DEV Community

San Kang
San Kang

Posted on

[Write Up] Bandit Wargame Clear Log (Level 25 - 33)

#linux #wargame #bandit #overthewire

26. Bandit Level 25 → Level 26

Level Goal
Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.

NOTE: if you’re a Windows user and typically use Powershell to ssh into bandit: Powershell is known to cause issues with the intended solution to this level. You should use command prompt instead.

Commands you may need to solve this level
ssh, cat, more, vi, ls, id, pwd

How I solved it

I started by entering ls to check the files in the current directory.
I found the bandit26.sshkey file and used the cat command to view its contents.

Image description

It looked like a valid private key, so I ran ssh -i bandit26.sshkey bandit26@localhost -p 2220 to try logging into bandit26.
The bandit system asked me to confirm the connection, and I typed yes. Unfortunately, the connection closed immediately after.

Image description

Image description

To find out what shell bandit26 uses, I ran cat /etc/passwd | grep bandit26.
The result showed that the shell is a script called showtext.
I used the cat command to read it, and I found that it runs the more command.

Image description

The more command similar to cat, but it only displays one screen at a time.
I realized that if the bandit program can not shows full contents at once, the disconnection wouldn't be happen.
So I ran ssh -i bandit26.sshkey bandit26@localhost -p 2220 again and adjusted the terminal screen size much smaller than before. Then entered yes.

Image description

It worked! The connection was fine.
Next, I pressed v to enter vi editor mode. And then, I ran :set shell=/bin/bash to set the shell to bash.
After that, I entered :sh to open a shell temporarily without closing the vi editor.

Image description

Image description

Image description

Finally, I logged in Level 26, and got the password for Level 26 using `cat /etc/bandit_pass/bandit26'.

Image description

  1. ##Bandit Level 26 → Level 27

Level Goal
Good job getting a shell! Now hurry and grab the password for bandit27!

Commands you may need to solve this level
ls

How I solved it

I entered ls to check the files in the current directory.
I found the bandit27-do file and executed it to learn how I can use it.
The instruction indicated me that the file runs a command as another user.
So I executed the bandit27-do file with the id command.
The result showed me that the Efective User ID(euid) is bandit27. Efective User ID refers to the user ID that determines the permissions for a process or task.
Based on this, I executed ./bandit27-do cat /etc/bandit_pass/bandit27.
Finally, I successfully retrieved the password for the next level.

Image description

  1. ##Bandit Level 27 → Level 28

Level Goal
There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo via the port 2220. The password for the user bandit27-git is the same as for the user bandit27.

Clone the repository and find the password for the next level.

Commands you may need to solve this level
git

How I solved it

First of all, I ran man git to learn about the git command and its available options.
I found the clone command, which is used to clone a repository into a new directory.
Next, I created a working directory with mkdir /tmp/sank27 and moved into it using cd.

Image description

Image description

Image description

Then I entered git clone ssh://bandit27-git@localhost/home/bandit27-git/repo, but somthing was wrong---I got a "permission denied" error.

Image description

I wondered what I had missed, so I re-read the level instructions carefully.
Then I realized that I had forgotten to include the port number.
I corrected the command to git clone ssh://bandit27-git@localhost:2220/home/bandit27-git/repo. This time, the system asked for a password, so I entered the one for Level 27.
The cloning process completed successfully. I used ls to check the contents and then found a directory named repo.
I moved into it using cd and used ls again. There was a README file inside.
I read it using cat, and finally, I successfully obtained the password for the next level.

Image description

Image description

  1. ##Bandit Level 28 → Level 29

Level Goal
There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo via the port 2220. The password for the user bandit28-git is the same as for the user bandit28.

Clone the repository and find the password for the next level.

Commands you may need to solve this level
git

How I solved it

First, I created a working directory with mkdir /tmp/sank28 and moved into it using cd.
Then I ran git clone ssh://bandit28-git@localhost:2220/home/bandit28-git/repo, and entered the password for Level 28.

Image description

After the cloning process completed successfully. I used ls to check the contents and then found a directory named repo.
I moved into it using cd and ran ls again. There was a file named README.md, and I read it using cat.
It seemed like the file had included the password for the next level before someone edited it.
So I used the git log command to check the commit history of the file. And then I noticed that the latest commit was made to fix an information leak.

Image description

So I checked out the previous commit using git checkout command, and then re-read the README.md file with cat.
Finally, I successfully obtained the password for the next level.

Image description

  1. ##Bandit Level 29 → Level 30

Level Goal
There is a git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo via the port 2220. The password for the user bandit29-git is the same as for the user bandit29.

Clone the repository and find the password for the next level.

Commands you may need to solve this level
git

How I solved it

First, I created a working directory with mkdir /tmp/sank29 and moved into it using cd.
Then I ran git clone ssh://bandit29-git@localhost:2220/home/bandit29-git/repo, and entered the password for Level 29.

Image description

After the cloning process completed successfully. I used ls to check the contents and then found a directory named repo.
I moved into it using cd and ran ls again. There was a file named README.md, and I read it using cat.
It seemed like the file had included the password for the next level before someone edited it.
I used the git log command to check the commit history of the file, but I couldn't find any useful clues.

Image description

So I ran man git to learn about the git command, its subcommands, and options.
I came across the branch command. It looked useful, but I was not sure how to use it.
So I ran git branch -h, which showed usage examples and general options.
Then I used the git branch -a to list all branches, and discovered a branch named dev`.

Image description

Image description

Image description

I guessed that developers might have stored the password, so I checked out the dev branch.
After switching, I ran ls and re-read the README.md file using cat. I successfully found the password for the next level.

Image description

  1. ##Bandit Level 30 → Level 31

Level Goal
There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo via the port 2220. The password for the user bandit30-git is the same as for the user bandit30.

Clone the repository and find the password for the next level.

Commands you may need to solve this level
git

How I solved it

First, I created a working directory with mkdir /tmp/sank30 and moved into it using cd.
Then I ran git clone ssh://bandit30-git@localhost:2220/home/bandit30-git/repo, and entered the password for current level.

Image description

After the cloning process completed successfully. I used ls to check the contents and then found a directory named repo.
I moved into it using cd and ran ls again. There was a file named README.md, and I read it using cat, but I couldn't find useful message.
Next, I used the git log command to check the commit history of the file, but couldn't find any useful clues.
I also ran git branch, but still I couldn't get any clues.
So I ran man git to learn about the git command, its subcommands, and options.

Image description

I came across the tag command. It looked useful, so I ran git tag to check if git tags existed.

Image description

As a result, I found a tag named secret. I wanted to read it, but the cat command didn't work for tag.

Image description

So I ran man git again, and found out the show command. I thought that it might work.
I ran git show secret, and it worked! Finally, I successfully obtained the password for the next level.

Image description

Image description

  1. ##Bandit Level 31 → Level 32

Level Goal
There is a git repository at ssh://bandit31-git@localhost/home/bandit31-git/repo via the port 2220. The password for the user bandit31-git is the same as for the user bandit31.

Clone the repository and find the password for the next level.

Commands you may need to solve this level
git

How I solved it

First, I created a working directory by running mkdir /tmp/sank31, then I moved into it.
Next, I cloned the repository using: git clone ssh://bandit31-git@localhost:2220/home/bandit31-git/repo.
After the cloning process completed, I ran ls and found a directory named repo.
I moved into repo using cd, and used ls again.

Image description

There was a file named README.md, and I read it using cat.
The file instructed me: "This time your task is to push a file to the remote repository", with details.
So, I created a file using vi, intending to name it key.txt , but I accidentally named it key.ext.

Image description

Image description

So I crrected name of the file using mv.
I already knew the steps for pushing a file to a remote git repository.
1. git add
2. git commit
3. git psuh
I first tried git add key.txt, but it didn't work. The system told me to use -f opition.
So I corrected the command gat add -f key.txt. This time, it worked.
Then I entered git commit -m "upload key.txt. It means that make a memo about "upload key.txt" for commit.
After the commit process completed, I pushed it running git push origin master. The origin in my command is a nickname for a remote repository---usually created automatically when you clone a repository.
The system prompted me for a password, so I entered the one for Level 31, and then it gave me the password for the next level.
Finally I could successfully log in for Level 32.

Image description

Image description

  1. ##Bandit Level 32 → Level 33

Level Goal
After all this git stuff, it’s time for another escape. Good luck!

Commands you may need to solve this level
sh, man

How I solved it

When I logged into bandit32, I was greeted withe the message: "WELCOME TO THE UPPERCASE SHELL".
I quickly noticed that I couldn't typed command properly---every command I entered was automatically converted to uppercase, which made them invalid in a Linux shell.
I suspected that a custom shell script was being used for this level, one that forces all input to uppercase.
If that was the case, it's likely had a shebang(#!) at the top, specifying which shell to use.
To bypass the uppercase behavior, I ran $0, which refers to the current shell script or program, and it worked.
It launched the real shell sh without the uppercase transformation.
Finally, I successfully obtained the passowordf for the next level by using cat /etc/bandit_pass/bandit33.

Image description

That's it! --- all levels of the OverTheWire Bandit Wargame completed!
I'll be takling more wargames soon, so stay tuned.
Thank you for following along!

Top comments (0)

Some comments may only be visible to logged-in visitors. Sign in to view all comments.