Bandit Level 0 -> 1
Recently I’ve been obsessed with a wargaming site called overthewire.org. At the time of this writing I have made it through a few of the servers already, but I will post my solutions to the entry level server they offer, “Bandit”. This is also the recommended place to start if you are new to the site. You should already be familiar with basic Linux commands before attempting this wargame. However, the first page of Bandit explains what to do if you don’t know a command. You do need to use a bit of your own intuition to figure out how to make it from one level to the next.
I have been through a good handful of wargaming sites in the past and I find this one to be of good quality with an interesting variety of servers to play. For those who don’t know what a wargame is, a wargame in hacking is a security challenge in which one must exploit a vulnerability in a system or application or gain access to a computer system. Most of the servers here are about program exploitation on the Linux platform. We do not have to be on a Linux system to play these. But why not? If you have access to a Linux box, a real terminal is the way to go. PuTTY is the way to go on Windows. But I digress. Use my posted solutions to learn and understand the levels, or compare them with your own solutions. Enjoy!
Level 0:
We simply ssh to bandit0@bandit.labs.overthewire.org using the password bandit0 and we are in our shell.
Level 0 -> 1:
Once in, we can see that the readme file is in our home directory. Simply “cat” it and grab the password for level1.
```
bandit0@melissa:~$ ls
readme
bandit0@melissa:~$ cat readme
boJ9jbbUNNfktd78OOpsqOltutMc3MY1
```
Level 1 -> 2:
We are told that the password is in a file called “-”. A bare dash is read by cat as standard input, so we need to delimit the dash with a path prefix (./-) to read the file.
```
bandit1@melissa:~$ ls
-
bandit1@melissa:~$ cat ./-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
```
Level 2 -> 3:
This time we simply need to read a file with spaces in its name. Let’s surround the file name in quotes.
```
bandit2@melissa:~$ ls
spaces in this filename
bandit2@melissa:~$ cat "spaces in this filename"
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
```
Level 3 -> 4:
We are told the password we need is in a hidden file in the inhere directory.
```
bandit3@melissa:~$ ls
inhere
bandit3@melissa:~$ cd inhere
bandit3@melissa:~/inhere$ ls -la
total 12
drwxr-xr-x 2 root root 4096 2012-05-10 23:51 .
drwxr-xr-x 3 root root 4096 2012-05-10 23:51 ..
-rw-r----- 1 bandit4 bandit3 33 2012-05-10 23:51 .hidden
bandit3@melissa:~/inhere$ cat .hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB
```
Level 4 -> 5:
We are told the password is somewhere in the inhere directory and is the only human readable file in the directory. Let’s see what file types we have.
```
bandit4@melissa:~$ ls
inhere
bandit4@melissa:~$ cd inhere
bandit4@melissa:~/inhere$ ls -la
total 48
drwxr-xr-x 2 root root 4096 2012-05-10 23:51 .
drwxr-xr-x 3 root root 4096 2012-05-10 23:51 ..
-rw-r----- 1 bandit5 bandit4 33 2012-05-10 23:51 -file00
-rw-r----- 1 bandit5 bandit4 33 2012-05-10 23:51 -file01
-rw-r----- 1 bandit5 bandit4 33 2012-05-10 23:51 -file02
-rw-r----- 1 bandit5 bandit4 33 2012-05-10 23:51 -file03
-rw-r----- 1 bandit5 bandit4 33 2012-05-10 23:51 -file04
-rw-r----- 1 bandit5 bandit4 33 2012-05-10 23:51 -file05
-rw-r----- 1 bandit5 bandit4 33 2012-05-10 23:51 -file06
-rw-r----- 1 bandit5 bandit4 33 2012-05-10 23:51 -file07
-rw-r----- 1 bandit5 bandit4 33 2012-05-10 23:51 -file08
-rw-r----- 1 bandit5 bandit4 33 2012-05-10 23:51 -file09
bandit4@melissa:~/inhere$ file ./-*
./-file00: data
./-file01: data
./-file02: data
./-file03: data
./-file04: data
./-file05: data
./-file06: data
./-file07: ASCII text
./-file08: data
./-file09: data
bandit4@melissa:~/inhere$ cat ./-file07
koReBOKuIDDepwhWk7jZC0RTdopnAYKh
```
Level 5 -> 6:
This is similar to the previous level, except we have some more file attributes to look for, as well as more files to look through.
```
bandit5@melissa:~$ ls
inhere
bandit5@melissa:~$ cd inhere
bandit5@melissa:~/inhere$ ls -la
total 88
drwxr-x--- 22 root bandit5 4096 2012-05-10 23:51 .
drwxr-xr-x 3 root root 4096 2012-05-10 23:51 ..
drwxr-x--- 2 root bandit5 4096 2012-05-10 23:51 maybehere00
drwxr-x--- 2 root bandit5 4096 2012-05-10 23:51 maybehere01
drwxr-x--- 2 root bandit5 4096 2012-05-10 23:51 maybehere02
drwxr-x--- 2 root bandit5 4096 2012-05-10 23:51 maybehere03
drwxr-x--- 2 root bandit5 4096 2012-05-10 23:51 maybehere04
drwxr-x--- 2 root bandit5 4096 2012-05-10 23:51 maybehere05
drwxr-x--- 2 root bandit5 4096 2012-05-10 23:51 maybehere06
drwxr-x--- 2 root bandit5 4096 2012-05-10 23:51 maybehere07
drwxr-x--- 2 root bandit5 4096 2012-05-10 23:51 maybehere08
drwxr-x--- 2 root bandit5 4096 2012-05-10 23:51 maybehere09
drwxr-x--- 2 root bandit5 4096 2012-05-10 23:51 maybehere10
drwxr-x--- 2 root bandit5 4096 2012-05-10 23:51 maybehere11
drwxr-x--- 2 root bandit5 4096 2012-05-10 23:51 maybehere12
drwxr-x--- 2 root bandit5 4096 2012-05-10 23:51 maybehere13
drwxr-x--- 2 root bandit5 4096 2012-05-10 23:51 maybehere14
drwxr-x--- 2 root bandit5 4096 2012-05-10 23:51 maybehere15
drwxr-x--- 2 root bandit5 4096 2012-05-10 23:51 maybehere16
drwxr-x--- 2 root bandit5 4096 2012-05-10 23:51 maybehere17
drwxr-x--- 2 root bandit5 4096 2012-05-10 23:51 maybehere18
drwxr-x--- 2 root bandit5 4096 2012-05-10 23:51 maybehere19
bandit5@melissa:~/inhere$ find ./ -size 1033c
./maybehere07/.file2
bandit5@melissa:~/inhere$ cat ./maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7
```
Level 6 -> 7:
The file can be anywhere on the server, but we are given its attributes. This is a job for find. The redirection attached to the end of the command (2>/dev/null) gets rid of find's garbage error output and allows viewing of our password file amongst several others with the same attributes.
```
bandit6@melissa:~$ find / -user bandit7 -group bandit6 -size 33c 2>/dev/null
/var/lib/dpkg/info/bandit7.password
bandit6@melissa:~$ cat /var/lib/dpkg/info/bandit7.password
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
```
Level 7 -> 8:
The password for the next level is stored in the file data.txt next to the word millionth. We can pipe cat to grep for this.
```
bandit7@melissa:~$ ls
data.txt
bandit7@melissa:~$ cat data.txt | grep millionth
millionth cvX2JJa4CFALtqS87jk27qwqGhBM9plV
```
Level 8 -> 9:
Here we need to find a unique line among many. We can pipe a few commands together to do this. Note the commands do need to be in this order: uniq only compares adjacent lines, so the input has to be sorted first.
```
bandit8@melissa:~$ ls
data.txt
bandit8@melissa:~$ cat data.txt | sort | uniq -u
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
```
Level 9 -> 10:
The password for the next level is stored in the file data.txt among a few lines of human-readable strings starting with ‘=’ characters.
```
bandit9@melissa:~$ ls
data.txt
bandit9@melissa:~$ strings data.txt | grep '='
========== the
R=ev2,
NF=!^
M5Q=
========== password
TuI@=
========== iss
c =$
w=RO
eD=p
jR=JlB
G========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
:=*1p
KA=%
```
We can see our password string amongst our output.
Level 10 -> 11:
The password for the next level is stored in the file data.txt, which contains base64 encoded data. We need to decode the file.
```
bandit10@melissa:~$ ls
data.txt
bandit10@melissa:~$ base64 -d data.txt
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR
```
Level 11 -> 12:
The password is encoded using simple rot13 encryption. There are many options to solve this including using various scripting languages and simply using an online rot13 decoder. Let’s try a solution in our shell.
```
bandit11@melissa:~$ ls
data.txt
bandit11@melissa:~$ cat data.txt | tr a-zA-Z n-za-mN-ZA-M
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
```
That command is given on the Wikipedia page for rot13.
Level 12 -> 13:
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it is necessary to create a directory under /tmp in which you can work using mkdir. We need to decompress and check the file over and over again until we get the right format.
```
bandit12@melissa:~$ ls
data.txt
bandit12@melissa:~$ file data.txt
data.txt: ASCII text
bandit12@melissa:~$ mkdir /tmp/stw
bandit12@melissa:~$ cd /tmp/stw
bandit12@melissa:/tmp/stw$ xxd -r ~/data.txt > data.txt
bandit12@melissa:/tmp/stw$ file data.txt
data.txt: gzip compressed data, was "data2.bin", from Unix, last modified: Thu May 10 23:52:05 2012, max compression
bandit12@melissa:/tmp/stw$ zcat data.txt > dataNew
bandit12@melissa:/tmp/stw$ ls
dataNew data.txt
bandit12@melissa:/tmp/stw$ file dataNew
dataNew: bzip2 compressed data, block size = 900k
bandit12@melissa:/tmp/stw$ bzip2 -d dataNew
bzip2: Can't guess original name for dataNew -- using dataNew.out
bandit12@melissa:/tmp/stw$ ls
dataNew.out data.txt
bandit12@melissa:/tmp/stw$ file dataNew.out
dataNew.out: gzip compressed data, was "data4.bin", from Unix, last modified: Thu May 10 23:52:05 2012, max compression
bandit12@melissa:/tmp/stw$ zcat dataNew.out > evenNewer
bandit12@melissa:/tmp/stw$ ls
dataNew.out data.txt evenNewer
bandit12@melissa:/tmp/stw$ file evenNewer
evenNewer: POSIX tar archive (GNU)
bandit12@melissa:/tmp/stw$ tar -xvf evenNewer
data5.bin
bandit12@melissa:/tmp/stw$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@melissa:/tmp/stw$ tar -xvf data5.bin
data6.bin
bandit12@melissa:/tmp/stw$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@melissa:/tmp/stw$ bzip2 -d data6.bin
bzip2: Can't guess original name for data6.bin -- using data6.bin.out
bandit12@melissa:/tmp/stw$ ls
data5.bin data6.bin.out dataNew.out data.txt evenNewer
bandit12@melissa:/tmp/stw$ file data6.bin.out
data6.bin.out: POSIX tar archive (GNU)
bandit12@melissa:/tmp/stw$ tar -xvf data6.bin.out
data8.bin
bandit12@melissa:/tmp/stw$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", from Unix, last modified: Thu May 10 23:52:05 2012, max compression
bandit12@melissa:/tmp/stw$ zcat data8.bin > lost
bandit12@melissa:/tmp/stw$ ls
data5.bin data6.bin.out data8.bin dataNew.out data.txt evenNewer lost
bandit12@melissa:/tmp/stw$ file lost
lost: ASCII English text
bandit12@melissa:/tmp/stw$ cat lost
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
```
At last, we have our password.
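The check-then-decompress loop above can be scripted by looking at each layer's magic bytes, which is what `file` does for these formats. This is an added example, not part of the original post; the function names are assumptions and the input is a constructed sample built by `build_sample()`, not the level's real data.

```python
import bz2
import gzip
import io
import tarfile

def xxd(data):
    """Hexdump in xxd's default layout (offset, hex groups, ASCII column)."""
    rows = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{off:08x}: {chunk.hex(' ', -2):<39}  {text}")
    return "\n".join(rows)

def xxd_reverse(dump):
    """Equivalent of `xxd -r`: keep only the hex columns of each row."""
    rows = (ln.split(":", 1)[1].lstrip().split("  ", 1)[0] for ln in dump.splitlines())
    return bytes.fromhex("".join(rows))

def peel(data, max_layers=32):
    """Strip gzip/bzip2/tar layers in memory; return (layers, payload).

    The layer cap stops a hostile file from nesting without end, and tar
    members are read from memory so nothing is extracted to disk.
    """
    layers = []
    for _ in range(max_layers):
        if data[:2] == b"\x1f\x8b":            # gzip magic
            layers.append("gzip")
            data = gzip.decompress(data)
        elif data[:3] == b"BZh":               # bzip2 magic
            layers.append("bzip2")
            data = bz2.decompress(data)
        elif data[257:262] == b"ustar":        # tar magic at offset 257
            layers.append("tar")
            with tarfile.open(fileobj=io.BytesIO(data)) as tar:
                member = next(m for m in tar if m.isfile())
                data = tar.extractfile(member).read()
        else:
            return layers, data
    raise ValueError("more than max_layers nested layers")

def build_sample():
    """Constructed input: text -> tar -> gzip -> bzip2 -> gzip -> hexdump."""
    payload = b"The password is CONSTRUCTED-EXAMPLE-VALUE\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("data8.bin")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return xxd(gzip.compress(bz2.compress(gzip.compress(buf.getvalue()))))
```

Calling `peel(xxd_reverse(build_sample()))` returns the list of layers that were removed, outermost first, together with the final plain-text payload.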
Level 13 -> 14:
This one switches things up a little. The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. We need to borrow an SSH key to move on.
```
bandit13@melissa:~$ ls
sshkey.private
bandit13@melissa:~$ ssh -i sshkey.private bandit14@localhost
Could not create directory '/home/bandit13/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 9d:09:d9:46:84:df:f9:dd:cc:7c:dc:49:a0:95:b2:10.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit13/.ssh/known_hosts).
bandit14@melissa:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
```
And just like that, we are dumped into bandit14’s shell.
Level 14 -> 15:
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost. Here we have a lesson in telnet. Basically, we will use telnet to connect to localhost on port 30000 and enter the password while we are still in bandit14’s shell.
```
bandit14@melissa:~$ telnet localhost 30000
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr
Connection closed by foreign host.
```
Level 15 -> 16: