May 19, 2020 Reading time: 6 minutes

Bandit Level 1

• Level 0 description page https://overthewire.org/wargames/bandit/bandit0.html
• All you need to do is to log in using ssh

Bandit Level 2

Bandit Level 25

• A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for
  bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going
  through all of the 10000 combinations, called brute-forcing.

• bandit24@bandit:~$ mktemp -d
  /tmp/tmp.NLpcFsoiTB
  
  Write a script to return each combination of the pin.
  
  #!/bin/bash
  for i in {0000..9999}
  do
  echo "30002 UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i"
  done
• Then redirect the output of the script to brute_force.txt
• bandit24@bandit:~$ nc localhost 30002 < brute_force.txt
• the server will end the script when the correct pin number is found
• Correct!
  The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

Bandit Level 26

• bandit25@bandit:~$ cat bandit26.sshkey
  -----BEGIN RSA PRIVATE KEY-----
  MIIEpQIBAAKCAQEApis2AuoooEqeYWamtwX2k5z9uU1Afl2F8VyXQqbv/LTrIwdW
  pTfaeRHXzr0Y0a5Oe3GB/+W2+PReif+bPZlzTY1XFwpk+DiHk1kmL0moEW8HJuT9
  /5XbnpjSzn0eEAfFax2OcopjrzVqdBJQerkj0puv3UXY07AskgkyD5XepwGAlJOG
  xZsMq1oZqQ0W29aBtfykuGie2bxroRjuAPrYM4o3MMmtlNE5fC4G9Ihq0eq73MDi
  1ze6d2jIGce873qxn308BA2qhRPJNEbnPev5gI+5tU+UxebW8KLbk0EhoXB953Ix
  3lgOIrT9Y6skRjsMSFmC6WN/O7ovu8QzGqxdywIDAQABAoIBAAaXoETtVT9GtpHW
  qLaKHgYtLEO1tOFOhInWyolyZgL4inuRRva3CIvVEWK6TcnDyIlNL4MfcerehwGi
  il4fQFvLR7E6UFcopvhJiSJHIcvPQ9FfNFR3dYcNOQ/IFvE73bEqMwSISPwiel6w
  e1DjF3C7jHaS1s9PJfWFN982aublL/yLbJP+ou3ifdljS7QzjWZA8NRiMwmBGPIh
  Yq8weR3jIVQl3ndEYxO7Cr/wXXebZwlP6CPZb67rBy0jg+366mxQbDZIwZYEaUME
  zY5izFclr/kKj4s7NTRkC76Yx+rTNP5+BX+JT+rgz5aoQq8ghMw43NYwxjXym/MX
  c8X8g0ECgYEA1crBUAR1gSkM+5mGjjoFLJKrFP+IhUHFh25qGI4Dcxxh1f3M53le
  wF1rkp5SJnHRFm9IW3gM1JoF0PQxI5aXHRGHphwPeKnsQ/xQBRWCeYpqTme9amJV
  tD3aDHkpIhYxkNxqol5gDCAt6tdFSxqPaNfdfsfaAOXiKGrQESUjIBcCgYEAxvmI
  2ROJsBXaiM4Iyg9hUpjZIn8TW2UlH76pojFG6/KBd1NcnW3fu0ZUU790wAu7QbbU
  i7pieeqCqSYcZsmkhnOvbdx54A6NNCR2btc+si6pDOe1jdsGdXISDRHFb9QxjZCj
  6xzWMNvb5n1yUb9w9nfN1PZzATfUsOV+Fy8CbG0CgYEAifkTLwfhqZyLk2huTSWm
  pzB0ltWfDpj22MNqVzR3h3d+sHLeJVjPzIe9396rF8KGdNsWsGlWpnJMZKDjgZsz
  JQBmMc6UMYRARVP1dIKANN4eY0FSHfEebHcqXLho0mXOUTXe37DWfZza5V9Oify3
  JquBd8uUptW1Ue41H4t/ErsCgYEArc5FYtF1QXIlfcDz3oUGz16itUZpgzlb71nd
  1cbTm8EupCwWR5I1j+IEQU+JTUQyI1nwWcnKwZI+5kBbKNJUu/mLsRyY/UXYxEZh
  ibrNklm94373kV1US/0DlZUDcQba7jz9Yp/C3dT/RlwoIw5mP3UxQCizFspNKOSe
  euPeaxUCgYEAntklXwBbokgdDup/u/3ms5Lb/bm22zDOCg2HrlWQCqKEkWkAO6R5
  /Wwyqhp/wTl8VXjxWo+W+DmewGdPHGQQ5fFdqgpuQpGUq24YZS8m66v5ANBwd76t
  IZdtF5HXs2S5CADTwniUS5mX1HO9l5gUkk+h0cH5JnPtsMCnAUM+BRY=
  -----END RSA PRIVATE KEY-----

• Put the key in a file and chmod to 0600 (or 0400) to secure it
• ssh -i private_key.txt bandit26@bandit.labs.overthewire.org -p 2220

• Once you log in, it kicks you straight out again. See here for solution --> https://medium.com/@coturnix97/overthewires-bandit-25-26-shell-355d78fd2f4d

• ./bandit27.do cat /etc/bandit_pass/bandit27
• 3ba3118a22e93127a4ed485be72ef5ea
• Login with ssh to bandit27

Bandit Level 27

• Clone the git repo and find the password
• mktemp -d
• cd /tmp/tmp.xlD72j7q6i
• git clone ssh://bandit27-git@localhost/home/bandit27-git/repo
• Cloning into 'repo'...
  Could not create directory '/home/bandit27/.ssh'.
  The authenticity of host 'localhost (127.0.0.1)' can't be established.
  ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
  Are you sure you want to continue connecting (yes/no)? yes
  Failed to add the host to the list of known hosts (/home/bandit27/.ssh/known_hosts).
  This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
  
  bandit27-git@localhost's password:
  remote: Counting objects: 3, done.
  remote: Compressing objects: 100% (2/2), done.
  remote: Total 3 (delta 0), reused 0 (delta 0)
  Receiving objects: 100% (3/3), done.
  bandit27@bandit:/tmp/tmp.xlD72j7q6i$ ls
  repo
  bandit27@bandit:/tmp/tmp.xlD72j7q6i$ cd repo/
  bandit27@bandit:/tmp/tmp.xlD72j7q6i/repo$ ls
  README
  bandit27@bandit:/tmp/tmp.xlD72j7q6i/repo$ cat README
  The password to the next level is: 0ef186ac70e04ea33b4c1853d2526fa2