OverTheWire Wargames — Bandit Walkthrough (0–34)

Lukman Denny Lazuardian
Jan 17, 2020

Bismillah.
Today I want to share one of the wargames offered by the OverTheWire community, called Bandit. I think this wargame can help you learn and practice security concepts in the form of a fun-filled game.
The Bandit wargame is aimed at absolute beginners. It will teach the basics of most Linux commands in a fun and challenging way.
The objective of this game is to find the password file on each level to get access to the next level.
This game has 34 levels. You may encounter many situations in which you have no idea what you are supposed to do. Don’t panic! Don’t give up! The purpose of this game is for you to learn the basics. Part of learning the basics is reading a lot of new information.
You can reach Bandit at the link below:
https://overthewire.org/wargames/bandit/

Level 0

The goal of this level is for you to log into the game using SSH. It teaches us to connect to a host using SSH.
You can read helpful material below:
Secure Shell (SSH) on Wikipedia
How to use SSH on wikiHow

We got the required information from reading the instruction page.

Host     : bandit.labs.overthewire.org
Port : 2220
Username : bandit0
Password : bandit0

We use the above information to log in using ssh:

~# ssh bandit0@bandit.labs.overthewire.org -p 2220
Command explanation:
ssh → OpenSSH SSH client (remote login program).
ssh username@host -p port
-p → Port to connect to on the remote host. This can be specified on a per-host basis in the configuration file.

This level doesn’t require anything else other than logging in. Time to move in on the next level.

Level 0 → 1

On this level, we need to find the password for the next level, which is stored in a file called readme located in the home directory. Once we find that file, we read it and use the string in it as the password to access the next level.
You can read helpful material below:
15 Basic ‘ls’ Command Examples in Linux
13 Basic Cat Command Examples in Linux

bandit0@bandit:~$ ls
readme
bandit0@bandit:~$ cat readme

boJ9jbbUNNfktd78OOpsqOltutMc3MY1 //password for next level
Command explanation:
ls → list files and directories in bare format where we won’t be able to view details like file types, size, modified date and time, permission and links etc.
cat → display contents of file

Level 1 → 2

On this level, the password for the next level is stored in a file called - located in the home directory. It is not as simple as before: we can’t read - with the usual cat command, because when cat sees the string - as a filename, it treats it as a synonym for stdin.
This is helpful material you must read before:
Google Search for “dashed filename”
Advanced Bash-scripting Guide — Chapter 3 — Special Characters

~# ssh bandit1@bandit.labs.overthewire.org -p 2220
bandit1@bandit:~$ ls
-
bandit1@bandit:~$ cat ./-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
Command explanation:
./- → Prefixing the filename with a path changes the argument string, so cat refers to a file called - instead of stdin.

Level 2 → 3

On this level, the password for the next level is stored in a file called spaces in this filename located in the home directory. The shell splits an unquoted command line on spaces, so cat would receive spaces, in, this and filename as four separate filenames. If we pass the name to cat unquoted, it won’t be able to find the file.
This is helpful material you must read before:
Google Search for “spaces in filename”

~# ssh bandit2@bandit.labs.overthewire.org -p 2220
bandit2@bandit:~$ ls
spaces in this filename
bandit2@bandit:~$ cat 'spaces in this filename'
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
Command explanation:
cat 'spaces in this filename' → Quoting the filename makes the shell pass it to cat as a single argument, spaces included.
Tips:
Press the Tab key after you type the first word of the command or filename and it will be completed automatically.

Level 3 → 4

The password for the next level is stored in a hidden file in the inhere directory. ls with no options does not show hidden files, so we need an option that displays the hidden files in that directory.
You can read this helpful material again:
15 Basic ‘ls’ Command Examples in Linux

~# ssh bandit3@bandit.labs.overthewire.org -p 2220
bandit3@bandit:~$ ls
inhere
bandit3@bandit:~$ cd inhere
bandit3@bandit:~/inhere$ ls -al
total 12
drwxr-xr-x 2 root root 4096 Oct 16 2018 .
drwxr-xr-x 3 root root 4096 Oct 16 2018 ..
-rw-r----- 1 bandit4 bandit3 33 Oct 16 2018 .hidden
bandit3@bandit:~/inhere$ cat .hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB
Command explanation:
cd → Change the shell working directory.
ls -al → The a option shows all files in the directory, including hidden ones, and l displays files in long listing format.

Level 4 → 5

The password for the next level is stored in the only human-readable file in the inhere directory. In that directory we will find a bunch of files, so we need to find the right one by checking the type of every file in that directory.
You can read helpful material below:
file command in Linux with examples

~# ssh bandit4@bandit.labs.overthewire.org -p 2220
bandit4@bandit:~$ ls
inhere
bandit4@bandit:~$ cd inhere
bandit4@bandit:~/inhere$ ls
-file00 -file02 -file04 -file06 -file08
-file01 -file03 -file05 -file07 -file09
bandit4@bandit:~/inhere$ file ./*
./-file00: data
./-file01: data
./-file02: data
./-file03: data
./-file04: data
./-file05: data
./-file06: data
./-file07: ASCII text //the one and only human-readable files
./-file08: data
./-file09: data
bandit4@bandit:~/inhere$ cat ./-file07
koReBOKuIDDepwhWk7jZC0RTdopnAYKh
Command explanation:
file → Used to determine the type of a file.
./* → Selects all files in the directory. The ./ prefix also keeps the names that start with - from being read as options.

Level 5 → 6

The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:
human-readable
1033 bytes in size
not executable
At this level, we will get many files in that directory. So we need to find the right one that matches the property that has been mentioned.
You can read helpful material below:
35 Practical Examples of Linux Find Command
Linux Tips: Find All Files of a Particular Size

~# ssh bandit5@bandit.labs.overthewire.org -p 2220
bandit5@bandit:~$ ls
inhere
bandit5@bandit:~$ cd inhere
bandit5@bandit:~/inhere$ ls
maybehere00 maybehere04 maybehere08 maybehere12 maybehere16
maybehere01 maybehere05 maybehere09 maybehere13 maybehere17
maybehere02 maybehere06 maybehere10 maybehere14 maybehere18
maybehere03 maybehere07 maybehere11 maybehere15 maybehere19
bandit5@bandit:~/inhere$ find -size 1033c
./maybehere07/.file2
bandit5@bandit:~/inhere$ cat ./maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7
Command explanation:
find → Used to search and locate the list of files and directories based on conditions you specify for files that match the arguments.
-size → Used to find all the files of a particular size.
b – for 512-byte blocks (this is the default if no suffix is used)
c – for bytes
w – for two-byte words
k – for Kilobytes (units of 1024 bytes)
M – for Megabytes (units of 1048576 bytes)
G – for Gigabytes (units of 1073741824 bytes)

Level 6 → 7

The password for the next level is stored somewhere on the server and has all of the following properties:
owned by user bandit7
owned by group bandit6
33 bytes in size
Basically this level is like the previous one. We can find the file with a more advanced find command, because there are additional properties the file must match.
You can read this helpful material again:
35 Practical Examples of Linux Find Command

~# ssh bandit6@bandit.labs.overthewire.org -p 2220
bandit6@bandit:~$ find / -user bandit7 -group bandit6 -size 33c
find: ‘/run/lvm’: Permission denied
find: ‘/run/screen/S-bandit1’: Permission denied
find: ‘/run/screen/S-bandit30’: Permission denied
find: ‘/run/screen/S-bandit5’: Permission denied
find: ‘/run/screen/S-bandit25’: Permission denied
find: ‘/run/screen/S-bandit29’: Permission denied
find: ‘/run/screen/S-bandit7’: Permission denied
find: ‘/run/screen/S-bandit14’: Permission denied
find: ‘/run/screen/S-bandit16’: Permission denied
find: ‘/run/screen/S-bandit26’: Permission denied
find: ‘/run/screen/S-bandit15’: Permission denied
find: ‘/run/screen/S-bandit13’: Permission denied
find: ‘/run/screen/S-bandit33’: Permission denied
find: ‘/run/screen/S-bandit4’: Permission denied
find: ‘/run/screen/S-bandit24’: Permission denied
find: ‘/run/screen/S-bandit28’: Permission denied
find: ‘/run/screen/S-bandit10’: Permission denied
find: ‘/run/screen/S-bandit8’: Permission denied
find: ‘/run/screen/S-bandit27’: Permission denied
find: ‘/run/screen/S-bandit0’: Permission denied
find: ‘/run/screen/S-bandit18’: Permission denied
find: ‘/run/screen/S-bandit22’: Permission denied
find: ‘/run/screen/S-bandit31’: Permission denied
find: ‘/run/screen/S-bandit19’: Permission denied
find: ‘/run/screen/S-bandit21’: Permission denied
find: ‘/run/screen/S-bandit23’: Permission denied
find: ‘/run/screen/S-bandit20’: Permission denied
find: ‘/run/shm’: Permission denied
find: ‘/run/lock/lvm’: Permission denied
find: ‘/var/spool/rsyslog’: Permission denied
find: ‘/var/spool/cron/crontabs’: Permission denied
find: ‘/var/log’: Permission denied
find: ‘/var/tmp’: Permission denied
find: ‘/var/cache/ldconfig’: Permission denied
find: ‘/var/cache/apt/archives/partial’: Permission denied
/var/lib/dpkg/info/bandit7.password //the only one accessible file
find: ‘/var/lib/apt/lists/partial’: Permission denied
find: ‘/var/lib/polkit-1’: Permission denied
find: ‘/cgroup2/csessions’: Permission denied
find: ‘/home/bandit28-git’: Permission denied
find: ‘/home/bandit30-git’: Permission denied
find: ‘/home/bandit31-git’: Permission denied
find: ‘/home/bandit5/inhere’: Permission denied
find: ‘/home/bandit27-git’: Permission denied
find: ‘/home/bandit29-git’: Permission denied
find: ‘/tmp’: Permission denied
find: ‘/lost+found’: Permission denied
find: ‘/root’: Permission denied
find: ‘/etc/ssl/private’: Permission denied
find: ‘/etc/lvm/backup’: Permission denied
find: ‘/etc/lvm/archive’: Permission denied
find: ‘/etc/polkit-1/localauthority’: Permission denied
find: ‘/sys/fs/pstore’: Permission denied
find: ‘/proc/tty/driver’: Permission denied
find: ‘/proc/27038/task/27038/fd/6’: No such file or directory
find: ‘/proc/27038/task/27038/fdinfo/6’: No such file or directory
find: ‘/proc/27038/fd/5’: No such file or directory
find: ‘/proc/27038/fdinfo/5’: No such file or directory
find: ‘/boot/lost+found’: Permission denied
bandit6@bandit:~$ cat /var/lib/dpkg/info/bandit7.password
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
Command explanation:
find → Used to search and locate the list of files and directories based on conditions you specify for files that match the arguments.
-size → Used to find all the files of a particular size.
-user → Used to find all the files of a particular user.
-group → Used to find all the files of a particular group.
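
The Level 5 command above matches on size alone, and the Level 6 search prints a Permission denied line for every directory it cannot enter. This added example (not part of the original walkthrough) checks all three Level 5 properties and silences find's errors with 2>/dev/null; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original walkthrough. All paths are constructed.

# is_text FILE: true when FILE is non-empty and holds only printable ASCII
# and whitespace (a stand-in for `file` reporting "ASCII text").
is_text() {
    [ -s "$1" ] || return 1
    junk=$(LC_ALL=C tr -d '[:print:][:space:]' < "$1" | wc -c)
    [ "$junk" -eq 0 ]
}

# find_exact ROOT BYTES [extra find tests...]
# Lists regular files under ROOT that are exactly BYTES long, pass the extra
# tests and are human-readable. 2>/dev/null drops find's "Permission denied"
# lines. Filenames containing newlines are not supported.
find_exact() {
    root=$1 bytes=$2
    shift 2
    find "$root" -type f -size "${bytes}c" "$@" 2>/dev/null |
    while IFS= read -r path; do
        if is_text "$path"; then printf '%s\n' "$path"; fi
    done
}

# find_level5 ROOT: the three Level 5 properties. "Not executable" means no
# execute bit is set for owner, group or other.
find_level5() {
    find_exact "$1" 1033 ! -perm -0100 ! -perm -0010 ! -perm -0001
}

# build_demo_tree: constructed sample data; prints the directory it created.
build_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/maybehere01" "$d/maybehere07" "$d/locked"
    head -c 1033 /dev/zero | tr '\0' 'A' > "$d/maybehere07/.file2"   # wanted
    cp "$d/maybehere07/.file2" "$d/maybehere01/-file1"
    chmod 755 "$d/maybehere01/-file1"                                # executable
    head -c 1033 /dev/zero > "$d/maybehere01/.file3"                 # binary
    printf 'too short\n' > "$d/maybehere07/spaces in name"           # wrong size
    chmod 000 "$d/locked"          # unreadable for non-root users
    printf '%s\n' "$d"
}

# remove_demo_tree DIR: restore access to the locked directory, then delete.
remove_demo_tree() {
    chmod 700 "$1/locked" && rm -rf "$1"
}

tree=$(build_demo_tree)
find_level5 "$tree"        # prints only .../maybehere07/.file2
remove_demo_tree "$tree"
```

For Level 6 the same helper takes the ownership tests as extra arguments, for example find_exact / 33 -user bandit7 -group bandit6.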

Level 7 → 8

The password for the next level is stored in the file data.txt next to the word millionth. There are a lot of strings inside data.txt. We could find the line manually by reading through the file without any commands, but that is not the point of this level. Imagine having to deal with a lot of data in the real world; I think it would take a lot of time. So we need a command that solves this efficiently.
You can read this helpful material below:
How to use grep to search for strings in files on the shell

~# ssh bandit7@bandit.labs.overthewire.org -p 2220
bandit7@bandit:~$ ls
data.txt
bandit7@bandit:~$ grep "millionth" data.txt
millionth cvX2JJa4CFALtqS87jk27qwqGhBM9plV
Command explanation:
grep → Used to search text or search any given file for lines containing a match to the supplied words/strings.
Tips:
Alternatively, we can open the file in a text editor and search for the specific word/string.

Level 8 → 9

The password for the next level is stored in the file data.txt and is the only line of text that occurs only once. In this case, we can combine commands in a pipeline to sort the lines of data.txt and pick out the unique one.
You can read helpful material below:
How to find the particular text stored in the file “data.txt” and it occurs only once

~# ssh bandit8@bandit.labs.overthewire.org -p 2220
bandit8@bandit:~$ ls
data.txt
bandit8@bandit:~$ sort data.txt | uniq -u
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
Command explanation:
sort → Displays the contents of the file sorted lexicographically by line (it reorders the lines alphabetically so that matching ones are together).
| → Is a pipe that redirects the output from one command into another.
uniq → Reports or omits repeated lines; by passing it the -u argument we tell it to report only unique lines.
Used together like this, the command sorts data.txt lexicographically by line, finds the unique line and prints it back in the terminal for you.

Level 9 → 10

The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters. If we use the plain cat command to display data.txt, we will see a lot of unreadable bytes and a few human-readable strings. So we need to filter out the human-readable strings and grep them for the required characters to get the password.
You can read helpful material below:
Linux strings Command Tutorial for Beginners (5 Examples)

~# ssh bandit9@bandit.labs.overthewire.org -p 2220
bandit9@bandit:~$ ls
data.txt
bandit9@bandit:~$ strings data.txt | grep "===="
2========== the
========== password
========== isa
========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
Command explanation:
strings → Prints the sequences of printable characters in files. We use this command to filter the human-readable characters.

Level 10 → 11

The password for the next level is stored in the file data.txt, which contains base64 encoded data. If you use cat to display the file, you will see an encoded string that we must decode with the same algorithm (base64). To understand this level, we must learn about the algorithm used to encode the string. We should also learn the characteristics of encoded data; I think that will be helpful when we have no information about which encoding was used.
You can read helpful material below:
Base64 on Wikipedia
Linux base64 decode

~# ssh bandit10@bandit.labs.overthewire.org -p 2220
bandit10@bandit:~$ ls
data.txt
bandit10@bandit:~$ cat data.txt | base64 -d
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR
Command explanation:
base64 → Used to encode and decode file with base64 algorithm. -d used to decode file.

Level 11 → 12

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions. We are hinted at the Rot13 algorithm mentioned in the helpful material. As in the previous level, we must learn about the algorithm, so we can get the password by decoding the string with the right algorithm.
You can read helpful material below:
Rot13 on Wikipedia
Decode ROT13 on Linux command line

~# ssh bandit11@bandit.labs.overthewire.org -p 2220
bandit11@bandit:~$ ls
data.txt
bandit11@bandit:~$ cat data.txt | tr '[A-Za-z]' '[N-ZA-Mn-za-m]'
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
Command explanation:
tr → Translates each character in the first set to the character at the same position in the second set: A-M become N-Z and N-Z become A-M, and likewise for lowercase. Rotating by 13 a second time restores the original text, so this command decodes the string.

Level 12 → 13

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)
This level needs a long explanation and may confuse you, so don’t hesitate to ask me in the comments haha, don’t give up!
You can read helpful materials below:
Hex dump on Wikipedia

First, we must reverse the hexdump to see what the real file is. To do that, we need a directory where we have read and write permission. We can follow the instructions to do that.
You can read this helpful material below:
Check Linux file permissions with ls

~# ssh bandit12@bandit.labs.overthewire.org -p 2220
bandit12@bandit:~$ ls -al
total 24
drwxr-xr-x 2 root root 4096 Oct 16 2018 .
drwxr-xr-x 41 root root 4096 Oct 16 2018 ..
-rw-r--r-- 1 root root 220 May 15 2017 .bash_logout
-rw-r--r-- 1 root root 3526 May 15 2017 .bashrc
-rw-r----- 1 bandit13 bandit12 2581 Oct 16 2018 data.txt
-rw-r--r-- 1 root root 675 May 15 2017 .profile
Explanation:
drwxr-xr-x → The home directory is owned by root and gives other users only read and execute permission, so we cannot write files here. That is why we must create a new directory under /tmp.

Let’s make a new directory under /tmp and copy data.txt into the new directory.

bandit12@bandit:~$ mkdir /tmp/newfolder
bandit12@bandit:~$ cp data.txt /tmp/newfolder
bandit12@bandit:~$ cd /tmp/newfolder
bandit12@bandit:/tmp/newfolder$ ls

data.txt
bandit12@bandit:/tmp/newfolder$ file data.txt
data.txt: ASCII text
bandit12@bandit:/tmp/newfolder$ ls -al
total 3940
drwxr-sr-x 2 bandit12 root 4096 Nov 7 16:13 .
drwxrws-wt 3597 root root 4018176 Nov 7 16:14 ..
-rw-r----- 1 bandit12 root 2581 Nov 7 16:13 data.txt
Command explanation:
mkdir → Used to make a new directory.
cp → Used to copy a file into specific directories.
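Explanation:
drwxrws-wt → These are the permissions of /tmp (the .. entry): it is writable by everyone, which is why we could create our directory there. The new directory itself (.) is owned by bandit12, so now we have permission to write files in it.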

Second, we must reverse the hexdump into the real file using the xxd command. Then we inspect what kind of compressed file it is using the file command.

bandit12@bandit:/tmp/newfolder$ xxd -r data.txt data1
bandit12@bandit:/tmp/newfolder$ ls

data1 data.txt
bandit12@bandit:/tmp/newfolder$ file data1
data1: gzip compressed data, was "data2.bin", last modified: Tue Oct 16 12:00:23 2018, max compression, from Unix
bandit12@bandit:/tmp/newfolder$ mv data1 data2.gz
bandit12@bandit:/tmp/newfolder$ ls

data2.gz data.txt
bandit12@bandit:/tmp/newfolder$ gzip -d data2.gz
bandit12@bandit:/tmp/newfolder$ ls

data2 data.txt
bandit12@bandit:/tmp/newfolder$ file data2
data2: bzip2 compressed data, block size = 900k
Command explanation:
xxd → Used to make a hexdump or do the reverse. -r used to do reverse operation: convert (or patch) hexdump into binary.
mv → Used to rename SOURCE to DEST, or move SOURCE(s) to DIRECTORY.
gzip → Used to compress or decompress files. -d used to do decompressing files.

Third, we now know that the file is bzip2 compressed data. So we can do the same thing as with the previous compression method, renaming and decompressing the file, until we get the real file.

bandit12@bandit:/tmp/newfolder$ ls
data2 data.txt
bandit12@bandit:/tmp/newfolder$ mv data2 data3.bz2
bandit12@bandit:/tmp/newfolder$ ls
data3.bz2 data.txt
bandit12@bandit:/tmp/newfolder$ file data3.bz2
data3.bz2: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/newfolder$ bzip2 -d data3.bz2
bandit12@bandit:/tmp/newfolder$ ls

data3 data.txt
bandit12@bandit:/tmp/newfolder$ file data3
data3: gzip compressed data, was "data4.bin", last modified: Tue Oct 16 12:00:23 2018, max compression, from Unix
bandit12@bandit:/tmp/newfolder$ ls
data3 data.txt
bandit12@bandit:/tmp/newfolder$ file data3
data3: gzip compressed data, was "data4.bin", last modified: Tue Oct 16 12:00:23 2018, max compression, from Unix
bandit12@bandit:/tmp/newfolder$ mv data3 data4.gz
bandit12@bandit:/tmp/newfolder$ ls

data4.gz data.txt
bandit12@bandit:/tmp/newfolder$ gzip -d data4.gz
bandit12@bandit:/tmp/newfolder$ ls

data4 data.txt
bandit12@bandit:/tmp/newfolder$ file data4
data4: POSIX tar archive (GNU)
Command explanation:
bzip2 → Compresses files using the Burrows-Wheeler block sorting text compression algorithm and Huffman coding. -d decompresses files.

Fourth, we meet a new archive format. You can read the helpful material below for information about extracting files from it:
Linux: tar Extract Files

bandit12@bandit:/tmp/newfolder$ tar -xvf data4
data5.bin
bandit12@bandit:/tmp/newfolder$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@bandit:/tmp/newfolder$ tar -xvf data5.bin
data6.bin
bandit12@bandit:/tmp/newfolder$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
Command explanation:
tar → Is an archiving utility. -xvf extracts all files from a tar archive (x = extract, v = verbose, f = archive file).

Last, we get files that use the bzip2 and gzip methods again. We decompress them as before, repeating until we get the real file.

bandit12@bandit:/tmp/newfolder$ mv data6.bin data7.bz2
bandit12@bandit:/tmp/newfolder$ ls

data4 data5.bin data7.bz2 data.txt
bandit12@bandit:/tmp/newfolder$ file data7.bz2
data7.bz2: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/newfolder$ bzip2 -d data7.bz2
bandit12@bandit:/tmp/newfolder$ ls

data4 data5.bin data7 data.txt
bandit12@bandit:/tmp/newfolder$ file data7
data7: POSIX tar archive (GNU)
bandit12@bandit:/tmp/newfolder$ tar -xvf data7
data8.bin
bandit12@bandit:/tmp/newfolder$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", last modified: Tue Oct 16 12:00:23 2018, max compression, from Unix
bandit12@bandit:/tmp/newfolder$ mv data8.bin data9.gz
bandit12@bandit:/tmp/newfolder$ gzip -d data9.gz
bandit12@bandit:/tmp/newfolder$ ls

data4 data5.bin data7 data9 data.txt
bandit12@bandit:/tmp/newfolder$ file data9
data9: ASCII text
bandit12@bandit:/tmp/newfolder$ cat data9
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
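
The check-with-file, rename and decompress cycle above can be automated. This added example (not part of the original walkthrough) identifies each layer from its magic bytes and unwraps it until plain data remains; it starts after the xxd -r step, and layer_type, peel, build_sample and the sample data are names and inputs constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original walkthrough. Sample data is constructed.

# layer_type FILE: name the container format from its magic bytes, which is
# the same evidence `file` uses for these three formats.
layer_type() {
    magic=$(od -An -tx1 -N3 "$1" | tr -d ' \n')
    case $magic in
        1f8b*)  echo gzip;  return 0 ;;
        425a68) echo bzip2; return 0 ;;
    esac
    # A tar header carries the string "ustar" at byte offset 257.
    tag=$(dd if="$1" bs=1 skip=257 count=5 2>/dev/null | tr -d '\0')
    if [ "$tag" = ustar ]; then echo tar; else echo plain; fi
}

# peel FILE: unwrap layers until plain data remains, then print it.
# Works on a private copy, streams tar members to stdout instead of writing
# archive-supplied names to disk, and stops after 32 layers.
peel() {
    work=$(mktemp -d) || return 1
    cp "$1" "$work/cur" || { rm -rf "$work"; return 1; }
    depth=0
    while [ "$depth" -lt 32 ]; do
        case $(layer_type "$work/cur") in
            gzip)  gzip -dc "$work/cur" > "$work/next" || break ;;
            bzip2) bzip2 -dc "$work/cur" > "$work/next" || break ;;
            tar)   member=$(tar -tf "$work/cur" | head -n 1)
                   tar -xOf "$work/cur" "$member" > "$work/next" || break ;;
            plain) cat "$work/cur"; rm -rf "$work"; return 0 ;;
        esac
        mv "$work/next" "$work/cur"
        depth=$((depth + 1))
    done
    rm -rf "$work"
    return 1
}

# build_sample: constructed input, text -> gzip -> tar -> gzip (-> bzip2 when
# bzip2 is installed). Prints the path of the outermost file.
build_sample() {
    s=$(mktemp -d) || return 1
    printf 'The password is CONSTRUCTED-EXAMPLE\n' > "$s/data9"
    gzip -c "$s/data9" > "$s/data8.bin"
    tar -cf "$s/data7" -C "$s" data8.bin
    gzip -c "$s/data7" > "$s/data6"
    if command -v bzip2 >/dev/null 2>&1; then
        bzip2 -c "$s/data6" > "$s/data"
    else
        cp "$s/data6" "$s/data"
    fi
    printf '%s\n' "$s/data"
}

sample=$(build_sample)
peel "$sample"                       # prints the constructed password line
rm -rf "$(dirname "$sample")"
```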

Level 13 → 14

The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on.
The objective of this level is to log in over SSH using an SSH key. So we can log in to the next level with that SSH key.
You can read the helpful materials below:
SSH/OpenSSH/Keys
Log in with an SSH private key on Linux and macOS

~# ssh bandit13@bandit.labs.overthewire.org -p 2220
bandit13@bandit:~$ ls
sshkey.private
bandit13@bandit:~$ cat sshkey.private
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
bandit13@bandit:~$ ssh -i sshkey.private bandit14@localhost
Could not create directory '/home/bandit13/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit13/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
Linux bandit 4.18.12 x86_64 GNU/Linux


Welcome to OverTheWire!
If you find any problems, please report them to Steven or morla on
irc.overthewire.org.
--[ Playing the games ]--

This machine might hold several wargames.
If you are playing "somegame", then:
* USERNAMES are somegame0, somegame1, ...
* Most LEVELS are stored in /somegame/.
* PASSWORDS for each level are stored in /etc/somegame_pass/.
Write-access to homedirectories is disabled. It is advised to create a
working directory with a hard-to-guess name in /tmp/. You can use the
command "mktemp -d" in order to generate a random and hard to guess
directory in /tmp/. Read-access to both /tmp/ and /proc/ is disabled
so that users can not snoop on eachother. Files and directories with
easily guessable or short names will be periodically deleted!

Please play nice:

* don't leave orphan processes running
* don't leave exploit-files laying around
* don't annoy other players
* don't post passwords or spoilers
* again, DONT POST SPOILERS!
This includes writeups of your solution on your blog or website!
--[ Tips ]--

This machine has a 64bit processor and many security-features enabled
by default, although ASLR has been switched off. The following
compiler flags might be interesting:
-m32 compile for 32bit
-fno-stack-protector disable ProPolice
-Wl,-z,norelro disable relro
In addition, the execstack tool can be used to flag the stack as
executable on ELF binaries.
Finally, network-access is limited for most levels by a local
firewall.
--[ Tools ]--

For your convenience we have installed a few usefull tools which you can find
in the following locations:
* pwndbg (https://github.com/pwndbg/pwndbg) in /usr/local/pwndbg/
* peda (https://github.com/longld/peda.git) in /usr/local/peda/
* gdbinit (https://github.com/gdbinit/Gdbinit) in /usr/local/gdbinit/
* pwntools (https://github.com/Gallopsled/pwntools)
* radare2 (http://www.radare.org/)
* checksec.sh (http://www.trapkit.de/tools/checksec.html) in /usr/local/bin/checksec.sh
--[ More information ]--

For more information regarding individual wargames, visit
http://www.overthewire.org/wargames/
For support, questions or comments, contact us through IRC on
irc.overthewire.org #wargames.
Enjoy your stay!
bandit14@bandit:~$
Command explanation:
-i → Selects the file from which the identity (private key) for public key authentication is read.

Level 14 → 15

The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
On this level, we can get the current level's password from /etc/bandit_pass. Each password in that directory can be read only by the user currently logged in over SSH, so don’t think of it as a shortcut to get all the passwords. Then we can use the nc command to submit the password to localhost.
You can read helpful materials below:
Linux nc command

bandit14@bandit:~$ cd /etc/bandit_pass/
bandit14@bandit:/etc/bandit_pass$ ls
bandit0 bandit13 bandit18 bandit22 bandit27 bandit31 bandit6
bandit1 bandit14 bandit19 bandit23 bandit28 bandit32 bandit7
bandit10 bandit15 bandit2 bandit24 bandit29 bandit33 bandit8
bandit11 bandit16 bandit20 bandit25 bandit3 bandit4 bandit9
bandit12 bandit17 bandit21 bandit26 bandit30 bandit5
bandit14@bandit:/etc/bandit_pass$ cat bandit1
cat: bandit1: Permission denied
bandit14@bandit:/etc/bandit_pass$ cat bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
bandit14@bandit:/etc/bandit_pass$ echo 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e | nc localhost 30000
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr
Command explanation:
echo → Used to display a line of text.
nc → Is a simple unix utility which reads and writes data across network connections, using TCP or UDP protocol.

Level 15 → 16

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
At this level, we need to connect to localhost using SSL to submit the password. We can use openssl to connect to localhost.
You can read helpful materials below:
How to use telnet to test SSL/https websites

~# ssh bandit15@bandit.labs.overthewire.org -p 2220
bandit15@bandit:~$ ls
bandit15@bandit:~$ cat /etc/bandit_pass/bandit15

BfMYroe26WYalil77FoDi9qh59eK5xNr
bandit15@bandit:~$ openssl s_client -connect localhost:30001
CONNECTED(00000003)
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
---
Certificate chain
0 s:/CN=localhost
i:/CN=localhost
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/CN=localhost
issuer=/CN=localhost
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1019 bytes and written 269 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: E4CEA494AF0B4D3CF485272DF0781B72EB6EAE847FF074AEF67BB3FB8EF1E353
Session-ID-ctx:
Master-Key: 6CCF2C75F775628F2ADA6E64B199D237B49F60EA462D6C698336390DEC6E08F17B4F7D21F64650309EE0BC09C2D77F8F
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
Start Time: 1573199651
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
Extended master secret: yes
---
BfMYroe26WYalil77FoDi9qh59eK5xNr
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd
closed
Command explanation:
openssl → Is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and related cryptography standards required by them.
s_client → Is a SSL/TLS client program.
-connect → Used to establish connection to host with specific port.

Level 16 → 17

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
You can read helpful materials below:
How to use telnet to test SSL/https websites
Top 15 Nmap Commands to Scan Remote Hosts
SSH/OpenSSH/Keys
Log in with an SSH private key on Linux and macOS
Learning the shell — Lesson 9: Permissions — LinuxCommand.org

This level requires a basic understanding of port scanning and service identification. We can use nmap to scan for open ports in the range 31000 to 32000.

~# ssh bandit16@bandit.labs.overthewire.org -p 2220
bandit16@bandit:~$ nmap -A localhost -p 31000-32000
Starting Nmap 7.40 ( https://nmap.org ) at 2019-11-23 14:26 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00022s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
31518/tcp filtered unknown
31790/tcp open ssl/unknown
| fingerprint-strings:
| FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SIPOptions, SSLSessionReq, TLSSessionReq:
|_ Wrong! Please enter the correct current password
| ssl-cert: Subject: commonName=localhost
| Subject Alternative Name: DNS:localhost
| Not valid before: 2019-10-20T14:45:33
|_Not valid after: 2020-10-19T14:45:33
|_ssl-date: TLS randomness does not represent time
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 90.39 seconds
Command explanation:
nmap → A network exploration and security tool used for port scanning. -A enables OS detection, version detection, script scanning, and traceroute.

Let’s see: 31790 is an open TCP port running an SSL service. Like in previous levels, we need to send the current level’s password to the SSL port to get the password or private key.

bandit16@bandit:~$ cat /etc/bandit_pass/bandit16
cluFn7wTiGryunymYOu4RcffSxQluehd
bandit16@bandit:~$ openssl s_client -connect localhost:31790
CONNECTED(00000003)
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
---
Certificate chain
0 s:/CN=localhost
i:/CN=localhost
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/CN=localhost
issuer=/CN=localhost
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1019 bytes and written 269 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: FF9E583C21F55F3381602CE2DB383F0ABDC072BA17883CCD7543DBFDCA3C8B8B
Session-ID-ctx:
Master-Key: 7E6BE21BAFDA17081D29BAC1B86C1423C4A138B875211D8958F3595AC88BF80B70005C259DF35AA1FF87A2BEDD418F67
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
Start Time: 1574517380
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
Extended master secret: yes
---
cluFn7wTiGryunymYOu4RcffSxQluehd //current levels password
Correct!
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
closed

Now we have the private key for accessing the next level with ssh. But first we must save the private key into a file, which means we need a directory where we have permission to create files. So, we can put it in the tmp directory like in previous levels. :)

bandit16@bandit:~$ cd /tmp
bandit16@bandit:/tmp$ nano ssh-17.private

Unable to create directory /home/bandit16/.nano: Permission denied
It is required for saving/loading search history or cursor positions.
Press Enter to continue //here we copy the private key into a file
bandit16@bandit:/tmp$ ssh -i ssh-17.private bandit17@localhost
Could not create directory '/home/bandit16/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit16/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'ssh-17.private' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "ssh-17.private": bad permissions
bandit17@localhost's password:

Ok, we have the private key file, but why can’t we log in? The output above tells us that our private key file has the wrong permissions. So, we must change the permissions using chmod so that ssh accepts the private key for login.

bandit16@bandit:/tmp$ chmod 600 ssh-17.private
bandit16@bandit:/tmp$ ssh -i ssh-17.private bandit17@localhost

Could not create directory '/home/bandit16/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit16/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
Linux bandit 4.18.12 x86_64 GNU/Linux

,----.. ,----, .---.
/ / \ ,/ .`| /. ./|
/ . : ,` .' : .--'. ' ;
. / ;. \ ; ; / /__./ \ : |
. ; / ` ; .'___,/ ,' .--'. ' \' .
; | ; \ ; | | : | /___/ \ | ' '
| : | ; | ' ; |.'; ; ; \ \; :
. | ' ' ' : `----' | | \ ; ` |
' ; \; / | ' : ; . \ .\ ;
\ \ ', / | | ' \ \ ' \ |
; : / ' : | : ' |--"
\ \ .' ; |.' \ \ ;
www. `---` ver '---' he '---" ire.org


Welcome to OverTheWire!
If you find any problems, please report them to Steven or morla on
irc.overthewire.org.
--[ Playing the games ]--
This machine might hold several wargames.
If you are playing "somegame", then:
* USERNAMES are somegame0, somegame1, ...
* Most LEVELS are stored in /somegame/.
* PASSWORDS for each level are stored in /etc/somegame_pass/.
Write-access to homedirectories is disabled. It is advised to create a
working directory with a hard-to-guess name in /tmp/. You can use the
command "mktemp -d" in order to generate a random and hard to guess
directory in /tmp/. Read-access to both /tmp/ and /proc/ is disabled
so that users can not snoop on eachother. Files and directories with
easily guessable or short names will be periodically deleted!

Please play nice:

* don't leave orphan processes running
* don't leave exploit-files laying around
* don't annoy other players
* don't post passwords or spoilers
* again, DONT POST SPOILERS!
This includes writeups of your solution on your blog or website!
--[ Tips ]--
This machine has a 64bit processor and many security-features enabled
by default, although ASLR has been switched off. The following
compiler flags might be interesting:
-m32 compile for 32bit
-fno-stack-protector disable ProPolice
-Wl,-z,norelro disable relro
In addition, the execstack tool can be used to flag the stack as
executable on ELF binaries.
Finally, network-access is limited for most levels by a local
firewall.
--[ Tools ]--
For your convenience we have installed a few usefull tools which you can find
in the following locations:
* pwndbg (https://github.com/pwndbg/pwndbg) in /usr/local/pwndbg/
* peda (https://github.com/longld/peda.git) in /usr/local/peda/
* gdbinit (https://github.com/gdbinit/Gdbinit) in /usr/local/gdbinit/
* pwntools (https://github.com/Gallopsled/pwntools)
* radare2 (http://www.radare.org/)
* checksec.sh (http://www.trapkit.de/tools/checksec.html) in /usr/local/bin/checksec.sh
--[ More information ]--
For more information regarding individual wargames, visit
http://www.overthewire.org/wargames/
For support, questions or comments, contact us through IRC on
irc.overthewire.org #wargames.
Enjoy your stay!
bandit17@bandit:~$ cat /etc/bandit_pass/bandit17
xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn
Command explanation:
chmod → Used to change the permissions of a file or directory. 644 is a common permission that leaves the file accessible to everyone else. We change the permission to 600, which means that only the owner can read and write the file.
Tips:
Write every level's password into a note. It will be helpful if we want to continue the game later from the current level.
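
The permission rule that ssh enforced above can be checked before connecting, and the key can be saved so that it is never readable by others in the first place. This is an added example, not part of the original walkthrough; the function names and the constructed placeholder key files are assumptions, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example (not from the walkthrough). Reproduces the rule behind the
# "UNPROTECTED PRIVATE KEY FILE" message: the key is refused when any
# group/other permission bit is set, i.e. (mode & 077) != 0.
# Assumes GNU coreutils (stat -c), as on a typical Linux host.

# key_mode_ok FILE: exit 0 when no group/other bit is set, 1 otherwise.
key_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 2
    # The leading 0 makes the shell parse the digits as octal.
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# save_key DIR NAME: store key material read from stdin. The umask applies at
# creation time, so the file is 0600 from the start instead of staying 0644
# until a later chmod.
save_key() (
    umask 077
    cat > "$1/$2"
)

# audit_keys DIR: print "MODE PATH" for every file under DIR whose first line
# is a private-key header and whose mode is too open.
audit_keys() {
    find "$1" -type f | while IFS= read -r f; do
        if head -n 1 "$f" | grep -q -e '-----BEGIN .*PRIVATE KEY-----'; then
            key_mode_ok "$f" || printf '%s %s\n' "$(stat -c '%a' "$f")" "$f"
        fi
    done
}

# Demo on constructed files; the key body is a placeholder, not a real key.
demo() {
    work=$(mktemp -d) || return 1          # private 0700 working directory
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED-PLACEHOLDER' \
        '-----END RSA PRIVATE KEY-----' > "$work/editor-saved.key"
    chmod 644 "$work/editor-saved.key"     # the state the walkthrough hit
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED-PLACEHOLDER' \
        '-----END RSA PRIVATE KEY-----' | save_key "$work" piped.key
    audit_keys "$work"                     # lists only editor-saved.key
    rm -rf "$work"
}
demo
```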

Level 17 → 18

There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new
NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19
As mentioned, the password is the only line that differs between the two files. We can use the diff command to get the result.
You can read helpful materials below:
diff command in Linux with examples

~# ssh bandit17@bandit.labs.overthewire.org -p 2220
bandit17@bandit:~$ ls
passwords.new passwords.old
bandit17@bandit:~$ diff passwords.new passwords.old
42c42
< kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd //this is the password
---
> hlbSBPAWJmL6WFDb06gpTx1pPButblOA
Command Explanation:
diff → Used to display the differences in the files by comparing the files line by line.

We have two results: the differing line from the first file and the one from the second file. Remember, we have a clue that the correct password will show us ‘Byebye!’. Check it out!

Level 18 → 19

The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH. The good thing is that we can see the ‘Byebye!’ from the previous level to confirm the password is correct haha 💩. To solve it, we can use the -T parameter of ssh to disable pseudo-tty allocation.
You need to read this helpful material below:
Forcing pseudo terminal on ssh command execution

~# ssh -T bandit18@bandit.labs.overthewire.org -p 2220
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit18@bandit.labs.overthewire.org's password:
Enjoy your stay!
Command Explanation:
-T → Used to disable pseudo-terminal allocation.

See, did something go wrong? The ‘Byebye!’ is gone.
But where is the shell?
It’s there, not visible, but it’s there. Like you, far away from me but always deep down in my heart eaa 😍
Ok, back to the topic haha. We can just type commands like in a normal shell.

ls
readme
cat readme
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x //see, we got the password

Level 19 → 20

To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.
You can read helpful material below:
setuid on Wikipedia

~# ssh bandit19@bandit.labs.overthewire.org -p 2220
bandit19@bandit:~$ ls
bandit20-do
bandit19@bandit:~$ file bandit20-do
bandit20-do: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=8e941f24b8c5cd0af67b22b724c57e1ab92a92a1, not stripped
bandit19@bandit:~$ ./bandit20-do
Run a command as another user.
Example: ./bandit20-do id

Hmm, interesting. As you can see, the file is a program that can execute a command as bandit20. We can run a command as bandit20 by passing it after the program name. Remember that we have a clue for the password location.

bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j

Level 20 → 21

There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21). In this case, we need two terminals to set up the connection, like a client and a server.
NOTE: Try connecting to your own network daemon to see if it works as you think
You can read helpful materials below:
Linux nc command

~# ssh bandit20@bandit.labs.overthewire.org -p 2220
bandit20@bandit:~$ ls
suconnect
bandit20@bandit:~$ file suconnect
suconnect: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=74c0f6dc184e0412b6dc52e542782f43807268e1, not stripped
bandit20@bandit:~$ ./suconnect
Usage: ./suconnect <portnumber>
This program will connect to the given port on localhost using TCP. If it receives the correct password from the other side, the next password is transmitted back.

See, now we know that the program needs the password to be transmitted over a port. So, we need to establish a connection on a port.

#First terminal for listening port
bandit20@bandit:~$ echo GbKksEFF4yrVs6il55v6gwY5aVje5f0j | nc -vlp 1111
listening on [any] 1111 ...

Overall it’s ok, we have a listener that is ready to accept any connection on port 1111. It’s like a single person who is ready for a connection and opens their heart to anyone haha 😆

#Second terminal for establishing the connection
bandit20@bandit:~$ ./suconnect 1111
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password

When the passwords match, the next password is sent to the listening port.

bandit20@bandit:~$ echo GbKksEFF4yrVs6il55v6gwY5aVje5f0j | nc -vlp 1111
listening on [any] 1111 ...
connect to [127.0.0.1] from localhost [127.0.0.1] 44284
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr

Level 21 → 22

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed. Simply put, it’s like a command history. We can read the cron file with the cat command and analyze it to find the password location.
You can read helpful materials below:
Crontab in Ubuntu

~# ssh bandit21@bandit.labs.overthewire.org -p 2220
bandit21@bandit:~$ cd /etc/cron.d
bandit21@bandit:/etc/cron.d$ ls

cronjob_bandit22 cronjob_bandit23 cronjob_bandit24
bandit21@bandit:/etc/cron.d$ cat cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
bandit21@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
bandit21@bandit:/etc/cron.d$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

Level 22 → 23

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed. The clue is the script referenced in the crontab file. I think this level pushes us to use every source we have.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
You can read helpful materials below:
Crontab in Ubuntu

~# ssh bandit22@bandit.labs.overthewire.org -p 2220
bandit22@bandit:~$ cd /etc/cron.d
bandit22@bandit:/etc/cron.d$ ls

cronjob_bandit22 cronjob_bandit23 cronjob_bandit24
bandit22@bandit:/etc/cron.d$ cat cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
bandit22@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash
myname=$(whoami) # for sure it's next level username (bandit23)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget
bandit22@bandit:/etc/cron.d$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349
bandit22@bandit:/etc/cron.d$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
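
Levels 21 → 22 and 22 → 23 both end with a secret in a world-readable file under /tmp whose name any local user can read or recompute. The sketch below is an added example, not part of the original walkthrough or OverTheWire's scripts: predictable_target repeats the derivation from cronjob_bandit23.sh, while publish_weak, publish_private and the temporary directories are assumptions used to contrast that pattern with a private, randomly named location.

```shell
#!/bin/sh
# Added example: why the cron job's output file is recoverable by any local
# user, next to a variant that is not. All paths are throwaway temp dirs and
# the secret is a constructed string.

# Same derivation as cronjob_bandit23.sh: the name depends only on the
# account name, so anyone who can read the script can recompute it.
predictable_target() {
    echo I am user "$1" | md5sum | cut -d ' ' -f 1
}

# Pattern used by the job: world-readable file in a shared directory.
# publish_weak SHARED_DIR USER SECRET -> prints the path it wrote
publish_weak() {
    target="$1/$(predictable_target "$2")"
    printf '%s\n' "$3" > "$target"
    chmod 644 "$target"
    printf '%s\n' "$target"
}

# Hardened variant: a 0700 directory with a random name (mktemp -d), and a
# file created under umask 077 so it is 0600 from the first byte.
# publish_private BASE_DIR SECRET -> prints the path it wrote
publish_private() (
    umask 077
    dir=$(mktemp -d "$1/job.XXXXXXXXXX") || exit 1
    printf '%s\n' "$2" > "$dir/secret"
    printf '%s\n' "$dir/secret"
)

demo() {
    base=$(mktemp -d) || return 1
    publish_weak "$base" bandit23 'constructed-secret'    # name is computable
    publish_private "$base" 'constructed-secret'          # name is random
    rm -rf "$base"
}
demo
```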

Level 23 → 24

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed. At this level, you may need to look back at the previous level to see the light haha :p
See how the previous level’s script puts the password into a file, and how to play with file permissions, especially the 777 permission.
You can read helpful materials below:
Crontab in Ubuntu
Learning the shell — Lesson 9: Permissions — LinuxCommand.org
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…

~# ssh bandit23@bandit.labs.overthewire.org -p 2220
bandit23@bandit:~$ cd /etc/cron.d
bandit23@bandit:/etc/cron.d$ ls

cronjob_bandit22 cronjob_bandit23 cronjob_bandit24
bandit23@bandit:/etc/cron.d$ cat cronjob_bandit24
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
bandit23@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash
myname=$(whoami)
cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        timeout -s 9 60 ./$i
        rm -f ./$i
    fi
done

Let’s begin to analyze the script. As we can see, every script in the /var/spool/$myname directory is automatically executed and then deleted. Do you remember the previous level’s method? Yeah, scroll up haha 💩
First, we need to create a directory to hold our shell script. Make sure it has permissions that let any user do anything in it; you can look this up in the helpful material.

bandit23@bandit:/etc/cron.d$ mkdir /tmp/kunci
bandit23@bandit:/etc/cron.d$ chmod 777 /tmp/kunci
bandit23@bandit:/etc/cron.d$ cd /tmp/kunci

Then, create a shell script that copies the password from /etc/bandit_pass into our directory.

bandit23@bandit:/tmp/kunci$ nano shell-kunci.sh
Unable to create directory /home/bandit23/.nano: Permission denied
It is required for saving/loading search history or cursor positions.
Press Enter to continue
//below is the script that copies the password into our directory
#!/bin/bash
cat /etc/bandit_pass/bandit24 >> /tmp/kunci/ikikunci

Last, copy our script into /var/spool/$myname. It will be executed automatically and we’ll get the password. It may take a minute, so be patient and have a cup of coffee ☕️

bandit23@bandit:/tmp/kunci$ cp shell-kunci.sh /var/spool/bandit24/
bandit23@bandit:/tmp/kunci$ ls
ikikunci shell-kunci.sh
bandit23@bandit:/tmp/kunci$ cat ikikunci
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
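
The loop in cronjob_bandit24.sh runs whatever any user drops into the spool directory. The variant below is an added example, not OverTheWire's script: run_spool, its trusted-UID parameter and the constructed spool directory are assumptions that show the ownership and write-permission gate a job like this normally needs.

```shell
#!/bin/sh
# Added example (not OverTheWire's script): the loop from cronjob_bandit24.sh
# with a gate in front of the execution step. An entry is run only when it is
# a regular file (not a symlink), owned by TRUSTED_UID, and not writable by
# group or others. Every entry is still deleted afterwards.
# Assumes GNU coreutils (stat -c, timeout).

# run_spool DIR TRUSTED_UID: prints "run NAME" or "skip NAME" per entry.
run_spool() (
    cd "$1" || exit 1
    for i in * .*; do
        case $i in .|..) continue ;; esac
        [ -e "./$i" ] || [ -L "./$i" ] || continue   # glob matched nothing
        if [ -f "./$i" ] && [ ! -L "./$i" ] &&
           [ "$(stat -c '%u' "./$i")" = "$2" ] &&
           [ $(( 0$(stat -c '%a' "./$i") & 022 )) -eq 0 ]; then
            echo "run $i"
            timeout -s 9 60 "./$i" >/dev/null 2>&1 || true
        else
            echo "skip $i"
        fi
        rm -f "./$i" || true
    done
)

# Demo on a constructed spool: one script owned by us with mode 700, and one
# that is world-writable (mode 777) and therefore rejected.
demo() {
    spool=$(mktemp -d) || return 1
    printf '#!/bin/sh\nexit 0\n' > "$spool/job.sh"
    chmod 700 "$spool/job.sh"
    printf '#!/bin/sh\nexit 0\n' > "$spool/shared.sh"
    chmod 777 "$spool/shared.sh"
    run_spool "$spool" "$(id -u)"      # run job.sh, skip shared.sh
    rmdir "$spool"
}
demo
```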

Level 24 → 25

A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pin code. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.
You can imagine it’s like hacking an Instagram account where we know the username but not the password. Simply put, brute-forcing is a way of guessing the password by trying every possible combination of characters. In this case, we must guess a 4-digit pin code; with 4 decimal digits there are 10,000 (0000 to 9999) possible values.
It would take a lot of time to do it manually. I think this level will improve your skill at writing a script to brute-force automatically. So let’s get the punch 👊
You can read helpful materials below:
What is a Brute Force Attack?
Linux nc command
Learning the shell — Lesson 9: Permissions — LinuxCommand.org

~# ssh bandit24@bandit.labs.overthewire.org -p 2220
bandit24@bandit:~$ nc localhost 30002
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.

As you can see, that command gives us the pin checker. So, we must try every possible pin against it. I am the lazy one, so we’ll make a script to simplify that process.

bandit24@bandit:~$ mkdir /tmp/bforcing
bandit24@bandit:~$ cd /tmp/bforcing
bandit24@bandit:/tmp/bforcing$ nano bforcer.sh

Unable to create directory /home/bandit24/.nano: Permission denied
It is required for saving/loading search history or cursor positions.
Press Enter to continue
//below is the script for brute-forcing the pin code
#!/bin/bash
password="UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ"
# loop over every possible pin code
for i in {0000..9999}
do
    # save the password and the candidate pin code into the wordlist
    echo "$password $i" >> wordlist.txt
done

Ok, now we have every possible pin code in our wordlist. Let’s feed it to the pin checker. In this case, we save the result into hasil.txt because it’s too long to display in this article haha. Then we can filter for the unique lines and get the password. The coolest thing is when we do the brute-forcing without saving it into a file and sort the result manually. You may feel like a pro hacker when it’s running haha 😊

bandit24@bandit:/tmp/bforcing$ cat wordlist.txt | nc localhost 30002 >> hasil.txt
bandit24@bandit:/tmp/bforcing$ sort hasil.txt | uniq -u
Correct!
Exiting.
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
Note:
You may get a session timeout error when you run the script above, because we are trying so many pins from 0 to 9999 that the network can't handle it. To resolve this, you can try smaller sections like 0 to 1000, 1001 to 2000, and so on.

Level 25 → 26

Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.
They say it should be fairly easy? Yeah, they’re telling the truth, but there is some f*cking tricky challenge to resolve in this level 😜
First, we must look up the user’s default shell in /etc/passwd, which shows the configured shell for every user. We can use the grep command to narrow it down to what we are looking for, so we can see the configured shell for bandit26.
You can read helpful materials below:
What is default shell for terminal?
The /etc/passwd File
more(1) — Linux man page
How to specify shell for vim?

~# ssh bandit25@bandit.labs.overthewire.org -p 2220
bandit25@bandit:~$ ls
bandit26.sshkey
bandit25@bandit:~$ ssh bandit26@localhost -i bandit26.sshkey
Could not create directory '/home/bandit25/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit25/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
Enjoy your stay!
  _                     _ _ _   ___   __
 | |                   | (_) | |__ \ / /
 | |__   __ _ _ __   __| |_| |_   ) / /_
 | '_ \ / _` | '_ \ / _` | | __| / / '_ \
 | |_) | (_| | | | | (_| | | |_ / /| (_) |
 |_.__/ \__,_|_| |_|\__,_|_|\__|____\___/
Connection to localhost closed.

Ok, as you can see, we can log in to bandit26. Unfortunately, someone has modified the shell so that we get logged out when we try to log in with SSH. I think this is similar to the case in the previous level.
Let’s take a look back at the instructions: we know that the shell is not /bin/bash. We can see the configured shell for every user in /etc/passwd. Alternatively, we can use the grep command for bandit26 to get the specific result.

bandit25@bandit:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/bin/false
messagebus:x:101:104::/var/run/dbus:/bin/false
sshd:x:102:65534::/run/sshd:/usr/sbin/nologin
identd:x:103:65534::/var/run/identd:/bin/false
ntp:x:104:107::/home/ntp:/bin/false
bandit0:x:11000:11000:bandit level 0:/home/bandit0:/bin/bash
bandit1:x:11001:11001:bandit level 1:/home/bandit1:/bin/bash
bandit10:x:11010:11010:bandit level 10:/home/bandit10:/bin/bash
bandit11:x:11011:11011:bandit level 11:/home/bandit11:/bin/bash
bandit12:x:11012:11012:bandit level 12:/home/bandit12:/bin/bash
bandit13:x:11013:11013:bandit level 13:/home/bandit13:/bin/bash
bandit14:x:11014:11014:bandit level 14:/home/bandit14:/bin/bash
bandit15:x:11015:11015:bandit level 15:/home/bandit15:/bin/bash
bandit16:x:11016:11016:bandit level 16:/home/bandit16:/bin/bash
bandit17:x:11017:11017:bandit level 17:/home/bandit17:/bin/bash
bandit18:x:11018:11018:bandit level 18:/home/bandit18:/bin/bash
bandit19:x:11019:11019:bandit level 19:/home/bandit19:/bin/bash
bandit2:x:11002:11002:bandit level 2:/home/bandit2:/bin/bash
bandit20:x:11020:11020:bandit level 20:/home/bandit20:/bin/bash
bandit21:x:11021:11021:bandit level 21:/home/bandit21:/bin/bash
bandit22:x:11022:11022:bandit level 22:/home/bandit22:/bin/bash
bandit23:x:11023:11023:bandit level 23:/home/bandit23:/bin/bash
bandit24:x:11024:11024:bandit level 24:/home/bandit24:/bin/bash
bandit25:x:11025:11025:bandit level 25:/home/bandit25:/bin/bash
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
bandit27:x:11027:11027:bandit level 27:/home/bandit27:/bin/bash
bandit28:x:11028:11028:bandit level 28:/home/bandit28:/bin/bash
bandit29:x:11029:11029:bandit level 29:/home/bandit29:/bin/bash
bandit3:x:11003:11003:bandit level 3:/home/bandit3:/bin/bash
bandit30:x:11030:11030:bandit level 30:/home/bandit30:/bin/bash
bandit31:x:11031:11031:bandit level 31:/home/bandit31:/bin/bash
bandit32:x:11032:11032:bandit level 32:/home/bandit32:/home/bandit32/uppershell
bandit33:x:11033:11033:bandit level 33:/home/bandit33:/bin/bash
bandit4:x:11004:11004:bandit level 4:/home/bandit4:/bin/bash
bandit5:x:11005:11005:bandit level 5:/home/bandit5:/bin/bash
bandit6:x:11006:11006:bandit level 6:/home/bandit6:/bin/bash
bandit7:x:11007:11007:bandit level 7:/home/bandit7:/bin/bash
bandit8:x:11008:11008:bandit level 8:/home/bandit8:/bin/bash
bandit9:x:11009:11009:bandit level 9:/home/bandit9:/bin/bash
bandit27-git:x:11527:11527::/home/bandit27-git:/usr/bin/git-shell
bandit28-git:x:11528:11528::/home/bandit28-git:/usr/bin/git-shell
bandit29-git:x:11529:11529::/home/bandit29-git:/usr/bin/git-shell
bandit30-git:x:11530:11530::/home/bandit30-git:/usr/bin/git-shell
bandit31-git:x:11531:11531::/home/bandit31-git:/usr/bin/git-shell
bandit25@bandit:~$ cat /etc/passwd | grep bandit26
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext

Ok, we got the result. Let’s jump into /usr/bin/showtext and see what is inside that file.

bandit25@bandit:~$ cat /usr/bin/showtext
#!/bin/sh
export TERM=linux
more ~/text.txt
exit 0

As you can see, we get logged out right after the script runs more on ~/text.txt. But this also tells us that the shell runs the more command. What is the more command on Linux? read the helpful material bro, please don’t be lazy haha 😔
Simply put, we can still log in to bandit26 and keep the shell process from finishing by shrinking the terminal to its minimum size, as in the image below. When the text does not fit on one screen, more pauses and waits for input instead of exiting.

Running SSH on decreased terminal size

The shell is still stuck and will not end until we expand the terminal size. Then, what should we do? Maybe you can ask your mom haha 😐
What if we change the shell to /bin/bash, so we can run the shell and commands as usual? We can enter the command by opening the vim editor, which more starts when we press the ‘v’ key, as shown in the image below.

Activated vim editor

We could use a vim command directly to get the password. But in this case, we want to get /bin/bash back. First, you must read the helpful material about the shell setting in vim. Are you done?
Ok, we can change the shell by adding the command as shown in the image below.

Adding command to set /bin/bash on shell

Then, execute with :sh.

Executing shell

Finally, we have the /bin/bash shell for bandit26.

We got the shell

Don’t forget to save the password of this level from /etc/bandit_pass/ so you can get back in when you want to continue this game from this level.

bandit26@bandit:~$ cat /etc/bandit_pass/bandit26
5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z
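
Seen from the administrator's side, the weakness in this level is a login shell that wraps an interactive pager. The script below is an added example, not part of the original walkthrough or of OverTheWire's setup: it flags accounts whose login shell is outside an allowlist and checks whether a wrapper script runs a program that has a built-in editor or shell escape. The two lists and all function names are assumptions; the sample lines are excerpts of the output shown above.

```shell
#!/bin/sh
# Added example: audit login shells from the defender's side.
# APPROVED and ESCAPABLE are assumed lists; tune them for your own hosts.
APPROVED='/bin/bash /bin/sh /bin/sync /bin/false /usr/sbin/nologin /usr/bin/git-shell'
ESCAPABLE='more less most man vi vim view ed'

# passwd(5) lines on stdin -> "user<TAB>shell" for shells outside APPROVED.
custom_shells() {
  awk -F: -v ok="$APPROVED" '
    BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) allowed[a[i]] = 1 }
    NF >= 7 && $7 != "" && !($7 in allowed) { print $1 "\t" $7 }'
}

# Wrapper script on stdin -> names of ESCAPABLE programs it mentions.
# Heuristic: comments are stripped, then the name must appear as a whole
# word at line start or after ; & | / or whitespace.
risky_calls() {
  body=$(sed 's/#.*//')
  for prog in $ESCAPABLE; do
    if printf '%s\n' "$body" |
       grep -Eq "(^|[;&|/[:space:]])$prog([[:space:]]|\$)"; then
      echo "$prog"
    fi
  done
}

# Excerpt of the /etc/passwd listing shown above.
sample_passwd() {
  cat <<'EOF'
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bandit25:x:11025:11025:bandit level 25:/home/bandit25:/bin/bash
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
bandit32:x:11032:11032:bandit level 32:/home/bandit32:/home/bandit32/uppershell
bandit27-git:x:11527:11527::/home/bandit27-git:/usr/bin/git-shell
EOF
}

# /usr/bin/showtext as shown above.
sample_showtext() {
  cat <<'EOF'
#!/bin/sh
export TERM=linux
more ~/text.txt
exit 0
EOF
}

# Demo: list the custom shells, then inspect the showtext wrapper.
sample_passwd | custom_shells
echo "showtext runs: $(sample_showtext | risky_calls)"
```

On a real host, feed `/etc/passwd` to `custom_shells` and each reported wrapper script to `risky_calls`; a hit means the account can probably reach an editor or a shell despite the restricted login.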

Level 26 → 27

Good job getting a shell! Now hurry and grab the password for bandit27!
This level requires us to remember a previous level; it is easy if you remember setuid from the previous level.
Ok, no more helpful material on this level haha 👶

~# ssh bandit26@bandit.labs.overthewire.org -p 2220
bandit26@bandit:~$ ls
bandit27-do text.txt
bandit26@bandit:~$ file bandit27-do
bandit27-do: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=8e941f24b8c5cd0af67b22b724c57e1ab92a92a1, not stripped
bandit26@bandit:~$ ./bandit27-do whoami
bandit27
bandit26@bandit:~$ ./bandit27-do cat /etc/bandit_pass/bandit27
3ba3118a22e93127a4ed485be72ef5ea
Command Explanation:
whoami → Used to print the user name associated with the current effective user ID.

Level 27 → 28

There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo. The password for the user bandit27-git is the same as for the user bandit27.
The goal of this level is to clone the git repository at that link into our own directory.
You can read helpful material below:
Learning Git: What is a Git Repository?
Clone a repository

First, we should create a directory to clone the repository into. As usual, we can use a directory under /tmp/, then clone the repository.

~# ssh bandit27@bandit.labs.overthewire.org -p 2220
bandit27@bandit:~$ mkdir /tmp/git_clone
bandit27@bandit:~$ cd /tmp/git_clone
bandit27@bandit:/tmp/git_clone$ git clone ssh://bandit27-git@localhost/home/bandit27-git/repo

Cloning into 'repo'...
Could not create directory '/home/bandit27/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit27/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit27-git@localhost's password:
remote: Counting objects: 3, done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 3 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (3/3), done.
bandit27@bandit:/tmp/git_clone$ ls
repo
bandit27@bandit:/tmp/git_clone$ cd repo
bandit27@bandit:/tmp/git_clone/repo$ ls

README
bandit27@bandit:/tmp/git_clone/repo$ cat README
The password to the next level is: 0ef186ac70e04ea33b4c1853d2526fa2
Command Explanation:
git clone → Used to clone a repository into a new directory.

Level 28 → 29

There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo. The password for the user bandit28-git is the same as for the user bandit28.
Ok, first we must know about commits in git. The git commit command captures a snapshot of the project's currently staged changes. Is there a log of commits? Of course. Git saves every commit in a log, so we can see what changed between any two commits.
You can read helpful material below:
Git commit

~# ssh bandit28@bandit.labs.overthewire.org -p 2220
bandit28@bandit:~$ mkdir /tmp/git_clone2
bandit28@bandit:~$ cd /tmp/git_clone2
bandit28@bandit:/tmp/git_clone2$ git clone ssh://bandit28-git@localhost/home/bandit28-git/repo

Cloning into 'repo'...
Could not create directory '/home/bandit28/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit28/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit28-git@localhost's password:
remote: Counting objects: 9, done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 9 (delta 2), reused 0 (delta 0)
Receiving objects: 100% (9/9), done.
Resolving deltas: 100% (2/2), done.
bandit28@bandit:/tmp/git_clone2$ ls
repo
bandit28@bandit:/tmp/git_clone2$ cd repo/
bandit28@bandit:/tmp/git_clone2/repo$ ls

README.md
bandit28@bandit:/tmp/git_clone2/repo$ cat README.md
# Bandit Notes
Some notes for level29 of bandit.
## credentials
- username: bandit29
- password: xxxxxxxxxx

As you can see, the password has been changed to ‘xxxxxxxxxx’. From there, we know that we must look back into the git log to see what the latest commits were.

bandit28@bandit:/tmp/git_clone2/repo$ git log
commit 073c27c130e6ee407e12faad1dd3848a110c4f95
Author: Morla Porla <morla@overthewire.org>
Date: Tue Oct 16 14:00:39 2018 +0200
fix info leak

commit 186a1038cc54d1358d42d468cdc8e3cc28a93fcb
Author: Morla Porla <morla@overthewire.org>
Date: Tue Oct 16 14:00:39 2018 +0200
add missing data

commit b67405defc6ef44210c53345fc953e6a21338cc7
Author: Ben Dover <noone@overthewire.org>
Date: Tue Oct 16 14:00:39 2018 +0200
initial commit of README.md

Ok, we got the commit log. Guess what ‘fix info leak’ means? yeaah, I guess it’s protecting the password from us haha 😆
Every commit in the log has a unique ID; we can see what is inside a commit with the git show command followed by that ID.

bandit28@bandit:/tmp/git_clone2/repo$ git show 073c27c130e6ee407e12faad1dd3848a110c4f95
commit 073c27c130e6ee407e12faad1dd3848a110c4f95
Author: Morla Porla <morla@overthewire.org>
Date: Tue Oct 16 14:00:39 2018 +0200
fix info leakdiff --git a/README.md b/README.md
index 3f7cee8..5c6457b 100644
--- a/README.md
+++ b/README.md
@@ -4,5 +4,5 @@ Some notes for level29 of bandit.
## credentials

- username: bandit29
-- password: bbc96594b4e001778eee9975372716b2
+- password: xxxxxxxxxx
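Review bot: the password line in README.md is only overwritten here, so the value on the removed line stays readable in this commit's diff and in every earlier commit. A follow-up "fix" commit does not undo the leak: the credential should be rotated, and if it must disappear from the repository the history has to be rewritten and the ref force-updated, rather than relying on the `+- password: xxxxxxxxxx` replacement.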

As you can see, the latest commit is the one that fixes the info leak, which means replacing the password with hidden characters.

Level 29 → 30

There is a git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo. The password for the user bandit29-git is the same as for the user bandit29.
At this level, we’ll learn about git branches. In Git, branches are a part of the version control model that is important to understand for your development process. Git branches are said to be much more lightweight than in other version control system models. If you have a git repository, I think you’ll become more aware of what is in your repositories after doing all of these git levels haha, me too.
You can read helpful material below:
Git Branch

~# ssh bandit29@bandit.labs.overthewire.org -p 2220
bandit29@bandit:~$ mkdir /tmp/git_clone3
bandit29@bandit:~$ cd /tmp/git_clone3
bandit29@bandit:/tmp/git_clone3$ git clone ssh://bandit29-git@localhost/home/bandit29-git/repo

Cloning into 'repo'...
Could not create directory '/home/bandit29/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit29/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit29-git@localhost's password:
remote: Counting objects: 16, done.
remote: Compressing objects: 100% (11/11), done.
remote: Total 16 (delta 2), reused 0 (delta 0)
Receiving objects: 100% (16/16), done.
Resolving deltas: 100% (2/2), done.
bandit29@bandit:/tmp/git_clone3$ ls
repo
bandit29@bandit:/tmp/git_clone3$ cd repo
bandit29@bandit:/tmp/git_clone3/repo$ ls

README.md
bandit29@bandit:/tmp/git_clone3/repo$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.
## credentials
- username: bandit30
- password: <no passwords in production!>

Here we are: we learn that passwords are not kept in production in this repository. I think this is like a policy that forces us to place our passwords in a separate place that no one can see, except us of course. And there are the git branches; we can see the other branches with the branch command.

bandit29@bandit:/tmp/git_clone3/repo$ git branch -a
* master
remotes/origin/HEAD -> origin/master
remotes/origin/dev
remotes/origin/master
remotes/origin/sploits-dev

Now we have all the branches. If you’re a developer, where would you put your credentials? I see, on the development branch of course 😐
So let’s see if I am right..
We can switch branches with the checkout command.

bandit29@bandit:/tmp/git_clone3/repo$ git checkout dev
Branch dev set up to track remote branch dev from origin.
Switched to a new branch 'dev'
bandit29@bandit:/tmp/git_clone3/repo$ ls
code README.md
bandit29@bandit:/tmp/git_clone3/repo$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.
## credentials
- username: bandit30
- password: 5b90576bedb2cc04c86a9e924ce42faf

Level 30 → 31

There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo. The password for the user bandit30-git is the same as for the user bandit30.
On this level, we’ll learn about the git concept of tagging and the git tag command. Developers usually create a tag for an important point in the development process. After cloning the repository, we get an empty file in the directory. So we can use git tag to see if the developer mentioned something in a tag for an important point of the development process.
You can read helpful material below:
Git Tag

~# ssh bandit30@bandit.labs.overthewire.org -p 2220
bandit30@bandit:~$ mkdir /tmp/git_clone4
bandit30@bandit:~$ cd /tmp/git_clone4
bandit30@bandit:/tmp/git_clone4$ git clone ssh://bandit30-git@localhost/home/bandit30-git/repo

Cloning into 'repo'...
Could not create directory '/home/bandit30/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit30/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit30-git@localhost's password:
remote: Counting objects: 4, done.
remote: Total 4 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (4/4), done.
bandit30@bandit:/tmp/git_clone4$ ls
repo
bandit30@bandit:/tmp/git_clone4$ cd repo
bandit30@bandit:/tmp/git_clone4/repo$ ls

README.md
bandit30@bandit:/tmp/git_clone4/repo$ cat README.md
just an epmty file... muahaha

See, we got the bandit’s joke haha 💩

bandit30@bandit:/tmp/git_clone4/repo$ git tag
secret
bandit30@bandit:/tmp/git_clone4/repo$ git show secret
47e603bb428404d265f59c42920d81e5
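
Levels 28 → 29 through 30 → 31 all come down to the same thing: a credential that is gone from the checked-out file but still reachable through history, a branch or a tag. The script below is an added example, not part of the original walkthrough: it builds a throwaway repository with constructed secrets and lists every ref that still exposes one. The regex, the function names and the repository contents are assumptions, and it needs git installed.

```shell
#!/bin/sh
# Added example: list credential-looking lines that are still reachable from
# any ref, even when the checked-out file is clean.
# PATTERN and the sample repository are constructed for illustration.
PATTERN='password: [0-9a-f]{32}'   # assumed format: 32 hex characters

# Build a throwaway repo reproducing the three cases: a secret "fixed" by a
# later commit, a secret on a side branch, and a secret behind a tag.
make_sample_repo() (
  dir=$(mktemp -d) && cd "$dir" || exit 1
  g() { git -c user.name=demo -c user.email=demo@example.invalid \
            -c commit.gpgsign=false "$@" >/dev/null 2>&1; }
  fake() { printf 'password: %032x\n' "$1"; }   # constructed secrets 1, 2, 3
  g init -q .
  fake 1 > README.md
  g add README.md && g commit -q -m 'add missing data'
  main=$(git symbolic-ref --short HEAD)
  echo 'password: xxxxxxxxxx' > README.md
  g commit -q -am 'fix info leak'        # redacts the file, not the history
  g checkout -q -b dev
  fake 2 > README.md
  g commit -q -am 'dev notes'            # secret lives only on this branch
  g checkout -q "$main"
  g tag secret "$(fake 3 | git hash-object -w --stdin)"   # tag -> blob
  pwd
)

# Print "<ref><TAB><match>" for every match reachable from each ref.
scan_refs() (
  cd "$1" || exit 1
  git for-each-ref --format='%(refname)' | while read -r ref; do
    if [ "$(git cat-file -t "$ref")" = commit ]; then
      # -p prints every patch, so lines deleted by a later commit still show
      git log -p --format= "$ref"
    else
      git cat-file -p "$ref"             # e.g. a tag that points at a blob
    fi | grep -Eo "$PATTERN" | sort -u | while read -r hit; do
      printf '%s\t%s\n' "$ref" "$hit"
    done
  done
)

# Demo: the working tree looks clean, the refs do not.
demo() {
  repo=$(make_sample_repo) || return 1
  echo "working tree: $(cat "$repo/README.md")"
  scan_refs "$repo"
  rm -rf "$repo"
}
demo
```

Any line it prints is a credential to rotate, whatever the current README says.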

Level 31 → 32

There is a git repository at ssh://bandit31-git@localhost/home/bandit31-git/repo. The password for the user bandit31-git is the same as for the user bandit31.
On this level, we’ll learn how to add and commit a file to a git repository.
You can read helpful material below:
Adding a file to a repository using the command line

~# ssh bandit31@bandit.labs.overthewire.org -p 2220
bandit31@bandit:~$ mkdir /tmp/git_clone5
bandit31@bandit:~$ cd /tmp/git_clone5
bandit31@bandit:/tmp/git_clone5$ git clone ssh://bandit31-git@localhost/home/bandit31-git/repo

Cloning into 'repo'...
Could not create directory '/home/bandit31/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit31/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit31-git@localhost's password:
remote: Counting objects: 4, done.
remote: Compressing objects: 100% (3/3), done.
remote: Total 4 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (4/4), done.
bandit31@bandit:/tmp/git_clone5$ ls
repo
bandit31@bandit:/tmp/git_clone5$ cd repo
bandit31@bandit:/tmp/git_clone5/repo$ ls

README.md
bandit31@bandit:/tmp/git_clone5/repo$ cat README.md
This time your task is to push a file to the remote repository.
Details:
File name: key.txt
Content: 'May I come in?'
Branch: master

See, the properties of the required file are given. We can make a txt file using nano, then fill it with “May I come in?”. Let’s try!

bandit31@bandit:/tmp/git_clone5/repo$ nano key.txt
Unable to create directory /home/bandit31/.nano: Permission denied
It is required for saving/loading search history or cursor positions.
Press Enter to continue
bandit31@bandit:/tmp/git_clone5/repo$ ls
key.txt README.md
bandit31@bandit:/tmp/git_clone5/repo$ cat key.txt
May I come in?

Alright, now we have the required file. Now we must add, commit, then push the file to the git repository. When we push the file, bandit compares our file with the required file. If we created the right one, we get the credential for the next level.

bandit31@bandit:/tmp/git_clone5/repo$ git add -f key.txt 
bandit31@bandit:/tmp/git_clone5/repo$ git commit -m "Adding a file"

[master 6bb9299] Adding a file
1 file changed, 1 insertion(+)
create mode 100644 key.txt
bandit31@bandit:/tmp/git_clone5/repo$ git push origin
Could not create directory '/home/bandit31/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit31/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit31-git@localhost's password:
Counting objects: 3, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 323 bytes | 0 bytes/s, done.
Total 3 (delta 0), reused 0 (delta 0)
remote: ### Attempting to validate files... ####
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
remote: Well done! Here is the password for the next level:
remote: 56a9bf19c63d650ce78e6ec0354ee45e
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
To ssh://localhost/home/bandit31-git/repo
! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'ssh://bandit31-git@localhost/home/bandit31-git/repo'

Level 32 → 33

After all this git stuff its time for another escape. Good luck!
It is a fucking clue 💩
But, yeey, we pass all the git stuff 👯
It is a tricky level, because we get a shell that turns our commands into uppercase before executing them. In that case, we must escape from that shell by using an escape character.
You can read helpful material below:
Linux with Operating System Concepts

~# ssh bandit32@bandit.labs.overthewire.org -p 2220
WELCOME TO THE UPPERCASE SHELL
>> ls
sh: 1: LS: not found

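As you can see, our “ls” is executed as “LS” in this shell. To escape from this shell, we can use $0 to get our lovely shell back. 💌
The notation $0 returns the name of the script itself while $$ returns the PID of the script’s running process. Because $0 contains no letters, the uppercase conversion leaves it unchanged, and here it expands to sh, the name shown in the error message above.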

>> $0
$ ls

uppershell
$ cd uppershell
sh: 2: cd: can't cd to uppershell
$ ls -a
. .. .bash_logout .bashrc .profile uppershell

Well, now we get our lovely shell 👊
Let’s look up our credential in the bandit_pass directory. Then check it by logging in to bandit33. I think this is the last level we can reach at this moment 😢

$ cd /etc/bandit_pass
$ ls

bandit0 bandit13 bandit18 bandit22 bandit27 bandit31 bandit6
bandit1 bandit14 bandit19 bandit23 bandit28 bandit32 bandit7
bandit10 bandit15 bandit2 bandit24 bandit29 bandit33 bandit8
bandit11 bandit16 bandit20 bandit25 bandit3 bandit4 bandit9
bandit12 bandit17 bandit21 bandit26 bandit30 bandit5
$ cat bandit33
c9c3199ddf4121b10cf581a98d51caee

Level 33 → 34

At this moment, level 34 does not exist yet.

Ok guys, thanks for reading my first personal article. I hope you enjoyed it and that this article is helpful for you. Cheers 🍷
