Over The Wire - Bandit 0 through 10

The following solutions are for the first 10 levels of “Bandit”. Use the following solutions as a reference, and compare them to your own answers. If you get stuck, try to google around, or read the Further Reading sections before looking at my solutions. This way, you will have a better understanding of the concepts and solutions, than with a monkey-sees-monkey-does approach.

With that said...Let's begin!

Level 0

The zero level is pretty easy, all we need to do is to connect to the Bandit lab.

To get to level 90, we simply need to connect with ssh into Bandit. To do that we are going to use the username bandit0 and password bandit0.

We are also going to pass the -p option, to use the port 2220

ssh bandit0@bandit.labs.overthewire.org -p 2220

Congrats! You have accessed Bandit and are in the SSH Shell!

Further Reading

• How Does SSH Work
• What Is SSH

Level 0 -> 1

The password for the next level is stored in a file called readme located in the home directory.

First we are going to use the ls command to locate the file, and then open the file using the cat command.

bandit0@bandit:~$ ls
readme
bandit0@bandit:~$ cat readme
boJ9jbbUNNfktd78OOpsqOltutMc3MY1

Now you can type exit in order to close the ssh shell. Next, we are going to ssh back into the next level.

ssh bandit1@bandit.labs.overthewire.org -p 2220

Further Reading

• ls Command Manual
• cat Command Manual

Level 1 -> 2

The password for the next level is stored in a file called - located in the home directory.

First, we are going to use the ls command to locate the file

ls
-

Now, if we try to open the file using the cat command, the command will start to display the data we type in the password since - as an argument refers to STDIN/STDOUT.

cat -
sdsdf
sdsdf

^C

In order to open the file, we need to use the relative path.

cat ./-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

Further Reading

• How to open a f “-” dashed filename using terminal?
• Usage of dash (-) in place of a filename

Level 2 -> 3

The password for the next level is stored in a file called spaces in this filename, located in the home directory.

ls
spaces in this filename

If we try to use the cat command, we will get the following error:

cat spaces in this filename
cat: spaces: No such file or directory
cat: in: No such file or directory
cat: this: No such file or directory
cat: filename: No such file or directory

The cat command will try to open each word in the filename as a different file and will crash since there are no such files in the directory. In order to cat the file, we need to enclose the filename in double-quotes (")

cat "spaces in this filename"
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

Further Reading

• How do I enter a file or directory with special characters in its name?
• How to Read a Filename with Spaces in Linux

Level 3 -> 4

The password for the next level is stored in a hidden file in the inhere directory.

First, we need to navigate to the inhere directory.

ls
inhere

cd inhere/

Now, if we run ls in the inhere directory, we will see nothing, since the file is hidden.
So we will run ls with the -a option, show we can view hidden files.

ls -a
.  ..  .hidden

cat .hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB

Further Reading

• Bash Shell: Display All Hidden Dot Files In a Directory
• Listing Hidden Files and Folders

Level 4 -> 5

The password for the next level is stored in the only human-readable file in the inhere directory.

First, we are going to list all files in the inhere directory.

 ls -Ral
.:
total 24
drwxr-xr-x  3 root root 4096 May  7 20:14 .
drwxr-xr-x 41 root root 4096 May  7 20:14 ..
-rw-r--r--  1 root root  220 May 15  2017 .bash_logout
-rw-r--r--  1 root root 3526 May 15  2017 .bashrc
drwxr-xr-x  2 root root 4096 May  7 20:15 inhere
-rw-r--r--  1 root root  675 May 15  2017 .profile

./inhere:
total 48
drwxr-xr-x 2 root    root    4096 May  7 20:15 .
drwxr-xr-x 3 root    root    4096 May  7 20:14 ..
-rw-r----- 1 bandit5 bandit4   33 May  7 20:14 -file00
-rw-r----- 1 bandit5 bandit4   33 May  7 20:14 -file01
-rw-r----- 1 bandit5 bandit4   33 May  7 20:14 -file02
-rw-r----- 1 bandit5 bandit4   33 May  7 20:14 -file03
-rw-r----- 1 bandit5 bandit4   33 May  7 20:14 -file04
-rw-r----- 1 bandit5 bandit4   33 May  7 20:14 -file05
-rw-r----- 1 bandit5 bandit4   33 May  7 20:15 -file06
-rw-r----- 1 bandit5 bandit4   33 May  7 20:15 -file07
-rw-r----- 1 bandit5 bandit4   33 May  7 20:15 -file08
-rw-r----- 1 bandit5 bandit4   33 May  7 20:15 -file09

Since the file is in a readable format, we are going to display all readable strings in these files.

strings inhere/-file*
!TQO
koReBOKuIDDepwhWk7jZC0RTdopnAYKh

Further Reading

• strings man page
• Linux Strings Command Examples

Level 5 -> 6

The password for the next level is stored in a file somewhere under the inhere directory and its human-readable, 1033 bytes in size and not executable.

First of all, let's see what the inhere directory contains

cd inhere
ls -la
total 88
drwxr-x--- 22 root bandit5 4096 May  7 20:15 .
drwxr-xr-x  3 root root    4096 May  7 20:15 ..
drwxr-x---  2 root bandit5 4096 May  7 20:15 maybehere00
drwxr-x---  2 root bandit5 4096 May  7 20:15 maybehere01
drwxr-x---  2 root bandit5 4096 May  7 20:15 maybehere02
drwxr-x---  2 root bandit5 4096 May  7 20:15 maybehere03
drwxr-x---  2 root bandit5 4096 May  7 20:15 maybehere04
drwxr-x---  2 root bandit5 4096 May  7 20:15 maybehere05
drwxr-x---  2 root bandit5 4096 May  7 20:15 maybehere06
drwxr-x---  2 root bandit5 4096 May  7 20:15 maybehere07
drwxr-x---  2 root bandit5 4096 May  7 20:15 maybehere08
drwxr-x---  2 root bandit5 4096 May  7 20:15 maybehere09
drwxr-x---  2 root bandit5 4096 May  7 20:15 maybehere10
drwxr-x---  2 root bandit5 4096 May  7 20:15 maybehere11
drwxr-x---  2 root bandit5 4096 May  7 20:15 maybehere12
drwxr-x---  2 root bandit5 4096 May  7 20:15 maybehere13
drwxr-x---  2 root bandit5 4096 May  7 20:15 maybehere14
drwxr-x---  2 root bandit5 4096 May  7 20:15 maybehere15
drwxr-x---  2 root bandit5 4096 May  7 20:15 maybehere16
drwxr-x---  2 root bandit5 4096 May  7 20:15 maybehere17
drwxr-x---  2 root bandit5 4096 May  7 20:15 maybehere18
drwxr-x---  2 root bandit5 4096 May  7 20:15 maybehere19

So we have directories, within directories, within directories... A brute force approach would be feasible, but highly inefficient.

This time we are going to use the find command. We now that the file is somewhere under the inhere directory, so we will use the current directory (represented as a dot, .) for our search. We know that we are looking for a file, so we will use the file option (-type f). Also the file is readable (so -readable) and not executable (so ! -executable). Finally, the file is 1033 bytes long (so -size 1033c).

find . -type f -readable ! -executable -size 1033c
./inhere/maybehere07/.file2

cat ./inhere/maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7

Further reading

• Linux Tips: find all files of a particular size
• UNIX commands - find
• find man page

Level 6 -> 7

The password for the next level is stored somewhere on the server and has the following properties. It is owned by user bandit7, it is owned by group bandit6 and it is 33 bytes in size.

So, the file is located somewhere in the server. For that reason, we are going to use the root (/) directory. The file is owned by user bandit7, so we will use the -user option, and by group bandit6, so we are going for the -group option. Also, the file is of a specific size, so we will use the -size option.

Also, since we are searching from the root, we are inevitably going to try directories that we don't have access to. In order to not get spammed from error messages, we are also going to add the 2>/dev/null directive.

The > operator redirects the output to a file or a device. The 2> redirects the stderr. The /dev/null part is the null device that takes any input and throws it away.

So the 2>/dev/null redirects the stderror to a black hole never to be seen again.

find / -user bandit7 -group bandit6 -size 33c 2>/dev/null
/var/lib/dpkg/info/bandit7.password

cat /var/lib/dpkg/info/bandit7.password
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

Further reading

• What does 2>/dev/null mean?
• Linux / Unix Find All The Files Owned By a Particular User / Group

Level 7 -> 8

The password for the next level is stored in the file data.txt next to the word millionth.

For this challenge, we are going to make use of the grep command. The grep command prints all lines that match a specific pattern. In our case, the pattern is the word millionth.

ls
data.txt

cat data.txt | grep "millionth"
millionth       cvX2JJa4CFALtqS87jk27qwqGhBM9plV

Further Reading

• grep man pages
• Pipe, Grep and Sort Command in Linux/Uniz with Examples

Level 8-> 9

The password for the next level is stored in a file data.txt and is the only line that occurs only once.

For this challenge, we are going to use the uniq command. This command returns the line or lines that appear only once. But the uniq command, only checks adjacent lines, so we first need to sort the file, in order for our command to work.

ls
data.txt

cat data.txt | sort | uniq -u
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

Further Reading

• sort man pages
• uniq man pages
• Bash Script: count unique lines in file

Level 9 -> 10

The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.

We know that the file contains a few human-readable strings, so we are going to use the strings command in order to find them. Then, we are going to use grep to filter out all lines that don't contain the = symbol

ls
data.txt

strings data.txt | grep "="
========== the*2i"4
=:G e
========== password
<I=zsGi
Z)========== is
A=|t&E
Zdb=
c^ LAh=3G
*SF=s
&========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
S=A.H&^

That's all for now! Thanks for reading!