- Get link
- X
- Other Apps
- Get link
- X
- Other Apps
Bandit Level 30 Walkthrough
Level 29 ➔ Level 30: Exploring Parallel Git Branches
1. My Objective
I am currently logged in as bandit29. My task is to retrieve the password for Level 30 from another Git repository: ssh://bandit29-git@bandit.labs.overthewire.org/home/bandit29-git/repo. From my previous experience, I know that if the password isn't in the current files or the commit history, I must look somewhere else. In this level, the secret is hidden in a Branch—a separate development path that isn't currently active.
The Technical Hurdle: When I clone a repository, Git defaults to showing me the "master" or "main" branch. If a developer created a secret branch to test a feature (and forgot to delete it), the code in that branch won't show up in my folder until I specifically "Check Out" that branch.
2. The Feynman Explanation: Parallel Universes
How can a file exist and not exist at the same time? Git uses Branches to allow developers to work on different versions of a project simultaneously.
The "Choose Your Own Adventure" Analogy:
Imagine I am reading a "Choose Your Own Adventure" book. In the main story (Master Branch), the hero walks through the front door and finds an empty room.
However, at the bottom of the page, there is a tiny note: "If you want to climb through the window instead, go to Page 200."
Page 200 is a Branch. It is a parallel reality of the same story. In that version, the hero finds a treasure chest. Git works exactly like this book. Developers create branches to try new things without messing up the main story. If I only read the main pages, I'll never see the treasure. I have to "teleport" (git checkout) to the other branch to see what's hidden there.
3. Practical Solution
I will clone the repository into /tmp and then use Git's discovery tools to find the hidden branch.
# Step 1: Clone the repository
bandit29@bandit:~$ mkdir /tmp/pritom_branches
bandit29@bandit:~$ cd /tmp/pritom_branches
bandit29@bandit:/tmp/pritom_branches$ git clone ssh://bandit29-git@bandit.labs.overthewire.org:2220/home/bandit29-git/repo
bandit29@bandit:/tmp/pritom_branches$ cd repo
# Step 2: List all branches, including remote ones
bandit29@bandit:/tmp/pritom_branches/repo$ git branch -a
* master
remotes/origin/dev # FOUND IT! A development branch.
remotes/origin/master
# Step 3: Switch to the 'dev' branch to see its files
bandit29@bandit:/tmp/pritom_branches/repo$ git checkout dev
# Step 4: Check the directory for the password
bandit29@bandit:/tmp/pritom_branches/repo$ ls
README.md script.py
bandit29@bandit:/tmp/pritom_branches/repo$ cat README.md
The password is xbSAn929SAb36906sV... (Password Revealed!)
bandit29@bandit:~$ mkdir /tmp/pritom_branches
bandit29@bandit:~$ cd /tmp/pritom_branches
bandit29@bandit:/tmp/pritom_branches$ git clone ssh://bandit29-git@bandit.labs.overthewire.org:2220/home/bandit29-git/repo
bandit29@bandit:/tmp/pritom_branches$ cd repo
# Step 2: List all branches, including remote ones
bandit29@bandit:/tmp/pritom_branches/repo$ git branch -a
* master
remotes/origin/dev # FOUND IT! A development branch.
remotes/origin/master
# Step 3: Switch to the 'dev' branch to see its files
bandit29@bandit:/tmp/pritom_branches/repo$ git checkout dev
# Step 4: Check the directory for the password
bandit29@bandit:/tmp/pritom_branches/repo$ ls
README.md script.py
bandit29@bandit:/tmp/pritom_branches/repo$ cat README.md
The password is xbSAn929SAb36906sV... (Password Revealed!)
Why did I use git branch -a?
By default, the git branch command only shows you the branches you have active on your local machine. Because I just cloned the repo, I only have "master." The -a flag tells Git to show me All branches, including the ones that still live on the server (the remotes). This is how I discovered the dev branch.
🚀 My Pro Tips: Mastering Git Context
✨ Checking for Tags
Sometimes the secret isn't in a branch, but on a Tag (a fixed point in history). I always run git tag to see if there are version markers like v1.0-secret that I should investigate.
⭐ Branch Comparison
If I want to see the difference between two branches without switching, I use:
git diff master dev
This instantly shows me every line of code that exists in dev but not in master.
🔍 Deep Searches
If there are 50 branches, I won't check them manually. I use git grep "password" $(git rev-list --all). This powerful command searches for the word "password" across every single branch and every single commit in the entire repository history.
4. Why this matters
In real-world software security, developers often believe that "Old code is gone." They might delete a password on the master branch but forget that the same password is still sitting in a test-fix or staging branch. As a security researcher, I look at the entire footprint of a repository, not just the front page. Understanding branches is the difference between seeing a surface and seeing the whole structure.
Branch Explored!
I've successfully navigated the parallel versions of the code. I'll save this password and move on to Level 30 ➔ Level 31, where I'll encounter Git Tags!
Tags: #Linux #Bandit #OverTheWire #Git #GitBranches #GitCheckout #VersionControl #CyberSecurity #FeynmanTechnique #CodeWithPritom #ProTips
- Get link
- X
- Other Apps
Devoted to excellence as a Software Engineer
Comments
Post a Comment