Home TechnicalOverthewire Bandit Speedrun

OverTheWire: Bandit Speedrun

Published Oct 24, 2025

⋅

Updated Oct 24, 2025

⋅

10 minutes read

Level 0 -> 1

You gotta login to the server with SSH:

SSH: ssh bandit0@bandit.labs.overthewire.org -p 2220 Password: bandit0

Retrieve next level's password via:

bandit0@bandit:~$ cat readme
ZjLjTmM6FvvyRnrb2rfNWOZOTa6ip5If

Level 1 -> 2

SSH: ssh bandit1@bandit.labs.overthewire.org -p 2220 password: ZjLjTmM6FvvyRnrb2rfNWOZOTa6ip5If

Retrieve next level's password via:

bandit1@bandit:~$ cat ./-
263JGJPfgU6LtdEvgfWU1XP5yac29mFx

Level 2 -> 3

SSH: ssh bandit2@bandit.labs.overthewire.org -p 2220 Password: 263JGJPfgU6LtdEvgfWU1XP5yac29mFx

Retrieve next level's password via:

bandit2@bandit:~$ cat ./--spaces\ in\ this\ filename--
MNk8KNH3Usiio41PRUEoDFPqfxLPlSmx

Level 3 -> 4

SSH: ssh bandit3@bandit.labs.overthewire.org -p 2220 Password: MNk8KNH3Usiio41PRUEoDFPqfxLPlSmx

Once you're logged in, cd into the /inhere/ dir:

bandit3@bandit:~$ cd ./inhere/

Then, list the hidden directories:

bandit3@bandit:~/inhere$ ls -a
.  ..  ...Hiding-From-You

The password is within the ...Hidden-From-You file:

bandit3@bandit:~/inhere$ cat ...Hiding-From-You
2WmrDFRmJIq3IPxneAaMGhap0pFhF3NJ

Level 4 -> 5

SSH: ssh bandit4@bandit.labs.overthewire.org -p 2220 Password: 2WmrDFRmJIq3IPxneAaMGhap0pFhF3NJ

Once you're logged in, cd into the /inhere/ dir:

bandit3@bandit:~$ cd ./inhere/

There are bunch of files here that are not human-readable, use the following command to find the human-readable file:

bandit4@bandit:~/inhere$ file ./*
./-file00: data
./-file01: data
./-file02: data
./-file03: data
./-file04: data
./-file05: data
./-file06: data
./-file07: ASCII text
./-file08: data
./-file09: data

./-file07 is ASCII text:

bandit4@bandit:~/inhere$ cat ./-file07
4oQYVPkxZOOEOO5pTW81FB8j8lxXGUQw

Level 5 -> 6

SSH: ssh bandit5@bandit.labs.overthewire.org -p 2220 Password: 4oQYVPkxZOOEOO5pTW81FB8j8lxXGUQw

Once you're logged in, cd into the /inhere/ dir:

bandit3@bandit:~$ cd ./inhere/

Take a look at what's inside ./inhere:

bandit5@bandit:~/inhere$ ls -la
total 88
drwxr-x--- 22 root bandit5 4096 Oct 14 09:26 .
drwxr-xr-x  3 root root    4096 Oct 14 09:26 ..
drwxr-x---  2 root bandit5 4096 Oct 14 09:26 maybehere00
drwxr-x---  2 root bandit5 4096 Oct 14 09:26 maybehere01
drwxr-x---  2 root bandit5 4096 Oct 14 09:26 maybehere02
drwxr-x---  2 root bandit5 4096 Oct 14 09:26 maybehere03
drwxr-x---  2 root bandit5 4096 Oct 14 09:26 maybehere04
drwxr-x---  2 root bandit5 4096 Oct 14 09:26 maybehere05
drwxr-x---  2 root bandit5 4096 Oct 14 09:26 maybehere06
drwxr-x---  2 root bandit5 4096 Oct 14 09:26 maybehere07
drwxr-x---  2 root bandit5 4096 Oct 14 09:26 maybehere08
drwxr-x---  2 root bandit5 4096 Oct 14 09:26 maybehere09
drwxr-x---  2 root bandit5 4096 Oct 14 09:26 maybehere10
drwxr-x---  2 root bandit5 4096 Oct 14 09:26 maybehere11
drwxr-x---  2 root bandit5 4096 Oct 14 09:26 maybehere12
drwxr-x---  2 root bandit5 4096 Oct 14 09:26 maybehere13
drwxr-x---  2 root bandit5 4096 Oct 14 09:26 maybehere14
drwxr-x---  2 root bandit5 4096 Oct 14 09:26 maybehere15
drwxr-x---  2 root bandit5 4096 Oct 14 09:26 maybehere16
drwxr-x---  2 root bandit5 4096 Oct 14 09:26 maybehere17
drwxr-x---  2 root bandit5 4096 Oct 14 09:26 maybehere18
drwxr-x---  2 root bandit5 4096 Oct 14 09:26 maybehere19

Use the properties from the question to find the target file:

bandit5@bandit:~$ find . -type f -size 1033c -not -executable -exec file {} + | grep ASCII
./inhere/maybehere07/.file2: ASCII text, with very long lines (1000)

./inhere/maybehere07/.file2 is ASCII:

bandit5@bandit:~$ cat ./inhere/maybehere07/.file2
HWasnPhtq9AVKe0dmk45nxy20cvUa6EG

Level 6 -> 7

SSH: ssh bandit6@bandit.labs.overthewire.org -p 2220 Password: HWasnPhtq9AVKe0dmk45nxy20cvUa6EG

Find the file owned by user bandit7 & owned by group bandit6 and is 33 bytes in size:

bandit6@bandit:~$ find / -type f -user bandit7 -group bandit6 -size 33c 2>/dev/null
/var/lib/dpkg/info/bandit7.password

Get the password:

bandit6@bandit:~$ cat /var/lib/dpkg/info/bandit7.password
morbNTDkSW6jIlUc0ymOdMaLnOlFVAaj

Level 7 -> 8

SSH: ssh bandit7@bandit.labs.overthewire.org -p 2220 Password: morbNTDkSW6jIlUc0ymOdMaLnOlFVAaj

Since the password is in the same line as the word millionth

bandit7@bandit:~$ cat data.txt | grep millionth
millionth	dfwvzFQi4mU0wfNbFOe9RoWskMLg7eEc

Level 8 -> 9

SSH: ssh bandit8@bandit.labs.overthewire.org -p 2220 Password: dfwvzFQi4mU0wfNbFOe9RoWskMLg7eEc

You gotta find the line that only occures once:

bandit8@bandit:~$ sort data.txt | uniq -u
4CKMh1JI91bUIZZPXDqGanal4xvAg0JM

Level 9 -> 10

SSH: ssh bandit9@bandit.labs.overthewire.org -p 2220 Password: 4CKMh1JI91bUIZZPXDqGanal4xvAg0JM

You just need to filter out the lines that inclues more than one "=" sign:

bandit9@bandit:~$ strings data.txt | grep ===
========== the
========== password
E========== is
5========== FGUW5ilLVJrxX9kMYMmlN4MgbpfMiqey

Level 10 -> 11

SSH: ssh bandit10@bandit.labs.overthewire.org -p 2220 Password: FGUW5ilLVJrxX9kMYMmlN4MgbpfMiqey

bandit10@bandit:~$ base64 -d data.txt
The password is dtR173fZKb0RRsDFSGsg2RWnpNVj3qRr

Decode data.txt:

bandit10@bandit:~$ base64 -d data.txt
The password is dtR173fZKb0RRsDFSGsg2RWnpNVj3qRr

Level 11 -> 12

SSH: ssh bandit11@bandit.labs.overthewire.org -p 2220 Password: dtR173fZKb0RRsDFSGsg2RWnpNVj3qRr

You gotta replace the characters using tr command, I coppied this solution from https://mayadevbe.me/posts/overthewire/bandit/level12/

bandit11@bandit:~$ strings data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'
The password is 7x16WNeHIi5YkIhWsfFIqoognUTyj9Q4

Level 12 -> 13

SSH: ssh bandit12@bandit.labs.overthewire.org -p 2220 Password: 7x16WNeHIi5YkIhWsfFIqoognUTyj9Q4

Repeatedly decompress the data till you get the password.

Here's the full solution as of 25th October, 2025 (the order of compressions may change in the future):

bandit12@bandit:~$ ls
data.txt
bandit12@bandit:~$ mktemp -d
/tmp/tmp.G9sjaV8m6G
bandit12@bandit:~$ cd /tmp/tmp.G9sjaV8m6G
bandit12@bandit:/tmp/tmp.G9sjaV8m6G$ cp ~/data.txt data.txt
bandit12@bandit:/tmp/tmp.G9sjaV8m6G$ ls
data.txt
bandit12@bandit:/tmp/tmp.G9sjaV8m6G$ mv data.txt hexdump
bandit12@bandit:/tmp/tmp.G9sjaV8m6G$ ls
hexdump
bandit12@bandit:/tmp/tmp.G9sjaV8m6G$ xxd -r hexdump data
bandit12@bandit:/tmp/tmp.G9sjaV8m6G$ ls
data  hexdump
bandit12@bandit:/tmp/tmp.G9sjaV8m6G$ mv data data.gz
bandit12@bandit:/tmp/tmp.G9sjaV8m6G$ gzip -d data.gz
bandit12@bandit:/tmp/tmp.G9sjaV8m6G$ ls
data  hexdump
bandit12@bandit:/tmp/tmp.G9sjaV8m6G$ file data
data: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/tmp.G9sjaV8m6G$ mv data data.bz2
bandit12@bandit:/tmp/tmp.G9sjaV8m6G$ bzip2 -d data.bz2
bandit12@bandit:/tmp/tmp.G9sjaV8m6G$ ls
data  hexdump
bandit12@bandit:/tmp/tmp.G9sjaV8m6G$ file data
data: gzip compressed data, was "data4.bin", last modified: Tue Oct 14 09:26:00 2025, max compression, from Unix, original size modulo 2^32 20480
bandit12@bandit:/tmp/tmp.G9sjaV8m6G$ mv data data.gz
bandit12@bandit:/tmp/tmp.G9sjaV8m6G$ gzip -d data.gz
bandit12@bandit:/tmp/tmp.G9sjaV8m6G$ file data
data: POSIX tar archive (GNU)
bandit12@bandit:/tmp/tmp.G9sjaV8m6G$ mv data data.tar
bandit12@bandit:/tmp/tmp.G9sjaV8m6G$ tar -xf data.tar
bandit12@bandit:/tmp/tmp.G9sjaV8m6G$ file data.tar
data.tar: POSIX tar archive (GNU)
bandit12@bandit:/tmp/tmp.G9sjaV8m6G$ ls
data5.bin  data.tar  hexdump
bandit12@bandit:/tmp/tmp.G9sjaV8m6G$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@bandit:/tmp/tmp.G9sjaV8m6G$ rm -rf data.tar
bandit12@bandit:/tmp/tmp.G9sjaV8m6G$ mv data5.bin data.tar
bandit12@bandit:/tmp/tmp.G9sjaV8m6G$ tar -xf data.tar
bandit12@bandit:/tmp/tmp.G9sjaV8m6G$ ls
data6.bin  data.tar  hexdump
bandit12@bandit:/tmp/tmp.G9sjaV8m6G$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/tmp.G9sjaV8m6G$ mv data6.bin data.bz2
bandit12@bandit:/tmp/tmp.G9sjaV8m6G$ bzip2 -d data.bz2
bandit12@bandit:/tmp/tmp.G9sjaV8m6G$ ls
data  data.tar  hexdump
bandit12@bandit:/tmp/tmp.G9sjaV8m6G$ file data
data: POSIX tar archive (GNU)
bandit12@bandit:/tmp/tmp.G9sjaV8m6G$ mv data data.tar
bandit12@bandit:/tmp/tmp.G9sjaV8m6G$ tar -xf data.tar
bandit12@bandit:/tmp/tmp.G9sjaV8m6G$ ls
data8.bin  data.tar  hexdump
bandit12@bandit:/tmp/tmp.G9sjaV8m6G$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", last modified: Tue Oct 14 09:26:00 2025, max compression, from Unix, original size modulo 2^32 49
bandit12@bandit:/tmp/tmp.G9sjaV8m6G$ mv data8.bin data.gz
bandit12@bandit:/tmp/tmp.G9sjaV8m6G$ gzip -d data.gz
bandit12@bandit:/tmp/tmp.G9sjaV8m6G$ ls
data  data.tar  hexdump
bandit12@bandit:/tmp/tmp.G9sjaV8m6G$ file data
data: ASCII text
bandit12@bandit:/tmp/tmp.G9sjaV8m6G$ cat data
The password is FO5dwFsc0cbaIiH0h8J2eUks2vdTDwAn

Level 13 -> 14

SSH: ssh bandit13@bandit.labs.overthewire.org -p 2220 Password: FO5dwFsc0cbaIiH0h8J2eUks2vdTDwAn

There is a ssh key in the home directory of this machine, transfer the file to your own machine:

scp -P 2220 bandit13@bandit.labs.overthewire.org:sshkey.private .

Update the file access:

chmod 700 sshkey.private

Connect to level 14 via the ssh key:

ssh -i sshkey.private bandit14@bandit.labs.overthewire.org -p 2220

Level 14 -> 15

SSH: ssh -i sshkey.private bandit14@bandit.labs.overthewire.org -p 2220 Password: (ssh key from the prev level)

You gotta submit the current level's password to localhost:30000:

bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
MU4VWeTyJk8ROof1qqmcBPaLh7lDCPvS
bandit14@bandit:~$ nc localhost 30000
MU4VWeTyJk8ROof1qqmcBPaLh7lDCPvS
Correct!
8xCjnmgoKbGLhHFAZlGE5Tmu4M2tKJQo

Level 15 -> 16

SSH: ssh bandit15@bandit.labs.overthewire.org -p 2220 Password: 8xCjnmgoKbGLhHFAZlGE5Tmu4M2tKJQo

The password can be retrieved using SSL encryption, connect to the localhost server and send the password from the current level:

bandit15@bandit:~$ openssl s_client -connect localhost:30001
...
8xCjnmgoKbGLhHFAZlGE5Tmu4M2tKJQo
Correct!
kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx
 
closed

Level 16 -> 17

SSH: ssh bandit16@bandit.labs.overthewire.org -p 2220 Password: kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx

Retrieve the ssh key by submitting the bandit16's password to port 31790:

bandit16@bandit:~$ openssl s_client -connect localhost:31790 -quiet
Can't use SSL_get_servername
depth=0 CN = SnakeOil
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN = SnakeOil
verify return:1
kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx
Correct!
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
-----END RSA PRIVATE KEY-----

Level 17 -> 18

SSH: ssh -i sshkey.private bandit17@bandit.labs.overthewire.org -p 2220 Password: (ssh key from the prev level)

Find the line that is is different between two files:

bandit17@bandit:~$ diff passwords.old passwords.new
42c42
< BMIOFKM7CRSLI97voLp3TD80NAq5exxk
---
> x2gLTTjFwMOhQ8oWNbMN362QKxfRqGlO

Level 18 -> 19

SSH: ssh bandit18@bandit.labs.overthewire.org -p 2220 Password: x2gLTTjFwMOhQ8oWNbMN362QKxfRqGlO

You'll get automatically logged out from this server whenever you try to login, you need to run the commands remotely:

$ ssh bandit18@bandit.labs.overthewire.org -p 2220 ls
readme
$ ssh bandit18@bandit.labs.overthewire.org -p 2220 cat readme
bandit18@bandit.labs.overthewire.org's password:
cGWpMaKXVwDUNgPAVJbWYuGHVn9zl3j8

Level 19 -> 20

SSH: ssh bandit19@bandit.labs.overthewire.org -p 2220 Password: cGWpMaKXVwDUNgPAVJbWYuGHVn9zl3j8

Use the ./bandit20-do script to run commands as bandit20 user:

bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO

Level 20 -> 21

SSH: ssh bandit20@bandit.labs.overthewire.org -p 2220 Password: 0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO

Use netcat to create a connection in server mode:

bandit20@bandit:~$ nc -lvp 2222
Listening on 0.0.0.0 2222

Run ./suconnet with the port you used for the connection`

./suconnet 2222

Then submit the bandit20's password to the netcat connection to retrieve the next level's password:

bandit20@bandit:~$ nc -lvp 2222
Listening on 0.0.0.0 2222
Connection received on localhost 46044
0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO
EeoULMCra2q0dSkYj561DX7s1CpBuOBt

Level 21 -> 22

SSH: ssh bandit21@bandit.labs.overthewire.org -p 2220 Password: EeoULMCra2q0dSkYj561DX7s1CpBuOBt

There is a cron job running /usr/bin/cronjob_bandit22.sh every minutes, follow the cron job's script to retrieve the password from /tmp dir:

bandit21@bandit:~$ ls -la /etc/cron.d
total 60
drwxr-xr-x   2 root root  4096 Oct 14 09:29 .
drwxr-xr-x 128 root root 12288 Oct 14 10:38 ..
-r--r-----   1 root root    47 Oct 14 09:26 behemoth4_cleanup
-rw-r--r--   1 root root   123 Oct 14 09:19 clean_tmp
-rw-r--r--   1 root root   120 Oct 14 09:26 cronjob_bandit22
-rw-r--r--   1 root root   122 Oct 14 09:26 cronjob_bandit23
-rw-r--r--   1 root root   120 Oct 14 09:26 cronjob_bandit24
-rw-r--r--   1 root root   201 Apr  8  2024 e2scrub_all
-r--r-----   1 root root    48 Oct 14 09:27 leviathan5_cleanup
-rw-------   1 root root   138 Oct 14 09:28 manpage3_resetpw_job
-rwx------   1 root root    52 Oct 14 09:29 otw-tmp-dir
-rw-r--r--   1 root root   102 Mar 31  2024 .placeholder
-rw-r--r--   1 root root   396 Jan  9  2024 sysstat
bandit21@bandit:~$ cat /etc/cron.d/cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
bandit21@bandit:~$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
bandit21@bandit:~$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
tRae0UfB9v0UzbCdn9cY0gQnds9GF58Q

Level 22 -> 23

SSH: ssh bandit22@bandit.labs.overthewire.org -p 2220 Password: tRae0UfB9v0UzbCdn9cY0gQnds9GF58Q

The cron script generates a filename by MD5 hashing "I am user bandit23" and writes bandit23's password to that file in /tmp:

bandit22@bandit:~$ ls -la /etc/cron.d
total 60
drwxr-xr-x   2 root root  4096 Oct 14 09:29 .
drwxr-xr-x 128 root root 12288 Oct 14 10:38 ..
-r--r-----   1 root root    47 Oct 14 09:26 behemoth4_cleanup
-rw-r--r--   1 root root   123 Oct 14 09:19 clean_tmp
-rw-r--r--   1 root root   120 Oct 14 09:26 cronjob_bandit22
-rw-r--r--   1 root root   122 Oct 14 09:26 cronjob_bandit23
-rw-r--r--   1 root root   120 Oct 14 09:26 cronjob_bandit24
-rw-r--r--   1 root root   201 Apr  8  2024 e2scrub_all
-r--r-----   1 root root    48 Oct 14 09:27 leviathan5_cleanup
-rw-------   1 root root   138 Oct 14 09:28 manpage3_resetpw_job
-rwx------   1 root root    52 Oct 14 09:29 otw-tmp-dir
-rw-r--r--   1 root root   102 Mar 31  2024 .placeholder
-rw-r--r--   1 root root   396 Jan  9  2024 sysstat
bandit22@bandit:~$ cat /etc/cron.d/cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
bandit22@bandit:~$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash
 
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
 
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
 
cat /etc/bandit_pass/$myname > /tmp/$mytarget
bandit22@bandit:~$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349
bandit22@bandit:~$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
0Zf11ioIjMVN551jX3CmStKLYqjk54Ga

Level 23 -> 24

SSH: ssh bandit23@bandit.labs.overthewire.org -p 2220 Password: 0Zf11ioIjMVN551jX3CmStKLYqjk54Ga

Similar to previous level, there is a cron job running on the server. you gotta inject a script to this cron job to retrieve the next level's password

bandit23@bandit:~$ mkdir /tmp/yaz123
bandit23@bandit:~$ cd /tmp/yaz123
bandit23@bandit:/tmp/yaz123$ vim script.sh

Use this script, remember to rename the dir to whatever you used for your temp dir:

#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/yaz123/password

Create a password file and modify the dir access, then copy the script to the cron dir:

bandit23@bandit:/tmp/yaz123$ touch password
bandit23@bandit:/tmp/yaz123$ chmod 777 -R /tmp/yaz123
bandit23@bandit:/tmp/yaz123$ cp script.sh /var/spool/bandit24/foo

Wait for a min and then retrieve the password:

bandit23@bandit:/tmp/yaz123$ cat password
gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8

Level 24 -> 25

SSH: ssh bandit24@bandit.labs.overthewire.org -p 2220 Password: gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8

You gotta use the following script to connect to the port via netcat:

#!/bin/bash
 
for i in {0000..9999}
do
        echo gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8 $i >> x.txt
done
 
cat x.txt | nc localhost 30002 > result.txt

Create and run the script and grep for the password:

bandit24@bandit:~$ mktemp -d
/tmp/tmp.cVWr0tTOai
bandit24@bandit:~$ cd /tmp/tmp.cVWr0tTOai
bandit24@bandit:/tmp/tmp.cVWr0tTOai$ vim script.sh
bandit24@bandit:/tmp/tmp.cVWr0tTOai$ chmod +x script.sh
bandit24@bandit:/tmp/tmp.cVWr0tTOai$ ./script.sh
bandit24@bandit:/tmp/tmp.cVWr0tTOai$ sort result.txt | grep -v "Wrong!"
 
Correct!
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
The password of user bandit25 is iCi86ttT4KSNe1armKiwbQNmB3YJP3q4

Level 25 -> 26 -> 27

SSH: ssh bandit25@bandit.labs.overthewire.org -p 2220 Password: iCi86ttT4KSNe1armKiwbQNmB3YJP3q4k

Retrieve the ssh key for bandit 26:

$ scp -P 2220 bandit25@bandit.labs.overthewire.org:bandit26.sshkey .

Once connected, you have to enter into vim mode and change the shell:

:set shell=/bin/sh

then enter shell:

:shell

then retrieve the bandit27 password:

$ ./bandit27-do cat /etc/bandit\_pass/bandit27
upsNCc7vzaRDx6oZC6GiR6ERwe1MowGB

Level 27 -> 28

From bandit27, you gotta start cloning bunch of repos from the server via ssh:

$ git clone ssh://bandit27-git@bandit.labs.overthewire.org:2220/home/bandit27-git/repo

Password: upsNCc7vzaRDx6oZC6GiR6ERwe1MowGB

Then simply retrieve the password:

$ cat repo/README
The password to the next level is: Yz9IpL0sBcCeuG7m9uQFt8ZNpS4HZRcN

Level 28 -> 29

Clone the repo:

$ git clone ssh://bandit28-git@bandit.labs.overthewire.org:2220/home/bandit27-git/repo

Password: Yz9IpL0sBcCeuG7m9uQFt8ZNpS4HZRcN

Use git log to view the commit history, there is a commit which has info leak, pick the commit and use git show to view the commit and pickup the password.

Level 29 -> 30

Clone the repo

$ git clone ssh://bandit29-git@bandit.labs.overthewire.org:2220/home/bandit29-git/repo

Password: 4pT1t5DENaYuqnqvadYs1oE4QLCdjmJ7

Once you clone the repo, checkout to dev branch and retrieve the password from README.md:

qp30ex3VLz5MDG1n91YowTv4Q8l7CDZL

Level 30 -> 31

$ git clone ssh://bandit30-git@bandit.labs.overthewire.org:2220/home/bandit30-git/repo

Password: qp30ex3VLz5MDG1n91YowTv4Q8l7CDZL

Once you clone the repo, you just need to display the secret tag:

git show secret
fb5S2xb7bRyFmAvQYQGEqsbhVyJqhnDy

Level 31 -> 32

$ git clone ssh://bandit31-git@bandit.labs.overthewire.org:2220/home/bandit31-git/repo

Password: fb5S2xb7bRyFmAvQYQGEqsbhVyJqhnDy

Add key.txt file with content of "May I come in?"

Then commit the file and push it to the remote server, you can retrieve the password from the response once you push the commit:

➜  repo git:(master) echo "May I come in?" > key.txt
➜  repo git:(master) git add -f key.txt
➜  repo git:(master) ✗ git commit -a
[master b38277a] hello
 1 file changed, 1 insertion(+)
 create mode 100644 key.txt
➜  repo git:(master) git push
                         _                     _ _ _
                        | |__   __ _ _ __   __| (_) |_
                        | '_ \ / _` | '_ \ / _` | | __|
                        | |_) | (_| | | | | (_| | | |_
                        |_.__/ \__,_|_| |_|\__,_|_|\__|
 
 
                      This is an OverTheWire game server.
            More information on http://www.overthewire.org/wargames
 
backend: gibson-0
bandit31-git@bandit.labs.overthewire.org's password:
Enumerating objects: 4, done.
Counting objects: 100% (4/4), done.
Delta compression using up to 12 threads
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 319 bytes | 319.00 KiB/s, done.
Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
remote: ### Attempting to validate files... ####
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
remote: Well done! Here is the password for the next level:
remote: 3O9RfhqyAlVBEZpVb6LYStshZoqoSx5K
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
To ssh://bandit.labs.overthewire.org:2220/home/bandit31-git/repo
 ! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'ssh://bandit.labs.overthewire.org:2220/home/bandit31-git/repo'

Level 32 -> 33

SSH: ssh bandit32@bandit.labs.overthewire.org -p 2220 Password: 3O9RfhqyAlVBEZpVb6LYStshZoqoSx5K

Break out of the uppsercase shell and retrieve the password:

>> $0
$ ls -la
total 36
drwxr-xr-x   2 root     root      4096 Oct 14 09:26 .
drwxr-xr-x 150 root     root      4096 Oct 14 09:29 ..
-rw-r--r--   1 root     root       220 Mar 31  2024 .bash_logout
-rw-r--r--   1 root     root      3851 Oct 14 09:19 .bashrc
-rw-r--r--   1 root     root       807 Mar 31  2024 .profile
-rwsr-x---   1 bandit33 bandit32 15140 Oct 14 09:26 uppershell
$ cat /etc/bandit\_pass/bandit33
tQdtbs5D5i2vJwkO8mEyYEyTL8izoeJ0

Level 33 -> 34

SSH: ssh bandit33@bandit.labs.overthewire.org -p 2220 Password: tQdtbs5D5i2vJwkO8mEyYEyTL8izoeJ0

PreviousI Vibe Coded a Regex Engine (Or did I?)

t.me/kyx8n