OverTheWire – Bandit (0 -> 10)

OverTheWire.org

Info

From the OverTheWire website:

The wargames offered by the OverTheWire community can help you to learn and practice security concepts in the form of fun-filled games.

OverTheWire.org

Bandit

Bandit is the first series of challenges and it’s recommended to start with these.

The Bandit wargame is aimed at absolute beginners. It will teach the basics needed to be able to play other wargames.

OverTheWire.org

Make sure you follow along on the website to get more info on the goal of the challenges and the skills that you’ll learn from them.

Always first try to do a challenge yourself.
You’ll learn more and might find methodologies or techniques that work better for you.

This write-up contains the solutions to the first 10 levels.

Level 0

Connect with the OverTheWire infrastructure using the provided credentials.

$ ssh bandit0@bandit.labs.overthewire.org -p 2220
The authenticity of host '[bandit.labs.overthewire.org]:2220 ([176.9.9.172]:2220)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[bandit.labs.overthewire.org]:2220,[176.9.9.172]:2220' (ECDSA) to the list of known hosts.
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit0@bandit.labs.overthewire.org's password: 
Linux bandit 4.18.12 x86_64 GNU/Linux
               
      ,----..            ,----,          .---. 
     /   /   \         ,/   .`|         /. ./|
    /   .     :      ,`   .'  :     .--'.  ' ;
   .   /   ;.  \   ;    ;     /    /__./ \ : |
  .   ;   /  ` ; .'___,/    ,' .--'.  '   \' .
  ;   |  ; \ ; | |    :     | /___/ \ |    ' ' 
  |   :  | ; | ' ;    |.';  ; ;   \  \;      : 
  .   |  ' ' ' : `----'  |  |  \   ;  `      |
  '   ;  \; /  |     '   :  ;   .   \    .\  ; 
   \   \  ',  /      |   |  '    \   \   ' \ |
    ;   :    /       '   :  |     :   '  |--"  
     \   \ .'        ;   |.'       \   \ ;     
  www. `---` ver     '---' he       '---" ire.org     
               
              
Welcome to OverTheWire!

If you find any problems, please report them to Steven or morla on
irc.overthewire.org.
[...]

Level 0 -> Level 1

We simply print the content of the readme file to the console to retrieve the flag/password.

bandit0@bandit:~$ wc -m readme 
33 readme

bandit0@bandit:~$ cat readme
bo##########Y1

Level 1 -> Level 2

First log in as the bandit1 user. This will allow you to do this challenge.

You have to do this for every level.
So get the password by finishing the challenge, then use this password to log in as the next challenge’s user.

$ ssh bandit1@bandit.labs.overthewire.org -p 2220
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit1@bandit.labs.overthewire.org's password: # Password we obtained in the last level

- is a special character. It can introduce a parameter (if followed by a character, e.g. -h) and, on its own, tells commands that expect input to read standard input (stdin), e.g. cat -. Escaping the dash with a backslash (\) does not help: the shell removes the backslash before cat runs, so cat still receives a bare -. So we either use a relative path to ensure the parameter doesn’t start with a dash (-), or let the shell open the file by redirecting it to stdin.

bandit1@bandit:~$ cat ./-
# OR
bandit1@bandit:~$ cat < -
CV##########A9

Level 2 -> Level 3

Spaces either need to be escaped or the path must be enclosed within quotes. Otherwise each word will be treated as a separate parameter.

Take this into account when processing user input, as this could be abused by an attacker.

bandit2@bandit:~$ cat spaces\ in\ this\ filename
# OR
bandit2@bandit:~$ cat "spaces in this filename"
Um##########uK
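
The filename pitfalls from Levels 1 and 2, handled from the script side (an added example, not part of the original write-up; the scratch files and the helpers count_args, safe_cat and read_in_demo are constructed for illustration):

```shell
#!/bin/sh
# Added example: constructed filenames in a scratch directory (not game data).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'dash-secret\n'  > "$demo_dir/-"
printf 'flag-secret\n'  > "$demo_dir/-n"
printf 'space-secret\n' > "$demo_dir/spaces in this filename"

# count_args (hypothetical helper) reports how many arguments it received.
count_args() { echo "$#"; }

# Unquoted expansion is split on whitespace: one name becomes four arguments.
split_count()  { name='spaces in this filename'; count_args $name; }
# Quoted expansion stays a single argument.
quoted_count() { name='spaces in this filename'; count_args "$name"; }

# safe_cat (hypothetical helper): print a file whose name is untrusted.
# "--" stops option parsing, but cat still reads stdin for a bare "-" operand,
# so relative names also get a "./" prefix.
safe_cat() {
    case $1 in
        /*) cat -- "$1" ;;
        *)  cat -- "./$1" ;;
    esac
}

# read_in_demo runs safe_cat inside the scratch directory with stdin closed off,
# so a name that was wrongly treated as stdin would yield nothing.
read_in_demo() { (cd "$demo_dir" && safe_cat "$1" </dev/null); }

read_in_demo '-'                        # dash-secret
read_in_demo '-n'                       # flag-secret
read_in_demo 'spaces in this filename'  # space-secret
split_count                             # 4
quoted_count                            # 1
```
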

Level 3 -> Level 4

Unix treats filenames starting with a dot (.) as hidden files. By default, these files aren’t displayed in the output of a command like ls. To show hidden files, you need to pass -a as a parameter.

bandit3@bandit:~$ ls
inhere
bandit3@bandit:~$ cd inhere
bandit3@bandit:~/inhere$ ls -al
total 12
drwxr-xr-x 2 root    root    4096 Oct 16  2018 .
drwxr-xr-x 3 root    root    4096 Oct 16  2018 ..
-rw-r----- 1 bandit4 bandit3   33 Oct 16  2018 .hidden
bandit3@bandit:~/inhere$ cat .hidden 
pI##########AB

Level 4 -> Level 5

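file attempts to classify the type of each file passed to it as a parameter. Because the glob inhere/* expands to paths that start with inhere/, the dash-prefixed filenames are not mistaken for options.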

bandit4@bandit:~$ ls -al inhere/
total 48
drwxr-xr-x 2 root    root    4096 Oct 16  2018 .
drwxr-xr-x 3 root    root    4096 Oct 16  2018 ..
-rw-r----- 1 bandit5 bandit4   33 Oct 16  2018 -file00
-rw-r----- 1 bandit5 bandit4   33 Oct 16  2018 -file01
-rw-r----- 1 bandit5 bandit4   33 Oct 16  2018 -file02
-rw-r----- 1 bandit5 bandit4   33 Oct 16  2018 -file03
-rw-r----- 1 bandit5 bandit4   33 Oct 16  2018 -file04
-rw-r----- 1 bandit5 bandit4   33 Oct 16  2018 -file05
-rw-r----- 1 bandit5 bandit4   33 Oct 16  2018 -file06
-rw-r----- 1 bandit5 bandit4   33 Oct 16  2018 -file07
-rw-r----- 1 bandit5 bandit4   33 Oct 16  2018 -file08
-rw-r----- 1 bandit5 bandit4   33 Oct 16  2018 -file09
bandit4@bandit:~$ file inhere/*
inhere/-file00: data
inhere/-file01: data
inhere/-file02: data
inhere/-file03: data
inhere/-file04: data
inhere/-file05: data
inhere/-file06: data
inhere/-file07: ASCII text
inhere/-file08: data
inhere/-file09: data
bandit4@bandit:~$ cat inhere/-file07
ko##########•Kh

Level 5 -> Level 6

find searches a path for files matching the filters you pass to it. You can also execute a command on the files it finds ({} is replaced by the file path; ending -exec with + passes all matches to a single invocation of the command).

$ find inhere/ -type f -size 1033c ! -executable -exec cat {} +
DX##########o7

Level 6 -> Level 7

Since we’re looking through the whole filesystem (starting at /), we’ll get some errors regarding access permissions, so let’s hide this clutter by redirecting stderr (standard error, stream 2) to a black hole (/dev/null).

bandit6@bandit:~$ find / -user bandit7 -group bandit6 -size 33c -exec cat {} + 2>/dev/null
HK##########zs
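
The find filters from Levels 5 and 6, run against a constructed scratch tree (an added example, not part of the original write-up; the file names and helper functions are made up, and GNU find is assumed because -executable is a GNU extension). It also shows the difference between ending -exec with + and with \;.

```shell
#!/bin/sh
# Added example: constructed scratch tree, not data from the game server.
tree=$(mktemp -d)
trap 'rm -rf "$tree"' EXIT
mkdir "$tree/dir1" "$tree/dir2"
printf '%-1032s\n' 'target' > "$tree/dir1/.file2"   # 1033 bytes, not executable
printf '%-1032s\n' 'decoy'  > "$tree/dir1/file1"    # 1033 bytes, executable
chmod +x "$tree/dir1/file1"
printf '%-32s\n'   'decoy'  > "$tree/dir2/file3"    # 33 bytes, wrong size

# All tests are ANDed: regular file, exactly 1033 bytes ("c" = bytes),
# and not executable by the current user. Errors go to /dev/null.
find_target() {
    find "$tree" -type f -size 1033c ! -executable -print 2>/dev/null
}

# Without the permission test the executable decoy matches as well.
count_by_size_only() {
    find "$tree" -type f -size 1033c -print 2>/dev/null | wc -l
}

# "{} +" appends all matches to ONE command line; "{} \;" runs the command
# once per match. Each invocation prints one line, so count the lines.
runs_with_plus() {
    find "$tree" -type f -size 1033c -exec sh -c 'echo run' sh {} + | wc -l
}
runs_with_semicolon() {
    find "$tree" -type f -size 1033c -exec sh -c 'echo run' sh {} \; | wc -l
}

find_target            # prints the path ending in dir1/.file2
count_by_size_only     # 2
runs_with_plus         # 1
runs_with_semicolon    # 2
```
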

Level 7 -> Level 8

grep searches the text provided to it. You can use regular expressions to build complex search queries. By default it outputs every line matching the query.

bandit7@bandit:~$ grep millionth data.txt
millionth       cv##########lV

Level 8 -> Level 9

uniq will remove duplicate lines, but only if they are adjacent, so we need to sort the text first. By passing -u as a parameter, it will print the lines that don’t have duplicates.

bandit8@bandit:~$ sort data.txt | uniq -u
Us##########hR

Level 9 -> Level 10

The challenge mentions several ‘=’ characters, i.e. more than 1, so we can filter even better by using a regular expression requiring at least 2 ‘=’ characters.

bandit9@bandit:~$ strings data.txt | grep -E '^==+'
# OR
bandit9@bandit:~$ strings data.txt | grep -E '^={2,}'
========== password
========== isa
========== tr##########Lk