Levels 0-26. As of 5/24/16 there is no level 27.
Level 0
Login into remote server using ssh
Commands:
ssh username@host
The password is bandit0.
*SSH stands for "secure shell," an encrypted network protocol that allows a user to log in to a remote machine securely over an unsecured network.
Level 1
Find the password in the readme, use it to ssh into the next level
Commands:
View all the files. Note: In general, I use ls -la to see everything including hidden dotfiles. In this case it's not needed.
ls
cat readme
Output the content of the readme file to stdout. Since it's just the password we can get away with using cat; otherwise, if it were a lot of text, we could use less or more.
*Learning to list all files in a directory and output a file to stdout. cat stands for concatenate: it concatenates files and prints them to stdout.
You can ssh into the next level by using ssh username@localhost
Level 2
Find the password in a file called "-"
Commands:
First ls to see all the files; "-" is the only one. You cannot do cat -: - is a special name meaning stdin/stdout, so when used with cat it is taken as stdin rather than a filename. Go ahead, try cat - and you'll see the shell waiting for your input.
The solution is to prefix it with ./, meaning look in the current directory for a file called -:
cat ./-
*Note: you don't need to use all the commands that overthewire suggests in order to solve this level. You'll see they throw out red herrings in many levels.
Level 3
Find the password in a file called "spaces in this filename".
Commands:
cat spaces\ in\ this\ filename
*You can just hit Tab and let the shell complete the filename for you.
Level 4
Password hidden in /inhere
Commands:
ls -la
Shows all files in directory, including hidden dotfiles. We see a file called ".hidden"
cat .hidden or cat ./.hidden
Either works. In bash, the latter will tab-complete if you hit the Tab key.
Level 5
Find password in the only human readable file in the directory inhere
Commands:
cd inhere
ls -la
find ./ -type f | xargs file | grep text
This last command is the most important. It means: find, starting in this directory, everything of type f (a regular file); pipe the result to xargs, which reads the paths from stdin and passes them as arguments to file; pipe that output to grep, which keeps only the lines containing the string text.
Once you find the file
cat filename
Level 6
Find password in a file with certain specs.
Commands:
cd inhere
ls -la
find ./ -type f -size 1033c | xargs file | grep text
Find in this directory a regular file with a size of exactly 1033 bytes (-size 1033c); pipe the result to xargs file to identify each candidate; pipe that to grep to keep the one described as text.
cat filename
Level 7
Look for a file with certain specs.*
Commands:
ls -la
find ./ -user bandit7 -group bandit6 -size 33c 2>/dev/null
I cd'ed into the root directory; you could just say find / instead.
Find, starting in this directory, a file with the options: user = bandit7; group = bandit6; size = 33 bytes. The last bit, 2>/dev/null, redirects stderr (file descriptor 2) to /dev/null, which gets rid of garbage output such as 'Permission denied' errors for directories we can't read.
cat filename
Level 8
Grep with context a certain file*
Commands:
ls
grep millionth data.txt
This works because grep looks for a match to the expression, then outputs the entire line where it's found. If the file were formatted differently we would have to use the context flags -B and -A, each followed by a number of lines, to get the text around the hit.
Level 9
Grep a file for a unique string
Commands:
cat filename | sort | uniq -u
Output the file; sort the output (uniq only compares adjacent lines, so the input must be sorted); print only the line that occurs exactly once (the -u flag).
Level 10
Find in a file the password, convert from base64
Commands:
strings filename
base64 encoding takes binary data and translates it to characters (64 of 'em). Useful when sending using protocols that may interpret the binary as control characters, as some protocols (hello telnet) are made for streaming text.
I don't like this level; you have to parse through the output with your eyeballs since the password is on a totally different line and there are no hints. It's confusing.
Level 11
Decode file from base64
Commands:
base64 -d filename
Level 12
Learn about rot13!
Commands:
cat filename | tr 'a-zA-Z' 'n-za-mN-ZA-M'
Output a file; pipe the result to tr, which maps each character in the first set (lowercase a to z, uppercase A to Z) to the character at the same position in the second set, which starts at the 13th letter: n to z followed by a to m, and the same for uppercase. The sets are quoted so the shell doesn't try to expand them as filename patterns.
This is an example of a Caesar cipher, an early form of encryption that substitutes each letter with the one a fixed number of positions along the alphabet. ROT13 has a nice history of usage in the early days of the internet by newsgroups.
Level 13
Reverse hexdump; extract, extract, extract..
Commands:
mkdir /tmp/name
cd /tmp/name
xxd -r data.txt > result
file result
zcat result > new_result
file new_result
bzip2 -d new_result
ls
file new_result.out
zcat new_result.out > newer_result
file newer_result
tar -xvf newer_result
tar -xvf data5.bin
file data6.bin
bzip2 -d data6.bin
file data6.bin.out
tar -xvf data6.bin.out
file data8.bin.out
zcat data8.bin.out
Success! As irritating as this level is, the repetition is good for you (and bad for your carpal tunnel). Get in the habit of looking at the details of files, and extracting them.
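The same peel-until-readable loop as an added example in Python (not part of the walkthrough or of Bandit): it keys on the magic bytes that file reports for gzip, bzip2 and tar, and reverses an xxd hexdump the way xxd -r does. The nested sample, its file names and the placeholder contents are constructed here.

```python
import bz2
import gzip
import io
import tarfile

GZIP_MAGIC, BZIP2_MAGIC, TAR_OFFSET = b"\x1f\x8b", b"BZh", 257  # tar: b"ustar" at byte 257

def xxd_dump(data: bytes) -> str:
    """Format bytes like `xxd`: offset, 8 groups of 2 bytes, then an ASCII column."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        groups = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {groups:<39}  {text}")
    return "\n".join(lines)

def xxd_reverse(dump: str) -> bytes:
    """Undo the hexdump (the `xxd -r data.txt` step): keep only the hex column."""
    out = bytearray()
    for line in dump.splitlines():
        out += bytes.fromhex(line.split(":", 1)[1][1:40].replace(" ", ""))  # drop offset and ASCII
    return bytes(out)

def peel(data: bytes):
    """Strip wrappers until nothing is gzip/bzip2/tar, as `file` guides each step; returns (layers, bytes)."""
    layers = []
    while True:
        if data.startswith(GZIP_MAGIC):
            layers.append("gzip"); data = gzip.decompress(data)
        elif data.startswith(BZIP2_MAGIC):
            layers.append("bzip2"); data = bz2.decompress(data)
        elif data[TAR_OFFSET:TAR_OFFSET + 5] == b"ustar":
            with tarfile.open(fileobj=io.BytesIO(data)) as tar:
                member = next(m for m in tar.getmembers() if m.isfile())
                layers.append("tar:" + member.name)
                data = tar.extractfile(member).read()
        else:
            return layers, data

def wrap_tar(name: str, payload: bytes) -> bytes:  # constructed helper: a one-member archive
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name); info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

# Constructed sample in the level's shape: text -> tar -> gzip -> bzip2 -> tar -> gzip -> hexdump
SECRET = b"The password is: <constructed placeholder, not a Bandit password>\n"
NESTED = gzip.compress(wrap_tar("data5.bin", bz2.compress(gzip.compress(wrap_tar("data6.bin", SECRET)))))
SAMPLE_DUMP = xxd_dump(NESTED)  # plays the role of data.txt
```

peel(xxd_reverse(SAMPLE_DUMP)) returns the list of layers it went through and the innermost bytes; on real data the loop stops the moment the content is no longer one of the three formats, which is exactly when you should run file by hand again.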
Level 13
Use ssh to get the next level password
Commands:
ssh -i sshkey.private bandit14@localhost
cat /etc/bandit_pass/bandit14
The -i flag means identity file: the filename of the file holding your private key; then username@server as usual. You drop into the bandit14 shell and read the password file.
Level 14
Using the password we have, submit it to a specific port on localhost.
Commands:
telnet -l bandit15 localhost 30000
(then type the password at the prompt)
I chose to use telnet since we are just sending a small string to the port.
Level 15
Connect to a specific port using SSL
Commands:
openssl s_client -connect localhost:30001 -ign_eof
(then type the password)
An intro to the secure sockets layer (SSL), a network protocol for secure networking. The -ign_eof flag is needed because it tells the client to ignore end of file on its input and keep the connection alive; otherwise you will get an error.
Breaking it down: openssl is the toolkit; s_client is its SSL/TLS client; -connect names the host and port, here a specific port on localhost; -ign_eof ignores the end of file.
Level 16
Scan ports within a range on a specific server; find the ones using SSL; find the only one that doesn't echo.
Commands:
nmap -p 31000-32000 localhost -sV
openssl s_client -connect localhost:31518
(type the password)
openssl s_client -connect localhost:31790
(type the password)
cd /tmp/dir_name/
touch sshkey.private
chmod 600 sshkey.private
nano sshkey.private (paste your RSA key there, save, and exit nano)
ssh -i sshkey.private bandit17@localhost
Intro to nmap for port scanning. The -sV flag probes each open port to report what service is running on it. I ignored anything listed as echo.
chmod 600 is necessary; otherwise you'll get a bad permissions error when ssh'ing into the bandit17 shell. 600 means only the owner can read and write the file.
Level 17
Get the diff between two files
Commands:
diff file1 file2
ssh bandit18@localhost
Level 18
cat the password from a file before you're logged out
Commands:
ssh bandit18@localhost cat readme
Appending a command to the ssh line makes the remote shell execute it and print the output before the connection closes.
Level 19
Get the password using a setuid binary file
Commands:
ls
./bandit20-do
./bandit20-do whoami
./bandit20-do cat /etc/bandit_pass/bandit20
Similar to what we learned in a previous level: we can peek at files by cat'ing them. The setuid binary runs with bandit20's permissions, and if we append our command to it we can cat the password we need.
Level 20
Use setuid and network daemon to get the password*
Commands:
Open 2 tabs in terminal as user bandit20.
In the first shell:
./suconnect
In the second shell:
nc -l 12345
In the first shell:
./suconnect 12345
In the second shell: type the password for level 20 (the bandit20 password) into the nc window.
Using TCP as the protocol we use netcat to listen on a specific port and connect to it using the setuid binary. A daemon is any process that runs in the background and isn't under the direct control of the user.
Level 21
Explore /etc/cron.d to find the script being executed and what it does.*
Commands:
cd /etc/cron.d
ls -la
cat ./cronjob_bandit22
cat /usr/bin/cronjob_bandit22.sh
cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Understanding shell scripts: chmod 644 makes a file readable by every user (and writable only by its owner); > writes a command's output to a file; &> /dev/null sends both stdout and stderr into what I call the garbage directory.
Level 22
Same as above.*
Commands:
cd /etc/cron.d
cat cronjob_bandit23
cat /usr/bin/cronjob_bandit23.sh
echo I am user bandit23 | md5sum | cut -d ' ' -f 1
cat /tmp/8ca319486bfbbc3663ea0fbe81326349
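The filename derivation the cron script performs, as an added example in Python (not code from the walkthrough or from Bandit); the Level 23 script does the same thing with whoami in place of a fixed name. The detail that trips people up is that echo ends its output with a newline, which md5sum hashes along with the text.

```python
import hashlib

def cron_target_for(user: str) -> str:
    """Reproduce `echo I am user <user> | md5sum | cut -d ' ' -f 1`.
    echo terminates its output with a newline, and md5sum hashes that byte too."""
    return hashlib.md5(f"I am user {user}\n".encode()).hexdigest()

def cron_target_path(user: str) -> str:
    """The /tmp file the cron script writes this user's password to."""
    return "/tmp/" + cron_target_for(user)

def hash_without_newline(user: str) -> str:
    """The different digest you get if the newline is dropped (echo -n, or a language
    that does not append one); a common reason the computed filename is 'not found'."""
    return hashlib.md5(f"I am user {user}".encode()).hexdigest()
```

cron_target_path("bandit23") gives the /tmp path used above, while hash_without_newline("bandit23") gives a digest that matches no file there.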
Level 23
Get the password using a cron job*
Commands:
cat cronjob_bandit24
cat /usr/bin/cronjob_bandit24.sh
cd /tmp/dir_name
touch script.sh
chmod 777 script.sh
nano script.sh
In the nano editor:
#!/bin/bash
cat /etc/bandit_pass/bandit24 >> /tmp/dir_name/bandit24
cp script.sh /var/spool/bandit24
ls
cat bandit24
Understanding shell scripts. The script in /var/spool/bandit24/ runs with bandit24's permissions, which we don't have as bandit23; that is why, when we cd into that directory, we can see there are many files but don't have permission to read them. Since the scripts in that directory get executed regularly by the cron job, we can simply drop in a script that cats the bandit24 password file into a directory we can read.
Level 24
Connect to a specific port on localhost and brute force a pin to get the password.*
Commands:
cd /tmp/dir_name/
touch script.sh
chmod 777 -R script.sh
nano script.sh
In nano:
#!/usr/bin/env ruby
# Try every four-digit pin against the daemon on port 30002 (password and pin, space-separated).
password = "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ"
vals = (0..9).to_a
pins = vals.repeated_permutation(4).to_a   # all 10000 pins, 0000 through 9999
pins.each do |pin|
  # shell out for each attempt; the trailing & backgrounds it, appending the reply to result
  system("echo #{password} #{pin.join('')} | nc localhost 30002 >> result &")
end
ruby ./script.sh
grep -A 1 Correct! result
This level was hard for me, not because of the scripting, but because I ran into errors that would terminate my script before it was finished, particularly the error [FATAL] Failed to create timer thread (errno: 11) and getting 'resource not available'.
I chose to write the script in Ruby; I wanted to use repeated permutation but could've just written a for loop. You can write a simple for loop in a bash script with brace expansion, or delimit your loop by initiating with 0 and ending with 9999.
Level 25
Commands:
ssh -i bandit26.sshkey bandit26@localhost
We get kicked out of the shell.
cd /etc/
cat passwd
Look for bandit26
cat passwd | grep bandit26
cat /usr/bin/showtext
resize terminal window to 30% or less
ssh -i bandit26.sshkey bandit26@localhost
more
v
:e /etc/bandit_pass/bandit26
The more command keeps us from being kicked out of the shell because the file is larger than the (shrunken) terminal can display, so more pauses and waits for input from the user before showing the rest of the file. While more waits for input we can give it additional commands, like v. v opens the vi text editor, and from there we can give a command to read a certain file and get the password.