Bandit [Level 0 to Level 12] – OverTheWire Writeup

This post is a writeup with the solutions for Bandit from OverTheWire. As there are 34 levels, which I think would be too long for a single post, I will split the writeup into three posts. This first entry covers the solutions from level 0 to level 12.

Bandit is a wargame aimed at beginners that teaches the basics of Linux and the use of many essential tools. Every level is a username, and we have to get the password for the next one by following the given instructions.

To start we just have the initial credentials, the hostname and the custom port for SSH.

  • username: bandit0
  • password: bandit0
  • hostname: bandit.labs.overthewire.org
  • port: 2220

The command syntax to log in is always the same:

ssh <banditN>@bandit.labs.overthewire.org -p 2220

The first time we log in, we are asked to confirm that we want to continue connecting. We just have to type ‘yes’ and press Enter; the host key is then added to the list of known hosts. After that we need to enter the password. The full output should look as follows:

$ ssh bandit0@bandit.labs.overthewire.org -p 2220
The authenticity of host '[bandit.labs.overthewire.org]:2220 ([176.9.9.172]:2220)' can't be established.
ED25519 key fingerprint is SHA256:xOMImN4lodtNUxc+8pieveXo7KEdBMztFjgmIcfdVmk.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[bandit.labs.overthewire.org]:2220' (ED25519) to the list of known hosts.
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit0@bandit.labs.overthewire.org's password: 
Linux bandit.otw.local 5.4.8 x86_64 GNU/Linux

      ,----..            ,----,          .---.
     /   /   \         ,/   .`|         /. ./|
    /   .     :      ,`   .'  :     .--'.  ' ;
   .   /   ;.  \   ;    ;     /    /__./ \ : |
  .   ;   /  ` ; .'___,/    ,' .--'.  '   \' .
  ;   |  ; \ ; | |    :     | /___/ \ |    ' '
  |   :  | ; | ' ;    |.';  ; ;   \  \;      :
  .   |  ' ' ' : `----'  |  |  \   ;  `      |
  '   ;  \; /  |     '   :  ;   .   \    .\  ;
   \   \  ',  /      |   |  '    \   \   ' \ |
    ;   :    /       '   :  |     :   '  |--"
     \   \ .'        ;   |.'       \   \ ;
  www. `---` ver     '---' he       '---" ire.org


Welcome to OverTheWire!

If you find any problems, please report them to Steven or morla on
irc.overthewire.org.

--[ Playing the games ]--

  This machine might hold several wargames.
  If you are playing "somegame", then:

    * USERNAMES are somegame0, somegame1, ...
    * Most LEVELS are stored in /somegame/.
    * PASSWORDS for each level are stored in /etc/somegame_pass/.

  Write-access to homedirectories is disabled. It is advised to create a
  working directory with a hard-to-guess name in /tmp/.  You can use the
  command "mktemp -d" in order to generate a random and hard to guess
  directory in /tmp/.  Read-access to both /tmp/ and /proc/ is disabled
  so that users can not snoop on eachother. Files and directories with
  easily guessable or short names will be periodically deleted!

  Please play nice:

    * don't leave orphan processes running
    * don't leave exploit-files laying around
    * don't annoy other players
    * don't post passwords or spoilers
    * again, DONT POST SPOILERS!
      This includes writeups of your solution on your blog or website!

--[ Tips ]--

  This machine has a 64bit processor and many security-features enabled
  by default, although ASLR has been switched off.  The following
  compiler flags might be interesting:

    -m32                    compile for 32bit
    -fno-stack-protector    disable ProPolice
    -Wl,-z,norelro          disable relro

  In addition, the execstack tool can be used to flag the stack as
  executable on ELF binaries.

  Finally, network-access is limited for most levels by a local
  firewall.

--[ Tools ]--

 For your convenience we have installed a few usefull tools which you can find
 in the following locations:

    * gef (https://github.com/hugsy/gef) in /usr/local/gef/
    * pwndbg (https://github.com/pwndbg/pwndbg) in /usr/local/pwndbg/
    * peda (https://github.com/longld/peda.git) in /usr/local/peda/
    * gdbinit (https://github.com/gdbinit/Gdbinit) in /usr/local/gdbinit/
    * pwntools (https://github.com/Gallopsled/pwntools)
    * radare2 (http://www.radare.org/)
    * checksec.sh (http://www.trapkit.de/tools/checksec.html) in /usr/local/bin/checksec.sh

--[ More information ]--

  For more information regarding individual wargames, visit
  http://www.overthewire.org/wargames/

  For support, questions or comments, contact us through IRC on
  irc.overthewire.org #wargames.

  Enjoy your stay!

bandit0@bandit:~$ 

In the following outputs I will omit the repeated MOTD (message of the day) printed on every SSH connection.

Level 0 -> 1

The password for the next level is stored in a file called readme located in the home directory.

In this case, if we list the files in the current directory and read the only file (readme), we get the answer:

$ ssh bandit0@bandit.labs.overthewire.org -p 2220
bandit0@bandit.labs.overthewire.org's password: 

Welcome to OverTheWire!

bandit0@bandit:~$ ls
readme
bandit0@bandit:~$ cat readme 
***EDITED***
bandit0@bandit:~$ exit
logout
Connection to bandit.labs.overthewire.org closed.

The password we find is the password for the next user (bandit1). The same applies to all the following levels.

Level 1 -> 2

The password for the next level is stored in a file called - located in the home directory.

Similar to the last one, in this case we have to read a file. The problem is that its name is a special character (‘-’). If we try to read it by just its name, cat treats it as a parameter instead of a file name. To read it we need to specify its path (relative or absolute):

$ ssh bandit1@bandit.labs.overthewire.org -p 2220
bandit1@bandit.labs.overthewire.org's password: 

Welcome to OverTheWire!

bandit1@bandit:~$ ls
-
bandit1@bandit:~$ cat ./- 
***EDITED***
bandit1@bandit:~$ exit
logout
Connection to bandit.labs.overthewire.org closed.

Level 2 -> 3

The password for the next level is stored in a file called spaces in this filename located in the home directory.

Once again we have to read a file. In this case the filename has spaces in it, so we cannot pass it to cat as it is. We have two options: escape the spaces with a backslash (‘\’) or surround the filename with quotes. I will use the first option:

$ ssh bandit2@bandit.labs.overthewire.org -p 2220
bandit2@bandit.labs.overthewire.org's password: 

Welcome to OverTheWire!

bandit2@bandit:~$ ls
spaces in this filename
bandit2@bandit:~$ cat spaces\ in\ this\ filename 
***EDITED***
bandit2@bandit:~$ exit
logout
Connection to bandit.labs.overthewire.org closed.

Level 3 -> 4

The password for the next level is stored in a hidden file in the inhere directory.

To list hidden files with the ls command we need to add the ‘-a’ parameter, which stands for ‘all’. Once we have verified the file is there, we can read it as usual:

$ ssh bandit3@bandit.labs.overthewire.org -p 2220
bandit3@bandit.labs.overthewire.org's password: 

Welcome to OverTheWire!

bandit3@bandit:~$ ls
inhere
bandit3@bandit:~$ ls -la inhere/
total 12
drwxr-xr-x 2 root    root    4096 May  7  2020 .
drwxr-xr-x 3 root    root    4096 May  7  2020 ..
-rw-r----- 1 bandit4 bandit3   33 May  7  2020 .hidden
bandit3@bandit:~$ cat inhere/.hidden 
***EDITED***
bandit3@bandit:~$ exit
logout
Connection to bandit.labs.overthewire.org closed.

Level 4 -> 5

The password for the next level is stored in the only human-readable file in the inhere directory.

As per the instructions given, we know the file should be human-readable, which means the contents should be ASCII. We can validate this with the file command.

Listing the files in the inhere directory we see nine files. We could check them one by one, but I used a for loop for convenience. With this we can identify the file with ASCII data. As its filename begins with ‘-’, we need to specify the file path as we did before, and finally we get the flag:

$ ssh bandit4@bandit.labs.overthewire.org -p 2220
bandit4@bandit.labs.overthewire.org's password: 

Welcome to OverTheWire!

bandit4@bandit:~$ ls
inhere
bandit4@bandit:~$ cd inhere
bandit4@bandit:~/inhere$ ls
-file00  -file01  -file02  -file03  -file04  -file05  -file06  -file07  -file08  -file09
bandit4@bandit:~/inhere$ file ./-file00 
./-file00: data
bandit4@bandit:~/inhere$ for i in {0..9}; do file ./-file0$i; done
./-file00: data
./-file01: data
./-file02: data
./-file03: data
./-file04: data
./-file05: data
./-file06: data
./-file07: ASCII text
./-file08: data
./-file09: data
bandit4@bandit:~/inhere$ cat ./-file07
***EDITED***
bandit4@bandit:~/inhere$ exit
logout
Connection to bandit.labs.overthewire.org closed.
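
The filename handling from Levels 1, 2 and 4 in one place, as an added example that is not part of the original writeup. It builds a constructed sandbox in a temporary directory (the function names are made up for the illustration) and shows that the quoted ./ prefix works for every name, while cat -- still treats a lone - as standard input:

```sh
#!/bin/sh
# Added example. The sandbox and the file contents are constructed.

# Create a temp directory holding the awkward names from Levels 1, 2 and 4.
make_sandbox() {
    d=$(mktemp -d) || return 1
    printf 'dash\n'   > "$d/-"
    printf 'spaces\n' > "$d/spaces in this filename"
    printf 'option\n' > "$d/-file07"
    printf '%s\n' "$d"
}

# Quoted name with a ./ prefix: safe for all three names.
read_prefixed() { (cd "$1" && cat "./$2"); }

# "--" ends option parsing, so -file07 is read as a file. A lone "-" is
# still an operand meaning standard input, so nothing is read from disk.
read_ddash() { (cd "$1" && cat -- "$2" < /dev/null); }

# Unquoted expansion: the shell splits the name at each space and cat is
# handed four nonexistent paths, so this fails for the Level 2 file.
read_unquoted() { (cd "$1" && cat ./$2 2> /dev/null); }

sandbox=$(make_sandbox)
for name in "-" "spaces in this filename" "-file07"; do
    printf '%-26s prefixed=%-7s ddash=%s\n' "'$name'" \
        "$(read_prefixed "$sandbox" "$name")" "$(read_ddash "$sandbox" "$name")"
done
read_unquoted "$sandbox" "spaces in this filename" || echo "unquoted: failed"
rm -rf "$sandbox"
```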

Level 5 -> 6

The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:

– human readable

– 1033 bytes in size

– not executable

After looking around in the inhere directory we can see there are many folders and files, so it would be very difficult to find the password by hand. Fortunately, we have the find command which, as its name says, can find any file or folder in the file system. We can start by filtering the search by some of the desired file properties, for example:

  • It’s in current folder: .
  • It’s a file: -type f
  • Size is 1033 bytes: -size 1033c

You can find the details of the command in its man page. As we get just a single file, we can assume that it is the password file. After reading the file, we have it:

$ ssh bandit5@bandit.labs.overthewire.org -p 2220
bandit5@bandit.labs.overthewire.org's password: 

Welcome to OverTheWire!

bandit5@bandit:~$ ls
inhere
bandit5@bandit:~$ cd inhere/
bandit5@bandit:~/inhere$ ls
maybehere00  maybehere03  maybehere06  maybehere09  maybehere12  maybehere15  maybehere18
maybehere01  maybehere04  maybehere07  maybehere10  maybehere13  maybehere16  maybehere19
maybehere02  maybehere05  maybehere08  maybehere11  maybehere14  maybehere17
bandit5@bandit:~/inhere$ find . -type f -size 1033c
./maybehere07/.file2
bandit5@bandit:~/inhere$ cat ./maybehere07/.file2 
***EDITED***
bandit5@bandit:~/inhere$ exit
logout
Connection to bandit.labs.overthewire.org closed.
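
The find command above filters only on type and size. The following added example (not part of the original writeup) checks all three properties from the level description on a constructed tree with one match and three decoys. The byte check with tr is an assumption standing in for the file command, and the function names are made up for the illustration:

```sh
#!/bin/sh
# Added example. The directory tree and the file contents are constructed.

# True when every byte of "$1" is printable ASCII or whitespace.
# This byte check stands in for the `file` command used in Level 4.
is_human_readable() {
    [ "$(LC_ALL=C tr -d '[:print:][:space:]' < "$1" | wc -c)" -eq 0 ]
}

# List regular files under "$1" that are exactly 1033 bytes, have no
# execute bit for user, group or other, and pass the readability check.
find_candidates() {
    find "$1" -type f -size 1033c ! -perm -100 ! -perm -010 ! -perm -001 |
    while IFS= read -r f; do
        if is_human_readable "$f"; then printf '%s\n' "$f"; fi
    done
}

# One real match plus three decoys that each break a single property.
build_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/maybehere00" "$t/maybehere01"
    printf '%-1032s\n' 'constructed-secret' > "$t/maybehere00/.file2"
    printf '%-1032s\n' 'decoy' > "$t/maybehere00/.file1"
    chmod 755 "$t/maybehere00/.file1"                   # executable
    head -c 1033 /dev/zero > "$t/maybehere01/.file3"    # not readable text
    printf '%-99s\n' 'decoy' > "$t/maybehere01/.file4"  # wrong size
    printf '%s\n' "$t"
}

tree=$(build_tree)
find_candidates "$tree"
rm -rf "$tree"
```

On this tree the size filter alone returns three files, so the extra tests are what single out the right one.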

Level 6 -> 7

The password for the next level is stored somewhere on the server and has all of the following properties:

– owned by user bandit7

– owned by group bandit6

– 33 bytes in size

Once again we have to find a file, but this time in the whole file system. We can use the find command again, filtering by the new properties:

  • Somewhere in the file system: /
  • Belongs to bandit7 user: -user bandit7
  • Belongs to bandit6 group: -group bandit6
  • Size is 33 bytes: -size 33c

As we are searching the whole file system, find can print errors. I added 2> /dev/null to the command in order to hide them.

$ ssh bandit6@bandit.labs.overthewire.org -p 2220
bandit6@bandit.labs.overthewire.org's password: 

Welcome to OverTheWire!

bandit6@bandit:~$ ls
bandit6@bandit:~$ find / -user bandit7 -group bandit6 -size 33c 2> /dev/null
/var/lib/dpkg/info/bandit7.password
bandit6@bandit:~$ cat /var/lib/dpkg/info/bandit7.password 
***EDITED***
bandit6@bandit:~$ exit
logout
Connection to bandit.labs.overthewire.org closed.

Level 7 -> 8

The password for the next level is stored in the file data.txt next to the word millionth.

For this we can use the grep command. It searches for a word in a file and shows the full line where the word is located:

$ ssh bandit7@bandit.labs.overthewire.org -p 2220
bandit7@bandit.labs.overthewire.org's password: 

Welcome to OverTheWire!

bandit7@bandit:~$ ls
data.txt
bandit7@bandit:~$ grep millionth data.txt 
millionth       ***EDITED***
bandit7@bandit:~$ exit
logout
Connection to bandit.labs.overthewire.org closed.

Level 8 -> 9

The password for the next level is stored in the file data.txt and is the only line of text that occurs only once.

If we take a look at the file contents, we will find many potential passwords for the next level. To get the right one, we first have to sort the lines (sort) and then search for the unique line (uniq -u). The reason is that the uniq command only compares adjacent lines, so it only works on sorted input:

$ ssh bandit8@bandit.labs.overthewire.org -p 2220
bandit8@bandit.labs.overthewire.org's password: 

Welcome to OverTheWire!

bandit8@bandit:~$ ls
data.txt
bandit8@bandit:~$ cat data.txt | sort | uniq -u
***EDITED***
bandit8@bandit:~$ exit
logout
Connection to bandit.labs.overthewire.org closed.
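
Why the sort matters, as an added example that is not part of the original writeup. The sample lines are constructed and the function names are made up for the illustration; the awk variant goes beyond the writeup and finds the once-only lines in a single pass without sorting:

```sh
#!/bin/sh
# Added example. Constructed sample data: only "bbb" occurs exactly once,
# and the repeated lines are never next to each other.
sample() { printf '%s\n' aaa ccc bbb aaa ccc; }

# uniq compares each line only with its neighbour, so on unsorted input
# nothing looks repeated and all five lines are reported as unique.
naive() { uniq -u; }

# Sorting first makes identical lines adjacent, as in the writeup.
sorted() { sort | uniq -u; }

# Alternative: count every line in one pass with awk and print the lines
# seen exactly once, in their original order (no sort needed).
counted() {
    awk '{ n[$0]++; if (n[$0] == 1) order[++k] = $0 }
         END { for (i = 1; i <= k; i++) if (n[order[i]] == 1) print order[i] }'
}

echo "naive:   $(sample | naive | wc -l) lines reported"
echo "sorted:  $(sample | sorted)"
echo "counted: $(sample | counted)"
```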

Level 9 -> 10

The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.

Before trying to get the next password, we need to know that the strings command can extract readable strings from any kind of file. Also, grep has limited regular expression support unless we specify otherwise. For extended regular expressions we use the -E flag.

Knowing that, we can get all the human-readable strings from data.txt with the strings command and then filter for those that are preceded by ‘=’ characters with extended grep. We use the extended version because it lets us specify that we want 2 or more occurrences of the same character, as you can see below:

$ ssh bandit9@bandit.labs.overthewire.org -p 2220
bandit9@bandit.labs.overthewire.org's password: 

Welcome to OverTheWire!

bandit9@bandit:~$ ls
data.txt
bandit9@bandit:~$ cat data.txt | strings | grep -E '={2,}'
========== the*2i"4
========== password
Z)========== is
&========== ***EDITED***
bandit9@bandit:~$ exit
logout
Connection to bandit.labs.overthewire.org closed.

Level 10 -> 11

The password for the next level is stored in the file data.txt, which contains base64 encoded data.

This is an easier level. If we read the file we see it is indeed base64 encoded. To decode it we can simply use base64 -d as follows:

$ ssh bandit10@bandit.labs.overthewire.org -p 2220
bandit10@bandit.labs.overthewire.org's password: 

Welcome to OverTheWire!

bandit10@bandit:~$ ls
data.txt
bandit10@bandit:~$ cat data.txt 
VGhlIHBhc3N3b3JkIGlz***EDITED***M0lSRnFyeEUxaHhUTkViVVBSCg==
bandit10@bandit:~$ cat data.txt | base64 -d
The password is ***EDITED***
bandit10@bandit:~$ exit
logout
Connection to bandit.labs.overthewire.org closed.

Level 11 -> 12

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions.

This is ROT13, which is a well-known substitution cipher. We can perform the rotation with the tr command (which stands for translate):

$ ssh bandit11@bandit.labs.overthewire.org -p 2220
bandit11@bandit.labs.overthewire.org's password: 

Welcome to OverTheWire!

bandit11@bandit:~$ ls
data.txt
bandit11@bandit:~$ cat data.txt 
Gur cnffjbeq vf 5Gr8L4qe***EDITED***XSP6x2RHh
bandit11@bandit:~$ cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'
The password is ***EDITED***
bandit11@bandit:~$ exit
logout
Connection to bandit.labs.overthewire.org closed.

So far, the levels have been easy. Please wait for the following levels in upcoming blog entries.