Bandit Overthewire (0–14)

Ahmet Göker
9 min readJul 26, 2022

Hey HackGeeks,

Welcome back to my blog-post. Today I will walkthrough “Bandit” overthewire challenge. I would recommend you to check this challenge. If you want to enhance your Linux skills, this challenge will be superb to practise on it. You can check this challenge at https://overthewire.org/wargames/bandit/

This blog will be a serie till level 33.

Bandit

The Bandit wargame is aimed at absolute beginners. It will teach the basics needed to be able to play other wargames. If you notice something essential is missing or have ideas for new levels, please let us know!

Let’s kick off.

Level 0

This level does not require any challenge. Just log into bandit0 through ssh connection.

Username: bandit0

Password: bandit0

Level 0–1

After logged into bandit1, i firstly typed “ls *” to see whether files were being placed or not. Luckily, there was a file called “readme” thus I decided to cat this out to see the content.

Level 1–2

The password for the next level is stored in a file called — located in the home directory. While reading this text, I decided to type “ls -la” to see whether readable files were being placed or not.

Hmm interesting. It reads from stdin thus we need to use “cat” command and “<” operator to read the password.

stdin: The standard input device, also referred to as stdin , is the device from which input to the system is taken.

Level 2–3

I get logged in as “bandit2” thus as always i decided to see whether files were being or not.

And saw a file called “spaces in this file” In order to read files with spaces in the name you have to put the file name in quotation marks.

Level 3–4

I get logged in as “bandit3” thus as always i decided to see whether files were being placed or not.

The password for the next level is stored in a hidden file in the inhere directory.

It is recommend to use “ls -la” after get into “inhere” directory because, you will not be able to see files into it.

Easy one!! You will get password for the next level.

Level 4–5

I get logged in as “bandit4” thus as always i decided to see whether files were being placed or not. The problem is that we got a lot of files some of them are not human-readable.

Hmm interesting, we totally have 9 files. I decided to use my bash knowledge to be able to get the right file.

We are going to be able search for a file with bash, which has an ascii data (human -readable).

Awesome. File07 is our target.

Level 5–6

I get logged in as “bandit5” thus I always decided to see whether files were being placed or not.

The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:

  • human-readable
  • 1033 bytes in size
  • not executable

We are able to use “find” command.

find . -size 1033c ! -executable will be enough to be used.

Level 6–7

I get logged in as “bandit5” thus as always i decided to see whether files were being placed or not.

Hint: The password for the next level is stored somewhere on the server and has all of the following properties:

  • owned by user bandit7
  • owned by group bandit6
  • 33 bytes in size

We still are be able to use “find” command.

Nothing to be seen. I decided yo use “find” command properly.

Awesome it worked very well. Grab your password and go to the next level.

Level 7–8

I get logged in as “bandit7” thus as always i decided to see whether files were being placed or not.

Hint: The password for the next level is stored in the file data.txt next to the word millionth

Hmm interesting, we are going to use “grep” command.

grep: The grep command can search for a string in groups of files. When it finds a pattern that matches in more than one file, it prints the name of the file, followed by a colon, then the line matching the pattern.

“grep” command will be superb to be used. Let’s try that out:)

We just needed to grep “millionth” being able to find the word with his password.

Level 8–9

I get logged in as “bandit8” thus as always i decided to see whether files were being placed or not.

Hint: The password for the next level is stored in the file data.txt and is the only line of text that occurs only once

Oke this sounds great, we will be able to use “uniq” command with “-u” flag.

You can use “manuel page” for uniq command.

When we used “strings” command, we cannot specify the exact line.

Let’s sort this and associate “uniq” command respectively

sort: Write sorted concatenation of all FILE(s) to standard output.

Level 8–9

I get logged in as “bandit8” thus as always i decided to see whether files were being placed or not.

Hint: The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.

Awesome. I am able to use “cat” command and pipe with | string | and grep it with “=” let’s give a try.

Awesome. Grab your password and go to the next level.

Level 9–10

I almost forget to say that every username per differs for instance, if you get the password of bandit 10; you should replace the previous username with bandit10 and so on.

Hint: The password for the next level is stored in the file data.txt, which contains base64 encoded data

Awesome, we can decode the data with “base64 -d” command.

As usual i ran “ls -la” and obviously saw “data.txt” file.

I decided to run “strings” command to see into “data.txt”. And, i recognized that this was being encoded base64 data:)

Grab your password and go to the next level.

Level 11–12

I get logged in as “bandit11” thus as always i decided to see whether files were being placed or not.

Hint: The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions

You can use many methods to solve this challenge.

As we can read by the hint, it has something to do with ROT13 encoder.

ROT13: ROT13 (“rotate by 13 places”, sometimes hyphenated ROT-13) is a simple letter substitution cipher that replaces a letter with the 13th letter after it in the alphabet. (source: https://en.wikipedia.org/wiki/ROT13)

First Method
Second Method

References:

https://en.wikipedia.org/wiki/ROT13#tr

Level 12–13

I get logged in as “bandit12” thus as always i decided to see whether files were being placed or not.

Hint: The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)

I understood from this question, that we need to create /tmp folder. This gives us the permission error that can be bypass by adding the -p option.

First of all, i am going to create a “/tmp/challenge” directory.

“xxd” command will be helpful

After creating “/tmp/challenge” we will copy “data.txt” to this directory.

In order to decypher the hexdump of the file I was able to run “xxd -r data.txt > bandit”

Let’s try this out.

I used “-r” flag to be reversed.

ran “file” command → gzip file

Awesome. I can use “mv bandit bandit.gz”, this will create the file and to decompress it

I added the bzip2 extension with “mv bandit bandit.bz2”

After a while, we grabbed the password and went to the next level.

Level 13 -14

I get logged in as “bandit12” thus as always i decided to see whether files were being placed or not.

Hint: The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on.

Awesome. We will get a private key to be logged with localhost.

Private key: SSH keys are a pair of public and private keys that are used to authenticate and establish an encrypted communication channel between a client and a remote machine over the internet.

For more info → https://www.appviewx.com/education-center/what-are-ssh-keys/

In order to run this file we can use “ssh -i sshkey.private” bandit14@localhost”

Awesome we are logged in.

Stay tuned other levels will be walkthroughed.

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Ahmet Göker | Exploit researcher | malware Researcher| Cryptanalyst | CTF player | Reverse Engineering

You can follow me on:

Linkedin: https://www.linkedin.com/in/ahmetg%C3%B6ker/

Twitter: https://twitter.com/TurkishHoodie_

Youtube: https://www.youtube.com/c/TurkishHoodie

Github: https://github.com/DarkGhost010

https://wallpaperaccess.com/linux

--

--