Over The Wire - Bandit Complete Walkthrough
Level 0 → 1
Level Goal
The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.
The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.
Procedure
Using ssh login to the remote machine and look for the file with the password for the next level.
{Ω} 192.168.1.216 [kaliban@bunker] ~
↳ ssh bandit0@bandit.labs.overthewire.org -p 2220
bandit0@bandit:~$ ls
readme
bandit0@bandit:~$ cat readme
Congratulations on your first steps into the bandit game!!
Please make sure you have read the rules at https://overthewire.org/rules/
If you are following a course, workshop, walkthrough or other educational activity,
please inform the instructor about the rules as well and encourage them to
contribute to the OverTheWire community so we can keep these games free!
The password you are looking for is: ZjLjTmM6FvvyRnrb2rfNWOZOTa6ip5If
Result
The password for the next level is: ZjLjTmM6FvvyRnrb2rfNWOZOTa6ip5If
Level 1 → 2
Level Goal
The password for the next level is stored in a file called - located in the home directory
Procedure
Using the password obtained earlier login as bandit1 in the machine and look for the new password.
{Ω} 192.168.1.216 [kaliban@bunker] ~
↳ ssh bandit1@bandit.labs.overthewire.org -p 2220
bandit1@bandit:~$ ls
-
If we try to use cat on that file we get no result because the - will be seen as an argument refers to STDIN/STDOUT, to read that file we need to specify the full path.
bandit1@bandit:~$ cat ./-
263JGJPfgU6LtdEvgfWU1XP5yac29mFx
Result
The password for the next level is: 263JGJPfgU6LtdEvgfWU1XP5yac29mFx
Level 2 → 3
Level Goal
The password for the next level is stored in a file called spaces in this filename located in the home directory
Procedure
Using the new password login as bandit2 and look for the file with the new password.
{Ω} 192.168.1.216 [kaliban@bunker] ~
↳ ssh bandit2@bandit.labs.overthewire.org -p 2220
bandit2@bandit:~$ ls
spaces in this filename
A file with spaces in its name is another tricky case because the space is usually used to specify a new file or a new argument, to read this file we need to use the escape character \ before the space or writing the file name between quotes ““.
bandit2@bandit:~$ cat spaces\ in\ this\ filename
MNk8KNH3Usiio41PRUEoDFPqfxLPlSmx
bandit2@bandit:~$ cat "spaces in this filename"
MNk8KNH3Usiio41PRUEoDFPqfxLPlSmx
Result
The password is: MNk8KNH3Usiio41PRUEoDFPqfxLPlSmx
Level 3 → 4
Level Goal
The password for the next level is stored in a hidden file in the inhere directory.
Procedure
After using the new password to login as bandit3 we can start looking for the hidden file in the inhere folder.
{Ω} 192.168.1.216 [kaliban@bunker] ~
↳ ssh bandit3@bandit.labs.overthewire.org -p 2220
bandit3@bandit:~$ ls
inhere
bandit3@bandit:~$ cd inhere/
bandit3@bandit:~/inhere$ ls
bandit3@bandit:~/inhere$
Using the ls command in this folder will obviously give us zero results because the file is hidden, but using the flag -a after the ls command we can see hidden files.
Hidden files are usually used to store system configurations and are hidden putting a dot (.) before the name so they are not visible to the user.
bandit3@bandit:~/inhere$ ls -a
. .. ...Hiding-From-You
bandit3@bandit:~/inhere$ cat ...Hiding-From-You
2WmrDFRmJIq3IPxneAaMGhap0pFhF3NJ
Beside the hidden file we can also see two other things a single dot and a double dot, the first one is the directory we’re currently in, the other one is the parent directory, using the cd command with the double dot (cd ..) will bring us to the parent directory.
Results
The password is: 2WmrDFRmJIq3IPxneAaMGhap0pFhF3NJ
Level 4 → 5
Level Goal
The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.
Procedure
After gaining access to the new machine with the bandit4 user password we can start look for the new file within the inhere folder.
{Ω} 192.168.1.216 [kaliban@bunker] ~
↳ ssh bandit4@bandit.labs.overthewire.org -p 2220
bandit4@bandit:~$ ls
inhere
bandit4@bandit:~$ cd inhere/
bandit4@bandit:~/inhere$ ls
-file00 -file01 -file02 -file03 -file04 -file05 -file06 -file07 -file08 -file09
Here we have few options, looking every single file until we find the right one but that would be inefficient and slow, what we can do instead is using the file command to see the file type of every file in the folder and see what file is in a readable format and then read the content of that file.
bandit4@bandit:~/inhere$ file ./*
./-file00: data
./-file01: data
./-file02: data
./-file03: data
./-file04: data
./-file05: data
./-file06: data
./-file07: ASCII text
./-file08: data
./-file09: data
bandit4@bandit:~/inhere$ cat ./-file07
4oQYVPkxZOOEOO5pTW81FB8j8lxXGUQw
Result
The password for the next level is: 4oQYVPkxZOOEOO5pTW81FB8j8lxXGUQw
Level 5 → 6
Level Goal
The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:
human-readable
1033 bytes in size
not executable
Procedure
We can access the new machine using the password obtained before and look for the new password.
If we use the ls command we can see that we have a lot of folder to look through and in every folder we have a few files, just like before going through them one by one would be too slow so we have to find another solution.
{Ω} 192.168.1.216 [kaliban@bunker] ~
↳ ssh bandit5@bandit.labs.overthewire.org -p 2220
bandit5@bandit:~$ ls
inhere
bandit5@bandit:~$ cd inhere/
bandit5@bandit:~/inhere$ ls
maybehere00 maybehere03 maybehere06 maybehere09 maybehere12 maybehere15 maybehere18
maybehere01 maybehere04 maybehere07 maybehere10 maybehere13 maybehere16 maybehere19
maybehere02 maybehere05 maybehere08 maybehere11 maybehere14 maybehere17
To find the password for the next level we can use again the file command with a few more things.
The command file */{.,}* will return the file type of every file in the folder inhere, we could just use */* but this does not include hidden files, therefore we use {.,} so we include all the files starting with a . and the , will give us files starting with anything else.
bandit5@bandit:~/inhere$ file */{.,}*
maybehere00/.file1: ASCII text, with very long lines (550)
maybehere00/.file2: ASCII text, with very long lines (7835)
maybehere00/.file3: data
maybehere01/.file1: Clarion Developer (v2 and above) memo data
maybehere01/.file2: ASCII text, with very long lines (3069)
maybehere01/.file3: data
maybehere02/.file1: ASCII text, with very long lines (6350)
maybehere02/.file2: ASCII text, with very long lines (2576)
maybehere02/.file3: data
maybehere03/.file1: ASCII text, with very long lines (9768)
maybehere03/.file2: ASCII text, with very long lines (8879)
maybehere03/.file3: data
maybehere04/.file1: ASCII text, with very long lines (2439)
maybehere04/.file2: ASCII text, with very long lines (6143)
maybehere04/.file3: data
...SNIP...
To make the result more readable we can use the grep command, this time we want to print only lines containing ‘ASCII’ since this is the readable format we’re looking for.
bandit5@bandit:~/inhere$ file */{.,}* | grep ASCII
...SNIP...
maybehere09/.file2: ASCII text, with very long lines (8516)
maybehere10/.file1: ASCII text, with very long lines (7091)
maybehere10/.file2: ASCII text
maybehere11/.file1: ASCII text, with very long lines (451)
maybehere11/.file2: ASCII text, with very long lines (2500)
maybehere12/.file1: ASCII text, with very long lines (5814)
maybehere12/.file2: ASCII text, with very long lines (8243)
maybehere13/.file1: ASCII text, with very long lines (5257)
maybehere13/.file2: ASCII text, with very long lines (8951)
maybehere14/.file1: ASCII text, with very long lines (3426)
maybehere14/.file2: ASCII text, with very long lines (1502)
maybehere15/.file1: ASCII text, with very long lines (2158)
maybehere15/.file2: ASCII text
maybehere16/.file1: ASCII text, with very long lines (5425)
maybehere16/.file2: ASCII text, with very long lines (8471)
...SNIP...
We still have a lot of output of “ASCII text” and “ASCII text, with very long lines”, we can assume that the password is not in one of the files with “very long lines“ so we can filter out that part with another grep using the -v flag.
bandit5@bandit:~/inhere$ file */{.,}* | grep ASCII | grep -v ', with very long lines'
maybehere10/.file2: ASCII text
maybehere15/.file2: ASCII text
maybehere01/-file2: ASCII text
maybehere08/spaces file1: ASCII text
maybehere12/-file2: ASCII text
maybehere15/spaces file2: ASCII text
maybehere18/-file2: ASCII text
The output now is way smaller, we could even read through every file by hand but we don’t know which one is the file that respect our requirements.
To get the file size we can use the du command and we can use again grep to filter the correct size.
bandit5@bandit:~/inhere$ du -b -a | grep 1033
1033 ./maybehere07/.file2
bandit5@bandit:~/inhere$ cat maybehere07/.file2
HWasnPhtq9AVKe0dmk45nxy20cvUa6EG
This returns only one file but we can see it was’t in out previous list, so filtering out the files “with very long lines” was actually an error.
To find non-executable files we can use the find command with the -executable flag and the exclamation mark (!) before to find all the non-executable files.
We can finally get the result we wanted only using one command and the best candidate is the find command.
bandit5@bandit:~/inhere$ find . -type f -size 1033c ! -executable -exec file '{}' \; | grep ASCII
./maybehere07/.file2: ASCII text, with very long lines (1000)
bandit5@bandit:~/inhere$ cat maybehere07/.file2
HWasnPhtq9AVKe0dmk45nxy20cvUa6EG
Result
The password for the next level is: HWasnPhtq9AVKe0dmk45nxy20cvUa6EG
Level 6 → 7
Level Goal
The password for the next level is stored somewhere on the server and has all of the following properties:
owned by user bandit7
owned by group bandit6
33 bytes in size
Procedure
In this level the file containing the password is stored somewhere in the server this we don’t have a specific target and we should look through the whole system to find that file but luckily the find command can be helpful with our taks.
{Ω} 192.168.1.216 [kaliban@bunker] ~
↳ ssh bandit6@bandit.labs.overthewire.org -p 2220
bandit6@bandit:~$ find / -type f -user bandit7 -group bandit6 -size 33c 2>/dev/null
/var/lib/dpkg/info/bandit7.password
bandit6@bandit:~$ cat /var/lib/dpkg/info/bandit7.password
morbNTDkSW6jIlUc0ymOdMaLnOlFVAaj
Here the explanation of what that command does:
The / at the beginning specify the folder where to start the search.
The flag -type f will only look for files excluding folders.
The -user bandit7 flag will look for files which the owner is the bandit7 user.
The -group bandit 6 flag will look for files that belong to the group bandit6.
-size 33c will only look for files that are 33 bytes in size.
The final part 2>/dev/null with redirect every output that contains any error to null, a virtual device that works like a black hole so the output is not displayed in the STDOUT.
Result
The password is: morbNTDkSW6jIlUc0ymOdMaLnOlFVAaj
Level 7 → 8
Level Goal
The password for the next level is stored in the file data.txt next to the word millionth.
Procedure
After logging in the remote machine as bandit7 we can already see the data.txt file in the home directory, using the wc command with the -l flag will show us the number of lines that the file has, being is a very big file we cant just read through every line until we find the password but we can use the grep command after the cat command to instantly get what we need.
{Ω} 192.168.1.216 [kaliban@bunker] ~
↳ ssh bandit7@bandit.labs.overthewire.org -p 2220
bandit7@bandit:~$ wc -l data.txt
98567 data.txt
bandit7@bandit:~$ cat data.txt | grep millionth
millionth dfwvzFQi4mU0wfNbFOe9RoWskMLg7eEc
Result
The password is: dfwvzFQi4mU0wfNbFOe9RoWskMLg7eEc
Level 8 → 9
Level Goal
The password for the next level is stored in the file data.txt and is the only line of text that occurs only once.
Procedure
Using the new password we can login in the user bandit8 and check out the data.txt file, we have again a lot of lines but this time we need to find the text that occurs only one time, to do that we can use the sort command to sort the content of the file and then pipe the output to the uniq command with the flag -u which will only pick the text that occurs one time.
{Ω} 192.168.1.216 [kaliban@bunker] ~
↳ ssh bandit8@bandit.labs.overthewire.org -p 2220
bandit8@bandit:~$ ls
data.txt
bandit8@bandit:~$ sort data.txt | uniq -u
4CKMh1JI91bUIZZPXDqGanal4xvAg0JM
Result
The password for the next level is: 4CKMh1JI91bUIZZPXDqGanal4xvAg0JM
Level 9 → 10
Level Goal
The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.
Procedure
To find the password for the next level we can use the strings command to get only the readable text from the file, after that we can use the grep command to get the lines with several equal signs.
{Ω} 192.168.1.216 [kaliban@bunker] ~
↳ ssh bandit9@bandit.labs.overthewire.org -p 2220
bandit9@bandit:~$ strings data.txt | grep ====
}========== the
3JprD========== passwordi
~fDV3========== is
D9========== FGUW5ilLVJrxX9kMYMmlN4MgbpfMiqey
Result
The password is: FGUW5ilLVJrxX9kMYMmlN4MgbpfMiqey
Level 10 → 11
Level Goal
The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.
Procedure
To find the password we just need to decode the content of the file data.txt, to do this we can use the base64 command which allows files as input.
{Ω} 192.168.1.216 [kaliban@bunker] ~
↳ ssh bandit10@bandit.labs.overthewire.org -p 2220
bandit10@bandit:~$ cat data.txt
VGhlIHBhc3N3b3JkIGlzIGR0UjE3M2ZaS2IwUlJzREZTR3NnMlJXbnBOVmozcVJyCg==
bandit10@bandit:~$ base64 -d data.txt
The password is dtR173fZKb0RRsDFSGsg2RWnpNVj3qRr
Result
The password for the next level is: dtR173fZKb0RRsDFSGsg2RWnpNVj3qRr
Level 11 → 12
…