Bandit Soluciones

Jul 7, 2021 · 7 min read · bash ·

Son juegos de guerra ofrecidos por la comunidad OverTheWire que nos ayudan a aprender y practicar conceptos de seguridad en forma de juegos divertidos.

El enlace para poder jugar un momento: Over the wire, Bandit

Iniciamos!!!

Usuario: bandit0
Puerto: 2220
Contraseña: bandit0
URL: banditlabs.overthewire.org

Bandit Level 0 → Level 1

SSH : ssh -o PubkeyAuthentication=no -p2220 bandit0@bandit.labs.overthewire.org
Solución:

1$ cat readme
2boJ9jbbUNNfktd78OOpsqOltutMc3MY1

Bandit Level 1 → Level 2

SSH: ssh -o PubkeyAuthentication=no -p2220 bandit1@bandit.labs.overthewire.org
Solución:

1$ cat /home/bandit1/-
2CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

Bandit Level 2 → Level 3

SSH: ssh -o PubkeyAuthentication=no -p2220 bandit2@bandit.labs.overthewire.org
Solución:

1$ cat spaces\ in\ this\ filename
2UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

Bandit Level 3 → Level 4

SSH: ssh -o PubkeyAuthentication=no -p2220 bandit3@bandit.labs.overthewire.org
Solución:

1$ cd inhere/
2$ ls -la
3$ cat .hidden
4pIwrPrtPN36QITSp3EQaw936yaFoFgAB

Bandit Level 4 → Level 5

SSH: ssh -o PubkeyAuthentication=no -p2220 bandit4@bandit.labs.overthewire.org
Solución:

1$ cd inhere/
2$ ls -la
3$ file /home/bandit4/inhere/-*
4$ cat /home/bandit4/inhere/-file07
5koReBOKuIDDepwhWk7jZC0RTdopnAYKh

Bandit Level 5 → Level 6

SSH: ssh -o PubkeyAuthentication=no -p2220 bandit5@bandit.labs.overthewire.org
Solución:

1$ find . -size 1033c ! -executable
2$ cat ./inhere/maybehere07/.file2
3DXjZPULLxYr17uwoI01bNLQbtFemEgo7

Bandit Level 6 → Level 7

SSH: ssh -o PubkeyAuthentication=no -p2220 bandit6@bandit.labs.overthewire.org
Solución:

1$ find / -size 33c -group bandit6 -user bandit7 2>/dev/null
2$ ls -l /var/lib/dpkg/info/bandit7.password
3$ cat /var/lib/dpkg/info/bandit7.password
4HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

Bandit Level 7 → Level 8

SSH: ssh -o PubkeyAuthentication=no -p2220 bandit7@bandit.labs.overthewire.org
Solución:

1$ grep 'millionth' data.txt
2millionth	cvX2JJa4CFALtqS87jk27qwqGhBM9plV

Bandit Level 8 → Level 9

SSH: ssh -o PubkeyAuthentication=no -p2220 bandit8@bandit.labs.overthewire.org
Solución:

1$ cat data.txt | sort | uniq -u
2UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

Bandit Level 9 → Level 10

SSH: ssh -o PubkeyAuthentication=no -p2220 bandit9@bandit.labs.overthewire.org
Solución:

1$ strings data.txt | grep '='
2========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk

Bandit Level 10 → Level 11

SSH: ssh -o PubkeyAuthentication=no -p2220 bandit10@bandit.labs.overthewire.org
Solución:

1$ cat data.txt
2$ base64 -d data.txt 
3The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

Bandit Level 11 → Level 12

SSH: ssh -o PubkeyAuthentication=no -p2220 bandit11@bandit.labs.overthewire.org
Solución:

1$ cat data.txt | tr a-zA-Z n-za-mN-ZA-M
2The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

Bandit Level 12 → Level 13

SSH: ssh -o PubkeyAuthentication=no -p2220 bandit12@bandit.labs.overthewire.org
Solución:

1$ mkdir /tmp/fcch
2$ cp data.txt /tmp/fcch/data.raw
3$ cd /tmp/fcch/
4$ xxd -r data.raw > data1
5## $ file nombre_datos
6## $ gzip -cd data1 > data2
7## $ bzip2 -d data2 output_file: data2.out
8## $ tar -xvf data*
9The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

Bandit Level 13 → Level 14

SSH: ssh -o PubkeyAuthentication=no -p2220 bandit13@bandit.labs.overthewire.org
Solución:

1$ cat sshkey.private
2$ ssh -i sshkey.private bandit14@localhost 
3$ cat /etc/bandit_pass/bandit14
44wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

Bandit Level 14 → Level 15

SSH: ssh -i sshkey.private bandit14@localhost
Solución:

1$ cat /etc/bandit_pass/bandit14
2$ telnet localhost 30000
3BfMYroe26WYalil77FoDi9qh59eK5xNr

Bandit Level 15 → Level 16

SSH: ssh -o PubkeyAuthentication=no -p2220 bandit15@bandit.labs.overthewire.org
Solución:

1$ echo 'BfMYroe26WYalil77FoDi9qh59eK5xNr' | openssl s_client -quiet -connect localhost:30001
2cluFn7wTiGryunymYOu4RcffSxQluehd

Bandit Level 16 → Level 17

SSH: ssh -o PubkeyAuthentication=no -p2220 bandit16@bandit.labs.overthewire.org
Solución:

 1$ nmap -sT localhost -p 31000-32000
 2$ echo fcch | nc localhost 31046
 3## Lo mismo
 4$ echo fcch | nc localhost 31518
 5## Nada
 6$ echo fcch | nc localhost 31691
 7## Lo mismo
 8$ echo fcch | nc localhost 31790
 9## Nada
10$ echo fcch | nc localhost 31960
11## Lo mismo
12$ echo cluFn7wTiGryunymYOu4RcffSxQluehd | openssl s_client -quiet -connect localhost:31518
13cluFn7wTiGryunymYOu4RcffSxQluehd ## Se descarta
14$ echo cluFn7wTiGryunymYOu4RcffSxQluehd | openssl s_client -quiet -connect localhost:31790
15-----BEGIN RSA PRIVATE KEY-----
16MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
17imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
18Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
19DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
20JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
21x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
22KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
23J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
24d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
25YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
26vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
27+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
288c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
29SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
30HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
31SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
32R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
33Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
34R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
35L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
36blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
37YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
3877pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
39dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
40vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
41-----END RSA PRIVATE KEY-----
42$ mkdir /tmp/fcch-16
43$ cd /tmp/fcch-16
44$ vim sshkey.private ## Paste ssh key
45$ chmod 600 sshkey.private
46$ ssh -i sshkey.private bandit17@localhost
47## Como se obtuvo la clave ssh privada para el nivel 17 entonces se pasa al reto 18

Bandit Level 17 → Level 18

SSH: ssh -i sshkey.private bandit17@localhost
Solución:

1$ diff passwords.old passwords.new
2$ grep kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd passwords.new
3kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd

Bandit Level 18 → Level 19

SSH: ssh -o PubkeyAuthentication=no -p2220 bandit18@bandit.labs.overthewire.org "cat /home/bandit18/readme"
Solución:

1$ ssh -o PubkeyAuthentication=no -p2220 bandit18@bandit.labs.overthewire.org "cat /home/bandit18/readme"
2IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

Bandit Level 19 → Level 20

SSH: ssh -o PubkeyAuthentication=no -p2220 bandit19@bandit.labs.overthewire.org
Solución:

 1$ ls -l 
 2$ file bandit20-do
 3$ ./bandit20-do
 4$ ./bandit20-do --help
 5$ find / -user bandit20 2>/dev/null
 6$ cat /etc/dpkg/.info20.txt
 7$ ./bandit20-do cat /etc/dpkg//.info20.txt
 8$ cat /etc/bandit_pass/bandit20
 9$ ./bandit20-do cat /etc/bandit_pass/bandit20
10GbKksEFF4yrVs6il55v6gwY5aVje5f0j

Bandit Level 20 → Level 21

SSH: ssh -o PubkeyAuthentication=no -p2220 bandit20@bandit.labs.overthewire.org
Solución:

1$ nc -l -p 4321
2$ nc localhost 4321
3$ echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | nc -l -p 4321 &
4$ ./suconnect 4321
5gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr

Bandit Level 21 → Level 22

SSH: ssh -o PubkeyAuthentication=no -p2220 bandit21@bandit.labs.overthewire.org
Solución:

1$ cd /etc/cron.d/
2$ ls -l
3$ cat cronjob_bandit22
4$ /usr/bin/cronjob_bandit22.sh
5$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
6Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

Bandit Level 22 → Level 23

SSH: ssh -o PubkeyAuthentication=no -p2220 bandit22@bandit.labs.overthewire.org
Solución:

 1$ cd /etc/cron.d/
 2$ ls -l 
 3$ cat cronjob_bandit23
 4$ cat /usr/bin/cronjob_bandit23.sh
 5-- #!/bin/bash
 6-- myname=$(whoami)
 7-- mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
 8-- echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
 9-- cat /etc/bandit_pass/$myname > /tmp/$mytarget
10$ /usr/bin/cronjob_bandit23.sh
11## whoami = bandit22
12$ myname=bandit23
13$ mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
14$ echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
15$ cat /etc/bandit_pass/$myname > /tmp/$mytarget
16$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
17jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n

Bandit Level 23 → Level 24

SSH: ssh -o PubkeyAuthentication=no -p2220 bandit23@bandit.labs.overthewire.org
Solución:

 1$ cd /etc/cron.d/
 2$ ls -l 
 3$ cat cronjob_bandit24
 4$ cat /usr/bin/cronjob_bandit24.sh
 5$ mkdir /tmp/fcchx
 6$ cd /tmp/fcchx
 7$ touch getx.sh
 8$ chmod 777 getx.sh
 9$ ls -la getx.sh
10$ vim getx.sh
11-- #!/bin/bash
12-- cat /etc/bandit_pass/bandit24 > /tmp/fcchx/password
13$ touch password
14$ chmod 666 password
15$ ls -la password
16$ cp getx.sh /var/spool/bandit24/
17## Wait 5 sec.
18$ cat password
19UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

Bandit Level 24 → Level 25

SSH: ssh -o PubkeyAuthentication=no -p2220 bandit24@bandit.labs.overthewire.org
Solución:

 1$ cd /tmp
 2$ mkdir fcch-pass25; cd fcch-pass25; touch genpass.sh
 3$ vim genpass.sh
 4-- #!/bin/bash
 5-- pass=UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
 6-- for i in {0000..9999} 
 7-- do
 8--    echo $pass $i >> pass25.txt
 9-- done
10$ cat pass25,txt | nc localhost 30001
11uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

Bandit Level 25 → Level 26

SSH: ssh -o PubkeyAuthentication=no -p2220 bandit25@bandit.labs.overthewire.org
Solución:

 1$ file bandit26.sshkey
 2$ ssh -i bandit26.sshkey bandit26@localhost
 3$ cat /etc/passwd
 4$ cat /etc/passwd | grep bandit26
 5$ cat /usr/bin/showtext
 6-- #!/bin/sh
 7-- export TERM=linux
 8-- more ~/text.txt
 9-- exit 0
10# Por el comando "more" en el script se debe redimensionar la ventana de la terminal a un tamaño pequeño.
11$ ssh -i bandit26.sshkey bandit26@localhost
12# -- More -- con esta pantalla podemos ingresar a la pantalla de ayuda del comando "More" tecleando "h", luego podemos iniciar el editor vi tecleando la tecla "v" (/usr/bin/vi), dentro del editor tecleamos ":set shell=/bin/bash" y aun dentro de vi ":shell".
13$ cat /etc/bandit_pass/bandit26
145czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z

Bandit Level 26 → Level 27

SSH: ssh -i bandit26.sshkey bandit26@localhost
Solución:

1$ ls -la
2$ file bandit27-do
3$ cat text.txt
4$ ./bandit27-do id
5$ ./bandit27-do whoami
6$ echo 'cat /etc/bandit_pass/bandit27' > /tmp/getpass27.sh
7$ chmod a+x /tmp/getpass27.sh
8$ ./bandit27-do /tmp/getpass27.sh
93ba3118a22e93127a4ed485be72ef5ea

Bandit Level 27 → Level 28

SSH: ssh -o PubkeyAuthentication=no -p2220 bandit27@bandit.labs.overthewire.org
Solución:

1$ mkdir /tmp/fcch-git
2$ cd /tmp/fcch-git
3$ git clone ssh://bandit27-git@localhost/home/bandit27-git/repo
4$ cat repo/README
5The password to the next level is: 0ef186ac70e04ea33b4c1853d2526fa2

Bandit Level 28 → Level 29

SSH: ssh -o PubkeyAuthentication=no -p2220 bandit28@bandit.labs.overthewire.org
Solución:

 1$ mkdir /tmp/fcch28git
 2$ cd /tmp/fcch28git
 3$ git clone ssh://bandit28-git@localhost/home/bandit28-git/repo
 4$ cd repo
 5$ ls -la 
 6$ ls -la .git
 7$ git log
 8$ git diff b67405defc6ef44210c53345fc953e6a21338cc7 186a1038cc54d1358d42d468cdc8e3cc28a93fcb
 9$ git diff b67405defc6ef44210c53345fc953e6a21338cc7 073c27c130e6ee407e12faad1dd3848a110c4f95
10$ git diff 186a1038cc54d1358d42d468cdc8e3cc28a93fcb 073c27c130e6ee407e12faad1dd3848a110c4f95
11bbc96594b4e001778eee9975372716b2

Bandit Level 29 → Level 30

SSH: ssh -o PubkeyAuthentication=no -p2220 bandit29@bandit.labs.overthewire.org
Solución:

1$ mkdir /tmp/fcch29git
2$ cd /tmp/fcch29git
3$ cat README.md
4$ git branch
5$ git branch -a
6$ git checkout dev
7$ git log 
8$ git diff 33ce2e95d9c5d6fb0a40e5ee9a2926903646b4e3 a8af722fccd4206fc3780bd3ede35b2c03886d9b
95b90576bedb2cc04c86a9e924ce42faf

Bandit Level 30 → Level 31

SSH: ssh -o PubkeyAuthentication=no -p2220 bandit30@bandit.labs.overthewire.org
Solución:

 1$ git clone ssh://bandit30-git@localhost/home/bandit30-git/repo
 2$ cd repo
 3$ cat README.md
 4$ git branch -a
 5$ git show-branch --all
 6$ git log
 7$ cat .git/packed-refs
 8$ git show-ref --tags -d
 9$ git show --name-only secret
1047e603bb428404d265f59c42920d81e5

Bandit Level 31 → Level 32

SSH: ssh -o PubkeyAuthentication=no -p2220 bandit31@bandit.labs.overthewire.org
Solución:

 1$ mkdir /tmp/fcch31git
 2$ cd /tmp/fcch31git
 3$ git clone ssh://bandit31-git@localhost/home/bandit31-git/repo
 4$ cd repo
 5$ ls -la
 6$ cat README.md
 7$ touch key.txt
 8$ vim key.txt
 9-- May I come in?
10$ cat .gitignore
11-- *.txt
12$ git add	-f key.txt
13$ git commit -m 'add key'
14$ git push origin master
15-- remote: Well done! Here is the password for the next level:
16-- remote: 56a9bf19c63d650ce78e6ec0354ee45e

Bandit Level 32 → Level 33

SSH: ssh -o PubkeyAuthentication=no -p2220 bandit32@bandit.labs.overthewire.org
Solución:

1$ ls
2$ clear
3>> $0
4$ pwd
5$ ls -la 
6$ file uppershell
7$ cat uppershell
8$ cat /etc/bandit_pass/bandit33
9c9c3199ddf4121b10cf581a98d51caee

Bandit Level 33 → Level 34

At this moment, level 34 does not exist yet.

Referencias

Over the wire, Bandit

Traducciones:

"English" |