The goal of Bandit is to progress through the levels by obtaining passwords. The password obtained in one level is the password for the next.
DISCLAIMER: This page contains spoilers for the game and its levels. As ethical hackers you should try to think "out of the box" and solve the levels with your own knowledge and research.
Bandit
The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the next section to find out how to beat Level 1.
_ _ _ _
| |__ __ _ _ __ __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|
This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames
bandit0@bandit.labs.overthewire.org's password:
Bandit 0
The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.
cat readme
NH2SXQwcBdpmTEzi3bvBHMM9H66vVXjL
Bandit 1
The password for the next level is stored in a file called - located in the home directory.
cat < -
rRGizSaX8Mk1RTb1CNQoXTcYZWU6lgzi
Bandit 2
The password for the next level is stored in a file called spaces in this filename located in the home directory.
The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions.
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)
# Create a directory under /tmp
bandit12@bandit:~$ cd /tmp
bandit12@bandit:/tmp$ mktemp -d
/tmp/tmp.W5t1vua6G9
bandit12@bandit:/tmp$ cd /tmp/tmp.W5t1vua6G9
bandit12@bandit:/tmp/tmp.W5t1vua6G9$ cp ~/data.txt .
bandit12@bandit:/tmp/tmp.W5t1vua6G9$ ls
data.txt
bandit12@bandit:/tmp/tmp.W5t1vua6G9$ mv data.txt hexdump_data
bandit12@bandit:/tmp/tmp.W5t1vua6G9$ ls
hexdump_data
# Reverse the hexdump
cat hexdump_data | head
bandit12@bandit:/tmp/tmp.W5t1vua6G9$ xxd -r hexdump_data compressed_data
bandit12@bandit:/tmp/tmp.W5t1vua6G9$ ls
compressed_data hexdump_data
cat compressed_data | head
# Repeat the decompression
bandit12@bandit:/tmp/tmp.W5t1vua6G9$ cat hexdump_data
00000000: 1f8b 0808 0650 b45e 0203 6461 7461 322e  .....P.^..data2.
bandit12@bandit:/tmp/tmp.W5t1vua6G9$ mv compressed_data compressed_data.gz
bandit12@bandit:/tmp/tmp.W5t1vua6G9$ ls
compressed_data.gz hexdump_data
bandit12@bandit:/tmp/tmp.W5t1vua6G9$ gzip -d compressed_data.gz
bandit12@bandit:/tmp/tmp.W5t1vua6G9$ ls
compressed_data hexdump_data
# BZIP2
bandit12@bandit:/tmp/tmp.W5t1vua6G9$ xxd compressed_data
00000000: 425a 6839 3141 5926 5359 8e4f 1cc8 0000  BZh91AY&SY.O....
bandit12@bandit:/tmp/tmp.W5t1vua6G9$ mv compressed_data compressed_data.bz2
bandit12@bandit:/tmp/tmp.W5t1vua6G9$ ls
compressed_data.bz2 hexdump_data
bandit12@bandit:/tmp/tmp.W5t1vua6G9$ bzip2 -d compressed_data.bz2
# GZIP
bandit12@bandit:/tmp/tmp.W5t1vua6G9$ mv compressed_data compressed_data.gz
bandit12@bandit:/tmp/tmp.W5t1vua6G9$ gzip -d compressed_data.gz
# TAR archives
bandit12@bandit:/tmp/tmp.W5t1vua6G9$ xxd compressed_data | head
00000000: 6461 7461 352e 6269 6e00 0000 0000 0000  data5.bin.......
00000010: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000060: 0000 0000 3030 3030 3634 3400 3030 3030  ....0000644.0000
bandit12@bandit:/tmp/tmp.W5t1vua6G9$ mv compressed_data compressed_data.tar
bandit12@bandit:/tmp/tmp.W5t1vua6G9$ tar -xf compressed_data.tar
bandit12@bandit:/tmp/tmp.W5t1vua6G9$ ls
compressed_data.tar data5.bin hexdump_data
bandit12@bandit:/tmp/tmp.W5t1vua6G9$ tar -xf data5.bin
# BZIP2
bandit12@bandit:/tmp/tmp.W5t1vua6G9$ xxd data6.bin
00000000: 425a 6839 3141 5926 5359 080c 2b0b 0000  BZh91AY&SY..+...
bandit12@bandit:/tmp/tmp.W5t1vua6G9$ bzip2 -d data6.bin
bzip2: Can't guess original name for data6.bin -- using data6.bin.out
bandit12@bandit:/tmp/tmp.W5t1vua6G9$ ls
compressed_data.tar data5.bin data6.bin.out hexdump_data
# TAR archive
bandit12@bandit:/tmp/tmp.W5t1vua6G9$ tar -xf data6.bin.out
bandit12@bandit:/tmp/tmp.W5t1vua6G9$ ls
compressed_data.tar data5.bin data6.bin.out data8.bin hexdump_data
# GZIP
bandit12@bandit:/tmp/tmp.W5t1vua6G9$ xxd data8.bin
00000000: 1f8b 0808 0650 b45e 0203 6461 7461 392e  .....P.^..data9.
bandit12@bandit:/tmp/tmp.W5t1vua6G9$ mv data8.bin data8.gz
bandit12@bandit:/tmp/tmp.W5t1vua6G9$ gzip -d data8.gz
bandit12@bandit:/tmp/tmp.W5t1vua6G9$ ls
compressed_data.tar data5.bin data6.bin.out data8 hexdump_data
bandit12@bandit:/tmp/tmp.W5t1vua6G9$ cat data8
The password is wbWdlBxEir4CaE8LaPhauuOo6pwRmrDw
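The same unwrapping done programmatically, as an added example that is not part of the original walkthrough: it reverses an xxd dump, identifies each layer by the magic bytes seen in the hexdumps above (gzip `1f 8b`, bzip2 `BZh`, tar `ustar` at offset 257) and peels the layers in memory, refusing to go past a fixed depth. The sample input, its placeholder text and all function names are constructed for this example.

```python
import bz2
import gzip
import io
import tarfile

MAX_LAYERS = 32  # stop on absurd nesting instead of decompressing forever


def reverse_xxd(dump: str) -> bytes:
    """Rebuild the bytes from default-format xxd output (what `xxd -r` does)."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        # Hex groups sit between the offset and the two-space gap before the ASCII column.
        hex_part = line.split(":", 1)[1].split("  ", 1)[0]
        out += bytes.fromhex(hex_part.replace(" ", ""))
    return bytes(out)


def identify(data: bytes) -> str:
    """Classify a blob by magic bytes rather than by file extension."""
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[:3] == b"BZh":
        return "bzip2"
    if len(data) >= 512 and data[257:262] == b"ustar":
        return "tar"
    return "data"


def unwrap(data: bytes, max_layers: int = MAX_LAYERS):
    """Peel layers until the content is no longer a known container."""
    layers = []
    for _ in range(max_layers):
        kind = identify(data)
        if kind == "gzip":
            data = gzip.decompress(data)
        elif kind == "bzip2":
            data = bz2.decompress(data)
        elif kind == "tar":
            # Read the member in memory; nothing is written to disk, so a
            # hostile member path cannot escape the working directory.
            with tarfile.open(fileobj=io.BytesIO(data)) as tar:
                members = [m for m in tar.getmembers() if m.isfile()]
                if len(members) != 1:
                    raise ValueError("expected exactly one regular file per tar layer")
                data = tar.extractfile(members[0]).read()
        else:
            return data, layers
        layers.append(kind)
    raise ValueError(f"more than {max_layers} layers, refusing to continue")


def to_xxd(data: bytes) -> str:
    """Produce xxd-style lines; used only to build the constructed sample."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexs = chunk.hex()
        groups = " ".join(hexs[i:i + 4] for i in range(0, len(hexs), 4))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {groups:<39}  {text}")
    return "\n".join(lines)


def build_sample() -> str:
    """Constructed input: text -> gzip -> tar -> bzip2 -> gzip -> hexdump."""
    blob = gzip.compress(b"The password is CONSTRUCTED-PLACEHOLDER\n")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        info = tarfile.TarInfo("data5.bin")
        info.size = len(blob)
        tar.addfile(info, io.BytesIO(blob))
    return to_xxd(gzip.compress(bz2.compress(buf.getvalue())))


if __name__ == "__main__":
    content, seen = unwrap(reverse_xxd(build_sample()))
    print(" -> ".join(seen))
    print(content.decode())
```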
Bandit 13
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
# First we need to find the previous level's password
cat /etc/bandit_pass/bandit14
fGrHPx402xGC7U7rXKDaxiWFTOiF0ENq
# Send the password to port 30000 on localhost
bandit14@bandit:~$ nc localhost 30000
fGrHPx402xGC7U7rXKDaxiWFTOiF0ENq
Correct!
jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt
Bandit 15
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…
bandit15@bandit:~$ echo "jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt" | openssl s_client -connect localhost:30001 -ign_eof
....SNIP....
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
....SNIP....
    Start Time: 1698223465
    Timeout   : 7200 (sec)
    Verify return code: 10 (certificate has expired)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
Correct!
JQttfApK4SeyHwDlI9SXGR50qclOAil1
Bandit 16
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
# For loop to find open ports
for port in {31000..32000}; do
    nc -zv localhost $port 2>&1 | grep succeeded && echo "Puerto $port abierto"
done
# We find the following ports
Connection to localhost (127.0.0.1) 31046 port [tcp/*] succeeded!
Puerto 31046 abierto
Connection to localhost (127.0.0.1) 31518 port [tcp/*] succeeded!
Puerto 31518 abierto
Connection to localhost (127.0.0.1) 31691 port [tcp/*] succeeded!
Puerto 31691 abierto
Connection to localhost (127.0.0.1) 31790 port [tcp/*] succeeded!
Puerto 31790 abierto
Connection to localhost (127.0.0.1) 31960 port [tcp/*] succeeded!
Puerto 31960 abierto
# Identify the SSL services
openssl s_client -connect localhost:PUERTO
# We get a positive response from
Puerto 31518
Puerto 31790
# Send the current level's password to these ports
echo "JQttfApK4SeyHwDlI9SXGR50qclOAil1" | openssl s_client -connect localhost:31790 -ign_eof
# It returns an SSH private key
-----BEGIN RSA PRIVATE KEY-----
....SNIP....
-----END RSA PRIVATE KEY-----
# Copy it into a file
nano sshkey-17
chmod 600 sshkey-17
ssh -i sshkey-17 bandit17@bandit.labs.overthewire.org -p 2220
# We are in
# Find the current level's plaintext password
cat /etc/bandit_pass/bandit17
VwOSWtCA7lRKkTfbr2IDh6awj9RNZM5e
Bandit 17
There are 2 files in the home directory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new
NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19
The password for the next level is stored in a file readme in the home directory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
# Logging in over SSH kicks us off the server
# Bypass .bashrc
ssh -t bandit18@bandit.labs.overthewire.org -p 2220 "cat /home/bandit18/readme"
hga5tuuCLF6fFzUpnagiMN8ssu9LFrdg
# It returns the password
awhqfNnAbc1naukrpqDYcF95h7HoMTrC
Bandit 19
To gain access to the next level, you should use the setuid binary in the home directory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.
bandit19@bandit:~$ ls
bandit20-do
# We find an executable file
bandit19@bandit:~$ file bandit20-do
bandit20-do: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=037b97b430734c79085a8720c90070e346ca378e, for GNU/Linux 3.2.0, not stripped
# Run it
bandit19@bandit:~$ ./bandit20-do
Run a command as another user.
  Example: ./bandit20-do id
bandit19@bandit:~$ ./bandit20-do id
uid=11019(bandit19) gid=11019(bandit19) euid=11020(bandit20) groups=11019(bandit19)
bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
VxCazJaVykI6W36BkBU0mJTCM8rR95XT
Bandit 20
There is a setuid binary in the home directory that does the following: it makes a connection to localhost on the port you specify as a command line argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
NOTE: Try connecting to your own network daemon to see if it works as you think
bandit20@bandit:~$ ./suconnect
Usage: ./suconnect <portnumber>
This program will connect to the given port on localhost using TCP. If it receives the correct password from the other side, the next password is transmitted back.
bandit20@bandit:~$ ./suconnect 1234
Read: VxCazJaVykI6W36BkBU0mJTCM8rR95XT
Password matches, sending next password
# In another terminal we connect to Bandit 20 over SSH again
bandit20@bandit:~$ nc -nlvp 1234
Listening on 0.0.0.0 1234
Connection received on 127.0.0.1 45922
VxCazJaVykI6W36BkBU0mJTCM8rR95XT
NvEJF7oVjkddltPSrdKEFOllh9V1IBcq
# Password
NvEJF7oVjkddltPSrdKEFOllh9V1IBcq
Bandit 21
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
bandit22@bandit:~$ cd /etc/cron.d/
bandit22@bandit:/etc/cron.d$ ls
cronjob_bandit15_root cronjob_bandit22 cronjob_bandit24 e2scrub_all sysstat
cronjob_bandit17_root cronjob_bandit23 cronjob_bandit25_root otw-tmp-dir
bandit22@bandit:/etc/cron.d$ cat cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
bandit22@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget
# We need it to run as bandit23 to obtain the password
# We cannot modify the script because we have no write permission, so we run its commands manually
# Get the MD5 hash, which is stored in /tmp
bandit22@bandit:~$ echo "I am user bandit23" | md5sum | cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349
bandit22@bandit:~$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
QYw0Y2aiA672PsMmh9puTQuhoz8SyR2G
Bandit 23
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…
bandit23@bandit:/etc/cron.d$ cd /etc/cron.d/
bandit23@bandit:/etc/cron.d$ cat cronjob_bandit24
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
# Look at the script
bandit23@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash
myname=$(whoami)
cd /var/spool/$myname/foo
echo "Executing and deleting all scripts in /var/spool/$myname/foo:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        owner="$(stat --format "%U" ./$i)"
        if [ "${owner}" = "bandit23" ]; then
            timeout -s 9 60 ./$i
        fi
        rm -f ./$i
    fi
done
The cronjob_bandit24.sh script shows that every script in the /var/spool/bandit24/foo directory is executed and then deleted. This means you can add a script to that directory and it will be run.
# Create a script (myscript.sh) that prints the contents of the password file to a place where you can read it:
mktemp -d
/tmp/tmp.hTgJOFcPaH
cd /tmp/tmp.hTgJOFcPaH
nano myscript.sh
#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/tmp.hTgJOFcPaH/password
# Give it execute permission
bandit23@bandit:/tmp/tmp.cwnhwiGK8y$ chmod +rx myscript.sh
bandit23@bandit:/tmp/tmp.cwnhwiGK8y$ chmod 777 /tmp/tmp.cwnhwiGK8y
bandit23@bandit:/tmp/tmp.cwnhwiGK8y$ touch password
bandit23@bandit:/tmp/tmp.cwnhwiGK8y$ chmod +rwx password
bandit23@bandit:/tmp/tmp.cwnhwiGK8y$ ls
myscript.sh password
# Copy the script to the /var/spool/bandit24/foo directory:
bandit23@bandit:/tmp/tmp.hTgJOFcPaH$ cp myscript.sh /var/spool/bandit24/foo/
# Wait 1 minute for cron to run the script
bandit23@bandit:/tmp/tmp.hTgJOFcPaH$ cat password
VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar
Bandit 24
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing. You do not need to create new connections each time.
To brute-force the bandit25 pincode, we will write a bash script that iterates through all possible 4-digit combinations and sends them to the daemon on port 30002 together with the bandit24 password:
# We try connecting with netcat to localhost port 30002
bandit24@bandit:$ nc localhost 30002
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0000
Wrong! Please enter the correct pincode. Try again.
# Create a temporary directory and enter it
bandit24@bandit:~$ mktemp -d
/tmp/tmp.YirnrWx7mB
bandit24@bandit:~$ cd /tmp/tmp.YirnrWx7mB
# Create the bash script
bandit24@bandit:/tmp/tmp.YirnrWx7mB$ nano brute-pin.sh
brute-pin.sh
#!/bin/bash
for i in {0000..9999}
do
    echo "VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar $i"
done
Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.
We copy the SSH private key to a file and connect over SSH to bandit26:
ssh -i sshkey-26 bandit26@bandit.labs.overthewire.org -p 2220
Enjoy your stay!
[ASCII-art banner]
Connection to bandit.labs.overthewire.org closed.
# When we connect over SSH the login succeeds, but we are kicked out
# The hint says the shell for bandit26 is not /bin/bash
bandit25@bandit:~$ cat /etc/passwd | grep bandit26
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
# We find that it runs a "showtext" shell script
bandit25@bandit:~$ cat /usr/bin/showtext
#!/bin/sh
export TERM=linux
exec more ~/text.txt
exit 0
The exec more line tells us that we must reduce the height of our terminal window: more only pauses when the text does not fit on the screen, and while it is paused we can interact with it instead of being logged out.
Indeed, logging in now no longer kicks us out, so we try to read the bandit26 password with the vim text editor. We press v to start vim, which shows the following screen:
Edit mode
:e /etc/bandit_pass/bandit26
c7GvcKlw9mC7aUQaPx7nwFstuAIBw1o1
Bandit 26
Good job getting a shell! Now hurry and grab the password for bandit27!
# When we try to connect over SSH we are kicked out, just like in the previous level
Enjoy your stay!
[ASCII-art banner]
Connection to bandit.labs.overthewire.org closed.
# The bandit26 user had a shell other than /bin/bash
/usr/bin/showtext
# We change it from vim, with the window kept small:
:set shell=/bin/bash
At this point we can get a shell with the :shell command.
There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo via the port 2220. The password for the user bandit27-git is the same as for the user bandit27.
Clone the repository and find the password for the next level.
There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo via the port 2220. The password for the user bandit28-git is the same as for the user bandit28.
Clone the repository and find the password for the next level.
bandit28@bandit:~$ git clone ssh://bandit28-git@localhost:2220/home/bandit28-git/repo
fatal: could not create work tree dir 'repo': Permission denied
# Create a temporary directory
bandit28@bandit:~$ mktemp -d
/tmp/tmp.7wMuSspT90
bandit28@bandit:~$ cd /tmp/tmp.7wMuSspT90
bandit28@bandit:/tmp/tmp.7wMuSspT90$ git clone ssh://bandit28-git@localhost:2220/home/bandit28-git/repo
Cloning into 'repo'...
_ _ _ _
| |__ __ _ _ __ __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|
This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames
bandit28-git@localhost's password:
remote: Enumerating objects: 9, done.
remote: Counting objects: 100% (9/9), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 9 (delta 2), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (9/9), done.
Resolving deltas: 100% (2/2), done.
bandit28@bandit:/tmp/tmp.7wMuSspT90$ ls
repo
bandit28@bandit:/tmp/tmp.7wMuSspT90$ cd repo
bandit28@bandit:/tmp/tmp.7wMuSspT90/repo$ ls
README.md
bandit28@bandit:/tmp/tmp.7wMuSspT90/repo$ cat README.md
# Bandit Notes
Some notes for level29 of bandit.
## credentials
- username: bandit29
- password: xxxxxxxxxx
# Look at the other, hidden files in the repo folder
bandit28@bandit:/tmp/tmp.7wMuSspT90/repo$ ls -la
total 16
drwxrwxr-x 3 bandit28 bandit28 4096 Oct 29 23:14 .
drwx------ 3 bandit28 bandit28 4096 Oct 29 23:13 ..
drwxrwxr-x 8 bandit28 bandit28 4096 Oct 29 23:14 .git
-rw-rw-r-- 1 bandit28 bandit28 111 Oct 29 23:14 README.md
bandit28@bandit:/tmp/tmp.7wMuSspT90/repo$ cd .git
bandit28@bandit:/tmp/tmp.7wMuSspT90/repo/.git$ ls
branches config description HEAD hooks index info logs objects packed-refs refs
# In the logs folder we find something that looks like a password
bandit28@bandit:/tmp/tmp.7wMuSspT90/repo/.git$ cd logs
bandit28@bandit:/tmp/tmp.7wMuSspT90/repo/.git/logs$ ls
HEAD refs
bandit28@bandit:/tmp/tmp.7wMuSspT90/repo/.git/logs$ cat HEAD
0000000000000000000000000000000000000000 14f754b3ba6531a2b89df6ccae6446e8969a41f3 Ben Dover <noone@overthewire.org> 1698621247 +0000 clone: from ssh://localhost:2220/home/bandit28-git/repo
# In the objects/pack folder we also find 2 interesting files
bandit28@bandit:/tmp/tmp.7wMuSspT90/repo/.git/objects$ cd pack/
bandit28@bandit:/tmp/tmp.7wMuSspT90/repo/.git/objects/pack$ ls
pack-a8af65113ecbd080fb1996a9cc4e30f4f580a2f3.idx
pack-a8af65113ecbd080fb1996a9cc4e30f4f580a2f3.pack
Files with the .idx and .pack extensions belong to Git, a distributed version control system. They are part of Git's internal structure and are used to store data efficiently.
.idx (Index): This file is a binary index that gives fast, efficient access to the objects stored in Git's database. It contains a mapping from object names (hashes) to locations on disk, which makes lookup and retrieval fast.
.pack (Pack): These files store compressed Git objects to save disk space. Git uses the "packing" technique to combine several objects into a single file and compress them. A .pack file is usually accompanied by a matching .idx file that serves as the index for accessing the objects inside the .pack file.
# Access the contents of the pack
bandit28@bandit:/tmp/tmp.7wMuSspT90/repo/.git/objects/pack$ git verify-pack -v pack-a8af65113ecbd080fb1996a9cc4e30f4f580a2f3.pack | sort -k3 -n
chain length = 1: 1 object
chain length = 2: 1 object
pack-a8af65113ecbd080fb1996a9cc4e30f4f580a2f3.pack: ok
non delta: 7 objects
7ba2d2f7eeef87bafac4745906c7a5312f68cd86 blob 12 22 758 2 5c6457b17de03b5f47fb2353b80db051d595c46e
5c6457b17de03b5f47fb2353b80db051d595c46e blob 18 22 640 1 b3021059432503a2f1dbd069cc13c3afc37a6cb2
1f29f2105c227ab27d29cfa85b3773bbf3330908 tree 37 48 662
42107e671543d9ace63ab9265e34abaf31b051ba tree 37 48 710
e275285b34f49c17ebf234a873f37aeaace5ad45 tree 37 48 463
b3021059432503a2f1dbd069cc13c3afc37a6cb2 blob 133 129 511 # This is where the password is
a645bcc508c63f081234911d2f631f87cf469258 commit 194 137 326
14f754b3ba6531a2b89df6ccae6446e8969a41f3 commit 232 156 12
f08b9cc63fa1a4602fb065257633c2dae6e5651b commit 235 158 168
# Access the contents of a tree
# git ls-tree <hash-tree>
bandit28@bandit:/tmp/tmp.7wMuSspT90/repo/.git/objects/pack$ git ls-tree 42107e671543d9ace63ab9265e34abaf31b051ba
100644 blob 7ba2d2f7eeef87bafac4745906c7a5312f68cd86 README.md
# We find nothing relevant in the trees
# Access the contents of a blob
# git show <hash-blob>
bandit28@bandit:/tmp/tmp.7wMuSspT90/repo/.git/objects/pack$ git show b3021059432503a2f1dbd069cc13c3afc37a6cb2
# Bandit Notes
Some notes for level29 of bandit.
## credentials
- username: bandit29
- password: tQKvmcwNYcFS6vmPHIUSI3ShmsrQZK8S
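How the .idx file maps object names to offsets in the .pack file, shown as an added example that is not code from the walkthrough or from Git itself: a reader for the version 2 pack index layout (magic, 256-entry fan-out table, sorted SHA-1 names, CRC32s, 32-bit offsets, optional 64-bit offsets, trailing checksums) with a lookup that uses the fan-out table. The index bytes, object names and offsets are constructed for the example, and the class and function names are hypothetical.

```python
import hashlib
import struct

IDX_MAGIC = b"\xfftOc"   # first four bytes of a version >= 2 pack index
HEADER = 8               # magic + 4-byte version
FANOUT = 256 * 4         # 256 big-endian counters


class PackIndex:
    """Read-only view of a version 2 pack index with SHA-1 object names."""

    def __init__(self, raw: bytes):
        if len(raw) < HEADER + FANOUT + 40:
            raise ValueError("truncated index")
        if raw[:4] != IDX_MAGIC or struct.unpack_from(">I", raw, 4)[0] != 2:
            raise ValueError("not a version 2 pack index")
        if hashlib.sha1(raw[:-20]).digest() != raw[-20:]:
            raise ValueError("index checksum mismatch")
        self.raw = raw
        # fanout[b] = number of objects whose first name byte is <= b
        self.fanout = struct.unpack_from(">256I", raw, HEADER)
        self.count = self.fanout[255]
        self.names_at = HEADER + FANOUT
        self.offsets_at = self.names_at + 24 * self.count  # names (20) + CRC32 (4)
        self.large_at = self.offsets_at + 4 * self.count
        if self.large_at + 40 > len(raw):
            raise ValueError("truncated index")
        self.pack_checksum = raw[-40:-20].hex()

    def name(self, i: int) -> bytes:
        start = self.names_at + 20 * i
        return self.raw[start:start + 20]

    def offset(self, i: int) -> int:
        (off,) = struct.unpack_from(">I", self.raw, self.offsets_at + 4 * i)
        if off & 0x80000000:  # high bit set: index into the 64-bit offset table
            pos = self.large_at + 8 * (off & 0x7FFFFFFF)
            if pos + 8 > len(self.raw) - 40:
                raise ValueError("large offset entry out of range")
            (off,) = struct.unpack_from(">Q", self.raw, pos)
        return off

    def find(self, hex_name: str):
        """Offset of one object, or None; the fan-out table narrows the search."""
        target = bytes.fromhex(hex_name)
        lo = self.fanout[target[0] - 1] if target[0] else 0
        hi = self.fanout[target[0]]
        while lo < hi:
            mid = (lo + hi) // 2
            cur = self.name(mid)
            if cur == target:
                return self.offset(mid)
            if cur < target:
                lo = mid + 1
            else:
                hi = mid
        return None

    def objects(self) -> dict:
        return {self.name(i).hex(): self.offset(i) for i in range(self.count)}


def build_idx_v2(entries: dict, pack_checksum: bytes) -> bytes:
    """Build a constructed index; entries maps 40-hex object name -> pack offset."""
    names = sorted(bytes.fromhex(n) for n in entries)
    fanout = [sum(1 for n in names if n[0] <= b) for b in range(256)]
    body = IDX_MAGIC + struct.pack(">I", 2) + struct.pack(">256I", *fanout)
    body += b"".join(names)
    body += b"\x00" * (4 * len(names))  # CRC32 column, zeroed in this sample
    large = []
    for n in names:
        off = entries[n.hex()]
        if off >= 0x80000000:
            body += struct.pack(">I", 0x80000000 | len(large))
            large.append(off)
        else:
            body += struct.pack(">I", off)
    body += b"".join(struct.pack(">Q", o) for o in large) + pack_checksum
    return body + hashlib.sha1(body).digest()


if __name__ == "__main__":
    # Constructed object names and offsets, not taken from any real repository.
    sample = {hashlib.sha1(f"constructed object {i}".encode()).hexdigest(): 12 + 100 * i
              for i in range(4)}
    index = PackIndex(build_idx_v2(sample, b"\x11" * 20))
    for obj, off in index.objects().items():
        print(obj, off)
```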
Bandit 29
There is a git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo via the port 2220. The password for the user bandit29-git is the same as for the user bandit29.
Clone the repository and find the password for the next level.
# Create a temporary directory
bandit29@bandit:~$ mktemp -d
/tmp/tmp.uAqSuX2b4y
bandit29@bandit:~$ cd /tmp/tmp.uAqSuX2b4y
bandit29@bandit:/tmp/tmp.uAqSuX2b4y$ git clone ssh://bandit29-git@localhost:2220/home/bandit29-git/repo
Cloning into 'repo'...
_ _ _ _
| |__ __ _ _ __ __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|
This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames
bandit29-git@localhost's password:
remote: Enumerating objects: 16, done.
remote: Counting objects: 100% (16/16), done.
remote: Compressing objects: 100% (11/11), done.
remote: Total 16 (delta 2), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (16/16), done.
Resolving deltas: 100% (2/2), done.
bandit29@bandit:/tmp/tmp.uAqSuX2b4y$ ls
repo
bandit29@bandit:/tmp/tmp.uAqSuX2b4y$ cd repo
bandit29@bandit:/tmp/tmp.uAqSuX2b4y/repo$ ls
README.md
bandit29@bandit:/tmp/tmp.uAqSuX2b4y/repo$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.
## credentials
- username: bandit30
- password: <no passwords in production!>
# As in the previous level there is a hidden .git folder
bandit29@bandit:/tmp/tmp.uAqSuX2b4y/repo$ ls -la
total 16
drwxrwxr-x 3 bandit29 bandit29 4096 Oct 29 23:44 .
drwx------ 3 bandit29 bandit29 4096 Oct 29 23:44 ..
drwxrwxr-x 8 bandit29 bandit29 4096 Oct 29 23:44 .git # Hidden folder
-rw-rw-r-- 1 bandit29 bandit29 131 Oct 29 23:44 README.md
bandit29@bandit:/tmp/tmp.uAqSuX2b4y/repo$ cd .git
bandit29@bandit:/tmp/tmp.uAqSuX2b4y/repo/.git$ ls
branches config description HEAD hooks index info logs objects packed-refs refs
bandit29@bandit:/tmp/tmp.uAqSuX2b4y/repo/.git$ cd objects/
bandit29@bandit:/tmp/tmp.uAqSuX2b4y/repo/.git/objects$ ls
info pack
bandit29@bandit:/tmp/tmp.uAqSuX2b4y/repo/.git/objects$ cd pack/
bandit29@bandit:/tmp/tmp.uAqSuX2b4y/repo/.git/objects/pack$ ls
pack-4d153e0bc1d6bbc4cadcf178df5ed91af05a8f2f.idx
pack-4d153e0bc1d6bbc4cadcf178df5ed91af05a8f2f.pack
# Verify the .pack
bandit29@bandit:/tmp/tmp.uAqSuX2b4y/repo/.git/objects/pack$ git verify-pack -v pack-4d153e0bc1d6bbc4cadcf178df5ed91af05a8f2f.pack
4364630b3b27c92aff7b36de7bb6ed2d30b60f88 commit 227 154 12
1d160de5f8f647f00634bbf3d49b9244275217b6 commit 250 169 166
07b750deb96fe4c903a3f93e41518adb3866f336 commit 268 187 335
fca34ddb7d1ff1f78df36538252aea650b0b040d commit 194 138 522
73d0f769233ffc2f59595412e22f41afc6218c04 commit 228 154 660
142b5e592d0aaf696b49d99d9a8427c8561e324b tree 37 48 814
a4b1cf1547e5efd9834d866a770095acb6b71635 blob 134 125 862 # This is where the password is
1af21d3f1b0e56e36ecec7175fb2a9fa9af0aeb6 blob 38 49 987 1 a4b1cf1547e5efd9834d866a770095acb6b71635
6208795cc5074c0f5160a3377083fdc7b3c70343 tree 68 78 1036
0c5f36d5895023c36035b7352c5b0113f6326550 tree 40 51 1114
8b137891791fe96927ad78e64b0aad7bded08bdc blob 1 10 1165
3d7503a65449fdbc36fa829d3faae16b644e9f69 tree 72 83 1175
7faa0cec7a6deda017a0ebe41d23b1c9fa3d1627 tree 37 48 1258
a9476df74c81524c8049b0a9ef122a5e78715b44 tree 37 48 1306
2da2f39a66514440bfb172c48508fbc6ab9569ff blob 12 23 1354 2 1af21d3f1b0e56e36ecec7175fb2a9fa9af0aeb6
4f5f3b22dd8480c80d8fffd956bc11046fa9b575 tree 68 78 1377
non delta: 14 objects
chain length = 1: 1 object
chain length = 2: 1 object
pack-4d153e0bc1d6bbc4cadcf178df5ed91af05a8f2f.pack: ok
# Access the contents of a blob
bandit29@bandit:/tmp/tmp.uAqSuX2b4y/repo/.git/objects/pack$ git show a4b1cf1547e5efd9834d866a770095acb6b71635
# Bandit Notes
Some notes for bandit30 of bandit.
## credentials
- username: bandit30
- password: xbhV3HpNGlTIdnjUrdAlPzc2L6y9EOnS
Bandit 30
There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo via the port 2220. The password for the user bandit30-git is the same as for the user bandit30.
Clone the repository and find the password for the next level.
bandit30@bandit:~$ mktemp -d
/tmp/tmp.LuHgAz3njQ
bandit30@bandit:~$ cd /tmp/tmp.LuHgAz3njQ
bandit30@bandit:/tmp/tmp.LuHgAz3njQ$ git clone ssh://bandit30-git@localhost:2220/home/bandit30-git/repo
Cloning into 'repo'...
_ _ _ _
| |__ __ _ _ __ __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|
This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames
bandit30-git@localhost's password:
remote: Enumerating objects: 4, done.
remote: Counting objects: 100% (4/4), done.
remote: Total 4 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (4/4), done.
bandit30@bandit:/tmp/tmp.LuHgAz3njQ$ ls
repo
bandit30@bandit:/tmp/tmp.LuHgAz3njQ$ cd repo
bandit30@bandit:/tmp/tmp.LuHgAz3njQ/repo$ ls
README.md
bandit30@bandit:/tmp/tmp.LuHgAz3njQ/repo$ cat README.md
just an epmty file... muahaha
# As in the previous levels there is a hidden folder
bandit30@bandit:/tmp/tmp.LuHgAz3njQ/repo$ ls -la
total 16
drwxrwxr-x 3 bandit30 bandit30 4096 Oct 29 23:56 .
drwx------ 3 bandit30 bandit30 4096 Oct 29 23:56 ..
drwxrwxr-x 8 bandit30 bandit30 4096 Oct 29 23:56 .git
-rw-rw-r-- 1 bandit30 bandit30 30 Oct 29 23:56 README.md
bandit30@bandit:/tmp/tmp.LuHgAz3njQ/repo$ cd .git
bandit30@bandit:/tmp/tmp.LuHgAz3njQ/repo/.git$ ls
branches config description HEAD hooks index info logs objects packed-refs refs
bandit30@bandit:/tmp/tmp.LuHgAz3njQ/repo/.git$ ls -la
total 52
drwxrwxr-x 8 bandit30 bandit30 4096 Oct 29 23:56 .
drwxrwxr-x 3 bandit30 bandit30 4096 Oct 29 23:56 ..
drwxrwxr-x 2 bandit30 bandit30 4096 Oct 29 23:56 branches
-rw-rw-r-- 1 bandit30 bandit30 281 Oct 29 23:56 config
-rw-rw-r-- 1 bandit30 bandit30 73 Oct 29 23:56 description
-rw-rw-r-- 1 bandit30 bandit30 23 Oct 29 23:56 HEAD
drwxrwxr-x 2 bandit30 bandit30 4096 Oct 29 23:56 hooks
-rw-rw-r-- 1 bandit30 bandit30 137 Oct 29 23:56 index
drwxrwxr-x 2 bandit30 bandit30 4096 Oct 29 23:56 info
drwxrwxr-x 3 bandit30 bandit30 4096 Oct 29 23:56 logs
drwxrwxr-x 4 bandit30 bandit30 4096 Oct 29 23:56 objects
-rw-rw-r-- 1 bandit30 bandit30 172 Oct 29 23:56 packed-refs
drwxrwxr-x 5 bandit30 bandit30 4096 Oct 29 23:56 refs
# In the previous levels the passwords have always been under objects
bandit30@bandit:/tmp/tmp.LuHgAz3njQ/repo/.git$ cd objects/
bandit30@bandit:/tmp/tmp.LuHgAz3njQ/repo/.git/objects$ ls
info pack
bandit30@bandit:/tmp/tmp.LuHgAz3njQ/repo/.git/objects$ cd pack
bandit30@bandit:/tmp/tmp.LuHgAz3njQ/repo/.git/objects/pack$ ls
pack-5dd047e45dd131498476a052c2995fd1aae73453.idx
pack-5dd047e45dd131498476a052c2995fd1aae73453.pack
bandit30@bandit:/tmp/tmp.LuHgAz3njQ/repo/.git/objects/pack$ git verify-pack -v pack-5dd047e45dd131498476a052c2995fd1aae73453.pack
d39631d73f786269b895ae9a7b14760cbf40a99f commit 194 138 12
831aac2e2341f009e40e46392a4f5dd318483019 blob 33 43 150 # This is where the password is
bd85592e905590f084b8df33363a46f9ac4aa708 tree 37 48 193
029ba421ef4c34205d52133f8da3d69bc1853777 blob 30 38 241
non delta: 4 objects
pack-5dd047e45dd131498476a052c2995fd1aae73453.pack: ok
# We find the password in the blob
bandit30@bandit:/tmp/tmp.LuHgAz3njQ/repo/.git/objects/pack$ git show 831aac2e2341f009e40e46392a4f5dd318483019
OoffzGDlzhAlerFJ2cAiz1D41JW1Mhmt # This is the bandit31 password
Bandit 31
There is a git repository at ssh://bandit31-git@localhost/home/bandit31-git/repo via the port 2220. The password for the user bandit31-git is the same as for the user bandit31.
Clone the repository and find the password for the next level.
# As always, we create a temporary directory
bandit31@bandit:~$ mktemp -d
/tmp/tmp.703FYu1tN7
bandit31@bandit:~$ cd /tmp/tmp.703FYu1tN7
bandit31@bandit:/tmp/tmp.703FYu1tN7$ git clone ssh://bandit31-git@localhost:2220/home/bandit31-git/repo
Cloning into 'repo'...
_ _ _ _
| |__ __ _ _ __ __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|
This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames
bandit31-git@localhost's password:
remote: Enumerating objects: 4, done.
remote: Counting objects: 100% (4/4), done.
remote: Compressing objects: 100% (3/3), done.
remote: Total 4 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (4/4), done.
bandit31@bandit:/tmp/tmp.703FYu1tN7$ ls
repo
bandit31@bandit:/tmp/tmp.703FYu1tN7$ cd repo
bandit31@bandit:/tmp/tmp.703FYu1tN7/repo$ ls
README.md
bandit31@bandit:/tmp/tmp.703FYu1tN7/repo$ cat README.md
This time your task is to push a file to the remote repository.
Details:
File name: key.txt
Content: 'May I come in?'
Branch: master
# We must push a file to a remote repository
bandit31@bandit:/tmp/tmp.703FYu1tN7/repo$ echo 'May I come in?' > key.txt
bandit31@bandit:/tmp/tmp.703FYu1tN7/repo$ git add -f key.txt
bandit31@bandit:/tmp/tmp.703FYu1tN7/repo$ git commit -m "Add key.txt file"
[master 47fb29d] Add key.txt file
1 file changed, 1 insertion(+)
create mode 100644 key.txt
bandit31@bandit:/tmp/tmp.703FYu1tN7/repo$ git push origin master
_ _ _ _
| |__ __ _ _ __ __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|
This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames
bandit31-git@localhost's password:
Enumerating objects: 4, done.
Counting objects: 100% (4/4), done.
Delta compression using up to 2 threads
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 329 bytes | 329.00 KiB/s, done.
Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
remote: ### Attempting to validate files... ####
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
remote: Well done! Here is the password for the next level:
remote: rmCBvG56y58BXzv98yZGdO7ATVL5dW8y
Bandit 32
After all this git stuff its time for another escape. Good luck!
# On login we land in an uppercase shell, so commands do not work
WELCOME TO THE UPPERCASE SHELL
>> ls
sh: 1: LS: Permission denied
>> cd ..
sh: 1: CD: Permission denied
>> sudo -l
sh: 1: SUDO: Permission denied
>> whoami
sh: 1: WHOAMI: Permission denied
# To get around it we enter the $0 variable, which expands to the name of the running shell (sh)
>> $0
$ ls
uppershell
$ pwd
/home/bandit32
$ cat /etc/bandit_pass/bandit33
odHo63fHiFqcWWJG9rLiLDtPm45KzUKy
Bandit 33
At this moment, level 34 does not exist yet.
bandit33@bandit:~$ ls
README.txt
bandit33@bandit:~$ cat README.txt
Congratulations on solving the last level of this game!
At this moment, there are no more levels to play in this game. However, we are constantly working
on new levels and will most likely expand this game with more levels soon.
Keep an eye out for an announcement on our usual communication channels!
In the meantime, you could play some of our other wargames.
If you have an idea for an awesome new level, please let us know!