Bandit - Overthewire.org/wargames

https://overthewire.org/wargames/bandit/bandit0.html

ssh bandit[level#]@bandit.labs.overthewire.org -p 2220

pass -> flag found in previous level

Basics

• Level 0

  • The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.

    • ssh bandit0@bandit.labs.overthewire.org -p 2220

    • bandit0

• Level 0 → Level 1

  • The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.

    • ls

    • cat readme

      • NH2SXQwcBdpmTEzi3bvBHMM9H66vVXjL

• Level 1 → Level 2

  • The password for the next level is stored in a file called - located in the home directory

    • ls

    • cat ./- (As if we are trying to run the "-" file)

      • rRGizSaX8Mk1RTb1CNQoXTcYZWU6lgzi

• Level 2 → Level 3

  • The password for the next level is stored in a file called spaces in this filename located in the home directory

    • ls

    • cat spaces\ in\ this\ filename

      • aBZ0W5EmUfAf7kHTQeOwd8bauFJ2lAiG

• Level 3 → Level 4

  • The password for the next level is stored in a hidden file in the inhere directory.

    • ls

    • cd inhere

    • ls -la

    • cat .hidden

      • 2EW7BBsr6aMMoJ2HjW067dm8EgX26xNe

• Level 4 → Level 5

  • The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.

    • ls

    • cd inhere

    • ls -la

    • cat ./-file07

      • lrIWWI6bB37kxfiCQZqUdOIYfr6eEeqR

• Level 5 → Level 6

  • The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:

    • human-readable

    • 1033 bytes in size

    • not executable

      • cd inhere

      • find . -type f -size 1033c

      • cat ./maybehere07/.file2

        • P4L4vucdmLnm8I7Vl7jG1ApGSfjYKqJU

• Level 6 → Level 7

  • The password for the next level is stored somewhere on the server and has all of the following properties:

    • owned by user bandit7

    • owned by group bandit6

    • 33 bytes in size

      • find / -type f -user bandit7 -group bandit6 -size 33c

      • /var/lib/dpkg/info/bandit7.password

      • cat /var/lib/dpkg/info/bandit7.password

        • z7WtoNQU2XfjmMtWA8u5rN4vzqu4v99S

• Level 7 → Level 8

  • The password for the next level is stored in the file data.txt next to the word millionth

    • cat data.txt | grep millionth

      • millionth TESKZC0XvTetK0S9xNwm25STk5iWrBvP

• Level 8 → Level 9

  • The password for the next level is stored in the file data.txt and is the only line of text that occurs only once

    • sort data.txt | uniq -c

      • EN632PlfYiZbn3PhVK3XOGSlNInNE00t

• Level 9 → Level 10

  • The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.

    • strings data.txt | grep "="

      • G7w8LIi6J3kTb8A7j9LgrywtEUlyyp6s

Encoded

• Level 10 → Level 11

  • The password for the next level is stored in the file data.txt, which contains base64 encoded data

    • base64 -d data.txt

      • 6zPeziLdR2RKNdNYFNb6nVCKzphlXHBM

• Level 11 → Level 12

  • The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions

    • ROT Cipher -> https://www.dcode.fr/rot-cipher

      • JVNBBFSmZwKKOP0XbFXOoW8chDz5yVRv

• Level 12 → Level 13

  • The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)

    • mkdir /tmp/alv

    • cp data.txt /tmp/alv

    • cd /tmp/alv

    • xxd -r data.txt > alv

    • file alv -> "alv: gzip compressed data"

    • mv alv alv.gz

    • gzip -d alv.gz

    • file alv -> "alv: bzip2 compressed data"

    • mv alv alv.bz2

    • bzip2 -d alv.bz2

    • file alv

    • mv alv alv.tar

    • tar xf alv.tar

    • file data5.bin

    • ....

      • wbWdlBxEir4CaE8LaPhauuOo6pwRmrDw

SSH and SSL

• Level 13 → Level 14

  • The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on

    • ssh -i sshkey.private bandit14@localhost -p 2220

    • cat /etc/bandit_pass/bandit14

      • fGrHPx402xGC7U7rXKDaxiWFTOiF0ENq

• Level 14 → Level 15

  • The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

    • nc localhost 30000

    • fGrHPx402xGC7U7rXKDaxiWFTOiF0ENq

      • jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt

• Level 15 → Level 16

  • The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

    Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…

    • ncat --ssl localhost 30001

    • jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt

      • JQttfApK4SeyHwDlI9SXGR50qclOAil1

• Level 16 → Level 17

  • The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

    • nmap localhost -p 31000-32000 -> 5 ports opened

    • ncat --ssl localhost 31790

      • Copy the RSA private key into a .txt file

    • ssh -i pass17.txt bandit17@bandit.labs.overthewire.org -p 2220 -> "permission 0644 for 'pass17.txt' are too open"

    • chmod 400 pass17.txt

    • ssh -i pass17.txt bandit17@bandit.labs.overthewire.org -p 2220

    • cat /etc/bandit/bandit_pass/bandit17

      • VwOSWtCA7lRKkTfbr2IDh6awj9RNZM5e

• Level 17 → Level 18

  • There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new

    NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19

    • diff passwords.new passwords.old

      • hga5tuuCLF6fFzUpnagiMN8ssu9LFrdg

• Level 18 → Level 19

  • The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

    • ssh -t bandit18@bandit.labs.overthewire.org -p 2220 '/bin/sh'

    • hga5tuuCLF6fFzUpnagiMN8ssu9LFrdg

    • cat readme

      • awhqfNnAbc1naukrpqDYcF95h7HoMTrC

SUID

• Level 19 → Level 20

  • To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

    • ./bandit20-do

    • ./bandit20-do id

    • ./bandit20-do cat /etc/bandit_pass/bandit20

      • VxCazJaVykI6W36BkBU0mJTCM8rR95XT

• Level 20 → Level 21

  • There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

    NOTE: Try connecting to your own network daemon to see if it works as you think

    • ./suconnect

    • (new bandit20 tab) nc localhost -l 4444

    • (old bandit20 tab) ./suconnect 4444

    • (new bandit20 tab) VxCazJaVykI6W36BkBU0mJTCM8rR95XT

      • NvEJF7oVjkddltPSrdKEFOllh9V1IBcq

Cron

• Level 21 → Level 22

  • A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

    • cd /etc/cron.d

    • ls -la

    • cat cronjob_bandit22

    • cat /usr/bin/cronjob_bandit22.sh

#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

• cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

  • WdDozAdTM2z9DiFEQ2mGlwngMfj4EZff

• Level 22 → Level 23

  • A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

    NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.

    • cd /etc/cron.d

    • cat cronjob_bandit23

    • cat usr/bin/cronjob_bandit23.sh

#!/bin/bash
myname=$(whoami) mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget

• . usr/bin/cronjob_bandit23.sh

• myname=bandit23

• $myname

• echo I am user $myname | md5sum | cut -d ' ' -f 1

• cat /tmp/8ca319486bfbbc3663ea0fbe81326349

  • QYw0Y2aiA672PsMmh9puTQuhoz8SyR2G

• Level 23 → Level 24

  • A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

    NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!

    NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…

    • cd /etc/cron.d/

    • cat cronjob_bandit24

    • cat /usr/bin/cronjob_bandit24.sh

#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname/foo
echo "Executing and deleting all scripts in /var/spool/$myname/foo:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        owner="$(stat --format "%U" ./$i)"
        if [ "${owner}" = "bandit23" ]; then
            timeout -s 9 60 ./$i
        fi
        rm -f ./$i
    fi
done

• cd /var/spool/bandit24

• ls -la

  • Permission denied

• cd tmp

• mkdir alv

• cd alv

• echo "cat /etc/bandit_pass/bandit24 > /tmp/alv/password.txt" > script_alv.sh

• chmod 777 script_alv.sh

• touch password.txt

• chmod 777 password.txt

• cp script_alv.sh /var/spool/bandit24/foo

  • Wait for 1 minute

• cat password.txt

  • VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar

Ncat Python

• Level 24 → Level 25

  • A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing. You do not need to create new connections each time.

    • nc localhost 30002

    • Paste VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 6789

      • Invalid code

    • echo "[below text code]" > file.sh

      • if not working remove the "#!/bin/bash" part

#!/bin/bash

bandit24pass=VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar

for i in {0000..9999};
do
        echo "$bandit24pass $i"
done | nc localhost 30002

• ./file.sh

• p7TaowMYrmu23Ol8hiZh9UvD0O9hpx8d

VIM

• Level 25 → Level 26

  • Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.

    • cat /etc/passwd | grep bandit26

    • cat /usr/bin/showtext

    • ssh -i bandit26.sshkey bandit26@localhost -p2220

      • make the window small, so the "--More -- (X%)" appears

    • type v -> VIM editor is opened

      • return screen to normal size

    • :set shell=/bin/bash

    • :shell

    • cat /etc/bandit_pass/bandit26

      • c7GvcKlw9mC7aUQaPx7nwFstuAIBw1o1

• Level 26 → Level 27

  • Good job getting a shell! Now hurry and grab the password for bandit27!

    • ls

    • ./bandit27-do

    • ./bandit27-do cat /etc/bandit_pass/bandit27

      • YnQpBuifNMas1hcUFk70ZmqkhUU2EuaS

Git

• Level 27 → Level 28

  • There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo via the port 2220. The password for the user bandit27-git is the same as for the user bandit27.

    Clone the repository and find the password for the next level.

    • mkdir /tmp/alv27

    • cd /tmp/alv27

    • git clone ssh://bandit27-git@localhost:2220/home/bandit27-git/repo

    • cd repo

    • cat README

      • AVanL161y9rsbcJIsFHuw35rjaOM19nR

• Level 28 → Level 29

  • There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo via the port 2220. The password for the user bandit28-git is the same as for the user bandit28.

    Clone the repository and find the password for the next level.

    • mkdir /tmp/alv28

    • cd /tmp/alv28

    • git clone ssh://bandit28-git@localhost:2220/home/bandit28-git/repo

    • cd repo

    • cat README.md

      • Info was removed

    • git log

    • git checkout f08b9cc63fa1a4602fb065257633c2dae6e5651b

    • cat README.md

      • tQKvmcwNYcFS6vmPHIUSI3ShmsrQZK8S

• Level 29 → Level 30

  • There is a git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo via the port 2220. The password for the user bandit29-git is the same as for the user bandit29.

    Clone the repository and find the password for the next level.

    • mkdir /tmp/alv29

    • cd /tmp/alv29

    • git clone ssh://bandit29-git@localhost:2220/home/bandit29-git/repo

    • cd repo

    • cat README.md

      • No info

    • git branch -r

    • git checkout dev

    • cat README.md

      • xbhV3HpNGlTIdnjUrdAlPzc2L6y9EOnS

• Level 30 → Level 31

  • There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo via the port 2220. The password for the user bandit30-git is the same as for the user bandit30.

    Clone the repository and find the password for the next level.

    • mkdir /tmp/alv30

    • cd /tmp/alv30

    • git clone ssh://bandit30-git@localhost:2220/home/bandit30-git/repo

    • cd repo

    • cat README.md

      • "empty file"

    • git tag

    • git show secret

      • OoffzGDlzhAlerFJ2cAiz1D41JW1Mhmt

• Level 31 → Level 32

  • There is a git repository at ssh://bandit31-git@localhost/home/bandit31-git/repo via the port 2220. The password for the user bandit31-git is the same as for the user bandit31.

    Clone the repository and find the password for the next level.

    • mkdir /tmp/alv31

    • cd /tmp/alv31

    • git clone ssh://bandit31-git@localhost:2220/home/bandit31-git/repo

    • cd repo

    • cat README.md

      • File is in a remote repository

    • cat .gitignore

    • rm .gitignore

    • echo "May I come in?" > key.txt

    • git add key.txt

    • git commit -m "new commit"

    • git push

      • rmCBvG56y58BXzv98yZGdO7ATVL5dW8y

Shell

• Level 32 → Level 33

  • After all this git stuff its time for another escape. Good luck!

    • $0

    • export SHELL=/bin/bash

    • $SHELL

    • cat /etc/bandit_pass/bandit33

      • odHo63fHiFqcWWJG9rLiLDtPm45KzUKy

• Level 33 → Level 34

  • At this moment, level 34 does not exist yet.