Over The Wire: Bandit Challenges

Bandit Level 0 -> Level 1

From their website:

The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.

http://overthewire.org/wargames/bandit/bandit1.html

The hint they gave is very straight forward. Simply run the ls command in order to list the contents of the current directory (which is defaulted to /home).

bandit0@bandit:~$ ls
readme

After running ls you will see the readme file. In order to view the content of the file run the cat command and pass it the readme file as an argument.

bandit0@bandit:~$ cat readme

After running this command you will be shown the password.
Use the password to log in to the next level.


Bandit Level 1 -> Level 2

The password for the next level is stored in a file called located in the home directory

http://overthewire.org/wargames/bandit/bandit2.html

Upon SSH’ing into the bandit1 account, you can run the ls command in the /home directory to list the file that is mentioned in the hint.

bandit1@bandit:~$ ls
-

You may initially think that you could simply run

bandit1@bandit:~$ cat -

But in doing so, it will only cause the terminal session to hang. Now, there are two different methods you can use in order to display the password. (There may be more, but these are the 2 that I found).

The reason behind this being that file names are normally associated with files for STDIN/STDOUT. To read/open dash (-) files, you have to specify the full path ./, or you can use < to redirect the output to STDIN.

But in this case, it will not work as the is the only character in the file name.

bandit1@bandit:~$ cat ./-

bandit1@bandit:~$ cat < -

After running either of these commands, you will be shown the password.
Use the password to log in to the next level.


Bandit Level 2 -> Level 3

The password for the next level is stored in a file called spaces in this filename located in the home directory

http://overthewire.org/wargames/bandit/bandit3.html

In order to read/open a file that has spaces in the filename, you have to delimit the spaces in the filename with a backslash \ . An easy way to do this is to type cat s, then hit tab to autocomplete the argument.

bandit2@bandit:~$ cat spaces\ in\ this\ filename

After running this command, you will be shown the password.
Use the password to log in to the next level.


Bandit Level 3 -> Level 4

The password for the next level is stored in a hidden file in the inhere directory.

http://overthewire.org/wargames/bandit/bandit4.html

The key word for this challenge is hidden. Hidden files are a special type of file that are “hidden”. They’re not actually hidden, hidden files are filenames that begin with a .

.<filename>

So to begin, list out of the contents of the home directory and you’ll find the inhere directory. Change into the inhere directory and list the contents, and? …

bandit3@bandit:~$ ls
inhere
bandit3@bandit:~$ cd inhere/
bandit3@bandit:~/inhere$ ls
bandit3@bandit:~/inhere$ 

Nothing?
Well, the thing with hidden files is that they are hidden from regular viewing/opening; in order to view them you have to pass the -a argument to the ls command.

bandit3@bandit:~/inhere$ ls -al
total 12
drwxr-xr-x 2 root    root    4096 Oct 16  2018 .
drwxr-xr-x 3 root    root    4096 Oct 16  2018 ..
-rw-r----- 1 bandit4 bandit3   33 Oct 16  2018 .hidden

Then in order to view the password within the .hidden file.
Also, if I may offer a tip, it is generally better to get int he habit of running the ls command with the -la arguments added. It shows all the files within the directory as well as lists them in a vertical format making it easier to read, as well as giving other helpful info.

bandit3@bandit:~/inhere$ cat .hidden

After running this command, you will be shown the password.
Use the password to log in to the next level.


Bandit Level 4 -> Level 5

The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.

http://overthewire.org/wargames/bandit/bandit5.html

Once again, the password can be found within a file in the inhere directory. However, the file is not hidden and there are 10 files to look through this time.

Also notice that each file begins with a dash (-) so refer to the prior challenge in how to open those files. So change into the directory and list out the files.

bandit4@bandit:~$ cd inhere/
bandit4@bandit:~/inhere$ ls -la
total 48
drwxr-xr-x 2 root    root    4096 Oct 16  2018 .
drwxr-xr-x 3 root    root    4096 Oct 16  2018 ..
-rw-r----- 1 bandit5 bandit4   33 Oct 16  2018 -file00
-rw-r----- 1 bandit5 bandit4   33 Oct 16  2018 -file01
-rw-r----- 1 bandit5 bandit4   33 Oct 16  2018 -file02
-rw-r----- 1 bandit5 bandit4   33 Oct 16  2018 -file03
-rw-r----- 1 bandit5 bandit4   33 Oct 16  2018 -file04
-rw-r----- 1 bandit5 bandit4   33 Oct 16  2018 -file05
-rw-r----- 1 bandit5 bandit4   33 Oct 16  2018 -file06
-rw-r----- 1 bandit5 bandit4   33 Oct 16  2018 -file07
-rw-r----- 1 bandit5 bandit4   33 Oct 16  2018 -file08
-rw-r----- 1 bandit5 bandit4   33 Oct 16  2018 -file09
bandit4@bandit:~/inhere$ 

10 files, all look identical except for the filenames. Each file is the same size 33 bytes, each file has the same permissions, same user & group.
But we know one of them has to contain the password for the next level.

If you’re looking at the OTW website and notice the Commands you may need to solve this level section. Definitely use those suggestions, you can either Google them, or use the man command to access the manual for the command to find out more about each one.

bandit4@bandit:~/inhere$ man <command>

In this case, the only one that would be of any use to us would be the file command. So be sure to Google it and find out more about it or use the man command.
Let’s run the file command against the first file in the directory listing.

bandit4@bandit:~/inhere$ file ./-file00
./-file00: data
bandit4@bandit:~/inhere$ 

You may be thinking of trying to open this file…

bandit4@bandit:~/inhere$ cat ./-file00
??????????~%	C[?걱>??| ?

What? Gibberish? Definitely not the password, that is not what we’re looking for.
Now, you could manually check each file to see which one we’re looking for, that would be fine, but how about we automate this a bit and make it quicker?

We can use the * character to automate things for us.

bandit4@bandit:~/inhere$ file ./-file0*
./-file00: data
./-file01: data
./-file02: data
./-file03: data
./-file04: data
./-file05: data
./-file06: data
./-file07: ASCII text
./-file08: data
./-file09: data

./-file07: ASCII text tells us that the file is of type ASCII text, which is human-readable.
So that would be the file containing the password.

bandit4@bandit:~/inhere$ cat ./-file07

After running this command, you will be shown the password.
Use the password to log in to the next level.


Bandit Level 5 -> Level 6

The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:
– human-readable
– 1033 bytes in size
– not executable

http://overthewire.org/wargames/bandit/bandit6.html

Again with the inhere directory, cd into that directory and list whats there.

bandit5@bandit:~/inhere$ ls -la
total 88
drwxr-x--- 22 root bandit5 4096 Oct 16  2018 .
drwxr-xr-x  3 root root    4096 Oct 16  2018 ..
drwxr-x---  2 root bandit5 4096 Oct 16  2018 maybehere00
drwxr-x---  2 root bandit5 4096 Oct 16  2018 maybehere01
drwxr-x---  2 root bandit5 4096 Oct 16  2018 maybehere02
drwxr-x---  2 root bandit5 4096 Oct 16  2018 maybehere03
drwxr-x---  2 root bandit5 4096 Oct 16  2018 maybehere04
drwxr-x---  2 root bandit5 4096 Oct 16  2018 maybehere05
drwxr-x---  2 root bandit5 4096 Oct 16  2018 maybehere06
drwxr-x---  2 root bandit5 4096 Oct 16  2018 maybehere07
drwxr-x---  2 root bandit5 4096 Oct 16  2018 maybehere08
drwxr-x---  2 root bandit5 4096 Oct 16  2018 maybehere09
drwxr-x---  2 root bandit5 4096 Oct 16  2018 maybehere10
drwxr-x---  2 root bandit5 4096 Oct 16  2018 maybehere11
drwxr-x---  2 root bandit5 4096 Oct 16  2018 maybehere12
drwxr-x---  2 root bandit5 4096 Oct 16  2018 maybehere13
drwxr-x---  2 root bandit5 4096 Oct 16  2018 maybehere14
drwxr-x---  2 root bandit5 4096 Oct 16  2018 maybehere15
drwxr-x---  2 root bandit5 4096 Oct 16  2018 maybehere16
drwxr-x---  2 root bandit5 4096 Oct 16  2018 maybehere17
drwxr-x---  2 root bandit5 4096 Oct 16  2018 maybehere18
drwxr-x---  2 root bandit5 4096 Oct 16  2018 maybehere19
bandit5@bandit:~/inhere$ 

Hmm, 20 different directories to look through. Like earlier, you should make a habit of looking into the “Commands you may need to solve this level“. For this challenge, the find command can be extra useful.

If you have read through the man page(s) for the find command (which you should have!) or Googled it. You should be able to easily see that there are arguments available to pass to the find command to filer the results based upon the given properties for the challenge.
These args are:
-readable
-size
-executable

So with this knowledge, we can run the find command to track down this file.

bandit5@bandit:~/inhere$ find . -readable -size 1033c ! -executable
./maybehere07/.file2
bandit5@bandit:~/inhere$ 

So we run the find command and tell it to start in the current directory which is what the dot ( . ) means. Then we pass in the -readable arg, the -size arg with a value of 1033c, the c tells us we’re looking for bytes, and finally we’re looking for a non executable file so passing ! -executable. The exclamation point is used in programming to represent the opposite of what follows it, since there is an -executable option but not a -not-exectuable, we use the ! to show files that are not executable.

We have found the file ./maybehere07/.file2

bandit5@bandit:~/inhere$ cat ./maybehere07/.file2

After running this command, you will be shown the password.
Use the password to log in to the next level.


Bandit Level 6 -> Level 7

The password for the next level is stored somewhere on the server and has all of the following properties:
– owned by user bandit7
– owned by group bandit6
– 33 bytes in size

http://overthewire.org/wargames/bandit/bandit7.html

No more inhere directory, this time the password file is stored somewhere on the server. So using the knowledge we gained from the previous exercise of the find command, we can use some different options available to us to track down the file.

These will be the -user, -group options of the find command, as well as the -size option we used in the previous challenge. So lets use these options and pass in the parameters mentioned above.

bandit6@bandit:~$ find / -user bandit7 -group bandit6 -size 33c

What did you get? A lot of output or errors? A bit confusing to look at right?
To fix this, we can use a new little trick in order to filter out errors from outputting to the console. Add the following to the end of the command to reduce the amount of output by redirecting stderr and any errors out to the null directory.

2>/dev/null
bandit6@bandit:~$ find / -user bandit7 -group bandit6 -size 33c 2>/dev/null
/var/lib/dpkg/info/bandit7.password
bandit6@bandit:~/inhere$ cat /var/lib/dpkg/info/bandit7.password

After running this command, you will be shown the password.
Use the password to log in to the next level.


Bandit Level 7 -> Level 8

The password for the next level is stored in the file data.txt next to the word millionth.

http://overthewire.org/wargames/bandit/bandit8.html

This one is pretty simple, they give you the file where the password is stored. Did you already run cat on the file thinking that the password would just appear?

Yeah, I did too at first. Let’s just say, scrolling through the 98,567 lines looking for the password may be doable, but it would be stupid. Let’s automate this!

Did you look up the recommended commands yet? If not, FOR SHAME! Now go look up grep in the man pages or Google it. We’re going to need it.

bandit7@bandit:~$ cat data.txt | grep millionth

After running this command, you will be shown the password.
Use the password to log in to the next level.


Bandit Level 8 -> Level 9

The password for the next level is stored in the file data.txt and is the only line of text that occurs only once.

http://overthewire.org/wargames/bandit/bandit9.html

Once again we have a text file with a ton of data within, and as the goal above explains, the line that the password is on only occurs once in the file. The commands we’re looking for are sort and uniq.

bandit8@bandit:~$ cat data.txt | sort | uniq -u

After running this command, you will be shown the password.
Use the password to log in to the next level.


Bandit Level 9 -> Level 10

The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.

http://overthewire.org/wargames/bandit/bandit10.html

This level is actually pretty easy, the file just contains mostly gibberish and we have to find the password nested within. To do this we need to display the actual printable characters in the file, and then we need to look for the multiple equals signs.

bandit9@bandit:~$ strings data.txt | grep "="

After running this command, you will be shown the password. (You’ll know which one it is!)
Use the password to log in to the next level.


Bandit Level 10 -> Level 11

The password for the next level is stored in the file data.txt, which contains base64 encoded data.

http://overthewire.org/wargames/bandit/bandit11.html

Another easy one, be sure to check out the base64 command. Since the data is bas64 encoded, we have to decode it.

bandit10@bandit:~$ cat data.txt | base64 --decode

After running this command, you will be shown the password.
Use the password to log in to the next level.


Bandit Level 11 -> Level 12

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions.

http://overthewire.org/wargames/bandit/bandit12.html

This challenge introduces a new cipher, ROT13. This can be done in several different ways, but I will provide 2 easy ways that you could go about solving this. One will be command line based, the other will be done by using a website. The easier of the two is using the website cryptii which offers several different ways to encipher/decipher text.

First things first, lets see what the encoded message is, the file is data.txt which is in the home directory.

bandit11@bandit:~$ cat data.txt 
Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh

Now, you can take the encoded message and copy & paste it into the web page to decode it. Which will provide the password to the next level.

Or, if you want to stay put in the terminal, you can run the following:

bandit11@bandit:~$ cat data.txt | tr '[A-Za-z]' '[N-ZA-Mn-za-m]'

Cat out the data file and pipe it to the tr command (translate). The first set of letters in the brackets is the base alphabet, the second is the second that represent what the encoded text will be represented as.

ROT13 shifts the letters 13 positions, so A = N, B = O, etc. That is what the second set of bracketed text represents.

After running that command

After running this command, you will be shown the password.
Use the password to log in to the next level.


Bandit Level 12 -> Level 13

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir.

For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)

http://overthewire.org/wargames/bandit/bandit13.html

In order to get the password for this level, the file is hexdumped AND is compressed multiple times. If you tried to do it in t he home directory, guess what? Yep, didn’t work did it?

So we need to follow the hint and copy the file to the /tmp directory.

bandit12@bandit:~$ cp data.txt /tmp/temp/data.txt
bandit12@bandit:~$ cd /tmp/temp
bandit12@bandit:/tmp/temp$ ls
data5.bin  data6  data8  data.txt  new  pedaGae  -r

You can see the file is copied to the directory for us to work with. Next we need to reverse the hexdumped file to a binary file, in order to do that we can use the xxd command.

bandit12@bandit:/tmp/temp$ xxd -r data.txt data.bin

Now use the trusty file command that we have used time and time again to find out the info on the newly created binary. You should see that it is a gzip compressed file

bandit12@bandit:/tmp/temp$ file data.bin 
data.bin: gzip compressed data, was "data2.bin", last modified: Tue Oct 16 12:00:23 2018, max compression, from Unix

Next we need to “uncompress” the file, and see what the next compression we have to work with is. We are not really uncompressing the file, but checking what the compression on it is after the gzip is taken off

bandit12@bandit:/tmp/temp$ zcat data.bin | file -
/dev/stdin: bzip2 compressed data, block size = 900k

So now the next compression we have to get through is bzip2

Leave a Reply