ctfs/overthewire/bandit/passwords.md
2025-07-15 22:44:06 +10:00

bandit0: bandit0
bandit1: ZjLjTmM6FvvyRnrb2rfNWOZOTa6ip5If
`cat readme`
bandit2: 263JGJPfgU6LtdEvgfWU1XP5yac29mFx
`cat ./-`
bandit3: MNk8KNH3Usiio41PRUEoDFPqfxLPlSmx
bandit4: 2WmrDFRmJIq3IPxneAaMGhap0pFhF3NJ
bandit5: 4oQYVPkxZOOEOO5pTW81FB8j8lxXGUQw
bandit6: HWasnPhtq9AVKe0dmk45nxy20cvUa6EG
`find inhere/ -type f -print 2>/dev/null | xargs -d '\n' ls -l | grep 1033`
bandit7: morbNTDkSW6jIlUc0ymOdMaLnOlFVAaj
`cat $(find / -type f -user bandit7 -group bandit6 2>/dev/null)`
bandit8: dfwvzFQi4mU0wfNbFOe9RoWskMLg7eEc
`<data.txt grep millionth`
bandit9: 4CKMh1JI91bUIZZPXDqGanal4xvAg0JM
`sort data.txt | uniq -u`
bandit10: FGUW5ilLVJrxX9kMYMmlN4MgbpfMiqey
`strings data.txt | grep "^=="`
bandit11: dtR173fZKb0RRsDFSGsg2RWnpNVj3qRr
`cat data.txt | base64 -d`
bandit12: 7x16WNeHIi5YkIhWsfFIqoognUTyj9Q4
`<data.txt tr 'A-Za-z' 'N-ZA-Mn-za-m'`
bandit13: FO5dwFsc0cbaIiH0h8J2eUks2vdTDwAn
```bash
#!/usr/bin/env bash
set -e
WORKING=$(mktemp -d)
xxd -r ~/data.txt "$WORKING/data.bin"
cd "$WORKING"
# then run `tar xf`, `gzip -d`, `bzip2 -d` a million times
# (`file data.bin` tells you which one the current layer needs)
```
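The unpacking loop the script above hand-waves, as an added Python example (not the notes' own commands): each layer is recognised by its magic bytes (gzip `1f 8b`, bzip2 `BZh`, tar `ustar` at offset 257) and peeled until plain data remains. `wrap` only builds constructed test input in the same nested shape as the level's `data.txt`.

```python
import bz2
import gzip
import io
import tarfile


def unwrap(blob: bytes, max_layers: int = 32) -> tuple[bytes, list[str]]:
    """Strip compression/archive layers until the payload is plain data.
    Returns (payload, layers removed outermost-first)."""
    layers: list[str] = []
    for _ in range(max_layers):
        if blob.startswith(b"\x1f\x8b"):          # gzip magic
            blob, kind = gzip.decompress(blob), "gzip"
        elif blob.startswith(b"BZh"):             # bzip2 magic
            blob, kind = bz2.decompress(blob), "bzip2"
        elif blob[257:262] == b"ustar":           # POSIX/GNU tar header magic
            blob, kind = _first_tar_member(blob), "tar"
        else:
            return blob, layers
        layers.append(kind)
    raise ValueError(f"still wrapped after {max_layers} layers")


def _first_tar_member(blob: bytes) -> bytes:
    # mode "r:" = uncompressed tar only; compression is handled above
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as tf:
        for member in tf.getmembers():
            if member.isfile():
                return tf.extractfile(member).read()
    raise ValueError("tar archive contains no regular file")


def wrap(payload: bytes, layers: list[str]) -> bytes:
    """Build a nested sample (constructed test data), layers outermost-first."""
    for layer in reversed(layers):                # apply innermost first
        if layer == "gzip":
            payload = gzip.compress(payload)
        elif layer == "bzip2":
            payload = bz2.compress(payload)
        else:  # "tar" with a single member, like the level's archives
            buf = io.BytesIO()
            with tarfile.open(fileobj=buf, mode="w:") as tf:
                info = tarfile.TarInfo("data.bin")
                info.size = len(payload)
                tf.addfile(info, io.BytesIO(payload))
            payload = buf.getvalue()
    return payload
```

Feed the real level the bytes of `xxd -r data.txt` and `unwrap` returns the password text plus the list of layers it went through.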
bandit14: MU4VWeTyJk8ROof1qqmcBPaLh7lDCPvS
```bash
#!/usr/bin/env bash
KEY="./id_bandit14"
scp -P 2220 bandit13@bandit.labs.overthewire.org:~/sshkey.private "$KEY"
ssh-keygen -y -f "$KEY" > "$KEY.pub"
chmod 600 "$KEY"*
# login with the private key
ssh bandit14@bandit.labs.overthewire.org -p 2220 -i "$KEY"
# >>> cat /etc/bandit_pass/bandit14
```
bandit15: 8xCjnmgoKbGLhHFAZlGE5Tmu4M2tKJQo
`echo "MU4VWeTyJk8ROof1qqmcBPaLh7lDCPvS" | nc localhost 30000`
bandit16: kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx
`openssl s_client -connect localhost:30001`
bandit17: STORED IN `keys/id_bandit17*`
```bash
# get all open ports in the range, keep just the port number
nmap localhost -T5 -p31000-32000 \
  | grep open \
  | awk '{print substr($1, 1, 5)}'
```
bandit18: x2gLTTjFwMOhQ8oWNbMN362QKxfRqGlO
`diff passwords.old passwords.new`
bandit19: cGWpMaKXVwDUNgPAVJbWYuGHVn9zl3j8
`ssh bandit19@bandit.labs.overthewire.org -p 2220 -t /bin/sh`
bandit20: 0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO
`./bandit20-do cat /etc/bandit_pass/bandit20`
bandit21: EeoULMCra2q0dSkYj561DX7s1CpBuOBt
```bash
tmux new -s imbaud
# Ctrl-b + "
BOX=$(mktemp) && echo "0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO" > "$BOX" && <"$BOX" nc -l -p 5555
# Ctrl-b + o
~/suconnect 5555
```
bandit22: tRae0UfB9v0UzbCdn9cY0gQnds9GF58Q
`/etc/cron.d/cronjob_bandit22` references `/usr/bin/cronjob_bandit22.sh`,
which complains about bad privileges for `/tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv`;
then `cat` out the temp file and BOOM
bandit23: 0Zf11ioIjMVN551jX3CmStKLYqjk54Ga
Similar solution to previous one with `/etc/cron.d/cronjob_bandit23`
`cat /tmp/$(echo I am user bandit23 | md5sum | cut -d ' ' -f 1)`
bandit24: gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8
```bash
# terminal 1:
nc -l -p 5555
# terminal 2: the cron job runs every script dropped in this directory
cat > /var/spool/bandit24/foo/gibme <<'EOF'
#!/bin/bash
cat /etc/bandit_pass/bandit24 | nc localhost 5555
EOF
chmod +x /var/spool/bandit24/foo/gibme  # the job executes it as ./gibme
```
bandit25: iCi86ttT4KSNe1armKiwbQNmB3YJP3q4
```bash
python3 -c "from itertools import product; [print(''.join(D)) for D in product((str(x) for x in range(10)), repeat=4)]" \
  | xargs -L1 echo "gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8" \
  | nc localhost 30002 \
  | grep -v "Wrong"
```
bandit26: s0773xxkk0MXfdqOfPRVr9L3jJBUOgCZ
First copy the private key from bandit25's home
Then `cat /etc/passwd | grep bandit26` to find what shell bandit26 uses:
```
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
```
`cat /usr/bin/showtext` to see it runs the `more` pager then exits.
`more` will enter "command" mode if the terminal window is too small
to view the paged contents, which allows us to run the `v` command
which opens the content in vim instead. Next, do `:set shell=/bin/bash`
and then run vim's `:shell` to GTFO
bandit27: upsNCc7vzaRDx6oZC6GiR6ERwe1MowGB
From bandit26 in bash: `./bandit27-do cat /etc/bandit_pass/bandit27`
bandit28: Yz9IpL0sBcCeuG7m9uQFt8ZNpS4HZRcN
```bash
BOX=$(mktemp -d); echo "$BOX"
git clone ssh://bandit27-git@localhost:2220/home/bandit27-git/repo "$BOX"
# use same password as bandit27 login
cd "$BOX"
# then check README
```
bandit29: 4pT1t5DENaYuqnqvadYs1oE4QLCdjmJ7
Do same as bandit28 for `/home/bandit28-git/repo`, then:
`git show fb0df1358b1ff146f581651a84bae622353a71c0:README.md`
bandit30: qp30ex3VLz5MDG1n91YowTv4Q8l7CDZL
Do what bandit29 did but then:
```bash
git branch -r # list all remote branches
git fetch --all
```
bandit31: fb5S2xb7bRyFmAvQYQGEqsbhVyJqhnDy
Similar to bandit30 but use:
```bash
git tag
git show secret # show the "secret" tag
```
bandit32: 3O9RfhqyAlVBEZpVb6LYStshZoqoSx5K
Simply `rm .gitignore` then `git add .; git commit -m "AHHHHH"; git push -u origin`
bandit33: tQdtbs5D5i2vJwkO8mEyYEyTL8izoeJ0
```bash
# use symbols since uppercase messes everything up
$0 # the shell runs "sh <CMD>" so "sh $0" => "sh sh"
cat /etc/bandit_pass/bandit33
```
```
>>> bandit33@bandit:~/README.md <<<
Congratulations on solving the last level of this game!
At this moment, there are no more levels to play in this game. However, we are constantly working
on new levels and will most likely expand this game with more levels soon.
Keep an eye out for an announcement on our usual communication channels!
In the meantime, you could play some of our other wargames.
If you have an idea for an awesome new level, please let us know!
```
Learnings:
Connect over SSL/TLS (like telnet/nc does) using openssl: `openssl s_client -connect HOST:PORT -quiet`
Note: commands starting with "k" will trigger "KEYUPDATE";
run openssl with the `-quiet` flag to avoid this
https://docs.openssl.org/3.0/man1/openssl-s_client/#connected-commands
The pager "more" goes into a command mode if the terminal is too small to display
the content, which allows us to run any command we want.
Git:
```bash
git show <COMMIT>:file/path/here # print a file's content at a specific hash
git branch -r # list all branches stored on the remote
```