- Basic SSH command to reach and complete level. Read the readme file using.
- used the `./` convention to `cat` the filename.
- used `cat spaces\ in\ this\ filename` to open file for password.
- Steps :
cd hidden
ls -lah
cat .hidden
- `cd inhere && strings ./*`
- To find the file :
find ./ -type f -size 1033c -exec ls {} \;
- To find the file :
find / -type f -size 33c -group bandit6 -user bandit7 -exec ls -lh {} \;
cat data.txt | grep millionth
cat data.txt | uniq | sort -d | uniq -c
strings data.txt | grep '=='
cat data.txt | base64 --decode
cat data.txt | tr '[a-z]' '[n-za-m]' | tr '[A-Z]' '[N-ZA-M]'
- password : 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
xxd -r data.txt | zcat | bzcat | zcat | tar xO | tar xO | bzcat | tar xO | zcat
- bzcat : decompresses bzip2 files to standard output.
- zcat : decompresses gzip files to standard output.
- password : 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
- Copy private key to local machine
- create key file and chmod it
- ssh using that key.
- password : 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
- copy 14 password :
cat /etc/bandit_pass/bandit14
- post it on :
telnet localhost 30000
- Password : BfMYroe26WYalil77FoDi9qh59eK5xNr
openssl s_client -connect localhost:30001
- Password : cluFn7wTiGryunymYOu4RcffSxQluehd
- diff command between old and new
- Password : kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
- run commands through ssh.
- Password : IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
./bandit20-do cat /etc/bandit_pass/bandit20
- Password : GbKksEFF4yrVs6il55v6gwY5aVje5f0j
- `netcat -vvl 127.0.0.1 -p 1111` to send messages to the binary which connects on port 1111.
- Password : gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
- Check cron file which leads to the sh file and then get the password from there.
- Password : Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
- Cron file was putting the password in the tmp folder. For each user it was creating a copy in the tmp folder but in md5 format. So modifying the line in the cron file led to the file which held the password.
- Password : jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
- Create a shell script inside a folder in the tmp folder and also a text file inside the same folder. `chmod 777` both the files.
- The shell script should cat the password in the bandit_pass folder for user bandit24 into a text file in the tmp directory.
- cp the shell script from current tmp folder to `/var/spool/bandit24` to make a copy of the script that will execute with the cron job.
- The password is available in the text file in the tmp folder.
- Password : UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
- Using brute force with netcat to check the password.
for i in {0000..9999}; do echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i"; done | nc localhost 30002 > /tmp/valay/bandit25.txt
- Password : uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG : Private Key given on lvl 25 for level 26.
- Script to get password :
for i in {0000..9999};
do
echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i";
done | nc localhost 30002 > /tmp/valay/bandit25.txt
- Password : 5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z
- The ssh is modified to launch the `more` command and then exit. So resizing the window works for the more command. Once the window is small enough, the more command works and the shell session doesn't exit. The more can convert to vi by pressing `v` in the more interface.
- Using `:e /etc/bandit_pass/bandit26` in the vi interface (opened from more) gets us the password file for 26.
- On top of that, vi can offer access to the shell from there. Issue the command `:set shell=/bin/bash` to vi. Once set, calling `:shell` in vi will open the shell for the user.
- Password : 3ba3118a22e93127a4ed485be72ef5ea
- Git clone of repository gave the output.
- Password : 0ef186ac70e04ea33b4c1853d2526fa2
- Password stored in the git history of the repository.
- Password : bbc96594b4e001778eee9975372716b2
- Password was present on a ref listed in `packed-refs`, which contains the different branch references from origin. One of the branches contained the password readme.
- Password : 5b90576bedb2cc04c86a9e924ce42faf
- One of the refs in the `packed-refs` contained a ref which gave the secret via `git show f17132340e8ee6c159e0a4a6bc6f80e1da3b1aea`
- Password : 47e603bb428404d265f59c42920d81e5
- Required to override a file extension present in `.gitignore` for txt files. Required to create, commit and send a text file to origin which contained a message.
- Password : 56a9bf19c63d650ce78e6ec0354ee45e
- Using `$0` one can return to the original bash and then find the password in the bandit_pass folder.
- Password : c9c3199ddf4121b10cf581a98d51caee
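
The `packed-refs` notes above depend on reading that file by eye. As an added example (not part of the original notes), this script parses the file and lists every ref outside the branch already checked out, so that leftover branches and tags can be reviewed for secrets. The function names and the sample object ids are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: enumerate the refs recorded in a git packed-refs file so that
# branches and tags other than the checked-out one get reviewed too.
# Lines are "<object-id> <refname>"; "#" starts the header; a "^<object-id>"
# line is the peeled target of the annotated tag on the line just above it.

list_packed_refs() {   # $1 = path to packed-refs; prints: kind ref id peeled
    awk '
        /^#/ || NF == 0 { next }
        substr($0, 1, 1) == "^" { if (n) peeled[n] = substr($1, 2); next }
        NF == 2 && $1 ~ /^[0-9a-f]+$/ && (length($1) == 40 || length($1) == 64) {
            n++; id[n] = $1; ref[n] = $2
        }
        END {
            for (i = 1; i <= n; i++) {
                kind = "other"
                if (ref[i] ~ /^refs\/heads\//) kind = "branch"
                else if (ref[i] ~ /^refs\/remotes\//) kind = "remote"
                else if (ref[i] ~ /^refs\/tags\//) kind = "tag"
                print kind, ref[i], id[i], ((i in peeled) ? peeled[i] : "-")
            }
        }' "$1"
}

refs_to_review() {     # $1 = packed-refs path, $2 = branch already reviewed
    list_packed_refs "$1" | awk -v b="$2" '
        $2 == ("refs/heads/" b) || $2 == ("refs/remotes/origin/" b) { next }
        { print $2, ($4 == "-" ? $3 : $4) }'   # for tags, show the peeled object
}

write_sample() {       # constructed sample data, not taken from a real repository
    cat > "$1" <<'EOF'
# pack-refs with: peeled fully-peeled sorted
1111111111111111111111111111111111111111 refs/remotes/origin/dev
2222222222222222222222222222222222222222 refs/remotes/origin/master
3333333333333333333333333333333333333333 refs/tags/v1.0
^4444444444444444444444444444444444444444
EOF
}

sample=$(mktemp)
write_sample "$sample"
refs_to_review "$sample" master   # each id printed can be inspected with git show
rm -f "$sample"
```

On a real clone, pass `.git/packed-refs` and the current branch name instead of the sample file.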