OverTheWire Bandit - Solutions

Server Information

Host	ssh://bandit.labs.overthewire.org
Port	2220

---

Level 0

(127.0.0.1) ssh bandit0@bandit.labs.overthewire.org -p 2220

🏴‍☠️ bandit0

---

Level 0 ⇨ 1

cat readme

🏴‍☠️ boJ9jbbUNNfktd78OOpsqOltutMc3MY1

---

Level 1 ⇨ 2

cat ./-

🏴‍☠️ CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

---

Level 2 ⇨ 3

cat "spaces in this filename"

🏴‍☠️ UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

---

Level 3 ⇨ 4

cat inhere/.hidden

🏴‍☠️ pIwrPrtPN36QITSp3EQaw936yaFoFgAB

---

Level 4 ⇨ 5

file ./inhere/*
cat ./inhere/-file07

🏴‍☠️ koReBOKuIDDepwhWk7jZC0RTdopnAYKh

---

Level 5 ⇨ 6

find inhere/ -type f -readable ! -executable -size 1033c
cat inhere/maybehere07/.file2

🏴‍☠️ DXjZPULLxYr17uwoI01bNLQbtFemEgo7

---

Level 6 ⇨ 7

find / -type f -user bandit7 -group bandit6 -size 33c 2>/dev/null
cat /var/lib/dpkg/info/bandit7.password

🏴‍☠️ HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

---

Level 7 ⇨ 8

cat data.txt | grep millionth

🏴‍☠️ cvX2JJa4CFALtqS87jk27qwqGhBM9plV

---

Level 8 ⇨ 9

cat data.txt | sort | uniq -c | grep -v 10

🏴‍☠️ UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

---

Level 9 ⇨ 10

strings data.txt | grep -e [=]

🏴‍☠️ truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk

---

Level 10 ⇨ 11

base64 -d data.txt

🏴‍☠️ IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

---

Level 11 ⇨ 12

cat data.txt | tr [A-Za-z] [N-ZA-Mn-za-m]

🏴‍☠️ 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

---

Level 12 ⇨ 13

mkdir /tmp/yourname123
cp ~/data.txt .
xxd -r data.txt > data.gz
gzip -d data.gz && mv data data.bz2
bzip2 -d data.bz2 && mv data data.gz
gzip -d data.gz
tar -xf data
tar -xf data5.bin && mv data6.bin data.bz2
bzip2 -d data.bz2
tar -xf data && mv data8.bin data.gz
gzip -d data.gz
cat data

🏴‍☠️ 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

---

Level 13 ⇨ 14

(127.0.0.1) scp -P2220 bandit13@bandit.labs.overthewire.org:~/sshkey.private .
(127.0.0.1) chmod 400 sshkey.private
(127.0.0.1) ssh bandit14@bandit.labs.overthewire.org -p 2220 -i sshkey.private
cat /etc/bandit_pass/bandit14

🏴‍☠️ 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

---

Level 14 ⇨ 15

echo 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e | nc localhost 30000

🏴‍☠️ BfMYroe26WYalil77FoDi9qh59eK5xNr

---

Level 15 ⇨ 16

echo BfMYroe26WYalil77FoDi9qh59eK5xNr | openssl s_client -connect 127.0.0.1:30001 -quiet

🏴‍☠️ cluFn7wTiGryunymYOu4RcffSxQluehd

---

Level 16 ⇨ 17

nmap -sV --script ssl* localhost -p31000-32000
echo cluFn7wTiGryunymYOu4RcffSxQluehd | openssl s_client -connect 127.0.0.1:31790 -quiet

🏴‍☠️ SSH Private Key

---

Level 17 ⇨ 18

(127.0.0.1) chmod 400 sshkey.private
(127.0.0.1) ssh bandit17@bandit.labs.overthewire.org -p 2220 -i sshkey.private
diff passwords.old passwords.new

🏴‍☠️ kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd

---

Level 18 ⇨ 19

(127.0.0.1) ssh bandit18@bandit.labs.overthewire.org -p 2220 ls -l
(127.0.0.1) ssh bandit18@bandit.labs.overthewire.org -p 2220 cat readme

🏴‍☠️ IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

---

Level 19 ⇨ 20

./bandit20-do cat /etc/bandit_pass/bandit20

🏴‍☠️ GbKksEFF4yrVs6il55v6gwY5aVje5f0j

---

Level 20 ⇨ 21

nmap localhost
(session-1) echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | nc -lp 2021
(session-2) ./suconnect 2021

🏴‍☠️ gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr

---

Level 21 ⇨ 22

cat /etc/cron.d/cronjob_bandit22
bash /usr/bin/cronjob_bandit22.sh
cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

🏴‍☠️ Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

---

Level 22 ⇨ 23

cat /etc/cron.d/cronjob_bandit23
cat /usr/bin/cronjob_bandit23.sh
echo I am user bandit23 | md5sum | cut -d' ' -f1
cat /tmp/8ca319486bfbbc3663ea0fbe81326349

🏴‍☠️ jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n

---

Level 23 ⇨ 24

cat /etc/cron.d/cronjob_bandit24
cat /usr/bin/cronjob_bandit24.sh
mkdir /tmp/yourname123
chmod 777 /tmp/yourname123
cd /tmp/yourname123
touch script password
chmod 777 *
echo "#!/usr/bin/env bash \n cat /etc/bandit_pass/bandit24 > /tmp/yourname123/password" > script
cp script /var/spool/bandit24/
cat password

🏴‍☠️ UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

---

Level 24 ⇨ 25

mkdir /tmp/yourname123
cd /tmp/yourname123
echo "#!/usr/bin/env bash
for i in 0 1 2 3 4 5 6 7 8 9; do
  for j in 0 1 2 3 4 5 6 7 8 9; do
    for k in 0 1 2 3 4 5 6 7 8 9; do
      for l in 0 1 2 3 4 5 6 7 8 9; do
        echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i$j$k$l" >> keys
      done
    done
  done
done" > script
bash script
cat keys | nc localhost 30002

🏴‍☠️ uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

---

Level 25 ⇨ 26

(127.0.0.1) scp -P 2220 bandit25@bandit.labs.overthewire.org:~/bandit26.sshkey .

🏴‍☠️ SSH Private Key

---

Level 26 ⇨ 27

(127.0.0.1) ssh bandit25@bandit.labs.overthewire.org -p 2220 bandit26.sshkey
(minimize the terminal and press `v`)
:set shell=/bin/bash
:!shell
./bandit27-do cat /etc/bandit_pass/bandit27

🏴‍☠️ 3ba3118a22e93127a4ed485be72ef5ea

---

Level 27 ⇨ 28

cd /tmp/yourname
git clone ssh://bandit27-git@localhost/home/bandit27-git/repo
cat repo/README

🏴‍☠️ 0ef186ac70e04ea33b4c1853d2526fa2

---

Level 28 ⇨ 29

cd /tmp/yourname
git clone ssh://bandit28-git@localhost/home/bandit28-git/repo
cd repo
git checkout c086
cat README.md

🏴‍☠️ bbc96594b4e001778eee9975372716b2

---

Level 29 ⇨ 30

cd /tmp/yourname
git clone ssh://bandit29-git@localhost/home/bandit29-git/repo
cd repo
git fetch origin dev:dev
git checkout dev
cat README.md

🏴‍☠️ 5b90576bedb2cc04c86a9e924ce42faf

---

Level 30 ⇨ 31

cd /tmp/yourname
git clone ssh://bandit30-git@localhost/home/bandit30-git/repo
cd repo
git tag
git show secret

🏴‍☠️ 47e603bb428404d265f59c42920d81e5

---

Level 31 ⇨ 32

cd /tmp/yourname
git clone ssh://bandit31-git@localhost/home/bandit31-git/repo
cd repo
echo "May I come in?" > key.txt
rm .gitignore
git add .
git commit -m "request for Level 32 password"
git push origin master

🏴‍☠️ 56a9bf19c63d650ce78e6ec0354ee45e

---

Level 32 ⇨ 33

$0
/bin/bash
cat /etc/bandit_pass/bandit33

🏴‍☠️ c9c3199ddf4121b10cf581a98d51caee