Bandit walkthrough

Niki Manoledaki
Feb 23, 2020

Bandit is a ‘hacking’ pen-testing wargame by OverTheWire that is designed to teach you the basics of network security.

The great thing about it is that each level has a challenge and some helpful reading material, but no tutorial — everything is self-taught!

Bandit has 34 levels. I will document the steps that I took here.

Here we go! 🚀

Level 0

I connected with SSH on port 2220 with the username bandit0.

$ ssh -l bandit0 -p 2220 bandit.labs.overthewire.org

Level 0 → 1

We need to look into the readme file to find the password.

$ ls -alt
total 24
drwxr-xr-x 41 root root 4096 Oct 16 2018 ..
drwxr-xr-x 2 root root 4096 Oct 16 2018 .
-rw-r----- 1 bandit1 bandit0 33 Oct 16 2018 readme
-rw-r--r-- 1 root root 220 May 15 2017 .bash_logout
-rw-r--r-- 1 root root 3526 May 15 2017 .bashrc
-rw-r--r-- 1 root root 675 May 15 2017 .profile
$ cat readme

The instructions specify that “whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.” So let’s do that right now.

$ ssh -l bandit1 -p 2220 bandit.labs.overthewire.org

Then enter the password you found in the readme file when prompted. This process will be repeated for every new level.

Level 1 → 2

The password for the next level is stored in a file called - located in the home directory.

$ cat ./-

In this case, cat - reads from STDIN, because cat treats a lone dash as standard input, so it was important to specify the relative path to the dash file.

CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

Level 2 → 3

The password for the next level is stored in a file called spaces in this filename located in the home directory.

$ cat "spaces in this filename"

Level 3 → 4

The password for the next level is stored in a hidden file in the inhere directory.

$ cd inhere
$ ls -a
.hidden
$ cat .hidden

Level 4 → 5

The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.

After iterating over each file, the 7th file seems to be the most readable.

$ cat ./-file07

Level 5 → 6

The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:
human-readable
1033 bytes in size
not executable

The Linux command find can be used to specify the type of the thing being searched for (in this case, f for file), the size, and the command to execute once it has been found. This command can be used to find by permissions, users, groups, date, and many other kinds of filters.

$ find ./inhere -type f -size 1033c -exec cat {} \;

Level 6 → 7

The password for the next level is stored somewhere on the server and has all of the following properties:
owned by user bandit7
owned by group bandit6
33 bytes in size

$ find / -size 33c -user bandit7 -group bandit6 -exec cat {} \;

Level 7 → 8

The password for the next level is stored in the file data.txt next to the word millionth

$ cat data.txt | grep millionth

Level 8 → 9

The password for the next level is stored in the file data.txt and is the only line of text that occurs only once

$ sort data.txt | uniq -u

Level 9 → 10

The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.

Simply using grep on data.txt will not work this time because grep treats it as a binary file. Running strings on the file first extracts its printable character sequences, which grep can then search easily.

$ strings data.txt | grep "="

Level 10 → 11

The password for the next level is stored in the file data.txt, which contains base64 encoded data

$ base64 -d data.txt

Level 11 → 12

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions

We can use the tr Linux command to translate or transform a set of characters to perform the ROT13 cipher.

$ cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'

Level 12 → 13

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)

# First, copy data.txt into a temp directory
$ mkdir /tmp/niki123
$ cp data.txt /tmp/niki123
$ cd /tmp/niki123
$ xxd -r data.txt data2.bin # Use xxd to reverse the hexdump
$ file data2.bin # Inspect the file to see its type
data2.bin: gzip compressed data, was "data2.bin", last modified: Thu May 7 18:14:30 2020, max compression, from Unix
$ TODO
5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
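
The level says the file has been repeatedly compressed, so the step after file is to keep identifying and removing layers until plain text remains. The Python sketch below is an added example, not part of the original walkthrough: it reverses an xxd dump and peels gzip, bzip2 and tar layers by their magic bytes, as file does. The sample data, its placeholder text and the member name data5.bin are constructed for illustration.

```python
import bz2, gzip, io, tarfile

# (offset, magic bytes, name): the same signatures file(1) keys on
MAGIC = ((0, b"\x1f\x8b", "gzip"), (0, b"BZh", "bzip2"), (257, b"ustar", "tar"))

def xxd_reverse(dump):
    """Rebuild raw bytes from xxd output ('offset: hex groups  ascii')."""
    rows = (l.split(":", 1)[1].split("  ", 1)[0] for l in dump.splitlines() if ":" in l)
    return bytes.fromhex("".join(rows).replace(" ", ""))

def layer_type(data):
    """Name the outer wrapper, or None when no known magic matches."""
    for off, magic, name in MAGIC:
        if data[off:off + len(magic)] == magic:
            return name
    return None

def unwrap(data, max_layers=32):
    """Peel wrappers until none is recognised; return (payload, layers)."""
    layers = []
    while (kind := layer_type(data)) is not None:
        if len(layers) >= max_layers:  # bound the nesting depth
            raise ValueError("too many nested layers")
        if kind == "gzip":
            data = gzip.decompress(data)
        elif kind == "bzip2":
            data = bz2.decompress(data)
        else:  # read the first regular member in memory, never extract to disk
            with tarfile.open(fileobj=io.BytesIO(data)) as tar:
                member = next(m for m in tar if m.isfile())
                data = tar.extractfile(member).read()
        layers.append(kind)
    return data, layers

def make_sample():
    """Constructed sample: placeholder text wrapped gzip, tar, bzip2, gzip, then hexdumped."""
    blob = gzip.compress(b"CONSTRUCTED-SAMPLE-SECRET\n")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("data5.bin")  # hypothetical member name
        info.size = len(blob)
        tar.addfile(info, io.BytesIO(blob))
    blob = gzip.compress(bz2.compress(buf.getvalue()))
    return "\n".join(f"{i:08x}: {blob[i:i + 16].hex(' ', -2)}" for i in range(0, len(blob), 16))

if __name__ == "__main__":
    payload, layers = unwrap(xxd_reverse(make_sample()))
    print(" -> ".join(layers), payload.decode().strip())
```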

This is a work in progress!

Niki Manoledaki

Software engineer with a cloud native focus. Currently building backend services and maintaining eksctl @ WeaveWorks.