Solving Bandit (OverTheWire) as a Beginner! Have fun…
Wassup, hacker wannabes! I myself am a noob, and in this blog I will show you how to approach the Bandit levels as a complete beginner.
Level 0
You land on level 0, which is the gateway to the game. To enter the series, you just need to make an SSH connection on port 2220 (the port is specified in the level description), as shown below:
┌─[root@machine]─[~]
└──╼ #ssh bandit0@bandit.labs.overthewire.org -p 2220
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit0@bandit.labs.overthewire.org's password:
password: bandit0
Level 0 → Level 1
As the level description states, the password for the next level is stored in the file readme in the home directory. To read it, we simply use the cat command:
bandit0@bandit:~$ ls
readme
bandit0@bandit:~$ cat readme
boJ9jbbUNNfktd78OOpsqOltutMc3MY1
bandit0@bandit:~$
And there you go: you now have the password for the next level. Now SSH to the next level just as before:
┌─[root@machine]─[~]
└──╼ #ssh bandit1@bandit.labs.overthewire.org -p 2220
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit1@bandit.labs.overthewire.org's password:
password: boJ9jbbUNNfktd78OOpsqOltutMc3MY1
Note: if you cannot log in to bandit1 directly from the bandit0 session, first log out of bandit0 and then log in to bandit1 from your own terminal, as shown above.
Level 1 → Level 2
We're told the password is stored in a file named “-” in the current directory. If we try to open it with cat by name alone, it fails, because cat treats a bare “-” as standard input rather than a filename. So we give the full path to the file instead, as shown below:
bandit1@bandit:~$ cat /home/bandit1/-
Using this password, log in to the next level (bandit2) using the usual method:
┌─[root@machine]─[~]
└──╼ #ssh bandit2@bandit.labs.overthewire.org -p 2220
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit2@bandit.labs.overthewire.org's password:
Level 2 → Level 3
The filename for the next level's password has spaces in it. To open such a file, we can either enclose the filename in double quotes (“”), or simply use TAB completion with the cat command, as shown below:
bandit2@bandit:~$ cat "spaces in this filename"
password: UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
Level 3 → Level 4
The level says the password is in a hidden file in the directory named inhere. The thing about hidden files (names starting with a dot) is that a plain ls doesn't show them, so we have to pass the option that lists hidden files, as shown below:
bandit3@bandit:~/inhere$ ls -lha
total 12K
drwxr-xr-x 2 root root 4.0K Oct 16 2018 .
drwxr-xr-x 3 root root 4.0K Oct 16 2018 ..
-rw-r----- 1 bandit4 bandit3 33 Oct 16 2018 .hidden
bandit3@bandit:~/inhere$ cat .hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB
Log in to the next level using this password.
NOTE: to learn which options a command supports, read its manual page. That's the best way to learn how to use the proper options.
┌─[root@machine]─[~]
└──╼ #man ls
Level 4 → Level 5
We're told the password is stored in the only human-readable file in the inhere directory. At this point we can either cat each file in turn, or take the smarter route and use the file command, which reports each file's type.
NOTE: How did I know to use the file command? I didn't know about it before this either. The level page lists commands that can be used to solve the problem, and as I said earlier, we can use man to learn how each command works.
bandit4@bandit:~/inhere$ file /home/bandit4/inhere/-file0*
Level 5 → Level 6
We always keep our approach simple. Change directory to inhere and list all files. We need a file of a specific size; again, by reading the man page of each suggested command we conclude that find with its -size option is the most appropriate choice.
bandit5@bandit:~/inhere$ find . -size 1033c
./maybehere07/.file2
NOTE: here too the filename starts with a “.” (dot), so to open it we give the full path to the cat command.
Level 6 → Level 7
In this level the location of the password is quite subtle: it can be anywhere on the server. So the find command plays its role here, and we can pick the appropriate options from its man page.
bandit6@bandit:~$ find / -group bandit6 -user bandit7 -size 33c 2>/dev/null
NOTE: on 2>/dev/null: this isn't in the find man page, but we use it to redirect the error messages (for the files and directories we don't have permission to read) to /dev/null. This saves time and keeps the output readable.
Level 7 → Level 8
The password is in the file data.txt, on the line containing the word millionth. Again, by reading the man page of the grep command, we can get the password.
bandit7@bandit:~$ cat data.txt | grep millionth
Level 8 → Level 9
We're told the line containing the password occurs only once, so first we sort the file (uniq only collapses duplicates that are adjacent). Then we pass the sorted output to uniq, which prints each distinct line once; with the -c option it also prefixes each line with its number of occurrences.
bandit8@bandit:~$ sort data.txt | uniq -c
And there we have our password: the line that occurs only once.
Level 9 → Level 10
Here, in the current directory, we again see a file data.txt. If we try to see what's inside it using cat, we get characters which are not human-readable, and we have a hard time finding our password. To see only the readable strings, we use the strings command and pipe its output to grep, as we're told the password is followed by several “=” signs:
bandit9@bandit:~$ strings data.txt | grep ====
There we have our password for the next level!
Level 10 → Level 11
We're told the password is base64-encoded. We use the man page of the base64 command to see how to decode the string. It's done as follows:
bandit10@bandit:~$ cat data.txt | base64 -d
Level 11 → Level 12
We're told the password is stored in data.txt, with all upper- and lowercase letters shifted by 13 positions, and the hint says this scheme is called rot13. Knowing the text is rot13, we have to find a way to reverse it to retrieve the password. Reading the man pages of the commands suggested on the level page, we stumble upon the most appropriate one, the tr command.
NOTE: the man page of tr only gives a vague idea of how it works. No need to worry; we always have the ultimate alternative, GOOGLE. Any decent article will show how to use tr for rot13.
bandit11@bandit:~$ cat data.txt | tr '[a-z]' '[n-za-m]' | tr '[A-Z]' '[N-ZA-M]'
We used two tr stages: the first shifts the lowercase letters, the second the uppercase ones. The ranges are quoted so the shell doesn't treat [a-z] as a filename glob.
Level 12 → Level 13
We're told the password is in data.txt, which is a hexdump of a file that has been repeatedly compressed. Things are getting tougher as we progress. Again we see some new commands; reading their man pages, we conclude we first need the xxd command (to reverse the hexdump) and the various compression tools. First we create a directory in /tmp, as the level itself suggests (here /tmp/sudo). Then we reverse the hexdump data.txt into our newly created directory (test is the file where the reversed dump is stored):
bandit12@bandit:/tmp/sudo$ xxd -r /home/bandit12/data.txt > test
Now we follow these steps to get to our final destination:
1. check the file type with the file command
bandit12@bandit:/tmp/sudo$ file test
test: gzip compressed data, was "data2.bin", last modified: Tue Oct 16 12:00:23 2018, max compression, from Unix
2. We see it is gzip-compressed, so before we can unzip it we need to give it the proper extension.
bandit12@bandit:/tmp/sudo$ mv test test.gz
3. To unzip a .gz file, use the gunzip command.
bandit12@bandit:/tmp/sudo$ gunzip test.gz
4. Then we check the file type again and repeat steps 2–4 with the matching decompression tool, until we get our password.
bandit12@bandit:/tmp/sudo$ file test
test: bzip2 compressed data, block size = 900k
The following screenshot shows the sequence I went through in order to get the password.
Sequence of compression techniques: gzip > bzip2 > gzip > tar > tar > bzip2 > tar > gzip > (finally) ASCII text… the one we can read.
NOTE: you must be familiar with the different compression formats, their extensions and how to decompress each of them appropriately.
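The detect-and-unpack loop of steps 1–4 above, written out as a small Python script. This is an added example, not the author's commands or anything from the game: it starts from the raw bytes that xxd -r produced, sniffs each layer by its magic bytes (the same ones the file command reports), strips one layer at a time with a cap on nesting depth, and builds its own constructed sample wrapped in the page's gzip > bzip2 > gzip > tar > tar > bzip2 > tar > gzip order.

```python
import bz2
import gzip
import io
import tarfile


def detect(data: bytes) -> str:
    """Classify one layer by its magic bytes: 'gzip', 'bzip2', 'tar' or 'data'."""
    if data[:2] == b"\x1f\x8b":        # gzip member header
        return "gzip"
    if data[:3] == b"BZh":             # bzip2 stream header
        return "bzip2"
    if data[257:262] == b"ustar":      # tar: "ustar" magic at offset 257 of the first header
        return "tar"
    return "data"                      # nothing recognised, treat as the final payload


def unpack_once(data: bytes) -> bytes:
    """Strip exactly one layer; a tar layer must contain a single regular file."""
    kind = detect(data)
    if kind == "gzip":
        return gzip.decompress(data)
    if kind == "bzip2":
        return bz2.decompress(data)
    if kind == "tar":
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
            files = [m for m in tar.getmembers() if m.isfile()]
            if len(files) != 1:
                raise ValueError(f"expected one file inside the tar, found {len(files)}")
            return tar.extractfile(files[0]).read()
    raise ValueError("not a recognised compressed layer")


def unpack_all(data: bytes, max_layers: int = 20):
    """Repeat detect/unpack until plain data remains; returns (payload, list of layers)."""
    layers = []
    while detect(data) != "data":
        if len(layers) >= max_layers:  # cap nesting so a malicious blob cannot run us forever
            raise ValueError(f"more than {max_layers} layers, refusing to continue")
        layers.append(detect(data))
        data = unpack_once(data)
    return data, layers


def _tar_wrap(payload: bytes, name: str) -> bytes:
    """Helper for the constructed sample: put payload into a one-file tar archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def build_sample(secret: bytes = b"constructed sample, not a real password\n") -> bytes:
    """Constructed input wrapped in the page's order (innermost layer applied first)."""
    data = gzip.compress(secret)
    data = _tar_wrap(data, "data8.bin")
    data = bz2.compress(data)
    data = _tar_wrap(data, "data6.bin")
    data = _tar_wrap(data, "data5.bin")
    data = gzip.compress(data)
    data = bz2.compress(data)
    return gzip.compress(data)


if __name__ == "__main__":
    payload, layers = unpack_all(build_sample())
    print(" > ".join(layers), "> ASCII text:", payload.decode().strip())
```

To use it on the real level, read the bytes from the file xxd -r wrote and pass them to unpack_all instead of build_sample().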
Level 13 → Level 14
To get to the next level we are given an SSH key instead of a password. So first we copy the key to our local machine, then SSH using that key.
┌─[root@machine]─[~]
└──╼ #scp -P 2220 bandit13@bandit.labs.overthewire.org:/home/bandit13/sshkey.private .
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit13@bandit.labs.overthewire.org's password:
sshkey.private 100% 1679 2.7KB/s 00:00
Now we have the SSH key for the next level. One thing to heed here: to specify the port in scp, a capital “P” is used instead of the lowercase “p”.
If we try to log in with this key right away, ssh refuses because the key file has bad permissions. After a little research, I came to know that it should be readable only by its owner, with no permissions for any other user or group (chmod 600). So first we set the permissions:
┌─[root@machine]─[~]
└──╼ #chmod 600 sshkey.private
Now we log in using the key:
┌─[root@machine]─[~]
└──╼ #ssh -i sshkey.private bandit14@bandit.labs.overthewire.org -p 2220
Level 14 → Level 15
Here we have to submit the current level's password (stored in /etc/bandit_pass/bandit14) to localhost on port 30000. We do so with the nc command.
bandit14@bandit:~$ cat /etc/bandit_pass/bandit14 | nc localhost 30000
Level 15 → Level 16
It tells us to get the password by submitting the current password in encrypted form to localhost on port 30001. Since I am a noob, I didn't have any idea what to do, but then again, the man pages helped me through this too.
openssl: encryption toolkit
s_client: client program which connects to specified host using SSL/TLS(encryption).
After roaming a bit on Google and reading the man pages carefully, I finally found how to use this pair to get the password.
bandit15@bandit:~$ openssl s_client -connect localhost:30001
Then, once the connection is established, type the password of the current level and press Enter.
Level 16 → Level 17
We're told that submitting the current password to a single port in the range 31000–32000 will give us the credentials for the next level, and that only one of the listening ports in that range speaks SSL. First we checked the open ports using nmap.
bandit16@bandit:~$ nmap -p- localhost
We got two ports in this range, i.e. 31518 and 31790. Now we try connecting over SSL to each of them.
bandit16@bandit:~$ openssl s_client -connect localhost:31518
On trying SSL on port 31518, we get no output whatever we type, so this option is eliminated and we have only one port left, i.e. 31790, which is likely to give us the credentials.
Supplying the current password over SSL on this port:
bandit16@bandit:~$ cat /etc/bandit_pass/bandit16 | openssl s_client -connect localhost:31790 -ign_eof > /tmp/ans
NOTE: -ign_eof must be used to stop s_client from closing the connection as soon as the piped input ends, and it must come after the port number. Guess what! This also came from the man page of s_client.
We see that it gives us an SSH key for the next level. So again we do the same thing as in level 13: copy the key to the local machine, fix its permissions, and use it to SSH into the next level.
Level 17 → Level 18
This level is pretty easy. It just intends to teach us a new command, diff. It says the password is in the file passwords.new and is the only line that differs from passwords.old. We just have to see the difference between the contents of the two files:
bandit17@bandit:~$ diff passwords.old passwords.new
We have our password: the one starting with k, as that was the line from passwords.new.
Level 18 → Level 19
We're told the .bashrc file has been modified so that it logs us out as soon as we log in with the correct password. Looks like we have to supply the command to be executed along with the SSH login. After reading a bit of the ssh man page, I found that we simply append the command to run to the ssh command line, as follows:
ssh -p 2220 bandit18@bandit.labs.overthewire.org cat readme
Level 19 → Level 20
Here we have a setuid binary.
The thing about setuid is that the binary runs as the owner of the file, no matter which user executes it. How to use them:
bandit19@bandit:~$ ./bandit20-do
(i.e ./full_path_to_the_binary_file)
It tells us to supply a command as an argument.
After completing so many levels, we now know that passwords are stored in the /etc/bandit_pass/ directory.
So in order to get the password we execute the binary as follows:
bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
And there we have the password for the next level.
Level 20 → Level 21
This level is quite interesting, as it teaches new commands like tmux and screen. It also makes us aware of different ways to use nc. First, we split the screen in two parts with tmux:
bandit20@bandit:~$ tmux
Then, to split the screen, press Ctrl+b followed by %.
We have a binary which connects to the port given as its argument and returns the password for the next level if the correct current password is supplied from the other side.
bandit20@bandit:~$ ./suconnect
Usage: ./suconnect <portnumber>
This program will connect to the given port on localhost using TCP. If it receives the correct password from the other side, the next password is transmitted back.
Looks like we know what we have to do: in the left pane we start an nc listener on a port of our choice and feed it the password of the current level (bandit20), and in the right pane we run the binary against that port so it can check whether the supplied password is correct. We can get the current password from the file /etc/bandit_pass/bandit20.
Starting the listener with nc on port 6969:
bandit20@bandit:~$ nc -lp 6969
Level 21 → Level 22
If you are not familiar with cron jobs, I suggest you read a little of the man pages of cron and crontab. The system cron jobs are stored in the directory /etc/cron.d/. First, have a look at what the job is doing.
bandit21@bandit:~$ cat /etc/cron.d/cronjob_bandit22
It tells us it runs the bash script /usr/bin/cronjob_bandit22.sh. To know what the script does, we open it using cat.
bandit21@bandit:~$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
It clearly tells us where our password is stored. Opening that file shows the password.
Level 22 → Level 23
Even though it's all based on a bash script, it's not that tough to get. You need a basic understanding of what's written in the script. Again, we check the cron job and open the script as before.
Let's see what happens in the script:
- a variable myname contains the current username, i.e. bandit23 (as /etc/cron.d/cronjob_bandit23 says the job runs as user bandit23)
- the next variable, mytarget, contains the md5sum of the string “I am user bandit23”
- in the final step, the password of bandit23, which is stored in /etc/bandit_pass/bandit23, is written to the file /tmp/<that md5sum>
Now, we can't run the script ourselves as we don't own it, but we can follow the above steps manually in order to get to the password we need. It's shown as follows:
There you have your password for the next level!!
Level 23 → Level 24
Again we first checked the cron job in /etc/cron.d/cronjob_bandit24 and then opened the script it runs, i.e. /usr/bin/cronjob_bandit24.sh. We get something like this:
We can conclude two things:
- there is directory /var/spool/bandit24
- all the scripts in that directory are getting executed and then instantly getting deleted.
Well, this makes our work a bit easier. No need to write a new script. Instead, we can just put the script from the previous level in that directory; it will eventually get executed and we will retrieve the password just like we did in the previous level.
We did nothing new: just copied the script, placed it correctly and repeated the steps from the previous level. And thus we have the password for the next level.
Smart!! Ain't it?
Level 24 → Level 25
Here we have two options: either we try all 10000 combinations manually one by one, or we take the smarter route and write a script that prints those combinations in the required format. No need to worry much; it just needs a for loop to generate the numbers. The script looks as follows:
We're told a daemon is listening on port 30002, so we have to connect to localhost on that port and, for each pincode, send the bandit24 password together with that pincode to nc in order to get the password.
bandit24@bandit:~$ bash /tmp/script.sh | nc localhost 30002
NOTE: you have to put in some effort to learn bash if you don't know any programming language yet. It will be a little tough, but not impossible.
Level 25 → Level 26 (and then Level 27, as they are connected)
First lets see what we have in our home directory:
bandit25@bandit:~$ ls
bandit26.sshkey
Maybe that's what they meant by easy. We have the SSH key for the next level. Let's try to log in using it:
We see that we get kicked out as soon as we log in to bandit26. OK! I agree, it's getting tricky now!
We're told the shell for bandit26 is not /bin/bash, so the first thing we should do is check which shell bandit26 has. It's given in the /etc/passwd file:
bandit25@bandit:~$ cat /etc/passwd | grep bandit26
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
The shell for bandit26 is /usr/bin/showtext. That's not usual, so let's have a look at it.
As the file shows, it opens the file ~/text.txt (most probably in bandit26's home directory) using the more command, and then exits. Honestly, even I couldn't figure this out myself, so I went to… guesses?!! GOOGLE! So hats off to the creators and to those who managed to solve it on their own. It was really a creative piece of work.
To avoid getting kicked out, shrink your terminal window so that the file doesn't fit on the screen: more then stops and waits for input, and that's it, this is the shell for bandit26!
Now we are controlling the shell from more. Press “v” to open vim. In vim, we give commands after “:”. So the first thing we do is set the correct shell for bandit26, i.e. /bin/bash:
:set shell=/bin/bash
Now, call the shell the same way: type shell after “:”, i.e. :shell.
NOTE: after setting and calling the shell, you can maximize the terminal again if you want, as you are now in bash rather than more, so it is no longer going to kick you out.
Now we see we have a setuid binary here. We run it and it prints its usage.
Just like in Level 19, pass the command you want to execute as an argument to this binary and it will run with bandit27's privileges. Obviously, the first thing we do is read bandit27's password:
bandit26@bandit:~$ ./bandit27-do cat /etc/bandit_pass/bandit27
3ba3118a22e93127a4ed485be72ef5ea
And thus we have our password for the next level!!!
Level 27 → Level 28
Here comes git. We do as suggested: clone the given git repository and proceed further.
NOTE: we don't have permission to create a directory in our home directory, so we created the directory /tmp/kali1 and cloned the git repo there.
We see that we have only one file, “README”; we open it and there we have the password for the next level.
Level 28 → Level 29
First we did the same thing: made a directory /tmp/kali2, cloned the repository there and checked the README.md file. We see something like the following:
By looking at this, we can conclude that changes have been made to the file. So we check the history with git log.
NOTE: every commit gets a hash to identify it uniquely and to let us see what changes it made.
Looking at the commit messages, we went with the first option, git show “hash”:
And we got it!
Level 29 → Level 30
Same steps: making a directory and cloning the git repository.
The README says no passwords in production. We even checked the logs, but nothing interesting came out. So we check the other branches.
bandit29@bandit:/tmp/kali3/repo$ git show-branch --all
We have some branches which are remote. So we look at the branches available on the remote and then switch to them.
bandit29@bandit:/tmp/kali3/repo$ git remote
origin
bandit29@bandit:/tmp/kali3/repo$ git remote show origin
Could not create directory '/home/bandit29/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit29/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit29-git@localhost's password:
* remote origin
Fetch URL: ssh://bandit29-git@localhost/home/bandit29-git/repo
Push URL: ssh://bandit29-git@localhost/home/bandit29-git/repo
HEAD branch: master
Remote branches:
dev tracked
master tracked
sploits-dev tracked
Local branch configured for 'git pull':
master merges with remote master
Local ref configured for 'git push':
master pushes to master (up to date)
Now we check out the dev branch, and we see that we are on a branch tracking the remote one:
Here we see the logs, and then check each commit by its hash to see what change it made:
And we see our gateway to the next level!
Level 30 → Level 31
After cloning the repo into /tmp/kali4, I checked the file, and this came out:
bandit30@bandit:/tmp/kali4/repo$ ls
README.md
bandit30@bandit:/tmp/kali4/repo$ cat README.md
just an epmty file... muahaha
So I checked the other branches and the logs of the current branch (like we did in the previous two levels), but nothing interesting came out.
Now at this point I had no idea what to do, so I went on to see what's what in the .git directory, reading about the different subdirectories while traversing through them. Then I stumbled upon a file called packed-refs. It contained a hash for refs/tags/secret, which looked interesting.
So I checked that particular hash and I got the password!
bandit30@bandit:/tmp/kali4/repo/.git$ git show f17132340e8ee6c159e0a4a6bc6f80e1da3b1aea
47e603bb428404d265f59c42920d81e5
NOTE: this was a noob's approach to solving it. Here is the link to a more informative source, where you can get an idea of how to solve it smartly.
Level 31 → Level 32
After cloning into the directory /tmp/kali5, I did a long listing of the files in that directory. I found these:
Then I read README.md:
bandit31@bandit:/tmp/kali5/repo$ cat README.md
This time your task is to push a file to the remote repository.Details:
File name: key.txt
Content: 'May I come in?'
Branch: master
Okay, so they are telling us to push a file with the given name and content. Also, while long listing the files, we saw a file named .gitignore. After reading about it on Google, I found that the .gitignore file specifies intentionally untracked files that git should ignore, and our key.txt would match it. So we remove the .gitignore file first and then add, commit and push the file to the repository.
bandit31@bandit:/tmp/kali5/repo$ rm .gitignore
bandit31@bandit:/tmp/kali5/repo$ ls -lah
total 16K
drwxr-sr-x 3 bandit31 root 4.0K Jan 16 20:34 .
drwxr-sr-x 3 bandit31 root 4.0K Jan 16 20:27 ..
drwxr-sr-x 8 bandit31 root 4.0K Jan 16 20:27 .git
-rw-r--r-- 1 bandit31 root 147 Jan 16 20:27 README.md
Now we come to pushing the file. First we git add it, then we commit, and finally we push.
Oh yeah! We get the password.
Level 32 → Level 33
As soon as we log in to level 32, we are dropped into an UPPERCASE SHELL. We see that everything we type is converted to uppercase letters.
So we can try to invoke a command that doesn't involve letters. Let's try to invoke bash by typing $0: in a shell, $0 holds the name of the running shell, and since a dollar sign and a digit have no uppercase form, the command passes through untouched.
>> $0
$
Then we call /bin/bash to get a proper bash shell for our user, bandit33.
$ /bin/bash
bandit33@bandit:~$
Now, the final step: read the password file.
Hell yeah!! We just completed the saga. You can now take a sigh of relief. You know what's even more satisfying?! Seeing the following screen.
NOTE: here we learned how, even as a noob (no disrespect), we can learn new commands by reading their man pages and through GOOGLE, of course. I showed my ways of solving the levels; there may be other, better alternatives too.
This is my maiden blog! Thank you for your valuable time!