1. Bandit

The Bandit is aimed at absolute beginners specially who want to learn and play CTF’s. It will teach the basics needed to be able to play other wargames.

SSH to bandit.labs.overthewire.org, on port 2220. Username for each level is bandit[X] where X is the number of level.


Bandit ssh -p 2220 bandit1@bandit.labs.overthewire.org


Level 0 : boJ9jbbUNNfktd78OOpsqOltutMc3MY1


Level 1 : bandit1@bandit:~$ cat ./-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9


Level 2 : bandit2@bandit:~$ ls
spaces in this filename
bandit2@bandit:~$ file spaces\ in\ this\ filename
spaces in this filename: ASCII text
bandit2@bandit:~$ cat spaces\ in\ this\ filename
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK


Level 3 : bandit3@bandit:~/inhere$ cat .hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB


Level 4 : bandit4@bandit:~/inhere$ cat ./-file07
koReBOKuIDDepwhWk7jZC0RTdopnAYKh


Level 5 : bandit5@bandit:~/inhere$ find -size 1033c
./maybehere07/.file2
bandit5@bandit:~/inhere$ cat maybehere07/.file
.file1 .file2 .file3
bandit5@bandit:~/inhere$ cat maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7


Level 6 : bandit6@bandit:/$ find -user bandit7 -group bandit6 -size 33c
bandit6@bandit:/$ cat /var/lib/dpkg/info/bandit7.password
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs


Level 7 : bandit7@bandit:~$ cat data.txt | grep millionth
millionth cvX2JJa4CFALtqS87jk27qwqGhBM9plV


Level 8 : bandit8@bandit:~$ cat data.txt | sort | uniq -u
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR


Level 9 : strings data.txt => truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk


Level 10 : base64 -d data.txt => IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR


Level 11 : for ROT13 bandit11@bandit:~$ cat data.txt | tr ‘[A-Za-z]’ ‘[N-ZA-Mn-za-m]’
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu


Level 12 :

  1. xxd -rs dump flag.txt
  2. type flag.txt
  3. file data.txt
  4. mv data.txt data.gz
  5. gunzip data.gz
  6. ls
  7. file data
  8. bzip2 -d data
  9. ls
  10. file data.out
  11. mv data.out data.gz
  12. gunzip data.gz
  13. ls
  14. file data
  15. ls
  16. tar xvf data
  17. ls
  18. file data5.bin
  19. tar xvf data5.bin
  20. file data6.bin
  21. ls
  22. bzip2 -d data6.bin
  23. ls
  24. file data6.bin.out
  25. tar xvf data6.bin.out
  26. file data8.bin
  27. ls
  28. mv data8.bin data8.gz
  29. clear
  30. ls
  31. gunzip data8.gz
  32. ls
  33. file data8
  34. cat data8

bandit12@bandit:/tmp/max123$ cat data8
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL


Level 13 : bandit13@bandit:~$ cat sshkey.private
—–BEGIN RSA PRIVATE KEY—–
MIIEpAIBAAKCAQEAxkkOE83W2cOT7IWhFc9aPaaQmQDdgzuXCv+ppZHa++buSkN+
gg0tcr7Fw8NLGa5+Uzec2rEg0WmeevB13AIoYp0MZyETq46t+jk9puNwZwIt9XgB
ZufGtZEwWbFWw/vVLNwOXBe4UWStGRWzgPpEeSv5Tb1VjLZIBdGphTIK22Amz6Zb
ThMsiMnyJafEwJ/T8PQO3myS91vUHEuoOMAzoUID4kN0MEZ3+XahyK0HJVq68KsV
ObefXG1vvA3GAJ29kxJaqvRfgYnqZryWN7w3CHjNU4c/2Jkp+n8L0SnxaNA+WYA7
jiPyTF0is8uzMlYQ4l1Lzh/8/MpvhCQF8r22dwIDAQABAoIBAQC6dWBjhyEOzjeA
J3j/RWmap9M5zfJ/wb2bfidNpwbB8rsJ4sZIDZQ7XuIh4LfygoAQSS+bBw3RXvzE
pvJt3SmU8hIDuLsCjL1VnBY5pY7Bju8g8aR/3FyjyNAqx/TLfzlLYfOu7i9Jet67
xAh0tONG/u8FB5I3LAI2Vp6OviwvdWeC4nOxCthldpuPKNLA8rmMMVRTKQ+7T2VS
nXmwYckKUcUgzoVSpiNZaS0zUDypdpy2+tRH3MQa5kqN1YKjvF8RC47woOYCktsD
o3FFpGNFec9Taa3Msy+DfQQhHKZFKIL3bJDONtmrVvtYK40/yeU4aZ/HA2DQzwhe
ol1AfiEhAoGBAOnVjosBkm7sblK+n4IEwPxs8sOmhPnTDUy5WGrpSCrXOmsVIBUf
laL3ZGLx3xCIwtCnEucB9DvN2HZkupc/h6hTKUYLqXuyLD8njTrbRhLgbC9QrKrS
M1F2fSTxVqPtZDlDMwjNR04xHA/fKh8bXXyTMqOHNJTHHNhbh3McdURjAoGBANkU
1hqfnw7+aXncJ9bjysr1ZWbqOE5Nd8AFgfwaKuGTTVX2NsUQnCMWdOp+wFak40JH
PKWkJNdBG+ex0H9JNQsTK3X5PBMAS8AfX0GrKeuwKWA6erytVTqjOfLYcdp5+z9s
8DtVCxDuVsM+i4X8UqIGOlvGbtKEVokHPFXP1q/dAoGAcHg5YX7WEehCgCYTzpO+
xysX8ScM2qS6xuZ3MqUWAxUWkh7NGZvhe0sGy9iOdANzwKw7mUUFViaCMR/t54W1
GC83sOs3D7n5Mj8x3NdO8xFit7dT9a245TvaoYQ7KgmqpSg/ScKCw4c3eiLava+J
3btnJeSIU+8ZXq9XjPRpKwUCgYA7z6LiOQKxNeXH3qHXcnHok855maUj5fJNpPbY
iDkyZ8ySF8GlcFsky8Yw6fWCqfG3zDrohJ5l9JmEsBh7SadkwsZhvecQcS9t4vby
9/8X4jS0P8ibfcKS4nBP+dT81kkkg5Z5MohXBORA7VWx+ACohcDEkprsQ+w32xeD
qT1EvQKBgQDKm8ws2ByvSUVs9GjTilCajFqLJ0eVYzRPaY6f++Gv/UVfAPV4c+S0
kAWpXbv5tbkkzbS0eaLPTKgLzavXtQoTtKwrjpolHKIHUz6Wu+n4abfAIRFubOdN
/+aLoRQ0yBDRbdXMsZN/jvY44eM+xRLdRVyMmdPtP8belRi2E2aEzA==
—–END RSA PRIVATE KEY—–


Level 14 : ssh -p 2220 -i sshkey.private bandit14@bandit.labs.overthewire.org {make sure to change permission of SSH keys to 600}
bandit14@bandit:~$ cd /etc/bandit_pass/
bandit14@bandit:/etc/bandit_pass$ cat bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e


Level 15 : bandit14@bandit:/etc/bandit_pass$ echo 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e | nc localhost 30000
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr


Level 16 : bandit15@bandit:~$ echo BfMYroe26WYalil77FoDi9qh59eK5xNr | openssl s_client -ign_eof -connect localhost:30001
cluFn7wTiGryunymYOu4RcffSxQluehd


Level 17 : bandit16@bandit:~$ echo cluFn7wTiGryunymYOu4RcffSxQluehd | openssl s_client -ign_eof -connect localhost:31790
—–BEGIN RSA PRIVATE KEY—–
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
—–END RSA PRIVATE KEY—–


Level 18 : bandit17@bandit:~$ diff passwords.old passwords.new
42c42
< 6vcSC74ROI95NqkKaeEC2ABVMDX9TyUr

> kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd {Key}


Level 19 : root@kali:~/Desktop# ssh -t -p 2220 bandit18@bandit.labs.overthewire.org /bin/sh
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit18@bandit.labs.overthewire.org’s password:
$ ls
readme
$ cat readme
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x


Level 20 : bandit19@bandit:~$ ls -ltr
total 8
-rwsr-x— 1 bandit20 bandit19 7408 Dec 28 14:34 bandit20-do
bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j


Level 21 : bandit20@bandit:~$ bandit20@bandit:~$ echo GbKksEFF4yrVs6il55v6gwY5aVje5f0j | nc -l 2222
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr

====bandit20@bandit:~$ ./suconnect 2222
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j (Old Password)


Level 22 : bandit21@bandit:~$ less /usr/bin/cronjob_bandit22.sh
bandit21@bandit:~$ less /usr/bin/cronjob_bandit22.sh
bandit21@bandit:~$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI


Level 23 : bandit22@bandit:~$ less /usr/bin/cronjob_bandit23.sh
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ‘ ‘ -f 1)

echo “Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget”

cat /etc/bandit_pass/$myname > /tmp/$mytarget

Run same command for Mytarget but use bandit 23 as name because its taking for current user

bandit22@bandit:/usr/bin$ echo I am user bandit23 | md5sum | cut -d ‘ ‘ -f 1
8ca319486bfbbc3663ea0fbe81326349
bandit22@bandit:/usr/bin$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n


Level 24 : less /usr/bin/cronjob_bandit24.sh
#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname
echo “Executing and deleting all scripts in /var/spool/$myname:”
for i in * .*;
do
if [ “$i” != “.” -a “$i” != “..” ];
then
echo “Handling $i”
timeout -s 9 60 ./$i
rm -f ./$i
fi
done

New Script created by me to copy password:
#!/bin/bash
#bandit24=$(echo I am user bandit24 | md5sum | cut -d ‘ ‘ -f 1)
echo “Copying passwordfile /etc/bandit_pass/bandit24 to /tmp/bandit24”
cat /etc/bandit_pass/bandit24 > /tmp/bandit24/banditpass.txt

bandit23@bandit:/tmp/bandit24$ ls -l
total 8
-rwxrwxrwx 1 bandit23 bandit23 210 May 16 07:21 banditpass.sh
-rw-rw-r– 1 bandit24 bandit24 33 May 16 07:22 banditpass.txt
bandit23@bandit:/tmp/bandit24$ cat banditpass.txt
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ


Level 25 : mkdir /tmp/bandit25/
vi getpass.sh
#!/bin/bash
passwd=”UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ”
for a in {0..9}{0..9}{0..9}{0..9}
do
echo $passwd’ ‘$a >> combinations.txt
done

cat combinations.txt | nc localhost 30002 >> final.txt
sort final.txt | uniq -u
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

Leave a Reply

Your email address will not be published. Required fields are marked *

nineteen − 8 =