The improvised OverTheWire writeup you were not looking for — Bandit.Pt1

OverTheWire is a well-known CTF site containing challenges divided into categories.

In case you don’t know what a CTF is, this video is an excellent introduction to the concept imho.

As the n00b that I am, I’m going to attempt (and most likely fail a lot in the process) to complete them starting with the most basic category:

Bandit

Every level has a description and some hints in the form of:

  • A list of commands that could help you solve the challenge
  • Some useful links to start your research if you are completely lost

Let’s start from the beginning, shall we?

Bandit — Level0

This one is easy, even for me. We just need to establish an SSH connection to the specified server and port using the credentials granted by the site.

ssh bandit0@bandit.labs.overthewire.org -p 2220
bandit0

And… we got in!

From now on, we are executing commands on the bandit.labs.overthewire.org server as user bandit0. Naturally, as these commands are going through the internet (and, in my case, reaching out to the other side of the globe), don’t expect the command line to be as responsive as on your own computer. Delay you shall face.

If you find yourself having to execute complex commands, or trying several combinations/options to find a solution, try speeding things up by running your tests on your own machine and then, when you have the commands well-formed and ready to be executed, go over to the SSH-connected terminal and try them on the real thing. That will save you a TON of time.

Bandit — Level0 pt2

This part is pretty straightforward too. The treasure is in plaintext and not hidden, so finding it is as easy as reading a file:

cat readme
boJ9jbbUNNfktd78OOpsqOltutMc3MY1
Side note: to exit the session opened over SSH you can type ‘exit’ or ‘logout’

Bandit — Level1

This one was a little more exciting. I actually had to think about how to type the name to read that f****** file.

cat ./-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

And… we got our ticket to the next round!

Bandit — Level2

From now on, connecting to each level has no secrets for us, so I’ll keep this simple and skip that part.

Let’s jump into the challenge:

Autocomplete (using tab) gracefully solves this challenge for us, escaping every single space in the filename:

cat ./spaces\ in\ this\ filename
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

Number three here we go!

Bandit — Level3

Gotta find’em all (even if they are hidden)

Using the ‘ll’ alias instead of plain ‘ls’ lets us see hidden files and folders. That’s why I always prefer ll over ls.

To move within the filesystem you can use the ‘cd’ command like this:

cd directoryName
-- step into a directory
cd ..
-- step outside the directory you are currently on
cd ./
-- ./ refers to the same directory you are on

Just for the sake of being explicit, here is the difference in output:

ll ./inhere/
cat ./inhere/.hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB

Bandit — Level4

After stepping into the right directory we find 10 files, of which, as the level description says, only one is human-readable.

They have all been created by the same user, at the same time, and have the same privilege restrictions and size. There’s probably a much better way to do this but, since they are only ten files, I think trial and error is a valid approach here.

To see the content type of each file we can use the command ‘file’. Then, after catching the correct one, we display the next password using cat as always.

file ./-file07
./-file07: ASCII text
cat ./-file07
koReBOKuIDDepwhWk7jZC0RTdopnAYKh

Bandit — Level5

After entering the inhere directory I found myself entering into a labyrinth of files. I realize this time looking for each file will get me nowhere.


Ok, so… let’s think. I need a way to filter all these files and find the one that meets the requirements:

  • human-readable
  • 1033 bytes in size
  • not executable

I could probably use a combination of ‘find’, ‘grep’ and ‘file’ commands to achieve that. First of all, since I don’t remember how to actually use the command (shame on me), I try reading the man pages for ‘find’. To see the man pages of any command you can type:

man commandName

Some commands also have help options like these:

commandName --help
commandName -help
commandName -h

that display a help page often listing option lists or command examples; really useful stuff.

I suggest typing ‘man find’ into your own terminal, reading the pages, trying some options and then returning to the SSH terminal to run some tests, because reading man pages and testing commands over SSH can be a painful experience.

So, after some reading, I try the size filter first:

find -L -size 1033c

-L makes find follow symbolic links, and -size 1033c filters out every file that is not exactly 1033 bytes in size (the c unit stands for bytes).

After using this filter we get only one file… and it’s human-readable:

This doesn’t feel right at all since we are not using the other 2 conditions we were provided with… but the file meets all the requirements and trying this password has no cost, so I give it a try:


and we are in! I was totally wrong… this feels just right!

Bandit — Level6

This level’s description looks similar to the previous one. We are asked to find a file that:

  • Is owned by user bandit7
  • Is owned by group bandit6
  • Is 33 bytes in size

I’ll try the size filter first, then see how to apply the rest of the conditions. The file could be anywhere on the server, so I fire the find command on the root directory:

find -L -size 33c

This time the results are endless and I had to stop the process (using ctrl+c). I see some redirection loops reading the output so I take out the -L option to avoid them. We need to dive deeper into the filter options. Next attempt is:

find -size 33c -group bandit6 -user bandit7

If you’ve read this far I’m sure you need no explanation on what the extra parameters will do:


We have our candidate ‘bandit7.password’:


Bingo!
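
For reference, here is how all the stated conditions from Level5 and Level6 can be expressed as find filters. This is an added example, not part of the original writeup. The function names and the sandbox files are constructed for illustration. It assumes GNU find (for -executable) and falls back to grep -I when file(1) is not installed.

```shell
# Added example: helper names are hypothetical, sample files are constructed.
# Assumes GNU find (-executable is a GNU extension).

# True when the file is text: use file(1) if installed, otherwise grep -I,
# which treats binary files as non-matching.
is_text() {
    if command -v file >/dev/null 2>&1; then
        file -b "$1" | grep -q text
    else
        grep -Iq . "$1"
    fi
}

# Level5 style: regular file, exact size in bytes, not executable, text.
find_text_by_size() {   # usage: find_text_by_size DIR BYTES
    find "$1" -type f -size "${2}c" ! -executable 2>/dev/null |
    while IFS= read -r f; do
        if is_text "$f"; then printf '%s\n' "$f"; fi
    done
}

# Level6 style: exact size plus owner and group. 2>/dev/null hides the
# "Permission denied" noise that a search starting at / produces.
find_by_owner() {       # usage: find_by_owner DIR BYTES USER GROUP
    find "$1" -type f -size "${2}c" -user "$3" -group "$4" 2>/dev/null
}

# Constructed sandbox imitating the labyrinth: one match and three decoys.
make_sandbox() {
    d=$(mktemp -d) && mkdir "$d/maybehere00" "$d/maybehere01" || return 1
    printf '%1032s\n' secret > "$d/maybehere01/.file2"   # 1033 bytes, text
    printf '%1032s\n' decoy > "$d/maybehere00/-file1"    # 1033 bytes, text...
    chmod +x "$d/maybehere00/-file1"                     # ...but executable
    head -c 1033 /dev/zero > "$d/maybehere00/-file2"     # 1033 bytes, binary
    printf 'too short\n' > "$d/maybehere01/-file3"       # text, wrong size
    printf '%s\n' "$d"
}

# Demo: prints only the path of .file2.
sb=$(make_sandbox) && { find_text_by_size "$sb" 1033; rm -rf "$sb"; }
```

On the real server the Level6 call would be find_by_owner / 33 bandit7 bandit6.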

There are still a lot of levels to beat… but a little break won’t harm anyone

syscall59
