Here are the notes I took while walking through OverTheWire's Bandit wargame.
Level0 -> Level1

```
bandit0@bandit:~$ cat readme
Congratulations on your first steps into the bandit game!!
Please make sure you have read the rules at https://overthewire.org/rules/
If you are following a course, workshop, walkthrough or other educational activity,
please inform the instructor about the rules as well and encourage them to
contribute to the OverTheWire community so we can keep these games free!

The password you are looking for is: ZjLjTmM6FvvyRnrb2rfNWOZOTa6ip5If
```
So the password is ZjLjTmM6FvvyRnrb2rfNWOZOTa6ip5If.
Level1 -> Level2

```
bandit1@bandit:~$ cat ./-
263JGJPfgU6LtdEvgfWU1XP5yac29mFx
```
Level2 -> Level3

```
bandit2@bandit:~$ cat ./'--spaces in this filename--'
MNk8KNH3Usiio41PRUEoDFPqfxLPlSmx
```
Level3 -> Level4

```
bandit3@bandit:~$ ls
inhere
bandit3@bandit:~$ ls -a ./inhere
.  ..  ...Hiding-From-You
bandit3@bandit:~$ cat ./inhere/...Hiding-From-You
2WmrDFRmJIq3IPxneAaMGhap0pFhF3NJ
```
Level4 -> Level5

```
bandit4@bandit:~/inhere$ ls
-file00  -file02  -file04  -file06  -file08
-file01  -file03  -file05  -file07  -file09
bandit4@bandit:~/inhere$ cat ./*
[binary garbage from the non-text files omitted]
4oQYVPkxZOOEOO5pTW81FB8j8lxXGUQw
[binary garbage omitted]
```
After some trial and error, I find this is the password: 4oQYVPkxZOOEOO5pTW81FB8j8lxXGUQw
Level5 -> Level6

```
bandit5@bandit:~/inhere$ cat $(find . -type f -size 1033c)
HWasnPhtq9AVKe0dmk45nxy20cvUa6EG
bandit5@bandit:~/inhere$
```
Here we should know that `-type f` selects regular files only, and `-size 1033c` selects files whose size is exactly 1033 bytes (the `c` suffix stands for char, i.e. bytes; without a suffix `find` counts in 512-byte blocks).
Level6 -> Level7

```
bandit6@bandit:/$ cat $(find . -type f -user bandit7 -group bandit6 -size 33c 2>/dev/null)
morbNTDkSW6jIlUc0ymOdMaLnOlFVAaj
```
Here we use `-user` and `-group` to filter for the file that is owned by a certain user and a certain group; `2>/dev/null` hides the permission-denied errors from directories we cannot read.
Level7 -> Level8

```
bandit7@bandit:~$ cat data.txt | grep millionth
millionth	dfwvzFQi4mU0wfNbFOe9RoWskMLg7eEc
```
Level8 -> Level9

```
bandit8@bandit:~$ sort data.txt | uniq -c | grep '1 '
      1 4CKMh1JI91bUIZZPXDqGanal4xvAg0JM
```
Level9 -> Level10

```
bandit9@bandit:~$ strings ./data.txt | grep '=='
========== the
========== password
Q========== is%
>u`9J========== FGUW5ilLVJrxX9kMYMmlN4MgbpfMiqey
```
Level10 -> Level11

```
bandit10@bandit:~$ base64 -d ./data.txt
The password is dtR173fZKb0RRsDFSGsg2RWnpNVj3qRr
```
Level11 -> Level12

```
bandit11@bandit:~$ cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'
The password is 7x16WNeHIi5YkIhWsfFIqoognUTyj9Q4
```
Level12 -> Level13

```
bandit12@bandit:/tmp/haoine159$ ls
data  data5.bin  data6.bin
bandit12@bandit:/tmp/haoine159$ file data
data: ASCII text
bandit12@bandit:/tmp/haoine159$ cat data
The password is FO5dwFsc0cbaIiH0h8J2eUks2vdTDwAn
```
In this level, data.txt is a hex dump of a file that has been compressed repeatedly, layer by layer, with different compression tools. So we need to check the file type with `file` and decompress it again and again, until it becomes an ASCII text file.
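The layered unwrapping just described, as an added example that is not part of the original notes: a Python script that reverses the xxd dump, identifies each layer by its magic bytes in place of `file` (assuming only the gzip, bzip2 and tar layers Bandit uses), and peels them off until plain text remains. It builds its own constructed sample instead of reading the level's data.txt.

```python
import binascii
import bz2
import gzip
import io
import tarfile

def parse_xxd(dump: str) -> bytes:
    # Reverse an xxd dump like `xxd -r`: keep the hex column, drop the ASCII column.
    hexparts = [l.split(":", 1)[1][1:40] if ":" in l else l for l in dump.splitlines()]
    return binascii.unhexlify("".join("".join(hexparts).split()))

def detect(data: bytes) -> str:
    # Stand-in for `file`, by magic bytes; assumption: only Bandit's formats occur.
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[:3] == b"BZh":
        return "bzip2"
    if len(data) >= 512 and data[257:262] == b"ustar":
        return "tar"
    return "ascii"

def unwrap_once(data: bytes) -> tuple:
    # Peel exactly one layer; returns (layer kind, inner bytes).
    kind = detect(data)
    if kind == "gzip":
        return kind, gzip.decompress(data)
    if kind == "bzip2":
        return kind, bz2.decompress(data)
    if kind == "tar":
        with tarfile.open(fileobj=io.BytesIO(data)) as tf:
            member = next(m for m in tf.getmembers() if m.isfile())
            return kind, tf.extractfile(member).read()
    return kind, data

def unwrap_hexdump(dump: str, max_layers: int = 32) -> tuple:
    # The level's loop: check type, decompress, repeat; max_layers bounds the work.
    data, layers = parse_xxd(dump), []
    for _ in range(max_layers):
        kind, data = unwrap_once(data)
        if kind == "ascii":
            return layers, data
        layers.append(kind)
    raise ValueError("gave up after %d layers" % max_layers)

def build_sample() -> str:
    # Constructed sample (not Bandit's data.txt): gzip(tar(bzip2(gzip(text)))),
    # rendered in xxd's canonical layout; the ASCII column is a dummy.
    inner = bz2.compress(gzip.compress(b"The password is EXAMPLE-NOT-A-REAL-ONE\n"))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo("data5.bin")
        info.size = len(inner)
        tf.addfile(info, io.BytesIO(inner))
    data = gzip.compress(buf.getvalue())
    return "\n".join(f"{off:08x}: {data[off:off + 16].hex(' ', -2):<39}  ........"
                     for off in range(0, len(data), 16))
```

`unwrap_hexdump(build_sample())` returns the list of layers peeled (outermost first) together with the recovered text.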
Level13 -> Level14

Log in as bandit14 using `ssh` with the private key, then cat the password file.

```
bandit13@bandit:~$ ssh -i sshkey.private -p 2220 bandit14@localhost
bandit14@bandit:/etc/bandit_pass$ ls
bandit0   bandit13  bandit18  bandit22  bandit27  bandit31  bandit6
bandit1   bandit14  bandit19  bandit23  bandit28  bandit32  bandit7
bandit10  bandit15  bandit2   bandit24  bandit29  bandit33  bandit8
bandit11  bandit16  bandit20  bandit25  bandit3   bandit4   bandit9
bandit12  bandit17  bandit21  bandit26  bandit30  bandit5
bandit14@bandit:/etc/bandit_pass$ cat bandit14
MU4VWeTyJk8ROof1qqmcBPaLh7lDCPvS
```
Level14 -> Level15

```
bandit14@bandit:~$ nc localhost 30000
MU4VWeTyJk8ROof1qqmcBPaLh7lDCPvS
Correct!
8xCjnmgoKbGLhHFAZlGE5Tmu4M2tKJQo
```
Level15 -> Level16

```
bandit15@bandit:~$ openssl s_client -connect localhost:30001
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = SnakeOil
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN = SnakeOil
verify return:1
---
Certificate chain
 0 s:CN = SnakeOil
   i:CN = SnakeOil
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 10 03:59:50 2024 GMT; NotAfter: Jun  8 03:59:50 2034 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=CN = SnakeOil
issuer=CN = SnakeOil
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2103 bytes and written 373 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self-signed certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    [session IDs, resumption PSKs and ticket hex dumps omitted; a second ticket of the same shape follows]
    Start Time: 1759460255
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
8xCjnmgoKbGLhHFAZlGE5Tmu4M2tKJQo
Correct!
kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx
closed
```
Level16 -> Level17

This challenge got me stuck, and I used AI to solve it:
```
bandit16@bandit:~$ pw='kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx'; for p in {31000..32000}; do
>   timeout 0.12 bash -c ">/dev/tcp/127.0.0.1/$p" 2>/dev/null || continue
>   echo "===== port $p ====="
>   if echo | timeout 2 openssl s_client -connect 127.0.0.1:$p 2>&1 | grep -qE 'BEGIN CERTIFICATE|SSL-Session|Server certificate'; then
>     printf "%s\n" "$pw" | timeout 3 openssl s_client -quiet -connect 127.0.0.1:$p 2>/dev/null || true
>   else
>     printf "%s\n" "$pw" | timeout 3 nc -w 2 127.0.0.1 $p 2>/dev/null || true
>   fi
> done
===== port 31046 =====
kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx
===== port 31518 =====
kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx
===== port 31691 =====
kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx
===== port 31790 =====
Correct!
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
-----END RSA PRIVATE KEY-----
===== port 31960 =====
kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx
```
Here we get an RSA private key instead of a password, so we save it on our local machine and use it to log in as bandit17:
```
$ echo "-----BEGIN RSA PRIVATE KEY-----
[the key printed by port 31790 above, pasted verbatim]
-----END RSA PRIVATE KEY-----" > key.1
$ chmod 600 key.1
$ ssh -i key.1 -p 2220 bandit17@bandit.labs.overthewire.org
```
Level17 -> Level18

```
bandit17@bandit:~$ diff $(ls)
42c42
< x2gLTTjFwMOhQ8oWNbMN362QKxfRqGlO
---
> gvE89l3AhAhg3Mi9G2990zGnn42c8v20
```
So the password of bandit18 is x2gLTTjFwMOhQ8oWNbMN362QKxfRqGlO.
Level18 -> Level19

```
❯ ssh -p 2220 bandit18@bandit.labs.overthewire.org "cat readme"
                         _                     _ _ _
                        | |__   __ _ _ __   __| (_) |_
                        | '_ \ / _` | '_ \ / _` | | __|
                        | |_) | (_| | | | | (_| | | |_
                        |_.__/ \__,_|_| |_|\__,_|_|\__|

                      This is an OverTheWire game server.
            More information on http://www.overthewire.org/wargames

backend: gibson-0
bandit18@bandit.labs.overthewire.org's password:
cGWpMaKXVwDUNgPAVJbWYuGHVn9zl3j8
```
Level19 -> Level20

```
bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO
```
Level20 -> Level21

```
bandit20@bandit:~$ nc -lvnp 12345 <<< "0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO" &
[1] 4129162
bandit20@bandit:~$ Listening on 0.0.0.0 12345
bandit20@bandit:~$ ./suconnect 12345
Connection received on 127.0.0.1 59596
Read: 0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO
Password matches, sending next password
EeoULMCra2q0dSkYj561DX7s1CpBuOBt
[1]+  Done                    nc -lvnp 12345 <<< "0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO"
```
Level21 -> Level22

```
bandit21@bandit:~$ ls /etc/cron.d
behemoth4_cleanup  cronjob_bandit24    otw-tmp-dir
clean_tmp          e2scrub_all         sysstat
cronjob_bandit22   leviathan5_cleanup
cronjob_bandit23   manpage3_resetpw_job
bandit21@bandit:~$ cat /etc/cron.d/cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
bandit21@bandit:~$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
bandit21@bandit:~$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
tRae0UfB9v0UzbCdn9cY0gQnds9GF58Q
```
Level22 -> Level23

```
bandit22@bandit:~$ ls /etc/cron.d
behemoth4_cleanup  cronjob_bandit24    otw-tmp-dir
clean_tmp          e2scrub_all         sysstat
cronjob_bandit22   leviathan5_cleanup
cronjob_bandit23   manpage3_resetpw_job
bandit22@bandit:~$ cat /etc/cron.d/cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
bandit22@bandit:~$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget
```
Here we can see that the script `/usr/bin/cronjob_bandit23.sh`, run by cron as bandit23 once every minute, copies the password of bandit23 into a file whose name is the MD5 hash of the string 'I am user bandit23' (exactly as `echo` prints it, trailing newline included). So we can compute that hash ourselves and cat the file.
```
bandit22@bandit:~$ cat /tmp/$(echo I am user bandit23 | md5sum | cut -d ' ' -f 1)
0Zf11ioIjMVN551jX3CmStKLYqjk54Ga
```
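An added example, not from the original notes, that reproduces the cron script's file-name derivation in Python (including the trailing newline that `echo` feeds to `md5sum`) and turns it into a defender's check for predictable, readable drop files. The scratch directory and placeholder password are constructed; nothing touches the real /tmp.

```python
import hashlib
import os
import stat
import tempfile

def predicted_name(user: str) -> str:
    # Reproduces `echo I am user $myname | md5sum | cut -d ' ' -f 1` from the cron
    # script. echo appends "\n" and md5sum hashes it too, so hashing the bare string
    # "I am user bandit23" would yield a different (wrong) file name.
    return hashlib.md5(f"I am user {user}\n".encode()).hexdigest()

def predicted_path(user: str, tmpdir: str = "/tmp") -> str:
    return os.path.join(tmpdir, predicted_name(user))

def audit_drop_files(users, tmpdir: str = "/tmp") -> dict:
    # Defender's check: for each user, does the predictable drop file exist, and is
    # it readable by other users? Either condition is what makes the cron job leak.
    findings = {}
    for user in users:
        path = predicted_path(user, tmpdir)
        if os.path.isfile(path):
            mode = os.stat(path).st_mode
            findings[user] = {"path": path, "world_readable": bool(mode & stat.S_IROTH)}
    return findings

def demo() -> dict:
    # Constructed scenario (hypothetical scratch dir, not the real /tmp): simulate one
    # run of cronjob_bandit23.sh with a placeholder password, then audit the directory.
    scratch = tempfile.mkdtemp()
    drop = predicted_path("bandit23", scratch)
    with open(drop, "w") as fh:
        fh.write("PLACEHOLDER-PASSWORD\n")
    os.chmod(drop, 0o644)  # readable by everyone, like the file in the notes above
    return audit_drop_files(["bandit22", "bandit23", "bandit24"], scratch)

if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports only bandit23, whose simulated drop file exists and is world-readable.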
Level23 -> Level24