OSCP
Search…
OSCP
All About OSCP
OSCP- One Page Repository
About the Author
Basic Linux & Windows Commands
Recon (Scanning & Enumeration)
Web Application
Brute Force
Shells
Transferring files
Priv Escalation
Post Exploitation
Pivoting
Buffer Overflow
Main Tools
MISC
CheatSheet (Short)
OSCP/ Vulnhub Practice learning
Machines Practice
My Practice on HTB Windows boxes
My Practice on Vulnhub boxes
Over the Wire (Natas)
Over The wire (Bandit)
Powered By GitBook
Over The wire (Bandit)
Over the wire - bandit :

Level 0:

To get to level 0 we need to simply SSH into Bandit with the username: bandit0 and password: bandit0

Level 0 -> 1:

The password for the next level is stored in a file called readme located in the home directory. [email protected]:~$ cat readme

Level 1 -> 2:

The password for the next level is stored in a file called - located in the home directory [email protected]:~$ cat ./-

Level 2 -> 3:

The password for the next level is stored in a file called spaces in this filename located in the home directory [email protected]:~$ cat spaces in this filename

Level 3 -> 4:

The password for the next level is stored in a hidden file in the inhere directory. [email protected]:~/inhere$ cat .hidden

Level 4 - >5:

The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.

[email protected]:~/inhere$ file ./-*

Level 5 -> 6:

The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties: - human-readable - 1033 bytes in size - not executable

[email protected]:~/inhere$ find -type f -size 1033c

Level 6 -> 7:

The password for the next level is stored somewhere on the server and has all of the following properties: - owned by user bandit7 - owned by group bandit6 - 33 bytes in size

[email protected]:~$ find / -user bandit7 -group bandit6 -size 32c 2>/dev/null

Level 7 -> 8:

The password for the next level is stored in the file data.txt next to the word millionth

[email protected]:~$ awk '/^millionth/ {print $2;}' data.txt

Level 8 -> 9:

The password for the next level is stored in the file data.txt and is the only line of text that occurs only once

[email protected]:~$ cat data.txt | sort | uniq -u

Level 9 -> 10:

The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.

[email protected]:~$ strings data.txt | grep "="

Level 10 -> 11

The password for the next level is stored in the file data.txt, which contains base64 encoded data

[email protected]:~$ echo VGhlIHBhc3N3b3JkIGlzIElGdWt3S0dzRlc4TU9xM0lSRnFyeEUxaHhUTkViVVBSCg== | base64 --decode

Level 11 -> 12:

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions

[email protected]:~$ echo Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh | tr [a-zA-Z] [n-za-mN-ZA-M]

Level 12 -> 13:

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the data file using cp, and rename it using mv (read the manpages!)
[email protected]:~$ mkdir /tmp/jhalon [email protected]:~$

xxd -r data.txt > /tmp/jhalon/file.bin [email protected]:/tmp/jhalon$ file file.bin

[email protected]:/tmp/jhalon$ file file.bin file.bin: gzip compressed data, was "data2.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression [email protected]:/tmp/jhalon$ zcat file.bin | file - /dev/stdin: bzip2 compressed data, block size = 900k [email protected]:/tmp/jhalon$ zcat file.bin | bzcat | file - /dev/stdin: gzip compressed data, was "data4.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression [email protected]:/tmp/jhalon$ zcat file.bin | bzcat | zcat | file - /dev/stdin: POSIX tar archive (GNU) [email protected]:/tmp/jhalon$ zcat file.bin | bzcat | zcat | tar xO | file - /dev/stdin: POSIX tar archive (GNU) [email protected]:/tmp/jhalon$ zcat file.bin | bzcat | zcat | tar xO | tar xO | file - /dev/stdin: bzip2 compressed data, block size = 900k [email protected]:/tmp/jhalon$ zcat file.bin | bzcat | zcat | tar xO | tar xO | bzcat | file - /dev/stdin: POSIX tar archive (GNU) [email protected]:/tmp/jhalon$ zcat file.bin | bzcat | zcat | tar xO | tar xO | bzcat | tar xO | file - /dev/stdin: gzip compressed data, was "data9.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression [email protected]:/tmp/jhalon$ zcat file.bin | bzcat | zcat | tar xO | tar xO | bzcat | tar xO | zcat | file - /dev/stdin: ASCII text

[email protected]:/tmp/jhalon$ zcat file.bin | bzcat | zcat | tar xO | tar xO | bzcat | tar xO | zcat The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

[email protected]:/tmp$ rm -rf jhalon

Level 13 -> 14:

The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on

[email protected]:~$ ssh -i sshkey.private [email protected]

Level 14 -> 15:

The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

[email protected]:~$ telnet localhost 30000

Level 15 -> 16:

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command… [email protected]:~$

openssl s_client -ign_eof -connect localhost:30001

Level 16 -> 17:

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
[email protected]:~$ nmap -p 31000-32000 -sV localhost [email protected]:~$

echo cluFn7wTiGryunymYOu4RcffSxQluehd | openssl s_client -quiet -connect localhost:31790

Great! So let’s copy the RSA Key (Don’t forget to get the Header and Footer) and create a new file in a tmp directory.
[email protected]:/tmp/jhalon$ nano sshkey.private [email protected]:/tmp/jhalon$ chmod 600 sshkey.private [email protected]:/tmp/jhalon$ ssh -i ./sshkey.private [email protected]

Level 17 -> 18:

There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new

[email protected]:~$ diff passwords.new passwords.old

Level 18 -> 19:

The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

Level 19 -> 20:

To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used to setuid binary.

[email protected]:~$ ./bandit20-do [email protected]:~$ ./bandit20-do cat /etc/bandit_pass/bandit20

Level 20 -> 21:

There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
NOTE: To beat this level, you need to login twice: once to run the setuid command, and once to start a network daemon to which the setuid will connect.
NOTE 2: Try connecting to your own network daemon to see if it works as you think

[email protected]:~$ nc -l 32123 < /etc/bandit_pass/bandit20 [email protected]:~$ ./suconnect 32123

Level 21 -> 22:

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

[email protected]:~$ cd /etc/cron.d/ [email protected]:/etc/cron.d$ cat cronjob_bandit22 [email protected]:/etc/cron.d$ cat /usr/bin/cronjob_bandit22.sh cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

Level 22 -> 23:

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.

[email protected]:/etc/cron.d$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1 [email protected]:/etc/cron.d$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349

Level 23 -> 24:

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…
[email protected]:/etc/cron.d$ cat cronjob_bandit24 [email protected]:/etc/cron.d$ cat /usr/bin/cronjob_bandit24.sh [email protected]:/etc/cron.d$ mkdir /tmp/jhalon [email protected]:/tmp/jhalon$ nano
1
#!/bin/bash
2
3
cat /etc/bandit_pass/bandit24 > tmp/jhalon/pass
Copied!
[email protected]:/tmp/jhalon$ cp script.sh /var/spool/bandit24 [email protected]:/tmp/jhalon$ cat /tmp/jhalon/pass

Level 24 -> 25:

A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.
[email protected]:~$ mkdir /tmp/jhalon [email protected]:~$ cd /tmp/jhalon [email protected]:/tmp/jhalon$ nano
1
#!/bin/bash
2
passwd="UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ"
3
4
for a in {0-10000}
5
do
6
echo $passwd' '$a | nc localhost 30002 >> result &
7
done
8
Copied!
[email protected]:/tmp/jhalon$ chmod 755 script.sh [email protected]:/tmp/jhalon$ ./script.sh [email protected]:/tmp/jhalon$ sort result | uniq -u

Level 25 -> 26:

Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.

[email protected]:~$ cat /etc/passwd | grep bandit26 [email protected]:~$ cat /usr/bin/showtext [email protected]:~$ ssh -i bandit26.sshkey [email protected] :r /etc/bandit_pass/bandit26 Enter

3rd jan
over the wire bandit walkthrough

Level 26-27

On this level, we are not given any hints. We are on our own on this. So, we like to see what we have to work upon in the current directory. We ran ls command to find a script bandit27-do. Let’s execute the script to see if we get any message or hint. It does one better, it gives us an example. This script basically runs the command it is given as user bandit27. So now that we can run commands as user bandit27. Let’s read the password file located at /etc/bandit_pass/bandit27. Now that we have the password for the next level, we will login as bandit27 using SSH.

ls ./bandit27-do ./bandit27-do whoami ./bandit27-do cat /etc/bandit_pass/bandit27 ssh [email protected]

Level 27-28

On this level, we are informed that there is a git repository and the password for that repository is the same password that was used to login in as user bandit27. We are required to clone the repository. Now we need to have the write permission to clone a repository. So, we create a directory in the tmp directory. After cloning let’s list all the file in the repo. We find a README file. Upon reading that file we get the password for the next level.

mkdir /tmp/pavan4 cd /tmp/pavan4 git clone ssh://[email protected]/home/bandit27-git/repo ls cd repo ls cat README

Level 28-29

On this level, we are informed that there is a git repository and the password for that repository is the same password that was used to login in as user bandit28. We are required to clone the repository. Now we need to have the write permission to clone a repository. So, we create a directory in the tmp directory. After cloning let’s list all the file in the repo. We find a README file. Upon reading that file we see that password is hidden.

mkdir /tmp/pavan5 cd /tmp/pavan5 git clone ssh://[email protected]/home/bandit28-git/repo ls cd repo/ ls cat README.md

Maybe the password was inside the file but was removed. Good thing is that whenever a change is made in a git, a log entry is created. Let’s check that log, we can see that the author of git has made the latest commit named ‘fix info leak’. We need to check out this commit.

git show

Level 29-30

On this level, we are informed that there is a git repository and the password for that repository is the same password that was used to login in as user bandit29. We are required to clone the repository. Now we need to have the write permission to clone a repository. So, we create a directory in the tmp directory. Now we will clone the repository inside this directory.

mkdir /tmp/pavan6 cd /tmp/pavan6 git clone ssh://[email protected]/home/bandit29-git/repo

ls cd repo/ ls cat README.md

git branch -a git checkout dev cat README.md ssh [email protected]

Level 30-31

On this level, we are informed that there is a git repository and the password for that repository is the same password that was used to login in as user bandit30. We are required to clone the repository. Now we need to have the write permission to clone a repository. So, we create a directory in the tmp directory. Now we will clone the repository inside this directory.

mkdir /tmp/pavan7 cd /tmp/pavan7 git clone ssh://[email protected]/home/bandit30-git/repo

After cloning let’s list all the file in the repo. We find a README file. Here we are told that it is an empty file. Now it’s time to enumerate this git. Git has the ability to tag specific points in a repository’s history as being important. We can enumerate that tag. On looking carefully, we find the tag secret. On reading that tag we find the password we were looking for on this level. Now that we have the password for the next level, we will login as bandit31 using SSH.

ls cd repo ls cat README.md git tag git show secret ssh [email protected]

Level 31-32

On this level, we are informed that there is a git repository and the password for that repository is the same password that was used to login in as user bandit31. We are required to clone the repository. Now we need to have the write permission to clone a repository. So, we create a directory in the tmp directory. Now we will clone the repository inside this directory.

mkdir /tmp/pavan8 cd /tmp/pavan8 git clone ssh://[email protected]/home/bandit31-git/repo

Now we add the file to the repository and commit to that entry. And finally, push it into the origin branch. This step requires the password for the current user. As we can see in the given image that we have the password for the next level.

git add -f key.txt git commit -m "." git push origin

Level 32-33

On reaching this level, we are greeted with a message “Welcome to the Uppercase shell”. To understand what it does, we ran ls command but we got an error. On close inspection of the error message, we understand that it states that the LS command is not found. It means that the shell converts my commands to Uppercase before executing. For this level, we are given a hint “it’s time for another escape”. This made us curious about escape characters. Upon brief research, we found that we can bypass this uppercase shell using an escape character ‘$0’. We were right. We got the bash. Let’s list all files using ls -al command. We see that the owner of uppercase is bandit33. So, we can access the /etc/bandit_pass/bandit33 file to get the password for the next level. After getting the password, we will login as bandit33 using SSH.

ls $0 ls -al cat /etc/bandit_pass/bandit33 ssh [email protected]

Level 33

This is the final level for now as the bandit team is working on creating more levels. We connected to this level as use bandit33. After connecting we run ls command to see the list of files we have in the current directory. We see that we have a README file. On opening that file, we see the final flag and a brief message from the Over the Wire Team. This concludes this series for now. We will solve more levels as soon as Over the Wire team publishes more levels.

ls cat README.txt

Previous
Over the Wire (Natas)
Last modified 2yr ago
Copy link
Contents
Level 0:
Level 0 -> 1:
Level 1 -> 2:
Level 2 -> 3:
Level 3 -> 4:
Level 4 - >5:
Level 5 -> 6:
Level 6 -> 7:
Level 7 -> 8:
Level 8 -> 9:
Level 9 -> 10:
Level 10 -> 11
Level 11 -> 12:
Level 12 -> 13:
Level 13 -> 14:
Level 14 -> 15:
Level 15 -> 16:
Level 16 -> 17:
Level 17 -> 18:
Level 18 -> 19:
Level 19 -> 20:
Level 20 -> 21:
Level 21 -> 22:
Level 22 -> 23:
Level 23 -> 24:
Level 24 -> 25:
Level 25 -> 26:
Level 26-27
Level 27-28
Level 28-29
Level 29-30
Level 30-31
Level 31-32
Level 32-33
Level 33