Axel Curmi - Over the Wire

Bandit is an online wargame offered by Over the Wire and is beginner friendly game that will teach Linux basics.

Level 00

The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.

The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.

$ ssh [email protected] -p 2220

bandit0@bandit:~$ ls
readme
bandit0@bandit:~$ cat readme
NH2SXQwcBdpmTEzi3bvBHMM9H66vVXjL

We are able to view the contents of the file readme using the cat command.

Level 01

The password for the next level is stored in a file called - located in the home directory

bandit1@bandit:~$ cat ./-
rRGizSaX8Mk1RTb1CNQoXTcYZWU6lgzi

The - is a very special character in Linux; it signifies stdin. Therefore, to read a file with - rather than stdin, we must specify the path to the file (relative or absolute).

Level 02

The password for the next level is stored in a file called spaces in this filename located in the home directory

bandit2@bandit:~$ cat spaces\ in\ this\ filename
aBZ0W5EmUfAf7kHTQeOwd8bauFJ2lAiG

Spaces usually signify a separation between CLI arguments of Linux commands. However, to specify that the file contains spaces in the filename, we can escape the spaces using the backslash (\) character.

Level 03

The password for the next level is stored in a hidden file in the inhere directory.

bandit3@bandit:~$ ls -al inhere/
total 12
drwxr-xr-x 2 root    root    4096 Sep  1 06:30 .
drwxr-xr-x 3 root    root    4096 Sep  1 06:30 ..
-rw-r----- 1 bandit4 bandit3   33 Sep  1 06:30 .hidden
bandit3@bandit:~$ cat inhere/.hidden
2EW7BBsr6aMMoJ2HjW067dm8EgX26xNe

A period (.) at the start of a filename (or directory name) signify that it is a hidden file. These files are usually hidden in GUI and normal ls command execution. However, we can add the -a flag to the ls command to show all files and directories.

Level 04

The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.

bandit4@bandit:~$ ls -al inhere/
total 48
drwxr-xr-x 2 root    root    4096 Sep  1 06:30 .
drwxr-xr-x 3 root    root    4096 Sep  1 06:30 ..
-rw-r----- 1 bandit5 bandit4   33 Sep  1 06:30 -file00
-rw-r----- 1 bandit5 bandit4   33 Sep  1 06:30 -file01
-rw-r----- 1 bandit5 bandit4   33 Sep  1 06:30 -file02
-rw-r----- 1 bandit5 bandit4   33 Sep  1 06:30 -file03
-rw-r----- 1 bandit5 bandit4   33 Sep  1 06:30 -file04
-rw-r----- 1 bandit5 bandit4   33 Sep  1 06:30 -file05
-rw-r----- 1 bandit5 bandit4   33 Sep  1 06:30 -file06
-rw-r----- 1 bandit5 bandit4   33 Sep  1 06:30 -file07
-rw-r----- 1 bandit5 bandit4   33 Sep  1 06:30 -file08
-rw-r----- 1 bandit5 bandit4   33 Sep  1 06:30 -file09
bandit4@bandit:~$ file ./inhere/*
./inhere/-file00: OpenPGP Public Key
./inhere/-file01: data
./inhere/-file02: data
./inhere/-file03: data
./inhere/-file04: data
./inhere/-file05: data
./inhere/-file06: data
./inhere/-file07: ASCII text
./inhere/-file08: data
./inhere/-file09: data
bandit4@bandit:~$ cat ./inhere/-file07
lrIWWI6bB37kxfiCQZqUdOIYfr6eEeqR

We have a number of files, but only one is human-readable. We can use the file Linux command to determine the file type of a file together with the wildcard character (*) to execute this command on all files within the specified path.

Level 05

The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:

human-readable
1033 bytes in size
not executable

bandit5@bandit:~$ find inhere -readable -size 1033c ! -executable
inhere/maybehere07/.file2
bandit5@bandit:~$ cat inhere/maybehere07/.file2
P4L4vucdmLnm8I7Vl7jG1ApGSfjYKqJU

We can use the find command to find files or directories using specific CLI flags. The -readable flag can be used to return only files that are human-readable, the -size 1033c flag is used to return files containing 1033 bytes, and the ! -executable is used to return files that do not have executable bit enabled.

Level 06

The password for the next level is stored somewhere on the server and has all of the following properties:

owned by user bandit7
owned by group bandit6
33 bytes in size

bandit6@bandit:~$ find / -mount -user bandit7 -group bandit6 -size 33c 2>/dev/null
/var/lib/dpkg/info/bandit7.password
bandit6@bandit:~$ cat /var/lib/dpkg/info/bandit7.password
z7WtoNQU2XfjmMtWA8u5rN4vzqu4v99S

This level is very similar to the previous one; however, we need to search the whole system and use different CLI arguments. The -mount flag will only return files on mounted filesystems (so no /proc), the -user bandit7 and -group bandit6 will return files belonging to the corresponding user and group, while the 2>/dev/null will tell linux to redirect everything written to stderr in /dev/null - essentially telling linux to not print any errors.

Level 07

The password for the next level is stored in the file data.txt next to the word millionth.

bandit7@bandit:~$ cat data.txt
	[... REDACTED FOR SIMPLICITY ...]
toddies	        tgrciiqd0Kh3pqQ40eywnV5OkJGJycVA
weaklier	    yRhjA3UtazzuurnDvrJWAfC7HlNoaDkq
Charlotte's	    0nu16l46josIwNMq9e9KhiBqobhAEezn
subscribed	    Y00MgPFpFqqYt6auriRnPpv2IenX0Yff
Leo's	        LdfgHoMEWqdgc1CE7g6vE3jJEoSDwTW7
safaried	    BSY8oryOflJQttUUu4dJsYVZbU6rcyWh
McPherson's	    6aUjbvP7Gj3YTTuHPPjBmMSr0ZqHZ21U
backspaces	    w6UFfZkyMPCACrycbSVbSFscwfsnqt5j
Machiavellians	MIuPEEMxbTIcDkfygCyUZBqoXCW24CV5
proposing	    GVPMv4SITKEl7fnNGEK0BdiMx5Yzsj4P
nickelodeon	    mBG4SEBET5xRiieiJYeFVpLBsaxjcgOY
Iaccoca's	    g4mRe7omzIvO495UweTLCe4tLiwaKlnD
	[... REDACTED FOR SIMPLICITY ...]
bandit7@bandit:~$ grep "millionth" data.txt
millionth	    TESKZC0XvTetK0S9xNwm25STk5iWrBvP

The grep command can be used to print lines in a file that match a specific pattern, in this case "millionth".

Level 08

The password for the next level is stored in the file data.txt and is the only line of text that occurs only once.

bandit8@bandit:~$ sort data.txt | uniq -u
EN632PlfYiZbn3PhVK3XOGSlNInNE00t

We can use the uniq command with the -u flag to omit repeating lines in a file. However, the lines will need to be repeated and next to one another. We can use the sort command to sort the lines of a text file.

Level 09

The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.

bandit9@bandit:~$ grep -a "=\{2,\}" data.txt
[... REDACTED ... ] ========== the [... REDACTED ... ] ========== password [... REDACTED ... ] ========== is [... REDACTED ... ] ========== G7w8LIi6J3kTb8A7j9LgrywtEUlyyp6s [... REDACTED ... ]

Here we can use grep again but this time we can specify the regex expression /={2,}/ to find all ocurrenses of 2 or more equals signs in the file. The -a CLI flag for grep specifies grep to process a binary file as if it were text.

Level 10

The password for the next level is stored in the file data.txt, which contains base64 encoded data.

bandit10@bandit:~$ cat data.txt
VGhlIHBhc3N3b3JkIGlzIDZ6UGV6aUxkUjJSS05kTllGTmI2blZDS3pwaGxYSEJNCg==
bandit10@bandit:~$ cat data.txt | base64 -d
The password is 6zPeziLdR2RKNdNYFNb6nVCKzphlXHBM

The base64 command can be used to convert text to and from Base64. In this case we need to decode a message from Base64; hence the -d flag.

Level 11

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions.

bandit11@bandit:~$ cat data.txt
Gur cnffjbeq vf WIAOOSFzMjXXBC0KoSKBbJ8puQm5lIEi
bandit11@bandit:~$ cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'
The password is JVNBBFSmZwKKOP0XbFXOoW8chDz5yVRv

The message is encoded using the ROT13 Cipher. On linux we can use the tr command to translate characters into other characters (in this case shift characters by 13).

Level 12

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)

bandit12@bandit:/tmp/blink$ cat data.txt
00000000: 1f8b 0808 7151 1063 0203 6461 7461 322e  ....qQ.c..data2.
00000010: 6269 6e00 013f 02c0 fd42 5a68 3931 4159  bin..?...BZh91AY
00000020: 2653 595d ed11 a800 001b ffff d8ff fde7  &SY]............
00000030: dff7 ffff ffcf efcf bef7 7e7f dd39 3f7f  ..........~..9?.
00000040: fafb ffbf cfbf 3eff a9fb bf7f b001 3b1b  ......>.......;.
00000050: 6d20 0f50 0034 0680 0000 34c2 01ea 0d34  m .P.4....4....4
00000060: 0000 1900 1a32 1a68 0d00 0000 0034 0000  .....2.h.....4..
00000070: 000d 0069 91ea 0c6d 5100 0068 00c8 000d  ...i...mQ..h....
00000080: 0323 4340 3d40 0d0d 1a68 01a3 4c83 401a  .#C@[email protected].@.
00000090: 687a 4034 0340 1a00 3468 0188 c868 34d0  hz@[email protected].
000000a0: 00c8 d01a 6874 d323 40d3 d206 81a1 a680  ....ht.#@.......
000000b0: d0c8 0190 d034 0340 0d00 c800 01a6 991a  .....4.@........
000000c0: 0019 3400 d000 0006 800c 4d1a 0189 a001  ..4.......M.....
000000d0: fc18 2890 6086 162a 8035 6a6b 3d5c 1382  ..(.`..*.5jk=\..
000000e0: 0a38 e6dd 214b 6fa4 3984 0192 256e e084  .8..!Ko.9...%n..
000000f0: ed6b ad67 3318 b07a 005d 0e21 dbd1 fb84  .k.g3..z.].!....
00000100: 770f 055f 0044 3086 8230 d579 2881 afe7  w.._.D0..0.y(...
00000110: 531e 3071 f859 eeae 01aa 1040 75cd 3c5b  S.0q.Y.....@u.<[
00000120: f24a 16b8 34e7 43db 9e73 56a1 3d3d fd90  .J..4.C..sV.==..
00000130: 6bc3 47a5 4c73 af13 a324 5731 b90e 2063  k.G.Ls...$W1.. c
00000140: 45ef fe11 842e 03f9 b063 8f4c fb41 0a32  E........c.L.A.2
00000150: 8fdb 7cea 82a0 ee91 4e05 c610 088e a2da  ..|.....N.......
00000160: 7536 2c72 1701 c248 7ab7 1fef 30f8 142c  u6,r...Hz...0..,
00000170: 0359 539c 5a21 4e94 6a33 9d18 6120 42a0  .YS.Z!N.j3..a B.
00000180: 6471 a01e 42a4 da3b 6eaa 5e7e edc3 f973  dq..B..;n.^~...s
00000190: 2ec7 5009 a7e8 101e a3ac b344 f2bb d9e6  ..P........D....
000001a0: 7bd7 c5fb 18b6 92ac 9fe8 aef4 673c da0c  {...........g<..
000001b0: 0cdb 0440 4869 1bd0 7d84 e1e5 85c2 1a60  ...@Hi..}......`
000001c0: 701c c9ac 50ca adf7 bba9 226f f175 1ec2  p...P....."o.u..
000001d0: 90de 557e ed09 5c3b 1886 84dc f110 24e7  ..U~..\;......$.
000001e0: 871b 6148 f224 fb71 c3d1 1096 4a48 48a2  ..aH.$.q....JHH.
000001f0: 99ea 647b 4f3b ac19 3be6 1cb9 24c3 ce48  ..d{O;..;...$..H
00000200: 829b 0182 07ef fbee dff1 40da 6f5a c7fb  [email protected]..
00000210: 5412 78a9 43dd 2198 d456 3c1f e161 2b1f  T.x.C.!..V<..a+.
00000220: 6e82 f066 70e2 67b8 ec48 d418 3e6a 0ee7  n..fp.g..H..>j..
00000230: 868a 1dcc e7b0 11ee 8b2a 8c53 0009 37f9  .........*.S..7.
00000240: 1017 0d29 485a ec30 cb90 45b8 93ff 1772  ...)HZ.0..E....r
00000250: 4538 5090 5ded 11a8 e965 cb22 3f02 0000  E8P.]....e."?...
bandit12@bandit:/tmp/blink$ xxd -r data.txt data

bandit12@bandit:/tmp/blink$ file data
data: gzip compressed data, was "data2.bin", last modified: Thu Sep  1 06:30:09 2022, max compression, from Unix, original size modulo 2^32 575
bandit12@bandit:/tmp/blink$ mv data data.gz
bandit12@bandit:/tmp/blink$ gunzip -d data.gz

bandit12@bandit:/tmp/blink$ file data
data: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/blink$ mv data data.bz2
bandit12@bandit:/tmp/blink$ bzip2 -d data.bz2

bandit12@bandit:/tmp/blink$ file data
data: gzip compressed data, was "data4.bin", last modified: Thu Sep  1 06:30:09 2022, max compression, from Unix, original size modulo 2^32 20480
bandit12@bandit:/tmp/blink$ mv data data.gz
bandit12@bandit:/tmp/blink$ gunzip -d data.gz

bandit12@bandit:/tmp/blink$ file data
data: POSIX tar archive (GNU)
bandit12@bandit:/tmp/blink$ mv data data.tar
bandit12@bandit:/tmp/blink$ tar -xf data.tar

bandit12@bandit:/tmp/blink$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@bandit:/tmp/blink$ mv data5.bin data5.tar
bandit12@bandit:/tmp/blink$ tar -xf data5.tar

bandit12@bandit:/tmp/blink$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/blink$ mv data6.bin data6.bz2
bandit12@bandit:/tmp/blink$ bzip2 -d data6.bz2

bandit12@bandit:/tmp/blink$ file data6
data6: POSIX tar archive (GNU)
bandit12@bandit:/tmp/blink$ mv data6 data6.tar
bandit12@bandit:/tmp/blink$ tar -xf data6.tar

bandit12@bandit:/tmp/blink$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", last modified: Thu Sep  1 06:30:09 2022, max compression, from Unix, original size modulo 2^32 49
bandit12@bandit:/tmp/blink$ mv data8.bin data8.gz
bandit12@bandit:/tmp/blink$ gunzip -d data8.gz

bandit12@bandit:/tmp/blink$ file data8
data8: ASCII text
bandit12@bandit:/tmp/blink$ cat data8
The password is wbWdlBxEir4CaE8LaPhauuOo6pwRmrDw

The xxd command can be used to convert a file to and from a hexdump - the -r CLI flag will reverse the hexdump process and obtain a file from a hexdump. Then we have several layers of compression which can be compressed using the gunzip, bzip2, and tar commands.

Blink's notebook

Over the Wire - Bandit writeup