OverTheWire Bandit Levels 0-18 Hints and Notes
Yulin
Posted on March 10, 2022
Table of Contents
Level 0 - SSH
Level 1 - Cat
Level 2 - Cat
Level 3 - ls
Level 4 - File
Level 5 - Find
Level 6 - Find
Level 7 - Grep
Level 8 - Piping
Level 9 - Strings
Level 10 - Base64
Level 11 - ROT13
Level 12 - Hexdump
Level 13 - SSH localhost
Level 14 - nc
Level 15 - Openssl
Level 16 - nmap, chmod
Level 17 - diff
Level 18 - pty
Level 0
The syntax for an SSH login is ssh your_username@host_ip_address, and we can specify the port using -p:
ssh bandit0@bandit.labs.overthewire.org -p 2220
Level 1
Open file called - located in the home directory
cat ./-
A bare cat - will be interpreted as reading from standard input, because - is the conventional name for it. The ./- form defines a relative path to the file, so - is treated as a file name.
Alternatively, redirect the file into cat:
cat < -
Level 2
Open file called spaces in this filename located in the home directory
cat "spaces in this filename"
or
cat spaces\ in\ this\ filename
Level 3
Find hidden file in the inhere directory
To get inside the inhere directory:
cd inhere
Hidden files are files whose names start with a dot. To display the hidden files in the current directory, we can use the -al option of ls:
ls -al
and then
cat .hidden
Level 4
Find the only human-readable file in the inhere directory
The cat command is meant for text files, i.e. human-readable ones. To find the file types of all files in the current directory:
file ./*
Spot the only ASCII text file and run cat on it.
Level 5
Find the file somewhere under the inhere directory that has all of the following properties:
human-readable
1033 bytes in size
not executable
find ./inhere -readable -size 1033c \! -executable
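Note that this command will not work with the BSD version of find, i.e. the one in the Mac terminal, because -readable and -executable are GNU extensions. Also note that -readable only tests whether the current user may read the file, not whether its content is human-readable.
Alternatively, run file on every file under inhere:
find ./inhere -type f -exec file -i {} +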
Level 6
Search for a file somewhere on the server that has all of the following properties:
owned by user bandit7
owned by group bandit6
33 bytes in size
find / -size 33c -user bandit7 -group bandit6
The suffix c in 33c indicates bytes. Other options are:
- b – 512-byte blocks (this is the default if no suffix is used)
- c – bytes
- w – two-byte words
- k – Kilobytes
- M – Megabytes
- G – Gigabytes
How to use find command to search for files based on file size
Level 7
Find the line containing the word millionth
grep --include=\*.txt -rnw . -e 'millionth'
grep stands for Global Regular Expression Print. It has these options:
- -r or -R is recursive
- -n is line number
- -w stands for match the whole word
- -l (lower-case L) can be added to just give the file name of matching files
- -e is the pattern used during the search
Along with these, the --exclude, --include and --exclude-dir flags can be used.
How do I find all files containing specific text on Linux?
Level 8
Find the only line of text that occurs only once in data.txt
sort data.txt | uniq -u
The sort command outputs the contents of data.txt in lexicographical order, and that output is sent through the pipe to uniq. The -u option makes uniq print only the lines that are not repeated.
uniq isn't able to detect duplicate lines unless they are adjacent to each other. The content of the file must therefore be sorted before using uniq.
Whenever we use redirection or piping, the data is sent anonymously, so the output doesn't include the file name.
- > saves output to a file.
- >> appends output to a file.
- < reads input from a file.
- 2> redirects error messages.
- | sends the output from one program as input to another program.
Level 9
Find one of the few human-readable strings in data.txt, preceded by several ‘=’ characters
strings data.txt | grep "="
Simply using grep on the file will not work in this case, because the file content is a cluster of words with no newlines. The strings command differs from cat in that it ignores blank lines and only prints sequences of 4 or more printable characters. Try echo abc | strings on the terminal.
Level 10
Decode data.txt, which contains base64 encoded data
base64 --decode data.txt
Level 11
ROT13 ("rotate by 13 places", sometimes hyphenated ROT-13) is a simple letter substitution cipher that replaces a letter with the 13th letter after it in the alphabet. ROT13 is a special case of the Caesar cipher which was developed in ancient Rome.
Because there are 26 letters (2×13) in the basic Latin alphabet, ROT13 is its own inverse; that is, to undo ROT13, the same algorithm is applied, so the same action can be used for encoding and decoding.
Restore data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions
cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'
or
alias rot13="tr 'A-Za-z' 'N-ZA-Mn-za-m'"
cat data.txt | rot13
tr stands for translate; it translates or deletes characters. Here tr replaces each letter in set one, A-Za-z (both upper and lower case), with the corresponding letter in set two, i.e. A will be replaced with N, Z replaced by M and so on.
Level 12
Hexdump is a utility that displays the contents of binary files in hexadecimal (Base16), decimal (Base10), octal (Base8), or ASCII.
You can use hexdump to view the contents of a file, especially when it contains non-printable characters, e.g., an image. Try hexdump --canonical foo.png on the terminal and see what happens.
Restore the file data.txt, which is a hexdump of a file that has been repeatedly compressed
cat data.txt | xxd -r > data
xxd is a Linux command that creates a hexdump of a given file or standard input. It can also convert a hexdump back to its original binary form with the -r option. Here we pipe the output of cat into the reverse hexdump and redirect the result to a new file called data.
file data
The file command displays the format of the new file, and in this exercise there are three types of compression formats used:
- gzip compressed data, has file extension .gz
- POSIX tar archive (GNU), has file extension .tar
- bzip2 compressed data, has file extension .bz
Depending on what format the file command tells us the current file is, we need to use the corresponding decompression command. Before we can apply the decompression, the file has to be renamed with the correct file extension, because the system can't guess the original name for the file.
Take gzip as an example. Use mv to rename the file:
mv data data.gz
Decompress the data.gz file:
gzip -d data.gz
gzip replaces the input file with the decompressed file; you should see the new file without the .gz extension.
Repeat the process of running file on the decompressed output until the resulting format is ASCII text (at which point you will see it is an RSA .key file; you can log in with the ssh private key).
Here are the decompression commands:
gzip -d file.gz
bzip2 -d file.bz
tar -xf file.tar
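The identify, decompress, repeat loop described above, scripted as an added example that is not part of the original post. It recognises each layer by its magic bytes instead of reading the output of file, and it goes beyond the manual steps by handling the layers in any order. The function names and the constructed sample are assumptions; on the real exercise, pass it the binary produced by xxd -r.

```sh
#!/bin/sh
# Added example, not from the original post. layer_type, peel_layers and
# make_sample are hypothetical names. Layers are recognised by magic bytes
# (which file(1) also keys on), so only od, dd, gzip, bzip2 and tar are needed.

layer_type() {
    magic=$(od -An -tx1 -N3 "$1" | tr -d ' \n')
    case $magic in
        1f8b*)  echo gzip;  return ;;
        425a68) echo bzip2; return ;;          # ASCII "BZh"
    esac
    # A tar header stores "ustar" (75 73 74 61 72) at byte offset 257.
    ustar=$(dd if="$1" bs=1 skip=257 count=5 2>/dev/null | od -An -tx1 | tr -d ' \n')
    if [ "$ustar" = "7573746172" ]; then echo tar; else echo plain; fi
}

# Peel every layer off a copy of $1 in a scratch directory and print the
# innermost content. Assumes each tar layer holds a single member.
peel_layers() {
    work=$(mktemp -d) || return 1
    cp "$1" "$work/cur" || return 1
    i=0
    while [ "$i" -lt 50 ]; do                  # cap depth: input is untrusted
        i=$((i + 1))
        case $(layer_type "$work/cur") in
            gzip)  gzip  -dc "$work/cur" > "$work/next" ;;
            bzip2) bzip2 -dc "$work/cur" > "$work/next" ;;
            # -O streams the member to stdout, so archive paths never touch disk
            tar)   tar -xOf "$work/cur" > "$work/next" ;;
            plain) cat "$work/cur"; rm -rf "$work"; return 0 ;;
        esac || { rm -rf "$work"; return 1; }
        mv "$work/next" "$work/cur"
    done
    rm -rf "$work"; return 1
}

# Constructed sample: text wrapped as gzip(tar(gzip(text))).
make_sample() {
    d=$(mktemp -d) || return 1
    printf 'constructed secret\n' | gzip -c > "$d/inner"
    tar -cf "$d/mid" -C "$d" inner
    gzip -c "$d/mid" > "$d/sample"
    echo "$d/sample"
}

if [ $# -gt 0 ]; then peel_layers "$1"; else peel_layers "$(make_sample)"; fi
```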
Level 14
Submit the password of the current level to port 30000 on localhost
echo password | nc localhost 30000
Netcat (or nc) is a command-line utility that reads and writes data across network connections, using the TCP or UDP protocols.
You can open two terminals, have one listening on port 3000:
nc -l 3000
and the other opens a connection to the port:
nc localhost 3000
The two terminals can now communicate freely.
Level 15
Submit the password of the current level to port 30001 on localhost using SSL encryption
echo password | openssl s_client -ign_eof -connect localhost:30001
OpenSSL is a general purpose cryptography library that provides an open source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. The Transport Layer Security (TLS) protocol adds a layer of security on top of the TCP/IP transport protocols.
Transport Layer Security (TLS) is the successor protocol to SSL. TLS is an improved version of SSL. It works in much the same way as SSL, using encryption to protect the transfer of data and information. The s_client command implements a generic SSL/TLS client which connects to a remote host using SSL/TLS.
In this level, we are communicating over an SSL-encrypted connection. The -ign_eof option of s_client inhibits shutting down the connection when end of file is reached in the input, i.e., after we pressed enter.
Level 16
Submit the password of the current level to a port on localhost in the range 31000 to 32000
1. Find which ports are open (have a server listening)
nmap -p 31000-32000 localhost
nmap (Network Mapper) is a network scanner, used to discover hosts and services on a computer network by sending packets and analysing the responses.
Here we performed a port scan (connect to ports) in the specified range of localhost with nmap.
2. Find which open port has ssl enabled
Run the command on each open port, until one of them returns an RSA key:
openssl s_client -connect localhost:port
You can copy and save the key locally in a .key file, and log in to the next level:
ssh -i bandit17.key bandit17@bandit.labs.overthewire.org -p 2220
3. Resolve ssh "permissions are too open" error
Keys must ONLY be accessible to the user. A quick ls -l on the key file will show that user (u), group (g), and others (o) all have read permission. You can remove the read permission from group and others:
chmod g-r bandit17.key && chmod o-r bandit17.key
or remove all permissions other than user read:
chmod 400 bandit17.key
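Why the second form is the safer habit, as an added example that is not part of the original post: OpenSSH rejects a private key if any group or other permission bit is set, so removing only the read bits is not enough when the file started out with more than read access (for example mode 664 under a umask of 002). key_is_private and try_fix are hypothetical helpers, and the files are constructed empty stand-ins for a key.

```sh
#!/bin/sh
# Added example: compare the two chmod fixes on files with different
# starting modes. The temp files are constructed stand-ins, not real keys.

# Succeeds only if group and others have no permission bits at all.
# Characters 5-10 of the ls -l mode string are the group and other triplets.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Usage: try_fix START_MODE CHMOD_SPEC...
# Creates a scratch file with START_MODE, applies each chmod spec in turn,
# then prints the resulting mode string and a verdict.
try_fix() {
    start_mode=$1; shift
    f=$(mktemp) || return 1
    chmod "$start_mode" "$f"
    for spec in "$@"; do chmod "$spec" "$f"; done
    mode=$(ls -ld "$f" | cut -c1-10)
    if key_is_private "$f"; then verdict=ok; else verdict=too-open; fi
    rm -f "$f"
    echo "$mode $verdict"
}

try_fix 644 g-r o-r     # -rw------- ok
try_fix 664 g-r o-r     # -rw--w---- too-open (group write bit survives)
try_fix 664 400         # -r-------- ok
```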
Level 17
Find the only line that has been changed between passwords.old and passwords.new
diff passwords.old passwords.new
The diff command lets you compare files or directories line by line. To interpret the output from this command:
- < denotes lines from passwords.old
- > denotes lines from passwords.new
- 42c42 denotes the line number in passwords.old (number on the left) that was changed to the line in passwords.new (number on the right). The letter between the numbers is short for the actions possible on lines (d stands for deletion, a stands for adding and c stands for changing).
To see just the changed line from passwords.new in the output:
diff --changed-group-format='%>' --unchanged-group-format='' passwords.old passwords.new
Level 18
Someone has modified .bashrc to log you out when you log in with SSH
ssh -t bandit18@bandit.labs.overthewire.org -p 2220 /bin/sh
ssh creates a pseudo terminal (pty) on the remote machine, as opposed to a text terminal (tty). The ssh -t command forces the pty to be opened with the shell /bin/sh. Now we can interact with the machine normally and cat readme.
Alternatively, to get the password out in one line:
ssh -t bandit18@bandit.labs.overthewire.org -p 2220 "cat ~/readme"