" > key.txt
git add key.txt

But when we try to add the file, git tells us that the .gitignore file is ignoring it.

git add -f key.txt
git commit -m "Upload File"
git push origin master

The password to gain access to the next level is : 56a9bf19c63d650ce78e6ec0354ee45e

..........

Level 32 → Level 33

Link → Level 32 -> Level 33

Level Goal

After all this git stuff its time for another escape. Good luck!

Commands you may need to solve this level

sh, man

After login, we are greeted with the message “Welcome to the Uppercase shell”. The shell converts every command into uppercase. We need to fix it and gain the normal shell again. After some research, we found that we can bypass this uppercase shell using an escape character ‘$0’.

So let’s try it..

$0

Enter bash for full prompt. Now we can access the /etc/bandit_pass/bandit33 file to get the password for the next level.

The password to gain access to the next level is : c9c3199ddf4121b10cf581a98d51caee

..........

Level 33 → Level 34

Link → Level 33 -> Level 34

Level Goal

At this moment, level 34 does not exist yet.

..........
