OverTheWire Bandit Levels 0-18 Hints and Notes

Yulin

Posted on March 10, 2022

Table of Contents

Level 0 - SSH
Level 1 - Cat
Level 2 - Cat
Level 3 - ls
Level 4 - File
Level 5 - Find
Level 6 - Find
Level 7 - Grep
Level 8 - Piping
Level 9 - Strings
Level 10 - Base64
Level 11 - ROT13
Level 12 - Hexdump
Level 13 - SSH localhost
Level 14 - nc
Level 15 - Openssl
Level 16 - nmap, chmod
Level 17 - diff
Level 18 - pty


Level 0

The syntax for logging in over SSH is ssh your_username@host_ip_address, and we can specify the port using -p:

ssh bandit0@bandit.labs.overthewire.org -p 2220

Level 1

Open file called - located in the home directory

cat ./-

A bare cat - does not open the file: by convention, - as a file name means standard input, so cat waits for input from the terminal. The ./- form gives a relative path to the file, which cat treats as an ordinary file name.

Alternatively redirect the file to cat:

cat < -

Level 2

Open file called spaces in this filename located in the home directory

cat "spaces in this filename"

or

cat spaces\ in\ this\ filename

Level 3

Find hidden file in the inhere directory
To get inside the inhere directory:

cd inhere

Hidden files are files whose names start with a dot. To display the hidden files in current directory, we can use the -al option of ls:

ls -al

and then

cat .hidden

Level 4

Find the only human-readable file in the inhere directory
The cat command is used on text files, i.e. human readable. To find the file types of all files in current directory:

file ./*

Spot the only ASCII text file and cat it.


Level 5

Find the file somewhere under the inhere directory that has all of the following properties:

human-readable
1033 bytes in size
not executable

find ./inhere -readable -size 1033c \! -executable

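Note that this command will not work with the BSD version of find (e.g., in the Mac terminal), because -readable and -executable are GNU extensions. Also note that -readable tests whether the current user has read permission on the file, not whether its contents are text.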

Alternatively, loop through everything and file on each one:

for i in ./*; do file -i "$i"; done

Level 6

Search the server for a file that has all of the following properties:

owned by user bandit7
owned by group bandit6
33 bytes in size

find / -size 33c -user bandit7 -group bandit6

The suffix c in 33c indicates bytes, other options are:

  • b – 512-byte blocks (this is the default if no suffix is used)
  • c – bytes
  • w – two-byte words
  • k – Kilobytes
  • M – Megabytes
  • G – Gigabytes

How to use find command to search for files based on file size


Level 7

Find the line containing the word millionth

grep --include='*.txt' -rnw . -e 'millionth'

grep stands for Global Regular Expression Print. Its options include:

  • -r or -R is recursive
  • -n is line number
  • -w stands for match the whole word.
  • -l (lower-case L) can be added to just give the file name of matching files
  • -e is the pattern used during the search

Along with these, --exclude, --include, --exclude-dir flags could be used.

How do I find all files containing specific text on Linux?


Level 8

Find the only line of text that occurs only once in data.txt

sort data.txt | uniq -u

The sort command displays contents of data.txt in lexicographical order, and that output is redirected through the pipe to uniq.

uniq isn't able to detect duplicate lines unless they are adjacent to each other, so the content of the file must be sorted before using uniq. The -u option then prints only the lines that are not repeated.

Whenever we use redirection or piping, the receiving program sees only an anonymous stream of data, so its output doesn't include a file name.

  • >, save output to a file.
  • >>, append output to a file.
  • <, read input from a file.
  • 2>, redirect error messages.
  • |, send the output from one program as input to another program.

Learn Piping and Redirection


Level 9

Find one of the few human-readable strings in data.txt, preceded by several ‘=’ characters

strings data.txt | grep "="

Simply using grep on the file will not work in this case, because the file content is a cluster of words with no new lines. The strings command differs from cat in that it ignores blank lines and only prints sequences of 4 or more printable characters. Try echo abc | strings in the terminal.


Level 10

Decode data.txt, which contains base64 encoded data

base64 --decode data.txt

Level 11

ROT13 ("rotate by 13 places", sometimes hyphenated ROT-13) is a simple letter substitution cipher that replaces a letter with the 13th letter after it in the alphabet. ROT13 is a special case of the Caesar cipher which was developed in ancient Rome.
Because there are 26 letters (2×13) in the basic Latin alphabet, ROT13 is its own inverse; that is, to undo ROT13, the same algorithm is applied, so the same action can be used for encoding and decoding.

Restore data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions

cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'

or

alias rot13="tr 'A-Za-z' 'N-ZA-Mn-za-m'"
cat data.txt | rot13

tr stands for translate; it translates or deletes characters. Here tr replaces each letter in set one (A-Za-z, covering both upper and lower case) with the letter at the same position in set two, i.e. A is replaced with N, Z with M, and so on.


Level 12

Hexdump is a utility that displays the contents of binary files in hexadecimal (Base16), decimal (Base10), octal (Base8), or ASCII.
You can use hexdump to view the contents of a file especially when it contains non printable characters, e.g., an image. Try hexdump --canonical foo.png on the terminal and see what happens.

Restore the file data.txt, which is a hexdump of a file that has been repeatedly compressed

cat data.txt | xxd -r > data

xxd is a Linux command that creates a hexdump of a given file or standard input. It can also convert a hexdump back to its original binary form with the -r option. Here we pipe the output of cat to the reverse hexdump and redirect the result to a new file called data.

file data

The file command displays the format of the new file, and in this exercise there are three types of compression formats used:

  • gzip compressed data, has file extension .gz
  • POSIX tar archive (GNU), has file extension .tar
  • bzip2 compressed data, has file extension .bz

Depending on which format the file command reports for the current file, we need to use the corresponding decompression command. Before we can decompress, the file has to be renamed with the correct file extension. The system can't guess the original name of the file.

Take gzip as an example, use mv to rename file:

mv data data.gz

Decompress the data.gz file:

gzip -d data.gz

gzip replaces the input file with the decompressed file, so you should see the new file without the .gz extension.

Repeat the process of running file on the decompressed output until the resulting format is ASCII text (at which point you will see it is an RSA .key file; you can log in with the SSH private key).

Here are the decompression commands:

gzip -d file.gz
bzip2 -d file.bz
tar -xf file.tar
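
The repeat-until-text procedure above as a loop, added here as an example and not part of the original post. It identifies each layer by its magic bytes instead of renaming the file and calling file, reads tar members to stdout, and caps the nesting depth. layer_type and peel_layers are hypothetical names, and it assumes (as in this level) that each tar archive holds a single file.

```shell
#!/bin/sh
# Added example: peel nested gzip/bzip2/tar layers from the output of `xxd -r`.
# layer_type and peel_layers are hypothetical helper names, not from the post.

layer_type() {
    # Identify the format from magic bytes, the signatures `file` also looks for.
    head3=$(od -An -tx1 -N3 "$1" | tr -d ' \n')
    ustar=$(tail -c +258 "$1" | head -c 5 | tr -d '\000')  # tar magic at offset 257
    case "$head3" in
        1f8b*)  echo gzip;  return ;;
        425a68) echo bzip2; return ;;
    esac
    if [ "$ustar" = "ustar" ]; then echo tar; else echo other; fi
}

peel_layers() {
    # $1 = input file, $2 = output file; prints how many layers were removed.
    work=$(mktemp -d) || return 1
    cp "$1" "$work/cur" || return 1
    n=0
    while [ "$n" -lt 50 ]; do          # cap the depth: untrusted input may nest forever
        case "$(layer_type "$work/cur")" in
            gzip)  gzip  -dc "$work/cur" > "$work/next" ;;
            bzip2) bzip2 -dc "$work/cur" > "$work/next" ;;
            tar)   tar -xOf "$work/cur"  > "$work/next" ;;  # stdout: no archive paths hit disk
            *)     break ;;
        esac || { rm -rf "$work"; return 1; }
        mv "$work/next" "$work/cur"
        n=$((n + 1))
    done
    cp "$work/cur" "$2"
    rm -rf "$work"
    echo "$n"
}

# Usage: sh peel.sh data result
if [ "$#" -eq 2 ]; then peel_layers "$1" "$2"; fi
```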

How Hexdump Work


Level 14

Submit the password of the current level to port 30000 on localhost

echo password | nc localhost 30000

Netcat (or nc) is a command-line utility that reads and writes data across network connections, using the TCP or UDP protocols.

You can open two terminals, have one listening on port 3000:

nc -l 3000

and the other opens a connection to the port:

nc localhost 3000

The two terminals can now communicate freely.


Level 15

Submit the password of the current level to port 30001 on localhost using SSL encryption

echo password | openssl s_client -ign_eof -connect localhost:30001

OpenSSL is a general purpose cryptography library that provides an open source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. The Transport Layer Security (TLS) protocol adds a layer of security on top of the TCP/IP transport protocols.

Transport Layer Security (TLS) is the successor protocol to SSL. TLS is an improved version of SSL. It works in much the same way as the SSL, using encryption to protect the transfer of data and information. The s_client command implements a generic SSL/TLS client which connects to a remote host using SSL/TLS.

In this level, we are communicating over an SSL-encrypted connection. The -ign_eof option of s_client inhibits shutting down the connection when end of file is reached in the input, i.e., after we pressed enter.


Level 16

Submit the password of the current level to a port on localhost in the range 31000 to 32000

1. Find which ports are open (have a server listening)

nmap -p 31000-32000 localhost

nmap (Network Mapper) is a network scanner, used to discover hosts and services on a computer network by sending packets and analysing the responses.

Here we performed a port scan (connect to ports) in the specified range of localhost with nmap.

2. Find which open port has SSL enabled
Run the command on each open port, until one of them returns an RSA key:

openssl s_client -connect localhost:port

You can copy and save the key locally in a .key file, and log in to the next level:

ssh -i bandit17.key bandit17@bandit.labs.overthewire.org -p 2220

3. Resolve the ssh "permissions are too open" error
Keys must ONLY be accessible to the user. A quick ls -l on the key file will show that user (u), group (g), and others (o) all have read permission. You can remove the read permission from group and others:

chmod g-r bandit17.key && chmod o-r bandit17.key

or remove all permissions other than user read:

chmod 400 bandit17.key
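
A check for the condition behind the "permissions are too open" error, added as an example rather than taken from the original post: OpenSSH refuses a private key you own when any group or other permission bit is set. key_is_exposed and audit_keys are hypothetical names, and stat -c is the GNU/busybox form of stat.

```shell
#!/bin/sh
# Added example: find private keys whose mode would make ssh reject them.
# key_is_exposed and audit_keys are hypothetical helper names.

key_is_exposed() {
    # True when group or others hold any permission bit (mode & 077 != 0).
    mode=$(stat -c %a "$1") || return 2
    [ $(( 0$mode & 077 )) -ne 0 ]
}

audit_keys() {
    # Print every PEM/OpenSSH private key under directory $1 that is exposed.
    find "$1" -type f | while IFS= read -r f; do
        # Only consider files that start with a private-key header line.
        head -n 1 "$f" | grep -q '^-----BEGIN .*PRIVATE KEY-----' || continue
        if key_is_exposed "$f"; then echo "$f"; fi
    done
}

# Usage: sh audit_keys.sh ~/.ssh   (then chmod 400 each file it lists)
if [ "$#" -eq 1 ]; then audit_keys "$1"; fi
```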

Level 17

Find the only line that has been changed between passwords.old and passwords.new

diff passwords.old passwords.new

The diff command lets you compare files or directories line by line. To interpret the output from this command:

  • < denotes lines from passwords.old
  • > denotes lines from passwords.new
  • 42c42 denotes the line number in passwords.old (number on the left) that was changed to the line in passwords.new (number on the right). The letter between the numbers is short for the actions possible on lines (d stands for deletion, a stands for adding and c stands for changing).

To see just the changed line from passwords.new in the output:

diff --changed-group-format='%>' --unchanged-group-format='' passwords.old passwords.new

Level 18

Someone has modified .bashrc to log you out when you log in with SSH

ssh -t bandit18@bandit.labs.overthewire.org -p 2220 /bin/sh 

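ssh creates a pseudo terminal (pty) on the remote machine, as opposed to a text terminal (tty). The -t option forces a pty to be allocated even though a command is given, and /bin/sh is that command, so we get an interactive sh session instead of the interactive bash login whose .bashrc logs us out. Now we can interact with the machine normally and cat readme.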

Alternatively, to get the password out in one line:

ssh -t bandit18@bandit.labs.overthewire.org -p 2220 "cat ~/readme"