Bandit Wargames Part 1

BANDIT WARGAME

Introduction

The Bandit wargame is the beginner-level wargame of the OverTheWire wargames. Its focus is teaching the basics needed to play the other wargames.

If you’re a beginner in Linux systems, your best friend in this wargame will be man pages (manual pages). Man pages are, in short, manuals for commands on the Linux command line. To read a man page, simply type “man <command>” on the command line. For example: man ls.

Okay. Let’s get to it!

Disclaimer: My host is a Windows machine but I’m using a console emulator called Cmder that allows me to have a bash-like shell environment. You can find it here: https://cmder.app/. It’s a really cool tool if you ask me.

Level 0

The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.

Solution:

SSH into the machine with the following command: ssh -p 2220 bandit0@bandit.labs.overthewire.org

Level 0 – Level 1

The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.

Solution:

The home directory of a user in a Linux system is usually indicated as a tilde (~) on the shell prompt in the command line interface.

The shell prompt is what we use to interact with the shell.

Typically, the shell prompt has the following format:
[username@domain directory]$

In our case, bandit0 is the username, bandit is the domain name/hostname, ~ is the current directory and $ is a symbol that separates the user information from the rest of the command. In most cases, $ represents a normal user and # represents a root user.

To list the files in a directory, use the ls command.

NB: As always, if you don’t know a command, use the man command to find out more. Scroll down and up the man page and press q to exit.

We already saw that the home directory contains a “readme” file through the ls command. To view its contents, use the cat command.

We now have the password to our next level! Use it to log in to the next level using ssh. Exit the current connection by executing the exit command.

Level 1 – Level 2

The password for the next level is stored in a file called - located in the home directory

Solution:

List the contents of the home directory.

Read the file “-”.

However, if you execute “cat -” you don’t see the contents of the file. This is because the command does not read from the file but from stdin (standard input). Whatever you type after this command will be echoed back. Try it!

To read the file, use a relative path: “cat ./-”. A full stop/period (.) represents the current directory.

Level 2 – Level 3

The password for the next level is stored in a file called spaces in this filename located in the home directory

Solution:

List the contents of the directory.

You’ll see that the file has spaces in the filename. Usually I would use the tab key to autocomplete the name. You can, however, type the name and escape each space using \.

Then view the contents of the file.

Level 3 – Level 4

The password for the next level is stored in a hidden file in the inhere directory.

Solution:

List the contents of the home directory and then move into the inhere directory using the cd command.

List the contents of the inhere directory. In this case we have to use the “-a” flag to ensure that even hidden files are listed. Hidden files in Unix/Linux environments usually start with a full stop/period (.).

View the contents of .hidden.

NB: I also used the “-l” flag to list the contents of the directory in long format.

Level 4 – Level 5

The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.

Solution:

Move into the inhere directory and list the contents of the directory.

Since we are trying to find a human readable file, we use the file command to find out what kind of file each file is in the directory. We do that using the following command: file ./*. We can see that the file “-file07” contains ASCII text. Read the contents of this file.
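Why the ./ prefix is needed for the file named “-” in Level 1 and for “-file07” here, shown in a constructed sandbox. This is an added example, not commands from the original post; the file contents are made up, and the “--” variant goes slightly beyond what the walkthrough covers.

```shell
#!/bin/sh
# Constructed sandbox: a file named "-" (as in Level 1) and a file named
# "-file07" inside inhere/ (as in Level 4). Contents are made up.
box=$(mktemp -d) || exit 1
printf 'constructed-secret-1\n' > "$box/-"
mkdir "$box/inhere"
printf 'constructed-secret-2\n' > "$box/inhere/-file07"

# A lone "-" operand means standard input, so the file is never opened.
# "--" does not help here: it only ends option parsing, and "-" is not
# an option.
dash_reads_stdin() { (cd "$box" && printf 'typed text\n' | cat -- -); }

# With a path prefix the argument can only be a file name.
dash_as_path() { (cd "$box" && cat ./-); }

# A bare glob expands to "-file07", which cat parses as a bundle of options
# (-f -i -l ...) and rejects.
bare_glob() {
    (cd "$box/inhere" && if cat * >/dev/null 2>&1; then echo read; else echo rejected; fi)
}

# Two fixes for names that start with "-" followed by more characters:
# anchor the glob with ./ or end option parsing with "--".
glob_with_dotslash() { (cd "$box/inhere" && cat ./*); }
glob_after_ddash()   { (cd "$box/inhere" && cat -- *); }

echo "cat -- -   : $(dash_reads_stdin)"
echo "cat ./-    : $(dash_as_path)"
echo "cat *      : $(bare_glob)"
echo "cat ./*    : $(glob_with_dotslash)"
echo "cat -- *   : $(glob_after_ddash)"
```

The same habit (./ in front of globs, or “--” before file operands) is what keeps attacker-chosen file names from being read as options in scripts.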

Level 5 – Level 6

The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:

  • human-readable
  • 1033 bytes in size
  • not executable

Solution:

In this challenge we use the find command to find a file with the specified properties: find . -size 1033c -type f ! -executable

We then read the file.

Level 6 – Level 7

The password for the next level is stored somewhere on the server and has all of the following properties:

  • owned by user bandit7
  • owned by group bandit6
  • 33 bytes in size

Solution:

The file that contains the password is stored somewhere in the server. That means that the file could exist anywhere under the root (/) directory. Therefore, we search for the file from the root directory using the specified properties.

find / -user bandit7 -group bandit6 -size 33c

The file that is readable is /var/lib/dpkg/info/bandit7.password. Read the file.

cat /var/lib/dpkg/info/bandit7.password

Level 7 – Level 8

The password for the next level is stored in the file data.txt next to the word millionth

Solution:

Use grep to find the line that has the word “millionth”. You can cat then pipe to grep or directly use grep.

Level 8 – Level 9

The password for the next level is stored in the file data.txt and is the only line of text that occurs only once

Solution:

On this level we are looking for a line that only occurs once in data.txt. I have two ideas of how you can do this:

  1. Sort lines in the data.txt file and then print the only unique line.
  2. Sort the lines in the data.txt file, get the count of each line and find the one that has a count of one (1).

NB: We sort the data first because the uniq command only filters out adjacent matching lines. If you pass the data to uniq without sorting it, you will just print out the whole file.

Find out more in the man page!! < man uniq >
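The two ideas above and the sorting caveat, run on constructed data. This is an added example, not commands from the original post; the file contents and the awk filter used for idea 2 are assumptions.

```shell
#!/bin/sh
# Constructed stand-in for data.txt: every line repeats except one, and the
# repeats are deliberately never adjacent.
data=$(mktemp) || exit 1
printf '%s\n' alpha bravo alpha charlie bravo delta charlie delta \
              ONLY-ONCE alpha delta > "$data"

# Idea 1: sort so duplicates become adjacent, then keep lines seen once.
idea1() { sort "$data" | uniq -u; }

# Idea 2: count each distinct line and keep those whose count is 1.
idea2() { sort "$data" | uniq -c | awk '$1 == 1 { print $2 }'; }

# Without sort, uniq only compares neighbouring lines, so non-adjacent
# repeats all look unique and every line is printed.
unsorted_count() { uniq -u "$data" | wc -l | tr -d ' '; }

total=$(wc -l < "$data" | tr -d ' ')
echo "idea 1: $(idea1)"
echo "idea 2: $(idea2)"
echo "uniq -u without sort printed $(unsorted_count) of $total lines"
```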

Level 9 – Level 10

The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.

Solution:

Use the strings command to print the human-readable strings in the file and filter for strings with equals (=) signs.

Level 10 – Level 11

The password for the next level is stored in the file data.txt, which contains base64 encoded data

Solution:

Decode the base64 encoded data using the base64 command.

Level 11 – Level 12

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions

Solution:

In this case we use the tr (translate) command to reverse the rotation by 13 positions (ROT13).

Level 12 – Level 13

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)

Solution:

We first create a directory in the /tmp directory and move the data.txt file to that directory.

We then start with data.txt, which we know is a hexdump. Using xxd, we reverse this, yielding hex_reverse. Despite lacking the .gz extension, we rename it for gzip -d, successfully decompressing it.

However, hex_reverse proves to be bzip2-compressed. Though bunzip2 struggles to infer the original name, renaming it as hex_reverse.out.gz allows gzip to reveal its content.

Inside lies a POSIX tar archive. Extracting it unveils data5.bin, which in turn reveals data6.bin, another bzip2-compressed file. bunzip2 decompresses it and names the output file data6.bin.out.

We examine data6.bin.out, identified as a POSIX tar archive. Upon extraction, it reveals data8.bin. A file check discloses data8.bin as gzip compressed, originally named “data9.bin”, modified on October 5, 2023. We rename it to data8.bin.gz, appending the .gz extension to signify its compressed state.

With the file decompressed using gunzip, our directory now houses data8.bin. A quick inspection using file confirms it as ASCII text. We display its contents using cat.
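The manual sequence above, automated as a loop that asks file what each layer is and picks the matching tool. This is an added example, not the original post's commands; the function names, the sample contents and the layer order of the constructed sample are assumptions.

```shell
#!/bin/sh
# make_sample OUT: build a constructed stand-in for data.txt (not the real
# level file): text -> gzip -> tar -> bzip2 -> gzip -> xxd hexdump.
make_sample() {
    d=$(mktemp -d) || return 1
    printf 'constructed-password-not-real\n' > "$d/data8.bin"
    gzip -c "$d/data8.bin" > "$d/data6.bin"
    tar -cf "$d/data5.tar" -C "$d" data6.bin
    bzip2 -c "$d/data5.tar" | gzip -c | xxd > "$1"
    rm -rf "$d"
}

# peel HEXDUMP: reverse the hexdump, then let `file` pick the tool for each
# layer until plain text is left. Everything is decompressed to stdout, so
# no renaming to .gz/.bz2 is needed and tar members are never written to
# disk under their own names.
peel() {
    w=$(mktemp -d) || return 1
    xxd -r "$1" > "$w/cur"
    n=0
    while [ "$n" -lt 20 ]; do               # hard cap on nesting depth
        n=$((n + 1))
        kind=$(file -b "$w/cur")
        case $kind in
            gzip*)            gzip -dc "$w/cur" > "$w/next" ;;
            bzip2*)           bzip2 -dc "$w/cur" > "$w/next" ;;
            *"tar archive"*)  tar -xOf "$w/cur" > "$w/next" ;;
            *text*)           cat "$w/cur"; rm -rf "$w"; return 0 ;;
            *)                echo "unhandled layer: $kind" >&2
                              rm -rf "$w"; return 1 ;;
        esac
        mv "$w/next" "$w/cur"
    done
    rm -rf "$w"; return 1
}

# Demo on the constructed sample.
sample=$(mktemp) && make_sample "$sample" && peel "$sample" || echo "demo failed" >&2
rm -f "$sample"
```

Writing each layer to stdout with -dc and tar -xO avoids the extension renaming described above, because gzip and bzip2 only insist on a suffix when they have to derive an output file name.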

Level 13 – Level 14

The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on

Solution:

We list the home directory and find the file sshkey.private. This is the private key that can be used to log in as bandit14.

We use it to log in as bandit14 with the following command.

Level 14 – Level 15

The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

Solution:

In the previous level, we were informed that the password of the current level can be found in the file /etc/bandit_pass/bandit14.

In this challenge we shall use the nc (netcat) command to send the password to the aforementioned port on localhost.

As always, you can refer to the manpages.

Level 15 – Level 16

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…

Solution:

s_client establishes a connection to a server using the SSL/TLS protocol.

The password of this level can be found in /etc/bandit_pass/bandit15.

We submit the password to localhost using the following command.

Conclusion:

I believe we are now halfway through the Bandit wargames. As always with CTFs, you get to learn new things. Here are the commands we have used so far in the wargames:

  1. ssh
  2. ls
  3. man
  4. cd
  5. cat
  6. find
  7. sort
  8. uniq
  9. strings
  10. mkdir
  11. cp
  12. mv
  13. xxd
  14. file
  15. tar
  16. gzip
  17. bzip2
  18. openssl

All these are important Linux tools, and even though you already know them, you will often find a new way to use them. The best thing you can do is learn their basic usage and then, through the man pages, learn how you can modify their behaviour through flags.

Okay. Let’s catch up on part 2 of the Bandit wargames.