Walkthrough of the bandit wargame at overthewire.org
Link to wargame: http://overthewire.org/wargames/bandit/
ssh -p 2220 bandit0@bandit.labs.overthewire.org bandit0 cat readme # dispays the contents of the readme file in the home directory
ssh -p 2220 bandit0@bandit.labs.overthewire.org boJ9jbbUNNfktd78OOpsqOltutMc3MY1 cat ./- # Here the password is in the "-" file. However this is a special character in bash, thus "./" has to be appended to signal that a file path is being provided.
ssh -p 2220 bandit2@bandit.labs.overthewire.org CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9 cat spaces\ in\ this\ filename # The file containing the password has spaces, thus "\" is used to escape the special characters. This is automatically done if one presses tab after typing in the first few characters of the file name.
ssh -p 2220 bandit3@bandit.labs.overthewire.org UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK find -name "*" #find allows one to search for a file by name in the cwd and all subdirectories cat ./inhere/.hidden # Alternative Procedure cd inhere ls -a # -a flag shows all files as well cat .hidden
ssh -p 2220 bandit4@bandit.labs.overthewire.org pIwrPrtPN36QITSp3EQaw936yaFoFgAB cd inhere ls file ./* # bserve here how ./ is appended to * to list all files as the file names begin with - ''' # Output ./-file00: data ./-file01: data ./-file02: data ./-file03: data ./-file04: data ./-file05: data ./-file06: data ./-file07: ASCII text ./-file08: data ./-file09: data ''' # Here we can see that only ./-file7 is human readable, thus we open that file cat ./-file07
ssh -p 2220 bandit5@bandit.labs.overthewire.org koReBOKuIDDepwhWk7jZC0RTdopnAYKh] cd inhere find . -type f -size 1033c #Here we use find to search for a file of size 1033 bytes (https://www.ostechnix.com/find-files-bigger-smaller-x-size-linux/) cat ./maybehere07/.file2
ssh -p 2220 bandit6@bandit.labs.overthewire.org DXjZPULLxYr17uwoI01bNLQbtFemEgo7 find . -type f -size 33c -user bandit7 -group bandit6 # Here we just append more conditions (group and user) to the find command. cat ./var/lib/dpkg/info/bandit7.password
ssh -p 2220 bandit7@bandit.labs.overthewire.org HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs grep "millionth" data.txt # grep is used to search for strings within text files and display the line containing the matched string {https://www.linode.com/docs/tools-reference/tools/how-to-grep-for-text-in-files/}
ssh -p 2220 bandit8@bandit.labs.overthewire.org cvX2JJa4CFALtqS87jk27qwqGhBM9plV sort data.txt | uniq -u # uniq -u compares each line to an adjacent lines and outputs the line if it is locally unique (compared to adjacent lines) # To ensure that the line is globally unique, we run the sort command and pipe the output into uniq
ssh -p 2220 bandit9@bandit.labs.overthewire.org UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR strings data.txt | grep '^=\+' # Finding all ASCII strings in data.txt, we pipe that into a grep search utilising regular expression. # '^=\+' indicatest that the line should start wtih one or more "=" characters # {https://www.gnu.org/software/findutils/manual/html_node/find_html/grep-regular-expression-syntax.html}
ssh -p 2220 bandit10@bandit.labs.overthewire.org truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk base64 -d data.txt # Decodes the base64 file and prints the output # Some notes on base64: it is an encoding scheme that encodes binary to ACSII wehre each each base 64 digit represents 6 bits of data (since 2^6 == 64). When used on text, the chars are first converted into octets and bits before being base64 encoded {https://en.wikipedia.org/wiki/Base64#Examples}
ssh -p 2220 bandit11@bandit.labs.overthewire.org IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR alias rot13="tr 'A-Za-z' 'N-ZA-Mn-za-m'" # Define a function rot13 to perform the decryption # A to Z is mapped to N-Z followed by A-M, the rot13 formula cat data.txt | rot13 # Pipe the input into the function and read the decrypted message
ssh -p 2220 bandit12@bandit.labs.overthewire.org 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu # Set up work envt mkdir /tmp/brandontang cp data.txt /tmp/brandontang cd /tmp/brandontang # Revert Hex Dump cat data.txt xxd -r data.txt reverted # Recursively Unzip the files; start by finding out what type of file it is. file reverted # Choose unzip method gunzip filename.gz bzip2 -d filename.bz2 tar -xvf filename.bin # Repeat above until ASCII file is obtained # Read off password cat data8
ssh -p 2220 bandit13@bandit.labs.overthewire.org 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL ssh -i sshkey.private bandit14@localhost # Simply use the private key to login to the bandit 14 account cat /etc/bandit_pass/bandit14
ssh -p 2220 bandit14@bandit.labs.overthewire.org 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e telnet localhost 30000 # use telnet to connect to the host on port <30000> 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e # nter password
ssh -p 2220 bandit15@bandit.labs.overthewire.org BfMYroe26WYalil77FoDi9qh59eK5xNr # Connect to localhost at port 30001 with SSL # open an SSL connection to localhost port 30001 and print the ssl certificate used by the service openssl s_client -connect localhost:30001 BfMYroe26WYalil77FoDi9qh59eK5xNr #enter password
ssh -p 2220 bandit16@bandit.labs.overthewire.org cluFn7wTiGryunymYOu4RcffSxQluehd nmap -sV -p 31000-32000 localhost # Use Nmap to perform a service scan on ports 31000-32000 openssl s_client -connect localhost:31790 # Connect to port 31790 cluFn7wTiGryunymYOu4RcffSxQluehd # Output Credentials -----BEGIN RSA PRIVATE KEY----- MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama +TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT 8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM 77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3 vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY= -----END RSA PRIVATE KEY----- # Create a new temp directory and create a credentials file. Use it to ssh into the next level mkdir /tmp/somename cd /tmp/somename echo "-----BEGIN RSA PRIVATE KEY----- MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama +TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT 8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM 77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3 vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY= -----END RSA PRIVATE KEY-----" > bandit17key.private ssh -i bandit17key.private bandit17@localhost cat /etc/bandit_pass/bandit17 # Find out the actual password for bandit17
ssh -p 2220 bandit17@bandit.labs.overthewire.org xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn diff passwords.new passwords.old
# In this level, the .bashrc logs one out immediately once an interactive session is started. # Thus we read the password without opening an interactive bash shell ssh -p 2220 bandit18@bandit.labs.overthewire.org "cat readme" kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
ssh -p 2220 bandit19@bandit.labs.overthewire.org IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x ./bandit20-do cat /etc/bandit_pass/bandit20 # ./bandit20-do runs a command as bandit20; from there we just use it to access the bandit20 password
ssh -p 2220 bandit20@bandit.labs.overthewire.org GbKksEFF4yrVs6il55v6gwY5aVje5f0j tmux # create a new tmux session printf "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | netcat -l -p 3001 # Start a port listener (daemon) on port 3001 which returns the current password to any connections that are made [ctrl b + d] # Dettach from the tmux session ./suconnect 3001 # Connect to the port listener tmux attach # Attach back to the tmux session # The new password should be printed
ssh -p 2220 bandit21@bandit.labs.overthewire.org gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr cd /etc/cron.d ls cat cronjob_bandit22 ''' @reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null * * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null ''' # We can deduce that the cron job is running /usr/bin/cronjob_bandit22.sh and redirecting output to NULL. # Now re proceed to find out what /usr/bin/cronjob_bandit22.sh does cat /usr/bin/cronjob_bandit22.sh ''' #!/bin/bash chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv ''' # The password is being written to /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv, thus we read the password from there cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
ssh -p 2220 bandit22@bandit.labs.overthewire.org Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI cd /etc/cron.d ls cat cronjob_bandit23 cat /usr/bin/cronjob_bandit23.sh ''' #!/bin/bash myname=$(whoami) mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1) echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget" #We need to find out the value of $mytarget when myname=bandit23 cat /etc/bandit_pass/$myname > /tmp/$mytarget ''' # Simulating running the cronjob myname="bandit23" mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1) echo $mytarget '''8ca319486bfbbc3663ea0fbe81326349''' # Read off the file cat /tmp/8ca319486bfbbc3663ea0fbe81326349
ssh -p 2220 bandit23@bandit.labs.overthewire.org jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n cd /etc/cron.d ls cat cronjob_bandit24 cat /usr/bin/cronjob_bandit24.sh cd /var/spool/bandit24 # We see that the script runs all scripts within /var/spool/bandit24 as bandit24 # thus we need to write a script to extract the password from /etc/bandit_pass/bandit24 # Use nano to write the following script to /var/spool/bandit24/script.sh # Note that there is no point printing debugging statements because all std output is redirected to Null by the cron job """ #!/bin/bash cat /etc/bandit_pass/bandit24 > bandit24pass """ chmod +x script.sh # Wait a while for the cronjob to run (~ 1 min or so), keep checking if bandit24pass is generated yet cat bandit24pass
ssh -p 2220 bandit24@bandit.labs.overthewire.org UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ # Create a tmp directory and cd there to do all the work # Create a bash script to bruteforce the daemon (saved as bandit.sh) """ #!/bin/bash for i in {1000..10000} do echo $i printf "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i\n" | netcat localhost 30002 done """ chmod +x bandit.sh # Make bandit.sh executable # Pipe the file into the daemon and write output to the "output" file # Note that letting the daemon write to stdout resulted in a time out error (for me) ./bandit.sh | netcat localhost 30002 > output cat output # the password is on the last line
ssh -p 2220 bandit25@bandit.labs.overthewire.org uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG ssh -i bandit26.sshkey bandit26@localhost cat /etc/passwd cat /usr/bin/showtext ''' #!/bin/sh export TERM=linux more ~/text.txt exit 0 ''' # (i failed to do this myself) # Make the terminal small and run (this actually hard) ssh -i bandit26.sshkey bandit26@localhost # press v to get a vim editor # Perform a shell escape (i believe the space is impt) # ":! /bin/bash" # Get level 27 password ./bandit27-do cat /etc/bandit_pass/bandit27
ssh -p 2220 bandit27@bandit.labs.overthewire.org 3ba3118a22e93127a4ed485be72ef5ea # Create tmp working envt mkdir /tmp/brandontang89 cd /tmp/brandontang89 # Clone the git repo git clone ssh://bandit27-git@localhost/home/bandit27-git/repo # Read the password cat /repo/README
ssh -p 2220 bandit28@bandit.labs.overthewire.org 0ef186ac70e04ea33b4c1853d2526fa2 # Create tmp working envt mkdir /tmp/brandontang1 cd /tmp/brandontang1 # Clone the git repo git clone ssh://bandit28-git@localhost/home/bandit28-git/repo cd repo # Analyse the files cat README.md ''' # Bandit Notes Some notes for Level 29 of bandit. ## credentials - username: bandit29 - password: xxxxxxxxxx ''' # The password has been hidden, but maybe it was in plain text in an older version of the file git log --all --full-history -- * # Displays all commits ''' commit 073c27c130e6ee407e12faad1dd3848a110c4f95 Author: Morla Porla Date: Tue Oct 16 14:00:39 2018 +0200 fix info leak commit 186a1038cc54d1358d42d468cdc8e3cc28a93fcb Author: Morla Porla Date: Tue Oct 16 14:00:39 2018 +0200 add missing data commit b67405defc6ef44210c53345fc953e6a21338cc7 Author: Ben Dover Date: Tue Oct 16 14:00:39 2018 +0200 initial commit of README.md ''' # We see that there are several different versions of the file, trying the second commit yields the flag git show 186a1038cc54d1358d42d468cdc8e3cc28a93fcb:README.md ''' ## credentials - username: bandit29 - password: bbc96594b4e001778eee9975372716b2 '''
# Basically a repeat of the previous level ssh -p 2220 bandit29@bandit.labs.overthewire.org bbc96594b4e001778eee9975372716b2 # Set up work envt mkdir /tmp/brandontang2 cd /tmp/brandontang2 git clone ssh://bandit29-git@localhost/home/bandit29-git/repo bbc96594b4e001778eee9975372716b2 cd repo # Honestly do the exact same thing as above git log --all --full-history -- * # Displays all commits git show 9b19e7d8c1aadf4edcc5b15ba8107329ad6c5650:README.md ''' # Bandit Notes Some notes for bandit30 of bandit. ## credentials - username: bandit30 - password: 5b90576bedb2cc04c86a9e924ce42faf '''
ssh -p 2220 bandit30@bandit.labs.overthewire.org 5b90576bedb2cc04c86a9e924ce42faf # Set up work envt mkdir /tmp/brandontang3 cd /tmp/brandontang3 git clone ssh://bandit30-git@localhost/home/bandit30-git/repo 5b90576bedb2cc04c86a9e924ce42faf cd repo cd .git cat packed-refs ''' # pack-refs with: peeled fully-peeled 3aa4c239f729b07deb99a52f125893e162daac9e refs/remotes/origin/master f17132340e8ee6c159e0a4a6bc6f80e1da3b1aea refs/tags/secret ''' # We see theres some tag; the following command reveals it to be a "blob" git cat-file -t f17132340e8ee6c159e0a4a6bc6f80e1da3b1aea # We then print the blob contents and read the password git cat-file -p f17132340e8ee6c159e0a4a6bc6f80e1da3b1aea > secret.txt cat secret.txt
ssh -p 2220 bandit31@bandit.labs.overthewire.org 47e603bb428404d265f59c42920d81e5 # Set up work envt mkdir /tmp/brandontang4 cd /tmp/brandontang4 git clone ssh://bandit31-git@localhost/home/bandit31-git/repo cd repo cat REAMD.md ''' This time your task is to push a file to the remote repository. Details ''' File name: key.txt Content: 'May I come in?' Branch: master ''' # Here we simply create the file they requested, the push it to the remote repo echo 'May I come in?' > key.txt git add key.txt -f git commit -m "added key" git push origin master 47e603bb428404d265f59c42920d81e5 ''' remote: ### Attempting to validate files... #### remote remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo. remote remote: Well done! Here is the password for the next level remote: 56a9bf19c63d650ce78e6ec0354ee45e remote remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo. remote: '''
ssh -p 2220 bandit32@bandit.labs.overthewire.org 56a9bf19c63d650ce78e6ec0354ee45e # Quick testing and analysis reveals that all the commands keyed into the shell are capitalised and thus rendered ineffective # To deal with this, we try out some "bash special variables" $0 # returns the first word; that is the command name (in this case sh) # running $0 will thus spawn a sh shell where we can read off the final password cat /etc/bandit_pass/bandit33 '''c9c3199ddf4121b10cf581a98d51caee'''
ssh -p 2220 bandit33@bandit.labs.overthewire.org c9c3199ddf4121b10cf581a98d51caee ls cat README.txt ''' Congratulations on solving the last level of this game! At this moment, there are no more levels to play in this game. However, we are constantly working on new levels and will most likely expand this game with more levels soon. Keep an eye out for an announcement on our usual communication channels! In the meantime, you could play some of our other wargames. If you have an idea for an awesome new level, please let us know! '''