Bandit
level 0
The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.
We can use ls to list the directories and files in our present directory. In order to display the contents of a file, we can use cat.
level 1
The password for the next level is stored in a file called - located in the home directory
If we just try to cat the file, cat waits for input instead of reading it: a lone "-" argument conventionally means "read standard input", so cat never opens the file at all.
The key is to give cat an argument that is not exactly "-", so that it is treated as a filename. Putting the name in single or double quotes does not achieve this, because the shell strips the quotes before cat ever sees the argument. What works is a path that names the same file without being a bare dash, such as ./-, or redirecting the file into cat's standard input.
level 2
The password for the next level is stored in a file called spaces in this filename located in the home directory
One way to solve this challenge is to put the whole filename inside single or double quotes, so the shell passes it as one argument.
Another way is to insert a backslash before every space, which stops the shell from splitting the name into separate arguments.
level 3
The password for the next level is stored in a hidden file in the inhere directory.
If we cd into inhere and list the files in the directory, we see nothing.
Hidden files (names that begin with a dot) are generally used to store configuration or user settings, and ls skips them by default. ls has the option -a which, if provided, tells it to list all files, including the hidden ones. There's our hidden file.
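The three filename tricks of levels 1 to 3 in one runnable script. This is an added example, not part of the original walkthrough: it builds its own scratch directory with placeholder contents instead of the real Bandit files, and it also shows why the quoted form for "-" does not work.

```bash
#!/bin/bash
# Added example: reproduces the level 1-3 filenames in a scratch directory
# and shows which invocations actually read them. Constructed fixture with
# placeholder contents; none of this is Bandit's own data.
set -eu

make_fixture() {
    dir=$(mktemp -d)
    printf 'dash-password\n'   > "$dir/-"
    printf 'spaces-password\n' > "$dir/spaces in this filename"
    mkdir "$dir/inhere"
    printf 'hidden-password\n' > "$dir/inhere/.hidden"
    echo "$dir"
}

# Level 1: the shell removes quotes before cat runs, so cat '-' still sees
# the bare dash and reads standard input. A path that is not exactly "-"
# (./-) or a redirection of the file into stdin reaches the file.
read_dash_file() {
    ( cd "$1" && cat ./- )
}
read_dash_file_via_stdin() {
    ( cd "$1" && cat < - )
}

# Proof that a bare dash means stdin: whatever we pipe in comes back out,
# and the file called "-" is never opened.
dash_reads_stdin() {
    ( cd "$1" && printf 'from-stdin\n' | cat - )
}

# Level 2: quote the whole name, or escape every space.
read_spaces_file() {
    ( cd "$1" && cat "spaces in this filename" )
}
read_spaces_file_escaped() {
    ( cd "$1" && cat spaces\ in\ this\ filename )
}

# Level 3: ls hides dotfiles unless -a (or -A, which also drops . and ..)
# is given.
list_hidden() {
    ( cd "$1/inhere" && ls -A )
}
read_hidden_file() {
    ( cd "$1/inhere" && cat .hidden )
}

if [ "${1:-}" = "demo" ]; then
    d=$(make_fixture)
    read_dash_file "$d"; dash_reads_stdin "$d"
    read_spaces_file "$d"; list_hidden "$d"; read_hidden_file "$d"
    rm -rf "$d"
fi
```

Run it with the argument demo to see each answer printed; the functions are written so the same script can also be sourced and the helpers reused on a real home directory.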
level 4
The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.
Let's begin by looking for readable files with the find command and its -readable option.
All the files are readable, so that alone does not narrow anything down.
Fortunately, find can run another command on each result through its -exec option, which takes as its argument the command to execute; here we run file on every match to learn its type.
Two of the files are reported as ASCII text, which greatly reduces our search space.
level 5
The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:
human-readable
1033 bytes in size
not executable
We can pass the -size option to specify the file size. We append c to 1033 because, as the man page says, that suffix means bytes (without it, find counts in 512-byte blocks). The "not executable" property is expressed by negating -executable with !, and -readable from the previous level covers "human-readable".
Let's read the file.
level 6
The password for the next level is stored somewhere on the server and has all of the following properties:
owned by user bandit7
owned by group bandit6
33 bytes in size
The -user option specifies the user that owns the file. Similarly, the -group option specifies the group that owns the file, and -size with the c suffix gives the size in bytes.
As we can see, most of the results are "Permission denied" errors for directories we cannot enter, and only one line is a real file. You could find it by reading through the output, but there is a better way.
Those errors are written to standard error, not standard output, so redirecting standard error to /dev/null leaves only the matching files on screen.
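The find predicates of levels 4 to 6, run against a scratch tree that reproduces the shape of each level. This is an added example and not code from the original walkthrough: the tree, its contents and the placeholder values are constructed here, and the owner/group search is run against the current user because creating files owned by bandit7 would need root.

```bash
#!/bin/bash
# Added example: a scratch tree shaped like levels 4-6 plus the find(1)
# predicates that solve them. Constructed data with placeholder contents.
set -eu

make_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/l4" "$dir/l5/sub" "$dir/locked"
    # level 4: names start with '-' like the real ones; one is ASCII text,
    # the others hold bytes that are not printable
    printf '\000\001\377\376\200\n' > "$dir/l4/-file00"
    printf '\002\003\201\202\203\n' > "$dir/l4/-file03"
    printf 'level4-password\n'      > "$dir/l4/-file07"
    # level 5: the target is exactly 1033 bytes and not executable; decoys
    # are a 1033-byte executable and a file of another size
    { head -c 1032 /dev/zero | tr '\0' 'x'; echo; } > "$dir/l5/sub/.file2"
    head -c 1033 /dev/zero | tr '\0' 'y' > "$dir/l5/sub/.exec"
    chmod +x "$dir/l5/sub/.exec"
    printf 'short\n' > "$dir/l5/file1"
    # level 6: a directory we may not enter, to provoke "Permission denied"
    # (has no effect when running as root)
    chmod 000 "$dir/locked"
    echo "$dir"
}

# Level 4: -readable alone matches everything, so hand each hit to file(1)
# with -exec. find passes full paths, so the leading '-' in the names is
# never mistaken for an option.
readable_text_files() {
    find "$1/l4" -type f -readable -exec file {} \; | grep 'ASCII text' | cut -d: -f1
}

# Level 5: stack predicates. The 'c' suffix makes -size count bytes;
# without it find rounds up to 512-byte blocks. '!' negates -executable.
find_1033_byte_file() {
    find "$1/l5" -type f -readable -size 1033c ! -executable
}

# Level 6: search by owner and group across a whole tree. Directories we
# cannot enter produce "Permission denied" on stderr; 2>/dev/null hides
# those so only real matches remain on stdout.
find_by_owner() {      # find_by_owner <root> <user> <group> <bytes>
    find "$1" -type f -user "$2" -group "$3" -size "${4}c" 2>/dev/null
}

if [ "${1:-}" = "demo" ]; then
    d=$(make_tree)
    readable_text_files "$d"
    find_1033_byte_file "$d"
    find_by_owner "$d" "$(id -un)" "$(id -gn)" 1033
    chmod 700 "$d/locked"; rm -rf "$d"
fi
```

On the real box the last function is called with / as the root and bandit7, bandit6 and 33 as the remaining arguments; the only difference from the walkthrough's own command is that the arguments are parameters instead of literals.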
level 7
The password for the next level is stored in the file data.txt next to the word millionth
This level is pretty simple: we pipe the output of cat into grep and give millionth as the pattern. The password is the text next to that word on the matching line.
level 8
The password for the next level is stored in the file data.txt and is the only line of text that occurs only once
We have to sort the file first so that every repeated string ends up next to its duplicates. (This step is necessary: uniq only compares adjacent lines, so running it directly on the unsorted file won't work.)
Next we pipe the sorted output into the uniq command with the -u option, which prints only the lines that occur exactly once.
level 9
The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.
We can use strings instead of cat to see only the sequences of printable characters in the file, and pipe the result into grep to keep the lines that start with a run of = characters.
level 10
The password for the next level is stored in the file data.txt, which contains base64 encoded data
The base64 command encodes and decodes base64. If we provide the -d option, it decodes its input.
level 11
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions
We can use the tr command to translate the characters.
Here's how it works: tr maps each character of the first set to the character at the same position in the second set. Giving it the alphabet and the alphabet rotated by 13 positions sends A to N, B to O and so on. Because 13 is half of 26, running the same command twice restores the original, so the same invocation both encodes and decodes.
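The pipelines of levels 7 to 11 as reusable shell functions, each reading its input on standard input. This is an added example, not code from the original page; the data.txt stand-ins are constructed inline with placeholder values rather than the real Bandit data.

```bash
#!/bin/bash
# Added example: the level 7-11 pipelines as functions, exercised on
# constructed stand-ins for data.txt. The *_sample functions produce the
# input; the values are placeholders, not real passwords.
set -eu

# Level 7: lines look like "<word> <password>"; -w matches the whole word
# only (so "millionths" would not match) and awk prints the next field.
next_to_word() {      # next_to_word <word>
    grep -w "$1" | awk '{print $2}'
}
level7_sample() { printf '%s\n' 'thousandth aaaa' 'millionth level7-secret' 'millionths bbbb'; }

# Level 8: uniq compares adjacent lines only, so sort first; -u keeps the
# lines that occur exactly once.
unique_line() { sort | uniq -u; }
level8_sample() { printf '%s\n' aaa bbb level8-secret ccc aaa bbb ccc bbb; }

# Level 9: strings extracts runs of printable characters from binary data;
# grep keeps the ones introduced by a run of '=' and sed strips the prefix.
after_equals() { strings | grep '^=\{3,\}' | sed 's/^=* *//'; }
level9_sample() { printf '\001\002\003noise\377\376\n========== level9-secret\n\200\201\202\n'; }

# Level 10: base64 -d decodes; the sample is produced by encoding, so the
# round trip is visible.
decode_b64() { base64 -d; }
level10_sample() { printf 'level10-secret\n' | base64; }

# Level 11: tr maps each character in the first set onto the one at the
# same position in the second. N-ZA-M is A-Z shifted by 13, so A->N, B->O,
# and since 13+13 = 26 the same command also decodes.
rot13() { tr 'A-Za-z' 'N-ZA-Mn-za-m'; }
level11_sample() { printf 'Gur cnffjbeq vf yriry11-frperg\n'; }

if [ "${1:-}" = "demo" ]; then
    level7_sample  | next_to_word millionth
    level8_sample  | unique_line
    level9_sample  | after_equals
    level10_sample | decode_b64
    level11_sample | rot13
fi
```

On the real files replace the sample functions with cat data.txt (or just redirect the file into the function); everything after the pipe is unchanged.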
level 12
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)
Once we have set up our directory, we can cat the file. As we can see, it contains a hexdump, which we need to convert back into binary. The xxd command normally creates a hexdump, but with the -r option it reverses one back into binary. We stored the output in a file.
Let's check the file type using the file command. We can see that the file is gzip compressed. In order to decompress it we have to rename it so that it has a .gz extension, because gzip refuses to decompress a file whose name does not end in a suffix it knows. This can be done with the mv command. Now we can decompress data.gz using gzip with its -d option.
Let's check the file type of this new file. This time it's bzip2 compressed. Let's rename it to data.bz2 and decompress it with the bzip2 command and its -d option.
Another file. Let's check the file type. Again gzip compressed. We can decompress it by following the same steps as before and check the file type.
Alas! Something different. This time it's a tar archive, which is unpacked with tar rather than decompressed.
These layers are repeated quite a few times, so just keep checking the type with file, applying the matching tool, and you will get to the flag.
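The manual rename-check-decompress loop above, automated: the script keeps asking file what the current blob is and applies the matching tool until something that is not an archive comes out. This is an added example, not code from the original walkthrough. It builds its own hexdump of a repeatedly compressed placeholder file (gzip, tar, gzip, and bzip2 when that tool is installed), so the layer order differs from the real data.txt; the loop does not depend on the order.

```bash
#!/bin/bash
# Added example: build a data.txt-style hexdump of a repeatedly compressed
# file, then unpack it with a loop driven by file(1) instead of renaming by
# hand at every step. Constructed fixture; the secret is a placeholder.
set -eu

# Fixture: secret -> gzip -> tar -> gzip -> bzip2 (if available) -> hexdump
make_hexdump() {
    work=$(mktemp -d)
    printf 'The password is level12-secret\n' > "$work/secret.txt"
    gzip -n "$work/secret.txt"                          # secret.txt.gz
    ( cd "$work" && tar cf payload.tar secret.txt.gz )  # payload.tar
    gzip -n "$work/payload.tar"                         # payload.tar.gz
    blob="$work/payload.tar.gz"
    if command -v bzip2 >/dev/null 2>&1; then
        bzip2 "$blob"; blob="$blob.bz2"                 # payload.tar.gz.bz2
    fi
    xxd "$blob" > "$work/data.txt"
    echo "$work/data.txt"
}

# Reverse the hexdump, then look at the magic with file(1) and apply the
# matching tool until a non-archive appears. gzip and bzip2 refuse names
# without their suffix, which is why the walkthrough renames at every step;
# the mv here does that automatically. A tar archive extracts to a member
# with its own name, so the loop asks tar which file to continue with.
unpack_all() {          # unpack_all <hexdump file>; prints the final contents
    out=$(mktemp -d)
    xxd -r "$1" > "$out/data"
    cur="$out/data"
    while :; do
        case "$(file -b "$cur")" in
            gzip*)  mv "$cur" "$cur.gz";  gzip -d "$cur.gz" ;;
            bzip2*) mv "$cur" "$cur.bz2"; bzip2 -d "$cur.bz2" ;;
            *"tar archive"*)
                member=$(tar tf "$cur" | head -n 1)
                tar xf "$cur" -C "$out"
                cur="$out/$member" ;;
            *) break ;;
        esac
    done
    cat "$cur"
}

if [ "${1:-}" = "demo" ]; then
    unpack_all "$(make_hexdump)"
fi
```

On the real level, call unpack_all on the copy of data.txt in your /tmp working directory; each iteration prints nothing, and the final cat is the flag.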
level 13
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on
SSH is a service that lets us log into a remote system. To authenticate with the key instead of being prompted for a password, we pass the key file with the -i option (ssh refuses a private key file that other users can read, so keep its permissions tight).
The passwords are stored in the /etc/bandit_pass directory. Once we are logged in as bandit14, we are allowed to cat that level's password.
level 14
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
We can use Netcat (nc) on Linux to open a TCP connection to a port, send whatever we type, and read the reply.
level 15
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption. Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…
SSL (nowadays TLS) encrypts the connection between client and server.
openssl is a toolkit that, among other things, can open such an encrypted connection from the command line. Its s_client subcommand establishes a connection with a remote server; the -quiet option limits what is printed to the terminal, and it also turns on -ign_eof, so the connection is not closed as soon as our input ends, which is what the level's note about HEARTBEATING and Read R BLOCK refers to.
level 16
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
We can use nmap to find the open ports on localhost within that range.
Let's conduct a more in-depth scan of those specific ports. The -sV option enables version detection and the -T5 option selects the fastest timing template. Version detection tells us which of the ports speak SSL; submitting the password to those with openssl, most just echo it back, and one answers with an RSA private key. Save this key in a file, readable only by you, for the next level.
We can now connect to level 17 using ssh with that key.
level 17
There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new. NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19
This level is fairly simple: we just have to look at the changes between the two files using the diff command. Lines marked with < come from the first file and lines marked with > from the second.
We can see that glZreTEH1V3cGKL6g4conYqZqaEj0mte has been replaced with hga5tuuCLF6fFzUpnagiMN8ssu9LFrdg.
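The diff comparison with the answer extracted automatically rather than read off the screen. This is an added example, not part of the original walkthrough: the two password files are constructed here with placeholder lines, and the second function shows the same result without parsing diff's output at all.

```bash
#!/bin/bash
# Added example: extract the one changed line from a diff of two password
# files. Constructed fixture with placeholder lines, not real passwords.
set -eu

make_password_files() {
    dir=$(mktemp -d)
    printf '%s\n' a1 b2 c3 d4 e5 > "$dir/passwords.old"
    printf '%s\n' a1 b2 NEW d4 e5 > "$dir/passwords.new"
    echo "$dir"
}

# diff prints a hunk header such as "3c3" (line 3 changed), the old line
# prefixed with "< " and the new line prefixed with "> ". The level-17
# password is the "> " line, so sed keeps only that one and strips the mark.
changed_line() {
    diff "$1/passwords.old" "$1/passwords.new" | sed -n 's/^> //p'
}

# Same answer without diff: every line of passwords.new that is not a
# whole-line (-x), fixed-string (-F) match of some line in passwords.old.
changed_line_via_grep() {
    grep -vxF -f "$1/passwords.old" "$1/passwords.new"
}

if [ "${1:-}" = "demo" ]; then
    d=$(make_password_files)
    changed_line "$d"
    changed_line_via_grep "$d"
    rm -rf "$d"
fi
```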
level 18
The password for the next level is stored in a file readme in the home directory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
One useful property of ssh is that it can run a single command on the remote host without starting an interactive shell. We append the command to the ssh connection details, so the readme is printed and the interactive shell that .bashrc would log us out of is never started.
level 19
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.
As we can see, the file has the setuid bit set and is owned by bandit20.
Setuid lets whoever runs the binary do so with the privileges of the user that owns it.
Let's see how this works in practice by first checking our id. Now, if we check id from inside the binary, we can see our euid (effective user id) is set to the id of bandit20.
This means we can run another command with the privileges of bandit20, and bandit20's password file in /etc/bandit_pass is readable by that user.
And we have our password.