Summary

This is my writeup for the wargame Over The Wire Bandit. As I go through this series of problems, I will provide somewhat of a log of how I did it. May even provide why. Not sure. If you have any questions, you may ask me by going to the Contacts page.

Would like to note that this is in progress. May not be finished with the challenge. If you no longer see this, I’m probably done.

Bandit Introductions

The Bandit wargame is aimed at absolute beginners. It will teach the basics needed to be able to play other wargames. If you notice something essential is missing or have ideas for new levels, please let us know!

Note for beginners

This game, like most other games, is organized in levels. You start at Level 0 and try to “beat” or “finish” it. Finishing a level results in information on how to start the next level. The pages on this website for “Level <X>” contain information on how to start level X from the previous level. E.g. the page for Level 1 has information on how to gain access from Level 0 to Level 1. All levels in this game have a page on this website, and they are all linked to from the sidemenu on the left of this page.

You will encounter many situations in which you have no idea what you are supposed to do. Don’t panic! Don’t give up! The purpose of this game is for you to learn the basics. Part of learning the basics, is reading a lot of new information.

There are several things you can try when you are unsure how to continue:

  • First, if you know a command, but don’t know how to use it, try the manual (man page) by entering “man <command>” (without the quotes). E.g. if you know about the “ls” command, type: man ls. The “man” command also has a manual, try it. Press q to quit the man command.
  • Second, if there is no man page, the command might be a shell built-in. In that case use the “help <X>” command. E.g. help cd
  • Also, your favorite search-engine is your friend. Learn how to use it! I recommend Google.
  • Lastly, if you are still stuck, you can join us on IRC

You’re ready to start! Begin with Level 0, linked at the left of this page. Good luck!

Connection Requirements:

  • Protocol/Software Used: SSH
  • Host: bandit.labs.overthewire.org
  • Port 2220

Bandit Level 0:

Level Goal

The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.

Commands you may need to solve this level:

ssh

Solution:

Below are the credentials for Level 0.

  • Username: bandit0
  • Password: bandit0

This is more so just something to get you started. Logged in with the credentials using the following command and moved on to the next level.

n3s0:~/ $ ssh bandit0@bandit.labs.overthewire.org -p 2220

Below is the banner for Bandit. Looks like login was successful.

Linux bandit.otw.local 5.4.8 x86_64 GNU/Linux

      ,----..            ,----,          .---.
     /   /   \         ,/   .`|         /. ./|
    /   .     :      ,`   .'  :     .--'.  ' ;
   .   /   ;.  \   ;    ;     /    /__./ \ : |
  .   ;   /  ` ; .'___,/    ,' .--'.  '   \' .
  ;   |  ; \ ; | |    :     | /___/ \ |    ' '
  |   :  | ; | ' ;    |.';  ; ;   \  \;      :
  .   |  ' ' ' : `----'  |  |  \   ;  `      |
  '   ;  \; /  |     '   :  ;   .   \    .\  ;
   \   \  ',  /      |   |  '    \   \   ' \ |
    ;   :    /       '   :  |     :   '  |--"
     \   \ .'        ;   |.'       \   \ ;
  www. `---` ver     '---' he       '---" ire.org


Welcome to OverTheWire!

Level 0 -> Level 1

Level Goal

The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.

Commands you may need to solve this level

ls, cd, cat, file, du, find

Solution:

I’m already logged in. So, going to check the home directory. Going to need to check for anything in the home directory before I can move on to something else.

bandit0@bandit:~$ ls
readme

Looks like there is a file named readme. It’s possible this will have the password for Level 2. Read the file and it turns out that’s the case.

bandit0@bandit:~$ cat readme
boJ9jbbUNNfktd78OOpsqOltutMc3MY1

Below are the credentials for reaching the next level:

  • Username: bandit1
  • Password: boJ9jbbUNNfktd78OOpsqOltutMc3MY1

Bandit Level 1 -> Level 2

Level Goal

The password for the next level is stored in a file called - located in the home directory

Commands you may need to solve this level

ls, cd, cat, file, du, find

Solution:

In this level, there is a file named - in the home directory. Dashes aren’t usually file names in Linux. If they’re in a file name, they’re usually surrounded by some words. A lone dash is also used by many commands to mean stdin/stdout. Though, using a dash as the filename is perfectly legal.

Logged into Level 1 using the credentials provided and listed the contents of the home directory.

bandit1@bandit:~$ ls -la
total 24
-rw-r-----  1 bandit2 bandit1   33 Oct 16 14:00 -
drwxr-xr-x  2 root    root    4096 Oct 16 14:00 .
drwxr-xr-x 41 root    root    4096 Oct 16 14:00 ..
-rw-r--r--  1 root    root     220 May 15  2017 .bash_logout
-rw-r--r--  1 root    root    3526 May 15  2017 .bashrc
-rw-r--r--  1 root    root     675 May 15  2017 .profile

Looks like the file name in the home directory is indeed (-). I have to figure out how to read it. Looks like the bandit1 user has read permission to the file. The bandit2 user has both read and write permission to the file.

I know I can read the contents of the file. Problem is reading it. Below I show me attempting to read it by putting the file name in quotes. This doesn’t work out too well. The terminal just hangs, because cat treats a lone - as standard input and waits for something to be typed.

bandit1@bandit:~$ cat "-"

Need to end it by pressing CTRL+C. Looks like the best way is to enter the path of the file instead of the bare name. I did this in various ways, all of which can be found below.

bandit1@bandit:~$ cat ./-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
bandit1@bandit:~$ cat ~/-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
bandit1@bandit:~$ cat /home/bandit1/-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

Below are the credentials for the second level.

  • Username: bandit2
  • Password: CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

Bandit Level 2 -> Level 3

Level Goal

The password for the next level is stored in a file called “spaces in this filename” located in the home directory

Commands you may need to solve this level

ls, cd, cat, file, du, find

Solution:

Logged into the game server using the credentials for the bandit2 user. To see what I was looking for I used the ls command and it looks like there is a file with the name “spaces in this filename”.

bandit2@bandit:~$ ls -la
total 24
drwxr-xr-x  2 root    root    4096 Oct 16 14:00 .
drwxr-xr-x 41 root    root    4096 Oct 16 14:00 ..
-rw-r--r--  1 root    root     220 May 15  2017 .bash_logout
-rw-r--r--  1 root    root    3526 May 15  2017 .bashrc
-rw-r--r--  1 root    root     675 May 15  2017 .profile
-rw-r-----  1 bandit3 bandit2   33 Oct 16 14:00 spaces in this filename

Based on what I can see here, the bandit3 user has read and write permissions and the bandit2 user has read permissions. Now time for opening the file and viewing the password. Spaces aren’t that tricky, I just had to escape them so bash treats the whole name as one argument instead of splitting it into several.

bandit2@bandit:~$ cat spaces\ in\ this\ filename
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

There is also another method, which is using double-quotes to read the file:

bandit2@bandit:~$ cat "spaces in this filename"
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

This also tells the shell that this is the full file name. Below is the password provided for Level 3 and the username that will need to be used:

  • Username: bandit3
  • Password: UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

Bandit Level 3 -> Level 4

Level Goal

The password for the next level is stored in a hidden file in the inhere directory.

Commands you may need to solve the level

ls, cd, cat, file, du, find

Solution

To start, I sshed into the level and checked the home directory. There is a directory named inhere, which is owned by root. But, anyone can access it because others have read and execute permissions.

bandit3@bandit:~$ ls -l
total 4
drwxr-xr-x 2 root root 4096 Oct 16 14:00 inhere

Now it is time to look at the contents of the inhere directory, I do this with the ls -la command. There is a file named .hidden in the directory.

bandit3@bandit:~$ ls -la inhere/
total 12
drwxr-xr-x 2 root    root    4096 Oct 16 14:00 .
drwxr-xr-x 3 root    root    4096 Oct 16 14:00 ..
-rw-r----- 1 bandit4 bandit3   33 Oct 16 14:00 .hidden

After changing directories into the inhere directory, I read the file using the following command.

bandit3@bandit:~/inhere$ cat .hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB

This provided the password to the next level, as shown below.

  • Username: bandit4
  • Password: pIwrPrtPN36QITSp3EQaw936yaFoFgAB

Bandit Level 4 -> Level 5

Level Goal

The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.

Commands you may need to solve this level

ls, cd, cat, file, du, find

Solution

Based on the Level Goal, the only human-readable file in the inhere directory contains the password. First I verified where the inhere directory was using the following command.

bandit4@bandit:~$ ls -l
total 4
drwxr-xr-x 2 root root 4096 Oct 16 14:00 inhere

Now it is time to look at the contents of the directory. In the inhere directory, there are ten files. The filetypes of these files could range from binaries to text files. To find the file, you will need to narrow down which files are text files.

bandit4@bandit:~$ ls -laF inhere/
total 48
drwxr-xr-x 2 root    root    4096 Oct 16 14:00 ./
drwxr-xr-x 3 root    root    4096 Oct 16 14:00 ../
-rw-r----- 1 bandit5 bandit4   33 Oct 16 14:00 -file00
-rw-r----- 1 bandit5 bandit4   33 Oct 16 14:00 -file01
-rw-r----- 1 bandit5 bandit4   33 Oct 16 14:00 -file02
-rw-r----- 1 bandit5 bandit4   33 Oct 16 14:00 -file03
-rw-r----- 1 bandit5 bandit4   33 Oct 16 14:00 -file04
-rw-r----- 1 bandit5 bandit4   33 Oct 16 14:00 -file05
-rw-r----- 1 bandit5 bandit4   33 Oct 16 14:00 -file06
-rw-r----- 1 bandit5 bandit4   33 Oct 16 14:00 -file07
-rw-r----- 1 bandit5 bandit4   33 Oct 16 14:00 -file08
-rw-r----- 1 bandit5 bandit4   33 Oct 16 14:00 -file09

The files in the inhere directory are all the same size, so narrowing down the correct file by size is ruled out.

I decided to use the find command to look for the file that contains text. This can be done using the command below.

This command will search through all regular files within the current directory. Then it will execute the file command on all of the files in the directory.

bandit4@bandit:~/inhere$ find . -type f -exec file {} +
./-file09: data
./-file06: data
./-file01: data
./-file02: data
./-file05: data
./-file03: data
./-file08: data
./-file07: ASCII text
./-file04: data
./-file00: data

The file named -file07 is the file that you will need. It is an ASCII text file, meaning it doesn’t contain random characters. Just text. After reading the file with the cat command, the password to the next level is visible.

bandit4@bandit:~/inhere$ cat ./-file07
koReBOKuIDDepwhWk7jZC0RTdopnAYKh

Password to the next level can be seen below.

  • Username: bandit5
  • Password: koReBOKuIDDepwhWk7jZC0RTdopnAYKh

Bandit Level 5 -> Level 6

Level Goal

The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:

  • human-readable
  • 1033 bytes in size
  • not executable

Commands you may need to solve this level

ls, cd, cat, file, du, find

Solution

This was a fun one. The objective of this level was to find a file that is human-readable, 1033 bytes, and not executable. You can do all of this by using the find command, which is a pretty powerful command. It just takes a little reading to find the right options that you want. I would recommend reading its man page.

After sshing into the level, I checked the contents of the home directory of bandit5 for the inhere directory and it was in here.

bandit5@bandit:~$ ls -l
total 4
drwxr-x--- 22 root bandit5 4096 Oct 16 14:00 inhere

Now it’s time to check the contents of the inhere/ directory. There are quite a few directories in there. There are twenty to be exact.

bandit5@bandit:~$ ls -laF inhere/
total 88
drwxr-x--- 22 root bandit5 4096 Oct 16 14:00 ./
drwxr-xr-x  3 root root    4096 Oct 16 14:00 ../
drwxr-x---  2 root bandit5 4096 Oct 16 14:00 maybehere00/
drwxr-x---  2 root bandit5 4096 Oct 16 14:00 maybehere01/
drwxr-x---  2 root bandit5 4096 Oct 16 14:00 maybehere02/
drwxr-x---  2 root bandit5 4096 Oct 16 14:00 maybehere03/
drwxr-x---  2 root bandit5 4096 Oct 16 14:00 maybehere04/
drwxr-x---  2 root bandit5 4096 Oct 16 14:00 maybehere05/
drwxr-x---  2 root bandit5 4096 Oct 16 14:00 maybehere06/
drwxr-x---  2 root bandit5 4096 Oct 16 14:00 maybehere07/
drwxr-x---  2 root bandit5 4096 Oct 16 14:00 maybehere08/
drwxr-x---  2 root bandit5 4096 Oct 16 14:00 maybehere09/
drwxr-x---  2 root bandit5 4096 Oct 16 14:00 maybehere10/
drwxr-x---  2 root bandit5 4096 Oct 16 14:00 maybehere11/
drwxr-x---  2 root bandit5 4096 Oct 16 14:00 maybehere12/
drwxr-x---  2 root bandit5 4096 Oct 16 14:00 maybehere13/
drwxr-x---  2 root bandit5 4096 Oct 16 14:00 maybehere14/
drwxr-x---  2 root bandit5 4096 Oct 16 14:00 maybehere15/
drwxr-x---  2 root bandit5 4096 Oct 16 14:00 maybehere16/
drwxr-x---  2 root bandit5 4096 Oct 16 14:00 maybehere17/
drwxr-x---  2 root bandit5 4096 Oct 16 14:00 maybehere18/
drwxr-x---  2 root bandit5 4096 Oct 16 14:00 maybehere19/

To find the needed file I can use the find command. I did this in the home directory. Filter for regular file types. Set the size to 1033 bytes. To search for those I use the -size flag with c after the desired size. The c in find represents bytes. Then, execute the file command on the leftover results. In this case, it is the only ASCII file that meets those requirements.

The command I used can be found below. Along with the file.

bandit5@bandit:~$ find . -type f -size 1033c -exec file {} \;
./inhere/maybehere07/.file2: ASCII text, with very long lines

The file that contains the password is ./inhere/maybehere07/.file2. To confirm this, I opened the file using the cat command as shown below.

bandit5@bandit:~$ cat ./inhere/maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7

The password to level 6 can be found below.

  • Username: bandit6
  • Password: DXjZPULLxYr17uwoI01bNLQbtFemEgo7

Bandit Level 6 -> Level 7

Level Goal

The password for the next level is stored somewhere on the server and has all of the following properties:

  • owned by user bandit7
  • owned by group bandit6
  • 33 bytes in size

Commands you may need to solve this level

ls, cd, cat, file, du, find, grep

Solution

This challenge is about as simple as the other one. To obtain the password to the next level, I needed to follow the parameters above. I utilized the find command to obtain the name of the file. I needed to sift through some errors. But, it stood out.

Below is the command used and an example of the output used to complete the level.

bandit6@bandit:~$ find / -type f -size 33c -user bandit7 -group bandit6 -exec file {} \;
find: ‘/var/spool/cron/crontabs’: Permission denied
find: ‘/var/log’: Permission denied
find: ‘/var/tmp’: Permission denied
find: ‘/var/cache/ldconfig’: Permission denied
find: ‘/var/cache/apt/archives/partial’: Permission denied
/var/lib/dpkg/info/bandit7.password: ASCII text
find: ‘/var/lib/apt/lists/partial’: Permission denied
find: ‘/var/lib/polkit-1’: Permission denied

As you can tell, there is an ASCII file named bandit7.password that can be read to find the password to level 7. Just read the file and you have the password to the next level.

bandit6@bandit:~$ cat /var/lib/dpkg/info/bandit7.password
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

Credentials for level 7 are below.

  • Username: bandit7
  • Password: HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

Bandit Level 7 -> Level 8

Level Goal

The password for the next level is stored in the file data.txt next to the word millionth

Commands you may need to solve this level

grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

Solution

So, based on the level goal, the password to level 8 is stored in the data.txt file and can be found next to the word millionth. First, let’s see where the file is. The data.txt file is located in the home directory of bandit7.

bandit7@bandit:~$ ls
data.txt

To find the password to the next level, all you need to do is use the grep command on the data.txt file. This will parse through the file and search for the word millionth. Once found, it provided the password in the output.

bandit7@bandit:~$ grep "millionth" data.txt 
millionth	cvX2JJa4CFALtqS87jk27qwqGhBM9plV

Credentials for level 8 are below.

  • Username: bandit8
  • Password: cvX2JJa4CFALtqS87jk27qwqGhBM9plV

Bandit Level 8 -> Level 9

Level Goal

The password for the next level is stored in the file data.txt and is the only line of text that occurs only once

Commands you may need to solve this level

grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

Solution

Based on the level goal, the password for the next level is stored in the data.txt file. The password is the only line of text that occurs once. After logging into the box, I checked the directory to verify that data.txt is in the home directory.

bandit8@bandit:~$ ls
data.txt

To find the password to the next level, I read the data.txt file using the cat command, then piped it through the sort command and the uniq command with the count flag (-c). This one-liner will open up the file, sort it, and count the number of occurrences of each line in the file.

After looking through the data, I found a string that only has a count of one. That is the password for bandit9.

bandit8@bandit:~$ cat data.txt | sort | uniq -c
...
10 tLKyRATtoCuxMR4zZg1Dnlnr3je3bSHe
10 tmzBM5rcV9y7AM1xDHudL2yX9oefGieT
10 tWwjd16fG17vGdjutfOygVTjEGxlijOS
10 uBRx9inQTeaDZAuzEb2MadWXmkH8uW4O
1 UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
10 vBo3qbjNEF2d3meGEkRfc3mKpjtiDz1i
10 VElUBEIhJ4yBgOBSN05WgtV2rF6kkGdz
10 vl9liaz8TKv1enUi0S2REhn01hKjjFIK
10 vVwG2mb8rU8eCuIlBhCJrZJ4GWR35nWY
...

The credentials for level 9 are below.

  • Username: bandit9
  • Password: UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

Bandit Level 9 -> Level 10

Level Goal

The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.

Commands you may need to solve this level

grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

Solution

In this level the objective is to find one of the few human readable strings that begin with several ‘=’ characters. After logging into the lab, I checked the contents of the home directory.

bandit9@bandit:~$ ls
data.txt

To look at the data within the data.txt file, I used the strings command to pull all strings within the file. Then, used the grep command to look for all strings that have a “==”. The password for bandit10 can be found below.

bandit9@bandit:~$ strings data.txt | grep "=="
2========== the
========== password
========== isa
========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk

The credentials for level 10 are below.

  • Username: bandit10
  • Password: truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk

Bandit Level 10 -> Level 11

Level Goal

The password for the next level is stored in the file data.txt, which contains base64 encoded data.

Commands you may need to solve this level

grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

Solution

In this level, you need to decode the base64 string in the data.txt file. After logging in, I have to check the home directory to make sure the data.txt file is in there.

bandit10@bandit:~$ ls
data.txt

Once verified, I read the file to verify that there was a base64 string.

bandit10@bandit:~$ cat data.txt
VGhlIHBhc3N3b3JkIGlzIElGdWt3S0dzRlc4TU9xM0lSRnFyeEUxaHhUTkViVVBSCg==

Now it is time to decode the base64 string by piping the string into the base64 command to decode the string. This outputted the password for the next level.

bandit10@bandit:~$ cat data.txt | base64 -d
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

The credentials for level 11 are below.

  • Username: bandit11
  • Password: IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

Bandit Level 11 -> Level 12

Level Goal

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions.

Commands useful for this level

grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

Solution

To make it to Level 12 it looks like you need to understand a little bit about ROT13.

ROT13 is a substitution cipher. It replaces each letter with the letter 13 positions after it in the alphabet. This is similar to the Caesar cipher. This was sometimes used on different online forums to hide messages intended for certain people. It’s not an effective method of obscuring your message. But people that don’t know it will just ignore it. Maybe.

To start out, I listed the contents of the current directory. Looks like there’s a file named data.txt. Like they said there would be.

bandit11@bandit:~$ ls
data.txt

Opening the file and reading it outputs gibberish. As to be expected with ROT-13.

bandit11@bandit:~$ cat data.txt 
Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh

Read the file again. Only piped it to the tr command. The tr command will translate and delete characters. Basically I just changed the upper and lowercase letters to go from N-Z to A-M. That provided the output below. Which is the password.

bandit11@bandit:~$ cat data.txt | tr '[A-Za-z]' '[N-ZA-Mn-za-m]'
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

Below are the credentials for Level 12.

  • Username: bandit12
  • Password: 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

Bandit Level 12 -> Level 13

Level Goal

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)

Commands useful for this level

grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd, mkdir, cp, mv, file

Solution

The objective of this level is to uncompress the file named data.txt. This file is compressed in multiple ways, using multiple programs. So, this may take some time. But, that’s part of the process sometimes. Will just need to create a script at the end to automate the process later. I will go through the process first.

Going to copy the data.txt file over to the /tmp/n3s0 directory after creating it.

bandit12@bandit:~$ mkdir /tmp/n3s0
bandit12@bandit:~$ cp data.txt /tmp/n3s0

Time to check to see what the file type is using the file command. Looks like it’s an ASCII text file.

bandit12@bandit:/tmp/n3s0$ file data.txt
data.txt: ASCII text

Open up the file and this is really a hex dump. This can be reverted back to the original binary using the xxd command.

bandit12@bandit:/tmp/n3s0$ cat data.txt 
00000000: 1f8b 0808 0650 b45e 0203 6461 7461 322e  .....P.^..data2.
00000010: 6269 6e00 013d 02c2 fd42 5a68 3931 4159  bin..=...BZh91AY
00000020: 2653 598e 4f1c c800 001e 7fff fbf9 7fda  &SY.O...........
00000030: 9e7f 4f76 9fcf fe7d 3fff f67d abde 5e9f  ..Ov...}?..}..^.
00000040: f3fe 9fbf f6f1 feee bfdf a3ff b001 3b1b  ..............;.
00000050: 5481 a1a0 1ea0 1a34 d0d0 001a 68d3 4683  T......4....h.F.
00000060: 4680 0680 0034 1918 4c4d 190c 4000 0001  F....4..LM..@...
00000070: a000 c87a 81a3 464d a8d3 43c5 1068 0346  ...z..FM..C..h.F
00000080: 8343 40d0 3400 0340 66a6 8068 0cd4 f500  .C@.4..@f..h....
00000090: 69ea 6800 0f50 68f2 4d00 680d 06ca 0190  i.h..Ph.M.h.....
000000a0: 0000 69a1 a1a0 1ea0 194d 340d 1ea1 b280  ..i......M4.....
000000b0: f500 3406 2340 034d 3400 0000 3403 d400  ..4.#@.M4...4...
000000c0: 1a07 a832 3400 f51a 0003 43d4 0068 0d34  ...24.....C..h.4
000000d0: 6868 f51a 3d43 2580 3e58 061a 2c89 6bf3  hh..=C%.>X..,.k.
000000e0: 0163 08ab dc31 91cd 1747 599b e401 0b06  .c...1...GY.....
000000f0: a8b1 7255 a3b2 9cf9 75cc f106 941b 347a  ..rU....u.....4z
00000100: d616 55cc 2ef2 9d46 e7d1 3050 b5fb 76eb  ..U....F..0P..v.
00000110: 01f8 60c1 2201 33f0 0de0 4aa6 ec8c 914f  ..`.".3...J....O
00000120: cf8a aed5 7b52 4270 8d51 6978 c159 8b5a  ....{RBp.Qix.Y.Z
00000130: 2164 fb1f c26a 8d28 b414 e690 bfdd b3e1  !d...j.(........
00000140: f414 2f9e d041 c523 b641 ac08 0c0b 06f5  ../..A.#.A......
00000150: dd64 b862 1158 3f9e 897a 8cae 32b0 1fb7  .d.b.X?..z..2...
00000160: 3c82 af41 20fd 6e7d 0a35 2833 41bd de0c  <..A .n}.5(3A...
00000170: 774f ae52 a1ac 0fb2 8c36 ef58 537b f30a  wO.R.....6.XS{..
00000180: 1510 cab5 cb51 4231 95a4 d045 b95c ea09  .....QB1...E.\..
00000190: 9fa0 4d33 ba43 22c9 b5be d0ea eeb7 ec85  ..M3.C".........
000001a0: 59fc 8bf1 97a0 87a5 0df0 7acd d555 fc11  Y.........z..U..
000001b0: 223f fdc6 2be3 e809 c974 271a 920e acbc  "?..+....t'.....
000001c0: 0de1 f1a6 393f 4cf5 50eb 7942 86c3 3d7a  ....9?L.P.yB..=z
000001d0: fe6d 173f a84c bb4e 742a fc37 7b71 508a  .m.?.L.Nt*.7{qP.
000001e0: a2cc 9cf1 2522 8a77 39f2 716d 34f9 8620  ....%".w9.qm4.. 
000001f0: 4e33 ca36 eec0 cd4b b3e8 48e4 8b91 5bea  N3.6...K..H...[.
00000200: 01bf 7d21 0b64 82c0 3341 3424 e98b 4d7e  ..}!.d..3A4$..M~
00000210: c95c 1b1f cac9 a04a 1988 43b2 6b55 c6a6  .\.....J..C.kU..
00000220: 075c 1eb4 8ecf 5cdf 4653 064e 84da 263d  .\....\.FS.N..&=
00000230: b15b bcea 7109 5c29 c524 3afc d715 4894  .[..q.\).$:...H.
00000240: 7426 072f fc28 ab05 9603 b3fc 5dc9 14e1  t&./.(......]...
00000250: 4242 393c 7320 98f7 681d 3d02 0000       BB9<s ..h.=...

Looks like the file name is data2.bin in the header of the file. So, I’ll name it that. Used the xxd command with the revert (-r) flag to revert it back to its original file. Checked the contents of the current directory and it has data2.bin.

bandit12@bandit:/tmp/n3s0$ xxd -r data.txt data2.bin
bandit12@bandit:/tmp/n3s0$ ls
data2.bin  data.txt

To verify, I used the file command and it looks like data2.bin is a file compressed using gzip.

bandit12@bandit:/tmp/n3s0$ file data2.bin 
data2.bin: gzip compressed data, was "data2.bin", last modified: Thu May  7 18:14:30 2020, max compression, from Unix

I have to change the file name to data2.gz, otherwise gunzip will not recognize it. After doing so, I use the gunzip command to decompress the file. Based on the data below, its name is data2.

bandit12@bandit:/tmp/n3s0$ mv data2.bin data2.gz
bandit12@bandit:/tmp/n3s0$ gunzip data2.gz
bandit12@bandit:/tmp/n3s0$ ls -la
total 844
drwxr-sr-x    2 bandit12 root   4096 Mar 14 06:07 .
drwxrws-wt 5986 root     root 847872 Mar 14 06:07 ..
-rw-r--r--    1 bandit12 root    573 Mar 14 05:38 data2
-rw-r-----    1 bandit12 root   2582 Mar 14 05:34 data.txt

Checked the file data2 using the file command to obtain the file type. Looks like bzip2 (block-sorting file compressor) was used to compress it.

bandit12@bandit:/tmp/n3s0$ file data2
data2: bzip2 compressed data, block size = 900k

Used the bzip2 command to decompress the file and it’s unable to determine what the original file name is. So, it outputs a file named data2.out.

bandit12@bandit:/tmp/n3s0$ bzip2 -d data2
bzip2: Can't guess original name for data2 -- using data2.out

I use the file command and it looks like the file was compressed using gzip.

bandit12@bandit:/tmp/n3s0$ file data2.out 
data2.out: gzip compressed data, was "data4.bin", last modified: Thu May  7 18:14:30 2020, max compression, from Unix

I change the name from data2.out to data2.gz and unzip the file using gunzip.

bandit12@bandit:/tmp/n3s0$ mv data2.out data2.gz
bandit12@bandit:/tmp/n3s0$ gunzip data2.gz

Looks like the file that has been decompressed is named data2.

bandit12@bandit:/tmp/n3s0$ ls
data2  data.txt

I use the file command to check the new file and it looks like it’s a tar archive.

bandit12@bandit:/tmp/n3s0$ file data2
data2: POSIX tar archive (GNU)

I use the tar command with the -xf flags to extract the file from the archive and to specify the archive’s name. Looks like the next file that has been extracted is named data5.bin.

bandit12@bandit:/tmp/n3s0$ tar -xf data2
bandit12@bandit:/tmp/n3s0$ ls
data2  data5.bin  data.txt

Checked the file again and it looks like it’s a tar archive. Again.

bandit12@bandit:/tmp/n3s0$ file data5.bin
data5.bin: POSIX tar archive (GNU)

Extracted the data6.bin file from the tar archive using the tar command with the -xf flags again.

bandit12@bandit:/tmp/n3s0$ tar -xf data5.bin
bandit12@bandit:/tmp/n3s0$ ls
data2  data5.bin  data6.bin  data.txt

Looks like the data6.bin file was compressed using bzip2.

bandit12@bandit:/tmp/n3s0$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k

Extracted the file using the bzip2 command with the decompression flag -d. It didn’t know what the name of the file housed in it was. So, bzip2 exported a file named data6.bin.out.

bandit12@bandit:/tmp/n3s0$ bzip2 -d data6.bin
bzip2: Can't guess original name for data6.bin -- using data6.bin.out
bandit12@bandit:/tmp/n3s0$ ls
data2  data5.bin  data6.bin.out  data.txt

Checked the file type of data6.bin.out. Looks like it’s another tar archive.

bandit12@bandit:/tmp/n3s0$ file data6.bin.out
data6.bin.out: POSIX tar archive (GNU)

Extracted the file named data8.bin from the file using the tar command with the extraction and file flags. (-xf)

bandit12@bandit:/tmp/n3s0$ tar -xf data6.bin.out
bandit12@bandit:/tmp/n3s0$ ls
data2  data5.bin  data6.bin.out  data8.bin  data.txt

Looks like data8.bin file has data9.bin in it and the current file is another gzip compressed file.

bandit12@bandit:/tmp/n3s0$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", last modified: Thu May  7 18:14:30 2020, max compression, from Unix

Needed to rename the file to data8.gz and extract the file using the gunzip command. This exported the file named data8.

bandit12@bandit:/tmp/n3s0$ mv data8.bin data8.gz
bandit12@bandit:/tmp/n3s0$ gunzip data8.gz 
bandit12@bandit:/tmp/n3s0$ ls
data2  data5.bin  data6.bin.out  data8  data.txt

Checked the file using the file command and it looks like we’ve finally hit the end of the road. It’s an ASCII text file.

bandit12@bandit:/tmp/n3s0$ file data8
data8: ASCII text

Neat. Looks like we now have the password for Level 13 after reading the file named data8.

bandit12@bandit:/tmp/n3s0$ cat data8
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

Below are the credentials for Level 13.

  • Username: bandit13
  • Password: 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
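
The automation script mentioned at the start of this level could look like the following. It is an added example, not code from the original writeup: it recognises each layer by its magic bytes (the same 1f8b and BZh values visible in the hexdump above) instead of calling file, and it runs on a constructed sample with made-up member names and a made-up secret.

```python
"""Peel hexdump/gzip/bzip2/tar layers by magic bytes (added example, constructed data)."""
import bz2
import gzip
import io
import re
import tarfile

HEXDUMP_LINE = re.compile(rb"^[0-9a-f]{8}: [0-9a-f]{2}")   # xxd offset column


def identify(blob: bytes) -> str:
    """Classify a blob by its leading bytes, roughly as `file` does."""
    if blob.startswith(b"\x1f\x8b"):        # gzip: the "1f8b" that opens the dump
        return "gzip"
    if blob.startswith(b"BZh"):             # bzip2: "BZh91AY" in the ASCII column
        return "bzip2"
    if blob[257:262] == b"ustar":           # tar magic lives at offset 257
        return "tar"
    if HEXDUMP_LINE.match(blob):
        return "hexdump"
    if blob and all(32 <= b < 127 or b in b"\t\r\n" for b in blob):
        return "text"
    return "data"


def unhexdump(dump: bytes) -> bytes:
    """Reverse xxd output (what `xxd -r` does): keep only the hex column."""
    out = bytearray()
    for line in dump.splitlines():
        if b":" not in line:
            continue
        hex_column = line.split(b":", 1)[1].lstrip().split(b"  ", 1)[0]
        out += bytes.fromhex(hex_column.decode("ascii"))
    return bytes(out)


def peel(blob: bytes, max_layers: int = 32):
    """Strip layers until text or unknown data remains; return (layers, payload)."""
    layers = []
    for _ in range(max_layers):             # bounded, so hostile input cannot loop forever
        kind = identify(blob)
        if kind == "hexdump":
            blob = unhexdump(blob)
        elif kind in ("gzip", "bzip2"):
            blob = (gzip if kind == "gzip" else bz2).decompress(blob)
        elif kind == "tar":
            # Read the member in memory; nothing is written to a path the archive names.
            with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as tar:
                members = [m for m in tar.getmembers() if m.isfile()]
                if len(members) != 1:
                    raise ValueError("expected exactly one file in the archive")
                blob = tar.extractfile(members[0]).read()
        else:
            return layers, blob
        layers.append(kind)
    raise ValueError("too many layers")


def hexdump(blob: bytes) -> bytes:
    """Produce xxd-style lines (only used to build the constructed sample)."""
    lines = []
    for off in range(0, len(blob), 16):
        chunk = blob[off:off + 16]
        digits = chunk.hex()
        groups = " ".join(digits[i:i + 4] for i in range(0, len(digits), 4))
        ascii_col = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {groups:<39}  {ascii_col}")
    return ("\n".join(lines) + "\n").encode("ascii")


def tar_wrap(name: str, payload: bytes) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        info = tarfile.TarInfo(name)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def build_sample(secret: bytes) -> bytes:
    """Constructed input using the layer order found in the walkthrough."""
    blob = gzip.compress(secret)
    blob = tar_wrap("layer_c.bin", blob)     # member names are made up
    blob = bz2.compress(blob)
    blob = tar_wrap("layer_b.bin", blob)
    blob = tar_wrap("layer_a.bin", blob)
    blob = gzip.compress(bz2.compress(gzip.compress(blob)))
    return hexdump(blob)


if __name__ == "__main__":
    found_layers, payload = peel(build_sample(b"The password is CONSTRUCTED-EXAMPLE\n"))
    print(" -> ".join(found_layers))
    print(payload.decode())
```

Because every layer is decoded in memory, no file renaming to .gz is needed and an archive cannot place files outside the working directory.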

Bandit Level 13 -> Level 14

Level Goal

The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on.

Commands useful for this level

ssh, telnet, nc, openssl, s_client, nmap

Solution

The objective of this challenge is to use the private key stored in the home directory of bandit13 to connect as the user bandit14. This can be done on localhost. To begin, I need to make sure the file is in the home directory. Looks like there’s a file named sshkey.private in the home directory of bandit13.

bandit13@bandit:~$ ls -l
total 4
-rw-r----- 1 bandit14 bandit13 1679 May  7  2020 sshkey.private

To connect to the user account for bandit14, I use the ssh command in the following way. The -i flag allows me to specify the path to the identity (private key) file. Unless the private key file is protected with a passphrase, anyone who has the file can enter a system using ssh without a password. It is generally good practice to protect your private key file with a passphrase and load it into ssh-agent.

If you’d like to learn a little more about ssh, I would recommend its manual page or the following books:

bandit13@bandit:~$ ssh -i sshkey.private bandit14@localhost
Could not create directory '/home/bandit13/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit13/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

Linux bandit.otw.local 5.4.8 x86_64 GNU/Linux

      ,----..            ,----,          .---.
     /   /   \         ,/   .`|         /. ./|
    /   .     :      ,`   .'  :     .--'.  ' ;
   .   /   ;.  \   ;    ;     /    /__./ \ : |
  .   ;   /  ` ; .'___,/    ,' .--'.  '   \' .
  ;   |  ; \ ; | |    :     | /___/ \ |    ' '
  |   :  | ; | ' ;    |.';  ; ;   \  \;      :
  .   |  ' ' ' : `----'  |  |  \   ;  `      |
  '   ;  \; /  |     '   :  ;   .   \    .\  ;
   \   \  ',  /      |   |  '    \   \   ' \ |
    ;   :    /       '   :  |     :   '  |--"
     \   \ .'        ;   |.'       \   \ ;
  www. `---` ver     '---' he       '---" ire.org


Welcome to OverTheWire!

Looks like I’m logged in as the bandit14 user. The goal of this level states that the password is stored in /etc/bandit_pass/bandit14. I read this file and it provides the password for the bandit14 user.

bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

Below is the password for the next level.

  • Username: bandit14
  • Password: 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
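
The point made in this level about unprotected private keys can be checked mechanically. The following is an added example, not part of the original writeup: it classifies a key file as passphrase-protected or not and flags group/other permission bits such as the -rw-r----- shown in the listing. The function names and the sample keys are hypothetical and constructed for illustration.

```python
import base64
import os
import stat

OPENSSH_MAGIC = b"openssh-key-v1\x00"
def key_protection(pem_text):
    """Classify a PEM private key as 'encrypted', 'unencrypted' or 'unknown'."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN "):
        return "unknown"
    label = lines[0][len("-----BEGIN "):].rstrip("-")
    if label == "ENCRYPTED PRIVATE KEY":      # PKCS#8 encrypted container
        return "encrypted"
    if label == "OPENSSH PRIVATE KEY":        # OpenSSH native format
        try:
            blob = base64.b64decode("".join(lines[1:-1]))
        except ValueError:
            return "unknown"
        rest = blob[len(OPENSSH_MAGIC):] if blob.startswith(OPENSSH_MAGIC) else b""
        n = int.from_bytes(rest[:4], "big")   # length of the cipher-name string
        cipher = rest[4:4 + n]
        if n == 0 or len(cipher) != n:
            return "unknown"
        return "unencrypted" if cipher == b"none" else "encrypted"
    if label.endswith("PRIVATE KEY"):         # legacy PEM (RSA/EC/DSA) or plain PKCS#8
        enc = any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)
        return "encrypted" if enc else "unencrypted"
    return "unknown"

def audit_key_file(path):
    """Return a list of findings for one private key file (empty list = ok)."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:04o} lets group/other access the key")
    with open(path, "r", errors="replace") as fh:
        state = key_protection(fh.read())
    if state == "unencrypted":
        findings.append("no passphrase: holding the file is enough to log in")
    elif state == "unknown":
        findings.append("not a recognised private key format")
    return findings

# Constructed samples (not real keys): only the framing the check reads.
SAMPLE_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nQUJD\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_ENC = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              "DEK-Info: AES-128-CBC,00\n\nQUJD\n-----END RSA PRIVATE KEY-----\n")
if __name__ == "__main__":
    print(key_protection(SAMPLE_PLAIN), key_protection(SAMPLE_ENC))
```

Run against a directory of keys, `audit_key_file` returns an empty list only for files that are both passphrase-protected and readable by their owner alone.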

Bandit Level 14 -> Level 15

Level Goal

The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

Commands useful for this level

ssh, telnet, nc, openssl, s_client, nmap

Solution

To finish this challenge, I connected to the socket listening on localhost:30000 using Netcat. I pasted the password for bandit14 and out came the password.

bandit14@bandit:~$ nc localhost 30000
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e        
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr

Below are the username and password for Level 15

  • Username: bandit15
  • Password: BfMYroe26WYalil77FoDi9qh59eK5xNr

Bandit Level 15 -> Level 16

Level Goal

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…

Commands useful for this level

ssh, telnet, nc, openssl, s_client, nmap

Solution

It looks like the bandit16 user’s password can be obtained by connecting to port 30001 on localhost using TLS and submitting the bandit15 user’s password. So, I use OpenSSL to connect and provide the password. The service then returns a new password that can be used to advance to the next level.

To do this I used the openssl command with the standard command s_client to connect to localhost on port 30001.

bandit15@bandit:~$ openssl s_client -connect localhost:30001

The output below shows that I connected successfully and that the SSL/TLS handshake took place. Once I provided the password for the bandit15 user, the service returned the password for bandit16.

CONNECTED(00000003)
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
---
Certificate chain
 0 s:/CN=localhost
   i:/CN=localhost
---
Server certificate
subject=/CN=localhost
issuer=/CN=localhost
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1019 bytes and written 269 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 75B3D7B9DC9410386B8075FC83509A5029C4D38B23DE8892852620CEC6ABC90E
    Session-ID-ctx: 
    Master-Key: C5B1E59305A3D6E76FC7E83109B79A7D7676459188FA8B7A63CFC282B5908C69CBA171384BC486C44024DB5A972FD22B
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1616307407
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: yes
---
BfMYroe26WYalil77FoDi9qh59eK5xNr
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd

closed
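
The s_client output above carries more than "the handshake took place": it also records that the certificate failed verification and how large the server key is. The following is an added example, not part of the original writeup, that pulls those fields out of a transcript and turns them into findings; the function names and the 2048-bit threshold are choices made for this example.

```python
import re

# Lines taken from the s_client output on this page (certificate and ticket left out).
TRANSCRIPT = """\
CONNECTED(00000003)
verify error:num=18:self signed certificate
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 18 (self signed certificate)
"""

PATTERNS = {
    "protocol": r"^\s*Protocol\s*:\s*(\S+)",
    "cipher": r"^\s*Cipher\s*:\s*(\S+)",
    "key_bits": r"^Server public key is (\d+) bit",
    "verify_code": r"^\s*Verify return code: (\d+)",
    "verify_text": r"^\s*Verify return code: \d+ \((.*)\)",
}

def parse_s_client(text):
    """Extract the negotiated parameters from `openssl s_client` output."""
    info = {}
    for name, pattern in PATTERNS.items():
        m = re.search(pattern, text, re.MULTILINE)
        info[name] = m.group(1) if m else None
    for name in ("key_bits", "verify_code"):
        if info[name] is not None:
            info[name] = int(info[name])
    return info

def review(info):
    """Turn parsed values into findings; the thresholds are this example's choice."""
    notes = []
    if info["verify_code"] is None:
        notes.append("no verification result in transcript")
    elif info["verify_code"] != 0:
        notes.append(f"peer not authenticated: code {info['verify_code']} ({info['verify_text']})")
    if info["key_bits"] and "RSA" in (info["cipher"] or "") and info["key_bits"] < 2048:
        notes.append(f"{info['key_bits']}-bit RSA server key is below 2048 bits")
    if info["protocol"] in ("SSLv3", "TLSv1", "TLSv1.1"):
        notes.append(f"deprecated protocol {info['protocol']}")
    return notes

if __name__ == "__main__":
    for note in review(parse_s_client(TRANSCRIPT)):
        print(note)
```

By default s_client continues the handshake after a certificate verification error, so a completed session is not evidence that the server was authenticated; the verify return code is.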

Username and password for the next level can be found below.

  • Username: bandit16
  • Password: cluFn7wTiGryunymYOu4RcffSxQluehd