OverTheWire Bandit Levels Explained


These were basically just my notes from each level that I figured I’d post just in case other people got stuck on a level or if I wanted to look back to these. Overall completing all of the levels was certainly a grind but there were plenty of nights where I just couldn’t stop cause I was having loads of fun. My linux skills honestly sky rocketed from working on these levels and I certainly think this is a super great way to get hands on experience with linux boxes. Hope you guys enjoy the levels as much as I did and good luck!

Bandit – understanding and utilizing basic linux commands

Level 0 –
install whatever SSH client you would like and set the host name to the lab address and the port number to what is mentioned in the instructions. At the time I am doing this the host name is bandits.labs.overthewire.org with port number 2220. Simply select open and you are all done.

Level 0 -> 1 –
The next step is to find the file called “readme” inside the home directory. This is just a couple simple linux terminal commands. There are a ton of ways to do this, but I simply just went to the directory /home/bandit0 and then used the cat command to read the file by typing “cat readme”. We then get the password for the next level. boJ9jbbUNNfktd78OOpsqOltutMc3MY1

We must first leave our ssh session and start it up again but this time using bandit1 as the username and the password from the last level as our password. This is important because things like file permissions are changed depending on the level you are accessing.

Level 1 -> 2 –
For this level we simply do the same thing, however you will notice that you can’t use the command “cat –“ because the character – is a special character commonly used in the terminal. Therefore, we must place ./ before the character to tell the terminal that what we are entering is an actual character and not a special character. We then get the password for this level. CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

Level 2 -> 3 –
This level is yet again the same thing, hopefully you guys have caught on by now and are a little more comfortable with using the linux terminal. The only difference here is that there are spaces in the filename. Similarly how we had to put a ./ in the last level we now have to put a / before every space. This tells the terminal that we are inserting a space and it is not a parameter or command option. We then get UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

Level 3 -> 4 –
This is probably starting to get boring for you all as well… Anyways this is the same thing however the password is in a hidden file as we are told. To find the name of the hidden file we simply use the ls command appended with a -a. For example “ls -a” we then see the filename “.hidden” which we then use cat to find the password. pIwrPrtPN36QITSp3EQaw936yaFoFgAB

Level 4 -> 5 –
Let’s do this yet again. So we go to the inhere directory and then we see there are 10 different files. Well, we know the password is in the only human-readable file and we know we can view the filetypes of these files using the “file” command. What we can do here is use the command “file ./*” to see the filetypes of all the files in the directory. We add the “./” because the filenames start with a “-“ and we know from earlier that this is a special character. For me the filename that contained the password was “-file07”  koReBOKuIDDepwhWk7jZC0RTdopnAYKh

Level 5 -> 6 –
So we have three different properties of the file that contains the password. The file size is something that is specific and not many files if any should share the same file size. Therefore, we can use the find command. By going to the inhere directory and doing “find -size 1033c” we will learn the path to the password. Mine is in /maybehere07/.file2 and using cat I got the password. If you look at the ls command you will not find a .file2 document. This is because the . tells us that the file is hidden. If you want to see that file you would do the command “ls -a” DXjZPULLxYr17uwoI01bNLQbtFemEgo7

Level 6 -> 7 –
Here we are going to use the find command with a couple extra parameters. Go ahead and try each parameter by itself so you get an understanding of what they do but it is sort of self-explanatory. The command I used is “find / -group bandit6 -user bandit7 -size 33c 2>/dev/null” What this is doing is searching all directories starting from root but then with the parameters group and user I am only telling it to search in the group bandit6 and under the user bandit7. Then we define the size of file we are looking for once again using “c” to represent bytes.  The last part is a bit confusing to a beginner, if you try the find command without it you will notice a lot of permission denied errors as well as some file not available errors. We use “2>” to tell the terminal we are redirecting stderr which are the error statements we are receiving. We then add “/dev/null” which is a null device that takes inputs that we want thrown away. I found the password in the directory “./var/lib/dpkg/info/bandit7.password” we see the name has a special character in it, what does that mean when we are using the cat command? HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

Level 7 -> 8 –
We will now learn the grep command. Grep allows us to search through text files and will print requested info from the file to the terminal. For this level we will go to the directory that contains the data.txt file and then use “grep “millionth” data.txt” What we are doing here is searching the data.txt file for the word “millionth” and it will return the password. cvX2JJa4CFALtqS87jk27qwqGhBM9plV

Level 8 -> 9 –
This level was kind of frustrating. We know the password is only listed once in the data.txt file. Our first idea should be to use the uniq command but, we know that the uniq command only declares a value a duplicate when it is adjacent to its duplicate. For this example they are certainly not adjacent initially, therefore we use the sort command. I initially was certain the “sort -u data.txt” command would do the trick but I was sadly mistaken. The command that I used to obtain the password is “sort data.txt | uniq -u” This simply sorts the file and then utilizes the uniq command and we get UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

level 9 -> 10 –
I didn’t really feel like working on a better way to do this but my method was to simply use the grep command. I used “grep -a -I “=” data.txt” What this does is return the data.txt file and then highlights the “=” character. I simply looked through for the password after the highlighted characters. truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk

level 10 -> 11 –
This level is simple, we are really just seeing what the base64 command does. We are taking a base64 encoded message (The data.txt file) and decoding it by using the base64 command. Simply do “base64 -d data.txt” as you can probably guess the “-d” is for decode. IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

level 11 -> 12 –
The tr command or translate command allows us to complete functions such as rotate characters. In this level we need to rotate all characters 13 positions. Of course, there are tons of other ways to do this such as manually writing it out or plugging it into a web application. The method I used to solve this in the linux terminal was with “cat data.txt | tr ‘A-Za-z’ ‘N-ZA-Mn-za-m’” and we get the password in plain text. 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

level 12 -> 13 –
Things get a bit interesting on this level. We have to pay attention to a few things here; the first is that the initial txt file is a hex dump, and the other is that it has been repeatedly compressed. Now to create a hexdump version of a file we would use the linux command “xxd ‘filename’” and to reverse this operation we would use “xxd -r filename” and this gives us the binary form. Pretty simple however, since this file has been repeatedly compressed we must find a way to decompress it to its original state. Let’s start by getting the binary form of data.txt by doing the command “xxd -r data.txt datab.bin” This is simply converting the hex dump to its binary state and saving the output of the conversion to a file named “datab.bin”. However, we cannot create files in the bandit12 directory therefore we will have to make a new directory in the tmp by doing “cd /tmp” and then “mkdir namehere” and then travel to this directory by going to the root directory and typing “cd /tmp/namehere”. Then we will copy the data.txt file to this new directory by doing “cp /home/bandit12/data.txt /tmp/namehere”. Now we can create the binary version of the hex dump. If we run “file datab.bin” we can see that this file is classified as gzip compressed data. Well there is probably a better way to do this but… What I did was fairly simple. I simply used the file command to see what the compression type was and then decompressed it depending on what type of compression. If it was a gzip compression I used “gzip -d filename.gz” and if it was bzip2 than I used “bzip2 -d filename.bz2” lastly if it was a tar file I used “tar -xvf filename.tar” If you can’t get the decompression command to work make sure you are changing the extension of the file to the compression type otherwise the command won’t recognize the file as the correct type. To do this you can simply do “mv filename newFilename.whatever” Eventually you get a plain text file with the password 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

level 13 -> 14 –
As we know by reading the level there is no physical password here. However, in the bandit13 directory we get a private SSH key that can be used to log into bandit14. There is a note stating that localhost is the hostname which is the machine we are working on. So what we will use is the ssh command and indicate that we are using a file for our key and then we simply define our username details. “ssh -i sshkey.private bandit14@localhost” then you will be prompted if you want to continue and you can simply type yes and then you have completed this level. You can then read the file in “/etc/bandit_pass/bandit14” to obtain the password for this level. 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

Level 14 -> 15 –
In this level we will use the nc command, also known as netcat as well as the echo command. What we are doing is sending text to the localhost on port 30000 and the way it is configured should reply to us with the password for the next level. The way we can do this is using the echo command to provide the text to say and then use the nc command to tell it where to send it. “echo 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e | nc localhost 30000” should do the trick. Now we know echo simply prints whatever we type into the terminal. So when we echo something using ncat it will print what we put in the echo parameters to the terminal for the connection ncat created. A better way to see what we did would be to simply do them one at a time. “nc localhost 30000” you will then be connected to localhost on port 30000 and can type whatever you would like on this connection. If you type in the password from bandit14 you will once again obtain the password. BfMYroe26WYalil77FoDi9qh59eK5xNr

Level 15 -> 16 –
For this level we are doing pretty much the same thing as level 14 however over a secure connection. We want to use ssl encryption to talk to localhost on port 30001. To do this we will use openssl and s_client. “openssl s_client -connect localhost:30001” This command connects to the s_client using openssl and allows us to insert the password for this level in order to get the password for the next level. The issue here is that when we insert this command we do not get the password. This is because of the details in the manual page under “CONNECTED COMMANDS” which I have pasted below.

If a connection is established with an SSL server then any data received from the server is displayed and any key presses will be sent to the server. When used interactively (which means neither -quiet nor -ign_eof have been given), the session will be renegotiated if the line begins with an R, and if the line begins with a Q or if end of file is reached, the connection will be closed down.”

To get the password, we will have to append our command with -ign_eof to ensure that the entire input is being inserted. “openssl s_client -connect localhost:30001 -ign_eof” Then insert the password from level 15 and you will get the password for the next level cluFn7wTiGryunymYOu4RcffSxQluehd

Level 16 -> 17 –
First we use nmap to determine what ports are open in the range of 31000-32000 by doing the command “nmap localhost -p 31000-32000 -sV” This returns 5 open ports but only two with an ssl service.

31046/tcp open  echo
31518/tcp open  ssl/echo
31691/tcp open  echo
31790/tcp open  ssl/unknown
31960/tcp open  echo

Now we know that the echo service is not really going to help us in this situation therefore let’s give the unknown service a try. Using the command “openssl s_client -connect localhost:31790 -ign_eof” we will get an encrypted connection and can then insert the password of this level to obtain the next level’s password. Which is an ssh key. I switched over to my kali VM for this because I was having issues with PUTTY. Once I got the SSH key I went into my kali terminal and went to the directory /~/.ssh and created a file “private.key” with the command “touch private.key”. Using nano I imported the ssh key we found earlier. Once this is done you can do “ssh -i key.private bandit17@bandit.labs.overthewire.org -p 2220” and you should be all set. You can get the password for this level using “cat /etc/bandit_pass/bandit17”

Bandit17 -> 18 –
Easy level, just do “diff passwords.new passwords.old and since we know the password is in passwords.new the answer is the first line. kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd

Bandit 18 -> 19 –
For this level we notice that signing in via ssh signs us out immediately. “ssh -p 2220 bandit18@bandit.labs.overthewire.org”. So the thing is, you can run commands remotely using ssh and since we are getting an ssh connection momentarily we can run commands. We know the password is in the readme file in the home directory so I simply did
“ssh -p 2220 bandit18@bandit.labs.overthewire.org cat readme” and you get the password IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

Bandit 19 -> 20 –
The instructions for this level seemed a little tricky but luckily it wasn’t very challenging. First I tried to execute the bandit20-do file in the home directory. So I tried “./bandit20-do” and then the terminal responded by saying “Run a command as another user. Example: ./bandit20-do id” So then I began to think for 5minutes or so and thought maybe this allows me to run commands as another user… go figure. So I tried “./bandit20-do cat /etc/bandit_pass/bandit20” and got the password. Looking back on this after doing some research I discovered that the bandit20-do is a setuid binary as stated in on the website. Setuid allows a user to execute a command as another user. Therefore bandit20-do is allowing us bandit20 privileges so we can access the password in /etc/bandit_pass. GbKksEFF4yrVs6il55v6gwY5aVje5f0j

Bandit 20 -> 21 –
This level requires the use of netcat. We will open two terminals each connected to the lab signed in as bandit20. On one we will listen across any available ports, I used port 1234. The command to initiate this is “nc -l 1234”. Now on the other terminal we will initiate the setuid binary by doing “./suconnect 1234” Based off of the description of suconnect this will initiate a connection to the port “1234” and then it reads a line of text. If this line of text is the same as the password for bandit20 than it will transmit the password for bandit21. So once this is done we go to the terminal where we are listening on port 1234 and we simply paste the password of bandit20. This should return the password for bandit21.

Bandit 21 -> 22 –
For this level we are experiencing cron. Cron is basically windows task scheduler. It allows users to schedule tasks for the machine to conduct on a timely basis. So first we do as the mission states. Do a “cd /etc/cron.d” and then do an “ls”. I just assumed that we would be worrying about “cronjob_bandit22.sh”. So first I did a “cat /etc/cron.d/cronjob_bandit22.sh” and then read the output. I noticed that it is running a .sh file so I tried “cat /usr/bin/cronjob_bandit22.sh” Once you do this you should get a key that sort of looks like a password but if you read carefully it is a directory. Next we cat that directory “cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv” and the password is given Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

Bandit 22 -> 23 –
These levels are starting to get more fun. This level was similar except we had to read the script “cronjob_bandit23.sh” to do this we do “cat /usr/bin/cronjob_bandit23.sh” and read. The crucial line here is “mytarget=$(echo I am user $myname | md5sum | cut -d ‘ ‘ -f 1)” Therefore what’s happening here is it is taking the string and creating a md5 hash of the string. The last line of the script we can see that it is saving the password of whoever $myname is to /tmp/$mytarget and mytarget is the hashed string. So what we can do is “echo I am user bandit23 | md5sum | cut -d ‘ ‘ -f 1” which will give us the mytarget for bandit23. Once we get that hash we just go to the directory and hope that the password is there. So “cat /tmp/8ca319486bfbbc3663ea0fbe81326349” and bam password jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n

Bandit 23 -> 24 –
First for this level we do the same as we have. Check the scripts that are running in the various cronjobs and then analyze them for what they do. Using our understanding of the scripts we can discover a possible exploit. We see that cronjob_bandit24 will run all the scripts in var/spool/$name and we notice a directory /var/spool/bandit24. So we can run scripts as bandit24 by saving scrips to this directory. What I did here was use the script from the previous level that will copy the users password into a file that is readable by bandit23. My altered shell script is below. Now I spent a couple hours trying to figure out why this wasn’t working until I read a helpful hint somewhere that I must consider file permissions. So first let’s do “cd /var/spool/bandit24” and do a “touch myscript.sh” then “vim myscript.sh” insert the shell script that will copy the password from the user and save to a writable directory, for my case “/tmp/savepassword”. Once we save and exit vim we must set the permissions by doing “chmod 777 myscript.sh” This is because by default the file permissions are “-rw-rw-r—” meaning bandit24 will be unable to execute our script. After the chmod command the permissions are “-rwxrwxrwx” so anyone can read/write/execute our script. Now that we have this done we simply running the cronjob_bandit24.sh, “/usr/bin/cronjob_bandit24.sh” and do a “cat /tmp/savepassword” in order to obtain the password UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
altered script:
“cat /etc/bandit_pass/bandit24 > /tmp/savepassword”

Bandit 24 -> 25 –
This level pretty much tells us exactly what we must do. Knowing we will have to brute force the 4-digit pin to get the password we will write a script to conduct the brute forcing. What we need the script to do exactly is connect via netcat to port 30002 and then echo the password of the current level with a single space after and then the 4digit pin we are testing.

To do this we will fire create a txt file of all possible 4digit combinations. To do this we can create a simple while loop in python or bash that will print all the possible combinations. The script I made was
n = 0
while n <= 9999;

print(“UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ “+str(‘{:04d}’.format(n)))

Then we do “python file.py > keys.txt’ to save all the combinations to a txt file. With this file we can efficiently brute force the 4digit pin and get the password for the next level. Simply do “echo keys.txt | netcat localhost 30002”. This will reveal the pass as uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

Bandit 25 -> 26 –
Currently the last level of bandit. This was kind of a disappointing last level. Not ashamed to say I cheated on this cause well, I’ve never experienced something like this before and I don’t see a time where I will experience something like this.  Basically if you check the /etc/passwd file for bandit26 you will see that all the bandit levels are linked to /bin/bash. Well the hint for this level was that this password is not related to that directory therefore this should’ve been the first thing we checked. We notice bandit26 /usr/bin/showtext so we go check that directory and would you look at that. This is a script with a lovely exit at the end which is why the terminal closes every time we try to ssh as bandit26. The trick for this level is adjusting the size of your terminal window. As you see there is a banner displayed when the ssh connection succeeds. Well the exit command doesn’t actually initiate until the banner is fully loaded and the connection is fully established. So by adjusting the terminal window we can prevent the entire banner from loading. By pressing v we are capable of issuing vi commands. Going to the visual option, once again by pressing ‘v’ we can then type “:r /etc/bandit_pass/bandit26” and the password will be revealed. I was hoping for something cool in the text files on the bandit26 home directory but they are just some congratulation notes.



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Create a website or blog at WordPress.com

Up ↑

%d bloggers like this: