Hello and Assalamualaikum. Today we gonna try to play Bandit wargames. To start this game, you must connect to the server by using any SSH client such as putty or MobaXTerm. You can use any operating system such windows, linux and mac, but if you are running virtual machine, it may failed to connect to overthewire.org server if it is configured to NAT. You may resolve it by changing NAT to Bridged Adapter. Im using hackintosh, but it does not really a big deal 😆.

The first is just pretty straight forward. We just need to connect to bandit.labs.overthewire.org server with username: bandit0 and password bandit0 on port 2220.

ssh [email protected] -p 2220

Now we have to connect to the server with username: bandit1, but the password is stored on readme. Remember we already connect to bandit0 user before on level 0. So we can use find command to find specific file name. Then we can use ls to list out all files on current directory as you can see readme is on our current directory.

Then we can read the readme file by using cat command.

So the password for bandit1 is boJ9jbbUNNfktd78OOpsqOltutMc3MY1. Now we can ssh to the same server for bandit1 by using the password.

ssh [email protected] -p 2220

We are bandit1 now. If we run whoami command, it will tell you about the username for current user.

The goal is to find password for bandit2 on bandit1 home directory. If we try to list the file by using ls command, we can see a file named '-'. This is dashed filename and the way to read the file is by giving full path of the file. We can use pwd to know current path.

We also can use other syntax such as:

The password for next user is CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9 and try to ssh to bandit2.

ssh [email protected] -p 2220

On current directory, there is a file named space in the filename. The file name is containing spaces, and the way to read the file are by using quotes '' or escape \ for spaces. You also can type cat, type the first character of the file and press tab.

The password is UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK.

The goal is to find password on hidden file in inhere directory. Use cd to change directory and list out the file in currect directory. It will prompt nothing. The challenge already said that the file is a hidden file, so we can use ls -la to view hidden file.

As you can see, there are .hidden file, any file started with dot . will treat as hidden file. Thus, the password is pIwrPrtPN36QITSp3EQaw936yaFoFgAB.

The goal is to find password on a file that is stored in human-readable file in the inhere directory. You have to change directory to inhere folder and list out the files. If we try to read one of the file, it give garbage character. That is binary file which is cannot be represented in ASCII table. We can use file command to know what type of the file. The file type is data but we want ASCII file. We can use * to check all file.

As you can see, there is only one ASCII format on -file07. You also can use grep -i to grep only ASCII character. -i means ignore case.

So the password is koReBOKuIDDepwhWk7jZC0RTdopnAYKh.

The next goals to find password on somewhere file on inhere directory and the file have these properties:

1. human-readable
2. 1033 bytes in size
3. not executable

We can use find command to find specific file with specific properties.

find . -size 1033c -exec ls -sh {} + | xargs file | grep -i ascii

• find : command to find
• .(dot) : current directory
• 1033c : 1033 byte, c = byte, k = kilo can refer here
• -exec ls -sh {} + : list all file under directory with file size
• | : let you to have two or more command in one line
• grep -i : filter only ascii and ignore case sensitive

UPDATED: Add ! -executable to find non executable file. find . -size 1033c ! -executable -exec ls -sh {} + | xargs file | grep -i ascii

Only one file listed and you can read the file.

The password is DXjZPULLxYr17uwoI01bNLQbtFemEgo7.

The password for the next level is stored somewhere on the server and has all of the following properties:

1. owned by user bandit7
2. owned by group bandit6
3. 33 bytes in size

The hint is stored somewhere, this means we gonna find it on all directories. We can start to find it on root folder (/). If you confuse between / and /root, you can read here. In this challenge, we still use find command and some options.

find / -type f -group bandit6 -user bandit7 -size 33c -print 2>/dev/null

• find : command to find
• / : root directory, parent dir
• -type f : choose regular file type
• -group bandit6 : specify the user is bandit6
• -user bandit7 : specify the user is bandit7
• -size 33c : specify the size of the must 33byte. The flag can refer here
• -print 2>/dev/null : removes error or dont display error

Only one file found.

The password is HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs.

The password for the next level is stored in the file data.txt next to the word millionth. This is pretty straight forward. We just read the file and grep millionth.

cat data.txt | grep -i millionth

The password is cvX2JJa4CFALtqS87jk27qwqGhBM9plV.

The password for the next level is stored in the file data.txt and is the only line of text that occurs only once. This means we have to remove duplicate data and this can be archieve using sort and uniq -u to sort unique data.

The password is UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR.

The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters. If we try to read the file using cat, it will throw garbage character. Those characters are binary and cannot be converted into ASCII format.

To read ASCII character, we can use strings command to read human-readble text and filter '=' using grep.

The password is truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk.

The password for the next level is stored in the file data.txt, which contains base64 encoded data. We have to decode base64 format encoded using base64 -d, -d stands for decode. You can read more here.

The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR.

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions. This is classic CTF(Capture The Flag) questions which is called ROT13. We can decode the message using tr. 'A-Za-z' 'N-ZA-Mn-za-m' tell us to replace A to N, B to O and etc. You can read it more here.

cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'

The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu.

On this level, the password is stored on data.txt in hexdump format. Hexdump convert any binary or data into hex format and if you notice the data also contains ASCII text on the right side. The hint for this level is repeatly compressed, thus we have to repeatly decompress the file. First we have to covert the hexdump into binary file. At this moment, we dont know the type of the file, it can be zip file, png, jpeg, exe and etc. But first we have to create folder on tmp directory because on our current directory, we dont have permission to create file. Use mkdir to create directory and cp to copy file from source to destination.

mkdir /tmp/test
cp data.txt /tmp/test

Now we can convert the hexdump format into binary file using xxd -r to revert the hexdump and save it into a file named data. Then, use file to check the type of binary file. For this example, it is gzip file, thus we must rename the file extension to .gz. Then try to decompress the data.gz using gzip -d data.gz. Since it is repeatly compressed file, we have to repeadly decompress the file as well. The steps just involves:

1. check the type of binary file by using file.
2. rename the file extension based on first step.
3. decompress the file.
4. If the output file from decompressed is not an text file, repeat the process to step 1 again.

File extensions that involves are .gz, .bz2, and .tar only. Tools can use:

1. gzip -d : .gz only, -d stands for decode
2. bzip2 -d : .bzip2 only, -d stands for decode
3. tar xvf : .tar only, x-extract, v-verbose, f-file name type. details

The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL.

The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. There is a file named sshkey.private which contain RSA Private key. So we just have to copy the RSA file and save into our machine. Then, ssh to the server using bandit14 as the user.

ssh -i sshkey.private [email protected] -p 2220

Now we can read the password at /etc/bandit_pass/bandit14.

The password is 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e.

The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost. We can send data by using echo to send data and netcat nc to connect to the localhost. Ip address for the localhost is 127.0.0.1.

The password is BfMYroe26WYalil77FoDi9qh59eK5xNr.

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption. We can use openssl s_client to connect to the server that use SSL. Netcat does not support SSL.

echo "BfMYroe26WYalil77FoDi9qh59eK5xNr" | openssl s_client -connect 127.0.0.1:30001 -ign_eof

or

echo "BfMYroe26WYalil77FoDi9qh59eK5xNr" | openssl s_client -connect 127.0.0.1:30001 -quiet

You can see the password if you scroll untill the bottom. -ign_eof is for inhibit shutting down the connection when end of file is reached in the input. We also can use -quiet and the function same like -ign_eof but it does not print session and certification information.

The password is cluFn7wTiGryunymYOu4RcffSxQluehd.

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000.

1. Find out which ports is exists
2. Then find port who speak on SSL
3. Only one port will give the password, other will send back whatever you give.

To find open port in range 31000-32000 on server, we can use nmap to scan port on the network.

nmap -sV -T4 -v -p 31000-32000 127.0.0.1 

• -sV : scan service
• -T4 : Speed time
• -v : verbose mode
• -p : specify port range
• 127.0.0.1 : localhost ip address

If we scroll down, we'll there are 5 ports open, and two ports have SSL. One is SSl/echo and one is SSl/unknown.

We can try both ports, and the right one will not print back the data you sent before.

echo "cluFn7wTiGryunymYOu4RcffSxQluehd" | openssl s_client -connect 127.0.0.1:31790 -quiet

Now just copy the RSA KEY and save into a file name sshkey2.private or anything you like, give read and write permission using chmod, and try to connect to the server with bandit17 user.

chmod 600 sshkey2.private
ssh -i sshkey2.private [email protected] -p 2220

And thats it

There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new. You can use diff to find the difference in both files.

diff passwords.old passwords.new

The password is kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd.

The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH. We have to ssh to server using bash --noprofile to start a shell without any user configuration since someone already modified bash configuration. Read more here and here.

ssh [email protected] -p 2220 "bash --noprofile --norc"

The password is IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x.

To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary. After login, you can see there is a binary file. If we try to run, it says to give any command to run as other user.

When we try to read the password on /etc/bandit_pass/bandit20, it says permission denied. We dont have permission to read the password. Noted that when we use ls -la to check permission on password file, we can see only group bandit20 can read the password file. Thats why we cannot read the password file since we are bandit19.

But when we check permission on binary file, it has group bandit20, thus, we can read the password by using bandit20-do.

./bandit20-do cat /etc/bandit_pass/bandit20

The password is GbKksEFF4yrVs6il55v6gwY5aVje5f0j.

There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21). This level need you to run two separate terminal or split the terminal to see the differences. Im using iTerm2 to split the window, you can use Tmux or other terminal emulator.

First, on the left side, we gonna set a listener using nc on port 1234. You can use any port except other than already used by this server. Then on the right side, we gonna connect to the port 1234 using ./suconnect.

After that, on the left side, copy bandit20's password and paste on the terminal and press enter.

Then, the suconnect will check if the password is correct or not, icorrect, it will reply bandit21's password.

The password is gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr.

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed. First, when we see all data on /etc/cron.d/, there are multiple files in it, but there is only one file that we interested to which is cronjob_bandit22 since this challenge is level 22. After read the file, we found out that it will a execute bash file which is /usr/bin/cronjob_bandit22.sh.

Then, we try to read the file and found out it give permission to a file named /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv and put bandit22 password in it from /etc/bandit_pass/bandit22.

The password is Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI.

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed. Under /etc/cron.d/, we only interested on /etc/cron.d/cronjob_bandit23. After read the file, it execute a bash file named /usr/bin/cronjob_bandit23.sh.

Next we need to read /usr/bin/cronjob_bandit23.sh file. Based on the code, we know it store whoami value on myname variable, store md5 hash of myname on mytarget variable, print some data, and read password of current user then save on a file based on mytarget value. Right now we only want bandit23's password, and we only have execute permission on the file.

The solution for this is we going to create our own variable and change whoami to bandit23, because current user right now is bandit22. Now set mytarget into some kind of hash and print back the variable. The value of mytarget will be the password file name on /tmp/ directory.

myname="bandit23"
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo $mytarget
cat /tmp/8ca319486bfbbc3663ea0fbe81326349

The password is jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n.