Bandit is a game for beginners in Linux and Bash. As it is a great guide for learning the command line and Linux. So we will continue with the game here is the link for the next level.
Bandit overthewire wargames level 21 – 25
Level 26→30
- Host: bandit.labs.overthewire.org
- port: 2220
bandit level 25 → 26
As we are instructed the shell for user bandit 26 is not /bin/bash, but something else. We will understand how it works and bypass it. But for that first, we use ‘ls’ command. As we can see its an ssh key to login bandit 26. After trying to login we see a message “Connection to localhost closed.” As we know shell is different for bandit26 as a result we cannot connect. After that, we will find the shell of bandit26. All information related environment of users is stored in /etc/passwd. But we only need information on bandit26 so we will use grep command and see the shell is /usr/bin/showtext. Then we read the contents of the file using cat command.
- ls
- ssh -i bandit26.sshkey [email protected]
- cat /etc/passwd | grep bandit26
- cat /usr/bin/showtext
As written in last line of /usr/bin/showtext we will resize the terminal to minimal because it will trigger show more. After that we will sign in using sshkey.
- ssh -i bandit26.sshkey [email protected]
As we see after logging in using ssh –More– will be triggered. Now we can enter inside using a command-line editor. Firstly we will press v to enter the text editor that is set in the $EDITOR shell variable.
- v
Once we are inside editor we can get password using command ‘:e /etc/bandit_pass/bandit26’, as this command will read the content of the file /etc/bandit_pass/bandit26.
- :e /etc/bandit_pass/bandit26
bandit level 26 → 27
We will continue from we left on previous level. Firstly, we will get shell of bandit 27 and get the password. So to get the shell, we will set shell parameter as /bin/bash “:set shell=/bin/bash”. After that we will access the shell by typing “:shell”
- :set shell=/bin/bash
- :shell
As we perform all the steps we will get the shell and we can verify it by whoami command.
- whoami
After getting the shell for bandit26 we type ls -l command to see the file along with there permission and ownership. As we can see bandit27-do has ownership by bandit27 means it can be run as bandit27. So we will run the command as bandit27 and get the password.
- ls -l
- ./bandit27-do cat /etc/bandit_pass/bandit27
bandit level 27 → 28
As we are instructed we have to get a git repository and find the password in it. First, we will make a temporary directory in /tmp folder then we will use “git clone” to download the repository in our temporary folder. We will enter the password of the git repository the same as the password of the bandit27 user.
- mkdir /tmp/git-27
- cd /tmp/git-27
- git clone ssh://[email protected]/home/bandit27-git/repo
After downloading the git repository we use “git log” and see there is only one commit as README. Then we will use cat command to get the password from the README file.
- cd /repo
- git log
- cat README
bandit level 28 → 29
As we are instructed we have to get a git repository and find the password in it. First, we will make a temporary directory in /tmp folder then we will use “git clone” to download the repository in our temporary folder. Then we will enter the password of the git repository the same as the password of the bandit28 user.
- mkdir /tmp/git-28
- cd /tmp/git-28
- git clone ssh://[email protected]/home/bandit28-git/repo
After download git repository we use git log command to see the information about all the commits made. As we can see there is commit called add missing data. There is a probability that missing data is password for next level.
- git log
After that we will go to the commit with comment add missing data. So we will use git checkout “commit-ID” to go inside that commit. Then we use cat command to read the content of README.md and get the password.
- git checkout c086d
- cat README.md
bandit level 29 → 30
As we are instructed we will get a git repository and find the password in it. First, we will make a temporary directory in /tmp folder then we will use “git clone” to download the repository in our temporary folder. Then we will enter the password of the git repository the same as the password of the bandit29 user.
- mkdir /tmp/git-29
- cd /tmp/git-29
- git clone ssh://[email protected]/home/bandit29-git/repo
After that we see all the commits using git log. But we dont find any useful information regarding password.
- ls
- cd repo
- git log
So we see if there are other branches in the commit because password can be hidden in other branches. Then we use “git branch -a” command to see all the branches in current repository. As we can see one of the branches is called /remotes/origin/master. So we switch to this branch using “git checkout dev” command.
- git branch -a
- git checkout dev
After that we use ls command to see the files. Then we use cat command to read the contents of README.md file and get the password for next level.
- ls
- cat README.md
[…] Bandit overthewire wargames level 26 – 30 […]
[…] Bandit overthewire wargames level 26 – 30 […]