Overthewire - Bandit
0x88dfac8bedc5 Lv3

Level 1

use cat ./- to prevent - from being interpreted as flag prefix

Level 2

use quotes or backslash to prevent whitespaces in the filename from being interpreted as argument delimiters

Level 3

with ls -A we observe there is a hidden file which contains the password

Level 4

use file ./* to find the file that is ASCII text, then use the method from level 1 to print it
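The four pitfalls above (a file named `-`, whitespace in a name, dotfiles, and spotting the one text file among binaries) come down to how the shell and the tools parse arguments. The following is an added example, not part of the original notes: it builds those files in a temporary directory and shows the robust forms. `make_fixture`, `safe_cat`, `count_entries` and `text_files` are hypothetical helper names, and `text_files` uses `tr` to test for the same "printable ASCII only" property that `file` reports as ASCII text, so it runs even where `file` is not installed.

```shell
#!/bin/sh
# Added example, not from the original post: the argument-parsing pitfalls
# behind Levels 1-4, exercised on files constructed in a temporary directory.

# Create the constructed files and print the directory path.
make_fixture() {
  d=$(mktemp -d)
  printf 'dash\n'   > "$d/-"                          # Level 1: the name is just "-"
  printf 'spaces\n' > "$d/spaces in this filename"    # Level 2: whitespace in the name
  printf 'hidden\n' > "$d/.hidden"                    # Level 3: dotfile, hidden from plain ls
  mkdir "$d/inhere"                                   # Level 4: one text file among binaries
  for i in 0 1 2 3; do printf '\001\002\003\377' > "$d/inhere/-file0$i"; done
  printf 'text\n' > "$d/inhere/-file07"
  printf '%s' "$d"
}

# cat a file whose name may begin with "-". Plain `cat -` reads stdin, and even
# `cat -- -` still means stdin, so prefixing "./" is the form that always works.
# Quoting "$1" is what keeps a name with spaces as one argument (Level 2).
safe_cat() {
  case "$1" in
    -*) cat "./$1" ;;
    *)  cat "$1" ;;
  esac
}

# Level 3: entry counts without and with -A (dotfiles only show up with -A).
count_entries() {
  visible=$(ls -- "$1" | wc -l | tr -d ' ')
  all=$(ls -A -- "$1" | wc -l | tr -d ' ')
  printf '%s %s\n' "$visible" "$all"
}

# Level 4: print the names of files in $1 that hold only printable ASCII and
# whitespace. In the C locale tr deletes exactly those bytes, so an empty
# result means the file is plain text (what `file` would call "ASCII text").
text_files() {
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    if [ "$(LC_ALL=C tr -d '[:print:][:space:]' < "$f" | wc -c | tr -d ' ')" = 0 ]; then
      printf '%s\n' "${f##*/}"
    fi
  done
}

# Run everything once against the constructed fixture and clean up.
demo() {
  d=$(make_fixture)
  ( cd "$d" && safe_cat - && safe_cat 'spaces in this filename' && safe_cat .hidden )
  count_entries "$d"
  text_files "$d/inhere"
  rm -rf "$d"
}

demo
```

Running it prints `dash`, `spaces`, `hidden`, then `3 4` (three visible entries, four with `-A`), then `-file07` as the only text file.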

Level 5

use find . -size 1033c to locate the password file

Level 6

use find / -size 33c -user bandit7 -group bandit6 to locate the password file

Level 7

cat the file and grep the line containing “millionth”

Level 8

sort the file and pipe it through uniq -u to keep the line that appears only once
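The order matters: `uniq` only compares adjacent lines, so without `sort` a line whose duplicate sits elsewhere in the file is reported as unique. As an added example that is not part of the original notes, this builds a small constructed file and contrasts the two forms; `make_fixture`, `unique_line` and `naive_unique` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the original post: why `sort` has to come before
# `uniq -u`. uniq only collapses runs of identical adjacent lines, so on an
# unsorted file a repeated line that is not next to its twin looks unique.

# Write a constructed data file and print its path; only "ccc" occurs once.
make_fixture() {
  f=$(mktemp)
  printf 'aaa\nbbb\naaa\nccc\nbbb\n' > "$f"
  printf '%s' "$f"
}

# What the level wants: sort first, then keep lines that occur exactly once.
unique_line() { sort "$1" | uniq -u; }

# The mistake: no sort, so no two identical lines are adjacent and uniq -u
# passes all five lines through as if each were unique.
naive_unique() { uniq -u "$1"; }

f=$(make_fixture)
printf 'sorted:   %s\n' "$(unique_line "$f")"
printf 'unsorted: %s lines\n' "$(naive_unique "$f" | wc -l | tr -d ' ')"
rm -f "$f"
```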

Level 9

use strings to drop the unprintable content, then search the output for the password

Level 10

base64 decode – base64 --decode *

Level 11

the data file has been rot13-encoded; applying rot13 again reverses it, since rot13 is its own inverse
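Rot13 is the n=13 case of a Caesar shift, and the reason applying it twice restores the text is that 13 + 13 = 26, a full trip around the alphabet. The block below is an added example, not code from the original notes: it builds a general shift from `tr`, so it goes beyond the level by showing that any other shift n needs 26-n to undo. `rotn`, `rot13` and `unrotn` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the original post: a Caesar shift built from tr, of
# which rot13 is the n=13 case. Because 13 + 13 = 26, rot13 is its own inverse;
# any other shift n has to be undone with a shift of 26 - n.

# Shift letters by $1 positions (1..25); non-letters pass through unchanged.
rotn() {
  n=$1
  [ "$n" -ge 1 ] && [ "$n" -le 25 ] || { echo "shift must be 1..25" >&2; return 1; }
  upper=ABCDEFGHIJKLMNOPQRSTUVWXYZ
  lower=abcdefghijklmnopqrstuvwxyz
  # Rotate each alphabet left by n: the tail followed by the head.
  u=$(printf '%s' "$upper" | cut -c$((n + 1))-26)$(printf '%s' "$upper" | cut -c1-"$n")
  l=$(printf '%s' "$lower" | cut -c$((n + 1))-26)$(printf '%s' "$lower" | cut -c1-"$n")
  tr "$upper$lower" "$u$l"
}

rot13() { rotn 13; }

# Undo a shift of $1 by shifting the remaining 26 - $1 positions.
unrotn() { rotn $((26 - $1)); }

# Constructed inputs: rot13 twice is the identity, rot3 twice is not.
printf 'Hello, World!\n' | rot13
printf 'Hello, World!\n' | rot13 | rot13
printf 'Hello, World!\n' | rotn 3
printf 'Hello, World!\n' | rotn 3 | unrotn 3
```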

Level 12

reverse the hexdump with xxd -r, then undo the nested compression and archive layers one at a time to get the password
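The unwrapping loop is mechanical once you can tell what each layer is, which is what `file` does by reading magic bytes. The block below is an added example, not code from the original notes: it constructs a text file, wraps it in tar and gzip, hexdumps it, and then reverses the whole stack. `unhex` uses `xxd -r -p` as the notes do (falling back to perl where xxd is absent), `kind_of` is a hypothetical stand-in for `file -b` that checks the gzip, bzip2 and ustar magic directly, and `unwrap` is a hypothetical helper that peels layers until none is recognised.

```shell
#!/bin/sh
# Added example, not from the original post: rebuild a hexdump into bytes and
# then peel nested gzip / bzip2 / tar layers by inspecting magic bytes, the
# same property `file` reports. All input is constructed inside this script.

# Plain hex text -> bytes. xxd -r -p is what the notes use; perl is a fallback.
unhex() {
  if command -v xxd >/dev/null 2>&1; then xxd -r -p
  else perl -ne 'chomp; print pack("H*", $_)'
  fi
}

# Report the container type of $1 from its magic bytes (stand-in for `file -b`):
# gzip starts 1f 8b, bzip2 starts "BZh", a ustar tar has "ustar" at offset 257.
kind_of() {
  first=$(head -c 3 "$1" | od -An -tx1 | tr -d ' \n')
  case "$first" in
    1f8b*)  echo gzip ;;
    425a68) echo bzip2 ;;
    *) if [ "$(dd if="$1" bs=1 skip=257 count=5 2>/dev/null)" = ustar ]
       then echo tar; else echo other; fi ;;
  esac
}

# Unwrap $1 in place until no known container remains, then print the contents.
unwrap() {
  f="$1"
  while :; do
    case "$(kind_of "$f")" in
      gzip)  mv "$f" "$f.gz";  gzip -d "$f.gz" ;;            # writes $f again
      bzip2) mv "$f" "$f.bz2"; bzip2 -d "$f.bz2" ;;          # writes $f again
      tar)   tar -xOf "$f" > "$f.inner" && mv "$f.inner" "$f" ;;  # member to stdout
      *)     break ;;
    esac
  done
  cat "$f"
}

# Constructed fixture: text -> tar -> gzip -> hexdump, then reverse the stack.
demo() {
  d=$(mktemp -d)
  printf 'The password is PLACEHOLDER-LEVEL12\n' > "$d/data"
  tar -cf "$d/data.tar" -C "$d" data
  gzip -c "$d/data.tar" > "$d/data.gz"
  od -An -tx1 "$d/data.gz" | tr -d ' \n' > "$d/data.hex"   # the hexdump stand-in
  unhex < "$d/data.hex" > "$d/data.bin"
  unwrap "$d/data.bin"
  rm -rf "$d"
}

demo
```

The loop stops as soon as `kind_of` reports `other`, which is the failure mode to watch for in the real level: if a layer is some format the loop does not recognise, it prints the still-wrapped bytes rather than the password, and that is the signal to run `file` by hand.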

Level 13

use ssh's -i option with the provided identity file to log into the next level

Level 14

use nc localhost 30000 to talk to the password server and send it the current level's password from /etc/bandit_pass

Level 15

open an SSL connection with openssl s_client -connect localhost:30001 and then send the current level password

Level 16

use nmap -sV to locate the ports that speak SSL and send the current level password to each; observe that port 31790 returns the ssh credential for the next level

Level 17

diff the two files

Level 18

pass -t /bin/sh to ssh to request a different shell

Level 19

in this level the given executable runs any command as bandit20, so use it to print the password file under /etc/bandit_pass directly as bandit20

Level 20

create a nc listener on some port X that replies with the current level password, then run the executable to connect to port X

Level 21

go to /etc/cron.d and observe there is a job owned by user bandit22 that periodically runs /usr/bin/cronjob_bandit22.sh; read the script and observe that it writes the password to a temp file under /tmp

Level 22

like the previous level, find the script scheduled for the next level user; observe that the password is written to a file under /tmp, and compute the filename using the method in the script

Level 23

read the scheduled script and observe that it executes every script owned by the current user under /var/spool/bandit24/foo; create a temp file under /tmp, write a script in that directory which prints the password into the file just created, and wait for the script to run; remember to set the permissions on both files

Level 24

use seq -w 0000 9999 to create the list of all possible pincodes, then write a script to brute force the password (pipe the results through uniq -u to strip the repeated error messages quickly)

Level 25

observe that the login shell first runs more and then exits => shrink the terminal window so that more pauses instead of finishing immediately, press v to open the file in vim, and finally use the vim command :e /etc/bandit_pass/bandit26 to read the password

Level 26

after entering vim, set vim's shell option to /bin/bash and use the :shell command to drop into it; observe there is an executable that lets us run any command as the next level user, and use it to print the password

Level 27

clone the git repo via ssh; the password is stored in README

cd $(mktemp -d)
git clone ssh://bandit27-git@localhost:2220/home/bandit27-git/repo
cat README

Level 28

use git show to examine the historical changes to the file; the password is in the line removed by the most recent commit

Level 29

no password in production => the password may be stored in some other branch
use git branch -r to list all remote branches, git checkout the dev branch, and use git log -p to examine the file differences in the commit history to find the password

Level 30

observe with git tag that there is a tag named secret, print the tag message with git show secret and get the password
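Levels 28, 29 and 30 are three variants of one lesson: deleting a secret from the working tree does not delete it from the repository, because history, other branches and annotated tags all keep a copy. The block below is an added example, not code from the original notes or from OverTheWire: it builds a throwaway "remote" repository that hides a constructed placeholder string in each of the three ways, clones it as the levels do, and recovers each copy with the commands the notes name. `build_repo`, `recover_removed`, `recover_from_branch`, `recover_from_tag` and `demo` are hypothetical helper names, the git identity is passed with `-c` so no global config is needed, and `for-each-ref` is used to read the tag message because it returns the message without the header that `git show secret` prints around it.

```shell
#!/bin/sh
# Added example, not from the original post: a throwaway repository that hides a
# constructed placeholder string the three ways Levels 28-30 describe (removed
# by a later commit, committed only on a dev branch, stored in an annotated
# tag), plus the git commands that recover each one from a fresh clone.

# Identity passed per invocation so the example runs without global git config.
GIT="git -c user.name=demo -c user.email=demo@example.invalid -c init.defaultBranch=main"

# Build the "remote" repository at $1 (hypothetical helper; all content constructed).
build_repo() (
  $GIT init -q "$1" && cd "$1" || exit 1
  # Level 28 shape: secret committed, then "removed" by a later commit.
  printf 'password: PLACEHOLDER-LEVEL28\n' > README.md
  $GIT add README.md && $GIT commit -q -m "add credentials"
  printf 'password: xxxxxxxxxx\n' > README.md
  $GIT add README.md && $GIT commit -q -m "fix info leak"
  main=$($GIT rev-parse --abbrev-ref HEAD)
  # Level 29 shape: the secret exists only on a dev branch.
  $GIT checkout -q -b dev
  printf 'password: PLACEHOLDER-LEVEL29\n' > README.md
  $GIT add README.md && $GIT commit -q -m "dev credentials"
  $GIT checkout -q "$main"
  # Level 30 shape: the secret is the message of an annotated tag.
  $GIT tag -a secret -m "PLACEHOLDER-LEVEL30"
)

# Level 28: `git show` of the latest commit prints the removed line with a "-".
recover_removed() (
  cd "$1" || exit 1
  $GIT show HEAD -- README.md | grep '^-password' | sed 's/^-password: //'
)

# Level 29: list remote branches, check out dev, read the diff of its last commit.
recover_from_branch() (
  cd "$1" || exit 1
  $GIT branch -r | grep -q 'origin/dev' || exit 1
  $GIT checkout -q dev
  $GIT log -p -1 -- README.md | grep '^+password' | sed 's/^+password: //'
)

# Level 30: `git tag` lists the tag; `git show secret` prints its message, read
# here with for-each-ref so only the message comes back.
recover_from_tag() (
  cd "$1" || exit 1
  $GIT tag | grep -qx secret || exit 1
  $GIT for-each-ref --format='%(contents:subject)' refs/tags/secret
)

# Build, clone (as the levels do over ssh), recover all three copies, clean up.
demo() {
  base=$(mktemp -d)
  build_repo "$base/repo"
  $GIT clone -q "$base/repo" "$base/clone"
  recover_removed "$base/clone"
  recover_from_branch "$base/clone"
  recover_from_tag "$base/clone"
  rm -rf "$base"
}

demo
```

The same three commands are what a defender runs before publishing a repository: `git log -p` over every branch and `git for-each-ref` over every tag, because a secret that was ever committed has to be rotated, not just deleted from the current tree.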

Level 31

just follow the instructions in README.md, prepare the new commit and push it to the remote repo

Level 32

use $0 to escape the uppercase shell: it contains no letters, so uppercasing leaves it unchanged, and it expands to the name of the shell itself; observe that the current identity is the next level user and print the password directly