OverTheWire

https://overthewire.org/wargames/

Bandit 0

cat readme
boJ9jbbUNNfktd78OOpsqOltutMc3MY1

Bandit 1

So the password is boJ9jbbUNNfktd78OOpsqOltutMc3MY1

cat ./-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

The trickery here is that the cat program probably interprets the dash character.

Bandit 2

cat "spaces in this filename"
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

Bandit 3

cat inhere/.hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB

Bandit 4

I ran the file command until it said it found an ASCII file.

file inhere/-file*
inhere/-file00: data
inhere/-file01: data
inhere/-file02: data
inhere/-file03: data
inhere/-file04: data
inhere/-file05: data
inhere/-file06: data
inhere/-file07: ASCII text
inhere/-file08: data
inhere/-file09: data

cat inhere/-file07
koReBOKuIDDepwhWk7jZC0RTdopnAYKh

Bandit 5

My first thought is to use the find command. It can probably filter on all the attributes mentioned. When I Google for “find not executable linux” I find people looking for the solution to the exact OverTheWire level. Oh well:

find inhere/ -type f -size 1033c ! -executable
inhere/maybehere07/.file2

I look at the file with xxd:

xxd inhere/maybehere07/.file2
00000000: 4458 6a5a 5055 4c4c 7859 7231 3775 776f  DXjZPULLxYr17uwo
00000010: 4930 3162 4e4c 5162 7446 656d 4567 6f37  I01bNLQbtFemEgo7
00000020: 0a20 2020 2020 2020 2020 2020 2020 2020  .
00000030: 2020 2020 2020 2020 2020 2020 2020 2020
00000040: 2020 2020 2020 2020 2020 2020 2020 2020
00000050: 2020 2020 2020 2020 2020 2020 2020 2020
00000060: 2020 2020 2020 2020 2020 2020 2020 2020
00000070: 2020 2020 2020 2020 2020 2020 2020 2020
00000080: 2020 2020 2020 2020 2020 2020 2020 2020
00000090: 2020 2020 2020 2020 2020 2020 2020 2020
000000a0: 2020 2020 2020 2020 2020 2020 2020 2020
000000b0: 2020 2020 2020 2020 2020 2020 2020 2020
000000c0: 2020 2020 2020 2020 2020 2020 2020 2020
000000d0: 2020 2020 2020 2020 2020 2020 2020 2020
000000e0: 2020 2020 2020 2020 2020 2020 2020 2020
000000f0: 2020 2020 2020 2020 2020 2020 2020 2020
00000100: 2020 2020 2020 2020 2020 2020 2020 2020
00000110: 2020 2020 2020 2020 2020 2020 2020 2020
00000120: 2020 2020 2020 2020 2020 2020 2020 2020
00000130: 2020 2020 2020 2020 2020 2020 2020 2020
00000140: 2020 2020 2020 2020 2020 2020 2020 2020
00000150: 2020 2020 2020 2020 2020 2020 2020 2020
00000160: 2020 2020 2020 2020 2020 2020 2020 2020
00000170: 2020 2020 2020 2020 2020 2020 2020 2020
00000180: 2020 2020 2020 2020 2020 2020 2020 2020
00000190: 2020 2020 2020 2020 2020 2020 2020 2020
000001a0: 2020 2020 2020 2020 2020 2020 2020 2020
000001b0: 2020 2020 2020 2020 2020 2020 2020 2020
000001c0: 2020 2020 2020 2020 2020 2020 2020 2020
000001d0: 2020 2020 2020 2020 2020 2020 2020 2020
000001e0: 2020 2020 2020 2020 2020 2020 2020 2020
000001f0: 2020 2020 2020 2020 2020 2020 2020 2020
00000200: 2020 2020 2020 2020 2020 2020 2020 2020
00000210: 2020 2020 2020 2020 2020 2020 2020 2020
00000220: 2020 2020 2020 2020 2020 2020 2020 2020
00000230: 2020 2020 2020 2020 2020 2020 2020 2020
00000240: 2020 2020 2020 2020 2020 2020 2020 2020
00000250: 2020 2020 2020 2020 2020 2020 2020 2020
00000260: 2020 2020 2020 2020 2020 2020 2020 2020
00000270: 2020 2020 2020 2020 2020 2020 2020 2020
00000280: 2020 2020 2020 2020 2020 2020 2020 2020
00000290: 2020 2020 2020 2020 2020 2020 2020 2020
000002a0: 2020 2020 2020 2020 2020 2020 2020 2020
000002b0: 2020 2020 2020 2020 2020 2020 2020 2020
000002c0: 2020 2020 2020 2020 2020 2020 2020 2020
000002d0: 2020 2020 2020 2020 2020 2020 2020 2020
000002e0: 2020 2020 2020 2020 2020 2020 2020 2020
000002f0: 2020 2020 2020 2020 2020 2020 2020 2020
00000300: 2020 2020 2020 2020 2020 2020 2020 2020
00000310: 2020 2020 2020 2020 2020 2020 2020 2020
00000320: 2020 2020 2020 2020 2020 2020 2020 2020
00000330: 2020 2020 2020 2020 2020 2020 2020 2020
00000340: 2020 2020 2020 2020 2020 2020 2020 2020
00000350: 2020 2020 2020 2020 2020 2020 2020 2020
00000360: 2020 2020 2020 2020 2020 2020 2020 2020
00000370: 2020 2020 2020 2020 2020 2020 2020 2020
00000380: 2020 2020 2020 2020 2020 2020 2020 2020
00000390: 2020 2020 2020 2020 2020 2020 2020 2020
000003a0: 2020 2020 2020 2020 2020 2020 2020 2020
000003b0: 2020 2020 2020 2020 2020 2020 2020 2020
000003c0: 2020 2020 2020 2020 2020 2020 2020 2020
000003d0: 2020 2020 2020 2020 2020 2020 2020 2020
000003e0: 2020 2020 2020 2020 2020 2020 2020 2020
000003f0: 2020 2020 2020 2020 2020 2020 2020 2020
00000400: 2020 2020 2020 2020 20

There’s a lot of crap besides the ASCII. I use strings to only capture the bits that can be interpreted as ASCII:

strings inhere/maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7

Bandit 6

Seems like I should use the find command again. Maybe find / something.

I read the find manual to find these arguments:

  • -user uname
  • -group

After running it a few times, I come up with this solution:

cat $(find / -type f -size 33c -user bandit7 -group bandit6 2>&1 | grep -v "Permission denied\|No such")
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

Bandit 7

I looked at the file with vi and found the word. Then used grep:

grep millionth data.txt | cut -f2
cvX2JJa4CFALtqS87jk27qwqGhBM9plV

Bandit 8

I have some experience with these commands (parsing log files and such), so it was not so difficult.

sort data.txt | uniq -u
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

Bandit 9

Inspected the file with strings and found the password.

strings data.txt | grep "^=" | tail -n 1 | cut -d" " -f2
truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk

Bandit 10

base64 -d:

base64 -d data.txt | cut -d " " -f4
IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

Bandit 11

Using tr to shift the characters:

cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

I want to try it in Python:

cat data.txt
Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh
import codecs

flag = "Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh"

print(codecs.encode(flag, 'rot_13'))
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

rot13 function in Python.

I guess we could use CyberChef too.

Bandit 12

Now it’s starting to get quite challenging for me. My initial plan:

  • Convert hexdump back to binary with xxd
    • I already know this from my blog post on bits
  • Look at the magic bytes (file signatures) for knowing what compression has been used, maybe using the file command

I did all the decompression manually by discovering the compression with file. For some reason, gunzip wants the file extension to be .gz. I wonder why. Can use -S to override.

The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

After that, I started thinking about doing it all on the fly:

xxd -r data.txt | gzip -dc | bzip2 -dc | gzip -dc | tar xvf - -O | tar xvf - -O | bzip2 -dc | tar xvf - -O | gzip -dc
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

I’m surprised it works.
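The manual route above (run file, read the magic bytes, pick gzip/bzip2/tar, repeat) is a small loop, and writing it down makes the failure modes visible. The script below is an added example, not code from the original page: it reverses an xxd dump the way xxd -r does, sniffs each layer by its file signature the way file does, peels it, and stops when the data no longer looks like an archive. The flag text, the file name data4.bin and the nesting order gzip(bzip2(tar(gzip(flag)))) are constructed for the demo; the real data.txt is not embedded. Each layer is read with a size ceiling, because a chain of nested archives is also the shape of a decompression bomb, and a flag file is tiny.

```python
from __future__ import annotations

import bz2
import gzip
import io
import tarfile

# Leading bytes (file signatures) that the file command keys on for the three
# container formats Bandit 12 nests; tar's "ustar" marker sits at offset 257.
GZIP_MAGIC = b"\x1f\x8b"
BZIP2_MAGIC = b"BZh"
TAR_MAGIC, TAR_MAGIC_OFFSET = b"ustar", 257

# Refuse to inflate any single layer past this many bytes (assumed ceiling).
MAX_LAYER_BYTES = 16 * 1024 * 1024


def xxd_reverse(dump: str) -> bytes:
    """Reverse an xxd hexdump (what xxd -r does) assuming xxd's default
    16-bytes-per-line layout: offset, colon, a 39-column hex field, two spaces,
    ASCII gutter. Only the fixed-width hex field is parsed, so hex-looking
    characters in the gutter never leak into the output."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        _offset, rest = line.split(":", 1)
        out += bytes.fromhex(rest[:40].replace(" ", ""))
    return bytes(out)


def sniff(blob: bytes) -> str | None:
    """Identify the outermost layer from its magic bytes, like file does."""
    if blob.startswith(GZIP_MAGIC):
        return "gzip"
    if blob.startswith(BZIP2_MAGIC):
        return "bzip2"
    if blob[TAR_MAGIC_OFFSET:TAR_MAGIC_OFFSET + len(TAR_MAGIC)] == TAR_MAGIC:
        return "tar"
    return None


def _bounded_read(stream, kind: str) -> bytes:
    # Read at most one byte past the ceiling so an oversized layer is refused
    # without ever being fully inflated in memory.
    data = stream.read(MAX_LAYER_BYTES + 1)
    if len(data) > MAX_LAYER_BYTES:
        raise ValueError(f"{kind} layer inflates past {MAX_LAYER_BYTES} bytes, refusing")
    return data


def unwrap_once(blob: bytes) -> tuple[str, bytes] | None:
    """Strip one layer; for a tar, return the contents of its first regular file."""
    kind = sniff(blob)
    if kind == "gzip":
        with gzip.GzipFile(fileobj=io.BytesIO(blob)) as f:
            return kind, _bounded_read(f, kind)
    if kind == "bzip2":
        with bz2.BZ2File(io.BytesIO(blob)) as f:
            return kind, _bounded_read(f, kind)
    if kind == "tar":
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as tar:
            member = next(m for m in tar.getmembers() if m.isfile())
            return kind, _bounded_read(tar.extractfile(member), kind)
    return None


def unwrap_all(blob: bytes, max_layers: int = 32) -> tuple[list[str], bytes]:
    """Peel layers until the data no longer looks like an archive."""
    layers: list[str] = []
    for _ in range(max_layers):
        step = unwrap_once(blob)
        if step is None:
            return layers, blob
        kind, blob = step
        layers.append(kind)
    raise ValueError(f"still wrapped after {max_layers} layers, giving up")


def _tar_wrap(content: bytes, name: str) -> bytes:
    # Fixture helper: put one regular file into an in-memory tar.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name)
        info.size = len(content)
        tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def xxd_dump(blob: bytes) -> str:
    """Render bytes in xxd's default layout (the inverse of xxd_reverse)."""
    lines = []
    for off in range(0, len(blob), 16):
        chunk = blob[off:off + 16]
        hexpart = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        gutter = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {hexpart:<39}  {gutter}")
    return "\n".join(lines) + "\n"


def build_sample_dump() -> str:
    """Constructed fixture, not the real data.txt: a made-up flag line wrapped
    as gzip(bzip2(tar(gzip(flag)))) and then hexdumped."""
    flag = b"The password is EXAMPLE-NOT-A-REAL-FLAG\n"
    blob = gzip.compress(flag)
    blob = _tar_wrap(blob, "data4.bin")
    blob = bz2.compress(blob)
    blob = gzip.compress(blob)
    return xxd_dump(blob)


if __name__ == "__main__":
    layers, flag = unwrap_all(xxd_reverse(build_sample_dump()))
    print(" -> ".join(layers))
    print(flag.decode().strip())
```

To use it on the real level, replace build_sample_dump() with open("data.txt").read(); the layer list it prints is the same information the repeated file calls gave, and the loop stops by itself instead of needing the pipeline length to be known in advance.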

I googled xxd -r data.txt | gzip -dc and found a gist using the same technique.

I like that he shows how to run it straight through SSH:

ssh -p 2220 bandit12@bandit.labs.overthewire.org 'xxd -r data.txt | gzip -dc | bzip2 -d -c | gzip -dc | tar -xO | tar -xO | bzip2 -d -c | tar -xO | gzip -dc'

By doing this, I realized that I could remove some options. So it’s always useful to compare solutions. Nice way to learn. Did some more searching and found some nice resources:

By doing this, I also learned that you can use the sshpass -p <file> command to pass a password into ssh. So you can see how much you can learn by following the rabbit. John Hammond always saves the flag in a file named bandit12 etc. He ends up doing the decompression by hand.

Bandit 13

I’m copying over the private file:

sshpass -p "8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL" scp -P 2220 bandit13@bandit.labs.overthewire.org:sshkey.private sshkey.private

After that:

chmod 600 sshkey.private
ssh -i sshkey.private bandit14@bandit.labs.overthewire.org -p 2220 "cat /etc/bandit_pass/bandit14"
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

Bandit 14

nc to the rescue. I think telnet might be possible too?

echo "4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e" | nc 127.0.0.1 30000 | grep .
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr

Bandit 15

I have no idea what to do here. Thinking of using:

With openssl:

echo "BfMYroe26WYalil77FoDi9qh59eK5xNr" | openssl s_client -connect localhost:30001 -ign_eof -quiet | grep .
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd

Quite happy that I also got it to work in Python:

import socket
import ssl

password = b"BfMYroe26WYalil77FoDi9qh59eK5xNr"
hostname = "localhost"

# The level's daemon presents a certificate that no CA vouches for, so
# hostname checking and verification are switched off for this one connection.
context = ssl.create_default_context()
context.check_hostname = False
context.verify_mode = ssl.CERT_NONE

with socket.create_connection((hostname, 30001)) as sock:
    # wrap_socket performs the TLS handshake; everything sent afterwards is encrypted
    with context.wrap_socket(sock, server_hostname=hostname) as ssock:
        ssock.sendall(password + b"\n")
        data = ssock.recv(1024)

print(data.decode("UTF-8").strip())
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd

Bandit 16

I want to do this in Python too, cause I suspect I can build on the same concepts later.

I Google how to do a port range scan on localhost.

nmap -p31000-32000 localhost

Starting Nmap 7.40 ( https://nmap.org ) at 2019-10-20 23:47 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00026s latency).
Not shown: 998 closed ports
PORT      STATE    SERVICE
31518/tcp filtered unknown
31790/tcp open     unknown
31960/tcp open     unknown

Nmap done: 1 IP address (1 host up) scanned in 1.26 seconds

Python port scanner thing.

import socket

for port in range(31000, 32000):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(1)
    # connect_ex returns 0 on success and an errno value instead of raising
    result = sock.connect_ex(("localhost", port))
    if 0 == result:
        print("Port: {} Open".format(port))
    sock.close()
Port: 31790 Open
Port: 31960 Open

Not too happy about these results. But I suspect 31518 is SSL because this silly port scanner can’t find it.
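The scanner above only reports a successful connect(), so a port whose SYNs are dropped (what nmap labels filtered) looks exactly like a closed one. The version below is an added example, not code from the original page: it classifies each port from the errno that connect_ex returns (0 is open, ECONNREFUSED is closed, a timeout is filtered) and, for an open port, attempts a TLS handshake to tell a TLS service from a plaintext one, which is the question Bandit 16 actually poses. The loopback listener on a random port exists only so the script runs stand-alone; the host 127.0.0.1 and the one-second timeout are assumptions.

```python
from __future__ import annotations

import errno
import socket
import ssl

OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


def probe(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify one TCP port by what connect() reports rather than by success
    alone: 0 is open, ECONNREFUSED means the port answered with a RST, and a
    timeout means something between us and the port dropped the SYN."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            rc = sock.connect_ex((host, port))
        except OSError as exc:  # e.g. name resolution failure
            return f"error:{exc.errno}"
    if rc == 0:
        return OPEN
    if rc == errno.ECONNREFUSED:
        return CLOSED
    if rc == errno.ETIMEDOUT:  # connect_ex reports a socket timeout as ETIMEDOUT
        return FILTERED
    return f"error:{errno.errorcode.get(rc, rc)}"


def scan(host: str, start: int, end: int, timeout: float = 1.0) -> dict[int, str]:
    """Scan start..end inclusive and keep everything that is not plainly closed,
    so filtered ports show up instead of silently disappearing."""
    return {p: state for p in range(start, end + 1)
            if (state := probe(host, p, timeout)) != CLOSED}


def speaks_tls(host: str, port: int, timeout: float = 1.0) -> bool:
    """Try a TLS handshake on an open port. Verification is off on purpose:
    this fingerprints the service, it is not a trust decision."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except OSError:  # SSLError (plaintext reply) and timeouts are both OSError
        return False


def open_listener() -> socket.socket:
    """Constructed fixture: a plaintext listener on a random loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


if __name__ == "__main__":
    srv = open_listener()
    lo = srv.getsockname()[1]
    for port, state in sorted(scan("127.0.0.1", lo - 2, lo + 2, 0.5).items()):
        tls = speaks_tls("127.0.0.1", port, 0.5) if state == OPEN else False
        print(f"{port}/tcp {state}{' tls' if tls else ''}")
    srv.close()
```

Against the level, scan("localhost", 31000, 32000) reports the filtered port as well as the open ones, and speaks_tls on each open port replaces the guesswork with a handshake result.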