In this small tutorial we will explain how to solve the Bandit challenges from OverTheWire.
0 -> 1
ssh
bandit0@bandit.labs.overthewire.org
bandit0
bandit0@melinda:~$ cat readme
boJ9jbbUNNfktd78OOpsqOltutMc3MY1
1 -> 2
ssh
bandit1@bandit.labs.overthewire.org
boJ9jbbUNNfktd78OOpsqOltutMc3MY1
bandit1@melinda:~$ cat ./-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
2 -> 3
ssh
bandit2@bandit.labs.overthewire.org
-p22
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
bandit2@melinda:~$ cat spaces\ in\ this\ filename
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
3 -> 4
ssh
bandit3@bandit.labs.overthewire.org
-p22
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
bandit3@melinda:~$ cat inhere/.hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB
4 -> 5
ssh
bandit4@bandit.labs.overthewire.org
-p22
pIwrPrtPN36QITSp3EQaw936yaFoFgAB
bandit4@melinda:$ cd inhere/inhere$ cat ./-file07
bandit4@melinda:
koReBOKuIDDepwhWk7jZC0RTdopnAYKh
5 -> 6
ssh
bandit5@bandit.labs.overthewire.org
-p22
koReBOKuIDDepwhWk7jZC0RTdopnAYKh
bandit5@melinda:$ cd inhere//inhere$ find . -type f -size 1033c -name “[[:print:]]*” ! -executable
bandit5@melinda:
./maybehere07/.file2
bandit5@melinda:~/inhere$ cat ./maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7
6 -> 7
ssh
bandit6@bandit.labs.overthewire.org
-p22
DXjZPULLxYr17uwoI01bNLQbtFemEgo7
bandit6@melinda:$ find / -type f -size 33c -user bandit7 -group bandit6$ cat /var/lib/dpkg/info/bandit7.password
bandit6@melinda:
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
7 -> 8
ssh
bandit7@bandit.labs.overthewire.org
-p22
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
bandit7@melinda:~$ grep millionth data.txt
millionth cvX2JJa4CFALtqS87jk27qwqGhBM9plV
8 -> 9
ssh
bandit8@bandit.labs.overthewire.org
-p22
cvX2JJa4CFALtqS87jk27qwqGhBM9plV
bandit8@melinda:~$ cat data.txt |sort|uniq -c
1 UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
9 -> 10
ssh
bandit9@bandit.labs.overthewire.org
-p22
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
bandit9@melinda:~$ strings data.txt |grep ‘====’
I========== the6
========== password
========== ism
========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
10 -> 11
ssh
bandit10@bandit.labs.overthewire.org
-p22
truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
bandit10@melinda:~$ strings data.txt |base64 -d
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR
11 -> 12
ssh
bandit11@bandit.labs.overthewire.org
-p22
IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR
bandit11@melinda:$ alias rot13=“tr ‘[A-Za-z]’ ‘[N-ZA-Mn-za-m]’”$ echo -e “Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh”|rot13
bandit11@melinda:
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
12 -> 13
ssh
bandit12@bandit.labs.overthewire.org
-p22
5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
bandit12@melinda:$ mkdir /tmp/kr0m$ cp data.txt /tmp/kr0m/
bandit12@melinda:
bandit12@melinda:/tmp/kr0m$ xxd -r data.txt foobar.bin
bandit12@melinda:/tmp/kr0m$ file foobar.bin
foobar.bin: gzip compressed data, was "data2.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
bandit12@melinda:/tmp/kr0m$ mv foobar.bin foobar.bin.gz
bandit12@melinda:/tmp/kr0m$ gunzip foobar.bin.gz
bandit12@melinda:/tmp/kr0m$ file foobar.bin
bandit12@melinda:/tmp/kr0m$ gunzip foobar.bin.gz
bandit12@melinda:/tmp/kr0m$ file foobar.bin
foobar.bin: bzip2 compressed data, block size = 900k
bandit12@melinda:/tmp/kr0m$ bzip2 -d foobar.bin.gz2
bzip2: Can't guess original name for foobar.bin.gz2 -- using foobar.bin.gz2.out
bandit12@melinda:/tmp/kr0m$ file foobar.bin.gz2.out
foobar.bin.gz2.out: gzip compressed data, was "data4.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
bandit12@melinda:/tmp/kr0m$ mv foobar.bin.gz2.out foobar.bin.gz
bandit12@melinda:/tmp/kr0m$ gunzip foobar.bin.gz
bandit12@melinda:/tmp/kr0m$ file foobar.bin
bandit12@melinda:/tmp/kr0m$ gunzip foobar.bin.gz
bandit12@melinda:/tmp/kr0m$ file foobar.bin
foobar.bin: POSIX tar archive (GNU)
bandit12@melinda:/tmp/kr0m$ tar -xvf foobar.bin
data5.bin
bandit12@melinda:/tmp/kr0m$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@melinda:/tmp/kr0m$ mv data5.bin data5.bin.tar
bandit12@melinda:/tmp/kr0m$ tar -xvf data5.bin.tar
bandit12@melinda:/tmp/kr0m$ tar -xvf data5.bin.tar
data6.bin
bandit12@melinda:/tmp/kr0m$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@melinda:/tmp/kr0m$ mv data6.bin data6.bin.gz2
bandit12@melinda:/tmp/kr0m$ bzip2 -d data6.bin.gz2
bandit12@melinda:/tmp/kr0m$ bzip2 -d data6.bin.gz2
bzip2: Can't guess original name for data6.bin.gz2 -- using data6.bin.gz2.out
bandit12@melinda:/tmp/kr0m$ file data6.bin.gz2.out
data6.bin.gz2.out: POSIX tar archive (GNU)
bandit12@melinda:/tmp/kr0m$ mv data6.bin.gz2.out data6.bin.tar
bandit12@melinda:/tmp/kr0m$ tar -xvf data6.bin.tar
bandit12@melinda:/tmp/kr0m$ file data8.bin
bandit12@melinda:/tmp/kr0m$ tar -xvf data6.bin.tar
bandit12@melinda:/tmp/kr0m$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
bandit12@melinda:/tmp/kr0m$ mv data8.bin data8.bin.gz
bandit12@melinda:/tmp/kr0m$ gunzip data8.bin.gz
bandit12@melinda:/tmp/kr0m$ file data8.bin
bandit12@melinda:/tmp/kr0m$ gunzip data8.bin.gz
bandit12@melinda:/tmp/kr0m$ file data8.bin
data8.bin: ASCII text
bandit12@melinda:/tmp/kr0m$ cat data8.bin
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
13 -> 14
ssh
bandit13@bandit.labs.overthewire.org
-p22
8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
bandit13@melinda:~$ cat sshkey.private
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAxkkOE83W2cOT7IWhFc9aPaaQmQDdgzuXCv+ppZHa++buSkN+
gg0tcr7Fw8NLGa5+Uzec2rEg0WmeevB13AIoYp0MZyETq46t+jk9puNwZwIt9XgB
ZufGtZEwWbFWw/vVLNwOXBe4UWStGRWzgPpEeSv5Tb1VjLZIBdGphTIK22Amz6Zb
ThMsiMnyJafEwJ/T8PQO3myS91vUHEuoOMAzoUID4kN0MEZ3+XahyK0HJVq68KsV
ObefXG1vvA3GAJ29kxJaqvRfgYnqZryWN7w3CHjNU4c/2Jkp+n8L0SnxaNA+WYA7
jiPyTF0is8uzMlYQ4l1Lzh/8/MpvhCQF8r22dwIDAQABAoIBAQC6dWBjhyEOzjeA
J3j/RWmap9M5zfJ/wb2bfidNpwbB8rsJ4sZIDZQ7XuIh4LfygoAQSS+bBw3RXvzE
pvJt3SmU8hIDuLsCjL1VnBY5pY7Bju8g8aR/3FyjyNAqx/TLfzlLYfOu7i9Jet67
xAh0tONG/u8FB5I3LAI2Vp6OviwvdWeC4nOxCthldpuPKNLA8rmMMVRTKQ+7T2VS
nXmwYckKUcUgzoVSpiNZaS0zUDypdpy2+tRH3MQa5kqN1YKjvF8RC47woOYCktsD
o3FFpGNFec9Taa3Msy+DfQQhHKZFKIL3bJDONtmrVvtYK40/yeU4aZ/HA2DQzwhe
ol1AfiEhAoGBAOnVjosBkm7sblK+n4IEwPxs8sOmhPnTDUy5WGrpSCrXOmsVIBUf
laL3ZGLx3xCIwtCnEucB9DvN2HZkupc/h6hTKUYLqXuyLD8njTrbRhLgbC9QrKrS
M1F2fSTxVqPtZDlDMwjNR04xHA/fKh8bXXyTMqOHNJTHHNhbh3McdURjAoGBANkU
1hqfnw7+aXncJ9bjysr1ZWbqOE5Nd8AFgfwaKuGTTVX2NsUQnCMWdOp+wFak40JH
PKWkJNdBG+ex0H9JNQsTK3X5PBMAS8AfX0GrKeuwKWA6erytVTqjOfLYcdp5+z9s
8DtVCxDuVsM+i4X8UqIGOlvGbtKEVokHPFXP1q/dAoGAcHg5YX7WEehCgCYTzpO+
xysX8ScM2qS6xuZ3MqUWAxUWkh7NGZvhe0sGy9iOdANzwKw7mUUFViaCMR/t54W1
GC83sOs3D7n5Mj8x3NdO8xFit7dT9a245TvaoYQ7KgmqpSg/ScKCw4c3eiLava+J
3btnJeSIU+8ZXq9XjPRpKwUCgYA7z6LiOQKxNeXH3qHXcnHok855maUj5fJNpPbY
iDkyZ8ySF8GlcFsky8Yw6fWCqfG3zDrohJ5l9JmEsBh7SadkwsZhvecQcS9t4vby
9/8X4jS0P8ibfcKS4nBP+dT81kkkg5Z5MohXBORA7VWx+ACohcDEkprsQ+w32xeD
qT1EvQKBgQDKm8ws2ByvSUVs9GjTilCajFqLJ0eVYzRPaY6f++Gv/UVfAPV4c+S0
kAWpXbv5tbkkzbS0eaLPTKgLzavXtQoTtKwrjpolHKIHUz6Wu+n4abfAIRFubOdN
/+aLoRQ0yBDRbdXMsZN/jvY44eM+xRLdRVyMmdPtP8belRi2E2aEzA==
-----END RSA PRIVATE KEY-----
bandit13@melinda:~$ logout
14 -> 15
vi .ssh/vertex
ssh -i .ssh/vertex
bandit14@bandit.labs.overthewire.org
-p22
bandit14@melinda:~$ cat /etc/bandit_pass/bandit14
bandit14@melinda:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
ssh
bandit14@bandit.labs.overthewire.org
-p22
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
bandit14@melinda:~$ telnet localhost 30000
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr
Connection closed by foreign host.
15 -> 16
ssh
bandit15@bandit.labs.overthewire.org
-p22
BfMYroe26WYalil77FoDi9qh59eK5xNr
bandit15@melinda:~$ openssl s_client -ign_eof -connect localhost:30001
CONNECTED(00000003)
depth=0 CN = li190-250.members.linode.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = li190-250.members.linode.com
verify return:1
---
Certificate chain
0 s:/CN=li190-250.members.linode.com
i:/CN=li190-250.members.linode.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC3jCCAcagAwIBAgIJAI5QiWZw4YHbMA0GCSqGSIb3DQEBCwUAMCcxJTAjBgNV
BAMTHGxpMTkwLTI1MC5tZW1iZXJzLmxpbm9kZS5jb20wHhcNMTQxMTE0MTAyODA0
WhcNMjQxMTExMTAyODA0WjAnMSUwIwYDVQQDExxsaTE5MC0yNTAubWVtYmVycy5s
aW5vZGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsKmy9o5z
WU+1EH7Z3bB5TGQA+16zXDcEJy6tZWZ8CDrRyQXiahendp45BWUc/ZuLDo0+B3Wt
ZXjofmLw/F4fmR+8X1s1fQZX2dFt920qEm7LxqzWd0c7FdHiBwwRrwhkk+3cQpOB
TTGdLWEgpdmwwNZDTUdsDLzjDczPnju6T6p6ArTECztPbmTjfY4QIRtC6capL1Z+
yPJSQVAuAMEX1wTDWTGdm0VV7oW4F5cGZutf6QAP51jdhSyZuGilIPHbnj0l6Qc7
a7+OtEsEGi31aJ8KpRf7LNZ7DXCuoB3Hf75Pd6VjDgoOIagcH0NYqa75gEjBkGzs
ktLWykT7ag7fKwIDAQABow0wCzAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IB
AQCaZdUNAj8WDEKWdoU3LNXUBJlTJwiWBrh550PbHSQORcCz2K0kiMei1A4ojK2N
dMHFGAqAeUEaxtz92p2BoFpZasAtdSa3u63tBckFhfUolIS1TC7Cj51y19ysTeep
fGPFpuPCVqVPsruei8Z/iqn3bFIhQQdmumeePZQdPMwZSWHNVYC5XODd7PvNDrDu
5MZJjkz4+6LbwwAvyew62meFN2QEsYbK2Brtbhze+IjE27FGWlSw4K3jlwa409MD
MTf4JU41ELaYY8G/LSNDJsBVhhkHzvXR9iCbXxNz3IL0dQDNj7h4LKhBy0q7hvqg
kDzwlmBO4WKSmCAuky44cXmd
-----END CERTIFICATE-----
subject=/CN=li190-250.members.linode.com
issuer=/CN=li190-250.members.linode.com
---
No client certificate CA names sent
---
SSL handshake has read 1714 bytes and written 637 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : DHE-RSA-AES256-SHA
Session-ID: 4752AD4270FEFE9AE3B505AD5AB5AA08FF30F9EF24914ACBEB87F293DE7FCDBA
Session-ID-ctx:
Master-Key: 3228D00C43C71BB4171E1EF3191C3C928C7B512E53716ECBABDA1BEF9747681ED98F33233474BB1467103E928580365A
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1476341975
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
BfMYroe26WYalil77FoDi9qh59eK5xNr
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd
read:errno=0
16 -> 17
ssh
bandit16@bandit.labs.overthewire.org
-p22
cluFn7wTiGryunymYOu4RcffSxQluehd
bandit16@melinda:~$ nmap localhost -p 31000-32000
Starting Nmap 6.40 ( http://nmap.org ) at 2016-10-13 07:04 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0024s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
31046/tcp open unknown
31518/tcp open unknown
31691/tcp open unknown
31790/tcp open unknown
31960/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
bandit16@melinda:~$ openssl s_client -ign_eof -connect localhost:31790
CONNECTED(00000003)
depth=0 CN = li190-250.members.linode.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = li190-250.members.linode.com
verify return:1
---
Certificate chain
0 s:/CN=li190-250.members.linode.com
i:/CN=li190-250.members.linode.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC3jCCAcagAwIBAgIJAI5QiWZw4YHbMA0GCSqGSIb3DQEBCwUAMCcxJTAjBgNV
BAMTHGxpMTkwLTI1MC5tZW1iZXJzLmxpbm9kZS5jb20wHhcNMTQxMTE0MTAyODA0
WhcNMjQxMTExMTAyODA0WjAnMSUwIwYDVQQDExxsaTE5MC0yNTAubWVtYmVycy5s
aW5vZGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsKmy9o5z
WU+1EH7Z3bB5TGQA+16zXDcEJy6tZWZ8CDrRyQXiahendp45BWUc/ZuLDo0+B3Wt
ZXjofmLw/F4fmR+8X1s1fQZX2dFt920qEm7LxqzWd0c7FdHiBwwRrwhkk+3cQpOB
TTGdLWEgpdmwwNZDTUdsDLzjDczPnju6T6p6ArTECztPbmTjfY4QIRtC6capL1Z+
yPJSQVAuAMEX1wTDWTGdm0VV7oW4F5cGZutf6QAP51jdhSyZuGilIPHbnj0l6Qc7
a7+OtEsEGi31aJ8KpRf7LNZ7DXCuoB3Hf75Pd6VjDgoOIagcH0NYqa75gEjBkGzs
ktLWykT7ag7fKwIDAQABow0wCzAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IB
AQCaZdUNAj8WDEKWdoU3LNXUBJlTJwiWBrh550PbHSQORcCz2K0kiMei1A4ojK2N
dMHFGAqAeUEaxtz92p2BoFpZasAtdSa3u63tBckFhfUolIS1TC7Cj51y19ysTeep
fGPFpuPCVqVPsruei8Z/iqn3bFIhQQdmumeePZQdPMwZSWHNVYC5XODd7PvNDrDu
5MZJjkz4+6LbwwAvyew62meFN2QEsYbK2Brtbhze+IjE27FGWlSw4K3jlwa409MD
MTf4JU41ELaYY8G/LSNDJsBVhhkHzvXR9iCbXxNz3IL0dQDNj7h4LKhBy0q7hvqg
kDzwlmBO4WKSmCAuky44cXmd
-----END CERTIFICATE-----
subject=/CN=li190-250.members.linode.com
issuer=/CN=li190-250.members.linode.com
---
No client certificate CA names sent
---
SSL handshake has read 1714 bytes and written 637 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : DHE-RSA-AES256-SHA
Session-ID: DA74667E06E24EA181951E7F117010B61980075AC16E164A69223182E9698C6E
Session-ID-ctx:
Master-Key: 05534180311AFEDCDFCD20FF5D42CB714DD8974EAABD83480BB9AE533E9778F783ED0E864D704B8996E35E118181D77C
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1476342385
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
cluFn7wTiGryunymYOu4RcffSxQluehd
Correct!
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
-----END RSA PRIVATE KEY-----
read:errno=0
17 -> 18
vi .ssh/vertex
ssh
bandit17@bandit.labs.overthewire.org
-p22
bandit17@melinda:~$ diff passwords.new passwords.old
bandit17@melinda:~$ diff passwords.new passwords.old
42c42
< kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
---
> BS8bqB1kqkinKJjuxL6k072Qq9NRwQpR
ssh
bandit18@bandit.labs.overthewire.org
-p22
kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
Byebye !
18 -> 19
ssh -t
bandit18@bandit.labs.overthewire.org
-p22 /bin/sh
kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
$ cat readme
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
19 -> 20
ssh
bandit19@bandit.labs.overthewire.org
-p22
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
bandit19@melinda:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
20 -> 21
ssh
bandit20@bandit.labs.overthewire.org
-p22
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
bandit20@melinda:$ nc -l -p 7777$ ./suconnect 7777
bandit20@melinda:
bandit20@melinda:~$ nc -l -p 7777
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
bandit20@melinda:~$ ./suconnect 7777
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password
bandit20@melinda:~$ nc -l -p 7777
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
21 -> 22
ssh
bandit21@bandit.labs.overthewire.org
-p22
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
bandit21@melinda:~$ ls -la /usr/bin/cronjob_bandit*
-rwxr-x--- 1 bandit22 bandit21 130 Nov 14 2014 /usr/bin/cronjob_bandit22.sh
-rwxr-x--- 1 bandit23 bandit22 211 Nov 14 2014 /usr/bin/cronjob_bandit23.sh
-rwxr-x--- 1 bandit24 bandit23 257 May 3 2015 /usr/bin/cronjob_bandit24.sh
-rwx------ 1 root root 186 May 3 2015 /usr/bin/cronjob_bandit24_root.sh
bandit21@melinda:~$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
bandit21@melinda:~$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
22 -> 23
ssh
bandit22@bandit.labs.overthewire.org
-p22
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
bandit22@melinda:~$ ls -la /usr/bin/cronjob_bandit*
-rwxr-x--- 1 bandit22 bandit21 130 Nov 14 2014 /usr/bin/cronjob_bandit22.sh
-rwxr-x--- 1 bandit23 bandit22 211 Nov 14 2014 /usr/bin/cronjob_bandit23.sh
-rwxr-x--- 1 bandit24 bandit23 257 May 3 2015 /usr/bin/cronjob_bandit24.sh
-rwx------ 1 root root 186 May 3 2015 /usr/bin/cronjob_bandit24_root.sh
bandit22@melinda:~$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget
bandit22@melinda:~$ echo I am user bandit23 | md5sum | cut -d ’ ’ -f 1
8ca319486bfbbc3663ea0fbe81326349
bandit22@melinda:~$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
23 -> 24
ssh
bandit23@bandit.labs.overthewire.org
-p22
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
bandit23@melinda:~$ ls -la /usr/bin/cronjob_bandit*
-rwxr-x--- 1 bandit22 bandit21 130 Nov 14 2014 /usr/bin/cronjob_bandit22.sh
-rwxr-x--- 1 bandit23 bandit22 211 Nov 14 2014 /usr/bin/cronjob_bandit23.sh
-rwxr-x--- 1 bandit24 bandit23 257 May 3 2015 /usr/bin/cronjob_bandit24.sh
-rwx------ 1 root root 186 May 3 2015 /usr/bin/cronjob_bandit24_root.sh
bandit23@melinda:~$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash
myname=$(whoami)
cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
if [ "$i" != "." -a "$i" != ".." ];
then
echo "Handling $i"
timeout -s 9 60 "./$i"
rm -f "./$i"
fi
done
bandit23@melinda:~$ ls -la /var/spool/
total 169
drwxr-xr-x 6 root root 4096 May 3 2015 .
drwxr-xr-x 15 root root 4096 Nov 14 2014 ..
drwxrwxrwx 2 bandit24 bandit23 151552 Oct 13 08:32 bandit24
drwxr-xr-x 5 root root 4096 Apr 20 2014 cron
lrwxrwxrwx 1 root root 7 Apr 20 2014 mail -> ../mail
drwxr-xr-x 2 root root 4096 Apr 11 2014 plymouth
drwx------ 2 syslog adm 4096 Dec 4 2013 rsyslog
bandit23@melinda:~$ vi /var/spool/bandit24/kr0m.sh
#! /bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/bandit24pass
chown bandit23:bandit23 /tmp/bandit24pass
chmod 777 /var/spool/bandit24/kr0m.sh
Wait
watch ‘cat /tmp/bandit24pass’
bandit23@melinda:~$ cat /tmp/bandit24pass
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
24 -> 25
ssh
bandit24@bandit.labs.overthewire.org
-p22
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
To go faster, we open 8 consoles:
bandit24@melinda:$ for i in $(seq -w 0 1250); do echo I: $i && echo UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i | nc localhost 30002 |grep -v ‘separated by a space’ | grep -v ‘Try again’; done
bandit24@melinda:$ for i in $(seq -w 1251 2500); do echo I: $i && echo UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i | nc localhost 30002 |grep -v ‘separated by a space’ | grep -v ‘Try again’; done
bandit24@melinda:$ for i in $(seq -w 2501 3750); do echo I: $i && echo UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i | nc localhost 30002 |grep -v ‘separated by a space’ | grep -v ‘Try again’; done
bandit24@melinda:$ for i in $(seq -w 3751 5000); do echo I: $i && echo UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i | nc localhost 30002 |grep -v ‘separated by a space’ | grep -v ‘Try again’; done
bandit24@melinda:$ for i in $(seq -w 5001 6250); do echo I: $i && echo UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i | nc localhost 30002 |grep -v ‘separated by a space’ | grep -v ‘Try again’; done
bandit24@melinda:$ for i in $(seq -w 6251 7500); do echo I: $i && echo UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i | nc localhost 30002 |grep -v ‘separated by a space’ | grep -v ‘Try again’; done
bandit24@melinda:$ for i in $(seq -w 7501 8750); do echo I: $i && echo UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i | nc localhost 30002 |grep -v ‘separated by a space’ | grep -v ‘Try again’; done
bandit24@melinda:$ for i in $(seq -w 8751 9999); do echo I: $i && echo UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i | nc localhost 30002 |grep -v ‘separated by a space’ | grep -v ‘Try again’; done
bandit24@melinda:
bandit24@melinda:
bandit24@melinda:
bandit24@melinda:
bandit24@melinda:
bandit24@melinda:
bandit24@melinda:
I: 5669
Correct!
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
25 -> 26
ssh
bandit25@bandit.labs.overthewire.org
-p22
uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
bandit25@melinda:~$ grep bandit26 /etc/passwd
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
bandit25@melinda:~$ cat /usr/bin/showtext
#!/bin/sh
more ~/text.txt
exit 0
bandit25@melinda:~$ cat /home/bandit26/text.txt
cat: /home/bandit26/text.txt: Permission denied
bandit25@melinda:~$ ls -la /home/bandit26/text.txt
-rw-r----- 1 bandit26 bandit26 258 Nov 16 2014 /home/bandit26/text.txt
bandit25@melinda:~$ ls -la /usr/bin/showtext
-rwxr-xr-x 1 root root 34 Nov 16 2014 /usr/bin/showtext
bandit25@melinda:~$ ls -la /home/bandit26/text.txt
-rw-r----- 1 bandit26 bandit26 258 Nov 16 2014 /home/bandit26/text.txt
bandit25@melinda:~$ cat bandit26.sshkey
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEApis2AuoooEqeYWamtwX2k5z9uU1Afl2F8VyXQqbv/LTrIwdW
pTfaeRHXzr0Y0a5Oe3GB/+W2+PReif+bPZlzTY1XFwpk+DiHk1kmL0moEW8HJuT9
/5XbnpjSzn0eEAfFax2OcopjrzVqdBJQerkj0puv3UXY07AskgkyD5XepwGAlJOG
xZsMq1oZqQ0W29aBtfykuGie2bxroRjuAPrYM4o3MMmtlNE5fC4G9Ihq0eq73MDi
1ze6d2jIGce873qxn308BA2qhRPJNEbnPev5gI+5tU+UxebW8KLbk0EhoXB953Ix
3lgOIrT9Y6skRjsMSFmC6WN/O7ovu8QzGqxdywIDAQABAoIBAAaXoETtVT9GtpHW
qLaKHgYtLEO1tOFOhInWyolyZgL4inuRRva3CIvVEWK6TcnDyIlNL4MfcerehwGi
il4fQFvLR7E6UFcopvhJiSJHIcvPQ9FfNFR3dYcNOQ/IFvE73bEqMwSISPwiel6w
e1DjF3C7jHaS1s9PJfWFN982aublL/yLbJP+ou3ifdljS7QzjWZA8NRiMwmBGPIh
Yq8weR3jIVQl3ndEYxO7Cr/wXXebZwlP6CPZb67rBy0jg+366mxQbDZIwZYEaUME
zY5izFclr/kKj4s7NTRkC76Yx+rTNP5+BX+JT+rgz5aoQq8ghMw43NYwxjXym/MX
c8X8g0ECgYEA1crBUAR1gSkM+5mGjjoFLJKrFP+IhUHFh25qGI4Dcxxh1f3M53le
wF1rkp5SJnHRFm9IW3gM1JoF0PQxI5aXHRGHphwPeKnsQ/xQBRWCeYpqTme9amJV
tD3aDHkpIhYxkNxqol5gDCAt6tdFSxqPaNfdfsfaAOXiKGrQESUjIBcCgYEAxvmI
2ROJsBXaiM4Iyg9hUpjZIn8TW2UlH76pojFG6/KBd1NcnW3fu0ZUU790wAu7QbbU
i7pieeqCqSYcZsmkhnOvbdx54A6NNCR2btc+si6pDOe1jdsGdXISDRHFb9QxjZCj
6xzWMNvb5n1yUb9w9nfN1PZzATfUsOV+Fy8CbG0CgYEAifkTLwfhqZyLk2huTSWm
pzB0ltWfDpj22MNqVzR3h3d+sHLeJVjPzIe9396rF8KGdNsWsGlWpnJMZKDjgZsz
JQBmMc6UMYRARVP1dIKANN4eY0FSHfEebHcqXLho0mXOUTXe37DWfZza5V9Oify3
JquBd8uUptW1Ue41H4t/ErsCgYEArc5FYtF1QXIlfcDz3oUGz16itUZpgzlb71nd
1cbTm8EupCwWR5I1j+IEQU+JTUQyI1nwWcnKwZI+5kBbKNJUu/mLsRyY/UXYxEZh
ibrNklm94373kV1US/0DlZUDcQba7jz9Yp/C3dT/RlwoIw5mP3UxQCizFspNKOSe
euPeaxUCgYEAntklXwBbokgdDup/u/3ms5Lb/bm22zDOCg2HrlWQCqKEkWkAO6R5
/Wwyqhp/wTl8VXjxWo+W+DmewGdPHGQQ5fFdqgpuQpGUq24YZS8m66v5ANBwd76t
IZdtF5HXs2S5CADTwniUS5mX1HO9l5gUkk+h0cH5JnPtsMCnAUM+BRY=
-----END RSA PRIVATE KEY-----
bandit25@melinda:~$ logout
vi .ssh/vertex
ssh -i .ssh/vertex
bandit26@bandit.labs.overthewire.org
-p22
We resize the terminal to make it very small so that the txt does not fit.
We enter edit mode of more:
v
We read the pass file:
:r /etc/bandit_pass/bandit26
5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z