The following solutions are for the first 10 levels of “Bandit”. Use the following solutions as a reference, and compare them to your own answers. If you get stuck, try to google around, or read the Further Reading
sections before looking at my solutions. This way, you will have a better understanding of the concepts and solutions, than with a monkey-sees-monkey-does approach.
With that said...Let's begin!
Level 0
The zero level is pretty easy, all we need to do is to connect to the Bandit lab.
To get to level 90, we simply need to connect with ssh into Bandit. To do that we are going to use the username bandit0 and password bandit0.
We are also going to pass the -p
option, to use the port 2220
ssh bandit0@bandit.labs.overthewire.org -p 2220
Congrats! You have accessed Bandit and are in the SSH Shell!
Further Reading
Level 0 -> 1
The password for the next level is stored in a file called readme located in the home directory.
First we are going to use the ls
command to locate the file, and then open the file using the cat
command.
bandit0@bandit:~$ ls
readme
bandit0@bandit:~$ cat readme
boJ9jbbUNNfktd78OOpsqOltutMc3MY1
Now you can type exit
in order to close the ssh shell. Next, we are going to ssh
back into the next level.
ssh bandit1@bandit.labs.overthewire.org -p 2220
Further Reading
Level 1 -> 2
The password for the next level is stored in a file called - located in the home directory.
First, we are going to use the ls
command to locate the file
ls
-
Now, if we try to open the file using the cat
command, the command will start to display the data we type in the password since - as an argument refers to STDIN/STDOUT.
cat -
sdsdf
sdsdf
^C
In order to open the file, we need to use the relative path.
cat ./-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
Further Reading
Level 2 -> 3
The password for the next level is stored in a file called spaces in this filename, located in the home directory.
ls
spaces in this filename
If we try to use the cat command, we will get the following error:
cat spaces in this filename
cat: spaces: No such file or directory
cat: in: No such file or directory
cat: this: No such file or directory
cat: filename: No such file or directory
The cat
command will try to open each word in the filename as a different file and will crash since there are no such files in the directory. In order to cat
the file, we need to enclose the filename in double-quotes ("
)
cat "spaces in this filename"
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
Further Reading
- How do I enter a file or directory with special characters in its name?
- How to Read a Filename with Spaces in Linux
Level 3 -> 4
The password for the next level is stored in a hidden file in the inhere directory.
First, we need to navigate to the inhere directory.
ls
inhere
cd inhere/
Now, if we run ls
in the inhere
directory, we will see nothing, since the file is hidden.
So we will run ls
with the -a
option, show we can view hidden files.
ls -a
. .. .hidden
cat .hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB
Further Reading
Level 4 -> 5
The password for the next level is stored in the only human-readable file in the inhere directory.
First, we are going to list all files in the inhere
directory.
ls -Ral
.:
total 24
drwxr-xr-x 3 root root 4096 May 7 20:14 .
drwxr-xr-x 41 root root 4096 May 7 20:14 ..
-rw-r--r-- 1 root root 220 May 15 2017 .bash_logout
-rw-r--r-- 1 root root 3526 May 15 2017 .bashrc
drwxr-xr-x 2 root root 4096 May 7 20:15 inhere
-rw-r--r-- 1 root root 675 May 15 2017 .profile
./inhere:
total 48
drwxr-xr-x 2 root root 4096 May 7 20:15 .
drwxr-xr-x 3 root root 4096 May 7 20:14 ..
-rw-r----- 1 bandit5 bandit4 33 May 7 20:14 -file00
-rw-r----- 1 bandit5 bandit4 33 May 7 20:14 -file01
-rw-r----- 1 bandit5 bandit4 33 May 7 20:14 -file02
-rw-r----- 1 bandit5 bandit4 33 May 7 20:14 -file03
-rw-r----- 1 bandit5 bandit4 33 May 7 20:14 -file04
-rw-r----- 1 bandit5 bandit4 33 May 7 20:14 -file05
-rw-r----- 1 bandit5 bandit4 33 May 7 20:15 -file06
-rw-r----- 1 bandit5 bandit4 33 May 7 20:15 -file07
-rw-r----- 1 bandit5 bandit4 33 May 7 20:15 -file08
-rw-r----- 1 bandit5 bandit4 33 May 7 20:15 -file09
Since the file is in a readable format, we are going to display all readable strings
in these files.
strings inhere/-file*
!TQO
koReBOKuIDDepwhWk7jZC0RTdopnAYKh
Further Reading
Level 5 -> 6
The password for the next level is stored in a file somewhere under the inhere directory and its human-readable, 1033 bytes in size and not executable.
First of all, let's see what the inhere directory contains
cd inhere
ls -la
total 88
drwxr-x--- 22 root bandit5 4096 May 7 20:15 .
drwxr-xr-x 3 root root 4096 May 7 20:15 ..
drwxr-x--- 2 root bandit5 4096 May 7 20:15 maybehere00
drwxr-x--- 2 root bandit5 4096 May 7 20:15 maybehere01
drwxr-x--- 2 root bandit5 4096 May 7 20:15 maybehere02
drwxr-x--- 2 root bandit5 4096 May 7 20:15 maybehere03
drwxr-x--- 2 root bandit5 4096 May 7 20:15 maybehere04
drwxr-x--- 2 root bandit5 4096 May 7 20:15 maybehere05
drwxr-x--- 2 root bandit5 4096 May 7 20:15 maybehere06
drwxr-x--- 2 root bandit5 4096 May 7 20:15 maybehere07
drwxr-x--- 2 root bandit5 4096 May 7 20:15 maybehere08
drwxr-x--- 2 root bandit5 4096 May 7 20:15 maybehere09
drwxr-x--- 2 root bandit5 4096 May 7 20:15 maybehere10
drwxr-x--- 2 root bandit5 4096 May 7 20:15 maybehere11
drwxr-x--- 2 root bandit5 4096 May 7 20:15 maybehere12
drwxr-x--- 2 root bandit5 4096 May 7 20:15 maybehere13
drwxr-x--- 2 root bandit5 4096 May 7 20:15 maybehere14
drwxr-x--- 2 root bandit5 4096 May 7 20:15 maybehere15
drwxr-x--- 2 root bandit5 4096 May 7 20:15 maybehere16
drwxr-x--- 2 root bandit5 4096 May 7 20:15 maybehere17
drwxr-x--- 2 root bandit5 4096 May 7 20:15 maybehere18
drwxr-x--- 2 root bandit5 4096 May 7 20:15 maybehere19
So we have directories, within directories, within directories... A brute force approach would be feasible, but highly inefficient.
This time we are going to use the find
command. We now that the file is somewhere under the inhere
directory, so we will use the current directory (represented as a dot, .
) for our search. We know that we are looking for a file, so we will use the file option (-type f
). Also the file is readable (so -readable
) and not executable (so ! -executable
). Finally, the file is 1033 bytes long (so -size 1033c
).
find . -type f -readable ! -executable -size 1033c
./inhere/maybehere07/.file2
cat ./inhere/maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7
Further reading
Level 6 -> 7
The password for the next level is stored somewhere on the server and has the following properties. It is owned by user bandit7, it is owned by group bandit6 and it is 33 bytes in size.
So, the file is located somewhere in the server. For that reason, we are going to use the root (/
) directory. The file is owned by user bandit7, so we will use the -user
option, and by group bandit6, so we are going for the -group
option. Also, the file is of a specific size, so we will use the -size
option.
Also, since we are searching from the root, we are inevitably going to try directories that we don't have access to. In order to not get spammed from error messages, we are also going to add the 2>/dev/null
directive.
The >
operator redirects the output to a file or a device. The 2>
redirects the stderr. The /dev/null
part is the null device that takes any input and throws it away.
So the 2>/dev/null
redirects the stderror to a black hole never to be seen again.
find / -user bandit7 -group bandit6 -size 33c 2>/dev/null
/var/lib/dpkg/info/bandit7.password
cat /var/lib/dpkg/info/bandit7.password
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
Further reading
Level 7 -> 8
The password for the next level is stored in the file data.txt next to the word millionth.
For this challenge, we are going to make use of the grep
command. The grep
command prints all lines that match a specific pattern. In our case, the pattern is the word millionth
.
ls
data.txt
cat data.txt | grep "millionth"
millionth cvX2JJa4CFALtqS87jk27qwqGhBM9plV
Further Reading
Level 8-> 9
The password for the next level is stored in a file data.txt and is the only line that occurs only once.
For this challenge, we are going to use the uniq
command. This command returns the line or lines that appear only once. But the uniq
command, only checks adjacent lines, so we first need to sort the file, in order for our command to work.
ls
data.txt
cat data.txt | sort | uniq -u
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
Further Reading
Level 9 -> 10
The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.
We know that the file contains a few human-readable strings, so we are going to use the strings
command in order to find them. Then, we are going to use grep
to filter out all lines that don't contain the =
symbol
ls
data.txt
strings data.txt | grep "="
========== the*2i"4
=:G e
========== password
<I=zsGi
Z)========== is
A=|t&E
Zdb=
c^ LAh=3G
*SF=s
&========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
S=A.H&^
That's all for now! Thanks for reading!
Top comments (0)