OverTheWire: Bandit (levels 1–7)

OverTheWire provides wargames where you can practice different skills needed in infosec.

The Bandit section is designed for beginners who have zero or minimal knowledge of the Linux shell. It uses bash (Bourne Again SHell), and the challenges get more difficult as you move to higher levels.

The goal is to read the password for the next level while teaching essential bash skills and concepts.

Using the password, you can log in via SSH to the next Bandit level.

This post is a walk-through of the levels in the Bandit wargame. If you have questions, just hit me up, or you can refer to the man pages!

bandit0 -> bandit1

We first use:

ls -al

ls lists the files in your current directory, but not all of them (you’ll see this later). That’s why I consider it best practice to invoke ls with the -al option. Seeing the readme file, we invoke cat to read the text inside. The cat command basically reads the content of the file.

The password is : boJ9jbbUNNfktd78OOpsqOltutMc3MY1

bandit1 -> bandit2

After invoking ls -al, we find the file. We cannot invoke cat followed by “-”, because bash will interpret it as an invalid option (in Linux, options are passed to a command using “-” followed by the option). With “./” prepended to the file name, the command treats it as a file in the current directory rather than as the start of an option.

cat ./-

The password is : CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

bandit2 -> bandit3

Invoking the ls -al command, we see a file with the name of “spaces in this filename”.

If we try to read the file using the cat command, we cannot use “cat spaces in this filename” because the shell will treat each word as a separate entry, not as one file name. That’s why we put the file name inside quotes, so that the shell will not misinterpret it.

cat "spaces in this filename"

The password is: UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

bandit3 -> bandit4

Using the ls -al command, we see the directory inhere.

Going inside the inhere directory using the command cd inhere, we have changed our working directory to ~/inhere. We invoke another ls -al, and see that a file .hidden is inside. We read the file using cat.

The password is: pIwrPrtPN36QITSp3EQaw936yaFoFgAB

bandit4 -> bandit5

We see a directory inhere. After checking the contents of the directory, we see many files.

It would be tedious to check the content of each file, especially in the context of systems used in enterprises. You will be dealing with many files, and going through them manually is not an efficient way of finding what you need.

We invoke the file command, which checks the file type. We use * because it represents a wildcard (read more about regular expressions or Regex) that can stand for any character, since only the last character of the file name changes. We see that file07 is ASCII text. Reading the file leads to the password.

The password is: koReBOKuIDDepwhWk7jZC0RTdopnAYKh

bandit5 -> bandit6

Checking the contents, we see another inhere directory. Checking what’s inside, we find many directories again. This is a sign that checking each directory for the password file is not practical. Bash is very powerful. It allows you to look for files quickly, if you can invoke the correct commands and conditions.

We invoke find again. We use

find . -size 1033c ! -executable

This line searches the current directory (hence the “.”) for a file that is 1033 bytes in size (the c indicates that the unit is bytes; refer to the find man page for more details). The “!” inverts the -executable test, so it looks for a non-executable file. I did not bother adding the human-readable condition, as only one entry is returned. If you do need to filter on the human-readable condition, invoke file on the output and look for ASCII text.

It outputs the path of the entry that meets the given conditions.

Reading the file leads to the password.

The password is: DXjZPULLxYr17uwoI01bNLQbtFemEgo7

bandit6 -> bandit7

The level description says that the file is stored somewhere on the server, so this time it is not in the inhere directory. We invoke the find command, searching from the root directory (/), with -group to identify the group, -user to denote the user, and a size of 33 bytes.

find / -group bandit6 -user bandit7 -size 33c

We see many matching files, but we do not have permission, hence the permission denied messages. We expect a lot of files since we are searching from the root directory, which is the topmost directory in a Linux file system.

One line appears without a permission denied message. It identifies the file /var/lib/dpkg/info/bandit7.password as accessible.

You can redirect the “error” output (permission denied) to /dev/null, which acts like a “black hole”. You can do this by adding -type f 2>/dev/null to your command.

We read the contents using the cat command.

The password is: HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
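
The find conditions from bandit5 -> bandit6 and the 2>/dev/null redirect from bandit6 -> bandit7, run against a constructed sandbox (an added example, not part of the original post or the Bandit server). The function names and file layout are hypothetical, GNU find and grep are assumed, and grep -I stands in for the "invoke file and look for ASCII text" step.

```shell
#!/usr/bin/env bash
# Added example on a constructed sandbox; nothing here touches the Bandit server.

# Build a throwaway tree: one target plus decoys that each fail exactly one test.
make_sandbox() {
    local root
    root=$(mktemp -d) || return 1
    mkdir -p "$root/inhere/dir01" "$root/inhere/dir02" "$root/inhere/locked"
    # Target: 1033 bytes of text, not executable.
    head -c 1033 /dev/zero | tr '\0' 'A' > "$root/inhere/dir01/.file2"
    # Decoy: right size and text, but executable.
    cp "$root/inhere/dir01/.file2" "$root/inhere/dir02/run-me"
    chmod +x "$root/inhere/dir02/run-me"
    # Decoy: right size, not executable, but binary (all NUL bytes).
    head -c 1033 /dev/zero > "$root/inhere/dir02/blob"
    # Decoy: text, not executable, wrong size.
    printf 'too short\n' > "$root/inhere/dir01/note"
    # Unreadable directory, so an unprivileged find prints "Permission denied".
    chmod 000 "$root/inhere/locked"
    printf '%s\n' "$root"
}

# Size in bytes + non-executable (the post's find), then the human-readable filter.
find_candidate() {
    local dir="$1" size="$2" path
    find "$dir" -type f -size "${size}c" ! -executable 2>/dev/null |
    while IFS= read -r path; do
        # Assumption: grep -I (skip files with NUL bytes) stands in for `file` + "ASCII text".
        if grep -Iq . "$path"; then printf '%s\n' "$path"; fi
    done
}

remove_sandbox() {
    chmod 700 "$1/inhere/locked" && rm -rf "$1"
}

demo() {
    local root
    root=$(make_sandbox) || return 1
    echo "find alone (errors for locked/ show on stderr unless you are root):"
    find "$root" -type f -size 1033c ! -executable || true
    echo "with 2>/dev/null and the text filter:"
    find_candidate "$root" 1033
    remove_sandbox "$root"
}
demo
```

In this sandbox the bare find returns two paths (the text file and the binary blob), which is the case where the human-readable check is needed to narrow the result to one.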
