OverTheWire | Bandit | Levels 30-34
Summary:
A write-up providing help with the Bandit wargame on the OverTheWire website, consisting of a series of 32 levels, followed by an additional challenge using an 'uppercase shell' trick at Level 33, that covers various Linux and shell scripting topics. The challenges range from basic navigation to more advanced topics like SSH authentication, file permissions, and Git usage.
Wargame Name: Bandit | Difficulty: Easy | OS: Linux
The aim of this walkthrough is to provide help with the Bandit wargame on the OverTheWire website. Please note that no flags or passwords are directly provided here. Only one of the many ways to solve the challenges.
The wargame is available under Bandit wargame.
High-Level Summary:
- Level 29 | Stealing a password from another user's git repository
- Level 30 | Stealing a password from another user's git repository
- Level 31 | Creating a new SSH key pair for authentication
- Level 32 | Using
gitto push changes to a remote repository
Note: Throughout this tutorial/walkthrough the words password and flag are used interchangeably.
Quick intro and start config
Basic idea: finish level x to get level x+1. The general connection via ssh can look like this, where x stands for the current level:
ssh [email protected] -p 2220
| SSH connection | |
|---|---|
| Host | bandit.labs.overthewire.org |
| Port | 2220 |
Level 29 -> Level 30
Level Goal: There is a git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo. The password for the user bandit29-git is the same as for the user bandit29.
Clone the repository and find the password for the next level.
Solution: We repeat the cloning the same way as we did on the previous two levels. Checking out the cloned README.md file leaves us with:
cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.
## credentials
- username: bandit30
- password: <no passwords in production!>
Sadly, no flag here. But there is a hint that there may be more branches in our repo. To list both the remote and the local branches use the -a flag.
git branch -a
dev
* master
remotes/origin/HEAD -> origin/master
remotes/origin/dev
remotes/origin/master
remotes/origin/sploits-dev
If we change over to the development branch, the flag can be found in the README.md file. ( Only the dev branch contains the flag.)
# change over to the dev branch
git checkout dev
# grab the flag
cat README.md
Level 30 -> Level 31
Level Goal: There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo. The password for the user bandit30-git is the same as for the user bandit30.
Clone the repository and find the password for the next level.
Solution: After cloning the repo as in the previous levels, we are again greeted with no flag in the README.md file. Even looking at multiple branches does not return anything interesting. But looking around does give us an idea to check out the git tags.
# list the git tags
git tag -l
secret
That's definitely something we need to look into. So we use the git show command in order to check the tagging message, which is stored with the tag.
git show secret
<flag>
The tagging message is exactly what we were looking for: our next flag/password.
Level 31 -> Level 32
Level Goal: There is a git repository at ssh://bandit31-git@localhost/home/bandit31-git/repo. The password for the user bandit31-git is the same as for the user bandit31.
Clone the repository and find the password for the next level.
Solution: Just like before, cloning first, followed by a quick recon. The exact task is written in the README.md file.
cat README.md
This time your task is to push a file to the remote repository.
Details:
File name: key.txt
Content: 'May I come in?'
Branch: master
So, let's do exactly that.
# first create and modify the key.txt file as required
echo 'May I come in?' > key.txt
# then check out the .gitignore file
cat .gitignore
*.txt
# blocks all the txt files :/
Now, change the .gitignore file to allow the key.txt file.
# allow our key.txt file
echo '!key.txt' >> .gitignore
For a successful push, an email and a name is required. Let's configure them.
# configure a local git user name and email
git config user.name "bandit31-git"
git config user.email [email protected]
Almost finished. All we have to do now is to save our changes. Using git, this is done by first staging the changed files with the git add command. Then commit those changes with the git commit command. And lastly, upload these changes with the git push command.
# stage all the changed files
git add .
...
# commit those changes
git commit -m "modified .gitignore to allow .txt files; added key.txt as required"
...
# finally, push your changes
git push
_ _ _ _
| |__ __ _ _ __ __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|
This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames
[email protected]'s password:
Enumerating objects: 6, done.
Counting objects: 100% (6/6), done.
Delta compression using up to 4 threads
Compressing objects: 100% (2/2), done.
Writing objects: 100% (4/4), 376 bytes | 376.00 KiB/s, done.
Total 4 (delta 0), reused 0 (delta 0), pack-reused 0
remote: ### Attempting to validate files... ####
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
remote: Well done! Here is the password for the next level:
remote: <flag>
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
To ssh://bandit.labs.overthewire.org:2220/home/bandit31-git/repo
! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'ssh://bandit.labs.overthewire.org:2220/home/bandit31-git/repo'
If we did everything right, the next flag is returned after we finish uploading our repo changes.
Level 32 -> Level 33
Level Goal: After all this git stuff its time for another escape. Good luck!
Solution: I was kinda stuck at this level for a while. But after a little bit of searching, I came across a very nice walkthrough walkthrough. So using the same trick:
# once we log in we are greeted with the welcome message and then some
WELCOME TO THE UPPERCASE SHELL
# break the uppercase shell with $0
>> $0
...
# grab the flag
$ cat /etc/bandit_pass/bandit33
<flag>
$
Level 33 -> Level 34
Level Goal: At this moment, level 34 does not exist yet.
Solution: It is still nice to log in :) There is a README.txt file in our home directory. Check it out.
bandit33@bandit:~$ cat README.txt
Congratulations on solving the last level of this game!
At this moment, there are no more levels to play in this game. However, we are constantly working
on new levels and will most likely expand this game with more levels soon.
Keep an eye out for an announcement on our usual communication channels!
In the meantime, you could play some of our other wargames.
If you have an idea for an awesome new level, please let us know!
bandit33@bandit:~$
And with this, we successfully finished the bandit wargame. It was very nice, kudos to the creators. :)