Solving OverTheWire Bandit 0-15

Introduction to Over The Wire

Over The Wire is a platform that offers a set of CTF "minigames" that help us improve our knowledge of Linux operating systems and of cybersecurity concepts. They teach us how to use different commands to reach hidden information, starting from the basics with commands such as ls and cd, and moving on to things such as .... This blog aims to be a useful guide for beginners on how to get through the whole game "Bandit", explaining how to pass each level and demonstrating how each command works, to clarify its functionality.

Level 0 Prerequisites

First we need a Linux operating system and a bash console, from which we are going to connect through ssh, to access the data ... and execute the commands necessary to solve each level.

Level 0 -> 1

To start solving this CTF, we connect to a machine over the network, using the ssh command to connect remotely to another Linux system.

After reaching each level and finding the password for the next stage, we use "exit" to close the session so that we can use SSH again with the information provided for the next stage, changing bandit# to the number of the next level (bandit0, bandit1, bandit2, ...), and @ ... and using port 2220.

 ssh bandit0@bandit.labs.overthewire.org -p 2220

When we connect, we are asked for a password. At each level, after finding the hidden flag, we copy it and use it as the password for the next level. For level 0 we just use "bandit0" as the password. Once we have access to the machine we start searching for the password: the "ls" command, which lists all the files in the directory, shows the file readme, which contains the password, so we use cat to read the file and find the first secret key.

ls ; cat readme

After executing this we get the password for the next level, so we only have to "exit" and type the ssh command again, but with bandit1 as the user instead of bandit0 and the secret key we found as the password. We repeat this process after finishing each stage to join the next one.

boJ9jbbUNNfktd78OOpsqOltutMc3MY1

Level 1 -> 2

The password for the next level is stored in a file called - located in the home directory

Here the file is named "-". If we run cat -, the command treats the character "-" as part of its own argument syntax (as in "cat -a") instead of as a file name. To specify a file whose name is "-", we can put "./" in front of it to refer to the directory we are currently in, so "./-" says that we are looking for a file named "-" in the current path.

cat ./-

The output password.

CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

Level 2 -> 3

The password for the next level is stored in a file called spaces in this filename located in the home directory

Using ls we find a file named "spaces in this filename". To write the name of a file that contains spaces between its characters, we can wrap the name in quotation marks.

cat "spaces in this filename"

The output password.

UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

Level 3 -> 4

The password for the next level is stored in a hidden file in the inhere directory.

We use cd to enter the directory named "inhere" and chain a second command after it with ";". That command is "ls" with the argument "-a", which lists all the files in the folder, including the hidden file named .hidden; we can then use cat on that file to get the password for the next level.

cd inhere ; ls -a

The output password.

pIwrPrtPN36QITSp3EQaw936yaFoFgAB

Level 4 -> 5

The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.

We will use the command cd inhere, to access the directory where the files are located and ls to list all those files.

cd inhere ; ls

There we find # files, so we need to loop through them with the "file" command to see the type of each one.

Once we know which file is ASCII text, "-file07", we can use the "cat" command on it and get the password.

The output password.

koReBOKuIDDepwhWk7jZC0RTdopnAYKh

Level 5 -> 6

The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties: human-readable, 1033 bytes in size, not executable.

To find a specific file we can use the find command and specify which type or characteristics the file or files we want must have; in this case we specify the data given in the exercise.

find . -size 1033c -type f

The output password.

DXjZPULLxYr17uwoI01bNLQbtFemEgo7

Level 6 -> 7

The password for the next level is stored somewhere on the server and has all of the following properties: owned by user bandit7, owned by group bandit6, 33 bytes in size.

We use the find command again, specifying the given data as arguments: "type file / user bandit7 / group bandit6 / size 33 bytes".

find / -type f -user bandit7 -group bandit6 -size 33c

The output password.

HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

Level 7 -> 8

The password for the next level is stored in the file data.txt next to the word millionth.

We have a very long file, data.txt, in which we need to find the password written after a specific word. Since the file is too long to read, an easy way to find the word we are looking for is to combine the "strings" or "cat" command with "grep". This last command finds the line that contains the text and shows it, so after the command we specify, in quotation marks, the string we are looking for inside the file.

strings data.txt | grep "millionth"

The output password.

cvX2JJa4CFALtqS87jk27qwqGhBM9plV

Level 9 -> 10

The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.

strings data.txt | grep "=="

The output password.

truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk

Level 10 -> 11

The password for the next level is stored in the file data.txt, which contains base64 encoded data.

We print the data with cat and then decode it using base64 -d.

cat data.txt | base64 -d

The output password.

IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

Level 11 -> 12

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions.

As mentioned in the exercise, the pattern is the same as A-Z but moved 13 positions, which means that A is equal to N.

The tr command lets us write the original sequence as the first argument and, as the second argument, the sequence we want to get from the original one.

cat data.txt | tr "A-Za-z" "N-ZA-Mn-za-m"

The output password.

5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

Level 12 -> 13

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!).

We start by creating a new directory and copying the file into it so that we can make modifications, since we do not have permission to modify anything in the default directory.

mkdir /tmp/bandit
cp data.txt /tmp/bandit
cd /tmp/bandit

We convert this file from a hexdump back to binary using xxd -r.

xxd -r data.txt data

This gives us a new file named data; running the file command on it returns the following output.

data: gzip compressed data, was "data2.bin", last modified: Thu May 7 18:14:30 2020, max compression, from Unix

Now we know it is a gzip file, so we give it the matching extension to be able to uncompress it, and we repeat this same process until we finish.

mv data data.gz
gzip -d data.gz
file data

data: bzip2 compressed data, block size = 900k

mv data data.bz2
bzip2 -d data.bz2
file data

data: gzip compressed data, was "data4.bin", last modified: Thu May 7 18:14:30 2020, max compression, from Unix

mv data data.gz
gzip -d data.gz
file data

data: POSIX tar archive (GNU)

mv data data.tar
tar xvf data.tar data5.bin
file data5.bin

data5.bin: POSIX tar archive (GNU)

mv data5.bin data5.tar
tar xvf data5.tar data6.bin
file data6.bin

data6.bin: bzip2 compressed data, block size = 900k

mv data6.bin data6.tar
tar xvf data6.tar data7.bin
file data7.bin

data7.bin: gzip compressed data, was "data9.bin", last modified: Thu May 7 18:14:30 2020, max compression, from Unix

mv data7.bin data7.gz
gzip -d data7.gz
file data7

data7: ASCII text

After printing the content of data7, the resulting password is:

8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
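
The rename-and-decompress routine above can be automated. This is an added example, not part of the original walkthrough: the function names kind, unwrap and make_sample and the sample secret are constructed for illustration, and unwrap expects the binary produced by xxd -r as its input. It identifies each layer by its magic bytes, so no renaming is needed, and it extracts tar members to stdout so archive member names are never written to disk.

```shell
#!/bin/sh
# Added example, not from the original post: peel gzip/bzip2/tar layers.
# kind FILE -> gzip | bzip2 | tar | data, from the magic bytes `file` keys on.
kind() {
    magic=$(od -An -tx1 -N3 "$1" | tr -d ' \n')
    ustar=$(od -An -c -j257 -N5 "$1" 2>/dev/null | tr -d ' \n')
    case $magic in
        1f8b*)  echo gzip ;;
        425a68) echo bzip2 ;;
        *)      if [ "$ustar" = ustar ]; then echo tar; else echo data; fi ;;
    esac
}

# unwrap FILE: peel layers in a private temp dir and print the final payload.
unwrap() {
    work=$(mktemp -d) || return 1
    cp "$1" "$work/cur"
    n=0
    while [ "$n" -lt 20 ]; do   # layer cap: crafted nesting must not loop forever
        n=$((n + 1))
        case $(kind "$work/cur") in
            gzip)  gzip -dc  < "$work/cur" > "$work/next" ;;
            bzip2) bzip2 -dc < "$work/cur" > "$work/next" ;;
            tar)   tar -xOf "$work/cur" > "$work/next" ;;  # single-member archives
            *)     cat "$work/cur"; rm -rf "$work"; return 0 ;;
        esac || break
        mv "$work/next" "$work/cur"
    done
    rm -rf "$work"; return 1
}

# make_sample OUT LAYER...: wrap a constructed secret, innermost layer first.
make_sample() {
    out=$1; shift
    d=$(mktemp -d) || return 1
    printf 'The password is CONSTRUCTED-EXAMPLE\n' > "$d/p"
    for layer in "$@"; do
        case $layer in
            gzip)  gzip -c  "$d/p" > "$d/q" ;;
            bzip2) bzip2 -c "$d/p" > "$d/q" ;;
            tar)   tar -cf "$d/q" -C "$d" p ;;
        esac
        mv "$d/q" "$d/p"
    done
    mv "$d/p" "$out"; rm -rf "$d"
}

s=$(mktemp) && make_sample "$s" gzip tar tar gzip && unwrap "$s"; rm -f "$s"  # demo
```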

Level 13 -> 14

The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on.

We can connect to localhost thanks to the SSH key; to use this key we pass it with the -i option of our ssh command, like this.

ssh -i sshkey.private bandit14@localhost

This logs us in as the bandit14 user. Now we can view the content stored in /etc/bandit_pass/bandit14, and since we are now the user bandit14 we are allowed to run this command.

cat /etc/bandit_pass/bandit14

The output password.

4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

Level 14 -> 15

Netcat

nc localhost 30000

The output password.

BfMYroe26WYalil77FoDi9qh59eK5xNr