OverTheWire —Ultimate Bandit Walkthrough
Today, we will play a war-game called Bandit. It has a collection of 34 levels. OverTheWire Organization hosts this war-game. Absolute Beginners are the target audience. It teaches the basics of most Linux commands in a fun and challenging way. To play this war-game, go to the Bandit website by clicking here.
Level 0
This is a pretty simple level. It teaches us to connect to a host using SSH. This is going to teach players the usage of SSH command.
We got the required information from reading the instruction page.
Host: bandit.labs.overthewire.org
Port: 2220
Username: bandit0
Password: bandit0
We used the above information to login using ssh as shown in the given image.
ssh bandit0@bandit.labs.overthewire.org -p 2220This level doesn’t require anything else other than logging in. Time to move in on the next level.
Level 0–1
Now, from the bandit0 shell, we need to find the password for logging as the next user. To find that password, we are going to list files in the directory. Our target is to find a file named readme. After finding that file, we need to read the password stored inside that file.
We use the ls command to list the files in the current directory. We found the readme file. Now to read the password we will use the cat command. After that, we are going to use the password to login into next level using SSH
ls -la
cat readme
ssh bandit1@localhostLevel 1–2
We are informed that the password for the next level is stored inside a file named -(hyphen). So, to find it we use the ls command. Now comes the part where we have to read the file. As the file is named -(hyphen) we won’t be able to read it simply by cat command. As cat command considers -(hyphen) as stdin/Stout. If we directly use cat command, it won’t be able to understand that hyphen is a file name. So, we will prefix the command with the path ./, This will help us to read the password stored as shown in the given figure. Since we found the password for the user bandit2. We will use it to get an SSH connection as bandit2.
ls
cat ./-
ssh bandit2@localhostLevel 2–3
We are informed that the password for the next level is stored inside a file named spaces in this filename. So, to find it we use the ls command. Now comes the part where we have to read the file. As the file is named spaces in this filename, we won’t be able to read it simply by cat command. As cat command reads files name only until space as it considers space as null ‘/0’. If we directly use cat command, it won’t be able to find the file. So, we will write the name of the file in quotes, this will help us to read the password stored as shown in the given figure. Since we found the password for the user bandit3. We will use it to get an SSH connection as bandit3.
ls
cat 'spaces in this filename'
ssh bandit3@localhostLevel 3–4
We are informed that the password for the next level is stored inside a directory named inhere. So, to find it we use the ls command. Now, after traversing inside inhere directory we run ls command again. Now it might be the case that the file is hidden. So, we run ls command with -al parameter. It lists all files including the hidden one. And we found the .hidden file. In Linux, the file with a dot(.) in front of the name of the file makes it hidden. Now we would simply use the cat command to read the password stored in the file. Since we found the password for the user bandit4. We will use it to get an SSH connection as bandit4.
ls
cd inhere/
ls
ls -al
cat .hidden
ssh bandit4@localhostLevel 4–5
We are informed that the password for the next level is stored inside a human-readable file. So, to find it we use the ls command. Now, after traversing inside inhere directory we run ls command again. This gives us a bunch of files as shown in the image. We will use the file command to get the information about the files. From files command, we now know that the file07 contains ASCII text. It is mostly readable text. So, let’s read it using cat command. This gives us the password for the next level. We will use it to get an SSH connection as bandit5.
ls -la
cd inhere/
ls
file ./*
cat ./-file07
ssh bandit5@localhostLevel 5–6
We are informed that the password for the next level is stored inside a directory named inhere. So, to find it we use the ls command. Now, after traversing inside inhere directory we run ls command again. This gives us a bunch of files as shown in the image. We will use the file size to find the file. Find command has the parameter of size in which we have to use ‘c’ for depicting size in bytes. From find command, we now know that the file2 contains the password. So, let’s read it using cat command. This gives us the password for the next level. We will use it to get an SSH connection as bandit6.
ls
cd inhere/
ls
find . -size 1033c
cat ./maybehere07/.file2
ssh bandit6@localhostLevel 6–7
We are informed that the password for the next level is stored somewhere on the server. So, finding the file over the server would be a lot trickier if we are using ls. So, we will try to widen our scope of search using the find command. We are hinted that the user of the file is bandit7 and it is a part of group bandit 6. We will add this information as parameters in the find command. We are given the size too. Let’s add that too. Now as we can see in the given image, we successfully located the password file hidden over the server.
find / -user bandit7 -group bandit6 -size 33ccat /var/lib/dpkg/info/bandit7.password
ssh bandit7@localhostFrom find command, we now know that the bandit7.password contains the credentials. So, let’s read it using cat command. This gives us the password for the next level. We will use it to get an SSH connection as bandit7.
Level 7–8
We are informed that the password for the next level is stored inside a file named data.txt. So, to find it we use the ls command. Now we are hinted that the password is written next to the word millionth in the data.txt file. This means if we find the millionth word, we find the password. We are going to use the grep command for finding millionth. Here we using the (|) Unix pipe. The Pipe connects the standard output from the first command and feeds it as standard input to the second command. In our case, first cat command reads the file and then the data inside the file is sent to grep command to work on. This gives us the password for the next level. We will use it to get an SSH connection as bandit8.
ls
cat data.txt | grep millionth
ssh bandit8@localhostLevel 8–9
We are informed that the password for the next level is stored inside a file named data.txt. It is hinted that the password is the only line of text that occurs only once. Here we are going to use sort command to sort the text inside the data.txt file. But still, the file contains a lot of repeating statements so we will use the uniq command to print the not repeating statement. We are using multiple pipes here to get a filtered result. This gives us the password for the next level. We will use it to get an SSH connection as bandit9.
cat data.txt | sort | uniq -u
ssh bandit9@localhostLevel 9–10
We are informed that the password for the next level is stored inside a file named data.txt. We are hinted that the password is followed by several ‘=’ characters. Now if we are to use the cat command our screen would be filled with unreadable mesh. So, to get a more refined approach we are going to use strings command which prints character sequences that are at least 4 characters long. And to get to the exact location of the password, we are going to use grep. This gives us the password for the next level. We will use it to get an SSH connection as bandit10.
ls
strings data.txt | grep =
ssh bandit10@localhostLevel 10–11
We are informed that the password for the next level is stored inside a file named data.txt. So, to find it we use the ls command. Now, we are hinted that the password is encrypted in Base64. Now we can either read the file with cat command and decode the Base64 manually but we have a command in Linux that can do the heavy lifting for us. So, we use piping to use cat command and base64 command with d parameter to read and decode the text simultaneously. This gives us the password for the next level. We will use it to get an SSH connection as bandit11.
ls
cat data.txt | base64 --decode
ssh bandit11@localhostLevel 11–12
We are informed that the password for the next level is stored inside a file named data.txt. So, to find it we use the ls command. Now, we are hinted that the file containing the password has changed the format of letters in such a way that all the lowercase and uppercase letters have been rotated by 13 positions. If we can remember right that exactly what happens in ROT13 encryption. Now, to convert the text, we can use the ‘tr’ command. This command translates characters depending on the parameters provided. We used n-z and a-m because tr won’t continue to translate after the Z. This gives us the password for the next level. We will use it to get an SSH connection as bandit12.
ls
cat data.txt | tr a-zA-Z n-za-mN-ZA-M
ssh bandit12@localhostLevel 12–13
We are informed that the password for the next level is stored inside a directory named inhere. So, to find it we use the ls command. We are hinted that the file containing the password is in the form of a hex dump. Just out of curiosity, let’s read the file using the cat command. As we can see in the given image that the password is not at all readable. We are also told that the password file has been repeatedly compressed. Now to decompress we are going to need a directory with read and write permissions. The tmp directory in root contains the required permissions.
ls
cat data.txtSo, let’s create a directory inside the tmp directory. Here we named it pavan. Now for further operations let’s copy the file in the directory we just created. Now let’s traverse to our directory using the cd command. Now we check if we have our file in this directory. Now to understand the type of file we are going to use the file command it returns us the type of file. On running the command, we are informed that the file is ASCII text. But as we saw earlier that it is not readable. The xxd command is used in Linux to make the hexdump of a file. It is also used to reverse this process. Let’s use it to retrieve the original file. We are going to use the ‘r’ parameter to revert the process and provide it with a filename where it should store its output. Here we will name it data1
Now it’s time to check the retrieved file, we use the file command again. This tells us that it is a gzip compressed file.
Now decompress first, we need to rename the file and provide it with a proper gzip extension. We are going to use the move command for this. We renamed the file as data2.gz. Now using the gzip command and -d parameter, we decompress the file.
mkdir /tmp/pavan
cp data.txt /tmp/pavan
cd /tmp/pavan
ls
file data.txt
xxd -r data.txt data1
file data1
mv data1 data2.gz
gzip -d data2.gzNow it’s time to check the retrieved file, we use the file command again. This tells us that it is a bzip2 compressed file.
Now to decompress first, we need to rename the file and provide it with a proper bzip2 extension. We are going to use the move command for this. We renamed the file as data3.bz2. Now using the bzip2 command and -d parameter, we decompress the file.
Now it’s time to check the retrieved file, we use the file command again. This tells us that it is a gzip compressed file.
Now decompress first, we need to rename the file and provide it with a proper gzip extension. We are going to use the move command for this. We renamed the file as data4.gz. Now using the gzip command and -d parameter, we decompress the file.
Now it’s time to check the retrieved file, we use the file command again. This tells us that it is a tar archive file.
Now to extract we will use the tar command with xvf parameters. This gives us a file named data5.bin
file data2
mv data2 data3.bz2
bzip2 -d data3.bz2
file data3
mv data3 data4.gz
gzip -d data4.gz
file data4
tar -xvf data4Now it’s time to check the retrieved file, we use the file command again. This tells us that it is a tar archive file. Now to extract we will use the tar command with xvf parameters. This gives us a file named data6.bin
Now it’s time to check the retrieved file, we use the file command again. This tells us that it is a bzip2 compressed file.
Now decompress first, we need to rename the file and provide it with a proper bzip2 extension. We are going to use the move command for this. We renamed the file as data7.bz2. Now using the bzip2 command and -d parameter, we decompress the file.
Now it’s time to check the retrieved file, we use the file command again. This tells us that it is a tar archive file. Now to extract we will use the tar command with xvf parameters. This gives us a file named data8.bin
file data5.bin
tar -xvf data5.bin
file data6.bin
mv data6.bin data7.bz2
bzip2 -d data7.bz2
file data7
tar -xvf data7Now it’s time to check the retrieved file, we use the file command again. This tells us that it is a gzip compressed file.
Now decompress first, we need to rename the file and provide it with a proper gzip extension. We are going to use the move command for this. We renamed the file as data9.gz. Now using the gzip command and -d parameter, we decompress the file.
Now to understand the type of file we are going to use the file command it returns us the type of file. On running the command, we are informed that the file is ASCII text. This might be a readable file. We use the cat command to read the file. This gives us the password for the next level. We will use it to get an SSH connection as bandit13.
file data8.bin
mv data8.bin data9.gz
gzip -d data9.gz
file data9
cat data9
ssh bandit13@localhostLevel 13–14
We are informed that we are not going to get a password for the next level. Instead, we are given an ssh private key. So, to get to the next level we are going to use that ssh private key. Firstly, let’s find that private key using the ls command. We found the private key. Now we will use it to get an SSH connection as bandit14.
ls
ssh bandit14@localhost -i sshkey.privateLevel 14–15
In the previous one, we got the password for level 14 and have successfully connected as user bandit14. We are informed that the password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost. First, we retrieve the password for the current level. We used the cat command to print the password as shown in the given image. To connect to port 30000, we are using telnet. After connecting we enter the current password it is checked and upon matching the password for the next level is printed on the screen. We will use this password to get an SSH connection as bandit15
cat /etc/bandit_pass/bandit14
telnet localhost 30000
ssh bandit15@localhostLevel 15–16
On this level, we are informed that the password for the next level is retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption. We use the openssl command with parameters like s_client that implements that we are the connecting as the client using the hostname localhost at port 30001. We use -ign_eof to inhibit shutting the connection when the end of file is reached in the input.
openssl s_client -connect localhost:30001 -ign_eofAfter establishing the connection, we provide it with the password for the bandit15. It is verified and after verification, the password for the next level is provided. We will use this password to get an SSH connection as bandit16.
ssh bandit16@localhostLevel 16–17
Initially, we are informed that the credentials for the next level can be retrieved by connecting to a port within the range of 31000 to 32000 and submitting the password of bandit16. We use Nmap to scan the ports to get the exact port from the range. As we can see in the output of the Nmap scan that on port 31790 there is a message that hints that we need to enter the password on that port.
nmap -A localhost -p 31000-32000Now we will connect to this port using openssl as localhost.
openssl s_client -connect localhost:31790After connecting to the port, we will have to enter the password of bandit16. This password goes under verification. Upon a successful match, we are provided with an RSA key.
Now to use this RSA key, we need to create a private key. But we can’t do this inside the home directory as we lack necessary permissions. So, we create a directory in /tmp directory using mkdir command. On traversing to that newly created directory, we will create a private key. We can name it anything we want. Here we are using the nano editor to create the private key.
mkdir /tmp/pavan_ssh
cd /tmp/pavan_ssh
nano pavan.privateAfter running the nano command, we will be prompted to press the Enter key to continue. On doing that the private key will be opened to edit using nano. Now we will paste the RSA key we found earlier. Now to exit we will press Ctrl and x keys simultaneously. There would be a prompt asking us to save the updates. We will press ‘y’ followed by this, nano will ask us if we want to rename the file. After this, we would have successfully created a private key using the RSA we were provided before.
SSH won’t allow any private key with such open permissions. So, we will have to change the permissions. We will use the chmod command to apply the permissions equivalent to 600. This means that only the owner can read and write the file. We will use this private key to get an SSH connection as bandit17.
chmod 600 pavan.private
ssh bandit17@localhost -i pavan.privateLevel 17–18
Upon logging in as bandit17, we run the ls command to look for any files. We see that we have two files, password.new and password.old. Now we have informed that password for the next level the only line that has been changed between both files. We will use the diff command to find that password. And the diff command gives us the required password. We will use this password to get an SSH connection as bandit18.
ls
diff passwords.old passwords.new
ssh bandit18@localhostNow on providing with the correct password our connection was closed. This is because the authors of this level have modified the .bashrc file to log us out of ssh. We will use the -t parameter to disable the pseudo -tty allocation. As this is making our session vulnerable to get closed. Let’s connect ssh again as shown in the given image.
ssh -T bandit18@localhostThis time we got a shell, it may be not visible but it is there. We can run commands here. First, let’s try the ls command. This gives us the readme file. Upon reading that file, we get what seems like credentials for the next level. We will use this password to get an SSH connection as bandit19.
ls
cat readme
ssh bandit19@localhostLevel 19–20
After successfully getting the ssh to user bandit19, we start with ls command to see what we got this time. We have a file that seems like a script. We tried to run to see the working of the script. We are shown that the script runs a command as another user. Now we were informed that the password is stored at /etc/bandit_pass/. So, we run the script with the cat command to read the password for the next level. We will use this password to get an SSH connection as bandit20.
ls
./bandit20-do
./bandit20-do cat /etc/bandit_pass/bandit20
ssh bandit20@localhostLevel 20–21
We are informed that there is a setuid binary in this level whose job is to make a connection to localhost on a port and read the password used to login as bandit20 and then send the password for the next level. First, let’s see the files we have using the command ls. We have a script suconnect. On running this command without any parameters, we see that it requires a port to connect to. Now here is the part where it gets tricky. The image given below is one instance of the shell. We will execute to the point where we run suconnect without parameters and create other instance of the same shell. Run a netcat listener over another instance on the same port we are planning to suconnect. But we need to start listener before running the suconnect. On running the suconnect. Netcat will grab a session. Now we enter the password that we used to login as user bandit20. As we can see that the password, we entered is read by the suconnect and when the password is verified. Password for the next level is sent to the listener.
ls
./suconnect
./suconnect 4444Image shown below is the execution of the first instance.
nc -lvp 4444Image shown below is the execution of the second instance.
Now that we have the password for the next level, we move back to our first instance and used the password to login as user bandit21 using SSH.
ssh bandit21@localhostLevel 21–22
In the previous one, we got the password for level 21 and have successfully connected as user bandit21. We are informed that there is a cron script running and we need to enumerate /etc/cron.d/ for the password. So, we traversed to that path. We use ls command to show the list of files inside the directory. As the next level is bandit22 so we read the cronjob_bandit22 using cat command. It shows that there is a script at /usr/bin/cronjob_bandit22.sh. So, we read that script to find that it writes the password for the next user inside a file that is located inside the tmp directory. On reading that file we got the password we required to get on to the next level.
cd /etc/cron.d/
ls
cat cronjob_bandit22
cat /usr/bin/cronjob_bandit22.sh
cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgvNow that we have the password for the next level, we will login as bandit22 using SSH.
ssh bandit22@localhostLevel 22–23
On this level, we are informed that there is a cron script running and we need to enumerate /etc/cron.d/ for the password. So, we traversed to that path. We use ls command to show the list of files inside the directory. As the next level is bandit23 so we read the cronjob_bandit23 using cat command. It shows that there is a script at /usr/bin/cronjob_bandit23.sh. So, we read that script using cat command. This script has a variable called myname which is the output of the command whoami. Which basically return bandit22. Next, the operation is done on this variable. It prints “I am user bandit22” and it is encrypted in MD5. This hash is used to name the file which has the password for the next level. Now to get the password for the bandit23 user, we run the command with the value for the variable myname set to bandit23. This will give us the hash value which further gives the name of the file in the tmp directory.
cd /etc/cron.d/
ls
cat cronjob_bandit23
cat /usr/bin/cronjob_bandit23.sh
/usr/bin/cronjob_bandit23.sh
echo I am user bandit23 | md5sum | cut -d ' ' -f 1
cat /tmp/8ca319486bfbbc3663ea0fbe81326349Now that we have the password for the next level, we will login as bandit23 using SSH.
ssh bandit23@localhostLevel 23–24
On this level, we are informed that there is a cron script running and we need to enumerate /etc/cron.d/ for the password. So, we traversed to that path. We use ls command to show the list of files inside the directory. As the next level is bandit24 so we read the cronjob_bandit24 using cat command. It shows that there is a script at /usr/bin/cronjob_bandit24.sh. So, we read that script using cat command. We see that we have a script with a variable named myname which consists of the output of the whoami command. The script first changes the name directory to /var/spool and then executes files with the variable myname file. And after executing it deletes all files inside that directory.
cd /etc/cron.d/
ls -la
cat cronjob_bandit24
cat /usr/bin/cronjob_bandit24.shNow to get the password for the next directory we will have to create a script of our own so that we can put it inside the /var/spool that will cat the password file from the /etc/bandit_pass/bandit24. We will have to save the file with the name of the next user in order to run the file as a cron job successfully.
mkdir /tmp/Ignite123
cd /tmp/Ignite123
nano bandit24.shAfter creating a file using nano, we will write the script that will read the password from the /etc/bandit_pass and writes in the file inside the directory we just created.
#!/bin/bash
cat /etc/bandit_pass/bandit24 >> /tmp/Ignite123/level24Now to execute successfully, we will have to give proper read and write permissions to the script we just created and also to the directory we created.
chmod 777 bandit24.sh
cp bandit24.sh /var/spool/bandit24/
chmod 777 /tmp/Ignite123We will have to wait for some time. We got a bit stuck here as we didn’t wait for enough. Have a bit of patience, it will take some time. After that when we list the files inside the directory, we see that a new file is created and upon reading the contents of that file, we find the password that we were looking for in this level. Now that we have the password for the next level, we will login as bandit24 using SSH.
ls
cat level24Now, if the above-mentioned method doesn’t work for you. This is another method to grab the password. It is based on the method that we did at an earlier level. In the previous level we wrote the I am user bandit23 now that we have to grab the password for bandit24 we will write I am user bandit24 and convert it to MD5 and use that text as a directory for the password for the next level. We prefer this method because is obviously faster and easier.
echo I am user bandit24 | md5sum | cut -d ' ' -f 1
cat /tmp/ee4ee1703b083edac9f8183e4ae70293
ssh bandit24@localhostLevel 24–25
On this level, we are informed that a background process is running. It is listening at post 30002 and will give the password for the next level. And we will have to feed it the password for the current level. But wait there is a catch. We will also have to provide a 4-digit secret passcode which will have to Bruteforce as we have absolutely no clue about it. Now to apply Bruteforce we will have to create a Dictionary. As always, we will be needing to read and write permissions to create a script. So, we will create a directory inside the tmp directory. Let’s create a script using nano.
nc localhost 30002
cd /tmp/pavan2
nano bruteforcer.shAfter creating the script file, we will have to create a file that would act as a dictionary. We are told that we will have to feed the daemon running on port 30002 the password of the current level followed by a 4-digit passcode. So, we ran a loop that lists all the 4 digits and writes those inside a file called output. This file will act as a dictionary.
#!/bin/bash
passwd="UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ"
for i in {8000..8999}
do
echo $passwd' '$i >> output.txt
doneNow before running the above script, let’s first give it proper permissions. After that, we will run the script. Now, to apply Bruteforce, we will have to use piping (|). We will first read the password we created inside the output.txt than we will feed its output to the nc at 30002 port. Further, we will feed the output to a file called result. This will make reading the password easier. Now using the sort command combined with the uniq command, we will extract the correct password easily. Now that we have the password for the next level, we will login as bandit25 using SSH.
chmod 777 bruteforcer.sh
./bruteforcer.sh
cat output.txt | nc localhost 30002 >> result.txt
sort result.txt | uniq -u
ssh bandit25@localhostNote: When we were trying the Bruteforce, there were times when we were getting a session timeout error. To resolve this, don’t Bruteforce from 0 to 9999. Instead, divide the dictionary into small sections like 0 to 1000 and 1001 to 2000 and so on.
Level 25–26
On this level, we are informed that the shell for user bandit26 is not bin bash. So, we will have to figure it out. After logging in as bandit25, we ran the ls command to list all the files inside the directory. This gave an ssh key. So, we tried to login with it.
ls
ssh bandit26@localhost -i bandit26.sshkeyWe saw that a session was generated but it displayed a pattern as below and then the session was closed.
After a bit enumeration, here and there. It hit us to check the /etc/passwd file. As this was a machine with lots of users so we used the grep command to get a refined result for the bandit26 user. It gave us a file called showtext. We read the file showtext using the cat command. It shows us that ‘more’ is used with the text file that shows us the pattern we saw before. Now, this gave us an idea that we need to provoke the more command. To do this we will have to decrease the size of the terminal so that it can’t display that pattern.
cat /etc/passwd | grep bandit26
cat /usr/bin/showtextSo, we decreased the size of the terminal as shown in the image and then again tried to login. This will trigger the ‘more’. Now press ‘v’ to enable vi editor.
Now, we will write the following command to invoke a shell here as shown in the given image.
:set shell=/bin/bashAs we can see in the given image that we have the shell for bandit26.
:shLevel 26–27
On this level, we are not given any hints. We are on our own on this. So, we like to see what we have to work upon in the current directory. We ran ls command to find a script bandit27-do. Let’s execute the script to see if we get any message or hint. It does one better, it gives us an example. This script basically runs the command it is given as user bandit27. So now that we can run commands as user bandit27. Let’s read the password file located at /etc/bandit_pass/bandit27. Now that we have the password for the next level, we will login as bandit27 using SSH.
ls
./bandit27-do
./bandit27-do whoami
./bandit27-do cat /etc/bandit_pass/bandit27
ssh bandit27@localhostLevel 27–28
On this level, we are informed that there is a git repository and the password for that repository is the same password that was used to login in as user bandit27. We are required to clone the repository. Now we need to have the write permission to clone a repository. So, we create a directory in the tmp directory. After cloning let’s list all the file in the repo. We find a README file. Upon reading that file we get the password for the next level.
mkdir /tmp/pavan4
cd /tmp/pavan4
git clone ssh://bandit27-git@localhost/home/bandit27-git/repo
ls
cd repo
ls
cat READMENow that we have the password for the next level, we will login as bandit28 using SSH.
ssh bandit28@localhostLevel 28–29
On this level, we are informed that there is a git repository and the password for that repository is the same password that was used to login in as user bandit28. We are required to clone the repository. Now we need to have the write permission to clone a repository. So, we create a directory in the tmp directory. After cloning let’s list all the file in the repo. We find a README file. Upon reading that file we see that password is hidden.
mkdir /tmp/pavan5
cd /tmp/pavan5
git clone ssh://bandit28-git@localhost/home/bandit28-git/repo
ls
cd repo/
ls
cat README.mdMaybe the password was inside the file but was removed. Good thing is that whenever a change is made in a git, a log entry is created. Let’s check that log, we can see that the author of git has made the latest commit named ‘fix info leak’. We need to check out this commit.
git logTo see the changes made in the commit, we will use the git show command to read the changes made. As expected, we found the password inside this commit.
git show 073c27c130e6ee407e12faad1dd3848a110c4f95Now that we have the password for the next level, we will login as bandit29 using SSH.
ssh bandit29@localhostLevel 29–30
On this level, we are informed that there is a git repository and the password for that repository is the same password that was used to login in as user bandit29. We are required to clone the repository. Now we need to have the write permission to clone a repository. So, we create a directory in the tmp directory. Now we will clone the repository inside this directory.
mkdir /tmp/pavan6
cd /tmp/pavan6
git clone ssh://bandit29-git@localhost/home/bandit29-git/repoAfter cloning let’s list all the file in the repo. We find a README file. Here we are told that there is no password in production. Now its time to enumerate this git.
ls
cd repo/
ls
cat README.mdWe list all the branches in this git using the git branch command. It shows us that we. have another branch called dev. Let’s check out this branch for the password. After switching to this branch, we run ls command to see that we have a README file. Upon reading that file we get the credentials.
git branch -a
git checkout dev
cat README.mdNow that we have the password for the next level, we will login as bandit30 using SSH.
ssh bandit30@localhostLevel 30–31
On this level, we are informed that there is a git repository and the password for that repository is the same password that was used to login in as user bandit30. We are required to clone the repository. Now we need to have the write permission to clone a repository. So, we create a directory in the tmp directory. Now we will clone the repository inside this directory.
mkdir /tmp/pavan7
cd /tmp/pavan7
git clone ssh://bandit30-git@localhost/home/bandit30-git/repoAfter cloning let’s list all the file in the repo. We find a README file. Here we are told that it is an empty file. Now it’s time to enumerate this git. Git has the ability to tag specific points in a repository’s history as being important. We can enumerate that tag. On looking carefully, we find the tag secret. On reading that tag we find the password we were looking for on this level. Now that we have the password for the next level, we will login as bandit31 using SSH.
ls
cd repo
ls
cat README.md
git tag
git show secret
ssh bandit31@localhostLevel 31–32
On this level, we are informed that there is a git repository and the password for that repository is the same password that was used to login in as user bandit31. We are required to clone the repository. Now we need to have the write permission to clone a repository. So, we create a directory in the tmp directory. Now we will clone the repository inside this directory.
mkdir /tmp/pavan8
cd /tmp/pavan8
git clone ssh://bandit31-git@localhost/home/bandit31-git/repoAfter cloning let’s list all the file in the repo. We find a README file. Here we are told that in order to get the password for the next level, we have to push a file in the remote repository. This file must be named key.txt and should contain the content May I come in?
ls
cd repo/
ls
cat README.md
nano key.txtSo, we create a text file name key using nano and enter the phrase “May I come in?” in it.
Now we add the file to the repository and commit to that entry. And finally, push it into the origin branch. This step requires the password for the current user. As we can see in the given image that we have the password for the next level.
git add -f key.txt
git commit -m "."
git push originNow that we have the password for the next level, we will login as bandit32 using SSH.
ssh bandit32@localhostLevel 32–33
On reaching this level, we are greeted with a message “Welcome to the Uppercase shell”. To understand what it does, we ran ls command but we got an error. On close inspection of the error message, we understand that it states that the LS command is not found. It means that the shell converts my commands to Uppercase before executing. For this level, we are given a hint “it’s time for another escape”. This made us curious about escape characters. Upon brief research, we found that we can bypass this uppercase shell using an escape character ‘$0’. We were right. We got the bash. Let’s list all files using ls -al command. We see that the owner of uppercase is bandit33. So, we can access the /etc/bandit_pass/bandit33 file to get the password for the next level. After getting the password, we will login as bandit33 using SSH.
ls
$0
ls -al
cat /etc/bandit_pass/bandit33
ssh bandit33@localhostLevel 33
This is the final level for now as the bandit team is working on creating more levels. We connected to this level as use bandit33. After connecting we run ls command to see the list of files we have in the current directory. We see that we have a README file. On opening that file, we see the final flag and a brief message from the Over the Wire Team. This concludes this series for now. We will solve more levels as soon as Over the Wire team publishes more levels.
ls
cat README.txtAnd I believed you enjoyed it.🥂🤸♂️
Feel free to Subscribe for more content 🔔, clap 👏🏻 and share the article With anyone you’d like.
