Info

From the OverTheWire website:

The wargames offered by the OverTheWire community can help you to learn and practice security concepts in the form of fun-filled games.

~ OverTheWire.org

Bandit

Bandit is the first series of challenges and it’s recommended to start with these.

The Bandit wargame is aimed at absolute beginners. It will teach the basics needed to be able to play other wargames.

~ OverTheWire.org

Make sure you follow along on the website to get more info on the goal of the challenges and the skills that you’ll learn from them.

Always first try to do a challenge yourself.
You’ll learn more and might find methodologies or techniques that work better for you.

This write-up contains the solution of levels 30 to 40.
Need to go back for levels 20 to 30?

Level 30 -> 31

Connect with the OverTheWire infrastructure using the credentials retrieved in the previous level.

$ ssh bandit30@bandit.labs.overthewire.org -p 2220                
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
                          
bandit30@bandit.labs.overthewire.org's password:

We start off (again) by creating a directory to clone the git repo into.

bandit30@bandit:~$ mkdir /tmp/bandit30
bandit30@bandit:~$ cd /tmp/bandit30
bandit30@bandit:/tmp/bandit30$ git clone ssh://bandit30-git@localhost/home/bandit30-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit30/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit30/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit30-git@localhost's password: 
remote: Counting objects: 4, done.
remote: Total 4 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (4/4), done.
bandit30@bandit:/tmp/bandit30$ ls
repo
bandit30@bandit:/tmp/bandit30$ cd repo/
bandit30@bandit:/tmp/bandit30/repo$ ls
README.md
bandit30@bandit:/tmp/bandit30/repo$ cat README.md 
just an epmty file... muahaha

Ben likes to have a laugh…

bandit30@bandit:/tmp/bandit30/repo$ git log -p --all
commit 3aa4c239f729b07deb99a52f125893e162daac9e
Author: Ben Dover <noone@overthewire.org>
Date:   Tue Oct 16 14:00:44 2018 +0200

    initial commit of README.md

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..029ba42
--- /dev/null
+++ b/README.md
@@ -0,0 +1 @@
+just an epmty file... muahaha

Let’s look around and see if we can find any other interesting files. Especially the .git folder might contain some leads, since this hidden folder contains the configurations and metadata of the repository.

bandit30@bandit:/tmp/bandit30/repo/.git$ cat packed-refs 
# pack-refs with: peeled fully-peeled 
3aa4c239f729b07deb99a52f125893e162daac9e refs/remotes/origin/master
f17132340e8ee6c159e0a4a6bc6f80e1da3b1aea refs/tags/secret

You can find more information on the use of references and tags in the git documentation.

Using git cat-file, we can see the contents of the file that the “secret” tag refers to.

bandit30@bandit:/tmp/bandit30/repo$ git cat-file
usage: git cat-file (-t [--allow-unknown-type] | -s [--allow-unknown-type] | -e | -p | <type> | --textconv | --filters) [--path=<path>] <object>
   or: git cat-file (--batch | --batch-check) [--follow-symlinks] [--textconv | --filters]

<type> can be one of: blob, tree, commit, tag
    -t                    show object type
    -s                    show object size
    -e                    exit with zero when there's no error
    -p                    pretty-print object's content
    --textconv            for blob objects, run textconv on object's content
    --filters             for blob objects, run filters on object's content
    --path <blob>         use a specific path for --textconv/--filters
    --allow-unknown-type  allow -s and -t to work with broken/corrupt objects
    --buffer              buffer --batch output
    --batch[=<format>]    show info and content of objects fed from the standard input
    --batch-check[=<format>]
                          show info about objects fed from the standard input
    --follow-symlinks     follow in-tree symlinks (used with --batch or --batch-check)
    --batch-all-objects   show all objects with --batch or --batch-check

You can use either the hash or the tag name as a reference.

bandit30@bandit:/tmp/bandit30/repo$ git cat-file -p f17132340e8ee6c159e0a4a6bc6f80e1da3b1aea
47##########e5

bandit30@bandit:/tmp/bandit30/repo$ git cat-file -p secret
47##########e5
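
git log -p --all shows nothing for the “secret” tag because it points at a blob, not a commit. The following added example (not part of the original write-up) lists every ref whose target is not a commit; the function names and the constructed demo repository with its placeholder blob are assumptions for illustration.

```shell
#!/bin/sh
# Added example: find refs that "git log --all" cannot show because they
# do not lead to a commit (like refs/tags/secret in packed-refs above).

# audit_refs REPO: prints "<type> <refname> <object id>" for each such ref
audit_refs() {
    git -C "$1" for-each-ref \
        --format='%(objecttype)|%(*objecttype)|%(objectname)|%(refname)' |
    while IFS='|' read -r otype peeled oid ref; do
        # Annotated tags report "tag"; use the peeled type when there is one.
        target=${peeled:-$otype}
        [ "$target" = commit ] || printf '%s %s %s\n' "$target" "$ref" "$oid"
    done
}

# build_demo_repo DIR: constructed repository with one normal commit and a
# lightweight tag that points straight at a blob (placeholder content)
build_demo_repo() {
    git init -q "$1" &&
    git -C "$1" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q --allow-empty -m 'initial commit' &&
    blob=$(printf 'PLACEHOLDER-SECRET\n' | git -C "$1" hash-object -w --stdin) &&
    git -C "$1" update-ref refs/tags/secret "$blob"
}
```

Run build_demo_repo on a scratch directory and then audit_refs on it; the only line reported is the blob behind refs/tags/secret, which git cat-file -p can then print.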

Level 31 -> Level 32

bandit31@bandit:/tmp$ mkdir /tmp/bandit31
bandit31@bandit:/tmp$ cd /tmp/bandit31
bandit31@bandit:/tmp/bandit31$ git clone ssh://bandit31-git@localhost/home/bandit31-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit31/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit31/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit31-git@localhost's password: 
remote: Counting objects: 4, done.
remote: Compressing objects: 100% (3/3), done.
remote: Total 4 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (4/4), done.

This time, we need to add something to the repo.

The .gitignore file specifies intentionally untracked files to ignore. You can use this file to keep metadata, private and/or irrelevant files from ending up in the repo. *.txt means that files with txt as extension won’t be tracked.

bandit31@bandit:/tmp/bandit31/repo$ ls -al
total 20
drwxr-sr-x 3 bandit31 root 4096 Jan 18 00:01 .
drwxr-sr-x 3 bandit31 root 4096 Jan 18 00:01 ..
drwxr-sr-x 8 bandit31 root 4096 Jan 18 00:01 .git
-rw-r--r-- 1 bandit31 root    6 Jan 18 00:01 .gitignore
-rw-r--r-- 1 bandit31 root  147 Jan 18 00:01 README.md

bandit31@bandit:/tmp/bandit31/repo$ cat README.md 
This time your task is to push a file to the remote repository.

Details:
    File name: key.txt
    Content: 'May I come in?'
    Branch: master

bandit31@bandit:/tmp/bandit31/repo$ cat .gitignore
*.txt

First, create the file as per the requirements stated above.

bandit31@bandit:/tmp/bandit31/repo$ echo "May I come in?" > key.txt

Add it to the repository. Notice that because of the .gitignore file, we’ll need to “force” git into adding our file.

bandit31@bandit:/tmp/bandit31/repo$ git status                                                
On branch master                                                                              
Your branch is up-to-date with 'origin/master'.                                               
nothing to commit, working tree clean                                                         
bandit31@bandit:/tmp/bandit31/repo$ git add key.txt                                           
The following paths are ignored by one of your .gitignore files:                              
key.txt                                                                                       
Use -f if you really want to add them.                                                        
bandit31@bandit:/tmp/bandit31/repo$ git add -f key.txt                                        
bandit31@bandit:/tmp/bandit31/repo$ git status                                                
On branch master                                                                              
Your branch is up-to-date with 'origin/master'. 
Changes to be committed:
  (use "git reset HEAD <file>..." to unstage)

        new file:   key.txt

Next, commit our changes and push them to the repository.

bandit31@bandit:/tmp/bandit31/repo$ git commit -m "May I come in?"
[master e5c7ff1] May I come in?
 1 file changed, 1 insertion(+)
 create mode 100644 key.txt
bandit31@bandit:/tmp/bandit31/repo$ git push
Could not create directory '/home/bandit31/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit31/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit31-git@localhost's password: 
Counting objects: 3, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 326 bytes | 0 bytes/s, done.
Total 3 (delta 0), reused 0 (delta 0)
remote: ### Attempting to validate files... ####
remote: 
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote: 
remote: Well done! Here is the password for the next level:
remote: 56##########5e
remote: 
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote: 
To ssh://localhost/home/bandit31-git/repo
 ! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'ssh://bandit31-git@localhost/home/bandit31-git/repo'

The challenge creator added a hook that triggers on a repo push, gives us the password if our push fits the criteria and finally rejects our modification so we don’t impact the source repository.
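
The push output above ends in “pre-receive hook declined” even though validation succeeded. The following added example shows how a server-side hook can do both; it is a sketch, not the OverTheWire hook, and the hook body, function names and messages are assumptions built on a constructed local repository.

```shell
#!/bin/sh
# Added example, not the OverTheWire hook: validate a push, then refuse it.

# install_hook BARE_REPO: writes hooks/pre-receive into a bare repository
install_hook() {
    mkdir -p "$1/hooks"
    cat > "$1/hooks/pre-receive" <<'EOF'
#!/bin/sh
# git feeds one "<old-sha> <new-sha> <refname>" line per updated ref on stdin
while read -r old new ref; do
    [ "$ref" = refs/heads/master ] || continue
    # Pushed objects are already readable here, although no ref has moved yet
    content=$(git show "$new:key.txt" 2>/dev/null)
    if [ "$content" = 'May I come in?' ]; then
        echo 'validation passed'
    else
        echo 'validation failed'
    fi
done
# Any non-zero exit makes git reject every ref in this push
exit 1
EOF
    chmod +x "$1/hooks/pre-receive"
}

# demo_push WORKDIR: constructed bare remote plus client; prints what the
# client sees and returns git push's exit status (runs in a subshell)
demo_push() (
    remote=$1/remote.git
    git init -q --bare "$remote" && install_hook "$remote" || exit 2
    git init -q "$1/client" && cd "$1/client" || exit 2
    printf '*.txt\n' > .gitignore
    printf 'May I come in?\n' > key.txt
    git add -f key.txt    # .gitignore is a client-side convenience only
    git -c user.name=demo -c user.email=demo@example.invalid commit -q -m key
    git push "$remote" HEAD:refs/heads/master 2>&1
)
```

The same mechanism is what a repository owner would use to enforce policy on pushes, since .gitignore can be overridden by any client with git add -f.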

Level 32 -> Level 33

After all this git stuff it's time for another escape. Good luck!

~ OverTheWire.org

Bandit32 seems to be running a special shell. Our challenge is to break out of it.

$ ssh bandit32@bandit.labs.overthewire.org -p 2220
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
[...]
WELCOME TO THE UPPERCASE SHELL
>>

Looking at the passwd file (as Bandit31) gives us a bit more information on the shell Bandit32 runs in. It seems to be a script in the home directory of Bandit32, which we can’t read since we don’t have the necessary permissions.

bandit31@bandit:~$ cat /etc/passwd | grep bandit32
bandit32:x:11032:11032:bandit level 32:/home/bandit32:/home/bandit32/uppershell

bandit31@bandit:~$ cat /home/bandit32/uppershell                                              
cat: /home/bandit32/uppershell: Permission denied

This shell appears to convert all our commands to uppercase. Since Linux is case-sensitive, this means our regular commands don’t work.

>> ls
sh: 1: LS: not found
>> pwd
sh: 1: PWD: not found
>> whoami
sh: 1: WHOAMI: not found

It also looks like our commands are treated like strings.

>> "pwd"
sh: 1: PWD: not found
>> 'pwd'
sh: 1: PWD: not found
>> "
sh: 2: Syntax error: Unterminated quoted string
>> '
sh: 2: Syntax error: Unterminated quoted string
>>

Let’s test some other escape characters.

It looks like parameter expansion works. $0 contains no letters, so the uppercase conversion leaves it untouched. Using $0 opens Bash, as $0 expands to the name of the shell or shell script.

>> ls
sh: 1: LS: not found
>> $0
$ ls
uppershell

It looks like we’re in the context of user Bandit33, who is a member of the group Bandit32. This means we can read (most of) the files that either Bandit32 or Bandit33 has access to.

$ id
uid=11033(bandit33) gid=11032(bandit32) groups=11032(bandit32)
$ cat /etc/bandit_pass/bandit33
c9##########ee
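
Why the uppercase filter fails as a restriction, and what a stricter filter looks like, as an added example that is not part of the original write-up. The real uppershell cannot be read, so weak_run only models what its error messages suggest (uppercase the line, then hand it to sh -c); all function names are assumptions.

```shell
#!/bin/sh
# Added example: a case-folding filter in front of "sh -c" versus an
# allowlist that keeps shell syntax away from sh altogether.

to_upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# weak_run LINE: assumed behaviour of the restricted shell. Only letters
# change, so "$0" and every other metacharacter reach sh untouched.
weak_run() {
    sh -c "$(to_upper "$1")"
}

# strict_run LINE: accept plain letters and digits only, so no expansion,
# quoting or separator is ever interpreted by sh
strict_run() {
    case $1 in
        ''|*[!A-Za-z0-9]*) echo 'rejected' >&2; return 2 ;;
    esac
    sh -c "$(to_upper "$1")"
}

# status LINE RUNNER: prints RUNNER's exit status for LINE (stdin is empty,
# so a shell that does get started exits immediately)
status() {
    "$2" "$1" </dev/null >/dev/null 2>&1 && echo 0 || echo $?
}

# Constructed inputs taken from the session above
for line in 'ls' '$0'; do
    printf '%-4s weak=%s strict=%s\n' "$line" \
        "$(status "$line" weak_run)" "$(status "$line" strict_run)"
done
```

Status 127 means sh could not find the uppercased command, 0 means a program actually ran, and 2 means the line was refused before reaching sh.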

Level 33 -> Level 34

We’ve reached the final level of the Bandit series. 🎉

bandit33@bandit:~$ ls
README.txt
bandit33@bandit:~$ cat README.txt 
Congratulations on solving the last level of this game!

At this moment, there are no more levels to play in this game. However, we are constantly working
on new levels and will most likely expand this game with more levels soon.
Keep an eye out for an announcement on our usual communication channels!
In the meantime, you could play some of our other wargames.

If you have an idea for an awesome new level, please let us know!

And here ends the Bandit challenge.

Up next: Leviathan!