OverTheWire Bandit Level 31 → 32 tutorial!!
Login
Log in as bandit31 using the password you obtained from Level 30 → 31.
ssh bandit31@bandit.labs.overthewire.org -p 2220
# password: fb5S2xb7bRyFmAvQYQGEqsbhVyJqhnDy
Why? Each Bandit level is a separate UNIX user. To solve 31 → 32, you must be the bandit31 user.
Task
There’s a git repository at ssh://bandit31-git@localhost:2220/home/bandit31-git/repo
The password for bandit31-git is the same as for bandit31.
Clone the repo, follow the instructions inside, and obtain the password for bandit32.
A little bit of Theory
- Repos can include server-side hooks that validate pushes and even print messages (like the next password) on successful validation.
- A .gitignore can exclude files from commits; you can still stage them with git add -f.
- Exact content and filename matter when a hook checks your push.
Further reading:
Solution
- Clone to a writable temp dir and open the repo
  WORKDIR=$(mktemp -d)
  cd "$WORKDIR"
  git clone ssh://bandit31-git@localhost:2220/home/bandit31-git/repo "repo-$RANDOM"
  cd repo-*
  ls -la
  cat README.md
  Why? /tmp is writable, and the README.md contains the exact instructions: create key.txt with content May I come in? on branch master.
- Create the required file with the exact content
  printf 'May I come in?\n' > key.txt
  Why? printf avoids stray quotes; the hook often checks the exact string.
- Stage the file (force add if it’s ignored)
  git add key.txt 2>/dev/null || git add -f key.txt
  git commit -m "Add key.txt as requested"
  Why? The repo may ignore key.txt via .gitignore. -f overrides that.
- Push to master and read the hook output
  git push origin master
  Why? The server’s pre-receive hook validates the filename/content and prints the bandit32 password. Sometimes the push is rejected after validation (you’ll still see the password in the output); that’s fine.
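How a server-side check like the one this level relies on can work, as an added example (not the Bandit server's actual hook, which this page does not show): a pre-receive hook that accepts only an exact key.txt on master and then rejects the push anyway. The function names, the messages other than "Wrong!" and the always-reject policy are assumptions.

```shell
#!/bin/sh
# Hypothetical pre-receive hook (added example, not the Bandit server's script).
# Git feeds one "<old-sha> <new-sha> <refname>" line per pushed ref on stdin.
# Whatever the hook prints is relayed to the pusher as "remote: ..." lines.

EXPECTED='May I come in?'   # required content, as quoted from the README
ZERO=0000000000000000000000000000000000000000   # new-sha of a deleted ref

# Print a file as stored in a pushed commit. Separate so it can be stubbed.
read_blob() { git cat-file -p "$1:$2" 2>/dev/null; }

# Return 0 only if the ref is master and key.txt matches exactly.
check_ref() {  # args: <new-sha> <refname>
    [ "$2" = "refs/heads/master" ] || { echo "Wrong branch: $2"; return 1; }
    [ "$1" != "$ZERO" ] || { echo "Branch deletion not accepted"; return 1; }
    content=$(read_blob "$1" key.txt) || { echo "key.txt missing"; return 1; }
    # $(...) strips trailing newlines, so printf '...\n' and echo both pass,
    # while different case, punctuation or extra words fail.
    [ "$content" = "$EXPECTED" ] || { echo "Wrong!"; return 1; }
    echo "Well done!"
}

# Validate every pushed ref, then reject the push regardless of the verdict,
# so the shared repository is never modified by any player.
run_hook() {
    verdict=1
    while read -r old new ref; do
        if check_ref "$new" "$ref"; then verdict=0; fi
    done
    [ "$verdict" -eq 0 ] && echo "(a challenge server would print its secret here)"
    return 1   # non-zero exit from pre-receive rejects all pushed refs
}

# Only act when installed as hooks/pre-receive in the bare repository.
case "$0" in *pre-receive) run_hook; exit $? ;; esac
```

Because the hook always exits non-zero, the client sees the "remote:" messages followed by a rejected push, which matches the "push rejected after printing the password" behaviour noted in Troubleshooting.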
Password
Copy the password the server prints during the git push. (Replace the placeholder below with yours.)
3O9RfhqyAlVBEZpVb6LYStshZoqoSx5K
Troubleshooting
- “key.txt is ignored” → Use git add -f key.txt.
- Hook says “Wrong!” → Ensure the file is named exactly key.txt, content is exactly May I come in? (same capitalization and ?), and you pushed to master.
- Push rejected after printing the password → Normal. You already saw the password in the remote output.
- Auth prompt → Use your bandit31 password when asked for bandit31-git@localhost’s password.
Congrats 🎉 You used a server-side Git hook to validate a push and reveal the next secret. On to bandit32!
Thanks for reading!
Until next time — Otsumachi!! 💖☄️✨