OverTheWire - Bandit

Introduction

Bandit is just one of several wargames available at overthewire.org. It's aimed at beginners to Linux and CTFs and provides an excellent introduction to the basics of the Linux command line.

In this walkthrough I'm going to show the process for solving each challenge while also providing some insight into what each challenge is trying to teach and why it's useful, so keep an eye out for callouts like those below.

I have a few recommendations before getting started. Most of the OverTheWire Bandit levels provide links to potentially useful manual pages. Unfortunately the man pages can be somewhat cryptic, especially for beginners. For that reason I recommend the following steps to try to get unstuck when slogging through the man pages for any particular command.

1. Search for examples. Many man pages contain examples of their usage. These may be marked by all-caps EXAMPLES in some cases, but sometimes not.
2. If skimming through the man pages doesn't surface any apparent examples, then you may want to refer to cheat.sh. Cheat.sh is a database of usage examples for thousands of command line programs. It can be searched from the main page or by simply adding a / followed by the command. For example https://cheat.sh/ssh will return examples of ssh usage. This one can be helpful when trying to understand how a command is commonly used and which command flags are most useful.
3. If you're struggling to understand some of the examples then paste them into https://explainshell.com. Explainshell provides a more readable breakdown of each command line flag and argument. This tool can save you a lot of time flipping back and forth through the man pages.

Please also note that for any terminal output, the command prompt will be truncated to a single $ for brevity. Just remember that you'll need to be logged in to the appropriate level before executing any of the commands.

For example:

$ cat hello.txt
Hello there!

Log in

The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.

Bandit 0 provides an introduction to SSH and provides a couple useful links for further research.

• ssh manual
• SSH - Wikipedia

Firstly, let's discuss what SSH is and how it's used day-to-day. SSH is a networking protocol that allows secure communication between networked computer systems. This is distinct from the ssh command line program linked above. The program implements the protocol and allows regular users to utilize the SSH protocol for secure communication. The security of SSH is based on public-key cryptography which you're welcome to read more about, but many of the details are out of scope for this walkthrough.

The most important thing you need to know about SSH is that it can be used to login to a computer system with a username and password just as if you were physically present. Except in this case it's another system accessible over the network. This is how it will be used over the course of the Bandit wargame as well as some of the other wargames by OverTheWire.

The prompt tells us that both the username and password are bandit0.

Just as important though, is the network location we've been provided, bandit.labs.overthewire.org, which we'll use to connect to level 0. Actually, bandit.labs.overthewire.org is what's known as a hostname or domain name. More specifically, it's a fully qualified domain name (FQDN). You can recognize an FQDN because it will include a top-level domain (TLD) such as .com, .net, or .org. This naming system for computers is called the Domain Name System (DNS). Luckily we don't need to dig into the details here. Just know that one of these FQDNs will resolve to an IP address which can (usually) be used to uniquely identify a computer system on the internet.

This unique name will tell the ssh program what system to connect to. The ssh program expects the user credentials and hostname in the following format ssh://[user@]hostname[:port]. This is explained in the first couple paragraphs of the ssh man page.

ssh connects and logs into the specified destination, which may be specified as either [user@]hostname or a URI of the form ssh://[user@]hostname[:port].

The elements wrapped in brackets [ and ] are actually optional. Linux man pages will commonly express the available flags and arguments for a command in this way.

With that knowledge we can now connect to the first level with this command.

ssh ssh://bandit0@bandit.labs.overthewire.org:2220

You should be greeted by a banner for the Bandit wargame and a prompt requesting entry of the bandit0 password. Enter bandit0 and you're ready to get started.

Walkthrough

Level 0

Now that we're logged in, it's time to solve the first level.

The password for the next level is stored in a file called readme located in the home directory. Use this password to login to bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.

The prompt also provides links to the man pages for several commands.

With perhaps the exception of du. Each of these commands is fundamental for any Linux user who wants to effectively use the command line.

You are highly encouraged to review each of the commands. At the very least check out the cheat.sh page for each. Regardless these are all pretty common, so you'll get plenty of experience with these commands in later levels.

Solution

For now, it should be apparent that one of the above commands should serve to show us the contents of the readme file mentioned in the prompt. The humble cat command.

It takes a filename as a parameter. So providing it with the filename readme should print it's contents.

$ cat readme
Congratulations on your first steps into the bandit game!!
Please make sure you have read the rules at https://overthewire.org/rules/
If you are following a course, workshop, walkthrough or other educational activity,
please inform the instructor about the rules as well and encourage them to
contribute to the OverTheWire community so we can keep these games free!

The password you are looking for is: [REDACTED PASSWORD]

I won't be providing any of the passwords throughout this walkthrough per the OverTheWire rules. So get out your notepad and copy those passwords. You'll need them to return to the last level you've completed without completing each level again. Once you've done that, you're ready to continue to Level 1.

Level 1

The password for the next level is stored in a file called - located in the home directory

The prompt also provides links to the man pages for the same commands as level 0.

Naturally, you might think to try the cat command again. Afterall, we're told the password in in the file called -. Let's try it and see what happens.

$ cat -
█

Strange, you're left with a blank line on the terminal now. And, if you type some text and press the Enter key, the text is repeated back to the terminal like so.

$ cat -
hello there
hello there

The reason for this will become clear if you read the description from the cat man page.

NAME
   cat - concatenate files and print on the standard output

SYNOPSIS
   cat [OPTION]... [FILE]...

DESCRIPTION
   Concatenate FILE(s) to standard output.
   With no FILE, or when FILE is -, read standard input.

So, according to the description, the parameter -, makes cat read from standard input. You may have guessed this already, but standard input or STDIN is usually what's entered by the user in the terminal; however, STDIN doesn't explicitly refer to input from a user. Rather, it refers to a stream of data that is being sent to a program, so it may also refer to files or even the output of other programs that is being passed to other programs.

You'll most likely hear of this concept of input and output referred to as STDIO or standard input and output. If you'd like to read more, there is an excellent article by freeCodeCamp explaining more about it and many other useful concepts.

Solution

There will be opportunities to demonstrate STDIO and IO redirection later, but for this level, all you need to recognize is that - is a special character that tells cat to read input from STDIN instead of a file as we saw before. So to properly refer to the - file, it must be referenced by some other means than the simple filename. There are several ways to accomplish that.

1. Use ./<filename> where <filename> would be - for this example. The . is a special character that is interpreted as the current directory. This is usually implied when we just enter a file by it's name. However, stating it explicitly allows us to circumvent the special case of using - as an argument to cat.

   $ cat ./-
   [REDACTED PASSWORD]
   

2. Use the full path. On Linux and other Unix-based systems the root of the file system can be specified with a /. To use this method though we'll need to know the full path of the - file. To get that we can use the pwd command, which is short for "print working directory".

   $ pwd
   /home/bandit1
   

   To complete the full path for - we just need to append /<filename>.

   $ cat /home/bandit1/-
   [REDACTED PASSWORD]
   

3. We can also use what is called a glob (*). The glob can be used to execute commands over multiple files at once. For example using the following command will print all files in the current working directory.

   $ cat ./*
   [REDACTED PASSWORD]
   

   In this example the only file in our current directory is the password file -. But just like the other examples it circumvents the special - argument to cat.

   The glob is actually a part of a larger set of filename expansion features available in Bash. They're quite useful and we may see more of them in future levels.

Level 2

The password for the next level is stored in a file called spaces in this filename located in the home directory

This level is similar to Level 1, except that the file is not a special character. Instead it contains special characters, the space █. The space character is essential for the shell to interpret the input text.

$ cat spaces in this filename
cat: spaces: No such file or directory
cat: in: No such file or directory
cat: this: No such file or directory
cat: filename: No such file or directory

As you can see from above, entering the name as it's written will cause the cat command to interpret each word in the file as a separate filename.

Just as before, there are a few ways to get around this.

Solution

1. Escape the space characters. In Bash, the backslash \ is used as an escape character. When the \ is used, the following character is interpreted literally. This allows the space characters of the filename to be "escaped".

   $ cat spaces\ in\ this\ filename
   [REDACTED PASSWORD]
   

2. Instead of escaping the spaces individually, the filename can also be surrounded by single quotes. Every character between two single quotes is interpreted literally.

   $ cat 'spaces in this filename'
   [REDACTED PASSWORD]
   

3. Similarly, double quotes can also be used to interpret the surrounded characters literally. However, there are some exceptions, and double quotes allow some special characters to be interpreted. But the space character is not one those, so it is functionally the same as the above example in this case.

   $ cat "spaces in this filename"
   [REDACTED PASSWORD]
   

Level 3

The password for the next level is stored in a hidden file in the inhere directory.

$ ls ./inhere

According to the ls command, there don't appear to be any files in the inhere directory. That's because ls doesn't display hidden files by default.

Solution

To show hidden files with ls, it's necessary to use the --all or -a flag.

$ ls -a ./inhere
.  ..  ...Hiding-From-You

With the --all flag enabled, ls now shows all the files in the inhere directory. Including the hidden files. In Linux and other Unix-based systems, a leading dot . in a filename is used to indicate a hidden file. As such, you may here them referred to as dotfiles.

Now that we know the name of the hidden file, cat can be used to print the contents just as we've seen before.

$ cat inhere/...Hiding-From-You
[REDACTED PASSWORD]

Level 4

The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the reset command.

If you haven't done so already, now would be a good time to read through the manual for each of the commands that were already mentioned in Level 0.

If you've read through the description for each, you should have a pretty good idea of which command you'll need to solve this one.

Solution

This level is asking us to identify which files in inhere are human readable. The file command can get the information we need.

From the file manual page we know that we can expect a response of text for any files that only contain typical ASCII characters.

The  type  printed  will  usually  contain one of the words `text` (the file
contains only printing characters and a few common control characters and is
probably safe to read on an ASCII terminal), `executable` (the file contains
the result of compiling a program  in  a form  understandable to some UNIX
kernel or another), or `data` meaning anything else (data is usually “binary”
or non-printable).

One option is to execute file on each file in inhere one-by-one like so.

$ file inhere/-file00
inhere/-file00: data

A better way is to use the glob * that we've seen previously. This allows us to run the file command on all the files at once.

$ file ./inhere/*
./inhere/-file00: data
./inhere/-file01: data
./inhere/-file02: data
./inhere/-file03: data
./inhere/-file04: data
./inhere/-file05: data
./inhere/-file06: data
./inhere/-file07: ASCII text
./inhere/-file08: data
./inhere/-file09: data

From here it's obvious that we want the file with the text data at ./inhere/-file07.

$ cat ./inhere/-file07
[REDACTED PASSWORD]

Level 5

The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:

• human-readable
• 1033 bytes in size
• not executable

This level requires a precise approach to locate the correct file. While it's technically possible to solve with just the ls and file commands. It would require some tedious manual searching to find the files that match each of the criteria. Luckily the find command is capable of locating files with all the above criteria. You just need to know the right flags.

Solution

The find command is essential to efficiently locating files on Linux systems. It has several flags that can be used to refine its search. Most importantly for this level are -readable, -size and -executable.

$ find -readable -size 1033c -not -executable
./inhere/maybehere07/.file2

Note -size and -not flags. The c suffix for the -size argument is used to indicate a size in bytes. The other available suffixes are all available in the find man page. Additionally, the -not flag negates the next expression, thus locating any files that aren't executable in this example.

$ find -readable -size 1033c
./inhere/maybehere07/.file2

Once again, cat the file to get the password.

$ cat ./inhere/maybehere07/.file2
[REDACTED PASSWORD]

Level 6

The password for the next level is stored somewhere on the server and has all of the following properties:

• owned by user bandit7
• owned by group bandit6
• 33 bytes in size

This level is very similar to Level 5 with a couple minor differences. First, the file is "stored somewhere on the server" instead of in the inhere directory. That just means we'll need to run the find command from the root of the file system to ensure the file isn't missed. Secondly, the file is specified by two new parameters. The user and group that own the file.

Solution

Searching the find manpage you can find the two flags -user and -group to filter for files owned by the bandit7 user and the bandit6 group as specified by the prompt. The final parameter is for a -size of 33 bytes which we already saw in level 5.

Here's an example of the output from find with all the required arguments.

$ find / -user bandit7 -group bandit6 -size 33c
find: ‘/drifter/drifter14_src/axTLS’: Permission denied
find: ‘/root’: Permission denied
find: ‘/snap’: Permission denied
find: ‘/tmp’: Permission denied
find: ‘/proc/tty/driver’: Permission denied
find: ‘/proc/250118/task/250118/fd/6’: No such file or directory
find: ‘/proc/250118/task/250118/fdinfo/6’: No such file or directory
find: ‘/proc/250118/fd/5’: No such file or directory
...
[TRUNCATED OUTPUT]

Unfortunately searching with find from / has a side effect. Any files or directories that the current user is not allowed to read will print an error to the terminal. This makes it pretty difficult to parse the output for any resulting files that match our search. To avoid this flood of errors, a common solution is to redirect the standard error stream to /dev/null This is actually just a file that discards anything written to it.

To redirect a data stream in Bash we must specify its file descriptor, which is an integer. The file descriptor is followed by a greater than sign > which indacates that the stream should be redirected to a target file. Here is the same command as above with all errors redirect to /dev/null.

$ find / -user bandit7 -group bandit6 -size 33c 2>/dev/null
/var/lib/dpkg/info/bandit7.password

As you can see, the output is considerably easier to understand. Read the file at /var/lib/dpkg/info/bandit7.password to get the next password.

Level 7

The password for the next level is stored in the file data.txt next to the word "millionth".

This is the first level that OverTheWire introduces some new recommended commands since level 0.

Once again, I highly recommend at least reading through the introduction for each of these commands and checking out the examples at cheat.sh.

Solution

If you've followed the above advice, there should really only be one contender to solve this level. The grep command.

NAME
   grep - print lines that match patterns

SYNOPSIS
   grep [OPTION...] PATTERNS [FILE...]
   grep [OPTION...] -e PATTERNS ... [FILE...]
   grep [OPTION...] -f PATTERN_FILE ... [FILE...]

DESCRIPTION
   grep  searches for PATTERNS in each FILE. PATTERNS is one or more
   patterns separated by newline characters, and grep prints each line that
   matches a pattern. Typically PATTERNS should be quoted when grep is used in a
   shell command.

According to the syntax description we should be able to search for patterns in a file with the following syntax.

grep <PATTERN> <FILE>

Swapping in the values mentioned in the prompt will return the line we're looking for.

$ grep "millionth" data.txt
millionth       [REDACTED PASSWORD]

Regex

Grep and more generally regular expressions (regex) are extremely useful. You'll find many applications have integrated support for text search via regex. In particular text editors, word processors, and programming IDEs.

Level 8

The password for the next level is stored in the file data.txt and is the only line of text that occurs only once

This level is the first that seriously benefits from chaining two commands together. In Bash this is done with the pipe | character. The pipe, when placed after a command will pass all of the output (stdout) into the input (stdin) of the command that follows it.

For example, we can combine the ls and grep commands to list only those files that contain "bash" in the name.

$ ls -a | grep bash
.bash_logout
.bashrc

Remember that the -a flag is necessary to list hidden or dot files.

Read through the Piping and Redirection article provided under the helpful reading material section to learn more about piping.

Solution

Reviewing the recommended commands, one should stick out.

NAME
   uniq - report or omit repeated lines

SYNOPSIS
   uniq [OPTION]... [INPUT [OUTPUT]]

DESCRIPTION
   Filter adjacent matching lines from INPUT (or standard input), writing
to OUTPUT (or standard output).

   With no options, matching lines are merged to the first occurrence.

The uniq command is able to filter matching or repeated lines. Since we're looking for a unique line in a file, this will be helpful. However, there is one caveat when using uniq that you must be aware of. The uniq command filters adjacent matching lines. This means that any matching lines that aren't directly adjacent, won't be filtered. So the first step must be to organize the file such that matching lines are adjacent. In other words the file should be sorted. The sort program is designed precisely for this use case.

For example, here's the first 20 lines of data.txt when sorted.

$ sort data.txt | head -n20
0BKVRLEJQcpNx8wnSPxDLFnFKlQafKK6
0BKVRLEJQcpNx8wnSPxDLFnFKlQafKK6
0BKVRLEJQcpNx8wnSPxDLFnFKlQafKK6
0BKVRLEJQcpNx8wnSPxDLFnFKlQafKK6
0BKVRLEJQcpNx8wnSPxDLFnFKlQafKK6
0BKVRLEJQcpNx8wnSPxDLFnFKlQafKK6
0BKVRLEJQcpNx8wnSPxDLFnFKlQafKK6
0BKVRLEJQcpNx8wnSPxDLFnFKlQafKK6
0BKVRLEJQcpNx8wnSPxDLFnFKlQafKK6
0BKVRLEJQcpNx8wnSPxDLFnFKlQafKK6
0eJPctF8gK96ykGBBaKydhJgxSpTlJtz
0eJPctF8gK96ykGBBaKydhJgxSpTlJtz
0eJPctF8gK96ykGBBaKydhJgxSpTlJtz
0eJPctF8gK96ykGBBaKydhJgxSpTlJtz
0eJPctF8gK96ykGBBaKydhJgxSpTlJtz
0eJPctF8gK96ykGBBaKydhJgxSpTlJtz
0eJPctF8gK96ykGBBaKydhJgxSpTlJtz
0eJPctF8gK96ykGBBaKydhJgxSpTlJtz
0eJPctF8gK96ykGBBaKydhJgxSpTlJtz
0eJPctF8gK96ykGBBaKydhJgxSpTlJtz

As mentioned before, the pipe | is useful here to send the output of the sort command to uniq.

$ sort data.txt | uniq | head -n20
0BKVRLEJQcpNx8wnSPxDLFnFKlQafKK6
0eJPctF8gK96ykGBBaKydhJgxSpTlJtz
0kJ7XHD4gVtNSZIpqyP1V45sfz9OBLFo
0lPOvKhpHZebxji0gdjtGCd5GWiZnNBj
0REUhKk0yMqQOwei6NK9ZqIpE5dVlWWM
1jfUH1m4XCjr7eWAeleGdaNSxFXRtX0l
1VKPEkd0bCtIRwMFVQfY7InulwOFyDsn
2u8fvAzvnaFlvQG3iPt4Wc1TFhPcGxhH
35l6mr3f6TvlJyDwU6aUgJX07cLhr6t9
3FIgajXBiaQAiTMVGo1gxRDSiACNyvvJ
3mNA2le0gfURQKNHVIhGkMNLqLwjyyLN
4CKMh1JI91bUIZZPXDqGanal4xvAg0JM
4P8FsHcdr7d5WKnPtAaXY5SslKICd2gL
5EmwMKZHwF6Lwq5jHUaDlfFJBeHbcX0b
5hYz0028e1Q2TrtPVz5GZbpMzZNjebhh
5I2jWpqjtVp576xXI2TLh1UCyXJtGQ78
6Boy6esAjnIxCYn8uI6KZ7VD7zysDM8i
7cP8ssLElERHXqOJc9T84bxsmJBjNXk2
7qHmEo1FEbzthgyNpKc38YofXjYKZv18
8FCtUQlFXsJnNeyiDY5KfE3vRy6sZFEJ

Well that's strange. Why has uniq returned all those lines? If you read the description for uniq carefully, then one line explains this.

With no options, matching lines are merged to the first occurrence.

So essentially what we have here is a file with each unique line of the file where adjacent duplicates have been compressed into a single line. However, we want to list only the unique lines from the input. For that, the -u flag will meet our needs. The -u flag tells sort to only print unique lines. In other words, only lines without any duplicates in the input.

So finally, we have a solution.

$ sort data.txt | uniq -u
[REDACTED PASSWORD]

Level 9

The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.

This level

Solution

$ grep '=== \w*' data.txt
grep: data.txt: binary file matches

The \w is a shortcut for any word characters which equivalent to [a-zA-Z0-9_].

We can see here, that grep found some matches, but data.txt was interpreted as a binary file. We can force grep to process the file as if it were text with the -a flag.

$ grep -a '=== \w*' data.txt
D]
  h#!QJsVzl7POl%Y]Ha^UvToD|@T^N8g}b}?
Q#gm1x}========== theѦ+idW^)F1>)٘SK3PZt&xs肉WB/2ÜB       Ź/Bjɢ<7<u/d|
                                                                    -n
#iu=
    7֣n)Uջش5bBKK}x>}:4Rl_7gHD:274CFy
6!&zB$l_GphqI.02H$Twm⧫o3mt0p~L3JprD========== passwordi L ~ˏ<@Ȅh$%Q5Dk |3
~Tf;o9sP#t+Pe΢쵟
OqDf.8Czmnf&vl:FXKbM
                 CIBi>Y
Еk      $nXT=~}*4a2?TO"'&J~fDV3========== isd5z(#&s!10&poq
nR F
    z|!(if+A64+'FTb5A}
éT:kAU2Qcɐ%#g+;YA_ekrX53|f8+e~&Oiu?VhM}^Qp^G==6!sT:     "uVa-t\fg
]󈍅(.ۍg:7nnp CD`voSQ-<]`@#H UumBiAj堵!O&D9========== [REDACTED PASSWORD]

On the last line of the above output, you'll find the password to the next level.

1
$ grep -a -o '=== \w*' data.txt
2
=== the
3
=== passwordi
4
=== is
5
=== [REDACTED PASSWORD]

Level 10

The password for the next level is stored in the file data.txt, which contains base64 encoded data

Solution

This one is pretty straight forward. The prompt gives it away by mentioning that the data is Base64 encoded.

Check the manual for the base64 command and you'll find one of the first flags is -d for --decode.

$ base64 -d data.txt
The password is [REDACTED PASSWORD]

To be continued