Bandit is a CTF-style wargame for absolute beginners. It is meant as a beginner guide for other CTF puzzles on OverTheWire. The puzzle starts at level 0 and goes up to level 34 at the time of writing. Let's begin with the walkthrough.
Level 0 (Link)
The first level teaches us to SSH into the remote machine to gain access to the server. SSH stands for Secure Socket Shell, a protocol that creates secure connections between two computers over an unsecured network by using cryptography. It lets us access the remote machine's shell and interact with it. This level provides us with all the details required to create an SSH connection to the server. We are provided with -
An FQDN pointing to the server
The port to connect via
Username
Password
We use this command to log in to the server with the provided username and port.
ssh bandit0@bandit.labs.overthewire.org -p 2220
General format
ssh username@server_fqdn_or_ip -p port
Then we are prompted to enter the password for the server, which is also bandit0. After these steps we are greeted by a welcome message and some tips for use.
Level 0 -> 1 (Link)
The step to reach the first level is to find a password in a file named readme. Let's start by looking at the current directory by running the command ls. This command lists the contents of the current directory. By default, when a user logs in, the shell starts in the user's home directory, and that's where users keep their personal files.
bandit0@bandit:~$ ls
readme
bandit0@bandit:~$
And it shows us that the readme file is here in the current directory. To read the contents of the file we use the cat command. This command is used to output the contents of specified files.
bandit0@bandit:~$ cat readme
Congratulations on your first steps into the bandit game!!
Please make sure you have read the rules at https:
If you are following a course, workshop, walkthrough or other educational activity,
please inform the instructor about the rules as well and encourage them to
contribute to the OverTheWire community so we can keep these games free!
The password you are looking for is: ZjLjTmM6FvvyRnrb2rfNWOZOTa6ip5If
bandit0@bandit:~$
The file's contents are revealed by this command, and the password for the next step is in them. Each level in this series of puzzles has a separate user and password. The password we just saw is the password for the user to go from level 1 to 2. Let's log out and advance to level 1.
bandit0@bandit:~$ exit
logout
Connection to bandit.labs.overthewire.org closed.
◄ ◎ ssh bandit1@bandit.labs.overthewire.org -p 2220
_ _ _ _
| |__ __ _ _ __ __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|
This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames
bandit1@bandit.labs.overthewire.org's password:
Then we enter the password revealed by the readme file and advance to level 1.
Level 1 -> 2 (Link)
As stated, the password is stored in a file named -. Should be simple, let's just run cat -.
No OUTPUT!! Let's try pressing some keys.
bandit1@bandit:~$ cat -
fsadfasd
fsadfasd
By the looks of it, it's echoing our input back. Let's exit it (Ctrl + C) and read the help section of cat to understand what's going on by running cat --help
bandit1@bandit:~$ cat --help
Usage: cat [OPTION]... [FILE]...
Concatenate FILE(s) to standard output.
With no FILE, or when FILE is -, read standard input.
-A, --show-all equivalent to -vET
-b, --number-nonblank number nonempty output lines, overrides -n
-e equivalent to -vE
-E, --show-ends display $ at end of each line
-n, --number number all output lines
-s, --squeeze-blank suppress repeated empty output lines
-t equivalent to -vT
-T, --show-tabs display TAB characters as ^I
-u (ignored)
-v, --show-nonprinting use ^ and M- notation, except for LFD and TAB
--help display this help and exit
--version output version information and exit
Examples:
cat f - g Output f's contents, then standard input, then g's contents.
cat Copy standard input to standard output.
GNU coreutils online help: <https:
Full documentation <https:
or available locally via: info '(coreutils) cat invocation'
At the 4th line it says "when FILE is -, read standard input.". So how do we read it? If we try to copy it or rename it, we are given a permission denied error.
bandit1@bandit:~$ mv - readable_name.txt
mv: cannot move '-' to 'readable_name.txt': Permission denied
There is another way to read the file, which is to use a path instead of just the name of the file. That way the FILE argument is no longer a plain - and still points to the file we want. We can run cat ~/- since we are in the user's home directory and the ~ symbol represents that.
bandit1@bandit:~$ cat ~/-
263JGJPfgU6LtdEvgfWU1XP5yac29mFx
bandit1@bandit:~$
There is our password and we can advance to level 2 by logging in to the next level.
Level 2 -> 3 (Link)
Again, as provided, we just need to read the file named "spaces in this filename". Simply running the command cat spaces in this filename will give an error, as the command will try to read 4 files, spaces, in, this and filename, separately.
bandit2@bandit:~$ cat spaces in this filename
cat: spaces: No such file or directory
cat: in: No such file or directory
cat: this: No such file or directory
cat: filename: No such file or directory
bandit2@bandit:~$
What we need to do is make the shell read those spaces as part of the filename. We can use our trusty escape character \ before each space, or enclose the filename in quotes '.
bandit2@bandit:~$ cat ~/spaces\ in\ this\ filename
MNk8KNH3Usiio41PRUEoDFPqfxLPlSmx
bandit2@bandit:~$ cat 'spaces in this filename'
MNk8KNH3Usiio41PRUEoDFPqfxLPlSmx
bandit2@bandit:~$
Both of these commands give us the password and we can proceed to the next level.
Level 3 -> 4 (Link)
Now we have a subdirectory named inhere, which we confirm by listing the directory.
bandit3@bandit:~$ ls
inhere
bandit3@bandit:~$
Let's go in the directory and see its contents
bandit3@bandit:~$ cd inhere/
bandit3@bandit:~/inhere$ ls
bandit3@bandit:~/inhere$
The directory seems to be empty from the result of the ls command, which isn't a surprise because the file is mentioned as hidden. Hidden files on Linux systems start with a . (dot). To view them we need to use the -a flag, which makes the command display all files and directories, including hidden and implied ones.
bandit3@bandit:~/inhere$ ls -a
. .. ...Hiding-From-You
bandit3@bandit:~/inhere$
Our file is ...Hiding-From-You. We can now simply see its contents and get the password for the next step.
bandit3@bandit:~/inhere$ cat ...Hiding-From-You
2WmrDFRmJIq3IPxneAaMGhap0pFhF3NJ
bandit3@bandit:~/inhere$
Level 4 -> 5 (Link)
Now we have a subdirectory named inhere again, and the contents of the directory are as follows -
bandit4@bandit:~$ cd inhere/
bandit4@bandit:~/inhere$ ls
-file00 -file01 -file02 -file03 -file04 -file05 -file06 -file07 -file08 -file09
bandit4@bandit:~/inhere$
That's a LOT of files! Let's try reading them
bandit4@bandit:~/inhere$ cat ./-file00
�p��&�y�,�(jo�.at�:uf�^���@bandit4@bandit:~/inhere$
That doesn't look like something that is "human readable". Let's try to find more info about this file using the file command.
bandit4@bandit:~/inhere$ file ./-file00
./-file00: data
bandit4@bandit:~/inhere$
This file contains raw data and is not in a human-readable format. In fact, if we read the question carefully, there must be just one file that is human readable, so we can run file on all the files to get some more info.
bandit4@bandit:~/inhere$ file ./*
./-file00: data
./-file01: data
./-file02: data
./-file03: data
./-file04: data
./-file05: data
./-file06: data
./-file07: ASCII text
./-file08: data
./-file09: data
bandit4@bandit:~/inhere$
File -file07 appears to be the only one containing plain ASCII text. Let's see the contents of this file.
bandit4@bandit:~/inhere$ cat ./-file07
4oQYVPkxZOOEOO5pTW81FB8j8lxXGUQw
bandit4@bandit:~/inhere$
We have successfully obtained the password for the next level.
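The filename problems from levels 1, 2 and 4 in one runnable script, as an added example that is not part of the original walkthrough. The file contents and function names are constructed for illustration; it also shows a caveat the levels do not cover, namely that -- does not help with a file named exactly -.

```shell
#!/bin/sh
# Added example, not from the walkthrough: file names and contents are constructed.

# Create the three awkward names seen in levels 1, 2 and 4 inside directory $1.
make_files() {
    printf 'dash-content\n'   > "$1/-"
    printf 'spaces-content\n' > "$1/spaces in this filename"
    printf 'option-content\n' > "$1/-file07"
}

# Level 1: a path prefix makes the operand "./-", which cat treats as a file.
read_dash_by_path() { ( cd "$1" && cat ./- ); }

# Redirection also works: the shell opens "-" and cat never sees the name.
read_dash_by_redirect() { ( cd "$1" && cat < - ); }

# Caveat: "--" only ends option parsing. A lone "-" operand still means
# standard input, so this returns the piped text, not the file.
read_dash_after_ddash() { ( cd "$1" && printf 'from-stdin\n' | cat -- - ); }

# Level 4: "-file07" would be parsed as options; "--" or "./" prevents that.
read_option_like() { ( cd "$1" && cat -- -file07 ); }

# Level 2: quoting keeps the name as one argument. An unquoted $name would be
# split into four words again, so variables holding names need quotes too.
read_spaces() {
    name='spaces in this filename'
    ( cd "$1" && cat "$name" )
}

demo=$(mktemp -d)
make_files "$demo"
read_dash_by_path "$demo"
read_dash_by_redirect "$demo"
read_dash_after_ddash "$demo"
read_option_like "$demo"
read_spaces "$demo"
rm -rf "$demo"
```

The same habits (a ./ prefix or --, plus quoted variables) are what keep scripts safe when they process file names they did not choose.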
Level 5 -> 6 (Link)
For this level, we need to find a file that meets the following criteria
human-readable (ASCII)
1033 bytes in size
not executable
And the inhere directory appears to contain many folders, each with files inside.
bandit5@bandit:~$ cd inhere/
bandit5@bandit:~/inhere$ ls
maybehere00 maybehere03 maybehere06 maybehere09 maybehere12 maybehere15 maybehere18
maybehere01 maybehere04 maybehere07 maybehere10 maybehere13 maybehere16 maybehere19
maybehere02 maybehere05 maybehere08 maybehere11 maybehere14 maybehere17
bandit5@bandit:~/inhere$
20 FOLDERS! The requirements state that the file must be 1033 bytes in size. We can run the ls command with the -l flag, which outputs the long format that also contains the file sizes.
bandit5@bandit:~/inhere/maybehere00$ ls -l
total 44
-rwxr-x--- 1 root bandit5 1039 Sep 19 2024 -file1
-rw-r----- 1 root bandit5 9388 Sep 19 2024 -file2
-rwxr-x--- 1 root bandit5 7378 Sep 19 2024 -file3
-rwxr-x--- 1 root bandit5 6118 Sep 19 2024 spaces file1
-rw-r----- 1 root bandit5 6850 Sep 19 2024 spaces file2
-rwxr-x--- 1 root bandit5 1915 Sep 19 2024 spaces file3
bandit5@bandit:~/inhere/maybehere00$
That still seems like a lot of work, as we have 20 folders. We have another flag at hand, -R, which instructs the command to list subfolders recursively. We can run this command from the inhere folder and then we will have a list of all files.
bandit5@bandit:~/inhere$ ls -lR
.:
total 80
drwxr-x--- 2 root bandit5 4096 Sep 19 2024 maybehere00
drwxr-x--- 2 root bandit5 4096 Sep 19 2024 maybehere01
drwxr-x--- 2 root bandit5 4096 Sep 19 2024 maybehere02
..................
./maybehere00:
total 44
-rwxr-x--- 1 root bandit5 1039 Sep 19 2024 -file1
-rw-r----- 1 root bandit5 9388 Sep 19 2024 -file2
-rwxr-x--- 1 root bandit5 7378 Sep 19 2024 -file3
-rwxr-x--- 1 root bandit5 6118 Sep 19 2024 spaces file1
-rw-r----- 1 root bandit5 6850 Sep 19 2024 spaces file2
-rwxr-x--- 1 root bandit5 1915 Sep 19 2024 spaces file3
./maybehere01:
total 52
-rwxr-x--- 1 root bandit5 6028 Sep 19 2024 -file1
...................
-rwxr-x--- 1 root bandit5 7965 Sep 19 2024 -file3
-rwxr-x--- 1 root bandit5 7186 Sep 19 2024 spaces file1
-rw-r----- 1 root bandit5 8785 Sep 19 2024 spaces file2
-rwxr-x--- 1 root bandit5 2307 Sep 19 2024 spaces file3
bandit5@bandit:~/inhere$
The file sizes are written just before the dates. We can use grep to search for 1033, which is the file size stated.
bandit5@bandit:~/inhere$ ls -lR | grep 1033
bandit5@bandit:~/inhere$
And we come up EMPTY HANDED! We are MISSING THE HIDDEN FILES in this method. We can simply add the -a flag again and then see the result.
bandit5@bandit:~/inhere$ ls -laR | grep 1033
-rw-r----- 1 root bandit5 1033 Sep 19 2024 .file2
bandit5@bandit:~/inhere$
We have our file... Well, not yet. We know that the file is named .file2 but don't know which directory it's inside. What if, instead of all this, there was a command meant for searching for files with certain requirements? We have the find command for that. Let's see how to use it.
bandit5@bandit:~/inhere$ find --help
Usage: find [-H] [-L] [-P] [-Olevel] [-D debugopts] [path...] [expression]
Default path is the current directory; default expression is -print.
Expression may consist of: operators, options, tests, and actions.
Operators (decreasing precedence; -and is implicit where no others are given):
( EXPR ) ! EXPR -not EXPR EXPR1 -a EXPR2 EXPR1 -and EXPR2
EXPR1 -o EXPR2 EXPR1 -or EXPR2 EXPR1 , EXPR2
Positional options (always true):
-daystart -follow -nowarn -regextype -warn
Normal options (always true, specified before other expressions):
-depth -files0-from FILE -maxdepth LEVELS -mindepth LEVELS
-mount -noleaf -xdev -ignore_readdir_race -noignore_readdir_race
Tests (N can be +N or -N or N):
-amin N -anewer FILE -atime N -cmin N -cnewer FILE -context CONTEXT
-ctime N -empty -false -fstype TYPE -gid N -group NAME -ilname PATTERN
-iname PATTERN -inum N -iwholename PATTERN -iregex PATTERN
-links N -lname PATTERN -mmin N -mtime N -name PATTERN -newer FILE
-nouser -nogroup -path PATTERN -perm [-/]MODE -regex PATTERN
-readable -writable -executable
-wholename PATTERN -size N[bcwkMG] -true -type [bcdpflsD] -uid N
-used N -user NAME -xtype [bcdpfls]
The find command searches all subdirectories, and if we read the man pages more carefully, we can understand each one of the options. For our purposes we care only about the -size and -executable flags.
bandit5@bandit:~/inhere$ find -size 1033c -not -executable
./maybehere07/.file2
bandit5@bandit:~/inhere$
This command shows us the file that is 1033 bytes in size (the c suffix means bytes) and is not executable. We can read the contents of this file and get the password for the next level.
bandit5@bandit:~/inhere$ cat ./maybehere07/.file2
HWasnPhtq9AVKe0dmk45nxy20cvUa6EG
bandit5@bandit:~/inhere$
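The find command above checks two of the three criteria; this added example (not part of the original walkthrough) checks all three on a constructed miniature of the inhere tree. The function names and file contents are assumptions, the tr byte test stands in for reading the output of file, and -executable requires GNU find.

```shell
#!/bin/sh
# Added example, not from the walkthrough: the tree below is constructed.

# Build a miniature "inhere" under $1: one real match plus three decoys.
make_tree() {
    mkdir -p "$1/maybehere00" "$1/maybehere01" "$1/maybehere02" "$1/maybehere07"
    printf '%01033d' 0     > "$1/maybehere00/-file1"        # right size, ASCII, executable
    printf '\200%01032d' 0 > "$1/maybehere01/spaces file2"  # right size, starts with byte 0x80
    printf '%01039d' 0     > "$1/maybehere02/-file3"        # ASCII, wrong size
    printf '%01033d' 0     > "$1/maybehere07/.file2"        # hidden file meeting all criteria
    chmod 750 "$1/maybehere00/-file1"
    chmod 640 "$1/maybehere01/spaces file2" "$1/maybehere02/-file3" "$1/maybehere07/.file2"
}

# Print regular files under $1 that are 1033 bytes, not executable by the
# current user, and made only of tab, LF, CR and printable ASCII bytes.
# find passes names to the inner shell as arguments, so spaces and leading
# dashes in names are harmless, and hidden files are included by default.
find_candidate() {
    find "$1" -type f -size 1033c ! -executable -exec sh -c '
        for f do
            left=$(LC_ALL=C tr -d "\011\012\015\040-\176" < "$f" | wc -c)
            if [ "$left" -eq 0 ]; then printf "%s\n" "$f"; fi
        done' sh {} +
}

# Size alone is not enough: count how many files are exactly 1033 bytes.
count_size_only() { find "$1" -type f -size 1033c | wc -l; }

demo=$(mktemp -d)
make_tree "$demo"
find_candidate "$demo"     # path ending in maybehere07/.file2
count_size_only "$demo"    # 3
rm -rf "$demo"
```

Unlike ls -laR | grep 1033, which matches the digits 1033 anywhere on a line and loses the directory name, find compares the size exactly and prints the full path.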