Bandit [Overthewire]
I started the challenge during MCO (movement control order) in Malaysia, Sadly, I didn’t save my blog post and had to redo all of it…
@ level 26 - 11 Sept 2020
@ level 34 - 14 Sept 2020
The challenge seems to stop at level 34 as of 14 Sept 2020
More elaborations and references will be added when I have the time to do so.
Bandit Level 0
The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0
Clue: ssh
Bandit Level 1
pwd: bandit0
The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.
Clue: ls, catPayload
2. cat [file]
Bandit Level 2
pwd: boJ9jbbUNNfktd78OOpsqOltutMc3MY1
The password for the next level is stored in a file called - located in the home directory
Clue: find, catPayload
2. cat [file]
Bandit Level 3
pwd: CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
The password for the next level is stored in a file called spaces in this filename located in the home directory
Clue: ls, cat, tab key :)Payload
2. cat [file]
Bandit Level 4
pwd: UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
The password for the next level is stored in a hidden file in the inhere directory.
Clue: cd, find, catPayload
2. find .
3. cat [file]
Bandit Level 5
pwd: pIwrPrtPN36QITSp3EQaw936yaFoFgAB
The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.
Clue: cd, find, catPayload
2. find .
3. cat [file] (repeat till you find the one)
Bandit Level 6
pwd: koReBOKuIDDepwhWk7jZC0RTdopnAYKh
The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:
human-readable,
1033 bytes in size,
not executable,
Clue: cd, find, catPayload
2. find -readable -size 1033c ! -executable
3. cat [file]
Bandit Level 7
pwd: DXjZPULLxYr17uwoI01bNLQbtFemEgo7
The password for the next level is stored somewhere on the server and has all of the following properties:
owned by user bandit7,
owned by group bandit6,
33 bytes in size
Clue: cd, find, catPayload
2. find / -user [username] -group [groupname] -size 33c
3. cat [file]
Bandit Level 8
pwd: HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
The password for the next level is stored in the file data.txt next to the word millionth
Clue: cat, grepPayload
2. cat [file] | grep "millionth"
Bandit Level 9
pwd: cvX2JJa4CFALtqS87jk27qwqGhBM9plV
The password for the next level is stored in the file data.txt and is the only line of text that occurs only once
Clue: sort, uniqPayload
2. sort [file] | uniq -u
Bandit Level 10
pwd: UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.
Clue: strings, grepPayload
2. strings [file] | grep "="
Bandit Level 11
pwd: truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
The password for the next level is stored in the file data.txt, which contains base64 encoded data
Clue: base64Payload
2. base64 -d [file]
Bandit Level 12
pwd: IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions
Clue: rot13 by using trPayload
2. cat data.txt | tr "n-za-mN-ZA-M" "a-zA-z" ** not "n-zA-MN-Za-m" but "n-za-mN-ZA-M"
Bandit Level 13
pwd: 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)
Clue: file, xxd, zcat, bunzip2, tarPayload
2. cp data.txt /tmp/[dir name] 3. file /tmp/[dir name]/data.txt ** hint - data.txt is a hexdump 4. xxd -r /tmp/[dir name]/data.txt > /tmp/[dir name]/data.bin 5. file /tmp/[dir name]/data.bin 6. zcat /tmp/[dir name]/data.bin > /tmp/[dir name]/data2.bin 7. file /tmp/[dir name]/data2.bin 8. bunzip2 /tmp/[dir name]/data2.bin 9. file /tmp/[dir name]/data2.bin.out 10. zcat /tmp/[dir name]/data2.bin.out > /tmp/[dir name]/data4.bin 11. file /tmp/[dir name]/data4.bin 12. tar -C /tmp/[dir name] -xvf /tmp/[dir name]/data4.bin 13. file /tmp/[dir name]/data5.bin 14. tar -C /tmp/[dir name] -xvf /tmp/[dir name]/data5.bin 15. file /tmp/[dir name]/data6.bin 16. bunzip2 /tmp/[dir name]/data6.bin 17. file /tmp/[dir name]/data6.bin.out 18. tar -C /tmp/[dir name] -xvf /tmp/[dir name]/data6.bin.out 19. file /tmp/[dir name]/data8.bin 20. zcat /tmp/[dir name]/data8.bin > /tmp/[dir name]/data9.bin 21. file /tmp/[dir name]/data9.bin 22. cat /tmp/[dir name]/data9.bin
Bandit Level 14
pwd: 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on
Clue: sshPayload
2. ssh -i [private key] bandit14@localhost 3. cat [file]
Bandit Level 15
pwd: 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
Clue: nc, echoPayload
or
1. open 2 terminal window, one for listening and the other to connect and send the password
Bandit Level 16
pwd: BfMYroe26WYalil77FoDi9qh59eK5xNr
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…
Clue: openssl, s_clientPayload
2. paste password
Bandit Level 17
pwd: cluFn7wTiGryunymYOu4RcffSxQluehd
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
Clue: nmapPayload
2. openssl s_client localhost:[port]
3. paste password
Bandit Level 18
private key
***** remember to chmod (set permission)
There are 2 files in the home directory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new
NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19
Clue: diffPayload
Bandit Level 19
pwd: kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
Clue: catPayload
Bandit Level 20
pwd: IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.
Clue: setuidPayload
2. ./[filename] cat [password file]
Bandit Level 21
pwd: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.
Clue: unix job control, ps,Payload
or
1. echo [password] | nc -l localhost -p [port] &
2. ps aux to check if ^ running in the background
3. ./suconnect [port]
Bandit Level 22
pwd: gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
Clue: ls, catPayload
2. cat cronjob_bandit[number]
3. cat [file]
4. cat [file]
Bandit Level 23
pwd: Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
Clue: -Payload
2. cat /etc/crin.d/[file]
3. cat [shell script]
4. echo ..... bandit23 | md5sum | cut -d ' ' -f 1
5. cat /tmp/[^ result above]
Bandit Level 24
pwd: jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…
Clue: chmod, /tmp/, cpPayload
2. cat /etc/crin.d/[file]
3. cat [shell script]
4. mkdir /tmp/[dir name] && cd /tmp/[dir name]
5. vim [your script] press escape then :wq to write and quit
6. chmod 777 [your script] to make it executable 7. touch [filename] for your password in your /tmp/[dir name] 8. chmod 666 [filename] to make it writeable 9. cp [your script] /var/spool/bandit24 since only bandit 24 can access bandit24 password shell script
Bandit Level 25
pwd: UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.
Clue: python socketsPayload
Bandit Level 26
pwd: uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.
Clue: /etc/passwd/, morePayload
2. cat [file]
3. minimize terminal window to trigger more
4. once triggered more, press v to trigger vim
5. :r /etc/bandit_pass/bandit26
Bandit Level 27
pwd: 5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z
Good job getting a shell! Now hurry and grab the password for bandit27!
Clue: bandit25, set shellPayload
2. :set shell=/bin/bash
3. :shell or :sh
4. ls
5. ./[script] cat /etc/bandit_pass/bandit27
Bandit Level 28
pwd: 3ba3118a22e93127a4ed485be72ef5ea
There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo. The password for the user bandit27-git is the same as for the user bandit27.
Clone the repository and find the password for the next level.
Clue: git clonePayload
2. cd /tmp/[dir name]
3. ls
4. cat [file]
Bandit Level 29
pwd: 0ef186ac70e04ea33b4c1853d2526fa2
There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo. The password for the user bandit28-git is the same as for the user bandit28.
Clone the repository and find the password for the next level.
Clue: log, resetPayload
2. cd /tmp/[dir name]
3. ls
4. cat [file]
5. git log
6. git reset [commit hash]
7. cat [file]
Bandit Level 30
pwd: bbc96594b4e001778eee9975372716b2
There is a git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo. The password for the user bandit29-git is the same as for the user bandit29.
Clone the repository and find the password for the next level.
Clue: git branchPayload
2. cd /tmp/[dir name]
3. ls
4. cat [file]
5. git branch -a
6. git pull origin [remote branch name]
7. ls
8. cat [file]
Bandit Level 31
pwd: 5b90576bedb2cc04c86a9e924ce42faf
There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo. The password for the user bandit30-git is the same as for the user bandit30.
Clone the repository and find the password for the next level.
Clue: git tag, git blob, git gcPayload
2. cd /tmp/[dir name]
3. ls
4. cat [file]
5. git tag
6. try git checkout [tag name]^ and git checkout [tag name]~1
7. ls .git/objects -type f
8. git verify-pack -v .git/objects/pack/[pack name].idx
9. git gc
10. try git checkout [tag name]
11. git diff [tag name] [file]
Bandit Level 32
pwd: 47e603bb428404d265f59c42920d81e5
There is a git repository at ssh://bandit31-git@localhost/home/bandit31-git/repo. The password for the user bandit31-git is the same as for the user bandit31.
Clone the repository and find the password for the next level.
Clue: .gitignorePayload
2. cd /tmp/[dir name]
3. ls
4. cat [file]
5. vim [file]
6. git add [file] -f
7. git status
8. git commit -m "[commit message]"
9. git push -u origin master
Bandit Level 33
pwd: 56a9bf19c63d650ce78e6ec0354ee45e
After all this git stuff its time for another escape. Good luck!
Clue: bash special parameterPayload
2. cat /etc/bandit_pass/bandit33
Bandit Level 34 TBC
pwd: c9c3199ddf4121b10cf581a98d51caee
...
Clue: