Wargame — Over The Wire : Bandit Walkthrough
Wargames
The wargames offered by the OverTheWire community can help you to learn and practice security concepts in the form of fun-filled games.
To find out more about a certain wargame, just visit its page linked from the menu on the left.
Bandit
The Bandit wargame is aimed at absolute beginners. It will teach the basics needed to be able to play other wargames.
Bandit Level 0
Level Goal
The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.
In this level we simply connet the bandit machine by using ssh command.
Bandit Level 0 → Level 1
Level Goal
The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.
In this level we use the cat command for reading a file.
hash for next level : boJ9jbbUNNfktd78OOpsqOltutMc3MY1
Bandit Level 1 → Level 2
Level Goal
The password for the next level is stored in a file called — located in the home directory.
In this level we can access the “ — ”directory by using the command ./-hash for next level : CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
Bandit Level 2 → Level 3
Level Goal
The password for the next level is stored in a file called spaces in this filename located in the home director.
In this level we can access the directory by double quotes because the folder name having the space between them.hash for next level : UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
Bandit Level 3 → Level 4
Level Goal
The password for the next level is stored in a hidden file in the inhere directory.
In this level we can see the hidden folder by ls -lah command.hash for next level : pIwrPrtPN36QITSp3EQaw936yaFoFgAB
Bandit Level 4 → Level 5
Level Goal
The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.
hash for next level : koReBOKuIDDepwhWk7jZC0RTdopnAYKh
Bandit Level 5 → Level 6
Level Goal
The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:
human-readable
1033 bytes in size
not executable
In this level we use find command with their respective switches.
find . -type f -readable ! -executable -size 1033chash for next level : DXjZPULLxYr17uwoI01bNLQbtFemEgo7
Bandit Level 6 → Level 7
Level Goal
The password for the next level is stored somewhere on the server and has all of the following properties:
owned by user bandit7
owned by group bandit6
33 bytes in size
In this level we use find command with their respective switches.
find / -user bandit7 -group bandit6 -size 33c 2>/dev/nullhash for next level : HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
Bandit Level 7 → Level 8
Level Goal
The password for the next level is stored in the file data.txt next to the word millionth.
cat data.txt | grep millionthhash for next level : cvX2JJa4CFALtqS87jk27qwqGhBM9plV
Bandit Level 8 → Level 9
Level Goal
The password for the next level is stored in the file data.txt and is the only line of text that occurs only once.
cat data.txt | sort | uniq -uhash for next level : UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
Bandit Level 9 → Level 10
Level Goal
The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.
strings data.txt | grep =hash for next level : truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
Bandit Level 10 → Level 11
Level Goal
The password for the next level is stored in the file data.txt, which contains base64 encoded data.
base64 — decode data.txthash for next level : IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR
Bandit Level 11 → Level 12
Level Goal
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions.
We used two pipes, first to decode the lowercase alphabets and then uppercase alphabets after that.
cat data.txt | tr ‘[A-Za-z]’ ‘[N-ZA-Mn-za-m]’hash for next level : 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
Bandit Level 12 → Level 13
Level Goal
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)
1. xxd -r data.txt > reverse2. file reverse3. zcat reverse > data_zcat4. file data_zcat5. bzip2 -d data_zcat6. file data_zcat.out7. ls8. zcat data_zcat.out > data_zcat_29. file data_zcat_210. tar xvf data_zcat_211. file data5.bin12. tar xvf data5.bin13. file data6.bin14. bzip2 -d data6.bin15. file data6.bin.out16. tar xvf data6.bin.out17. file data8.bin18. zcat data8.bin > data8_zcat19. file data8_zcat20. cat data8_zcat
hash for next level : 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
Bandit Level 13 → Level 14
Level Goal
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on.
hash for next level : 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Bandit Level 14 → Level 15
Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
nc localhost 30000hash for next level : BfMYroe26WYalil77FoDi9qh59eK5xNr
Bandit Level 15 → Level 16
Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…
ign_eof : Inhibit shutting down the connection when end of file is reached in the input.hash for next level : cluFn7wTiGryunymYOu4RcffSxQluehd
Bandit Level 16 → Level 17
Level Goal
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
1 nmap -sT -A -p 31000–32000 localhost2 openssl s_client -connect localhost:31790
Bandit Level 17 → Level 18
Level Goal
There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new
NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19.
diff password.new password.oldhash for next level : kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
Bandit Level 18 → Level 19
Level Goal
The password for the next level is stored in a file readme in the home directory. Unfortunately, someone has modified . bashrc to log you out when you log in with SSH.
1. ssh bandit18@bandit.labs.overthewire.org -p 22202. ssh bandit18@bandit.labs.overthewire.org -p 2220 ls3. ssh bandit18@bandit.labs.overthewire.org -p 2220 cat readme
hash for next level : IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
Bandit Level 19 → Level 20
Level Goal
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.
hash for next level : GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Bandit Level 20 → Level 21
Level Goal
There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
NOTE: Try connecting to your own network daemon to see if it works as you think.
In this level we need two window one is for nc command and one is for running suconnect.
1 nc -lvnp 250002 ./suconnet
hash for next level : gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
Bandit Level 21 → Level 22
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
hash for next level : Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
Bandit Level 22 → Level 23
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
1 cat /etc/cron.d/cronjob_bandit232 cat /usr/bin/cronjob_bandit23.sh3 echo I am user bandit23 | md5sum | cut -d ‘ ‘ -f 14 cat /tmp/jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
hash for next level : jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
Bandit Level 23 → Level 24
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
wait for the script for running automatically and the password will appear in the passwd file.
hash for next level : UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
Bandit Level 24 → Level 25
Level Goal
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.
hash for next level : uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
Bandit Level 25 → Level 26
Level Goal
Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.
In This Level more command is activated when you minimize the size of tab.hash for next level : 5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z
Bandit Level 26 → Level 27
Level Goal
Good job getting a shell! Now hurry and grab the password for bandit27!
hash for next level : 3ba3118a22e93127a4ed485be72ef5ea
Bandit Level 27 → Level 28
Level Goal
There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo. The password for the user bandit27-git is the same as for the user bandit27.
Clone the repository and find the password for the next level.
hash for next level : 0ef186ac70e04ea33b4c1853d2526fa2
Bandit Level 28 → Level 29
Level Goal
There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo. The password for the user bandit28-git is the same as for the user bandit28.
Clone the repository and find the password for the next level.
hash for next level : bbc96594b4e001778eee9975372716b2
Bandit Level 29 → Level 30
Level Goal
There is a git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo. The password for the user bandit29-git is the same as for the user bandit29.
Clone the repository and find the password for the next level.
1 git branch -a2 git checkout remotes/origin/dev3 git log4 git show 33ce2e95d9c5d6fb0a40e5ee9a2926903646b4e3
hash for next level : 5b90576bedb2cc04c86a9e924ce42faf
Bandit Level 30 → Level 31
Level Goal
There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo. The password for the user bandit30-git is the same as for the user bandit30.
Clone the repository and find the password for the next level.
hash for next level : 47e603bb428404d265f59c42920d81e5
Bandit Level 31 → Level 32
Level Goal
There is a git repository at ssh://bandit31-git@localhost/home/bandit31-git/repo. The password for the user bandit31-git is the same as for the user bandit31.
Clone the repository and find the password for the next level.
hash for next level : 56a9bf19c63d650ce78e6ec0354ee45e
Bandit Level 32 → Level 33
After all this git stuff its time for another escape. Good luck!
1 $02 /bin/bash3 cat /etc/bandit_pass/bandit33
hash for next level :c9c3199ddf4121b10cf581a98d51caee
These are the Hash for all the levels
level 1 : boJ9jbbUNNfktd78OOpsqOltutMc3MY1
level 2 : CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
leve 3 : UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
level 4 : pIwrPrtPN36QITSp3EQaw936yaFoFgAB
level 5 : koReBOKuIDDepwhWk7jZC0RTdopnAYKh
level 6 : DXjZPULLxYr17uwoI01bNLQbtFemEgo7
level 7 : HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
level 8 : cvX2JJa4CFALtqS87jk27qwqGhBM9plV
level 9 : UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
level 10 : truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
level 11 : IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR
level 12 : 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
level 13 : 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
level 14 : 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
level 15 : BfMYroe26WYalil77FoDi9qh59eK5xNr
level 16 : cluFn7wTiGryunymYOu4RcffSxQluehd level 17 : -----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
-----END RSA PRIVATE KEY----- level 18 : kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
level 19 : IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
level 20 : GbKksEFF4yrVs6il55v6gwY5aVje5f0j
level 21 : gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
level 22 : Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
level 23 : jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
level 24 : UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
level 25 : uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
level 26 : 5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z
level 27 : 3ba3118a22e93127a4ed485be72ef5ea
level 28 : 0ef186ac70e04ea33b4c1853d2526fa2
level 29 : bbc96594b4e001778eee9975372716b2
level 30 : 5b90576bedb2cc04c86a9e924ce42faf
level 31 : 47e603bb428404d265f59c42920d81e5
level 32 : 56a9bf19c63d650ce78e6ec0354ee45e
level 33 : c9c3199ddf4121b10cf581a98d51caee
This is my First blog! Thank you for your valuable time!
Happy Hacking!!
