Bandit Walkthrough

Level 0 >> Level 1


1. Search for the required file and read it.


Type this in terminal


cat readme

ssh -p 2220


ls will provide a list of files and folders in the current directory.

Then we’ll use the cat command to read the file and copy its contents.

Finally we’ll ssh into the server with username as bandit 1 and password as boJ9jbbUNNfktd78OOpsqOltutMc3MY1

Level 1 >> Level 2


1. The answer lies in a good knowledge of filenames and arguments of any Linux command.

2. How about studying absolute and relative file paths.


Type this in terminal

cat ./-

ssh -p 2220

Alternatively you can also use

cat /home/bandit1/-

ssh -p 2220


So now you might be wondering why cat - didn’t give you the password. Well, try to think where else you would use a hyphen on the CLI. That’s it: to specify flags like -A, -l, etc. So when you provided a hyphen to the cat command it expected a flag but wasn’t given one. That’s why the confusion is easily resolved when we provide the path of the file (./- or the full path).

Finally we’ll ssh into the server with username as bandit 2 and password as CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

Level 2 >> Level 3


1. The question gives you the filename and you know the command to read files. That’s all the hint you’ll need.

2. While you’re reading a novel, what’s that symbol used to denote the sentence said by a character.


Type this in terminal

cat "spaces in this filename"


A space in a filename is generally avoided when you work a lot on the command line and is usually replaced with an underscore, so that commands execute smoothly. Alternatively, a filename with spaces can be enclosed in double quotes and the same result is achieved.

Finally we’ll ssh into the server with username as bandit 3 and password as UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

Level 3 >> Level 4


1. Take a look at the manual of ls


Type this in terminal

cd inhere

ls -a

cat .hidden

ssh -p 2220


The -a flag of ls is used to display the hidden files in a directory. This could come in handy when you want to edit the .profile and .bashrc files.

Finally we’ll ssh into the server with username as bandit 4 and password as pIwrPrtPN36QITSp3EQaw936yaFoFgAB

Level 4 >> Level 5


1. You might wanna see the usage of file command.


This CTF can be solved in 2 ways :

Boring way: cat every file until you find the password. Brute force way.

Pentester style: determine file types in one swoop and open the required file.

Type this in the terminal

cd inhere

file ./-file0*

cat ./-file07

ssh -p 2220


Finally we’ll ssh into the server with username as bandit 5 and password as koReBOKuIDDepwhWk7jZC0RTdopnAYKh

Level 5 >> Level 6


1. This one is a bit difficult. You’ll require a pretty fine usage of find command. Read its manual and try to integrate the provided requirements of the file in it.


Type this in the terminal

cd inhere

find -size 1033c -readable

cat ./maybehere07/.file2

ssh -p 2220


We’ll use the find command and integrate it with the provided specifications of the file. The size is given as 1033 bytes and thus we’ll use its flag -size 1033c, where c is used to denote bytes. We can use k for kilobytes, M for megabytes and G for gigabytes. One more thing to note here is that -size 1033c searches for a file with an exact size of 1033 bytes. If we need to search for a file which is smaller than that, we use the same flag with a minus sign, like this: -size -1033c, and a plus sign if the required file’s size is more than that.

We used the -readable flag to specify that the file is readable. If the file were also executable, we would have also used the -executable flag.

Finally we’ll ssh into the server with username as bandit 6 and password as DXjZPULLxYr17uwoI01bNLQbtFemEgo7

Level 6 >> Level 7


1. Exactly similar to the previous one. Do a quick find on the server.


cd /

find -size 33c -user bandit7 -group bandit6

cat /var/lib/dpkg/info/bandit7.password


The question says that the file can be anywhere on the server. Therefore we start from the root directory. After executing the find command you’ll notice that a lot of filenames will turn up. But among all those files only bandit7.password is the correct one as it doesn’t come up with permission denied error.

Finally we’ll ssh into the server with username as bandit 7 and password as HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

Level 7 >> Level 8


1. Ever heard about output redirection on the Linux command line?

2. It’s a simple question of finding a word in a file, but on the CLI.


Type the command on terminal

cat data.txt | grep millionth


One way to solve this problem is the brute force method, where you’d search the entire file manually for the word millionth. Note that brute force is a frowned-upon method and we only use it as a last measure. If you execute wc data.txt on the terminal you’ll realise that the file contains a lot of lines, so this method is a waste of effort here.

Another method is to use a text editor (CLI or GUI) and simply find the string.

What we did here is that we printed the entire file and passed it to grep along with millionth as the argument. Grep searched the entire file for it and printed the line that contained it. 

Finally we’ll ssh into the server with username as bandit 8 and password as cvX2JJa4CFALtqS87jk27qwqGhBM9plV

Level 8 >> Level 9


1. The answer lies in the combined usage of sort and uniq commands.


Type this in terminal

sort data.txt | uniq -u


The file contains lots of lines and only one of them is unique, so we have to find that unique line, which should be easy enough with the uniq command. But if you read its man page there’s a line which states that it can only compare two lines when one is placed directly below the other. This is solved with the sort command. After that the answer is pretty straightforward: we took the output of sort and fed it to the uniq command with the -u flag, which reports only the unique lines, and thus we got our answer.

Finally we’ll ssh into the server with username as bandit 9 and password as UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

Level 9 >> Level 10


1. You gotta find a way to search for all human readable strings inside the file.

2. The hint is also written in the previous sentence. Read above


Type this in terminal

strings data.txt | grep =


Strings command is used to gather all the human readable strings in a file. Then we pipe it through a grep command with equals sign as the parameter to obtain the required string.

Finally we’ll ssh into the server with username as bandit 9 and password as truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk

Level 10 >> Level 11


1. What you need for this one is a terminal command. Take a closer look at the question and you might stumble upon it.


Type this in terminal

cat data.txt | base64 -d


Don’t even think about doing this manually. Simply learn the base64 command and use it. Base64 is an encoding/decoding method which is used to convert binary data to text and vice versa. Take a look at Wikipedia if you want an in-depth look at it.

Finally we’ll ssh into the server with username as bandit 10 and password as IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

Level 11 >> Level 12


1. You have to add 13 to every character. If you’re unable to find a command for it try creating a script which would perform this for you.


Type this in terminal

cat data.txt | tr '[A-Z]' '[N-ZA-M]' | tr '[a-z]' '[n-za-m]'


This is a well known algorithm to encrypt/decrypt data known as rotate13. In this we add 13 to every character to encode the data. To decrypt it we again add 13 to it which brings it to its original state. In the above command we convert uppercase letters written like [A-Z] = ABCDEFGHIJKLMNOPQRSTUVWXYZ to [N-ZA-M] = NOPQRSTUVWXYZABCDEFGHIJKLM. If you study them you’ll realise that 13 has been added to A to get N, B to get O, etc.

Finally we’ll ssh into the server with username as bandit 12 and password as 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

Level 12 >> Level 13




Type this in terminal

mkdir /tmp/techno

cp data.txt /tmp/techno/

cd /tmp/techno/

touch data2.txt

xxd -r data.txt > data2.txt

file data2.txt

mv data2.txt data2.gz

gzip -d data2.gz

file data2

mv data2

bzip2 -d

file data2

mv data2 data2.gz

gzip -d data2.gz

file data2

tar -xf data2

file data5.bin

tar -xf data5.bin


bzip2 -df data6.bin

mv data6.bin

file data6.bin.out

tar -xf data6.bin.out

file data8.bin

mv data8.bin data8.gz

gzip -d data8.gz


file data8

cat data8


At every step use the file command to check the file’s type. Then rename the file so that its extension matches that type, and finally decompress it. Keep doing this until you get an ASCII file. Cat it to get the password.

Finally we’ll ssh into the server with username as bandit 13 and password as 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
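The "check the type, unpack, repeat" loop described above can be automated by looking at magic bytes, the same thing the file command does. This is an added example, not part of the original walkthrough; the function names and the sample data are constructed here, and it assumes each tar archive holds a single regular file, as in this level.

```python
import bz2
import gzip
import io
import re
import tarfile

XXD_LINE = re.compile(r"^[0-9a-f]{7,8}: ")  # offset column written by xxd


def looks_like_xxd(data: bytes) -> bool:
    """True if every non-empty line starts with an xxd offset column."""
    try:
        lines = [ln for ln in data.decode("ascii").splitlines() if ln]
    except UnicodeDecodeError:
        return False
    return bool(lines) and all(XXD_LINE.match(ln) for ln in lines)


def reverse_xxd(data: bytes) -> bytes:
    """Equivalent of `xxd -r` for the default xxd layout."""
    out = bytearray()
    for line in data.decode("ascii").splitlines():
        if line:
            # Hex groups sit between "offset: " and the two-space gap before the ASCII column.
            out += bytes.fromhex(line.split(": ", 1)[1].split("  ", 1)[0])
    return bytes(out)


def identify(data: bytes) -> str:
    """Name the outer layer from its magic bytes, as `file` does."""
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[:3] == b"BZh":
        return "bzip2"
    if looks_like_xxd(data):
        return "hexdump"
    if data[257:262] == b"ustar":
        return "tar"
    return "data"


def peel(data: bytes, max_layers: int = 32):
    """Strip layers until plain data remains; return (payload, layer names)."""
    layers = []
    while (kind := identify(data)) != "data":
        if len(layers) >= max_layers:  # guard against endless or hostile nesting
            raise ValueError("too many nested layers")
        if kind == "hexdump":
            data = reverse_xxd(data)
        elif kind == "gzip":
            data = gzip.decompress(data)
        elif kind == "bzip2":
            data = bz2.decompress(data)
        else:  # tar: assume one regular file per archive, as in this level
            with tarfile.open(fileobj=io.BytesIO(data)) as tf:
                member = next(m for m in tf.getmembers() if m.isfile())
                data = tf.extractfile(member).read()
        layers.append(kind)
    return data, layers


def to_xxd(data: bytes) -> bytes:
    """Produce xxd-style text (used only to build the constructed sample)."""
    rows = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hx = chunk.hex()
        groups = " ".join(hx[i:i + 4] for i in range(0, len(hx), 4))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{off:08x}: {groups:<39}  {text}")
    return ("\n".join(rows) + "\n").encode("ascii")


def build_sample():
    """Constructed input: hexdump(gzip(bzip2(tar(gzip(secret)))))."""
    secret = b"The password is CONSTRUCTED-SAMPLE-VALUE\n"
    inner = gzip.compress(secret)
    tar_bytes = io.BytesIO()
    with tarfile.open(fileobj=tar_bytes, mode="w") as tf:
        info = tarfile.TarInfo("data8.bin")
        info.size = len(inner)
        tf.addfile(info, io.BytesIO(inner))
    return to_xxd(gzip.compress(bz2.compress(tar_bytes.getvalue()))), secret


if __name__ == "__main__":
    sample, _ = build_sample()
    payload, layers = peel(sample)
    print(" -> ".join(layers), "->", payload.decode().strip())
```

On the real level you would read data.txt as bytes and pass it to peel(); the layer list it returns is the sequence of file types you would otherwise discover one file call at a time.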

Level 13 >> Level 14


1. What does the word private mean to you. Consider that you have a picture that is private to you, then who else is allowed to access it?


cat sshkey.private

copy its contents to a new file on your system. Let it be named mysshkey.private

chmod 600 mysshkey.private

ssh -i mysshkey.private -p 2220


The server gives you a file which will be used in place of the password for bandit14. If you copy the file to your system and try to use it as it is, you’ll encounter an error which says that bad permissions are given to the file. This is something to take time with and understand before proceeding further. The extension of the file says that it is a private key. What this means is that only a particular user on the system is allowed to access it. When we create a new file on a system then by default its permissions are as follows: read & write to user, read & write to group and read to others. The file says that it is a private file, therefore we change its permission to 600, which effectively gives read and write permission to the user and strips away all the permissions given to the group and others. Now the file is private to the user and ready to be used.

Finally we’ll ssh into the server with username as bandit 14 and password as the new file.
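The permission logic behind that "bad permissions" error, as an added example that is not part of the original walkthrough: the OpenSSH client refuses a private key whose mode has any group or other bit set, and a file created the ordinary way gets its mode from the umask. The function names and the placeholder key text are constructed for illustration; write_private_key shows how to create the file as 0600 from the start instead of fixing it afterwards.

```python
import os
import stat
import tempfile


def too_open(mode: int) -> int:
    """Return the group/other permission bits set in mode (0 means private)."""
    return stat.S_IMODE(mode) & 0o077


def default_mode(umask: int, requested: int = 0o666) -> int:
    """Mode a newly created file ends up with: requested bits minus the umask."""
    return requested & ~umask


def write_private_key(path: str, key_text: str) -> None:
    """Create the key file as 0600 from the start, so it is never readable by others."""
    # O_EXCL refuses to reuse an existing file that may carry looser permissions.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(key_text)


def harden(path: str) -> tuple:
    """chmod 600 an existing key file if needed; return (mode before, mode after)."""
    before = stat.S_IMODE(os.stat(path).st_mode)
    if too_open(before):
        os.chmod(path, 0o600)
    return before, stat.S_IMODE(os.stat(path).st_mode)


def demo() -> dict:
    """Run both paths on constructed files in a scratch directory."""
    placeholder = "-----CONSTRUCTED PLACEHOLDER, NOT A REAL KEY-----\n"
    with tempfile.TemporaryDirectory() as d:
        pasted = os.path.join(d, "mysshkey.private")
        with open(pasted, "w") as fh:          # created the ordinary way
            fh.write(placeholder)
        os.chmod(pasted, default_mode(0o002))  # what a umask of 002 leaves: 664
        safe = os.path.join(d, "created_private")
        write_private_key(safe, placeholder)
        return {
            "pasted": harden(pasted),
            "safe": stat.S_IMODE(os.stat(safe).st_mode),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```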

Level 14 >> Level 15


1. Use netcat

2. Use netcat with output redirection


Type these in terminal

cat /etc/bandit_pass/bandit14

echo "4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e" | nc localhost 30000


Netcat is used for a lot of different purposes but here we’ll use it to send data to localhost. We will echo the password and pipe it to netcat on port 30000.

This will give us the password for level 15 which is BfMYroe26WYalil77FoDi9qh59eK5xNr. This can be used to ssh into the server with username as bandit15 and on port 2220.

Level 15 >> Level 16


1. Don’t try netcat.

2. Instead try openssl with s_client


Type this in terminal

openssl s_client -ign_eof -connect localhost:30001

then type in the password of level 15 : BfMYroe26WYalil77FoDi9qh59eK5xNr


Now you might be thinking: isn’t this just like the previous one? You just have to encrypt the password using openssl and send it to localhost on port 30001. Well, it isn’t this simple. Firstly, because you don’t know the encryption algorithm to convert the password with openssl. Secondly, port 30001 is SSL encrypted and thus your whole connection has to go through openssl to be encrypted, else it will not connect. That’s the main reason why we used ssl for establishing our connection and not nc.

Also, why did we use -ign_eof? If you have done file handling in a programming language you must have seen that after your operations you don’t abruptly end the program but save/quit the file first. Since we didn’t have a way to do that with ssl, we used -ign_eof to end the file safely while also requesting the server not to end the connection after we have sent our data, as we are also expecting a result from its side (password for level 16 in our case). Then you can simply ssh into the server with username as bandit16 and password as cluFn7wTiGryunymYOu4RcffSxQluehd.

Level 16 >> Level 17


1. What you understand from this is that you have to initiate a port scan. Hmm… what’s the best way to scan a port?

2. The port scan gave you the open ports, but do they have a listener or do they have SSL? If yes, then which version? Wait a second, version. Now that rings a bell, doesn’t it?


This can be solved in two ways:

Method 1: Brute Force

nc -zv localhost 31000-32000

openssl s_client -connect localhost:31691

openssl s_client -connect localhost:31960

openssl s_client -connect localhost:31046

openssl s_client -connect localhost:31518

openssl s_client -connect localhost:31790

Method 2 : Using tools

nmap -sV -p 31000-32000 localhost

openssl s_client -connect localhost:31790


We can approach this by scanning the ports in the given range to determine whether we have an open port or not. But this method could return a long list of ports which would be difficult to brute force. Instead, we can use netcat to search for listener ports as they would be open by default. But they could be listeners for anything: ssh, ftp, ssl, http, etc. However, the list of ports would be small and thus easy to brute force. But as I have said before, brute force is our last approach, hence I would like you to stay away from this method. However, keep it in mind for your future endeavours.

The best method is to search for the services running on the open ports in the given range, which gives us the required port in a single shot. Then it’s easy to connect to it and send the password of the previous level. Finally we’ll connect to the next level with ssh -i RSA.private -p 2220 where RSA.private is the RSA key that I obtained from this level.

Level 17 >> Level 18


1. Can be done manually, no doubt about that. But won’t that be brute force, and what do I say about brute force? It’s the last option to solve a problem. So try to find some other way. This one’s easy, you really don’t need a hint for it.


Type these in terminal

ssh -i RSA.private -p 2220

diff passwords.old


The diff command compares two text files and returns the differences between them if they exist. One thing to note here is that if we write diff file1 file2 then the result displays the line of file1 first and then that of file2, i.e. the order of the files remains the same.

Password for level 18 is kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd.

Level 18 >> Level 19


1. Think of this like you are a courier boy who has to deliver a package at a random house, but the moment you open the door and enter the house, the main door throws you out and shuts itself in your face. Now think of what options you have to deliver the package through the door. It’s a basic ssh workaround.


Type this in terminal

ssh -p 2220 cat readme


We attached the cat command to the ssh command so that both commands execute as if they are one. The server has to give you enough time to ssh into it before it can throw you out. That split second is enough for you to get your work done. By the way, this one was fun, wasn’t it?

Password for level 19 is IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x.

Level 19 >> Level 20


1. Hint is in the question itself. Read it carefully.


Type this in terminal

./bandit20-do cat /etc/bandit_pass/bandit20


The question says to execute the file to know how it works. Upon executing the file it says that you can run a command as if you’re another user. The password of all levels is stored in /etc/bandit_pass but you are only allowed to see the password of the current level as you don’t have the required permissions to display the password of any other level. But this is exactly what the file does. It allows you to run a command as if you’re another user. So we cat the password of bandit20 by using this file and obtain our password.

Password for level 20 is GbKksEFF4yrVs6il55v6gwY5aVje5f0j.

Level 20 >> Level 21


1. If you don’t have a port that is listening to you then you make one.


You’ll need to login to bandit 20 from two terminals.

On terminal 1: echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | nc -l -p 1234

On terminal 2: ./suconnect 1234


The question says that there will be a listener which will send the password of level 20 when someone connects to it via the suconnect file. So we make that listener ourselves. On terminal 1 we set up a listener on port 1234 which sends GbKksEFF4yrVs6il55v6gwY5aVje5f0j when someone connects to it. On the second terminal we connect to this port using the suconnect file and it sends the reply back to the first terminal as the password for level 21.

Password for level 21 is gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr.

Level 21 >> Level 22


Follow the trail. This one’s pretty easy.

Solution & Explanation

1. Enter the server of level 21

$ ssh -p 2220

2. The question asks us to look at the configuration file in /etc/cron.d/

$ cd /etc/cron.d

3. Cat the file

$ cat cronjob_bandit22

Its output is

@reboot bandit22 /usr/bin/ &> /dev/null

* * * * bandit22 /usr/bin/ &> /dev/null

This shows that every second the standard output and standard error of is being written to the black hole ( /dev/null ).

4. So let’s examine this file

$ cat /usr/bin/

Its output is:


chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

5. It says that the password of bandit22 is being written in the tmp folder. So let’s cat it.

$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

Voila we have our password for level 22: Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

Level 22 >> Level 23


1. Proceed similar to the previous problem and cat the script. Now the hint is: what you need has already been produced and saved. Now the question remains whether you know what you need and whether you can find it or not. Just remember that what you need already exists in a temporary location.

Solution & Explanation

1. SSH into level 22 with password: Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

$ ssh -p 2220

2. Move to the given location

$ cd /etc/cron.d

3. Search for the required file

$ ls -l

4. Cat it

$ cat cronjob_bandit15_root

Its output points us to /usr/bin/

5. Open the file

$ cat /usr/bin/

Its output says:

#!/bin/bash

myname=$(whoami)

mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget

Now try to understand it. myname contains your name so, myname=bandit22

And mytarget contains the md5sum of echo I am user bandit22 so, mytarget=8169b67bd894ddbb4412f91573b38db3

Following the code it will save the password of bandit22 to /tmp/8169b67bd894ddbb4412f91573b38db3

But this is not what you want, as you already have the password of bandit22. That’s how you sshed into the server in the first place. What you need is the password of bandit23.

6. Find the md5sum of echo I am user bandit23

$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1

Output: 8ca319486bfbbc3663ea0fbe81326349

7. Finding the password

$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349

Output: jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n

So the password of level 23 is jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
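Why this level falls so easily, as an added example that is not part of the original walkthrough: the drop file’s name is derived only from a username, so anyone can compute it, and the file is readable by others. The sketch below reproduces the name derivation (including the newline that echo appends) and audits a directory for such exposed files. The function names are constructed here, and the demo uses a scratch directory with a constructed file instead of the real /tmp.

```python
import hashlib
import os
import stat
import tempfile


def drop_path(username: str, tmp_dir: str = "/tmp") -> str:
    """Path the cron script writes to for the given username."""
    # `echo` appends a newline, so md5sum hashes "I am user <name>\n".
    digest = hashlib.md5(f"I am user {username}\n".encode()).hexdigest()
    return os.path.join(tmp_dir, digest)


def exposed_dropfiles(usernames, tmp_dir: str = "/tmp"):
    """List (user, path, mode) for derivable drop files that others can read."""
    findings = []
    for user in usernames:
        path = drop_path(user, tmp_dir)
        try:
            mode = stat.S_IMODE(os.stat(path).st_mode)
        except FileNotFoundError:
            continue
        if mode & stat.S_IROTH:
            findings.append((user, path, mode))
    return findings


def demo():
    """Constructed stand-in for /tmp: one world-readable drop file for bandit23."""
    with tempfile.TemporaryDirectory() as d:
        leaked = drop_path("bandit23", d)
        with open(leaked, "w") as fh:
            fh.write("CONSTRUCTED-SAMPLE-VALUE\n")
        os.chmod(leaked, 0o644)
        found = exposed_dropfiles(["bandit22", "bandit23", "bandit24"], d)
        return [(user, os.path.basename(path), mode) for user, path, mode in found]


if __name__ == "__main__":
    print(drop_path("bandit23"))
    for user, name, mode in demo():
        print(f"{user}: {name} is readable by others (mode {mode:o})")
```

A script that has to hand a secret to another process should write it to a file with an unpredictable name and mode 600 (for example via tempfile.mkstemp) instead of a path that can be computed from public information.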

Level 23 >> Level 24


1. This one is difficult so try to focus and spend some time on it. You’ve got to understand the working of the file. Also remember the sole purpose of the existence of cron.

Solution & Explanation

1. SSH into level 23 with password: jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n

$ ssh -p 2220

2. Move to the given location

$ cd /etc/cron.d

3. Display the file

$ cat cronjob_bandit24

It will point you to /usr/bin/

4. Display that file

$ cat /usr/bin/

Now try to understand the script. It says that it will read and then delete every file stored in /var/spool/bandit24 with the access level of bandit24. And this file runs every minute with the help of cron.

5. Get permissions of the /var/spool/bandit24.

ls -l /var/spool/

You’ll see that you are not allowed to read this folder but are allowed to write in it.

The information that you have obtained up to now is that you can write a script in /var/spool/bandit24 with your level of access and it will run every minute with the access level of bandit24. The password of every level is stored in /etc/bandit_pass/ but the current user can only access the password of the current level. So we’ll use this script to read the password of bandit24 from /etc/bandit_pass/bandit24.

6. Create a temporary folder to work in

$ mkdir /tmp/mydir

7. Make a script

$ touch

8. Write these lines in it using nano

$ nano


cat /etc/bandit_pass/bandit24 > /tmp/mydir/passfile

9. Give all users the permission to execute this file and write in this folder

$ chmod a+x && chmod a+w .

10. Copy the file to /var/spool/bandit24/ and wait for one minute

$ cp /var/spool/bandit24/

11. After a cron cycle you’ll see the password in passfile

$ cat passfile

Output: UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

So the password of level 24 is UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

Level 24 >> Level 25


1. Try creating a script but before that netcat into localhost with the given port to understand the way in which you are supposed to provide the output to the server.

Solution & Explanation

1. SSH into level 24 with password: UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

$ ssh -p 2220

2. I created a script called myscript using python to combine password and pin

pin = 1000

password = "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ"

# Write one "password pin" pair per line for every pin from 1000 to 9999
f = open("list_of_passwords.txt", "w+")

while pin < 10000:
    f.write(password + " " + str(pin) + "\n")
    pin = pin + 1

f.close()


3. Then I ran it and got list_of_passwords.txt as output

$ python3 myscript

The output looks like this:

UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 1000

UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 1001

UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 1002

UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 1003

UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 1004

UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 1005

UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 1006

UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 1007

UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 1008





UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 9999

4. Then I passed it to the given port number

cat list_of_passwords.txt | nc localhost 30002

5. After several failed password attempts I received the password for the next level

So the password of level 25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

Level 25 >> Level 26 and Level 26 >> Level 27


1. This question is pretty tricky and difficult. Try to split the question in four statements. Questions 1,2 & 3 are easy but no. 4 is where the difficulty of this level begins. I don’t think I can provide any hints for that other than the use of google for more command.

2. Lots of people were unable to solve this one so don’t worry if you’re unable to too.

3. Even the answer that I’m writing is not mine but taken from a writeup.

Solution & Explanation

1. SSH into level 25 with password: uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

$ ssh -p 2220

2. Finding the access for bandit26 is actually very easy

$ ls

OUTPUT – bandit26.sshkey

Now the problem here is that when you use this key to log into the bandit26 user then it will throw you out of the server before you can do something. I’ll solve this issue in this writeup too.

3. Now which shell is being used by bandit26. Actually this information and a lot of other useful info about users can be seen in passwd file

$ cat /etc/passwd

4. You’ll see that the shell being used is /usr/bin/showtext. So cat it

$ cat /usr/bin/showtext

5. The shell being used mores the file text.txt and exits. This is the tricky part. Here we’ll exploit the more command. This command displays a screenful of text on your screen and then gives you the ability to scroll through it. So we’ll reduce the size of our terminal window to the minimum possible by dragging its lower boundary to the uppermost level and then execute the following command

$ ssh -i bandit26.sshkey -p 2220

until we get the --More--(50%)

6. Once we get --More--(50%) written on the bottom of our window, we’ll press v. This will launch the text editor that is set in the $EDITOR shell variable at the line being viewed.

7. Then we’ll find the password of bandit26

$ :e /etc/bandit_pass/bandit26


8. We’ll solve the next level here too

9. Execute the following command

$ :set shell=/bin/bash

10. Now we have our friendly old bash on bandit26. When you run bandit27-do it will give you a message that you can run a command as another user. We have already solved a similar question in a previous level. So we will cat the password file of bandit27 here to obtain the password.

$ ./bandit27-do cat /etc/bandit_pass/bandit27

OUTPUT: 3ba3118a22e93127a4ed485be72ef5ea

So the password of level 26 is 5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z and of level 27 is 3ba3118a22e93127a4ed485be72ef5ea

Level 27 >> Level 28


1. No hints needed. This is literally the easiest level ever.

Solution & Explanation

1. SSH into level 27 with password: 3ba3118a22e93127a4ed485be72ef5ea

$ ssh -p 2220

2. The question asks us to save the contents of a file to a location and analyze it. So I made a temporary directory using mktemp

$ mktemp -d

OUTPUT: /tmp/tmp.rbvmMa3KEm

3. Changing directory

$ cd /tmp/tmp.rbvmMa3KEm

4. Cloning the repository

$ git clone ssh://bandit27-git@localhost/home/bandit27-git/repo

5. Changing directory and reading the file

$ cd repo && cat README

OUTPUT: The password to the next level is: 0ef186ac70e04ea33b4c1853d2526fa2

The password of level 28 is 0ef186ac70e04ea33b4c1853d2526fa2

Level 28 >> Level 29


1. Similar to the previous one. The extra info you need is a list of changes made to the file. This is usually done to check which line caused an error in the code. Now what’s the word for such a file?

Solution & Explanation

1. SSH into level 28 with password: 0ef186ac70e04ea33b4c1853d2526fa2

$ ssh -p 2220

2. Make a temporary directory

$ mktemp -d

OUTPUT: /tmp/tmp.IsVcAiExO0

3. Move to this directory

$ cd /tmp/tmp.IsVcAiExO0

4. Clone the repository

$ git clone ssh://bandit29-git@localhost/home/bandit29-git/repo

5. List the files in the directory

$ ls


6. Read the file

$ cat

No useful information can be obtained from it

7. So we read the logs of this repository to see the changes made by the authors

$ git log -p

This gives us the password for the next level.

The password of level 29 is bbc96594b4e001778eee9975372716b2

Level 29 >> Level 30


1. A repo is divided into various branches. Try changing them.

Solution & Explanation

1. SSH into level 29 with password: bbc96594b4e001778eee9975372716b2

$ ssh -p 2220

2. Proceed exactly as the previous level and clone the repository.

3. The output of doesn’t provide any useful info. So we try changing the branches. To check our current branch use the following command:

$ git branch

OUTPUT: * master

4. To get a list of all other branches use

$ git branch -r


origin/HEAD -> origin/master




5. Switch to the dev branch

$ git checkout dev

6. Now try reading the

$ cat

The password of level 30 is 5b90576bedb2cc04c86a9e924ce42faf

Level 30 >> Level 31


1. Read about tags in git.

Solution & Explanation

1. SSH into level 30 with password: 5b90576bedb2cc04c86a9e924ce42faf

$ ssh -p 2220

2. So I read the and found no useful information.

3. Then I started to see the contents of every file and found refs/tags/secret in .git/packed-refs. This is the only interesting piece of information that I’ve found till now. So I searched about tags on google. They are like a constant piece of information which is usually used to store the version of the project being worked upon. So I checked the repo for any available tags.

$ git tag -l

OUTPUT: secret

4. Maybe it’s just a hunch or maybe I’m onto something. I wasn’t sure so I decided to pursue it and it was fairly easy to do so. While searching about tags I also found the command to look into the contents of a tag.

$ git show secret

OUTPUT: 47e603bb428404d265f59c42920d81e5

The password of level 31 is 47e603bb428404d265f59c42920d81e5

Level 31 >> Level 32


1. No hint needed

Solution & Explanation

1. SSH into level 31 with password: 47e603bb428404d265f59c42920d81e5

$ ssh -p 2220

2. Read the file


This time your task is to push a file to the remote repository.


File name: key.txt

Content: ‘May I come in?’

Branch: master

3. Create the file and add the content to it

$ touch key.txt && echo "May I come in?" > key.txt

4. Preparing the file for pushing it into the branch. This is called staging

$ git add key.txt -f

5. Pushing the file in the branch

$ git push origin master

The password of level 32 is 56a9bf19c63d650ce78e6ec0354ee45e

Level 32 >> Level 33


1. Start with $0

Solution & Explanation

1. SSH into level 32 with password: 56a9bf19c63d650ce78e6ec0354ee45e

$ ssh -p 2220

2. I started with simple commands but none of them were executing. Then I realised that it’s because they are being converted to uppercase letters. Actually that’s what the message at the beginning meant.

3. So I started with $0 which would invoke it again.

4. Now I was able to execute the bash commands. But I had no clue about what I had to do. So after trying some random things I executed the whoami command.

$ whoami

OUTPUT: bandit33

5. And to my surprise I was bandit33 and not bandit32.

6. Then the way forward was clear. I simply used cat to display the password

$ cat /etc/bandit_pass/bandit33

The password of level 33 is c9c3199ddf4121b10cf581a98d51caee

Level 33 >> Level 34

Solution & Explanation

1. SSH into level 33 with password: c9c3199ddf4121b10cf581a98d51caee

$ ssh -p 2220