Bandit OverTheWire Walkthrough

Levels 1 - 16


The Bandit wargame is aimed at absolute beginners. It will teach the basics needed to be able to play other wargames.

You will learn basic Linux commands and how things work in Linux (files, directories, permissions, user roles, port scanning, ssh, OpenSSL, bash scripting, and git).

Find more about the wargame Bandit

ssh login: bandit.labs.overthewire.org port : 2220

sshpass -p `cat bandit0` ssh bandit0@bandit.labs.overthewire.org -p 2220

When using sshpass, I'm storing each round's password in a file bandit. A simple echo and redirection would do the job.

echo Password_To_Level_X > banditX

or

ssh bandit0@bandit.labs.overthewire.org -p 2220

Rather than copy-pasting passwords every time, sshpass lets us feed in the password stored in a file. However, this is not a very secure method to use in the wild. Credits to JohnHammond.

0:

  • To connect over ssh, use the default password bandit0.
    ssh bandit0@bandit.labs.overthewire.org -p 2220
    
  • Enter the password bandit0. In UNIX/Linux environments the password is not shown as you type, so don't worry.

0 -> 1:

Level Goal :

The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.

Solution :

  • On successful login, check for files and directories using ls, then read the file.
    cat readme

  • Copy the password.
  • Store it in a different file, or use the ssh command directly and paste the password from the clipboard.
  • I prefer to use sshpass as it comes in handy and passwords are stored in a file so that I can use it anytime.

1 -> 2:

Level Goal :

The password for the next level is stored in a file called - located in the home directory

Solution :

  • ls shows a file named simply -
  • A filename that starts with a dash is a dashed filename.
  • Many commands, cat included, treat a bare - argument as stdin/stdout (i.e. /dev/stdin and /dev/stdout) instead of as a file.
  • To read the contents of the dashed file, give the path of the file rather than the bare name.
    cat ./-
  • Copy the password.

2 -> 3:

Level Goal :

The password for the next level is stored in a file called spaces in this filename located in the home directory

Solution :

  • Spaces in the filename need to be escaped: put the escape character \ before each space.
  • Or simply press Tab on the keyboard to auto-fill the name.

3 -> 4:

Level Goal :

The password for the next level is stored in a hidden file in the inhere directory.

Solution :

  • change directory to inhere.
  • inside folder inhere, it looks empty on normal ls.
  • use ls -a to list the hidden files and directories.
  • check for the contents of the hidden file using cat or more or less or whichever you like to read the contents.

4 -> 5:

Level Goal :

The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.

Solution :

We are told that the password file is human-readable.

  • Inside the inhere directory there are 10 dashed files, and one of them contains the password.
  • Run the file command on all files that begin with -

    file ./-*

    * is a wildcard used to match any filename in that directory, saving ourselves a few more keystrokes.

  • To make things interesting, the same check can be written as a bash loop.

    for x in {0..9}; do file ./-file0$x; done

  • You will find the file containing the password.

5 -> 6:

Level Goal :

The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:

  • human-readable
  • 1033 bytes in size
  • non-executable

Solution :

  • Check the man page of find.
  • It has a test -readable to match readable files, using the access() system call.
  • The test -size n[cwbkMG] matches files that use n units of space; the unit is chosen by the suffix from [cwbkMG]:
    • b for 512-byte blocks (this is the default if no suffix is used)
    • c for bytes
    • w for two-byte words
    • k for Kilobytes (units of 1024 bytes)
    • M for Megabytes (units of 1048576 bytes)
    • G for Gigabytes (units of 1073741824 bytes)

  • Final command would be something like

    find -readable -size 1033c ! -executable
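
The find tests above, run against a constructed directory tree (an added example, not part of the original walkthrough; the sandbox layout and file names are made up). It also shows why the c suffix matters: without it, -size counts 512-byte blocks.

```shell
#!/bin/sh
# Added example: constructed sandbox imitating the "inhere" tree of level 5 -> 6.
# File names and contents are made up; only the find tests come from the page.

make_sandbox() {
    dir=$(mktemp -d)
    mkdir -p "$dir/inhere/dir00" "$dir/inhere/dir01"
    # fill NAME BYTES: write a file of exactly BYTES printable characters
    fill() { head -c "$2" /dev/zero | tr '\0' 'x' > "$1"; }
    fill "$dir/inhere/dir00/target"      1033   # the file we want
    fill "$dir/inhere/dir00/decoy_exec"  1033   # right size, but executable
    fill "$dir/inhere/dir01/decoy_1200"  1200   # same block count, wrong byte size
    fill "$dir/inhere/dir01/decoy_small" 33
    chmod +x "$dir/inhere/dir00/decoy_exec"
    printf '%s\n' "$dir"
}

# Exact match: the c suffix makes -size count bytes.
find_password_file() {
    find "$1" -type f -readable -size 1033c ! -executable
}

# Pitfall: with no suffix, -size counts 512-byte blocks rounded up,
# so "-size 3" matches every file from 1025 to 1536 bytes.
count_block_matches() {
    find "$1" -type f -size 3 | wc -l | tr -d ' '
}

sandbox=$(make_sandbox)
echo "byte-exact match : $(find_password_file "$sandbox")"
echo "files at -size 3 : $(count_block_matches "$sandbox")"
rm -rf "$sandbox"
```
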
    

6 -> 7:

Level Goal :

The password for the next level is stored somewhere on the server and has all of the following properties:

  1. owned by user bandit7
  2. owned by group bandit6
  3. 33 bytes in size

Solution :

  • find has the argument -user to check the owning user.
  • find has the argument -group to check the owning group.
  • The file is somewhere on the server, so the search starts from /.
    find / -user bandit7 -group bandit6 -size 33c

This gives a lot of error messages, which can be removed by appending 2>/dev/null (2> file redirects stderr to file).

7 -> 8:

Level Goal :

The password is stored in data.txt, next to the word millionth.

Solution :

We could sort the data and find the line easily if we had an idea of where the keyword we are looking for might appear; in this case, the keyword is millionth.

However, we have grep, which prints lines that match a pattern.

cat data.txt | grep millionth

8 -> 9:

Level Goal :

The password for the next level is stored in the file data.txt and is the only line of text that occurs only once.

Solution :

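We have a command uniq which can be used to show the unique data. uniq only compares adjacent lines, so the data is sorted first; -u then prints only the lines that are not repeated.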

cat data.txt | sort | uniq -u

9 -> 10:

Level Goal :

The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.

Solution :

The output of data.txt seems odd: the file contains both strings and binary data, which can make it difficult to read. To sort out the plain text, I ran

cat data.txt | strings

Then, I simply tried increasing = with grep and it worked xD

cat data.txt | strings | grep ====

But genuinely you should try to get all the lines that begin with =

cat data.txt | strings | grep ^=

10 -> 11:

Level Goal :

The password for the next level is stored in the file data.txt, which contains base64 encoded data

Solution :

  • base64 is a type of encoding.
  • Base64 is a group of binary-to-text encoding schemes that represent binary data (more specifically, a sequence of 8-bit bytes) in sequences of 24 bits that can be represented by four 6-bit Base64 digits.
  • We have base64 on the command line (or check the online man page); -d decodes.
    cat data.txt | base64 -d
    

11 -> 12:

Level Goal:

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions.

Solution :

  • ROT13 ("rotate by 13 places") is a simple letter substitution cipher that replaces a letter with the 13th letter after it in the alphabet.
  • ROT13 is a special case of the Caesar cipher which was developed in ancient Rome.
  • ROT13 is the algorithm used here. We can use tr to translate the text.
  • A becomes N, B becomes O ...
  • Here we aim to translate all the letters from [A-Z] to [N-ZA-M], and similarly for the lowercase letters.
    cat data.txt | tr '[A-Za-z]' '[N-ZA-Mn-za-m]'

12 -> 13:

Level Goal :

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!).

Solution :

  • Use file to get the type of file.
  • Use mv to rename the file so that its extension matches its type.
  • If gzip, use gzip -d to decompress.
  • If bzip2, use bzip2 -d to decompress.
  • If tar, use tar -xvf to extract.
mkdir /tmp/randomDir && cp data.txt /tmp/randomDir
cd /tmp/randomDir && file data.txt
# turn the hexdump back into the binary file
xxd -r data.txt newdata
file newdata

# shows it is a gzip compressed file
mv newdata newdata.gz
gzip -d newdata.gz
file newdata
# shows it is a bzip2 file but lacks the .bz2 extension
mv newdata newdata.bz2
bzip2 -d newdata.bz2
# for tar use `tar -xvf <fileName>`
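
The file / mv / decompress cycle above, written as a loop that peels layers until plain data is left. This is an added example, not part of the original walkthrough: it picks up after xxd -r, recognises each layer by its magic bytes instead of calling file, and runs on a constructed sample archive with a made-up password.

```shell
#!/bin/sh
# Added example: peel compression layers automatically (level 12 -> 13).
# Picks up after `xxd -r`; the sample archive and its password are constructed.

# layer_type FILE: classify a file by its magic bytes, the signatures
# that identify these formats.
layer_type() {
    magic=$(od -An -tx1 -N3 "$1" | tr -d ' \n')
    case "$magic" in
        1f8b*)  echo gzip ;;                    # 1f 8b
        425a68) echo bzip2 ;;                   # "BZh"
        *)  # tar keeps the string "ustar" at offset 257 of its header
            if [ "$(dd if="$1" bs=1 skip=257 count=5 2>/dev/null)" = "ustar" ]
            then echo tar; else echo data; fi ;;
    esac
}

# unwrap FILE OUTDIR: decompress until no known layer is left,
# then print the path of the innermost file.
unwrap() {
    cur=$1; out_dir=$2; n=0
    while :; do
        n=$((n + 1))
        case "$(layer_type "$cur")" in
            gzip)  gzip  -dc "$cur" > "$out_dir/layer$n" ;;
            bzip2) bzip2 -dc "$cur" > "$out_dir/layer$n" ;;
            tar)   mkdir "$out_dir/tar$n" && tar -xf "$cur" -C "$out_dir/tar$n"
                   # assumption: one member per archive, as in this level
                   mv "$out_dir/tar$n"/* "$out_dir/layer$n" ;;
            *)     printf '%s\n' "$cur"; return 0 ;;
        esac
        cur="$out_dir/layer$n"
    done
}

# make_sample DIR: constructed input, gzip(tar(gzip(text)))
make_sample() {
    printf 'constructed-password\n' > "$1/secret"
    gzip -c "$1/secret" > "$1/inner.gz"
    tar -cf "$1/inner.tar" -C "$1" inner.gz
    gzip -c "$1/inner.tar" > "$1/data.bin"
}

work=$(mktemp -d)
make_sample "$work"
cat "$(unwrap "$work/data.bin" "$work")"
rm -rf "$work"
```
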

13 -> 14:

Level Goal :

The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on.

Solution :

  • ssh has an argument -i with which we can pass the private key.
  • -i means that an identity file (the private key) is used to log in to bandit14. Since all of the bandit users are on the same machine, we use localhost as the server.
    ssh bandit14@localhost -i sshkey.private
    

14 -> 15:

Level Goal :

The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

Solution :

netcat is a tool that can open TCP connections, send UDP packets, listen on arbitrary TCP and UDP ports, do port scanning, and deal with both IPv4 and IPv6.

  • The password to the current level can be found at /etc/bandit_pass/bandit14
    cat /etc/bandit_pass/bandit14 | nc localhost 30000
    

15 -> 16:

Level Goal :

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…

Solution :

nc is helpful for communicating over plaintext connections such as HTTP, but here there is an extra encryption layer using SSL (as HTTPS adds on top of HTTP), for which we can use openssl. The command uses:

  • s_client acts as a client that can establish a transparent connection to a remote server speaking SSL/TLS.
  • -connect specifies the host and port to connect to.
  • -ign_eof keeps the connection open when end of file is reached on the input, so the server's reply can still be read.
    cat /etc/bandit_pass/bandit15 | openssl s_client -connect localhost:30001 -ign_eof
    
