My OverTheWire Bandit solutions level 0-27. I found this a fun way to refresh on my lesser used Linux commands.

Level 0 -> Level 1

The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.

→ ssh bandit.labs.overthewire.org -p 2220 -l bandit0
bandit0@bandit:~$ ls -al
total 24
drwxr-xr-x  2 root    root    4096 Nov 13 15:58 .
drwxr-xr-x 29 root    root    4096 Nov 13 15:57 ..
-rw-r--r--  1 root    root     220 Sep  1  2015 .bash_logout
-rw-r--r--  1 root    root    3771 Sep  1  2015 .bashrc
-rw-r--r--  1 root    root     655 Jun 24  2016 .profile
-rw-r-----  1 bandit1 bandit0   33 Nov 13 15:58 readme
bandit0@bandit:~$ cat readme
boJ9jbbUNNfktd78OOpsqOltutMc3MY1

Level 1 -> Level 2

The password for the next level is stored in a file called - located in the home directory.

bandit1@bandit:~$ cat ./-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

Level 2 -> Level 3

The password for the next level is stored in a file called spaces in this filename located in the home directory.

bandit2@bandit:~$ cat spaces\ in\ this\ filename
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

Level 3 -> Level 4

The password for the next level is stored in a hidden file in the inhere directory.

bandit3@bandit:~$ cd inhere
bandit3@bandit:~/inhere$ ls -al
total 12
drwxr-xr-x 2 root    root    4096 Nov 13 15:58 .
drwxr-xr-x 3 root    root    4096 Nov 13 15:58 ..
-rw-r----- 1 bandit4 bandit3   33 Nov 13 15:58 .hidden
bandit3@bandit:~/inhere$ cat .hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB

Level 4 -> Level 5

The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.

I decided to use the file command to determine which files are human-readable.

bandit4@bandit:~/inhere$ file ./*
./-file00: data
./-file01: data
./-file02: data
./-file03: data
./-file04: data
./-file05: data
./-file06: data
./-file07: ASCII text
./-file08: data
./-file09: data
bandit4@bandit:~/inhere$ file ./* | grep "ASCII text"
./-file07: ASCII text
bandit4@bandit:~/inhere$ ls -al
total 48
-rw-r----- 1 bandit5 bandit4   33 Nov 13 15:58 -file00
-rw-r----- 1 bandit5 bandit4   33 Nov 13 15:58 -file01
-rw-r----- 1 bandit5 bandit4   33 Nov 13 15:58 -file02
-rw-r----- 1 bandit5 bandit4   33 Nov 13 15:58 -file03
-rw-r----- 1 bandit5 bandit4   33 Nov 13 15:58 -file04
-rw-r----- 1 bandit5 bandit4   33 Nov 13 15:58 -file05
-rw-r----- 1 bandit5 bandit4   33 Nov 13 15:58 -file06
-rw-r----- 1 bandit5 bandit4   33 Nov 13 15:58 -file07
-rw-r----- 1 bandit5 bandit4   33 Nov 13 15:58 -file08
-rw-r----- 1 bandit5 bandit4   33 Nov 13 15:58 -file09
drwxr-xr-x 2 root    root    4096 Nov 13 15:58 .
drwxr-xr-x 3 root    root    4096 Nov 13 15:58 ..
bandit4@bandit:~/inhere$ file ./* | grep "ASCII text"
./-file07: ASCII text
bandit4@bandit:~/inhere$ cat ./-file07
koReBOKuIDDepwhWk7jZC0RTdopnAYKh

Level 5 -> Level 6

The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:

  • human-readable
  • 1033 bytes in size
  • not executable

I looked for files with size 1033 bytes that are not executable. Since I only returned one output, I’m able to check to see if it’s human-readable using cat.

bandit5@bandit:~$ find . -type f -size 1033c ! -executable
./inhere/maybehere07/.file2
bandit5@bandit:~$ cat ./inhere/maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7

Level 6 -> Level 7

The password for the next level is stored somewhere on the server and has all of the following properties:

  • owned by user bandit7
  • owned by group bandit6
  • 33 bytes in size

Using find again with the arguments that fit the above requirements. I routed all STDERR outputs to /dev/null for a cleaner output.

bandit6@bandit:~$ find / -user bandit7 -group bandit6 -size 33c 2>/dev/null
/var/lib/dpkg/info/bandit7.password

Level 7 -> Level 8

The password for the next level is stored in the file data.txt next to the word millionth.

Using grep to see what the file looks like around the word ‘millionth’. Once I had a sense of how the file is structured, I used awk to get my desired output.

bandit7@bandit:~$ grep -C 3 millionth data.txt
go  vilygVSBNRzRXSZFzIeSbajhHHRrjgln
controversially p1JE4gkWuFxTpk55Zfo3xqLe3RqhWtHX
conspiracies    tbkj5iLjadNfPTCslAvnU9nyFeHBfu1o
millionth   cvX2JJa4CFALtqS87jk27qwqGhBM9plV
wardrooms   ERG4eyK8q5eIP554LQysscc5oQuEGV8c
admissions  4vOZpSuzFUMNqJtrXVcNaheXuGDbrPCo
wearying    kS75kziqMp5mUopzJTKaJRf0SIBDWLGf
bandit7@bandit:~$ awk '/millionth/ {print $2}' data.txt
cvX2JJa4CFALtqS87jk27qwqGhBM9plV

Level 8 -> Level 9

The password for the next level is stored in the file data.txt and is the only line of text that occurs only once.

bandit8@bandit:~$ cat data.txt | sort | uniq -u
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

Level 9 -> Level 10

The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.

strings prints out human-readable strings. My initial output using regex filtering was missing the password, so I used a simpler search.

bandit9@bandit:~$ strings data.txt | grep -e "^[=+]"
========== theOkM
=hrV`
========== password
========== is
+3CMz
=GUl
+xOU
=/wW
bandit9@bandit:~$ strings data.txt | grep =
========== theOkM
L=8@
=hrV`
========== password
========== is
H)=QU
>]".x=
{=u/,i_
{=jh
=GUl
e=y:
4H5=
)========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
=/wW
~BX=

Level 10 -> Level 11

The password for the next level is stored in the file data.txt, which contains base64 encoded data.

bandit10@bandit:~$ base64 -d data.txt
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

Level 11 -> Level 12

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions.

[https://en.wikipedia.org/wiki/ROT13]ROT13(https://en.wikipedia.org/wiki/ROT13) is a simple cipher where you rotate 13 places. I used tr to shift my text by 13 letters.

bandit11@bandit:~$ cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

Level 12 -> Level 13

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)

As recommended, I created a new directory and copied the file to it.

bandit12@bandit:~$ mkdir /tmp/bandit12data
bandit12@bandit:~$ cp data.txt /tmp/bandit12data
bandit12@bandit:~$ cd /tmp/bandit12data

Since this is a hexdump, I used xxd to convert it back to the original binary. then checked its file type.

bandit12@bandit:/tmp/bandit12data$ xxd -r data.txt data.orig
bandit12@bandit:/tmp/bandit12data$ file data.orig
data.orig: gzip compressed data, was "data2.bin", last modified: Mon Nov 13 14:58:07 2017, max compression, from Unix

For gzip, I used zcat to output the decompressed file to one with the original name since I did not want to continually change the suffix. I then check the file information to see what it was compressed with and used the corresponding tool to decompress. Many decompressions later…

bandit12@bandit:/tmp/bandit12data$ gzip -d data.orig
gzip: data.orig: unknown suffix -- ignored
bandit12@bandit:/tmp/bandit12data$ zcat data.orig > data2.bin
bandit12@bandit:/tmp/bandit12data$ file data2.bin
data2.bin: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/bandit12data$ bzip2 -d data2.bin
bzip2: Can't guess original name for data2.bin -- using data2.bin.out
bandit12@bandit:/tmp/bandit12data$ file data2.bin.out
data2.bin.out: gzip compressed data, was "data4.bin", last modified: Mon Nov 13 14:58:07 2017, max compression, from Unix
bandit12@bandit:/tmp/bandit12data$ zcat data2.bin.out > data4.bin
bandit12@bandit:/tmp/bandit12data$ file data4.bin
data4.bin: POSIX tar archive (GNU)
bandit12@bandit:/tmp/bandit12data$ tar -xvf data4.bin
data5.bin
bandit12@bandit:/tmp/bandit12data$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@bandit:/tmp/bandit12data$ tar -xvf data5.bin
data6.bin
bandit12@bandit:/tmp/bandit12data$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/bandit12data$ bzip2 -d data6.bin
bzip2: Can't guess original name for data6.bin -- using data6.bin.out
bandit12@bandit:/tmp/bandit12data$ file data6.bin.out
data6.bin.out: POSIX tar archive (GNU)
bandit12@bandit:/tmp/bandit12data$ tar -xvf data6.bin.out
data8.bin
bandit12@bandit:/tmp/bandit12data$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", last modified: Mon Nov 13 14:58:07 2017, max compression, from Unix
bandit12@bandit:/tmp/bandit12data$ zcat data8.bin > data9.bin
bandit12@bandit:/tmp/bandit12data$ file data9.bin
data9.bin: ASCII text
bandit12@bandit:/tmp/bandit12data$ cat data9.bin
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

Level 13 -> Level 14

The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on.

bandit13@bandit:~$ ls -al
total 24
drwxr-xr-x  2 root     root     4096 Nov 13 15:58 .
drwxr-xr-x 29 root     root     4096 Nov 13 15:57 ..
-rw-r--r--  1 root     root      220 Sep  1  2015 .bash_logout
-rw-r--r--  1 root     root     3771 Sep  1  2015 .bashrc
-rw-r--r--  1 root     root      655 Jun 24  2016 .profile
-rw-r-----  1 bandit14 bandit13 1679 Nov 13 15:58 sshkey.private
bandit13@bandit:~$ cat sshkey.private
[REDACTED]
bandit13@bandit:~$ ssh -i sshkey.private bandit14@localhost
bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

Level 14 -> Level 15

The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

bandit14@bandit:~$ telnet localhost 30000
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr

Connection closed by foreign host.

Level 15 -> Level 16

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

bandit15@bandit:~$ openssl s_client -connect localhost:30001 -ign_eof
CONNECTED(00000003)
depth=0 CN = bandit
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = bandit
verify return:1
---
Certificate chain
 0 s:/CN=bandit
   i:/CN=bandit
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICsjCCAZqgAwIBAgIJAOiKeDKsXb/8MA0GCSqGSIb3DQEBCwUAMBExDzANBgNV
BAMMBmJhbmRpdDAeFw0xNzExMTEyMDA1MTJaFw0yNzExMDkyMDA1MTJaMBExDzAN
BgNVBAMMBmJhbmRpdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM94
fvfAy+PhF9WCKwCmMccdSooUfl2xTxwJ7l6tE9/uMc43CeCskmUhp6B5VQB5yVqs
nLBmDpBaDN66XqlzGTyB9gEDELOtYsX20Y48Sd7t/OY3xSV/uIkv+hU10lKSMPd/
khxVjoVdebWoTJkwOz6HX0AvaTbDSRG6oBJ4m99ssNZXGymDjENXESkNeOuxKkGH
wIlb6oNLdNTnVWcDtQF6bIofS8v6dRHykKekQ4y9ml7/FzhQJlTMymfSo48GgbNf
PWs8KMHMoCSs9byWXHs5OUScqXdC6aC7onRNODSv1/gZiwBFIjvq8+nlj7P8XgTy
OqsPvIz+FAS8EvcXH0cCAwEAAaMNMAswCQYDVR0TBAIwADANBgkqhkiG9w0BAQsF
AAOCAQEAxD1vr08ahuVDmr3/CHuQUX7w/K3pevWJcjh8xd3Zxbv4WdIEXMrIBMHI
lcmTW2z7ZqcEfnCgbqWjY7Dy1N1JN7fvkUDpJhEdYPzdr6XHlSAO+oqEy27J94xl
a8hwBJg+euFrJ5jwIU7hZqsEWppNm0uZofSlOWcue3q7V8e7dcJWo6lArPjtMWWD
DG2DPDNBIuWktcrQj6eT28Voxjn6iM2ivUWJqsvFSpQ/xwionp8A3ZfiagJKGt/C
4I1QAOqIGVLqOCP+vAjB2utsRP51vXxAeEDu/3hE9Azk/Ap0Z3Nb8XrLSNyfUUm/
oi8cAsr0CunA8qK/B6cVEHm6837xIQ==
-----END CERTIFICATE-----
subject=/CN=bandit
issuer=/CN=bandit
---
No client certificate CA names sent
---
SSL handshake has read 1015 bytes and written 631 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: 36C277A25E05CBC7F1B468EBD5A4CACE1D5EF117F89E78CBAB122B3EF8A1DD23
    Session-ID-ctx:
    Master-Key: C72B2568A031FC5C3773DA8386058F770C0CEDDB70A5878FC232C9DA8C0F510F45F70D96913F7AFABB7DC4684CAA2B35
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 8d 8d 08 76 bd 8b dc 4e-f1 f1 6b ed 03 44 22 c5   ...v...N..k..D".
    0010 - a2 c4 d0 9a de fa 4b 9f-a3 df 92 4a 73 f0 08 6d   ......K....Js..m
    0020 - c0 51 85 d0 51 84 30 b5-e7 57 fb c5 fd be 04 2a   .Q..Q.0..W.....*
    0030 - 31 63 59 03 9a ac b8 b5-ce 82 78 72 67 d7 63 78   1cY.......xrg.cx
    0040 - d6 93 b1 c5 4a de 52 de-91 6c 28 03 f6 aa 86 06   ....J.R..l(.....
    0050 - b8 5f 1e 09 52 be a0 21-92 f4 a6 01 05 fd ca e2   ._..R..!........
    0060 - 36 b7 26 28 6c 1a 75 98-b4 12 5d 18 d6 43 52 e7   6.&(l.u...]..CR.
    0070 - a5 22 bc d4 36 a1 49 da-c7 7f db a7 5d ed 2c 7a   ."..6.I.....].,z
    0080 - 87 c1 53 88 75 51 2b 0a-36 d5 03 69 b3 13 f1 f1   ..S.uQ+.6..i....
    0090 - ee 73 6e ca 2a 9d 8a 26-ae b5 20 8b 71 f9 09 06   .sn.*..&.. .q...

    Start Time: 1514325241
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
BfMYroe26WYalil77FoDi9qh59eK5xNr
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd

closed

Level 16 -> Level 17

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

First I scanned the port range to see which ports were open and supports SSLv3.

bandit16@bandit:~$ nmap --script ssl-enum-ciphers -p 31000-32000 localhost

Starting Nmap 7.01 ( https://nmap.org ) at 2017-12-26 23:36 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00015s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 996 closed ports
PORT      STATE SERVICE
31046/tcp open  unknown
31518/tcp open  unknown
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: indeterminate
|     cipher preference error: Too few ciphers supported
|_  least strength: A
31691/tcp open  unknown
31790/tcp open  unknown
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: indeterminate
|     cipher preference error: Too few ciphers supported
|_  least strength: A
31960/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.84 seconds

I only have 2 ports returned, so I manually tested them.

bandit16@bandit:~$ echo cluFn7wTiGryunymYOu4RcffSxQluehd | openssl s_client -connect localhost:31518 -ign_eof
bandit16@bandit:~$ echo cluFn7wTiGryunymYOu4RcffSxQluehd | openssl s_client -connect localhost:31790 -ign_eof

The latter yieled an RSA private key which I saved to a file and used to ssh into level 17.

bandit16@bandit:/tmp$ mkdir /tmp/bandit17
bandit16@bandit:/tmp$ cd /tmp/bandit17
bandit16@bandit:/tmp$ vim id_rsa
bandit16@bandit:/tmp$ chmod 600 id_rsa
bandit16@bandit:/tmp$ ssh -i id_rsa bandit17@localhost

Level 17 -> Level 18

There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new

bandit17@bandit:~$ diff passwords.new passwords.old
42c42
< kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
---
> 7cDk1R96wgw11eEuTk1zgbjAindhpUA5

Level 18 -> Level 19

The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

→ ssh bandit.labs.overthewire.org -p 2220 -l bandit18 -t "bash --noprofile --norc"
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit18@bandit.labs.overthewire.org's password:
bash-4.3$ cat readme
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

Level 19 -> Level 20

To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j

Level 20 -> Level 21

There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: Changes to the infrastructure made this level more difficult. You will need to figure out a way to launch multiple commands in the same Docker instance.

NOTE 2: Try connecting to your own network daemon to see if it works as you think

Due to the infrastructure changes mentioned in note 1, launching a new shell will connect to a newly spawned Docker container. To avoid this, I have two sessions opened in tmux in the same shell. The first shell will listen in on a random port I choose (34100), and the second shell will run the suconnect binary.

Session 1:
bandit20@bandit:~$ nc -l 31400
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr

Session 2:
bandit20@bandit:~$ ./suconnect 31400
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password

Level 21 -> Level 22

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

bandit21@bandit:~$ ls -al /etc/cron.d
total 28
drwxr-xr-x   2 root root 4096 Nov 13 15:58 .
drwxr-xr-x 101 root root 4096 Dec 16 14:19 ..
-rw-r--r--   1 root root  102 Apr  5  2016 .placeholder
-rw-r--r--   1 root root  120 Nov 13 15:58 cronjob_bandit22
-rw-r--r--   1 root root  122 Nov 13 15:58 cronjob_bandit23
-rw-r--r--   1 root root  120 Nov 13 15:58 cronjob_bandit24
-rw-r--r--   1 root root  190 Oct 31 13:21 popularity-contest
bandit21@bandit:~$ cat /etc/cron.d/cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
bandit21@bandit:~$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
bandit21@bandit:~$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

Level 22 -> Level 23

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.

bandit22@bandit:~$ ls -al /etc/cron.d
total 28
drwxr-xr-x   2 root root 4096 Nov 13 15:58 .
drwxr-xr-x 101 root root 4096 Dec 16 14:19 ..
-rw-r--r--   1 root root  102 Apr  5  2016 .placeholder
-rw-r--r--   1 root root  120 Nov 13 15:58 cronjob_bandit22
-rw-r--r--   1 root root  122 Nov 13 15:58 cronjob_bandit23
-rw-r--r--   1 root root  120 Nov 13 15:58 cronjob_bandit24
-rw-r--r--   1 root root  190 Oct 31 13:21 popularity-contest
bandit22@bandit:~$ cat /etc/cron.d/cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
bandit22@bandit:~$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget
bandit22@bandit:~$ whoami
bandit22
bandit22@bandit:~$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349
bandit22@bandit:~$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n

Level 23 -> Level 24

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!

NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around.

bandit23@bandit:/var/spool/bandit24$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
    echo "Handling $i"
    timeout -s 9 60 ./$i
    rm -f ./$i
    fi
done

A previous level mentioned that passwords are stored in this file: /etc/bandit_pass/bandit24. Since the script will be executed before it is deleted, the following bash script will export the contents of the file to something accessable to my current bandit23 user. Note that the script has to have execute permissions to run.

bandit23@bandit:~$ cd /var/spool/bandit24
bandit23@bandit:/var/spool/bandit24$ vim script.sh
bandit23@bandit:/var/spool/bandit24$ chmod 777 script.sh
#!/bin/bash
mkdir /tmp/bandit24tmp
cat /etc/bandit_pass/bandit24 > /tmp/bandit24tmp/password.txt
bandit23@bandit:/var/spool/bandit24$ cat /tmp/bandit24tmp/password.txt
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

Level 24 -> Level 25

A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.

I first checked to see the output of sending the password and pin to port 30002 via netcat.

bandit24@bandit:~$ echo UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 0000 | nc localhost 30002
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
Wrong! Please enter the correct pincode. Try again.
Exiting.

After inspecting the output, I wrote a quick script to brute force all 10000 combinations and outputted to a file.

bandit24@bandit:~$ mkdir /tmp/bandit24tmp
for i in $(seq -f "%04g" 0 9999); do echo UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i | nc localhost 30002; done > /tmp/bandit24tmp/output.txt

Then we grab the only unique output.

bandit24@bandit:~$ sort /tmp/bandit24tmp/output.txt | uniq -u

Correct!
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

Level 25 -> Level 26

Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.

This one took me a while to figure out. The SSH key to log in is clearly located in the home directory, however SSH’ing into bandit26@localhost causes the connection to close.

I first looked at what shell the user was using:

bandit25@bandit:~$ getent passwd bandit26 | cut -d: -f7
/usr/bin/showtext```

Upon further inspection, /usr/bin/showtext is a shell script:

bandit25@bandit:~$ cat /usr/bin/showtext
#!/bin/sh

export TERM=linux

more ~/text.txt
exit 0

I’m not going to give this one away, but the trick to solving this one is exploiting the properties of how more displays text to access one of the files the user has read access to and retrieving the password from there.

Level 26 -> Level 27

At this moment, level 27 does not exist yet.