Bandit

Level 0 → 1
User: bandit0 Pass: bandit0

At level 0 you learn the steps to log in, open the file labeled “read me” and copy the password found
there.

From your terminal, type: ssh [email protected] -p2220

This takes you to the proper port on the overthewire servers (port 2220). Enter the password, “bandit0”
and hit enter.

You will be taken to the bandit0 home directory. Type “ls” to list the files in the home directory. The only
file is called “read me” and it’s the one you want. Open the “read me” file by typing “cat readme” and
hitting enter. The command “cat” stands for “concatenate” and means “to string together or join.” For our
purposes at this level, we’ll use it to “open” a file in Linux.

The password will be displayed on your screen and will look like a long (32 or so characters) string of
random letters and number.

Copy and paste this password in a safe place (in case you need to start over).

Exit the bandit0 server by typing “exit” and hitting enter. Proceed to level 1.

If you’ve just left a level, you can hit the up arrow and the last command you typed will autofill. Change
the “0” in bandit0 to a “1” and hit enter. If you’re starting fresh, you’ll need to type the entire location
address: [email protected] -p2220

Level 1→2
Pass: IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

The goal of level 1 is to learn how to open files that have a dash (-) at the front of the filename. You
cannot just type “cat -filexyz” and expect the file to open. The way to open files with this naming
convention is to use the “cat ./-file” format or using the full file path “/home/user/-”.

Typing “ls” into the terminal shows a single file named “-“.

Type “cat ./-“ and hit enter to open this file and copy/paste the password into your safe location.

Exit from the server by typing “exit” and hitting enter.

Level 2→3
Pass: CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

In level 2 we will learn how to open files that contain spaces within the filename. The goal is to locate
and open a file called “spaces in this filename” that is contained in the home directory.

After signing in to level 2, type “ls” to list the files contained in the home directory. The one you want is
called “spaces in this filename” but you cannot just type “cat spaces in this filename” and expect the file
to open. This is because Linux sees the spaces in the filename and interprets them as separate items. In
other words, Linux thinks that you’re trying to open four different files called, “spaces,” “in,” “this,” and
“filename” all at the same time (and of course those files don’t actually exist).

To get Linux to interpret the spaces as part of the actual filename you must use quotation marks around
the filename. To do this, type the following: cat “spaces in this filename” and then hit enter. By putting
quotation marks before the word “spaces” and after the word “filename” you are telling Linux to ignore
the spaces and treat the entire thing as a single filename.

Grab the password and save to your safe location before exiting. (Type “exit” and hit enter to leave the
server.)

Level 3→4
Pass: UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

The goal of level 3 is to locate a hidden file in the “in here” directory. Normally when you’re in a
directory, you can tell Linux to display files by typing “ls” and hitting enter. However, when files contain
a “.“ in front of the filename, Linux will not display those files after a simple “ls” command. They are still
present in the directory, but are considered “hidden” files because they don’t show up unless you type “ls
-a” and hit enter. This “list all” command will then display all of the files in the directory, even ones that
had been previously hidden.

Sign into level 3. Type “ls” to list all the directories. The “inhere” directory is the only one that shows up.
Navigate to the inhere directory by typing “cd inhere.” Then type “ls” and you’ll see that nothing shows
up. The directory appears to be empty. Then type “ls -a” and you’ll see that there actually is a hidden file
called “.hidden.” Open the hidden file by typing cat .hidden and hit enter. Grab the password and exit.
(Don’t forget to save the password in your safe place.)

Level 4→5
Pass: pIwrPrtPN36QITSp3EQaw936yaFoFgAB

The goal of level 4 is to locate the only human-readable file in the inhere directory. There are multiple
files but only one of them contains ASCII data (data that a human would likely understand). One way to
tell Linux to display the type of data a group of files contains is to type “file ./*” and hit enter.

Sign into level 4. List the directories (ls). Change directories (cd) to the inhere directory. Type ls to list
files. (If you want, you can then type “ls -a” to double-check to see if there are any hidden files.) You will
see a list of files from 1-9. At this point you can see the files, but you don’t know which ones are human-
readable, if any.

Type “file ./*” and hit enter. You will then see the same list of files but this time the type of information
contained in each file will be listed. Most of the files just show “data” but one of them (-file07) shows
“ASCII.” This is the human-readable file. Type “cat -file07” (you may have to type the entire pathname:
“cat ./-file07”) and hit enter. Grab your password and exit.
Level 5→6
Pass: koReBOKuIDDepwhWk7jZC0RTdopnAYKh

The goal of level 5 is similar to the goal of level 4. You must locate a human-readable file that is also
1033 bytes in size and is not executable. To do this you must locate files, filter by human readable (just
like in level 4) and then convince Linux to display the file size also. Note: there may be more than one
file that is 1033 bites in size and/or there may be more than one human-readable file.

There are a couple of different ways to approach this task (and there may be more I’m not aware of).
We’ll look at two here. The command “du” in Linux stands for “disk usage” and when entered, will
display the file size of files in a directory. The default unit is kilobytes, but by adding -b to the end of the
du command, Linux will display the file sizes in actual bytes.

Try this now. Sign in to level 5 and list directories (ls). Navigate to the inhere directory (cd inhere) and
display the files in the directory with “ls” or “ls -a.” You’ll see 20 other directories, numbered 0 – 19.
However, Linux isn’t showing you the size of these directories, so we have more work to do. Typing “du”
will cause Linux to show you the file sizes of each item in the directories. Try this now.

As you can see, the file sizes are now shown, but again, they’re displayed in kilobytes and we want to
know the actual byte size (so we can look for any that are exactly 1033 bytes in size). Note: there may not
appear to be any rhyme or reason to the order – they’re not listed by file size or by filename.

Type “du -b” to see the files sizes in bytes. When you hit enter, you’ll see all 20 sub-directories listed
along with their file sizes. So, all we have to do is look for the one that’s 1033 bytes, right? But wait a
minute, there isn’t one that’s exactly 1033 bytes. What’s going on? The answer is that the du -b command
is showing the file size of the entire directories, and there are multiple files in these directories. What
we’re looking for is a single file that is 1033 bytes in size (and that is human readable).

To see the file sizes of every individual file in the directories we have to add an “all” flag (-a) to the “du -
b” command. To do this, type “du -ab” and hit enter. This is a command to list file sizes (displayed in
bytes) and to show all of the individual internal files. Although you get a long list, it is now possible to
look through the entire list for a single file that is exactly 1033 bytes in size.

Towards the bottom of the list, you’ll find a file called “maybehere07/.file2” that shows a size of exactly
1033 bytes. Because this is the only file of that exact size, we know this must be the one we’re looking for
(and it is). To be honest, solving this level by using “du -ab” is cheating a tiny bit. We were asked to find
a file of 1033 bytes that was human readable. In my opinion, this level should have contained several files
that were exactly 1033 bytes in size and we should have to figure out which ones of these were human
readable. While it is possible to look at the type of data contained in these files (see Level 4), I’m not
aware of any single command that shows the data type AND lists by file size.

Another method for showing the file size for all of these directories is to navigate to the inhere directory
and then type the command “find -type f -size 1033c” and hit enter. This will search the entire inhere
directory but will only return results that are exactly 1033 bytes in size. The “c” at the end of 1033c
means “bytes.” Why doesn’t “b” stand for bytes? Nobody knows. Just kidding, “b” stands for “blocks”
and is a different unit of file size measurement.

Open the file named .file2 using “cd ./maybehere07” and then “cat .file2” and grab the password for the
next level. (Typing “cat ./maybehere07/.file2” would also work.)
This level was very similar to level4. That may be just for practice or it may be an oversight on the part of
the overthewire creators. I was hoping to learn a single command that sorted by “human readable” and
“file size” all at the same time (or perhaps a 2-step process for that) but it turns out it wasn’t needed. Just
sorting by file size, using one of the two methods shown above, is sufficient. du -ab | grep "1033"

Exit and proceed to level 6.

Level 6→7
Pass: DXjZPULLxYr17uwoI01bNLQbtFemEgo7

The goal of level 6 is to locate a file that is stored somewhere on the server and is owned by user bandit7
and group bandit6. We are also told that the file size is 33 bytes.

There actually exists a command that you can type that will give you all of this information (at least in
theory.) Try typing “find / type -f -user bandit7 -group bandit6 -size 33c” and hit enter. Most likely you
got a lot of “permission denied” messages. This is because that “find” command that you just entered
isn’t just looking in your home directory, but in many other directories that you don’t have permission to
be in. The answer we’re looking for is actually in that list, but we want a way of isolating it. We do this
by filtering out all of the “permission denied” messages.

Using what’s known as a “redirection operator” we can essentially send all of these “permission denied”
messages to the trash and leave only the results that we’re looking for.

First, let’s learn what redirection is. You’ll often hear that “Everything in Linux is file based.” While
that’s not technically true, it’s close enough for our purposes. Everything, from actual files, to devices, to
directories are “files.” And every file has a number called a “file descriptor” (fd) number. Linux’s
standard input (stdin) device is (usually) the keyboard. The file descriptor for the standard input is 0. The
standard output (stdout) device is (usually) the screen. The fd for the standard output is 1. There is also
something called a “standard error” (stderr). The fd for the standard error is 2.

When we asked Linux to search through a bunch of places that we don’t have permissions to be in, it
returned a bunch of error messages and sent them to the standard output, which (in this particular case) is
our screen. In other words, it showed us those errors (and they got in our way because there were so many
of them). Using a redirection operator, we’re going to tell Linux to send those error messages somewhere
else. The messages are technically still being generated, but we’re not going to see them!

Type “find / type -f -user bandit7 -group bandit6 -size 33c 2>/dev/null” and hit enter.

You’ll notice this is the same command as before, only we’ve told Linux to send any error messages to a
file called /dev/null. Remember, the standard error file descriptor was a “2” which is where the 2 in 2>
comes from. In plain English this command would say, “Search every directory for a file belonging to
user bandit7, group bandit6 and that has a file size of 33 bytes. Oh, and send any errors to this junk file.”

Linux will return a single file: “/var/lib/dpkg/info/bandit7.password”. This is the file we’re looking for
(and it’s the only file that meets our criteria). “Cat” that file to open it and reveal the password.

cat /var/lib/dpkg/info/bandit7.password

Grab that password and exit.

The goal of level 7 is to find a password that is right next to the word “millionth” in a file called
“data.txt.” In Linux there are often multiple ways to solve a given problem. The problem on this level is
no different. The specific solution we’re going to look at introduces two extremely useful Linux tools;
piping and grep. Both will be used to locate the password in this level.

Before we explore new Linux techniques, let’s try what we already know. After entering the password,
list the contents of the home directory by typing “ls” (or “ls -a”). You will see the file we’re after
(data.txt) listed. You might think to just try opening the file and looking for the word “millionth.” Try it,
with “cat data.txt” and hit enter.

Uh-oh. It’s a huge file with dozens and dozens of lines of text. Looking through them all to find the word
“millionth” is certainly possible, but there’s a better way: filter out the stuff we don’t want. That’s where
piping and grep come in handy.

We’ll cover piping first. Piping in Linux is a function that takes an output from one command and sends it
to another command. In layman’s terms, piping can be thought of as an operator that links together two
(or more) commands. You “pipe” commands together using the vertical “slash” that is shown above the
‘enter’ key on most keyboards. So, X | Y would be acted upon by Linux as, “Do X, then send that result
to Y.” Or you can think of it as “Do X, then do Y.”

The command “grep” is a search command. Its name derives from a similar Unix command and comes
from the phrase “globally search a regular expression and print.” Grep will look through a file (or files)
for a variety of things you tell it to search for and will display the output onscreen.

We’re going to use these two concepts to help us filter out all of the junk that we don’t want and leave
only the word “millionth” (and the rest of the data on that line) isolated.

Look at this command: cat data.txt | grep -i “millionth”. Reading left to right, we can see that this
command is opening (cat) the file we’re after (data.txt) and then piping (sending) the output to another
command (grep) which is looking for the word “millionth.”

The only thing we haven’t covered is the “-i” that comes just after the grep command. This is a flag that
tells Linux to ignore case-sensitivity. In other words, Linux would have returned “millionth,” “Millionth”
or even “MILLIONTH.” As it happens, there is only one “millionth” in the file, so the command
would’ve worked without that flag (cat data.txt | grep “millionth”), but we’ve included it just to
demonstrate some different varieties of grep commands. There are others and you should read the “man
grep” document.

Grab the password and exit.

Level 8→9
Password: cvX2JJa4CFALtqS87jk27qwqGhBM9plV
The goal of level 8 is to locate the only line of text (our password) in the file data.txt that occurs only
once. We will do this by building on one of the skills we learned in level 7 (piping) and adding a couple
of new skills: sorting and filtering by unique words.

Sign in and list all files. You should see data.txt as one of the files. You can try opening this file (cat
data.txt) but all you’re going to see is a huge list of seemingly random characters hundreds of lines long.
What we need to do is to get Linux to show us only the unique lines. If this was a smaller file, with say,
only a few dozen lines, you could try entering “sort data.txt” and getting Linux to sort all of the lines that
were the same together alphabetically. You could then look for the line that was only present once in the
list.

Try this now. Type “sort data.txt” and hit enter. You’ll see that the list got better, but it’s still way too
large to scroll through reading each line looking for the unique one. To fix this, we’re going to pipe our
sort results to another command: uniq. In Linux, the uniq command will display only those lines that
appear only once. This is exactly what we’re looking for, so we pipe our sort results to uniq like this:
“sort data.txt | uniq -u”.

The reason we need to sort the data first is because uniq only looks at adjacent lines and compares them.
If you tried running uniq on the data.txt file without sorting it first you would get a result, but it wouldn’t
be the result you were looking for.

You could also use “cat data.txt | sort | uniq -u” and get the same result. There is no benefit to doing it this
way, but it illustrates the concept of piping to multiple commands. First you cat (open) the file, then you
send it to the sort function, and finally you list it by unique lines (uniq -u).

You might be wondering why we need the -u flag after the uniq command. This flag causes Linux to print
the lines that appear only once. This is what we wanted. If you don’t use the -u flag, Linux will merge any
lines that repeat. That means that a list like this:

QWERTY
QWERTY
ASDFGH
ASDFGH
ZXCVBN

would be merged into this:

QWERTY
ASDFGH
ZXCVBN

That doesn’t tell us which one of the original lines only appeared once, does it?
Using the -u flag, uniq will take this:

QWERTY
QWERTY
ASDFGH
ASDFGH
ZXCVBN

And return the only truly unique line: ZXCVBN

Clearly those are two different things and we wanted the “uniq -u” output, hence the flag.
Level 9→10
Password: UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

The object of lesson 9 is to filter out all of the “junk” data to reveal the password. This time, the password
is located just after an = symbol (or a series of == symbols). This lesson introduces the concept of
“strings” in Linux and combines it with two ideas we’ve already covered (piping and grep).

In Linux, a string is a series of discrete characters. The “strings” command will return each string of
printable characters in a file. Let’s try this now.

Type “strings data.txt” and see what happens. You’ll get a long list of all of the strings of at least 4
characters. This is because “strings” defaults to a length of 4 if you don’t specify how long you want each
result to be. Also, the command is returning every string in the file. That’s not very helpful, at least not
for this level challenge. We know that the password comes after an = symbol, so what we need is a way to
tell Linux to only return the strings that fall after that symbol in the file.

Using the piping technique learned earlier, we can do just that. Type, “strings data.txt | grep =” and see
what happens.

The output now is about 12 lines and since we know what the format of all of the previous passwords has
been, it’s not too hard to pick out the password for Level 10→11. But there is an even more specific way
to phrase our grep command. Remember, we were told that the password would follow multiple (at least
2) = symbols. So, let’s try that. Type “strings data.txt | grep ==” and see what happens.

Grab and exit.

Level 10→11
Password: truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk

The goal of this level is to locate the password in a file that contains Base64 data.

Sign in to Level 10 and list the contents of the home folder. You’ll see the target file, “data.txt” sitting
there. What happens if you try to cat that file?

The output of “cat data.txt” is a long string of characters that sort of resembles our previous passwords,
but is much too long. This is Base64 encoded data. How do we know
? The “==” sign at the end of the data string is a big clue, though no guarantee. You should Google
Base64 and read as much as you can. But for now…

Base64 encoding is a method for converting binary data (1s and 0s) into a series of alphanumeric
symbols. Although there a few different versions, the most common uses the capital and lowercase letters,
the digits 0-9 and the +, / and = symbols. Base64 data is used to send data that’s in a binary format to
systems and applications where raw binary data sometimes causes problems, but regular text is fine.

For the purposes of this level, we just need to decrypt the Base64 data and examine it. There are a few
ways to do this.
Try typing “base64 -d data.txt” and hitting enter. The “-d” flag on the base64 command is telling Linux to
decrypt the file “data.txt.” (Read up on these flags and options by typing “man base64” into your
terminal.) As you can see, the output is now our familiar 32-character password format. Grab it.

Another way of doing this would be using piping: “cat data.txt | base64 -d”. Either will work.

Exit.

Level 11→12
Password:

The goal of level 11 is to learn to decrypt (or ‘translate’) a password that has had all of the uppercase and
lowercase letters encrypted with a ROT-13 cipher.

Rotational ciphers are a special case of substitution ciphers where the regular alphabet has been shifted
(rotated) by a certain number. For instance, we know that in the regular English alphabet, ‘A’ is the first
letter (A=1), ‘B’ is the second letter of the alphabet, ‘C’ is the third letter, etc. This is a simple
substitution cipher where letters are replaced by numbers (Note: This is just a substitution cipher so far;
there is no “rotation” of those letters and numbers yet.)

A ROT-1 cipher would be A=B, B=C, C=D, etc. This is also a substitution cipher, but the letters and
numbers have been shifted (or rotated) by 1 for each letter combination. The word “the” in a ROT-1
cipher would be “uif.”

We’re looking for a password that has been encrypted with a ROT-13 cipher. This is a very popular
rotational cipher used in puzzle-making and online “capture the flag” scenarios.

Finding the password for this level is easy. We can simply use what we already know: type ‘ls’ to list the
files, and then ‘cat data.txt’ to read the contents of that file. Do that now.

As you can see, there is text in this file but it appears unreadable. That’s because it’s been encrypted via
ROT-13. We can decrypt this file using the ‘translate’ command in Linux. Here is the format for
translating files: cat data.txt | tr ‘a-zA-Z’ ‘n-za-mN-ZA-M’

Hitting enter reveals this sentence: “The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu.”

Grab and exit.

Level 12-13

Password: 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

The goal of level 12 is to locate the password in a hexdump of a file that has been compressed multiple
times. The process for solving this level will be: Find the appropriate file. Use ‘xxd’ to create a hexdump
of the file. The first few characters of the hexdump will tell you whether the file is compressed (using one
of two compression tools) or bundled (using tar). You’ll either decompress the file or unbundle it. This
involves renaming the file so that it has the proper extension (.gz for gzip, .bz2 for bzip2, or .tar for
bundled tar files) and then running the appropriate decompress or “unbundle” command. This process
will repeat several times (about 6 or so).
It’s fairly involved, so a bit of reading is required before we dive in.

A hexdump is often used to view files in something closer to a human-readable format than whatever
method the original file is stored in. I said “closer” to a human-readable format, because to the
uninitiated, a hexdump still looks pretty unreadable! Once you’re familiar with them however, you’ll find
that they do reveal information about the file in a more forgiving format than binary (or other non-human-
readable formats) do. To create a hexdump, you use the command ‘xxd’ and hit enter. To revert the
hexdump back to its original format, use the command ‘xxd -r’ and hit enter.

There are several different types of compression, but two of the most popular in Linux are gzip and bzip2.
Bzip2 compresses a bit better, resulting in smaller file sizes, but takes a bit longer. Files compressed with
either of these formats typically have .gz or .bz2 at the end of their filename. To compress a file using
gzip, simply type ‘gzip <filename>’ and hit enter. To decompress, type ‘gzip -d <filename>’ and hit
enter. Files compressed using bzip2 work similarly: ‘bzip2 <filename>’ and hit enter and to decompress
type ‘bzip2 -d <filename>’ and hit enter. Note: if you’re trying to decompress a gzip-compressed file that
does NOT end in .gz, you’ll have to rename the file to include the .gz at the end of the filename. Use the
‘mv’ command to rename the file and add the .gz extension, like this:
“mv text_file text_file.gz” and you can then use ‘ls -a’ to view the new filename.

The file we’re dealing with has been compressed multiple times using both of these compression formats.
A format sometimes seen alongside gzip or bzip2, is tar. A tar file is an archive file that allows for one or
more files to be bundled together and sent as a single unit. It’s similar to a .zip file, but a tar file is not
compressed (though they can be compressed with other commands.) For our purposes, tar files are similar
in concept to sending someone an entire folder containing multiple word processing or spreadsheet files
instead of sending them one at a time.

To create a tar archive file, type ‘tar -cf <filename> <directory>” and hit enter. The <filename> is the
name you choose for your new tarball and <directory> is the directory you wish to make a tarball from.
Optionally, you can type ‘tar -cvf <filename> <directory>’ and hit enter. The -c means “create,” the v
means “verbose” (this will display a readout of all the files that get added to the .tar file as it is being
created) and the f signifies that the next part will be the new tarball’s filename. Although not required, it’s
a good practice to name your tarballs with the .tar extension. That helps others (and yourself) to recognize
that the file is a bundled tar file. It’s important that you’re not IN the directory that you’re trying to make
a tarball of – or you’ll get an error message. You need to be in the directory containing the directory
you’re making a tarball of for this format to work.

But, you can add a path to a different directory than the one you’re in. Imagine you want to create a
tarball of bunch of employee resumes. You could do this by typing: ‘tar -cvf Resumes.tar
~/user/Documents/Resumes’ and hit enter. You could do this even if you were not actually in the
Documents directory. If you were actually in the Documents directory, you would only have to type
‘Resumes’ as the target directory.

It is common to create a tar file, and then to compress that tar using gzip or bzip2. To read the individual
files in the tar, you’ll first have to decompress the main tar file, then extract the individual files from
within the tar. This can be done in two steps, but it’s also possible to create a tar file and compress or
decompress it and extract the files with a single command. To do so, you add a ‘z’ flag, like this: “tar -czf
<filename> <directory>” when you compress with gzip and “tar -cjf <filename> <directory>” when
compressing with bzip2. Note that bzip2 uses the ‘j’ flag instead of the ‘z’ flag. It is a good idea to name
compressed tarballs with .tar.gz (or tar.bz2)
To decompress and extract in a single command, type “tar -xzf <filename> -C <destination>” and hit
enter (for files compressed with gzip) or “tar -jzf <filename> -C <destination>” for files compressed with
bzip2. Again, note the ‘j’ vs ‘z’ flag as the difference between bzip2 and gzip. Strictly speaking, the -C
flag and the destination path are only necessary if you want to decompress and extract the files into a
directory that you’re not currently in. If you exclude the -C and destination, the files will be unzipped and
extracted in your current directory.

Although beyond the scope of this lesson, it’s possible to append files to an already existing tarball and to
extract individual files from an existing tarball without extracting the other files. It is also possible to
exclude files in a directory from being included in a given tarball. Essentially, you tell the system to
“make a tarball out of all of these files except Filexyz” and that file won’t be archived. Lastly, it’s
possible to update an existing tarball and that update will include any recent changes to the individual
files that have been made since the tarball was first created. Google is your friend here.

Level 13-14

Level 14-15

Level 15-16 Read about ‘openssl’ and ‘s_client’ commands, as well as ‘Read
R BLOCK.’

Level 16-17
nmap -sV localhost -p31000-32000

echo “bandit16 password” | openssl s_client -connect localhost:31790

Make the pw file on the B17 server!

openssl s_client

Read about “nocommand” “quiet” and “ign_eof”

nmap -Pn -sV -T5 are all switches to know about!