OverTheWire: Bandit — Entry in the world of CTFs Part 1

cham3leon
9 min read · Dec 12, 2023


Inspired by the upcoming CTF event by TCM Security and MetaCTF, I decided to look more into cybersecurity challenges and heard that Bandit from OverTheWire is a good start for that.

The goal in Bandit is to beat one level to get into the next one by solving challenges.

Most of the tasks are pretty easy and are aimed at beginners, so do not worry if you are new to this and wonder if you can solve anything at all.

Come and join me on this journey where we go from one level to the next, learn new skills and gain knowledge together.

https://overthewire.org/wargames/bandit/

Warning: Please follow the website in case anything has changed since the making of this write-up!

Let’s get started!

Level 0

Let’s start off with how to even begin these challenges. First we need to know how to connect to them, and for that we are going to use ssh (Secure Shell) with the username ‘bandit0’ and the password ‘bandit0’. (The -p in the command stands for port.)

ssh bandit0@bandit.labs.overthewire.org -p 2220

Level 0 → 1

Now we have to look for a file called readme, which is located in the home directory. For that we use the ls command.

After that we can use the cat command to read the contents of this file to get the password for the next level. I put the password in Mousepad so I can just copy-paste it later.

After that we can simply type exit to leave this level of the challenge and move on to the next one.

ls

cat readme

exit

Level 1 → 2

Once again we connect to the challenge with ssh but this time the username is ‘bandit1’ and the password is the one we got from the last challenge. This will continue throughout the whole Bandit challenge.

This time, we need to cat the file called ‘-’ to get the password for the next level, but we have to use ‘./-’ instead, since cat treats a lone ‘-’ as standard input rather than as a filename.

cat ./-

Copy the password and let’s move on to the next level!

Level 2 → 3

By now you should know how to connect to each new level. The filename in this challenge contains spaces, so we have to wrap it in single quotes (') to read it with cat.

cat 'spaces in this filename'

Level 3 → 4

The password we need in this challenge is in the directory called inhere. We can use the cd command to move into it and the ls -a command to see ‘.hidden’, which contains our password for the next level.

cd inhere

ls -a

cat .hidden

Level 4 → 5

The password here is in a human-readable file in the inhere directory. We start off with the cd command to get into inhere and the ls command to see what we have in the inhere directory. We see many files from -file00 up to -file09, but which one contains the password?

We can look at them one by one, which is fine if there are only a handful of files, but we can use ‘for i in ./*; do file "$i"; done’ to efficiently examine each file.

We can see that one of them is an ASCII text file, so we can narrow down our search by using ‘cat’ on that particular file to find the password.

cd inhere

ls

for i in ./*; do file "$i"; done

cat ./-file
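The filename handling from Levels 1 → 2, 2 → 3 and 4 → 5 in one place, as an added example that is not part of the original write-up. The function names (make_inhere, is_text, text_files, read_named) are hypothetical and the file contents are constructed; is_text stands in for the file command by checking for non-printable bytes.

```shell
#!/bin/sh
# Added example: file names mirror the levels, contents are constructed.

# make_inhere DIR: populate DIR with awkwardly named files, three of them text.
make_inhere() {
    ( cd "$1" || exit 1
      printf 'constructed-password-A\n' > ./-                       # Level 1 -> 2
      printf 'constructed-password-B\n' > './spaces in this filename'
      printf '\001\002\377binary\n'     > ./-file00                 # Level 4 -> 5
      printf 'constructed-password-C\n' > ./-file01
      printf '\200\201\n'               > ./-file02 )
}

# is_text FILE: true when FILE holds only printable characters and whitespace.
is_text() {
    [ "$(LC_ALL=C tr -d '[:print:][:space:]' < "$1" | wc -c)" -eq 0 ]
}

# text_files DIR: print the text files in DIR, one per line.
# Globbing ./* instead of parsing ls output keeps names with spaces whole, and
# the ./ prefix stops names such as - or -file00 from being read as options.
text_files() {
    ( cd "$1" || exit 1
      for f in ./*; do
          if [ -f "$f" ] && is_text "$f"; then printf '%s\n' "$f"; fi
      done )
}

# read_named DIR NAME: print a file whose name arrives as data.
# "--" ends option parsing, but cat still treats a bare "-" operand as stdin,
# so the name is anchored with "./" as well.
read_named() {
    ( cd "$1" && cat -- "./$2" )
}

demo=$(mktemp -d) && make_inhere "$demo" && text_files "$demo"
rm -rf "$demo"
```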

Level 5 → 6

For this level we have to find a file in the inhere directory that has a couple of properties. For this we can use the find tool with the properties that the challenge provides us with.

cd inhere

find . -readable -size 1033c -not -executable

After that we are left with only one file where we can simply use the cat command to get our password for the next level.

Level 6 → 7

We are told that the password for the next level is stored somewhere on the server and again we are provided with some properties.

Once again we can use the find tool with the properties we got for this level to find what we are looking for.

find / -user bandit7 -group bandit6 -size 33c 2>/dev/null

Level 7 → 8

On this level the password is in the data.txt file next to the word millionth.

We can use wc (word count) to count the number of lines, words, and characters that are in the data.txt file. You will see that there are way too many to just read through the file and find it.

For this we can use cat and combine it with grep to get the information we need to go to the next level.

wc -l data.txt

cat data.txt | grep "millionth"

Level 8 → 9

We are told that the password is again stored in the data.txt file but this time it is the only line of text that occurs only once.

When you check how often each line shows up, you’ll see they all come up around 10 times, except for the one we’re after. uniq only compares neighbouring lines, so we sort the file first; uniq -c then counts the number of occurrences of each unique line, and uniq -u prints only the line that is not repeated.

sort data.txt | uniq -u

Level 9 → 10

Back with the data.txt file but this time the password is stored in one of the few human-readable strings, preceded by several ‘=’ characters.

We can use ‘grep =’ to filter out the password we need to move to the next level.

strings data.txt | grep =

Level 10 → 11

For this level the password is once again stored in the data.txt file and it contains base64 encoded data.

When you cat the data.txt file you see that it ends with ‘==’. With that information, we can use base64 -d to decode it and retrieve our password.

cat data.txt | base64 -d

Level 11 → 12

In this challenge the password is stored in the data.txt file, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions.

With that information we can understand that we have to use ROT13 (a letter-shifting code where each letter is rotated by 13 positions in the alphabet.)

Start off by using cat data.txt, copy the output and go to https://rot13.com/ where you can unveil the hidden text (in our case the password) and move on to the next level.

Level 12 → 13

In this level we will work with a hexdump (displays file content in a hexadecimal format for analysis) and create a directory.

You can use cat data.txt to see the hexdump if you have never seen one before.

Let’s start with using cd to move to /tmp and create a directory with the mkdir command followed with a name you want and cd into it. (If you cannot create it then you can just choose another name; perhaps it already exists)

Now we use the cp command to copy the data.txt into the folder we just created.

cp data.txt /tmp/nameyouchoose

Move to the folder and ls to see if the data.txt file is in there. With the following command we take the content of the file and convert it from a hexadecimal format back to regular text, and then save the result in a new file named hexdump.

xxd -r data.txt > hexdump

If we use file hexdump we can see it is a gzip file. Rename the hexdump into hexdump.gz with the mv command and then we use gzip -d to decompress this file.

mv hexdump hexdump.gz

gzip -d hexdump.gz

We then can use file hexdump to see that it is a bzip2 file. We change it with the mv command to a bz2 file and then follow it up with the bzip2 command.

mv hexdump hexdump.bz2

bzip2 -d hexdump.bz2

Check it again with the file command and we see it is again a gzip file. We rename it with mv and decompress it with gzip like we did before, and we finally get a tar archive file.

Use mv to make it into a .tar file and use the tar xf hexdump.tar command. After that check it with the ls command to see the ‘data5.bin’.

When we look at data5.bin with the file command we see it is a tar file and you can remove the .tar and the .txt file with the rm command so that you end up with the data5.bin alone.

We can now mv data5.bin to data.tar and then use tar xf data.tar to get ‘data6.bin’. Check data6.bin with the file command and see it is a bzip2 file, mv it to data.bz2, and follow up with bzip2 -d data.bz2. After we check the result with the file command we see it is another tar file, so we mv data data.tar followed by tar xf data.tar and we end up with ‘data8.bin’.

Now we mv data8.bin to data.gz, decompress that file with gzip -d, and check it with the file command to see that we are finally done. By using the cat command on the data file you are left with, you get the password.

(This was really hard to write and if you see any mistakes please let me know)

If you made it to this point I have to say - good job!
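The Level 12 → 13 peel-and-check routine as a loop, added here as an example that is not part of the original write-up. It starts from the binary that xxd -r produces, reads the same signatures the file command reports (gzip 1f 8b, bzip2 "BZh", tar "ustar"), and decompresses from stdin so no renaming is needed; the function names and the sample archive are constructed, and gzip, bzip2 and tar are assumed to be installed.

```shell
#!/bin/sh
# Added example: sample data and function names are constructed for illustration.

# make_sample DIR: build DIR/data.bin as text -> gzip -> tar -> bzip2 -> gzip.
make_sample() {
    ( cd "$1" || exit 1
      printf 'constructed-secret-not-a-real-password\n' > data8.bin
      gzip data8.bin                          # leaves data8.bin.gz
      tar -cf data6.tar data8.bin.gz
      bzip2 data6.tar                         # leaves data6.tar.bz2
      gzip -c data6.tar.bz2 > data.bin )
}

# is_tar FILE: tar headers carry the string "ustar" at byte offset 257.
is_tar() {
    [ "$(tail -c +258 "$1" | head -c 5 | tr -d '\000')" = ustar ]
}

# unwrap FILE: peel gzip, bzip2 and tar layers, then print what is left.
unwrap() {
    work=$(mktemp -d) || return 1
    cp -- "$1" "$work/cur" || return 1
    layers=0
    while [ "$layers" -lt 20 ]; do            # cap the depth of nesting
        magic=$(od -An -tx1 -N3 "$work/cur" | tr -d ' \n')
        case "$magic" in
            1f8b*)  gzip  -dc < "$work/cur" > "$work/next" ;;   # gzip magic 1f 8b
            425a68) bzip2 -dc < "$work/cur" > "$work/next" ;;   # bzip2 magic "BZh"
            *)  is_tar "$work/cur" || break                     # nothing left to peel
                # -O sends member data to stdout, so no archived path is written;
                # assumes one member per archive, as in this level.
                tar -xOf "$work/cur" > "$work/next" ;;
        esac || { rm -rf "$work"; return 1; }
        mv "$work/next" "$work/cur"
        layers=$((layers + 1))
    done
    # Still wrapped after 20 layers: treat as hostile input and stop.
    [ "$layers" -lt 20 ] || { rm -rf "$work"; return 1; }
    cat "$work/cur"
    rm -rf "$work"
}

demo=$(mktemp -d) && make_sample "$demo" && unwrap "$demo/data.bin"
rm -rf "$demo"
```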

Level 13 → 14

In this level the password is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. The big difference is that you get a private SSH key instead of a password to log into the next challenge.

If you ls you see there is a sshkey.private file. We are going to use this to connect to the next level.

ssh bandit14@localhost -p 2220 -i sshkey.private

You can check with the whoami command to see if you are user bandit14. Now you can get the password for the next level with a simple cat command.

cat /etc/bandit_pass/bandit14

Level 14 → 15

In this challenge you can get the password for the next level by submitting the password of the current level to port 30000 on localhost.

We are going to use netcat (networking tool with broad functionality, also called swiss army knife) for this.

nc localhost 30000

After you use that command you just have to paste the password from the last level in it to get the one for the next one.

Level 15 → 16

In this level the password for the next one can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL (Secure Sockets Layer) encryption.

openssl s_client -connect localhost:30001 

After running the command above we can paste the password we got and submit it to get the password for the next level.

Level 16 → 17

We can get the information we need for the next level by submitting the password of the current level to a port on localhost in the range 31000 to 32000. Only one server will give us the credentials we need in this challenge; the others will simply send back what we put into them.

Start off with a tool called nmap and scan the ports they told us.

nmap localhost -p 31000-32000

After that we get a list of open ports and we can follow it up with a more accurate scan. (This might take a while so do not worry.)

nmap localhost -p listtheportshere -sV -T4

You can now see the services that you did not see before. Connect to each of them with the openssl command and test which one does not echo what you write into it.

openssl s_client -connect localhost:portnumberhere

If you found the right one you should receive an RSA PRIVATE KEY that you can save. Then use the chmod command to restrict the permissions of the file to its owner, because ssh refuses a private key that other users can read.

chmod 600 nameofyourprivatekeyfile

With that we can use ssh to get into the next level.

ssh -i nameofyourprivatekeyfile bandit17@localhost -p 2220

Level 17 → 18

The next level’s password is in passwords.new, and it’s the only line that differs from passwords.old

For this we just use a simple diff command.

diff passwords.old passwords.new

Level 18 → 19

The password in this challenge is stored in the readme file but someone has modified .bashrc to log you out when you log in.

For this we can append an ls command to the ssh command, so that it runs instead of an interactive login shell.

ssh bandit18@bandit.labs.overthewire.org -p 2220 ls

We see that there is a readme file. Let’s follow that up with a cat command this time.

ssh bandit18@bandit.labs.overthewire.org -p 2220 cat readme

And we get the password!

I hope you had fun doing Bandit from OverTheWire and I want to thank them for providing us with this and many more challenges that you can find on their website: https://overthewire.org/wargames/

If you are interested in a live CTF event there is one coming up (December 16th) from TCM Security and MetaCTF:

You can join the TCM discord to find a team or just join the community there if you are interested in cybersecurity and want to chat with awesome people - https://discord.gg/tcm
