bandit0: bandit0

bandit1: ZjLjTmM6FvvyRnrb2rfNWOZOTa6ip5If
`cat readme`

bandit2: 263JGJPfgU6LtdEvgfWU1XP5yac29mFx
`cat ./-`

bandit3: MNk8KNH3Usiio41PRUEoDFPqfxLPlSmx

bandit4: 2WmrDFRmJIq3IPxneAaMGhap0pFhF3NJ

bandit5: 4oQYVPkxZOOEOO5pTW81FB8j8lxXGUQw

bandit6: HWasnPhtq9AVKe0dmk45nxy20cvUa6EG
`find inhere/ -type f -print 2>/dev/null | xargs -d '\n' ls -l | grep 1033`

bandit7: morbNTDkSW6jIlUc0ymOdMaLnOlFVAaj
`cat $(find / -type f -user bandit7 -group bandit6 2>/dev/null)`

bandit8: dfwvzFQi4mU0wfNbFOe9RoWskMLg7eEc

```bash
"$KEY.pub"
chmod 600 $KEY*
# login with private key
ssh bandit14@bandit.labs.overthewire.org -p 2220 -i ./id_bandit14
# >>> echo /etc/bandit_pass/bandit14
```

bandit15: 8xCjnmgoKbGLhHFAZlGE5Tmu4M2tKJQo
`echo "MU4VWeTyJk8ROof1qqmcBPaLh7lDCPvS" | nc localhost 30000`

bandit16: kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx
`openssl s_client -connect localhost:30001`

bandit17: STORED IN `keys/id_bandit17*`
```bash
# get all open ports
nmap localhost -T5 -p31000-32000 | grep open | awk '{print substr($1, 1, 5)}'
```

bandit18: x2gLTTjFwMOhQ8oWNbMN362QKxfRqGlO
`diff passwords.old passwords.new`

bandit19: cGWpMaKXVwDUNgPAVJbWYuGHVn9zl3j8
`ssh bandit19@bandit.labs.overthewire.org -p 2220 -t /bin/sh`

bandit20: 0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO
`./bandit20-do cat /etc/bandit_pass/bandit20`

bandit21: EeoULMCra2q0dSkYj561DX7s1CpBuOBt
```bash
tmux new -s imbaud
# Ctrl-b + "
BOX=$(mktemp) && echo "0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO" > $BOX && <$BOX nc -l -p 5555
# Ctrl-b + o
~/suconnect 5555
```

bandit22: tRae0UfB9v0UzbCdn9cY0gQnds9GF58Q
`/etc/cron.d/cronjob_bandit22` runs `/usr/bin/cronjob_bandit22.sh`, which complains about bad privileges for `/tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv`; cat out that temp file and BOOM.

bandit23: 0Zf11ioIjMVN551jX3CmStKLYqjk54Ga
Same idea as the previous level, starting from `/etc/cron.d/cronjob_bandit23`:
`cat /tmp/$(echo I am user bandit23 | md5sum | cut -d ' ' -f 1)`

bandit24: gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8
```bash
# terminal 1:
nc -l -p 5555
# terminal 2:
echo -e "#\!/bin/bash\ncat /etc/bandit_pass/bandit24 | nc localhost 5555" > /var/spool/bandit24/foo/gibme
```

bandit25: iCi86ttT4KSNe1armKiwbQNmB3YJP3q4
```bash
python3 -c "from itertools import product; [print(''.join(D)) for D in product((str(x) for x in range(10)), repeat=4)]" | xargs -L1 echo "gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8" | nc localhost 30002 | grep -v "Wrong"
```

bandit26: s0773xxkk0MXfdqOfPRVr9L3jJBUOgCZ
First copy the private key from bandit25's home. Then `cat /etc/passwd | grep bandit26` to find which shell bandit26 uses:
```
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
```
`cat /usr/bin/showtext` to see that it runs the `more` pager and then exits. `more` enters "command" mode if the terminal window is too small to show the paged content, which lets us run its `v` command to open the content in vim instead. In vim, `:set shell=/bin/bash` and then `:shell` to GTFO.

bandit27: upsNCc7vzaRDx6oZC6GiR6ERwe1MowGB
From bandit26 in bash: `./bandit27-do cat /etc/bandit_pass/bandit27`

bandit28: Yz9IpL0sBcCeuG7m9uQFt8ZNpS4HZRcN
```bash
BOX=$(mktemp -d); echo $BOX
# use same password as bandit27 login
git clone ssh://bandit27-git@localhost:2220/home/bandit27-git/repo $BOX
cd $BOX
# then check README
```

bandit29: 4pT1t5DENaYuqnqvadYs1oE4QLCdjmJ7
Do the same as bandit28 for `/home/bandit28-git/repo`, then:
`git show fb0df1358b1ff146f581651a84bae622353a71c0:README.md`

bandit30: qp30ex3VLz5MDG1n91YowTv4Q8l7CDZL
Do what bandit29 did, but then:
```bash
git branch -r  # list all remote branches
git fetch --all
```

bandit31: fb5S2xb7bRyFmAvQYQGEqsbhVyJqhnDy
Similar to bandit30, but use:
```bash
git tag
git show secret  # show the "secret" tag
```

bandit32: 3O9RfhqyAlVBEZpVb6LYStshZoqoSx5K
Simply `rm .gitignore`, then `git add .; git commit -m "AHHHHH"; git push -u origin`

bandit33: tQdtbs5D5i2vJwkO8mEyYEyTL8izoeJ0
```bash
# use symbols since uppercase messes everything up
$0  # the shell runs "sh " so "sh $0" => "sh sh"
cat /etc/bandit_pass/bandit33
```

```
>>> bandit33@bandit:~/README.md <<<
Congratulations on solving the last level of this game!

At this moment, there are no more levels to play in this game. However, we are constantly working on new levels and will most likely expand this game with more levels soon.
Keep an eye out for an announcement on our usual communication channels!
In the meantime, you could play some of our other wargames.

If you have an idea for an awesome new level, please let us know!
```

Learnings:

Connect over SSL/TLS (like telnet/nc does) using openssl: `openssl s_client -connect HOST:PORT -quiet`. Note: in the interactive session, lines starting with "k" trigger a "KEYUPDATE"; run openssl with the `-quiet` flag to avoid this. https://docs.openssl.org/3.0/man1/openssl-s_client/#connected-commands

The pager `more` goes into a command mode if the terminal is too small to display the content, which allows us to run any command we want.

Git:
```
git show <hash>:file/path/here  # print a file's content at a specific hash
git branch -r  # list all branches stored on the remote
```
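The git levels (bandit28 through bandit31) and the git notes above all come down to one audit: look at every ref and every revision, not just the checked-out tree. The script below is an added example, not part of the original writeup; it constructs its own throwaway repo (all file names, messages and paths are made up here) and needs only `git` on PATH.

```bash
#!/usr/bin/env bash
# Added example, not from the original writeup. Builds a throwaway repo that
# hides a string the same three ways the git levels do (an old revision of
# README.md, a branch that only exists on the remote, an annotated tag) and
# then audits every ref and every commit for it. Only needs git on PATH.
set -eu

make_repo() (               # $1 = scratch dir; constructed sample history
    git init -q --bare "$1/remote.git"
    git init -q "$1/work" && cd "$1/work"
    git config user.email "audit@example.com" && git config user.name "audit"
    echo "password: old-secret" > README.md
    git add README.md && git commit -qm "add password"        # bandit29 case
    echo "password: rotated, see vault" > README.md
    git commit -qam "remove password from README"
    main=$(git symbolic-ref --short HEAD)
    git checkout -qb dev
    echo "password: branch-secret" > notes.md
    git add notes.md && git commit -qm "dev notes"             # bandit30 case
    git checkout -q "$main"
    git tag -a secret -m "tag-secret"                          # bandit31 case
    git remote add origin "$1/remote.git"
    git push -q origin --all && git push -q origin --tags
    git branch -q -D dev        # like the real level: branch lives only remotely
)

audit_repo() (              # $1 = repo dir, $2 = regex; prints every hit
    cd "$1"
    git fetch -q --all --tags                  # pull in remote-only branches
    # grep the tree of *every* commit reachable from any ref (old revisions
    # and remote branches included); each hit prints as <commit>:<path>
    git grep -l -e "$2" $(git rev-list --all) || true
    # annotated tag messages live in no tree, so check them separately
    git for-each-ref --format='tag %(refname:short): %(contents:subject)' refs/tags \
        | grep -e "$2" || true
)

count_hits() {              # builds the sample repo and returns the hit count
    local tmp; tmp=$(mktemp -d)
    make_repo "$tmp"
    audit_repo "$tmp/work" "secret" | wc -l | tr -d ' '
    rm -rf "$tmp"
}

command -v git >/dev/null 2>&1 && count_hits   # prints 3 (two blobs, one tag)
```

Point it at a real clone by calling `audit_repo <dir> <regex>` directly; a plain `git grep` on the working tree would miss all three of the constructed hits.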