Over The Wire - Bandit

The wargames offered by the OverTheWire community can help you to learn and practice security concepts in the form of fun-filled games.

After all of the BashNinja challenges in the NeverLAN CTF, one of our club members brought this to our attention. Bandit is the recommended starting point for the Over the Wire wargames, and is heavily Bash-based with some Git for good measure. While it is requested that players not provide spoilers, including write-ups, that ship sailed quite some time ago. Since there are already numerous write-ups for Bandit out there, I'd much rather that people had somewhere to learn something new from my trials, mistakes, and successes.

Level 0

Just logging into an SSH session. Ground rules: usernames are somegame0, somegame1, etc. Most Levels are stored in /somegame/. Passwords for each Level are stored in /etc/somegame_pass.

Level 0 -> 1

The password for the next Level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a Level, use SSH (on port 2220) to log into that Level and continue the game.

The home folder just contains a readme file containing:

boJ9jbbUNNfktd78OOpsqOltutMc3MY1

Level 1 -> 2

The password for the Level is stored in a file called - located in the home directory.

This time the only file in the folder is "-"

Now, cat - doesn't work, because a lone - tells cat to read from standard input rather than a file, so we try cat ./-

CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

Level 2 -> 3

The password for the Level is stored in a file called spaces in this filename located in the home directory

I cat'd the file using tab completion on the filename, but we could also have put the name in quotes.

UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

Level 3 -> 4

The password for the Level is stored in a hidden file in the inhere directory.

I moved to the inhere directory, but there were no files visible using ls, so I tried ls -al and found .hidden

pIwrPrtPN36QITSp3EQaw936yaFoFgAB

Level 4 -> 5

The password for the Level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.

Again, I moved to the inhere directory. I cat’d each of the 10 equal-size files, and file07 had human-readable text.

koReBOKuIDDepwhWk7jZC0RTdopnAYKh

Level 5 -> 6

The password for the Level is stored in a file somewhere under the inhere directory and has all of the following properties:
• human-readable
• 1033 bytes in size
• not executable

Now we’ve got folders and folders of files, so we can display a recursive directory tree sorted by size to narrow things down.

ls -alRS

The only 1033-byte file is /maybehere07/.file2

We could also have used find ./ -type f -size 1033c

And if there were still too many results, we could have also used “! -executable” and/or “-readable”

DXjZPULLxYr17uwoI01bNLQbtFemEgo7
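
As an added example (not from the write-up or from OverTheWire), here is the find filter from this level run against a small constructed directory tree, so the effect of each predicate can be checked offline. The directory and file names are made up for the demo.

```bash
#!/bin/bash
# Added example: a constructed tree with three candidate files, and the same
# find predicates the level asks for. Names and sizes are made up for the demo.
set -eu

make_tree() {
  # Builds a throwaway directory tree and prints its root path.
  local root
  root=$(mktemp -d)
  mkdir -p "$root/maybehere01" "$root/maybehere07"
  # 1033 bytes, but executable: must be excluded by '! -executable'
  head -c 1033 /dev/zero | tr '\0' 'A' > "$root/maybehere01/-file1"
  chmod u+x "$root/maybehere01/-file1"
  # 1033 bytes, readable, not executable: the file we want
  head -c 1033 /dev/zero | tr '\0' 'B' > "$root/maybehere07/.file2"
  # wrong size: excluded by '-size 1033c'
  head -c 512 /dev/zero | tr '\0' 'C' > "$root/maybehere07/-file3"
  printf '%s\n' "$root"
}

find_candidates() {
  # Regular files of exactly 1033 bytes ('c' means bytes, not 512-byte blocks),
  # readable by us and not executable. Permission errors go to /dev/null.
  find "$1" -type f -size 1033c -readable ! -executable 2>/dev/null
}

read_candidate() {
  # Same search, but let find print the contents via -exec instead of cat'ing by hand.
  find "$1" -type f -size 1033c -readable ! -executable -exec cat {} \; 2>/dev/null
}
```

Without the c suffix, -size 1033 would mean 1033 blocks of 512 bytes, which is why the level's exact byte count needs it.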

Level 6 -> 7

The password for the Level is stored somewhere on the server and has all of the following properties:
• owned by user bandit7
• owned by group bandit6
• 33 bytes in size

I started with find / -type f -size 33c

And this time there were too many results, so I added: -group bandit6 -user bandit7

That returned lots of permission denials cluttering up results, so we add: 2> /dev/null

/var/lib/dpkg/info/bandit7.password

We can cat that file directly, or skip this step and just add: -exec cat {} \;

HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

Level 7 -> 8

The password for the Level is stored in the file data.txt next to the word millionth

I cat'd the data.txt file and piped the result to grep millionth: cat data.txt | grep millionth

cvX2JJa4CFALtqS87jk27qwqGhBM9plV

Level 8 -> 9

The password for the Level is stored in the file data.txt and is the only line of text that occurs only once

I sorted the data.txt and piped the result to uniq -c: sort data.txt | uniq -c

Only one occurrence of:

UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

Level 9 -> 10

The password for the Level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.

Cat'ing the file to grep doesn’t work because it thinks it’s a binary file. Grepping the == string directly from the file also returns no strings, just Binary file data.txt matches. So, I used -a to process the binary file as if it were text: grep -a == data.txt

truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk

Level 10 -> 11

The password for the Level is stored in the file data.txt, which contains base64 encoded data

Cat'ing data.txt outputs a base64-encoded string ending in ==, so I piped the result to base64 -d

The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

Level 11 -> 12

The password for the Level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions

Cat'ing data.txt, we get:

Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh

I copied that into the ROT13 tool on Rumkin ciphers

The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
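
As an added example (not from the write-up), the Level 8 and Level 11 steps done locally with coreutils instead of counting duplicates by eye or using a web ROT13 tool. The sample data file is constructed here; only the ROT13 line comes from the write-up.

```bash
#!/bin/bash
# Added example: the level 8 and level 11 steps done locally with coreutils.
# The sample file is constructed here; only the ROT13 line is from the write-up.
set -eu

unique_line() {
  # Level 8: sort groups identical lines together, and 'uniq -u' keeps only
  # the lines that occur exactly once, so no counting by hand is needed.
  sort "$1" | uniq -u
}

rot13() {
  # Level 11: tr maps A-M to N-Z and N-Z to A-M (and the same for lowercase);
  # digits and punctuation are left alone. Applying it twice gives the input back.
  printf '%s' "$1" | tr 'A-Za-z' 'N-ZA-Mn-za-m'
}

make_sample() {
  # Constructed stand-in for data.txt: every line is repeated except one.
  local f
  f=$(mktemp)
  printf '%s\n' decoy3 decoy1 only-once-CONSTRUCTED decoy2 decoy1 decoy3 decoy2 decoy2 > "$f"
  printf '%s\n' "$f"
}
```

uniq only compares adjacent lines, which is why the sort in front of it is not optional.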

Level 12 -> 13

The password for the Level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this Level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)

1) Cat the file – original name data2.bin
2) Copy the file as data2.txt
3) Reverse the hexdump: xxd -r data2.txt output.bin
4) Check file type: file output.bin -> gzip’d
5) Rename the file output.gz and gunzip
6) Check file type: file output -> bzip2
7) Copy file to ungz and bzip2 -d ungz
8) Check file type: file ungz.out -> gzip’d
9) Copy file to unbz.gz and gunzip
10) Check file type: file unbz -> tar’d
11) Copy file to twiceungz.tar and tar -xf
12) Check file type: file data5.bin -> tar’d
13) Copy file to untar.tar and tar -xf
14) Check file type: file data6.bin -> bzip2
15) Copy file to 2untars and bzip2 -d 2untars
16) Check file type: file 2untars.out -> tar’d
17) Copy file to tiring.tar and tar -xf
18) Check file type: file data8.bin -> gzip’d
19) Copy file to 8.gz and gunzip
20) Check file type: file 8 -> ASCII text!
21) Cat 8

The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
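
As an added example (not from the write-up), the 21 manual steps above automated: detect_type reads the magic bytes the way the file command does, and unwrap repeats "detect, rename, decompress or extract" until plain text remains. The nested sample archive is constructed here and is not Bandit's data.txt; the hexdump stage is left out because it is a single xxd -r call.

```bash
#!/bin/bash
# Added example: automate the repeated "check type, rename, decompress" loop.
# detect_type reads magic bytes like file(1); unwrap loops until text is left.
# The nested sample is constructed here; it is not Bandit's data.txt.
set -eu

detect_type() {
  # Prints gzip, bzip2, tar or text for the file in $1.
  local magic tarmagic
  magic=$(od -An -tx1 -N3 "$1" | tr -d ' \n')
  # POSIX/GNU tar archives carry "ustar" at byte offset 257.
  tarmagic=$(dd if="$1" bs=1 skip=257 count=5 2>/dev/null || true)
  case "$magic" in
    1f8b*)  echo gzip ;;     # gzip: 1f 8b
    425a68) echo bzip2 ;;    # bzip2: "BZh"
    *) if [ "$tarmagic" = "ustar" ]; then echo tar; else echo text; fi ;;
  esac
}

unwrap() {
  # $1: the wrapped file. Works in a scratch directory and prints the final text.
  local work cur next kind
  work=$(mktemp -d)
  cp "$1" "$work/layer"
  cur=layer
  while :; do
    kind=$(detect_type "$work/$cur")
    case "$kind" in
      gzip)  mv "$work/$cur" "$work/$cur.gz";  gunzip "$work/$cur.gz" ;;
      bzip2) mv "$work/$cur" "$work/$cur.bz2"; bunzip2 "$work/$cur.bz2" ;;
      tar)   mv "$work/$cur" "$work/$cur.tar"
             next=$(tar -tf "$work/$cur.tar" | head -n 1)   # name of the member inside
             tar -xf "$work/$cur.tar" -C "$work"
             rm -f "$work/$cur.tar"
             cur=$next ;;
      text)  cat "$work/$cur"; rm -rf "$work"; return 0 ;;
    esac
  done
}

make_sample() {
  # Constructed chain: text -> gzip -> tar -> gzip -> tar, like the level's data.
  local d
  d=$(mktemp -d)
  printf 'The password is CONSTRUCTED_EXAMPLE\n' > "$d/data.txt"
  gzip "$d/data.txt"                          # data.txt.gz
  tar -cf "$d/data2.tar" -C "$d" data.txt.gz
  gzip "$d/data2.tar"                         # data2.tar.gz
  tar -cf "$d/data.bin" -C "$d" data2.tar.gz
  printf '%s\n' "$d/data.bin"
}
```

The renames are needed because gunzip and bunzip2 refuse files without a recognised suffix, which is the same reason the manual steps keep copying to .gz and .tar names.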

Level 13 -> 14

The password for the Level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this Level, you don’t get the next password, but you get a private SSH key that can be used to log into the Level. Note: localhost is a hostname that refers to the machine you are working on

This folder contains an RSA private key: sshkey.private

ssh -i sshkey.private bandit14@localhost

Level 14 -> 15

The password for the Level can be retrieved by submitting the password of the current Level to port 30000 on localhost.

cat /etc/bandit_pass/bandit14

4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

nc localhost 30000

But we get no prompt, and when I exited I got “Wrong! Please enter the correct current password” error message

I resumed the nc session and provided the bandit14 password

Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr

Level 15 -> 16

The password for the Level can be retrieved by submitting the password of the current Level to port 30001 on localhost using SSL encryption. Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…

openssl s_client -connect localhost:30001

We get a connection, but again no prompt, so I supplied the bandit15 password as in the previous level

Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd

Level 16 -> 17

The credentials for the Level can be retrieved by submitting the password of the current Level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

I started with an nmap scan of the port range 31000-32000 on localhost:

nmap -p31000-32000 localhost

Two ports are open, 31518 and 31790, so let's see what services are on those ports.

nmap -A -p31518-31790 localhost

Port 31790 shows open ssl/unknown and a reply of “Wrong! Please enter the correct current password”

openssl s_client -connect localhost:31790

I supplied the bandit17 password and it returns an RSA private key

vi private.key (in a temp folder) to save the key, then:

ssh -i private.key bandit17@localhost

This returns the error :

Permissions 0644 for 'private.key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "private.key": bad permissions

We need to make the permissions more restrictive:

chmod 700 private.key

and try again.
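
As an added example (not from the write-up), the check behind that error and the fix, written as shell functions against a constructed key file: ssh refuses a private key if any group or other permission bit is set.

```bash
#!/bin/bash
# Added example: the permission check ssh applies before using a private key,
# re-implemented as a shell function, plus the fix. Not from the write-up.
set -eu

key_perms_status() {
  # Prints "ok" when the file has no group or other permission bits set
  # (0600, 0400, 0700); otherwise "too open", which is what makes ssh ignore the key.
  local mode
  mode=$(stat -c '%a' "$1")
  case "$mode" in
    *00) echo ok ;;
    *)   echo "too open" ;;
  esac
}

fix_key_perms() {
  # Owner read/write only. A key file never needs to be executable, so 600 is
  # enough; 700 as used above passes the same check.
  chmod 600 "$1"
  key_perms_status "$1"
}

make_key_file() {
  # Constructed stand-in for private.key, created 0644 as in the error above.
  local f
  f=$(mktemp)
  printf -- '-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED, NOT A REAL KEY\n-----END RSA PRIVATE KEY-----\n' > "$f"
  chmod 644 "$f"
  printf '%s\n' "$f"
}
```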

This time we can log into bandit17 and cat the password in /etc/bandit_pass/bandit17:

xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn

Level 17 -> 18

There are 2 files in the home directory: passwords.old and passwords.new. The password for the Level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new. NOTE: if you have solved this Level and see ‘Byebye!’ when trying to log into bandit18, this is related to the Level, bandit19

Let's see what the difference is between the old file and the new file.

diff passwords.old passwords.new

< hlbSBPAWJmL6WFDb06gpTx1pPButblOA - this is from the old file

> kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd - this is from the new file

The new one works

Level 18 -> 19

The password for the Level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH

As noted in 17->18, we get the Byebye! note and are logged off of bandit18 as soon as we log in.

So, we need to append "bash --noprofile --norc" to the ssh command, so that ssh runs that instead of the login shell that sources the modified .bashrc

That logs us in with a minimal shell, and we can cat the readme file in the current directory:

IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

Level 19 -> 20

To gain access to the Level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this Level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

Running the ./bandit20-do binary without any arguments returns this help:

Run a command as another user. – presumably as bandit20
Example: ./bandit20-do id

So, let's use it to cat the bandit20 password file

./bandit20-do cat /etc/bandit_pass/bandit20

GbKksEFF4yrVs6il55v6gwY5aVje5f0j

Level 20 -> 21

There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous Level (bandit20). If the password is correct, it will transmit the password for the Level (bandit21). NOTE: Try connecting to your own network daemon to see if it works as you think

This one took some fiddling.

./suconnect 31790 starts a session of some kind with the local host, but entering the bandit20 password as in previous Levels does nothing

./suconnect 31790 & runs in the background and gives us the following help:

Usage: ./suconnect <portnumber>
This program will connect to the given port on localhost using TCP. If it receives the correct password from the other side, the next password is transmitted back.

So, we need to start a netcat listening on that same port.

nc -vv -l -p 31790 &

except we get an error trying it on the previously noted ports:
Error: retrying local 0.0.0.0:31790 : Address already in use

So, we switch to an unused port:

nc -vv -l -p 31800

./suconnect 31800

And for now, we get no results.

We need to pass the current password to the listener nc so that it is presented to suconnect when it connects

nc -vv -l -p 31800 < /etc/bandit_pass/bandit20

And we need to break out of process with ctrl-z and restart the process (job 1) in the background with bg 1

./suconnect 31800

connect to [127.0.0.1] from localhost [127.0.0.1] 53468
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
sent 33, rcvd 33

Level 21 -> 22

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

Let's see what's in the cron.d directory

ls /etc/cron.d

There are a couple of files in here, so let's look at the one for bandit22

cat /etc/cron.d/cronjob_bandit22

@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null

If we try to run that script:

/usr/bin/cronjob_bandit22.sh

we get:

chmod: changing permissions of '/tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv': Operation not permitted

Which tells us where to look next:

cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

Level 22 -> 23

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed. NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this Level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.

Well, we know that there are a few files in cron.d, so let's look at the one for bandit23

cat /etc/cron.d/cronjob_bandit23

@reboot bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null

We can cat the script it refers to:

cat /usr/bin/cronjob_bandit23.sh

#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget

So, we have a script that copies a file we don't have permission to read into a temp folder, with permissions that let us read the copy

/usr/bin/cronjob_bandit23.sh

Copying passwordfile /etc/bandit_pass/bandit22 to /tmp/8169b67bd894ddbb4412f91573b38db3

So, let's cat that file:

cat /tmp/8169b67bd894ddbb4412f91573b38db3

Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

Oops...this just gives us bandit22’s password, because the script runs as whoever invokes it. It takes the current user’s name and builds the mytarget file name using:

echo I am user $myname | md5sum | cut -d ' ' -f 1

It hashes “I am user [current user]” with md5sum and keeps only the first field, cutting off the “ -” that md5sum appends to the digest.

Running that command at the CLI, but for bandit23:

echo I am user bandit23 | md5sum | cut -d ' ' -f 1

8ca319486bfbbc3663ea0fbe81326349

Now we can cat the file

cat /tmp/8ca319486bfbbc3663ea0fbe81326349

jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
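
As an added example (not from the write-up or the Bandit servers), the path derivation from cronjob_bandit23.sh as a function, next to the same copy job written so the destination is neither guessable nor readable by other users, which is the flaw these two levels exploit. The secret file and the directory standing in for /tmp are constructed here.

```bash
#!/bin/bash
# Added example: the path derivation from cronjob_bandit23.sh, and the same
# copy job written so the destination is neither guessable nor world-readable.
# The secret file and the stand-in for /tmp are constructed here.
set -eu

predictable_target() {
  # Identical to the cron script: echo appends a newline, so the digest is
  # over "I am user <name>\n"; cut keeps the hash and drops the " -" suffix.
  printf 'I am user %s\n' "$1" | md5sum | cut -d ' ' -f 1
}

leaky_copy() {
  # $1 user, $2 secret file, $3 directory standing in for /tmp.
  # As in the original: anyone who knows the user name knows the path, and the
  # file is created with whatever the default umask allows (typically 0644).
  local dest
  dest="$3/$(predictable_target "$1")"
  cat "$2" > "$dest"
  printf '%s\n' "$dest"
}

hardened_copy() {
  # Same job: mktemp picks an unpredictable name and creates it 0600,
  # so other users can neither find nor read the copy.
  local dest
  dest=$(mktemp "$3/$1.XXXXXX")
  cat "$2" > "$dest"
  printf '%s\n' "$dest"
}

mode_of() { stat -c '%a' "$1"; }
```

Two properties are fixed at once: the name is no longer derived from public information, and the mode is set at creation time rather than left to the umask, so there is no window in which the copy is readable.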

Level 23 -> 24

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed. NOTE: This Level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this Level! NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…

Time to look at bandit24's cron job

cat /etc/cron.d/cronjob_bandit24

@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null

And what does that script look like?

cat /usr/bin/cronjob_bandit24.sh

#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        timeout -s 9 60 ./$i
        rm -f ./$i
    fi
done

So, it's executing each script in /var/spool/[current user], killing any script that is still running after 60 seconds, and then removing it. I can’t see the contents of /var/spool/bandit24 due to permissions, but the cron script runs as bandit24.

I can create a script in the /var/spool/bandit24 folder that copies the contents of the folder out to somewhere the permissions are more forgiving:

#!/bin/bash
cd /var/spool/bandit24
cp -r * /tmp/bandit123/

We do need to chmod the script to 777, so anyone can read/write/execute it, and chmod the destination folder to 744, so that anyone (including bandit24) can write to it.

Then we log out, wait about 2 minutes (cron is running every minute on the minute), and log back in to check the contents of /tmp/bandit123.

And, as planned, copied to my folder are a bunch of directories and zalabomafoo.sh, which cats the bandit24 password file to /tmp/zalabamafoo

cat /tmp/zalabamafoo

UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

Level 24 -> 25

A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.

nc localhost 30002
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.

First things first, lets create a file with the bandit24 password paired with all of the pincodes to attempt:

for i in {0000..9999}; do echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i" >> /tmp/bandit123/attempts; done

Then we send that list through to the pincode checker

nc localhost 30002 < /tmp/bandit123/attempts

Naturally, we get lots of:
Wrong! Please enter the correct pincode. Try again.

Until, finally we get:

Correct!
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

Level 25 -> 26

Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.

This time, our home directory once again contains a private key: bandit26.sshkey

We can ssh into bandit26 using those credentials

ssh -i bandit26.sshkey bandit26@localhost

And it does log into bandit26, but logs out immediately, so I tried to add "bash --noprofile --norc", but found it unresponsive when it tried to log in.

So, let's try sending Bourne shell commands in our ssh connection via a file called shells

#!/bin/sh
echo $shell

ssh -i bandit26.sshkey bandit26@localhost < shells

But all we get is:

::::::::::::::
/home/bandit26/text.txt
::::::::::::::

Thinking I was getting some result from $shell, I tried new content for shells

#!/bin/sh
printf "%s" "$(</home/bandit26/text.txt)"

This shell, however was not running my code, just displaying more of what it is set to display before disconnecting

I can figure out what shells are available:

cat /etc/shells

# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash
/usr/bin/screen
/usr/bin/tmux
/usr/bin/showtext

So, what is bandit26 using? We can find that information in the passwd file

cat /etc/passwd

bandit26:x:11026:11026:bandit Level 26:/home/bandit26:/usr/bin/showtext

Showtext, huh? This is not a standard shell:

#!/bin/sh

export TERM=linux

more ~/text.txt
exit 0

and appears to be a Bourne shell script that just sets the terminal type and runs more on the bandit26 home directory’s text.txt before exiting

On this one I took a hint, although I should have just persevered and researched the more command, and vi after that.

But looking online and scrolling very carefully, I got the hint that commands can be executed from within more while it's running, but we need to reduce the window size of our current terminal to force more to pause part way through displaying the contents of text.txt.

From there, ? will display the commands available, including v to Start up /usr/bin/vi at current line. Once in vi, it is possible to edit new files using :e <filename> -> :e /etc/bandit_pass/bandit26

5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z

Level 26 -> 27

Good job getting a shell! Now hurry and grab the password for bandit27!

Oops, I don’t have a shell, yet, just a password, which does just the same as logging in with the private key.

Here's where I should have researched vi more thoroughly, because vi does have a :shell command to open a shell, which is what we really need now. Except that just keeps opening the showtext shell. So, we need to change the shell, which another careful scroll through the 25->26 spoiler shows can be done in vi using

:set shell=/bin/bash

Then we can use :sh in vi and interact with bandit26 normally

In the home folder there is a bandit27-do command

./bandit27-do

Run a command as another user.
Example: ./bandit27-do id

And using that to cat bandit27’s password as we did in 19 -> 20

./bandit27-do cat /etc/bandit_pass/bandit27

3ba3118a22e93127a4ed485be72ef5ea

Level 27 -> 28

There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo. The password for the user bandit27-git is the same as for the user bandit27. Clone the repository and find the password for the Level.

At this point, the only command line experience I'd had with Git was with cloning repos, and that's where we start:

git clone ssh://bandit27-git@localhost/home/bandit27-git/repo

fatal: could not create work tree dir 'repo': Permission denied

Well, not quite, because there are no write permissions on the home directory; we have to do it in /tmp/bandit27

cd /tmp/bandit27

git clone ssh://bandit27-git@localhost/home/bandit27-git/repo

fatal: destination path 'repo' already exists and is not an empty directory.

It does?

ls

folder git kameel README repo

Oops, there were already a few other people’s attempts in here, so:

mkdir test

cd test/

git clone ssh://bandit27-git@localhost/home/bandit27-git/repo

This clones the repo to this directory, and that contains a folder called repo with a file called README

cat README

The password to the Level is: 0ef186ac70e04ea33b4c1853d2526fa2

Level 28 -> 29

There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo. The password for the user bandit28-git is the same as for the user bandit28. Clone the repository and find the password for the Level.

Hmmm…same as before? Let’s try.

Not quite. The contents of the README.md file in the repo folder is less than helpful:

# Bandit Notes
Some notes for Level29 of bandit.

## credentials

- username: bandit29
- password: xxxxxxxxxx

So, let’s see if there are any hidden files in here – sure enough a .git folder containing all sorts of other files and folders

Cat'ing the files here, we find HEAD contains a reference to a refs/heads/master, which cat'd gives:

073c27c130e6ee407e12faad1dd3848a110c4f95

A few other similar files contain the same string, but this is longer than the previous passwords; it is the commit hash that master points at, not a password.

Checking the logs of commits to this repo using git log, we can see three commits:

git log

commit 073c27c130e6ee407e12faad1dd3848a110c4f95
Author: Morla Porla <morla@overthewire.org>
Date: Tue Oct 16 14:00:39 2018 +0200

 fix info leak

commit 186a1038cc54d1358d42d468cdc8e3cc28a93fcb
Author: Morla Porla <morla@overthewire.org>
Date: Tue Oct 16 14:00:39 2018 +0200

 add missing data

commit b67405defc6ef44210c53345fc953e6a21338cc7
Author: Ben Dover <noone@overthewire.org>
Date: Tue Oct 16 14:00:39 2018 +0200

 initial commit of README.md

We get the diff introduced by each commit using git log -p

commit 073c27c130e6ee407e12faad1dd3848a110c4f95
Author: Morla Porla <morla@overthewire.org>
Date: Tue Oct 16 14:00:39 2018 +0200

 fix info leak

diff --git a/README.md b/README.md
index 3f7cee8..5c6457b 100644
--- a/README.md
+++ b/README.md
@@ -4,5 +4,5 @@ Some notes for Level29 of bandit.
## credentials

- username: bandit29
-- password: bbc96594b4e001778eee9975372716b2
+- password: xxxxxxxxxx

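Review bot: overwriting the value with xxxxxxxxxx in this hunk does not remove it from the repository; the removed line `-- password: bbc96594b4e001778eee9975372716b2` remains in the parent commit and is still printed by git log -p, so the credential needs to be rotated (and the history rewritten if the repository is shared), not merely edited out of the current README.md.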

commit 186a1038cc54d1358d42d468cdc8e3cc28a93fcb
Author: Morla Porla <morla@overthewire.org>
Date: Tue Oct 16 14:00:39 2018 +0200

 add missing data

diff --git a/README.md b/README.md
index 7ba2d2f..3f7cee8 100644
--- a/README.md
+++ b/README.md
@@ -4,5 +4,5 @@ Some notes for Level29 of bandit.
## credentials

- username: bandit29
-- password: <TBD>

Level 29 -> 30

There is a git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo. The password for the user bandit29-git is the same as for the user bandit29. Clone the repository and find the password for the Level.

I’m sensing a theme…

cat README.md

# Bandit Notes
Some notes for bandit30 of bandit.

## credentials

- username: bandit30
- password: <no passwords in production!>

git log

commit 84abedc104bbc0c65cb9eb74eb1d3057753e70f8
Author: Ben Dover <noone@overthewire.org>
Date: Tue Oct 16 14:00:41 2018 +0200

 fix username

commit 9b19e7d8c1aadf4edcc5b15ba8107329ad6c5650
Author: Ben Dover <noone@overthewire.org>
Date: Tue Oct 16 14:00:41 2018 +0200

 initial commit of README.md

git log -p

commit 84abedc104bbc0c65cb9eb74eb1d3057753e70f8
Author: Ben Dover <noone@overthewire.org>
Date: Tue Oct 16 14:00:41 2018 +0200

 fix username

diff --git a/README.md b/README.md
index 2da2f39..1af21d3 100644
--- a/README.md
+++ b/README.md
@@ -3,6 +3,6 @@ Some notes for bandit30 of bandit.

## credentials

-- username: bandit29
+- username: bandit30
- password: <no passwords in production!>


commit 9b19e7d8c1aadf4edcc5b15ba8107329ad6c5650
Author: Ben Dover <noone@overthewire.org>
Date: Tue Oct 16 14:00:41 2018 +0200

 initial commit of README.md

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..2da2f39
--- /dev/null
+++ b/README.md
@@ -0,0 +1,8 @@
+# Bandit Notes
+Some notes for bandit30 of bandit.

Maybe we’re on a different branch of the repo…

git branch -a

* master
remotes/origin/HEAD -> origin/master
remotes/origin/dev
remotes/origin/master
remotes/origin/sploits-dev

let’s check the differences

git diff origin/master remotes/origin/dev
warning: refname 'origin/master' is ambiguous.
warning: refname 'remotes/origin/dev' is ambiguous.
diff --git a/README.md b/README.md
index 1af21d3..39b87a8 100644
--- a/README.md
+++ b/README.md
@@ -4,5 +4,5 @@ Some notes for bandit30 of bandit.
## credentials

- username: bandit30
-- password: <no passwords in production!>
+- password: 5b90576bedb2cc04c86a9e924ce42faf

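Review bot: this hunk commits a real-looking credential into a tracked file (`+- password: 5b90576bedb2cc04c86a9e924ce42faf`) on the dev branch; a side branch is no safer than master, since every clone fetches remotes/origin/dev as the git branch -a output above shows, so the value should be moved out of the repository and treated as exposed.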
diff --git a/code/gif2ascii.py b/code/gif2ascii.py
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/code/gif2ascii.py
@@ -0,0 +1 @@
+

Level 30 -> 31

There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo. The password for the user bandit30-git is the same as for the user bandit30. Clone the repository and find the password for the Level.

Cat'ing the README.md returns:

just an epmty file... muahaha

git log

commit 3aa4c239f729b07deb99a52f125893e162daac9e
Author: Ben Dover <noone@overthewire.org>
Date: Tue Oct 16 14:00:44 2018 +0200

 initial commit of README.md

git log -p

commit 3aa4c239f729b07deb99a52f125893e162daac9e
Author: Ben Dover <noone@overthewire.org>
Date: Tue Oct 16 14:00:44 2018 +0200

 initial commit of README.md

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..029ba42
--- /dev/null
+++ b/README.md
@@ -0,0 +1 @@
+just an epmty file... muahaha

git branch -a

* master
remotes/origin/HEAD -> origin/master
remotes/origin/master

git diff master remotes/origin/master

Well, that gives us nothing

Let’s look around in the folders

cat packed-refs

# pack-refs with: peeled fully-peeled
3aa4c239f729b07deb99a52f125893e162daac9e refs/remotes/origin/master
f17132340e8ee6c159e0a4a6bc6f80e1da3b1aea refs/tags/secret

/tags/secret sounds promising. Let's see about using that tag to return the repo to that point

git update-ref -d refs/tags/secret

git pull

Could not create directory '/home/bandit30/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit30/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit30-git@localhost's password:
From ssh://localhost/home/bandit30-git/repo
* [new tag] secret -> secret
Already up-to-date.
bandit30@bandit:/tmp/bandit30/test/repo$ ls -al ./.git/refs/tags/
total 12
drwxr-xr-x 2 bandit30 bandit30 4096 Feb 18 01:10 .
drwxr-xr-x 5 bandit30 bandit30 4096 Feb 18 00:34 ..
-rw-r--r-- 1 bandit30 bandit30 41 Feb 18 01:10 secret

Bingo!

cat ./.git/refs/tags/secret

f17132340e8ee6c159e0a4a6bc6f80e1da3b1aea

Well, almost...it's not the password, but the tag reference for the commit we want

git show secret

47e603bb428404d265f59c42920d81e5

Level 31 -> 32

There is a git repository at ssh://bandit31-git@localhost/home/bandit31-git/repo. The password for the user bandit31-git is the same as for the user bandit31. Clone the repository and find the password for the Level.

Oh boy.

cat README.md

This time your task is to push a file to the remote repository.

Details:
 File name: key.txt
 Content: 'May I come in?'
 Branch: master

Sounds easy enough, but we have a .gitignore to contend with this time. I recognise this from making commits in the Git Desktop app; these are the files you don't want to commit (e.g. DS_Store files).

cat .gitignore

*.txt

So, we need to create a key.txt file with the content “May I come in?”, get rid of the ignore, and push the commit to the remote master repo…

git commit -m 'Please let me in'

[master 3fcf339] Please let me in
1 file changed, 1 insertion(+)
create mode 100644 key.txt

git push

Could not create directory '/home/bandit31/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit31/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit31-git@localhost's password:
Counting objects: 3, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 326 bytes | 0 bytes/s, done.
Total 3 (delta 0), reused 0 (delta 0)
remote: ### Attempting to validate files... ####
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
remote: Well done! Here is the password for the Level:
remote: 56a9bf19c63d650ce78e6ec0354ee45e
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
To ssh://localhost/home/bandit31-git/repo
! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'ssh://bandit31-git@localhost/home/bandit31-git/repo'

Level 32 -> 33

After all this git stuff it's time for another escape. Good luck!

This time we are greeted with "WELCOME TO THE UPPERCASE SHELL"

Let's see what's in here:

ls

sh: 1: LS: not found

So, everything gets upper-cased but the commands are case sensitive.

\u0073\u0068

sh: 1: U0073U0068: not found

And it strips the \, so Unicode escapes aren't going to get us around the capitalisation. It doesn’t accept Unicode or HTML encoding.

Ctrl-c doesn't just escape the capitalisation; it escapes the whole ssh session

Maybe we can change shells?

$shell=/bin/bash
sh: 1: /home/bandit32/uppershell=/BIN/BASH: not found

$shell='/bin/bash'
sh: 1: /home/bandit32/uppershell=/BIN/BASH: not found

$SHELL=
sh: 1: /home/bandit32/uppershell=: not found

OK, the environment variables are all uppercase, so maybe they can change the shell variable:

$SHELL=$BASH
sh: 1: /home/bandit32/uppershell=: not found

$PWD
sh: 1: /home/bandit32: Permission denied

$0

Finally, no error. $0 holds the name of the running shell, and since it contains no letters the uppercasing does nothing to it; it expands to sh, which starts a plain sh that passes our input through untouched. Let's look around

ls

uppershell

AHA! Uppershell is the file responsible for uppercasing all of the input

cat /etc/bandit_pass/bandit32

cat: /etc/bandit_pass/bandit32: Permission denied

Wait...permission denied? Why? Who am I?

id

uid=11033(bandit33) gid=11032(bandit32) groups=11032(bandit32)

Oh, I'm already bandit33 here...well, that makes this easier.

cat /etc/bandit_pass/bandit33

c9c3199ddf4121b10cf581a98d51caee

Level 33 -> 34

At this moment, Level 34 does not exist yet.

I ssh’d in and provided the password, and I got no prompt, but we already know that doesn't mean we don't have a shell

ls

README.txt

cat README.txt

Congratulations on solving the last Level of this game!

At this moment, there are no more Levels to play in this game. However, we are constantly working on new Levels and will most likely expand this game with more Levels soon. Keep an eye out for an announcement on our usual communication channels! In the meantime, you could play some of our other wargames.

If you have an idea for an awesome new Level, please let us know!

FINAL RESULTS

Final Score: 32/34 - Complete with 2 hints