OverTheWire | Bandit | Levels 10-19

Summary:

A write-up providing help with the Bandit wargame on the OverTheWire website, consisting of a series of 32 levels, followed by an additional challenge using an 'uppercase shell' trick at Level 33, that covers various Linux and shell scripting topics. The challenges range from basic navigation to more advanced topics like SSH authentication, file permissions, and Git usage.

Wargame Name: Bandit | Difficulty: Easy | OS: Linux


The aim of this walkthrough is to provide help with the Bandit wargame on the OverTheWire website. Please note that no flags or passwords are directly provided here. It shows only one of the many ways to solve the challenges.

The wargame is available under Bandit wargame.

High-Level Summary:

  • Level 9 | Using ssh-keygen to generate public keys and SSH into a server
  • Level 10-12 | More password guessing and using SSH key authentication
  • Level 13 | Stealing files from another user's home directory
  • Level 14 | Understanding the /etc/passwd file and extracting passwords
  • Level 15-16 | Using sudo to gain root privileges and understand permissions
  • Level 17 | Stealing a password using SSH key authentication
  • Level 18 | Creating a new SSH key pair for authentication

Note: Throughout this tutorial/walkthrough the words password and flag are used interchangeably.

Quick intro and start config

Basic idea: finish level x to get level x+1. The general connection via ssh can look like this, where x stands for the current level:

ssh banditx@bandit.labs.overthewire.org -p 2220
SSH connection
Host: bandit.labs.overthewire.org
Port: 2220

Level 09 -> Level 10

Level Goal: The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.

Solution: First use the strings command to extract the printable ASCII strings from the file, then search the output with grep.

# Use strings to print the printable chars in the file.
strings data.txt | grep -E '===+'

Level 10 -> Level 11

Level Goal: The password for the next level is stored in the file data.txt, which contains base64 encoded data.

Solution: Decode the data with base64.

# Use -d to decode the data.
cat data.txt | base64 -d

Level 11 -> Level 12

Level Goal: The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions.

Solution: Use the tr command to make the shift.

cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'

Level 12 -> Level 13

Level Goal: The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!).

Solution: First use the xxd command to reverse the hexdump. Then use the file command on the result to find out its type and pick the matching decompression tool, repeating this for each layer.

xxd -r data.txt | gzip --decompress | bzip2 --decompress | gzip --decompress | tar xvO | tar xvO | bzip2 --decompress | tar xvO | gzip -d | cat
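The same unwrapping done as a loop rather than a hand-built pipeline, added here as an example that is not part of the original write-up: it reads each layer's magic bytes (the information the file command reports) and applies the matching tool until plain data remains. The function names and the 32-layer cap are assumptions of this example; tar members are written to stdout, so archive contents never choose where files land.

```shell
# Added example (not from the original write-up): strip nested gzip/bzip2/tar
# layers in a loop. Assumption: every tar layer holds a single file.
# On the level: xxd -r data.txt > data.bin && peel_layers data.bin

# Print the type of FILE, decided from its magic bytes.
layer_type() (
    magic=$(od -An -tx1 -N3 "$1" | tr -d ' \n')
    ustar=$(od -An -c -j257 -N5 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        1f8b*)  echo gzip ;;     # gzip starts with 1f 8b
        425a68) echo bzip2 ;;    # bzip2 starts with "BZh"
        *)      # tar has no leading magic; "ustar" sits at offset 257
                if [ "$ustar" = ustar ]; then echo tar; else echo data; fi ;;
    esac
)

# Write the innermost payload of FILE to stdout.
peel_layers() (
    work=$(mktemp -d) || exit 1
    trap 'rm -rf "$work"' EXIT           # scratch space is always removed
    cur="$work/layer0"
    n=0
    cp "$1" "$cur" || exit 1
    while [ "$n" -lt 32 ]; do            # cap the depth of nesting
        next="$work/layer$((n + 1))"
        case "$(layer_type "$cur")" in
            gzip)  gzip -dc "$cur" > "$next" || exit 1 ;;
            bzip2) bzip2 -dc "$cur" > "$next" || exit 1 ;;
            tar)   tar -xOf "$cur" > "$next" || exit 1 ;;  # -O: extract to stdout
            data)  cat "$cur"; exit 0 ;;
        esac
        n=$((n + 1))
        cur="$next"
    done
    echo "peel_layers: more than 32 layers, giving up" >&2
    exit 1
)
```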

Level 13 -> Level 14

Level Goal: The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on.

Solution: Copy the ssh key to your local machine.

# copy the private key to your machine
cat sshkey.private
...
# exit the ssh connection
exit

Change the access rights for the newly created file so that only you can read it; ssh refuses to use a private key file that other users can access.

# on local machine - change access rights for the file
chmod 0400 sshkey.private
...
# use the key to authenticate for the ssh service
ssh -i sshkey.private bandit14@bandit.labs.overthewire.org -p 2220
...
# on target machine - grab the flag
cat /etc/bandit_pass/bandit14

Level 14 -> Level 15

Level Goal: The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

Solution: Use netcat to connect to the given port/service.

nc -vn 127.0.0.1 30000
# or
nc -v localhost 30000
...
# paste prev flag to get the new flag
...

Level 15 -> Level 16

Level Goal: The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…

Solution: Use the openssl command to connect to the given ssl service.

openssl s_client -connect localhost:30001
...
# paste prev flag to get the new flag

Level 16 -> Level 17

Level Goal: The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

Solution: First, scan the port range with nmap.

nmap localhost -p31000-32000

Then identify the services running on the open ports.

nmap -n localhost -p31046,31518,31691,31790,31960 -sV --version-light

Finally, connect to the service that runs ssl and paste the previous flag.

openssl s_client -connect localhost:31790
...
# paste prev flag
# copy the private key
...
exit

Level 17 -> Level 18

Level Goal: There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new

NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19.

Solution: Change the permissions for the ssh private key on your local machine.

# on local machine
chmod 0400 <private-ssh-key-file>

Use the key to connect to level 17.

# on local machine
ssh -i <private-ssh-key-file> bandit17@bandit.labs.overthewire.org -p 2220

Compare the two files with the diff command.

# on target machine
diff passwords.old passwords.new

Level 18 -> Level 19

Level Goal: The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

Solution: Specify cat as a command to be executed right after the SSH login to work around the automatic logout.

ssh bandit18@bandit.labs.overthewire.org -p 2220 cat ./readme