OverTheWire: Bandit — Entry in the world of CTFs Part 2

cham3leon
Dec 17, 2023

Inspired by the upcoming CTF event by TCM Security and MetaCTF, I decided to look more into cybersecurity challenges and heard that Bandit from OverTheWire is a good start for that.

The goal in Bandit is to beat one level to get into the next one by solving challenges.

Most of the tasks are pretty easy and are aimed at beginners, so do not worry if you are new to this and wonder if you can solve anything at all.

Come and join me on this journey where we go from one level to the next, learn new skills and gain knowledge together.

https://overthewire.org/wargames/bandit/

Warning: Please follow the website in case anything has changed since the making of this write-up!

If you want Part 1 click here!

Let’s continue where we left off!

Level 19 → 20

For this level, we use the setuid binary (it lets us temporarily do certain tasks with higher permissions than our usual ones), knowing that the password can be found in /etc/bandit_pass.

You can use ls -l to look at the permissions and see how things are set up here. When you run bandit20-do, it tells you to run a command as another user and gives an example.

./bandit20-do id

Here you see we are bandit19 but our euid (effective user ID) is bandit20.

With this information we can use the following command to get the password for the next level.

./bandit20-do cat /etc/bandit_pass/bandit20

Level 20 → 21

We go back to a setuid binary in this level, but this time two shells are required for the challenge.

Open two of the usual ssh sessions, the same way we did for pretty much every level:

ssh bandit20@bandit.labs.overthewire.org -p 2220

  • In one of them we are going to use ./suconnect, which runs the suconnect program in the current directory:

./suconnect portyouwant

  • In the other we will run a netcat listener:

nc -lvp portyouwant

suconnect connects to the port you give it, so the listener has to be running before you start it.

Now in the netcat listener we can paste the password we got and we are going to receive the one for the next level!

Level 21 → 22

In this level we are going to work with cron (time-based job scheduler) by taking a look in /etc/cron.d/ to find out which command is set to run.

First we can cd to /etc/cron.d and use ls to see what is inside it. We can then cat cronjob_bandit22 to read the file. It shows what runs on reboot and how often it gets executed.

Looking more into the .sh file with the cat command, we can see that it utilizes the chmod command and redirects its output to another file located in /tmp/.

To get the password we just use the cat command on the file that we found and move to the next level.
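
Reading an /etc/cron.d entry comes down to three parts: the schedule, the user the job runs as, and the command. The following added example (not from the original write-up) splits a constructed file into those parts; the user name, script path and function names are placeholders chosen for the illustration.

```bash
#!/bin/sh
# Added example, not from the original write-up.
# Lists each job in an /etc/cron.d style file as: user <TAB> schedule <TAB> command

cron_d_entries() {            # reads the file on stdin
  awk '
    /^[ \t]*(#|$)/ { next }                          # comments, blank lines
    /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }  # VAR=value settings
    {
      n = ($1 ~ /^@/) ? 1 : 5      # "@reboot" is one field, "* * * * *" is five
      if (NF < n + 2) next         # no user or no command: not a job line
      sched = $1
      for (i = 2; i <= n; i++) sched = sched " " $i
      cmd = $(n + 2)
      for (i = n + 3; i <= NF; i++) cmd = cmd " " $i
      printf "%s\t%s\t%s\n", $(n + 1), sched, cmd
    }'
}

# Constructed sample; the user name and script path are placeholders.
sample_cron_d() {
  cat <<'EOF'
# constructed example of a file in /etc/cron.d
MAILTO=""
@reboot   exampleuser /usr/local/bin/example_job.sh > /dev/null 2>&1
* * * * * exampleuser /usr/local/bin/example_job.sh > /dev/null 2>&1
EOF
}

sample_cron_d | cron_d_entries
```

The user column is the one to watch: the script runs with that account's permissions, which is why its output can contain a file only that account can read.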

Level 22 → 23

In this level there will be a program running automatically at regular intervals from cron and we should look in /etc/cron.d/ for the configuration to see what command is being executed.

Let’s move to /etc/cron.d/ and cat cronjob_bandit23 just like in the last challenge. We see that it runs a bash script that we can play around with.

We can get the password by running the following:

echo I am user bandit23 | md5sum | cut -d " " -f1

Level 23 → 24

In this challenge we will see cron again, but this time it requires us to create a shell script to move to the next level.

Let’s follow the same steps as in the other levels and use the cat command to look at the cron job. We see that its bash script runs every minute.

cat /etc/cron.d/cronjob_bandit24

We can then take a look into /usr/bin/cronjob_bandit24.sh and see that it executes and deletes scripts in bandit24 owned by bandit23.

cat /usr/bin/cronjob_bandit24.sh

Now let us create a script to get the password for the next level. We use the mkdir command to make a directory in /tmp, cd into it, and open the script in nano (or whatever editor you prefer).

nano bandit24_pass.sh

Nano script:

#!/bin/bash

cat /etc/bandit_pass/bandit24 > /tmp/chosennamebyyou/password

Now change the permissions with the chmod command.

Copy the script into the directory the cron job reads with the cp command and wait a minute.

After that use cat password to get the password for the next level!

Level 24 → 25

In this challenge we will work with daemons and will do some brute-forcing.

Let’s start with:

for i in {0000..9999}; do echo passwordfrombandit24 $i; done | nc localhost 30002

This loop sends the bandit24 password together with every code from 0000 to 9999 to the local service using netcat, and you should end up with the password for the next level!

Level 25 → 26

Here we should log in to bandit26 from bandit25, but the shell is not /bin/bash.

In this level make your window very small and ssh into it as you always did. This time you will see some output with a %, since it could not be displayed completely on the small screen. If you do not get the %, repeat the process and make your window smaller.

Press v to get into vim and put this in:

:e /etc/bandit_pass/bandit26

After you press enter you should get your password!

Level 26 → 27

This challenge tells us to hurry up and grab the password for bandit27.

Like the last level we make the window small and ssh into it and put this in:

:set shell=/bin/bash

Follow it with:

:shell

We can now ls to see bandit27-do which we can run as another user to get the password.

./bandit27-do cat /etc/bandit_pass/bandit27

Now we can move on to the next level and one step closer to the finish line!

Level 27 → 28

In this challenge we will work with git and clone the repository to find the password for the next level.

We start off with a cd into /tmp, followed by a mkdir and then a cd into the new directory.

Let’s use the command git clone followed by the provided information we got for this level and add the 2220 port to it.

git clone ssh://bandit27-git@localhost:2220/home/bandit27-git/repo

Enter the password and cat the new password out to move to the next level!

Level 28 → 29

We are given an ssh address with the information that there is a git repository and that we have to clone the repository to find the password for the next level.

Connect with the ssh address that is provided, then cd into the repository and run ls to see a README.md. We can then cat that to see some credentials for the next level.

We can look at the logs with a git log command to see the commits that have been made, followed by git checkout and the commit that said “add missing data”.

Now let us cat README.md again to get the password!

Level 29 → 30

The information we are provided with is pretty much the same for this one.

You can mktemp -d and cd into it, followed by the git clone command that they provide us with (do not forget to add the port to it) and read the README.md again.

This time we are going to use the command git branch -r to see a list of remote branches in this git repository.

We can now use git checkout dev and cat out the password from README.md.

Level 30 → 31

Again, same information provided here like in the last challenges.

Do the same steps again and we get that the file is “empty hahaha”.

For this challenge we are going to run git tag, which lists a tag named secret. Let’s follow it up with git show secret and we get the password for the next level.

git show secret
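
Levels 28 to 30 find the password in an earlier commit, on another branch and behind a tag. The following added example (not part of the original write-up) builds a constructed repository with a value in each of those places and shows a check that reads all of them; the repository contents and the function names build_demo_repo and scan_repo are assumptions made for the illustration.

```bash
#!/bin/sh
# Added example, not from the original write-up. The repository, commit
# messages and "password: ..." values are all constructed.

build_demo_repo() {      # makes a throwaway repo and prints its path
  d=$(mktemp -d) || return 1
  (
    cd "$d" || exit 1
    g() { git -c user.name=demo -c user.email=demo@example.invalid \
              -c commit.gpgsign=false "$@"; }
    g init -q .
    echo 'password: constructed-history-value' > README.md
    g add README.md && g commit -q -m 'add missing data'
    echo 'password: xxxxxxxxxx' > README.md
    g commit -q -am 'redact password'
    g checkout -q -b dev
    echo 'password: constructed-branch-value' > README.md
    g commit -q -am 'development notes'
    g checkout -q -                       # back to the first branch
    blob=$(echo 'password: constructed-tag-value' | g hash-object -w --stdin)
    g tag secret "$blob"                  # a tag can point at a bare blob
  ) >/dev/null 2>&1 || return 1
  echo "$d"
}

scan_repo() {            # usage: scan_repo <repo> <extended-regex>
  # 1) every commit reachable from any branch or tag
  git -C "$1" rev-list --all | while read -r c; do
    git -C "$1" grep -hE "$2" "$c" -- || true
  done
  # 2) tags that point straight at a blob, which step 1 never reads
  git -C "$1" for-each-ref --format='%(refname) %(objecttype)' refs/tags |
  while read -r ref type; do
    if [ "$type" = blob ]; then
      git -C "$1" cat-file -p "$ref" | grep -E "$2" || true
    fi
  done
}

repo=$(build_demo_repo) && {
  cat "$repo/README.md"                       # working tree: redacted value only
  scan_repo "$repo" '^password:' | sort -u    # all four values
  rm -rf "$repo"
}
```

Overwriting a credential in a later commit leaves the earlier value in the repository, so a value that was ever committed has to be treated as exposed and rotated.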

Level 31 → 32

And again… same information so we do all the steps again.

When we cat the README.md we get a file name, content and a branch.

We can run git branch to check the branch, and then make the file with an echo of the content we saw earlier, redirected into key.txt.

echo 'May I come in?' > key.txt

With the ls -al command we can see a .gitignore file that we can just remove with the rm command.

Now we can git add key.txt and git commit -m "Add Key.txt". (The text can be whatever you want.) After that we just need to git push and give the old password and we have solved this level.

Level 32 → 33

All we get for this level is “After all this git stuff its time for another escape. Good luck!”

When we ssh into it we can see that everything is in uppercase. For this challenge we simply do the following steps:

$0

which bash

cat /etc/bandit_pass/bandit33

And get the password with that cat command to move to the final level!

Level 33 → 34

Well…

At this moment, level 34 does not exist yet.

So I guess that we are done until we get more levels.

Thank you all for reading this write-up and be sure to follow me for more cybersecurity write-ups and content in the future!

If you found a mistake please let me know in the comments and I will correct it!

I hope you had fun doing Bandit from OverTheWire and I want to thank them for providing us with this and many more challenges that you can find on their website: https://overthewire.org/wargames/
