Bandit overthewire (14–25)

Ahmet Göker
Jul 27, 2022


Hey HackGeeks,

Welcome back to my blog. Today I will walk through the OverTheWire “Bandit” challenge. I recommend that you check it out: if you want to improve your Linux skills, it is superb practice. You can find the challenge at https://overthewire.org/wargames/bandit/

This blog will be a series that runs until level 33.

Level 14–15

The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

Awesome, we will try to send the previous password with the “echo” command.

Go to → /etc/bandit_pass/bandit to retrieve the password of bandit14

Then send the password with the “echo” command.

Level 15–16

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…

Hmm, interesting. I will use the “openssl” command to make a connection.

In order to obtain the password of bandit16, we need to send the password of the bandit15 user to port 30001 in encrypted form.

What is OpenSSL?

OpenSSL is a software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end. It is widely used by Internet servers, including the majority of HTTPS websites. (source: wikipedia)

If you do not know how to use this command, please check this reference → https://linuxhint.com/openssl-s-client/

BOOM!! We got the password!!!

Level 16–17

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

In order to find open ports, we will use the “nmap” command.

Awesome. We found 5 open ports. These are:

  1. 31046 -> open
  2. 31518 -> filtered
  3. 31691 -> open
  4. 31790 -> open
  5. 31960 -> open

I had searched earlier for the right port, which was port “31790”. We want to connect to port “31790”.

To do so, we need to “echo” the current password of this level.

Awesome. We got the private key.

We should create a directory under “/tmp” to save the key in, because we are not allowed to copy and paste the “private key”.

Change the mode of “private_key” to 600 and use it to get access to the bandit17 server.
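The mode 600 step matters because the ssh client refuses to load a private key file that group or others can access. The sketch below is an added example, not part of the original post: it saves a key into a private directory under /tmp and checks the permission bits. The function names and the placeholder key text are assumptions made for the illustration.

```shell
#!/bin/sh
# Return 0 when a key file is private to its owner (no group/other bits),
# which is what the ssh client requires before it loads a private key.
key_is_private() {
    # Characters 5-10 of `ls -l` output are the group and other permissions.
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Save key text into a fresh directory under /tmp (mktemp -d creates it with
# mode 700) and lock the file down. $1 = key text; prints the saved path.
save_key() {
    workdir=$(mktemp -d "${TMPDIR:-/tmp}/bandit17.XXXXXX") || return 1
    keyfile="$workdir/private_key"
    ( umask 077; printf '%s\n' "$1" > "$keyfile" )
    chmod 600 "$keyfile"
    printf '%s\n' "$keyfile"
}

# Constructed placeholder, not real key material.
SAMPLE_KEY='-----BEGIN PLACEHOLDER KEY-----
(constructed sample, not key material)
-----END PLACEHOLDER KEY-----'

# Show the check failing for mode 644 and passing for mode 600.
demo() {
    f=$(save_key "$SAMPLE_KEY") || return 1
    chmod 644 "$f"            # what a default umask of 022 would produce
    key_is_private "$f" && before=ok || before=rejected
    chmod 600 "$f"
    key_is_private "$f" && after=ok || after=rejected
    rm -rf "$(dirname "$f")"
    printf '%s %s\n' "$before" "$after"
}
demo
```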

Level 17–18–19

There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new

NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19

We will use “diff”.

To log in as “bandit18”, we can use the password found above: “kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd”

Awesome. It works, but there is one problem: when we type the password, the session ends immediately, so we need to find another way to get access. After a while I found an awesome bypass method, the “pseudo bypass”:

-T Disable pseudo-tty allocation.

-t Force pseudo-tty allocation. This can be used to execute arbitrary screen-based programs on a remote machine, which can be very useful, e.g. when implementing menu services. Multiple -t options force tty allocation, even if ssh has no local tty.

Level 19–20

To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

Awesome. We are able to manipulate this SETUID ELF file.

We can simply use it to run a command that retrieves the password from “/etc/bandit_pass/bandit20”.

Boom! It works. Let's go to the next level.

Level 20–21

There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: Try connecting to your own network daemon to see if it works as you think.

As described, we give the binary a port on localhost on which something is listening. If it receives the correct password from the other side, the next password is transmitted back.

Let's give it a try.

First, we need to set up a listener on localhost, and the password must be given through it to be able to receive the flag of bandit21.

As you can see, we could connect to the daemon server.

You need to set up a client and a server that communicate with each other. Grab your password and go to the next level.

Level 21–22

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

Awesome. It has something to do with “crontab”

Crontab stands for “cron table,” because it uses the job scheduler cron to execute tasks; cron itself is named after “chronos,” the Greek word for time. cron is the system process which will automatically perform tasks for you according to a set schedule. (source: GeeksforGeeks)

Hmm, as you can see we just need to go to “/etc/cron.d” directory. In order to read the password of bandit22, we ought to understand the bash script.

→ just execute /usr/bin/cronjob_bandit22.sh

Do you see “/tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv”?

This file was changed to mode 644, but the operation was permitted.

→ “/tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv” run this .sh file and get your file.

Level 22–23

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.

Awesome. We just need to follow the steps.

  • -> echo I am user bandit23 | md5sum | cut -d ' ' -f 1
  • -> $mytarget → /tmp/8ca319486bfbbc3663ea0fbe81326349
  • -> we just need to cat this out “/tmp/8ca319486bfbbc3663ea0fbe81326349”

Boom! Got the password and go to the next level.
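Levels 21–22 and 22–23 both come down to reading a cron.d entry, noting which user the job runs as, and working out where that job writes. The sketch below is an added example, not part of the original post: it parses cron.d-format lines and applies the md5sum derivation shown above to the job's user. The sample crontab text and the script name cronjob_bandit23.sh are constructed for the illustration, and the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample in /etc/cron.d format: schedule, user, command.
SAMPLE_CRON='# constructed sample, not copied from the game server
MAILTO=""
@reboot bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null'

# Print "user<TAB>command" for every job line read from stdin.
cron_jobs() {
    awk '
        /^[ \t]*(#|$)/             { next }   # comments and blank lines
        /^[ \t]*[A-Za-z_]+[ \t]*=/ { next }   # environment assignments
        {
            # @reboot and friends take the place of the five time fields
            first = ($1 ~ /^@/) ? 2 : 6
            cmd = ""
            for (i = first + 1; i <= NF; i++)
                cmd = cmd (cmd == "" ? "" : " ") $i
            print $first "\t" cmd
        }'
}

# File name derived for a user with the pipeline from the level 22-23 steps.
target_for() {
    printf '/tmp/%s\n' "$(echo I am user "$1" | md5sum | cut -d ' ' -f 1)"
}

# For each distinct job user in the sample, show where that job would write.
# The name depends on the user cron runs the job as, not on who reads it.
audit() {
    printf '%s\n' "$SAMPLE_CRON" | cron_jobs | cut -f 1 | sort -u |
    while read -r user; do
        printf '%s %s\n' "$user" "$(target_for "$user")"
    done
}
audit
```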

Level 23–24

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!

NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…

Okay, it seems we can create a .sh file to read the password of bandit24.

When you create a directory under /tmp, make sure that the directory is r-w-x by everyone. It seems we need to wait one minute to get our password.

We are still waiting

Boom! We get the password!

Level 24–25

A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.

We have the password of the “bandit24” user, but the 4-digit PIN is unknown. However, we can use the brute-force technique to generate all possible combinations. I am going to use a bash script for that, which is a superb fit.

Boom!! We get the password, so let's go to the next level.
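The sketch below shows how small a 4-digit keyspace is and why the zero padding matters. It is an added example, not part of the original post, and it runs entirely locally against a stand-in check instead of the real daemon. The “password pin” line format, the placeholder password, the placeholder PIN and the function names are all assumptions.

```shell
#!/bin/sh
# Constructed stand-in for the daemon: accepts one line and compares it with
# the expected "password pin" pair. Both values below are placeholders.
DEMO_PASSWORD='PLACEHOLDER_bandit24_password'
DEMO_PIN='0042'

daemon_accepts() {
    [ "$1" = "$DEMO_PASSWORD $DEMO_PIN" ]
}

# Print every candidate line, 0000 through 9999. %04d keeps the leading
# zeros; without it the first 1000 PINs would be sent as 0..999 and a
# PIN such as 0042 would never match.
candidates() {
    i=0
    while [ "$i" -lt 10000 ]; do
        printf '%s %04d\n' "$1" "$i"
        i=$((i + 1))
    done
}

# Feed the candidates to the stand-in and print "pin attempts" on a match.
# Returns non-zero when no candidate is accepted (e.g. a wrong password).
find_pin() {
    candidates "$1" | (
        n=0
        while IFS= read -r line; do
            n=$((n + 1))
            if daemon_accepts "$line"; then
                printf '%s %s\n' "${line##* }" "$n"
                exit 0
            fi
        done
        exit 1
    )
}
find_pin "$DEMO_PASSWORD"
```

With no limit on attempts, the whole space is at most 10000 lines, so the PIN adds very little on top of the password.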

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — -

Stay tuned, the other levels will be walked through as well.

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Ahmet Göker | Exploit researcher | malware Researcher| Cryptanalyst | CTF player | Reverse Engineering

You can follow me on:

Linkedin: https://www.linkedin.com/in/ahmetg%C3%B6ker/

Twitter: https://twitter.com/TurkishHoodie_

Youtube: https://www.youtube.com/c/TurkishHoodie

Github: https://github.com/DarkGhost010
