The last part of the Bandit challenges was relatively easy with most of the flags attainable with basic git knowledge, except for the last restricted shell escape. Try them here: OverTheWire Bandit
Bandit 27-28
This is as simple as it can get at this stage. Just clone the repo and cat
the README.md file. The flag is in plaintext.
Bandit 28-29
In this stage, if you cat
the README.md file, you’ll find xxxxxxx
in the place of the flag. If you do a git log
, you’ll see that the password was entered and then removed. Just checkout the previous commit with git checkout {hash}
and you’ll have your flag in the README.md
Bandit 29-30
There’s no commit history this time, and the README.md file says “no password in production”, which is a clue. Do a git branch -r
and you’ll see a development branch. Checkout into it (git checkout dev
). cat README.md
in this branch to get the flag.
Bandit 30-31
No password in previous commits or branches here. But if you do a git tag
, you’ll see a tag called “secret”. Do a git show secret
and you have your flag.
Bandit 31-32
Add and commit any random file, remove the wildcard entry from .gitignore
and push origin. The flag is in the verbose output of the commit.
Bandit 32-33
This is a restricted terminal escape challenge, very interesting. I urge you to think of creative ways of loopholing this before looking at the solution.
So the terminal converts every command into uppercase before executing. So ls
becomes LS
and cd
becomes CD
and nothing works.
One way of loopholing this behavior was symlinking a helper binary to an all caps name. I choose vim for the purpose, but cat, less or more, anything would’ve worked. Symlink the binary in your temp directory in some all caps name.
$ ln -s /usr/bin/vim /tmp/mytempdir/VIM
Now, simply running ./vim
will execute VIM and you can then read the flag file with :r /etc/bandit_pass/bandit33
in vim.
Thank you for reading