OvertheWire provides wargames where you can practice different skills needed in infosec.
The Bandit section is designed for beginners who have zero or minimal experience with the Linux shell. It uses bash (Bourne Again SHell), and the difficulty of the challenges increases as you progress to higher levels.
The goal of each level is to read the password for the next level while learning essential bash skills and concepts.
Using that password, you can log in via SSH to the next bandit level.
This post is a walk-through of the levels in the Bandit wargame. If you have questions, just hit me up, or you can refer to the man pages!
bandit0 -> bandit1
Scenario: The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH to log into that level and continue the game.
We first use ls. ls lists the files in your current directory, but not all of them (you'll see this later); that's why I consider it best practice to invoke ls with the -al option. Seeing the readme file, we invoke cat to read the text inside. The cat command prints the contents of a file to the terminal.
The password is : boJ9jbbUNNfktd78OOpsqOltutMc3MY1
bandit1 -> bandit2
Scenario: The password for the next level is stored in a file called - located in the home directory.
After invoking ls -al, we find the file named -. We cannot invoke cat - because a leading - is read as the start of an option rather than as a file name (in Linux, options are passed to a command by prefixing them with -; for cat specifically, a lone - means "read standard input", so the command would sit waiting for input instead of opening the file). Prepending ./ to the file name, as in cat ./-, makes cat treat the argument as a path in the current directory and not as an option.
The password is : CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
bandit2 -> bandit3
Scenario: The password for the next level is stored in a file called spaces in this filename located in the home directory.
Invoking the ls -al command, we see a file with the name of “spaces in this filename”.
If we try to read the file using the cat command, we cannot use cat spaces in this filename because the shell splits the command line on whitespace and treats each word as a separate argument, not as one file name. That's why we put the file name inside quotes, so that the shell passes it to cat as a single argument (escaping each space with a backslash works as well):
cat "spaces in this filename"
The password is: UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
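The two file-name pitfalls from bandit1 and bandit2 (a name that is just a dash, and a name containing spaces) in one runnable script. This is an added example, not part of the original post or of the OverTheWire game: it builds its own scratch directory, and the file names and the marker contents inside them are constructed here.

```shell
#!/bin/sh
# Added example (not from the original post): a scratch directory holding a
# file literally named "-" (bandit1) and a file whose name contains spaces
# (bandit2). The directory, names and marker contents are constructed here.

make_fixture() {
    dir=$(mktemp -d)
    printf 'dash-file-content\n' > "$dir/-"
    printf 'spaces-file-content\n' > "$dir/spaces in this filename"
    echo "$dir"
}

read_dash_file() {
    # "cat -" would not open the file: cat treats a lone "-" as "read standard
    # input". Giving a path that starts with "./" sidesteps option parsing.
    (cd "$1" && cat ./-)
}

read_dash_file_via_redirect() {
    # Alternative: let the shell open the file. A redirection target is always
    # a file name, so "-" is not special here.
    (cd "$1" && cat < -)
}

read_spaces_file_unquoted() {
    # Without quotes the shell splits the name on whitespace and hands cat four
    # arguments; cat fails on every one of them and exits non-zero.
    (cd "$1" && cat spaces in this filename 2>/dev/null)
}

read_spaces_file_quoted() {
    # Quoting keeps the whole name as a single argument (escaping each space
    # with a backslash works as well).
    (cd "$1" && cat "spaces in this filename")
}

# Usage: build the directory, try each form, then remove it again.
dir=$(make_fixture)
read_dash_file "$dir"
read_dash_file_via_redirect "$dir"
read_spaces_file_quoted "$dir"
read_spaces_file_unquoted "$dir" || echo "unquoted name: cat failed (exit $?)"
rm -rf "$dir"
```

The redirect form is worth remembering for commands that, unlike cat, have no ./ escape hatch in their documentation: the shell opens the file itself, so the command never sees the dash.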
bandit3 -> bandit4
Scenario: The password for the next level is stored in a hidden file in the inhere directory.
Using the ls -al command, we see the directory inhere.
Going inside the inhere directory with cd inhere changes our working directory to ~/inhere. We invoke ls -al again and see that a file named .hidden is inside (files whose names start with a dot are skipped by a plain ls, which is why the -a option matters). We read the file using cat.
The password is: pIwrPrtPN36QITSp3EQaw936yaFoFgAB
bandit4 -> bandit5
We see a directory inhere. After checking the contents of the directory, we see many files.
It would be tedious to check the content of each file, especially in the context of systems used in enterprises: you will be dealing with many files, and going through them manually is not an efficient way to find what you need.
We invoke the file command, which reports the type of a file based on its contents. We use * because it is a shell wildcard (a glob pattern; it resembles but is not the same as a regular expression) that matches any sequence of characters, and only the last character of the file names differs. We see that file07 is ASCII text. Reading that file leads to the password.
The password is: koReBOKuIDDepwhWk7jZC0RTdopnAYKh
bandit5 -> bandit6
Scenario: The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties: human-readable, 1033 bytes in size, not executable.
Checking the contents, we see another inhere directory. Checking what's inside, we find many directories again; this is a sign that checking each directory for the password file by hand is not practical. Bash is very powerful: it lets you look for files quickly, if you invoke the correct commands and conditions.
We invoke find:
find . -size 1033c ! -executable
This line searches from the current directory (hence the .), looks for files of exactly 1033 bytes (the c suffix means the unit is bytes; refer to the find man page for more details), and the ! negates the -executable test, so only non-executable files are returned. I did not bother adding the human-readable condition, as only one entry is returned. In case filtering on the human-readable condition is required, you invoke file on the output and look for ASCII text.
It outputs the path of the file where the conditions are met.
Reading that file leads to the password.
The password is: DXjZPULLxYr17uwoI01bNLQbtFemEgo7
bandit6 -> bandit7
Scenario: The password for the next level is stored somewhere on the server and has all of the following properties: owned by user bandit7, owned by group bandit6, 33 bytes in size.
It is said that the file is stored somewhere on the server, so this time it is not in the inhere directory. We invoke the find command, searching from the root directory (/), with -group to specify the group, -user to specify the owner, and -size for the 33 bytes.
find / -group bandit6 -user bandit7 -size 33c
We see many lines of output, but most of them are "Permission denied" errors for places bandit6 is not allowed to read. We expect a lot of them since we are searching from the root directory, which is the topmost directory in a Linux file system.
One line without a permission error is seen: it identifies the file /var/lib/dpkg/info/bandit7.password, which is accessible.
You can redirect the error output (the permission denied messages) to /dev/null, which acts like a black hole, by adding 2>/dev/null to your command; the 2 is the file descriptor for standard error. Adding -type f as well restricts the results to regular files.
We read the contents using the cat command.
The password is: HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
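The searches from bandit4, bandit5 and bandit6 (size, executability, a human-readable check, owner and group, and silencing permission errors) run against a throwaway directory tree, so each condition can be checked on its own. This is an added example and not part of the original post or of the OverTheWire server: every path, file name and file content is constructed here, the owner and group are simply the current user's, and the human-readable test is a stand-in for file | grep "ASCII text" (implemented with tr, so it runs where file is not installed).

```shell
#!/bin/sh
# Added example (not from the original post): a scratch directory tree that
# mimics the bandit4, bandit5 and bandit6 searches. All paths, file names and
# contents below are constructed here; the owner/group are the current user's.

make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/inhere/maybehere01" "$root/inhere/maybehere02" \
             "$root/var/lib/dpkg/info" "$root/locked"
    # The only file that is 1033 bytes, non-executable AND printable text
    # (1032 '0' characters plus a newline).
    printf '%01032d\n' 0 > "$root/inhere/maybehere02/.file2"
    # Same size and content, but executable.
    printf '%01032d\n' 0 > "$root/inhere/maybehere01/runme"
    chmod +x "$root/inhere/maybehere01/runme"
    # Same size, non-executable, but binary (all NUL bytes): not human-readable.
    head -c 1033 /dev/zero > "$root/inhere/maybehere01/blob"
    # Wrong size.
    printf 'short\n' > "$root/inhere/maybehere02/file1"
    # bandit6-style target: 33 bytes, owned by the current user and group.
    printf '%032d\n' 0 > "$root/var/lib/dpkg/info/bandit7.password"
    # An unreadable directory so that a search from the top of the tree
    # produces "Permission denied" noise on stderr (when not running as root).
    mkdir "$root/locked/secret"
    chmod 000 "$root/locked/secret"
    echo "$root"
}

cleanup() {
    chmod 700 "$1/locked/secret" 2>/dev/null
    rm -rf "$1"
}

is_human_readable() {
    # Stand-in for "file <path> | grep 'ASCII text'": a file counts as
    # human-readable when it contains no byte outside the printable and
    # whitespace classes (evaluated bytewise in the C locale).
    [ "$(LC_ALL=C tr -d '[:print:][:space:]' < "$1" | wc -c)" -eq 0 ]
}

find_candidates() {
    # bandit5 conditions without the readability test: exact size, not executable.
    find "$1/inhere" -type f -size 1033c ! -executable
}

find_readable_candidate() {
    # bandit5 with all three conditions: apply the readability test to each hit.
    find "$1/inhere" -type f -size 1033c ! -executable | while IFS= read -r f; do
        if is_human_readable "$f"; then echo "$f"; fi
    done
}

find_by_owner() {
    # bandit6 conditions: search from a top directory, match owner and group,
    # exact size of 33 bytes, and discard "Permission denied" messages (stderr).
    find "$1" -type f -user "$2" -group "$3" -size 33c 2>/dev/null
}

# Usage: build the tree, run each search, and remove the tree again.
root=$(make_fixture)
echo "size/executable only:"; find_candidates "$root"
echo "plus human-readable:";  find_readable_candidate "$root"
echo "by owner and group:";   find_by_owner "$root" "$(id -un)" "$(id -gn)"
cleanup "$root"
```

Run as a normal user, the by-owner search is where the 2>/dev/null matters: without it, the locked directory adds a "Permission denied" line to the output, exactly the noise seen when searching from / on the Bandit server.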