OverTheWire - Bandit (Writeup)

Welcome to my site! This writeup is going to be about OverTheWire’s Bandit. OverTheWire is a website that hosts wargames that can help you learn and practice security concepts in the form of fun-filled games. According to OverTheWire, “Bandit is a wargame aimed at absolute beginners”. In my opinion, this is absolutely one of the best CTF-style things you can do as a beginner. It teaches you the basics needed to be able to play other wargames, CTFs, and any other aspects of penetration testing: command-line basics, finding needles in a haystack (i.e. finding info in a specific file, when given access to large amounts of files/directories), user/group/other permissions, etc.

So what is Bandit? How do I play?

Bandit has 35 levels (including level 0). The Bandit server is accessible via Secure Shell (SSH). The credentials are provided to you at level 0, and completion of each level provides the password to the following level. There can be multiple ways to access the password file, but you only need to correctly do one to move on.

OverTheWire’s website: https://overthewire.org/wargames/

OverTheWire – Bandit: https://overthewire.org/wargames/bandit/

Okay, sounds good. What do I need in order to start?

Unlike many hacking sites out there, OverTheWire requires nothing to begin hacking away! No accounts, no subscriptions, just a computer with internet access and an SSH client. If you’re opting for a GUI-based SSH client I’d recommend MobaXTERM (https://mobaxterm.mobatek.net/) or Putty (https://www.putty.org/), however I typically just use the Linux terminal in my Kali instance. Dealer’s choice!

How do I connect to the server?

Before we dig in, I’ll show you how to SSH into a remote host using the Linux terminal. If you’re using a GUI-based SSH client like MobaXTERM or Putty there should be tutorials on their respective websites on how to connect to a remote host.

The typical port for SSH is 22, however Bandit’s has been changed to 2220. Here’s the SSH syntax:

ssh <user>@<IP/hostname> -p <port_number>

<user> = username to authenticate as
<IP/hostname> = The IP address or hostname of the server
-p = The port number you want to use [optional if port is 22]

That should be all the info needed to access level 0, so let’s learn how to hack!

Bandit Level 0

Access Level 0 at: https://overthewire.org/wargames/bandit/bandit0.html

Each level page gives you a hint as to how to go about completing said level. The username will carry out the same format throughout the game: bandit<level number>. So level 10 will be bandit10, level 22 will be bandit22, and so on.

This level is very simple, just ssh onto the host.

ssh bandit0@bandit.labs.overthewire.org -p 2220
[password: bandit0]

We’re in!

That’s as far as we go for level 0. We’ll use the same SSH session for level 0 –> 1, so don’t exit it yet.

Bandit Level 0 –> 1

Access Level 0 –> 1 at: https://overthewire.org/wargames/bandit/bandit1.html

Okay, now that we’ve SSH’d onto the box. We’re going to use the ‘ls’ command to do a directory listing of your current directory.

There is one file in the directory, called ‘readme’. Let’s use the ‘cat’ command to read the file.

cat readme

And just like that, the password for level 1 –> 2! Now that I’ve walked you through the basics, I’m going to assume that by this point you now understand how to SSH into a remote host, list files in the present working directory (PWD), and output the contents of the file to your screen (cat). I’m going to completely walk you through the whole process for level 1 –> 2, then all future levels I will omit SSHing to the host as I feel pasting SSH output for 35 levels will be a bit cluttered on this post.

To exit your SSH session, type ‘exit’.

Level 1 –> 2 Credentials:
Username: bandit1
Password: boJ9jbbUNNfktd78OOpsqOltutMc3MY1

Bandit Level 1 –> 2

Access level 1 –> 2 at: https://overthewire.org/wargames/bandit/bandit2.html

Let’s start by SSHing as bandit1:

ssh bandit1@bandit.labs.overthewire.org -p 2220
[Password: boJ9jbbUNNfktd78OOpsqOltutMc3MY1]

We’re in! Again.

Again, let’s use the ‘ls’ command to list the files in our PWD.

Uh-oh. They’re throwing curve balls at us already. If you try catting (hack slang for reading the file) the file you won’t get the output you’re looking for. This is a teachable moment. 90% of the job of a penetration tester (or anyone into hacking) is dedicated to research. After playing these games long enough you’ll become an expert on Googling solutions to your problems. In this case, you would Google something along the lines of “How to read a – filename in linux”. After scouring the sites and forums we should be able to find a few answers.

To cat a file that starts with a dash in Linux, we can either cat the whole file path, or you can apply the “<” symbol before the name to cancel the special meaning of the dash and redirect the file to stdin. We’ll go with the first option. To start, type ‘pwd’ to get your present working directory:

pwd

Our present working directory is /home/bandit1. So our command will look like this:

cat /home/bandit1/-

cat /home/bandit1/-

And just like that, now we have creds for the next level! Okay, like I mentioned earlier, I’m going to take the training wheels off a little bit and assume you can figure out how to connect to the host.

Level 2 –> 3 Credentials:
Username: bandit2
Password: CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

Bandit Level 2 –> 3

Access level 2 –> 3 at: https://overthewire.org/wargames/bandit/bandit3.html

Okay, you’ll notice this one has spaces in the filename. While this is typically a bad naming convention to follow, that’s besides the point. To counteract the spaces, just put quotes around the filename.

cat "spaces in this filename"

cat “spaces in this filename”

Done! Not so hard, is it? What would you have Googled to figure this out on your own?

Level 3 –> 4 Credentials:
Username: bandit3
Password: UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

Bandit Level 3 –> 4

Access level 3 –> 4 at: https://overthewire.org/wargames/bandit/bandit4.html

Why’s it blue?

Whoa, why’s the filename a different color? This indicates that this is another directory, rather than a file. We can go about this a few different ways: we can use the ‘cd’ command to change directories to ‘inhere’ and then cat the file inside, or we can use the ‘ls’ command followed by the name of the directory to list the contents of directory. I find the first is easier if we know something is inside, so let’s do that.

cd inhere

Where’s the file?

Wait, there’s nothing in here. We’ve been bamboozled. Just kidding. Linux can have what’s called a hidden file. If you put a “.” in front of a file when naming it, it will become hidden (i.e. “.hidden”).

So how do we see this hidden file?

Most commands in Linux have what are called options, this is usually a “-” and then a letter or series of letters. The ‘ls’ command also has these. Here’s the ‘ls’ command I typically use when I want to view hidden files, file permissions, and do a long listing of the files.

ls -lisa [the name lisa is easier to remember so this is what I use]

l = use a long listing format
i = print the index number of each file
s = print the allocated size of each file
a = do not ignore entries starting with .

And there you have it. This one could have been tough to figure out without any hints, but luckily OverTheWire provides hints for each level, as well as helpful commands.

Level 4 –> 5 Credentials:
Username: bandit4
Password: pIwrPrtPN36QITSp3EQaw936yaFoFgAB

Bandit Level 4 –> 5

Access level 4 –> 5 at: https://overthewire.org/wargames/bandit/bandit5.html

Okay, I’m assuming you already used the ‘cd’ command to change your directory to ‘inhere’. You probably used ‘ls’ to get a directory listing, and now you’re looking at all these files like “they all have dashes, and I don’t know which one is the right one. What do I do?”

Lucky for us, they give us hint “The password is stored in the only human-readable file”. We’re going to use the ‘file’ command to figure out which file is human readable (remember, because of the dashes we have to use the full file path):

file /home/bandit4/inhere/*
[the * is called a wildcard - this is the symbol for "everything". Meaning, if you want to list all files in a directory, use 'ls *', or if you want to read all files in a directory use 'cat *' ]

As you can see, -file07 is the only file that is made up of ASCII text (basically meaning human-readable).

Done.

Level 5 –> 6 Credentials:
Username: bandit5
Password: koReBOKuIDDepwhWk7jZC0RTdopnAYKh

Bandit Level 5 –> 6

Access level 5 –> 6 at: https://overthewire.org/wargames/bandit/bandit6.html

According to the description there’s a lot going on here. And as you can see already, there are a lot of directories to choose from. But which one is it in?

Like I said earlier, there are multiple ways to do things. I personally like to use the ‘ls’ command, but the ‘find’ command is more powerful and allows you to get very granular with your searches. We’ll use the find command for the most part.

find -type f -size 1033c

-type f = the filetype is a normal file
-size 1033c = 1033 bytes [the c is for bytes]

Found it!

As you can see, it’s located in maybehere07/.file2

Too easy

Level 6 –> 7 Credentials:
Username: bandit6
Password: DXjZPULLxYr17uwoI01bNLQbtFemEgo7

Bandit Level 6 –> 7

Access level 6 –> 7 at: https://overthewire.org/wargames/bandit/bandit7.html

They tried to throw a curveball here too. You’ll notice there’s nothing in our pwd. It says it’s located somewhere on the server. Use the help manual for find ‘find –help’ to see what we can do to look for all files starting at the root of the filesystem, owned by a specific user and group, and 33 bytes in size.

find / -user bandit7 -group bandit6 -size 33c 2>/dev/null

-user = specify the user
-group = specify the group
2>/dev/null = redirect error message to the trash (very useful, otherwise there's a lot of unnecessary output), this does work without this piece however. This is not specific to the find command.

Level 7 –> 8 Credentials:
Username: bandit7
Password: HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

Bandit Level 7 –> 8

Access level 7 –> 8 at: https://overthewire.org/wargames/bandit/bandit8.html

This one is a simple one! Remember that grep command I told you about earlier? We’ll use it here too, just grep for the word “millionth” inside data.txt. There are multiple ways to use grep, I’ll show you both of them below. You can decide which way you want to use.

cat data.txt | grep millionth
[output the contents of data.txt, then grep for the word millionth]

grep millionth data.txt
[use the grep command to search for millionth inside data.txt, then output the line to the screen]

Level 8 –> 9 Credentials:
Username: bandit8
Password: cvX2JJa4CFALtqS87jk27qwqGhBM9plV

Bandit Level 8 –> 9

Access level 8 –> 9 at: https://overthewire.org/wargames/bandit/bandit9.html

We’re going to use two commands we haven’t used previously here. sort and unique.

sort data.txt | uniq -u

sort = sorts every line in the file alphabetically
uniq -u = only displays unique lines

Level 9 –> 10 Credentials:
Username: bandit9
Password: UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

Bandit Level 9 –> 10

Access level 9 –> 10 at: https://overthewire.org/wargames/bandit/bandit10.html

In this one you’ll use the ‘strings’ command. This command essentially just outputs all the human-readable strings from a binary file. I’m sure there’s a more efficient way to filter this one, but we got our answer!

strings data.txt | grep =

Level 10 –> 11 Credentials:
Username: bandit10
Password: truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk

Bandit Level 10 –> 11

Access level 10 –> 11 at: https://overthewire.org/wargames/bandit/bandit11.html

This one is simple. Base64 is an encoding mechanism, very simple to decode. You can paste the output into a base64 decoder online or you can use the base64 command with the -d option to decode it.

cat data.txt | base64 -d

Level 11 –> 12 Credentials:
Username: bandit11
Password: IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

Bandit Level 11 –> 12

Access level 11 –> 12 at: https://overthewire.org/wargames/bandit/bandit12.html

This one deals with the Rot13 cipher. Very easy to reverse, but very common in CTFs (as is base64). There are tons of Rot13 reversers online, but for the sake of legitimacy we’ll do it via command line.

You can read this post to see where I found the command: https://askubuntu.com/questions/1085069/how-can-i-decode-a-file-where-each-letter-has-been-replaced-with-the-letter-13-l

cat data.txt | tr '[a-z][A-Z]' '[n-za-m][N-ZA-M]'

Level 12 –> 13 Credentials:
Username: bandit12
Password: 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

Bandit Level 12 –> 13

Access level 12 –> 13 at: https://overthewire.org/wargames/bandit/bandit13.html

This one definitely takes some brainpower. I’d recommend doing some reading on hex dumps: what they are, and how to reverse them back into a binary.

Or I’ll just tell you. Step one: copy the file to the /tmp directory so we can edit the file (we don’t have permission in the current folder). Then, reverse the hexdump:

[create directory, copy file to directory, cd to directory]
mkdir /tmp/dw3113r
cp data.txt /tmp/dw3113r/
cd /tmp/dw3113r

[reverse the hex dump, output to a new file called dw3113r]
xxd -r data.txt > dw3113r

Okay cool, now we’re going to see what kind of file this is:

file dw3113r

It’s gzip’d, let’s decompress it. Since it’s a gzip’d file we have to change the name of the file to end in .gz, we’ll do so with the mv command.

mv dw3113r dw3113r.gz
gunzip dw3113r.gz

Awesome, it decompressed into a file called dw3113r. Let’s see what type of file it is (remember, after I’ve already showed you something once or twice I’m going to assume you can figure out how to do it without me typing out the commands again):

Okay, it’s bzip’d this time. Let’s rename the file to add the .bz2 extension and unzip:

mv dw3113r dw3113r.bz2
bzip2 -d dw3113r.bz2

This time it’s another gzip file. Go through the same process as the last gzip file.

Okay, this time it’s a POSIX tar archive. let’s un-tar it:

tar -xvf dw3113r

It created a file called data5.bin, which the file command says is another tar archive. Let’s follow the same steps to un-tar it.

That created a file called data6.bin, which is another bzip2 file. Decompress the bzip2 file.

Now it’s another tar archive, un-tar it.

It created data8.bin, which is a gzip file. rename and decompress.

Now it created an ASCII text file.

Wow that was a long one! Simple, but lots of moving parts.

Level 13 –> 14 Credentials:
Username: bandit13
Password: 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

Bandit Level 13 –> 14

Access level 13 –> 14 at: https://overthewire.org/wargames/bandit/bandit14.html

This level is super useful, because there will come a time during a CTF or HackTheBox machine or something where you’ll need to understand how to use SSH keys to log in as a certain user. In this case, the SSH private key is stored in the pwd. Use this command on the remote box to SSH as user bandit14 so we can get the password for the next level

ssh bandit14@localhost -i sshkey.private
[type 'yes' when it asks if you want to continue]

This should log you into the box as bandit14 without needing a password. Now let’s grab that password.

Level 14 –> 15 Credentials:
Username: bandit14
Password: 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

Bandit Level 14 –> 15

Access level 14 –> 15 at: https://overthewire.org/wargames/bandit/bandit15.html

This level is where understanding networking comes in handy. We’re going to use a tool called netcat ‘nc’ to connect to port 30000, then when the connection is established we’ll paste the password into the terminal and press enter.

nc localhost 30000

nc command syntax:
nc <IP> <port>

Level 15 –> 16 Credentials:
Username: bandit15
Password: BfMYroe26WYalil77FoDi9qh59eK5xNr

Bandit Level 15 –> 16

Access level 15 –> 16 at: https://overthewire.org/wargames/bandit/bandit16.html

This one I would argue is a bit advanced for beginners, so take this level with a grain of salt. We have to use the openssl command with a few specific options to get this one to work.

openssl s_client -ign_eof -connect localhost:30001

s_client = implements a generic SSL/TLS client which can establish a transparent connection to a remote server speaking SSL/TLS.

-ign_eof = ignore input eof

Level 16 –> 17 Credentials:
Username: bandit16
Password: cluFn7wTiGryunymYOu4RcffSxQluehd

Bandit Level 16 –> 17

Access level 16 –> 17 at: https://overthewire.org/wargames/bandit/bandit17.html

This level is where I’d say things are starting to heat up a bit. We have to use a tool called nmap to scan the localhost for a specific port that speaks SSL that’s between 31000 and 32000.

nmap -v -sT -A -p31000-32000 127.0.0.1

-v = verbose mode [show more info]
-sT = TCP scan. SSL is run over TCP so I like to specify when I can
-A = run all checks [service version, OS detection, default scripts]
-p31000-32000 = the port range to scan
127.0.0.1 = localhost [meaning the computer will scan itself]

We can see here that port 31790 is the SSL port. Now, we need to use the openssl command to connect to the port.

openssl s_client -connect 127.0.0.1:31790
[Enter password for this level once connection is established]

It worked! Now we have an RSA private key. We don’t have permission to create files in our PWD so cd to /tmp and save the RSA output to a file called dw3113r.key

cd /tmp
nano dw3113r.key
ctrl+shift+v [paste the RSA contents]
ctrl+x [exit]
y [yes]
chmod 600 dw3113r.key [modify file permission so we can use it]

Note: you don't have permission to ls the files in /tmp, but if you type 'cat dw3113r.key' you'll still see it.

Now we’ll use the RSA private key to SSH as bandit17 [straight from the target box, not our attack box].

ssh bandit17@127.0.0.1 -i dw3113r.key

Remember, passwords are stored in /etc/bandit_pass.

cat /etc/bandit_pass/bandit17

This one definitely started heating up a bit. We had to mess with file permissions and figure out where we can create files. /tmp is typically a good location to put all your files when you exploit a box.

Level 17 –> 18 Credentials:
Username: bandit17
Password: xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn

Bandit Level 17 –> 18

Access level 17 –> 18 at: https://overthewire.org/wargames/bandit/bandit18.html

This one is easy. They give us two password files filled with a bunch of gunk. There’s only a one-line difference between the two. This is the password. Use the diff command to display all the differences between two files.

diff passwords.new passwords.old

It gave us two passwords. The first one is the right one.

Level 18 –> 19 Credentials:
Username: bandit18
Password: kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd

Bandit Level 18 –> 19

Access level 18 –> 19 at: https://overthewire.org/wargames/bandit/bandit19.html

Well this is something.. We’re getting logged out before we can even do anything. So what now? Well, ssh has an option -T which allows you to disable pseudo-terminal allocation (basically meaning we can SSH in, but we’re not really using a fully interactive or “smart” terminal, it’s a dumb terminal). It is normal not to have the regular prompt. You won’t see anything on your screen, but it’s working. You’ll still see the output.

ssh bandit18@bandit.labs.overthewire.org -p 2220 -T
[enter password]

Level 19 –> 20 Credentials:
Username: bandit19
Password: IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

Bandit Level 19 –> 20

Access level 19 –> 20 at: https://overthewire.org/wargames/bandit/bandit20.html

This one was simple. Just run the binary to see what it is. Turns out it’s a binary that runs commands as another user. So we just need to use the binary to read the password for bandit20.

./bandit20-do cat /etc/bandit_pass/bandit20

Level 20 –> 21 Credentials:
Username: bandit20
Password: GbKksEFF4yrVs6il55v6gwY5aVje5f0j

Bandit Level 20 –> 21

Access level 20 –> 21 at: https://overthewire.org/wargames/bandit/bandit21.html

This one is definitely tough for beginners. You’ll need two SSH connections as bandit20. In the first on, you’ll use nc to set up a listener on any port of choice. In the second connection, you’ll use the binary with the chosen port number. It’ll connect to the listening port you set up, you’ll provide the password, it checks that it’s the same password, then it’ll send the new one.

[terminal 1 - set up nc listener on port 4321]
nc -nlvp 4321

[terminal 2 - connect to port using the binary]
./suconnect 4321

[terminal 1 - send old password]
GbKksEFF4yrVs6il55v6gwY5aVje5f0j

[terminal 2 - reads password, sends next pass to terminal 1]

[terminal 1 - receives new password]

And there you have it! It wasn’t as hard as it looks, but it definitely took a little thinking to figure out what to do.

Level 21 –> 22 Credentials:
Username: bandit21
Password: gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr

Bandit Level 21 –> 22

Access level 21 –> 22 at: https://overthewire.org/wargames/bandit/bandit22.html

Nice, an easy level! Cron is a program that runs whatever you want it to and whatever interval you set it to. Look in /etc/cron.d/cronjob_bandit22 and you’ll see a reference to a script called /usr/bin/cronjob_bandit22.sh. Cat this script and you’ll see that it’s outputting the contents of bandit22’s password file to a file in /tmp, open that file and you’ll get the password.

cat /etc/cron.d/cronjob_bandit22
cat /usr/bin/cronjob_bandit22

cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

See? Pretty simple!

Level 22 –> 23 Credentials:
Username: bandit22
Password: Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

Bandit Level 22 –> 23

Access level 22 –> 23 at: https://overthewire.org/wargames/bandit/bandit23.html

This one is still pretty simple, but builds off the skills you learned in the last one. The only difference is now you have to interpret what a bash script is doing.

The script is owned/executed by bandit23. The variable ‘myname’ is going to be set to ‘bandit23’. Then, it’s going to echo “I am user bandit23”, calculate the md5 hash for that string, then use the cut command to only grab the hash and remove the dash at the end. So, you need to run the command I just mentioned to get the hash. Then the hash is used as the filename in /tmp. Cat that file and you’ll get the password.

echo I am user bandit23 | md5sum | cut -d ' ' -f 1
[8ca319486bfbbc3663ea0fbe81326349]

cat /tmp/8ca319486bfbbc3663ea0fbe81326349
[jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n]

Done! See? Bash scripts are pretty simple. It’s just a series of linux commands. If you don’t know what’s going on at any step of the way try running some of the commands yourself.

Level 23 –> 24 Credentials:
Username: bandit23
Password: jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n

Bandit Level 23 –> 24

Access level 23 –> 24 at: https://overthewire.org/wargames/bandit/bandit24.html

This one is actually a pretty fun one! There is a good amount of routes you can take here. Analyze what’s happening with the cron job and you’ll see that the script executes and then deletes anything in /var/spool/bandit24. We’re going to create our own bash script that outputs the contents of the bandit24 password file and tosses it into a file in /tmp. But, if you wanted to get crazy you could set up a netcat listener on your attack box, then in your custom bash script you could put some reverse netcat shellcode.

nano /var/spool/bandit24/dw3113r.sh
[Contents of dw3113r.sh below]
--------------------
#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/bandit24_pass
--------------------

[Now monitor for the new file]
cat /tmp/bandit24_pass

Again, solving these cron levels is all about being able to read a script and understand what it’s doing. Bash is a very easy one to start off learning because it’s all just linux commands and programming logic. Once you can figure out what bash scripts are doing, reading scripts in other languages (like python) is much easier.

Level 24 –> 25 Credentials:
Username: bandit24
Password: UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

Bandit Level 24 –> 25

Access level 24 –> 25 at: https://overthewire.org/wargames/bandit/bandit25.html

This is where hacking gets fun, brute forcing is always a good time! We’re going to use netcat to establish a connection to port 30002, send the password for this level and a secret 4-digit code, and if the code is correct it’ll give us the new password. I wouldn’t expect a beginner to figure this one out on their own, but feel free to try!

for i in {0000..9999}; do echo UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i; done | nc 127.0.0.1 30002 | grep -v Wrong

[let's break this down a bit]
for i in {0000..9999}; = iterates through everything from 0000 to 9999

do echo <pass_string> $i; = display the password followed by the current iteration of the four-digit number

done = finishes the loop

nc 127.0.0.1 30002 = establishes nc connection to port 30002 [and each previous password+code string is sent through the connection]

grep -v Wrong = filters out each line with the word "Wrong" in it

Lots of craziness in this one. There are tons of ways this could have been done. Like a bash script rather than a bash one-liner, but i find these to be much quicker.

Level 25 –> 26 Credentials:
Username: bandit25
Password: uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

Bandit Level 25 –> 26

Access level 25 –> 26 at: https://overthewire.org/wargames/bandit/bandit26.html

The description tells us that logging into bandit26 from bandit25 should be easy. To find out what shell a user has access to just read the /etc/passwd file.

cat /etc/passwd | grep bandit26

Okay, so when we attempt to SSH as bandit26 (using the key in our PWD) it’ll run this binary. What’s in this binary?

Easy day. It’s going to run the command “more ~/text.txt”, meaning it’ll read the contents of text.txt, and if it’s a file longer than our screen it’ll chunk it up and allow us to only see a little bit at a time. Let’s test it out.

ssh bandit26@localhost -i bandit26.sshkey

I have a pretty tall screen so the more command wasn’t necessary, it just ran the command and exited. I’m going to shorten my screen as small as possible and try again.

Perfect. So it seems like this is going to be a shell escape. You can find how to spawn a shell using mostly any command on a favorite site of mine called GTFOBins. I use it in a lot of pentests/CTFs, especially in the sudo privescs.

https://gtfobins.github.io/

According to the more manpage, I can drop into vi by typing ‘v’. Then according to GTFOBins, I can spawn a shell in vi:

[starting with the SSH command]
ssh bandit26@localhost -i bandit26.sshkey

[while on the more screen]
v

[while in the vi screen]
:set shell=/bin/sh
:shell

These are getting pretty advanced! I will say, I wish I would have run myself through every one of these levels when I was first getting into pentesting. It really is covering every aspect of what you might run into (at least during a CTF or a HTB box).

Level 26 –> 27 Credentials:
Username: bandit26
Password: 5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z (will not work)

Bandit Level 26 –> 27

Access level 26 –> 27 at: https://overthewire.org/wargames/bandit/bandit27.html

Hope you didn’t exit out of the last shell yet (like I did). If so, redo the steps and grab the password for bandit27 using the binary in your PWD.

./bandit27-do cat /etc/bandit_pass/bandit27

Level 27 –> 28 Credentials:
Username: bandit27
Password: 3ba3118a22e93127a4ed485be72ef5ea

Bandit Level 27 –> 28

Access level 27 –> 28 at: https://overthewire.org/wargames/bandit/bandit28.html

This one is a simple git clone command. Just git clone the repo they provide to use using the same password for the current level. We don’t have write privileges in our PWD so we’ll make a directory in /tmp and execute the commands from there:

mkdir /tmp/dw3113r-git
cd /tmp/dw3113r-git
git clone ssh://bandit27-git@localhost/home/bandit27-git/repo
[enter password]

Now cd into the repo and grab the password.

Level 28 –> 29 Credentials:
Username: bandit28
Password: 0ef186ac70e04ea33b4c1853d2526fa2

Bandit Level 28 –> 29

Access level 28 –> 29 at: https://overthewire.org/wargames/bandit/bandit29.html

Same thing as the last one. Make a directory in /tmp and clone the repo.

Ruh-roh. The creds are blanked out. Lucky for us git usually has version history. Let’s look at it.

git log

One commit is called ‘fix info leak’. Let’s see what the difference between the two latest commits are:

git diff edd935d60906b33f0619605abd1689808ccdd5ee c086d11a00c0648d095d04c089786efef5e01264

We got the password! Nice.

Level 29 –> 30 Credentials:
Username: bandit29
Password: bbc96594b4e001778eee9975372716b2

Bandit Level 29 –> 30

Access level 29 –> 30 at: https://overthewire.org/wargames/bandit/bandit30.html

You know the drill at this point. Clone it.

Okay, so there’s not much to go off of. Nothing in the logs either. BUT, there’s a note that says no passwords in the prod environment. Meaning, there’s probably a dev branch.

git branch -a
[notice the dev branch]
git checkout dev [to switch branches]

All done.

Level 30 –> 31 Credentials:
Username: bandit30
Password: 5b90576bedb2cc04c86a9e924ce42faf

Bandit Level 30 –> 31

Access level 30 –> 31 at: https://overthewire.org/wargames/bandit/bandit31.html

Another git challenge? Git also has what are called tags. Check to see if this repo has any tags.

git tag
[found the secret tag]
git show secret

It’s almost too easy. You just have to know what capabilities the programs you’re using has in order to know where to look. That’s what’s good about these challenges, it’s showing you all the different avenues of approach you can take and how to brainstorm to figure each challenge out.

Level 31 –> 32 Credentials:
Username: bandit31
Password: 47e603bb428404d265f59c42920d81e5

Bandit Level 31 –> 32

Access level 31 –> 32 at: https://overthewire.org/wargames/bandit/bandit32.html

This time our task is to push a file to the remote repository. It’s even nice enough to give us all the info we need! We have to push a file called key.txt with the contents ‘May I come in?’ to the master branch. Easy enough.

echo "May I come in?" > key.txt
git add key.txt -f [add key.txt to git repo]
git commit [commit changes to local repo]
git push origin [push changes to the repo origin]

And just like that, we got the password.

Level 32 –> 33 Credentials:
Username: bandit32
Password: 56a9bf19c63d650ce78e6ec0354ee45e

Bandit Level 32 –> 33

Access level 32 –> 33 at: https://overthewire.org/wargames/bandit/bandit33.html

Well, this is different. All of our commands are being converted into uppercase. The best avenue of approach is to google linux sh escapes. However, I know that typing $0 invokes a new shell and doesn’t require any letters, so nothing to convert.

$0
/bin/bash [to spawn a pretty bash shell]
cat /etc/bandit_pass/bandit33

And as quickly as it started, we’re done.

Level 33 –> 34 Credentials:
Username: bandit33
Password: c9c3199ddf4121b10cf581a98d51caee

Bandit Level 33 –> 34

Access level 33 –> 34 at: https://overthewire.org/wargames/bandit/bandit34.html

Conclusion

And that’s it! Congratulations on making it to the end! If you did legitimately choose my writeup as your source for learning this intro into the world of CTFs then I genuinely can’t thank you enough for trusting me with this. I recently got into content creation as I thoroughly enjoy helping others, so my current writing/website formatting skills are a bit choppy, but I’m working at it every day. Hopefully you got something out of this! Please leave a comment if you need any further explanation, or if you have a critique. Anything helps.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

OverTheWire – Bandit (Writeup)

Table of Contents