OverTheWire-Bandit

Girithar Ram R
19 min read · Aug 3, 2021

What is OverTheWire bandit?

The wargames offered by the OverTheWire community help you learn and practice security concepts in the form of fun-filled games.

Target audience:

The Bandit wargame is aimed at beginners in a Linux/UNIX environment who are struggling to learn the practical use of Linux commands. It starts with simple Linux commands and ramps up to more advanced techniques as the levels get higher. Bandit is one of the wargames offered by OverTheWire.

Objective:

Find the password file. The password gives access to the next level.

Table of contents:

Bandit currently consists of 34 levels. We will go through the levels one by one with a clear explanation of how to solve each level using different Linux commands. Let’s dive into it right away.

Note:

  • The commands used in every level are given in a snippet.
  • Screenshots are provided wherever necessary.

There are two methods to login to the next level:

1. Connect to the next level via a separate SSH session.
2. Connect to the next level from the current level’s SSH session.

It’s a matter of convenience.

Here we use the 1st method.

For help:

You will encounter many situations in which you have no idea what you are supposed to do. There are several things you can try to get past them:

  • If you know a command but don’t know how to use it, read its manual page by entering “man <command>”.
  • If there is no man page, the command might be a shell built-in. In that case use the “help <command>” command.
  • If you are still stuck, never hesitate to google.

Level 0

This is a simple level. It teaches us how to use the ssh command to connect to an SSH host.

We have the following information:

Host: bandit.labs.overthewire.org
Port: 2220
Username: bandit0
Password: bandit0

ssh bandit0@bandit.labs.overthewire.org -p 2220

We use the above command to connect to the bandit server on port 2220.
This level doesn’t require anything other than logging in.

Level 0–1

Now, from the bandit0 shell, we need to find the password for the next user.
To find the password we list the files in the directory; to list them we use the command ls.
After listing the files we can see a file called readme.
To see the contents of the readme file we use the command cat.
After viewing it, we use the password to log in to the next level.

ls
cat readme
ssh bandit1@bandit.labs.overthewire.org -p 2220

Level 1–2

We were told that the password is located in a file named - (hyphen).
We cannot simply run cat - to read the file, since the cat command interprets a lone - as stdin/stdout.
To list the contents of the file we have to specify it with a path, like ./filename.
After getting the password we use it to log in to the next level.

ls
cat ./-
ssh bandit2@bandit.labs.overthewire.org -p 2220

Level 2–3

We were told that the password for the next level is located in the file named “spaces in this filename”.
If we pass that name to cat directly we won’t be able to find the file, since an unquoted filename is cut at each space and treated as several separate arguments.
So we escape every space in the file name with a backslash (\).

ls
cat spaces\ in\ this\ filename
ssh bandit3@bandit.labs.overthewire.org -p 2220

Level 3–4

We are informed that the password file is located inside the directory named inhere.
To go to the directory we use the command cd, which means change directory.
When we list the files, we may not see hidden files. To list the hidden files inside the directory we use the command ls -al.
In Linux a file whose name starts with . (dot) is a hidden file.
To list the contents of the hidden file we use the command cat .hidden.

cd inhere
ls -al
cat .hidden
ssh bandit4@bandit.labs.overthewire.org -p 2220

Level 4–5

We are told that the file containing the password is a human-readable file.
After moving into the directory, we use the command file ./* to see the file type of every file inside it.
Among the listed file types we can see ./-file07 reported as ASCII text.
So we can use cat to read the ./-file07 file.

cd inhere
file ./*
cat ./-file07
ssh bandit5@bandit.labs.overthewire.org -p 2220

Level 5–6

We are informed that the password file is human-readable and 1033 bytes in size.
After moving into the directory inhere, we use the command find to locate the file.
The find command takes a -size parameter, where the suffix ‘c’ means the size is given in bytes.
This lists the file matching the given parameter.
After that we can use cat to see the contents of the file.

cd inhere
find . -size 1033c
cat maybehere07/.file2
ssh bandit6@bandit.labs.overthewire.org -p 2220

Level 6–7

We are told that the password for the next level is stored somewhere on the server with the following properties:

  • owned by user bandit7
  • owned by group bandit6
  • 33 bytes in size

So we use these properties as parameters to the find command.
After finding the file we use cat to read its contents.

cd inhere
find / -user bandit7 -group bandit6 -size 33c
cat /var/lib/dpkg/info/bandit7.password
ssh bandit7@bandit.labs.overthewire.org -p 2220

Level 7–8

We were told that the password for the next level is stored inside a file named data.txt, next to the word “millionth”.
So we use the command grep to find the exact word millionth. We pipe (|) the output of cat into grep and its parameter. The pipe connects the standard output of the first command to the standard input of the second command.

cat data.txt | grep millionth
ssh bandit8@bandit.labs.overthewire.org -p 2220

Level 8–9

We were told that the password is inside a file named data.txt, and we are hinted that the password is the only line of text that occurs only once.
So we use the sort command to sort the text and the uniq -u command to print only the non-repeating line (uniq needs sorted input, since it only compares adjacent lines). These commands are connected using the pipe (|).

cat data.txt | sort | uniq -u
ssh bandit9@bandit.labs.overthewire.org -p 2220

Level 9–10

We are informed that the password for the next level is stored inside a file named data.txt. We are hinted that the password is followed by several ‘=’ characters.
If we view the file with cat, the terminal is filled with unreadable binary data.
So to pull out only the human-readable parts we use the strings command, and pipe its output into grep.

strings data.txt | grep =
ssh bandit10@bandit.labs.overthewire.org -p 2220
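To show what strings followed by grep actually does to a binary file, here is an added example (not the game’s data.txt or the author’s commands) that approximates strings(1) in Python and applies the ‘=’ filter; the SAMPLE bytes and the password-like value in them are constructed for the example.

```python
import re

# Constructed stand-in for the level's data.txt: binary noise around a few
# readable runs, one of them followed by a row of '=' characters.
# Neither the bytes nor the password-like value come from the game.
SAMPLE = (
    b"\x00\x7f\x13ab\x01\xfe" + b"short\x00" + b"ok\x02"
    + b"constructed-example-password==========\n"
    + b"another readable run" + b"\x91\xa3\x00"
)


def strings_like(data: bytes, min_len: int = 4) -> list:
    """Approximate strings(1): return every run of at least `min_len`
    printable ASCII bytes (0x20-0x7e). Anything else, including newlines,
    terminates a run, which is why 'ab' and 'ok' above are dropped."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def password_candidates(data: bytes) -> list:
    """The walkthrough's `strings data.txt | grep =`, done in one pass:
    keep only the readable runs that contain an '=' character."""
    return [s for s in strings_like(data) if "=" in s]
```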

Level 10–11

We are informed that the password for the next level is stored in the file data.txt, which contains base64-encoded data.
So to decode the password we pipe the output of cat into the base64 command with the --decode (-d) parameter.

cat data.txt | base64 --decode
ssh bandit11@bandit.labs.overthewire.org -p 2220

Level 11–12

We are informed that the file containing the password has been changed so that all lowercase (a-z) and uppercase (A-Z) letters are rotated by 13 positions.
To decode the password we use the command tr, which translates characters according to the two sets given as parameters.
Since the letters are rotated by 13 positions, a becomes n and n becomes a, b becomes o and o becomes b, and so on; applying the same rotation again therefore restores the original text.

cat data.txt | tr a-zA-Z n-za-mN-ZA-M
ssh bandit12@bandit.labs.overthewire.org -p 2220

Level 12–13

We were told that the password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed.

We were hinted that creating a new directory may be useful for this level.

mkdir /tmp/myname123
cp data.txt /tmp/myname123
cd /tmp/myname123
xxd -r data.txt > data
mv data file.gz
gzip -d file.gz
mv file file.bz2
bzip2 -d file.bz2
mv file file.gz
gzip -d file.gz
mv file file.tar
tar xf file.tar
mv data5.bin file.tar
tar xf file.tar
mv data6.bin file.bz2
bzip2 -d file.bz2
mv file data7.tar
tar xf data7.tar
mv data8.bin data9.gz
gzip -d data9.gz
cat data9
ssh bandit13@bandit.labs.overthewire.org -p 2220

We use the gzip, bzip2 and tar commands to decompress the files. Since the data was compressed repeatedly, we apply these commands repeatedly until we reach the final, plain-text file.

Note: Use the file command to identify the type of each intermediate file, and pick the matching decompression command from its output rather than guessing from the file name.
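The note above describes a loop: identify the layer, peel it, repeat. As an added example (not the game’s data.txt or the author’s commands), this Python script builds a nested gzip/bzip2/tar blob in an order chosen for the example, encodes it as plain hex standing in for the hexdump that xxd -r reverses, and then unpacks it by reading magic bytes the way file does; the PAYLOAD string and member names are constructed.

```python
import bz2
import gzip
import io
import tarfile

# Constructed stand-in for the level's innermost file; not the real password.
PAYLOAD = b"constructed-example-password\n"


def tar_wrap(data: bytes, member_name: str) -> bytes:
    """Wrap `data` as the single member of a tar archive (the dataN.bin layers)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo(name=member_name)
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_hexdump() -> str:
    """Compress PAYLOAD repeatedly (order chosen for this example) and return
    the result as plain hex, standing in for the level's hexdump."""
    data = gzip.compress(PAYLOAD)
    data = bz2.compress(data)
    data = gzip.compress(data)
    data = tar_wrap(data, "data5.bin")
    data = tar_wrap(data, "data6.bin")
    data = bz2.compress(data)
    data = tar_wrap(data, "data8.bin")
    data = gzip.compress(data)
    return data.hex()


def sniff(data: bytes) -> str:
    """Identify the container from its magic bytes, the way `file` does."""
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[:3] == b"BZh":
        return "bzip2"
    if len(data) >= 512 and data[257:262] == b"ustar":  # POSIX tar magic
        return "tar"
    return "unknown"


def unpack_once(data: bytes) -> bytes:
    """Remove exactly one layer; a tar layer must hold a single regular file."""
    kind = sniff(data)
    if kind == "gzip":
        return gzip.decompress(data)
    if kind == "bzip2":
        return bz2.decompress(data)
    if kind == "tar":
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
            files = [m for m in tf.getmembers() if m.isfile()]
            if len(files) != 1:
                raise ValueError(f"expected one tar member, found {len(files)}")
            return tf.extractfile(files[0]).read()
    raise ValueError("not a recognised archive")


def unpack_all(hexdump: str, max_layers: int = 32):
    """Reverse the hexdump (xxd -r), then peel layers until the data is no
    longer an archive. Returns (final bytes, layer types outermost first).
    The layer cap guards against a blob that never stops being an archive."""
    data = bytes.fromhex(hexdump)
    layers = []
    while True:
        kind = sniff(data)
        if kind == "unknown":
            return data, layers
        if len(layers) >= max_layers:
            raise RuntimeError("too many nested layers; refusing to continue")
        layers.append(kind)
        data = unpack_once(data)
```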

Level 13–14

We were told that the password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14.
We were hinted that we don’t get the next password, but we get a private SSH key that can be used to log into the next level.

Note: localhost is a hostname that refers to the machine we are currently working on.

ssh bandit14@localhost -i sshkey.private

Now we have used the ssh key found to login to the next level.

Level 14–15

We have successfully logged into level 14 by completing the challenge in level 13. We were told that the password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

Here we use a tool called netcat (ncat) to connect to port 30000 on localhost and submit the current password, which we first read from /etc/bandit_pass/bandit14.

cat /etc/bandit_pass/bandit14
ncat localhost 30000
"Enter the password"
ssh bandit15@bandit.labs.overthewire.org -p 2220

Level 15–16

We are informed that the password for the next level can be retrieved by submitting the password for the current level to port 30001 on localhost using SSL encryption.
So we use the --ssl option of ncat to get the password for the next level.

ncat --ssl localhost 30001
"Enter the password"
ssh bandit16@bandit.labs.overthewire.org -p 2220

Level 16–17

We were told that the credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000.
We were hinted to find out which of these ports have a server listening on them, and which of those speak SSL and which don’t.
Only one server gives the password for the next level; the rest simply echo back whatever we send.

To scan the port range 31000 to 32000 we use the tool nmap. nmap lists several open ports, and from its output we can tell which of them speak SSL.
We then have to pick out the right port.
After finding the SSL port we use ncat with --ssl to connect to it and retrieve the credentials.

nmap localhost -p 31000-32000
ncat --ssl localhost 31790
"Enter the password"

After entering the password we are given an SSH private key.

We then have to create a temporary directory and store the SSH private key in a file.
ssh refuses to use a key file that is readable by others, so we have to change the file’s permissions so that only the owner can read and write it.
The file’s permissions can be changed with the command chmod and the mode 600.
We use the stored private key to access the next level.

mkdir /tmp/giri_ssh
cd /tmp/giri_ssh
vi giri-key
"Paste the key inside the file"
chmod 600 giri-key
ssh bandit17@localhost -i giri-key

Level 17-18

We were told that the password for the next level is stored in the file named “passwords.new”.
We are hinted that the password is the only line that has changed between passwords.old and passwords.new.
We were also told that when we find the password we will be greeted with “bye bye”, which is a hint for the next level.

To find the changed line we use the command diff.

diff passwords.new passwords.old
ssh bandit18@bandit.labs.overthewire.org -p 2220

Level 18–19

We can see that we can’t log in to the next level normally with the password retrieved in the previous level.
This is because the authors of Bandit have modified the .bashrc to log us out as soon as the SSH session starts.

So we have to use the Bourne shell, aka sh, instead of bash.
To get an sh shell we pass the command /bin/sh to ssh when logging in, so that it runs instead of the login shell.

To know the difference between bash and sh click the link below:

https://stackoverflow.com/questions/5725296/difference-between-sh-and-bash/5725402#5725402

After getting the shell we can see a readme file containing the password for the next level.

ssh bandit18@bandit.labs.overthewire.org -p 2220 /bin/sh
cat readme
ssh bandit19@bandit.labs.overthewire.org -p 2220


Level 19–20

We can see an executable file named bandit20-do.
When we try to execute it, we can see that it runs a command as another user (a setuid binary).

As we were told that the password of the next level is in the usual place, we run the script with the cat command to print the password file of the next user, bandit20.

./bandit20-do cat /etc/bandit_pass/bandit20
ssh bandit20@bandit.labs.overthewire.org -p 2220

Level 20–21

We were informed that there is a setuid binary in the home directory that does the following:

i) It makes a connection to localhost on the port we specify as a command-line argument.
ii) It then reads a line of text from the connection and compares it to the password of the current level, i.e. bandit20.
iii) If the password is correct, it transmits the password for the next level (bandit21).

So we first create a listening port that the binary can connect to, from which it will retrieve the password.
We were hinted that when suconnect makes its connection it must receive the correct password from the listening side, so we supply the password with the echo command.

To open a listening port we use the tool ncat.
We pipe the echo command and its argument into ncat in listen mode; this creates a listening port which sends the connector the password to verify.

After creating the listening port, we connect to it using suconnect.
Remember to use one terminal for listening and a separate terminal for the connection.

When suconnect connects to the listening port it receives the password for verification; when it recognises the correct password it sends back the password for the next level.

echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | ncat -l localhost 12345 -> Creating a listening TCP session
./suconnect 12345 -> Connecting to the open port 12345
ssh bandit21@bandit.labs.overthewire.org -p 2220
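The two-terminal exchange above, as an added Python example that is not the game’s binary or the author’s commands: one function plays the echo | ncat -l side, and a hypothetical suconnect_model plays the connecting binary, since its source is not on the page. The passwords, the OS-chosen port and the “Wrong!” failure reply are assumptions made for the example.

```python
import socket
import threading

# Constructed example secrets standing in for the bandit20 and bandit21 passwords.
CURRENT_PASSWORD = "example-current-level-password"
NEXT_PASSWORD = "example-next-level-password"


def read_line(conn: socket.socket) -> str:
    """Read until a newline, as the level's one-line protocol expects."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = conn.recv(1024)
        if not chunk:  # peer closed without finishing the line
            break
        buf += chunk
    return buf.decode().rstrip("\n")


def suconnect_model(port: int, expected: str, secret: str) -> None:
    """Hypothetical model of the level's suconnect binary: connect to the
    port, read one line, and send `secret` only if it matches `expected`.
    The failure reply 'Wrong!' is an assumption of this model."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as conn:
        if read_line(conn) == expected:
            conn.sendall((secret + "\n").encode())
        else:
            conn.sendall(b"Wrong!\n")


def listen_and_exchange(password_to_send: str, expected: str, secret: str) -> str:
    """Our side, the `echo ... | ncat -l` terminal: listen, hand the connector
    one line, and return whatever it sends back."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
        srv.listen(1)
        port = srv.getsockname()[1]
        # The "second terminal": start the connector once we are listening.
        connector = threading.Thread(target=suconnect_model, args=(port, expected, secret))
        connector.start()
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(5)
            conn.sendall((password_to_send + "\n").encode())
            reply = read_line(conn)
        connector.join(timeout=5)
        return reply
```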

Level 21–22

We were informed that a program is run automatically at regular intervals by cron, a time-based job scheduler.
We were hinted to look in the cron directory mentioned in the level description.

When we move into that directory, we see a list of files. We need the password for the next level, i.e. bandit22, so we use cat to see what’s inside the cronjob_bandit22 file.

It contains the path to a script named cronjob_bandit22.sh. When we read that script, we see that it in turn writes to a file named t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv.

When we read that file, we get the password for the next level.

cd /etc/cron.d
ls
cat cronjob_bandit22
cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
ssh bandit22@bandit.labs.overthewire.org -p 2220

Level 22–23

As in the previous level, we were told to read the cron file, in our case cronjob_bandit23.
Reading it points us to a script in another location.
When we read that script, we see a short bash script.

The script has a variable named myname which holds the output of the command whoami. By default it returns bandit22, since we are running as user bandit22. The script builds the string “I am user bandit22”, hashes it with MD5, and uses the hash as the name of the file in /tmp that holds the password.

So we have to compute the same hash with the username changed to bandit23.
By doing this we get the file name for the user bandit23, and reading that file gives us the password.

cd /etc/cron.d
cat cronjob_bandit23
cat /usr/bin/cronjob_bandit23.sh
echo I am user bandit23 | md5sum | cut -d ' ' -f 1
cat /tmp/8ca319486bfbbc3663ea0fbe81326349
ssh bandit23@bandit.labs.overthewire.org -p 2220

Level 23–24

The password for the next level, i.e. bandit24, can be obtained in 2 ways.

1st way:

While in the shell of user bandit22, we follow the same procedure we used to get the password for user bandit23.
But we replace the username bandit23 with bandit24.
When we run the echo command with the modified username, we get a hash, and using that hash we can print the password for user bandit24.

2nd way:

As usual we were told to read the file inside the /etc/cron.d folder, in our case cronjob_bandit24.
Reading it gives us the path to a script.
When we read that script, we see that it executes every script placed in /var/spool/bandit24 and then deletes it.

To get the password for the next level, as hinted, we create our own bash script which reads the password from /etc/bandit_pass and writes it into a file we create.

Our script writes the password into a file named passwd inside the folder we just created.

After creating the folder and the output file, we give them the required permissions so that the cron job, which runs as bandit24, can write to them.
Then we place the script inside the folder /var/spool/bandit24.
After placing the script there, we wait a short while for the cron job to run.

After some time our output file in the temporary directory is filled in.

We get the password for the next level by reading that file.

cat /etc/cron.d/cronjob_bandit24
cat /usr/bin/cronjob_bandit24.sh
mkdir /tmp/giri
cd /tmp/giri
touch passwd
chmod 777 passwd
vi script.sh

Code:

#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/giri/passwd

chmod 777 script.sh
cp script.sh /var/spool/bandit24/script.sh
cat passwd

Level 24–25

We were informed that a daemon is listening on port 30002 and will give us the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode.

So we have to send the password for the current level together with a 4-digit pincode to get the password for the next level.

We have no clue about the 4-digit pin, so the level requires us to try all 10000 combinations.

For that we create a bash script file.

The script contains a for loop with the variable “i”, which iterates through the 10000 possibilities for the 4-digit pin.

Inside the loop an echo command prints the current level’s password followed by the variable “i”, one attempt per line.

Before running the script we give the file the required permissions.

Then we pipe the script’s output into the ncat command connected to port 30002.

mkdir /tmp/giri
cd /tmp/giri
vi script.sh

Code:

#!/bin/bash
for i in {0000..9999}
do
    echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i"
done

chmod 777 script.sh
./script.sh | nc localhost 30002

Level 25–26

When we try to connect to bandit26 using the SSH key, the connection is terminated immediately.

We were informed that the shell for the user bandit26 is not /bin/bash.

When we look at /etc/passwd, we see that the login shell for user bandit26 is a program named showtext inside /usr/bin/.

Reading the showtext file shows that it runs the more command on a text file, which is the hint: more only pauses when the text does not fit on the screen.

To make more pause, we shrink the terminal window to only a few lines.
Then we connect to the next level using the SSH key.

While more is paused, we press “v” to open the text in the vi editor.
Then we enter “:” to begin a command.
We use the “r” command with the path to the password file of bandit26 to read it into the editor.

The password then appears in the editor.

ssh bandit26@localhost -i bandit26.sshkey
v -> Pressed while more is paused, opens vi
:r /etc/bandit_pass/bandit26

Level 26–27

We continue with the same process to get the password for the next level.

Here we have to change the shell to bash.

As before, we press v to open vi.
Then we use the :set shell command with the path of the shell we want, in our case /bin/bash.
After that we give the command :shell.
We are then given a bash shell for the user bandit26.

We can see an executable file named bandit27-do.
We can use it to read the password for bandit27 by specifying the path to the password file.

v
:set shell=/bin/bash
:shell
./bandit27-do cat /etc/bandit_pass/bandit27

Level 27–28

In this level we are introduced to git.
We were informed that there is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo
and that the password for the user bandit27-git is the same as the password for bandit27.

We are hinted to clone the repository and find the password for the next level in it.

We need write permission to clone a repository, so we create a temporary folder.

We use the command git clone with the repository’s URL.
When prompted, we give the password of the current level.

We then get a folder named repo; after moving into that directory we see a file named README.
When we read it, we get the password for the next level.

mkdir /tmp/giri
cd /tmp/giri
git clone ssh://bandit27-git@localhost/home/bandit27-git/repo
cd repo
cat README

Level 28–29

We were informed that there is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo and that the password for the user bandit28-git is the same as for the user bandit28.

Cloning the repository is the same process as in the previous level.
But this time, once we are in the repo directory, we have to run the command git log -p on the README file.

When we simply read the file, we see that the password has been removed.
Luckily, git records every change in its history.

So by using the git log -p command we can see the earlier version of the line and get the password for the next level.

mkdir /tmp/giri
cd /tmp/giri
git clone ssh://bandit28-git@localhost/home/bandit28-git/repo
cd repo
git log -p README.md

Level 29–30

We were informed that there is a git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo and that the password for the user bandit29-git is the same as for the user bandit29.

The cloning process is the same as in the previous level.

When we read the README file we see the message “no passwords in production”.

So we have to check the list of available branches using the command
git branch -a.
After entering this command we see a list of branches.
We then switch to the dev branch using the command git checkout dev.

Now when we read the README file, we see the password for the next level.

mkdir /tmp/giri
cd /tmp/giri
git clone ssh://bandit29-git@localhost/home/bandit29-git/repo
cd repo
git branch -a
git checkout dev
cat README.md

Level 30–31

We were informed that there is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo and that the password for the user bandit30-git is the same as for the user bandit30.

The cloning process is the same as in the previous level.

When we read the README file we are greeted with the message “just an epmty file… muahaha”.

Git can mark a specific point in history as important with a tag; to list the tags we use the command git tag.
After running this command we see a tag named secret; to view what it points to we use the command git show secret.

mkdir /tmp/giri
cd /tmp/giri
git clone ssh://bandit30-git@localhost/home/bandit30-git/repo
cd repo
git tag
git show secret

Level 31–32

We were informed that there is a git repository at ssh://bandit31-git@localhost/home/bandit31-git/repo and that the password for the user bandit31-git is the same as for the user bandit31.

The cloning process is the same as in the previous level.

The README asks us to push a file named key.txt with the content “May I come in?”.
So we create a file named key.txt and put that content inside it.

Now we add the file to the repository and commit it.
Then we push to the origin remote, which requires the password for the current level.

This is done with the combination of the add, commit and push commands. The -f flag is needed on add because the repository’s .gitignore excludes .txt files.

mkdir /tmp/giri
cd /tmp/giri
git clone ssh://bandit31-git@localhost/home/bandit31-git/repo
cd repo
vi key.txt

Content:

May I come in?

git add -f key.txt
git commit -m "."
git push origin

Level 32–33

After we log into the next level we are greeted with the message “WELCOME TO THE UPPERCASE SHELL”.

Whatever command we enter is automatically converted to uppercase before it runs.

And our terminal shows us the error prefix sh: 1:, which tells us the commands are being passed to sh.

We were hinted “It’s time for another escape”, so we assume it has something to do with escaping this restricted shell.

We can bypass it with $0. It contains no letters, so uppercasing does not change it, and the shell expands it to the name of the shell itself (sh), which starts a new, unrestricted shell.

After typing it, we have a normal shell.

Now we use the cat command to read the password file bandit33 inside the /etc/bandit_pass/ directory.

$0
cat /etc/bandit_pass/bandit33

Level 33–34

After logging in as user bandit33, we can see a README file.

When we try to read it, it shows us “There is no more level to play”.

“The End”

I hope this article gives you an idea of the Bandit game and how to solve it.

I recommend you try it yourself, as it will give you experience and basic knowledge of Linux and git.

Finally, I thank everyone reading this for spending your valuable time on my article.

Author: Girithar Ram R

Contact: https://www.linkedin.com/in/girithar-ram-ravindran-a4341017b/s
