
Bandit Walkthrough | OverTheWire


It's a journey from 0 to 1

Introduction

What is Bandit?

The Bandit wargame is aimed at absolute beginners. It will teach the basics needed to be able to play other wargames.
You can check it out on: OverTheWire.org


Bandit Level 0

Level Goal

The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.

So now we have the following SSH Information:

  • Server: bandit.labs.overthewire.org

  • Port: 2220

  • Username: bandit0

  • Password: bandit0

💡
Keep in mind that this connection information, including level passwords, may change in the future.
Now we can connect with the following command:
ssh bandit0@bandit.labs.overthewire.org -p 2220

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1706971163380/4b2bab09-5ba0-4cea-bf00-1daf5cf0eda9.png align="center")

💡
If it's your first time connecting over SSH, notice that nothing is echoed while you type the password. Just type the password and hit 'Enter'.

And voilà, we are in.


Bandit Level 0 → Level 1

Level Goal

The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.

Solution:

After logging in as bandit0, the password we will use for the next level is in a file called readme.

Below is the password for level 1.
NH2SXQwcBdpmTEzi3bvBHMM9H66vVXjL

Bandit Level 1 → Level 2

Level Goal

The password for the next level is stored in a file called - located in the home directory

Solution:

After login with bandit1 using:
SSH:ssh bandit1@bandit.labs.overthewire.org -p 2220
Password:NH2SXQwcBdpmTEzi3bvBHMM9H66vVXjL

The trick here is that if you try cat "-" or cat -, the cat command interprets "-" as standard input rather than as the filename you intend to read.

So we can use cat ./-; the ./ before the dash explicitly indicates that "-" is a file in the current directory.

We can also use cat < "-": here the shell opens the file "-" and connects it to cat's standard input ("<"), so cat never sees the dash as an argument at all.

Below is the password for level 2.
rRGizSaX8Mk1RTb1CNQoXTcYZWU6lgzi

Bandit Level 2 → Level 3

Level Goal

The password for the next level is stored in a file called spaces in this filename located in the home directory

Solution:

After login with bandit2 using:
SSH:ssh bandit2@bandit.labs.overthewire.org -p 2220
Password:rRGizSaX8Mk1RTb1CNQoXTcYZWU6lgzi

The trick here is that the filename contains spaces, but we can simply put the name in double quotes and it works fine.

Another way is to put a backslash before each space in the filename; escaping the spaces makes the shell treat them as part of the filename rather than as separators between arguments.

Below is the password for level 3.
aBZ0W5EmUfAf7kHTQeOwd8bauFJ2lAiG

Bandit Level 3 → Level 4

Level Goal

The password for the next level is stored in a hidden file in the inhere directory.

Solution:

After login with bandit3 using:
SSH:ssh bandit3@bandit.labs.overthewire.org -p 2220
Password:aBZ0W5EmUfAf7kHTQeOwd8bauFJ2lAiG

The trick here is that the file is hidden by a leading dot in its name, so a plain ls will not show it, but ls -a (or the ll alias, where it is defined) also lists the hidden dot-files.

Below is the password for level 4.
2EW7BBsr6aMMoJ2HjW067dm8EgX26xNe

Bandit Level 4 → Level 5

Level Goal

The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.

Solution:

After login with bandit4 using:
SSH:ssh bandit4@bandit.labs.overthewire.org -p 2220
Password:2EW7BBsr6aMMoJ2HjW067dm8EgX26xNe

The trick here is that the files all look the same :D

But of course they aren't: we can use the file command to determine the actual type of each file easily, and only one of them is ASCII text:

Below is the password for level 5.
lrIWWI6bB37kxfiCQZqUdOIYfr6eEeqR

Bandit Level 5 → Level 6

Level Goal

The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:

  • human-readable

  • 1033 bytes in size

  • not executable

Solution:

After login with bandit5 using:
SSH:ssh bandit5@bandit.labs.overthewire.org -p 2220
Password:lrIWWI6bB37kxfiCQZqUdOIYfr6eEeqR

The trick here is that it is a waste of time and effort to go into each folder, check each file and compare it against the desired properties.

With the find command we can use -type f to restrict the search to regular files, -size 1033c to match files that are exactly 1033 bytes in size (the c suffix means bytes), and ! -executable to exclude executable files, as required.
So the final command will be find -type f -size 1033c ! -executable

Below is the password for level 6.
P4L4vucdmLnm8I7Vl7jG1ApGSfjYKqJU

Bandit Level 6 → Level 7

Level Goal

The password for the next level is stored somewhere on the server and has all of the following properties:

  • owned by user bandit7

  • owned by group bandit6

  • 33 bytes in size

Solution:

After login with bandit6 using:
SSH:ssh bandit6@bandit.labs.overthewire.org -p 2220
Password:P4L4vucdmLnm8I7Vl7jG1ApGSfjYKqJU

Building on the previous level, we need to find a file with the above properties anywhere on the server, so with a little digging in the find manual page we can use find / -user bandit7 -group bandit6 -size 33c

Searching the whole filesystem produces a flood of permission-denied errors; to discard them we redirect the stderr stream (2>) to /dev/null.
So the final command will be find / -user bandit7 -group bandit6 -size 33c 2>/dev/null

Below is the password for level 7.
z7WtoNQU2XfjmMtWA8u5rN4vzqu4v99S

Bandit Level 7 → Level 8

Level Goal

The password for the next level is stored in the file data.txt next to the word millionth

Solution:

After login with bandit7 using:
SSH:ssh bandit7@bandit.labs.overthewire.org -p 2220
Password:z7WtoNQU2XfjmMtWA8u5rN4vzqu4v99S

If we look at the file size, it is far too large to display and search manually with cat.

So we can use the grep command to search inside the file with grep "millionth" data.txt

Or we can use a pipe ("|") to make cat's stdout become grep's stdin, like this: cat data.txt | grep millionth

Below is the password for level 8.
TESKZC0XvTetK0S9xNwm25STk5iWrBvP

Bandit Level 8 → Level 9

Level Goal

The password for the next level is stored in the file data.txt and is the only line of text that occurs only once

Solution:

After login with bandit8 using:
SSH:ssh bandit8@bandit.labs.overthewire.org -p 2220
Password:TESKZC0XvTetK0S9xNwm25STk5iWrBvP

At this level, we need to find the line that occurs only once in the file.
So we can use the uniq command, but first we need to know how uniq works.

uniq only compares adjacent lines, treating them as duplicates if they are identical, so repeated lines that are not next to each other would be missed.
To get the correct result we sort the file first, and uniq -u then prints only the lines that are not repeated, so the final command will be: sort data.txt | uniq -u

Below is the password for level 9.
EN632PlfYiZbn3PhVK3XOGSlNInNE00t

Bandit Level 9 → Level 10

Level Goal

The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.

Solution:

After login with bandit9 using:
SSH:ssh bandit9@bandit.labs.overthewire.org -p 2220
Password:EN632PlfYiZbn3PhVK3XOGSlNInNE00t

At this level, we can use the strings command to extract the human-readable strings from the file and then search them with grep; the challenge says several '=' characters, so we look for two or more.

The final command will be: strings data.txt | grep ==

Below is the password for level 10.
G7w8LIi6J3kTb8A7j9LgrywtEUlyyp6s

Bandit Level 10 → Level 11

Level Goal

The password for the next level is stored in the file data.txt, which contains base64 encoded data.

Solution:

After login with bandit10 using:
SSH:ssh bandit10@bandit.labs.overthewire.org -p 2220
Password:G7w8LIi6J3kTb8A7j9LgrywtEUlyyp6s

At this level, the file content is base64 encoded.
Base64 is a method for encoding binary data as ASCII characters, allowing safe transmission over text-based protocols, and we can decode it with base64 -d. Note that Base64 is an encoding, not encryption: it hides nothing from anyone who can read the file.
The final command will be base64 -d data.txt or cat data.txt | base64 -d

Below is the password for level 11.
6zPeziLdR2RKNdNYFNb6nVCKzphlXHBM

Bandit Level 11 → Level 12

Level Goal

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions

Solution:

After login with bandit11 using:
SSH:ssh bandit11@bandit.labs.overthewire.org -p 2220
Password:6zPeziLdR2RKNdNYFNb6nVCKzphlXHBM

From the level description, we can notice that this is a classic example of a Caesar cipher with a rotation of 13 positions, also known as ROT13.
In ROT13, each letter of the alphabet is shifted 13 positions. For example, 'A' becomes 'N', 'B' becomes 'O', 'C' becomes 'P', and so on.

So the final command will be:
tr 'A-Za-z' 'N-ZA-Mn-za-m' < data.txt or cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'
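As an added example (not part of the original walkthrough), the following shell functions generalise the tr command above to a Caesar shift of any amount N, with ROT13 as the special case; rotn, rotated, rot13 and the two alphabet variables are names chosen here.

```shell
#!/bin/sh
# Caesar/ROT-N shift built on tr, generalising the level's ROT13 command.
# Added example, not the walkthrough's code.

UPPER='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
LOWER='abcdefghijklmnopqrstuvwxyz'

# rotated ALPHABET N: print ALPHABET rotated left by N positions (N in 0..25).
# The tail from position N+1 comes first, then the first N characters.
rotated() {
  {
    printf '%s' "$1" | cut -c"$(($2 + 1))"-
    printf '%s' "$1" | head -c "$2"
  } | tr -d '\n'
}

# rotn N: read stdin and shift every letter by N places; other characters
# pass through unchanged. N may be negative (to undo a shift) or above 25.
rotn() {
  n=$((($1 % 26 + 26) % 26))
  tr "$UPPER$LOWER" "$(rotated "$UPPER" "$n")$(rotated "$LOWER" "$n")"
}

# rot13: the level's transformation. Because 13 + 13 = 26, applying it twice
# returns the original text, so the same command encodes and decodes.
rot13() { rotn 13; }

# Example: decode the level's data file with the generic function.
# rotn 13 < data.txt
```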

Below is the password for level 12.
JVNBBFSmZwKKOP0XbFXOoW8chDz5yVRv

Bandit Level 12 → Level 13

Level Goal

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level, it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)

Solution:

After login with bandit12 using:
SSH:ssh bandit12@bandit.labs.overthewire.org -p 2220
Password:JVNBBFSmZwKKOP0XbFXOoW8chDz5yVRv

As stated in the description, we need to create a directory under /tmp so that we can work without permission errors. So we use mkdir to create a directory and then copy the data.txt file into it.

The funny thing is that when I tried to create a directory called bandit12, I found that it already existed. To satisfy my curiosity, I entered it, and I was surprised that the level had already been solved by someone else, most likely because it is a shared AWS instance :D.

Never mind, let's complete the level as required :D.

I followed the instructions and used the mktemp -d built-in command to automatically create a unique temporary directory under /tmp (you can check this). Now we have to be more focused, because this level is a little more challenging than the previous ones.

So, first we reverse the hexdump back into binary data; then we can determine the compression method.
Reverse it with xxd -r data.txt reversed, then run file reversed to identify the actual compression format from its magic number signature (check this).

Now we find out that the reversed file is gzip compressed. To decompress it we rename the file to end with the .gz extension using mv compressed compressed.gz, then run gzip -d compressed.gz.

After that, file reports bzip2, so we repeat the previous steps: rename the file to end with .bz2 using mv compressed compressed.bz2
and decompress with bzip2 -d compressed.bz2.

gzip again... repeat the steps: mv compressed compressed.gz, then gzip -d compressed.gz.

Now a new format appears, a tar archive, but the steps are still the same:
mv compressed compressed.tar, then tar -xf compressed.tar to extract it.

But hold on: a file called data6.bin has appeared, and it is compressed with bzip2, so we repeat the steps and continue decompressing.

Finally, after repeating the tedious decompression steps, we successfully extract the key.
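The whole rename-and-decompress loop above can be automated. This is an added example, not the walkthrough's own code: it identifies each layer from its magic bytes using od and dd (rather than the file command) and strips gzip, bzip2 and tar layers until plain data remains. magic_of and unwrap_all are names chosen here; gzip, bzip2 and tar are assumed to be installed.

```shell
#!/bin/sh
# Peel nested compression layers off a blob, choosing the tool from the
# file signature at each step. Added example, not the walkthrough's code.

# magic_of FILE: print gzip, bzip2, tar or unknown, based on the signature.
magic_of() {
  head3=$(od -An -tx1 -N 3 "$1" | tr -d ' \n')        # first three bytes, hex
  tarsig=$(dd if="$1" bs=1 skip=257 count=5 2>/dev/null)  # "ustar" at offset 257
  case "$head3" in
    1f8b*)  echo gzip ;;                 # 1F 8B: gzip member
    425a68) echo bzip2 ;;                # "BZh": bzip2 stream
    *) if [ "$tarsig" = ustar ]; then echo tar; else echo unknown; fi ;;
  esac
}

# unwrap_all BLOB WORKDIR: copy BLOB into WORKDIR, strip every layer the
# signature identifies, and print the innermost payload. Each tar layer is
# assumed to contain exactly one member (true for this level's data).
unwrap_all() {
  work=$2
  cp "$1" "$work/cur"
  while :; do
    case "$(magic_of "$work/cur")" in
      gzip)  mv "$work/cur" "$work/cur.gz";  gzip -d "$work/cur.gz" ;;
      bzip2) mv "$work/cur" "$work/cur.bz2"; bzip2 -d "$work/cur.bz2" ;;
      tar)   rm -rf "$work/x" && mkdir "$work/x"
             tar -xf "$work/cur" -C "$work/x"
             mv "$work/x"/* "$work/cur" ;;   # the single member is the next layer
      *)     break ;;                        # not an archive any more: done
    esac
  done
  cat "$work/cur"
}

# On the level itself, after d=$(mktemp -d):
#   xxd -r data.txt > "$d/blob" && unwrap_all "$d/blob" "$d"
```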

Below is the password for level 13.
wbWdlBxEir4CaE8LaPhauuOo6pwRmrDw

Bandit Level 13 → Level 14

Level Goal

The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on

Solution:

After login with bandit13 using:
SSH:ssh bandit13@bandit.labs.overthewire.org -p 2220
Password:wbWdlBxEir4CaE8LaPhauuOo6pwRmrDw

We can notice the sshkey.private file: this is another way to authenticate, with a private key passed to ssh via -i instead of a password (you can check this article that explains public key cryptography). We use it to log in as bandit14 on localhost, port 2220.

After accepting the host key prompt with yes and logging in as bandit14 successfully, we find the next level's password in /etc/bandit_pass/bandit14, as stated in the level description.

Below is the password for level 14.
fGrHPx402xGC7U7rXKDaxiWFTOiF0ENq

Bandit Level 14 → Level 15

Level Goal

The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

Solution:

After login with bandit14 using:
SSH:ssh bandit14@bandit.labs.overthewire.org -p 2220
Password:fGrHPx402xGC7U7rXKDaxiWFTOiF0ENq

"Localhost" is a hostname that refers to the local computer or the computer you are currently working on. It is often used to establish connections to services running on the same machine. In networking, localhost typically resolves to the IP address 127.0.0.1, which is the loopback address for the local machine. This allows programs running on the same computer to communicate with each other via network protocols such as TCP/IP without needing to go through the physical network interface.

So, if we connect to port 30000 on localhost with netcat and send the current level's password, we receive the key for the next level:

Below is the password for level 15.
jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt

Bandit Level 15 → Level 16

Level Goal

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…

Solution:

After login with bandit15 using:
SSH:ssh bandit15@bandit.labs.overthewire.org -p 2220
Password:jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt

OpenSSL is an open-source cryptographic library and toolkit used for secure communication over networks. You can establish an SSL/TLS connection to a server using the openssl s_client command followed by the server's hostname and port number; in this situation: openssl s_client -connect localhost:30001.

Then we submit the current level password and the server replies with the next one:

Below is the password for level 16.
JQttfApK4SeyHwDlI9SXGR50qclOAil1

Bandit Level 16 → Level 17

Level Goal

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First, find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

Solution:

After login with bandit16 using:
SSH:ssh bandit16@bandit.labs.overthewire.org -p 2220
Password:JQttfApK4SeyHwDlI9SXGR50qclOAil1

To find the actual port that the server listens on we can use Nmap.
Nmap is a powerful network scanning tool used to discover hosts and services on a computer network. It provides information about open ports, operating systems, and other network attributes.

So we can start scanning for open ports with nmap -sV -T4 localhost -p 31000-32000
-sV: performs service version detection, which is what tells us whether a port speaks SSL.
-T4: sets the timing template to "Aggressive"; it controls the speed of the scan.
-p: specifies the range of ports to scan (31000-32000).

💡
Tip: You can press the spacebar to track scan progress in percentages

The Result:

The results indicate that there are 5 open ports. The challenge description tells us that we want only the ports that SSL works on.

So we have ports 31518/tcp and 31790/tcp. Since only one server gives out the next credentials, it certainly won't be 31518/tcp, because nmap identified it as ssl/echo (meaning it repeats whatever is sent to it, like the echo command in Linux).

This means that the desired port is 31790/tcp; let's connect using:
openssl s_client -connect localhost:31790

After submitting the current level password the server replied with a private SSH key that we will use to connect to the next level.

💡
SSH refuses to use a private key file that is readable by others, so don't forget to restrict its permissions with chmod 600 sshkeyfile.
There is no password for level 17: we log in with the private SSH key we just received.

Bandit Level 17 → Level 18

Level Goal

There are 2 files in the home directory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new

NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19

Solution:

After login with bandit17 using:
SSH:ssh -i sshkey17.private bandit17@bandit.labs.overthewire.org -p 2220
Password:--------------------------------------------------------------

Simply, we can use the diff command on the two files.
The diff command is a Linux utility used to compare the contents of two files line by line and display the differences between them. It shows which lines are unique to each file and which lines are different between the files.

Output Explained

42c42: this indicates that line 42 of the first file (passwords.old) was changed (c) into line 42 of the second file (passwords.new).

< p6ggwdNHncnmCNxuAt0KtKVq185ZU7AW: This line represents the content of line 42 in passwords.old.

The < symbol: indicates that this line is present only in passwords.old.
---: This line separates the content of the two files being compared.

> hga5tuuCLF6fFzUpnagiMN8ssu9LFrdg: This line represents the content of line 42 in passwords.new.

The > symbol: indicates that this line is present only in passwords.new.

So, in summary, the output indicates that on line 42, the password p6ggwdNHncnmCNxuAt0KtKVq185ZU7AW in passwords.old has been changed to hga5tuuCLF6fFzUpnagiMN8ssu9LFrdg in passwords.new.

Below is the password for level 18.
hga5tuuCLF6fFzUpnagiMN8ssu9LFrdg

Bandit Level 18 → Level 19

Level Goal

The password for the next level is stored in a file readme in the home directory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

Solution:

After login with bandit18 using:
SSH:ssh bandit18@bandit.labs.overthewire.org -p 2220
Password:hga5tuuCLF6fFzUpnagiMN8ssu9LFrdg

As we saw in the previous level's note and this level's description, when you log in with the correct SSH credentials the server prints "Byebye!" and then terminates the connection.

Before trying to bypass this, we need to know what the .bashrc file is.
The .bashrc file is a shell script that is executed by the Bash shell whenever it starts an interactive session. It is typically used to configure the shell environment, set aliases, define functions, and customize the shell prompt.

In fact, we have more than one way to bypass this.
The first method is to pass a command to ssh, so that it runs directly instead of the interactive login session whose .bashrc logs us out, like the following:
ssh bandit18@bandit.labs.overthewire.org -p 2220 ls

As we see the ls command runs normally so we can extract the flag with a one-liner:
ssh bandit18@bandit.labs.overthewire.org -p 2220 'ls && cat readme'

💡
Using single quotes ' ' around the command ensures that the local shell treats the whole command as a single argument, so the && is evaluated on the remote side rather than locally.

The second method

is to ask ssh to run a shell directly (/bin/bash or /bin/sh) as the remote command, without executing any other command immediately. This effectively bypasses the modified .bashrc file that logs you out when you log in with SSH.

💡
When you specify the shell directly, it doesn't execute the user's .bashrc file or any other initialization scripts that might contain commands to log you out. Instead, it simply starts the shell and waits for further input. This allows you to gain access to the shell without being logged out immediately, allowing you to interact with the system and access the readme file to retrieve the password.
Below is the password for level 19.
awhqfNnAbc1naukrpqDYcF95h7HoMTrC

Bandit Level 19 → Level 20

Level Goal

To gain access to the next level, you should use the setuid binary in the home directory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

Solution:

After login with bandit19 using:
SSH:ssh bandit19@bandit.labs.overthewire.org -p 2220
Password:awhqfNnAbc1naukrpqDYcF95h7HoMTrC

In Linux, the setuid (set user ID) permission is a special permission that can be set on executable files. When an executable file has the setuid permission enabled, it runs with the privileges of the file's owner rather than the privileges of the user who executes it.

Here's how it works:

  1. Normal Execution: By default, when you execute an executable file, it runs with the privileges of the user who executes it. For example, if you run a program, it typically runs with your user privileges.

  2. Setuid Execution: When a file has the setuid permission set and it is executed, it runs with the privileges of the user who owns the file, instead of the user who executes it. This means that even if a regular user executes the file, it will run with the elevated privileges of the owner.

That means with this setuid file we can access the bandit20 user password file, which can only be read by the user bandit20.

Below is the password for level 20
VxCazJaVykI6W36BkBU0mJTCM8rR95XT

Bandit Level 20 → Level 21

Level Goal

There is a setuid binary in the home directory that does the following: it makes a connection to localhost on the port you specify as a command line argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: Try connecting to your own network daemon to see if it works as you think

Solution:

After login with bandit20 using:
SSH:ssh bandit20@bandit.labs.overthewire.org -p 2220
Password:VxCazJaVykI6W36BkBU0mJTCM8rR95XT

We need to set up a listener that replies with the bandit20 password when the setuid binary connects to it on the port we choose. We can do this with: echo 'VxCazJaVykI6W36BkBU0mJTCM8rR95XT' | nc -l -p 1337 & and then, in the same session, run the setuid binary with ./suconnect 1337; the binary reads the password from our listener, and the listener prints the password it sends back.

Below is the password for level 21.
NvEJF7oVjkddltPSrdKEFOllh9V1IBcq

Bandit Level 21 → Level 22

Level Goal

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

Solution:

After login with bandit21 using:
SSH:ssh bandit21@bandit.labs.overthewire.org -p 2220
Password:NvEJF7oVjkddltPSrdKEFOllh9V1IBcq

After navigating to /etc/cron.d/ we find a cronjob file for several levels; since we need the next level's password, we check cronjob_bandit22.

It defines a cron job that runs a script named cronjob_bandit22.sh as the user bandit22. This script does two things:

  1. Changes the permissions of a file named /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv to read and write for the owner and read only for others.

  2. Copies the contents of the file /etc/bandit_pass/bandit22 into the /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv file.

So, the script is essentially copying the password for the next level (bandit22) into a temporary file. That is the whole weakness here: a job running as bandit22 writes its secret into a world-readable file under /tmp, so any user on the system can read it.

Below is the password for level 22.
WdDozAdTM2z9DiFEQ2mGlwngMfj4EZff

Bandit Level 22 → Level 23

Level Goal

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.

Solution:

After login with bandit22 using:
SSH:ssh bandit22@bandit.labs.overthewire.org -p 2220
Password:WdDozAdTM2z9DiFEQ2mGlwngMfj4EZff

Same as the last level, we check the cron job of the next level,

and then the /usr/bin/cronjob_bandit23.sh script that it runs every 5 minutes every day.

  1. It retrieves the username of the current user by using the whoami command and stores it in the variable myname.

  2. It creates a hash of the string "I am user {username}" using the MD5 algorithm. This string includes the username obtained in step 1. The hash is stored in the variable mytarget.

  3. It echoes a message indicating that it's copying a password file from /etc/bandit_pass/ directory. The filename is based on the current user's name and the hash generated in step 2.

  4. It copies the contents of the password file corresponding to the current user from /etc/bandit_pass/ to a temporary file in the /tmp/ directory. The name of the temporary file is based on the hash generated in step 2.

So we can simply compute the filename that holds the next level's password by running the same derivation with bandit23's name: echo I am user bandit23 | md5sum | cut -d ' ' -f 1, and then read the file with that name under /tmp/.

Below is the password for level 23.
QYw0Y2aiA672PsMmh9puTQuhoz8SyR2G

Bandit Level 23 → Level 24

Level Goal

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!

NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…

Solution:

After login with bandit23 using:
SSH:ssh bandit23@bandit.labs.overthewire.org -p 2220
Password:QYw0Y2aiA672PsMmh9puTQuhoz8SyR2G

As usual, I displayed the cron job script of bandit24.

This Bash script retrieves the current user's name and navigates to a (/var/spool/bandit24/foo) directory. It iterates over all files in the directory, executing scripts owned by "bandit23" with a timeout of 60 seconds, then deletes them.

As we know, the bandit24 password is in /etc/bandit_pass/bandit24 and is only accessible by bandit24, and the cron job script runs with bandit24's privileges (it's obvious).
Well, why don't we use this script to dump the password for us, since it executes all files in /var/spool/bandit24/foo before deleting them?

to do that we simply:

  1. Create a directory to redirect the password to. Mine is /tmp/amrmoadel; make sure bandit24 can write into it, since the cron job (running as bandit24), not you, writes the file.

  2. Create a file with nano or Vim.

  3. In this file, write the following lines:

       #!/bin/bash
       cat /etc/bandit_pass/bandit24 > /tmp/amrmoadel/password

  4. Save the script, then make it executable with chmod +x scriptName

  5. Copy the script to /var/spool/bandit24/foo with the cp command

  6. Wait a minute, then retrieve the password with cat /tmp/amrmoadel/password

Below is the password for level 24.
VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar

Bandit Level 24 → Level 25

Level Goal

A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.
You do not need to create new connections each time

Solution:

After login with bandit24 using:
SSH:ssh bandit24@bandit.labs.overthewire.org -p 2220
Password:VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar

As explained in the description, if we try to contact the daemon via nc localhost 30002, a message will appear telling us that it wants the bandit24 password and the correct PIN Code in one line.

Well, now it doesn't make sense to do this manually, so we will automate this process using a simple bash script:

This script prints every possible combination: the bandit24 password followed by a 4-digit pincode (0000 to 9999), one per line.

I redirected the output to a list.txt file so you can follow along:

After that, we run ./brute.sh | nc localhost 30002 | grep -v "Wrong!": each line is sent to the daemon over a single connection, and grep -v "Wrong!" filters out the responses for incorrect pincodes, leaving only the reply for the correct one.

Wait a little bit... and voilà, the next-level password.

Below is the password for level 25.
p7TaowMYrmu23Ol8hiZh9UvD0O9hpx8d

Bandit Level 25 → Level 26

Level Goal

Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.

Solution:

After login with bandit25 using:
SSH:ssh bandit25@bandit.labs.overthewire.org -p 2220
Password:p7TaowMYrmu23Ol8hiZh9UvD0O9hpx8d

The description tells us that the shell is not /bin/bash; let's figure out what it is.
The /etc/passwd file in Unix-like systems stores user account information, including usernames, hashed passwords (nowadays replaced with 'x' or '*'), user and group IDs, home directories, and default shells, facilitating user authentication and login processes.

So we can run cat /etc/passwd piped through grep bandit26 to filter the result:

As it turns out, the login shell of bandit26 is a script called showtext that runs more ~/text.txt and then exits. There is also an SSH key in the home directory, but if you connect with it the connection is closed immediately.

To bypass this we need to understand something important about the more command that runs as soon as we connect to bandit26.
The more command displays the contents of a file one screen at a time, allowing scrolling through the text using the spacebar. It's useful for viewing large files without overwhelming the terminal.

This explains why the connection is closed every time we try to connect: the ~/text.txt file is too short to fill the screen, so more prints it all and exits without waiting for input.

This is the trick we will use: we shrink the terminal window enough that the text no longer fits, so more pauses and waits for input.

Now type v to open Vim from within more; from there you can set the shell back to /bin/bash or retrieve the password directly:

Below is the password for level 26.
c7GvcKlw9mC7aUQaPx7nwFstuAIBw1o1

Bandit Level 26 → Level 27

Level Goal

Good job getting a shell! Now hurry and grab the password for bandit27!

Solution:

After login with bandit26 using:
SSH:ssh bandit26@bandit.labs.overthewire.org -p 2220
Password:c7GvcKlw9mC7aUQaPx7nwFstuAIBw1o1

After listing the bandit26 home directory, we find a setuid file called bandit27-do.

Using ./bandit27-do cat /etc/bandit_pass/bandit27 displays the bandit27 password directly:

Below is the password for level 27.
YnQpBuifNMas1hcUFk70ZmqkhUU2EuaS

Bandit Level 27 → Level 28

Level Goal

There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo via the port 2220. The password for the user bandit27-git is the same as for the user bandit27.

Clone the repository and find the password for the next level.

Solution:

After login with bandit27 using:
SSH:ssh bandit27@bandit.labs.overthewire.org -p 2220
Password:YnQpBuifNMas1hcUFk70ZmqkhUU2EuaS

Git is a distributed version control system used for tracking changes in source code during software development. It allows multiple developers to collaborate on a project, keeping track of every modification made to the codebase. Git stores this information in a repository, which can be hosted locally or on a remote server like GitHub, GitLab, or Bitbucket.

Here are the top essential Git commands you might need:

  1. git init: Initializes a new Git repository.

  2. git clone: Creates a copy of an existing repository.

  3. git add: Stages changes for the next commit.

  4. git commit: Records changes to the repository with a message.

  5. git pull: Fetches and merges changes from a remote repository.

  6. git push: Sends committed changes to a remote repository.

  7. git log: Displays the commit history of the repository.

  8. git show: Shows information about a specific commit.

  9. git branch: Lists, creates, or deletes branches.

  10. git checkout: Switches branches or restores working tree files.

So now all we need is to clone this repository using: git clone ssh://bandit27-git@localhost:2220/home/bandit27-git/repo

Then enter the repo directory and view the README file.

Below is the password for level 28.
AVanL161y9rsbcJIsFHuw35rjaOM19nR

Bandit Level 28 → Level 29

Level Goal

There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo via the port 2220. The password for the user bandit28-git is the same as for the user bandit28.

Clone the repository and find the password for the next level.

Solution:

After login with bandit28 using:
SSH:ssh bandit28@bandit.labs.overthewire.org -p 2220
Password:AVanL161y9rsbcJIsFHuw35rjaOM19nR

After cloning the bandit28-git repo, I found a README file written in Markdown. Inside it are the bandit29 credentials, but the password is hidden.

So I used git log to show the commit log and found that, in the commit before the last one, the developer had leaked the credentials by mistake and then fixed that in the last commit.

So I simply used git show on the commit that caused the credentials leak; removing a secret in a later commit does not remove it from the history.

Below is the password for level 29.
tQKvmcwNYcFS6vmPHIUSI3ShmsrQZK8S

Bandit Level 29 → Level 30

Level Goal

There is a git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo via the port 2220. The password for the user bandit29-git is the same as for the user bandit29.

Clone the repository and find the password for the next level.

Solution:

After login with bandit29 using:
SSH:ssh bandit29@bandit.labs.overthewire.org -p 2220
Password:tQKvmcwNYcFS6vmPHIUSI3ShmsrQZK8S

Same as the last level, we start by cloning the repo and then check its contents.

In software development, there are different environments where different stages of the software lifecycle take place.

  1. Development Environment: This is where software developers write, test, and debug code. It's a controlled environment where developers have the freedom to experiment without affecting the live or production system. Development environments typically mirror the production environment as closely as possible to minimize surprises when deploying code to production.

  2. Production Environment: This is the live environment where the final, stable version of the software is deployed and used by end users. Production environments require a high level of stability, reliability, and security since they directly impact users' experiences. Changes to the production environment should be carefully planned, tested, and deployed to minimize disruptions and avoid introducing bugs or vulnerabilities.

So we notice the hint: the password field says "no passwords in production". The password may be in another environment, or "branch" in Git terms.

To find out, we can use two of the essential commands listed in bandit27: git branch and git checkout (after a fresh clone, git branch -a is needed to list the remote-tracking branches as well).

As we expected, there is a branch called dev related to the development environment. Now we can use git checkout dev to switch our local repo to the dev branch.

Below is the password for level 30.
xbhV3HpNGlTIdnjUrdAlPzc2L6y9EOnS

Bandit Level 30 → Level 31

Level Goal

There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo via the port 2220. The password for the user bandit30-git is the same as for the user bandit30.

Clone the repository and find the password for the next level.

Solution:

After login with bandit30 using:
SSH:ssh bandit30@bandit.labs.overthewire.org -p 2220
Password:xbhV3HpNGlTIdnjUrdAlPzc2L6y9EOnS

As usual, after cloning the repo the README file gives us nothing useful.

In Git, a "tag" is a way to mark a specific commit as significant or noteworthy in some way. It's commonly used to label important milestones, releases, or versions of a project. Tags are immutable references to specific commits and serve as a convenient way to reference specific points in the project's history.

So, let's check the tags of this repo. Indeed, there is a tag called secret; we can view its content using git show secret.

Below is the password for level 31.
OoffzGDlzhAlerFJ2cAiz1D41JW1Mhmt
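
The three leaks from levels 28 to 30 (a secret "removed" in a later commit, a secret living only on a dev branch, and a tag pointing straight at a blob) reproduced in a throwaway local repository and then found by one scan over every ref. This is an added example, not part of the walkthrough or of the Bandit levels; it assumes git is installed, and every password in it is a constructed placeholder.

```shell
#!/bin/sh
# Added example: rebuild the level 28-30 leak patterns in a throwaway repo and
# scan every ref for password-looking strings. All values are constructed.
set -eu

build_leaky_repo() {            # $1 = path for a new repository
  dir=$1
  git init -q "$dir"
  git -C "$dir" symbolic-ref HEAD refs/heads/master   # fixed branch name
  git -C "$dir" config user.name dev
  git -C "$dir" config user.email dev@example.invalid
  # Level 28 pattern: credentials committed, then "fixed" in a later commit.
  printf 'password: leaked-in-history-constructed\n' > "$dir/README.md"
  git -C "$dir" add README.md
  git -C "$dir" commit -q -m 'add credentials'
  printf 'password: <no passwords in production!>\n' > "$dir/README.md"
  git -C "$dir" commit -q -a -m 'fix info leak'      # old blob is still reachable
  # Level 29 pattern: the secret only exists on the dev branch.
  git -C "$dir" checkout -q -b dev
  printf 'password: dev-branch-constructed\n' > "$dir/README.md"
  git -C "$dir" commit -q -a -m 'dev credentials'
  git -C "$dir" checkout -q master
  # Level 30 pattern: a tag that points straight at a blob no commit references.
  blob=$(printf 'password: tag-blob-constructed\n' | git -C "$dir" hash-object -w --stdin)
  git -C "$dir" tag secret "$blob"
}

find_secrets() {                # $1 = repo path; prints one match per line
  dir=$1
  git -C "$dir" for-each-ref --format='%(objectname)' |  # every branch and tag tip
  while read -r tip; do
    if [ "$(git -C "$dir" cat-file -t "$tip")" = blob ]; then
      echo "$tip"               # tag -> blob: a commit walk would never see it
    else
      git -C "$dir" rev-list --objects "$tip" | cut -d' ' -f1
    fi
  done | sort -u | while read -r sha; do
    [ "$(git -C "$dir" cat-file -t "$sha")" = blob ] || continue
    git -C "$dir" cat-file -p "$sha" | grep -Eo 'password: [A-Za-z0-9_-]+' || true
  done | sort -u
}

if [ "${1:-}" = demo ]; then    # usage: sh leaks.sh demo
  tmp=$(mktemp -d)
  build_leaky_repo "$tmp"
  find_secrets "$tmp"           # three constructed passwords; the "fixed" line never matches
  rm -rf "$tmp"
fi
```

The scan walks objects from every ref rather than only from HEAD, which is why it still sees the blob of the "add credentials" commit and the blob behind the secret tag.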

Bandit Level 31 → Level 32

Level Goal

There is a git repository at ssh://bandit31-git@localhost/home/bandit31-git/repo via the port 2220. The password for the user bandit31-git is the same as for the user bandit31.

Clone the repository and find the password for the next level.

Solution:

After login with bandit31 using:
SSH:ssh bandit31@bandit.labs.overthewire.org -p 2220
Password:OoffzGDlzhAlerFJ2cAiz1D41JW1Mhmt

As we can see in the README file we need to push a new file called key.txt which contains "May I come in?"

To do this, we need to create the desired file (you can use nano as usual).

  1. Then git add -f key.txt to add the file to the staging area, overriding any .gitignore rule that would otherwise exclude it.

  2. Then commit the changes with git commit -a.

  3. Finally, use the git push command to push the committed changes to the remote repository's "master" branch.

After that, you will be asked to enter the bandit31-git password.

Below is the password for level 32.
rmCBvG56y58BXzv98yZGdO7ATVL5dW8y

Bandit Level 32 → Level 33

Level Goal

After all this git stuff it's time for another escape. Good luck!

Solution:

After login with bandit32 using:
SSH: ssh bandit32@bandit.labs.overthewire.org -p 2220
Password: rmCBvG56y58BXzv98yZGdO7ATVL5dW8y

As we can see, the name explains what the shell we logged into does: it turns every command into uppercase letters. Shell commands are case-sensitive, so the most we can do is print the environment variables, because their names are written in uppercase.

Here are some common environment variables found in Unix-like operating systems:

  1. PATH: Specifies the directories where executable files are located. When you type a command in the shell, the system searches the directories listed in the PATH variable for an executable file with the same name as the command.

  2. HOME: Points to the user's home directory, where their files and settings are stored.

  3. USER: Stores the username of the current user.

  4. SHELL: Specifies the default shell for the user.

  5. PWD: Stores the current working directory.

  6. LANG: Specifies the default language and localization settings.

  7. TERM: Specifies the terminal type or emulation.

Did we miss one? Yes: $0.
$0 is a special shell parameter (not strictly an environment variable) that holds the name of the currently executing script or program. It is also known as the "zeroth argument" or "script name". When you run a script or program from the command line, $0 is set to the name of the script or program being executed. For example, if you execute a script named myscript.sh, $0 will be myscript.sh.

When you type $0, the uppercase conversion leaves it unchanged (there are no letters to convert), and the underlying shell expands it to its own name, so you end up running the shell itself. That shell applies no uppercase conversion to its input, allowing you to run commands normally.

I checked which shell was running with echo $SHELL: it is a binary called uppershell.
So I changed the SHELL variable to /bin/bash to return everything to normal.

We then notice that we have permission to read the /etc/bandit_pass/bandit33 file, which contains the password for the last level.

After we got the last password, we can log in to the final level the same way:

SSH: ssh bandit33@bandit.labs.overthewire.org -p 2220

Password: the value read from /etc/bandit_pass/bandit33

I enjoyed this game and I hope you enjoyed reading it too.
