Over the Wire: Bandit Level 0–5

A.K.A. Command Line 101

He’ll get ya!

While I was going to write a walkthrough on another Over the Wire war-game, I figured I might as well start from the beginning. Bandit is a great way to learn your way around using the command line, especially if you’re a former OSX fanboy like me. I recommend you do not look through the answers here until you have pounded your head into your desk and screamed some expletives loud enough for your neighbors to hear.

The main thing I want people to get from this walkthrough aren’t the actual specific solutions as there are thousands of other walkthroughs online for this pretty simple war-game. Instead, I want people to gain an intuition on how you should approach infosec war-games, whether they be reverse engineering challenges, web security challenges, or full attack-defense CTFs. The hardest part of hacking isn’t necessarily the technical aspects of it, but the process of gaining a creative mindset in learning how things work and how to make things well… break.

As always, I have to state that the solutions I provide may not be the most efficient solutions or the “right” solutions. They are simply just my solutions.

Let’s get started.

Level 0

Here we simply need to connect to Over the Wire’s Bandit server using SSH. What the hell is SSH and how do we do that? I’ll explain.

SSH stands for Secure Shell, most likely because naming a network protocol SS would have offended some people.

Network protocol? Aaaahhh! I know. It is truly a rabbit hole, but I’ll try to explain this without confusing you even more.

SSH is part of the Internet protocol suite, commonly referred to as just TCP/IP, named after the original two network protocols. Oh, by the way, a protocol in the computer sense just means the rules and conventions for communication between two or more network devices.

SSH is one those network protocols within TCP/IP that basically through some crypto mumbo jumbo allows us to securely log into a remote host, in this case Over the Wire’s server, and execute commands there. It also has plenty of other uses but we won’t go into those right now. If you’re still curious go onto Wikipedia and get lost for a couple hours. That might help, or you might just end up more confused.

Oh, you also need a SSH client. For people running OSX or any Unix based operating system, you’re good as it should be already installed on your system. Anyone running Windows will have to download a client. I don’t use Windows as I don’t use Steam anymore so you will have to figure out that out. That being said, I’ve heard PuTTY is pretty good.

Level Goal

The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.

Here’s how to do this through the command line:

$ ssh -l bandit0 -p 2220 bandit.labs.overthewire.org

We first type in the base command SSH like all commands. Then we specify the username by typing the flag “l” and the username, in this case in bandit0. Then we specify what port to use through the flag “p” and the port 2220. Finally we specify what host we are connecting to, in this case the server bandit.labs.overthewire.org.

After hitting return, we will see the requirement for a password. Remember here the password is simply bandit0. We will want to modify this command later on but for now we can use this for next several levels, simply changing the username and the password.

Bandit Level 0 → Level 1

Level Goal

The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.

The two commands we will being using in this level are cat and ls.

ls stands for list and its function when not flagged is to list the files and folders within the current directory.

$ ls

After you hit enter, it should return with this:

readme

While we wouldn’t necessarily know if readme is a file or folder off the information that is provided here, they already specified that readme is in fact the file that contains the password to the next level.

Now we just need to read readme. We can do this by using cat.

While there are many ways to display the contents of a file in a bash shell, “cat” is the easiest command to use. All we need to do here is type:

$ cat readme

Which gives us…

boJ9jbbUNNfktd78OOpsqOltutMc3MY1

the first password of the game.

Make sure to save your passwords in a little passwords.txt file in case you have to take a break or go outside like people do (ONLY DO THIS FOR THESE PASSWORDS AND NONE OF YOUR ACTUAL PASSWORDS).

If you want to learn more about a specific command, you can use the command “man” followed by your command. This will give you a manual and the more complex ways to use a command. Simply press q to exit.

Bandit Level 1 → Level 2

Level Goal

The password for the next level is stored in a file called - located in the home directory

We already know the required commands for this level, but now we need to figure out how to open “-”. The problem here though is that cat is recognizing the dash as synonym for stdin. In order to fix this we need to specify the dash is a file using a dot and a forward slash:

$ cat ./-

Personally I precede all my files with the dot and slash even if I’m in the same directory as the file I’m try to use. Here though, this format is required. Pressing enter should give us this:

CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

Second password done. It only gets harder.

Bandit Level 2 → Level 3

Level Goal

The password for the next level is stored in a file called spaces in this filename located in the home directory

Here once again we are going to use the same commands but we will have to extra careful to make sure cat reads the entire filename. On a side note, this is why you shouldn’t put spaces in file names or directory names.

If we simply enter

$ cat spaces in this filename

Cat only tries to read and display a file for every word in the phrase.

cat: spaces: No such file or directory
cat: in: No such file or directory
cat: this: No such file or directory
cat: filename: No such file or directory

To fix this, all we need to do is put our filename in quotes so that cat recognizes the entire phrase as our filename.

$ cat "spaces in this filename"

Which gives us…

UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

the next password!

Onto the next level.

Bandit Level 3 → Level 4

Level Goal

The password for the next level is stored in a hidden file in the inhere directory.

Hidden files? Whaaaaaaat?

No they’re not government secrets. Usually hidden files or hidden directories are usually hidden to avoid a dumb user from accidentally deleting something important. something something delete system32

First though we have to figure out how to get into the inhere directory. After running our standard ls, you should see this:

inhere

Cool, now how do we get into the directory? We use a command called cd.

cd stands for “change directory” and to use it we simply type:

$ cd inhere

Now that we’re inside inhere, let’s just type ls again to find that hidden file.

But wait, we didn’t get anything?

What we have to do here is specify that we want to list all files in the current directory, hidden files included. To do this, we have to use the flag -a after ls:

$ ls -a

Which gives us:

.  ..  .hidden

Ignore the first two dots for now. We’ll get back to those eventually. Now all we have to do is use cat and display the contents of .hidden to the command line.

$ cat .hidden

Which gives us the next password.

pIwrPrtPN36QITSp3EQaw936yaFoFgAB

Bandit Level 4 → Level 5

Level Goal

The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.

In this level we’re going to use a new command called file.

File as a command determines the file type of a file. So for instance, I wanted to check the file type of doggo.txt. It doesn’t matter what it is in doggo.txt as all file cares about is the file type.

So if we ran:

$ file doggo.txt

It would return:

file.txt: ASCII text

Okay. This is good and it definitely puts us on the right track. While “human readable” is a very vague phrase, we can assume it means the file we are looking is some sort of readable file, even if we don’t know the actual character encoding.

However, in the example above we are only checking the file type of one file. While we could go and check the file type of each file within inhere, that’s a lot of work and we hackers like being as lazy as possible.

Here’s how to retrieve the file types of every file within inhere:

$ file inhere/*

Okay before you just copy this command, bear with me here for a second. That little asterisk at the end there is called a wildcard. There are couple different types of wildcards. Some wildcards only represent a single character, some represent a range of characters. They allow to search the directory for a specific pattern and, in this case, display the file type. Here, because we simply put it directly after the slash, it searches through every file.

For instance, say we have a directory called fruit containing the files:

apple
banana
pear
pineapple
peach

If wanted to return the file type of every file starting the letter p, I would type this:

$ file inhere/p*
pear
pineapple
peach

Here, the pattern now searches for every file starting the letter p and any letters after p.

Anyway, if that made sense, cool. If not, it’s alright. Remember Wikipedia is your friend.

So if you entered “file inhere/*” into the shell, you should have gotten this returned:

inhere/-file03: data
inhere/-file04: data
inhere/-file01: data
inhere/-file07: ASCII text
inhere/-file08: data
inhere/-file06: data
inhere/-file02: data
inhere/-file09: data
inhere/-file05: data

Okay, so right off the bat, what grabs our attention? The outlier -file07 with file type of ASCII text of course. ASCII isn’t the only character encoding system, but every other file type just says “data” so we can probably be sure that -file07 contains our honey. Recognizing what is an outlier, whether it be a certain file, port, or directory that just seems out of place is essential to solving war-games and finding vulnerabilities. This is the part of infosec that requires a lot of creative thinking, which allows happens to be my favorite aspect of infosec.

$ cat ./inhere/-file07
koReBOKuIDDepwhWk7jZC0RTdopnAYKh

Huh. Would you look at that.

The first five levels are done and you are officially on the path to becoming an infosec god. Play around with the command line and try your hand at the next levels. If you run into trouble, I’ll walk you through and explain it in the next post.

مع السلامة