The improvised OverTheWire writeup you were not looking for — Bandit.Pt1
OverTheWire is a well-known CTF site containing challenges divided into categories.
In case you don’t know what a CTF is, this video is an excellent introduction to the concept imho.
As the n00b that I am, I’m going to attempt (and most likely fail a lot in the process) to complete them starting with the most basic category:
Every level has a description and some hints in the form of:
- A list of commands that could help you solve the challenge
- Some useful links to start your research if you are completely lost
Let’s start from the beginning, shall we?
Bandit — Level0
This one is easy, even for me. We just need to establish a connection over SSH to the specified server and port using the credentials granted by the site.
ssh bandit0@bandit.labs.overthewire.org -p 2220
And… we got in!
From now on, we are executing commands on the bandit.labs.overthewire.org server as user bandit0. Naturally, as these commands are going through the internet (and, in my case, reaching out to the other side of the globe), don’t expect the command line to be as responsive as on your own computer. Delay you shall face.
If you find yourself having to execute complex commands, or trying several combinations/options to find a solution, speed things up by running your tests on your own machine first. Then, when you have the commands well-formed and ready to be executed, go over to the ssh-connected terminal and try them on the real thing. That will save you a TON of time.
Bandit — Level0 pt2
This part is pretty straightforward too. The treasure is in plaintext and not hidden, so finding it is as easy as reading a file:
Bandit — Level1
This one was a little more exciting. I actually had to think about how to type the name to read that f****** file.
And… we got our ticket to the next round!
Bandit — Level2
From now on, connecting to each level has no secrets for us, so I’ll keep this simple and skip that part.
Let’s jump into the challenge:
Autocomplete (using tab) gracefully solves this challenge for us, escaping every single space in the filename:
cat ./spaces\ in\ this\ filename
Number three here we go!
Bandit — Level3
Gotta find’em all (even if they are hidden)
Using ‘ll’ alias instead of just ‘ls’ gives us the capability of seeing hidden files and folders. That’s why I always prefer ll over ls.
To move within the filesystem you can use the ‘cd’ command like this:
cd <directory> -- step into a directory
cd .. -- step outside the directory you are currently in
cd ./ -- ./ refers to the same directory you are in
Just for the sake of being explicit, here is the difference in output:
ll ./inhere/
cat ./inhere/.hidden
Bandit — Level4
After stepping into the right directory we found 10 files of which, as the level description says, only one is human-readable.
They have all been created by the same user, at the same time, and have the same privilege restrictions and size. There’s probably a much better way to do this but, since there are only ten files, I think trial and error is a valid approach here.
To see the content type of each file we can use the command ‘file’. Then, after catching the correct one, we display the next password using cat as always.
./-file07: ASCII text
cat ./-file07
Bandit — Level5
After entering the inhere directory I found myself entering into a labyrinth of files. I realize this time looking for each file will get me nowhere.
Ok, so… let’s think. I need a way to filter all these files and find the one that meets the requirements:
- 1033 bytes in size
- not executable
I could probably use a combination of ‘find’, ‘grep’ and ‘file’ commands to achieve that. First of all, since I don’t remember how to actually use the command (shame on me), I try reading the man pages for ‘find’. To see the man pages of any command you can type:
Some commands also have help options like these:
that display a help page often listing option lists or command examples; really useful stuff.
I suggest typing ‘man find’ into your own terminal, reading the pages, trying some options and then returning to the ssh terminal to execute some tests, because reading man pages and testing commands over ssh could be a painful experience.
So, after some reading, I try the filter by size first:
find -L -size 1033c
-L will make find follow the links and -size 1033c will filter out all the files that are not 1033 bytes in size (c unit is used for bytes).
After using this filter we get only one file… and it’s human-readable:
This doesn’t feel right at all since we are not using the other 2 conditions we were provided with… but the file meets all the requirements and trying this password has no cost, so I give it a try:
and we are in! I was totally wrong… this feels just right!
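Applying all three Level 5 conditions in a single find call, as an added example that is not part of the original post. The directory tree and file names are constructed locally so it can be tried offline, and `-executable` assumes GNU find:

```shell
#!/bin/sh
# Text test run by find on each candidate. Prefers file(1), as in the
# writeup; falls back to grep -I, which skips files containing NUL bytes.
IS_TEXT='if command -v file >/dev/null 2>&1
         then file -b "$1" | grep -q text
         else grep -Iq . "$1"; fi'

# Build a constructed maze of decoys and print its path.
make_maze() {
    maze_dir=$(mktemp -d) || return 1
    mkdir -p "$maze_dir/inhere/maybehere00" "$maze_dir/inhere/maybehere01"
    # Target: 1033 bytes of text, not executable.
    printf '%1033s' '' | tr ' ' 'k' > "$maze_dir/inhere/maybehere01/-file2"
    # Decoy 1: right size, text, but executable.
    printf '%1033s' '' | tr ' ' 'k' > "$maze_dir/inhere/maybehere00/-file1"
    chmod +x "$maze_dir/inhere/maybehere00/-file1"
    # Decoy 2: right size, not executable, but binary (NUL bytes).
    head -c 1033 /dev/zero > "$maze_dir/inhere/maybehere00/-file3"
    # Decoy 3: text, not executable, but the wrong size.
    printf '%500s' '' | tr ' ' 'k' > "$maze_dir/inhere/maybehere01/-file4"
    printf '%s\n' "$maze_dir"
}

# Print every regular file under $1 that is exactly 1033 bytes,
# not executable and human-readable. The -exec acts as a test:
# -print only fires when the text check exits 0. Paths start with
# the search root, so names with a leading dash are handled safely.
find_candidate() {
    find "$1" -type f -size 1033c ! -executable \
        -exec sh -c "$IS_TEXT" sh {} \; -print
}

maze=$(make_maze)
find_candidate "$maze/inhere"
rm -rf "$maze"
```

The same pattern works for Level 6 with `-user` and `-group` in place of the permission test; appending `2>/dev/null` hides the "Permission denied" noise from directories you cannot read.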
Bandit — Level6
This level’s description looks similar to the previous one. We are asked to find a file that:
- Is owned by user bandit7
- Is owned by group bandit6
- Is 33 bytes in size
I’ll try the size filter first, then see how to apply the rest of the conditions. The file can be placed anywhere inside the server so I fire the find command on the root directory:
find -L -size 33c
This time the results are endless and I had to stop the process (using ctrl+c). I see some redirection loops reading the output so I take out the -L option to avoid them. We need to dive deeper into the filter options. Next attempt is:
find -size 33c -group bandit6 -user bandit7
If you’ve read this far I’m sure you need no explanation on what the extra parameters will do:
We have our candidate ‘bandit7.password’:
There are still a lot of levels to beat… but a little break won’t harm anyone