Introduction

For a little context, the Bandit wargame was actually one of the first hands-on labs I tried out. As much as I hate to admit it, I barely knew what I was doing and ran to Google on pretty much every level. Even though it was definitely embarrassing, research is a big part of learning, and as long as you're making an effort to understand that Stack Overflow post from 12 years ago instead of copy-pasting it, there's nothing to be ashamed of :)

All levels can be found on the OverTheWire website here. Although these writeups are meant to be complete guides through each level, feel free to skip to the TLDR section if you would prefer a quick overview of the general methodology for the challenges. Now, let’s get into the action!

Level 0

Level Goal: The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.

The first level is simple: connect to the server via SSH using the provided credentials, then proceed to Level 1.

$ ssh [email protected] -p2220
                         _                     _ _ _
                        | |__   __ _ _ __   __| (_) |_
                        | '_ \ / _` | '_ \ / _` | | __|
                        | |_) | (_| | | | | (_| | | |_
                        |_.__/ \__,_|_| |_|\__,_|_|\__|

\
                      This is an OverTheWire game server.
            More information on http://www.overthewire.org/wargames

[email protected]'s password:

      ,----..            ,----,          .---.
     /   /   \         ,/   .`|         /. ./|
    /   .     :      ,`   .'  :     .--'.  ' ;
   .   /   ;.  \   ;    ;     /    /__./ \ : |
  .   ;   /  ` ; .'___,/    ,' .--'.  '   \' .
  ;   |  ; \ ; | |    :     | /___/ \ |    ' '
  |   :  | ; | ' ;    |.';  ; ;   \  \;      :
  .   |  ' ' ' : `----'  |  |  \   ;  `      |
  '   ;  \; /  |     '   :  ;   .   \    .\  ;
   \   \  ',  /      |   |  '    \   \   ' \ |
    ;   :    /       '   :  |     :   '  |--"
     \   \ .'        ;   |.'       \   \ ;
  www. `---` ver     '---' he       '---" ire.org

\
Welcome to OverTheWire!
[...]

bandit0@bandit:~$

Level 0 --> Level 1

Level Goal: The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.

Now that an SSH connection to the server has been established, we can find the password for the next level in the readme file by reading its content with the cat command.

bandit0@bandit:~$ cat readme
[...]
The password you are looking for is: [redacted]

Pretty simple stuff so far. Onto the next one!

Level 1 --> Level 2

Level Goal: The password for the next level is stored in a file called - located in the home directory.

In this level, we're supposed to find the password in a file called -. Just as we did in the last level, we connect to the server via SSH with our credentials and read the file with cat.

bandit1@bandit:~$ cat -

After running this command, you probably noticed that there was no output and the terminal started to hang. To exit this state, press the Ctrl + C keys at the same time. This happens because the terminal interprets hyphens after a command as the start of a parameter. So we need to find a way to let the terminal know that a parameter is not being introduced. To do that, we can specify the file path to the - file.

bandit1@bandit:~$ cat ./-
[redacted]

Now we have the password from the weirdly named file!

Level 2 --> Level 3

Level Goal: The password for the next level is stored in a file called –-spaces in this filename–-located in the home directory.

Like in the last level, we're presented with a strangely named file that we need to read. Since the file name has hyphens, we could try the same approach from before.

bandit2@bandit:~$ cat ./--spaces in this filename--
cat: ./--spaces: No such file or directory
cat: in: No such file or directory
cat: this: No such file or directory
cat: filename--: No such file or directory

Unfortunately, we get error messages, but why? That's because in the terminal, spaces between words are interpreted as a separator between arguments, so it treats every part of the filename independently. There are two ways to get around this. We can either enclose the filename in quotes or put a backslash (\) before each space. Both of these options work by letting the terminal know that we mean an actual space, instead of an argument separator.

$ cat ./'--spaces in this filename--'
[redacted]

$ cat ./--spaces\ in\ this\ filename--
[redacted]

Good job! Next level.

Level 3 --> Level 4

Level Goal: The password for the next level is stored in a hidden file in the inhere directory.

This one is a little different. Here, we're focused on directories, and we can use cd and ls to examine the contents of the inhere directory.

bandit3@bandit:~$ cd inhere
bandit3@bandit:~/inhere$ ls
bandit3@bandit:~/inhere$

Although it seems like there's nothing in the directory, we need to keep in mind that the password is supposed to be in a hidden file. How do we list hidden files in a directory? By adding the -a parameter to the ls command.

bandit3@bandit:~/inhere$ ls -a
.  ..  ...Hiding-From-You

Now we clearly see the hidden file and can get the password.

bandit3@bandit:~/inhere$ cat ...Hiding-From-You
[redacted]

Next!

Level 4 --> Level 5

Level Goal: The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.

This level is a bit of a step up in difficulty compared to the other levels, but that's not gonna stop us!

Taking a look at the inhere directory with ls, we see that there are ten files that might have the password. So what we need to do is check whether or not every file in the directory is human-readable.

bandit4@bandit:~$ ls inhere/
-file00  -file01  -file02  -file03  -file04  -file05  -file06  -file07  -file08  -file09

To do this, we can use the file command, which returns the file type of a file. For a human-readable file, it returns FILENAME: ASCII text. Since there are only ten files here, checking each file one by one is definitely an option, but what if there were fifty? Or a thousand? So to automate the check process, we can use the find command, which has the option to "find" every file in a directory that matches specified criteria, then run a command on them.

find inhere -type f -exec file {} \;

Don’t worry about the syntax; it’s much simpler than it looks. Essentially, the command finds everything in the inhere directory that is a file and executes the file command on it. As for the symbols at the end, the curly brackets({}) are a placeholder for each result we run file on, and the backslash+semicolon(\;) ends the -exec portion of the find command.

bandit4@bandit:~$ find inhere -type f -exec file {} \;
inhere/-file01: data
inhere/-file09: data
inhere/-file05: data
inhere/-file02: data
inhere/-file03: data
inhere/-file06: data
inhere/-file07: ASCII text
inhere/-file08: data
inhere/-file04: data
inhere/-file00: data

Although we've now found the human-readable file, there’s still the issue of the results we aren't interested in also being returned. That's where the grep command comes in. Basically, what it does is search through whatever input we give it for every instance of a word or phrase. To feed the results from find into grep, we use the vertical bar(|), which pipes the output of one command as input into another command. Knowing that the human-readable file has ASCII text at the end, we can grep for that.

bandit4@bandit:~$ find inhere -type f -exec file {} \; | grep 'ASCII'
inhere/-file07: ASCII text

And there it is! The only result we get now is exactly what we're looking for, and we can finally get our password.

bandit4@bandit:~$ cat inhere/-file07
[redacted]

Level 5 --> Level 6

Level Goal: The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties: human-readable, 1033 bytes in size, not executable.

This one's pretty close to the last level, just with a couple more criteria for the file we're looking for. To search for files of a specific size, we use the -size [Number][unit] parameter, where the unit is c(byte), k(kilobyte), M(megabyte), G(gigabyte) etc. As for it not being executable, we just need to add the ! -executable flag. The exclamation point signifies that we want files that are not executable. Then, for the human-readable part, the same method we used in the last level works.

bandit5@bandit:~$ find inhere -size 1033c ! -executable -exec file {} \; | grep 'ASCII'
inhere/maybehere07/.file2: ASCII text, with very long lines (1000)

Now we can get our password!

bandit5@bandit:~$ cat inhere/maybehere07/.file2
[redacted]

TLDR

1. Level 0:
   • Connect to the server via SSH.
2. Level 0 --> Level 1:
   • Read the readme file using the cat command.
3. Level 1 --> Level 2:
   • Read the - with cat, accommodating for the irregular filename by using the file path.
4. Level 2 --> Level 3:
   • Read the file with cat, using file path and quotes or backslashes to accommodate spaces present in the file name.
5. Level 3 --> Level 4:
   • List contents of ‘inhere’ directory, with -a parameter to show hidden files.
   • Read the hidden file with cal.
6. Level 4 --> Level 5:
   • Use file command to perform a file check on each file, or use find with with -exec parameter to check all files at once.
7. Level 5 --> Level 6:
   • Search for files that satisfy the given conditions using find with appropriate parameters.

Let's Connect!