Detailed solutions for Git levels and shell escape challenges in Bandit.
Key Concept: Bypassing .gitignore and validation through Git Hooks.
The server requires us to submit a specific file to the remote repository to validate our identity and obtain the next credential.
First, we download the repository to our local machine. As a best practice, we create a directory where we will clone the repo.
git clone ssh://bandit31-git@bandit.labs.overthewire.org:2220/home/bandit31-git/repo
cd repo
We create the key.txt file with the exact content required by the challenge.
echo "May I come in?" > key.txt
When attempting to add the file with git add, the system will reject it because there is a rule in the .gitignore file that ignores all .txt files.
To bypass this restriction, we use the -f (force) parameter.
git add -f key.txt
We perform a local commit and push the changes to the server.
🔐 Note: The password used for the push command is the same one used to clone the repository:
f*5S2xb7bRyFmAvQYQGEqs*********y
git commit -m "Adding access key"
git push origin master
3*9RfhqyAlVBEZpVb6LYStsh*******K
Even if the git push command returns an error at the end, the password will appear in the terminal output due to the server configuration.
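The ignore-rule step above can be reproduced offline. This is an added example, not part of the original walkthrough: the `*.txt` rule and `key.txt` mirror the level, while the throwaway repository and the `ignore_demo` function name are constructed here.

```shell
#!/bin/sh
# Added example: the *.txt rule and key.txt mirror the level; the repository
# itself is a constructed throwaway directory, not the Bandit remote.

ignore_demo() {
    repo=$(mktemp -d) || return 1
    git -C "$repo" init -q || return 1
    printf '*.txt\n' > "$repo/.gitignore"
    echo "May I come in?" > "$repo/key.txt"

    # check-ignore -v names the file, line and pattern that ignores the path.
    RULE=$(git -C "$repo" check-ignore -v key.txt)

    # A plain add of an ignored path is refused with a non-zero exit status.
    if git -C "$repo" add key.txt 2>/dev/null; then
        PLAIN_ADD=accepted
    else
        PLAIN_ADD=rejected
    fi

    # -f overrides the ignore rule; the file is now in the index.
    git -C "$repo" add -f key.txt || return 1
    STAGED=$(git -C "$repo" ls-files --cached)

    rm -rf "$repo"
    printf 'rule:      %s\nplain add: %s\nstaged:    %s\n' "$RULE" "$PLAIN_ADD" "$STAGED"
}

ignore_demo
```

.gitignore only changes what git add picks up by default; it is not an access control, so any rule about what may enter a repository has to be checked on the server side.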