Welcome to another instalment of the Bandit CTF series!
This is the best way to learn Linux, BASH, terminals, commands and everything in between!
Go to Bandit Level 0 → Level 4 if you need help with earlier levels.
Let’s ssh in to Bandit:
$ ssh bandit.labs.overthewire.org -p 2220 -l bandit5
You’ll need the password from the previous level.
Bandit Level 5 → Level 6
Let’s get started by ls -la and see what we have.
total 24
drwxr-xr-x 3 root root 4096 May 7 2020 .
drwxr-xr-x 41 root root 4096 May 7 2020 ..
-rw-r--r-- 1 root root 220 May 15 2017 .bash_logout
-rw-r--r-- 1 root root 3526 May 15 2017 .bashrc
drwxr-x--- 22 root bandit5 4096 May 7 2020 **inhere**
-rw-r--r-- 1 root root 675 May 15 2017 .profile
Ah, let’s go into the inhere directory via cd inhere && ls -la.
Using the && lets us stack together a series of commands, this way we 1) change directories and 2) list out the files in the new directory all at once, so cool!
total 88
drwxr-x--- 22 root bandit5 4096 May 7 2020 .
drwxr-xr-x 3 root root 4096 May 7 2020 ..
drwxr-x--- 2 root bandit5 4096 May 7 2020 maybehere00
drwxr-x--- 2 root bandit5 4096 May 7 2020 maybehere01
drwxr-x--- 2 root bandit5 4096 May 7 2020 maybehere02
drwxr-x--- 2 root bandit5 4096 May 7 2020 maybehere03
drwxr-x--- 2 root bandit5 4096 May 7 2020 maybehere04
drwxr-x--- 2 root bandit5 4096 May 7 2020 maybehere05
drwxr-x--- 2 root bandit5 4096 May 7 2020 maybehere06
drwxr-x--- 2 root bandit5 4096 May 7 2020 maybehere07
drwxr-x--- 2 root bandit5 4096 May 7 2020 maybehere08
drwxr-x--- 2 root bandit5 4096 May 7 2020 maybehere09
drwxr-x--- 2 root bandit5 4096 May 7 2020 maybehere10
drwxr-x--- 2 root bandit5 4096 May 7 2020 maybehere11
drwxr-x--- 2 root bandit5 4096 May 7 2020 maybehere12
drwxr-x--- 2 root bandit5 4096 May 7 2020 maybehere13
drwxr-x--- 2 root bandit5 4096 May 7 2020 maybehere14
drwxr-x--- 2 root bandit5 4096 May 7 2020 maybehere15
drwxr-x--- 2 root bandit5 4096 May 7 2020 maybehere16
drwxr-x--- 2 root bandit5 4096 May 7 2020 maybehere17
drwxr-x--- 2 root bandit5 4096 May 7 2020 maybehere18
drwxr-x--- 2 root bandit5 4096 May 7 2020 maybehere19
…wow! We’ve got a lot of directories to search through now…
Hmm, there must be a better option to automatically search these folders! Enter the find command, with it we can search multiple directories and pass it certain switches to narrow down our results, let’s test it out.
$ find .
This runs find in the current directory, that’s what the . is for.
We can be more specific and use switches like -type or -size to find exactly what we’re looking for.
Let’s go back and get a clue from Bandit Level 5 → Level 6:
The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:
human-readable 1033 bytes in size not executable
Okay, so we’ve got some hints for what file we’re trying to find. Let’s use the -size switch with the byte size and see what we get.
$ find . -size 1033
That’s weird, no luck! That’s because we need to specify what file size exactly, 1033 is just a number. Let’s search it up!
Thanks to linuxconfig.org we know we need to use c for bytes.
*Don’t forget to use the up arrow to see last command!
$ find . -size 1033c
./maybehere07/.file2
Cool, look at that! Now we have only one search result, let’s see if we can cat it out and view it.
$ cat ./maybehere07/.file2
banditflag5-6{*****}
We got it! Now exit out and let’s go again!
*Since my first few writeups I’ve learnt sharing flag’s isn’t the best idea as it allows anyone to simply copy/paste their way through without trying or trying.
Bandit Level 6 → Level 7
Let’s jump into the next one head first and see what we get!
$ ls -la
Okay, strange, nothing there. Maybe I should read the goal first after all!
The password for the next level is stored somewhere on the server and has all of the following properties:
owned by user bandit7 owned by group bandit6 33 bytes in size
Ah, so the file isn’t within the bandit6 directory, it’s somewhere else. No worries, let’s look up how to use the find command to get the right switches.
$ find --help
After looking a bit at the wall text, I see -user NAME and -group NAME, I think they’re what we’re after. We’ll use it with -size from the last level too.
$ find -user bandit7 -group bandit6 -size 33c
No luck! What did we forget?
The location! Currently, we haven’t specified where to look, remember it’s hidden anywhere on the server.
$ find / -user bandit7 -group bandit6 -size 33c
Good, it’s working! Bad there’s so many files we don’t have access to, how do we only see accessible files? One way is to remove the errors, as ‘Permission denied’ is an error, we can redirect those results elsewhere.
Thanks to cyberciti.biz for explaining stdin, stdout and stderr, it’s worth reading over that aritcle to understand more.
$ find / -user bandit7 -group bandit6 -size 33c **2>/dev/null**
/var/lib/dpkg/info/bandit7.password
How cool? We got one search result, that makes life a lot easier.
The 2>/dev/null may seem very strange at first. The 2 stands for stderr which is the errors we have as a result of our search. The > redirects and the /dev/null is a nothing space directory we can dump everything.
So, cat that sucker and grab your flag!
$ cat /var/lib/dpkg/info/bandit7.password
banditflag6-7{*****}
Bandit Level 7 → Level 8
Let’s not read the instructions just yet! ls away my friends!
Ah, a simple data.txt file, this seems too easy to be real.
Let’s cat and …oh gosh… so much data, so much!
Hm, maybe we’ll go back to the hints now:
The password for the next level is stored in the file data.txt next to the word millionth.
Okay, so we need to somehow search within the file and output the flag. Our only hint we have is it’s next to the word millionth.
grep is the command for the job, it searches for patterns in a file.
Let’s run grep --help to get familiar with it, we’re looking for a switch that’s simple enough to match our word with it. Let’s try -e or -regexp=PATTERN, that should do it!
$ grep data.txt -e millionth
banditflag7-8{*****}
Would you look at what we have here… a flag!
Let’s exit out and head over the next level!
Bandit Level 8 → Level 9
Same as always, ls and see what we’re working with.
Looks like another data.txt file with even more ‘hard to read’ text.
Back to the instructions:
The password for the next level is stored in the file data.txt and is the only line of text that occurs only once.
We could use grep and put together a long regex to output what we need, but I’m not a wizard.. so we’ll be using sort and uniq.
First, let’s understand sort it’s similar to cat but run it against the data.txt and see the difference.
$ sort data.txt
Everything is sorted, cool.
But how do we then find the unique flag? uniq of course.
Try it:
$ uniq data.txt
Hm, that didn’t work… that’s because we need to use them together. Since they’re separate commands, we’ll use the | pipe to chain it together.
$ sort data.txt | uniq
Still no luck, let’s run uniq --help and see if there’s a switch that can help.
Yep! -u which only prints unique lines, that sounds perfect!
$ sort data.txt | uniq - u
banditflag8-9{*****}
Done! We got there thanks to stackoverflow.
Bandit Level 9 → Level 10
Our final level together, for now, let’s ls this thing.
Another data.txt file, let’s cat it.
Ah heck, it was a trap! Use clear and we’ll go back to the instructions:
The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.
Okay, so we need to search through the file and somehow use =… let’s give it a shot! Maybe we’ll try grep again from the earlier level.
$ grep data.txt -e =
Binary file data.txt matches
StackExchange shows us that since the data.txt file starts with non-text, it treats it as binary and therefore won’t search it. Dam.
Let’s look at the other commands we can use.
There’s one called strings, let’s take a closer look with strings --help
If we use this commands and | pipe grep with a few = … we should be good to go, let’s try it!
$ strings data.txt | grep ===
========== the*2i"4
========== password
Z)========== is
&========== banditflag9-10{*****}
It’s not the prettiest method, it’s probably not the best way either, but it worked!
Thanks for reading along with my bandit CTF journey! It’s been nice to have you.
If you have any feedback, please send me a message @mrashleyball.
This is Day 9 of #100DaysOfHacking, subscribe to my weekly newsletter to see the learning journey!
Happy Hacking.
