⚠️ DISCLAIMER ⚠️
This write-up is for archival and educational purposes. I really encourage you to try first and read any materials given in the lab. Use this write-up as your last resort.
Happy learning and good luck! :) –fr.🔮

Level: 20/33

Level 0

Connect SSH.

commands: ssh <username>@<remote> -p <port>

$ ssh bandit0@bandit.labs.overthewire.org -p 2220

Level 0 → Level 1

Read file.

commands: cat <filename>

$ cat readme
# ^D or type "exit" to exit ssh
$ ssh bandit1@bandit.labs.overthewire.org -p 2220

Level 1 → Level 2

Read file with special characters.

commands: cat

$ cat ./-

Level 2 → Level 3

Read file with spaces.

commands: cat

$ cat "spaces in this filename"

Level 3 → Level 4

Change directory, see hidden files.

commands: cd <directory>, ls -la

$ cd inhere
$ ls -la # or just `la` for short

Level 4 → Level 5

Check file types (iterable).

commands: cd, file <filename>

$ cd inhere
$ file ./*

Level 5 → Level 6

Find file with specific properties.

commands: find

$ find . -size 1033c

Level 6 → Level 7

Find file with specific properties and owner.

commands: find

$ find / -user bandit7 -group bandit6 -size 33c 2>/dev/null

*) The 2>/dev/null at the end of the find command tells your shell to redirect the standard error messages to /dev/null.


Level 7 → Level 8

Search word in file.

commands: grep <pattern> <filename>

$ grep millionth data.txt

Level 8 → Level 9

Find unique data in file.

commands: sort, uniq

$ sort data.txt | uniq -u

Level 9 → Level 10

Read human-readable strings, search word in file.

commands: strings <filename>, grep

$ strings data.txt | grep ==

Level 10 → Level 11

Read file, decode base64 data.

commands: cat, base64

$ cat data.txt | base64 -d

Level 11 → Level 12

Read file, decode ROT13.

commands: cat, tr

$ cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'

Level 12 → Level 13

  • Extract files.
  • Convert hexdump to binary.
  • Make new directory, copy datafile, rename file.

commands: gzip, bzip2 -d or bunzip2, tar -xf, xxd, mkdir, cp <source> <directory>, mv <source> <directory>

# make new dir and change dir
$ mkdir /tmp/ur_uname
$ cd /tmp/ur_uname

# copy file to current dir
$ cp ~/data.txt .

# convert hexdump to .gz file
$ xxd -r data.txt > data.gz

# extract gzip file
$ gzip -d data.gz

# extract bzip2 file
$ bzip2 -d data

$ mv data.out data.gz   # rename file
$ gzip -d data.gz

# extract tar file
$ tar -xf data
$ tar -xf data5.bin

$ bunzip2 data6.bin     # another way to extract bzip2
$ tar -xf data6.bin.out
$ mv data8.bin data8.gz
$ gzip -d data8.gz
$ cat data8

Tips: use ls to see what files have been created after extracting a file and file command to check the output's file type. Also use mv to rename the file if necessary.
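The manual unwrap sequence above, generalized into a loop (an added example, not part of the original write-up or the lab). It assumes the hexdump has already been reversed with `xxd -r`, identifies each layer by its magic bytes instead of the `file` command, and works in a `mktemp -d` directory rather than a predictable `/tmp` name; `layer_type` and `peel_layers` are hypothetical helper names.

```shell
#!/bin/sh
# Added example; layer_type and peel_layers are hypothetical helper names.

# Print the container type of file $1: gzip, bzip2, tar or other.
layer_type() {
    magic=$(od -An -tx1 -N3 "$1" | tr -d ' \n')
    ustar=$(dd if="$1" bs=1 skip=257 count=5 2>/dev/null | tr -d '\0')
    case "$magic" in
        1f8b*)  echo gzip ;;
        425a68) echo bzip2 ;;
        *) if [ "$ustar" = ustar ]; then echo tar; else echo other; fi ;;
    esac
}

# Unwrap file $1 layer by layer and print the innermost payload.
peel_layers() {
    work=$(mktemp -d) || return 1             # private, unpredictable directory
    cp "$1" "$work/cur" || { rm -rf "$work"; return 1; }
    depth=0; rc=1
    while [ "$depth" -lt 32 ]; do             # depth cap: the input is untrusted
        case "$(layer_type "$work/cur")" in
            gzip)  gzip -dc "$work/cur" > "$work/next" || break ;;
            bzip2) bzip2 -dc "$work/cur" > "$work/next" || break ;;
            tar)   # stream the first regular member to stdout, so member
                   # names are never used as paths on disk
                   member=$(tar -tf "$work/cur" | grep -v '/$' | head -n 1)
                   tar -xOf "$work/cur" "$member" > "$work/next" || break ;;
            *)     cat "$work/cur"; rc=0; break ;;
        esac
        mv "$work/next" "$work/cur"
        depth=$((depth + 1))
    done
    rm -rf "$work"
    return "$rc"
}

# Constructed demo input: text -> gzip -> tar -> gzip
demo=$(mktemp -d)
printf 'constructed payload\n' | gzip -c > "$demo/inner.gz"
tar -cf "$demo/mid.tar" -C "$demo" inner.gz
gzip -c "$demo/mid.tar" > "$demo/data"
peel_layers "$demo/data"
rm -rf "$demo"
```

Streaming tar members with `-O` avoids writing attacker-chosen member names to disk, which matters whenever the archive comes from an untrusted source.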


Level 13 → Level 14

Connect SSH using private key.

commands: ssh -i

$ ssh -i sshkey.private bandit14@bandit.labs.overthewire.org -p 2220

bandit14@bandit:~$ cat /etc/bandit_pass/bandit14

Level 14 → Level 15

Connect and send data over a network connection.

commands: echo, nc <host> <port>

❗ should log into bandit13 first.

$ echo [password] | nc 127.0.0.1 30000
# or just run the `nc <host> <port>` and then paste the password


Level 15 → Level 16

Send data using SSL encryption.

commands: openssl s_client, echo

$ echo [password] | openssl s_client -connect 127.0.0.1:30001 -ign_eof
# or run `openssl s_client` with or without -ign_eof, then paste the password


Level 16 → Level 17

Scan network within port range.

commands: nmap

$ nmap -sV localhost -p31000-32000 # or `nmap -A -T4`
$ echo [password] | openssl s_client -connect localhost:31790 -ign_eof

# copy the creds to a new key file then connect to bandit17
# if there's a "<key> are too open" error,
# run this and connect again
$ chmod 400 <key_filename>

nmap -sV: determine service/version info
nmap -A: enable OS and version detection, script scanning, and traceroute
nmap -T4: (optional?) faster execution

Level 17 → Level 18

Compare files line by line.

commands: diff <file1> <file2>

❗ should log into bandit16 first.

$ diff passwords.old passwords.new

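In the default output, lines starting with < come from FILE1 and lines starting with > come from FILE2. The related format specifiers from the diff man page:

%<   lines from FILE1
%>   lines from FILE2
%=   lines common to FILE1 and FILE2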


Level 18 → Level 19

Read file directly through SSH login.

commands: ssh, cat

$ ssh bandit18@bandit.labs.overthewire.org -p 2220 "cat readme"

Level 19 → Level 20

Just use the setuid binary as told.

💡Hint: I figure that the binary is like the sudo command but for bandit20 user, not super-user 🤓

commands: cat

$ ./bandit20-do cat /etc/bandit_pass/bandit20

Level 20 → Level 21

Connect to your own network daemon.

commands: nc -l <port>

# You need to open 2 terminal tabs
# 00 - 1st tab
$ nc -l <port>

# 01 - 2nd tab
$ ./suconnect <port>

# 02 - paste the password on the 1st tab