Bash Bandit Levels 0‐20 - rune-seregina/sys255-fa24 GitHub Wiki

Check out Bash Bandit and OverTheWire's other games!

Table of Contents

Bandit Levels 0-5

Bandit 0-1:

The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.

  • ls
    • lists subdirectories and files in a given directory (default is current directory if not otherwise specified). I performed this command to see if the “readme” file (where the level instructions pointed me towards) was in the directory that I was already in.
  • cat readme
    • “concatenate”, used in this case to display the contents of a file (readme)
  • copied password
  • ssh [email protected] -p 2220
  • right-click to paste the password

Bandit 1-2:

The password for the next level is stored in a file called - located in the home directory

  • ls
    • lists subdirectories and files in a given directory. I performed this command to see if the “-” file (where the level instructions pointed me towards) was in the directory that I was already in.
  • cat ./-
    • displays the contents of a dashed file name. The reason the “./” syntax is used is because the “-” symbol has a meaning in Linux, which is to specify a standard input (as in, no flags are being added to the command). The “./” changes this dash into plaintext, for the system to understand that I am attempting to access a dashed file name.
  • copied password
  • ssh [email protected] -p 2220
  • right-click to paste the password

Bandit 2-3:

The password for the next level is stored in a file called spaces in this filename located in the home directory.

  • ls
    • lists subdirectories and files in a given directory. I performed this command to see if the “spaces in this filename” file (where the level instructions pointed me towards) was in the directory that I was already in.
  • cat “spaces in this filename”
    • displays the contents of a file name with spaces. Quotation marks are necessary to identify the entirety of the filename, and not just the first word, since usually a filename is usually one word and the system doesn’t know to look for spaces automatically.
  • copied password
  • ssh [email protected] -p 2220
  • right-click to paste the password

Bandit 3-4:

The password for the next level is stored in a hidden file in the inhere directory.

  • ls
    • lists subdirectories and files in a given directory. I performed this command to see if the “inhere” directory (where the level instructions pointed me towards) was in the directory that I was already in.
  • cd ~/inhere
    • “change directory” to “inhere” (within the root directory, ~)
  • ls -a
    • lists **all **(-a) subdirectories and files in a given directory, including hidden files.
  • cat …Hiding-From-You
    • displays the contents of a file, in this case with the name “...Hiding-From-You”, which I saw in the directory after using the -ls -a command.
  • copied password
  • ssh [email protected] -p 2220
  • right-click to paste the password

Bandit 4-5:

The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.

  • ls
    • lists subdirectories and files in a given directory. I performed this command to see if the “inhere” directory (where the level instructions pointed me towards) was in the directory that I was already in.
  • cd ~/inhere
    • “change directory” to “inhere” (within the root directory, ~)
  • ls
    • lists subdirectories and files in a given directory. I performed this command to scope out the files in the directory that may potentially hold the password.
  • Try cat ./-file00 - -file09
    • seeing as there were 9 files, named -file00 through -file09, I decided to “cat” (see the contents of) each of these files one by one (using ./ in order to counteract the “-” in the filename as explored in Bandit 1-2).
  • copied password
  • ssh [email protected] -p 2220
  • right-click to paste the password

Bandit 5-6:

The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:

  • human-readable
  • 1033 bytes in size
  • not executable
  • ls
    • lists subdirectories and files in a given directory. I performed this command to see if the “inhere” directory (where the level instructions pointed me towards) was in the directory that I was already in.
  • cd ~/inhere
    • “change directory” to “inhere” (within the root directory, ~)
  • ls -la
  • Try ls -l ~/inhere/maybehere00-19 | grep 1033
    • Using the hint from the OverTheWire website that the password is stored in a file that is 1033 bytes in size, I can use the ls -l command on all 18 subdirectories of the /inhere directory, and using “grep 1033”, only files with 1033 bytes are returned. ~/inhere/maybehere07/.file2 returns a grep output, signifying that it matches my requirements.
  • copied password
  • ssh [email protected] -p 2220
  • right-click to paste the password

Bandit Levels 6-10

Bandit 6-7:

The password for the next level is stored somewhere on the server and has all of the following properties:

  • owned by user bandit7
  • owned by group bandit6
  • 33 bytes in size
  • ls -la
    • lists all (-a) subdirectories and files in a given directory, including hidden files, along with the mode, number of links, owner, group, size (in bytes), and time of last modification for each file (-l).
  • find / -type f -user bandit7 -group bandit6
    • the “find” command searches for a specified file/directory within a directory. “/” signifies that I want to search all directories branching off my starter directory. The “-type” flag can be used to signify the type of file/directory to be found, most commonly “f” for file, “d” for directory, etc. In this case, I am searching for files. The “-user” and “-group” flags are pretty self explanatory, signifying that I am looking for a file where the owner is the user “bandit7” and the group is “bandit6”.
  • cat /var/lib/dpkg/info/bandit7.password
    • displays the contents of a file when given the files’s directory. I used this to read the file containing the password as discovered via knowing its properties and the find command.
  • copied password
  • ssh [email protected] -p 2220
  • right-click to paste the password

Bandit 7-8:

The password for the next level is stored in the file data.txt next to the word millionth.

  • ls
    • lists subdirectories and files in a given directory. I performed this command to see if the “data.txt” file (where the level instructions pointed me towards) was in the directory that I was already in.
  • cat ./data.txt | grep millionth
    • displays the contents of “data.txt” within the current directory (“./” for shorthand), while finding and extracting the string of text “millionth” as per the level instructions, which returned the entire line containing the word “millionth” including the password.
  • copied password
  • ssh [email protected] -p 2220
  • right-click to paste the password

Bandit 8-9:

The password for the next level is stored in the file data.txt and is the only line of text that occurs only once.

  • ls
    • lists subdirectories and files in a given directory. I performed this command to see if the “data.txt” file (where the level instructions pointed me towards) was in the directory that I was already in.
  • sort ./data.txt | uniq -u
    • sort is used to arrange the contents of a file (line by line). The default settings of sort will arrange lines alphabetically. I am sorting “data.txt” alphabetically, which is in he current directory (“./” for shorthand). Then, I use a pipe “|” to feed this input into my next command, which will tell me which line occurs only once.
  • uniq -u
    • used to show or filter out repeating lines in a file. The “-u” flag only outputs lines that are unique in the input. Pairing this command with sort allows duplicate lines to appear next to each other, and then be filtered out using the “-u” flag.
  • copied password
  • ssh [email protected] -p 2220
  • right-click to paste the password

Bandit 9-10:

The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.

  • ls
    • lists subdirectories and files in a given directory. I performed this command to see if the “data.txt” file (where the level instructions pointed me towards) was in the directory that I was already in.
  • strings ./data.txt | grep =
    • “strings” extracts and outputs all text (alphanumeric characters, as opposed to binary, punctuation, whitespace, etc.) in a file. Since the level instructions also say that the password is preceded by the “=” character, we can “grep” or extract this from the output using a pipe (|).
  • copied password
  • ssh [email protected] -p 2220
  • right-click to paste the password

Bandit 10-11:

The password for the next level is stored in the file data.txt, which contains base64 encoded data.

  • ls

    • lists subdirectories and files in a given directory. I performed this command to see if the “data.txt” file (where the level instructions pointed me towards) was in the directory that I was already in.

  • base64 --decode ./data.txt

    • decodes given data encoded in base64, in this case, data.txt.

  • copied password

  • ssh [email protected] -p 2220

  • right-click to paste the password

Bandit Levels 11-15

Bandit 11-12:

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions.

  • ls
    • lists subdirectories and files in a given directory. I performed this command to see if the “data.txt” file (where the level instructions pointed me towards) was in the directory that I was already in.
  • cat data.txt
    • displays the contents of “data.txt”, I used this to scope out the contents and confirm that, as the directions state, the characters of the file have been rotated
  • cat ./data.txt | tr ‘[A-Za-z]’ ‘[N-ZA-Mn-za-m]’
    • now, I’m using “cat” to display the contents of “data.txt” but piping (|) this output into another command, which is the “tr” command for translating in filtering characters. The first command of brackets is the first set, or the set I am translating from which is the alphabetic characters “A-Z” (uppercase) and “a-z” lowercase, written as “[A-Za-z]”. The next set is what I am translating to or the substitution set, which is the alphabet rotated by 13 letters (known as ROT13). The syntax for this shows that I am mapping “N-Z” (uppercase) to “A-M” (uppercase) and mapping “n-z” (lowercase) to “a-m” (lowercase), written as “[N-ZA-Mn-za-m]”. The command then returned the translated output as per my specifications from the original data.txt file
  • copied password
  • ssh [email protected] -p 2220
  • right-click to paste the password

Bandit 12-13:

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work. Use mkdir with a hard to guess directory name. Or better, use the command “mktemp -d”. Then copy the datafile using cp, and rename it using mv (read the manpages!)

  • ls
    • lists subdirectories and files in a given directory. I performed this command to see if the “data.txt” file (where the level instructions pointed me towards) was in the directory that I was already in.
  • mktemp -d
    • generates a temporary file or directory with a randomized name, run with the -d flag for a directory
  • cp ./data.txt /tmp/tmp.[directoryname]
    • copy the file “data.txt” and its contents to the directory I just created
  • cd /tmp/tmp.[directoryname]
    • change my current directory to the directory I just created
  • file data.txt
    • determines the type of file based on its contents, rather than its extension. I will run this command continuously to identify the type of compression used on “data.txt”.
  • xxd -r data.txt > data2.txt
    • since the “file” command returned that the file was made of an ASCII dump, I researched what command can be used to revert this and found that “xxd -r” reverses the hex dump of a file made using “xxd”. I used the command to revert “data.txt” and move the contents to file called “data2.txt”, using numbers to count the variations of the file I create.
  • cp ./data2.txt ./data3.txt.gz
    • after determining the file contents using the file command of the newly decompressed “data2.txt” to be gzip compressed data, I copied the file to a file called “data3.txt.gz”, with the added extension so it can be recognized and decompressed by the command ‘gzip”.
  • gzip -d ./data3.txt.gz
    • since the “file” command returned that the file was gzip compressed data, I used the “gzip -d” command to revert the gzip compression on “data3.txt.gz”, which will save to “data3.txt”
  • cp ./data3.txt ./data4.txt.bz2
    • after determining the file contents using the file command of the newly decompressed “data3.txt” to be bzip2 compressed data, I copied the file to a file called “data4.txt.bz2”, with the added extension so it can be recognized and decompressed by the command ‘bzip2”.
  • bzip2 -d ./data4.txt.bz2
    • since the “file” command returned that the file was bzip2 compressed data, I used the “bzip2 -d” command to revert the gzip compression on “data4.txt.bz2”, which will save to “data4.txt”
  • cp ./data5.txt ./data6.txt.tar
    • after determining the file contents using the file command of the newly decompressed “data5.txt” to be tar compressed data, I copied the file to a file called “data6.txt.tar”, with the added extension so it can be recognized and decompressed by the command ‘tar”.
  • tar xvf ./data6.txt.tar
    • since the “file” command returned that the file was tar compressed data, I used the “tar xvf” command to revert the tar compression on “data6.txt.tar”, which will save to “data5.bin”. The “xvf” are three different flags used for tar, “x” for extract, “v” to display a detailed output about the process, and “f” to specify the file for the process.
  • Repeat process as needed until the “file” command returns that the file is ASCII text
  • cat data10.bin
    • displays the contents of “data10.bin”, which now contains the original, uncompressed password
  • copied password
  • ssh [email protected] -p 2220
  • right-click to paste the password

Bandit 13-14:

The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on.

  • ls
    • lists subdirectories and files in a given directory. I performed this command to scope out what resources were available to me in my current directory. I found that there was a file called sshkey.private.
  • ssh -i sshkey.private bandit14@localhost -p 2220
    • the “ssh” command in Linux allows secure connection to a remote machine. After Googling the manual for the “ssh” command in Linux (also available by running the command “man ssh”, but PowerShell doesn’t like this), I found that the “-i” flag allows a user to specify a private key file. Since I had access to this private key in the “sshkey.private” file, I used the correct “ssh” command syntax to remotely connect to bandit14. cat /etc/bandit_pass/bandit14 - Once remotely connected to bandit14 via SSH, I am now able to run commands as bandit14, including retrieving (reading using “cat”) the password from the corresponding password file, located at /etc/bandit_pass/bandit14 as specified in the level description.

Bandit 14-15:

The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

  • ncat localhost 30000
    • after researching the usage and syntax of ncat by Googling the manual for the “ncat” command in Linux (also available by running the command “man ncat”, but PowerShell doesn’t like this), I used this command to connect to the port 30000 on localhost as specified in the level description. (paste bandit14 password) - I submitted the password of the current level as specified in the level description. This returned the password to the next level.
  • copied password
  • ssh [email protected] -p 2220
  • right-click to paste the password

Bandit 15-16:

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL/TLS encryption.

  • man ncat | grep ssl
    • displays the manual for the “ncat” command, then feeds this input into another command using a pipe (|) to find and extract (“grep”) a string (“ssl”). In this case, I want information about how to use SSL/TLS encryption within the “ncat” command.
  • ncat --ssl localhost 30001
    • similar to the last level, I use the ncat command to connect to port 30001 on my localhost, this time using the “--ssl” flag for an SSL encrypted connection.
  • (paste bandit14 password)
    • I submitted the password of the current level as specified in the level description. This returned the password to the next level.
  • copied password
  • opened PuTTY and entered [email protected] using port 2220
  • right-click to paste the password

Bandit Levels 16-20

Bandit 16-17:

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL/TLS and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

  • Why PuTTY? - For this level, I will need to be able to open a text editor, which is not supported in PowerShell.
  • mktemp -d
    • generates a temporary file or directory with a randomized name, run with the -d flag for a directory. I’m creating this temporary directory in order to store a temporary file that I will create to hold the private key I need to access the next level.
  • cd /tmp/tmp.[directoryname]
    • change my current directory to the directory I just created
  • nmap localhost -p 31000-32000
    • after researching the usage and syntax of ncat by Googling the manual for the “nmap” command in Linux, I used this command to connect to get information about the ports in the range “31000-32000” on my localhost. The output returned the open ports and types of ports
  • cat /etc/bandit_pass/bandit16
    • since I will need to submit the password to the correct port, I make sure to copy the password of the current level just in case. ncat --ssl localhost (try ports) - using “ncat” with the flag “--ssl” allows me to connect to ports on the localhost and try submitting the current password until one responds back with a private SSH key, which is 31790.
  • nano sshkey.private
    • I created a new file using the text editor “nano” in my temporary directory in order to paste the private key I received into a file that can be fed into the “ssh” command.
  • chmod 400 sshkey.private
    • short for “change mode”, the chmod command changes the read, write, and execute permissions of a specified file (“sshkey.private”, in this case). The value given to chmod is equivalent to a certain permission setup, where one is the permission for the owner, one is for the group, and one is for everyone else: these permissions can be any combination of of read, write, and/or execute for each of these user groups. “400” grants the owner permission only to read the file and the other groups no permissions for the file. I place such strict permissions on “sshkey.private” because allowing unsecure access to this file will trigger bandit to not perform the “ssh” command due to security reasons.
  • ls -l
    • lists subdirectories and files in a given directory, including hidden files, along with the mode, number of links, owner, group, size (in bytes), and time of last modification for each file (-l). I use this to check if my update of the permissions for “sshkey.private” have been applied. The output read “-r--------”, showing that my permissions applied.
  • ssh -i sshkey.private bandit17@localhost -p 2220
    • the “ssh” command in Linux allows secure connection to a remote machine. I used the newly created “sshkey.private” as the private key for the connection.

Bandit 17-18:

There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new

  • ls
    • lists subdirectories and files in a given directory. I performed this command to view the files in my current directory, which are “passwords.old” and “passwords.new” as the lab description states.
  • diff passwords.new passwords.old
    • I researched what command would best suit my needs to compare the contents of the two files and display the differences, which is the Linux command “diff”. The output displayed one line from each file that was unique between the two files.
  • copied password
  • ssh [email protected] -p 2220
  • right-click to paste the password

Bandit 18-19:

The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

  • ssh -T [email protected] -p 2220
    • the “ssh” command in Linux allows secure connection to a remote machine. I Googled the SSH manual and looked for an option that could allow me to bypass the changes made to the “.bashrc” file. I learned that “.bashrc” files hold configurations for the terminal instance that is started when a user logs in. In order to bypass this, I looked for an SSH option that allowed me to remote connect without entering a terminal instance. The “-T” flag is defined as “Disable pseudo-terminal allocation”. By using this flag, I was able to connect to bandit19 without being forcibly logged out.
  • ls
    • lists subdirectories and files in a given directory. I performed this command to scope out the files in my current directory, which returned the file “readme”.
  • cat readme
    • “concatenate”, used in this case to display the contents of a file (readme)
  • copied password
  • ssh [email protected] -p 2220
  • right-click to paste the password

Bandit 19-20:

To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

  • ls
    • lists subdirectories and files in a given directory. I performed this command to scope out the files in my current directory, which returned the file “bandit20-d0”.
  • ./bandit20-do
    • Per the level description, I ran this setuid binary on its own to receive a description of how to use it. “./” in this case means to execute a script or program in the current directory. It returned that this command allows me to “run a command as another user”.
  • ./bandit20-do cat /etc/bandit_pass/bandit20
    • Knowing that I could use this command to run a command as another user (presumably bandit20), I ran the command to get the next level’s password: “cat /etc/bandit_pass/bandit20” as user bandit20. This returned the password for the next level.
  • copied password
  • ssh [email protected] -p 2220
  • right-click to paste the password

Bandit 20-21:

There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

  • ls
    • lists subdirectories and files in a given directory. I performed this command to scope out the files in my current directory, which returned the file “suconnect”.
  • ./suconnect
    • Again, I ran this setuid binary on its own to receive a description of how to use it. It returned that this command allows me to “connect to a given port on localhost using TCP. If it receives the correct password from the other side, the next password is transmitted back”.
  • Open a new session for ncat
    • Doing some research, I concluded that I could open a port to “listen” on using the Linux tool “ncat”. In order to be able to have a listening port and an instance that can submit the password on that open port, I had to open a new session for bandit20.
  • Session 2: cat /etc/bandit_pass/bandit20 | ncat -l localhost 8888
    • Since I need this new instance to transmit the password and have my other instance listen, I use “cat” to display the contents of the current password file located at “/etc/bandit_pass/bandit20”, and then pipe (|) this output into my next command which creates an ncat listening session (as denoted by the -l flag) on port 888 (arbitrary port I chose) of localhost.
  • Session 1: ./suconnect 8888
    • Now, I can use the setuid binary to connect to the listening ncat port that is transmitting the level’s password. I receive the text “Read:” followed by the bandit20’s password, and then “Password matches, sending next password”. On Session 2, I can see the newly transmitted password for bandit21.
  • copied password
  • ssh [email protected] -p 2220
  • right-click to paste the password
⚠️ **GitHub.com Fallback** ⚠️