Skip to content

Instantly share code, notes, and snippets.

@Grin941

Grin941/bandit.md

Last active January 20, 2021 15:45
Show Gist options
  • Save Grin941/8d11e7509c59af9459f2c6dd6858fa92 to your computer and use it in GitHub Desktop.
Save Grin941/8d11e7509c59af9459f2c6dd6858fa92 to your computer and use it in GitHub Desktop.
Download ZIP
Bandit game challenge
Raw
bandit.md

Bandit wargame

Level 0 -> Level 1

The password for the next level is stored in a file called readme located in the home directory.

$  ssh bandit0@bandit.labs.overthewire.org -p 2220
$  cat readme

Key: boJ9jbbUNNfktd78OOpsqOltutMc3MY1

Level 1 -> Level 2

The password for the next level is stored in a file called - located in the home directory

$ ssh bandit1@bandit.labs.overthewire.org -p 2220
$ cat ./-

Key: CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

Note:

pswd file is named as -. Using - as a filename to mean stdin/stdout is a convention that a lot of programs use. When cat sees the string - as a filename, it treats it as a synonym for stdin. So cat ./- to work around this.

Level 2 -> Level 3

The password for the next level is stored in a file called spaces in this filename located in the home directory

$ ssh bandit2@bandit.labs.overthewire.org -p 2220
$ cat spaces\ in\ this\ filename

Key: UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

Level 3 -> Level 4

The password for the next level is stored in a hidden file in the inhere directory.

$ ssh bandit3@bandit.labs.overthewire.org -p 2220
$ cd ~/inhere/ && cat .hidden

Key: pIwrPrtPN36QITSp3EQaw936yaFoFgAB

Level 4 -> Level 5

The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.

$ ssh bandit4@bandit.labs.overthewire.org -p 2220
$ cd ~/inhere/ && for f in ./*; do (cat $f; echo); done;

Key: koReBOKuIDDepwhWk7jZC0RTdopnAYKh

Level 5 -> Level 6

The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:

  • human-readable
  • 1033 bytes in size
  • not executable
$ ssh bandit5@bandit.labs.overthewire.org -p 2220
$ cd ~/inhere/ && for f in $(find /home/bandit5/inhere/maybehere* \! -executable -size 1033c); do (cat $f; echo); done;

Key: DXjZPULLxYr17uwoI01bNLQbtFemEgo7

Note:

  • \! -executable - not executable file
  • 1033c - c means in bytes

Level 6 -> Level 7

The password for the next level is stored somewhere on the server and has all of the following properties:

  • owned by user bandit7
  • owned by group bandit6
  • 33 bytes in size
$ ssh bandit6@bandit.labs.overthewire.org -p 2220
$ for f in $(find / -group bandit6 -user bandit7 -size 33c 2>/dev/null); do (cat $f; echo); done;

Key: HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

Level 7 -> Level 8

The password for the next level is stored in the file data.txt next to the word millionth

$ ssh bandit7@bandit.labs.overthewire.org -p 2220
$ cat data.txt | grep millionth

Key: cvX2JJa4CFALtqS87jk27qwqGhBM9plV

Level 8 -> Level 9

The password for the next level is stored in the file data.txt and is the only line of text that occurs only once

$ ssh bandit8@bandit.labs.overthewire.org -p 2220
$ cat data.txt | sort | uniq -u

Key: UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

Level 9 -> Level 10

The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.

$ ssh bandit9@bandit.labs.overthewire.org -p 2220
$ cat data.txt | grep -a '^=*'

Key: truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk

Level 10 -> Level 11

The password for the next level is stored in the file data.txt, which contains base64 encoded data

$ ssh bandit10@bandit.labs.overthewire.org -p 2220
$ base64 -d data.txt | cat

Key: IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

Level 11 -> Level 12

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions

$ ssh bandit11@bandit.labs.overthewire.org -p 2220
$ cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'

Key: 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

Level 12 -> Level 13

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)

$ ssh bandit12@bandit.labs.overthewire.org -p 2220
$ mkdir /tmp/asd
$ cp data.txt /tmp/asd
$ xxd -r data.txt > myfile.tgz
$ file myfile.tgz  (myfile.tgz: gzip compressed data, was "data2.bin")
$ gzip -d myfile.tgz
$ file myfile.tar  (myfile.tar: bzip2 compressed data)
$ bzip2 -d myfile.tar
$ file myfile.tar.out  (myfile.tar.out: gzip compressed data, was "data4.bin")
$ mv myfile.tar.out myfile.tgz
$ gzip -d myfile.tgz
$ file myfile.tar  (myfile.tar: POSIX tar archive (GNU))
$ tar -xvf myfile.tar
$ file data5.bin  (data5.bin: POSIX tar archive (GNU))
$ tar -xvf data5.bin
$ file data6.bin  (data6.bin: bzip2 compressed data)
$ bzip2 -d data6.bin
$ file data6.bin.out  (data6.bin.out: POSIX tar archive (GNU))
$ tar -xvf data6.bin.out
$ file data8.bin  (data8.bin: gzip compressed data)
$ mv data8.bin data8.tgz && gzip -d data8.tgz
$ file data8.tar  (data8.tar: ASCII text)
$ cat data8.tar

Key: 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

Level 13 -> Level 14

The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on

$ ssh bandit13@bandit.labs.overthewire.org -p 2220
$ ssh bandit14@localhost -p 2220 -i ./sshkey.private
$ cat /etc/bandit_pass/bandit14

Key: 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

Level 14 -> Level 15

The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

$ cat /etc/bandit_pass/bandit14 | ncat 127.0.0.1 30000

Key: BfMYroe26WYalil77FoDi9qh59eK5xNr

Level 15 -> Level 16

openssl cookbook

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…

NOTHING WORKS!!!!!!
port 30001 is closed (nmap -sV -vv -p 30000-30002 localhost shows only 30000, 30002 are opened)
$ openssl s_client -ign_eof -connect localhost:30001
140096159683840:error:0200206F:system library:connect:Connection refused:../crypto/bio/b_sock2.c:108:
140096159683840:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:109:
connect:errno=111

Key: cluFn7wTiGryunymYOu4RcffSxQluehd

Level 16 -> Level 17

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

NOTHING WORKS!!!!!!
$ openssl s_client -ign_eof -connect localhost:30001
140096159683840:error:0200206F:system library:connect:Connection refused:../crypto/bio/b_sock2.c:108:
140096159683840:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:109:
connect:errno=111

Key: cluFn7wTiGryunymYOu4RcffSxQluehd

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment