Bandit
Level 0
The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.
ssh -p 2220 [email protected] Password: bandit0
Level 0 - Level 1
The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.
ls cat readme
Level 1 - Level 2
The password for the next level is stored in a file called - located in the home directory
ssh -p 2220 [email protected] Password: boJ9jbbUNNfktd78OOpsqOltutMc3MY1 ls -al cat ./-
Level 2 - Level 3
The password for the next level is stored in a file called spaces in this filename located in the home directory
ssh -p 2220 [email protected] password: CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9 cat spaces\ in\ this\ filename
Level 3 - Level 4
The password for the next level is stored in a hidden file in the inhere
directory.
ssh -p 2220 [email protected] Password: UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK cd inhere cat .hidden
Level 4 - Level 5
The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.
ssh -p 2220 [email protected] Password: pIwrPrtPN36QITSp3EQaw936yaFoFgAB cd inhere strings ./-file07
Level 5 - Level 6
The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:
- human-readable
- 1033 bytes in size
- not executable
ssh -p 2220 [email protected] Password: koReBOKuIDDepwhWk7jZC0RTdopnAYKh find inhere -type f -size 1033c ! -executable strings inhere/maybehere07/.file2
Level 6 - Level 7
The password for the next level is stored somewhere on the server and has all of the following properties:
- owned by user bandit7
- owned by group bandit6
- 33 bytes in size
ssh -p 2220 [email protected] Password: DXjZPULLxYr17uwoI01bNLQbtFemEgo7 find / -size 33c -user bandit7 -group bandit6 2>/dev/null cat /var/lib/dpkg/info/bandit7.password
Level 7 - Level 8
The password for the next level is stored in the file data.txt next to the word millionth
ssh -p 2220 [email protected] Password: HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs cat data.txt | grep millionth
Level 8 - Level 9
The password for the next level is stored in the file data.txt and is the only line of text that occurs only once.
ssh -p 2220 [email protected] Password: cvX2JJa4CFALtqS87jk27qwqGhBM9plV sort data.txt | uniq -u
Level 9 - Level 10
The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.
ssh -p 2220 [email protected] Password: UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR strings data.txt | grep -E "==+"
Level 10 - Level 11
The password for the next level is stored in the file data.txt, which contains base64 encoded data.
ssh -p 2220 [email protected] Password: truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk cat data.txt | base64 -d
Level 11 - Level 12
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions.
ssh -p 2220 [email protected] Password: IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'
Level 12 - Level 13
The password for the next level is stored in the file data.txt, which is a hex dump of a file that has been repeatedly compressed. For this level, it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)
ssh -p 2220 [email protected] Password: 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu mkdir /tmp/hello cp data.txt /tmp/hello cat data.txt |xxd -r >data2 file data2 mv data2 data2.gz gzip -dk data2.gz #1st Decompress file data2 bzip2 -d data2 #2nd Decompress file data2.out mv data2.out data3.gz gzip -dk data3.gz #3rd Decompress file data3 tar -xvf data3 #4th Decompress file data5.bin tar -xvf data5.bin #5th Decompress file data5.bin bzip2 -d data6.bin #6th Decompress file data6.bin.out tar -xvf data6.bin.out #7th Decompress file data8.bin mv data8.bin data8.gz gzip -dk data8.gz #8th Decompress file data8 cat data8
Check with
file command till you see the output compressed file. If you get an output named ASCII file, stop there.Level 13 - Level 14
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on.
ssh -p 2220 [email protected] Password: 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL ssh -i sshkey.private bandit14@localhost cat /etc/bandit_pass/bandit14
Level 14 - Level 15
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
Password: 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e telnet localhost 30000 (Paste the previous password code here) #Alternative Method echo "4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e" | nc localhost 30000
Level 15 - Level 16
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section on the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…
Password: BfMYroe26WYalil77FoDi9qh59eK5xNr openssl s_client -connect localhost:30001
Level 16 - Level 17
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First, find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
Password: cluFn7wTiGryunymYOu4RcffSxQluehd nmap -p 31000-32000 -v localhost nmap -p 31000-32000 -v localhost -sV
openssl s_client -connect localhost:31790 # Between the ports only 31518 and 31790 has SSL # But 31518 only echos. So 31790 is our port to get answer.
Level 17 - Level 18
There are 2 files in the home directory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new
NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19
Private Key for Bandit17 login :
chmod 400 bandit17.private ssh -i Documents/bandit17.private -p 2220 [email protected] diff passwords.new passwords.old cat /etc/shells
Level 18 - Level 19
The password for the next level is stored in a file readme in the home directory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
Password: kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd # As .bashrc has only access to bash shells. We will be using a different shell to log in. ssh -p 2220 [email protected] -t "/bin/sh" cat readme
Level 19 - Level 20
To gain access to the next level, you should use the setuid binary in the home directory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass) after you have used the setuid binary.
ssh -p 2220 [email protected] Password: IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x ./bandit20-do id ./bandit20-do cat /etc/bandit_pass/bandit20
Level 20 - Level 21
There is a setuid binary in the home directory that does the following: it makes a connection to localhost on the port you specify as a command-line argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password to the next level (bandit21).
NOTE: Try connecting to your own network daemon to see if it works as you think.
ssh -p 2220 [email protected] Password: GbKksEFF4yrVs6il55v6gwY5aVje5f0j echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | nc -nlvp 4444 & jobs #To see if the background process is running properly ps aux #Alternative of jobs ./suconnect 4444
Level 21 - Level 22
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
ssh -p 2220 [email protected] Password: gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr cd /etc/cron.d ls -al #cronjob_bandit22 suggests itself from its name cat cronjob_bandit22 #There is a path of the script file. Let's go... ls /usr/bin/cronjob_bandit22.sh -al cat /usr/bin/cronjob_bandit22.sh # As we can see now /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv file is only readable with 644 permission cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Level 22 - Level 23
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
ssh -p 2220 [email protected] Password: Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI cd /etc/cron.d/ ls -al # Here cronjob_bandit23 matches our choice cat cronjob_bandit23 cat /usr/bin/cronjob_bandit23.sh # We want password for bandit23 user so whoami will be bandit23 echo I am user bandit23 | md5sum | cut -d ' ' -f 1 # Run this in the terminal and get the value cat /tmp/8ca319486bfbbc3663ea0fbe81326349
Level 23 - Level 24
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…
ssh -p 2220 [email protected] Pasword: jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n cd /etc/cron.d/ ls -al cat cronjob_bandit24 cat /usr/bin/cronjob_bandit24.sh cd /var/spool ls -al mkdir /tmp/mine cd /tmp/mine touch password.txt chmod 666 password.txt touch whattodo.sh chmod 777 whattodo.sh vim whattodo.sh # Press I and Paste the below content -------------------------------------- #!/bin/bash cat /etc/bandit_pass/bandit24 > /tmp/mine/password.txt -------------------------------------- # Press Esc then type :wq to exit from vim and save ls -al # Cehck if all permissions are correct cp whattodo.sh /var/spool/bandit24/ ls -al /var/spool/bandit24/whattodo.sh # Wait for 1 min cat password.txt
Level 24 - Level 25
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pin code. There is no way to retrieve the Pincode except by going through all of the 10000 combinations, called brute-forcing.
ssh -p 2220 [email protected] Password: UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ nc localhost 30002 mkdir /tmp/lvl24 cd /tmp/lvl24 touch brute.sh vim brute.sh # Paste the below code in brute.sh ------------------------------------- #!/bin/bash for i in {0000..9999} do echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i" done ------------------------------------- chmod 777 brute.sh ./brute.sh >wordlist.txt nc localhost 30002 < wordlist.txt
Level 25 - Level 26
Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.
ssh -p 2220 [email protected] Password: uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG cat bandit26.sshkey# Copy Private key in your local system cat /etc/shells # /usr/bin/showtext looks new! cat /usr/bin/showtext # Logout from bandit25 # Login with that private key by making your terminal very small ssh -p 2220 [email protected] -i bandit26.private -t "/usr/bin/showtext" # Press v to open vim through less and type below command in vim :e /etc/bandit_pass/bandit26
Level 26 - Level 27
Good job getting a shell! Now hurry and grab the password for bandit27!
ssh -p 2220 [email protected] Password: 5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z # Login with small screen # Open vim and enter below command :set shell=/bin/bash :shell # Now you will get a bandit26 shell ./bandit27-do id ./bandit27-do cat /etc/bandit_pass/bandit27
Level 27 - Level 28
There is a git repository at
ssh://bandit27-git@localhost/home/bandit27-git/repo. The password for the user bandit27-git is the same as for the user bandit27.Clone the repository and find the password for the next level.
ssh -p 2220 [email protected] Password: 3ba3118a22e93127a4ed485be72ef5ea mkdir /tmp/git-bandit cd /tmp/git-bandit27 git clone ssh://bandit27-git@localhost/home/bandit27-git/repo cd repo ls -al cat README
Level 28 - Level 29
There is a git repository at
ssh://bandit28-git@localhost/home/bandit28-git/repo. The password for the user bandit28-git is the same as for the user bandit28.Clone the repository and find the password for the next level.
ssh -p 2220 [email protected] Password: 0ef186ac70e04ea33b4c1853d2526fa2 mkdir /tmp/lvl28 cd /tmp/lvl28 git clone ssh://bandit28-git@localhost/home/bandit28-git/repo cd repo cat README.md git logs git logs -p # Another option after git logs git reset --hard c086d11a00c0648d095d04c089786efef5e01264 cat README.md # Go back to previous commit hash
Level 29 - Level 30
There is a git repository at
ssh://bandit29-git@localhost/home/bandit29-git/repo. The password for the user bandit29-git is the same as for the user bandit29.Clone the repository and find the password for the next level.
ssh -p 2220 [email protected] Password: bbc96594b4e001778eee9975372716b2 mkdir /tmp/lvl29 cd /tmp/lvl29 git clone ssh://bandit29-git@localhost/home/bandit29-git/repo cd repo cat README.d git branch -a git checkout remotes/origin/dev cat README.md
Level 30 - Level 31
There is a git repository at
ssh://bandit30-git@localhost/home/bandit30-git/repo. The password for the user bandit30-git is the same as for the user bandit30.Clone the repository and find the password for the next level.
ssh -p 2220 [email protected] Password: 5b90576bedb2cc04c86a9e924ce42faf mkdir /tmp/lvl30 cd /tmp/lvl30 git clone ssh://bandit30-git@localhost/home/bandit30-git/repo cd repo cat README.md git tag git show secret
Level 31 - Level 32
There is a git repository at
ssh://bandit31-git@localhost/home/bandit31-git/repo. The password for the user bandit31-git is the same as for the user bandit31.Clone the repository and find the password for the next level.
ssh -p 2220 [email protected] Password: 47e603bb428404d265f59c42920d81e5 mkdir /tmp/lvl31 cd /tmp/lvl31 git clone ssh://bandit31-git@localhost/home/bandit31-git/repo cd repo cat README.md git branch -a # We are in same branch so no need to change touch key.txt echo "May I come in?" > key.txt git add key.txt #Oh! Noo!! It's added to .gitignore. Let's remove ls -al cat .gitignore vim .gitignore # Remove *.txt line in that file git add key.txt # Now it will work git commit -m "mypush" git push origin master
Level 32 - Level 33
After all this
git stuff its time for another escape. Good luck!ssh -p 2220 [email protected] Password: 56a9bf19c63d650ce78e6ec0354ee45e # Type $0 in terminal you will get a shell cat /etc/bandit_pass/bandit33
Want to know more about it? Click here
Level 33 - Level 34
At this moment, level 34 does not exist yet.
ssh -p 2220 [email protected] Password: c9c3199ddf4121b10cf581a98d51caee
Oops!! We just finished all levels till now.