OverTheWire: Bandit Level 21 to Level 22

Level goal: A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed

This level is very simple, as hinted by the clue, just navigate to the /etc/cron.d directory and look for the files, you will noticed the cronjob_bandit22 files.

When opened to view the content of the cronjob, it seems that the job basically triggers a script located at /usr/bin/cronjob_bandit22.sh


To more accurately grep the files and read its content, we can perform the following grep,

ls -l | grep cronjob

Below are the list of files.


Since cronjob_bandit22.sh is the only file which is related to this level, let’s view its content.

[email protected]:/usr/bin$ cat cronjob_bandit22.sh
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

Now we know that the password is stored in the /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv


[email protected]:/usr/bin$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

The password to gain access to the next level is Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI.

OverTheWire: Bandit Level 20 to Level 21

Level goal: There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: To beat this level, you need to login twice: once to run the setuid command, and once to start a network daemon to which the setuid will connect.

NOTE 2: Try connecting to your own network daemon to see if it works as you think


In this level, basically we need to setup a listener service to listen on any port, and then use the binary submit this level’s password to it. If It is correct, it will provide the password to the next level.

First, let’s check what are the ports opened.


Now you setup your own listener which echo the current level password when any clients connected.


Now you setup another terminal and try to check if the service is there (of course it will be there) and perform testing by trying to connect,


Notice that nmap port scan has detected the service at port 60000 which you have set up in the other terminal? Now, use the suconnect binary to establish connectivity to port 60000


Password matches, now the next password is sent to the server listener.


The password to gain access to the next level is gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr.

OverTheWire: Bandit Level 19 to Level 20


Level goal: To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used to setuid binary.

In this level, we will be working on a file which has its setuid set.

[email protected]:~$ file bandit20-do
bandit20-do: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=08e74b8e092a91103efaab7916d75f08b887ab4d, not stripped

It’s interesting because it allows us to run a command or do anything as bandit20.

[email protected]:~$ ./bandit20-do
Run a command as another user.
Example: ./bandit20-do id
[email protected]:~$ ./bandit20-do cat /etc/bandit_pass/bandit20


The password to gain access to the next level is GbKksEFF4yrVs6il55v6gwY5aVje5f0j.

OverTheWire: Bandit Level 18 to Level 19


Level goal: The password for the next level is stored in a file readme in the home directory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

In this level, we need to connect using the ssh -t. The -t parameter basically opens a pseudo-tty within the session, with output in the same screen. The ssh session closes when the command completes. This way, you can quickly run a command before the connectivity closes and kicks you out with a “Byebye!”.

[email protected]:~$ ssh -t [email protected] cat readme
 The authenticity of host 'localhost (' can't be established.
 ECDSA key fingerprint is 05:3a:1c:25:35:0a:ed:2f:cd:87:1c:f6:fe:69:e4:f6.
 {... REMOVED ...}
 Permissions 0640 for '/home/bandit17/.ssh/id_rsa' are too open.
 It is required that your private key files are NOT accessible by others.
 This private key will be ignored.
 bad permissions: ignore key: /home/bandit17/.ssh/id_rsa
 [email protected]'s password:
 Connection to localhost closed.

Next, we run the same commands to check what is in the “readme” file.

[email protected]'s password:
Connection to localhost closed.

The password to gain access to the next level is IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x.

OverTheWire: Bandit Level 17 to Level 18


Level goal: There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.newand is the only line that has been changed between passwords.old and passwords.new

NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19.

Here you see 2 password files. As the hint goes, New vs Old, the first thing to come to mind is to perform the diff function.

[email protected]:~$ diff passwords.new passwords.old
< kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
> BS8bqB1kqkinKJjuxL6k072Qq9NRwQpR

The password is kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd. To verify whether this is the correct password, we will follow the hint, which is to try to connect to bandit18 and see if we see the “Byebye!” message.


The password to gain access to the next level is kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd.