Over The Wire - Bandit Complete Walkthrough
Level 0 → 1
Level Goal
The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.
The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.
Procedure
Use ssh to log in to the remote machine and look for the file with the password for the next level.
{Ω} 192.168.1.216 [kaliban@bunker] ~
↳ ssh bandit0@bandit.labs.overthewire.org -p 2220
bandit0@bandit:~$ ls
readme
bandit0@bandit:~$ cat readme
Congratulations on your first steps into the bandit game!!
Please make sure you have read the rules at https://overthewire.org/rules/
If you are following a course, workshop, walkthrough or other educational activity,
please inform the instructor about the rules as well and encourage them to
contribute to the OverTheWire community so we can keep these games free!
The password you are looking for is: ZjLjTmM6FvvyRnrb2rfNWOZOTa6ip5If
Result
The password for the next level is: ZjLjTmM6FvvyRnrb2rfNWOZOTa6ip5If
Level 1 → 2
Level Goal
The password for the next level is stored in a file called - located in the home directory
Procedure
Using the password obtained earlier, log in to the machine as bandit1 and look for the new password.
{Ω} 192.168.1.216 [kaliban@bunker] ~
↳ ssh bandit1@bandit.labs.overthewire.org -p 2220
bandit1@bandit:~$ ls
-
If we try to use cat on that file by its bare name we get no result, because the - is interpreted as an argument that refers to STDIN/STDOUT rather than as a filename. To read the file we need to specify its path, for example ./- for the current directory.
bandit1@bandit:~$ cat ./-
263JGJPfgU6LtdEvgfWU1XP5yac29mFx
Result
The password for the next level is: 263JGJPfgU6LtdEvgfWU1XP5yac29mFx
Level 2 → 3
Level Goal
The password for the next level is stored in a file called spaces in this filename located in the home directory
Procedure
Using the new password, log in as bandit2 and look for the file with the new password.
{Ω} 192.168.1.216 [kaliban@bunker] ~
↳ ssh bandit2@bandit.labs.overthewire.org -p 2220
bandit2@bandit:~$ ls
spaces in this filename
A file with spaces in its name is another tricky case, because the shell uses the space to separate one file or argument from the next. To read this file we need to either put the escape character \ before each space or write the file name between quotes "".
bandit2@bandit:~$ cat spaces\ in\ this\ filename
MNk8KNH3Usiio41PRUEoDFPqfxLPlSmx
bandit2@bandit:~$ cat "spaces in this filename"
MNk8KNH3Usiio41PRUEoDFPqfxLPlSmx
Result
The password is: MNk8KNH3Usiio41PRUEoDFPqfxLPlSmx
Level 3 → 4
Level Goal
The password for the next level is stored in a hidden file in the inhere directory.
Procedure
After using the new password to log in as bandit3 we can start looking for the hidden file in the inhere folder.
{Ω} 192.168.1.216 [kaliban@bunker] ~
↳ ssh bandit3@bandit.labs.overthewire.org -p 2220
bandit3@bandit:~$ ls
inhere
bandit3@bandit:~$ cd inhere/
bandit3@bandit:~/inhere$ ls
bandit3@bandit:~/inhere$
Using the ls command in this folder gives us zero results because the file is hidden, but with the -a flag after the ls command we can see hidden files.
Hidden files are usually used to store configuration. A file is hidden by putting a dot (.) at the start of its name, so that a plain ls does not list it.
bandit3@bandit:~/inhere$ ls -a
. .. ...Hiding-From-You
bandit3@bandit:~/inhere$ cat ...Hiding-From-You
2WmrDFRmJIq3IPxneAaMGhap0pFhF3NJ
Besides the hidden file we can also see two other entries, a single dot and a double dot. The first one is the directory we’re currently in and the other one is the parent directory, so using the cd command with the double dot (cd ..) will bring us to the parent directory.
Result
The password is: 2WmrDFRmJIq3IPxneAaMGhap0pFhF3NJ
Level 4 → 5
Level Goal
The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.
Procedure
After gaining access to the new machine with the bandit4 user password we can start looking for the new file within the inhere folder.
{Ω} 192.168.1.216 [kaliban@bunker] ~
↳ ssh bandit4@bandit.labs.overthewire.org -p 2220
bandit4@bandit:~$ ls
inhere
bandit4@bandit:~$ cd inhere/
bandit4@bandit:~/inhere$ ls
-file00 -file01 -file02 -file03 -file04 -file05 -file06 -file07 -file08 -file09
Here we have a few options. We could look at every single file until we find the right one, but that would be inefficient and slow. Instead we can use the file command to see the type of every file in the folder, find which one is in a human-readable format, and then read the content of that file. The ./ prefix keeps the leading - of the filenames from being parsed as an option.
bandit4@bandit:~/inhere$ file ./*
./-file00: data
./-file01: data
./-file02: data
./-file03: data
./-file04: data
./-file05: data
./-file06: data
./-file07: ASCII text
./-file08: data
./-file09: data
bandit4@bandit:~/inhere$ cat ./-file07
4oQYVPkxZOOEOO5pTW81FB8j8lxXGUQw
Result
The password for the next level is: 4oQYVPkxZOOEOO5pTW81FB8j8lxXGUQw
Level 5 → 6
Level Goal
The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:
human-readable
1033 bytes in size
not executable
Procedure
We can access the new machine using the password obtained before and look for the new password.
If we use the ls command we can see that we have a lot of folders to look through, and in every folder we have a few files. Just like before, going through them one by one would be too slow, so we have to find another solution.
{Ω} 192.168.1.216 [kaliban@bunker] ~
↳ ssh bandit5@bandit.labs.overthewire.org -p 2220
bandit5@bandit:~$ ls
inhere
bandit5@bandit:~$ cd inhere/
bandit5@bandit:~/inhere$ ls
maybehere00 maybehere03 maybehere06 maybehere09 maybehere12 maybehere15 maybehere18
maybehere01 maybehere04 maybehere07 maybehere10 maybehere13 maybehere16 maybehere19
maybehere02 maybehere05 maybehere08 maybehere11 maybehere14 maybehere17
To find the password for the next level we can again use the file command, with a few more things.
The command file */{.,}* returns the file type of every file in the folders under inhere. We could just use */*, but that does not include hidden files, so we use {.,}: the shell expands it to both */.* (files starting with a .) and */* (files starting with anything else).
bandit5@bandit:~/inhere$ file */{.,}*
maybehere00/.file1: ASCII text, with very long lines (550)
maybehere00/.file2: ASCII text, with very long lines (7835)
maybehere00/.file3: data
maybehere01/.file1: Clarion Developer (v2 and above) memo data
maybehere01/.file2: ASCII text, with very long lines (3069)
maybehere01/.file3: data
maybehere02/.file1: ASCII text, with very long lines (6350)
maybehere02/.file2: ASCII text, with very long lines (2576)
maybehere02/.file3: data
maybehere03/.file1: ASCII text, with very long lines (9768)
maybehere03/.file2: ASCII text, with very long lines (8879)
maybehere03/.file3: data
maybehere04/.file1: ASCII text, with very long lines (2439)
maybehere04/.file2: ASCII text, with very long lines (6143)
maybehere04/.file3: data
...SNIP...
To make the result more readable we can use the grep command. This time we want to print only lines containing ‘ASCII’, since this is the readable format we’re looking for.
bandit5@bandit:~/inhere$ file */{.,}* | grep ASCII
...SNIP...
maybehere09/.file2: ASCII text, with very long lines (8516)
maybehere10/.file1: ASCII text, with very long lines (7091)
maybehere10/.file2: ASCII text
maybehere11/.file1: ASCII text, with very long lines (451)
maybehere11/.file2: ASCII text, with very long lines (2500)
maybehere12/.file1: ASCII text, with very long lines (5814)
maybehere12/.file2: ASCII text, with very long lines (8243)
maybehere13/.file1: ASCII text, with very long lines (5257)
maybehere13/.file2: ASCII text, with very long lines (8951)
maybehere14/.file1: ASCII text, with very long lines (3426)
maybehere14/.file2: ASCII text, with very long lines (1502)
maybehere15/.file1: ASCII text, with very long lines (2158)
maybehere15/.file2: ASCII text
maybehere16/.file1: ASCII text, with very long lines (5425)
maybehere16/.file2: ASCII text, with very long lines (8471)
...SNIP...
We still have a lot of output with “ASCII text” and “ASCII text, with very long lines”. We can assume that the password is not in one of the files with “very long lines”, so we can filter out that part with another grep using the -v flag.
bandit5@bandit:~/inhere$ file */{.,}* | grep ASCII | grep -v ', with very long lines'
maybehere10/.file2: ASCII text
maybehere15/.file2: ASCII text
maybehere01/-file2: ASCII text
maybehere08/spaces file1: ASCII text
maybehere12/-file2: ASCII text
maybehere15/spaces file2: ASCII text
maybehere18/-file2: ASCII text
The output is now much smaller. We could even read through every file by hand, but we don’t know which one is the file that meets our requirements.
To get the file size we can use the du command, and we can again use grep to filter for the correct size.
bandit5@bandit:~/inhere$ du -b -a | grep 1033
1033 ./maybehere07/.file2
bandit5@bandit:~/inhere$ cat maybehere07/.file2
HWasnPhtq9AVKe0dmk45nxy20cvUa6EG
This returns only one file, but we can see it wasn’t in our previous list, so filtering out the files “with very long lines” was actually an error.
To find non-executable files we can use the find command with the -executable flag preceded by an exclamation mark (!), which negates the test.
We can finally get the result we wanted using only one command, and the best candidate is the find command: -size 1033c matches files of exactly 1033 bytes, and -exec runs file on each match.
bandit5@bandit:~/inhere$ find . -type f -size 1033c ! -executable -exec file '{}' \; | grep ASCII
./maybehere07/.file2: ASCII text, with very long lines (1000)
bandit5@bandit:~/inhere$ cat maybehere07/.file2
HWasnPhtq9AVKe0dmk45nxy20cvUa6EG
Result
The password for the next level is: HWasnPhtq9AVKe0dmk45nxy20cvUa6EG
Level 6 → 7
Level Goal
The password for the next level is stored somewhere on the server and has all of the following properties:
owned by user bandit7
owned by group bandit6
33 bytes in size
Procedure
In this level the file containing the password is stored somewhere on the server, so we don’t have a specific target and have to look through the whole system to find that file. Luckily the find command can help with our task.
{Ω} 192.168.1.216 [kaliban@bunker] ~
↳ ssh bandit6@bandit.labs.overthewire.org -p 2220
bandit6@bandit:~$ find / -type f -user bandit7 -group bandit6 -size 33c 2>/dev/null
/var/lib/dpkg/info/bandit7.password
bandit6@bandit:~$ cat /var/lib/dpkg/info/bandit7.password
morbNTDkSW6jIlUc0ymOdMaLnOlFVAaj
Here is the explanation of what that command does:
The / at the beginning specifies the folder where the search starts.
The flag -type f looks only for files, excluding folders.
The -user bandit7 flag looks for files whose owner is the bandit7 user.
The -group bandit6 flag looks for files that belong to the group bandit6.
-size 33c looks only for files that are 33 bytes in size.
The final part, 2>/dev/null, redirects error output (STDERR, such as permission errors) to /dev/null, a virtual device that works like a black hole, so the errors are not displayed on the terminal.
Result
The password is: morbNTDkSW6jIlUc0ymOdMaLnOlFVAaj
Level 7 → 8
Level Goal
The password for the next level is stored in the file data.txt next to the word millionth.
Procedure
After logging in to the remote machine as bandit7 we can already see the data.txt file in the home directory. Using the wc command with the -l flag shows us the number of lines in the file. Since it is a very big file we can’t just read through every line until we find the password, but we can use the grep command after the cat command to instantly get what we need.
{Ω} 192.168.1.216 [kaliban@bunker] ~
↳ ssh bandit7@bandit.labs.overthewire.org -p 2220
bandit7@bandit:~$ wc -l data.txt
98567 data.txt
bandit7@bandit:~$ cat data.txt | grep millionth
millionth dfwvzFQi4mU0wfNbFOe9RoWskMLg7eEc
Result
The password is: dfwvzFQi4mU0wfNbFOe9RoWskMLg7eEc
Level 8 → 9
Level Goal
The password for the next level is stored in the file data.txt and is the only line of text that occurs only once.
Procedure
Using the new password we can log in as the user bandit8 and check out the data.txt file. We again have a lot of lines, but this time we need to find the text that occurs only once. To do that we can use the sort command to sort the content of the file and then pipe the output to the uniq command with the -u flag, which prints only the lines that occur one time. The sort is needed because uniq only compares adjacent lines.
{Ω} 192.168.1.216 [kaliban@bunker] ~
↳ ssh bandit8@bandit.labs.overthewire.org -p 2220
bandit8@bandit:~$ ls
data.txt
bandit8@bandit:~$ sort data.txt | uniq -u
4CKMh1JI91bUIZZPXDqGanal4xvAg0JM
Result
The password for the next level is: 4CKMh1JI91bUIZZPXDqGanal4xvAg0JM
Level 9 → 10
Level Goal
The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.
Procedure
To find the password for the next level we can use the strings command to get only the readable text from the file. After that we can use the grep command to get the lines with several equal signs.
{Ω} 192.168.1.216 [kaliban@bunker] ~
↳ ssh bandit9@bandit.labs.overthewire.org -p 2220
bandit9@bandit:~$ strings data.txt | grep ====
}========== the
3JprD========== passwordi
~fDV3========== is
D9========== FGUW5ilLVJrxX9kMYMmlN4MgbpfMiqey
Result
The password is: FGUW5ilLVJrxX9kMYMmlN4MgbpfMiqey
Level 10 → 11
Level Goal
The password for the next level is stored in the file data.txt, which contains base64 encoded data.
Procedure
To find the password we just need to decode the content of the file data.txt. To do this we can use the base64 command with the -d flag, which accepts a file as input.
{Ω} 192.168.1.216 [kaliban@bunker] ~
↳ ssh bandit10@bandit.labs.overthewire.org -p 2220
bandit10@bandit:~$ cat data.txt
VGhlIHBhc3N3b3JkIGlzIGR0UjE3M2ZaS2IwUlJzREZTR3NnMlJXbnBOVmozcVJyCg==
bandit10@bandit:~$ base64 -d data.txt
The password is dtR173fZKb0RRsDFSGsg2RWnpNVj3qRr
Result
The password for the next level is: dtR173fZKb0RRsDFSGsg2RWnpNVj3qRr
Level 11 → 12
Level Goal
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions
Procedure
To find the password for this level we can use the tr command, which translates or modifies its standard input and writes the result to standard output.
{Ω} 192.168.1.216 [kaliban@bunker] ~
↳ ssh bandit11@bandit.labs.overthewire.org -p 2220
bandit11@bandit:~$ cat data.txt
Gur cnffjbeq vf 7k16JArUVv5LxVuJfsSVdbbtaHGlw9D4
bandit11@bandit:~$ cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'
The password is 7x16WNeHIi5YkIhWsfFIqoognUTyj9Q4
Result
The password is: 7x16WNeHIi5YkIhWsfFIqoognUTyj9Q4
Level 12 → 13
Level Goal
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work. Use mkdir with a hard to guess directory name. Or better, use the command “mktemp -d”. Then copy the datafile using cp, and rename it using mv (read the manpages!)
Procedure
To solve this level, the first thing we have to do is create a folder in /tmp, and then we can copy there the data.txt file.
{Ω} 192.168.1.216 [kaliban@bunker] ~
↳ ssh bandit12@bandit.labs.overthewire.org -p 2220
bandit12@bandit:~$ ls
data.txt
bandit12@bandit:~$ mkdir /tmp/kaliban
bandit12@bandit:~$ cp data.txt /tmp/kaliban
bandit12@bandit:~$ cd /tmp/kaliban
bandit12@bandit:/tmp/kaliban$ ls
data.txt
Now we can rename the file so that its name says what it is, a hexdump, and see what data we can get out of it.
bandit12@bandit:/tmp/kaliban$ mv data.txt hexdump_data
bandit12@bandit:/tmp/kaliban$ cat hexdump_data | head
00000000: 1f8b 0808 dfcd eb66 0203 6461 7461 322e .......f..data2.
00000010: 6269 6e00 013e 02c1 fd42 5a68 3931 4159 bin..>...BZh91AY
00000020: 2653 59ca 83b2 c100 0017 7fff dff3 f4a7 &SY.............
00000030: fc9f fefe f2f3 cffe f5ff ffdd bf7e 5bfe .............~[.
00000040: faff dfbe 97aa 6fff f0de edf7 b001 3b56 ......o.......;V
00000050: 0400 0034 d000 0000 0069 a1a1 a000 0343 ...4.....i.....C
00000060: 4686 4341 a680 068d 1a69 a0d0 0068 d1a0 F.CA.....i...h..
00000070: 1906 1193 0433 5193 d4c6 5103 4646 9a34 .....3Q...Q.FF.4
00000080: 0000 d320 0680 0003 264d 0346 8683 d21a ... ....&M.F....
00000090: 0686 8064 3400 0189 a683 4fd5 0190 001e ...d4.....O.....
To work with the actual data, though, we need to reverse the hexdump with xxd -r.
bandit12@bandit:/tmp/kalibanfolder$ xxd -r hexdump_data compressed_data
To understand what kind of file we’re working with we can look at the first bytes of the dump.
For gzip compressed files the header is \x1F\x8B\x08. We can see that these are in the first line of the file.
bandit12@bandit:/tmp/kalibanfolder$ cat hexdump_data | head
00000000: 1f8b 0808 dfcd eb66 0203 6461 7461 322e .......f..data2.
We can now rename the file so that it has the right extension.
bandit12@bandit:/tmp/kalibanfolder$ mv compressed_data compressed_data.gz
bandit12@bandit:/tmp/kalibanfolder$ ls
compressed_data.gz hexdump_data
bandit12@bandit:/tmp/kalibanfolder$ gzip -d compressed_data.gz
bandit12@bandit:/tmp/kalibanfolder$ ls
compressed_data hexdump_data
We can now look at the first bytes of the newly obtained file to understand what we’re working with.
bandit12@bandit:/tmp/kalibanfolder$ xxd compressed_data | head
00000000: 425a 6839 3141 5926 5359 ca83 b2c1 0000 BZh91AY&SY......
00000010: 177f ffdf f3f4 a7fc 9ffe fef2 f3cf fef5 ................
00000020: ffff ddbf 7e5b fefa ffdf be97 aa6f fff0 ....~[.......o..
00000030: deed f7b0 013b 5604 0000 34d0 0000 0000 .....;V...4.....
00000040: 69a1 a1a0 0003 4346 8643 41a6 8006 8d1a i.....CF.CA.....
00000050: 69a0 d000 68d1 a019 0611 9304 3351 93d4 i...h.......3Q..
00000060: c651 0346 469a 3400 00d3 2006 8000 0326 .Q.FF.4... ....&
00000070: 4d03 4686 83d2 1a06 8680 6434 0001 89a6 M.F.......d4....
00000080: 834f d501 9000 1e90 34d1 8803 430e 9a0c .O......4...C...
00000090: 4069 a006 2646 8683 4003 10d3 4034 69a6 @i..&F..@...@4i.
This time we have a different header: the first bytes (425a, “BZ”) tell us that we’re now working with a bzip2 file. We can now correct the filename and proceed.
bandit12@bandit:/tmp/kalibanfolder$ mv compressed_data compressed_data.bz
bandit12@bandit:/tmp/kalibanfolder$ bzip2 -d compressed_data.bz
bandit12@bandit:/tmp/kalibanfolder$ xxd compressed_data | head
00000000: 1f8b 0808 dfcd eb66 0203 6461 7461 342e .......f..data4.
After checking the bytes of the file we can see we have again a gzip file.
bandit12@bandit:/tmp/kalibanfolder$ mv compressed_data compressed_data.gz
bandit12@bandit:/tmp/kalibanfolder$ gzip -d compressed_data.gz
bandit12@bandit:/tmp/kalibanfolder$ xxd compressed_data | head
00000000: 6461 7461 352e 6269 6e00 0000 0000 0000 data5.bin.......
00000010: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000030: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000040: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000060: 0000 0000 3030 3030 3634 3400 3030 3030 ....0000644.0000
00000070: 3030 3000 3030 3030 3030 3000 3030 3030 000.0000000.0000
00000080: 3030 3234 3030 3000 3134 3637 3237 3436 0024000.14672746
00000090: 3733 3700 3031 3132 3637 0020 3000 0000 737.011267. 0...
This time we have a different output: in the first bytes we can see “data5.bin”, which is a filename. It looks like we now have a tar archive, so we can proceed to extract it.
bandit12@bandit:/tmp/kalibanfolder$ mv compressed_data compressed_data.tar
bandit12@bandit:/tmp/kalibanfolder$ tar -xf compressed_data.tar
bandit12@bandit:/tmp/kalibanfolder$ ls
compressed_data.tar data5.bin hexdump_data
bandit12@bandit:/tmp/kalibanfolder$ xxd data5.bin | head
00000000: 6461 7461 362e 6269 6e00 0000 0000 0000 data6.bin.......
00000010: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000030: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000040: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000060: 0000 0000 3030 3030 3634 3400 3030 3030 ....0000644.0000
00000070: 3030 3000 3030 3030 3030 3000 3030 3030 000.0000000.0000
00000080: 3030 3030 3333 3500 3134 3637 3237 3436 0000335.14672746
00000090: 3733 3700 3031 3132 3735 0020 3000 0000 737.011275. 0...
Looks like data5.bin is also a tar archive, we can extract the file again.
bandit12@bandit:/tmp/kalibanfolder$ tar -xf data5.bin
bandit12@bandit:/tmp/kalibanfolder$ ls
compressed_data data5.bin data6.bin hexdump_data
bandit12@bandit:/tmp/kalibanfolder$ xxd data6.bin | head
00000000: 425a 6839 3141 5926 5359 d0e6 93b3 0000 BZh91AY&SY......
Looks like data6.bin is a bzip2 compressed file.
bandit12@bandit:/tmp/kalibanfolder$ bzip2 -d data6.bin
bzip2: Can't guess original name for data6.bin -- using data6.bin.out
bandit12@bandit:/tmp/kalibanfolder$ ls
compressed_data data5.bin data6.bin.out hexdump_data
bandit12@bandit:/tmp/kalibanfolder$ xxd data6.bin.out | head
00000000: 6461 7461 382e 6269 6e00 0000 0000 0000 data8.bin.......
00000010: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000030: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000040: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000060: 0000 0000 3030 3030 3634 3400 3030 3030 ....0000644.0000
00000070: 3030 3000 3030 3030 3030 3000 3030 3030 000.0000000.0000
00000080: 3030 3030 3131 3700 3134 3637 3237 3436 0000117.14672746
00000090: 3733 3700 3031 3132 3735 0020 3000 0000 737.011275. 0...
data6.bin.out shows another file name, so it is a tar archive again.
bandit12@bandit:/tmp/kalibanfolder$ tar -xf data6.bin.out
bandit12@bandit:/tmp/kalibanfolder$ ls
compressed_data data5.bin data6.bin.out data8.bin hexdump_data
bandit12@bandit:/tmp/kalibanfolder$ xxd data8.bin | head
00000000: 1f8b 0808 dfcd eb66 0203 6461 7461 392e .......f..data9.
00000010: 6269 6e00 0bc9 4855 2848 2c2e 2ecf 2f4a bin...HU(H,.../J
00000020: 51c8 2c56 70f3 374d 2977 2b4e 3648 4e4a Q.,Vp.7M)w+N6HNJ
00000030: f4cc f430 c8b0 f032 4a0d cd2e 362a 4b09 ...0...2J...6*K.
00000040: 7129 77cc e302 003e de32 4131 0000 00 q)w....>.2A1...
We have to do one more decompression with gzip and see the content of the file.
bandit12@bandit:/tmp/kalibanfolder$ mv data8.bin data8.gz
bandit12@bandit:/tmp/kalibanfolder$ gzip -d data8.gz
bandit12@bandit:/tmp/kalibanfolder$ ls
compressed_data data5.bin data6.bin.out data8 hexdump_data
bandit12@bandit:/tmp/kalibanfolder$ cat data8
The password is FO5dwFsc0cbaIiH0h8J2eUks2vdTDwAn
Result
The password is FO5dwFsc0cbaIiH0h8J2eUks2vdTDwAn
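The manual loop above (look at the first bytes, pick the tool, repeat) can be automated. The following is an added example, not part of the original walkthrough: it reverses an xxd dump and peels gzip, bzip2 and tar layers by their magic bytes until plain data is left. All function names are hypothetical, the tar check uses the "ustar" magic at offset 257 rather than the filename, and the sample input is constructed inline with a fake secret.

```python
import bz2
import gzip
import io
import tarfile


def xxd_reverse(dump: str) -> bytes:
    """Rebuild raw bytes from default `xxd` output, like `xxd -r`."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        # Layout: "offset: hex groups  ascii"; keep only the hex column.
        hex_col = line.split(":", 1)[1].split("  ", 1)[0]
        out += bytes.fromhex(hex_col.replace(" ", ""))
    return bytes(out)


def identify(blob: bytes) -> str:
    """Classify a layer by magic bytes instead of by file extension."""
    if blob[:3] == b"\x1f\x8b\x08":      # gzip header, as seen in the dump
        return "gzip"
    if blob[:3] == b"BZh":               # 42 5a 68: bzip2
        return "bzip2"
    if blob[257:262] == b"ustar":        # tar magic sits at offset 257
        return "tar"
    return "plain"


def peel(blob: bytes, max_layers: int = 32):
    """Strip layers until none is recognised; returns (payload, layer names)."""
    layers = []
    for _ in range(max_layers):          # cap guards against endless nesting
        kind = identify(blob)
        if kind == "plain":
            return blob, layers
        layers.append(kind)
        if kind == "gzip":
            blob = gzip.decompress(blob)
        elif kind == "bzip2":
            blob = bz2.decompress(blob)
        else:
            # Read the member in memory; nothing is written to disk, so
            # member names inside the archive cannot choose a path.
            with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
                member = next(m for m in tar if m.isfile())
                blob = tar.extractfile(member).read()
    raise ValueError("more layers than max_layers")


def to_xxd(data: bytes) -> str:
    """Render bytes in the default xxd layout (used to build the sample)."""
    rows = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        groups = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{off:08x}: {groups:<39}  {text}")
    return "\n".join(rows)


def tar_wrap(name: str, data: bytes) -> bytes:
    """Put `data` into a one-member tar archive held in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample(secret: bytes) -> str:
    """Constructed input: same layer order as the walkthrough, fake secret."""
    blob = tar_wrap("data8.bin", gzip.compress(secret))
    blob = tar_wrap("data5.bin", tar_wrap("data6.bin", bz2.compress(blob)))
    blob = gzip.compress(bz2.compress(gzip.compress(blob)))
    return to_xxd(blob)


if __name__ == "__main__":
    dump = build_sample(b"The password is CONSTRUCTED-SAMPLE-VALUE\n")
    payload, layers = peel(xxd_reverse(dump))
    print(" -> ".join(layers))
    print(payload.decode())
```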
Level 13 → 14
Level Goal
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on.
Procedure
The first thing we have to do in order to go to the next level is finding the private key for the bandit14 user.
{Ω} 172.28.47.141 [kaliban@bunker] ~
↳ ssh bandit13@bandit.labs.overthewire.org -p 2220
bandit13@bandit:~$ ls
sshkey.private
Now that we know where the key is, we can use scp to copy it to our machine and then access the target user.
{Ω} 172.28.47.141 [kaliban@bunker] ~
↳ scp -P 2220 bandit13@bandit.labs.overthewire.org:sshkey.private .
{Ω} 172.28.47.141 [kaliban@bunker] ~
↳ chmod 700 sshkey.private
{Ω} 172.28.47.141 [kaliban@bunker] ~
↳ ssh -i sshkey.private bandit14@bandit.labs.overthewire.org -p 2220
bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
MU4VWeTyJk8ROof1qqmcBPaLh7lDCPvS
Result
The password is: MU4VWeTyJk8ROof1qqmcBPaLh7lDCPvS
Level 14 → 15
Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
Procedure
To solve this level we can log in as the bandit14 user with the previously obtained password, connect to localhost with netcat on port 30000 and submit the user password.
{Ω} 172.28.47.141 [kaliban@bunker] ~
↳ ssh bandit14@bandit.labs.overthewire.org -p 2220
bandit14@bandit:~$ nc localhost 30000
MU4VWeTyJk8ROof1qqmcBPaLh7lDCPvS
Correct!
8xCjnmgoKbGLhHFAZlGE5Tmu4M2tKJQo
Result
The password for the next level is: 8xCjnmgoKbGLhHFAZlGE5Tmu4M2tKJQo
Level 15 → 16
Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL/TLS encryption.
Helpful note: Getting “DONE”, “RENEGOTIATING” or “KEYUPDATE”? Read the “CONNECTED COMMANDS” section in the manpage.
Procedure
To solve this level we can connect as the new target user with the new password and again connect to localhost, but this time to port 30001 and with ncat using the --ssl flag.
{Ω} 172.28.47.141 [kaliban@bunker] ~
↳ ssh bandit15@bandit.labs.overthewire.org -p 2220
bandit15@bandit:~$ ncat --ssl localhost 30001
8xCjnmgoKbGLhHFAZlGE5Tmu4M2tKJQo
Correct!
kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx
Result
The password is: kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx
Level 16 → 17
…