Bandit Level 32 Walkthrough
Level 31 ➔ Level 32: Triggering Secrets via Git Push
1. My Objective
I am currently logged in as bandit31. My mission is to retrieve the password for Level 32 from a new Git repository: ssh://bandit31-git@bandit.labs.overthewire.org/home/bandit31-git/repo. In the previous levels, I only had to read the data I found. This time, the README inside the repo tells me I must upload (push) a specific file to the server to get the password in return.
The Shift in Strategy: I am moving from being a passive observer to an active participant. I need to create a file, commit it to my local version of the project, and send it back to the "Master" server.
2. The Feynman Explanation: The Vending Machine
How can I get a secret from a server by giving it a file? I use the logic of a simple automated transaction.
The Token and the Response Analogy:
Imagine I am standing in front of a high-tech Vending Machine (the Git Server). I want the prize inside, but there are no buttons to press.
Instead, the machine has a slot and a sign that says: "Insert a coin named key.txt with the secret message 'May I have the password?' inside."
1. I create that specific coin at my desk (Local Repo).
2. I walk to the machine and slide the coin into the slot (Git Push).
3. The machine scans the coin. If it's correct, it spits out a receipt containing the secret password.
In technical terms, the server has a Git Hook. This is a script that runs automatically the moment it receives a "Push." It checks the files I sent, and if it sees the right one, it sends back a message to my terminal with the password.
3. Practical Solution
I will clone the repository, read the instructions, and then perform the necessary Git actions to "pay" the server.
# Step 1: Clone the repository
bandit31@bandit:~$ mkdir /tmp/pritom_push
bandit31@bandit:~$ cd /tmp/pritom_push
bandit31@bandit:/tmp/pritom_push$ git clone ssh://bandit31-git@bandit.labs.overthewire.org:2220/home/bandit31-git/repo
bandit31@bandit:/tmp/pritom_push$ cd repo
# Step 2: Read README.md to see the requirement
bandit31@bandit:/tmp/pritom_push/repo$ cat README.md
This time create a file named 'key.txt' with content 'May I have the password?' and push it.
# Step 3: Create the file, add it, and commit it locally
bandit31@bandit:/tmp/pritom_push/repo$ echo 'May I have the password?' > key.txt
bandit31@bandit:/tmp/pritom_push/repo$ git add key.txt
bandit31@bandit:/tmp/pritom_push/repo$ git commit -m "sending key"
# Step 4: Push the change to the master branch
bandit31@bandit:/tmp/pritom_push/repo$ git push origin master
# The server processes the push and replies:
remote: Correct!
remote: The password for the next level is: rm16Ng6pE6vSAr4S019SAb36906sV...
Why did git push solve it?
By pushing my commit, I triggered a server-side script (a hook) designed by the OverTheWire team. This script immediately inspected the incoming commit. When it found a file named key.txt with the exact string it was looking for, it executed a "print" command that sent the password back through the SSH tunnel to my screen.
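To see the mechanism end to end, here is an added example (not OverTheWire's actual hook, and not code from the original walkthrough) that builds a throwaway bare repository with a constructed pre-receive hook and pushes key.txt to it. It assumes git is installed; the function name demo_push and the hook's messages are made up for illustration.

```shell
#!/bin/sh
# Added example: a constructed pre-receive hook, not OverTheWire's script.
# demo_push CONTENT -> prints what the pushing client sees when key.txt
# holds CONTENT; returns non-zero if the server rejected the push.
demo_push() {
    tmp=$(mktemp -d) || return 1
    git init -q --bare "$tmp/server.git"

    # Server side: the hook gets "<old> <new> <ref>" lines on stdin and runs
    # before any ref is updated. Whatever it prints is relayed to the client.
    cat > "$tmp/server.git/hooks/pre-receive" <<'HOOK'
#!/bin/sh
expected='May I have the password?'
while read -r old new ref; do
    # Read key.txt as it exists in the pushed commit (empty if absent).
    got=$(git cat-file -p "$new:key.txt" 2>/dev/null)
    if [ "$got" = "$expected" ]; then
        echo "Correct! (a real hook would print its secret here)"
    else
        echo "Wrong or missing key.txt, push rejected"
        exit 1
    fi
done
HOOK
    chmod +x "$tmp/server.git/hooks/pre-receive"

    # Client side: commit key.txt and push it, as in steps 3 and 4.
    git init -q "$tmp/client"
    printf '%s\n' "$1" > "$tmp/client/key.txt"
    git -C "$tmp/client" add key.txt
    git -C "$tmp/client" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q -m "sending key"
    # Hook output arrives on stderr, each line prefixed with "remote: ".
    rc=0
    git -C "$tmp/client" push "$tmp/server.git" HEAD:refs/heads/master 2>&1 || rc=$?
    rm -rf "$tmp"
    return $rc
}

demo_push 'May I have the password?'
```

Calling demo_push with any other string shows the rejection path: the hook exits non-zero and Git refuses to update the branch.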
🚀 My Pro Tips: Mastering the Upload
✨ The '.gitignore' Trap
Sometimes you try to add a file (git add key.txt) and Git says: "The following paths are ignored by one of your .gitignore files." If this happens, I use the Force flag: git add -f key.txt. This overrides the "ignore" rules and forces Git to track the file.
⭐ Why 'origin master'?
In Git, origin is the nickname for the server I cloned from. master is the name of the main timeline. By typing git push origin master, I am being 100% explicit about where I want my code to go.
🔍 Checking Remote URLs
If I ever forget where my code is going, I type git remote -v. It will show me the exact SSH address of the server I am connected to.
4. Why this matters
I see this logic in modern CI/CD (Continuous Integration/Continuous Deployment) pipelines. When a developer pushes code to GitHub, it often triggers an automated test or a server deployment. From a security perspective, understanding "Hooks" is vital because an attacker might try to modify these server-side scripts to run malicious commands every time code is uploaded. Mastering the push/pull cycle is a core skill for any developer or security engineer.
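On the defensive side, one way to notice a modified server-side hook is to record a hash baseline of the active hooks and compare against it regularly. The following is an added example, not part of the original post; it assumes GNU coreutils (sha256sum) and awk, and the function names hooks_manifest, hooks_diff and demo_audit are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): audit a repo's active Git hooks.
# Assumes GNU coreutils (sha256sum) and awk; function names are hypothetical.

# hooks_manifest DIR -> one "sha256  name" line per hook Git would run.
hooks_manifest() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.sample) continue ;; esac  # shipped templates never run
        [ -x "$f" ] || continue                  # Git skips non-executable hooks
        printf '%s  %s\n' "$(sha256sum < "$f" | cut -d' ' -f1)" "${f##*/}"
    done
}

# hooks_diff BASELINE DIR -> prints ADDED/CHANGED/REMOVED hook names and
# returns 1 when the live hooks differ from the recorded baseline.
hooks_diff() {
    hooks_manifest "$2" | awk -v base="$1" '
        BEGIN { while ((getline < base) > 0) old[$2] = $1 }
        { seen[$2] = 1
          if (!($2 in old))       { print "ADDED " $2;   bad = 1 }
          else if (old[$2] != $1) { print "CHANGED " $2; bad = 1 } }
        END { for (n in old) if (!(n in seen)) { print "REMOVED " n; bad = 1 }
              exit bad + 0 }'
}

# Constructed demo: baseline a hooks directory, then tamper with it.
demo_audit() {
    d=$(mktemp -d) || return 1
    mkdir "$d/hooks"
    printf '#!/bin/sh\necho "checking push"\n' > "$d/hooks/pre-receive"
    printf '#!/bin/sh\n' > "$d/hooks/pre-commit.sample"
    chmod +x "$d/hooks/pre-receive" "$d/hooks/pre-commit.sample"
    hooks_manifest "$d/hooks" > "$d/baseline"
    echo 'echo "line added after the baseline"' >> "$d/hooks/pre-receive"
    printf '#!/bin/sh\n' > "$d/hooks/post-receive"
    chmod +x "$d/hooks/post-receive"
    hooks_diff "$d/baseline" "$d/hooks" | sort
    rm -rf "$d"
}

demo_audit
```

Keep the baseline file somewhere the Git server account cannot write, otherwise whoever changes a hook can also refresh the baseline.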
Mission Pushed!
I've successfully triggered the server-side response. I'll save this password and move on to Level 32 ➔ Level 33, the final level of the Bandit journey!
Tags: #Linux #Bandit #OverTheWire #Git #GitPush #GitCommit #ServerHooks #CICD #CyberSecurity #FeynmanTechnique #CodeWithPritom #ProTips