OverTheWire - Bandit Walkthrough (14 - 20)

Anshul Negi

Level 14

Here, we are given a private SSH key instead of a password. Additionally, we are informed that the /etc/bandit_pass/ location on the server contains the password for every level but can only be accessed when we are on that specific level.

We can log in to the next level using this key, but we are already in an SSH session. So, we will first copy the key to our own system using scp and then log in from there.

scp -P 2220 bandit13@bandit.labs.overthewire.org:~/sshkey.private .

Next, we will restrict the permissions of this key to the owner only, as ssh would otherwise refuse to use it and throw an error.

chmod 700 sshkey.private

Finally, we will use this key to log in to the next level.

ssh -p 2220 -i sshkey.private bandit14@bandit.labs.overthewire.org
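The permission step above, as an added example that is not part of the original post: ssh rejects a private key that has any group or other permission bits set (mode & 077), which is why 700 is accepted and 600 is the tighter choice. The function names and the temporary stand-in file are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: check a key file the way ssh does before the login step.
# Function names are hypothetical, not from the original post.

# Print the octal permission bits (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Return 0 when no group/other bits are set (mode & 077 == 0),
# the condition ssh requires for a private key owned by the user.
key_perms_ok() {
    mode=$(file_mode "$1") || return 2
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Report the current mode and tighten to 600 (owner read/write) if needed.
harden_key() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 2; }
    if key_perms_ok "$1"; then
        echo "ok      $(file_mode "$1") $1"
    else
        echo "fixing  $(file_mode "$1") -> 600 $1"
        chmod 600 "$1"
    fi
}

# Demo on a constructed stand-in file (not a real key).
demo=$(mktemp)
chmod 644 "$demo"; harden_key "$demo"   # group/other readable: would be rejected
chmod 700 "$demo"; harden_key "$demo"   # the mode used above: accepted
rm -f "$demo"
```

Run `harden_key sshkey.private` after the scp step in place of the manual chmod.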

Level 15

In this level, you can obtain the password by sending the current level's password to port 30000 on localhost. To achieve this, you can use the nc command to transmit the password over localhost on port 30000:

echo "pass_here" | nc localhost 30000

Level 16

In this level, you can obtain the password by sending the current level's password to port 30001 on localhost using SSL encryption. To accomplish this, you can use the openssl command:

openssl s_client -connect localhost:30001

Now, enter the password.

Level 17

In this level, you are tasked with scanning ports within the range of 31000 to 32000 and identifying ports with SSL services running on them. To achieve this, you can use the following nmap command:

nmap -p 31000-32000 -sV localhost

There is an unknown SSL service running on port 31790. We will send the password to it using the openssl command we used in the previous level.

openssl s_client -connect localhost:31790

Once you enter the password, you will receive the SSH key. Now, use this to log into the next level.

Level 18

In this level, we are given two files and the changed line between them is the password. We can get the changed line using the diff command.

diff passwords.old passwords.new

Level 19

In this level, the password is stored in the readme file in the home directory. Unfortunately, .bashrc is modified and you are immediately logged out.

As we know that the file is in the home directory, we can use the scp command to get files from the server to our system. The remote path is quoted so that the local shell does not try to expand the * itself.

scp -P 2220 'bandit18@bandit.labs.overthewire.org:*' .

Level 20

In this level, we are given a setuid binary and asked to execute it.

./bandit20-do

On executing it, the binary says that we can use it to execute commands as another user. We will now use it to read the password from /etc/bandit_pass.

./bandit20-do cat /etc/bandit_pass/bandit20