OverTheWire - Bandit

Bandit Level 0

Level Goal

The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.

➜ ssh bandit.labs.overthewire.org -p 2220 -l bandit0

bandit0@bandit:~$ ls
readme
bandit0@bandit:~$ cat readme
NH2SXQwcBdpmTEzi3bvBHMM9H66vVXjL

Bandit Level 1

Level Goal

The password for the next level is stored in a file called - located in the home directory

➜ ssh bandit.labs.overthewire.org -p 2220 -l bandit1

bandit1@bandit:~$ ls
-
bandit1@bandit:~$ cat ./-
rRGizSaX8Mk1RTb1CNQoXTcYZWU6lgzi

Simply - won't work since most command take arguments from -

./- indicates that - is a file in current directory.

Bandit Level 2

Level Goal

The password for the next level is stored in a file called spaces in this filename located in the home directory

➜ ssh bandit.labs.overthewire.org -p 2220 -l bandit2

bandit2@bandit:~$ ls
spaces in this filename
bandit2@bandit:~$ cat spaces\ in\ this\ filename # Solution 1
aBZ0W5EmUfAf7kHTQeOwd8bauFJ2lAiG
bandit2@bandit:~$ cat "spaces in this filename"  # Solution 2
aBZ0W5EmUfAf7kHTQeOwd8bauFJ2lAiG

Write start of the filename and hit TAB to autocomplete.

Bandit Level 3

Level Goal

The password for the next level is stored in a hidden file in the inhere directory.

➜ ssh bandit.labs.overthewire.org -p 2220 -l bandit3

bandit3@bandit:~$ ls
inhere
bandit3@bandit:~$ ls inhere/
bandit3@bandit:~$ ls -la inhere/
total 12
drwxr-xr-x 2 root    root    4096 Apr 23 18:04 .
drwxr-xr-x 3 root    root    4096 Apr 23 18:04 ..
-rw-r----- 1 bandit4 bandit3   33 Apr 23 18:04 .hidden
bandit3@bandit:~$ cat inhere/.hidden
2EW7BBsr6aMMoJ2HjW067dm8EgX26xNe

Since file is hidden we can use ls -a to see all the files. (-l flag for list)

Bandit Level 4

Level Goal

The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.

➜ ssh bandit.labs.overthewire.org -p 2220 -l bandit4

bandit4@bandit:~$ ls
inhere
bandit4@bandit:~$ ls inhere/
-file00  -file01  -file02  -file03  -file04  -file05  -file06  -file07  -file08  -file09
bandit4@bandit:~$ file inhere/*
inhere/-file00: data
...
inhere/-file07: ASCII text
inhere/-file08: data
inhere/-file09: Non-ISO extended-ASCII text, with no line terminators
bandit4@bandit:~$ cat inhere/-file07
lrIWWI6bB37kxfiCQZqUdOIYfr6eEeqR

file command can be used to see file type.

* wildcard to apply command to all files

Bandit Level 5

Level Goal

The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:

human-readable
1033 bytes in size
not executable

➜ ssh bandit.labs.overthewire.org -p 2220 -l bandit5

bandit5@bandit:~$ find . -type f -size 1033c -readable ! -executable -exec cat {} \;
P4L4vucdmLnm8I7Vl7jG1ApGSfjYKqJU

The command could be explored here

Bandit Level 6

Level Goal

The password for the next level is stored somewhere on the server and has all of the following properties:

owned by user bandit7
owned by group bandit6
33 bytes in size

➜ ssh bandit.labs.overthewire.org -p 2220 -l bandit6

bandit6@bandit:~$ find / -user bandit7 -group bandit6 -size 33c -exec cat {} \; 2>/dev/null
z7WtoNQU2XfjmMtWA8u5rN4vzqu4v99S

The command could be explored here Search dir is / root directory, because we are searching "somewhere on the server"

2> redirects error stream into specified path, /dev/null means nowhere (into the void).

Bandit Level 7

Level Goal

The password for the next level is stored in the file data.txt next to the word millionth

➜ ssh bandit.labs.overthewire.org -p 2220 -l bandit7

bandit7@bandit:~$ grep "millionth" data.txt
millionth       TESKZC0XvTetK0S9xNwm25STk5iWrBvP

grep is a tool for searching patterns in files

Bandit Level 8

Level Goal

The password for the next level is stored in the file data.txt and is the only line of text that occurs only once

➜ ssh bandit.labs.overthewire.org -p 2220 -l bandit8

bandit8@bandit:~$ cat data.txt | sort | uniq -u
EN632PlfYiZbn3PhVK3XOGSlNInNE00t

The command could be explored here

Bandit Level 9

Level Goal

The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.

➜ ssh bandit.labs.overthewire.org -p 2220 -l bandit9

bandit9@bandit:~$ file data.txt
data.txt: data
bandit9@bandit:~$ strings data.txt | grep "="
4========== the#
...
========== password
...
========== is
...
========== G7w8LIi6J3kTb8A7j9LgrywtEUlyyp6s
...

strings - print the printable characters in files

Bandit Level 10

Level Goal

The password for the next level is stored in the file data.txt, which contains base64 encoded data

➜ ssh bandit.labs.overthewire.org -p 2220 -l bandit10

bandit10@bandit:~$ cat data.txt
VGhlIHBhc3N3b3JkIGlzIDZ6UGV6aUxkUjJSS05kTllGTmI2blZDS3pwaGxYSEJNCg==
bandit10@bandit:~$ cat data.txt | base64 -d
The password is 6zPeziLdR2RKNdNYFNb6nVCKzphlXHBM

What is Base64?

Bandit Level 11

Level Goal

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions

➜ ssh bandit.labs.overthewire.org -p 2220 -l bandit11

bandit11@bandit:~$ cat data.txt
Gur cnffjbeq vf WIAOOSFzMjXXBC0KoSKBbJ8puQm5lIEi
bandit11@bandit:~$ cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'
The password is JVNBBFSmZwKKOP0XbFXOoW8chDz5yVRv

What is Rot13? (Quick tool: https://rot13.com)

tr command translates characters.

Bandit Level 12

Level Goal

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)

import subprocess
import binascii
import re
import os
import gzip
import bz2
import tarfile


def hexdump_to_file(infile, outfile):
    with open(infile) as data, open(outfile, "wb") as out:
        for line in data.readlines():
            out.write(
                binascii.unhexlify(
                    ''.join(re.findall(r'[a-fA-F0-9]{4}', line)[2:])
                )
            )


def file_output(file):
    return subprocess.check_output(["file", file]).decode().strip()


def unarchive(infile, outfile):
    file_type = file_output(infile).lower()

    if "gzip" in file_type:
        extension = "gz"
        archive = gzip
    elif "bzip2" in file_type:
        extension = "bz2"
        archive = bz2
    elif "tar" in file_type or infile.endswith(".bin"):
        with tarfile.open(infile, "r") as arc:
            arc.extractall(".")
            name = arc.getnames()[0]
        os.remove(infile)
        return name
    else:
        raise Exception("Unexpected Archive Format...")

    file_new = f"{os.path.basename(infile)}.{extension}"
    os.rename(infile, file_new)
    with archive.open(file_new, "rb") as arc, open(outfile, "wb") as out:
        out.write(arc.read())
    os.remove(file_new)
    return outfile


infile = "./data.txt"
outfile = "./data.out"

hexdump_to_file(infile, outfile)
while "ASCII" not in file_output(outfile):
    outfile = unarchive(outfile, "./data.out")

with open(outfile) as f:
    print(f.read().strip())

➜ ssh bandit.labs.overthewire.org -p 2220 -l bandit12

bandit12@bandit:~$ cd `mktemp -d` # Creates temporary directory and moves into it
bandit12@bandit:/tmp/tmp.bxlVRgI6th$ vi solve.py # CopyPasta
bandit12@bandit:/tmp/tmp.bxlVRgI6th$ cp ~/data.txt . # Copy file
bandit12@bandit:/tmp/tmp.bxlVRgI6th$ python3 solve.py # Solve
The password is wbWdlBxEir4CaE8LaPhauuOo6pwRmrDw

The intended solution must be to use linux commands (bzip2, gz, tar), but I decided to automate process.

Bandit Level 13

Level Goal

The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on

➜ ssh bandit.labs.overthewire.org -p 2220 -l bandit13

bandit13@bandit:~$ ls -alh
...
-rw-r-----  1 bandit14 bandit13 1.7K Apr 23 18:04 sshkey.private # id_rsa
bandit13@bandit:~$ ssh localhost -p 2220 -l bandit14 -i sshkey.private # Login as bandit14
bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
fGrHPx402xGC7U7rXKDaxiWFTOiF0ENq

Bandit Level 14

Level Goal

The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

➜ ssh bandit.labs.overthewire.org -p 2220 -l bandit14

bandit14@bandit:~$ echo /etc/bandit_pass/bandit14 | nc localhost 30000
Correct!
jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt

What is Netcat?

Bandit Level 15

Level Goal

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…

➜ ssh bandit.labs.overthewire.org -p 2220 -l bandit15

bandit14@bandit:~$ openssl s_client -connect localhost:30001
---
read R BLOCK
jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt # Input
Correct!
JQttfApK4SeyHwDlI9SXGR50qclOAil1
# OR 
bandit14@bandit:~$ ncat --ssl localhost 30001 # nc doens't do https
jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt # Input
Correct!
JQttfApK4SeyHwDlI9SXGR50qclOAil1

What is OpenSSL?

Bandit Level 16

Level Goal

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

➜ ssh bandit.labs.overthewire.org -p 2220 -l bandit16

bandit16@bandit:~$ nmap localhost -p 31000-32000 # Find Open Ports
Starting Nmap 7.80 ( https://nmap.org ) at 2023-07-07 18:20 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000077s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
31046/tcp open  unknown
31518/tcp open  unknown
31691/tcp open  unknown
31790/tcp open  unknown
31960/tcp open  unknown

bandit16@bandit:~$ nmap -sV -p 31046,31518,31691,31790,31960 localhost # Look For SSL Services
Starting Nmap 7.80 ( https://nmap.org ) at 2023-07-07 18:24 UTC
Stats: 0:00:06 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000093s latency).

PORT      STATE SERVICE     VERSION
31046/tcp open  echo
31518/tcp open  ssl/echo
31691/tcp open  echo
31790/tcp open  ssl/unknown
31960/tcp open  echo
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port31790-TCP:V=7.80%T=SSL%I=7%D=7/7%Time=64A8587F%P=x86_64-pc-linux-gn
SF:u%r(GenericLines,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20cur
SF:rent\x20password\n")%r(GetRequest,31,"Wrong!\x20Please\x20enter\x20the\
SF:x20correct\x20current\x20password\n")%r(HTTPOptions,31,"Wrong!\x20Pleas
SF:e\x20enter\x20the\x20correct\x20current\x20password\n")%r(RTSPRequest,3
SF:1,"Wrong!\x20Please\x20enter\x20the\x20correct\x20current\x20password\n
SF:")%r(Help,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20current\x2
SF:0password\n")%r(SSLSessionReq,31,"Wrong!\x20Please\x20enter\x20the\x20c
SF:orrect\x20current\x20password\n")%r(TerminalServerCookie,31,"Wrong!\x20
SF:Please\x20enter\x20the\x20correct\x20current\x20password\n")%r(TLSSessi
SF:onReq,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20current\x20pas
SF:sword\n")%r(Kerberos,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x2
SF:0current\x20password\n")%r(FourOhFourRequest,31,"Wrong!\x20Please\x20en
SF:ter\x20the\x20correct\x20current\x20password\n")%r(LPDString,31,"Wrong!
SF:\x20Please\x20enter\x20the\x20correct\x20current\x20password\n")%r(LDAP
SF:SearchReq,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20current\x2
SF:0password\n")%r(SIPOptions,31,"Wrong!\x20Please\x20enter\x20the\x20corr
SF:ect\x20current\x20password\n");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 97.97 seconds

bandit16@bandit:~$ ncat --ssl localhost 31790
JQttfApK4SeyHwDlI9SXGR50qclOAil1
Correct!
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
-----END RSA PRIVATE KEY-----

Bandit Level 17

Level Goal

There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new

NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19

# .\bandit17.id_rsa => Private Key From Previous Challenge
➜ ssh bandit.labs.overthewire.org -p 2220 -l bandit17 -i .\bandit17.id_rsa

bandit17@bandit:~$ diff passwords.old passwords.new
42c42
< glZreTEH1V3cGKL6g4conYqZqaEj0mte
---
> hga5tuuCLF6fFzUpnagiMN8ssu9LFrdg

diff - Compare Files Line By Line

Bandit Level 18

Level Goal

The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

# SSH Can Execute Commands (e.g.: "/bin/sh" To Spawn Shell)
➜ ssh bandit.labs.overthewire.org -p 2220 -l bandit18 /bin/sh
id # Are We Bandit18?
uid=11018(bandit18) gid=11018(bandit18) groups=11018(bandit18)
ls -alh # List Files
total 24K
drwxr-xr-x  2 root     root     4.0K Apr 23 18:04 .
drwxr-xr-x 70 root     root     4.0K Apr 23 18:05 ..
-rw-r--r--  1 root     root      220 Jan  6  2022 .bash_logout
-rw-r-----  1 bandit19 bandit18 3.8K Apr 23 18:04 .bashrc
-rw-r--r--  1 root     root      807 Jan  6  2022 .profile
-rw-r-----  1 bandit19 bandit18   33 Apr 23 18:04 readme
cat readme # Read Flag
awhqfNnAbc1naukrpqDYcF95h7HoMTrC
exit # Exit

Execute Command Using SSH

Bandit Level 19

Level Goal

To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

➜ ssh bandit.labs.overthewire.org -p 2220 -l bandit19

bandit19@bandit:~$ ./bandit20-do
Run a command as another user.
  Example: ./bandit20-do id
  
bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
VxCazJaVykI6W36BkBU0mJTCM8rR95XT

Bandit Level 20

Level Goal

There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: Try connecting to your own network daemon to see if it works as you think

➜ ssh bandit.labs.overthewire.org -p 2220 -l bandit20

bandit20@bandit:~$ echo -n 'VxCazJaVykI6W36BkBU0mJTCM8rR95XT' | nc -lp 4444 &
[3] 1199884

bandit20@bandit:~$ ./suconnect 4444
Read: VxCazJaVykI6W36BkBU0mJTCM8rR95XT
Password matches, sending next password
NvEJF7oVjkddltPSrdKEFOllh9V1IBcq
[3]+  Done                    echo -n 'VxCazJaVykI6W36BkBU0mJTCM8rR95XT' | nc -lp 4444

Run netcat in background with & and serve password (echo text) whenever something connects.

Bandit Level 21

Level Goal

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

➜ ssh bandit.labs.overthewire.org -p 2220 -l bandit21

bandit21@bandit:~$ cd /etc/cron.d

bandit21@bandit:/etc/cron.d$ ls -lh
total 36K
-rw-r--r-- 1 root root  62 Apr 23 18:04 cronjob_bandit15_root
-rw-r--r-- 1 root root  62 Apr 23 18:04 cronjob_bandit17_root
-rw-r--r-- 1 root root 120 Apr 23 18:04 cronjob_bandit22
-rw-r--r-- 1 root root 122 Apr 23 18:04 cronjob_bandit23
-rw-r--r-- 1 root root 120 Apr 23 18:04 cronjob_bandit24
-rw-r--r-- 1 root root  62 Apr 23 18:04 cronjob_bandit25_root
-rw-r--r-- 1 root root 201 Jan  8  2022 e2scrub_all
-rwx------ 1 root root  52 Apr 23 18:05 otw-tmp-dir
-rw-r--r-- 1 root root 396 Feb  2  2021 sysstat

bandit21@bandit:/etc/cron.d$ cat cronjob_bandit22 # View Cronjob
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null

bandit21@bandit:/etc/cron.d$ ls -lh /usr/bin/cronjob_bandit22.sh # Check Permissions
-rwxr-x--- 1 bandit22 bandit21 130 Apr 23 18:04 /usr/bin/cronjob_bandit22.sh

bandit21@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit22.sh # View Script
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

bandit21@bandit:/etc/cron.d$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
WdDozAdTM2z9DiFEQ2mGlwngMfj4EZff

Bandit Level 22

Level Goal

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.

➜ ssh bandit.labs.overthewire.org -p 2220 -l bandit22

bandit22@bandit:~$ cd /etc/cron.d

bandit22@bandit:/etc/cron.d$ ls -h
cronjob_bandit15_root  cronjob_bandit22  cronjob_bandit24       e2scrub_all  sysstat
cronjob_bandit17_root  cronjob_bandit23  cronjob_bandit25_root  otw-tmp-dir

bandit22@bandit:/etc/cron.d$ cat cronjob_bandit23 # View Cronjob
@reboot bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null

bandit22@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit23.sh # View Script
#!/bin/bash
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget

bandit22@bandit:/etc/cron.d$ echo "I am user $(whoami)"
I am user bandit22

bandit22@bandit:/etc/cron.d$ echo "I am user bandit23" | md5sum
8ca319486bfbbc3663ea0fbe81326349-

bandit22@bandit:/etc/cron.d$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
QYw0Y2aiA672PsMmh9puTQuhoz8SyR2G

Bandit Level 23

Level Goal

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!

NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…

➜ ssh bandit.labs.overthewire.org -p 2220 -l bandit23

bandit23@bandit:~$ cd /etc/cron.d

bandit23@bandit:/etc/cron.d$ cat cronjob_bandit24 # View Cronjob
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null

bandit23@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit24.sh # View Script
#!/bin/bash
myname=$(whoami)
cd /var/spool/$myname/foo || exit 1 # If cd Fails Program Will Exit
echo "Executing and deleting all scripts in /var/spool/$myname/foo:"
for i in * .*; # * -> Visible Files, .* -> Hidden Files
do
    if [ "$i" != "." -a "$i" != ".." ]; # If Not Current Directory or Parent Directory
    then
        echo "Handling $i" 
        owner="$(stat --format "%U" ./$i)" # Check For Owner
        if [ "${owner}" = "bandit23" ]; then # Execute Files Created By bandit23
            timeout -s 9 60 ./$i 
        fi
        rm -rf ./$i # Delete Scripts
    fi
done

bandit23@bandit:/etc/cron.d$ cd `mktemp -d`

bandit23@bandit:/tmp/tmp.WP2yI80AKP$ echo -e '#!/bin/bash\ncat /etc/bandit_pass/bandit24 > /tmp/tmp.WP2yI80AKP/flag' > getflag

bandit23@bandit:/tmp/tmp.WP2yI80AKP$ cat getflag # Payload
#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/tmp.WP2yI80AKP/flag 

bandit23@bandit:/tmp/tmp.WP2yI80AKP$ chmod +x getflag # Make File Executable

bandit23@bandit:/tmp/tmp.WP2yI80AKP$ chmod 777 /tmp/tmp.WP2yI80AKP # Allow Other Users To Write In Current Directory

bandit23@bandit:/tmp/tmp.WP2yI80AKP$ cp getflag /var/spool/bandit24/foo/ # Copy File To Be Executed

# Wait...

bandit23@bandit:/tmp/tmp.WP2yI80AKP$ cat flag 
VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar

After a minute flag will be written in given path. You can you watch command to not check ls everytime.

e.g.: watch ls (Quit -> Ctrl+C)

Bandit Level 24

Level Goal

A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing. You do not need to create new connections each time

# Build Up Buffer Of All Password + PIN Combinations
# Dump It Inside `netcat` Listener
# Save Results In `results` In Case You Miss It
bandit24@bandit:/tmp/tmp.q0T7KkBSEg$ (for pin in {0000..9999}; do echo "VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar $pin"; done) | nc localhost 30002 | tee results
...
Wrong! Please enter the correct pincode. Try again.
Wrong! Please enter the correct pincode. Try again.
Correct!
The password of user bandit25 is p7TaowMYrmu23Ol8hiZh9UvD0O9hpx8d

Exiting.

Bandit Level 25

Level Goal

Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.

➜ ssh bandit.labs.overthewire.org -p 2220 -l bandit25

bandit25@bandit:~$ cat /etc/passwd | grep bandit26
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext

bandit25@bandit:~$ cat /usr/bin/showtext
#!/bin/sh
export TERM=linux
exec more ~/text.txt # <--- Exploitable
exit 0

more can execute commands in a subshell, but the subshell is /usr/bin/showtext. We can enter vi with v, change shell and finally spawn shell.

# Minimize Terminal Vertically, So At Least 1 Line Is Visibile
# It's Important Because `more` Shouldn't Exit
bandit25@bandit:~$ ssh localhost -p 2220 -l bandit26 -i bandit26.sshkey

Press: v # To Enter vi
Type: :set shell=/bin/bash # Change Shell
Type: :shell # Spawn Shell
Enter

bandit26@bandit:~$ id
uid=11026(bandit26) gid=11026(bandit26) groups=11026(bandit26)
 
bandit26@bandit:~$ cat /etc/bandit_pass/bandit26
c7GvcKlw9mC7aUQaPx7nwFstuAIBw1o1

Bandit Level 26

Level Goal

Good job getting a shell! Now hurry and grab the password for bandit27!

# See "Bandit Level 25" To Get In bandit26
bandit26@bandit:~$ ./bandit27-do cat /etc/bandit_pass/bandit27
YnQpBuifNMas1hcUFk70ZmqkhUU2EuaS

Bandit Level 27

Level Goal

There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo via the port 2220. The password for the user bandit27-git is the same as for the user bandit27.