These are my writeups for the Bandit wargame. This does contain spoilers, but not passwords.
You are supplied with a username bandit0, a host bandit.labs.overthewire.org, a port number 2220, and a password bandit0.

ssh into the system using ssh bandit0@bandit.labs.overthewire.org -p 2220. Enter the password when prompted to log in.
readme using cat readme.

The password for the next level is stored in a file called - located in the home directory.
You cannot open - directly with cat like in level0.
- use a relative path ./-.
cat ./-.

The password for the next level is stored in a file called spaces in this filename located in the home directory.

This is fundamentally the same problem as level 1. This time surround the filename in quotes. Bash autocompletion will actually do this for you.
ssh.
spaces in this filename using cat "spaces in this filename".

The password for the next level is stored in a hidden file in the inhere directory.
ssh into the server.
cd inhere to get into the inhere directory.
ls -a. This shows the file .hidden.
cat .hidden gets you the password.

The password for the next level is stored in the only human-readable file in the inhere directory.
inhere directory with cd inhere.
ls shows 10 files in inhere.
file ./-file00 shows that -file00 contains data, which is not human readable.
for file in *; do file ./"${file}"; done I can run the file command on all the files in inhere.
data except -file07 which contains ASCII Text which should be human-readable.
cat ./-file07 nets me the password.

The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:
human-readable
1033 bytes in size
not executable

ssh into the server.
cd inhere to get into the inhere directory.
ls -a shows 18 directories, and ls on one of them shows 9 files.
find command.
find -type f -size 1033c ! -executable returns one file maybehere07/.file2, and it has the password in it.
find -type f -size 1033c ! -executable breaks down to:
- -type f: look for a file.
- -size 1033c: it should be 1033 bytes in size.
- ! -executable: file should NOT (!) be executable.
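
The same find predicates run against a small constructed tree, as an added example that is not part of the original writeup. The directory and file names are made up, and it assumes GNU find; it also shows why the c suffix matters, since a KiB unit rounds sizes up and stops discriminating.

```sh
#!/bin/sh
# Added example: the level's find predicates against a constructed tree.
# All directory and file names below are made up for the demo.

build_tree() {
    t=$(mktemp -d)
    mkdir "$t/maybehere00" "$t/maybehere01"
    # 1033 bytes, mode 644: the only file that should match
    head -c 1033 /dev/zero | tr '\0' 'A' > "$t/maybehere00/.match"
    chmod 644 "$t/maybehere00/.match"
    # 1033 bytes but executable: excluded by ! -executable
    head -c 1033 /dev/zero | tr '\0' 'B' > "$t/maybehere00/tool"
    chmod 755 "$t/maybehere00/tool"
    # 1034 bytes: one byte too large for -size 1033c
    head -c 1034 /dev/zero | tr '\0' 'C' > "$t/maybehere01/near"
    chmod 644 "$t/maybehere01/near"
    printf '%s\n' "$t"
}

# Exact byte count: the c suffix means bytes, with no rounding.
exact_match() {
    find "$1" -type f -size 1033c ! -executable 2>/dev/null
}

# Same search with a KiB unit: find rounds sizes UP to whole units,
# so 1033 and 1034 bytes both count as 2k and two files match.
rounded_count() {
    find "$1" -type f -size 2k ! -executable 2>/dev/null | wc -l | tr -d ' '
}

tree=$(build_tree)
exact_match "$tree"      # prints only .../maybehere00/.match
rounded_count "$tree"    # prints 2
```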

The password for the next level is stored somewhere on the server and has all of the following properties:
owned by user bandit7
owned by group bandit6
33 bytes in size

This is very similar to the last level.
ssh into the server.
ls -a shows no files or directories in my home directory. Password can’t be here.
cd .. to move up a directory into /home/.
find -type f -user bandit7 -group bandit6 -size 33c 2>/dev/null. The 2>/dev/null sends any error messages into the void. This gets rid of any Permission failed messages.
/home/ does not contain the file. Move up one more: cd ..
find command in / yields ./var/lib/dpkg/info/bandit7.password, which contains the password.

The password for the next level is stored in the file data.txt next to the word millionth.
ssh into the server.
ls shows that data.txt is in my home directory.
grep millionth data.txt searches the file for any lines containing ‘millionth’ and returns the password.

The password for the next level is stored in the file data.txt and is the only line of text that occurs only once.
ssh into the server.
ls shows data.txt is in my home directory.
data.txt it contains thousands of possible passwords.
sort data.txt | uniq -u. This outputs the only unique line in the file, the password.

The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.
ssh into the server.
ls shows data.txt is in my home directory.
strings utility will output all the ASCII strings it finds in a file.
strings data.txt | grep === gets me all the strings with at least 3 ’=’s in them. This yields the password.

The password for the next level is stored in the file data.txt, which contains base64 encoded data.
ssh into the server.
data.txt is in the home directory.
base64 --decode data.txt to decode data.txt, giving the password.

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions.
ssh into the server.
data.txt is in the home directory.
tr, a find and replace utility.
tr a-mA-Mn-zN-Z n-zN-Za-mA-M < data.txt to “decrypt” the password. The weird string after tr is the transform. It tells tr that it should take all character inputs in the range a-m and change each to the equivalent position in the range n-z, and A-M to N-Z, etc.

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed.
This level was more annoying than difficult.
ssh into the server.
data.txt is found in the home directory.
data.txt is a hex dump of another file. To get the original file back you need to ‘un-dump’ it. This is done with xxd -r data.txt; the -r option reverses the dump.
data. Running file data shows that this is a gzip archive.
gzip, bzip2 and tar. After each is uncompressed use file to see which command you need next.
gunzip <file> for gzip, bzip2 -d <file> for bzip2, and tar -xf <file> for tarballs.

The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14.
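
For the repeatedly compressed hexdump level above (the one solved with xxd -r, gunzip, bzip2 -d and tar -xf), the manual loop can be scripted; this is an added example, not part of the original writeup. It identifies each layer by magic bytes rather than by running file, which is a swapped-in technique, and peel, demo and the sample data are constructed for the illustration.

```sh
#!/bin/sh
# Added example: peel gzip/bzip2/tar layers off a file until plain data remains.
# Real input would be the binary produced by `xxd -r data.txt`.

peel() {
    work=$(mktemp -d) || return 1
    cp -- "$1" "$work/layer" || return 1
    depth=0
    while [ "$depth" -lt 32 ]; do   # hard cap so a crafted file cannot loop forever
        # First three bytes as hex: gzip = 1f 8b .., bzip2 = "BZh" = 42 5a 68
        magic=$(od -An -tx1 -N3 "$work/layer" | tr -d ' \n')
        # tar archives carry the string "ustar" at byte offset 257
        ustar=$(od -An -tx1 -j257 -N5 "$work/layer" 2>/dev/null | tr -d ' \n')
        case "$magic" in
            1f8b*)
                mv "$work/layer" "$work/layer.gz" && gunzip "$work/layer.gz" || return 1 ;;
            425a68)
                mv "$work/layer" "$work/layer.bz2" && bzip2 -d "$work/layer.bz2" || return 1 ;;
            *)
                [ "$ustar" = "7573746172" ] || break   # not an archive: done
                # -O streams member contents to stdout, so paths stored in the
                # archive are never written to disk
                tar -xOf "$work/layer" > "$work/next" || return 1
                mv "$work/next" "$work/layer" ;;
        esac
        depth=$((depth + 1))
    done
    [ "$depth" -lt 32 ] || return 1
    printf '%s\n' "$work/layer"
}

# Constructed sample (not the level's data): text -> tar -> gzip -> gzip
demo() {
    d=$(mktemp -d)
    printf 'constructed-secret\n' > "$d/inner"
    tar -cf "$d/a.tar" -C "$d" inner
    gzip -c "$d/a.tar" | gzip -c > "$d/data.bin"
    cat "$(peel "$d/data.bin")"
}

demo
```

The tar branch assumes a single-member archive, since -O concatenates every member into one stream.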
ssh into the server.
sshkey.private. This is a private ssh key that you can use to access the bandit14 user on the current machine.
ssh bandit14@localhost -i sshkey.private you can log on as bandit14 and get the password from /etc/bandit_pass/bandit14. Here localhost is the name of your current machine (the bandit server) and -i points ssh to what key file you want it to use.

The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
ssh into the server.
netcat or nc. netcat opens a TCP or UDP connection between you and a host:port, which you can then use to send data and text.
nc localhost 30000 you can open a connection to port 30000, then send the password from the previous level and a server on port 30000 will send you the next password.

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
This is a lot like level 14, except a different client program is used.
ssh into the server.
nc doesn’t work as nc does not implement SSL encryption.
man pages of the suggested commands, it looks like s_client should be able to replicate nc’s function, but with encryption.
openssl s_client -connect localhost:30001 gets me the same function that nc got for me in the last level. Enter the password for the last level and the server gives you the password for the next.

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
ssh into the server.
nmap using nmap -PS localhost -p 31000-32000. This gave me ports 31046, 31518, 31691, 31790, and 31960.
openssl s_client -connect localhost:port
for port in 31046 31518 31691 31790 31960; do openssl s_client -connect localhost:"${port}"; done. If the port doesn’t speak SSL the connection will be refused and the script will try the next port. When a port does connect with SSL it will prompt you to enter a password. Then it gives you a response and closes the connection. Keep entering the password until a port gives you an SSL certificate.

There are 2 files in the home directory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new.
ssh into the server.
diff to view differences between two files.
diff passwords.old passwords.new, this shows us the password from passwords.new.

The password for the next level is stored in a file readme in the home directory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
ssh into the server…get bumped out.
ssh can run commands remotely: ssh bandit18@bandit.labs.overthewire.org -p 2220 [command].
ssh bandit18@bandit.labs.overthewire.org -p 2220 cat readme to get the password.

To gain access to the next level, you should use the setuid binary in the home directory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.
ssh into the server.
bandit20-do binary tells you that it runs a command as the bandit20 user.
bandit20-do cat /etc/bandit_pass/bandit20.

There is a setuid binary in the home directory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).