Description:
OverTheWire Bandit is a series of wargames hosted on the OverTheWire website. These wargames are designed to help users learn and practice basic Linux commands and system security concepts in a hands-on, interactive environment.
The Bandit wargame consists of multiple levels, each of which presents a different challenge or puzzle related to system exploitation, privilege escalation, or other security-related tasks. As players progress through the levels, they encounter increasingly complex scenarios that require them to apply their knowledge of Linux commands, scripting, and security principles to solve.
Bandit is a great resource for beginners to gain practical experience in cybersecurity and Linux system administration. It provides a safe and controlled environment for learning, allowing users to experiment and make mistakes without causing harm to real systems.
“Throughout this journey, we’ll start by practicing basic Linux commands and gradually advance to more complex ones. With each step, we’ll uncover the key to the next challenge, honing our skills and deepening our understanding of system security. So let’s gear up, embrace the thrill of exploration, and embark on this exhilarating quest towards mastery!”
LEVEL 0
“The credentials for the first step in Bandit are defined: bandit0 as username and bandit.labs.overthewire.org as host on the port 2220. We will utilize these credentials to establish an SSH connection and obtain our initial key”.
ssh bandit0@bandit.labs.overthewire.org -p 2220
LEVEL 0–1
“Let’s dive in and initiate our journey by accessing the system to unlock the secrets of the first challenge”.
NH2SXQwcBdpmTEzi3bvBHMM9H66vVXjL
“Additionally, we can execute the following command, and we’ll complete the rest of our journey using it, which keeps the process more organized, formal, and readable”.
#This command writes the string "bandit0" to a file named "passlvl0".
#The ">" operator redirects the output of the echo command (which prints "bandit0") to a file named "passlvl0".
echo bandit0 > passlvl0
#sshpass: a utility for performing SSH password authentication non-interactively. It allows you to specify the password on the command line.
#-p $(cat passlvl0): an argument to sshpass. The command substitution $(...) reads the password from the file "passlvl0" with cat and passes it to sshpass.
#Note that a password passed with -p is visible to other local users in the process list while the command runs.
#ssh bandit0@bandit.labs.overthewire.org -p 2220: initiates an SSH connection to the server "bandit.labs.overthewire.org" on port 2220 (instead of the default port 22).
#bandit0@: specifies the username to be used for the SSH connection. In this case, it's "bandit0".
sshpass -p $(cat passlvl0) ssh bandit0@bandit.labs.overthewire.org -p 2220
echo bandit0 > passlvl0 ; sshpass -p $(cat passlvl0) ssh bandit0@bandit.labs.overthewire.org -p 2220
“The readme file holds the next challenge key; just type ls and then cat readme”.
NH2SXQwcBdpmTEzi3bvBHMM9H66vVXjL
LEVEL 1–2
“Using this key as passcode, proceed to connect with the next Bandit account, bandit1”.
echo NH2SXQwcBdpmTEzi3bvBHMM9H66vVXjL > passlvl1 ; sshpass -p $(cat passlvl1) ssh bandit1@bandit.labs.overthewire.org -p 2220
“We’ve located a folder, but it’s named differently and can’t be opened directly; to access it, we’ll prefix the name with './’”.
rRGizSaX8Mk1RTb1CNQoXTcYZWU6lgzi
LEVEL 2–3
“Next, ...”.
echo rRGizSaX8Mk1RTb1CNQoXTcYZWU6lgzi > passlvl2 ; sshpass -p $(cat passlvl2) ssh bandit2@bandit.labs.overthewire.org -p 2220
“The challenge here is the file name containing spaces, rendering it unopenable with conventional commands, so we can use cat *”.
aBZ0W5EmUfAf7kHTQeOwd8bauFJ2lAiG
OR
“We can circumvent the issue of spaces in the filename by using the backslash '\’ before each space to escape them”.
cat spaces\ in\ this\ filename
LEVEL 3–4
“Next, ...”.
echo aBZ0W5EmUfAf7kHTQeOwd8bauFJ2lAiG > passlvl3 ; sshpass -p $(cat passlvl3) ssh bandit3@bandit.labs.overthewire.org -p 2220
“The challenge here is to uncover the hidden folder named .hidden by utilizing the ls -la command; the -a switch shows all files, including hidden ones, and the -l switch displays detailed information about each file or directory”.
2EW7BBsr6aMMoJ2HjW067dm8EgX26xNe
LEVEL 4–5
“Next, ...”.
echo 2EW7BBsr6aMMoJ2HjW067dm8EgX26xNe > passlvl4 ; sshpass -p $(cat passlvl4) ssh bandit4@bandit.labs.overthewire.org -p 2220
“In this challenge, we encounter 9 files with the first character being '-’. While we can open them using ./filename, there’s a catch: manually opening 9 files is impractical. Thus, we’ll employ a Bash script to automate the process and identify which file contains the key”.
for i in ./*; do file "$i"; done
“File7 contains ASCII text, indicating that our secret key is located within it”.
lrIWWI6bB37kxfiCQZqUdOIYfr6eEeqR
LEVEL 5–6
“Next, ...”.
echo lrIWWI6bB37kxfiCQZqUdOIYfr6eEeqR > passlvl5 ; sshpass -p $(cat passlvl5) ssh bandit5@bandit.labs.overthewire.org -p 2220
“In this challenge, we’re provided with 17 folders and instructed that the password for the next level is stored in a file within the inhere directory. The file must meet these criteria: it’s human-readable, 1033 bytes in size, and not executable. To locate it, we’ll execute the command:”
find . -readable -size 1033c -not -executable
“To search through all directories for files that are readable, have a size of 1033 bytes, and are not executable”.
P4L4vucdmLnm8I7Vl7jG1ApGSfjYKqJU
LEVEL 6–7
“Next, ...”.
echo P4L4vucdmLnm8I7Vl7jG1ApGSfjYKqJU > passlvl6 ; sshpass -p $(cat passlvl6) ssh bandit6@bandit.labs.overthewire.org -p 2220
“In this challenge, we’ll search for the password for the next level, which is stored somewhere on the server. The password file must meet some criteria, so we’ll execute the command:”
find / -user bandit7 -group bandit6 -size 33c
“To search through all directories starting from the root for files owned by user bandit7, owned by group bandit6, and with a size of 33 bytes” .
“We’ve discovered /var/lib/dpkg/info/bandit7.password without permission restrictions”.
z7WtoNQU2XfjmMtWA8u5rN4vzqu4v99S
OR
“We can use 2> /dev/null”.
find / -user bandit7 -group bandit6 -size 33c 2> /dev/null
“to discard the error messages that find prints for every directory with restricted permissions, leaving only the matching file in the output”.
LEVEL 7–8
“Next, ...”.
echo z7WtoNQU2XfjmMtWA8u5rN4vzqu4v99S > passlvl7 ; sshpass -p $(cat passlvl7) ssh bandit7@bandit.labs.overthewire.org -p 2220
“In this challenge, the password for the next level is stored in the file data.txt next to the word millionth”.
cat data.txt
“Since manually locating the key is impractical due to the numerous lines, we’ll utilize the grep command to filter the lines and focus solely on the line containing millionth, with the pipe ‘|’ chaining the two commands so that the output of cat becomes the input of grep”.
cat data.txt | grep "millionth"
TESKZC0XvTetK0S9xNwm25STk5iWrBvP
LEVEL 8–9
“Next, ...”.
echo TESKZC0XvTetK0S9xNwm25STk5iWrBvP > passlvl8 ; sshpass -p $(cat passlvl8) ssh bandit8@bandit.labs.overthewire.org -p 2220
“In this challenge, the password for the next level is stored in the file data.txt, and it’s the only line of text that occurs once”.
“To find it, we’ll first sort the content, then use the uniq command with the -u option to display only the key that appears once. When used with uniq, -u prints only lines that are not repeated in the input. The sort step is needed because uniq only compares adjacent lines”.
sort data.txt | uniq -u
EN632PlfYiZbn3PhVK3XOGSlNInNE00t
LEVEL 9–10
“Next, ...”.
echo EN632PlfYiZbn3PhVK3XOGSlNInNE00t > passlvl9 ; sshpass -p $(cat passlvl9) ssh bandit9@bandit.labs.overthewire.org -p 2220
“The password for the next level is stored in the file data.txt within one of the few human-readable strings, which are preceded by several = characters. To find it, we’ll use the strings command to display all human-readable strings in the file and then locate our key”.
strings data.txt | grep ==
“Subsequently, we’ll use grep to filter lines, displaying only those containing ==”.
G7w8LIi6J3kTb8A7j9LgrywtEUlyyp6s
LEVEL 10–11
“Next, ...”.
echo G7w8LIi6J3kTb8A7j9LgrywtEUlyyp6s > passlvl10 ; sshpass -p $(cat passlvl10) ssh bandit10@bandit.labs.overthewire.org -p 2220
“In level 10, the passcode is stored in the file data.txt, which contains base64 encoded data. Our objective is to decode this data and unveil the key”.
cat data.txt | base64 -d
“So, we’ll use the base64 command with the -d option to decode the key”.
6zPeziLdR2RKNdNYFNb6nVCKzphlXHBM
LEVEL 11–12
“Next, ...”.
echo 6zPeziLdR2RKNdNYFNb6nVCKzphlXHBM > passlvl11 ; sshpass -p $(cat passlvl11) ssh bandit11@bandit.labs.overthewire.org -p 2220
“In this task, the key is encoded with ROT13, meaning it has been rotated by 13 positions. To decode it, we’ll use an online ROT13 decoder tool”.
JVNBBFSmZwKKOP0XbFXOoW8chDz5yVRv
LEVEL 12–13
“Next, ...”.
echo JVNBBFSmZwKKOP0XbFXOoW8chDz5yVRv > passlvl12 ; sshpass -p $(cat passlvl12) ssh bandit12@bandit.labs.overthewire.org -p 2220
“Our task involves dealing with a multi-layered zipped file, where we’ll explore diverse methods to unzip it”.
xxd -r data2.txt > data
mv data file.gz
gzip -d file.gz
mv file data.bz2
bzip2 -d data.bz2
mv data file.gz
gzip -d file.gz
mv file data.tar
tar xf data.tar
mv data5.bin data.tar
tar xf data.tar
mv data6.bin file.bz2
bzip2 -d file.bz2
mv file data.tar
tar xf data.tar
mv data8.bin file.gz
gzip -d file.gz
cat file
wbWdlBxEir4CaE8LaPhauuOo6pwRmrDw
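The manual rename-and-decompress sequence above can be automated by checking each layer's magic bytes. The script below is an added example, not part of the original walkthrough; the function names layer_type and peel, the 32-layer limit and the one-member-per-archive assumption are choices made for this illustration.

```shell
#!/bin/sh
# Added example (not from the original write-up): peel nested gzip/bzip2/tar layers.

# Print the container type of file $1, judged by magic bytes: gzip, bzip2, tar or data.
layer_type() {
    magic=$(od -An -tx1 -N3 "$1" | tr -d ' \n')
    case "$magic" in
        1f8b*)  echo gzip;  return ;;
        425a68) echo bzip2; return ;;
    esac
    # tar archives carry the string "ustar" at byte offset 257
    if [ "$(dd if="$1" bs=1 skip=257 count=5 2>/dev/null | tr -d '\000')" = "ustar" ]; then
        echo tar
    else
        echo data
    fi
}

# Unwrap file $1 inside a private temp directory and print the innermost payload.
peel() {
    work=$(mktemp -d) || return 1
    cp "$1" "$work/cur" || { rm -rf "$work"; return 1; }
    layers=0
    while [ "$layers" -lt 32 ]; do      # bound the loop: untrusted input may nest forever
        case "$(layer_type "$work/cur")" in
            gzip)  gzip -dc  < "$work/cur" > "$work/next" || break ;;
            bzip2) bzip2 -dc < "$work/cur" > "$work/next" || break ;;
            tar)   # assumption: one member per archive, as in this level; -O streams it
                   # to stdout, so member paths are never written to disk
                   member=$(tar -tf "$work/cur" | head -n 1)
                   tar -xOf "$work/cur" "$member" > "$work/next" || break ;;
            data)  cat "$work/cur"; rm -rf "$work"; return 0 ;;
        esac
        mv "$work/next" "$work/cur"
        layers=$((layers + 1))
    done
    rm -rf "$work"
    return 1
}

# Usage: sh peel.sh <file produced by xxd -r>
if [ "$#" -gt 0 ]; then peel "$1"; fi
```

Run it on the binary file produced by the xxd -r step; the innermost text is printed once no further gzip, bzip2 or tar layer is recognised.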
LEVEL 13–14
“Next, ...”.
echo wbWdlBxEir4CaE8LaPhauuOo6pwRmrDw > passlvl13 ; sshpass -p $(cat passlvl13) ssh bandit13@bandit.labs.overthewire.org -p 2220
“In this challenge, our objective is to access the bandit14 user. To achieve this, we’ll utilize the sshkey.private file as key to establish a connection to localhost as the bandit14 user”.
ssh bandit14@localhost -p 2220 -i sshkey.private
“After gaining access to the bandit14 user, we’ll navigate to /etc/bandit_pass/bandit14 to retrieve the password, since it’s inaccessible to bandit13”.
“And we did it !! ”.
fGrHPx402xGC7U7rXKDaxiWFTOiF0ENq
LEVEL 14–15
“Next, to retrieve the password for the next level, we’ll submit the password of the current level to port 30000 on localhost using the netcat command. This will open a session with localhost, and upon submitting the last key from the previous task, we’ll receive the new key”.
nc 127.0.0.1 30000
jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt
LEVEL 15–16
“Next, ...”.
echo jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt > passlvl15 ; sshpass -p $(cat passlvl15) ssh bandit15@bandit.labs.overthewire.org -p 2220
“Similar to the previous task, the password for the next level can be obtained by submitting the current level’s password to port 30001 on localhost, but this time using SSL. We’ll accomplish this using the command:”
openssl s_client -connect localhost:30001
“And then submit the key”.
JQttfApK4SeyHwDlI9SXGR50qclOAil1
LEVEL 16–17
“Next, ...”.
echo JQttfApK4SeyHwDlI9SXGR50qclOAil1 > passlvl16 ; sshpass -p $(cat passlvl16) ssh bandit16@bandit.labs.overthewire.org -p 2220
“The credentials for the next level can be obtained by submitting the current level’s password to a port on localhost within the range of 31000 to 32000. Firstly, we’ll use nmap to identify which ports within this range have a server listening on them. Subsequently, we’ll determine which of these open ports use SSL and which do not. Ultimately, only one server will provide us with the next credentials. We used the -p option to specify the port range, -sV to retrieve the service version running on each port, and -T4 to use a moderately aggressive timing template (the default is -T3)”.
nmap -p 31046,31518,31691,31790,31960 localhost -sV -T4
“As you can see, we’ve identified two ports: 31518 and 31790. Port 31518 is running SSL/ECHO. Let’s attempt to connect to it to verify if it’s the correct one”.
openssl s_client -connect localhost:31518
“Unfortunately, port 31518 wasn’t the correct one”.
“Let’s try connecting to port 31790”.
openssl s_client -connect localhost:31790
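“Wow, this time when we submitted the key, it provided us with an RSA private key”.
“We’ll save this key into a file. Keep in mind that ssh refuses to use a private key file that other users can read, so the file’s permissions must be restricted to its owner”.
“And attempt to establish a connection to the next session using this key”.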
ssh -i key bandit17@localhost -p 2220