OverTheWire: Bandit

Bandit is a beginner Capture The Flag (CTF) game from OverTheWire (OTW).

Whether you’re familiar with text-based games or have never even thought of playing them (me). This is the perfect CTF for learning Linux.

You’re here to either copy my answers OR learn. Can I ask you to please focus on the learning? It’s okay to peak when you’re so blind it’s crippling you, but please don’t just copy, copy, copy!

Take the time to try, fail and repeat. It’s a massive part of learning. Don’t rob yourself of that.

One more thing before we go any further. Open something to take notes in, Notion, Text Editor, heck Mircosoft Word. It doesn’t matter. But it’s a great idea to record what you’ve done and how you’ve done it.

Okay, lecture over. Let’s CTF!!

Level 0 – Level 4

Level 0

Okay, let’s get started with Bandit Level 0 and connect to the game via Secure Socket Shell (SSH).

This tells Linux to run the ssh command, connect to bandit.labs.overthewire.org via port 2220 and user bandit0. So all together it looks like ssh [email protected] -p 2220.

Then, type yes and hit enter to complete the connection.

Take a moment to read the rules and check out the welcome message.

Level 1

Okay, now put your game face on grunts.

Let’s take a look at our goal. The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.

I like to copy/paste the goal into my note-taking app and highlight/bold areas that are important. In this case, we’ve got clear instructions to find the readme file.

Okay, let’s look around the machine, find the file and then read it. We’ll use the ls command to view files in the current directory. Then we’ll cat the file we find.

Great! We got it! I know it’s a random bunch of letters and numbers but in this CTF the “flags” will look like this. Other games might be a bit different, but this unreadable nonsense is a good thing!

Don’t forget to copy that flag by highlighting it and pressing CTRL + SHIFT + C.

Let’s confirm this is correct by cutting the connection via bandit0 user and ssh into the next level via bandit1. We’ll do that by running the command exit.

Now instead of typing or copying/pasting the ssh credentials, let’s use the up arrow to find our last command. Edit the command to make it more usable moving forward. Remove bandit0@ in the beginning and add -l bandit1. All together, it looks like ssh bandit.labs.overthewire.org -p2220 -l bandit1

Now paste the flag using CTRL + SHIFT + V which you can copy from your notes because you’re definitely taking notes, right??? Done with Bandit Level 1, so move on to the next level.

Level 2

Alrighty, now it’s getting serious with Bandit Level 2. First things first, let’s read that goal. The password for the next level is stored in a file called – located in the home directory

Okay, seems easy, same as last round, ls then cat…right?

Try it, but you’ll see the issue. We need to specify the exact file path in order for Linux to understand. We’ll add ./ which tells Linux “hey, I’m in this folder”.

That looks pretty good, so let’s follow the same process of exit > up > change user, in this case, bandit2 > and paste the flag as the password.

Level 3

Training wheels are off, quick goal check. The password for the next level is stored in a file called spaces in this filename located in the home directory.

Okay, hm, a bit unusal. This shouldn’t be too difficult… shouldn’t be.

If we try and cat out to see the file, but type out spaces in this filename it treats each word as a separate file. How do we fix this?

After a bit of googling… it’s quite easy. Just add a \ after each word. But to make it easier, hit TAB after typing the first letter s and it’ll do it for you!

Flag, got, nice, thanks Bandit Level 3. Now get out of this level and move on to the next one.

Level 4

Let’s go beyond ls and cat and start changing the directory (aka folders).

So what’s the goal? The password for the next level is stored in a hidden file in the inhere directory.

Okay, our clue is the directory is hidden, tuck that away for now. Let’s view what’s around and move into our directory using cd. You might notice I’m using && to chain commands together, a neat little trick I’ve picked up. So try cd inhere && ls and we should see our file but it’s hidden.

We need to introduce flags, these are like switches we can use to add features to our programs.

ls displays files, but if we turn on -a it will also display hidden files. Let’s try it!

Nice! We got the flag for Bandit Level 4, nice. Now let’s exit and move on to the next level in Bandit Levels 5 to 9.

Thanks for reading and I hope you learned something from this little exercise. This is days 4 and 56 of #100DaysOfHacking on the Hackers Learning Path. Subscribe for CyberSec updates or read more, happy hacking.

Bandit Level 5 – Level 9

Welcome to another instalment of the Bandit CTF series!

This is the best way to learn Linux, BASH, terminals, commands and everything in between!

Let’s ssh in to Bandit:

$ ssh bandit.labs.overthewire.org -p 2220 -l bandit5

You’ll need the password from the previous level.

Level 6

Let’s get started by ls -la and see what we have.

total 24
drwxr-xr-x  3 root root    4096 May  7  2020 .
drwxr-xr-x 41 root root    4096 May  7  2020 ..
-rw-r--r--  1 root root     220 May 15  2017 .bash_logout
-rw-r--r--  1 root root    3526 May 15  2017 .bashrc
drwxr-x--- 22 root bandit5 4096 May  7  2020 **inhere**
-rw-r--r--  1 root root     675 May 15  2017 .profile

Ah, let’s go into the inhere directory via cd inhere && ls -la.

Using the && lets us stack together a series of commands, this way we 1) change directories and 2) list out the files in the new directory all at once, so cool!

total 88
drwxr-x--- 22 root bandit5 4096 May  7  2020 .
drwxr-xr-x  3 root root    4096 May  7  2020 ..
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere00
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere01
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere02
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere03
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere04
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere05
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere06
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere07
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere08
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere09
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere10
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere11
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere12
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere13
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere14
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere15
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere16
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere17
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere18
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere19

…wow! We’ve got a lot of directories to search through now…

Hmm, there must be a better option to automatically search these folders! Enter the find command, with it we can search multiple directories and pass it certain switches to narrow down our results, let’s test it out.

$ find .

This runs find in the current directory, that’s what the . is for.

We can be more specific and use switches like -type or -size to find exactly what we’re looking for.

Let’s go back and get a clue from Bandit Level 5 → Level 6:

The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:

human-readable 1033 bytes in size not executable

Okay, so we’ve got some hints for what file we’re trying to find. Let’s use the -size switch with the byte size and see what we get.

$ find . -size 1033

That’s weird, no luck! That’s because we need to specify what file size exactly, 1033 is just a number. Let’s search it up!

Thanks to linuxconfig.org we know we need to use c for bytes.

*Don’t forget to use the up arrow to see last command!

$ find . -size 1033c
./maybehere07/.file2

Cool, look at that! Now we have only one search result, let’s see if we can cat it out and view it.

$ cat ./maybehere07/.file2
banditflag5-6{*****}

We got it! Now exit out and let’s go again!

*Since my first few writeups I’ve learnt sharing flag’s isn’t the best idea as it allows anyone to simply copy/paste their way through without trying or trying.

Level 7

Let’s jump into the next one head first and see what we get!

$ ls -la

Okay, strange, nothing there. Maybe I should read the goal first after all!

The password for the next level is stored somewhere on the server and has all of the following properties:

owned by user bandit7 owned by group bandit6 33 bytes in size

Ah, so the file isn’t within the bandit6 directory, it’s somewhere else. No worries, let’s look up how to use the find command to get the right switches.

$ find --help

After looking a bit at the wall text, I see -user NAME and -group NAME, I think they’re what we’re after. We’ll use it with -size from the last level too.

$ find -user bandit7 -group bandit6 -size 33c

No luck! What did we forget?

The location! Currently, we haven’t specified where to look, remember it’s hidden anywhere on the server.

$ find / -user bandit7 -group bandit6 -size 33c

Good, it’s working! Bad there’s so many files we don’t have access to, how do we only see accessible files? One way is to remove the errors, as ‘Permission denied’ is an error, we can redirect those results elsewhere.

Thanks to cyberciti.biz for explaining stdin, stdout and stderr, it’s worth reading over that aritcle to understand more.

$ find / -user bandit7 -group bandit6 -size 33c **2>/dev/null**
/var/lib/dpkg/info/bandit7.password

How cool? We got one search result, that makes life a lot easier.

The 2>/dev/null may seem very strange at first. The 2 stands for stderr which is the errors we have as a result of our search. The > redirects and the /dev/null is a nothing space directory we can dump everything.

So, cat that sucker and grab your flag!

$ cat /var/lib/dpkg/info/bandit7.password
banditflag6-7{*****}

Level 8

Let’s not read the instructions just yet! ls away my friends!

Ah, a simple data.txt file, this seems too easy to be real.

Let’s cat and …oh gosh… so much data, so much!

Hm, maybe we’ll go back to the hints now:

The password for the next level is stored in the file data.txt next to the word millionth.

Okay, so we need to somehow search within the file and output the flag. Our only hint we have is it’s next to the word millionth.

grep is the command for the job, it searches for patterns in a file.

Let’s run grep --help to get familiar with it, we’re looking for a switch that’s simple enough to match our word with it. Let’s try -e or -regexp=PATTERN, that should do it!

$ grep data.txt -e millionth
banditflag7-8{*****}

Would you look at what we have here… a flag!

Let’s exit out and head over the next level!

Level 9

Same as always, ls and see what we’re working with.

Looks like another data.txt file with even more ‘hard to read’ text.

Back to the instructions:

The password for the next level is stored in the file data.txt and is the only line of text that occurs only once.

We could use grep and put together a long regex to output what we need, but I’m not a wizard.. so we’ll be using sort and uniq.

First, let’s understand sort it’s similar to cat but run it against the data.txt and see the difference.

$ sort data.txt

Everything is sorted, cool.

But how do we then find the unique flag? uniq of course.

Try it:

$ uniq data.txt

Hm, that didn’t work… that’s because we need to use them together. Since they’re separate commands, we’ll use the | pipe to chain it together.

$ sort data.txt | uniq

Still no luck, let’s run uniq --help and see if there’s a switch that can help.

Yep! -u which only prints unique lines, that sounds perfect!

$ sort data.txt | uniq - u
banditflag8-9{*****}

Done! We got there thanks to stackoverflow.

Level 10

Our final level together, for now, let’s ls this thing.

Another data.txt file, let’s cat it.

Ah heck, it was a trap! Use clear and we’ll go back to the instructions:

The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.

Okay, so we need to search through the file and somehow use =… let’s give it a shot! Maybe we’ll try grep again from the earlier level.

$ grep data.txt -e =
Binary file data.txt matches

StackExchange shows us that since the data.txt file starts with non-text, it treats it as binary and therefore won’t search it. Dam.

Let’s look at the other commands we can use.

There’s one called strings, let’s take a closer look with strings --help

If we use this commands and | pipe grep with a few = … we should be good to go, let’s try it!

$ strings data.txt | grep ===
========== the*2i"4
========== password
Z)========== is
&========== banditflag9-10{*****}

It’s not the prettiest method, it’s probably not the best way either, but it worked!

Thanks for reading along with my bandit CTF journey! It’s been nice to have you.

If you have any feedback, please send me a message @mrashleyball.

This is Day 9 and 57 of #100DaysOfHacking, subscribe to my weekly newsletter to see the learning journey!

Happy Hacking.

Bandit Level 10 – 14

Over The Wire’s Bandit is a Linux Capture The Flag that tests your hacking skills. In this video, we walk through Bandit levels 10 to 14. These are some of the more difficult levels, but our clear and concise explanations will help you get through them. By the end of this video, you’ll be one step closer to becoming a master hacker!

Level 10

Level 11

Level 12

Level 13

Level 14

Bandit 15 – 19

Welcome back to Over The Wire’s Bandit the Linux Capture The Flag that tests your hacking skills. Let’s walk through Bandit levels 15 to 19 which again increase in difficulty, but let me help you get through them. By the end of this video, you’ll be one step closer to becoming a master hacker… hopefully.