# Level 0
Logging into the game using SSH (the game's SSH service listens on port 2220, not the default 22):
```bash
ssh bandit0@bandit.labs.overthewire.org -p 2220
Password: bandit0
```
# Level 0 → Level 1
Reading the readme file:
```bash
bandit0@bandit:~$ ls
readme
bandit0@bandit:~$ cat readme
boJ9jbbUNNfktd78OOpsqOltutMc3MY1
```
This gives the password for the next level.
Logging out of L-0:
```bash
bandit0@bandit:~$ exit
logout
Connection to bandit.labs.overthewire.org closed.
```
# Level 1 → Level 2
Logging in to Level 1:
```bash
~ ssh bandit1@bandit.labs.overthewire.org -p 2220
Password: boJ9jbbUNNfktd78OOpsqOltutMc3MY1
```
Finding the files present:
```bash
bandit1@bandit:~$ ls
-
bandit1@bandit:~$ cat -
^C
```
As we can see, `cat -` does not read the file: a lone `-` is the conventional name for standard input, so `cat` sits waiting for keyboard input until we interrupt it with Ctrl-C. (`cat -- -` does not help either, because `-` is not an option that `--` could terminate; it still means stdin.) To make `cat` treat it as a filename, give it a path component, either the absolute path or `./-`:
```bash
bandit1@bandit:~$ cat /home/bandit1/-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
bandit1@bandit:~$ exit
logout
Connection to bandit.labs.overthewire.org closed.
```
# Level 2 → Level 3
```bash
~ ssh bandit2@bandit.labs.overthewire.org -p 2220
Password: CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
```
Accessing a file with spaces in its name. Unquoted, the shell would split the name into four separate arguments, so quote it (single or double quotes) or escape each space with a backslash:
```bash
bandit2@bandit:~$ ls
spaces in this filename
bandit2@bandit:~$ cat 'spaces in this filename'
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
bandit2@bandit:~$ exit
logout
Connection to bandit.labs.overthewire.org closed.
```
# Level 3 → Level 4
```bash
ssh bandit3@bandit.labs.overthewire.org -p 2220
Password: UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
```
Navigating into inhere:
```bash
bandit3@bandit:~$ ls
inhere
bandit3@bandit:~$ cd inhere
bandit3@bandit:~/inhere$ ls
```
This shows no output because the file's name starts with a dot, which `ls` hides by default. `ls -a` shows the hidden file as well (`ls -A` would do the same without the `.` and `..` entries):
```bash
bandit3@bandit:~/inhere$ ls -a
.  ..  .hidden
bandit3@bandit:~/inhere$ cat .hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB
```
Logging out of L-3:
```bash
bandit3@bandit:~/inhere$ exit
logout
Connection to bandit.labs.overthewire.org closed.
```
# Level 4 → Level 5
```bash
ssh bandit4@bandit.labs.overthewire.org -p 2220
Password: pIwrPrtPN36QITSp3EQaw936yaFoFgAB
```
Checking for the human-readable file:
```bash
bandit4@bandit:~$ ls
inhere
bandit4@bandit:~$ cd inhere
bandit4@bandit:~/inhere$ ls
-file00 -file02 -file04 -file06 -file08
-file01 -file03 -file05 -file07 -file09
```
Checking file details:
```bash
bandit4@bandit:~/inhere$ ls -l
total 40
-rw-r----- 1 bandit5 bandit4 33 May 7 2020 -file00
-rw-r----- 1 bandit5 bandit4 33 May 7 2020 -file01
-rw-r----- 1 bandit5 bandit4 33 May 7 2020 -file02
-rw-r----- 1 bandit5 bandit4 33 May 7 2020 -file03
-rw-r----- 1 bandit5 bandit4 33 May 7 2020 -file04
-rw-r----- 1 bandit5 bandit4 33 May 7 2020 -file05
-rw-r----- 1 bandit5 bandit4 33 May 7 2020 -file06
-rw-r----- 1 bandit5 bandit4 33 May 7 2020 -file07
-rw-r----- 1 bandit5 bandit4 33 May 7 2020 -file08
-rw-r----- 1 bandit5 bandit4 33 May 7 2020 -file09
```
Every name starts with a dash, so they are passed as `./*`: the `./` prefix stops `file` (and later `cat`) from parsing the names as options, the same trick as in Level 1. The sizes are all 33 bytes, so `file` is what tells the text file apart from the binary ones:
```bash
bandit4@bandit:~/inhere$ file ./*   # checking file types
./-file00: data
./-file01: data
./-file02: data
./-file03: data
./-file04: data
./-file05: data
./-file06: data
./-file07: ASCII text
./-file08: data
./-file09: data
```
As can be observed, `-file07` is the only human-readable one:
```bash
bandit4@bandit:~/inhere$ cat ./-file07
koReBOKuIDDepwhWk7jZC0RTdopnAYKh
```
Logging out of L-4:
```bash
bandit4@bandit:~/inhere$ exit
logout
Connection to bandit.labs.overthewire.org closed.
```
# Level 5 → Level 6
```bash
ssh bandit5@bandit.labs.overthewire.org -p 2220
Password: koReBOKuIDDepwhWk7jZC0RTdopnAYKh
```
Checking file details:
```bash
bandit5@bandit:~$ cd inhere
bandit5@bandit:~/inhere$ ls
maybehere00 maybehere04 maybehere08 maybehere12 maybehere16
maybehere01 maybehere05 maybehere09 maybehere13 maybehere17
maybehere02 maybehere06 maybehere10 maybehere14 maybehere18
maybehere03 maybehere07 maybehere11 maybehere15 maybehere19
bandit5@bandit:~/inhere$ file ./*
./maybehere00: directory
./maybehere01: directory
./maybehere02: directory
./maybehere03: directory
./maybehere04: directory
./maybehere05: directory
./maybehere06: directory
./maybehere07: directory
./maybehere08: directory
./maybehere09: directory
./maybehere10: directory
./maybehere11: directory
./maybehere12: directory
./maybehere13: directory
./maybehere14: directory
./maybehere15: directory
./maybehere16: directory
./maybehere17: directory
./maybehere18: directory
./maybehere19: directory
```
Twenty directories, so rather than walking them by hand, let `find` apply the level's criteria (a regular file, not executable, exactly 1033 bytes). Note the `c` suffix: `-size 1033` on its own would mean 1033 512-byte blocks, not bytes.
```bash
bandit5@bandit:~/inhere$ find . -type f ! -executable -size 1033c
./maybehere07/.file2
bandit5@bandit:~/inhere$ cat ./maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7
```
Logging out of L-5:
```bash
bandit5@bandit:~/inhere$ exit
logout
Connection to bandit.labs.overthewire.org closed.
```
# Level 6 → Level 7
```bash
ssh bandit6@bandit.labs.overthewire.org -p 2220
Password: DXjZPULLxYr17uwoI01bNLQbtFemEgo7
```
Similar to the previous level, a direct application of `find`, this time over the whole filesystem, since the home directory holds nothing of interest:
```bash
bandit6@bandit:~$ ls -a
.  ..  .bash_logout  .bashrc  .profile
bandit6@bandit:~$ find / -group bandit6 -user bandit7 -size 33c
```
`find` also prints a `Permission denied` error for every directory bandit6 cannot enter; append `2>/dev/null` to discard those and keep only the match. This gives the path of the concerned file:
```bash
/var/lib/dpkg/info/bandit7.password
bandit6@bandit:~$ cat /var/lib/dpkg/info/bandit7.password
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
```
Moving on to the next level. From here on we hop between levels with `ssh` to `localhost` from inside the box. The `Could not create directory` warning is harmless: the home directory is not writable, so `ssh` cannot create `.ssh` to remember the host key, which is why the fingerprint prompt comes back every time.
```bash
bandit6@bandit:~$ ssh bandit7@localhost
Could not create directory '/home/bandit6/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
```
# Level 7 → Level 8
```bash
Password: HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
```
Checking the files present:
```bash
bandit7@bandit:~$ ls
data.txt
```
Printing the line in the file that contains "millionth"; the password is the second field on that line:
```bash
bandit7@bandit:~$ grep -h "millionth" data.txt
millionth cvX2JJa4CFALtqS87jk27qwqGhBM9plV
```
OR
```bash
bandit7@bandit:~$ cat data.txt | grep millionth
millionth cvX2JJa4CFALtqS87jk27qwqGhBM9plV
```
(`-h` only suppresses the filename prefix, which matters when grepping several files; with a single file it changes nothing.)
Moving on to the next level:
```bash
bandit7@bandit:~$ ssh bandit8@localhost
Could not create directory '/home/bandit7/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
```
# Level 8 → Level 9
```bash
Password: cvX2JJa4CFALtqS87jk27qwqGhBM9plV
```
Using `sort` and `uniq` to print the line that occurs only once. `uniq` only collapses *adjacent* duplicates, so the file has to be sorted first; the `-u` flag then prints **only** the lines that appear exactly once and drops the repeated ones entirely:
```bash
bandit8@bandit:~$ ls
data.txt
bandit8@bandit:~$ sort data.txt | uniq -u
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
```
Moving on to the next level:
```bash
bandit8@bandit:~$ ssh bandit9@localhost
Could not create directory '/home/bandit8/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
```
# Level 9 → Level 10
```bash
Password: UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
```
Trying the `grep` approach from Level 7:
```bash
bandit9@bandit:~$ ls
data.txt
bandit9@bandit:~$ grep -h "=====" data.txt
Binary file data.txt matches
```
`data.txt` contains non-text bytes, so `grep` only reports that something matched instead of printing the lines (`grep -a` would force it to treat the file as text). Instead, `strings` extracts the printable runs and we pipe those to `grep`:
```bash
bandit9@bandit:~$ strings data.txt | grep ====
========== the*2i"4
========== password
Z)========== is
&========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
```
The runs containing "====" read together as "the password is ..."; the last line holds it.
Moving on to the next level:
```bash
bandit9@bandit:~$ ssh bandit10@localhost
Could not create directory '/home/bandit9/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
```
# Level 10 → Level 11
```bash
Password: truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
```
`data.txt` holds Base64-encoded text, which is decoded as follows (`base64 -d data.txt` is equivalent):
```bash
bandit10@bandit:~$ ls
data.txt
bandit10@bandit:~$ cat data.txt | base64 --decode
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR
```
Moving on to the next level:
```bash
bandit10@bandit:~$ ssh bandit11@localhost
Could not create directory '/home/bandit10/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
```
# Level 11 → Level 12
```bash
Password: IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR
```
The text is ROT13-encoded: every letter is shifted 13 places along the alphabet. There is no key, so it is an encoding rather than encryption, and applying the same shift again decodes it. `tr` does that by mapping `n-z` onto `a-m` and `a-m` onto `n-z` (and likewise for capitals):
```bash
bandit11@bandit:~$ ls
data.txt
bandit11@bandit:~$ cat data.txt
Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh
bandit11@bandit:~$ cat data.txt | tr 'n-za-mN-ZA-M' 'a-zA-Z'
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
```
Moving to the next level:
```bash
bandit11@bandit:~$ ssh bandit12@localhost
Could not create directory '/home/bandit11/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
```
# Level 12 → Level 13
```bash
Password: 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
```
`data.txt` is a hexdump, so the first step is to reverse it with `xxd -r`. The home directory is not writable (the `Could not create directory` warnings above showed as much), so the work happens in a fresh directory under `/tmp`:
```bash
bandit12@bandit:~$ ls
data.txt
bandit12@bandit:~$ mkdir /tmp/shrek
bandit12@bandit:~$ cat data.txt | xxd -r > /tmp/shrek/copy
bandit12@bandit:~$ cd /tmp/shrek
```
Then repeat the same cycle: run `file` on the result, rename it with the extension the tool expects (`gzip -d` refuses a file without a known suffix), decompress or unpack, and check again. Some of the snippets are:
```bash
mv copy copy.gz
gzip -d copy.gz
```
```bash
mv copy copy.bz2
bzip2 -d copy.bz2
```
```bash
bandit12@bandit:/tmp/shrek$ tar -xvf copy
data5.bin
bandit12@bandit:/tmp/shrek$ file data5.bin
```
Finally, after a number of decompressions, we get a plain text file:
```bash
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
```
Moving to the next level:
```bash
bandit12@bandit:/tmp/shrek$ exit
logout
Connection to bandit.labs.overthewire.org closed.
```
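The cycle above (inspect with `file`, rename, decompress, repeat) is mechanical enough to automate. The following Python is an added example, not code from the original post: it reverses an `xxd` dump the way `xxd -r` does, identifies each layer by its magic bytes the way `file` does, and peels gzip, bzip2 and tar layers until plain data remains, with caps on nesting depth and output size as a guard against decompression bombs. `build_sample()` constructs its own input (a placeholder secret, not a Bandit password); the layer order and all function names are assumptions of this example, not the game's.

```python
import binascii
import bz2
import gzip
import io
import tarfile
from typing import List, Tuple


def xxd_reverse(dump: str) -> bytes:
    """Undo an `xxd` hexdump (the job of `xxd -r`).

    A dump line looks like
        00000010: 1f8b 0808 b7e8 8a5e 0203 6461 7461 322e  .......^..data2.
    The bytes are the hex groups between the offset's colon and the two-space
    gap in front of the ASCII column; the ASCII column itself is ignored.
    """
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        hex_part = line.split(":", 1)[1].split("  ", 1)[0]
        out += binascii.unhexlify(hex_part.replace(" ", ""))
    return bytes(out)


def xxd_dump(data: bytes, width: int = 16) -> str:
    """Produce the layout `xxd` prints (2-byte groups), so the reverse can be round-tripped."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        groups = [chunk[i:i + 2].hex() for i in range(0, len(chunk), 2)]
        hex_col = " ".join(groups).ljust(width * 2 + width // 2 - 1)
        ascii_col = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {hex_col}  {ascii_col}")
    return "\n".join(lines) + "\n"


def layer_type(data: bytes) -> str:
    """Classify a blob by its magic bytes, the same evidence `file` relies on."""
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[:3] == b"BZh":
        return "bzip2"
    if len(data) >= 262 and data[257:262] == b"ustar":
        return "tar"
    return "plain"


def peel_once(data: bytes) -> Tuple[str, bytes]:
    """Remove exactly one container layer; 'plain' means there was nothing to remove."""
    kind = layer_type(data)
    if kind == "gzip":
        return kind, gzip.decompress(data)
    if kind == "bzip2":
        return kind, bz2.decompress(data)
    if kind == "tar":
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
            files = [m for m in tf.getmembers() if m.isfile()]
            if len(files) != 1:
                raise ValueError(f"expected one file in the tar, found {len(files)}")
            return kind, tf.extractfile(files[0]).read()
    return kind, data


def unwrap(data: bytes, max_layers: int = 32,
           max_bytes: int = 64 * 1024 * 1024) -> Tuple[List[str], bytes]:
    """Peel layers until plain data remains, recording the order they were removed in.

    The caps guard against decompression bombs: a hostile blob can expand
    enormously or nest without end, and an unbounded loop would follow it.
    """
    layers: List[str] = []
    for _ in range(max_layers):
        kind, inner = peel_once(data)
        if kind == "plain":
            return layers, data
        if len(inner) > max_bytes:
            raise ValueError(f"{kind} layer expands past {max_bytes} bytes; aborting")
        layers.append(kind)
        data = inner
    raise ValueError(f"more than {max_layers} layers; aborting")


def build_sample() -> Tuple[str, bytes]:
    """Constructed input: a placeholder secret wrapped as gzip(tar(bzip2(gzip(text)))), then hexdumped."""
    secret = b"The password is EXAMPLE_PLACEHOLDER_NOT_A_REAL_ONE\n"
    inner = bz2.compress(gzip.compress(secret))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        info = tarfile.TarInfo(name="data5.bin")
        info.size = len(inner)
        tf.addfile(info, io.BytesIO(inner))
    blob = gzip.compress(buf.getvalue())
    return xxd_dump(blob), secret


if __name__ == "__main__":
    dump, _ = build_sample()
    layers, plain = unwrap(xxd_reverse(dump))
    print("layers removed:", " -> ".join(layers))   # gzip -> tar -> bzip2 -> gzip
    print(plain.decode(), end="")
```

On the real box the same logic is what the manual loop does, with `file` standing in for `layer_type`; the point of the caps is that a file handed to you by a CTF (or an attacker) should never be allowed to decide how much disk or memory it may consume.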
# Level 13 → Level 14
```bash
ssh bandit13@bandit.labs.overthewire.org -p 2220
Password: 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
```
Instead of a password, the home directory holds an SSH private key that logs in as bandit14. Display it:
```bash
bandit13@bandit:~$ cat sshkey.private
```
Moving to the next level using that key. `-i` selects the identity file; note that `ssh` refuses a private key readable by other users, so keep the mode at 600 or 400 if you copy it anywhere:
```bash
bandit13@bandit:~$ ssh bandit14@localhost -i sshkey.private
Could not create directory '/home/bandit13/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
```
# Level 14 → Level 15
Since we logged in with a key, the current level's password has to be read from `/etc/bandit_pass/bandit14` first. It is then submitted to port 30000 on localhost; the service answers with a verdict and, on success, the next password:
```bash
bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
bandit14@bandit:~$ echo "4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e" | nc localhost 30000
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr
```
Moving to the next level:
```bash
bandit14@bandit:~$ ssh bandit15@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
```
# Level 15 → Level 16
```bash
Password: BfMYroe26WYalil77FoDi9qh59eK5xNr
```
Submitting the password of the current level to port 30001 on localhost, this time over TLS, so plain `nc` will not do; `openssl s_client` performs the handshake and then relays stdin. `-ign_eof` keeps the connection open after stdin reaches end-of-file so that the reply is still read; without it the client can exit before the answer arrives:
```bash
bandit15@bandit:~$ echo "BfMYroe26WYalil77FoDi9qh59eK5xNr" | openssl s_client -connect localhost:30001 -ign_eof
```
Which, after the certificate and session details, gives the password for the next level:
```bash
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd
```
# Level 16 → Level 17
```bash
Password: cluFn7wTiGryunymYOu4RcffSxQluehd
```
`nmap` scan of the given range, with service detection so we can tell which of the open ports speak TLS (`-A` switches on version detection among other things; `-sV` alone would be enough here):
```bash
bandit16@bandit:~$ nmap -A localhost -p 31000-32000
```
Amidst a ton of text displayed, this gives us a hint that `31790` is the required port: it is a TLS service, and it answers every probe with the password-check banner:
```
31790/tcp open ssl/unknown
| fingerprint-strings:
| FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SIPOptions, SSLSessionReq, TLSSessionReq:
|_ Wrong! Please enter the correct current password
```
Connecting to port `31790` and entering the password of bandit16 when prompted; an RSA private key is displayed in return:
```bash
bandit16@bandit:~$ openssl s_client -connect localhost:31790
```
Log out:
```bash
bandit16@bandit:~$ exit
logout
Connection to bandit.labs.overthewire.org closed.
```
Make a local copy of the RSA key (paste the block from `-----BEGIN RSA PRIVATE KEY-----` to `-----END RSA PRIVATE KEY-----` into the file; `code` opens it in VS Code, any editor will do) and restrict its permissions, otherwise `ssh` refuses to use it:
```bash
touch rsa
code rsa
chmod 400 rsa
```
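Levels 14, 15 and 16 all use the same exchange: send the current password as one line, read back either `Correct!` followed by the next secret, or the `Wrong! ...` banner that nmap's fingerprint showed. The Python below is an added example, not code from the original post and not the game's own service: `submit_password` does what `echo pw | nc` and `openssl s_client -ign_eof` do by hand, and `start_checker` is a constructed stand-in for the port-30000 checker so the exchange runs offline. The TLS branch assumes, as in the lab, that the service certificate cannot be validated against any CA, which is the only reason verification is switched off; the placeholder passwords are not Bandit's.

```python
import socket
import ssl
import threading
from typing import Optional, Tuple

WRONG_BANNER = b"Wrong! Please enter the correct current password\n"


def submit_password(host: str, port: int, password: str,
                    use_tls: bool = False, timeout: float = 5.0) -> str:
    """Send one password line and return everything the checker replies.

    Plain mode mirrors `echo pw | nc host port`: after writing the line we
    shut down our sending side (the equivalent of stdin EOF) but keep reading.
    TLS mode mirrors `openssl s_client -connect host:port -ign_eof`: the
    handshake happens first, then we keep reading until the server closes.
    """
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        # Lab assumption: the service presents a certificate we cannot validate,
        # so verification is disabled here. Never do this outside a lab.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(password.encode() + b"\n")
        if not use_tls:
            sock.shutdown(socket.SHUT_WR)   # we are done sending; reply still readable
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:                    # server closed: reply is complete
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def parse_reply(reply: str) -> Optional[str]:
    """Return the next level's password if the checker said Correct!, else None."""
    lines = reply.splitlines()
    if len(lines) >= 2 and lines[0].strip() == "Correct!":
        return lines[1].strip()
    return None


def start_checker(expected: str, next_password: str) -> int:
    """Constructed stand-in for the checker service; serves exactly one client.

    Listens on an ephemeral loopback port and returns that port number.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        srv.close()
        with conn:
            line = b""
            while b"\n" not in line and len(line) < 4096:
                data = conn.recv(4096)
                if not data:
                    break
                line += data
            if line.strip() == expected.encode():
                conn.sendall(b"Correct!\n" + next_password.encode() + b"\n")
            else:
                conn.sendall(WRONG_BANNER)

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Run the exchange against the stand-in twice: right password, then a wrong one."""
    port = start_checker("current-CONSTRUCTED", "next-CONSTRUCTED")
    accepted = parse_reply(submit_password("127.0.0.1", port, "current-CONSTRUCTED"))
    port = start_checker("current-CONSTRUCTED", "next-CONSTRUCTED")
    rejected = parse_reply(submit_password("127.0.0.1", port, "not-the-password"))
    return accepted, rejected


if __name__ == "__main__":
    print(demo())   # ('next-CONSTRUCTED', None)
```

The half-close in plain mode is the detail that makes the one-liners work: the client must signal that no more input is coming without closing the socket, or the verdict is never read. In TLS mode there is no clean half-close on the wrapped socket, so the client simply waits for the server to finish, which is exactly what `-ign_eof` asks `s_client` to do.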
# Level 17 → Level 18
Log in using the RSA key found in the previous level:
```bash
ssh bandit17@bandit.labs.overthewire.org -p 2220 -i rsa
```
Finding the only line that differs between the two files:
```bash
bandit17@bandit:~$ ls
passwords.new passwords.old
bandit17@bandit:~$ diff passwords.new passwords.old
42c42
< kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
---
> w0Yfolrc5bwjS4qw5mq1nnQi6mF03bii
```
`42c42` means line 42 changed between the files; lines marked `<` come from the first argument (`passwords.new`) and `>` from the second (`passwords.old`). The `<` line, the new one, is the required password.
Moving to the next level:
```bash
bandit17@bandit:~$ ssh bandit18@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
```
# Level 18 → Level 19
Logging in normally with a plain `ssh` command gets the session terminated straight away, because the account's `.bashrc` has been modified to end it. The `-T` flag helps us overcome that: it disables pseudo-terminal allocation, so bash runs non-interactively and the part of `.bashrc` that ends interactive sessions never fires. (Running a single command instead of a shell, `ssh bandit18@localhost cat readme`, works for the same reason.)
```bash
ssh -T bandit18@localhost
Password: kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
```
We get a shell, without a prompt, where we can type in bash commands:
```bash
ls
readme
cat readme
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
```
Exit this shell with `exit` (or Ctrl-D). Ctrl-Z would only suspend the local `ssh` client, leaving the session stopped in the background rather than closed.
Move on to the next level:
```bash
ssh bandit19@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
```
# Level 19 → Level 20
```bash
Password: IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
```
Checking the files present:
```bash
bandit19@bandit:~$ ls
bandit20-do
bandit19@bandit:~$ ./bandit20-do
Run a command as another user.
Example: ./bandit20-do id
bandit19@bandit:~$ ./bandit20-do id
uid=11019(bandit19) gid=11019(bandit19) euid=11020(bandit20) groups=11019(bandit19)
```
The `id` output is the important part: the real uid is still bandit19, but the effective uid (`euid`) is bandit20. `bandit20-do` is a setuid binary owned by bandit20, and the kernel checks file permissions against the effective uid, so whatever it executes can read bandit20's files. With a plain `cat` we cannot access the file, because only user bandit20 has the required permissions:
```bash
bandit19@bandit:~$ cat /etc/bandit_pass/bandit20
cat: /etc/bandit_pass/bandit20: Permission denied
```
Running the same `cat` through the setuid helper instead:
```bash
bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
```
Which gives us the password for the next level.