Browse Category


OverTheWire: Bandit Level 22 to Level 23

Level goal: A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints


Like what we have done in the previous level, let’s navigate to the /etc/cron.d path and check the cronjob files.

Notice that cronjob_bandit23 is will be running the /usr/bin/ script? Let’s view its content.

bandit22@melinda:/etc/cron.d$ cat /usr/bin/

mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget


Yes, you have guessed correct. When this script is being run, it will write the currently logged-on user’s password into a file.


The file name is basically a md5 hash of “echo I am user bandit22 | md5sum | cut –d ‘ ‘ –f 1”

Since we need the password of bandit23, let’s manually run the hash and use its hash as the directory name. The password might be there, provided that someone with the bandit23 credentials has already ran this script (they probably have).


The password to gain access to the next level is jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n.

OverTheWire: Bandit Level 21 to Level 22

Level goal: A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed

This level is very simple, as hinted by the clue, just navigate to the /etc/cron.d directory and look for the files, you will noticed the cronjob_bandit22 files.

When opened to view the content of the cronjob, it seems that the job basically triggers a script located at /usr/bin/


To more accurately grep the files and read its content, we can perform the following grep,

ls -l | grep cronjob

Below are the list of files.


Since is the only file which is related to this level, let’s view its content.

bandit21@melinda:/usr/bin$ cat
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

Now we know that the password is stored in the /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv


bandit21@melinda:/usr/bin$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

The password to gain access to the next level is Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI.

OverTheWire: Bandit Level 20 to Level 21

Level goal: There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: To beat this level, you need to login twice: once to run the setuid command, and once to start a network daemon to which the setuid will connect.

NOTE 2: Try connecting to your own network daemon to see if it works as you think


In this level, basically we need to setup a listener service to listen on any port, and then use the binary submit this level’s password to it. If It is correct, it will provide the password to the next level.

First, let’s check what are the ports opened.


Now you setup your own listener which echo the current level password when any clients connected.


Now you setup another terminal and try to check if the service is there (of course it will be there) and perform testing by trying to connect,


Notice that nmap port scan has detected the service at port 60000 which you have set up in the other terminal? Now, use the suconnect binary to establish connectivity to port 60000


Password matches, now the next password is sent to the server listener.


The password to gain access to the next level is gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr.

OverTheWire: Bandit Level 19 to Level 20


Level goal: To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used to setuid binary.

In this level, we will be working on a file which has its setuid set.

bandit19@melinda:~$ file bandit20-do
bandit20-do: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=08e74b8e092a91103efaab7916d75f08b887ab4d, not stripped

It’s interesting because it allows us to run a command or do anything as bandit20.

bandit19@melinda:~$ ./bandit20-do
Run a command as another user.
Example: ./bandit20-do id
bandit19@melinda:~$ ./bandit20-do cat /etc/bandit_pass/bandit20


The password to gain access to the next level is GbKksEFF4yrVs6il55v6gwY5aVje5f0j.

OverTheWire: Bandit Level 18 to Level 19


Level goal: The password for the next level is stored in a file readme in the home directory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

In this level, we need to connect using the ssh -t. The -t parameter basically opens a pseudo-tty within the session, with output in the same screen. The ssh session closes when the command completes. This way, you can quickly run a command before the connectivity closes and kicks you out with a “Byebye!”.

bandit17@melinda:~$ ssh -t bandit18@localhost cat readme
 The authenticity of host 'localhost (' can't be established.
 ECDSA key fingerprint is 05:3a:1c:25:35:0a:ed:2f:cd:87:1c:f6:fe:69:e4:f6.
 {... REMOVED ...}
 Permissions 0640 for '/home/bandit17/.ssh/id_rsa' are too open.
 It is required that your private key files are NOT accessible by others.
 This private key will be ignored.
 bad permissions: ignore key: /home/bandit17/.ssh/id_rsa
 bandit18@localhost's password:
 Connection to localhost closed.

Next, we run the same commands to check what is in the “readme” file.

bandit18@localhost's password:
Connection to localhost closed.

The password to gain access to the next level is IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x.