To start this game and login to every level you must use a SSH Client. Host: bandit.labs.overthewire.org Port: 22 ( As of January 2018 the port is now 2220 )

Bandit Level 0 → Level 1

Level Goal
The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.

➜ ~ ssh bandit0@bandit.labs.overthewire.org -p 2220 bandit0@csmckay.us:~$ ls readme bandit0@csmckay.us:~$ cat readme boJ9jbbUNNfktd78OOpsqOltutMc3MY1 bandit0@csmckay.us:~$

Bandit Level 1→ Level 2

Level Goal
The password for the next level is stored in a file called — located in the home directory

➜ ~ ssh bandit1@bandit.labs.overthewire.org -p 2220 bandit1@csmckay.us:~$ ls - bandit1@csmckay.us:~$ cat ./- CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9 bandit1@csmckay.us:~$

References https://www.google.com/search?q=dashed+filename http://tldp.org/LDP/abs/html/special-chars.html

Bandit Level 2 → Level 3

Level Goal
The password for the next level is stored in a file called spaces in this filename located in the home directory

➜ ~ ssh bandit2@bandit.labs.overthewire.org -p 2220 bandit2@csmckay.us:~$ ls spaces in this filename bandit2@csmckay.us:~$ cat spaces\ in\ this\ filename UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK bandit2@csmckay.us:~$

References https://www.google.com/search?q=spaces+in+filename

Bandit Level 3 → Level 4

Level Goal
The password for the next level is stored in a hidden file in the inhere directory.

➜ ~ ssh bandit3@bandit.labs.overthewire.org -p 2220 bandit3@csmckay.us:~$ ls inhere bandit3@csmckay.us:~$ cd inhere/ bandit3@csmckay.us:~/inhere$ ls -la total 12 drwxr-xr-x 2 root root 4096 Nov 14 2014 . drwxr-xr-x 3 root root 4096 Nov 14 2014 .. -rw-r----- 1 bandit4 bandit3 33 Nov 14 2014 .hidden bandit3@csmckay.us:~/inhere$ cat .hidden pIwrPrtPN36QITSp3EQaw936yaFoFgAB bandit3@csmckay.us:~/inhere$

Bandit Level 4 → Level 5

Level Goal
The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.

➜ ~ ssh bandit4@bandit.labs.overthewire.org -p 2220 bandit4@csmckay.us:~$ ls inhere bandit4@csmckay.us:~$ cd inhere/ bandit4@csmckay.us:~/inhere$ ls -la total 48 -rw-r----- 1 bandit5 bandit4 33 Nov 14 2014 -file00 -rw-r----- 1 bandit5 bandit4 33 Nov 14 2014 -file01 -rw-r----- 1 bandit5 bandit4 33 Nov 14 2014 -file02 -rw-r----- 1 bandit5 bandit4 33 Nov 14 2014 -file03 -rw-r----- 1 bandit5 bandit4 33 Nov 14 2014 -file04 -rw-r----- 1 bandit5 bandit4 33 Nov 14 2014 -file05 -rw-r----- 1 bandit5 bandit4 33 Nov 14 2014 -file06 -rw-r----- 1 bandit5 bandit4 33 Nov 14 2014 -file07 -rw-r----- 1 bandit5 bandit4 33 Nov 14 2014 -file08 -rw-r----- 1 bandit5 bandit4 33 Nov 14 2014 -file09 drwxr-xr-x 2 root root 4096 Oct 19 2016 . drwxr-xr-x 3 root root 4096 Nov 14 2014 .. bandit4@csmckay.us:~/inhere$ bandit4@csmckay.us:~/inhere$ cat ./-file07 koReBOKuIDDepwhWk7jZC0RTdopnAYKh bandit4@csmckay.us:~/inhere$

Bandit Level 5 → Level 6

Level Goal
The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:
human-readable
1033 bytes in size
not executable

➜ ~ ssh bandit5@bandit.labs.overthewire.org -p 2220 bandit5@csmckay.us:~$ ls inhere bandit5@csmckay.us:~$ cd inhere/ bandit5@csmckay.us:~/inhere$ ls -la total 88 drwxr-x--- 22 root bandit5 4096 Nov 14 2014 . drwxr-xr-x 3 root root 4096 Nov 14 2014 .. drwxr-x--- 2 root bandit5 4096 Nov 14 2014 maybehere00 drwxr-x--- 2 root bandit5 4096 Nov 14 2014 maybehere01 drwxr-x--- 2 root bandit5 4096 Nov 14 2014 maybehere02 drwxr-x--- 2 root bandit5 4096 Nov 14 2014 maybehere03 drwxr-x--- 2 root bandit5 4096 Nov 14 2014 maybehere04 drwxr-x--- 2 root bandit5 4096 Nov 14 2014 maybehere05 drwxr-x--- 2 root bandit5 4096 Nov 14 2014 maybehere06 drwxr-x--- 2 root bandit5 4096 Nov 14 2014 maybehere07 drwxr-x--- 2 root bandit5 4096 Nov 14 2014 maybehere08 drwxr-x--- 2 root bandit5 4096 Nov 14 2014 maybehere09 drwxr-x--- 2 root bandit5 4096 Nov 14 2014 maybehere10 drwxr-x--- 2 root bandit5 4096 Nov 14 2014 maybehere11 drwxr-x--- 2 root bandit5 4096 Nov 14 2014 maybehere12 drwxr-x--- 2 root bandit5 4096 Nov 14 2014 maybehere13 drwxr-x--- 2 root bandit5 4096 Nov 14 2014 maybehere14 drwxr-x--- 2 root bandit5 4096 Nov 14 2014 maybehere15 drwxr-x--- 2 root bandit5 4096 Nov 14 2014 maybehere16 drwxr-x--- 2 root bandit5 4096 Nov 14 2014 maybehere17 drwxr-x--- 2 root bandit5 4096 Nov 14 2014 maybehere18 drwxr-x--- 2 root bandit5 4096 Nov 14 2014 maybehere19 bandit5@csmckay.us:~/inhere$ find . -type f -readable ! -executable -size 1033c ./maybehere07/.file2 bandit5@csmckay.us:~/inhere$ cat ./maybehere07/.file2 DXjZPULLxYr17uwoI01bNLQbtFemEgo7 bandit5@csmckay.us:~/inhere$

Bandit Level 6 → Level 7

Level Goal
The password for the next level is stored somewhere on the server and has all of the following properties:
owned by user bandit7
owned by group bandit6
33 bytes in size

➜ ~ ssh bandit6@bandit.labs.overthewire.org -p 2220 bandit6@csmckay.us:~$ find / -user bandit7 -group bandit6 -size 33c 2>/dev/null /var/lib/dpkg/info/bandit7.password bandit6@csmckay.us:~$ cat /var/lib/dpkg/info/bandit7.password HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs bandit6@csmckay.us:~$

Bandit Level 7 → Level 8

Level Goal
The password for the next level is stored in the file data.txt next to the word millionth

➜ ~ ssh bandit7@bandit.labs.overthewire.org -p 2220 bandit7@csmckay.us:~$ ls data.txt bandit7@csmckay.us:~$ cat data.txt | grep "millionth" millionth cvX2JJa4CFALtqS87jk27qwqGhBM9plV bandit7@csmckay.us:~$

Bandit Level 8 → Level 9

Level Goal
The password for the next level is stored in the file data.txt and is the only line of text that occurs only once

➜ ~ ssh bandit8@bandit.labs.overthewire.org -p 2220 bandit8@csmckay.us:~$ ls data.txt bandit8@csmckay.us:~$ cat data.txt | sort | uniq -u UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR bandit8@csmckay.us:~$

References http://www.westwind.com/reference/os-x/commandline/pipes.html

Bandit Level 9 → Level 10

Level Goal
The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.

➜ ~ ssh bandit9@bandit.labs.overthewire.org -p 2220 bandit9@csmckay.us:~$ ls data.txt bandit9@csmckay.us:~$ strings data.txt | grep "=" epr~F=K 7?YD= ?M=HqAH /(Ne= C=_" I========== the6 z5Y= h(8= n\H=; ========== password ========== ism N$=& l/a=L) f=C( ========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk ie)=5e bandit9@csmckay.us:~$

Bandit Level 10 → Level 11

Level Goal
The password for the next level is stored in the file data.txt, which contains base64 encoded data

➜ ~ ssh bandit10@bandit.labs.overthewire.org -p 2220 bandit10@csmckay.us:~$ ls data.txt bandit10@csmckay.us:~$ cat data.txt VGhlIHBhc3N3b3JkIGlzIElGdWt3S0dzRlc4TU9xM0lSRnFyeEUxaHhUTkViVVBSCg== bandit10@csmckay.us:~$ cat data.txt | base64 --decode The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR bandit10@csmckay.us:~$

References https://en.wikipedia.org/wiki/Base64

Bandit Level 11 → Level 12

Level Goal
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions

➜ ~ ssh bandit11@bandit.labs.overthewire.org -p 2220 bandit11@csmckay.us:~$ ls data.txt bandit11@csmckay.us:~$ cat data.txt Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh bandit11@csmckay.us:~$ cat data.txt | tr '[A-Za-z]' '[N-ZA-Mn-za-m]' The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu bandit11@csmckay.us:~$

References https://en.wikipedia.org/wiki/ROT13

Bandit Level 12 → Level 13

Level Goal
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)

➜ ~ ssh bandit12@bandit.labs.overthewire.org -p 2220 bandit12@csmckay.us:~$ ls data.txt bandit12@csmckay.us:~$ mkdir /tmp/kan1shka9 bandit12@csmckay.us:~$ cp data.txt /tmp/kan1shka9 bandit12@csmckay.us:~$ cd /tmp/kan1shka9 bandit12@csmckay.us:/tmp/kan1shka9$ ls data.txt bandit12@csmckay.us:/tmp/kan1shka9$ file data.txt data.txt: ASCII text bandit12@csmckay.us:/tmp/kan1shka9$ xxd -r data.txt > data_xxd_reverse bandit12@csmckay.us:/tmp/kan1shka9$ file data_xxd_reverse data_xxd_reverse: gzip compressed data, was "data2.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression bandit12@csmckay.us:/tmp/kan1shka9$ zcat data_xxd_reverse > data_zcat bandit12@csmckay.us:/tmp/kan1shka9$ file data_zcat data_zcat: bzip2 compressed data, block size = 900k bandit12@csmckay.us:/tmp/kan1shka9$ bzip2 -d data_zcat bzip2: Can't guess original name for data_zcat -- using data_zcat.out bandit12@csmckay.us:/tmp/kan1shka9$ file data_zcat.out data_zcat.out: gzip compressed data, was "data4.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression bandit12@csmckay.us:/tmp/kan1shka9$ ls data.txt data_xxd_reverse data_zcat.out bandit12@csmckay.us:/tmp/kan1shka9$ zcat data_zcat.out > data_zcat_2 bandit12@csmckay.us:/tmp/kan1shka9$ file data_zcat_2 data_zcat_2: POSIX tar archive (GNU) bandit12@csmckay.us:/tmp/kan1shka9$ tar xvf data_zcat_2 data5.bin bandit12@csmckay.us:/tmp/kan1shka9$ file data5.bin data5.bin: POSIX tar archive (GNU) bandit12@csmckay.us:/tmp/kan1shka9$ tar xvf data5.bin data6.bin bandit12@csmckay.us:/tmp/kan1shka9$ file data6.bin data6.bin: bzip2 compressed data, block size = 900k bandit12@csmckay.us:/tmp/kan1shka9$ bzip2 -d data6.bin bzip2: Can't guess original name for data6.bin -- using data6.bin.out bandit12@csmckay.us:/tmp/kan1shka9$ file data6.bin.out data6.bin.out: POSIX tar archive (GNU) bandit12@csmckay.us:/tmp/kan1shka9$ tar xvf data6.bin.out data8.bin bandit12@csmckay.us:/tmp/kan1shka9$ file data8.bin data8.bin: gzip compressed data, was "data9.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression bandit12@csmckay.us:/tmp/kan1shka9$ zcat data8.bin > data8_zcat bandit12@csmckay.us:/tmp/kan1shka9$ file data8_zcat data8_zcat: ASCII text bandit12@csmckay.us:/tmp/kan1shka9$ cat data8_zcat The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL bandit12@csmckay.us:/tmp/kan1shka9$

Key Takeaways

gzip decompress

$ zcat in_file > out_file

bzip2 decompress

$ bzip2 -d file

tar decompress

$ tar xvf file

References https://en.wikipedia.org/wiki/Hex_dump

Bandit Level 13 → Level 14

Level Goal
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on

➜ ~ ssh bandit13@bandit.labs.overthewire.org -p 2220 bandit13@csmckay.us:~$ ls sshkey.private bandit13@csmckay.us:~$ file sshkey.private sshkey.private: PEM RSA private key bandit13@csmckay.us:~$ cat sshkey.private -----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEAxkkOE83W2cOT7IWhFc9aPaaQmQDdgzuXCv+ppZHa++buSkN+ gg0tcr7Fw8NLGa5+Uzec2rEg0WmeevB13AIoYp0MZyETq46t+jk9puNwZwIt9XgB ZufGtZEwWbFWw/vVLNwOXBe4UWStGRWzgPpEeSv5Tb1VjLZIBdGphTIK22Amz6Zb ThMsiMnyJafEwJ/T8PQO3myS91vUHEuoOMAzoUID4kN0MEZ3+XahyK0HJVq68KsV ObefXG1vvA3GAJ29kxJaqvRfgYnqZryWN7w3CHjNU4c/2Jkp+n8L0SnxaNA+WYA7 jiPyTF0is8uzMlYQ4l1Lzh/8/MpvhCQF8r22dwIDAQABAoIBAQC6dWBjhyEOzjeA J3j/RWmap9M5zfJ/wb2bfidNpwbB8rsJ4sZIDZQ7XuIh4LfygoAQSS+bBw3RXvzE pvJt3SmU8hIDuLsCjL1VnBY5pY7Bju8g8aR/3FyjyNAqx/TLfzlLYfOu7i9Jet67 xAh0tONG/u8FB5I3LAI2Vp6OviwvdWeC4nOxCthldpuPKNLA8rmMMVRTKQ+7T2VS nXmwYckKUcUgzoVSpiNZaS0zUDypdpy2+tRH3MQa5kqN1YKjvF8RC47woOYCktsD o3FFpGNFec9Taa3Msy+DfQQhHKZFKIL3bJDONtmrVvtYK40/yeU4aZ/HA2DQzwhe ol1AfiEhAoGBAOnVjosBkm7sblK+n4IEwPxs8sOmhPnTDUy5WGrpSCrXOmsVIBUf laL3ZGLx3xCIwtCnEucB9DvN2HZkupc/h6hTKUYLqXuyLD8njTrbRhLgbC9QrKrS M1F2fSTxVqPtZDlDMwjNR04xHA/fKh8bXXyTMqOHNJTHHNhbh3McdURjAoGBANkU 1hqfnw7+aXncJ9bjysr1ZWbqOE5Nd8AFgfwaKuGTTVX2NsUQnCMWdOp+wFak40JH PKWkJNdBG+ex0H9JNQsTK3X5PBMAS8AfX0GrKeuwKWA6erytVTqjOfLYcdp5+z9s 8DtVCxDuVsM+i4X8UqIGOlvGbtKEVokHPFXP1q/dAoGAcHg5YX7WEehCgCYTzpO+ xysX8ScM2qS6xuZ3MqUWAxUWkh7NGZvhe0sGy9iOdANzwKw7mUUFViaCMR/t54W1 GC83sOs3D7n5Mj8x3NdO8xFit7dT9a245TvaoYQ7KgmqpSg/ScKCw4c3eiLava+J 3btnJeSIU+8ZXq9XjPRpKwUCgYA7z6LiOQKxNeXH3qHXcnHok855maUj5fJNpPbY iDkyZ8ySF8GlcFsky8Yw6fWCqfG3zDrohJ5l9JmEsBh7SadkwsZhvecQcS9t4vby 9/8X4jS0P8ibfcKS4nBP+dT81kkkg5Z5MohXBORA7VWx+ACohcDEkprsQ+w32xeD qT1EvQKBgQDKm8ws2ByvSUVs9GjTilCajFqLJ0eVYzRPaY6f++Gv/UVfAPV4c+S0 kAWpXbv5tbkkzbS0eaLPTKgLzavXtQoTtKwrjpolHKIHUz6Wu+n4abfAIRFubOdN /+aLoRQ0yBDRbdXMsZN/jvY44eM+xRLdRVyMmdPtP8belRi2E2aEzA== -----END RSA PRIVATE KEY----- bandit13@csmckay.us:~$ ssh bandit14@localhost -i sshkey.private -p 2220 bandit14@csmckay.us:~$ cat /etc/bandit_pass/bandit14 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e bandit14@csmckay.us:~$

Reference https://help.ubuntu.com/community/SSH/OpenSSH/Keys

Bandit Level 14 → Level 15

Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

bandit14@csmckay.us:~$ nc localhost 30000 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e Correct! BfMYroe26WYalil77FoDi9qh59eK5xNr bandit14@csmckay.us:~$

Reference https://www.youtube.com/watch?v=7_LPdttKXPc http://computer.howstuffworks.com/web-server5.htm https://en.wikipedia.org/wiki/IP_address https://en.wikipedia.org/wiki/Localhost http://computer.howstuffworks.com/web-server8.htm https://en.wikipedia.org/wiki/Port_(computer_networking)

Bandit Level 15 → Level 16

Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…

bandit14@csmckay.us:~$ openssl s_client -connect localhost:30001 -ign_eof CONNECTED(00000003) depth=0 CN = li190-250.members.linode.com verify error:num=18:self signed certificate verify return:1 depth=0 CN = li190-250.members.linode.com verify return:1


Certificate chain 0 s:/CN=li190-250.members.linode.com i:/CN=li190-250.members.linode.com


Server certificate -----BEGIN CERTIFICATE----- MIIC3jCCAcagAwIBAgIJAI5QiWZw4YHbMA0GCSqGSIb3DQEBCwUAMCcxJTAjBgNV BAMTHGxpMTkwLTI1MC5tZW1iZXJzLmxpbm9kZS5jb20wHhcNMTQxMTE0MTAyODA0 WhcNMjQxMTExMTAyODA0WjAnMSUwIwYDVQQDExxsaTE5MC0yNTAubWVtYmVycy5s aW5vZGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsKmy9o5z WU+1EH7Z3bB5TGQA+16zXDcEJy6tZWZ8CDrRyQXiahendp45BWUc/ZuLDo0+B3Wt ZXjofmLw/F4fmR+8X1s1fQZX2dFt920qEm7LxqzWd0c7FdHiBwwRrwhkk+3cQpOB TTGdLWEgpdmwwNZDTUdsDLzjDczPnju6T6p6ArTECztPbmTjfY4QIRtC6capL1Z+ yPJSQVAuAMEX1wTDWTGdm0VV7oW4F5cGZutf6QAP51jdhSyZuGilIPHbnj0l6Qc7 a7+OtEsEGi31aJ8KpRf7LNZ7DXCuoB3Hf75Pd6VjDgoOIagcH0NYqa75gEjBkGzs ktLWykT7ag7fKwIDAQABow0wCzAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IB AQCaZdUNAj8WDEKWdoU3LNXUBJlTJwiWBrh550PbHSQORcCz2K0kiMei1A4ojK2N dMHFGAqAeUEaxtz92p2BoFpZasAtdSa3u63tBckFhfUolIS1TC7Cj51y19ysTeep fGPFpuPCVqVPsruei8Z/iqn3bFIhQQdmumeePZQdPMwZSWHNVYC5XODd7PvNDrDu 5MZJjkz4+6LbwwAvyew62meFN2QEsYbK2Brtbhze+IjE27FGWlSw4K3jlwa409MD MTf4JU41ELaYY8G/LSNDJsBVhhkHzvXR9iCbXxNz3IL0dQDNj7h4LKhBy0q7hvqg kDzwlmBO4WKSmCAuky44cXmd -----END CERTIFICATE----- subject=/CN=li190-250.members.linode.com issuer=/CN=li190-250.members.linode.com --- No client certificate CA names sent --- SSL handshake has read 1714 bytes and written 637 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : SSLv3 Cipher : DHE-RSA-AES256-SHA Session-ID: 3D3C8090F26497A5D8EC930C9D4B09A577BE6E4872070FE6FB59CB073B6F9EDA Session-ID-ctx: Master-Key: E73F17121DE4869A375F9683213BD9C6F742B74819AD2A2AD69A37931DA57499C45CFFDAAEB1AE708EE83C6082EB67A2 Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1495332494 Timeout : 300 (sec) Verify return code: 18 (self signed certificate) --- BfMYroe26WYalil77FoDi9qh59eK5xNr Correct! cluFn7wTiGryunymYOu4RcffSxQluehdread:errno=0 bandit14@csmckay.us:~$

-ign_eof

Inhibit shutting down the connection when end of file is reached in the input.

References https://en.wikipedia.org/wiki/Transport_Layer_Security https://www.feistyduck.com/library/openssl-cookbook/online/ch-testing-with-openssl.html

Bandit Level 16 → Level 17

Level Goal
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

bandit14@csmckay.us:~$ nmap -sT -A -p 31000-32000 localhostStarting Nmap 6.40 ( http://nmap.org ) at 2017-05-21 02:18 UTC Nmap scan report for localhost (127.0.0.1) Host is up (0.00037s latency). Not shown: 996 closed ports PORT STATE SERVICE VERSION 31046/tcp open echo 31518/tcp open msdtc Microsoft Distributed Transaction Coordinator (error) 31691/tcp open echo 31790/tcp open msdtc Microsoft Distributed Transaction Coordinator (error) 31960/tcp open echo Service Info: OS: Windows; CPE: cpe:/o:microsoft:windowsService detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 41.29 seconds bandit14@csmckay.us:~$ openssl s_client -connect localhost:31790 CONNECTED(00000003) depth=0 CN = li190-250.members.linode.com verify error:num=18:self signed certificate verify return:1 depth=0 CN = li190-250.members.linode.com verify return:1


Certificate chain 0 s:/CN=li190-250.members.linode.com i:/CN=li190-250.members.linode.com


Server certificate -----BEGIN CERTIFICATE----- MIIC3jCCAcagAwIBAgIJAI5QiWZw4YHbMA0GCSqGSIb3DQEBCwUAMCcxJTAjBgNV BAMTHGxpMTkwLTI1MC5tZW1iZXJzLmxpbm9kZS5jb20wHhcNMTQxMTE0MTAyODA0 WhcNMjQxMTExMTAyODA0WjAnMSUwIwYDVQQDExxsaTE5MC0yNTAubWVtYmVycy5s aW5vZGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsKmy9o5z WU+1EH7Z3bB5TGQA+16zXDcEJy6tZWZ8CDrRyQXiahendp45BWUc/ZuLDo0+B3Wt ZXjofmLw/F4fmR+8X1s1fQZX2dFt920qEm7LxqzWd0c7FdHiBwwRrwhkk+3cQpOB TTGdLWEgpdmwwNZDTUdsDLzjDczPnju6T6p6ArTECztPbmTjfY4QIRtC6capL1Z+ yPJSQVAuAMEX1wTDWTGdm0VV7oW4F5cGZutf6QAP51jdhSyZuGilIPHbnj0l6Qc7 a7+OtEsEGi31aJ8KpRf7LNZ7DXCuoB3Hf75Pd6VjDgoOIagcH0NYqa75gEjBkGzs ktLWykT7ag7fKwIDAQABow0wCzAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IB AQCaZdUNAj8WDEKWdoU3LNXUBJlTJwiWBrh550PbHSQORcCz2K0kiMei1A4ojK2N dMHFGAqAeUEaxtz92p2BoFpZasAtdSa3u63tBckFhfUolIS1TC7Cj51y19ysTeep fGPFpuPCVqVPsruei8Z/iqn3bFIhQQdmumeePZQdPMwZSWHNVYC5XODd7PvNDrDu 5MZJjkz4+6LbwwAvyew62meFN2QEsYbK2Brtbhze+IjE27FGWlSw4K3jlwa409MD MTf4JU41ELaYY8G/LSNDJsBVhhkHzvXR9iCbXxNz3IL0dQDNj7h4LKhBy0q7hvqg kDzwlmBO4WKSmCAuky44cXmd -----END CERTIFICATE----- subject=/CN=li190-250.members.linode.com issuer=/CN=li190-250.members.linode.com --- No client certificate CA names sent --- SSL handshake has read 1714 bytes and written 637 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : SSLv3 Cipher : DHE-RSA-AES256-SHA Session-ID: 20CA4FD2722C9FC893DECEE1CA87C16F698563B7116265F39D48D3D8F6853EAF Session-ID-ctx: Master-Key: FE0F0C093E12801D5CF052F1734410396EF1D35B1C85BA0DA685ED8A990E62A96221321469CA02D4C7374A628EDEECE8 Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1495333239 Timeout : 300 (sec) Verify return code: 18 (self signed certificate) --- cluFn7wTiGryunymYOu4RcffSxQluehd Correct! -----BEGIN RSA PRIVATE KEY----- MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama +TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT 8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM 77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3 vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY= -----END RSA PRIVATE KEY-----read:errno=0 bandit14@csmckay.us:~$

References https://en.wikipedia.org/wiki/Port_scanner

Bandit Level 17 → Level 18

Level Goal
There are 2 files in the home directory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new
NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19

➜ ~ touch sshkey.private ➜ ~ nano sshkey.private ➜ ~ cat sshkey.private -----BEGIN RSA PRIVATE KEY----- MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama +TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT 8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM 77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3 vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY= -----END RSA PRIVATE KEY----- ➜ ~ chmod 600 sshkey.private ➜ ~ ssh bandit17@bandit.labs.overthewire.org -p 2220 -i sshkey.private bandit17@csmckay.us:~$ ls passwords.new passwords.old bandit17@csmckay.us:~$ file * passwords.new: ASCII text passwords.old: ASCII text bandit17@csmckay.us:~$ diff passwords.new passwords.old 42c42 < kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd ---

BS8bqB1kqkinKJjuxL6k072Qq9NRwQpR bandit17@csmckay.us:~$

Bandit Level 18 → Level 19

Level Goal
The password for the next level is stored in a file readme in the home directory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

➜ ~ ssh bandit18@bandit.labs.overthewire.org -p 2220 Byebye ! ➜ ~ ssh bandit18@bandit.labs.overthewire.org -p 2220 lsThis is the OverTheWire game server. More information on http://www.overthewire.org/wargamesPlease note that wargame usernames are no longer level, but wargamename e.g. vortex4, semtex2, ...Note: at this moment, blacksun is not available.bandit18@bandit.labs.overthewire.org's password: readme ➜ ~ ssh bandit18@bandit.labs.overthewire.org -p 2220 cat readmeThis is the OverTheWire game server. More information on http://www.overthewire.org/wargamesPlease note that wargame usernames are no longer level, but wargamename e.g. vortex4, semtex2, ...Note: at this moment, blacksun is not available.bandit18@bandit.labs.overthewire.org's password: IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x ➜ ~

Bandit Level 19 → Level 20

Level Goal
To gain access to the next level, you should use the setuid binary in the home directory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

➜ ~ ssh bandit19@bandit.labs.overthewire.org -p 2220 bandit19@csmckay.us:~$ ls bandit20-do bandit19@csmckay.us:~$ file bandit20-do bandit20-do: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=08e74b8e092a91103efaab7916d75f08b887ab4d, not stripped bandit19@csmckay.us:~$ ls -la bandit20-do -rwsr-x--- 1 bandit20 bandit19 7370 Nov 14 2014 bandit20-do bandit19@csmckay.us:~$ ./bandit20-do Run a command as another user. Example: ./bandit20-do id bandit19@csmckay.us:~$ ./bandit20-do id uid=11019(bandit19) gid=11019(bandit19) euid=11020(bandit20) groups=11020(bandit20),11019(bandit19) bandit19@csmckay.us:~$ ./bandit20-do whoami bandit20 bandit19@csmckay.us:~$ ./bandit20-do cat /etc/bandit_pass/bandit20 GbKksEFF4yrVs6il55v6gwY5aVje5f0j bandit19@csmckay.us:~$

References https://en.wikipedia.org/wiki/Setuid

Bandit Level 20 → Level 21

Level Goal
There is a setuid binary in the home directory that does the following: it makes a connection to localhost on the port you specify as a command line argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
NOTE: To beat this level, you need to login twice: once to run the setuid command, and once to start a network daemon to which the setuid will connect.
NOTE 2: Try connecting to your own network daemon to see if it works as you think

➜ ~ ssh bandit20@bandit.labs.overthewire.org -p 2220 bandit20@csmckay.us:~$ ls -la suconnect -rwsr-x--- 1 bandit21 bandit20 8006 Nov 14 2014 suconnect bandit20@csmckay.us:~$ ./suconnect Usage: ./suconnect This program will connect to the given port on localhost using TCP. If it receives the correct password from the other side, the next password is transmitted back. bandit20@csmckay.us:~$

Password : gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr

Bandit Level 21 → Level 22

Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

➜ ~ ssh bandit21@bandit.labs.overthewire.org -p 2220 bandit21@csmckay.us:~$ ls bandit21@csmckay.us:~$ cd /etc/cron.d/ bandit21@csmckay.us:/etc/cron.d$ ls -l total 92 -r--r----- 1 root root 46 Nov 14 2014 behemoth4_cleanup -rw-r--r-- 1 root root 355 May 25 2013 cron-apt -rw-r--r-- 1 root root 61 Nov 14 2014 cronjob_bandit22 -rw-r--r-- 1 root root 62 Nov 14 2014 cronjob_bandit23 -rw-r--r-- 1 root root 61 May 3 2015 cronjob_bandit24 -rw-r--r-- 1 root root 62 May 3 2015 cronjob_bandit24_root -r--r----- 1 root root 47 Nov 14 2014 leviathan5_cleanup -rw------- 1 root root 233 Nov 14 2014 manpage3_resetpw_job -rw-r--r-- 1 root root 51 Nov 14 2014 melinda-stats -rw-r--r-- 1 root root 54 Jun 25 2016 natas-session-toucher -rw-r--r-- 1 root root 49 Jun 25 2016 natas-stats -r--r----- 1 root root 44 Jun 25 2016 natas25_cleanup -r--r----- 1 root root 47 Aug 3 2015 natas25_cleanup~ -r--r----- 1 root root 47 Jun 25 2016 natas26_cleanup -r--r----- 1 root root 43 Jun 25 2016 natas27_cleanup -rw-r--r-- 1 root root 510 Oct 29 2014 php5 -rw-r--r-- 1 root root 63 Jul 8 2015 semtex0-32 -rw-r--r-- 1 root root 63 Jul 8 2015 semtex0-64 -rw-r--r-- 1 root root 64 Jul 8 2015 semtex0-ppc -rw-r--r-- 1 root root 35 Nov 14 2014 semtex5 -rw-r--r-- 1 root root 396 Nov 10 2013 sysstat -rw-r--r-- 1 root root 29 Nov 14 2014 vortex0 -rw-r--r-- 1 root root 30 Nov 14 2014 vortex20 bandit21@csmckay.us:/etc/cron.d$ cat cronjob_bandit22 * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null bandit21@csmckay.us:/etc/cron.d$ cat /usr/bin/cronjob_bandit22.sh

!/bin/bash

chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv bandit21@csmckay.us:/etc/cron.d$ file /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv: ASCII text bandit21@csmckay.us:/etc/cron.d$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI bandit21@csmckay.us:/etc/cron.d$

Bandit Level 22 → Level 23

Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.

➜ ~ ssh bandit22@bandit.labs.overthewire.org -p 2220 bandit22@csmckay.us:~$ ls bandit22@csmckay.us:~$ cd /etc/cron.d bandit22@csmckay.us:/etc/cron.d$ ls -l total 92 -r--r----- 1 root root 46 Nov 14 2014 behemoth4_cleanup -rw-r--r-- 1 root root 355 May 25 2013 cron-apt -rw-r--r-- 1 root root 61 Nov 14 2014 cronjob_bandit22 -rw-r--r-- 1 root root 62 Nov 14 2014 cronjob_bandit23 -rw-r--r-- 1 root root 61 May 3 2015 cronjob_bandit24 -rw-r--r-- 1 root root 62 May 3 2015 cronjob_bandit24_root -r--r----- 1 root root 47 Nov 14 2014 leviathan5_cleanup -rw------- 1 root root 233 Nov 14 2014 manpage3_resetpw_job -rw-r--r-- 1 root root 51 Nov 14 2014 melinda-stats -rw-r--r-- 1 root root 54 Jun 25 2016 natas-session-toucher -rw-r--r-- 1 root root 49 Jun 25 2016 natas-stats -r--r----- 1 root root 44 Jun 25 2016 natas25_cleanup -r--r----- 1 root root 47 Aug 3 2015 natas25_cleanup~ -r--r----- 1 root root 47 Jun 25 2016 natas26_cleanup -r--r----- 1 root root 43 Jun 25 2016 natas27_cleanup -rw-r--r-- 1 root root 510 Oct 29 2014 php5 -rw-r--r-- 1 root root 63 Jul 8 2015 semtex0-32 -rw-r--r-- 1 root root 63 Jul 8 2015 semtex0-64 -rw-r--r-- 1 root root 64 Jul 8 2015 semtex0-ppc -rw-r--r-- 1 root root 35 Nov 14 2014 semtex5 -rw-r--r-- 1 root root 396 Nov 10 2013 sysstat -rw-r--r-- 1 root root 29 Nov 14 2014 vortex0 -rw-r--r-- 1 root root 30 Nov 14 2014 vortex20 bandit22@csmckay.us:/etc/cron.d$ cat cronjob_bandit23 * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null bandit22@csmckay.us:/etc/cron.d$ cat /usr/bin/cronjob_bandit23.sh

!/bin/bashmyname=$(whoami)

mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)echo "Copying password file /etc/bandit_pass/$myname to /tmp/$mytarget"cat /etc/bandit_pass/$myname > /tmp/$mytarget bandit22@csmckay.us:/etc/cron.d$ whoami bandit22 bandit22@csmckay.us:/etc/cron.d$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1 8ca319486bfbbc3663ea0fbe81326349 bandit22@csmckay.us:/etc/cron.d$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349 jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n bandit22@csmckay.us:/etc/cron.d$

The script is run as bandit23 and not bandit22. I missed that 👽

Bandit Level 23 → Level 24

Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…

➜ ~ ssh bandit23@bandit.labs.overthewire.org -p 2220 bandit23@csmckay.us:~$ cd /etc/cron.d bandit23@csmckay.us:/etc/cron.d$ ls -l total 92 -r--r----- 1 root root 46 Nov 14 2014 behemoth4_cleanup -rw-r--r-- 1 root root 355 May 25 2013 cron-apt -rw-r--r-- 1 root root 61 Nov 14 2014 cronjob_bandit22 -rw-r--r-- 1 root root 62 Nov 14 2014 cronjob_bandit23 -rw-r--r-- 1 root root 61 May 3 2015 cronjob_bandit24 -rw-r--r-- 1 root root 62 May 3 2015 cronjob_bandit24_root -r--r----- 1 root root 47 Nov 14 2014 leviathan5_cleanup -rw------- 1 root root 233 Nov 14 2014 manpage3_resetpw_job -rw-r--r-- 1 root root 51 Nov 14 2014 melinda-stats -rw-r--r-- 1 root root 54 Jun 25 2016 natas-session-toucher -rw-r--r-- 1 root root 49 Jun 25 2016 natas-stats -r--r----- 1 root root 44 Jun 25 2016 natas25_cleanup -r--r----- 1 root root 47 Aug 3 2015 natas25_cleanup~ -r--r----- 1 root root 47 Jun 25 2016 natas26_cleanup -r--r----- 1 root root 43 Jun 25 2016 natas27_cleanup -rw-r--r-- 1 root root 510 Oct 29 2014 php5 -rw-r--r-- 1 root root 63 Jul 8 2015 semtex0-32 -rw-r--r-- 1 root root 63 Jul 8 2015 semtex0-64 -rw-r--r-- 1 root root 64 Jul 8 2015 semtex0-ppc -rw-r--r-- 1 root root 35 Nov 14 2014 semtex5 -rw-r--r-- 1 root root 396 Nov 10 2013 sysstat -rw-r--r-- 1 root root 29 Nov 14 2014 vortex0 -rw-r--r-- 1 root root 30 Nov 14 2014 vortex20 bandit23@csmckay.us:/etc/cron.d$ cat cronjob_bandit24 * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null bandit23@csmckay.us:/etc/cron.d$ cat cronjob_bandit24_root * * * root /usr/bin/cronjob_bandit24_root.sh &> /dev/null bandit23@csmckay.us:/etc/cron.d$ cat /usr/bin/cronjob_bandit24.sh

!/bin/bashmyname=$(whoami)cd /var/spool/$myname

echo "Executing and deleting all scripts in /var/spool/$myname:" for i in * .*; do if [ "$i" != "." -a "$i" != ".." ]; then echo "Handling $i" timeout -s 9 60 "./$i" rm -f "./$i" fi donebandit23@csmckay.us:/etc/cron.d$

Solution Create a directory in the /tmp/ folder. Create a shell script to copy the /etc/bandit_pass/bandit24 to our /tmp/folder. Copy the shell script to /var/spool/bandit24/. Give the shell script and the /tmp/ folder appropriate permissions.

bandit23@csmckay.us:~$ mkdir /tmp/ooo bandit23@csmckay.us:~$ nano bandit24.sh bandit23@csmckay.us:~$ cat bandit24.sh

!/bin/bash

cat /etc/bandit_pass/bandit24 >> /tmp/ooo/level24 bandit23@csmckay.us:/tmp/ooo$ chmod 777 bandit24.sh bandit23@csmckay.us:/tmp/ooo$ cp bandit24.sh /var/spool/bandit24/ bandit23@csmckay.us:/tmp/ooo$ chmod 777 /tmp/ooo bandit23@csmckay.us:/tmp/ooo$ ls /var/spool/bandit24/ bandit24.sh <----After a couple of minutes----> bandit23@csmckay.us:/tmp/ooo$ ls /var/spool/bandit24/ bandit23@csmckay.us:/tmp/ooo$ ls bandit24.sh level24 bandit23@csmckay.us:/tmp/ooo$ cat level24 UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ bandit23@csmckay.us:/tmp/ooo$

Bandit Level 24 → Level 25

Level Goal
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.

➜ ~ ssh bandit24@bandit.labs.overthewire.org -p 2220 bandit24@csmckay.us:/tmp/24$ nc localhost 30002 I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space. UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 1234 Wrong! Please enter the correct pincode. Try again.

Shell script that generated the combination of password and pin

bandit24@csmckay.us:/tmp/24$ cat brute_force.sh

!/bin/bashfor i in {1..10000}do

echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i" >> ./out done bandit24@csmckay.us:/tmp/24$ more out UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 1 UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 2 UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 3 UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 4 UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 5 <----snip----> bandit24@csmckay.us:/tmp/24$ cat out | nc localhost 30002 I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space. Wrong! Please enter the correct pincode. Try again. Wrong! Please enter the correct pincode. Try again. Wrong! Please enter the correct pincode. Try again. Wrong! Please enter the correct pincode. Try again. Wrong! Please enter the correct pincode. Try again. Wrong! Please enter the correct pincode. Try again. <----snip----> Wrong! Please enter the correct pincode. Try again. Wrong! Please enter the correct pincode. Try again. Wrong! Please enter the correct pincode. Try again. Correct! The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzGExiting. bandit24@csmckay.us:/tmp/24$

Bandit Level 25 → Level 26

Level Goal
Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.

➜ ~ ssh bandit25@bandit.labs.overthewire.org -p 2220 bandit25@csmckay.us:~$ ls bandit26.sshkey bandit25@csmckay.us:~$ file bandit26.sshkey bandit26.sshkey: PEM RSA private key bandit25@csmckay.us:~$ ssh bandit26@localhost -p 2220 -i bandit26.sshkey <----snip---> _ _ _ | | | () | | \ / / | | _ | || | ) / / | ' \ / | '_ \ / _ | | | / / ' \ | |) | (| | | | | (| | | | / /| () | |_./ _,|| ||_,||__|_______/ Connection to localhost closed. bandit25@csmckay.us:~$

The moment we login in we are kicked out. So lets inspect the shell this user has.

bandit25@csmckay.us:~$ cat /etc/passwd | grep bandit26 bandit26:x:11026:11026:## Bandit Level 26:/home/bandit26:/usr/bin/showtext bandit25@csmckay.us:~$

It uses a custom shell called showtext

bandit25@csmckay.us:~$ cat /usr/bin/showtext

!/bin/shmore ~/text.txt

exit 0 bandit25@csmckay.us:~$

We can safely assume that the shell uses more to read banner and later exit the shell with an exit status 0. So the trick lies in the way we use more to access the next level. Going through the man page of more we discover that there is a built in editor.

v -> Start up an editor at current line. The editor is taken from the environment variable VISUAL if defined, or EDITOR if VISUAL is not defined, or defaults to "vi" if neither VISUAL nor EDITOR is defined.

If VISUAL is defines in the environment variable it will take that editor or it will use vi by default. So we need to use this to escape the shell and spawn /bin/bash.

Trigger more
Escape shell
Read flag

bandit25@csmckay.us:~$ ssh bandit26@localhost -p 2220 -i bandit26.sshkey

Make the terminal small enough to activate more. Press v to enter visual mode

:set shell=/bin/bash :shell

You will drop into a bash shell after this.

bandit26@csmckay.us:~$ ls README.txt text.txt bandit26@csmckay.us:~$ cat README.txt Congratulations on solving the last level of this game!At this moment, there are no more levels to play in this game. However, we are constantly working on new levels and will most likely expand this game with more levels soon. Keep an eye out for an announcement on our usual communication channels! In the meantime, you could play some of our other wargame

s.If you have an idea for an awesome new level, please let us know! bandit26@csmckay.us:~$

Happy Hacking !!!

Overthewire
Bandit
Wargames
Previous PostPost with a slider and lightbox
Next PostPost with YouTube Video
Comments (2)
John Doe
Posted at 15:32h, 06 December Reply

Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum.

John Doe
Posted at 15:32h, 06 December Reply

It is a long established fact that a reader will be distracted by the readable content of a page when looking at its layout. The point of using Lorem Ipsum is that it has a more-or-less normal

John Doe
Posted at 15:32h, 06 December Reply

There are many variations of passages of Lorem Ipsum available, but the majority have suffered alteration in some form, by injected humour, or randomised words which don't look even slightly believable. If you are going to use a passage of Lorem Ipsum, you need to be sure there isn't anything embarrassing hidden in the middle of text.

John Doe
Posted at 15:32h, 06 December Reply

The standard chunk of Lorem Ipsum used since the 1500s is reproduced below for those interested. Sections 1.10.32 and 1.10.33 from "de Finibus Bonorum et Malorum" by Cicero are also reproduced in their exact original form, accompanied by English versions from the 1914 translation by H. Rackham.

Leave a Comment