OverTheWire’s wargames are offered to help learn and practice security concepts in the form of fun-filled games.

The Bandit wargame is aimed at absolute beginners and will teach them the basics needed to be able to play other wargames. All the challenges focus on Linux systems and their commands. It aims to get the player familiar with the Linux terminal and introduce some basic security concepts.

It consists of a total of 33 Levels. At each level, you have to find the password for the next level to continue playing. Each Level is a user that you connect as, over SSH, on the bandit.labs.overthewire.org server.

In this post, we will present the solutions for Levels 30-33 of the Bandit wargame.

NOTE: These walkthroughs are written and published to help other members of the community that are stuck at some Level. It is strongly advised to first try the challenges yourself until you can progress no more, and only then come back here to see the solution.

Level 30

Level Goal

There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo. The password for the user bandit30-git is the same as for the user bandit30. Clone the repository and find the password for the next level.

Solution

Log in to bandit30, using the password found from Level 29:

ssh -p 2220 bandit30@bandit.labs.overthewire.org

We first create a working directory in /tmp:

mkdir /tmp/mine30
cd /tmp/mine30

We then clone the git repository:

git clone ssh://bandit30-git@localhost/home/bandit30-git/repo

The password is the same as the current level's.

There is only one README file in the repo and we can cat it:

bandit30@bandit:/tmp/mine30$ cd repo
bandit30@bandit:/tmp/mine30/repo$ cat README.md
just an empty file... muahaha

Nothing much here.

We can navigate to the .git directory:

bandit30@bandit:/tmp/mine30/repo$ cd .git

There, if we cat the packed-refs file, we can see a hash that corresponds to a tag named secret:

bandit30@bandit:/tmp/mine30/repo/.git$ cat packed-refs
# pack-refs with: peeled fully-peeled
3aefa229469b7ba1cc08203e5d8fa299354c496b refs/remotes/origin/master
f17132340e8ee6c159e0a4a6bc6f80e1da3b1aea refs/tags/secret

We can view all of the tags in the git repo with:

bandit30@bandit:/tmp/mine30/repo$ git tag
secret

To see what the tag points to, we can use git show, which prints the password:

bandit30@bandit:/tmp/mine30/repo$ git show secret
47e603bb428404d265f59c42920d81e5
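
Reading packed-refs by hand only works when the refs happen to be packed; git for-each-ref lists loose and packed refs alike. The following is an added example, not part of the original walkthrough: it builds a constructed throwaway repository (the tag name secret mirrors the level, the stored value is made up) and reports every ref that does not lead to a commit.

```sh
#!/bin/sh
# Constructed demo repo: a lightweight tag that points straight at a blob,
# so no branch checkout would ever show its content.
make_demo_repo() {
    dir=$(mktemp -d) || return 1
    git -C "$dir" init -q
    blob=$(printf 'constructed-secret\n' | git -C "$dir" hash-object -w --stdin)
    git -C "$dir" tag secret "$blob"
    printf '%s\n' "$dir"
}

# Print "<type> <refname>" for every ref whose final target is not a commit.
# for-each-ref covers loose and packed refs, unlike cat .git/packed-refs.
non_commit_refs() {
    git -C "$1" for-each-ref --format='%(objecttype)|%(*objecttype)|%(refname)' |
    while IFS='|' read -r type peeled ref; do
        # Annotated tags have type "tag"; judge them by what they peel to.
        [ "$type" = tag ] && type=$peeled
        [ "$type" = commit ] || printf '%s %s\n' "$type" "$ref"
    done
}

# Dump the content behind one ref, whatever its object type.
ref_content() {
    git -C "$1" cat-file -p "$2"
}

repo=$(make_demo_repo)
non_commit_refs "$repo"                 # blob refs/tags/secret
ref_content "$repo" refs/tags/secret    # constructed-secret
rm -rf "$repo"
```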

Level 31

Level Goal

There is a git repository at ssh://bandit31-git@localhost/home/bandit31-git/repo. The password for the user bandit31-git is the same as for the user bandit31. Clone the repository and find the password for the next level.

Solution

Log in to bandit31, using the password found from Level 30:

ssh -p 2220 bandit31@bandit.labs.overthewire.org

We first create a working directory in /tmp:

mkdir /tmp/mine31
cd /tmp/mine31

We then clone the git repository:

git clone ssh://bandit31-git@localhost/home/bandit31-git/repo

The password is the same as the current level's.

There is only one README file in the repo and we can cat it:

bandit31@bandit:/tmp/mine31$ cd repo/
bandit31@bandit:/tmp/mine31/repo$ cat README.md
This time your task is to push a file to the remote repository.

Details:
    File name: key.txt
    Content: 'May I come in?'
    Branch: master

We do as it says: we create a file key.txt containing the phrase:

bandit31@bandit:/tmp/mine31/repo$ echo 'May I come in?' > key.txt

But if we list all the files in the repo:

bandit31@bandit:/tmp/mine31/repo$ ls -al
total 24
drwxr-sr-x 3 bandit31 root 4096 Apr 19 23:58 .
drwxr-sr-x 3 bandit31 root 4096 Apr 19 23:57 ..
drwxr-sr-x 8 bandit31 root 4096 Apr 19 23:58 .git
-rw-r--r-- 1 bandit31 root    6 Apr 19 23:57 .gitignore
-rw-r--r-- 1 bandit31 root   15 Apr 19 23:58 key.txt
-rw-r--r-- 1 bandit31 root  147 Apr 19 23:57 README.md

We see a .gitignore file that ignores all .txt files:

bandit31@bandit:/tmp/mine31/repo$ cat .gitignore
*.txt

That rule would keep git add from staging key.txt, so in order to push our changes to the remote repo, we delete the .gitignore file:

rm .gitignore

Now we can add and commit our changes:

git add .
git commit -m "Added key.txt, removed .gitignore"

And push them to the remote repo:

bandit31@bandit:/tmp/mine31/repo$ git push
Could not create directory '/home/bandit31/.ssh'.
# ...
Delta compression using up to 2 threads.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 289 bytes | 0 bytes/s, done.
Total 3 (delta 0), reused 0 (delta 0)
remote: ### Attempting to validate files... ####
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
remote: Well done! Here is the password for the next level:
remote: 56a9bf19c63d650ce78e6ec0354ee45e
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
To ssh://localhost/home/bandit31-git/repo
 ! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'ssh://bandit31-git@localhost/home/bandit31-git/repo'
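
The push above ends with "remote rejected" even though the password was printed: a pre-receive hook can read the pushed objects, print a message, and still decline the update. The following added example reproduces that behaviour; it is not OverTheWire's hook, and the hook text, messages and scratch paths are constructed. It also stages key.txt with git add -f instead of deleting .gitignore.

```sh
#!/bin/sh
# Constructed stand-in for the server-side hook; not OverTheWire's script.
write_hook() {
    cat > "$1" <<'EOF'
#!/bin/sh
# stdin: one "<old-sha> <new-sha> <refname>" line per pushed ref
while read -r old new ref; do
    [ "$ref" = refs/heads/master ] || continue
    # Pushed objects are readable here before any ref is updated.
    content=$(git cat-file -p "$new:key.txt" 2>/dev/null)
    if [ "$content" = 'May I come in?' ]; then
        echo 'validated: key.txt accepted'
    else
        echo 'validation failed'
    fi
done
exit 1  # a non-zero status declines every push, so the remote never changes
EOF
    chmod +x "$1"
}

# Push key.txt with the given content to a scratch bare repo behind the hook
# and print what the client sees.
demo_push() {
    work=$(mktemp -d) || return 1
    git init -q --bare "$work/remote.git"
    mkdir -p "$work/remote.git/hooks"
    write_hook "$work/remote.git/hooks/pre-receive"
    git init -q "$work/clone"
    printf '*.txt\n' > "$work/clone/.gitignore"
    printf '%s\n' "$1" > "$work/clone/key.txt"
    # -f stages a file that the ignore rule would otherwise skip.
    git -C "$work/clone" add -f key.txt
    git -C "$work/clone" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q -m 'add key.txt'
    # The decline makes git push exit non-zero by design.
    git -C "$work/clone" push "$work/remote.git" HEAD:refs/heads/master 2>&1 || true
    rm -rf "$work"
}

demo_push 'May I come in?'
```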

Level 32

Level Goal

After all this git stuff it's time for another escape. Good luck!

Solution

Log in to bandit32, using the password found from Level 31:

ssh -p 2220 bandit32@bandit.labs.overthewire.org

When we log in we are welcomed by the uppercase shell, and if we play around a little we can see that there is not a lot we can do:

WELCOME TO THE UPPERCASE SHELL
>>

All the commands are converted to uppercase before they are run, and since Linux command names are case-sensitive, none of them are found. Shell variables starting with $ are still expanded, though. After testing different variables like:

>> $SHELL
WELCOME TO THE UPPERCASE SHELL
>> $HOME
sh: 1: /home/bandit32: Permission denied

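We can run $0, which holds the name of the running shell or script. It contains no letters, so the uppercase conversion leaves it untouched, and here it expands to sh (the sh: prefix in the error above shows which shell is interpreting our input), so it starts a new shell: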

>> $0
$

Now we have a regular shell in which we can execute commands. The shell runs with bandit33 permissions, because uppershell is a setuid binary owned by bandit33. We can check that by logging in as another user, e.g. bandit31, and listing the home directory of bandit32:

bandit31@bandit:~$ ls -la /home/bandit32/
total 28
drwxr-xr-x  2 root     root     4096 May  7  2020 .
drwxr-xr-x 41 root     root     4096 May  7  2020 ..
-rw-r--r--  1 root     root      220 May 15  2017 .bash_logout
-rw-r--r--  1 root     root     3526 May 15  2017 .bashrc
-rw-r--r--  1 root     root      675 May 15  2017 .profile
-rwsr-x---  1 bandit33 bandit32 7556 May  7  2020 uppershell

So we can just cat the password:

$ cat /etc/bandit_pass/bandit33
c9c3199ddf4121b10cf581a98d51caee
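
Why the filter fails, as an added example that is not part of the original walkthrough: upper_run is a constructed stand-in that assumes the wrapper uppercases the line and hands it to sh (the page does not show the real binary's source), and strict_upper_run is a hypothetical hardened variant that refuses shell metacharacters first.

```sh
#!/bin/sh
# Assumed behaviour of the wrapper: uppercase the line, then let sh run it.
upper_run() {
    cmd=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    sh -c "$cmd" 2>&1
}

# Hardened variant: accept only letters, digits, space and ". _ / -" before
# anything reaches sh, so "$", backticks and other expansions are refused.
strict_upper_run() {
    case $1 in
        ''|*[!A-Za-z0-9\ ._/-]*) echo 'rejected'; return 1 ;;
    esac
    upper_run "$1"
}

# Letters are mangled, so ordinary commands are not found...
upper_run 'id' || true
# ...but "$0" contains no letters, reaches sh intact, and expands to "sh".
# The new shell reads its commands from stdin, where nothing is uppercased.
printf 'echo escaped\n' | upper_run '$0'                   # escaped
printf 'echo escaped\n' | strict_upper_run '$0' || true    # rejected
```

An allowlist narrows what reaches the shell; a setuid wrapper is sturdier still when it never passes user input to a shell at all.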

Level 33

Level Goal

At this moment, level 34 does not exist yet.

Solution

Log in to bandit33, using the password found from Level 32:

ssh -p 2220 bandit33@bandit.labs.overthewire.org

If we cat the README.txt file in our home directory:

bandit33@bandit:~$ cat README.txt
Congratulations on solving the last level of this game!

At this moment, there are no more levels to play in this game. However, we are constantly working
on new levels and will most likely expand this game with more levels soon.
Keep an eye out for an announcement on our usual communication channels!
In the meantime, you could play some of our other wargames.

If you have an idea for an awesome new level, please let us know!

The end!