(setq plaintext 'everywhere)



Bandit (OverTheWire)

1 Introduction

[2022-10-17 Mon]

This is a writeup for the overthewire.org wargame Bandit. The password for each level is stored in a local file named banditX.txt, where X is the level number. Then use

sshpass -p "$(cat banditX.txt)" ssh banditX@bandit.labs.overthewire.org -p 2220

to connect to the server without having to manually type the password for each level.

2 Level 0

The password for this level is given: bandit0. Simply connect to the server with SSH to port 2220. The password for the next level is stored in a file called readme.

bandit0@bandit:~$ ls
readme
bandit0@bandit:~$ cat readme
boJ9jbbUNNfktd78OOpsqOltutMc3MY1

3 Level 1

The password to the next level is located in a file named '-'. To cat out the contents of this file, use the full path to the file from the home directory.

bandit1@bandit:~$ ls
-
bandit1@bandit:~$ cat ~/-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

4 Level 2

The password is in a file with spaces in the name. To cat out the contents either use backslashes before the spaces or surround the entire file name with single or double quotes.

bandit2@bandit:~$ ls -al
total 24
drwxr-xr-x  2 root    root    4096 May  7  2020 .
drwxr-xr-x 41 root    root    4096 May  7  2020 ..
-rw-r--r--  1 root    root     220 May 15  2017 .bash_logout
-rw-r--r--  1 root    root    3526 May 15  2017 .bashrc
-rw-r--r--  1 root    root     675 May 15  2017 .profile
-rw-r-----  1 bandit3 bandit2   33 May  7  2020 spaces in this filename
bandit2@bandit:~$ cat spaces\ in\ this\ filename
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

5 Level 3

The password is in a hidden file inside the directory 'inhere'. To cat out the contents move into the inhere directory and cat out the file.

bandit3@bandit:~$ ls -al
total 24
drwxr-xr-x  3 root root 4096 May  7  2020 .
drwxr-xr-x 41 root root 4096 May  7  2020 ..
-rw-r--r--  1 root root  220 May 15  2017 .bash_logout
-rw-r--r--  1 root root 3526 May 15  2017 .bashrc
drwxr-xr-x  2 root root 4096 May  7  2020 inhere
-rw-r--r--  1 root root  675 May 15  2017 .profile
bandit3@bandit:~$ cd inhere/
bandit3@bandit:~/inhere$ ls -al
total 12
drwxr-xr-x 2 root    root    4096 May  7  2020 .
drwxr-xr-x 3 root    root    4096 May  7  2020 ..
-rw-r----- 1 bandit4 bandit3   33 May  7  2020 .hidden
bandit3@bandit:~/inhere$ cat .hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB

6 Level 4

The password is in the only human-readable file inside the directory 'inhere'. Listing the files in the directory shows that every file name starts with a '-', so a bare name would be parsed as a command option; to use the files as input to a command, give them with a path in front, such as the path from the home directory. To find the file that contains human-readable content, use the command 'file' with the wildcard * to run it on all files inside the directory.

bandit4@bandit:~$ ls -al
total 24
drwxr-xr-x  3 root root 4096 May  7  2020 .
drwxr-xr-x 41 root root 4096 May  7  2020 ..
-rw-r--r--  1 root root  220 May 15  2017 .bash_logout
-rw-r--r--  1 root root 3526 May 15  2017 .bashrc
drwxr-xr-x  2 root root 4096 May  7  2020 inhere
-rw-r--r--  1 root root  675 May 15  2017 .profile
bandit4@bandit:~$ ls -al inhere/
total 48
drwxr-xr-x 2 root    root    4096 May  7  2020 .
drwxr-xr-x 3 root    root    4096 May  7  2020 ..
-rw-r----- 1 bandit5 bandit4   33 May  7  2020 -file00
-rw-r----- 1 bandit5 bandit4   33 May  7  2020 -file01
-rw-r----- 1 bandit5 bandit4   33 May  7  2020 -file02
-rw-r----- 1 bandit5 bandit4   33 May  7  2020 -file03
-rw-r----- 1 bandit5 bandit4   33 May  7  2020 -file04
-rw-r----- 1 bandit5 bandit4   33 May  7  2020 -file05
-rw-r----- 1 bandit5 bandit4   33 May  7  2020 -file06
-rw-r----- 1 bandit5 bandit4   33 May  7  2020 -file07
-rw-r----- 1 bandit5 bandit4   33 May  7  2020 -file08
-rw-r----- 1 bandit5 bandit4   33 May  7  2020 -file09
bandit4@bandit:~$ file inhere/-file0*
inhere/-file00: data
inhere/-file01: data
inhere/-file02: data
inhere/-file03: data
inhere/-file04: data
inhere/-file05: data
inhere/-file06: data
inhere/-file07: ASCII text
inhere/-file08: data
inhere/-file09: data
bandit4@bandit:~$ cat inhere/-file07
koReBOKuIDDepwhWk7jZC0RTdopnAYKh
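
The same handling of awkward file names, as an added example that is not part of the original writeup: it rebuilds a constructed stand-in for the 'inhere' directory, shows the naive read failing on a name that starts with '-', and lists the text files safely. The function names and sample contents are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the original writeup): reading and classifying files
# whose names begin with '-' or contain spaces.

# Build a constructed stand-in for ~/inhere; the contents are sample values.
make_sample_dir() {
    dir=$(mktemp -d) || return 1
    printf '\001\002\377' > "$dir/-file00"                  # binary
    printf 'constructed-sample-value\n' > "$dir/-file07"    # text
    printf 'also text\n' > "$dir/spaces in this filename"   # text
    printf '%s\n' "$dir"
}

# Naive form: from inside the directory the name is word-split and a leading
# '-' is parsed as an option string, so cat fails instead of reading the file.
read_naive() {
    ( cd "$1" && cat $2 ) 2>/dev/null
}

# Safe form: quote the name and end option parsing with '--'.
read_safe() {
    ( cd "$1" && cat -- "$2" )
}

# Succeeds when the file is non-empty and holds only printable ASCII or whitespace.
is_text() {
    [ -s "$1" ] || return 1
    leftover=$(LC_ALL=C tr -d '[:print:][:space:]' < "$1" | wc -c)
    [ "$((leftover))" -eq 0 ]
}

# Print the names of all text files in directory $1. The './' prefix keeps every
# expanded name from starting with '-', the same effect as 'file inhere/-file0*'.
list_text_files() {
    (
        cd "$1" || exit 1
        for f in ./* ./.[!.]*; do
            [ -f "$f" ] || continue     # also skips patterns that matched nothing
            if is_text "$f"; then
                printf '%s\n' "${f#./}"
            fi
        done
    )
}

# Demo on the constructed directory.
sample=$(make_sample_dir)
list_text_files "$sample"
rm -rf -- "$sample"
```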

7 Level 5

The directory 'inhere' contains several directories, which in turn contain files. One of these files contains the password and has the following properties: size = 1033 bytes, human-readable and not executable. The find command can be used to find this file. The -size flag finds files of a specific size, and the -perm flag in conjunction with the \! operator finds files that are not executable. To find the files that contain human-readable text, the -exec flag can be used to execute the file command just like in level 4. Lastly, pipe the result of find into grep with the text ASCII to find all files that satisfy the required conditions.

bandit5@bandit:~$ ls -Al
total 16
-rw-r--r--  1 root root     220 May 15  2017 .bash_logout
-rw-r--r--  1 root root    3526 May 15  2017 .bashrc
drwxr-x--- 22 root bandit5 4096 May  7  2020 inhere
-rw-r--r--  1 root root     675 May 15  2017 .profile
bandit5@bandit:~$ ls -Al inhere/
total 80
drwxr-x--- 2 root bandit5 4096 May  7  2020 maybehere00
drwxr-x--- 2 root bandit5 4096 May  7  2020 maybehere01
drwxr-x--- 2 root bandit5 4096 May  7  2020 maybehere02
drwxr-x--- 2 root bandit5 4096 May  7  2020 maybehere03
drwxr-x--- 2 root bandit5 4096 May  7  2020 maybehere04
drwxr-x--- 2 root bandit5 4096 May  7  2020 maybehere05
drwxr-x--- 2 root bandit5 4096 May  7  2020 maybehere06
drwxr-x--- 2 root bandit5 4096 May  7  2020 maybehere07
drwxr-x--- 2 root bandit5 4096 May  7  2020 maybehere08
drwxr-x--- 2 root bandit5 4096 May  7  2020 maybehere09
drwxr-x--- 2 root bandit5 4096 May  7  2020 maybehere10
drwxr-x--- 2 root bandit5 4096 May  7  2020 maybehere11
drwxr-x--- 2 root bandit5 4096 May  7  2020 maybehere12
drwxr-x--- 2 root bandit5 4096 May  7  2020 maybehere13
drwxr-x--- 2 root bandit5 4096 May  7  2020 maybehere14
drwxr-x--- 2 root bandit5 4096 May  7  2020 maybehere15
drwxr-x--- 2 root bandit5 4096 May  7  2020 maybehere16
drwxr-x--- 2 root bandit5 4096 May  7  2020 maybehere17
drwxr-x--- 2 root bandit5 4096 May  7  2020 maybehere18
drwxr-x--- 2 root bandit5 4096 May  7  2020 maybehere19
bandit5@bandit:~$ find ~/inhere/ -size 1033c \! -perm /a+x -exec file {} + | grep ASCII
/home/bandit5/inhere/maybehere07/.file2: ASCII text, with very long lines
bandit5@bandit:~$ cat ~/inhere/maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7

8 Level 6

The file containing the password is somewhere on the server and has the following properties: size = 33 bytes, owned by user bandit7 and owned by group bandit6. The find command can search the whole filesystem for it. To clean up the 'permission denied' messages in the output of this command, redirect stderr to /dev/null with '2> /dev/null'.

bandit6@bandit:~$ find / -type f -user bandit7 -group bandit6 -size 33c 2> /dev/null
/var/lib/dpkg/info/bandit7.password
bandit6@bandit:~$ cat /var/lib/dpkg/info/bandit7.password
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

9 Level 7

The password is in the file 'data.txt' next to the word millionth. Grep can be used to find the line that contains that word.

bandit7@bandit:~$ ls -Al
total 4100
-rw-r--r-- 1 root    root        220 May 15  2017 .bash_logout
-rw-r--r-- 1 root    root       3526 May 15  2017 .bashrc
-rw-r----- 1 bandit8 bandit7 4184396 May  7  2020 data.txt
-rw-r--r-- 1 root    root        675 May 15  2017 .profile
bandit7@bandit:~$ grep millionth data.txt
millionth       cvX2JJa4CFALtqS87jk27qwqGhBM9plV

10 Level 8

The password is in the file 'data.txt' and is the line that occurs only once in the file. uniq -u filters out all duplicate lines, but only when they are adjacent. To find the only unique line in the text, the input must therefore first be sorted with sort.

bandit8@bandit:~$ ls -Al
total 48
-rw-r--r-- 1 root    root      220 May 15  2017 .bash_logout
-rw-r--r-- 1 root    root     3526 May 15  2017 .bashrc
-rw-r----- 1 bandit9 bandit8 33033 May  7  2020 data.txt
-rw-r--r-- 1 root    root      675 May 15  2017 .profile
bandit8@bandit:~$ sort data.txt | uniq -u
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

11 Level 9

The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters. Strings can be used to print all the human readable characters and grep to find all the lines that contain one or more '='.

bandit9@bandit:~$ ls -Al
total 32
-rw-r--r-- 1 root     root      220 May 15  2017 .bash_logout
-rw-r--r-- 1 root     root     3526 May 15  2017 .bashrc
-rw-r----- 1 bandit10 bandit9 19379 May  7  2020 data.txt
-rw-r--r-- 1 root     root      675 May 15  2017 .profile
bandit9@bandit:~$ strings data.txt | grep =
========== the*2i"4
=:G e
========== password
<I=zsGi
Z)========== is
A=|t&E
Zdb=
c^ LAh=3G
*SF=s
&========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
S=A.H&^

12 Level 10

The password for the next level is stored in the file data.txt, which contains base64 encoded data. To decode base64 use the command base64 with the flag -d.

bandit10@bandit:~$ ls -Al
total 16
-rw-r--r-- 1 root     root      220 May 15  2017 .bash_logout
-rw-r--r-- 1 root     root     3526 May 15  2017 .bashrc
-rw-r----- 1 bandit11 bandit10   69 May  7  2020 data.txt
-rw-r--r-- 1 root     root      675 May 15  2017 .profile
bandit10@bandit:~$ base64 -d data.txt
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

13 Level 11

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions. Tr can be used to translate a set of characters to another set of characters and therefore perform a ROT13 algorithm.

bandit11@bandit:~$ ls -Al
total 16
-rw-r--r-- 1 root     root      220 May 15  2017 .bash_logout
-rw-r--r-- 1 root     root     3526 May 15  2017 .bashrc
-rw-r----- 1 bandit12 bandit11   49 May  7  2020 data.txt
-rw-r--r-- 1 root     root      675 May 15  2017 .profile
bandit11@bandit:~$ cat data.txt | tr 'a-zA-Z' 'n-za-mN-ZA-M'
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

14 Level 12

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. To get the password first reverse the hex dump with xxd and then decompress the file as many times as necessary with the correct tool. To find out which tool to use, use the file command.

bandit12@bandit:~$ mkdir /tmp/bandit12dir
bandit12@bandit:~$ cd !$
cd /tmp/bandit12dir
bandit12@bandit:/tmp/bandit12dir$ cp ~/data.txt .

bandit12@bandit:/tmp/bandit12dir$ xxd -r data.txt > out

bandit12@bandit:/tmp/bandit12dir$ file out
out: gzip compressed data, was "data2.bin", last modified: Thu May  7 18:14:30 2020, max compression, from Unix
bandit12@bandit:/tmp/bandit12dir$ mv out out.gz
bandit12@bandit:/tmp/bandit12dir$ gzip -d out.gz
bandit12@bandit:/tmp/bandit12dir$ ls
data.txt  out

bandit12@bandit:/tmp/bandit12dir$ file out
out: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/bandit12dir$ mv out out.bz2
bandit12@bandit:/tmp/bandit12dir$ bzip2 -d out.bz2
bandit12@bandit:/tmp/bandit12dir$ ls
data.txt  out

bandit12@bandit:/tmp/bandit12dir$ file out
out: gzip compressed data, was "data4.bin", last modified: Thu May  7 18:14:30 2020, max compression, from Unix
bandit12@bandit:/tmp/bandit12dir$ mv out out.gz
bandit12@bandit:/tmp/bandit12dir$ gzip -d out.gz
bandit12@bandit:/tmp/bandit12dir$ ls
data.txt  out
bandit12@bandit:/tmp/bandit12dir$ file out
out: POSIX tar archive (GNU)

bandit12@bandit:/tmp/bandit12dir$ tar -xf out
bandit12@bandit:/tmp/bandit12dir$ ls
data5.bin  data.txt  out
bandit12@bandit:/tmp/bandit12dir$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@bandit:/tmp/bandit12dir$ tar -xf data5.bin
bandit12@bandit:/tmp/bandit12dir$ ls
data5.bin  data6.bin  data.txt  out

bandit12@bandit:/tmp/bandit12dir$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/bandit12dir$ mv data6.bin data.bz2
bandit12@bandit:/tmp/bandit12dir$ bzip2 -d data.bz2
bandit12@bandit:/tmp/bandit12dir$ ls
data  data5.bin  data.txt  out

bandit12@bandit:/tmp/bandit12dir$ file data
data: POSIX tar archive (GNU)
bandit12@bandit:/tmp/bandit12dir$ tar -xf data
bandit12@bandit:/tmp/bandit12dir$ ls
data  data5.bin  data8.bin  data.txt  out

bandit12@bandit:/tmp/bandit12dir$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", last modified: Thu May  7 18:14:30 2020, max compression, from Unix
bandit12@bandit:/tmp/bandit12dir$ mv data8.bin data.gz
bandit12@bandit:/tmp/bandit12dir$ gzip -d data.gz
gzip: data already exists; do you wish to overwrite (y or n)? y
bandit12@bandit:/tmp/bandit12dir$ ls
data  data5.bin  data.txt  out

bandit12@bandit:/tmp/bandit12dir$ file data
data: ASCII text
bandit12@bandit:/tmp/bandit12dir$ cat data
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
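
The manual file/rename/decompress loop above can be automated. The following is an added example, not part of the original writeup: it identifies each layer from its magic bytes and unwraps until plain data remains, starting after the 'xxd -r' step. It runs on a constructed sample (text inside tar inside two gzip layers) and assumes each tar layer holds a single file, as in this level; all function names are assumptions.

```sh
#!/bin/sh
# Added example (not from the original writeup): peel nested gzip/bzip2/tar
# layers by checking magic bytes, as done by hand with file(1) above.

# Identify the container format of file $1 from its leading bytes.
layer_type() {
    magic=$(od -An -tx1 -N3 "$1" | tr -d ' \n')
    case "$magic" in
        1f8b*)  echo gzip ;;
        425a68) echo bzip2 ;;      # "BZh"
        *)
            # tar has no leading magic; "ustar" sits at offset 257 of the header.
            tag=$(dd if="$1" bs=1 skip=257 count=5 2>/dev/null | tr -d '\000')
            if [ "$tag" = "ustar" ]; then echo tar; else echo other; fi
            ;;
    esac
}

# Unwrap file $1 until it is no longer an archive; print the path of the result.
# Tar members are streamed to stdout, so nothing is written outside the work dir.
peel_layers() {
    work=$(mktemp -d) || return 1
    cp -- "$1" "$work/layer"
    depth=0
    while [ "$depth" -lt 32 ]; do          # bound the loop against endless nesting
        case "$(layer_type "$work/layer")" in
            gzip)
                gzip -dc < "$work/layer" > "$work/next" ;;
            bzip2)
                bzip2 -dc < "$work/layer" > "$work/next" ;;
            tar)
                member=$(tar -tf "$work/layer" | head -n 1)
                tar -xOf "$work/layer" "$member" > "$work/next" ;;
            *)
                printf '%s\n' "$work/layer"
                return 0 ;;
        esac
        mv -- "$work/next" "$work/layer"
        depth=$((depth + 1))
    done
    return 1
}

# Build a constructed sample: text -> tar -> gzip -> gzip (placeholder content).
make_sample() {
    src=$(mktemp -d) || return 1
    printf 'The password is CONSTRUCTED-PLACEHOLDER\n' > "$src/data8.bin"
    tar -cf "$src/data.tar" -C "$src" data8.bin
    gzip -c < "$src/data.tar" | gzip -c > "$src/sample.bin"
    printf '%s\n' "$src/sample.bin"
}

# Demo on the constructed sample.
sample=$(make_sample)
result=$(peel_layers "$sample")
cat "$result"
rm -rf -- "${sample%/*}" "${result%/*}"
```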

15 Level 13

The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. To become the bandit14 user use the sshkey.private in the ssh command and connect to the localhost as bandit14. Then cat out the password.

bandit13@bandit:~$ ls
sshkey.private
bandit13@bandit:~$ ssh -i sshkey.private bandit14@localhost
Could not create directory '/home/bandit13/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can not be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit13/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

16 Level 14

The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost. Use netcat or telnet to connect to the localhost on port 30000 and enter the password of level 14.

bandit14@bandit:~$ nc localhost 30000
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr

17 Level 15

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption. Use openssl with s_client to connect to the localhost at port 30001.

bandit15@bandit:~$ openssl s_client -connect localhost:30001
CONNECTED(00000003)
...
BfMYroe26WYalil77FoDi9qh59eK5xNr
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd

closed

18 Level 16

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials; the others will simply send back to you whatever you send to them. Use nmap to scan all the ports in the range 31000-32000 and use the flag -sV to check if the port uses SSL. The password for the next level is an RSA key. Store it in a file with permissions 0400 so it can only be read by the user, and use SSH and the private key to log in to the server for the next level just like in level 13.

bandit16@bandit:~$ nmap localhost -p 31000-32000 -sV

Starting Nmap 7.40 ( https://nmap.org ) at 2021-12-10 20:03 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00031s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE     VERSION
31046/tcp open  echo
31518/tcp open  ssl/echo
31691/tcp open  echo
31790/tcp open  ssl/unknown
31960/tcp open  echo

bandit16@bandit:~$ openssl s_client -connect localhost:31790
---
cluFn7wTiGryunymYOu4RcffSxQluehd
Correct!
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

closed

19 Level 17

There are 2 files in the home directory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new. Using the diff command without flags will give the changed line.

bandit17@bandit:~$ ls -Al
total 28
-rw-r----- 1 bandit17 bandit17   33 Jul 11  2020 .bandit16.password
-rw-r--r-- 1 root     root      220 May 15  2017 .bash_logout
-rw-r--r-- 1 root     root     3526 May 15  2017 .bashrc
-rw-r----- 1 bandit18 bandit17 3300 May  7  2020 passwords.new
-rw-r----- 1 bandit18 bandit17 3300 May  7  2020 passwords.old
-rw-r--r-- 1 root     root      675 May 15  2017 .profile
drwxr-xr-x 2 root     root     4096 Jul 11  2020 .ssh
bandit17@bandit:~$ diff passwords.new passwords.old
42c42
< kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
---
> w0Yfolrc5bwjS4qw5mq1nnQi6mF03bii

Meaning kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd is the password for level 18.

20 Level 18

The password for the next level is stored in a file readme in the home directory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH. To execute a command immediately after connecting to the remote server, give the ssh command the flag -o (short for option; it allows for adding utility that is not covered by the other flags, such as executing a command remotely), followed by RemoteCommand="some command", where some command is the desired command.

bryan@xps:~/overthewire$ sshpass -p `cat bandit18.txt` ssh bandit18@bandit.labs.overthewire.org -p 2220 -o RemoteCommand="cat readme"
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

21 Level 19

To gain access to the next level, you should use the setuid binary in the home directory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary. The bandit20-do binary sets the effective user id (euid) to that of bandit20, meaning that the command given to bandit20-do will be run as the user bandit20, which allows for reading the password file of bandit20.

bandit19@bandit:~$ ls -Al
total 20
-rwsr-x--- 1 bandit20 bandit19 7296 May  7  2020 bandit20-do
-rw-r--r-- 1 root     root      220 May 15  2017 .bash_logout
-rw-r--r-- 1 root     root     3526 May 15  2017 .bashrc
-rw-r--r-- 1 root     root      675 May 15  2017 .profile
bandit19@bandit:~$ ./bandit20-do
Run a command as another user.
  Example: ./bandit20-do id
bandit19@bandit:~$ ./bandit20-do id
uid=11019(bandit19) gid=11019(bandit19) euid=11020(bandit20) groups=11019(bandit19)
bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j

22 Level 20

There is a setuid binary in the home directory that does the following: it makes a connection to localhost on the port you specify as a command-line argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21). First it is necessary to create a netcat background process that starts listening on some port. Then use the suconnect binary to connect to that port, and lastly enter the password of level 20 in the netcat process.

bandit20@bandit:~$ ls -Al
total 24
-rw-r--r-- 1 root     root       220 May 15  2017 .bash_logout
-rw-r--r-- 1 root     root      3526 May 15  2017 .bashrc
-rw-r--r-- 1 root     root       675 May 15  2017 .profile
-rwsr-x--- 1 bandit21 bandit20 12088 May  7  2020 suconnect

bandit20@bandit:~$ nc -lp 4444 &
[1] 18082
bandit20@bandit:~$ ./suconnect 4444 &
[2] 18155
bandit20@bandit:~$ jobs
[1]+  Stopped                 nc -lp 4444
[2]-  Running                 ./suconnect 4444 &
bandit20@bandit:~$ fg %1
nc -lp 4444
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
[2]-  Done                    ./suconnect 4444

23 Level 21

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d for the configuration and see what command is being executed. In the contents of /etc/cron.d, the file that stands out most is cronjob_bandit22, which executes a shell script in /usr/bin. Trying to execute this script produces errors that point to a file in /tmp, and this file contains the password for level 22.

bandit21@bandit:~$ ls -Al /etc/cron.d/
total 28
-rw-r--r-- 1 root root  62 May 14  2020 cronjob_bandit15_root
-rw-r--r-- 1 root root  62 Jul 11  2020 cronjob_bandit17_root
-rw-r--r-- 1 root root 120 May  7  2020 cronjob_bandit22
-rw-r--r-- 1 root root 122 May  7  2020 cronjob_bandit23
-rw-r--r-- 1 root root 120 May 14  2020 cronjob_bandit24
-rw-r--r-- 1 root root  62 May 14  2020 cronjob_bandit25_root
-rw-r--r-- 1 root root 102 Oct  7  2017 .placeholder
bandit21@bandit:~$ cat /etc/cron.d/cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
 * * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
bandit21@bandit:~$ cronjob_bandit22.sh
chmod: changing permissions of '/tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv': Operation not permitted
/usr/bin/cronjob_bandit22.sh: line 3: /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv: Permission denied
bandit21@bandit:~$ ls -Al /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
-rw-r--r-- 1 bandit22 root 33 Dec 13 12:05 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
bandit21@bandit:~$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

24 Level 22

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d for the configuration and see what command is being executed. As in level 21, the cronjob executes a script, this time named cronjob_bandit23. Analyzing the script reveals that it copies the password to a file in /tmp. The name of the file is in the mytarget variable, which is an md5 hash of a string that contains the user name (which is bandit23). Executing the mytarget line of the script in a shell and replacing $myname with bandit23 returns the name of the file that contains the password.

bandit22@bandit:~$ ls -Al /etc/cron.d/
total 28
-rw-r--r-- 1 root root  62 May 14  2020 cronjob_bandit15_root
-rw-r--r-- 1 root root  62 Jul 11  2020 cronjob_bandit17_root
-rw-r--r-- 1 root root 120 May  7  2020 cronjob_bandit22
-rw-r--r-- 1 root root 122 May  7  2020 cronjob_bandit23
-rw-r--r-- 1 root root 120 May 14  2020 cronjob_bandit24
-rw-r--r-- 1 root root  62 May 14  2020 cronjob_bandit25_root
-rw-r--r-- 1 root root 102 Oct  7  2017 .placeholder
bandit22@bandit:~$ cat /etc/cron.d/cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
 * * * * * bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
bandit22@bandit:~$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/sh

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget
bandit22@bandit:~$ cat /tmp/`echo I am user bandit23 | md5sum | cut -d ' ' -f 1`
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
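
Levels 21 and 22 both work because the cron script leaves a secret in a shared directory under a name any user can learn or recompute, in a file other users can read. The following added example (not the game's or the author's code) puts that pattern next to a hardened variant and an audit check. It writes a constructed secret into a scratch directory that stands in for /tmp; the function names are assumptions.

```sh
#!/bin/sh
# Added example (not the game's or the author's code): the temp-file pattern
# used by the level 21/22 cron scripts next to a hardened variant.

# Same derivation as cronjob_bandit23.sh: the name depends only on the user
# name, so anyone who can read the script can recompute it.
predictable_name() {
    echo I am user "$1" | md5sum | cut -d ' ' -f 1
}

# Weak pattern: derivable name, file left world-readable (-rw-r--r--).
# $1 = directory standing in for /tmp, $2 = user name, $3 = secret
write_weak() {
    ( umask 022; printf '%s\n' "$3" > "$1/$(predictable_name "$2")" )
}

# Hardened pattern: random name from mktemp, readable by the owner only.
# $1 = directory, $2 = secret; prints the path that was created.
write_hardened() {
    (
        umask 077
        f=$(mktemp "$1/secret.XXXXXXXXXX") || exit 1
        printf '%s\n' "$2" > "$f"
        printf '%s\n' "$f"
    )
}

# Permission string as shown by ls -l, e.g. -rw-r--r--
file_perms() {
    ls -ld -- "$1" | cut -c 1-10
}

# Audit check: regular files under $1 that other users can read.
list_world_readable() {
    find "$1" -type f -perm -004
}

# Demo in a scratch directory with a constructed secret.
scratch=$(mktemp -d)
write_weak "$scratch" bandit23 'CONSTRUCTED-SECRET'
hardened=$(write_hardened "$scratch" 'CONSTRUCTED-SECRET')
echo "weak:     $(file_perms "$scratch/$(predictable_name bandit23)")"
echo "hardened: $(file_perms "$hardened")"
echo "exposed:  $(list_world_readable "$scratch")"
rm -rf -- "$scratch"
```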

25 Level 23

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d for the configuration and see what command is being executed. The cronjob for this level executes and then removes all shell scripts in /var/spool/bandit24. To get the password, create a script in that directory that cats out the contents of /etc/bandit_pass/bandit24 to a location that is accessible to us now (bandit23). Don't forget to change the permissions on the shell script and on the created directory in /tmp.

bandit23@bandit:~$ ls -Al /etc/cron.d/
total 28
-rw-r--r-- 1 root root  62 May 14  2020 cronjob_bandit15_root
-rw-r--r-- 1 root root  62 Jul 11  2020 cronjob_bandit17_root
-rw-r--r-- 1 root root 120 May  7  2020 cronjob_bandit22
-rw-r--r-- 1 root root 122 May  7  2020 cronjob_bandit23
-rw-r--r-- 1 root root 120 May 14  2020 cronjob_bandit24
-rw-r--r-- 1 root root  62 May 14  2020 cronjob_bandit25_root
-rw-r--r-- 1 root root 102 Oct  7  2017 .placeholder
bandit23@bandit:~$ cat /etc/cron.d/cronjob_bandit24
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
 * * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
bandit23@bandit:~$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/sh

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        owner="$(stat --format "%U" ./$i)"
        if [ "${owner}" = "bandit23" ]; then
            timeout -s 9 60 ./$i
        fi
        rm -f ./$i
    fi
done

bandit23@bandit:/var/spool/bandit24$ mkdir /tmp/b100/
bandit23@bandit:/var/spool/bandit24$ chmod 777 /tmp/b100/
bandit23@bandit:/var/spool/bandit24$ vim catpwd.sh
#!/bin/sh
cat /etc/bandit_pass/bandit24 > /tmp/b100/pwd

bandit23@bandit:/var/spool/bandit24$ cat /tmp/b100/pwd
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

26 Level 24

A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing. To get the password, write a script that loops over all 10000 possible pincodes and gives them as input to netcat. The correct pincode is 2588.

bandit24@bandit:~$ mkdir /tmp/b100
bandit24@bandit:~$ cd !$
bandit24@bandit:~$ vim /tmp/b100/bf.sh
#!/bin/bash
# bash is needed here: the {0000..9999} brace expansion is not expanded by plain sh
b24="UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ"
for i in {0000..9999}; do
    echo "$b24 $i"
done

bandit24@bandit:~$ chmod +x /tmp/b100/bf.sh
bandit24@bandit:~$ ./bf.sh | nc localhost 30002
I am the pincode checker for user bandit25. Please enter the password for user
bandit24 and the secret pincode on a single line, separated by a space.
...
Wrong! Please enter the correct pincode. Try again.
Wrong! Please enter the correct pincode. Try again.
Wrong! Please enter the correct pincode. Try again.
Correct!
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

27 Level 25-26

Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/sh, but something else. Find out what it is, how it works and how to break out of it.

After using ssh with the RSA key for bandit26, the connection is immediately closed. Inspecting the /etc/passwd file to find out what shell bandit26 is using shows /usr/bin/showtext, which executes 'more ~/text.txt'. In the more environment it is possible to execute commands with ':!command'. The trick is to make the window so small that the text printed from ~/text.txt does not fit entirely in the window (you need to scroll to see it all); more then stays open and waits for input instead of exiting (you can now increase the size of the window again). Then enter 'v' to enter vi mode, followed by ':e /etc/bandit_pass/bandit26' to get the password of this level. The password of user bandit26 is 5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z

Currently we do not have permission to read /etc/bandit_pass/bandit27, so first set the shell to /bin/sh so we can execute normal commands (from within the vi session opened from more): ':set shell=/bin/sh'. In the home folder you can now find a file called bandit27-do, which behaves similarly to bandit20-do. Finally enter (still in the same session) ':!~/bandit27-do cat /etc/bandit_pass/bandit27' to get the password. Password bandit27: 3ba3118a22e93127a4ed485be72ef5ea

bandit25@bandit:~$ ls -Al
total 24
-rw-r----- 1 bandit25 bandit25   33 May 14  2020 .bandit24.password
-r-------- 1 bandit25 bandit25 1679 May  7  2020 bandit26.sshkey
-rw-r--r-- 1 root     root      220 May 15  2017 .bash_logout
-rw-r--r-- 1 root     root     3526 May 15  2017 .bashrc
-rw-r----- 1 bandit25 bandit25    4 May 14  2020 .pin
-rw-r--r-- 1 root     root      675 May 15  2017 .profile
bandit25@bandit:~$ ssh -i bandit26.sshkey bandit26@localhost
...
  Enjoy your stay!

  _                     _ _ _   ___   __
 | |                   | (_) | |__ \ / /
 | |__   __ _ _ __   __| |_| |_   ) / /_
 | '_ \ / _` | '_ \ / _` | | __| / / '_ \
 | |_) | (_| | | | | (_| | | |_ / /| (_) |
 |_.__/ \__,_|_| |_|\__,_|_|\__|____\___/
Connection to localhost closed.
bandit25@bandit:~$ cat /etc/passwd | grep bandit26
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
bandit25@bandit:~$ cat /usr/bin/showtext
#!/bin/sh

export TERM=linux

more ~/text.txt
exit 0


28 Level 27

There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo. The password for the user bandit27-git is the same as for the user bandit27. Clone the repository and find the password for the next level.

Create a new directory in the /tmp directory and clone the specified repository. The password is in the '/repo/README' file.

bandit27@bandit:~$ mkdir /tmp/newdir
bandit27@bandit:~$ cd !$
cd /tmp/newdir
bandit27@bandit:/tmp/newdir$ git clone ssh://bandit27-git@localhost/home/bandit27-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit27/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can not be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit27/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit27-git@localhost's password:
remote: Counting objects: 3, done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 3 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (3/3), done.
bandit27@bandit:/tmp/newdir$ ls -Al
total 4
drwxr-sr-x 3 bandit27 root 4096 Feb 27 18:46 repo
bandit27@bandit:/tmp/newdir$ ls -Al repo/
total 8
drwxr-sr-x 8 bandit27 root 4096 Feb 27 18:46 .git
-rw-r--r-- 1 bandit27 root   68 Feb 27 18:46 README
bandit27@bandit:/tmp/newdir$ cat repo/README
The password to the next level is: 0ef186ac70e04ea33b4c1853d2526fa2

29 Level 28

There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo. The password for the user bandit28-git is the same as for the user bandit28. Clone the repository and find the password for the next level.

First create a new directory in '/tmp', and then clone the given repository. The git repo again contains a README, but the password is masked as 'xx…x'. 'git show' displays the latest commit and what it changed in the README compared with the previous version. Analyzing the output gives the password for bandit29: bbc96594b4e001778eee9975372716b2

bandit28@bandit:/tmp/newdir$ mkdir /tmp/newdirr
bandit28@bandit:/tmp/newdir$ cd !$
cd /tmp/newdirr
bandit28@bandit:/tmp/newdirr$ git clone ssh://bandit28-git@localhost/home/bandit28-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit28/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can not be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit28/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit28-git@localhost's password:
remote: Counting objects: 9, done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 9 (delta 2), reused 0 (delta 0)
Receiving objects: 100% (9/9), done.
Resolving deltas: 100% (2/2), done.
bandit28@bandit:/tmp/newdirr$ ls
repo
bandit28@bandit:/tmp/newdirr$ ls repo/
README.md
bandit28@bandit:/tmp/newdirr$ cat repo/README.md
# Bandit Notes
Some notes for level29 of bandit.

## credentials

- username: bandit29
- password: xxxxxxxxxx
bandit28@bandit:/tmp/newdrr$ cd repo/
bandit28@bandit:/tmp/newdrr/repo$ git show
commit edd935d60906b33f0619605abd1689808ccdd5ee
Author: Morla Porla <morla@overthewire.org>
Date:   Thu May 7 20:14:49 2020 +0200

    fix info leak

diff --git a/README.md b/README.md
index 3f7cee8..5c6457b 100644
--- a/README.md
+++ b/README.md
@@ -4,5 +4,5 @@ Some notes for level29 of bandit.
 ## credentials

 - username: bandit29
-- password: bbc96594b4e001778eee9975372716b2
+- password: xxxxxxxxxx

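Review bot: at the '- password:' line, overwriting the value with 'xxxxxxxxxx' only changes the newest revision; the removed line still carries the real credential in the parent commit, so anyone who can clone the repository reads it back with 'git show' or 'git log -p'. Treat the password as exposed and rotate it, and if the old value must leave the repository, rewrite history and expire the old objects on the server rather than adding a redaction commit. The message 'fix info leak' should also say that the value was rotated, since the commit alone does not fix the leak.
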
30 Level 29

There is a git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo. The password for the user bandit29-git is the same as for the user bandit29. Clone the repository and find the password for the next level.

Again clone the given repo into a directory in '/tmp' and 'cat' out the contents of the README. The '<no passwords in production!>' placeholder hints at there being multiple branches; to list them all, run 'git branch -a'. Change to the 'dev' branch with 'git checkout dev'. This branch also has a README, which contains the password for bandit30: 5b90576bedb2cc04c86a9e924ce42faf.

bandit29@bandit:~$ mkdir /tmp/newdrr
bandit29@bandit:~$ cd !$
cd /tmp/newdrr
bandit29@bandit:/tmp/newdrr$ git clone ssh://bandit29-git@localhost/home/bandit29-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit29/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can not be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit29/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit29-git@localhost's password:
remote: Counting objects: 16, done.
remote: Compressing objects: 100% (11/11), done.
remote: Total 16 (delta 2), reused 0 (delta 0)
Receiving objects: 100% (16/16), done.
Resolving deltas: 100% (2/2), done.
bandit29@bandit:/tmp/newdrr$ cd repo/
bandit29@bandit:/tmp/newdrr/repo$ ls
README.md
bandit29@bandit:/tmp/newdrr/repo$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.

## credentials

- username: bandit30
- password: <no passwords in production!>

bandit29@bandit:/tmp/newdrr/repo$ git branch -a
* master
  remotes/origin/HEAD -> origin/master
  remotes/origin/dev
  remotes/origin/master
  remotes/origin/sploits-dev
bandit29@bandit:/tmp/newdrr/repo$ git checkout dev
Branch dev set up to track remote branch dev from origin.
Switched to a new branch 'dev'
bandit29@bandit:/tmp/newdrr/repo$ ls
code  README.md
bandit29@bandit:/tmp/newdrr/repo$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.

## credentials

- username: bandit30
- password: 5b90576bedb2cc04c86a9e924ce42faf

31 Level 30

There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo. The password for the user bandit30-git is the same as for the user bandit30. Clone the repository and find the password for the next level.

Just as in the previous exercises, clone the repo and 'cat' the README, which has no useful contents. So let's explore the '.git' directory, which contains a file named 'packed-refs'. This file contains hashes of tags and heads, most notably in this case a hash for 'refs/tags/secret'. Doing a 'git show' for this hash results in the password for bandit31: 47e603bb428404d265f59c42920d81e5.

bandit30@bandit:~$ mkdir /tmp/newdrr
bandit30@bandit:~$ cd !$
cd /tmp/newdrr
bandit30@bandit:/tmp/newdrr$ git clone ssh://bandit30-git@localhost/home/bandit30-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit30/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can not be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit30/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit30-git@localhost's password:
remote: Counting objects: 4, done.
Receiving objects: 100% (4/4), 297 bytes | 0 bytes/s, done.
remote: Total 4 (delta 0), reused 0 (delta 0)
bandit30@bandit:/tmp/newdrr$ ls repo/
README.md
bandit30@bandit:/tmp/newdrr$ cat repo/README.md
just an epmty file... muahaha
bandit30@bandit:/tmp/newdrr$ cd repo/
bandit30@bandit:/tmp/newdrr/repo$ ls -Al .git/
total 44
drwxr-sr-x 2 bandit30 root 4096 Mar  2 09:35 branches
-rw-r--r-- 1 bandit30 root  276 Mar  2 09:35 config
-rw-r--r-- 1 bandit30 root   73 Mar  2 09:35 description
-rw-r--r-- 1 bandit30 root   23 Mar  2 09:35 HEAD
drwxr-sr-x 2 bandit30 root 4096 Mar  2 09:35 hooks
-rw-r--r-- 1 bandit30 root  137 Mar  2 09:35 index
drwxr-sr-x 2 bandit30 root 4096 Mar  2 09:35 info
drwxr-sr-x 3 bandit30 root 4096 Mar  2 09:35 logs
drwxr-sr-x 4 bandit30 root 4096 Mar  2 09:35 objects
-rw-r--r-- 1 bandit30 root  165 Mar  2 09:35 packed-refs
drwxr-sr-x 5 bandit30 root 4096 Mar  2 09:35 refs
bandit30@bandit:/tmp/newdrr/repo$ cat .git/packed-refs
# pack-refs with: peeled fully-peeled
3aefa229469b7ba1cc08203e5d8fa299354c496b refs/remotes/origin/master
f17132340e8ee6c159e0a4a6bc6f80e1da3b1aea refs/tags/secret
bandit30@bandit:/tmp/newdrr/repo$ git show f17132340e8ee6c159e0a4a6bc6f80e1da3b1aea
47e603bb428404d265f59c42920d81e5
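
Levels 28 to 30 hide a credential in an older commit, on a non-default branch and behind a tag, none of which a look at the current checkout reveals. The following is an added example, not part of the original writeup: a shell audit that greps every blob reachable from any ref. The function names, the demo repository and the CONSTRUCTED-SECRET strings are assumptions made for illustration.

```sh
#!/bin/sh
# Added example. All secrets below are constructed placeholder strings.

# Build a throwaway repo that reproduces the three hiding places.
make_demo_repo() {
  repo=$1
  git init -q "$repo"
  g() { git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid "$@"; }
  printf '%s\n' '- password: CONSTRUCTED-SECRET-history' > "$repo/README.md"
  g add README.md && g commit -q -m 'add notes'
  printf '%s\n' '- password: xxxxxxxxxx' > "$repo/README.md"
  g commit -q -am 'fix info leak'        # old value stays in history
  g checkout -q -b dev
  printf '%s\n' '- password: CONSTRUCTED-SECRET-branch' > "$repo/README.md"
  g commit -q -am 'dev notes'            # value lives on another branch
  g checkout -q -
  blob=$(printf '%s\n' 'CONSTRUCTED-SECRET-tag' | g hash-object -w --stdin)
  g tag secret "$blob"                   # tag pointing straight at a blob
}

# What a check of the current checkout sees: tracked files in the working tree.
scan_worktree() {
  git -C "$1" grep -l -E -e "$2" || true
}

# Every blob reachable from any ref (branches, tags, old commits).
scan_all_refs() {
  git -C "$1" rev-list --all --objects |
    git -C "$1" cat-file --batch-check='%(objecttype) %(objectname) %(rest)' |
    while read -r type sha path; do
      [ "$type" = blob ] || continue
      if git -C "$1" cat-file -p "$sha" | grep -Eq -e "$2"; then
        printf '%s %s\n' "$sha" "${path:-(no path)}"
      fi
    done
}

demo=$(mktemp -d)
make_demo_repo "$demo/repo"
echo "working tree:"; scan_worktree "$demo/repo" 'CONSTRUCTED-SECRET'
echo "all refs:";     scan_all_refs "$demo/repo" 'CONSTRUCTED-SECRET'
rm -rf "$demo"
```

On the demo repository the working-tree scan reports nothing, while the all-refs scan reports three blobs, one for each hiding place.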

32 Level 31

There is a git repository at ssh://bandit31-git@localhost/home/bandit31-git/repo. The password for the user bandit31-git is the same as for the user bandit31. Clone the repository and find the password for the next level.

After cloning the repo and looking at the contents of the 'README', it is clear that the file 'key.txt' must be pushed to the remote repository. So create the 'key.txt' file with the contents 'May I come in?'. Then, to push it to the remote repo, you need three commands: 'git add -f [filename]' (the 'f' flag is necessary because the '.gitignore' is set to ignore all '.txt' files), 'git commit -m [message]' and 'git push'. After the push, the output will show the password for bandit32: 56a9bf19c63d650ce78e6ec0354ee45e

bandit31@bandit:~$ mkdir /tmp/newdrr
bandit31@bandit:~$ cd !$
cd /tmp/newdrr
bandit31@bandit:/tmp/newdrr$ git clone ssh://bandit31-git@localhost/home/bandit31-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit31/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can not be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit31/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit31-git@localhost's password:
remote: Counting objects: 4, done.
remote: Compressing objects: 100% (3/3), done.
remote: Total 4 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (4/4), done.
bandit31@bandit:/tmp/newdrr$ cd repo/
bandit31@bandit:/tmp/newdrr/repo$ cat README.md
This time your task is to push a file to the remote repository.

Details:
    File name: key.txt
    Content: 'May I come in?'
    Branch: master

bandit31@bandit:/tmp/newdrr/repo$ ls -Al
total 12
drwxr-sr-x 8 bandit31 root 4096 Mar  2 09:58 .git
-rw-r--r-- 1 bandit31 root    6 Mar  2 09:58 .gitignore
-rw-r--r-- 1 bandit31 root  147 Mar  2 09:58 README.md
bandit31@bandit:/tmp/newdrr/repo$ echo 'May I come in?' > key.txt
bandit31@bandit:/tmp/newdrr/repo$ ls
key.txt  README.md
bandit31@bandit:/tmp/newdrr/repo$ git add key.txt
The following paths are ignored by one of your .gitignore files:
key.txt
Use -f if you really want to add them.
bandit31@bandit:/tmp/newdrr/repo$ git add -f key.txt
bandit31@bandit:/tmp/newdrr/repo$ git commit -m 'add key.txt'
[master fd1861c] add key.txt
 1 file changed, 1 insertion(+)
 create mode 100644 key.txt
bandit31@bandit:/tmp/newdrr/repo$ git push
Could not create directory '/home/bandit31/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can not be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit31/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit31-git@localhost's password:
Counting objects: 3, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 321 bytes | 0 bytes/s, done.
Total 3 (delta 0), reused 0 (delta 0)
remote: ### Attempting to validate files... ####
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
remote: Well done! Here is the password for the next level:
remote: 56a9bf19c63d650ce78e6ec0354ee45e
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
To ssh://localhost/home/bandit31-git/repo
 ! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'ssh://bandit31-git@localhost/home/bandit31-git/repo'

33 Level 32

After all this git stuff it's time for another escape. Good luck!

The trick to escape the uppercase shell is to use the shell variable $0, which holds the file name of the command that executed the process, in this case '/bin/sh'. Since '$0' contains no letters, converting the input to uppercase does not change it. From here simply 'cat' out the password of bandit33.

WELCOME TO THE UPPERCASE SHELL
>> $0
$ cat /etc/bandit_pass/bandit33
c9c3199ddf4121b10cf581a98d51caee


