# OverTheWire Bandit Solutions

## Level 0

We'll connect to the server on port 2220.

```
ssh bandit0@bandit.labs.overthewire.org -p 2220
```

username: bandit0
password: bandit0

## Level 1

The password for level 1 is stored in a file named "readme"; simply cat the file.

```
cat readme
```

username: bandit1
password: NH2SXQwcBdpmTEzi3bvBHMM9H66vVXjL

## Level 2

At this level, we need to read a file named '-'. Because the file name is a special character on the command line, we let find return the file's path and pass it to cat through command substitution.

```
cat $(find . -name '-')
```

username: bandit2
password: rRGizSaX8Mk1RTb1CNQoXTcYZWU6lgzi

## Level 3

This one is much easier than the last level :v. Enclose the filename in quotes, single or double, then cat it.

```
cat 'spaces in this filename'
```

username: bandit3
password: aBZ0W5EmUfAf7kHTQeOwd8bauFJ2lAiG

## Level 4

```
cd inhere
ls -a
```

We can see there's a file named "hidden". Let's cat it out.

username: bandit4
password: 2EW7BBsr6aMMoJ2HjW067dm8EgX26xNe

## Level 5

```
cd inhere
ls -a
file $(find . -name "-file0*" -type f)
```

Apparently, the only file that contains readable data is file07.

```
cat ./-file07
```

username: bandit5
password: lrIWWI6bB37kxfiCQZqUdOIYfr6eEeqR

## Level 6

Similar to the previous level, we go to the inhere directory.

```
cd inhere
ls
```

There are around 20 files, which would be bothersome to check by hand :( Once again, we tackle this problem with the find command.

```
cat $(find . -size 1033c -not -executable -readable)
```

username: bandit6
password: P4L4vucdmLnm8I7Vl7jG1ApGSfjYKqJU

## Level 7

As there's no description of where the password is stored, we will search from the / directory.

```
cat $(find / -group bandit6 -user bandit7 -size 33c 2>/dev/null)
```

username: bandit7
password: z7WtoNQU2XfjmMtWA8u5rN4vzqu4v99S

## Level 8

If we try catting out data.txt, we get loads of data, which is a pain to search line by line. Using the grep command, we get the result.
```
bandit7@bandit:~$ grep "millionth" data.txt
millionth TESKZC0XvTetK0S9xNwm25STk5iWrBvP
```

username: bandit8
password: TESKZC0XvTetK0S9xNwm25STk5iWrBvP

## Level 9

Using sort and uniq, the password can be easily retrieved.

```
sort data.txt | uniq -c | awk '$1==1 { print $2 }'
```

username: bandit9
password: EN632PlfYiZbn3PhVK3XOGSlNInNE00t

## Level 10

Use the strings command to find the required password.

```
strings data.txt
```

username: bandit10
password: G7w8LIi6J3kTb8A7j9LgrywtEUlyyp6s

## Level 11

Simply decode the given base64 string.

```
bandit10@bandit:~$ cat data.txt | base64 -d
The password is 6zPeziLdR2RKNdNYFNb6nVCKzphlXHBM
```

username: bandit11
password: 6zPeziLdR2RKNdNYFNb6nVCKzphlXHBM

## Level 12

Every letter is rotated by 13 positions, so we rotate by 13 again to reverse it.

```
bandit11@bandit:~$ cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'
The password is JVNBBFSmZwKKOP0XbFXOoW8chDz5yVRv
```

username: bandit12
password: JVNBBFSmZwKKOP0XbFXOoW8chDz5yVRv

## Level 13

A rather tedious task, and it takes some time with the man pages to complete the level. The answer is as follows.
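Every step in the terminal session for this level is the same loop: identify the format with `file`, rename, decompress. As an added example (not part of the original write-up), the Python below automates that loop by picking each wrapper from its magic bytes; the function names, the layer bound and the sample input are constructed for illustration, and the sample secret is a placeholder rather than a level password.

```python
import bz2
import gzip
import io
import tarfile

def xxd_reverse(dump: str) -> bytes:
    """Rebuild bytes from `xxd` output lines: 'offset: hex groups  ascii'."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" in line:
            # The hex columns end at the two-space gap before the ASCII gutter.
            cols = line.split(":", 1)[1].lstrip().split("  ", 1)[0]
            out += bytes.fromhex(cols.replace(" ", ""))
    return bytes(out)

def peel(data: bytes):
    """Strip one wrapper chosen by magic bytes, as `file` does; (None, data) if none."""
    if data[:2] == b"\x1f\x8b":
        return "gzip", gzip.decompress(data)
    if data[:3] == b"BZh":
        return "bzip2", bz2.decompress(data)
    if data[257:262] == b"ustar":
        # Read the member in memory so its name is never used as a path on disk.
        with tarfile.open(fileobj=io.BytesIO(data)) as tar:
            files = [m for m in tar.getmembers() if m.isfile()]
            if len(files) != 1:
                raise ValueError("expected exactly one regular file in the archive")
            return "tar", tar.extractfile(files[0]).read()
    return None, data

def unwrap(dump: str, max_layers: int = 32):
    """Return (wrapper names, outermost first) and the innermost payload."""
    data, layers = xxd_reverse(dump), []
    while len(layers) < max_layers:  # assumed bound: refuse endless nesting
        kind, data = peel(data)
        if kind is None:
            return layers, data
        layers.append(kind)
    raise ValueError("too many nested wrappers")

def tar_of(name: str, payload: bytes) -> bytes:
    """Constructed-sample helper: a tar archive holding one file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

def build_sample():
    """Constructed input in the session's wrapper order; the secret is a placeholder."""
    secret = b"The password is CONSTRUCTED-PLACEHOLDER\n"
    blob = gzip.compress(secret)
    for step in ("data8.bin", bz2.compress, "data6.bin", "data5.bin",
                 gzip.compress, bz2.compress, gzip.compress):
        blob = tar_of(step, blob) if isinstance(step, str) else step(blob)
    rows = [f"{off:08x}: " + blob[off:off + 16].hex(" ", -2)
            for off in range(0, len(blob), 16)]
    return "\n".join(rows), secret
```

Calling `unwrap(build_sample()[0])` returns the wrapper list and the recovered text. The author's manual session for this level follows.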
```
bandit12@bandit:/tmp/pog$ xxd -r data.txt data
bandit12@bandit:/tmp/pog$ file data
data: gzip compressed data, was "data2.bin", last modified: Thu Sep 1 06:30:09 2022, max compression, from Unix, original size modulo 2^32 575
bandit12@bandit:/tmp/pog$ gzip -d data
gzip: data: unknown suffix -- ignored
bandit12@bandit:/tmp/pog$ mv data data.gz
bandit12@bandit:/tmp/pog$ gzip -d data.gz
bandit12@bandit:/tmp/pog$ ls
data  data.txt
bandit12@bandit:/tmp/pog$ file data
data: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/pog$ mv data data.bz
bandit12@bandit:/tmp/pog$ bzip2 -d data.bz
bandit12@bandit:/tmp/pog$ ls
data  data.txt
bandit12@bandit:/tmp/pog$ file data
bandit12@bandit:/tmp/pog$ ls
data.txt
bandit12@bandit:/tmp/pog$ file data.txt
data.txt: ASCII text
bandit12@bandit:/tmp/pog$ xxd -r data.txt d1
bandit12@bandit:/tmp/pog$ ls
d1  data.txt
bandit12@bandit:/tmp/pog$ file d1
d1: gzip compressed data, was "data2.bin", last modified: Thu Sep 1 06:30:09 2022, max compression, from Unix, original size modulo 2^32 575
bandit12@bandit:/tmp/pog$ mv d1 data2.gz
bandit12@bandit:/tmp/pog$ gzip -dv data2.gz
data2.gz: -0.9% -- replaced with data2
bandit12@bandit:/tmp/pog$ file data2
data2: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/pog$ mv data2 data2.bz
bandit12@bandit:/tmp/pog$ bzip2 -dv data2.bz
data2.bz: done
bandit12@bandit:/tmp/pog$ ls
data2  data.txt
bandit12@bandit:/tmp/pog$ file data2
data2: gzip compressed data, was "data4.bin", last modified: Thu Sep 1 06:30:09 2022, max compression, from Unix, original size modulo 2^32 20480
bandit12@bandit:/tmp/pog$ mv data2 data4.gz
bandit12@bandit:/tmp/pog$ gzip -dv data4.gz
data4.gz: 98.0% -- replaced with data4
bandit12@bandit:/tmp/pog$ file dataaa4
dataaa4: cannot open `dataaa4' (No such file or directory)
bandit12@bandit:/tmp/pog$ file data4
data4: POSIX tar archive (GNU)
bandit12@bandit:/tmp/pog$ mv data4 data4.tar
bandit12@bandit:/tmp/pog$ tar xvf data4.tar
data5.bin
bandit12@bandit:/tmp/pog$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@bandit:/tmp/pog$ mv data5.bin data5.tar
bandit12@bandit:/tmp/pog$ tar xvf data5.tar
data6.bin
bandit12@bandit:/tmp/pog$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/pog$ mv data6.bin data6.bz
bandit12@bandit:/tmp/pog$ bzip2 -dv data6.bz
data6.bz: done
bandit12@bandit:/tmp/pog$ ls
data4.tar  data5.tar  data6  data.txt
bandit12@bandit:/tmp/pog$ file data6
data6: POSIX tar archive (GNU)
bandit12@bandit:/tmp/pog$ mv data6 data6.tar
bandit12@bandit:/tmp/pog$ tar xvf data6.tar
data8.bin
bandit12@bandit:/tmp/pog$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", last modified: Thu Sep 1 06:30:09 2022, max compression, from Unix, original size modulo 2^32 49
bandit12@bandit:/tmp/pog$ mv data8.bin data9.gz
bandit12@bandit:/tmp/pog$ gzip -dv data9.gz
data9.gz: -4.1% -- replaced with data9
bandit12@bandit:/tmp/pog$ file data9
data9: ASCII text
bandit12@bandit:/tmp/pog$ cat data9
The password is wbWdlBxEir4CaE8LaPhauuOo6pwRmrDw
```

username: bandit13
password: wbWdlBxEir4CaE8LaPhauuOo6pwRmrDw

## Level 14

Log in to localhost with username bandit14.

```
ssh -i sshkey.private bandit14@localhost -p 2220
```

## Level 15

As the last level stated, the password is stored in /etc/bandit_pass/bandit14. Let's pass it to netcat.

```
bandit14@bandit:~$ cat /etc/bandit_pass/bandit14 | nc localhost 30000
Correct!
jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt
```

username: bandit15
password: jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt

## Level 16

Following the hints, we connect to the server.
```
bandit15@bandit:~$ openssl s_client -ign_eof -connect localhost:30001
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = localhost
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN = localhost
verify error:num=10:certificate has expired
notAfter=Oct 27 21:45:59 2022 GMT
verify return:1
depth=0 CN = localhost
notAfter=Oct 27 21:45:59 2022 GMT
verify return:1
---
Certificate chain
 0 s:CN = localhost
   i:CN = localhost
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA1
   v:NotBefore: Oct 27 21:44:59 2022 GMT; NotAfter: Oct 27 21:45:59 2022 GMT
---
Server certificate
[PEM certificate omitted]
subject=CN = localhost
issuer=CN = localhost
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1339 bytes and written 373 bytes
Verification error: certificate has expired
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 10 (certificate has expired)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: DAE7EA193A3A749B8954C6B969EB538BD119BFD9996671D290B574C26FAF4E87
    Session-ID-ctx:
    Resumption PSK: B0B8C3EC1FDADE4679B543D255D7A20F35F402400BCA3A851625F509FA33F81FDFA2E77EDAFFA1D652B032CC131E3BF2
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    [session ticket hex dump omitted]

    Start Time: 1667019354
    Timeout   : 7200 (sec)
    Verify return code: 10 (certificate has expired)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 635A22C8567D92058B64530D588BAE3D4D3FC2CE0D2A827DBEA03A70FBB2E040
    Session-ID-ctx:
    Resumption PSK: 6A4BD614EDF3665BC7A212831CEDB67B84D0F50CB5B606705602C25343F9396121892060ED62E027AED585B1E64C25B9
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    [session ticket hex dump omitted]

    Start Time: 1667019354
    Timeout   : 7200 (sec)
    Verify return code: 10 (certificate has expired)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt
Correct!
JQttfApK4SeyHwDlI9SXGR50qclOAil1
```

username: bandit16
password: JQttfApK4SeyHwDlI9SXGR50qclOAil1

## Level 17

Initially, scan for open ports on the server.
```
bandit16@bandit:~$ nmap -T 4 -sV -p 31000-32000 localhost
Starting Nmap 7.80 ( https://nmap.org ) at 2022-10-29 05:08 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00010s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE     VERSION
31046/tcp open  echo
31518/tcp open  ssl/echo
31691/tcp open  echo
31790/tcp open  ssl/unknown
31960/tcp open  echo
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port31790-TCP:V=7.80%T=SSL%I=7%D=10/29%Time=635CB573%P=x86_64-pc-linux-
SF:gnu%r(GenericLines,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20c
SF:urrent\x20password\n")%r(GetRequest,31,"Wrong!\x20Please\x20enter\x20th
SF:e\x20correct\x20current\x20password\n")%r(HTTPOptions,31,"Wrong!\x20Ple
SF:ase\x20enter\x20the\x20correct\x20current\x20password\n")%r(RTSPRequest
SF:,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20current\x20password
SF:\n")%r(Help,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20current\
SF:x20password\n")%r(SSLSessionReq,31,"Wrong!\x20Please\x20enter\x20the\x2
SF:0correct\x20current\x20password\n")%r(TerminalServerCookie,31,"Wrong!\x
SF:20Please\x20enter\x20the\x20correct\x20current\x20password\n")%r(TLSSes
SF:sionReq,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20current\x20p
SF:assword\n")%r(Kerberos,31,"Wrong!\x20Please\x20enter\x20the\x20correct\
SF:x20current\x20password\n")%r(FourOhFourRequest,31,"Wrong!\x20Please\x20
SF:enter\x20the\x20correct\x20current\x20password\n")%r(LPDString,31,"Wron
SF:g!\x20Please\x20enter\x20the\x20correct\x20current\x20password\n")%r(LD
SF:APSearchReq,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20current\
SF:x20password\n")%r(SIPOptions,31,"Wrong!\x20Please\x20enter\x20the\x20co
SF:rrect\x20current\x20password\n");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 98.15 seconds
```

As we can see, there are 2 ports with SSL enabled, but only 1 of them returned an error message. Now connect to port 31790 with openssl.

```
echo "JQttfApK4SeyHwDlI9SXGR50qclOAil1" | openssl s_client -connect localhost:31790 -ign_eof
```

This time the server doesn't return a password, but an RSA private key instead.

Now save it to a file. This will be used to solve the following level.

## Level 18

With the ```diff``` command, we can check for differences between 2 files.

```
bandit17@bandit:~$ diff -c passwords.new passwords.old
*** passwords.new 2022-09-01 06:30:14.607055961 +0000
--- passwords.old 2022-09-01 06:30:14.603055949 +0000
***************
*** 39,45 ****
  V6x7IomdjQZzKhQyBLArk9aYmZ4ZanbB
  MtxIvlcSt9EAT2ctwB4f0eE6BnmoNs6L
  L9I02Ew3NWAesqb55pgiRZ5h1Tinz1nJ
! hga5tuuCLF6fFzUpnagiMN8ssu9LFrdg
  9apvPSsRg5bxOWOlmUwSC81Ebt5jSQ5f
  7vegjKA3s3Jjstw5GUKdnqKInWKCV9JI
  v5DQA1BGlpLBfgevjvdNhnmi5d8no6gM
--- 39,45 ----
  V6x7IomdjQZzKhQyBLArk9aYmZ4ZanbB
  MtxIvlcSt9EAT2ctwB4f0eE6BnmoNs6L
  L9I02Ew3NWAesqb55pgiRZ5h1Tinz1nJ
! 09wUIyMU4YhOzl1Lzxoz0voIBzZ2TUAf
  9apvPSsRg5bxOWOlmUwSC81Ebt5jSQ5f
  7vegjKA3s3Jjstw5GUKdnqKInWKCV9JI
  v5DQA1BGlpLBfgevjvdNhnmi5d8no6gM
```

username: bandit18
password: hga5tuuCLF6fFzUpnagiMN8ssu9LFrdg

## Level 19

```
> ssh -p 2220 -i bandit18 bandit18@bandit.labs.overthewire.org "cat readme"
 _                     _ _ _
| |__   __ _ _ __   __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|

This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames

Load key "bandit18": invalid format
bandit18@bandit.labs.overthewire.org's password:
awhqfNnAbc1naukrpqDYcF95h7HoMTrC
```

username: bandit19
password: awhqfNnAbc1naukrpqDYcF95h7HoMTrC

## Level 20

```
bandit19@bandit:/etc/bandit_pass$ ~/./bandit20-do cat bandit20
VxCazJaVykI6W36BkBU0mJTCM8rR95XT
```

username: bandit20
password: VxCazJaVykI6W36BkBU0mJTCM8rR95XT

## Level 21

Open tmux and add 2 panes, 1 for netcat and 1 for suconnect. Start a netcat listener on port 8888.

```
bandit20@bandit:~$ nc -lvp 8888
Listening on 0.0.0.0 8888
```

Now run the binary.

```
bandit20@bandit:~$ ./suconnect 8888
```

Go back to the first pane and paste in the password from level 20.
```
bandit20@bandit:~$ nc -lvp 8888
Listening on 0.0.0.0 8888
Connection received on localhost 53696
VxCazJaVykI6W36BkBU0mJTCM8rR95XT
NvEJF7oVjkddltPSrdKEFOllh9V1IBcq
```

username: bandit21
password: NvEJF7oVjkddltPSrdKEFOllh9V1IBcq

## Level 22

```
bandit21@bandit:~$ cat /etc/cron.d/
cronjob_bandit15_root  cronjob_bandit22  cronjob_bandit24       e2scrub_all  .placeholder
cronjob_bandit17_root  cronjob_bandit23  cronjob_bandit25_root  otw-tmp-dir  sysstat
```

Having a look into /etc/cron.d/, and since we're currently at level 22, let's read cronjob_bandit22.

```
bandit21@bandit:~$ cat /etc/cron.d/cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
```

This cronjob runs a script named ```cronjob_bandit22.sh```. Running the script ourselves, we get:

```
bandit21@bandit:~$ cronjob_bandit22.sh
chmod: changing permissions of '/tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv': Operation not permitted
/usr/bin/cronjob_bandit22.sh: line 3: /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv: Permission denied
```

username: bandit22
password: t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

## Level 23