Bandit Lv 0~20

Bandit: https://overthewire.org/wargames/bandit/

Bandit is a wargame for beginners (like myself) designed to teach basic skills needed to play other wargames.

Level 0

You need to know how to use ssh to log into the remote server, bandit.labs.overthewire.org, on port 2220.

Level 0 → 1

Use cat to display the content of readme which contains the password.

Level 1 → 2

The file name is -, which cat would otherwise read as standard input.

Be explicit when targeting this file: cat ./- (the ./ prefix stops - from being treated as an option or as stdin), or display every file in the current directory with cat ./*.

Level 2 → 3

The file name contains spaces. You can escape them (./hello\ world) or quote the name (./"hello world").

Level 3 → 4

Know the format of hidden files (names starting with a dot, such as .hidden) and how to list them (ls -a).

Level 4 → 5

Good to know: file, xargs, and/or find

Use find to list all the files and run file on each one to spot the ASCII text file. Alternatively, list the files with ls and pipe them into xargs to apply file to each argument.

$ find . -maxdepth 1 -type f -exec file {} \;

# or

$ ls | xargs -I {} file ./{}

Level 5 → 6

Use find with the filters below:

  • 1033 bytes in size -> -size 1033c
  • human-readable -> -exec file {} \; (then pick the one reported as text)
  • not executable -> ! -executable

Level 6 → 7

Use find with the filters below:

  • owned by user bandit7 -> -user bandit7
  • owned by group bandit6 -> -group bandit6
  • 33 bytes in size -> -size 33c
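
The find filters for levels 5 and 6 exercised against a small constructed directory tree, as an added example that is not part of the original post. The helper names (make_sample_tree, is_text, find_level5, find_level6) are hypothetical; is_text stands in for `file ... | grep text` so the example runs even where `file` is not installed, and the level 6 owner and group are parameters so the sample can use your own account (chown needs root). In the game you would point them at inhere/ and /, with bandit7 and bandit6.

```shell
# Added example (not from the original post). Constructed sample tree:
# three 1033-byte files (one executable, one binary, one plain text), one
# 33-byte file, and one file of the wrong size.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/inhere/maybehere01" "$root/inhere/maybehere02"
  # 1033 bytes of text, but executable: must be rejected by ! -executable
  head -c 1033 /dev/zero | tr '\0' 'A' > "$root/inhere/maybehere01/.file1"
  chmod u+x "$root/inhere/maybehere01/.file1"
  # 1033 bytes, not executable, but binary: must be rejected by the text check
  head -c 1033 /dev/urandom > "$root/inhere/maybehere02/-file2"
  # 1033 bytes, not executable, plain text: the level 5 answer
  head -c 1033 /dev/zero | tr '\0' 'B' > "$root/inhere/maybehere02/.file3"
  # exactly 33 bytes, owned by whoever runs this: the level 6 answer
  printf '%033d' 0 > "$root/inhere/maybehere01/spaces file"
  # wrong size on purpose
  printf 'not this one\n' > "$root/inhere/README"
  echo "$root"
}

# Stand-in for `file ... | grep text`: a file counts as text if it contains no
# byte outside the printable ASCII range (checked in the C locale).
is_text() {
  ! LC_ALL=C grep -q '[^[:print:][:space:]]' "$1"
}

# Level 5: exactly 1033 bytes, not executable, human-readable.
# In the game: find inhere -type f -size 1033c ! -executable -exec file {} \;
find_level5() {
  find "$1" -type f -size 1033c ! -executable | while read -r f; do
    if is_text "$f"; then echo "$f"; fi
  done
}

# Level 6: owned by user $2 and group $3, exactly 33 bytes.
# In the game: find / -type f -user bandit7 -group bandit6 -size 33c 2>/dev/null
# The 2>/dev/null hides the "Permission denied" noise from directories you
# cannot enter when searching from /.
find_level6() {
  find "$1" -type f -user "$2" -group "$3" -size 33c 2>/dev/null
}

# Demo on the constructed tree
root=$(make_sample_tree)
find_level5 "$root"
find_level6 "$root" "$(id -un)" "$(id -gn)"
```

Both functions print exactly one path on the sample tree: the text file for level 5 and the 33-byte file for level 6.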

Level 7 → 8

Print the content and pipe it into grep to find the line containing the word millionth; the password follows it.

Level 8 → 9

Good to know: sort, uniq

Sort the content, then count each distinct string (uniq -c). This shows which string appears only once.

Or pipe the output through another command, awk, to print only the line whose count is 1.
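
The sort | uniq -c | awk pipeline run against a constructed data file, as an added example that is not part of the original post. The helper names are hypothetical; the sample file holds three decoy strings written ten times each and one real string written once. The second function shows the same result with uniq -u, which prints only the lines that are not repeated.

```shell
# Added example (not from the original post). Builds a constructed data file
# and recovers the single line that occurs exactly once.
make_sample_lines() {
  f=$(mktemp)
  i=0
  while [ "$i" -lt 10 ]; do
    printf 'constructed-decoy-aaaa\nconstructed-decoy-bbbb\nconstructed-decoy-cccc\n' >> "$f"
    # slip the unique line in somewhere in the middle, so position gives nothing away
    [ "$i" -eq 4 ] && echo 'constructed-unique-value' >> "$f"
    i=$((i + 1))
  done
  echo "$f"
}

# The post's approach: sort so duplicates become adjacent, count each run with
# uniq -c, keep the runs of length 1. Using $2 is safe because the lines have
# no spaces; for lines with spaces, strip the count column with sub() instead.
unique_by_count() {
  sort "$1" | uniq -c | awk '$1 == 1 { print $2 }'
}

# Same result with one flag: uniq -u prints only lines that are not repeated.
# It still needs sorted input, because uniq only compares neighbouring lines.
unique_by_flag() {
  sort "$1" | uniq -u
}

f=$(make_sample_lines)
unique_by_count "$f"
unique_by_flag "$f"
```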

Level 9 → 10

Good to know: strings, grep

strings prints the sequences of printable characters in a file; pipe its output through grep to narrow it down.

Level 10 → 11

Decode the given text file using base64 -d.

Level 11 → 12

Good to know: tr, ROT13

Use the ROT13 algorithm to decipher the content (no need to implement the algorithm yourself; tr can do the substitution).
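
ROT13 as a tr substitution, together with the base64 decode from level 10, as an added example that is not part of the original post. It goes one step beyond the post by building the general Caesar shift (rotn) that ROT13 is one instance of; the function names are hypothetical and the inputs are constructed sample strings.

```shell
# Added example (not from the original post).

# ROT13 exactly as tr does it: map A-Z onto N-ZA-M, and likewise for lowercase.
# Applying it twice returns the original text.
rot13() {
  tr 'A-Za-z' 'N-ZA-Mn-za-m'
}

# Caesar shift by N (1..25), built by rotating both alphabets with cut.
# rotn 13 is rot13; undo a shift of N with rotn $((26 - N)).
rotn() {
  n=$1
  if [ "$n" -lt 1 ] || [ "$n" -gt 25 ]; then
    echo "rotn: shift must be 1..25" >&2
    return 1
  fi
  up=ABCDEFGHIJKLMNOPQRSTUVWXYZ
  lo=abcdefghijklmnopqrstuvwxyz
  up_rot=$(printf '%s' "$up" | cut -c"$((n + 1))-")$(printf '%s' "$up" | cut -c"1-$n")
  lo_rot=$(printf '%s' "$lo" | cut -c"$((n + 1))-")$(printf '%s' "$lo" | cut -c"1-$n")
  tr "$up$lo" "$up_rot$lo_rot"
}

# Level 10: base64 -d decodes whatever arrives on stdin (e.g. < data.txt).
b64_decode() {
  base64 -d
}

# Demo on constructed strings
printf 'Hello, World\n' | rot13
printf 'Hello, World\n' | rotn 3
printf 'SGVsbG8sIFdvcmxkCg==' | b64_decode
```

Feed a file in with `rot13 < data.txt`; the tr ranges are the whole trick, since tr maps each character of the first set to the character at the same position in the second.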

Level 12 → 13

Good to know: file, tar, gzip, bzip2

Check the type of each compressed file using file and use the matching tool (gzip, bzip2, or tar) to unpack it.

Repeat until you end up with an ASCII text file.
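
The "check the type, pick the tool, repeat" loop automated, as an added example that is not part of the original post. The helper names are hypothetical and the sample is constructed: a text file inside a tar archive inside gzip, given a misleading name. detect_type reads the leading magic bytes so the example runs even where `file` is not installed; in the game, reading the output of `file` is enough.

```shell
# Added example (not from the original post).

# Classify a file by magic bytes: gzip starts with 1f 8b, bzip2 with "BZh",
# and a ustar/GNU tar header carries "ustar" at byte offset 257.
detect_type() {
  magic=$(od -An -tx1 -N3 "$1" | tr -d ' \n')
  case "$magic" in
    1f8b*)  echo gzip ;;
    425a68) echo bzip2 ;;
    *)
      if [ "$(tail -c +258 "$1" 2>/dev/null | head -c 5)" = ustar ]; then
        echo tar
      else
        echo text
      fi ;;
  esac
}

# Unpack $1 step by step, inside its own directory, and print the path of the
# final text file. Each intermediate is renamed step<N>.<ext> so gzip/bzip2
# know which suffix to strip. Only single-member tarballs are handled, which
# is all this level needs.
unpack_all() {
  cur=$1
  dir=$(dirname "$cur")
  n=0
  while :; do
    n=$((n + 1))
    case "$(detect_type "$cur")" in
      gzip)
        mv "$cur" "$dir/step$n.gz"
        gzip -d -f "$dir/step$n.gz"
        cur="$dir/step$n" ;;
      bzip2)
        mv "$cur" "$dir/step$n.bz2"
        bzip2 -d -f "$dir/step$n.bz2"
        cur="$dir/step$n" ;;
      tar)
        member=$(tar -tf "$cur" | head -n 1)
        mkdir -p "$dir/step$n.d"
        tar -xf "$cur" -C "$dir/step$n.d"
        cur="$dir/step$n.d/$member" ;;
      text)
        echo "$cur"
        return 0 ;;
    esac
  done
}

# Constructed sample: text -> tar -> gzip, then renamed to hide the type.
make_sample() {
  work=$(mktemp -d)
  printf 'constructed-final-secret\n' > "$work/inner.txt"
  tar -cf "$work/data.tar" -C "$work" inner.txt
  gzip -f "$work/data.tar"                  # produces data.tar.gz
  mv "$work/data.tar.gz" "$work/data.bin"   # misleading name, as in the game
  echo "$work/data.bin"
}

# Demo
final=$(unpack_all "$(make_sample)")
echo "final file: $final"
cat "$final"
```

On the sample this takes two steps (gzip, then tar) and prints the inner text file's path; a bzip2 layer would simply add a step.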

Level 13 → 14

Good to know: ssh (SSH key), scp, chmod

Use scp, or copy the private key from the server by hand.

Restrict the private key's permissions with chmod so that only you can read it; ssh refuses to use a key file that is readable by others.

Then use ssh with this private key to log in to the next level. You can find the password for the current level in /etc/bandit_pass/

Level 14 → 15

Good to know: netcat (nc)

Use netcat to send the current level’s password to localhost on port 30000.

Level 15 → 16

Good to know: ncat, SSL

Use ncat to send the current level’s password to localhost with SSL encryption (--ssl).

Level 16 → 17

Good to know: ss, openssl, s_client

Not quite sure if this is the correct method, but I used ss with a port range of 31000-32000 to find which of them are listening.

$ ss -tlunp sport ge :31000 and sport le :32000

Then I used openssl s_client to find out which of those ports are using SSL/TLS.

Finally, I used ncat --ssl to retrieve the private key.
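
The two steps above as shell helpers, as an added example that is not part of the original post: listening_ports_in_range filters ss output down to the port numbers inside a range, and tls_ports_on probes each one with openssl s_client and keeps those that complete a TLS handshake. Both names are hypothetical, and the ss output embedded below is constructed sample data with made-up port numbers; the real ports on the server differ.

```shell
# Added example (not from the original post).

# $1 = lower bound, $2 = upper bound; `ss -tln`-style output arrives on stdin.
# The local address column looks like "0.0.0.0:31001" or "[::]:31001", so the
# port is always the last ":"-separated field.
listening_ports_in_range() {
  awk -v lo="$1" -v hi="$2" '
    NR > 1 {                      # skip the header line
      n = split($4, a, ":")
      p = a[n] + 0
      if (p >= lo && p <= hi) print p
    }' | sort -un
}

# Probe each port (one per line on stdin) on localhost. openssl s_client exits
# 0 only when the TLS handshake succeeds, so plaintext listeners drop out.
# timeout (GNU coreutils) stops a listener that never answers from hanging us.
tls_ports_on() {
  while read -r p; do
    if printf 'Q\n' | timeout 5 openssl s_client -connect "localhost:$p" >/dev/null 2>&1; then
      echo "$p"
    fi
  done
}

# Constructed sample of `ss -tln` output (port numbers are made up).
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       64      0.0.0.0:31001        0.0.0.0:*
LISTEN  0       64      [::]:31001           [::]:*
LISTEN  0       64      127.0.0.1:31999      0.0.0.0:*
LISTEN  0       64      0.0.0.0:32768        0.0.0.0:*'

# Offline demo on the sample; on the server you would run
#   ss -tln | listening_ports_in_range 31000 32000 | tls_ports_on
printf '%s\n' "$SAMPLE_SS" | listening_ports_in_range 31000 32000
```

The sample yields 31001 and 31999 (the duplicate IPv4/IPv6 entry collapses to one line, and 22 and 32768 fall outside the range); the probe stage is only run on the server, since it needs the listeners.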

Level 17 → 18

Use diff.

Level 18 → 19

Good to know: scp

Since we can’t log in to the server (the connection is closed right away), you can run cat remotely through ssh, or use scp to download the file.

Level 19 → 20

Use the given setuid binary to raise your privileges and print the password located in /etc/bandit_pass/

Level 20 → 21

Good to know: tmux, nc, Unix job control (fg, bg, &, etc…)

You can use two shells, or use & to run the listener in the background.

  1. use nc -l <PORT> to listen on a free port of your choice
  2. in the other shell, run the given suconnect binary with the same port (suconnect <PORT>)
  3. in the shell where nc is running, enter the current level’s password

Continue reading for Level 21 to 33