Bandit overthewire.org
OverTheWire.org Bandit Wargame Walkthrough. Bandit is a beginner-friendly wargame designed to teach basic command-line skills. Players progress through levels by solving increasingly complex challenges, learning essential Unix commands, and understanding shell scripting concepts. The game encourages exploration, experimentation, and resourcefulness, providing hints and guidance while promoting independent problem-solving and self-directed learning.
| Level | Solution | Description | Password |
|---|---|---|---|
| Level 0 | ssh [email protected] -p 2220 | ssh into server with port 2220. |
show passbandit0 |
| Level 0 → Level 1 | cat readme | The password for the next level is stored in a file called readme. |
show passNH2SXQwcBdpmTEzi3bvBHMM9H66vVXjL |
| Level 1 → Level 2 | cat ./- | The password for the next level is stored in a file called - located in the home directory. |
show passrRGizSaX8Mk1RTb1CNQoXTcYZWU6lgzi |
| Level 2 → Level 3 | cat “spaces in this filename” | The password for the next level is stored in a file called spaces in this filename located in the home directory. |
show passaBZ0W5EmUfAf7kHTQeOwd8bauFJ2lAiG |
| Level 3 → Level 4 | cat ./.hidden | The password for the next level is stored in a hidden file in the inhere directory. |
show pass2EW7BBsr6aMMoJ2HjW067dm8EgX26xNe |
| Level 4 → Level 5 | 1=file ./* 2=cat ./-file07 (ASCII text) |
The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command. |
show passlrIWWI6bB37kxfiCQZqUdOIYfr6eEeqR |
| Level 5 → Level 6 | find ./ -type f -size 1033c ! -executable | file somewhere under the inhere directory and has all of the following properties: 1.Human-readable. 2.1033 bytes in size 3.Not executable. |
show passP4L4vucdmLnm8I7Vl7jG1ApGSfjYKqJU |
| Level 6 → Level 7 | find / -type f -user bandit7 -group bandit6 -size 33c 2>/dev/null | stored somewhere on the server and has all of the following properties: owned by user bandit7 owned by group bandit6 33 bytes in size. |
show passz7WtoNQU2XfjmMtWA8u5rN4vzqu4v99S |
| Level 7 → Level 8 | cat data.txt | grep millionth | The password for the next level is stored in the file data.txt next to the word millionth. |
show passTESKZC0XvTetK0S9xNwm25STk5iWrBvP |
| Level 8 → Level 9 | sort data.txt | uniq -u | The password for the next level is stored in the file data.txt and is the only line of text that occurs only once. |
show passEN632PlfYiZbn3PhVK3XOGSlNInNE00t |
| Level 9 → Level 10 | strings data.txt | grep ‘==’ | stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters. |
show passG7w8LIi6J3kTb8A7j9LgrywtEUlyyp6s |
| Level 10 → Level 11 | cat data.txt | base64 -d | stored in the file data.txt, which contains base64 encoded data. |
show pass6zPeziLdR2RKNdNYFNb6nVCKzphlXHBM |
| Level 11 → Level 12 | cat data.txt | tr ‘A-Za-z’ ‘N-ZA-Mn-za-m’ | stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions. |
show passJVNBBFSmZwKKOP0XbFXOoW8chDz5yVRv |
| Level 12 → Level 13 | 1=mkdir /tmp/tmpabc 2=cp data.txt /tmp/tmpabc 3=cd /tmp/tmpabc 4=cat data.txt 5=cat data.txt | xxd -r > data 6=file data(mv data data.gz) 7=gzip -d data.gz 8=file data(mv data data.bz2) 9=bzip2 -d data.bz2 10=file data(mv data data.gz) 11=gzip -d data.gz 12=file data(mv data data.tar) 13=tar xf data.tar (rm -rf data.tar) 14=file data5.bin(mv file data5.bin data.tar) 15=tar xf data.tar 16=file data6.bin (mv data6.bin data.bz2) rm -rf data.tar 17=bzip2 -d data.bz2 18=file data(mv data data.tar) 19=tar xf data.tar (rm -rf data.tar) 20=file data8.bin(mv data8.bin data.gz) 21=gzip -d data.gz(file data:ASCII text) 22=cat data |
stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp. |
show passwbWdlBxEir4CaE8LaPhauuOo6pwRmrDw |
| Level 13 → Level 14 | option1= 1=cat sshkey.private and copy text inside2=exit. 3=create a file longkey.private 4=paste copied text and do chmod 700 longkey.private 5=ssh [email protected] -p 2220 -i longkey.private 6=cat /etc/bandit_pass/bandit14 option2= 1=login in 13 and do ls (note the file name: sshkey.private) and exit.2=now from console secure_copy to your machine: scp -P 2220 [email protected]:sshkey.private . enter previous lvl password: wbWdlBxEir4CaE8LaPhauuOo6pwRmrDw 3=chmod 700 sshkey.private4=ssh [email protected] -p 2220 -i longkey.private5=cat /etc/bandit_pass/bandit14 |
stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. |
show passfGrHPx402xGC7U7rXKDaxiWFTOiF0ENq |
| Level 14 → Level 15 | 1=cat /etc/bandit_pass/bandit14 fGrHPx402xGC7U7rXKDaxiWFTOiF0ENq 2=echo "fGrHPx402xGC7U7rXKDaxiWFTOiF0ENq" | nc localhost 30000 |
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost. |
show passCorrect! jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt |
| Level 15 → Level 16 | echo “jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt” | openssl s_client -connect localhost:30001 -ign_eof | The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption. |
show passCorrect! JQttfApK4SeyHwDlI9SXGR50qclOAil1 |
| Level 16 → Level 17 | option1= 1=nmap -p 31000-32000 localhost(or replace localhost with: 127.0.0.1) 2=nmap -p 31000,31046,31518,31691,31790,31960 -Av localhost output(31790/tcp open ssl/unknown) 3=echo "JQttfApK4SeyHwDlI9SXGR50qclOAil1" | openssl s_client -connect localhost:31790 -ign_eof 4=now exit and on your local machine and open text editor: vim bandit17.key (paste long rsa key) 5=chmod 600 bandit17.key 6=ssh -i bandit17.key [email protected] -p 2220 option2(less verbose output)= 1=nmap -sV -A -v -p 31000-32000 localhost | grep open 2=cat /etc/bandit_pass/bandit16 “lvl16password” 3=echo “JQttfApK4SeyHwDlI9SXGR50qclOAil1” | openssl s_client -connect localhost:31790 -ign_eof 4=now follow steps from 4 in option1 |
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it. |
show passRSA PRIVATE KEY similiar to level-13 |
| Level 17 → Level 18 | diff passwords.new passwords.old | There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new. |
show pass< hga5tuuCLF6fFzUpnagiMN8ssu9LFrdg |
| Level 18 → Level 19 | ssh [email protected] -p 2220 cat readme | The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH. |
show passawhqfNnAbc1naukrpqDYcF95h7HoMTrC |
| Level 19 → Level 20 | 1=./bandit20-do id 2=./bandit20-do cat /etc/bandit_pass/bandit20 |
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary. |
show passVxCazJaVykI6W36BkBU0mJTCM8rR95XT |
| Level 20 → Level 21 | first open 2 terminalsterminal-1=nc -lvp 9999 terminal-2=./suconnect 9999 terminal-1=paste password |
There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21). |
show passNvEJF7oVjkddltPSrdKEFOllh9V1IBcq |
| Level 21 → Level 22 | 1=cat /etc/cron.d/cronjob_bandit22 2=cat /usr/bin/cronjob_bandit22.sh 3=cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv |
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed. |
show passWdDozAdTM2z9DiFEQ2mGlwngMfj4EZff |
| Level 22 → Level 23 | 1=cat /etc/cron.d/cronjob_bandit23 2=cat /usr/bin/cronjob_bandit23.sh 3=echo I am user bandit23 | md5sum | cut -d ’ ’ -f 1 4=cat /tmp/8ca319486bfbbc3663ea0fbe81326349 |
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed. |
show passQYw0Y2aiA672PsMmh9puTQuhoz8SyR2G |
| Level 23 → Level 24 | 1=cat /etc/cron.d/cronjob_bandit24 2=cat /usr/bin/cronjob_bandit24.sh 3=mkdir /tmp/banditlevel23 (chmod 777 /tmp/banditlevel23) 4=cd /var/spool/bandit24/foo 5=echo “cat /etc/bandit_pass/bandit24 > /tmp/banditlevel23/password.txt” > test.sh 6=chmod 777 test.sh 7=cat /tmp/banditlevel23/password.txt |
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed. |
show passVAfGXJ1PBSsPSnvsjI8p759leLZ9GGar |
| Level 24 → Level 25 | 1=nc localhost 30002 2=VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0000 3=mkdir /tmp/brute24 (cd /tmp/brute24) 4=vim
5=chmod +x script.sh 6=./script.sh | nc localhost 30002 optional= 1=./script.sh > brute.txt 2=cat brute.txt | nc localhost 3002 |
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing. |
show passThe password of user bandit25 is p7TaowMYrmu23Ol8hiZh9UvD0O9hpx8d |
| Level 25 → Level 26 | 1=cat /etc/passwd | grep -i 26 (bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext)2=cat /usr/bin/showtext (exit)3=scp -P 2220 [email protected]:bandit26.sshkey . 4=make terminal small and do=ssh -i bandit26.sshkey [email protected] -p 2220 5=press “v” to enter editor mode and type to check which shell (:set shell?) 6=:set shell=/bin/bash (type :set shell? to confirm) 7=:shell 8=cat /etc/bandit_pass/bandit26 |
Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it. |
show passc7GvcKlw9mC7aUQaPx7nwFstuAIBw1o1 |
| Level 26 → Level 27 | 1=./bandit27-do whoami2=./bandit27-do cat /etc/bandit_pass/bandit27 |
Good job getting a shell! Now hurry and grab the password for bandit27! |
show passYnQpBuifNMas1hcUFk70ZmqkhUU2EuaS |
| Level 27 → Level 28 | 1=mktemp -d(/tmp/tmp.72MhKnbXcx)2=cd /tmp/tmp.72MhKnbXcx 3=git clone ssh://bandit27-git@localhost:2220/home/bandit27-git/repo (enter previous lvl password:YnQpBuifNMas1hcUFk70ZmqkhUU2EuaS) 4=cat ./repo/README |
There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo via the port 2220. The password for the user bandit27-git is the same as for the user bandit27. Clone the repository and find the password for the next level. |
show passAVanL161y9rsbcJIsFHuw35rjaOM19nR |
| Level 28 → Level 29 | 1=mktemp -d (/tmp/tmp.qEFnst9Vxs)2=cd /tmp/tmp.qEFnst9Vxs 3=git clone ssh://bandit28-git@localhost:2220/home/bandit28-git/repo 4=cat repo (cat README.md)5=git log 6=git checkout f08b9cc63fa1a4602fb065257633c2dae6e5651b 7=cat README.md |
There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo via the port 2220. The password for the user bandit28-git is the same as for the user bandit28. Clone the repository and find the password for the next level. |
show pass## credentials - username: bandit29 - password: tQKvmcwNYcFS6vmPHIUSI3ShmsrQZK8S |
| Level 29 → Level 30 | 1=mktemp -d (/tmp/tmp.2HRilRJF3d)2=cd /tmp/tmp.2HRilRJF3d 3=git clone ssh://bandit29-git@localhost:2220/home/bandit29-git/repo4=cd repo (cat README.md)5=git log 6=git checkout fca34ddb7d1ff1f78df36538252aea650b0b040d 7=git branch -a8=git checkout remotes/origin/dev 9=cat README.md |
There is a git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo via the port 2220. The password for the user bandit29-git is the same as for the user bandit29. Clone the repository and find the password for the next level. |
show passxbhV3HpNGlTIdnjUrdAlPzc2L6y9EOnS |
| Level 30 → Level 31 | 1=mktemp -d (/tmp/tmp.Z2yP6fbC8U)2=cd /tmp/tmp.Z2yP6fbC8U 3=git clone ssh://bandit30-git@localhost:2220/home/bandit30-git4=cd repo (cat README.md)5=git branch -a 6=git tag (secret) 7=git show secret |
There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo via the port 2220. The password for the user bandit30-git is the same as for the user bandit30. Clone the repository and find the password for the next level. |
show passOoffzGDlzhAlerFJ2cAiz1D41JW1Mhmt |
| Level 31 → Level 32 | 1=mktemp -d (/tmp/tmp.JD0KAGqH6U)2=cd /tmp/tmp.JD0KAGqH6U 3=git clone ssh://bandit31-git@localhost:2220/home/bandit31-git/repo 4=cd repo (cat README.md) [•Details: File name: key.txt Content: ‘May I come in?’ Branch: master•] 5=vim key.txt 6=May I come in? 7=ls -a 8=cat .gitignore 9=git add -f key.txt 10=git commit -m “Upload key.txt” 11=git push -u origin master |
There is a git repository at ssh://bandit31-git@localhost/home/bandit31-git/repo via the port 2220. The password for the user bandit31-git is the same as for the user bandit31. Clone the repository and find the password for the next level. |
show passremote: Well done! Here is the password for the next level: remote: rmCBvG56y58BXzv98yZGdO7ATVL5dW8y |
| Level 32 → Level 33 | 1=$0 2=cat /etc/bandit_pass/bandit33 |
After all this git stuff its time for another escape. Good luck! xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx |
show passodHo63fHiFqcWWJG9rLiLDtPm45KzUKy |
Additional comments:
Level 12:
- Aliases:
- alias rot13="tr 'A-Za-z' 'N-ZA-Mn-za-m'"
- alias rot5="tr '0-9' '5-90-4'"
Level 24
- if script gets stuck, you might want change the script to
begin count from 9999 to 0 or to divide script in 2 or less
parts so it runs through less lines:
#!/bin/bash
for i in {5555..9999}
do
echo "VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar $i"
doneLevel 27 / 28 / 29 / 30 / 31
-
dont forget to add
port 2220after localhost when git cloning
and use previous level passwords for each lvl to sign into these levels:- git clone ssh://bandit27-git@localhost
:2220/home/bandit27-git/repo - git clone ssh://bandit28-git@localhost:2220/home/bandit28-git/repo
- git clone ssh://bandit29-git@localhost:2220/home/bandit29-git/repo
- git clone ssh://bandit30-git@localhost:2220/home/bandit30-git/repo
- git clone ssh://bandit31-git@localhost:2220/home/bandit31-git/repo
- git clone ssh://bandit27-git@localhost