Post

OverTheWire Bandit Level 30 -> 31

Solution for OverTheWire Bandit level 31 challenge

Posted
By Michael McDonagh
1 min read
OverTheWire Bandit Level 30 -> 31

Level Goal

There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo.
The password for the user bandit30-git is the same as for the user bandit30.

Clone the repository and find the password for the next level.

Walkthrough

Solution for the Overthewire.org Bandit level 30 -> 31

Login to the server using the password obtained from the previous level Bandit level 29 -> 30.

username: bandit30

1

ssh bandit30@bandit.labs.overthewire.org -p 2220

After logging in to the server we create a working directory in /tmp and clone the git repo.
The password is the same as the one used to login to this level.

1
2
3
4
5
6
7
8
9
10

bandit30@bandit:~$ mkdir /tmp/bandit30
bandit30@bandit:~$ cd /tmp/bandit30

bandit30@bandit:/tmp/bandit30$ git clone ssh://bandit30-git@localhost/home/bandit30-git/repo
Cloning into 'repo'...

bandit30-git@localhost's password:
remote: Counting objects: 4, done.
remote: Total 4 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (4/4), done.

First we change directory into the repo and check the README.md file

1
2
3
4

bandit30@bandit:/tmp/bandit30$ cd repo
bandit30@bandit:/tmp/bandit30/repo$ cat README.md
just an epmty file... muahaha

Nothing of interest in the README.md file.
Next check the commit logs.

1
2
3
4
5
6

bandit30@bandit:/tmp/bandit30/repo$ git log
commit 3aefa229469b7ba1cc08203e5d8fa299354c496b
Author: Ben Dover <noone@overthewire.org>
Date:   Thu May 7 20:14:54 2020 +0200

    initial commit of README.md

The only commit is the initial commit which means the file was never changed after first commit.
Next on to checking for branches.

1
2
3
4

bandit30@bandit:/tmp/bandit30/repo$ git branch -a
* master
  remotes/origin/HEAD -> origin/master
  remotes/origin/master

No other branches locally or remote. Another dead end. Next I began looking at the .git directory

1
2
3

bandit30@bandit:/tmp/bandit30/repo$ cd .git
bandit30@bandit:/tmp/bandit30/repo/.git$ ls
branches  config  description  HEAD  hooks  index  info  logs  objects  packed-refs  refs

I started checking the files in .git and packed-refs contained something of interest.

1
2
3
4

bandit30@bandit:/tmp/bandit30/repo/.git$ cat packed-refs
# pack-refs with: peeled fully-peeled
3aefa229469b7ba1cc08203e5d8fa299354c496b refs/remotes/origin/master
f17132340e8ee6c159e0a4a6bc6f80e1da3b1aea refs/tags/secret

We can see a secret tag listed in the packed-refs. Using the git tag command we can list all tags.

1
2

bandit30@bandit:/tmp/working_dir/repo$ git tag
secret

To view the secret we use git show secret and it contained the password.

1
2

bandit30@bandit:/tmp/working_dir/repo$ git show secret
47e603##########################
OverTheWire, Bandit
overthewire bandit git
This post is licensed under CC BY 4.0 by the author.