OverTheWire — Bandit Wargames : All Level Walkthroughs (As of July 2019)

This is my write-up for overthewire.org bandit wargames.

About OverTheWire.Org Bandit Wargames
This game was designed in a ctf (capture the flag) format to help you learn the basics of linux and do so while having fun. Completing this wargame will also prepare for advanced levels of wargames. There are a total of 34 levels in bandit as of date. More maybe added in the future. Start from level 0. To move to the next higher level, find the key/flag (information/file/password) you get from the solving the current level.

Structure of the Walkthrough
Each level is broken in to 3 sections. The Level Goal, How to Complete and Lesson Learnt.
The Level Goal section sets the objective of the level.
The How to Complete provides detailed walkthrough to achieve the goal.
The Lesson Learnt section provides reference to commands used to solve the level and will enable further learning.

Recommendation:
Try to solve the level on your own. It is the only true way to learn. Use the lesson learnt section for each level to understand the command that would be useful to complete that level. If you are still stuck, go through the walk-through for the level.

Do note that there are many alternative means to achieve the objective. This walk-through details how I did it.

Enjoy learning!!

Level 0: Enter the Game

Link → Level 0

Level Goal
The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.

How to Complete
To connect from your linux station using ssh, use the command below:

ssh -p 2220 bandit0@bandit.labs.overthewire.org

Once you login, you will be greeted with a welcome banner with some basic rules and tips on how to play the game.

Lesson Learnt
ssh command

Level 0 -> Level 1

Link → Level 0 -> Level 1

Level Goal
The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.

How To Complete
When you ssh into a linux machine, you will normally be placed in your home directory. To confirm type in the command pwd to see you current (present) working directory. Use the command ls to list out your directory. You will find a file named readme. To read the content of the file type in cat readme. The content of the file will be displayed, which is the password for the next level.

Lesson Learnt
Linux directory navigation basics
cat command

Level 1 -> Level 2

Link → Level 1 -> Level 2

Level Goal
The password for the next level is stored in a file called ‘-’ located in the home directory

How To Complete
Similar to last level, though the file name is ‘ -’. In order to read this file, you will need to reference the file using relative/absolute path since the character ‘-’ may also reference to any parameters of the cat command.

Lesson Learnt
Linux directory navigation basics
cat command

Level 2 → Level 3

Link → Level 2 → Level 3

Level Goal
The password for the next level is stored in a file called spaces in this filename located in the home directory.

How To Complete
Similar to previous levels, the key for next level is available in a file in the home directory. The name of the file is ‘spaces in this filename’. When you try to cat out the filename as is, since there are spaces in the name of the file, the command assumes each word separated by space to be a separate file. To complete this task, include the name of the file inside single quotes (ie. ‘spaces in this filename’) as per screenshot below.

Lesson Learnt
Dealing with Filenames with spaces/special characters

Level 3 → Level 4

Link → Level 3 → Level 4

Level Goal
The password for the next level is stored in a hidden file in the inhere directory.

How To Complete
To begin this level, login to the bandit server with the username bandit3 and password received from the previous level.

Navigate to the inhere directory using cd. On listing the file & directories using just ‘ls’, we find that there doesn’t seem to be anything in it. To list out all files including hidden ones, use the -a switch for ‘ls’. A file named ‘.hidden’ is listed in the contents. Cat out the file to get the key for the next level.

Lesson Learnt
Dealing with Filenames with spaces/special characters

Level 4 → Level 5

Link → Level 4 → Level 5

Level Goal
The password for the next level is stored in the only human-readablefile in the inhere directory. Tip: if your terminal is messedup, try the “reset” command.

How To Complete
To begin this level, login to the bandit server with the username bandit4 and password received from the previous level.

Navigate to the directory inhere found in the home folder using cd. ‘ls’ reveals a list of 10 files all beginning with ‘-file0’ and ending with numbers 0–9. You could cat out each file individually to find the file containing human readable content, or you could use a wild card * in place of the numbers 0–9. The key to next level can be found in -file07 .

Lesson Learnt
Linux Wildcards

Level 5 → Level 6

Link → Level 5 → Level 6

Level Goal
The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:
• human-readable
• 1033 bytes in size
• not executable

How To Complete
To begin this level, login to the bandit server with the username bandit5 and password received from the previous level.

Navigate to the inhere directory within the home directory. On listing content, you will find 20 directories, each with a couple of files. The level goal specifies that the file size is 1033 byte. To search for a file of that size, use the command du with the switch ‘-ab’ to display all files and sizes in byte, pipe the output to grep to search for 1033. This produces a single line output with the path to the file containing the key to the next level.

Lesson Learnt
du command
grep command
How to pipe

Level 6 → Level 7

Link → Level 6 → Level 7

Level Goal
The password for the next level is stored somewhere on the server and has all of the following properties:
• owned by user bandit7
• owned by group bandit6
• 33 bytes in size

How To Complete
To begin this level, login to the bandit server with the username bandit6 and password received from the previous level.

No files will be found in the home directory. The clue is the user and group ownership info provided. To find a file using group and/or user info, use the find command with the test switches for users and/or groups. If this command is run as is, there will be a lot of error outputs due to insufficient permission to access. Redirect the error outputs to a temporary file which could be created in the tmp folder. This gives a single line output with the name and path of the file of interest. List out the file in list format, to see the file size is indeed 33 bytes. Cat the file to get the key to level 7.

Lesson Learnt
Create a directory
find command
Output Redirection

Level 7 → Level 8

Link → Level 7 → Level 8

Level Goal
The password for the next level is stored in the file data.txt next to the word millionth.

How To Complete
To begin this level, login to the bandit server with the username bandit7 and password received from the previous level.

A file named data.txt can be found in the home directory. If you cat out the file, it contains 98567 lines of data, each beginning with a word followed by a text with 33 characters. To find a single line which contains the word millionth and the key for level 8, cat out the file and pipe the output to grep for the word millionth.

Lesson Learnt
grep command
how to pipe
word count command

Level 8 → Level 9

Link → Level 8 → Level 9

Level Goal
The password for the next level is stored in the file data.txt and is the only line of text that occurs only once

How To Complete
To begin this level, login to the bandit server with the username bandit8 and password received from the previous level.

A file named data.txt could be found in the home directory. If you cat out the file, it contains 1001 lines of data. The level goal specifies that the line of interest occurs only once, which means that there are repeated data. To identify the unique line, cat out the file; pipe it to sort command to sort the output; pipe the sorted output to uniq command with the -u switch. The result will be a single line of text, which is the key for level 9.

Lesson Learnt
grep command
how to pipe
word count command
uniq command

Level 9 → Level 10

Link → Level 9 → Level 10

Level Goal
The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’characters.

How To Complete
To begin this level, login to the bandit server with the username bandit9 and password received from the previous level.

A file named data.txt could be found in the home directory. Use the command strings to extract only human readable output and pipe the result into grep to search for sequential occurrence of ‘=’ character.

Lesson Learnt
strings command
grep command
how to pipe

Level 10 → Level 11

Link → Level 10 → Level 11

Level Goal
The password for the next level is stored in the file data.txt, which contains base64 encoded data

How To Complete
To begin this level, login to the bandit server with the username bandit10 and password received from the previous level.

A file named data.txt could be found in the home directory. If you cat out the file, you will find the base64 encoded data. To decode use the base64 command with the -d switch. The output reveals the key for level 11.

Lesson Learnt
base64 command
Base64 basics

Level 11 → Level 12

Link → Level 11 → Level 12

Level Goal
The password for the next level is stored in the file data.txt,where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions.

How To Complete
To begin this level, login to the bandit server with the username bandit11 and password received from the previous level.

A file named data.txt could be found in the home directory. If you cat out the file, you will find a string of characters that makes no sense. The level goal provides the clue that the text has been transformed using rot-13 cipher, a substitution cipher which rotates the characters by 13 positions. To reverse this, we can use the ‘tr’ command by providing the original set and key set which would be rotated by 13 positions. For example, A,B,C,D.. becomes N,O,P,Q…. . Cat out the original text and pipe it into ‘tr’ with the translation set. The result will provide the key for the next level.

Lesson Learnt
tr command
ROT 13 cipher

Level 12 → Level 13

Link → Level 12 → Level 13

Level Goal
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)

How To Complete
To begin this level, login to the bandit server with the username bandit12 and password received from the previous level.

A file named data.txt could be found in the home directory. Since the file require multiple modification, create a new directory in the /tmp/ and copy data.txt over. Once copied navigate to the new directory. Cat output of the file shows a hex dump. Hex dump can be reversed using the command xxd with the ‘-r’ switch. Pipe the output of xxd into a new file data01. To check the file type of the output data01, use the ‘file’ command. It should inform that the file is a gzip compressed archive. To extract the content, use gunzip and pipe to data02. Check the file type extracted file data02 using ‘file’ command. This time, it should show that the file is bzip2 archive. To extract the content, use bunzip2 and pipe to data03. On checking the file type of data03, you should find that it is another gzip archive. On extraction of content of data03, you should get data04, which is a Posix tar archive. To extract the contents from data04, use the ‘tar’ command with the ‘-xf’ switch. A new file data5.bin extracted from data04 should be present in the directory. Repeat the above process a couple more times, until you find a file which is of file type ASCII text. The content of this file contains the key for level 13.

Lesson Learnt
How to copy files
xxd command
gzip and gunzip command
bzip2 and bunzip2 command
Output Redirection

Level 13 → Level 14

Link → Level 13 → Level 14

Level Goal
The password for the next level is stored in/etc/bandit_pass/bandit14 and can only be read by userbandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on.

How To Complete
To begin this level, login to the bandit server with the username bandit13 and password received from the previous level.

Once logged in, searching the home directory, you should find an ssh private key named sshkey.private. To login to level 14, you will need to use this ssh key. To connect to level 14, use ssh command with the ‘-i’ switch and specify the private key as a parameter. The username will be bandit14 and the server to connect to will be localhost. You should be able to login to level14 without being asked for a password. Once logged in, the password for the current level should be available in file bandit14 located at /etc/bandit_pass/ directory as mentioned in the login banner.

Lesson Learnt
ssh command

Level 14 → Level 15

Link → Level 14 → Level 15

Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

How To Complete
To begin this level, login to the bandit server with the username bandit14 and password received from the previous level.

The password of the current level is available in the file /etc/bandit_pass/bandit14. Cat out this file and pipe it’s content to the port 30000 on the localhost using ‘nc’ or ‘netcat’ command. The server should respond with the password for the next level.

Lesson Learnt
nc or netcat command

Level 15 → Level 16

Link → Level 15 → Level 16

Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption. Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…

How To Complete
To begin this level, login to the bandit server with the username bandit15 and password received from the previous level.

The password of the current level is available in the file /etc/bandit_pass/bandit15. In order to complete this, we need to establish an SSL connection to the local server at port 30001. We also need to pipe the password of the current level to this connection. To do this, use the command as follows:

cat /etc/bandit_pass/bandit15 | openssl s_client -connect -ign_eof localhost:30001

Lesson Learnt
man page
openssl command
Secure Socket Layer/Transport Layer Security on Wikipedia
OpenSSL Cookbook — Testing with OpenSSL

Level 16 → Level 17

Link → Level 16 → Level 17

Level Goal
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

How To Complete
To begin this level, login to the bandit server with the username bandit16 and password received from the previous level.

Once logged in, use nmap to search for open ports on the local host. You will find 2 ports that are open to connect. As before, the password for the current level is available at /etc/bandit_pass/bandit16. Cat the password out to an SSL connection to the listed ports using the OpenSSL command with the -quiet option. One of the ports will respond with a private key.

Re-run the command and direct the stdout to a new file in a new tmp directory.

Edit the file using vi/nano editor and remove the top most row. Change the permission on the file to read only for the current user using the chmod command. Use ssh and the private key to connect to level 17. Once in, get the key for level 17 from /etc/bandit_pass/bandit17.

Lesson Learnt
nmap tool
chmod command
vi editor
nano editor

Level 17 → Level 18

Link → Level 17 → Level 18

Level Goal
There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new
NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19.

How To Complete
To begin this level, login to the bandit server with the username bandit17 and password received from the previous level.

There are 2 files in the home directory. Both files have 100 lines of data. As per level goal, both files are same except for the passwords.new file updated with the key for level 18. To compare the files use the diff command. The result will show the text of data which is different in each file. The difference within passwords.new is the key to level 18.

Lesson Learnt
diff command

Level 18 → Level 19

Link → Level 18 → Level 19

Level Goal
The password for the next level is stored in a file readme in the home directory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

How To Complete
To begin this level, try to login to the bandit server with the username bandit18 and password received from the previous level.

You will be logged in and then kicked out of session right after the banner with a message “Byebye !”. As per the level goal, this is expected and it is as a result of the modified .bashrc file for the user bandit18. The key for level 19 can be found in the readme file in the home directory. In order to read this, it is possible to execute commands to the remote machine using ssh. Use the cat command over ssh to get the key for level 19.

Lesson Learnt
ssh command

Level 19 → Level 20

Link → Level 19 → Level 20

Level Goal
To gain access to the next level, you should use the setuid binary in the home directory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

How To Complete
To begin this level, login to the bandit server with the username bandit19 and password received from the previous level.

You will find an executable named bandit20-do in the home directory. Running the executable without any parameters provide helpful info on how to use the file. It is also to be noted that the file has the suid bit set, and the file is owned by the user bandit20 and the group bandit19. Also the file has execute bit set for the group. This means that the file when executed will be executed as bandit20. The password for all levels are available in the directory /etc/bandit_pass/ ,though each password level file has read and access permission set specifically to user of the respective level only. Use the bandit20-do executable to read the bandit20 password file to get the key to level 20.

Lesson Learnt
Linux File Permissions
Linux Executable/Binary
Linux User and Group Ownership and Permission
Stickybit, SUID and SGID

Level 20 → Level 21

Link → Level 20 → Level 21

Level Goal
There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
NOTE: Try connecting to your own network daemon to see if it works as you think.

How To Complete
To begin this level, login to the bandit server with the username bandit20 and password received from the previous level.

Once logged in, you should find an executable suconnect in the home directory. On running the executable, we get a response stating the it can be used to connect to any specified port, and would respond with the password for the next level, if it receives the current level password.

In order to execute this, we will use screen utility. The utility will allow creation of multiple shell windows from the same ssh session. Using screen, create 2 windows. In the first one, connect to port 20000 (or any free port) using nc with the -l, -v & -p switch for listening, verbose and port respectively. Pass the current password to the session.

On the 2nd window, run the executable suconnect with 20000 as port parameter. It should show that it read the current password and password has matched and it sent the next password. Check back on the 1st window. The executable should have sent the key for level 21.

Lesson Learnt
nc or netcat command
screen utility

Level 21 → Level 22

Link → Level 21 → Level 22

Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

How To Complete
To begin this level, login to the bandit server with the username bandit21 and password received from the previous level.

As per the level goal, a specific program is running on a regular interval from cron. Cron is a daemon that execute scheduled commands. The commands could be a specific command or a shell scripts. To check for cron jobs, check the directory /etc/cron.d/ . There are 3 files within this directory. On reading the file cronjob_bandit22, we see that it is set to execute a shell script located in /usr/bin/ every minute. On reading the shell script, we see that it automates 2 tasks. The 1st is to change the permission on a file located in the tmp directory. The 2nd is to cat out the password for level 22 and pass it into the file in the tmp directory. If you cat out the file in the tmp directory, you will receive the key for level 22.

Lesson Learnt
cron
shell script

Level 22 → Level 23

Link → Level 22 → Level 23

Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.

How To Complete
To begin this level, login to the bandit server with the username bandit22 and password received from the previous level.

Once logged in, navigate to /etc/cron.d/ to check the files listed. Cat out cronjob_bandit23. You will find that it is a schedule to run a specific shell script as the user bandit23. Cat out the shell script. The first execution line assigns the username bandit23 to the variable myname. The next line assigns the variable mytarget, the md5 checksum value of the text ‘I am user bandit23’ derived by running md5sum on the text and extracting the first coloumn of the output using cut command. The 3rd line is a simple echo command that can be ignored. The last line cats out the password of bandit23 and stores it into a file in the /tmp/ directory with the name which would be equal to the content of mytarget variable. To get the password, run line 2 of code replacing $myname with bandit23. Then cat out /tmp/$mytarget to get the key for next level.

Lesson Learnt
cron
shell script
md5sum
cut command
Linux Variable

Level 23 → Level 24

Link → Level 23 → Level 24

Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…

How To Complete
To begin this level, login to the bandit server with the username bandit23 and password received from the previous level.

Once logged in, navigate to /etc/cron.d/ to check the files listed. Cat out cronjob_bandit24. You will find that it is a schedule to run a specific shell script every minute as the user bandit24. Cat out the shell script. Similar to the script in the previous level, a variable myname has been assigned the username bandit24. The script navigates to a directory /var/spool/bandit24 and loops through all the contents of the directory, executing each one and then deleting them. To proceed with this level, we will need to create a shell script to copy the contents of /etc/bandit_pass/bandit24 to a file we can read and place the same inside the /var/spool/bandit24 directory. Create a new working directory inside /tmp/. Change the permission for the directory to be accessible by anyone. Create a script which cats out the password and redirects it to a file within this folder. Change the permission of this script to be run by anyone. Copy the script over to /var/spool/bandit24. Wait for the cron job to complete. You will know that it is complete, when the script file you had copied over to /var/spool/bandit24 goes missing. Check the temp directory for the new file (in the example, pass.txt). Cat the file out to get the key to the next level.

Lesson Learnt
cron
shell script

Level 24 → Level 25

Link → Level 24 → Level 25

Level Goal
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode.There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.

How To Complete
To begin this level, login to the bandit server with the username bandit24 and password received from the previous level.

To complete this level, you will need to brute-force your way into getting the desired response. To receive the password for level 25, you need to send the password for the current level and a 4 digit pin separated by a space. That is a total of 10000 combinations (0000 to 9999). To proceed, create a temp directory. Within the directory, we will create 2 fiiles of 5000 lines each, splitting the 10000 combinations. This is done as the server port seems to have some kind of limitation in terms of input or connection time-out. To create the first list, use the for loop with variable i on a range of 0000 to 5000, to echo out the password<space>$i and append it into the file named list1. Repeat the same again with the range changed to 5001 to 9999 and output to list2. You should now have 2 list files, each with half of the possible combinations to try. Next cat out the lists, pipe this output to nc to localhost at port 30002 and again pipe it into the uniq command to display only unique outputs. Complete this to receive the key to level 25.

Lesson Learnt
Bruteforce Attack
Bash scripting — for loop

Level 25 -> Level 26

Link → Level 25 -> Level 26

Level Goal
Logging in to bandit26 from bandit25 should be fairly easy…The shell for user bandit26 is not /bin/bash, but something else.Find out what it is, how it works and how to break out of it.

How To Complete
To begin this level, login to the bandit server with the username bandit25 and password received from the previous level.

Once logged in, you will find the ssh private key to connect into bandit26 in the home directory. Try connecting to bandit26 via ssh using the private key. You will be able to login, but you will also be kicked out once the welcome banner and an ascii art for bandit26 is displayed.

To check whats going on, the goal statement provides a hint. The shell used for bandit26 isn’t bash. To see what it is, check the line for bandit26 on /etc/passwd. On login for bandit26, a script named showtext is run. On cat-ing out showtext, we see that it opens up a txt file via more and exits.

To interrupt more, shrink the console window to less than 5 rows (since the text.txt is less around 5 lines of text), and try connecting again. This time, the session holds within more, with a prompt to scroll for more.

Press ‘v’ to enter vi. Type :r followed by location of password file for bandit26 to receive the key for level26.

r: /etc/bandit_pass/bandit26

Lesson Learnt
passwd file
more command
vi editor

Level 26 → Level 27

Link → Level 26 → Level 27

Level Goal
Good job getting a shell! Now hurry and grab the password for bandit27!

How To Complete
To begin this level, login to the bandit server with the username bandit26 and password received from the previous level. Do note that the shell is still not bash. When connecting, ensure that the console window size is less than 5 rows. Once logged in and the window is displays the text file in more, enter ‘v’ to start vi. To break out of vi and into shell, re-set the shell variable to /bin/bash using the set command.

Type :!sh and enter to exit to shell. You will get a $ prompt. Type & enter bash to get the complete bash prompt. An executable named bandit27-do is present in the home directory. On running the executable without any parameters, we receive a hint that the executable allows you to run a command as another user. Use the executable again, with parameter cat /etc/bandit_pass/bandit27. This should get you the key to level 27.

Lesson Learnt
Spawn a TTY Shell

Level 27 → Level 28

Link → Level 27 → Level 28

Level Goal
There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo. The password for the user bandit27-git is the same as for the user bandit27.
Clone the repository and find the password for the next level.

How To Complete
To begin this level, login to the bandit server with the username bandit27 and password received from the previous level.

Begin by creating a temp directory. Navigate to the temp directory and clone the git repository using git clone <location> command. Enter the password for bandit27. This should clone the repo directory on to the temp directory. A new directory named repo should be available in the temp directory. Navigate into the directory to find a README file. Cat out the file to get the key to next level.

Lesson Learnt
git reference manual
git clone

Level 28 → Level 29

Link → Level 28 → Level 29

Level Goal
There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo. The password for the user bandit28-git is the same as for the user bandit28.
Clone the repository and find the password for the next level.

How To Complete
To begin this level, login to the bandit server with the username bandit28 and password received from the previous level.

Begin by creating a temp directory. Navigate to the temp directory and clone the git repository using git clone <location> command. Enter the password for bandit28. This should clone the repo directory on to the temp directory. A new directory named repo should be available in the temp directory. Navigate into the directory to find a README file. Cat out the file. The content shows that the password has been masked/replaced with xxxxxxxxxx.
To check the history of git commits and any related comments, run the command git show. This should get you the key to level 29.

Lesson Learnt
git show
git log

Level 29 → Level 30

Link → Level 29 → Level 30

Level Goal
There is a git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo. The password for the user bandit29-git is the same as for the user bandit29.
Clone the repository and find the password for the next level.

How To Complete
To begin this level, login to the bandit server with the username bandit29 and password received from the previous level.

Begin by creating a temp directory. Navigate to the temp directory and clone the git repository using git clone <location> command. Enter the password for bandit29. This should clone the repo directory on to the temp directory. A new directory named repo should be available in the temp directory. Navigate into the directory to find a README file. Cat out the file. The content shows that the password has been changed to <no passwords in production!>. So could it possibly be in the dev branch. To check , run the command git show origin/dev. This should get your the key to level 30.

Lesson Learnt
git show
git log
tab completion

Level 30 → Level 31

Link → Level 30 → Level 31

Level Goal
There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo. The password for the user bandit30-git is the same as for the user bandit30.
Clone the repository and find the password for the next level.

How To Complete
To begin this level, login to the bandit server with the username bandit30 and password received from the previous level.

Begin by creating a temp directory. Navigate to the temp directory and clone the git repository using git clone <location> command. Enter the password for bandit30. This should clone the repo directory on to the temp directory. A new directory named repo should be available in the temp directory. Navigate into the directory to find a README file. Cat out the file to find nothing of value. Checking git logs, we find no previous commits, not dev branches. But on git show <tab>, secret seems to be an options, possibly a tag. On trying that out, get the key for level 31.

Lesson Learnt
git show
git log
git tag
tab completion

Level 31 → Level 32

Link → Level 31 → Level 32

Level Goal
There is a git repository at ssh://bandit31-git@localhost/home/bandit31-git/repo. The password for the user bandit31-git is the same as for the user bandit31.
Clone the repository and find the password for the next level.

How To Complete
To begin this level, login to the bandit server with the username bandit31 and password received from the previous level.

Begin by creating a temp directory. Navigate to the temp directory and clone the git repository using git clone <location> command. Enter the password for bandit31. This should clone the repo directory on to the temp directory. A new directory named repo should be available in the temp directory. Navigate into the directory to find a README file. Cat out the file to receive instructions to get the next key. To get the key for level 32, we need to create a file key.txt with a specific content with in the repo folder and push to master. Create the file and and add to git using ‘git add’ command with -f switch to force add. Commit the addition using the ‘git commit’ command, then push using ‘git push’ command to receive the key for level 32.

Lesson Learnt
git add
git commit
git push
git status

Level 32 → Level 33

Link → Level 32 → Level 33

Level Goal
After all this git stuff its time for another escape. Good luck!

How To Complete
To begin this level, login to the bandit server with the username bandit32 and password received from the previous level.

On logging into this level, you are greeted with a message “WELCOME TO UPPERCASE SHELL”. Any thing typed within this shell is converted to uppercase befor execution. Since linux commands are case sensitive, none of the commands will work. To escape out of this restrictive shell, type in $0 and enter. $0 expands to the name of the shell. This should give you regular shell access. Enter bash for full prompt. For some reason, it shows that I am already logged in as user bandit33. Get the key for level 33 from the default password location /etc/bandit_pass/bandit33.

Lesson Learnt
Bash special Parameter

Level 33 → Level 34

Link → Level 33 → Level 34

Level Goal
At this moment, level 34 does not exist yet.

How To Complete
Bandit Level 32->Level 33 was the final challenge. If you login to bandit33, there is a README file, which displays a congratulatory message.

Lesson Learnt
Stay tuned for my more write ups.
Continue for more wargames

--

--

The IT Guy | Aspiring Infosec/Cybersec Geek | OSS/H | Reader | Dreamer | Adventure Seeker

Love podcasts or audiobooks? Learn on the go with our new app.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
nwrzd

The IT Guy | Aspiring Infosec/Cybersec Geek | OSS/H | Reader | Dreamer | Adventure Seeker