The Bandit wargame taught me the basics needed to be able to play other wargames.

Level 0 –> 1

Login : ssh bandit0@bandit.labs.overthewire.org -p 2220

Password : bandit0

Steps to resolve :

  1. cat readme

Level 1 -> 2

Login : ssh bandit1@bandit.labs.overthewire.org -p 2220

Password : ZjLjTmM6FvvyRnrb2rfNWOZOTa6ip5If

Steps to resolve :

  1. cat ./- prefix the filename with a path

Level 2 -> 3

Login : ssh bandit2@bandit.labs.overthewire.org -p 2220

Password : 263JGJPfgU6LtdEvgfWU1XP5yac29mFx

Steps to resolve :

  1. cat ./'--spaces in this filename--'

Level 3 -> 4

Login : ssh bandit3@bandit.labs.overthewire.org -p 2220

Password : MNk8KNH3Usiio41PRUEoDFPqfxLPlSmx

Steps to resolve :

  1. ls -la inhere
  2. cat inhere/...Hiding-From-You

Level 4 -> 5

Login : ssh bandit4@bandit.labs.overthewire.org -p 2220

Password : 2WmrDFRmJIq3IPxneAaMGhap0pFhF3NJ

Steps to resolve :

  1. file inhere/*
  2. cat inhere/-file07

Key Concepts :

  • Command file = identify file types

Level 5 -> 6

Login : ssh bandit5@bandit.labs.overthewire.org -p 2220

Password : 4oQYVPkxZOOEOO5pTW81FB8j8lxXGUQw

Steps to resolve :

  1. find inhere -size 1033c ! -executable
  2. cat inhere/maybehere07/.file2

Key Concepts :

  • Command find = search files in a given directory
  • Man Page (Linux Manual Pages)
  • -size 1033c = exactly 1033 bytes (c=bytes, k=kilobytes, M=megabytes)
  • ! -executable = excludes files with execute permission

Level 6 -> 7

Login : ssh bandit6@bandit.labs.overthewire.org -p 2220

Password : HWasnPhtq9AVKe0dmk45nxy20cvUa6EG

Steps to resolve :

  1. find / -user bandit7 -group bandit6 2>/dev/null = discard all lines with error or find / -user bandit7 -group bandit6 2>&1 | grep -v 'Permission denied' = only remove the lines with ‘Permission denied’
  2. cat /var/lib/dpkg/info/bandit7.password

Key Concepts :

  • 2 = stderr = standard error, which is a stream of data that is generated by computer programs when they encounter an error or an exceptional condition.
  • &1 = stdout, which is the default output stream in a computer program
  • /dev/null = a special file that DISCARDS all data written to it

Level 7 -> 8

Login : ssh bandit7@bandit.labs.overthewire.org -p 2220

Password : morbNTDkSW6jIlUc0ymOdMaLnOlFVAaj

Steps to resolve :

  1. grep 'millionth' data.txt

Level 8 -> 9

Login : ssh bandit8@bandit.labs.overthewire.org -p 2220

Password : dfwvzFQi4mU0wfNbFOe9RoWskMLg7eEc

Steps to resolve :

  1. sort data.txt | uniq -u

Key Concepts :

  • Command uniq works only when the content is sorted

Level 9 -> 10

Login : ssh bandit9@bandit.labs.overthewire.org -p 2220

Password : 4CKMh1JI91bUIZZPXDqGanal4xvAg0JM

Steps to resolve :

  1. strings data.txt | grep '=='

Key Concepts :

  • Command strings = print the strings of printable characters in files (not binary)

Level 10 -> 11

Login : ssh bandit10@bandit.labs.overthewire.org -p 2220

Password : FGUW5ilLVJrxX9kMYMmlN4MgbpfMiqey

Steps to resolve :

  1. base64 -d data.txt

Level 11 -> 12

Login : ssh bandit11@bandit.labs.overthewire.org -p 2220

Password : dtR173fZKb0RRsDFSGsg2RWnpNVj3qRr

Steps to resolve :

  1. cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'

Level 12 -> 13

Login : ssh bandit12@bandit.labs.overthewire.org -p 2220

Password : 7x16WNeHIi5YkIhWsfFIqoognUTyj9Q4

Steps to resolve :

  1. mktemp -d to get a tmp dir like /tmp/tmp.EgxY8rs4RE
  2. cp data.txt /tmp/tmp.EgxY8rs4RE/data.txt
  3. cd /tmp/tmp.EgxY8rs4RE
  4. xxd -r data.txt > data to convert hexdump to binary
  5. file data results in data: gzip compressed data...
  6. mv data data.gz to perform 7
  7. gzip -d data.gz results in data
  8. file data results in data: bzip2 compressed data...
  9. mv data data.bz2
  10. bzip2 -d data.bz2 results in data repeat decoding…
  11. file data results in data: POSIX tar archive (GNU)
  12. tar -xf data, -x extracts files from an archive, -f specifies the archive name repeat decoding…
  13. file data8.bin results in data8.bin: ASCII text
  14. cat data8.bin

Key Concepts :

  • hexdump = a textual hexadecimal view (on screen or paper) of computer data
  • gzip = fast and widely used Compression Method with DEFLATE algorithm
  • bzip2 = slow but higher compression ratios than gzip using a different algorithm
  • tar = Archiver, which Bundles multiple files and directories into a single archive file

Level 13 -> 14

Login : ssh bandit13@bandit.labs.overthewire.org -p 2220

Password : FO5dwFsc0cbaIiH0h8J2eUks2vdTDwAn

Steps to resolve :

  1. scp -P 2220 bandit13@bandit.labs.overthewire.org:./sshkey.private ./bandit14-sshkey
  2. chmod 600 bandit14-sshkey

Level 14 -> 15

Login : ssh bandit14@bandit.labs.overthewire.org -p 2220 -i bandit14-sshkey

Password : bandit14-sshkey

Steps to resolve :

  1. cat /etc/bandit_pass/bandit14
  2. echo 'MU4VWeTyJk8ROof1qqmcBPaLh7lDCPvS' | nc localhost 30000

Key Concepts :

  • Command nc = sends/receives raw data over network connections using TCP/UDP
    • nc -l 1234 in Terminal 1 (listener)
    • nc localhost 1234 in Terminal 2 (connector and speaker)
    • nc localhost 1234 < file.txt = Send File Over Network
      • < operator: Redirects file content as input to nc

Level 15 -> 16

Login : ssh bandit15@bandit.labs.overthewire.org -p 2220

Password : 8xCjnmgoKbGLhHFAZlGE5Tmu4M2tKJQo

Steps to resolve :

  1. echo '8xCjnmgoKbGLhHFAZlGE5Tmu4M2tKJQo' | openssl s_client -connect localhost:30001 -quiet

Key Concepts :

  • openssl s_client = establish TCP connection + adds SSL/TLS encryption
  • -quiet = suppress certificate and connection info, show only data

Level 16 -> 17

Login : ssh bandit16@bandit.labs.overthewire.org -p 2220

Password : kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx

Steps to resolve :

  1. nmap localhost -p 31000-32000
  2. openssl s_client -connect localhost:31790 -quiet

Key Concepts :

  • Command nmap = Sends packets to ports and analyzes responses to determine:
    • Which ports are open
    • What services are running
    • nmap localhost or Scan specific port range nmap -p 31000-32000 localhost

Level 17 -> 18

Login : ssh bandit17@bandit.labs.overthewire.org -p 2220 -i bandit17-sshkey

Password : bandit17-sshkey

Steps to resolve :

  1. diff passwords.old passwords.new

Level 18 -> 19

Login : ssh bandit18@bandit.labs.overthewire.org -p 2220

Password : x2gLTTjFwMOhQ8oWNbMN362QKxfRqGlO

Steps to resolve :

  1. ssh bandit18@bandit.labs.overthewire.org -p 2220 cat ./readme

Level 19 -> 20

Login : ssh bandit19@bandit.labs.overthewire.org -p 2220

Password : cGWpMaKXVwDUNgPAVJbWYuGHVn9zl3j8

Steps to resolve :

  1. ./bandit20-do
  2. ./bandit20-do cat /etc/bandit_pass/bandit20

Key Concepts :

  • setuid = allow users to run a file with owner’s or group’s permission
    • ls -l bandit20-do results in -rwsr-x--- 1 bandit20 bandit19 14884 Oct 14 09:26 bandit20-do, s is the mark for setuid

Level 20 -> 21

Login : ssh bandit20@bandit.labs.overthewire.org -p 2220

Password : 0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO

Steps to resolve :

  1. nc -l -p 1234 < /etc/bandit_pass/bandit20 in Terminal 1
  2. ./suconnect 1234 in Terminal 2

Key Concepts :

  • nc -l < file or echo '???' | nc -l = send text to the connector when connected

Level 21 -> 22

Login : ssh bandit21@bandit.labs.overthewire.org -p 2220

Password : EeoULMCra2q0dSkYj561DX7s1CpBuOBt

Steps to resolve :

  1. ls /etc/cron.d/
  2. cat /etc/cron.d/cronjob_bandit22 results in * * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
  3. cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

Level 22 -> 23

Login : ssh bandit22@bandit.labs.overthewire.org -p 2220

Password : tRae0UfB9v0UzbCdn9cY0gQnds9GF58Q

Steps to resolve :

  1. cat /usr/bin/cronjob_bandit23.sh
  2. echo I am user bandit23 | md5sum | cut -d ' ' -f 1
  3. cat /tmp/8ca319486bfbbc3663ea0fbe81326349

Level 23 -> 24

Login : ssh bandit23@bandit.labs.overthewire.org -p 2220

Password : 0Zf11ioIjMVN551jX3CmStKLYqjk54Ga

Steps to resolve :

  1. cat /usr/bin/cronjob_bandit24.sh
  2. mktemp -d results in /tmp/tmp.hjOM8y07KX
  3. chmod 703 /tmp/tmp.hjOM8y07KX to allow bandit24 to create a file in this tmp dir
  4. vim /var/spool/bandit24/foo/cp_passwd.sh
#!/bin/bash
cp /etc/bandit_pass/bandit24 /tmp/tmp.hjOM8y07KX/bandit24_passwd
chmod 404 /tmp/tmp.hjOM8y07KX/bandit24_passwd
  1. chmod 665 /var/spool/bandit24/foo/cp_passwd.sh
  2. cat /tmp/tmp.hjOM8y07KX/bandit24_passwd

Key Concepts :

  • Tmp dir needs Both write and execute permissions by others for bandit24 to run cp to copy a file there because the system checks if bandit24 can enter there before copying.
    • Execute (x) on directory = permission to enter/traverse the directory such as cd.
    • Write (w) on directory = permission to create/delete files in the directory.

Level 24 -> 25

Login : ssh bandit24@bandit.labs.overthewire.org -p 2220

Password : gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8

Steps to resolve :

  1. nc localhost 30002
  2. mktemp -d results in /tmp/tmp.nD5ZtWkbKg
  3. cd /tmp/tmp.nD5ZtWkbKg
  4. vim brute-forcing.sh
#!/bin/bash

bandit24_pass=gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8
for pin in {0000..9999}; do
        echo "$bandit24_pass $pin"
done | nc localhost 30002 | grep -v 'Wrong' > bandit25_passwd
  1. chmod 764 brute-forcing.sh
  2. ./brute-forcing.sh
  3. cat bandit25_passwd

Key Concepts :

  • In shell script, echo with
    • Double quotes “…” can expand variables = “$var” → value of var
    • Single quotes ‘…’ cannot expand variables = ‘$var’ → literal $var

Level 25 -> 26

Login : ssh bandit25@bandit.labs.overthewire.org -p 2220

Password : iCi86ttT4KSNe1armKiwbQNmB3YJP3q4

Steps to resolve :

  1. cat bandit26.sshkey
  2. grep 'bandit26' /etc/passwd results in bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
  3. cat /usr/bin/showtext
#!/bin/sh

export TERM=linux

exec more ~/text.txt
exit 0

Key Concepts :

  • /etc/passwd = user account information
    • username:password:UID:GID:comment:home_directory:shell
    • x means encrypted password is in /etc/shadow
    • shell = login shell = Program that runs when user logs in such as ssh
    • /usr/bin/showtext = custom login shell, usually /bin/bash or /bin/sh

Level 26 -> 27

Login : ssh bandit26@bandit.labs.overthewire.org -p 2220 -i bandit26-sshkey

Password : bandit26-sshkey

Steps to resolve :

  1. make terminal window smallest when ssh
  2. press v in more
  3. :!/bin/bash to get bash shell as bandit26
  4. ./bandit27-do cat /etc/bandit_pass/bandit27

Key Concepts :

  • :!command = run shell command from vi

Level 27 -> 28

Login : ssh bandit27@bandit.labs.overthewire.org -p 2220

Password : upsNCc7vzaRDx6oZC6GiR6ERwe1MowGB

Steps to resolve :

  1. git clone ssh://bandit27-git@bandit.labs.overthewire.org:2220/home/bandit27-git/repo
  2. cat repo/README

Level 28 -> 29

Login : ssh bandit28@bandit.labs.overthewire.org -p 2220

Password : Yz9IpL0sBcCeuG7m9uQFt8ZNpS4HZRcN

Steps to resolve :

  1. git clone ssh://bandit28-git@bandit.labs.overthewire.org:2220/home/bandit28-git/repo
  2. cd repo
  3. git log -p = get git commit history with diff

Level 29 -> 30

Login : ssh bandit29@bandit.labs.overthewire.org -p 2220

Password : 4pT1t5DENaYuqnqvadYs1oE4QLCdjmJ7

Steps to resolve :

  1. git clone ssh://bandit29-git@bandit.labs.overthewire.org:2220/home/bandit29-git/repo
  2. cd repo
  3. cat README.md
  4. git branch -a
  5. git checkout dev
  6. cat README.md

Level 30 -> 31

Login : ssh bandit30@bandit.labs.overthewire.org -p 2220

Password : qp30ex3VLz5MDG1n91YowTv4Q8l7CDZL

Steps to resolve :

  1. git clone ssh://bandit30-git@bandit.labs.overthewire.org:2220/home/bandit30-git/repo
  2. cd repo
  3. git tag results in secret or git show-ref = list all refs such as branches, tags, HEAD, and so on.
  4. git show secret

Key Concepts :

  • tags are Named fixed pointers to commits
  • HEAD is Pointer to current branch/commit
  • origin = nickname for remote repository

Level 31 -> 32

Login : ssh bandit31@bandit.labs.overthewire.org -p 2220

Password : fb5S2xb7bRyFmAvQYQGEqsbhVyJqhnDy

Steps to resolve :

  1. git clone ssh://bandit31-git@bandit.labs.overthewire.org:2220/home/bandit31-git/repo
  2. cd repo
  3. cat README.md
  4. vim key.txt
May I come in?
  1. cat .gitignore results in *.txt
  2. > .gitignore or truncate -s 0 .gitignore
  3. git add .
  4. git commit -m"add key.txt, delete '*.txt' in .gitignore"
  5. git push

Level 32 -> 33

Login : ssh bandit32@bandit.labs.overthewire.org -p 2220

Password : 3O9RfhqyAlVBEZpVb6LYStshZoqoSx5K

Steps to resolve :

  1. $0
  2. cat /etc/bandit_pass/bandit33

Key Concepts :

  • $0 = expand to the name of the shell or shell script
    • $0 is set to them at shell initialization
    • At first, $0 will be set to -bash for a login shell
    • Every time you run a script, $0 will be set to its path or name depending on how to run a script

Level 33 -> 34

Login : ssh bandit33@bandit.labs.overthewire.org -p 2220

Password : tQdtbs5D5i2vJwkO8mEyYEyTL8izoeJ0

Steps to resolve :

  1. cat README.txt
Congratulations on solving the last level of this game!

Thank you for taking your time to read.