Level Goal
The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.
Commands you need to solve this level
ssh
Helpful Reading Material
[Secure Shell (SSH) on Wikipedia](http://en.wikipedia.org/wiki/Secure_Shell)
[How to use SSH on wikiHow](http://www.wikihow.com/Use-SSH)
Solution
# Connect to the server
ssh bandit0@bandit.labs.overthewire.org
# Enter password
bandit0
Level Goal
The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH to log into that level and continue the game.
Commands you might need to solve this level
ls, cd, cat, file, du, find
Solution
# Connect to the server
ssh bandit0@bandit.labs.overthewire.org
# Enter password
bandit0
# Check the contents of the directory
ls
# Only file readme is listed
readme
# Display the contents of the file readme
cat readme
# Password is displayed
boJ9jbbUNNfktd78OOpsqOltutMc3MY1
Level Goal
The password for the next level is stored in a file called – located in the home directory
Commands you need to solve this level
ls, cd, cat, file, du, find
Helpful Reading Material
Google Search for “dashed filename”
Advanced Bash-scripting Guide – Chapter 3 – Special Characters
Solution
# Connect to the server
ssh bandit1@bandit.labs.overthewire.org
# Enter password
boJ9jbbUNNfktd78OOpsqOltutMc3MY1
# Check the contents of the directory
ls
-
# "-" also means STDIN
# Print out the content of the file -
cat ./-
# or use
cat <-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
Level Goal
The password for the next level is stored in a file called spaces in this filename located in the home directory
Commands you need to solve this level
ls, cd, cat, file, du, find
Helpful Reading Material
Google Search for “spaces in filename”
Solution
# Connect to the server
ssh bandit2@bandit.labs.overthewire.org
# Enter password
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
# Check the contents of the directory
ls
spaces in this filename
# Print out the content of the file - you can use cat ./sp and a Tab to complete the line
cat ./spaces\ in\ this\ filename
# Password is displayed
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
Level Goal
The password for the next level is stored in a hidden file in the inhere directory.
Commands you need to solve this level
ls, cd, cat, file, du, find
Solution
# Connect to the server
$ ssh bandit3@bandit.labs.overthewire.org
# Enter password
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
# Check the contents of the directory
$ ls
inhere
# Go into the directory
$ cd inhere
# See what is in the directory
$ ls
# As nothing is returned let's see if there are any hidden files
$ ls -la
drwxr-xr-x 2 root root 4096 Nov 14 2014 .
drwxr-xr-x 3 root root 4096 Nov 14 2014 ..
-rw-r----- 1 bandit4 bandit3 33 Nov 14 2014 .hidden
# Print out the content of the file .hidden
$ cat .hidden
# Password is displayed
pIwrPrtPN36QITSp3EQaw936yaFoFgAB
Level Goal
The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.
Commands you need to solve this level
ls, cd, cat, file, du, find
Solution
# Connect to the server
$ ssh bandit4@bandit.labs.overthewire.org
# Enter password
pIwrPrtPN36QITSp3EQaw936yaFoFgAB
# Go into the directory inhere
$ cd inhere
# See what is in the directory
$ ls
-file00 -file02 -file04 -file06 -file07~ -file09
-file01 -file03 -file05 -file07 -file08
# Determine which files are binary and which have ASCII text
$ file ./-file0{0..9}
./-file00: data
./-file01: data
./-file02: data
./-file03: data
./-file04: data
./-file05: data
./-file06: data
./-file07: ASCII text
./-file08: data
./-file09: data
# Print out the contents of the file -file07
$ cat ./-file07
# Password is displayed
koReBOKuIDDepwhWk7jZC0RTdopnAYKh
Level Goal
The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties: - human-readable - 1033 bytes in size - not executable
Commands you need to solve this level
ls, cd, cat, file, du, find
Solution
# Connect to the server
$ ssh bandit5@bandit.labs.overthewire.org
# Enter password
koReBOKuIDDepwhWk7jZC0RTdopnAYKh
# Go into the directory inhere
$ cd inhere
# See what is in the directory
$ ls
# 20 directories
maybehere00 maybehere04 maybehere08 maybehere12 maybehere16
maybehere01 maybehere05 maybehere09 maybehere13 maybehere17
maybehere02 maybehere06 maybehere10 maybehere14 maybehere18
maybehere03 maybehere07 maybehere11 maybehere15 maybehere19
# Find the file that is 1033 bytes in size
$ find ./ -size 1033c
./maybehere07/.file2
# Print out the contents of the found file
$ cat ./maybehere07/.file2
# OR
$ find . -type f -size 1033c -exec cat {} \;
# Password is displayed
DXjZPULLxYr17uwoI01bNLQbtFemEgo7
Level Goal
The password for the next level is stored somewhere on the server and has all of the following properties: - owned by user bandit7 - owned by group bandit6 - 33 bytes in size
Commands you need to solve this level
ls, cd, cat, file, du, find, grep
Solution
# Connect to the server
$ ssh bandit6@bandit.labs.overthewire.org
# Enter password
DXjZPULLxYr17uwoI01bNLQbtFemEgo7
# Search for the file with find and specified user, group and size
# Suppress Permission denied messages with 2>/dev/null
$ find / -user bandit7 -group bandit6 -size 33c 2>/dev/null
/var/lib/dpkg/info/bandit7.password
# Print out the contents of the found file
$ cat /var/lib/dpkg/info/bandit7.password
# Password is displayed
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
Level Goal
The password for the next level is stored in the file data.txt next to the word millionth
Commands you need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd
Solution
# Connect to the server
$ ssh bandit7@bandit.labs.overthewire.org
# Enter password
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
# See what is in the directory
$ ls
data.txt
# Search for the line that includes word millionth
$ grep -w millionth data.txt
# Password is displayed
millionth cvX2JJa4CFALtqS87jk27qwqGhBM9plV
Level Goal
The password for the next level is stored in the file data.txt and is the only line of text that occurs only once
Commands you need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd
Helpful Reading Material
The unix commandline: pipes and redirects
Solution
# Connect to the server
$ ssh bandit8@bandit.labs.overthewire.org
# Enter password
cvX2JJa4CFALtqS87jk27qwqGhBM9plV
# Sort the data to have all repeated lines together and then print only unique linesqq (we sorted it before as it can compare only the adjacent lines)
$ sort data.txt | uniq -u
# Password is displayed
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
Level Goal
The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.
Commands you need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd
Solution
# Connect to the server
$ ssh bandit9@bandit.labs.overthewire.org
# Enter password
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
# As data.txt is a binary file, we first need to convert the contents to strings
# Then search for lines that start with a several ===
$ strings data.txt | grep ^===
========== password
========== ism
========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
# Password is displayed amnong results
truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
Level Goal
The password for the next level is stored in the file data.txt, which contains base64 encoded data
Commands you need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd
Helpful Reading Material
Solution
# Connect to the server
$ ssh bandit10@bandit.labs.overthewire.org
# Enter password
truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
# View the contents of the data.txt file
$ cat data.txt
VGhlIHBhc3N3b3JkIGlzIElGdWt3S0dzRlc4TU9xM0lSRnFyeEUxaHhUTkViVVBSCg==
# Decode data.txt
$ base64 -d data.txt
# Password is displayed
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR
Level Goal
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions
Commands you need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd
Helpful Reading Material
Solution
# Connect to the server
$ ssh bandit11@bandit.labs.overthewire.org
# Enter password
IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR
# Translate characters from data.txt for 13 positions
$ cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'
# Password is displayed
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
Level Goal
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd, mkdir, cp, mv
Helpful Reading Material
Solution
# Connect to the server
$ ssh bandit12@bandit.labs.overthewire.org
# Enter password
5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
# Make a new directory in /temp/ directory
$ mkdir /tmp/magic
# Copy the data file to newly created directory
$ cp data.txt /tmp/magic/
# Go to the new directory
$ cd /tmp/magic/
# Make sure the file is there
$ ls
data.txt
# Convert hexdump to a binary file
$ xxd -r data.txt > data00
# Examine what kind file it is
$ file data00
data00: gzip compressed data, was "data2.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
# Rename file to data2.bin.gz
$ mv data00 data2.bin.gz
# Uncompress gzip
$ gzip -d data2.bin.gz
# Check the folder
$ ls
data.txt data2.bin
# Check compression for the data2.bin file
$ file data2.bin
data2.bin: bzip2 compressed data, block size = 900k
# Uncompress data2.bin with bzip2
$ bzip2 -d data2.bin
bzip2: Can't guess original name for data2.bin -- using data2.bin.out
# Check compression of thedata2.bin.out file
$ file data2.bin.out
data2.bin.out: gzip compressed data, was "data4.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
# Rename the file to data4.bin.gz
# Uncompress with gzip
$ gzip -d data4.bin.gz
# Check the compression
$ file data4.bin
data4.bin: POSIX tar archive (GNU)
# Untar the file
$ tar -xf data4.bin
# Check the contents of the folder
$ ls
data.txt data4.bin data5.bin
# Check the compression of the data5.bin
$ file data5.bin
data5.bin: POSIX tar archive (GNU)
# Untar the file
$ tar -xf data5.bin
# Check the contents fo the folder
$ ls
data.txt data4.bin data5.bin data6.bin
# Check the compression of data6.bin
$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
# Uncompress data6.bin with bzip2
$ bzip2 -d data6.bin
bzip2: Can't guess original name for data6.bin -- using data6.bin.out
# Check the compression of data6.bin.out
$ file data6.bin.out
data6.bin.out: POSIX tar archive (GNU)
# Untar the file
$ tar -xf data6.bin.out
# Check the contents of the folder
$ ls
data.txt data4.bin data5.bin data6.bin.out data8.bin
# Check the compression of data8.bin
$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
# Rename data8.bin to data8.bin.gz
$ mv data8.bin data8.bin.gz
# Use gzip to uncompress data8.bin
$ gzip -d data8.bin.gz
# Check the directory
$ ls
data.txt data4.bin data5.bin data6.bin.out data8.bin
# Check the file data8.bin
$ file data8.bin
data8.bin: ASCII tex
# We finaly got the uncompressed file. Get the contents of data8.bin
$ cat data8.bin
# Password is displayed
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
Level Goal
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on
Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap
Helpful Reading Material
Solution
# Connect to the server
$ ssh bandit13@bandit.labs.overthewire.org
# Enter password
8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
$ ls
sshkey.private
# Login to the server
$ ssh -i sshkey.private bandit14@localhost
# Display the password
$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap
Helpful Reading Material
IP Addresses
IP Address on Wikipedia
Localhost on Wikipedia
Ports
Port (computer networking) on Wikipedia
Solution
# Connect to the server
$ ssh bandit14@bandit.labs.overthewire.org
# Enter password
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
$ nc localhost 30000
# Enter password
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
# Password is displayed
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr
Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…
Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap
Helpful Reading Material
Secure Socket Layer/Transport Layer Security on Wikipedia
OpenSSL Cookbook - Testing with OpenSSL
Solution
# Connect to the server
$ ssh bandit15@bandit.labs.overthewire.org
# Enter password
BfMYroe26WYalil77FoDi9qh59eK5xNr
$ echo BfMYroe26WYalil77FoDi9qh59eK5xNr | openssl s_client -quiet -connect localhost:30001
# Password is displayed in the output
depth=0 CN = li190-250.members.linode.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = li190-250.members.linode.com
verify return:1
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd
read:errno=0
Level Goal
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap
Helpful Reading Material
Solution
# Connect to the server
$ ssh bandit16@bandit.labs.overthewire.org
# Enter password
cluFn7wTiGryunymYOu4RcffSxQluehd
# Scan the ports to find out which one has SSL
# 2>&1 causes stderr of a program to be written to the same file descriptor as stdout.
# nc writes to stderr by default, pipe will only get stdout hence grep will miss the data. *
$ echo cluFn7wTiGryunymYOu4RcffSxQluehd | nc -zv localhost 31000-32000 2>&1 | grep succeeded
Connection to localhost 31046 port [tcp/*] succeeded!
Connection to localhost 31099 port [tcp/*] succeeded!
Connection to localhost 31518 port [tcp/*] succeeded!
Connection to localhost 31691 port [tcp/*] succeeded!
Connection to localhost 31790 port [tcp/*] succeeded!
Connection to localhost 31960 port [tcp/*] succeeded!
# Check the connections to see which one returns the key
$ echo cluFn7wTiGryunymYOu4RcffSxQluehd | openssl s_client -quiet -connect localhost:31790
# Copy the key by opening the file and saving it to your computer
Level Goal
There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new
NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19
Commands you may need to solve this level
cat, grep, ls, diff
Solution
# Connect to the server
$ ssh -i key bandit17@bandit.labs.overthewire.org
# Check what is in the directory
$ ls
passwords.new passwords.old
# Check the difference between files
$ diff passwords.old passwords.new
42c42
< BS8bqB1kqkinKJjuxL6k072Qq9NRwQpR
---
> kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
# Password is
kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
Level Goal
The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
Commands you may need to solve this level
ssh, ls, cat
Solution
# Connect to the server
$ ssh bandit18@bandit.labs.overthewire.org cat readme
# Enter password
kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
# Password is
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
Level Goal
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used to setuid binary.
Helpful Reading Material
Solution
# Connect to the server
$ ssh bandit19@bandit.labs.overthewire.org
# Enter password
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
# Execute the binary file first to get instructions on how it works
$ ./bandit20-do
Run a command as another user.
Example: ./bandit20-do id
# Run command as another user
$ ./bandit20-do cat /etc/bandit_pass/bandit20
# Password is
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Level Goal
There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
NOTE: To beat this level, you need to login twice: once to run the setuid command, and once to start a network daemon to which the setuid will connect.
NOTE 2: Try connecting to your own network daemon to see if it works as you think
Commands you may need to solve this level
ssh, nc, cat
Solution
# Connect to the server
$ ssh bandit20@bandit.labs.overthewire.org
# Enter password
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
# Review which files are in the directory
$ ls
suconnect
# First conection - listening server
echo GbKksEFF4yrVs6il55v6gwY5aVje5f0j | nc -l localhost 30020
# Second connection - makes a connection to localhost and checks if password is correct
$ ./suconnect 30020
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password
# Password is displayed
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
Commands you may need to solve this level
cron, crontab, crontab(5) (use “man 5 crontab” to access this)
Solution
# Connect to the server
$ ssh bandit21@bandit.labs.overthewire.org
# Enter password
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
# Review which files are in the directory /etx/cron.d/
$ ls -la /etc/cron.d/
...
-rw-r--r-- 1 root root 61 Nov 14 2014 cronjob_bandit22
...
# Let's review what is in the file cronjob_bandit22
$ cat cronjob_bandit22
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
# Let's see what is in the shell script
$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
# We see that the file permissions are changed on the temp file
# The password is saved from /etc/.. to /tmp/...
# Let's go into the file and see if the password is there
$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
# Password is displayed
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
Commands you may need to solve this level
cron, crontab, crontab(5) (use “man 5 crontab” to access this)
Solution
# Connect to the server
$ ssh bandit22@bandit.labs.overthewire.org
# Enter password
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
# Review which files are in the directory /etx/cron.d/
$ ls -la /etc/cron.d/
...
-rw-r--r-- 1 root root 62 Nov 14 2014 cronjob_bandit23
...
# Let's review what is in the file cronjob_bandit22 file
$ cat /etc/cron.d/cronjob_bandit23
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
# &> means you get rid of all outputs and errors by directing them to /dev/null
# Let's see what is in the shell script
$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget
# Script first gets the username
# It echos "I am ", hashes it with md5 and cuts the trailing dash with the space
# Then copies the password to /tmp/
# Get the hash for user bandit23
$ echo I am user bandit23 | md5sum | cut -d' ' -f 1
8ca319486bfbbc3663ea0fbe81326349
# Get the contents of /tmp/8ca319486bfbbc3663ea0fbe81326349
$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
# Password is displayed
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…
Commands you may need to solve this level
cron, crontab, crontab(5) (use “man 5 crontab” to access this)
Solution
# Connect to the server
$ ssh bandit23@bandit.labs.overthewire.org
# Enter password
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
# Review which files are in the directory /etx/cron.d/
$ ls -la /etc/cron.d/
...
-rw-r--r-- 1 root root 61 May 3 2015 cronjob_bandit24
-rw-r--r-- 1 root root 62 May 3 2015 cronjob_bandit24_root
...
# Let's review what is in the file cronjob_bandit24 file
$ cat /etc/cron.d/cronjob_bandit24
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
# Let's see what is in the shell script
$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash
myname=$(whoami)
cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
if [ "$i" != "." -a "$i" != ".." ];
then
echo "Handling $i"
timeout -s 9 60 "./$i"
rm -f "./$i"
fi
done
# Every 60 seconds the script is executed and as a result all scripts in
# /var/spool/bandit24 are executed and deleted
# Go to the folder where cron job is executing scripts
$ cd /var/spool/bandit24
# Open the text editor (could also be vi, vim ...)
$ nano sh.sh
# Paste in the code that will copy the password to the /temp/withpass
#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/withpass
# change the permissions of the script file so that it can be executed by bandit24
$ chmod 777 sh.sh
$ cat /tmp/withpass
# Password is displayed
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
Level Goal
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.
Solution
# Connect to the server
$ ssh bandit24@bandit.labs.overthewire.org
# Enter password
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
# Check all pins and send them to port 30002
# Then filter out all responses that have the wrong pin
$ for n in {0000..9999}; do echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $n"; done | nc localhost 30002 | grep -v Wrong
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
Correct!
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
Exiting.
# Password is
uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
Level Goal
Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.
Commands you may need to solve this level
ssh, cat, more, vi, ls, id, pwd
Solution
# Connect to the server
$ ssh bandit25@bandit.labs.overthewire.org
# Enter password
uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
# Copy the bandit26.sshkey to local computer
# Connect to the server
ssh -i bandit26.sshkey bandit26@bandit.labs.overthewire.org
# First you see that you are immediately disconnected
# Explore why you are disconnected
$ cat /etc/passwd | grep bandit26
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
# Research the contents
$ cat /usr/bin/showtext
#!/bin/sh
more ~/text.txt
exit 0
# We see that more is initiated in the script so we can make the terminal window smaller to initiate it and then enter into vi editor to search for password
# Before you log in again, make sure the heigh of the terminal window is only a couple of rows
ssh -i bandit26.sshkey bandit26@bandit.labs.overthewire.org
# Now when you log in press (v) and you will enter into vi
# If you are in Insert mode press Esc to break out of it
# Get the contents of password file
:r /etc/bandit_pass/bandit26
# Password is
5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z
: -c "cat /etc/bandit_pass/bandit27"