First of all, all the passwords are stored in /etc/bandit_pass in bandit.labs.overthewire.org, but we don’t have the permission to look at them unless we’re the user at a higher level.


Level 0

The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.

1
2
~ ssh -p 2220 bandit0@bandit.labs.overthewire.org
bandit0@bandit:~$

Level 0 -> Level 1

The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.

1
2
3
4
bandit0@bandit:~$ ls
readme
bandit0@bandit:~$ cat readme
boJ9jbbUNNfktd78OOpsqOltutMc3MY1

Level 1 -> Level 2

The password for the next level is stored in a file called - located in the home directory

1
2
3
4
5
~ ssh -p 2220 bandit1@bandit.labs.overthewire.org
bandit1@bandit:~$ ls
-
bandit1@bandit:~$ cat ./-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

Level 2 -> Level 3

The password for the next level is stored in a file called spaces in this filename located in the home directory

1
2
3
4
5
~ ssh -p 2220 bandit2@bandit.labs.overthewire.org
bandit2@bandit:~$ ls
spaces in this filename
bandit2@bandit:~$ cat spaces\ in\ this\ filename
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

Level 3 -> Level 4

The password for the next level is stored in a hidden file in the inhere directory.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
~ ssh -p 2220 bandit3@bandit.labs.overthewire.org
bandit3@bandit:~$ ls
inhere
bandit3@bandit:~$ cd inhere/
bandit3@bandit:~/inhere$ ls -al
total 12
drwxr-xr-x 2 root    root    4096 Dec 28  2017 .
drwxr-xr-x 3 root    root    4096 Dec 28  2017 ..
-rw-r----- 1 bandit4 bandit3   33 Dec 28  2017 .hidden
bandit3@bandit:~/inhere$ cat .hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB

Level 4 -> Level 5

The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
~ ssh -p 2220 bandit4@bandit.labs.overthewire.org
bandit4@bandit:~$ ls
inhere
bandit4@bandit:~$ cd inhere
bandit4@bandit:~/inhere$ ls
-file00  -file01  -file02  -file03  -file04  -file05  -file06  -file07  -file08  -file09
bandit4@bandit:~/inhere$ file ./*
./-file00: data
./-file01: data
./-file02: data
./-file03: data
./-file04: data
./-file05: data
./-file06: data
./-file07: ASCII text
./-file08: data
./-file09: data
bandit4@bandit:~/inhere$ cat ./-file07
koReBOKuIDDepwhWk7jZC0RTdopnAYKh

Level 5 -> Level 6

The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:
    human-readable
    1033 bytes in size
    not executable

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
~ ssh -p 2220 bandit5@bandit.labs.overthewire.org
bandit5@bandit:~$ ls
inhere
bandit5@bandit:~$ cd inhere
bandit5@bandit:~/inhere$ ls
maybehere00  maybehere03  maybehere06  maybehere09  maybehere12  maybehere15  maybehere18
maybehere01  maybehere04  maybehere07  maybehere10  maybehere13  maybehere16  maybehere19
maybehere02  maybehere05  maybehere08  maybehere11  maybehere14  maybehere17
bandit5@bandit:~/inhere$ find . -not -executable -readable -size 1033c
./maybehere07/.file2
bandit5@bandit:~/inhere$ cat ./maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7

Level 6 -> Level 7

The password for the next level is stored somewhere on the server and has all of the following properties:
    owned by user bandit7
    owned by group bandit6
    33 bytes in size

1
2
3
4
5
~ ssh -p 2220 bandit6@bandit.labs.overthewire.org
bandit6@bandit:~$ find / -size 33c -user bandit7 -group bandit6 2>/dev/null
/var/lib/dpkg/info/bandit7.password
bandit6@bandit:~$ cat /var/lib/dpkg/info/bandit7.password
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

Level 7 -> Level 8

The password for the next level is stored in the file data.txt next to the word millionth

1
2
3
4
5
~ ssh -p 2220 bandit7@bandit.labs.overthewire.org
bandit7@bandit:~$ ls
data.txt
bandit7@bandit:~$ grep -n 'data.txt' -e 'millionth'
3810:millionth	cvX2JJa4CFALtqS87jk27qwqGhBM9plV

Level 8 -> Level 9

The password for the next level is stored in the file data.txt and is the only line of text that occurs only once

1
2
3
4
5
~ ssh -p 2220 bandit8@bandit.labs.overthewire.org
bandit8@bandit:~$ ls
data.txt
bandit8@bandit:~$ cat data.txt | sort | uniq -u
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

Level 9 -> Level 10

The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
~ ssh -p 2220 bandit9@bandit.labs.overthewire.org
bandit9@bandit:~$ ls
data.txt
bandit9@bandit:~$ grep -an data.txt -e '=='
D+0�w�txĨhz�========== theP`��d�Ԅ��H�JA�]��~~U��w�k퀒>�E��t�YڹG��A�ŭ0���V
                                                                         ��+F#�E�
                                                                                 ��R	�D��������X�Cm�9P%j���WЏ��
                                                                                 ..........
                                                                                 ..........
                                                                                 ..........
55:@$2˼9�RGr�'��5מos�_��x��g,hd����<�2�퟊�<$p(�׏7�	��ꌱ~0�D�[��?�$�i��}+MV 9~囊Ħ��\;	��Iu)d9[��S�I�x�sB�B?�������(�c�9=!/"Єl桺���~a�����.+,1u��݅ g�p�#�Q����a�
                                         ]�^K��m�.���f�
                                                       ��xT��P���8̳ad��X�臟��G)���Ͱ�zi�/g;.9���========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk

It will print out lots of stuff, but we can clearly see that there’s ========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk in the buttom


Level 10 -> Level 11

The password for the next level is stored in the file data.txt, which contains base64 encoded data

1
2
3
4
5
~ ssh -p 2220 bandit10@bandit.labs.overthewire.org
bandit10@bandit:~$ ls
data.txt
bandit10@bandit:~$ cat data.txt | base64 -d
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

Level 11 -> Level 12

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions

1
2
3
4
5
~ ssh -p 2220 bandit11@bandit.labs.overthewire.org
bandit11@bandit:~$ ls
data.txt
bandit11@bandit:~$ cat data.txt | tr '[a-z]' '[n-za-m]' | tr '[A-Z]' '[N-ZA-M]'
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

Level 12 -> Level 13

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
~ ssh -p 2220 bandit12@bandit.labs.overthewire.org
bandit12@bandit:~$ ls
data.txt
bandit12@bandit:~$ file data.txt
data.txt: ASCII text
bandit12@bandit:~$ mkdir /tmp/bandit12
bandit12@bandit:~$ cd /tmp/bandit12
bandit12@bandit:/tmp/bandit12$ cp /home/bandit12/data.txt .
bandit12@bandit:/tmp/bandit12$ xxd -r data.txt data_xxd_reverse
bandit12@bandit:/tmp/bandit12$ file data_xxd_reverse
data_xxd_reverse: gzip compressed data, was "data2.bin", last modified: Thu Dec 28 13:34:36 2017, max compression, from Unix
bandit12@bandit:/tmp/bandit12$ gunzip -c data_xxd_reverse > data_gunzip
bandit12@bandit:/tmp/bandit12$ file data_gunzip
data_gunzip: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/bandit12$ bzip2 -cd data_gunzip > data_bzip2_reverse
bandit12@bandit:/tmp/bandit12$ file data_bzip2_reverse
data_bzip2_reverse: gzip compressed data, was "data4.bin", last modified: Thu Dec 28 13:34:36 2017, max compression, from Unix
bandit12@bandit:/tmp/bandit12$ gunzip -c data_bzip2_reverse > data_gunzip_2
bandit12@bandit:/tmp/bandit12$ file data_gunzip_2
data_gunzip_2: POSIX tar archive (GNU)
bandit12@bandit:/tmp/bandit12$ tar -xvOf data_gunzip_2 > data_untar
data5.bin
bandit12@bandit:/tmp/bandit12$ file data_untar
data_untar: POSIX tar archive (GNU)
bandit12@bandit:/tmp/bandit12$ tar -xvOf data_untar > data_untar_2
data6.bin
bandit12@bandit:/tmp/bandit12$ file data_untar_2
data_untar_2: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/bandit12$ bzip2 -cd data_untar_2 > data_bzip2_reverse_2
bandit12@bandit:/tmp/bandit12$ file data_bzip2_reverse_2
data_bzip2_reverse_2: POSIX tar archive (GNU)
bandit12@bandit:/tmp/bandit12$ tar -xvOf data_bzip2_reverse_2 > data_untar_3
data8.bin
bandit12@bandit:/tmp/bandit12$ file data_untar_3
data_untar_3: gzip compressed data, was "data9.bin", last modified: Thu Dec 28 13:34:36 2017, max compression, from Unix
bandit12@bandit:/tmp/bandit12$ gunzip -c data_untar_3 > data_gunzip_3
bandit12@bandit:/tmp/bandit12$ file data_gunzip_3
data_gunzip_3: ASCII text
bandit12@bandit:/tmp/bandit12$ cat data_gunzip_3
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

Level 13 -> Level 14

The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on

1
2
3
4
5
6
~ ssh -p 2220 bandit13@bandit.labs.overthewire.org
bandit13@bandit:~$ ls
sshkey.private
bandit13@bandit:~$ ssh -i sshkey.private bandit14@localhost
bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

Level 14 -> Level 15

The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

1
2
3
4
~ ssh -p 2220 bandit14@bandit.labs.overthewire.org
bandit14@bandit:~$ nc localhost 30000 < /etc/bandit_pass/bandit14
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr

Level 15 -> Level 16

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…

1
2
3
4
5
6
7
8
~ ssh -p 2220 bandit15@bandit.labs.overthewire.org
bandit15@bandit:~$ cat /etc/bandit_pass/bandit15 | openssl s_client -connect localhost:30001 -ign_eof
......
......
......
---
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd

Level 16 -> Level 17

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
~ ssh -p 2220 bandit16@bandit.labs.overthewire.org
bandit16@bandit:~$ nmap -sT -A -p 31000-32000 localhost

Starting Nmap 7.01 ( https://nmap.org ) at 2018-08-21 20:34 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00023s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 996 closed ports
PORT      STATE SERVICE     VERSION
31046/tcp open  echo
31518/tcp open  ssl/echo
| ssl-cert: Subject: commonName=bandit
| Not valid before: 2017-12-28T13:23:40
|_Not valid after:  2027-12-26T13:23:40
|_ssl-date: TLS randomness does not represent time
31691/tcp open  echo
31790/tcp open  ssl/unknown
| ssl-cert: Subject: commonName=bandit
| Not valid before: 2017-12-28T13:23:40
|_Not valid after:  2027-12-26T13:23:40
|_ssl-date: TLS randomness does not represent time
31960/tcp open  echo
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port31790-TCP:V=7.01%T=SSL%I=7%D=8/21%Time=5B7C5B61%P=x86_64-pc-linux-g
SF:nu%r(GenericLines,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20cu
SF:rrent\x20password\n")%r(GetRequest,31,"Wrong!\x20Please\x20enter\x20the
SF:\x20correct\x20current\x20password\n")%r(HTTPOptions,31,"Wrong!\x20Plea
SF:se\x20enter\x20the\x20correct\x20current\x20password\n")%r(RTSPRequest,
SF:31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20current\x20password\
SF:n")%r(Help,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20current\x
SF:20password\n")%r(SSLSessionReq,31,"Wrong!\x20Please\x20enter\x20the\x20
SF:correct\x20current\x20password\n")%r(TLSSessionReq,31,"Wrong!\x20Please
SF:\x20enter\x20the\x20correct\x20current\x20password\n")%r(Kerberos,31,"W
SF:rong!\x20Please\x20enter\x20the\x20correct\x20current\x20password\n")%r
SF:(FourOhFourRequest,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20c
SF:urrent\x20password\n")%r(LPDString,31,"Wrong!\x20Please\x20enter\x20the
SF:\x20correct\x20current\x20password\n")%r(SIPOptions,31,"Wrong!\x20Pleas
SF:e\x20enter\x20the\x20correct\x20current\x20password\n");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 89.37 seconds

We can see that we get 5 open ports. Every service of the port is echo except port 31790, so we’ll start testing this one.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
bandit16@bandit:~$ openssl s_client -connect localhost:31790
CONNECTED(00000003)
depth=0 CN = bandit
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = bandit
verify return:1
---
Certificate chain
 0 s:/CN=bandit
   i:/CN=bandit
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICsjCCAZqgAwIBAgIJAKZI1xYeoXFuMA0GCSqGSIb3DQEBCwUAMBExDzANBgNV
BAMMBmJhbmRpdDAeFw0xNzEyMjgxMzIzNDBaFw0yNzEyMjYxMzIzNDBaMBExDzAN
BgNVBAMMBmJhbmRpdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOcX
ruVcnQUBeHJeNpSYayQExCJmcHzSCktnOnF/H4efWzxvLRWt5z4gYaKvTC9ixLrb
K7a255GEaUbP/NVFpB/sn56uJc1ijz8u0hWQ3DwVe5ZrHUkNzAuvC2OeQgh2HanV
5LwB1nmRZn90PG1puKxktMjXsGY7f9Yvx1/yVnZqu2Ev2uDA0RXij/T+hEqgDMI7
y4ZFmuYD8z4b2kAUwj7RHh9LUKXKQlO+Pn8hchdR/4IK+Xc4+GFOin0XdQdUJaBD
8quOUma424ejF5aB6QCSE82MmHlLBO2tzC9yKv8L8w+fUeQFECH1WfPC56GcAq3U
IvgdjGrU/7EKN5XkONcCAwEAAaMNMAswCQYDVR0TBAIwADANBgkqhkiG9w0BAQsF
AAOCAQEAnrOty7WAOpDGhuu0V8FqPoKNwFrqGuQCTeqhQ9LP0bFNhuH34pZ0JFsH
L+Y/q4Um7+66mNJUFpMDykm51xLY2Y4oDNCzugy+fm5Q0EWKRwrq+hIM+5hs0RdC
nARP+719ddmUiXF7r7IVP2gK+xqpa8+YcYnLuoXEtpKkrrQCCUiqabltU5yRMR77
3wqB54txrB4IhwnXqpO23kTuRNrkG+JqDUkaVpvct+FAdT3PODMONP/oHII3SH9i
ar/rI9k+4hjlg4NqOoduxX9M+iLJ0Zgj6HAg3EQVn4NHsgmuTgmknbhqTU3o4IwB
XFnxdxVy0ImGYtvmnZDQCGivDok6jA==
-----END CERTIFICATE-----
subject=/CN=bandit
issuer=/CN=bandit
---
No client certificate CA names sent
---
SSL handshake has read 1015 bytes and written 631 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: ABF625F41A0BFBAD9812842268C7011AC2509E6D33F2941B6045CB15F9ABE8D3
    Session-ID-ctx:
    Master-Key: 5ADC3A7B9614F0345FF5AE9E8B46A345594239130949878D26DDB74B2C6C35ADBEDA7C10DE15DDA0E4CF1E5FE3B1D018
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - aa 3d 08 f7 55 9a 83 cb-75 cb f1 ae ef 7b e3 4c   .=..U...u....{.L
    0010 - b2 6c ba 60 68 d2 eb 8d-5b 80 10 62 76 c2 bb fb   .l.`h...[..bv...
    0020 - df 91 76 34 d3 79 72 87-bc 41 77 b3 58 c3 64 38   ..v4.yr..Aw.X.d8
    0030 - b8 29 67 01 0d d7 61 0a-da fa af a9 e8 78 21 7c   .)g...a......x!|
    0040 - c0 cb 65 77 cd 26 e0 bc-85 95 b5 02 50 de 2a 58   ..ew.&......P.*X
    0050 - c4 86 8c 76 dc fd 0e 0b-c3 bd 14 86 a9 d2 06 0b   ...v............
    0060 - 7d b4 31 52 3e 54 29 40-34 5e ee 7a 23 db 7a fa   }.1R>T)@4^.z#.z.
    0070 - 0c 94 9f 3f ad 6f 4d 36-51 92 9b 8a c6 71 53 ed   ...?.oM6Q....qS.
    0080 - 67 ce f5 c5 52 5d cc 58-0d d7 aa 8b 71 05 2f a4   g...R].X....q./.
    0090 - 87 21 8f 01 95 60 52 af-c1 ab 3a 79 05 cb a0 c6   .!...`R...:y....

    Start Time: 1534876790
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

Type the passowrd of bandit16 cluFn7wTiGryunymYOu4RcffSxQluehd

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
Correct!
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
-----END RSA PRIVATE KEY-----

closed

And finally we get the key.


Level 17 -> Level 18

There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new
NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
~ vim sshkey.private
~ cat sshkey.private
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
-----END RSA PRIVATE KEY-----
~ chmod 600 sshkey.private
~ ssh -p 2220 bandit17@bandit.labs.overthewire.org -i sshkey.private
bandit17@bandit:~$ ls
passwords.new  passwords.old
bandit17@bandit:~$ diff passwords.old passwords.new
42c42
< 6vcSC74ROI95NqkKaeEC2ABVMDX9TyUr
---
> kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd

It means that there’s 6vcSC74ROI95NqkKaeEC2ABVMDX9TyUr in passwords.old but change into kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd in passwords.new, and that means kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd is the password of next level.


Level 18 -> Level 19

The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
~ ssh -p 2220 bandit18@bandit.labs.overthewire.org
......
......
......
Byebye !
Connection to bandit.labs.overthewire.org closed.
~ ssh -t -p 2220 bandit18@bandit.labs.overthewire.org /bin/sh
$ ls
readme
$ cat readme
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

Level 19 -> Level 20

To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
~ ssh -p 2220 bandit19@bandit.labs.overthewire.org
bandit19@bandit:~$ ls
bandit20-do
bandit19@bandit:~$ ./bandit20-do
Run a command as another user.
  Example: ./bandit20-do id
bandit19@bandit:~$ ./bandit20-do id
uid=11019(bandit19) gid=11019(bandit19) euid=11020(bandit20) groups=11019(bandit19)
bandit19@bandit:~$ id
uid=11019(bandit19) gid=11019(bandit19) groups=11019(bandit19)
bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j

Level 20 -> Level 21

There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
NOTE: Try connecting to your own network daemon to see if it works as you think

1
2
3
4
5
6
~ ssh -p 2220 bandit20@bandit.labs.overthewire.org
bandit20@bandit:~$ ls
suconnect
bandit20@bandit:~$ ./suconnect
Usage: ./suconnect <portnumber>
This program will connect to the given port on localhost using TCP. If it receives the correct password from the other side, the next password is transmitted back.

We can either use tmux or connect to bandit20 with another terminal. I’ll take port 31000 because we have already known that it’s not using via Nmap.

Start with terminal 1, and then terminal 2

1
bandit20@bandit:~$ nc -l 31000 < /etc/bandit_pass/bandit20
1
2
3
bandit20@bandit:~$ ./suconnect 31000
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password

Back to Terminal 1, and we can see that gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr is sent to us.


Level 21 -> Level 22

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
~ ssh -p 2220 bandit21@bandit.labs.overthewire.org
bandit21@bandit:~$ ls /etc/cron.d/
cronjob_bandit22  cronjob_bandit23  cronjob_bandit24  popularity-contest
bandit21@bandit:~$ cat /etc/cron.d/cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
bandit21@bandit:~$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
bandit21@bandit:~$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

Level 22 -> Level 23

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
~ ssh -p 2220 bandit22@bandit.labs.overthewire.org
bandit22@bandit:~$ ls /etc/cron.d
cronjob_bandit22  cronjob_bandit23  cronjob_bandit24  popularity-contest
bandit22@bandit:~$ cat /etc/cron.d/cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
bandit22@bandit:~$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget
bandit22@bandit:~$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349
bandit22@bandit:~$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n

Level 23 -> Level 24

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
~ ssh -p 2220 bandit23@bandit.labs.overthewire.org
bandit23@bandit:~$ ls /etc/cron.d
cronjob_bandit22  cronjob_bandit23  cronjob_bandit24  popularity-contest
bandit23@bandit:~$ cat /etc/cron.d/cronjob_bandit24
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
bandit23@bandit:~$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
	echo "Handling $i"
	timeout -s 9 60 ./$i
	rm -f ./$i
    fi
done
bandit23@bandit:~$ ls -ld /var/spool/bandit24
drwx-wx--- 3 bandit24 bandit23 139264 Aug 21 21:42 /var/spool/bandit24

We can see that every time we put a script in /var/spool/bandit24/, it will execute it and delete it. So we can make a script which gives us the password and put it into /var/spool/bandit24

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
bandit23@bandit:~$ mkdir /tmp/bandit23
bandit23@bandit:~$ cd /tmp/bandit23
bandit23@bandit:/tmp/bandit23$ vim bandit23.sh
bandit23@bandit:/tmp/bandit23$ cat bandit23.sh
#!/bin/bash

cat /etc/bandit_pass/bandit24 > /tmp/bandit23/pass
bandit23@bandit:/tmp/bandit23$ chmod 777 /tmp/bandit23
bandit23@bandit:/tmp/bandit23$ chmod 777 bandit23.sh
bandit23@bandit:/tmp/bandit23$ cp bandit23.sh /var/spool/bandit24
bandit23@bandit:/tmp/bandit23$ ls
bandit23.sh  pass
bandit23@bandit:/tmp/bandit23$ cat pass
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

Level 24 -> Level 25

A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
~ ssh -p 2220 bandit24@bandit.labs.overthewire.org
bandit24@bandit:/tmp/bandit24$ nc localhost 30002
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 2345
Wrong! Please enter the correct pincode. Try again.
^C
bandit24@bandit:~$ mkdir /tmp/bandit24
bandit24@bandit:~$ cd /tmp/bandit24
bandit24@bandit:/tmp/bandit24$ chmod 777 /tmp/bandit24
bandit24@bandit:/tmp/bandit24$ vim brute_force.sh
bandit24@bandit:/tmp/bandit24$ chmod 744 brute_force.sh
bandit24@bandit:/tmp/bandit24$ cat brute_force.sh

#!/bin/bash

for i in {0..9999}; do
    printf "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ %04d\n" "$i"
done
bandit24@bandit:/tmp/bandit24$ ./brute_force.sh > payload
bandit24@bandit:/tmp/bandit24$ nc localhost 30002 < payload
Wrong! Please enter the correct pincode. Try again.
Wrong! Please enter the correct pincode. Try again.
Wrong! Please enter the correct pincode. Try again.
Wrong! Please enter the correct pincode. Try again.
......
......
......
Wrong! Please enter the correct pincode. Try again.
Correct!
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

Exiting.

Level 25 -> Level 26

Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
~ ssh -p 2220 bandit25@bandit.labs.overthewire.org
bandit25@bandit:~$ ls
bandit26.sshkey
bandit25@bandit:~$ file bandit26.sshkey
bandit26.sshkey: PEM RSA private key
bandit25@bandit:~$ ssh -i bandit26.sshkey bandit26@localhost
......
......
......
Connection to localhost closed.
bandit25@bandit:~$ cat /etc/passwd
......
......
bandit25❌11025:11025:bandit level 25:/home/bandit25:/bin/bash
bandit26❌11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
......
bandit25@bandit:~$ file /usr/bin/showtext
/usr/bin/showtext: POSIX shell script, ASCII text executable
bandit25@bandit:~$ cat /usr/bin/showtext
#!/bin/sh

export TERM=linux

more ~/text.txt
exit 0

As it shows, when we log in to bandit26, the content of text.txt using more, and then exit. What we’re going to do is trigger the more command, use it’s command “v” to start up an editor, and moreover get the shell.

First we need to minimize our terminal to trigger “more”

Local Picture Local Picture press “v” Local Picture

1
2
3
4
:set shell=/bin/bash
:shell
bandit26@bandit:~$ cat /etc/bandit_pass/bandit26
5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z

Finally, we get the password of bandit26. But actually, we should keep on going because log in to bandit26 is very time-consuming. We should get the password of bandit27 ASAP.


Level 26 -> Level 27

Good job getting a shell! Now hurry and grab the password for bandit27!

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
bandit26@bandit:~$ ls
bandit27-do  text.txt
bandit26@bandit:~$ file bandit27-do
bandit27-do: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=1c05d80e62cd205a3497b870e8294402424a4f7c, not stripped
bandit26@bandit:~$ ./bandit27-do
Run a command as another user.
  Example: ./bandit27-do id
bandit26@bandit:~$ ./bandit27-do id
uid=11026(bandit26) gid=11026(bandit26) euid=11027(bandit27) groups=11026(bandit26)
bandit26@bandit:~$ id
uid=11026(bandit26) gid=11026(bandit26) groups=11026(bandit26)
bandit26@bandit:~$ ./bandit27-do cat /etc/bandit_pass/bandit27
3ba3118a22e93127a4ed485be72ef5ea

Level 27 -> Level 28

There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo. The password for the user bandit27-git is the same as for the user bandit27.
Clone the repository and find the password for the next level.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
~ ssh -p 2220 bandit27@bandit.labs.overthewire.org
bandit27@bandit:~$ mkdir /tmp/bandit27
bandit27@bandit:~$ cd /tmp/bandit27
bandit27@bandit:/tmp/bandit27$ chmod 777 /tmp/bandit27
bandit27@bandit:/tmp/bandit27$ git clone ssh://bandit27-git@localhost/home/bandit27-git/repo
......
......
Checking connectivity... done.
bandit27@bandit:/tmp/bandit27$ ls
repo
bandit27@bandit:/tmp/bandit27$ cd repo
bandit27@bandit:/tmp/bandit27/repo$ ls
README
bandit27@bandit:/tmp/bandit27/repo$ file README
README: ASCII text
bandit27@bandit:/tmp/bandit27/repo$ cat README
The password to the next level is: 0ef186ac70e04ea33b4c1853d2526fa2

Level 28 -> Level 29

There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo. The password for the user bandit28-git is the same as for the user bandit28.
Clone the repository and find the password for the next level.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
~ ssh -p 2220 bandit28@bandit.labs.overthewire.org
bandit28@bandit:~$ mkdir /tmp/bandit28
bandit28@bandit:~$ cd /tmp/bandit28
bandit28@bandit:/tmp/bandit28$ chmod 777 /tmp/bandit28
bandit28@bandit:/tmp/bandit28$ git clone ssh://bandit28-git@localhost/home/bandit28-git/repo
......
......
Checking connectivity... done
bandit28@bandit:/tmp/bandit28$ ls
repo
bandit28@bandit:/tmp/bandit28$ cd repo
bandit28@bandit:/tmp/bandit28/repo$ ls
README.md
bandit28@bandit:/tmp/bandit28/repo$ cat README.md
# Bandit Notes
Some notes for level29 of bandit.

## credentials

- username: bandit29
- password: xxxxxxxxxx

bandit28@bandit:/tmp/bandit28/repo$ ls -al
total 16
drwxrwxr-x 3 bandit28 bandit28 4096 Aug 21 23:31 .
drwxrwxrwx 3 bandit28 bandit28 4096 Aug 21 23:31 ..
drwxrwxr-x 8 bandit28 bandit28 4096 Aug 21 23:31 .git
-rw-rw-r-- 1 bandit28 bandit28  111 Aug 21 23:31 README.md
bandit28@bandit:/tmp/bandit28/repo$ cd .git
bandit28@bandit:/tmp/bandit28/repo/.git$ ls
HEAD  branches  config  description  hooks  index  info  logs  objects  packed-refs  refs
bandit28@bandit:/tmp/bandit28/repo/.git$ cat packed-refs
# pack-refs with: peeled fully-peeled
04e2414585ba775805a49b78d662d0946d08f27a refs/remotes/origin/master
bandit28@bandit:/tmp/bandit28/repo/.git$ git cat-file -p 04e2414585ba775805a49b78d662d0946d08f27a
tree e275285b34f49c17ebf234a873f37aeaace5ad45
parent 196c3edc79e362fe89e0d75cfeef079d8c67beef
author Morla Porla <morla@overthewire.org> 1532263633 +0200
committer Morla Porla <morla@overthewire.org> 1532263633 +0200

fix info leak
bandit28@bandit:/tmp/bandit28/repo/.git$ git cat-file -p e275285b34f49c17ebf234a873f37aeaace5ad45
100644 blob 5c6457b17de03b5f47fb2353b80db051d595c46e	README.md
bandit28@bandit:/tmp/bandit28/repo/.git$ git cat-file -p 5c6457b17de03b5f47fb2353b80db051d595c46e
# Bandit Notes
Some notes for level29 of bandit.

## credentials

- username: bandit29
- password: xxxxxxxxxx

We can see that the password is already xxxxxxxxxx, just like what the commit “fix info leak” says. So we need to look deeper to its parent.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
bandit28@bandit:/tmp/bandit28/repo/.git$ git cat-file -p 196c3edc79e362fe89e0d75cfeef079d8c67beef
tree cc4b4261bb7217025839f483f21d21f9b857cfed
parent 80383714fa509a363756866425b0b697e87824a0
author Morla Porla <morla@overthewire.org> 1532263633 +0200
committer Morla Porla <morla@overthewire.org> 1532263633 +0200

add missing data
bandit28@bandit:/tmp/bandit28/repo/.git$ git cat-file -p cc4b4261bb7217025839f483f21d21f9b857cfed
100644 blob 3f7cee81d3c8b942c89a3fb32f09800f9322c409	README.md
bandit28@bandit:/tmp/bandit28/repo/.git$ git cat-file -p 3f7cee81d3c8b942c89a3fb32f09800f9322c409
# Bandit Notes
Some notes for level29 of bandit.

## credentials

- username: bandit29
- password: bbc96594b4e001778eee9975372716b2

Level 29 -> Level 30

There is a git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo. The password for the user bandit29-git is the same as for the user bandit29.
Clone the repository and find the password for the next level.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
~ ssh -p 2220 bandit29@bandit.labs.overthewire.org
bandit29@bandit:~$ mkdir /tmp/bandit29
bandit29@bandit:~$ cd /tmp/bandit29
bandit29@bandit:/tmp/bandit29$ chmod 777 /tmp/bandit29
bandit29@bandit:/tmp/bandit29$ git clone ssh://bandit29-git@localhost/home/bandit29-git/repo
......
......
Checking connectivity... done.
bandit29@bandit:/tmp/bandit29$ ls
repo
bandit29@bandit:/tmp/bandit29$ cd repo
bandit29@bandit:/tmp/bandit29/repo$ ls
README.md
bandit29@bandit:/tmp/bandit29/repo$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.

## credentials

- username: bandit30
- password: <no passwords in production!>

bandit29@bandit:/tmp/bandit29/repo$ ls -al
total 16
drwxrwxr-x 3 bandit29 bandit29 4096 Aug 21 23:39 .
drwxrwxrwx 3 bandit29 bandit29 4096 Aug 21 23:39 ..
drwxrwxr-x 8 bandit29 bandit29 4096 Aug 21 23:39 .git
-rw-rw-r-- 1 bandit29 bandit29  131 Aug 21 23:39 README.md
bandit29@bandit:/tmp/bandit29/repo$ cd .git
bandit29@bandit:/tmp/bandit29/repo/.git$ ls
HEAD  branches  config  description  hooks  index  info  logs  objects  packed-refs  refs
bandit29@bandit:/tmp/bandit29/repo/.git$ cat packed-refs
# pack-refs with: peeled fully-peeled
77ec80e97de5f88f035911a8d0fce1982dc7da05 refs/remotes/origin/dev
279d73d37ee7abbe68a3ec3655ef47bdd0d2ebf2 refs/remotes/origin/master
d59303d72ea1b6f75adc9eb34eb7d99b02e3e70a refs/remotes/origin/sploits-dev

Because it says that “no passwords in production” in the password field, so I’ll first take a look at the dev branch.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
bandit29@bandit:/tmp/bandit29/repo/.git$ git cat-file -p 77ec80e97de5f88f035911a8d0fce1982dc7da05
tree 3e6e84f371d74b18f48c779e1a61a4b80e84a60e
parent 0ced92a1b87e29e4225f45f3f6b803b1343aa8bb
author Morla Porla <morla@overthewire.org> 1532263643 +0200
committer Morla Porla <morla@overthewire.org> 1532263643 +0200

add data needed for development
bandit29@bandit:/tmp/bandit29/repo/.git$ git cat-file -p 3e6e84f371d74b18f48c779e1a61a4b80e84a60e
100644 blob 39b87a8f23cbe7e407497f52aa1d415150ceea06	README.md
040000 tree 0c5f36d5895023c36035b7352c5b0113f6326550	code
bandit29@bandit:/tmp/bandit29/repo/.git$ git cat-file -p 39b87a8f23cbe7e407497f52aa1d415150ceea06
# Bandit Notes
Some notes for bandit30 of bandit.

## credentials

- username: bandit30
- password: 5b90576bedb2cc04c86a9e924ce42faf

Level 30 -> Level 31

There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo. The password for the user bandit30-git is the same as for the user bandit30.
Clone the repository and find the password for the next level.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
~ ssh -p 2220 bandit30@bandit.labs.overthewire.org
bandit30@bandit:~$ mkdir /tmp/bandit30
bandit30@bandit:~$ cd /tmp/bandit30
bandit30@bandit:/tmp/bandit30$ chmod 777 /tmp/bandit30
bandit30@bandit:/tmp/bandit30$ git clone ssh://bandit30-git@localhost/home/bandit30-git/repo
......
......
Checking connectivity... done.
bandit30@bandit:/tmp/bandit30$ ls
repo
bandit30@bandit:/tmp/bandit30$ cd repo
bandit30@bandit:/tmp/bandit30/repo$ ls
README.md
bandit30@bandit:/tmp/bandit30/repo$ cat README.md
just an epmty file... muahaha
bandit30@bandit:/tmp/bandit30/repo$ ls -al
total 16
drwxrwxr-x 3 bandit30 bandit30 4096 Aug 21 23:47 .
drwxrwxrwx 3 bandit30 bandit30 4096 Aug 21 23:47 ..
drwxrwxr-x 8 bandit30 bandit30 4096 Aug 21 23:47 .git
-rw-rw-r-- 1 bandit30 bandit30   30 Aug 21 23:47 README.md
bandit30@bandit:/tmp/bandit30/repo$ cd .git
bandit30@bandit:/tmp/bandit30/repo/.git$ ls
HEAD  branches  config  description  hooks  index  info  logs  objects  packed-refs  refs
bandit30@bandit:/tmp/bandit30/repo/.git$ cat packed-refs
# pack-refs with: peeled fully-peeled
1791c9d4a559bffa4e6e89c15f7723167da10bb8 refs/remotes/origin/master
f17132340e8ee6c159e0a4a6bc6f80e1da3b1aea refs/tags/secret
bandit30@bandit:/tmp/bandit30/repo/.git$ git cat-file -p f17132340e8ee6c159e0a4a6bc6f80e1da3b1aea
47e603bb428404d265f59c42920d81e5

Level 31 -> Level 32

There is a git repository at ssh://bandit31-git@localhost/home/bandit31-git/repo. The password for the user bandit31-git is the same as for the user bandit31.
Clone the repository and find the password for the next level.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
~ ssh -p 2220 bandit31@bandit.labs.overthewire.org
bandit31@bandit:~$ mkdir /tmp/bandit31
bandit31@bandit:~$ cd /tmp/bandit31
bandit31@bandit:/tmp/bandit31$ chmod 777 /tmp/bandit31
bandit31@bandit:/tmp/bandit31$ git clone ssh://bandit31-git@localhost/home/bandit31-git/repo
......
......
Checking connectivity... done.
bandit31@bandit:/tmp/bandit31$ ls
repo
bandit31@bandit:/tmp/bandit31$ cd repo
bandit31@bandit:/tmp/bandit31/repo$ ls
README.md
bandit31@bandit:/tmp/bandit31/repo$ cat README.md
This time your task is to push a file to the remote repository.

Details:
    File name: key.txt
    Content: 'May I come in?'
    Branch: master

bandit31@bandit:/tmp/bandit31/repo$ vim key.txt
bandit31@bandit:/tmp/bandit31/repo$ cat key.txt
May I come in?
bandit31@bandit:/tmp/bandit31/repo$ git add key.txt
The following paths are ignored by one of your .gitignore files:
key.txt
Use -f if you really want to add them.
bandit31@bandit:/tmp/bandit31/repo$ git add -f key.txt
bandit31@bandit:/tmp/bandit31/repo$ git commit -m "Add key.txt"
[master c4ca710] Add key.txt
 1 file changed, 1 insertion(+)
 create mode 100644 key.txt
bandit31@bandit:/tmp/bandit31/repo$ git push origin master
......
......
remote: ### Attempting to validate files... ####
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
remote: Well done! Here is the password for the next level:
remote: 56a9bf19c63d650ce78e6ec0354ee45e
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:

Level 32 -> Level 33

After all this git stuff its time for another esape. Good luck!

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
~ ssh -p 2220 bandit32@bandit.labs.overthewire.org
bandit32@bandit:~$ ls
uppershell
bandit32@bandit:~$ ls -al | grep 'uppershell'
-rwsr-x---  1 bandit33 bandit32 7668 Jul 22 18:59 uppershell
bandit32@bandit:~$ ./uppershell
WELCOME TO THE UPPERCASE SHELL
>> echo "hello"
sh: 1: ECHO: not found
>> 1234
sh: 1: 1234: not found
>> exit
sh: 1: EXIT: not found
>> quit
sh: 1: QUIT: not found
>> ls
sh: 1: LS: not found
>> echo $PATH
sh: 1: ECHO: not found
>> $PATH
sh: 1: /home/bandit32/bin:/home/bandit32/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games: not found
>> $HOME
sh: 1: /home/bandit32: Permission denied
>> ^C

It seems like it prints out the value and access it. If it’s true, then it’ll be very easy to get the shell.

1
2
3
4
5
6
7
bandit32@bandit:~$ ./uppershell
WELCOME TO THE UPPERCASE SHELL
>> $SHELL
bandit33@bandit:~$ pwd
/home/bandit32
bandit33@bandit:~$ cat /etc/bandit_pass/bandit33
c9c3199ddf4121b10cf581a98d51caee

Level 33 -> Level 34

At this moment, level 34 does not exist yet.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
~ ssh -p 2220 bandit33@bandit.labs.overthewire.org
bandit33@bandit:~$ ls
README.txt
bandit33@bandit:~$ cat README.txt
Congratulations on solving the last level of this game!

At this moment, there are no more levels to play in this game. However, we are constantly working
on new levels and will most likely expand this game with more levels soon.
Keep an eye out for an announcement on our usual communication channels!
In the meantime, you could play some of our other wargames.

If you have an idea for an awesome new level, please let us know!