2026-02-13T07:43:10Z

Justus: Created page with "Here's what I see when I run Metroflip<ref>[https://github.com/luu176/Metroflip Metroflip] ''github.com''</ref> with the <code>ufbt cli</code> attached, running the command <code>log debug</code>: <pre>… 518343 [D][Iso14443_4aPoller] Read ATS success … 518432 [D][Type4TagPoller] Select application 518437 [E][Type4TagPoller] APDU failed: 6A82 518465 [D][Iso14443_4aPoller] Read ATS success 518467 [D][EMVPoller] Send select PPSE 518473 [E][EMVPoller] Failed to parse ap..."

Here's what I see when I run Metroflip<ref>[https://github.com/luu176/Metroflip Metroflip] ''github.com''</ref> with the <code>ufbt cli</code> attached, running the command <code>log debug</code>:

<pre>…
518343 [D][Iso14443_4aPoller] Read ATS success
…
518432 [D][Type4TagPoller] Select application
518437 [E][Type4TagPoller] APDU failed: 6A82
518465 [D][Iso14443_4aPoller] Read ATS success
518467 [D][EMVPoller] Send select PPSE
518473 [E][EMVPoller] Failed to parse application
518487 [I][NfcScanner] Detected 1 protocols
518489 [I][Metroflip:Scene:Auto] test
518594 [I][Metroflip:Scene:Auto] proto: 2
518596 [I][Metroflip:Scene:Parse] Parse scene entered - card_type: atr, data_loaded: false
518601 [I][Metroflip:Scene:Parse] Tag is either T-Mobilitat or T-Money
518605 [I][Metroflip:Scene:Parse] Card is valid, loading plugin for: atr
…
518680 [D][Iso14443_4aPoller] Read ATS success
518695 [I][Metroflip:Scene:Parse] Wrong card event received - switching to unknown scene
…</pre>
Meanwhile on the Flipper Zero screen, Metroflip prints the following:

<pre>atr

This card is currently
unsupported / fully locked</pre>

In <code>scenes/metroflip_scene_parse.c</code> the following conditional determines if a card is T-money:

<syntaxhighlight lang="c">void metroflip_scene_parse_on_enter(void* context) {
// ...
} else if (app->hist_bytes[0] == 0x04 && app->hist_bytes[1] == 0x09) {
// This branch is not hit.
// the program then assumes that the card is "locked"
// ...</syntaxhighlight>
The program skips this conditional because the ''hist_bytes'' don't line up with the T-Money card from 2018 that I've used in Seoul.

In my original pull request<ref>https://github.com/luu176/Metroflip/pull/77 “Implement T-Money balance parsing”</ref> I’ve reported the following information as dumped by the Flipper Zero's NFC app:

<pre>Filetype: Flipper NFC device
Version: 4
# Device type can be ISO14443-3A, ISO14443-3B, ISO14443-4A, ISO14443-4B, ISO15693-3, FeliCa, NTAG/Ultralight, Mifare Classic, Mifare Plus, Mifare DESFire, SLIX, ST25TB, NTAG4xx, Type 4 Tag, EMV
Device type: ISO14443-4A
# UID is common for all formats
UID: XX XX XX XX
# ISO14443-3A specific data
ATQA: 00 04
SAK: 20
# ISO14443-4A specific data
T0: 78
TA(1): 80
TB(1): B0
TC(1): 02
T1...Tk: 04 09 22 02</pre>

Maintainer '''luu176''' meanwhile said that they found the following ''ATR'':

<pre>3B 88 80 01 04 02 00 20 00 71 C1 40 DF</pre>
Meanwhile, a friend gave me a newer T-Money card. Flipper Zero prints the following dump for this card:

<pre>Filetype: Flipper NFC device
Version: 4
# Device type can be ISO14443-3A, ISO14443-3B, ISO14443-4A, ISO14443-4B, ISO15693-3, FeliCa, NTAG/Ultralight, Mifare Classic, Mifare Plus, Mifare DESFire, SLIX, ST25TB, NTAG4xx, Type 4 Tag, EMV
Device type: ISO14443-4A
# UID is common for all formats
UID: XX XX XX XX
# ISO14443-3A specific data
ATQA: 00 04
SAK: 20
# ISO14443-4A specific data
T0: 78
TA(1): 77
TB(1): C1
TC(1): 02
T1...Tk: 0E 51 31 01</pre>Notice the difference in the <code>T1...Tk</code> bytes. The older card has <code>04 09 22 02</code> and the newer card has <code>0E 51 31 01</code>.

I refer to the '''Smart card ATR parsing'''<ref>[https://smartcard-atr.apdu.fr/ Smart card ATR parsing] ''smartcard-atr.apdu.fr''</ref> tool and enter luu176's ATR. The tool gives the following response<ref>[https://smartcard-atr.apdu.fr/parse?ATR=3B+88+80+01+04+02+00+20+00+71+C1+40+DF "Parsing ATR: 3B 88 … result"] ''smartcard-atr.apu.fr''</ref>:

* TS = 0x3B - Direct Convention
* T0 = 0x88 Y(1): b1000, K: 8 (historical bytes)
* TD(1) = 0x80 Y(i+1) = b1000, Protocol T=0
* ----
* TD(2) = 0x01 Y(i+1) = b0000, Protocol T=1
* ----
* Historical bytes 04 02 00 20 00 71 C1 40
* Category indicator byte: 0x04 (proprietary format) ".. .q.@"
* TCK = 0xDF '''correct checksum'''
<references />

My Number

2026-02-12T22:56:22Z

Justus: /* Reliability */

This page captures some of my thoughts about the Japanese My Number (個人番号<ref>[https://ja.wikipedia.org/wiki/%E5%80%8B%E4%BA%BA%E7%95%AA%E5%8F%B7 個人番号] ''ja.wikipedia.org''</ref>) system.

The law that set the path for the My Number system in Japan is called 「行政手続における特定の個人を識別するための番号の利用等に関する法律」<ref name=":0">[https://laws.e-gov.go.jp/law/425AC0000000027 行政手続における特定の個人を識別するための番号の利用等に関する法律] ''law.e-gov.go.jp''</ref> which I will call '''My Number law''' for the rest of this article. The My Number law first came into effect in April 4, 2017. The most recent version of the My Number law came into force on December 12, 2025.

This article presents concerns from a technical and privacy point of view. This article does not present a legal analysis and I'm not a lawyer.

== One number for everything ==
<blockquote>第一章　総則

（目的）

第一条　この法律は　…　個人番号　…　の有する特定の個人　…　を識別する機能を活用し、並びに当該機能によって異なる分野に属する情報を照合してこれらが同一の者に係るものであるかどうかを確認することができる…。<ref name=":0" /></blockquote>The idea of the My Number law is to assign a unique number to every person that you can use to tell persons apart. The 厚生労働省 and 法務省 intent to use this system as a unique identifier that many other public and private systems can attach personally identifiable information (PII) to. Here's are some examples of PII that currently is connected to someone's My Number:

* Name
* Date of birth
* Gender
* Address history
* Electronic Health Records
* Immigration and residence status
* Personal income and tax information
* Information about family members
* Bank account information

=== Problem ===
Any party that knows someone's personal number and has access to the data repositories that store any of the above records can access someone's PII. Apart from legit use cases, the major concern here is that if someone has access to data repositories that they should not have access to, they can gain sensitive information about a person without that person's knowledge.

== Linked to a physical card ==
Several government ministries urge citizens to apply for a physical '''My Number Card'''. This My Number Card shows the following sensitive information about a person:

* Full name
* Current address
* Date of birth
* Expiry date
* Previous home addresses
* Personal number

The My Number Card further is equipped with smart card functionality that lets you conduct various official businesses using its integrated digital certificate. With this digital certificate, you can sign or identify yourself. The smart card is protected by several passcodes:

* 住民基本台帳用: Passcode that allows you to change information about you on the card when going to town hall. (4 digits)
* 券面事項入力補助用: Passcode that lets you electronically transfer address, name, and other information about you to other devices. (4 digits)
* 利用者証明用電子証明書用: Passcode that lets you identify yourself when authenticating with the マイナポータル, when printing your registration information (住民票), or when going to the hospital (4 digits)
* 署名用電子証明書用: Passcode that lets you use the digital signing feature in your card. Example: Personal tax filings when using the e-Tax system. (6-16 digits)

=== Problem ===

* Theft or Loss: Losing the physical card means that anyone can see all of the sensitive information printed on the card.
* Single point of failure: Losing this card means that you can't conduct any of the official business in the preceding list.
* Single point of failure (medical): You can't prove that you have health insurance if you don't have your My Number Card

== Unchangeable number ==
There are no provisions for changing your personal number.

=== Problem ===

* Your PII accessible in eternity: If an unauthorized third party learns your personal number and can unlawfully access any data repository that links your personal number to sensitive information, they can access this sensitive information in eternity.

== Passcodes written on paper ==
When you apply for a My Number Card, you need to set the four passcodes as described in [[#Linked to a physical card]]. At Kitazawa Town Hall (北沢総合支所 ) <ref>[https://www.city.setagaya.lg.jp/02205/8489.html 北沢総合支所] ''www.city.setagaya.lg.jp''</ref>in Setagaya City, town hall employees asked me in 2023 to write down my passcodes on a piece of paper and hand it to them. The employees would then set the passcodes themselves and give me the card.

=== Problem ===

* Third party can learn passcode: If the pass codes are not shredded properly or if an unauthorized party somehow gains access to the pieces of paper with passcodes on them, they're able to conduct most relevant official business against your will - if they're able to retrieve your card as well. This is an unacceptable risk.
* Town hall employees know your passcode: Since you're instructing town hall employees to set your passcode, they know your passcode. They can conduct official business against your will. If you don't change your passcode immediately, they may wait for a few months, retrieve your card (for example when visiting town hall a second time), and use the card without your authorization. The fact that it's possible at all is concerning.
* No good passcode hygiene: There are no instructions on how to choose a safe passcode that is difficult to guess or brute force. While the My Number card locks you out after a number of unsuccessful passcode entry attempts, you can just set your birth year as a passcode and someone can guess this passcode by looking at your date of birth written on the card that they've just stolen from you.

== Other concerns ==

* '''Misinformation''': 厚生労働省 deliberately does not tell citizens that they can use their health insurance without a My Number card, for example by obtaining a 資格確認証, a plastic card without any electronic functionality. I personally only know a few people that know this. And they're the ones that told me.
* '''Waste of tax money''': If you visually compare the 資格確認証 and 健康保険証 issued by 協会けんぽう you will notice that they mostly look the same. One's in yellow, and the other one's in blue. To think that the government spent 10 years rolling out the My Number health insurance card scheme, and a yellow plastic card offering all the functionality that you need, shows that the My Number health insurance card scheme is not effective. When you consider that after all of this busywork, I get another card that looks the same as my old one, you may think: ''Why didn't they just keep the card blue?''
* '''Usability:''' To use any of the electronic functionality, you need to be at least somewhat competent at using IT systems. If you're not good at it, you can't do the following:
** Go to the doctor
** File your taxes online
** Conduct any other official, electronic business
* '''Reliability of My Number card in hospitals''': For various reliability reasons<ref>「やむを得ず10割負担」が3倍に急増 [https://www.ben54.jp/news/3154 マイナ保険証「今後トラブルがゼロになることはない」医師団体が“紙の保険証”復活訴える「有効期限切れ」など増加] ''www.ben54.jp''</ref>, or if you forget your passcode, patients can be asked to pay the full amount for medical treatments<ref>高齢の母が病院で「マイナ保険証」の受付操作ができず、10割負担で「4000円」の支払いを求められたとのこと。機械の操作が難しいなら「資格確認書」だけ使うべきでしょうか？ [https://financial-field.com/living/entry-362846 高齢の母が病院で「マイナ保険証」の受付操作ができず、10割負担で「4000円」の支払いを求められたとのこと。機械の操作が難しいなら「資格確認書」だけ使うべきでしょうか？] ''financial-field.com''</ref> on the spot. You then need to apply for a refund from your health insurance<ref>[https://tetsuzuki-planner.jp/plan/iryouhishikyuushinsei マイナ保険証がなくて10割負担…医療費の返金手続き(療養費支給申請)] ''tetsuzuki-planner.jp''</ref>. Almost 70 % of hospitals recently reported technical difficulties.<ref name=":1">「マイナ保険証に関する最新の実態調査で、2025年8月以降も69.8%の医療機関でマイナ保険証に関するトラブルが発生していることが判明したと明らかにした。」

「調査結果によると、マイナ保険証の利用率は徐々に上昇しているものの、直近の利用率が40%未満の医療機関が半数以上を占めたという。」

[https://archive.is/d2Slz#selection-479.2-479.78 マイナ保険証「今後トラブルがゼロになることはない」医師団体が“紙の保険証”復活訴える「有効期限切れ」など増加] ''news.yahoo.co.jp - archive.is''</ref>
* '''Certificate expiry''': If you forget to renew the electronic certificate on your my number card, you can't go to the hospital anymore or have to pay the full amount yourself. Again, for older people this presents a problem.<ref>マイナ保険証トラブル「有効期限切れ」が倍増　資格確認できず「いったん10割負担」も多く発生　保団連調査 [https://www.tokyo-np.co.jp/article/465316 マイナ保険証トラブル「有効期限切れ」が倍増　資格確認できず「いったん10割負担」も多く発生　保団連調査] ''www.tokyo-np.co.jp''</ref>
* '''Low adoption''': Less than 50% of citizens use the My Number health insurance card scheme <ref name=":1" />

== References ==

My Number

2026-01-31T09:00:57Z

Justus: Created page with "This page captures some of my thoughts about the Japanese My Number (個人番号<ref>https://ja.wikipedia.org/wiki/%E5%80%8B%E4%BA%BA%E7%95%AA%E5%8F%B7</ref>) system. The law that set the path for the My Number system in Japan is called 「行政手続における特定の個人を識別するための番号の利用等に関する法律」<ref>https://laws.e-gov.go.jp/law/425AC0000000027</ref> which I will call '''My Number law''' for the rest of this article. The My..."

This page captures some of my thoughts about the Japanese My Number (個人番号<ref>https://ja.wikipedia.org/wiki/%E5%80%8B%E4%BA%BA%E7%95%AA%E5%8F%B7</ref>) system.

The law that set the path for the My Number system in Japan is called 「行政手続における特定の個人を識別するための番号の利用等に関する法律」<ref>https://laws.e-gov.go.jp/law/425AC0000000027</ref> which I will call '''My Number law''' for the rest of this article. The My Number law first came into effect in April 4, 2017. The most recent version of the My Number law came into force on December 12, 2025.

This article presents concerns from a technical and privacy point of view. This article does not present a legal analysis and I'm not a lawyer.

== One number for everything ==
<blockquote>第一章　総則

（目的）

第一条　この法律は　…　個人番号　…　の有する特定の個人　…　を識別する機能を活用し、並びに当該機能によって異なる分野に属する情報を照合してこれらが同一の者に係るものであるかどうかを確認することができる…。<ref>https://laws.e-gov.go.jp/law/425AC0000000027#Mp-Ch_1-At_1</ref></blockquote>The idea of the My Number law is to assign a unique number to every person that you can use to tell persons apart. The 厚生労働省 and 法務省 intent to use this system as a unique identifier that many other public and private systems can attach personally identifiable information (PII) to. Here's are some examples of PII that currently is connected to someone's My Number:

* Name
* Date of birth
* Gender
* Address history
* Electronic Health Records
* Immigration and residence status
* Personal income and tax information
* Information about family members
* Bank account information

=== Problem ===
Any party that knows someone's personal number and has access to the data repositories that store any of the above records can access someone's PII. Apart from legit use cases, the major concern here is that if someone has access to data repositories that they should not have access to, they can gain sensitive information about a person without that person's knowledge.

== Linked to a physical card ==
Several government ministries urge citizens to apply for a physical '''My Number Card'''. This My Number Card shows the following sensitive information about a person:

* Full name
* Current address
* Date of birth
* Expiry date
* Previous home addresses
* Personal number

The My Number Card further is equipped with smart card functionality that lets you conduct various official businesses using its integrated digital certificate. With this digital certificate, you can sign or identify yourself. The smart card is protected by several passcodes:

* 住民基本台帳用: Passcode that allows you to change information about you on the card when going to town hall. (4 digits)
* 券面事項入力補助用: Passcode that lets you electronically transfer address, name, and other information about you to other devices. (4 digits)
* 利用者証明用電子証明書用: Passcode that lets you identify yourself when authenticating with the マイナポータル, when printing your registration information (住民票), or when going to the hospital (4 digits)
* 署名用電子証明書用: Passcode that lets you use the digital signing feature in your card. Example: Personal tax filings when using the e-Tax system. (6-16 digits)

=== Problem ===

* Theft or Loss: Losing the physical card means that anyone can see all of the sensitive information printed on the card.
* Single point of failure: Losing this card means that you can't conduct any of the official business in the preceding list.
* Single point of failure (medical): You can't prove that you have health insurance if you don't have your My Number Card

== Unchangeable number ==
There are no provisions for changing your personal number.

=== Problem ===

* Your PII accessible in eternity: If an unauthorized third party learns your personal number and can unlawfully access any data repository that links your personal number to sensitive information, they can access this sensitive information in eternity.

== Passcodes written on paper ==
When you apply for a My Number Card, you need to set the four passcodes as described in [[#Linked to a physical card]]. At Kitazawa Town Hall (北沢総合支所 ) <ref>https://www.city.setagaya.lg.jp/02205/8489.html</ref>in Setagaya City, town hall employees asked me in 2023 to write down my passcodes on a piece of paper and hand it to them. The employees would then set the passcodes themselves and give me the card.

=== Problem ===

* Third party can learn passcode: If the pass codes are not shredded properly or if an unauthorized party somehow gains access to the pieces of paper with passcodes on them, they're able to conduct most relevant official business against your will - if they're able to retrieve your card as well. This is an unacceptable risk.
* Town hall employees know your passcode: Since you're instructing town hall employees to set your passcode, they know your passcode. They can conduct official business against your will. If you don't change your passcode immediately, they may wait for a few months, retrieve your card (for example when visiting town hall a second time), and use the card without your authorization. The fact that it's possible at all is concerning.
* No good passcode hygiene: There are no instructions on how to choose a safe passcode that is difficult to guess or brute force. While the My Number card locks you out after a number of unsuccessful passcode entry attempts, you can just set your birth year as a passcode and someone can guess this passcode by looking at your date of birth written on the card that they've just stolen from you.

== Other concerns ==

* '''Misinformation''': 厚生労働省 deliberately does not tell citizens that they can use their health insurance without a My Number card, for example by obtaining a 資格確認証, a plastic card without any electronic functionality. I personally only know a few people that know this. And they're the ones that told me.
* '''Waste of tax money''': If you visually compare the 資格確認証 and 健康保険証 issued by 協会けんぽう you will notice that they mostly look the same. One's in yellow, and the other one's in blue. To think that the government spent 10 years rolling out the My Number health insurance card scheme, and a yellow plastic card offering all the functionality that you need, shows that the My Number health insurance card scheme is not effective. When you consider that after all of this busywork, I get another card that looks the same as my old one, you may think: ''Why didn't they just keep the card blue?''
* '''Usability:''' To use any of the electronic functionality, you need to be at least somewhat competent at using IT systems. If you're not good at it, you can't do the following:
** Go to the doctor
** File your taxes online
** Conduct any other official, electronic business
* '''Reliability of My Number card in hospitals''': For various reliability reasons<ref>「やむを得ず10割負担」が3倍に急増

https://www.ben54.jp/news/3154</ref>, or if you forget your passcode, patients can be asked to pay the full amount for medical treatments<ref>高齢の母が病院で「マイナ保険証」の受付操作ができず、10割負担で「4000円」の支払いを求められたとのこと。機械の操作が難しいなら「資格確認書」だけ使うべきでしょうか？

https://financial-field.com/living/entry-362846</ref> on the spot. You then need to apply for a refund from your health insurance<ref>https://tetsuzuki-planner.jp/plan/iryouhishikyuushinsei</ref>. Almost 70 % of hospitals recently reported technical difficulties.<ref>マイナ保険証に関する最新の実態調査で、2025年8月以降も69.8%の医療機関でマイナ保険証に関するトラブルが発生していることが判明したと明らかにした。

https://archive.is/d2Slz#selection-479.2-479.78</ref>
* '''Certificate expiry''': If you forget to renew the electronic certificate on your my number card, you can't go to the hospital anymore or have to pay the full amount yourself. Again, for older people this presents a problem.<ref>マイナ保険証トラブル「有効期限切れ」が倍増　資格確認できず「いったん10割負担」も多く発生　保団連調査 https://www.tokyo-np.co.jp/article/465316</ref>
* '''Low adoption''': Less than 50% of citizens use the My Number health insurance card scheme <ref>マイナ保険証の利用率は徐々に上昇しているものの、直近の利用率が40%未満の医療機関が半数以上トラブルの「有効期限切れ」45.2%は、約1年前の調査時（20.1%）と比較して割合が倍増マイナ保険証「今後トラブルがゼロになることはない」医師団体が“紙の保険証”復活訴える

https://x.com/shahokyo1/status/2017165227964375343</ref><ref>調査結果によると、マイナ保険証の利用率は徐々に上昇しているものの、直近の利用率が40%未満の医療機関が半数以上を占めたという。

https://archive.is/d2Slz (https://news.yahoo.co.jp/articles/b8cb0ee6b84db4ac1c9473625007e3e3a3e58254)</ref>

== Reliability ==

User:Justus

2026-01-31T08:01:26Z

Justus: Created page with "Hi! This is my user page on the justus.pw WIki."

Hi! This is my user page on the justus.pw WIki.

Category:OverTheWire

2026-01-30T07:37:27Z

Justus: 1 revision imported

These are my writeups for the [https://overthewire.org/wargames/ OverTheWire wargames].

OverTheWire Bandit walkthrough

2026-01-30T07:37:27Z

Justus: 1 revision imported

This article contains a walkthrough for all 34 levels of the Bandit wargame on [https://overthewire.org OverTheWire].

* Link to Bandit wargame: https://overthewire.org/wargames/bandit/

The OverTheWire wargames have been on the web for a long time. You don’t have to pay anything to play them. The OverTheWire maintainers are volunteering a lot of time to teach everyone about Linux security. Please consider [https://overthewire.org/information/donate.html donating to OverTheWire].

I’ve solved most of the levels in Bandit around 2017. I thought it would be useful to write up the shell commands I’ve used to solve each level without giving away the solution password themselves. Use this guide if you feel stuck and try your best coming up with your own original shell invocations.

I’ve marked all passwords in the command outputs with <code>XXX...</code> or <code>YYY...</code>.

And most importantly, have fun :)


= Bandit level 0 =

Link to this level: https://overthewire.org/wargames/bandit/bandit0.html

To solve level 0, you need to log in to <code>bandit0</code> with password <code>bandit0</code> using SSH on <code>bandit.labels.overthewrite.org</code> and port 2220.

Connect with <code>ssh</code> by using the following command:

<syntaxhighlight lang="bash">ssh bandit0@bandit.labs.overthewire.org -p 2220</syntaxhighlight>
When you connect successfully, you should see a message like this:

<pre> _ _ _ _
| |__ __ _ _ __ __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|

This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames

...

Enjoy your stay!

bandit0@bandit:~$</pre>

= Bandit level 1 =

Link to this level: https://overthewire.org/wargames/bandit/bandit1.html

Connect to this level’s account using the following command:

<syntaxhighlight lang="bash"># The password is the same as level 0
ssh bandit0@bandit.labs.overthewire.org -p 2220</syntaxhighlight>
Read out the file called <code>readme</code> using the <code>cat</code> command and learn the password for the next level:

<syntaxhighlight lang="bash">cat readme</syntaxhighlight>
This prints out the following:

<pre>Congratulations on your first steps into the bandit game!!
Please make sure you have read the rules at https://overthewire.org/rules/
If you are following a course, workshop, walkthrough or other educational activity,
please inform the instructor about the rules as well and encourage them to
contribute to the OverTheWire community so we can keep these games free!

The password you are looking for is: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</pre>
Note the password contained within the <code>readme</code> file and proceed to the next level’s account on Bandit.


= Bandit level 2 =

Link to this level: https://overthewire.org/wargames/bandit/bandit2.html

Use <code>ssh</code> to connect to the <code>bandit1</code> account on Bandit:

<syntaxhighlight lang="bash"># Use the password from the previous level here:
ssh bandit1@bandit.labs.overthewire.org -p 2220</syntaxhighlight>
This level stores its password in a file called <code>-</code>. Trying to just read out the file using the command <code>cat -</code> doesn’t work. The program <code>cat</code> assumes that you are passing it something over standard input.

Refer to the manual of <code>cat</code>, retrieved on Bandit using <code>man cat</code>. Here you can see that <code>cat</code> interprets the file called <code>-</code> in a specific way:


<blockquote>NAME cat - concatenate files and print on the standard output

SYNOPSIS cat [OPTION]… [FILE]…

DESCRIPTION Concatenate FILE(s) to standard output.

With no FILE, or when FILE is -, read standard input.
</blockquote>

The solution is to prepend the filename <code>-</code> with a <code>./</code>. The following command reveals the password for the next level:

<syntaxhighlight lang="bash">cat ./-</syntaxhighlight>

= Bandit level 3 =

Link to this level: https://overthewire.org/wargames/bandit/bandit3.html

Connect to <code>bandit</code> using the following command:

<syntaxhighlight lang="bash"># Enter password from level 1
ssh bandit2@bandit.labs.overthewire.org -p 2220</syntaxhighlight>
Solve the next level by escaping all spaces in the target filename. In bash, put a backward slash <code>\</code> before any spaces in a filename.

Here’s how to escape spaces in the filename <code>spaces in this filename</code> and print out its contents:

<syntaxhighlight lang="bash">cat spaces\ in\ this\ filename
# You can also type this:
cat "spaces in this filename"
# or this
cat 'spaces in this filename'</syntaxhighlight>
Note the password and use it in the next level.


= Bandit level 4 =

Link to this level: https://overthewire.org/wargames/bandit/bandit4.html

This level has a hidden filename. In many UNIX operating systems, filenames are “hidden” if they start with a period <code>.</code> character.

Connect to the <code>bandit3</code> account using the following command:

<syntaxhighlight lang="bash"># Enter password from level 3
ssh bandit3@bandit.labs.overthewire.org -p 2220</syntaxhighlight>
Then run the following command to show the password for the next level:

<syntaxhighlight lang="bash">cat inhere/.hidden</syntaxhighlight>
Note the password and use it in the next level.


= Bandit level 5 =

Link to this level: https://overthewire.org/wargames/bandit/bandit5.html

This level has a bunch of files in the <code>inhere</code> directory. Only one of them is human-readable and contains the password. Your task is to find this file.

Connect to the level using <code>ssh</code>:

<syntaxhighlight lang="bash"># Use password from level 3 to log in
ssh bandit4@bandit.labs.overthewire.org -p 2220</syntaxhighlight>
Find out what files are in the <code>inhere</code> directory:

<pre>bandit4@bandit:~$ ls inhere
-file00 -file01 -file02 -file03 -file04 -file05 -file06 -file07 -file08 -file09</pre>
Using the <code>head</code> command, you can print the beginning of each file and the name of that file. Try running <code>head inhere/*</code> and find the file that has the password for the next level:

<pre>bandit4@bandit:~$ head inhere/*
==> inhere/-file00 <==
QRrtZi H
|ȧ^
==> inhere/-file01 <==
7L3Yͯ ŴEY V&hF
==> inhere/-file02 <==
O̫`\-⃐Hx2K
==> inhere/-file03 <==
ix#e>VOp{ MUb4
==> inhere/-file04 <==
gQeE}:gj8<.e
==> inhere/-file05 <==
S 0]7b<~
==> inhere/-file06 <==
G=1B׃"
W9ؽ5
==> inhere/-file07 <==
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

==> inhere/-file08 <==
K~+9"T*Z$"r

==> inhere/-file09 <==</pre>
In my case, <code>inhere/-file07</code> was the winner. Note the password and use it in the next level.


= Bandit level 6 =

Link to this level: https://overthewire.org/wargames/bandit/bandit6.html

This level has you look for a specific file within the <code>inhere</code> directory. The file isn’t executable, 1033 bytes long, and human-readable. The <code>find</code> command is useful for finding a file using specific criteria like these.

First, connect to this level using <code>ssh</code>:

<syntaxhighlight lang="bash"># Use the password from level 5
ssh bandit5@bandit.labs.overthewire.org -p 2220</syntaxhighlight>
This is the <code>find</code> invocation that found the file for me.

<syntaxhighlight lang="bash">find inhere -type f -size 1033c -exec cat {} \;</syntaxhighlight>
The flags used here do the following:

* <code>-type f</code> looks for regular files.
* <code>-size 1033c</code> looks for a file exactly 1033 bytes long.
* <code>-exec cat {} \;</code> prints the contents of the file using <code>cat</code> if found.

Find may print out a bunch of gibberish files as well. Note the password and use it in the next level.


= Bandit level 7 =

Link to this level: https://overthewire.org/wargames/bandit/bandit7.html

This level is a continuation of the previous level. Use <code>find</code> again to solve it. This time, the winning file belongs to the user <code>bandit7</code>, is owned by the group <code>bandit6</code>, and is 33 bytes long. The file could be anywhere on the system and not only in the <code>bandit6</code> user’s home directory.

First, connect to the level using <code>ssh</code>:

<syntaxhighlight lang="bash">ssh bandit6@bandit.labs.overthewire.org -p 2220</syntaxhighlight>
Use the following <code>find</code> invocation to find the file:

<syntaxhighlight lang="bash">find / -size 33c \
-user bandit7 \
-group bandit6 -exec head {} \; 2> /dev/null</syntaxhighlight>
The arguments used for the <code>find</code> command used this time do the following:

* The <code>/</code> argument makes <code>find</code> search starting from the filesystem root.
* <code>-size 33c</code> only looks for 33 byte long files.
* <code>-user bandit7</code> looks for files belonging to the user <code>bandit7</code>.
* <code>-group bandit6</code> looks for files belonging to the group <code>bandit6</code>.
* <code>-exec head {}\;</code> prints the contents of any file matching these criteria.
* <code>2> /dev/null</code> tells Bash to discard any errors

Discarding errors is important here because the <code>find</code> command produces a lot of errors when scanning through the complete filesystem. In the machines filesystems there are a lot of files that the <code>bandit6</code> user isn’t allowed to access. The <code>find</code> command informs you of every error that it encounters when reading files. This can cause it to produce a lot of output and makes finding the file you are looking for difficult.


= Bandit level 8 =

Link to this level: https://overthewire.org/wargames/bandit/bandit8.html

In this level, you need to search the file <code>data.txt</code> for the next level’s password. The password is written right next to the string <code>millionth</code>. Use the <code>grep</code> command to solve this level.

Connect to the level using <code>ssh</code>:

<syntaxhighlight lang="bash">ssh bandit7@bandit.labs.overthewire.org -p 2220</syntaxhighlight>
The following regular expression used with <code>grep</code> finds the word <code>millionth</code> and anything written after it:

<pre>millionth.*</pre>
Here’s how to use it with the <code>grep</code> command:

<syntaxhighlight lang="bash">grep -e 'millionth.*' data.txt</syntaxhighlight>
You should see something like the following:

<pre>millionth XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</pre>
Note the password written after <code>millionth</code> and use it for the next level.


= Bandit level 9 =

Link to this level: https://overthewire.org/wargames/bandit/bandit9.html

In this level, you need to find a line that occurs only once in a file called <code>data.txt</code>. Every other line in this file appears at least twice.

Connect using <code>ssh</code>:

<syntaxhighlight lang="bash">ssh bandit8@bandit.labs.overthewire.org -p 2220</syntaxhighlight>
Use <code>sort</code> piped into <code>uniq --unique</code> to first sort the lines, exclude duplicate lines, and then only output the lines that appear exactly once.

<syntaxhighlight lang="bash">sort < data.txt | uniq --unique</syntaxhighlight>
This prints the password for the next level.


= Bandit level 10 =

Link to this level: https://overthewire.org/wargames/bandit/bandit10.html

This level wants you to use <code>grep</code> to search for the password for the next level. The password is one of the only human-readable strings and is preceded by at least one <code>=</code> character.

Connect using <code>ssh</code>:

<syntaxhighlight lang="bash">ssh bandit9@bandit.labs.overthewire.org -p 2220</syntaxhighlight>
Use the <code>strings</code> command to extract human-readable strings from a file. Pipe the result into <code>grep</code> and only output lines that start with at least two <code>=</code> characters. These two commands put together look like this:

<syntaxhighlight lang="bash">strings data.txt | grep -e '^=='</syntaxhighlight>
The output for this invocation looks like this:

<pre>========== passwordk^
========== is
========== XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</pre>
Note down the password and use it in Bandit level 11.


= Bandit level 11 =

Link to this level: https://overthewire.org/wargames/bandit/bandit11.html

This level gives you the password in a file called <code>data.txt</code>. This file contains [https://en.wikipedia.org/wiki/Base64 Base64] encoded data that you have to decode to get the password.

Connect using <code>ssh</code>:

<syntaxhighlight lang="bash">ssh bandit10@bandit.labs.overthewire.org -p 2220</syntaxhighlight>
Run the following command and observe the output:

<syntaxhighlight lang="bash">base64 -d data.txt</syntaxhighlight>
You should see something like the following:

<pre>The password is XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</pre>

= Bandit level 12 =

Link to this level: https://overthewire.org/wargames/bandit/bandit12.html

In this level, the file <code>data.txt</code> contains a [https://en.wikipedia.org/wiki/ROT13 ROT13] encoded password. To continue to the next level, you have to find a way to decode this password.

Connect using <code>ssh</code>:

<syntaxhighlight lang="bash">ssh bandit11@bandit.labs.overthewire.org -p 2220</syntaxhighlight>
If you scroll down the Wikipedia article linked here, you can find the solution for decoding ROT13 with <code>tr</code> [https://en.wikipedia.org/wiki/ROT13#tr here].

Run the following <code>tr</code> invocation to find the next level’s password:

<syntaxhighlight lang="bash">tr 'A-Za-z' 'N-ZA-Mn-za-m' < data.txt</syntaxhighlight>
You should see the following output after running this command:

<pre>The password is JVNBBFSmZwKKOP0XbFXOoW8chDz5yVRv</pre>

= Bandit level 13 =

Link to this level: https://overthewire.org/wargames/bandit/bandit13.html

This level has you unpack, decode, or decompress a file 8 times to find the password. The order of operation from start to finish is:

# Compress with <code>gzip</code>
# Archive with <code>tar</code>
# Archive with <code>tar</code> a second time
# Archive with <code>tar</code> a third time
# Compress with <code>gzip</code>
# Compress with <code>bzip2</code>
# Compress with <code>gzip</code>
# Convert to hex dump with <code>xxd</code>

When unpacking this file, you need to run these operations in reverse.

Connect using <code>ssh</code>:

<syntaxhighlight lang="bash">ssh bandit12@bandit.labs.overthewire.org -p 2220</syntaxhighlight>
To convert the hex dump back into binary data, use <code>xxd -r</code>:

<syntaxhighlight lang="bash">xxd -r < data.txt</syntaxhighlight>
This outputs binary data to your terminal and won’t immediately be useful. To see what format this binary output is, pipe the output of <code>xxd -r</code> into <code>file -</code> like so:

<syntaxhighlight lang="bash">xxd -r < data.txt | \
file -</syntaxhighlight>
This should print that it’s <code>gzip</code> compressed data:

<pre>/dev/stdin: gzip compressed data, was "data2.bin"
last modified: Thu Oct 5 06:19:20 2023, max compression, from Unix</pre>
Decompress this data using <code>zcat</code> and check the output format like so:

<syntaxhighlight lang="bash">xxd -r < data.txt | \
zcat | \
file -</syntaxhighlight>
This time <code>file</code> tells you that the data is <code>bzip2</code> compressed:

<pre>/dev/stdin: bzip2 compressed data, block size = 900k</pre>
Decompress this data using <code>bzip2 --decompress --force</code> and output it to standard out with the <code>--stdout</code> flag. This way, you can pipe the output into the next program. Inspect the contents again using <code>file -</code>:

<syntaxhighlight lang="bash">xxd -r < data.txt | zcat | \
bzip2 --decompress --force --stdout | file -</syntaxhighlight>
<code>file</code> tells you that the output is a <code>tar</code> archive:

<pre>/dev/stdin: POSIX tar archive (GNU)</pre>
Now, to unpack the contents, decompress the contents into a new temporary directory:

<syntaxhighlight lang="bash"># change into temporary directory
cd $(mktemp -d)
# Will CD into something like this:
# /var/folders/k8/jnlz0xdn5jd48zttf3ktv7200000gn/T/tmp.0eOTs8AHV5
xxd -r < $HOME/data.txt | \
zcat | \
bzip2 --decompress --force --stdout | \
zcat | \
tar -xf -</syntaxhighlight>
Now check the contents of each unpacked file using <code>file</code>:

<syntaxhighlight lang="bash"># Still in the same temporary directory as above
file *</syntaxhighlight>
<code>file</code> reports that there is one file <code>data5.bin</code> containing another tar archive:

<syntaxhighlight lang="bash">data5.bin: POSIX tar archive (GNU)</syntaxhighlight>
Unpack the archive using the following command:

<syntaxhighlight lang="bash"># Unpack data5.bin into the current directory
tar xvf data5.bin</syntaxhighlight>
This unpacks a file called <code>data6.bin</code>. This file is another <code>tar</code> archive. Here’s how you can unpack <code>data6.bin</code>:

<syntaxhighlight lang="bash"># Unpack data6.bin into the same directory
tar xvf data6.bin</syntaxhighlight>
The file <code>data6.bin</code> contains a <code>gzip</code> compressed file called <code>data8.bin</code>.

In total, you should now have three uncompressed files:

<pre># Contents of current temporary directory
data5.bin data6.bin data8.bin</pre>
Here’s what <code>file</code> reports when you run it on <code>data8.bin</code>:

<syntaxhighlight lang="bash">data8.bin: gzip compressed data, was "data9.bin", last modified: Thu Oct 5 06:19:20 2023, max compression, from Unix, original size modulo 2^32 49</syntaxhighlight>
Print the contents of <code>data8.bin</code> by using <code>zcat</code>:

<syntaxhighlight lang="bash">zcat data8.bin</syntaxhighlight>
Note the password contained in the file and use it in the next level:

<pre>The password is XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</pre>

= Bandit level 14 =

Link to this level: https://overthewire.org/wargames/bandit/bandit14.html

This level gives you an SSH key that you can use to log into Bandit level 14. Connect to level 13 using SSH:

<syntaxhighlight lang="bash">ssh bandit13@bandit.labs.overthewire.org -p 2220</syntaxhighlight>
After you connect, print out the SSH private key contained in <code>sshkey.private</code> and store it on your own machine:

<syntaxhighlight lang="bash">cat sshkey.private</syntaxhighlight>
The SSH private key looks like this:

<pre>-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAxkkOE83W2cOT7IWhFc9aPaaQmQDdgzuXCv+ppZHa++buSkN+
... rest left out
/+aLoRQ0yBDRbdXMsZN/jvY44eM+xRLdRVyMmdPtP8belRi2E2aEzA==
-----END RSA PRIVATE KEY-----</pre>
Store the whole private key in a file called <code>level_14.key</code> and use it in the next level.


= Bandit level 15 =

Link to this level: https://overthewire.org/wargames/bandit/bandit15.html

In this level, you need to send the current level’s password to a TCP server listening on port 30000 on the same machine. Where’s the current level’s password if the only thing you have is the SSH key? Passwords for each level are stored in <code>/etc/bandit_pass</code>. Each password file for a level is only accessible by that levels’ account. For example, the user <code>bandit14</code> can access the file <code>/etc/bandit_pass/bandit14</code>.

Connect to the level using <code>ssh</code> and give it the private key file <code>level_14.key</code> from the last level.

<syntaxhighlight lang="bash">ssh bandit14@bandit.labs.overthewire.org -p 2220 -i level_14.key</syntaxhighlight>
If SSH complains about the key at <code>level_14.key</code> being world readable, run the following command to fix its permissions:

<syntaxhighlight lang="bash">chmod 400 level_14.key</syntaxhighlight>
After you’ve connected, read out the password for <code>bandit14</code> stored in <code>/etc/bandit_pass/bandit14</code>.

<syntaxhighlight lang="bash"># Read out the password and note it
cat /etc/bandit_pass/bandit14</syntaxhighlight>
Use <code>nc</code> to pass the password to port 30000 on the same machine:

<syntaxhighlight lang="bash"># Contents of `/etc/bandit_pass/bandit14`
# v
echo "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" | nc localhost 30000</syntaxhighlight>
When you run this command, the server on port 30000 gives you the password for the next level. Write it down and use it for the next level.


= Bandit level 16 =

Link to this level: https://overthewire.org/wargames/bandit/bandit16.html

To solve level 16, you need to forward the current level’s password to a server listening on the same machine. The difference to level 15 is that this time you need to connect to it using TLS encryption.

Connect to the level using <code>ssh</code>:

<syntaxhighlight lang="bash">ssh bandit15@bandit.labs.overthewire.org -p 2220 -i /dev/null</syntaxhighlight>
The command that you can use to connect to a server using TLS encryption is called <code>openssl s_client</code>. OpenSSL is full of useful tools for certificate related operations and features a TLS client called <code>s_client</code> as well.

Here’s the command that solves this level:

<syntaxhighlight lang="bash"># Password from level 15
# v
echo "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" | \
openssl s_client -quiet -connect localhost:30001</syntaxhighlight>
When you pass the <code>-quiet</code> flag to <code>openssl s_client</code>, it won’t print connection status or certificate information. This information is useful for debugging, but can be noisy when you just want to see the flag.

After you run the preceding command, you should receive the password for the next level.


= Bandit level 17 =

Link to this level: https://overthewire.org/wargames/bandit/bandit17.html

To solve this level, you need to do 3 things:

# Find which port on the current machine between 31000 and 32000 is open.
# Find out which of these open ports lets you connect with TLS.
# Connect to the right port and send the current level’s password and get the next level’s password.

Connect to the current level using <code>ssh</code>:

<syntaxhighlight lang="bash">ssh bandit16@bandit.labs.overthewire.org -p 2220 -i /dev/null</syntaxhighlight>
I admit that I’ve brute-forced this level. I tried all 1000 ports and directly connected with <code>openssl s_client</code>. This script discards all error messages to <code>/dev/null</code>. The output is long and verbose. If you scroll through the output, you should eventually see the private key for the next level. Here’s the script that you can just paste and run in the SSH session:

<syntaxhighlight lang="bash">for i in $(seq 31000 32000); do
echo "Trying port $i"
# Current level's password
# v
echo "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" | \
openssl s_client -quiet -connect "localhost:$i" 2>/dev/null
done</syntaxhighlight>
The OpenSSL invocation is the same as in the previous level and uses <code>-quiet</code> again. This script pipes any error messages when OpenSSL fails to connect to <code>/dev/null</code> and thus discards them. The script runs for a while and at some point you should see the following output:

<pre>[...]
Correct!
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
...
vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
-----END RSA PRIVATE KEY-----
[...]</pre>
Save this private key in a file called <code>level_17.key</code> and move on to the next level.


= Bandit level 18 =

Link to this level: https://overthewire.org/wargames/bandit/bandit18.html

In this level, you need to spot the difference between two files <code>passwords.old</code> and <code>passwords.new</code>. Only one line has changed, and the changed line in <code>passwords.new</code> is the password for the next level.

Connect to <code>bandit17</code> using <code>ssh</code> with the private key <code>level_17.key</code> from the last level.

<syntaxhighlight lang="bash"># Fix key permissions if necessary
chmod 400 level_17.key
ssh bandit17@bandit.labs.overthewire.org -p 2220 -i level_17.key</syntaxhighlight>
Use the <code>diff</code> command to print out the differences between <code>passwords.old</code> and <code>passwords.new</code> like so:

<syntaxhighlight lang="bash">diff -u passwords.old passwords.new</syntaxhighlight>
You should see the following output. The line marked with a <code>+</code> character in the beginning tells you what the new line in <code>passwords.new</code> is. The line with the <code>-</code> character is the line in <code>passwords.old</code> that someone has deleted.

<pre>--- passwords.old 2024-07-17 15:57:13.545795226 +0000
+++ passwords.new 2024-07-17 15:57:13.549795225 +0000
@@ -XX,7 +XX,7 @@
OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
-OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
+NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO</pre>
The password is obfuscated in this output. The line marked with the <code>+</code> character is the password for the next level.


= Bandit level 19 =

Link to this level: https://overthewire.org/wargames/bandit/bandit19.html

Messing with SSH to escape user shell configurations is a real method that penetration testers use.

A recent vulnerability report, [https://www.cve.org/CVERecord?id=CVE-2024-47516 CVE-2024-47516] in Fedora Pagure shows this. [https://fenrisk.com/pagure Read the full report here]

The authors identify weaknesses that when combined allow users to run arbitrary code when connecting to <code>git@gitinstance.com</code> with an SSH client. This is a no-privilege, low-complexity, and network exploitable vulnerability with high CIA impact.

In this level, you need to leverage a similar vulnerability and read out the <code>readme</code> file in user <code>bandit18</code>’s home directory. Directly connecting with <code>ssh</code> doesn’t work. The <code>.bashrc</code> is set to automatically kick you out.

To read out the <code>readme</code> file, pass the command that you want to run directly to SSH. This is how to do it:

<syntaxhighlight lang="bash">ssh bandit18@bandit.labs.overthewire.org -p 2220 \
cat readme</syntaxhighlight>
This is what you should see when it runs successfully, where <code>XXX...</code> is the password for the next level:

<pre> _ _ _ _
| |__ __ _ _ __ __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|

This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</pre>

= Bandit level 20 =

Link to this level: https://overthewire.org/wargames/bandit/bandit20.html

In this level you need to use a setuid command to gain another user’s privileges. The challenge server stores Bandit level password in the <code>/etc/bandit_pass/</code> directory. Each Bandit level user can only access their own password in there. For this level, you connect as <code>bandit19</code> and you can only read the password in <code>/etc/bandit_pass/bandit19</code>. To read out the password for <code>bandit20</code>, you need to be able to become <code>bandit20</code>, at least temporarily. The <code>bandit19</code> user’s home directory contains a setuid binary that can run commands as the user <code>bandit20</code>. The goal is to use this binary and read out the user <code>bandit20</code>’s password in the <code>/etc/bandit_pass/</code> directory.

Connect to <code>bandit19</code> using <code>ssh</code>:

<syntaxhighlight lang="bash">ssh bandit19@bandit.labs.overthewire.org -p 2220</syntaxhighlight>
Here’s the setuid binary that lets you become <code>bandit20</code>:

<syntaxhighlight lang="bash">./bandit20-do</syntaxhighlight>
Run without any arguments, <code>bandit-20</code> prints the following:

<pre>Run a command as another user.
Example: ./bandit20-do id</pre>
This is how you can read out the user <code>bandit20</code>’s password file:

<syntaxhighlight lang="bash">./bandit20-do cat /etc/bandit_pass/bandit20</syntaxhighlight>
Note the password that it prints out and use it in the next level.


= Bandit level 21 =

Link to this level: https://overthewire.org/wargames/bandit/bandit21.html

In this level, you need to send your password to a specific port using a setuid binary.

Connect to this level:

<syntaxhighlight lang="bash">ssh bandit20@bandit.labs.overthewire.org -p 2220</syntaxhighlight>
<syntaxhighlight lang="bash">nc -l 20000 # ctrl-z
./suconnect 20000 # ctrl-z
fg %1
# type password from the last level</syntaxhighlight>
Here’s how it should look like, with comments denoted with a <code>#</code> symbol:

<pre># Start nc and listen on port 20000
bandit20@bandit:~$ nc -l 20000
# Put nc -l in the background by pressing ctrl-z
^Z
[1]+ Stopped nc -l 20000
# Start ./suconnect and connect to port 20000
bandit20@bandit:~$ ./suconnect 20000
# Put ./suconnect 20000 in the background by pressing ctrl-z
^Z
[2]+ Stopped ./suconnect 20000
# Put nc -l 20000 back in the foreground
bandit20@bandit:~$ fg %1
nc -l 20000
# Type the password from the last level
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# Put nc -l 20000 in the background
^Z
[1]+ Stopped nc -l 20000
# Put ./suconnect 20000 in the foreground
bandit20@bandit:~$ fg %2
./suconnect 20000
# It shows you that it read the password correctly
Read: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# The ./suconnect 20000 sends the password to nc -l 20000 and quits
Password matches, sending next password
# Put nc -l 20000 in the foreground
bandit20@bandit:~$ fg %1
nc -l 20000
# This is the password for the next level
YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY</pre>
Note the password that the <code>nc -l</code> receives and use it in the next level.


= Bandit level 22 =

Link to this level: https://overthewire.org/wargames/bandit/bandit22.html

In this level, you need to understand what a specific <code>cron</code> job is doing to read out the password. Connect with SSH:

<syntaxhighlight lang="bash">ssh bandit21@bandit.labs.overthewire.org -p 2220</syntaxhighlight>
Find the <code>cron</code> job description in <code>/etc/cron.d</code> and understand where it writes the password for the next level:

<pre># List all cron job configurations
bandit21@bandit:~$ ls /etc/cron.d/
cronjob_bandit22 cronjob_bandit23 cronjob_bandit24 e2scrub_all otw-tmp-dir sysstat

# Read out the configuration for bandit22
bandit21@bandit:~$ cat /etc/cron.d/cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null

# List the bandit22 user's cron job info at /usr/bin/cronjob_bandit22.sh
bandit21@bandit:~$ ls -l /usr/bin/cronjob_bandit22.sh
-rwxr-x--- 1 bandit22 bandit21 130 Jul 17 15:57 /usr/bin/cronjob_bandit22.sh

# Read out the cronjob file at /usr/bin/cronjob_bandit22.sh
bandit21@bandit:~$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
cat /etc/bandit_pass/bandit22 > /tmp/YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY

# Read out the password written to the temporary file:
bandit21@bandit:~$ cat /tmp/YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</pre>

= Bandit level 23 =

Link to this level: https://overthewire.org/wargames/bandit/bandit23.html

This level is almost like the last level. The shell script that the <code>cron</code> job invokes is a bit more involved. Once you figure out how it determines the filenames, you can read out the password.

Connect to this level with SSH:

<syntaxhighlight lang="bash">ssh bandit22@bandit.labs.overthewire.org -p 2220</syntaxhighlight>
Here are the steps I took to find the password:

<pre># List all cron configurations
bandit22@bandit:~$ ls /etc/cron.d
cronjob_bandit22 cronjob_bandit23 cronjob_bandit24 e2scrub_all otw-tmp-dir sysstat

# Read out the cron configuration for bandit23
bandit22@bandit:~$ cat /etc/cron.d/cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null

# Read out the cron job's script:
bandit22@bandit:~$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget

# Find the hash $mytarget used for the filename
bandit22@bandit:~$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

# Read out the file contents
bandit22@bandit:~$ cat /tmp/$(echo I am user bandit23 | md5sum | cut -d ' ' -f 1)
ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ</pre>

= Bandit level 24 =

Link to this level: https://overthewire.org/wargames/bandit/bandit24.html

In this level, you have to trick a <code>cron</code> job into executing your script instead.

Connect to the level using SSH:

<syntaxhighlight lang="bash">ssh bandit23@bandit.labs.overthewire.org -p 2220</syntaxhighlight>
There’s a <code>cron</code> job in <code>/usr/bin/cronjob_bandit24.sh</code>. You can trick it into running your script by putting an executable file in the right place:

<pre>bandit23@bandit:~$ cat /etc/cron.d/
cronjob_bandit22 cronjob_bandit24 otw-tmp-dir sysstat
cronjob_bandit23 e2scrub_all .placeholder
bandit23@bandit:~$ cat /etc/cron.d/cronjob_bandit24
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
bandit23@bandit:~$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname/foo
echo "Executing and deleting all scripts in /var/spool/$myname/foo:"
for i in * .*;
do
if [ "$i" != "." -a "$i" != ".." ];
then
echo "Handling $i"
owner="$(stat --format "%U" ./$i)"
if [ "${owner}" = "bandit23" ]; then
timeout -s 9 60 ./$i
fi
rm -f ./$i
fi
done

bandit23@bandit:~$ ls /var/spool/bandit24</pre>
Here’s the command I used to write an executable shell script into <code>/var/spool/bandit24</code>. The shell script uses the <code>install</code> command to copy over the password file:

<syntaxhighlight lang="bash">cat > /var/spool/bandit24/foo/cat_passwd <<EOF
#!/bin/bash
install --mode=444 /etc/bandit_pass/bandit24 /tmp/bandit_pass_bandit24
EOF
chmod +x /var/spool/bandit24/foo/cat_passwd
sleep 60
cat /tmp/bandit_pass_bandit24</syntaxhighlight>
Finally, this is how you can then print out the password:

<syntaxhighlight lang="bash">cat /tmp/bandit_pass_bandit24</syntaxhighlight>
Note the password and use it in the next level.


= Bandit level 25 =

Link to this level: https://overthewire.org/wargames/bandit/bandit25.html

Solve this level by connecting to port 30002 on <code>localhost</code> and giving it the right password. The password is a combination of the last level’s password and a random 4 digit pin. The <code>seq</code> command is useful for brute-forcing passwords.

Connect to the level with <code>ssh</code>:

<syntaxhighlight lang="bash">ssh bandit24@bandit.labs.overthewire.org -p 2220</syntaxhighlight>
Here’s the command that finds you the password. This filters out any lines that contain the string <code>Wrong!</code>. That way, you won’t get overwhelmed with ''wrong password'' messages.

<syntaxhighlight lang="bash">seq -f "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX %4g" 0 9999 |
socat STDIO TCP4:localhost:30002 |
grep -v Wrong!</syntaxhighlight>
After a while, this is what you should see once you send it the right code:

<pre>I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
Correct!
The password of user bandit25 is YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY</pre>
Note the password and use it in the next level.


= Bandit level 26 =

Link to this level: https://overthewire.org/wargames/bandit/bandit26.html

To solve this level, you need to find a way to escape the <code>bandit26</code> user’s default shell. First, connect to the <code>bandit25</code> user and see what shell <code>bandit26</code> is using:

<syntaxhighlight lang="bash">ssh bandit25@bandit.labs.overthewire.org -p 2220</syntaxhighlight>
This command filters out the <code>bandit25</code> and <code>bandit26</code> users from the password file located at <code>/etc/passwd</code>:

<syntaxhighlight lang="bash">cat /etc/passwd | grep -e bandit25 -e bandit26</syntaxhighlight>
The <code>bandit25</code> user’s shell is <code>/bin/bash</code>, which is a regular shell. The <code>bandit26</code> user uses an uncommon shell located at <code>/usr/bin/showtext</code>. See the two user’s entries in the <code>/etc/passwd</code> file here:

<pre>bandit25:x:11025:11025:bandit level 25:/home/bandit25:/bin/bash
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext</pre>
To confirm what content the shell at <code>/usr/bin/showtext</code> has, examine the file using <code>ls</code> and <code>cat</code> like so:

<syntaxhighlight lang="bash">ls -la /usr/bin/showtext</syntaxhighlight>
Here you can see that <code>/usr/bin/showtext</code> is a 58 byte large executable file:

<pre>-rwxr-xr-x 1 root root 58 Jul 17 15:57 /usr/bin/showtext</pre>
Show the contents of <code>/usr/bin/showtext</code> using <code>cat /usr/bin/showtext</code>:

<syntaxhighlight lang="bash">#!/bin/sh

export TERM=linux

exec more ~/text.txt
exit 0</syntaxhighlight>
All that the <code>/usr/bin/showtext</code> command does is read out the contents of a file called <code>text.txt</code> in the current user’s directory. Note that you can change what the tilde <code>~</code> character expands to by passing a different <code>$HOME</code> variable.

Try running the <code>/usr/bin/showtext</code> program while logged in as <code>bandit25</code>:

<pre>bandit25@bandit:~$ /usr/bin/showtext
more: cannot open /home/bandit25/text.txt: No such file or directory
bandit25@bandit:~$ HOME=/home/bandit26 /usr/bin/showtext
more: cannot open /home/bandit26/text.txt: Permission denied</pre>
<code>/usr/bin/showtext</code> doesn’t work since you don’t have a <code>text.txt</code> file in your own home directory. Changing the home directory to be the <code>bandit26</code> user’s home directory doesn’t solve it either, since you don’t have access to the <code>bandit26</code> user’s data in their home directory.

Inspect your home directory with <code>ls $HOME</code> and find the SSH key for the <code>bandit26</code> user:

<pre>bandit25@bandit:~$ ls $HOME
bandit26.sshkey</pre>
Print the contents of this file using <code>cat $HOME/bandit26.sshkey</code>:

<pre>-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEApis2AuoooEqeYWamtwX2k5z9uU1Afl2F8VyXQqbv/LTrIwdW
...
IZdtF5HXs2S5CADTwniUS5mX1HO9l5gUkk+h0cH5JnPtsMCnAUM+BRY=
-----END RSA PRIVATE KEY-----</pre>
Copy the contents of this file to your computer into a file called <code>bandit26.sshkey</code>. Change this file’s permissions so that only you can read it:

<syntaxhighlight lang="bash"># Assuming you use the wayland clipboard
wl-paste > bandit26.sshkey
chmod 400 bandit26.sshkey</syntaxhighlight>
Connect to the <code>bandit26</code> user with the SSH key at <code>bandit26.sshkey</code>

<syntaxhighlight lang="bash">ssh -i bandit26.sshkey bandit26@bandit.labs.overthewire.org -p 2220</syntaxhighlight>
All that the <code>/usr/bin/showtext</code> command does is show the contents of a short text file using the <code>more</code> command. The connection then terminates immediately because <code>more</code> quits after printing all text.

<pre>[...]
_ _ _ _ ___ __
| | | (_) | |__ \ / /
| |__ __ _ _ __ __| |_| |_ ) / /_
| '_ \ / _` | '_ \ / _` | | __| / / '_ \
| |_) | (_| | | | | (_| | | |_ / /| (_) |
|_.__/ \__,_|_| |_|\__,_|_|\__|____\___/
Connection to bandit.labs.overthewire.org closed.</pre>
There’s a way to trick the <code>more</code> command into not quitting immediately. While <code>more</code> is running, you can make it read other files, open an editor or execute commands.

Make your terminal small and connect to the <code>bandit26</code> user again. If you are using a tiling window manager, making the terminal float can help as well.

<syntaxhighlight lang="bash">ssh -i bandit26.key bandit26@bandit.labs.overthewire.org -p 2220</syntaxhighlight>
While <code>more</code> is running, press <code>vv</code> to enter the <code>vim</code> editor. Inside <code>vim</code> type <code>:e /etc/bandit_pass/bandit26<ENTER></code>.

You can now see the password:

<pre>YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY</pre>
You can even enter a full shell inside the <code>vim</code> editor using the following:

<syntaxhighlight lang="vim">set shell=/bin/sh
:shell</syntaxhighlight>
Note the password and use it in the next level.


= Bandit level 27 =

Link to this level: https://overthewire.org/wargames/bandit/bandit27.html

Solve this level by using the same trick as in the previous level. Connect using SSH:

<syntaxhighlight lang="bash">ssh bandit26@bandit.labs.overthewire.org -p 2220</syntaxhighlight>
Make your terminal small so that the <code>more</code> command doesn’t quit immediately. When you’re inside <code>more</code>, press <code>vv</code> to open <code>vim</code>. Inside vim enter the following command:

<syntaxhighlight lang="vim">:set shell=/bin/sh<CR>:shell</syntaxhighlight>
This launches a shell. Run the following inside the shell to print the next level’s password:

<syntaxhighlight lang="sh">./bandit27-do cat /etc/bandit_pass/bandit27
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</syntaxhighlight>
Note the password and use it to connect to the next level.


= Bandit level 28 =

Link to this level: https://overthewire.org/wargames/bandit/bandit28.html

This level was a lot of fun to solve. It’s good to keep in mind how much information can leak through git repositories.

Connect to the level using <code>ssh</code>:

<syntaxhighlight lang="bash">ssh bandit27@bandit.labs.overthewire.org -p 2220</syntaxhighlight>
Go into a temporary directory that you create using the <code>mktemp -d</code> command. Inside the temporary directory, clone the git repository at the following address:

<pre>ssh://bandit27-git@localhost:2220/home/bandit27-git/repo</pre>
Here are the commands you can run to achieve this.

<syntaxhighlight lang="bash">cd $(mktemp -d)
git clone ssh://bandit27-git@localhost:2220/home/bandit27-git/repo</syntaxhighlight>
List all files in the repository that you have checked out using the <code>find</code> command:

<syntaxhighlight lang="bash">find repo</syntaxhighlight>
You should see a <code>README</code> file listed among the files:

<pre>[...]
repo/README</pre>
Read out the contents of the <code>README</code> file using the <code>cat</code> command:

<syntaxhighlight lang="bash">cat repo/README</syntaxhighlight>
Note the password contained in the <code>README</code> file and use it in the next level.

<pre>The password to the next level is: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</pre>

= Bandit level 29 =

Link to this level: https://overthewire.org/wargames/bandit/bandit29.html

Like in the last level, you have to find credentials in a git repository that someone forgot to take out. Connect to the level using <code>ssh</code>:

<syntaxhighlight lang="bash">ssh bandit28@bandit.labs.overthewire.org -p 2220</syntaxhighlight>
Once you are connected, check out the repository and list its contents using the following commands:

<syntaxhighlight lang="bash"># Create a temporary directory and change into it
cd $(mktemp -d)
# Clone the repository
git clone ssh://bandit28-git@localhost:2220/home/bandit28-git/repo
# List the contents
ls -la repo</syntaxhighlight>
<pre>total 16
drwxrwxr-x 3 bandit28 bandit28 4096 Aug 31 01:26 .
drwx------ 3 bandit28 bandit28 4096 Aug 31 01:26 ..
drwxrwxr-x 8 bandit28 bandit28 4096 Aug 31 01:26 .git
-rw-rw-r-- 1 bandit28 bandit28 111 Aug 31 01:26 README.md</pre>
This level has a <code>README.md</code> file just like in level 28. Run <code>cat</code> on it to check if it contains any credentials:

<syntaxhighlight lang="bash">cat repo/README.md</syntaxhighlight>
Someone removed the credentials in the <code>README.md</code> file and replaced them with <code>x</code> characters.

<pre># Bandit Notes
Some notes for level29 of bandit.

## credentials

- username: bandit29
- password: xxxxxxxxxx
</pre>
If someone removed the password, perhaps the password was in the repository before? Use <code>git log -p</code> on the <code>README.md</code> file to list all changes to it.

<syntaxhighlight lang="bash">git log -p README.md</syntaxhighlight>
If you scroll down a bit, you should see the previous password like here:

<pre>[...]
commit 73f5d0435070c8922da12177dc93f40b2285e22a
Author: Morla Porla <morla@overthewire.org>
Date: Wed Jul 17 15:57:30 2024 +0000

add missing data

diff --git a/README.md b/README.md
index 7ba2d2f..d4e3b74 100644
--- a/README.md
+++ b/README.md
@@ -4,5 +4,5 @@ Some notes for level29 of bandit.
## credentials

- username: bandit29
-- password: <TBD>
+- password: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
[...]</pre>
Note the password and use it in the next level.


= Bandit level 30 =

Link to this level: https://overthewire.org/wargames/bandit/bandit30.html

Again, this level is a git repository forensics challenge. Connect to it using <code>ssh</code>:

<syntaxhighlight lang="bash">ssh bandit29@bandit.labs.overthewire.org -p 2220</syntaxhighlight>
Clone the repository into a temporary directory:

<syntaxhighlight lang="bash">cd $(mktemp -d)
git clone ssh://bandit29-git@localhost:2220/home/bandit29-git/repo</syntaxhighlight>
Inside the repository, search for the password in the <code>README.md</code> file. This time, it’s somewhere else:

<pre>bandit29@bandit:/tmp/tmp.T3dxdml6c7$ cd repo
bandit29@bandit:/tmp/tmp.T3dxdml6c7/repo$ ls -a
. .. .git README.md
bandit29@bandit:/tmp/tmp.T3dxdml6c7/repo$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.

## credentials

- username: bandit30
- password: <no passwords in production!></pre>
Even checking the <code>git log</code> for the <code>README.md</code> file doesn’t reveal any credentials. Try it yourself:

<syntaxhighlight lang="bash">git log -p</syntaxhighlight>
Here’s the transcript:

<pre>...

commit 5a53eb83a43bac1f0b4e223e469b40ef68a4b6e6
Author: Ben Dover <noone@overthewire.org>
Date: Wed Jul 17 15:57:31 2024 +0000

initial commit of README.md

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..2da2f39
--- /dev/null
+++ b/README.md
@@ -0,0 +1,8 @@
+# Bandit Notes
+Some notes for bandit30 of bandit.
+
+## credentials
+
+- username: bandit29
+- password: <no passwords in production!>
+</pre>
It looks like the password was never committed in the first place. Maybe the password is in another branch. List the names of all git branches using the following command:

<syntaxhighlight lang="bash">git branch -a</syntaxhighlight>
The git repository contains the following branches:

<pre>* master
origin
remotes/origin/HEAD -> origin/master
remotes/origin/dev
remotes/origin/master
remotes/origin/sploits-dev</pre>
Going through each branch, you should finally find the password in the <code>origin/dev</code> branch:

<syntaxhighlight lang="bash">git log -p origin/dev</syntaxhighlight>
Here’s the password in the first commit in the <code>origin/dev</code> branch:

<pre>commit eef534022d1ecc3b41d6de068501c4db4154b2c7 (origin/dev)
Author: Morla Porla <morla@overthewire.org>
Date: Wed Jul 17 15:57:31 2024 +0000

add data needed for development

diff --git a/README.md b/README.md
index 1af21d3..bc6ad3d 100644
--- a/README.md
+++ b/README.md
@@ -4,5 +4,5 @@ Some notes for bandit30 of bandit.
## credentials

- username: bandit30
-- password: <no passwords in production!>
+- password: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

# Rest of git log -p origin/dev abbreviated</pre>
Note the password and use it to connect to level 31.


= Bandit level 31 =

Link to this level: https://overthewire.org/wargames/bandit/bandit31.html

This is another git repository forensics challenge. Connect to the level using <code>ssh</code>:

<syntaxhighlight lang="bash">ssh bandit30@bandit.labs.overthewire.org -p 2220</syntaxhighlight>
Clone the repository using the following commands:

<syntaxhighlight lang="bash">cd $(mktemp -d)
git clone ssh://bandit30-git@localhost:2220/home/bandit30-git/repo
cd repo</syntaxhighlight>
This time, the password is neither in the git log for the main branch or any other branch. Instead, take a look at the git tags using <code>git tag -l</code>:

<syntaxhighlight lang="bash">git tag -l
# This lists one tag called `secret`</syntaxhighlight>
This lists one git tag called <code>secret</code>. Show the git commit that belongs to this tag by running the following command:

<syntaxhighlight lang="bash">git show secret
#> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</syntaxhighlight>
Note the password and use it in the next level.


= Bandit level 32 =

Link to this level: https://overthewire.org/wargames/bandit/bandit32.html

To solve this level, you need to create a specific commit and send it to a git remote. When the git remote receives the correct file, it gives you the password for the next level. Connect to this level using <code>ssh</code>.

<syntaxhighlight lang="bash">ssh bandit31@bandit.labs.overthewire.org -p 2220</syntaxhighlight>
Clone the repository into a temporary directory:

<syntaxhighlight lang="bash">cd $(mktemp -d)
git clone ssh://bandit31-git@localhost:2220/home/bandit31-git/repo
cd repo</syntaxhighlight>
Create a file called <code>key.txt</code> and commit it to your local repository:

<syntaxhighlight lang="bash">cat > key.txt <<EOF
May I come in?
EOF
git add -f key.txt
git commit -m yo</syntaxhighlight>
Push your changes to origin with the following <code>git push</code> invocation:

<pre>git push origin master</pre>
The git commit hook in <code>origin</code> takes over and gives you the password for the next level.

<pre> _ _ _ _
| |__ __ _ _ __ __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|

This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames

bandit31-git@localhost's password:
Enumerating objects: 4, done.
Counting objects: 100% (4/4), done.
Delta compression using up to 2 threads
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 317 bytes | 317.00 KiB/s, done.
Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
remote: ### Attempting to validate files... ####
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
remote: Well done! Here is the password for the next level:
remote: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
To ssh://localhost:2220/home/bandit31-git/repo
! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'ssh://localhost:2220/home/bandit31-git/repo'</pre>
Note the password that the <code>pre-receive</code> hooks prints out and use it in the next level. This might be a good opportunity to double-check your usage of git hooks.


= Bandit level 33 =

Link to this level: https://overthewire.org/wargames/bandit/bandit33.html

In this level, you need to escape a custom shell that turns all commands into uppercase. For example, when you run <code>cat</code>, the shell turns it into a <code>CAT</code>.

Connect to this level using <code>ssh</code>:

<syntaxhighlight lang="bash">ssh bandit32@bandit.labs.overthewire.org -p 2220</syntaxhighlight>
Here’s what you’re prompted with when connecting:

<pre>[...]
For more information regarding individual wargames, visit
http://www.overthewire.org/wargames/

For support, questions or comments, contact us on discord or IRC.

Enjoy your stay!

WELCOME TO THE UPPERCASE SHELL</pre>
To see what exactly this uppercase shell is, I connected to the previous level and inspect the <code>/etc/passwd</code> password file. Here’s how you can print out the record for the <code>bandit32</code> user from this level:

<syntaxhighlight lang="bash">grep /etc/passwd -e bandit32</syntaxhighlight>
The <code>bandit32</code> user’s shell is in <code>/home/bandit32/uppershell</code>:

<pre>bandit32:x:11032:11032:bandit level 32:/home/bandit32:/home/bandit32/uppershell</pre>
It’s not possible to view the contents of <code>uppershell</code> as <code>bandit31</code>. The file belongs to <code>bandit32</code>.

After trying a lot, this is the command that eventually solved the challenge for me:

<syntaxhighlight lang="sh"># Run the name of the current shell as a command
$0</syntaxhighlight>
And this is it. I have no idea why this works. Normally, one would suppose that this just runs <code>/home/bandit32/uppershell</code> again.

Print out the password:

<syntaxhighlight lang="bash">cat /etc/bandit_pass/bandit33</syntaxhighlight>
Epic laser boom. You’ve solved all levels in the Bandit wargame. Use the password and connect to the next level for an epic win epic message.


= Bandit level 34 =

Link to this level: https://overthewire.org/wargames/bandit/bandit34.html

Connect to this level using <code>ssh</code>:

<syntaxhighlight lang="bash">ssh bandit33@bandit.labs.overthewire.org -p 2220</syntaxhighlight>
Print the <code>README.txt</code> file in this level’s home directory using <code>cat README.txt</code> and celebrate:


<blockquote>Congratulations on solving the last level of this game!
</blockquote>
<blockquote>At this moment, there are no more levels to play in this game. However, we are constantly working on new levels and will most likely expand this game with more levels soon. Keep an eye out for an announcement on our usual communication channels! In the meantime, you could play some of our other wargames.
</blockquote>
<blockquote>If you have an idea for an awesome new level, please let us know!
</blockquote>

The Bandit wargame is a great shell command teacher. Give it a try if you are interested in learning how to get weird with the shell. Impress people at parties with obscure knowledge about Bash.

Here are two useful resources that helped me solve the challenges:

* [https://gtfobins.github.io/ <code>GTFOBins</code>] to learn how to escape certain programs like <code>more</code>.
* [https://linux.die.net/man/ Linux man pages on die.net] to read manuals for many programs in your browser

[[Category:OverTheWire]]

Category:Garden

2026-01-30T06:54:15Z

Justus: Created page with "This category contains pages that were originally a part of the justus.pw Digital Garden<ref>https://www.justus.pw/garden.html</ref>."

This category contains pages that were originally a part of the justus.pw Digital Garden<ref>https://www.justus.pw/garden.html</ref>.

Attic on Nix Darwin

2026-01-30T06:50:58Z

Justus: Add to Garden

Here are some snippets of code required to configure and run [https://docs.attic.rs/ attic] on macOS with [https://github.com/LnL7/nix-darwin <code>nix-darwin</code>], and use it as an optional cache.


= Files required =

To make <code>nix-darwin</code> configure attic correctly, you need a configuration module̵ <code>attic.nix</code> and a configuration <code>atticd.toml</code> for attic to use during runtime to use the correct paths for storage.


= User creation =

First, create a user and group called <code>attic</code> to host the attic server on your machine. In the <code>attic.nix</code> file, add the following:

<syntaxhighlight lang="nix"># attic.nix
{ config, pkgs, ... }:
{
users.groups.attic = {
# Adjust the gid to your liking
gid = 603;
};
users.users.attic = {
createHome = false;
description = "attic user";
gid = 603;
# Adjust the uid to your liking
uid = 603;
isHidden = true;
};
users.knownGroups = [ "attic" ];
users.knownUsers = [ "attic" ];
}</syntaxhighlight>
This Nix configuration hides the attic user, and it can’t log in since shell set to <code>sbin/nologin</code>.


= Attic configuration =

Create a configuration file <code>atticd.toml</code> and add the following contents:

<pre class="toml"># atticd.toml
# Socket address to listen on, you might want to adjust the port used.
listen = "127.0.0.1:18080"

# Optionally, configure allowed hosts here
allowed-hosts = []

[database]
# Attic's database is located in /var/attic/db.sqlite
url = "sqlite:///var/attic/db.sqlite?mode=rwc"

# Whether to enable sending on periodic heartbeat queries
#
# If enabled, a heartbeat query will be sent every minute
#heartbeat = false

[storage]
# Store everything locally in /var/attic/storage
type = "local"
path = "/var/attic/storage"

# Default values from
# https://github.com/zhaofengli/attic/blob/main/server/src/config-template.toml
[chunking]
nar-size-threshold = 65536 # chunk files that are 64 KiB or larger
min-size = 16384 # 16 KiB
avg-size = 65536 # 64 KiB
max-size = 262144 # 256 KiB

[compression]
type = "zstd"
#level = 8

[garbage-collection]
# The frequency to run garbage collection at
interval = "12 hours"</pre>
Write the attic configuration to <code>/etc/attic/atticd.toml</code> using the following Nix snippet:

<syntaxhighlight lang="nix"># attic.nix
{ config, pkgs, ... }:
{
# ...
environment.etc = {
atticd = {
source = ./atticd.toml;
target = "attic/atticd.toml";
};
};
# ...
}</syntaxhighlight>

= Credentials file =

Next, feed 32 bytes of random data into <code>base64</code>. Pipe these 32 bytes into a secret, read-only file that only <code>attic</code> can open:

<syntaxhighlight lang="bash">openssl rand 32 |
base64 |
sudo tee /etc/attic/secret.base64 > /dev/null
sudo chown attic:attic /etc/attic/secret.base64
sudo chmod 400 /etc/attic/secret.base64</syntaxhighlight>

= Attic service file =

Next, tell <code>nix-darwin</code> to add a launchd service using the following snippet in the same <code>attic.nix</code> file:

<syntaxhighlight lang="nix"># attic.nix
{ config, pkgs, ... }:
let
logPath = "/var/log/atticd";
attic-client = pkgs.attic-client;
attic-server = pkgs.attic-server;
in
{
environment.systemPackages = [
attic-client
attic-server
];
launchd.daemons.attic = {
script = ''
ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64="$(cat /etc/attic/secret.base64)"
export ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64
exec ${attic-server}/bin/atticd --config /etc/attic/atticd.toml
'';
serviceConfig = {
KeepAlive = true;
StandardOutPath = "${logPath}/attic.stdout.log";
StandardErrorPath = "${logPath}/attic.stderr.log";
UserName = "attic";
};
};
}</syntaxhighlight>
The preceding launchd daemon script reads the attic secret token into an environment variable and starts the attic server using the configuration stored in <code>atticd.toml</code>.

Make sure that you have a attic runtime directory:

<syntaxhighlight lang="bash">sudo mkdir -m700 /var/attic
sudo chown attic:attic /var/attic</syntaxhighlight>

= Configuring the client =

Import <code>attic.nix</code> into your main <code>nix-darwin</code> configuration:

<syntaxhighlight lang="nix"># darwin-configuration.nix
{ config, pkgs, ... }:
{
imports = [
# ...
./attic.nix
# ...
];
}</syntaxhighlight>
Then, rebuild your <code>nix-darwin</code> system using <code>darwin-rebuild switch</code>. On my system, I use the following invocation:

<syntaxhighlight lang="bash">darwin-rebuild switch --flake $DOTFILES/nix/generic</syntaxhighlight>
Next, create a JSON Web Token (JWT) for a cache named after your computer’s name. You can use this JWT with your local Nix builder:

<syntaxhighlight lang="bash">sudo -u attic \
ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64="$(sudo -u attic cat /etc/attic/secret.base64)" \
atticadm make-token \
--config /etc/attic/atticd.toml \
--sub "$(hostname)" \
--validity "1 month" \
--pull "$(hostname)-*" \
--push "$(hostname)-*" \
--delete "$(hostname)-*" \
--create-cache "$(hostname)-*" \
--configure-cache "$(hostname)-*" \
--configure-cache-retention "$(hostname)-*" \
--destroy-cache "$(hostname)-*"</syntaxhighlight>
The JWT created in his preceding <code>make-token</code> command has broad permissions. Please adjust permissions to your liking. attic outputs the JWT token in your shell session.

Finally, try logging in with the generated token:

<syntaxhighlight lang="bash"># Port configured in atticd.toml
attic login "$(hostname)" http://127.0.0.1:18080 "$YOUR_TOKEN"</syntaxhighlight>
Did it work? Great. To tell the Nix builder to use attic as its cache, it needs to have credentials available in a <code>netrc</code> file. Furthermore, you need to add the cache’s public key as a trusted key.

First, retrieve the public key and <code>netrc</code> file. The preceding <code>attic login</code> invocation created a <code>config.toml</code> file in <code>$HOME/.config/attic</code>, which conveniently contains the JWT token for a <code>netrc</code> file.

<syntaxhighlight lang="bash"># This will try to grab the netrc information that attic created after logging
# in
sed -n -E -e 's/token = "(.+)"/machine .+\npassword \1/p' \
$HOME/.config/attic/config.toml |
sudo tee /etc/nix/netrc
sudo chmod 440 /etc/nix/netrc
# Let me know if this sed expression worked</syntaxhighlight>
You can show the public key using <code>attic cache info</code>:

<syntaxhighlight lang="bash">attic cache info "$(hostname)-default"</syntaxhighlight>
You should see the following output:

<pre> Public: false
Public Key: XXXXXXX-default:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Binary Cache Endpoint: https://XXXXXXXXXXXXX:18080/XXXXXXX-default
API Endpoint: https://XXXXXXXXXXXXX:18080/
Store Directory: /nix/store
Priority: 41
Upstream Cache Keys: ["cache.nixos.org-1"]
Retention Period: Global Default</pre>
Store the preceding information in <code>attic.nix</code>:

<syntaxhighlight lang="nix"># attic.nix
{ ... } :
let
# make sure to insert the correct hostname here:
hostname = "your-hostname";
# Insert the public key that you have created in the previous step
public-key = "";
# Make sure the hostname, port, and cache name are correct
cache-url = "http://127.0.0.1:18080/${hostname}-default";
in
{
nix.settings.substituters = [ cache-url ];
nix.settings.trusted-public-keys = [

"${hostname}-default:${public-key}"
];
nix.settings.trusted-substituters = [ cache-url ];
# This file was created using the preceding sed script
nix.settings.netrc-file = "/etc/nix/netrc";
}</syntaxhighlight>

= Testing the cache =

Now, rebuild <code>nix-darwin</code> one more time. Every time you run Nix commands after that, Nix consults the local attic cache first. You can try this with any command:

<syntaxhighlight lang="bash"># This will look up hello in your local cache first
nix run nixpkgs#hello</syntaxhighlight>

= Troubleshooting =

Does Nix complain that your local cache isn’t a binary cache? Check that you can access the attic cache using curl first:

<syntaxhighlight lang="bash"># Might have copy the netrc file somewhere user-readable
curl --netrc-file /etc/nix/netrc -v -n \
"http://localhost:18080/$(hostname)-default/nix-cache-info"</syntaxhighlight>
You should be able to see the following result:

<pre>[...]
< content-type: text/x-nix-cache-info
< date: Sat, 07 Sep 2024 08:15:50 GMT
< content-length: 51
<
WantMassQuery: 1
StoreDir: /nix/store
Priority: 41
[...]</pre>
This way, you can see if the credentials are correct or not, and if your computer can reach attic at all.

Furthermore, watch the attic logs under <code>/var/log/atticd</code> for any error messages. You should be able to observe the following log output:

<pre>==> /var/log/atticd/attic.stderr.log <==
[...]
Attic Server 0.1.0 (release)
Running migrations...
Starting API server...
Listening on 127.0.0.1:18080...

==> /var/log/atticd/attic.stdout.log <==</pre>

= Further reading =

* <code>nix-darwin</code>: https://github.com/LnL7/nix-darwin
* attic source code repository: https://github.com/zhaofengli/attic
* attic NixOS configuration: https://github.com/zhaofengli/attic/blob/main/nixos/atticd.nix
* How to serve and configure Nix store (not cache) via HTTP: https://nix.dev/manual/nix/2.18/package-management/binary-cache-substituter
[[Category:Garden]]

Attic on Nix Darwin

2026-01-30T05:01:41Z

Justus: Created page with "Here are some snippets of code required to configure and run [https://docs.attic.rs/ attic] on macOS with [https://github.com/LnL7/nix-darwin <code>nix-darwin</code>], and use it as an optional cache. = Files required = To make <code>nix-darwin</code> configure attic correctly, you need a configuration module̵ <code>attic.nix</code> and a configuration <code>atticd.toml</code> for attic to use during runtime to use the correct paths f..."

Echidna Tricks

2026-01-30T04:55:09Z

Justus: Justus moved page Echidna Tricks to Echidna tricks: spelling

#REDIRECT [[Echidna tricks]]

Echidna tricks

2026-01-30T04:55:09Z

Justus: Justus moved page Echidna Tricks to Echidna tricks: spelling

Here are some useful tricks for getting the best out of [https://github.com/crytic/echidna Echidna].

Echidna is a fuzzing tool for smart contracts written in [https://docs.soliditylang.org/en/v0.8.30/ Solidity]. Solidity smart contracts primarily work on the [https://ethereum.org/en/ Ethereum] blockchain. Some smart contracts are responsible for managing large amounts of cryptocurrency. With Echidna you can evaluate the security of smart contracts.

Compared to code scanners and formal methods, Echidna is good at finding transactions that can trigger ''unintended'' behavior in smart contracts. Since Echidna is a [https://en.wikipedia.org/wiki/Fuzzing#Aware_of_program_structure coverage-guided fuzzer], it’s also good at finding ways to hit the entire code surface of a smart contract.

To test a smart contract with Echidna, you have to define a testing interface that Echidna can use to interact with your contract under test. This interfaces contains either [https://secure-contracts.com/program-analysis/echidna/basic/assertion-checking.html assertions] or [https://secure-contracts.com/program-analysis/echidna/introduction/how-to-test-a-property.html properties]. You can select which kind of test Echidna should perform using the command line flag <code>--test-mode</code>.


= Configuration options =

Echidna has a lot of [https://secure-contracts.com/program-analysis/echidna/configuration.html configuration options]. Here are some options that I recently used when going through the [https://github.com/crytic/building-secure-contracts/tree/master/program-analysis/echidna Building Secure Contracts Echidna tutorial]:

* <code>testMode</code>: When working through the tutorials, I’ve only ever used <code>property</code> or <code>assertion</code>.
* <code>deployer</code> and <code>sender</code>: Set these to the same value to ensure that the same account makes all transactions. <code>deployer</code> takes a single address, <code>sender</code> accepts a list of strings.
* <code>cryticArgs</code>: Set <code>["--solc-remaps", "prefix=target"]</code> if you have dependencies somewhere else. Example: <code>@openzeppelin=../node_modules/@openzeppelin</code> if your Node.js modules are in the parent directory.
* <code>balanceContract</code>: Give this some Ether so that the contract under test can deploy and fund other contracts.
* <code>balanceAddr</code>: Give <code>deployer</code> and <code>sender</code> Ether using this setting.
* <code>shrinkLimit</code>: Shrinking stops too early? Set the limit to a higher number than the default <code>5000</code>.
* <code>testLimit</code>: Tests stop too early? Add more iterations using this setting.

Here’s how it can look like when you combine some of these settings:

<syntaxhighlight lang="yaml"># Give both the Test contract, as well as the sender 100 Wei
balanceContract: 100
balanceAddr: 100
# Run in assertion mode
testMode: assertion
# Let Echidna interact with the public interfaces of all contracts
allContracts: true
# You can leave out leading zeros in addresses
# This address deploys your contract
deployer: "0x30000"
# These addresses interact with your contracts
sender:
- "0x10000"
- "0x20000"
- "0x30000"
# Don't let Echidna send Ether to the test contract
filterBlackList: true
filterFunctions:
- "Test.fallback()"
cryticArgs:
- "--solc-remaps"
- "@openzeppelin=../node_modules/@openzeppelin"
# Run 20 workers in parallel. Adjust to the number of CPU cores
workers: 20
# Attempt to shrink an interesting case 10,000 times
shrinkLimit: 10000
# Run 1 million tests
testLimit: 1000000</syntaxhighlight>
When you create your configuration file, you can tell Echidna to use it with the <code>--config</code> command line flag. Here’s how to run Echidna using the configuration file <code>echidna.yaml</code>.

<syntaxhighlight lang="bash">echidna --config echidna.yaml --contract Test test.sol</syntaxhighlight>
This assumes your test contract is called <code>Test</code> and is in a file called <code>test.sol</code>:


= Resources =

* [https://github.com/crytic/building-secure-contracts/tree/master Building Secure Contracts]
* [https://secure-contracts.com/program-analysis/echidna/index.html Echidna tutorial from secure-contracts.com]
* [https://secure-contracts.com/program-analysis/echidna/configuration.html Echidna Configuration options]
* [https://ethernaut.openzeppelin.com/ Ethernaut challenge]

DNS things

2026-01-30T04:54:21Z

Justus: Created page with "This article contains interesting things that I’ve come across while learning more about DNS.  = Anatomy of a DNS request = Here’s how you can run a '''full DNS request''' for the domain <code>zombo.com</code> using <code>dig</code>: <syntaxhighlight lang="bash">dig +trace +all zombo.com</syntaxhighlight> When you run a full DNS request, <code>dig</code> retrieves the <code>A</code> DNS record for a domain by..."

This article contains interesting things that I’ve come across while learning more about DNS.



= Anatomy of a DNS request =

Here’s how you can run a '''full DNS request''' for the domain <code>zombo.com</code> using <code>dig</code>:

<syntaxhighlight lang="bash">dig +trace +all zombo.com</syntaxhighlight>
When you run a full DNS request, <code>dig</code> retrieves the <code>A</code> DNS record for a domain by querying the whole chain of the '''Fully Qualified Domain Name''' (FQDN) <code>zombo.com.</code>. When a DNS client queries a FQDN, it starts at the root <code>.</code>, and recursively work its way down to query <code>.com.</code>, and then <code>.zombo.com</code>. The precise sequence of queries that <code>dig</code> performs depends on each response.

With a full DNS request, you can query DNS records for domains '''from scratch''' without needing any DNS resolver or DNS cache.

This is the transcript, split by individual query.


== Startup information ==

First, <code>dig</code> prints some general information, like the command that received, or its version:

<pre>; <<>> DiG 9.18.28 <<>> +trace +all zombo.com
;; global options: +cmd</pre>

== Root name server ==

Next, <code>dig</code> queries the '''DNS resolver''' configured for the network this computer runs in. The DNS resolver has the IP address <code>10.0.48.1</code> and runs on a Ubiquiti Dream Router.

<code>dig</code> asks for the <code>NS</code> record for the name <code>.</code>. It receives a long list of <code>NS</code> records in the answer section. Each of these records starts with a single lowercase letter and ends on <code>.root-servers.net.</code>. Each of these names represent a '''root name server''' that <code>dig</code> can then ask for <code>zombo.com</code>.

Furthermore, the querying the name <code>.</code> also gives us back a few <code>A</code> and <code>AAAA</code> records for each of these root name servers. This tells <code>dig</code> what the IPv4 and IPv6 addresses of each of these root name servers are.

<pre>;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38385
;; flags: qr rd ra; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 27

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;. IN NS

;; ANSWER SECTION:
. 190794 IN NS b.root-servers.net.
. 190794 IN NS m.root-servers.net.
. 190794 IN NS h.root-servers.net.
. 190794 IN NS i.root-servers.net.
. 190794 IN NS j.root-servers.net.
. 190794 IN NS d.root-servers.net.
. 190794 IN NS a.root-servers.net.
. 190794 IN NS g.root-servers.net.
. 190794 IN NS f.root-servers.net.
. 190794 IN NS c.root-servers.net.
. 190794 IN NS e.root-servers.net.
. 190794 IN NS k.root-servers.net.
. 190794 IN NS l.root-servers.net.
. 445435 IN RRSIG NS 8 0 518400 20250118170000 20250105160000 26470 . m7C4icJMnOILA5mlMR9oDLoQBWE0Y9sPoqbXSoVUVrTKgWDbZNOrlMig xBubsOExXwQ4XZg3jwmh6FckcIMly1ZMIfZycMxWvyIvOrgxnBAt4Gu1 sMC4bn45v2BIaMHCaSLwW1jUB+MvrCPhBeYQJsfeLkRBi3W2VPwFIV60 BmPt2/i8jCJrkxx8bOaDGuTGFdwm1L62Ri2+QrewsbRGOcWpJHptJI/h Di61Q/C043YHHhc9w037cKYFeP8dupWS8RLcW/jIELTXhW2FrgETv285 3RndOgaFb9RBoTUo16i3lge1KIMZoS2eksoGQEt8kfgfYVrIKTrwQpf6 Z5NvCQ==

;; ADDITIONAL SECTION:
a.root-servers.net. 104582 IN A 198.41.0.4
b.root-servers.net. 276147 IN A 170.247.170.2
c.root-servers.net. 368518 IN A 192.33.4.12
d.root-servers.net. 187359 IN A 199.7.91.13
e.root-servers.net. 187359 IN A 192.203.230.10
f.root-servers.net. 199714 IN A 192.5.5.241
g.root-servers.net. 216475 IN A 192.112.36.4
h.root-servers.net. 240623 IN A 198.97.190.53
i.root-servers.net. 532693 IN A 192.36.148.17
j.root-servers.net. 320888 IN A 192.58.128.30
k.root-servers.net. 271911 IN A 193.0.14.129
l.root-servers.net. 357258 IN A 199.7.83.42
m.root-servers.net. 104622 IN A 202.12.27.33
a.root-servers.net. 113505 IN AAAA 2001:503:ba3e::2:30
b.root-servers.net. 294399 IN AAAA 2801:1b8:10::b
c.root-servers.net. 331660 IN AAAA 2001:500:2::c
d.root-servers.net. 32858 IN AAAA 2001:500:2d::d
e.root-servers.net. 307198 IN AAAA 2001:500:a8::e
f.root-servers.net. 408208 IN AAAA 2001:500:2f::f
g.root-servers.net. 353355 IN AAAA 2001:500:12::d0d
h.root-servers.net. 234104 IN AAAA 2001:500:1::53
i.root-servers.net. 390219 IN AAAA 2001:7fe::53
j.root-servers.net. 463450 IN AAAA 2001:503:c27::2:30
k.root-servers.net. 37861 IN AAAA 2001:7fd::1
l.root-servers.net. 225301 IN AAAA 2001:500:9f::42
m.root-servers.net. 118907 IN AAAA 2001:dc3::35

;; Query time: 18 msec
;; SERVER: 10.0.48.1#53(10.0.48.1) (UDP)
;; WHEN: Tue Jan 07 10:26:18 JST 2025
;; MSG SIZE rcvd: 1109</pre>
Some other noteworthy things about the first DNS response:

* The '''opcode''' in the answer is <code>QUERY</code>. The sender of the DNS query sets this value, in this case <code>dig</code>. See <code>opcode: QUERY</code> in line 2.
* The DNS resolver set the <code>QUERY</code> flag to <code>1</code>, which means that this an '''answer''' to a DNS query. You can see this in the second line in <code>QUERY: 1</code>. In the DNS protocol Request For Comments (RFC), [https://datatracker.ietf.org/doc/html/rfc1035#section-4.1.1 RFC 1035] the <code>QUERY</code> field is instead called <code>QR</code>.
* The resolver tells <code>dig</code> that it includes 14 '''answer records''' in this response. You can see this in the second line in <code>ANSWER: 14</code>. The DNS protocol specification calls this header value <code>ANCOUNT</code>.
* The answer contains 27 '''additional records'''. The DNS protocol specification calls this value <code>ARCOUNT</code>. These are values that <code>dig</code> hasn’t requested directly. Instead, the resolver still wants <code>dig</code> to know about these.
* If you manually count the records in the <code>ADDITIONAL</code> section, you may only see 26 records. I don’t know why that’s the case.
* The query response contains no '''authority records'''.


== Finding the top-level domain name server ==

Proceeding with the next query, <code>dig</code> asks the root name server <code>j.root-servers.net</code> for the FQDN <code>zombo.com.</code>. The root name server returns 13 <code>AUTHORITY</code> records that <code>dig</code> can query next to continue resolving <code>zombo.com.</code>. Furthermore, the <code>AUTHORITY</code> section contains the DNSSEC records <code>DS</code> and <code>RRSIG</code>. A recent version of <code>dig</code> is able to check DNSSEC signatures using the <code>+dnssec</code> flag. See [https://serverfault.com/a/154075 this Stack Exchange answer] for more information.

<code>root-servers.net</code> doesn’t hold records for <code>.com</code> domains itself, so it points <code>dig</code> to ask <code>gtld-servers.net.</code> next instead. <code>gtld-servers.net</code> is responsible for '''resolving .com domains'''.

<pre>;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1157
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 27

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1472
;; QUESTION SECTION:
;zombo.com. IN A

;; AUTHORITY SECTION:
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 86400 IN DS 19718 13 2 8ACBB0CD28F41250A80A491389424D341522D946B0DA0C0291F2D3D7 71D7805A
com. 86400 IN RRSIG DS 8 1 86400 20250119210000 20250106200000 26470 . DQQ9SqKUcniHKVr6zFNzs6wHLVZ6CdfSFMr3q8tCwh+mLPrKCTRlbnpS TmJy1M8YDEDvrrBO0EFx1rr+cGwcB2RiIfOnLl8c2942n5aOpR+3tZB0 sCP1KFv1+BhiD1RL8dff+rMNJ8+0BWNgsID8/MmI+y8UB/70YERAz/W0 AmOhbN/pHkfgvZfbtrOs6Msz+wcUR17wRCOLazyFnBE19EWnek9SYhj9 Jw440nEZ1Kopi+KqWXG0K+kt1HqZS3J2kkO/TmHyU780F/fOtRP/dWmX 06gSiBe4cCSe3Hs7aHlIe2LwH/ICioNdJj0WjzFJ8IDoC+vmLdRkXh4b NVJHoQ==

;; ADDITIONAL SECTION:
a.gtld-servers.net. 172800 IN A 192.5.6.30
b.gtld-servers.net. 172800 IN A 192.33.14.30
c.gtld-servers.net. 172800 IN A 192.26.92.30
d.gtld-servers.net. 172800 IN A 192.31.80.30
e.gtld-servers.net. 172800 IN A 192.12.94.30
f.gtld-servers.net. 172800 IN A 192.35.51.30
g.gtld-servers.net. 172800 IN A 192.42.93.30
h.gtld-servers.net. 172800 IN A 192.54.112.30
i.gtld-servers.net. 172800 IN A 192.43.172.30
j.gtld-servers.net. 172800 IN A 192.48.79.30
k.gtld-servers.net. 172800 IN A 192.52.178.30
l.gtld-servers.net. 172800 IN A 192.41.162.30
m.gtld-servers.net. 172800 IN A 192.55.83.30
a.gtld-servers.net. 172800 IN AAAA 2001:503:a83e::2:30
b.gtld-servers.net. 172800 IN AAAA 2001:503:231d::2:30
c.gtld-servers.net. 172800 IN AAAA 2001:503:83eb::30
d.gtld-servers.net. 172800 IN AAAA 2001:500:856e::30
e.gtld-servers.net. 172800 IN AAAA 2001:502:1ca1::30
f.gtld-servers.net. 172800 IN AAAA 2001:503:d414::30
g.gtld-servers.net. 172800 IN AAAA 2001:503:eea3::30
h.gtld-servers.net. 172800 IN AAAA 2001:502:8cc::30
i.gtld-servers.net. 172800 IN AAAA 2001:503:39c1::30
j.gtld-servers.net. 172800 IN AAAA 2001:502:7094::30
k.gtld-servers.net. 172800 IN AAAA 2001:503:d2d::30
l.gtld-servers.net. 172800 IN AAAA 2001:500:d937::30
m.gtld-servers.net. 172800 IN AAAA 2001:501:b1f9::30

;; Query time: 11 msec
;; SERVER: 192.58.128.30#53(j.root-servers.net) (UDP)
;; WHEN: Tue Jan 07 10:26:18 JST 2025
;; MSG SIZE rcvd: 1169</pre>

== Top-level domain name server ==

Here’s what happens when <code>dig</code> asks the '''Top Level Domain (TLD) name server''' <code>d.gtld-servers.net</code> for <code>zombo.com.</code>. Verisign operates the servers at <code>gtld-servers.net</code>. Here are some noteworthy things about the reply that <code>d.gtld-servers.net</code> gives back to <code>dig</code>:

* The response contains signed NSEC3 records. [https://dnsinstitute.com/documentation/dnssec-guide/ch06s02.html NSEC3 records are complex], and I don’t understand them well right now.
* Verisign tells <code>dig</code> that the authoritative name servers are with <code>liquidweb.com</code>, specifically: <code>ns.liquidweb.com</code> and <code>ns1.liquidweb.com</code>.
* <code>dig</code> also receives the <code>A</code> records for the two <code>liquidweb.com</code> name server

Here’s the DNS query response that <code>dig</code> prints out:

<pre>;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29896
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;zombo.com. IN A

;; AUTHORITY SECTION:
zombo.com. 172800 IN NS ns.liquidweb.com.
zombo.com. 172800 IN NS ns1.liquidweb.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 900 IN NSEC3 1 1 0 - CK0Q3UDG8CEKKAE7RUKPGCT1DVSSH8LL NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 900 IN RRSIG NSEC3 13 2 900 20250111002631 20250103231631 29942 com. HiG6TuJBV47MnPmttWN98zHscsehwlRhgzemiswIdlmKh993eKxhdUbB d4hhuK7piTIFoZ4Gi/THENgJJKuCmg==
E5F0ON130HM3M2JQH41BK2763KA5559S.com. 900 IN NSEC3 1 1 0 - E5F126VHCT3KQ620F4OFQ11HB5BJBFRT NS DS RRSIG
E5F0ON130HM3M2JQH41BK2763KA5559S.com. 900 IN RRSIG NSEC3 13 2 900 20250113013526 20250106002526 29942 com. 0SoW/r4xPtu4bnmOTSLtkwb9ezAyCHkI1XLAQPRWvu0x7xCBVwguEw8j eR+ZHeLU4x5n5q7d/3/1n/uH2x6kig==

;; ADDITIONAL SECTION:
ns.liquidweb.com. 172800 IN A 69.16.222.254
ns1.liquidweb.com. 172800 IN A 69.16.223.254

;; Query time: 10 msec
;; SERVER: 192.31.80.30#53(d.gtld-servers.net) (UDP)
;; WHEN: Tue Jan 07 10:26:18 JST 2025
;; MSG SIZE rcvd: 472</pre>

== Registrar name server ==

<code>d.gtld-servers.net</code> told <code>dig</code> that it should ask <code>ns.liquidweb.com</code> for <code>zombo.com.</code>. Here’s the response <code>dig</code> receives after querying <code>zombo.com</code>’s '''authoritative name''' server. The response contains a single <code>A</code> record for <code>zombo.com</code>’s IPv4 address.

Note that the previous DNS queries had no <code>ANSWER</code> section, not counting the query for <code>.</code> in the beginning. Every DNS query response before <code>dig</code> asks <code>ns.liquidweb.com</code> contained <code>AUTHORITY</code> and <code>ADDITIONAL</code> records.

<pre>;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37369
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1680
;; QUESTION SECTION:
;zombo.com. IN A

;; ANSWER SECTION:
zombo.com. 300 IN A 50.28.52.163

;; Query time: 9 msec
;; SERVER: 69.16.222.254#53(ns.liquidweb.com) (UDP)
;; WHEN: Tue Jan 07 10:26:18 JST 2025
;; MSG SIZE rcvd: 54</pre>
This illustrates the recursive nature of DNS name resolution. <code>dig</code> is able to query any DNS record ''from scratch''. It can do so without needing to know each individual name server responsible for a single domain. Instead, <code>dig</code> figures out which name servers it has to ask on the way to reach the final authoritative name server.

In this example, the authoritative name server is with <code>liquidweb.com</code>. An authoritative name server for a domain name can change in the future. Being able to perform recursive queries and always retrieving accurate information is important for inter-networking.

The DNS security extensions (DNSSEC) further increase the reliability of this system. <code>dig</code> can verify the whole chain of DNS responses. You can see for yourself how <code>dig</code> utilizes DNSSEC by starting <code>dig</code> using the <code>+dnssec</code> flag.


== Reference ==

This [https://serverfault.com/a/1045018 Stack Exchange answer] has more information on how to query a domain name and receive a complete trace.

The section [https://en.wikipedia.org/wiki/Domain_Name_System#DNS_message_format DNS message format] in the Wikipedia article on the Domain Name System explains all the header flags in detail.


= DNS zone transfer protocol =

The Internet Engineering Task Force (IETF) published [https://datatracker.ietf.org/doc/html/rfc5936 RFC 5936] in June 2010. This document specifies the DNS zone transfer protocol, also called Authoritative Transfer (AXFR).

The RFC says that there ''SHOULD'' be means to restrict sessions to specific clients, but doesn’t specify them further. Access controls are only ''RECOMMENDED''. See [https://datatracker.ietf.org/doc/html/rfc5936#section-5 section 5] of RFC 5936:

<pre>[...]
A DNS implementation SHOULD provide means to restrict AXFR sessions
to specific clients.
[...]
A general-purpose implementation is RECOMMENDED to implement access
controls based upon "Secret Key Transaction Authentication for DNS
(TSIG)" [RFC2845] and/or "DNS Request and Transaction Signatures
( SIG(0)s )" [RFC2931].</pre>

== A CVE missing critical details ==

Check out [https://nvd.nist.gov/vuln/detail/CVE-1999-0532 CVE-1999-0532]. It lists the following vulnerability:

<blockquote>A DNS server allows zone transfers.
</blockquote>

The CVE doesn’t contain any other description, such as affected software or version. Judging by this [https://access.redhat.com/solutions/3173331 Red Hat Solution], this affects the Berkeley Internet Name Domain (BIND) version 9 server on Red Hat Enterprise Linux (RHEL) 6 and 7. RHEL 6 was first released in 2010, and RHEL 7 is from 2013. The timelines don’t add up, since the CVE is from 1999.

This CVE reads like a CWE, since it describes an abstract vulnerability. Compare for example [https://cwe.mitre.org/data/definitions/276.html CWE-276: incorrect default permissions].

2026-01-05T07:39:56Z

Justus: 1 revision imported

local p = {}
-- Returns the permission required to perform a given action on a given title.
-- If no title is specified, the title of the page being displayed is used.
function p._main(action, pagename)
local title
if type(pagename) == 'table' and pagename.prefixedText then
title = pagename
elseif pagename then
title = mw.title.new(pagename)
else
title = mw.title.getCurrentTitle()
end
pagename = title.prefixedText
if action == 'autoreview' then
local level = mw.ext.FlaggedRevs.getStabilitySettings(title)
level = level and level.autoreview
if level == 'review' then
return 'reviewer'
elseif level ~= '' then
return level
else
return nil -- not '*'. a page not being PC-protected is distinct from it being PC-protected with anyone able to review. also not '', as that would mean PC-protected but nobody can review
end
elseif action ~= 'edit' and action ~= 'move' and action ~= 'create' and action ~= 'upload' and action ~= 'undelete' then
error( 'First parameter must be one of edit, move, create, upload, undelete, autoreview', 2 )
end
if title.namespace == 8 then -- MediaWiki namespace
if title.text:sub(-3) == '.js' or title.text:sub(-4) == '.css' or title.contentModel == 'javascript' or title.contentModel == 'css' then -- site JS or CSS page
return 'interfaceadmin'
elseif title.baseText == "Gadgets-definition" then
return 'interfaceadmin'
else -- any non-JS/CSS MediaWiki page
return 'sysop'
end
elseif title.namespace == 2 and title.isSubpage then
if title.contentModel == 'javascript' or title.contentModel == 'css' then -- user JS or CSS page
return 'interfaceadmin'
elseif title.contentModel == 'json' then -- user JSON page
return 'sysop'
end
end
if action == 'undelete' then
return 'sysop'
end
local level = title.protectionLevels[action] and title.protectionLevels[action][1]
if level == 'sysop' or level == 'editprotected' then
return 'sysop'
elseif title.cascadingProtection.restrictions[action] and title.cascadingProtection.restrictions[action][1] then -- used by a cascading-protected page
return 'sysop'
elseif level == 'templateeditor' then
return 'templateeditor'
elseif action == 'move' then
local blacklistentry = mw.ext.TitleBlacklist.test('edit', pagename) -- Testing action edit is correct, since this is for the source page. The target page name gets tested with action move.
if blacklistentry and not blacklistentry.params.autoconfirmed then
return 'templateeditor'
elseif title.namespace == 6 then
return 'filemover'
elseif level == 'extendedconfirmed' then
return 'extendedconfirmed'
else
return 'autoconfirmed'
end
end
local blacklistentry = mw.ext.TitleBlacklist.test(action, pagename)
if blacklistentry then
if not blacklistentry.params.autoconfirmed then
return 'templateeditor'
elseif level == 'extendedconfirmed' then
return 'extendedconfirmed'
else
return 'autoconfirmed'
end
elseif level == 'editsemiprotected' then -- create-semiprotected pages return this for some reason
return 'autoconfirmed'
elseif level then
return level
elseif action == 'upload' then
return 'autoconfirmed'
elseif action == 'create' and title.namespace % 2 == 0 and title.namespace ~= 118 then -- You need to be registered, but not autoconfirmed, to create non-talk pages other than drafts
if title.namespace == 0 then
return 'autoconfirmed' -- Per [[WP:ACPERM]], you need to be autoconfirmed to create pages in mainspace
end
return 'user'
else
return '*'
end
end

setmetatable(p, { __index = function(t, k)
return function(frame)
return t._main(k, frame.args[1])
end
end })

return p

Module:Effective protection expiry

2026-01-05T07:39:56Z

Justus: 1 revision imported

local p = {}

-- Returns the expiry of a restriction of an action on a given title, or unknown if it cannot be known.
-- If no title is specified, the title of the page being displayed is used.
function p._main(action, pagename)
local title
if type(pagename) == 'table' and pagename.prefixedText then
title = pagename
elseif pagename then
title = mw.title.new(pagename)
else
title = mw.title.getCurrentTitle()
end
pagename = title.prefixedText
if action == 'autoreview' then
local stabilitySettings = mw.ext.FlaggedRevs.getStabilitySettings(title)
return stabilitySettings and stabilitySettings.expiry or 'unknown'
elseif action ~= 'edit' and action ~= 'move' and action ~= 'create' and action ~= 'upload' then
error( 'First parameter must be one of edit, move, create, upload, autoreview', 2 )
end
local rawExpiry = mw.getCurrentFrame():callParserFunction('PROTECTIONEXPIRY', action, pagename)
if rawExpiry == 'infinity' then
return 'infinity'
elseif rawExpiry == '' then
return 'unknown'
else
local year, month, day, hour, minute, second = rawExpiry:match(
'^(%d%d%d%d)(%d%d)(%d%d)(%d%d)(%d%d)(%d%d)$'
)
if year then
return string.format(
'%s-%s-%sT%s:%s:%s',
year, month, day, hour, minute, second
)
else
error('internal error in Module:Effective protection expiry; malformed expiry timestamp')
end
end
end

setmetatable(p, { __index = function(t, k)
return function(frame)
return t._main(k, frame.args[1])
end
end })

return p

Template:Center

2026-01-05T07:39:55Z

Justus: 1 revision imported

<div class="center" {{safesubst<noinclude />:#if: {{{style|}}} | style="{{{style}}}"}}>{{{1|[[Category:Pages using center with no arguments]]}}}</div>{{safesubst<noinclude />:#invoke:Check for unknown parameters|check|unknown=[[Category:Pages using center with unknown parameters|_VALUE_{{PAGENAME}}]]|preview=Page using [[Template:Center]] with unknown parameter "_VALUE_"|ignoreblank=y| 1 | style }}<noinclude>
{{documentation}}
</noinclude>