Bandit: Level 27 - Level 33

Level 27 -> Level 28

- Hint

There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo via the port 2220. The password for the user bandit27-git is the same as for the user bandit27.

Clone the repository and find the password for the next level.

 

- git clone

git clone ssh://[user@]host.xz[:port]/path/to/repo.git/

 

bandit27@bandit:~$ cd /tmp/git
bandit27@bandit:/tmp/git$ git clone ssh://bandit27-git@localhost/home/bandit27-git/repo
Cloning into 'repo'...
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/home/bandit27/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/home/bandit27/.ssh/known_hosts).

                      This is an OverTheWire game server. 
            More information on http://www.overthewire.org/wargames

!!! You are trying to log into this SSH server on port 22, which is not intended.

bandit27-git@localhost: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have 


bandit27@bandit:/tmp/git/repo$ man git clone | grep "ssh"
           When given, and the repository to clone from is accessed via ssh, this
       Git supports ssh, git, http, and https protocols (in addition, ftp, and ftps
       •   ssh://[user@]host.xz[:port]/path/to/repo.git/
       An alternative scp-like syntax may also be used with the ssh protocol:
       ./foo:bar to avoid being misinterpreted as an ssh url.
       The ssh and git protocols additionally support ~username expansion:
       •   ssh://[user@]host.xz[:port]/~[user]/path/to/repo.git/
                   [url "ssh://example.org/"]
       "ssh://example.org/path/to/repo.git" for pushes, but pulls will still use
bandit2


bandit27@bandit:/tmp/git$ git clone ssh://bandit27-git@localhost:2220/home/bandit27-git/repo
Cloning into 'repo'...
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can't be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/home/bandit27/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/home/bandit27/.ssh/known_hosts).
                         _                     _ _ _   
                        | |__   __ _ _ __   __| (_) |_ 
                        | '_ \ / _` | '_ \ / _` | | __|
                        | |_) | (_| | | | | (_| | | |_ 
                        |_.__/ \__,_|_| |_|\__,_|_|\__|
                                                       

                      This is an OverTheWire game server. 
            More information on http://www.overthewire.org/wargames

bandit27-git@localhost's password: 
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (3/3), 286 bytes | 286.00 KiB/s, done.
bandit27@bandit:/tmp/git$ ls
repo
bandit27@bandit:/tmp/git$ cd repo
bandit27@bandit:/tmp/git/repo$ ls
README
bandit27@bandit:/tmp/git/repo$ cat README
The password to the next level is: AVanL161y9rsbcJIsFHuw35rjaOM19nR

AVanL161y9rsbcJIsFHuw35rjaOM19nR

 

 

Level 28 -> Level 29

- Hint

There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo via the port 2220. The password for the user bandit28-git is the same as for the user bandit28.

Clone the repository and find the password for the next level.

 

bandit28@bandit:/$ mkdir /tmp/level28
bandit28@bandit:/$ cd /tmp/level28


bandit28@bandit:/tmp/level28$ git clone ssh://bandit28-git@localhost:2220/home/bandit28-git/repo
Cloning into 'repo'...
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can't be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/home/bandit28/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/home/bandit28/.ssh/known_hosts).
                         _                     _ _ _   
                        | |__   __ _ _ __   __| (_) |_ 
                        | '_ \ / _` | '_ \ / _` | | __|
                        | |_) | (_| | | | | (_| | | |_ 
                        |_.__/ \__,_|_| |_|\__,_|_|\__|
                                                       

                      This is an OverTheWire game server. 
            More information on http://www.overthewire.org/wargames

bandit28-git@localhost's password: 
remote: Enumerating objects: 9, done.
remote: Counting objects: 100% (9/9), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 9 (delta 2), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (9/9), done.
Resolving deltas: 100% (2/2), done.

bandit28@bandit:/tmp/level28$ ls
repo
bandit28@bandit:/tmp/level28$ cd repo
bandit28@bandit:/tmp/level28/repo$ ls
README.md
bandit28@bandit:/tmp/level28/repo$ cat README.md
# Bandit Notes
Some notes for level29 of bandit.

## credentials

- username: bandit29
- password: xxxxxxxxxx

 

- git blame 명령어

git-blame(1)
    Show what revision and author last modified each line of a file.

comment_id, 수정한 사람, 수정한 시간, 줄 번호, 파일 내용

 

- git show 명령어

comment_id를 입력하면 자세히 내용을 확인할 수 있다.

bandit28@bandit:/tmp/level28/repo$ git blame README.md
^c0a8c3c (Ben Dover   2023-04-23 18:04:39 +0000 1) # Bandit Notes
^c0a8c3c (Ben Dover   2023-04-23 18:04:39 +0000 2) Some notes for level29 of bandit.
^c0a8c3c (Ben Dover   2023-04-23 18:04:39 +0000 3) 
^c0a8c3c (Ben Dover   2023-04-23 18:04:39 +0000 4) ## credentials
^c0a8c3c (Ben Dover   2023-04-23 18:04:39 +0000 5) 
^c0a8c3c (Ben Dover   2023-04-23 18:04:39 +0000 6) - username: bandit29
899ba88d (Morla Porla 2023-04-23 18:04:39 +0000 7) - password: xxxxxxxxxx
^c0a8c3c (Ben Dover   2023-04-23 18:04:39 +0000 8) 

bandit28@bandit:/tmp/level28/repo$ git show 899ba88d
commit 899ba88df296331cc01f30d022c006775d467f28 (HEAD -> master, origin/master, origin/HEAD)
Author: Morla Porla <morla@overthewire.org>
Date:   Sun Apr 23 18:04:39 2023 +0000

    fix info leak

diff --git a/README.md b/README.md
index b302105..5c6457b 100644
--- a/README.md
+++ b/README.md
@@ -4,5 +4,5 @@ Some notes for level29 of bandit.
 ## credentials
 
 - username: bandit29
-- password: tQKvmcwNYcFS6vmPHIUSI3ShmsrQZK8S
+- password: xxxxxxxxxx

 

- git log 명령어

commit history를 확인할 수 있다.

-p 옵션 : 각 커밋의 diff 결과를 보여준다.

-1 옵션 : 최근 한개의 결과만 보여준다.

-2 옵션 : 최근 두개의 결과만 보여준다.

 

bandit28@bandit:/tmp/level28/repo$ git log
commit 899ba88df296331cc01f30d022c006775d467f28 (HEAD -> master, origin/master, origin/HEAD)
Author: Morla Porla <morla@overthewire.org>
Date:   Sun Apr 23 18:04:39 2023 +0000

    fix info leak

commit abcff758fa6343a0d002a1c0add1ad8c71b88534
Author: Morla Porla <morla@overthewire.org>
Date:   Sun Apr 23 18:04:39 2023 +0000

    add missing data

commit c0a8c3cf093fba65f4ee0e1fe2a530b799508c78
Author: Ben Dover <noone@overthewire.org>
Date:   Sun Apr 23 18:04:39 2023 +0000

    initial commit of README.md
    
    
bandit28@bandit:/tmp/level28/repo$ git log -p -1
commit 899ba88df296331cc01f30d022c006775d467f28 (HEAD -> master, origin/master, origin/HEAD)
Author: Morla Porla <morla@overthewire.org>
Date:   Sun Apr 23 18:04:39 2023 +0000

    fix info leak

diff --git a/README.md b/README.md
index b302105..5c6457b 100644
--- a/README.md
+++ b/README.md
@@ -4,5 +4,5 @@ Some notes for level29 of bandit.
 ## credentials
 
 - username: bandit29
-- password: tQKvmcwNYcFS6vmPHIUSI3ShmsrQZK8S
+- password: xxxxxxxxxx

tQKvmcwNYcFS6vmPHIUSI3ShmsrQZK8S

 

 

Level 29 -> Level 30

- Hint

There is a git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo via the port 2220. The password for the user bandit29-git is the same as for the user bandit29.

Clone the repository and find the password for the next level.

 

 

- 풀이

이전 문제와 동일하게 clone 후 README.md 파일을 확인한다.

bandit29@bandit:/tmp/level29/repo$ ls
README.md
bandit29@bandit:/tmp/level29/repo$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.

## credentials

- username: bandit30
- password: <no passwords in production!>

 

 

- git branch 명령어

브랜치 목록을 표시하거나 현재 브랜치를 확인한다.

-a 옵션 : 로컬 및 원격 브랜치 목록을 모두 표시한다.

 

- git checkout 명령어

브랜치를 전환하거나 커밋을 복원한다.

git checkout <브랜치_이름>

bandit29@bandit:/tmp/level29/repo$ git branch
  dev
* master
bandit29@bandit:/tmp/level29/repo$ git branch -a
  dev
* master
  remotes/origin/HEAD -> origin/master
  remotes/origin/dev
  remotes/origin/master
  remotes/origin/sploits-dev
bandit29@bandit:/tmp/level29/repo$ git checkout dev
Switched to branch 'dev'
Your branch is up to date with 'origin/dev'.
bandit29@bandit:/tmp/level29/repo$ ll
total 20
drwxrwxr-x 4 bandit29 bandit29 4096 Sep 17 04:16 ./
drwxrwxrwx 3 bandit29 bandit29 4096 Sep 17 03:35 ../
drwxrwxr-x 2 bandit29 bandit29 4096 Sep 17 04:16 code/
drwxrwxr-x 8 bandit29 bandit29 4096 Sep 17 04:16 .git/
-rw-rw-r-- 1 bandit29 bandit29  134 Sep 17 04:16 README.md
bandit29@bandit:/tmp/level29/repo$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.

## credentials

- username: bandit30
- password: xbhV3HpNGlTIdnjUrdAlPzc2L6y9EOnS

xbhV3HpNGlTIdnjUrdAlPzc2L6y9EOnS

 

 

Level 30 -> Level 31

There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo via the port 2220. The password for the user bandit30-git is the same as for the user bandit30.

 

 

bandit30@bandit:/tmp/level30/repo/.git$ ls
branches  description  HEAD   index  logs     packed-refs
config    FETCH_HEAD   hooks  info   objects  refs
bandit30@bandit:/tmp/level30/repo/.git$ cat packed-refs
# pack-refs with: peeled fully-peeled sorted 
59530d30d299ff2e3e9719c096ebf46a65cc1424 refs/remotes/origin/master
831aac2e2341f009e40e46392a4f5dd318483019 refs/tags/secret
bandit30@bandit:/tmp/level30/repo/.git$ git show secret
OoffzGDlzhAlerFJ2cAiz1D41JW1Mhmt

bandit30@bandit:/tmp/level30/repo/.git$ git show-ref
59530d30d299ff2e3e9719c096ebf46a65cc1424 refs/heads/master
59530d30d299ff2e3e9719c096ebf46a65cc1424 refs/remotes/origin/HEAD
59530d30d299ff2e3e9719c096ebf46a65cc1424 refs/remotes/origin/master
831aac2e2341f009e40e46392a4f5dd318483019 refs/tags/secret
bandit30@bandit:/tmp/level30/repo/.git$ git show 831aac2e2341f009e40e46392a4f5dd318483019
OoffzGDlzhAlerFJ2cAiz1D41JW1Mhmt


bandit30@bandit:/tmp/level30/repo/.git$ git tag
secret
bandit30@bandit:/tmp/level30/repo/.git$ git show secret
OoffzGDlzhAlerFJ2cAiz1D41JW1Mhmt

OoffzGDlzhAlerFJ2cAiz1D41JW1Mhmt

 

 

Level 31 -> Level 32

There is a git repository at ssh://bandit31-git@localhost/home/bandit31-git/repo via the port 2220. The password for the user bandit31-git is the same as for the user bandit31.

Clone the repository and find the password for the next level.

- 풀이

README.md 파일을 읽어보면 key.txt 파일을 push 하라고 되어 있다.

bandit31@bandit:~$ cd /tmp/level31
bandit31@bandit:/tmp/level31$ chmod 777 .
bandit31@bandit:/tmp/level31$ git clone ssh://bandit31-git@localhost:2220/home/bandit31-git/repo
Cloning into 'repo'...
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can't be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/home/bandit31/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/home/bandit31/.ssh/known_hosts).
                         _                     _ _ _   
                        | |__   __ _ _ __   __| (_) |_ 
                        | '_ \ / _` | '_ \ / _` | | __|
                        | |_) | (_| | | | | (_| | | |_ 
                        |_.__/ \__,_|_| |_|\__,_|_|\__|
                                                       

                      This is an OverTheWire game server. 
            More information on http://www.overthewire.org/wargames

bandit31-git@localhost's password: 
remote: Enumerating objects: 4, done.
remote: Counting objects: 100% (4/4), done.
remote: Compressing objects: 100% (3/3), done.
remote: Total 4 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (4/4), done.

bandit31@bandit:/tmp/level31$ ls
repo
bandit31@bandit:/tmp/level31$ cd repo
bandit31@bandit:/tmp/level31/repo$ ls
README.md
bandit31@bandit:/tmp/level31/repo$ cat README.md
This time your task is to push a file to the remote repository.

Details:
    File name: key.txt
    Content: 'May I come in?'
    Branch: master

 

key.txt 파일을 만들고, push 하기 위한 과정을 진행할 때, .gitignore 파일에 의해 되지 않는다.

 

- gitignore

git으로 추적하지 않아야 하는 파일 및 디렉터리를 정의하는 파일이다.

주로 개인정보, 로그파일, 빌드 아웃풋, 중간파일 등을 gitignore 파일을 통해 추적 밖으로 제외시킨다.

프로젝트의 루트 디렉터리에 놓이며, 여러 개의 파일을 서브디렉터리에 놓아서 하위 디렉터리별로 git이 추적하지 않아야 하는 파일을 관리할 수 있다.

파일 안에 *.txt가 있어, txt 파일들은 모두 업로드가 불가하다.

bandit31@bandit:/tmp/level31/repo$ touch key.txt
bandit31@bandit:/tmp/level31/repo$ echo "May I come in?" > key.txt
bandit31@bandit:/tmp/level31/repo$ git add key.txt
The following paths are ignored by one of your .gitignore files:
key.txt
hint: Use -f if you really want to add them.
hint: Turn this message off by running
hint: "git config advice.addIgnoredFile false"

 

gitignore 파일을 수정해주면 된다.

bandit31@bandit:/tmp/level31/repo$ vi .gitignore
# *.txt


bandit31@bandit:/tmp/level31/repo$ git add key.txt
bandit31@bandit:/tmp/level31/repo$ git commit -m "test"
[master 0c63e4e] test
 1 file changed, 1 insertion(+)
 create mode 100644 key.txt
bandit31@bandit:/tmp/level31/repo$ git push origin master
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can't be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/home/bandit31/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/home/bandit31/.ssh/known_hosts).
                         _                     _ _ _   
                        | |__   __ _ _ __   __| (_) |_ 
                        | '_ \ / _` | '_ \ / _` | | __|
                        | |_) | (_| | | | | (_| | | |_ 
                        |_.__/ \__,_|_| |_|\__,_|_|\__|
                                                       

                      This is an OverTheWire game server. 
            More information on http://www.overthewire.org/wargames

bandit31-git@localhost's password: 
Enumerating objects: 4, done.
Counting objects: 100% (4/4), done.
Delta compression using up to 2 threads
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 318 bytes | 318.00 KiB/s, done.
Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
remote: ### Attempting to validate files... ####
remote: 
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote: 
remote: Well done! Here is the password for the next level:
remote: rmCBvG56y58BXzv98yZGdO7ATVL5dW8y 
remote: 
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote: 
To ssh://localhost:2220/home/bandit31-git/repo
 ! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'ssh://localhost:2220/home/bandit31-git/repo'

rmCBvG56y58BXzv98yZGdO7ATVL5dW8y

 

Level 32 -> Level 33

After all this git stuff its time for another escape. Good luck!

 

- 풀이

명령어를 입력하면 모두 대문자로 입력되고, permission denied가 뜬다.

>> ls
sh: 1: LS: Permission denied
>> pwd
sh: 1: PWD: Permission denied
>> cd
sh: 1: CD: Permission denied

 

uppershell인 것을 확인할 수 있다.

bandit31@bandit:~$ cat /etc/passwd | grep "bandit32"
bandit32:x:11032:11032:bandit level 32:/home/bandit32:/home/bandit32/uppershell
bandit31@bandit:~$

 

즉, bandit32로 로그인하면 uppershell은 사용자 입력 값을 명령행 인수로 받아 대문자로 치환하여 본쉘로 실행하는 것을 알 수 있다.

ex) 입력 값 : ls -> ./sh LS

 

- 위치 매개변수

스크립트나 프로그램이 실행될 때 전달된 명령행 인수를 저장하는 변수

  명령행 인수(arguments) : 사용자가 스크립트나 프로그램 실행할 때 명령줄에서 전달하는 값

$0 : 실행된 스크립트 또는 프로그램 파일 경로

$1, $2, $3, ... : 1부터 시작하여 순서대로 명령행 인수를 저장한다.

$* : 전체 인자 값

$@ : 전체 인자 값

$# : 매개변수 총 개수

 

uppershell 프로그램이 실행될 때, 스크립트 파일의 경로는 sh이므로,

$0을 입력하면 sh이 실행된다.

>> $0
$ echo $0
sh
$ cat /etc/bandit_pass/bandit33
odHo63fHiFqcWWJG9rLiLDtPm45KzUKy
$ python3 -c "import pty;pty.spawn('/bin/bash')"
bandit33@bandit:~$ ls
uppershell

odHo63fHiFqcWWJG9rLiLDtPm45KzUKy

 

 

Level33

bandit33@bandit:~$ ls
README.txt
bandit33@bandit:~$ cat README.txt
Congratulations on solving the last level of this game!

At this moment, there are no more levels to play in this game. However, we are constantly working
on new levels and will most likely expand this game with more levels soon.
Keep an eye out for an announcement on our usual communication channels!
In the meantime, you could play some of our other wargames.

If you have an idea for an awesome new level, please let us know!
bandit33@bandit:~$