Bandit Writeups

8

Bandit Level 8 The password for the next level is stored in the file data.txt and is the only line of text that occurs only once

sort uniq

9

Bandit Level 9 The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.

strings grep binary +1

10

Bandit Level 10 The password for the next level is stored in the file data.txt, which contains base64 encoded data

base64 encoding

11

Bandit Level 11 The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions

rot13 tr encoding

12

Bandit Level 12 The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work. Use mkdir with a hard to guess directory name. Or better, use the command “mktemp -d”. Then copy the datafile using cp, and rename it using mv (read the manpages!)

xxd hexdump gzip +2

13

Bandit Level 13 The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Look at the commands that logged you into previous bandit levels, and find out how to use the key for this level.

ssh privatekey

14

Bandit Level 14 The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

netcat nc networking

15

Bandit Level 15 The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL/TLS encryption.

ssl tls openssl +1

16

Bandit Level 16 The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL/TLS and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

ssl tls openssl +4

17

Bandit Level 17 There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new

diff filecomparison

18

Bandit Level 18 The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

ssh bashrc

19

Bandit Level 19 To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

setuid suid permissions

20

Bandit Level 20 There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

setuid suid nc +1

21

Bandit Level 21 A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed

cron cronjob bash +1

22

Bandit Level 22 A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

cron cronjob bash +3

23

Bandit Level 23 A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

cron cronjob bash +2

24

Bandit Level 24 A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.

bruteforce scripting bash +1

25

Bandit Level 25 Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.

ssh privatekey shell +1

26

Bandit Level 26 Good job getting a shell! Now hurry and grab the password for bandit27!

ssh more vim +3

27

Bandit Level 27 There is a git repository at ssh://bandit27-git@bandit.labs.overthewire.org/home/bandit27-git/repo via the port 2220. The password for the user bandit27-git is the same as for the user bandit27.

git gitclone

28

Bandit Level 28 There is a git repository at ssh://bandit28-git@bandit.labs.overthewire.org/home/bandit28-git/repo via the port 2220. The password for the user bandit28-git is the same as for the user bandit28.

git gitlog gitshow +1

29

Bandit Level 29 There is a git repository at ssh://bandit29-git@bandit.labs.overthewire.org/home/bandit29-git/repo via the port 2220. The password for the user bandit29-git is the same as for the user bandit29.

git gitbranch gitcheckout +1

30

Bandit Level 30 There is a git repository at ssh://bandit30-git@bandit.labs.overthewire.org/home/bandit30-git/repo via the port 2220. The password for the user bandit30-git is the same as for the user bandit30.

git gittag gitshow

31

Bandit Level 31 There is a git repository at ssh://bandit31-git@bandit.labs.overthewire.org/home/bandit31-git/repo via the port 2220. The password for the user bandit31-git is the same as for the user bandit31.

git gitpush gitignore

32

Bandit Level 32 After all this git stuff, it’s time for another escape. Good luck!

shell escape uppercase +2

33

Bandit Level 33 The final level