Bandit-OverTheWire (Level 5-33)

Only the solutions is written below, You can use :

man <command>  --- using this shows you how to use the command

Level 5→6

The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:

human-readable
1033 bytes in size
not executable

ls
cd inhere
find -type f -size 1033c
cat <filename>

Level 6→7

The password for the next level is stored somewhere on the server and has all of the following properties:

owned by user bandit7
owned by group bandit6
33 bytes in size

find / -type f -user bandit7 -group bandit6 -size 33c 2>/dev/null 
cat <filename>

Level 7→8

The password for the next level is stored in the file data.txt next to the word millionth

grep millionth data.txt

Level 8→9

The password for the next level is stored in the file data.txt and is the only line of text that occurs only once

sort data.txt | uniq -c

Level 9→10

The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.

strings data.txt

Level 10→11

The password for the next level is stored in the file data.txt, which contains base64 encoded data

base64 -d data.txt

Level 11→12

e password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions

cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'

Level 12→13

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work. Use mkdir with a hard to guess directory name. Or better, use the command “mktemp -d”. Then copy the datafile using cp, and rename it using mv (read the manpages!)

mkdir /tmp/abc
cp data.txt /tmp/abc/dt.txt
cd /tmp/abc
xxd -r dt.txt > data.txt
file data.txt #-- tells the file type
mv data.txt data.gz
gzip -d data.gz
file data 
mv data data.bz2
bzip2 -d data.bz2
file data
mv data data.gz
gzip -d data.gz
file data
mv data data.tar
tar -xf data.tar
file data5.bin
mv data5.bin data5.tar
tar -xf data5.tar
file data6.bin
mv data6.bin data6.bz2
bzip2 -d data6.bz2
file data6
mv data6 data.tar
tar -xf data.tar
file data8.bin
mv data8.bin data8.gz
gzip -d data8.gz
cat data8

Level 13→14

The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on

ls
# ----copy the contents of sshkey.private
# first try :
ssh -i sshkey.private bandit14@localhost -p 2220
#if this doesn't work then past then exit the bandit 13 user and create
	#a new file and paste the contents of sshkey.private there
	chmod 666 <filename> #eg.: rsa-key
	ssh -i rsa-key bandit14@bandit.labs.overthewire.org -p 2220

Level 14→15

The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

cat /etc/bandit_pass/bandit14
#copy the password ---eg: MU4VWeTyJk8ROof1qqmcBPaLh7lDCPvS
ncat localhost 30000
#paste the copied password and enter ---

Level 15→16

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL/TLS encryption.

Helpful note: Getting “DONE”, “RENEGOTIATING” or “KEYUPDATE”? Read the “CONNECTED COMMANDS” section in the manpage.

ncat --ssl localhost 30001
#paste the passowrd which you got in level 14-> 15

Level 16→17

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL/TLS and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

Helpful note: Getting “DONE”, “RENEGOTIATING” or “KEYUPDATE”? Read the “CONNECTED COMMANDS” section in the manpage.

	nmap localhost -p 31000-32000
	#try the below step only in open ports
	ncat --ssl localhost 1111 #<--- example port
	#enter the password which you got from previous level
	#if you get (Ncat: Input/output error.) try in other ports
	#you should get a rsa key --- copy that key and paste it in 
	#a new file on your main home after exiting the bandit
	#after creating the file
	chmod 600 <filename>
	ssh -i <filename> bandit17@bandit.labs.overthewire.org -p 2220

Level 17→18

There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new

NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19

diff passwords.old passwords.new  
#will show differnt passowrds try them

Level 18→19

The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

ssh -T bandit18@bandit.labs.overthewire.org -p 2220  #no messages would be shown 
#                                                    after entering the password
ls
cat readme

Level 19→20

To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

ls
./bandit20-do cat /etc/bandit_pass/bandit20

Level 20→21

There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

#open bandit20 in 2 seprate terminal/shell
nc -l 12345 #run this in the first terminal and paste the password you got in lv 19
0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO

#and in the second terminal run
./suconnect 12345 # ----- then you will get your password in the first terminal

Level 21→22

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

cd /etc/cron.d
ls
cat cronjob_bandit22
cat /usr/bin/cronjob_bandit22.sh
cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

Level 22→23

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.

cd /etc/cron.d
cat cronjon_bandit23
cat /usr/bin/cronjob_bandit23.sh
echo I am user bandit23 | md5sum | cut -d ' ' -f 1
#you would get random words,txts copy that
cat /tmp/<copied text>

Level 23→24

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!

NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…

#---i am unable to figure out the orignal way to get the password
#   of this level .....


cat /tmp/bandit24_pass
gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8

Level 24→25

A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.
You do not need to create new connections each time.

cd /tmp/xyz
nano pincode.sh
______________________
#!/bin/bash

for i in {0..9}{0..9}{0..9}{0..9}
do
echo "gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8 $i" >> /tmp/frosty/pin.txt
done
-----------------------

chmod 777 pincode.sh
./pincode.sh

cat pin.txt | nc localhost 30002



iCi86ttT4KSNe1armKiwbQNmB3YJP3q4

Level 25→26

ogging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.

NOTE: if you’re a Windows user and typically use Powershell to ssh into bandit: Powershell is known to cause issues with the intended solution to this level. You should use command prompt instead.

ls
#----copy the rsa key to you main home file eg: "rsa-key26"
# after exiting bandit25
chmod 600 rsa-key26  #--this file has the rsa key from level 25
#minimize your terminal... make it small  
ssh -i rsa-key26 bandit26@bandit.labs.overthewire.org -p 2220

After you run this you it should show —More—()-

#after it show this you can fullscreen it 
#press v
:set shell? #---shows the shell currently being used
:set shell=/usr/bin/bash
:set shell? #--- make sure it shows /usr/bin/bash
:shell
cat /etc/bandit_pass/bandit26

#password- s0773xxkk0MXfdqOfPRVr9L3jJBUOgCZ

Level 26→27

Good job getting a shell! Now hurry and grab the password for bandit27!

#make sure you havent exited from the vim of bandit26

ls
./bandit27-do cat /etc/bandit_pass/bandit27

#after you copy the password
exit  #exit from banndit 26
:q! #exits the vi 

#password upsNCc7vzaRDx6oZC6GiR6ERwe1MowGB

Level 27→28

There is a git repository at ssh://bandit27-git@bandit.labs.overthewire.org/home/bandit27-git/repo via the port 2220. The password for the user bandit27-git is the same as for the user bandit27.