Create and run a shell script.
Host name is: bandit.labs.overthewire.org
User: bandit23
password: jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
Goal: A program is running automatically at regular intervals from
cron, the time-based job scheduler. Look in /etc/cron.d/ for
the configuration and see what command is being executed.
Commands used for this level:
ls -l - List information about all the file's and use a long listing format.
cat - used to view contents of a file.
whoami - print effective userid
mkdir -
cd -
vim -
Step 1.
Just like the last two levels we need to view /etc/cron.d/ directory.
Type ls -l /etc/cron.d/
Step 2.
We see a cronjob_bandit24 file so let's do a cat on it.
Type cat /etc/cron.d/cronjob_bandit24
We get bandit24 /usr/bin/cronjob_bandit24.sh as our output so lets take a look at what this script does.
Step 3.
Type cat /usr/bin/cronjob_bandit24.sh
myname=$(whoami)
cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in *;
do
echo "Handling $i"
./$i
rm -f $i
done
Step 4.
Looks like we have another script that sets uid to myname and executes and deletes all scripts in /var/spool/$myname.
Let's run the script and see what happens.
Type /usr/bin/cronjob_bandit24.sh
/usr/bin/cronjob_bandit24.sh: line 5: cd: /var/spool/bandit23: No such file or directory
Executing and deleting all scripts in /var/spool/bandit23:
Handling *
/usr/bin/cronjob_bandit24.sh: line 10: ./*: No such file or directory
Step 5.
Looks like the script changes to the directory /var/spool/bandit23 then executes and deletes all scripts but none are found. Let's create a script but put it in /var/spool/bandit24 that will cat the password file from where we have seen our passwords stored at /etc/bandit_pass/bandit24 out to a directory we will pick. By putting the script in bandit24 directory it will assign the myname to this script as uid of bandit24 who happens to have permission to cat this file. We currently do not have permission to cat that file being we are logged in as bandit23.
Type mkdir /tmp/bandit24
Hmm thats strange it says mkdir: cannot create directory '/tmp/bandit24': File exists
Okay lets cat that file.
cat /tmp/bandit24 and like that we have our password for the next level UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
This is obviously an error in the way this challenge is setup but it is cool to see you can sometimes accomplish your goal by just snooping around a bit when you find something that doesn't seem right. This file must have been created by another user and I guess all user have access to other users of overthewire files they create.
Let's continue our goal of creating a script and having it run.
Step 6.
Type mkdir -p /tmp/hxjump Your directory my still be there from previous levels if they have not reboot the server. The dash p will keep you from getting errors if the file exists already.
Then let's change to our directory and create our script.
cd /tmp/hxjump
Step 7.
Now let's create our script
vim bandit24.sh
Once in vi press a and copy and past the above and change our uid like below.
#!/bin/bash
cat /etc/bandit_pass/bandit24 >> /tmp/hxjump/level24
Pree Esc key to exiting editing mode and then type :wq
Step 8.
Now set read, write, and execute permissions on our file with chmod 777 bandit24.sh
Step 9.
Now we need to copy our script over to /var/spool/bandit24
cp bandit24.sh /var/spool/bandit24
The script will auto run because of cron, you may need to wait a minute before the next step shows our file.
Step 10.
Apparently this level appears to be broken as I can see my script is copied to /var/spool/bandit24 and after a minute is deleted from the /var/spool/bandit24 directory but no file is ever created in my tmp/hxjump directory. I have looked at other solutions and they all did basically the same thing I did for a script. At least I have the password for the next level. Maybe i'll come back to this level sometime if they ever fix it.
Tuesday, December 16, 2014
Monday, December 15, 2014
Bandit Level 22 to Level 23
View a created script and use the info to run a custom command.
Host name is: bandit.labs.overthewire.org
User: bandit22
password: Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
Goal: A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
Commands used for this level:
ls -l - List information about all the file's and use a long listing format.
cat - used to view contents of a file.
whoami - print effective userid
Step 1.
This looks exactly like the last level so let's follow what we did last level.
Type ls -l /etc/cron.d/
Just like last level we see a cronjob_bandit23 file
Step 2.
Let's cat that file
cat /etc/cron.d/cronjob_bandit23
We get the output to a file location that runs at /usr/bin/cronjob_bandit23.sh
Step 3.
Let's cat that file in step 2.
cat /usr/bin/cronjob_bandit23.sh
We see get another bin bash script
#!/bin/bash
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget
It looks like this script sends the output of a cat on
/etc/bandit_pass/$myname to /tmp/$mytarget
Step 4.
Again like before let's cat that copied file location to see what it has in it.
cat /tmp/$mytarget
This time we get /tmp/: Permission denied
Hmm looks like the $ may have blocked our full file location because it only shows /tmp/ in the output.
Let's go back and read our NOTE for the GOAL.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
Ah $ is used for shell so let's read about shell scripts and we should try to execute the script to see what it does.
Step 5.
Type /usr/bin/cronjob_bandit23.sh
We get the output: Copying passwordfile /etc/bandit_pass/bandit22 to /tmp/8169b67bd894ddbb4412f91573b38db3
Step 6.
Let's cat that file location
cat /tmp/8169b67bd894ddbb4412f91573b38db3
We get our current password output. Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
Not what we want.
Step 7.
Let's go back and look at cronjob_bandit23.sh script
Type /usr/bin/cronjob_bandit23.sh
We get the output: Copying passwordfile /etc/bandit_pass/bandit22 to /tmp/8169b67bd894ddbb4412f91573b38db3 We missed something, see how it says bandit22, not what we want. We want bandit23 password. Let's look at how the script works again.
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget
That first part myname=$(whoami) sets myname to our name. Go ahead and do a whoami. It returns who we are logged in as bandit22.
The second part mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1) looks like the command that is run during this script where $myname is set to bandit22 and we know we want bandit23 password. Let's take that part of the script and replace the $myname part with bandit23 instead of letting the script set it to our current uid.
Type echo I am user bandit23 | md5sum | cut -d ' ' -f 1
We get 8ca319486bfbbc3663ea0fbe81326349 output.
Step 8.
Hmm that output above looks familiar lets do a cat on the output file.
Type cat /tmp/8ca319486bfbbc3663ea0fbe81326349
Look at that it looks like we have our next level password output:
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
Host name is: bandit.labs.overthewire.org
User: bandit22
password: Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
Goal: A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
Commands used for this level:
ls -l - List information about all the file's and use a long listing format.
cat - used to view contents of a file.
whoami - print effective userid
Step 1.
This looks exactly like the last level so let's follow what we did last level.
Type ls -l /etc/cron.d/
Just like last level we see a cronjob_bandit23 file
Step 2.
Let's cat that file
cat /etc/cron.d/cronjob_bandit23
We get the output to a file location that runs at /usr/bin/cronjob_bandit23.sh
Step 3.
Let's cat that file in step 2.
cat /usr/bin/cronjob_bandit23.sh
We see get another bin bash script
#!/bin/bash
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget
It looks like this script sends the output of a cat on
/etc/bandit_pass/$myname to /tmp/$mytarget
Step 4.
Again like before let's cat that copied file location to see what it has in it.
cat /tmp/$mytarget
This time we get /tmp/: Permission denied
Hmm looks like the $ may have blocked our full file location because it only shows /tmp/ in the output.
Let's go back and read our NOTE for the GOAL.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
Ah $ is used for shell so let's read about shell scripts and we should try to execute the script to see what it does.
Step 5.
Type /usr/bin/cronjob_bandit23.sh
We get the output: Copying passwordfile /etc/bandit_pass/bandit22 to /tmp/8169b67bd894ddbb4412f91573b38db3
Step 6.
Let's cat that file location
cat /tmp/8169b67bd894ddbb4412f91573b38db3
We get our current password output. Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
Not what we want.
Step 7.
Let's go back and look at cronjob_bandit23.sh script
Type /usr/bin/cronjob_bandit23.sh
We get the output: Copying passwordfile /etc/bandit_pass/bandit22 to /tmp/8169b67bd894ddbb4412f91573b38db3 We missed something, see how it says bandit22, not what we want. We want bandit23 password. Let's look at how the script works again.
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget
That first part myname=$(whoami) sets myname to our name. Go ahead and do a whoami. It returns who we are logged in as bandit22.
The second part mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1) looks like the command that is run during this script where $myname is set to bandit22 and we know we want bandit23 password. Let's take that part of the script and replace the $myname part with bandit23 instead of letting the script set it to our current uid.
Type echo I am user bandit23 | md5sum | cut -d ' ' -f 1
We get 8ca319486bfbbc3663ea0fbe81326349 output.
Step 8.
Hmm that output above looks familiar lets do a cat on the output file.
Type cat /tmp/8ca319486bfbbc3663ea0fbe81326349
Look at that it looks like we have our next level password output:
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
Bandit Level 21 to Level 22
View cron jobs and find what the job is performing.
Host name is: bandit.labs.overthewire.org
User: bandit21
password: gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
Goal: A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
Commands used for this level:
ls -l - List information about all the file's and use a long listing format.
cat - used to view contents of a file.
Step 1.
From the goal we are given that a program is running regularly with cron and is configured in the /etc/cron.d/ directory. Lets check the man page of cron.
Type man cron and do a search with /cron.d
We see that cron is a daemon to execute scheduled commands and that cron reads the files in the /etc/cron.d directory. Let's look at that directory and see what files we have in it.
Type ls -l /etc/cron.d/
We see a bunch of files but we know we are looking for a cronjob and we are trying to get to level 22, so lets view the contents of cronjob22.
Step 2.
Type cat /etc/cron.d/cronjob_bandit22
We are given the output of: * * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
Given that lets go ahead and cat out that given file and see what it is.
Step 3.
Type cat /usr/bin/cronjob_bandit22.sh
We are given:
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
The #!/bin/bash means we have a bash script file
chmod 644 means only owner can write, others can read to the file at /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Then the last two lines cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv is what the script is doing. This line means it runs cat on /etc/bandit_pass/bandit22 and with the > sends that output to the file at /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Step 4.
With the above info all we need to do now is cat the file at /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Type cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv and we are given our next level pasword of: Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
Host name is: bandit.labs.overthewire.org
User: bandit21
password: gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
Goal: A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
Commands used for this level:
ls -l - List information about all the file's and use a long listing format.
cat - used to view contents of a file.
Step 1.
From the goal we are given that a program is running regularly with cron and is configured in the /etc/cron.d/ directory. Lets check the man page of cron.
Type man cron and do a search with /cron.d
We see that cron is a daemon to execute scheduled commands and that cron reads the files in the /etc/cron.d directory. Let's look at that directory and see what files we have in it.
Type ls -l /etc/cron.d/
We see a bunch of files but we know we are looking for a cronjob and we are trying to get to level 22, so lets view the contents of cronjob22.
Step 2.
Type cat /etc/cron.d/cronjob_bandit22
We are given the output of: * * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
Given that lets go ahead and cat out that given file and see what it is.
Step 3.
Type cat /usr/bin/cronjob_bandit22.sh
We are given:
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
The #!/bin/bash means we have a bash script file
chmod 644 means only owner can write, others can read to the file at /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Then the last two lines cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv is what the script is doing. This line means it runs cat on /etc/bandit_pass/bandit22 and with the > sends that output to the file at /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Step 4.
With the above info all we need to do now is cat the file at /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Type cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv and we are given our next level pasword of: Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
Bandit Level 20 to Level 21
Use netcat to create a client/server connection.
Host name is bandit.labs.overthewire.org
User: bandit20
password: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Goal: There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
Commands used for this level:
ls - List information about all the file's
nc -l - arbitrary TCP and UDP connections and listens, when used with -l to specify that nc should listen for an incoming connection rather than initiate a connection to a remote host.
echo - display a line of text
Step 1.
Type ls
We see the suconnect binary file which is described in the goal.
Step 2.
Type ./suconnect
We see we need to run the binary file suconnect with a port number. We also know we need to transmit a password of the current level to login to a open port. To do this we need to create a client/server connection using netcat.
Let's check the netcat man page.
Type man nc and page down to where it says Client/Server Model. This section gives us everything we need to create a client/server connection. We can test how this works on our own PC by opening two terminal windows. Let's give it a test.
Open two terminal windows on your PC and in the first one type exactly the command that is given under client/server model. Type nc -l 1234 nc is now listening on port 1234 for a connection. Now in the second window we can connect to that open port by typing nc localhost 1234 then go ahead and type something and it will be concatenated to the other terminal window and vice versa. With this test we now see that maybe if we open a listening port in one window and in the other we run our binary file on that open port that maybe we will get our next level password.
Step 3.
Let's start our netcat listening port and echo our current level password to it.
Type echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | nc -l 1234
By doing this we have started a listening port of 1234 (this can be any port # that is not in use) and upon a connection to echo our current password.
Now we need to open a second terminal connection to our level.
Step 4.
Open a second terminal window and connect to the level with:
Host name is bandit.labs.overthewire.org
User: bandit20
password: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Now just like our local test in step 2 we need to run our suconnect binary file to our open listening port of 1234 which is running in our first terminal window.
Type ./suconnect 1234
We get an output of:
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j this is our echoed password from the first terminal session we have running netcat in listening mode.
Password matches, sending next password and here we see the password matches and just like noted in the goal our next password is echoed back to our first terminal window. Now go back to our first open terminal window and you will see our next level password is displayed: gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
Note: Another way to accomplish this level without opening two windows is to run our first window in the background with the ampersand symbol (&) at the end of our first command like so: echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | nc -l 1234 &
Using the ampersand at the end of a command tells it to be run in the back ground. We could then run our commands for the second terminal in our current terminal while our netcat listening port runs in the background.
Host name is bandit.labs.overthewire.org
User: bandit20
password: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Goal: There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
Commands used for this level:
ls - List information about all the file's
nc -l - arbitrary TCP and UDP connections and listens, when used with -l to specify that nc should listen for an incoming connection rather than initiate a connection to a remote host.
echo - display a line of text
Step 1.
Type ls
We see the suconnect binary file which is described in the goal.
Step 2.
Type ./suconnect
We see we need to run the binary file suconnect with a port number. We also know we need to transmit a password of the current level to login to a open port. To do this we need to create a client/server connection using netcat.
Let's check the netcat man page.
Type man nc and page down to where it says Client/Server Model. This section gives us everything we need to create a client/server connection. We can test how this works on our own PC by opening two terminal windows. Let's give it a test.
Open two terminal windows on your PC and in the first one type exactly the command that is given under client/server model. Type nc -l 1234 nc is now listening on port 1234 for a connection. Now in the second window we can connect to that open port by typing nc localhost 1234 then go ahead and type something and it will be concatenated to the other terminal window and vice versa. With this test we now see that maybe if we open a listening port in one window and in the other we run our binary file on that open port that maybe we will get our next level password.
Step 3.
Let's start our netcat listening port and echo our current level password to it.
Type echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | nc -l 1234
By doing this we have started a listening port of 1234 (this can be any port # that is not in use) and upon a connection to echo our current password.
Now we need to open a second terminal connection to our level.
Step 4.
Open a second terminal window and connect to the level with:
Host name is bandit.labs.overthewire.org
User: bandit20
password: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Now just like our local test in step 2 we need to run our suconnect binary file to our open listening port of 1234 which is running in our first terminal window.
Type ./suconnect 1234
We get an output of:
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j this is our echoed password from the first terminal session we have running netcat in listening mode.
Password matches, sending next password and here we see the password matches and just like noted in the goal our next password is echoed back to our first terminal window. Now go back to our first open terminal window and you will see our next level password is displayed: gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
Note: Another way to accomplish this level without opening two windows is to run our first window in the background with the ampersand symbol (&) at the end of our first command like so: echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | nc -l 1234 &
Using the ampersand at the end of a command tells it to be run in the back ground. We could then run our commands for the second terminal in our current terminal while our netcat listening port runs in the background.
Friday, December 12, 2014
Bandit Level 19 to Level 20
Host name is bandit.labs.overthewire.org
User: bandit19
password: IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
Goal: To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used to setuid binary.
Commands used for this level:
ls -l - List information about all the file's and use a long listing format.
file - determine file type
cat - used to view contents of a file.
cd - change directory
Step 1.
After logging in type ls
You will see bandit20-do
Step 2.
Let's see what kind of file it is.
Type file bandit20-do
We see that it's a setuid ELF 32-bit LSB executable.
Step 3.
Let's get more info on the file.
Type ls -l
We see this output for our file.
-rwsr-x--- 1 bandit20 bandit19 7370 Nov 14 10:32 bandit20-do
We can break this down as follows:
- -rwsr-x--- permissions
- 1 : number of linked hard-links
- bandit20: owner of the file
- bandit19: to which group this file belongs to
- 7370: size
- Nov 14 10:32 modification/creation date and time
- bandit20-do: file/directory name
This means we, being user bandit19 can read and execute the file. Lets try running the file the way it is stated in the goal to see if we can find out how to use it to set our uid to bandit20.
Type ./bandit20-do (the ./ in front means current directory)
We get an out put of :
Run a command as another user.
Example: ./bandit20-do id
Step 4.
Let's try running the command again with the example.
Type ./bandit20-do id
We get the output of:
uid=11019(bandit19) gid=11019(bandit19) euid=11020(bandit20) groups=11020(bandit20),11019(bandit19)
uid is user id
gid is group id
euid is effective user id
groups is groups it belongs to
euid is used for permission checks in Linux. We cant just change to any EUID unless we are root.
Here are the rules:
- Changing to SUID or RUID is always ok
- If you are root (UID 0), you can change to any UID. This will set both EUID, RUID and SUID.
- Changing from root to any other UID
- RUID is set to according to your login.
- EUID is different from RUID only when running Set UID programs, like su
The point is that a Set UID program can switch between the UID of the user who invoked it (that would be us bandit19), and the owner of the executable (bandit20). Let's do one more thing and check the help info of the command.
Type ./bandit20-do --help
We get an output stating:
Set each NAME to VALUE in the environment and run COMMAND.
Step 5.
Let's run our bandit20-do with a cat command to where we are told the file is located (/etc/bandit_pass) and see if it let's us view the file.
Type ./bandit20-do cat /etc/bandit_pass
We are told that /etc/bandit_pass: Is a directory
Let's change to /etc/bandit_pass and see what the directory contains for files and pick what file we actually want to view.
Step 6.
Type cd /etc/bandit_pass
Then do an ls -l
It shows that bandit20 is the owner of the bandit20 file so let's go back to where our bandit20-do file is and run it again with bandit20 as our file to view.
Step 7.
Type cd ~
Then type ./bandit20-do cat /etc/bandit_pass/bandit20 and we get our password for the next level: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Wednesday, December 10, 2014
Bandit Level 18 to Level 19
Logging in with ssh without having .bashrc run.
Host name is bandit.labs.overthewire.org
User: bandit18
password: kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
Goal: The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
Commands used for this level:
ssh - OpenSSH SSH client
/bin/sh - a way of launching an interactive shell usually bash
Step 1
Host name is bandit.labs.overthewire.org
User: bandit18
password: kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
Goal: The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
Commands used for this level:
ssh - OpenSSH SSH client
/bin/sh - a way of launching an interactive shell usually bash
Well when we try and
login to this level the normal way we get immediately logged out, why
because the .bashrc file has been edited to do this to us. .bashrc is
a file normally read by interactive shells only
and can be edited to affect how our
interactive shell behaves. What we need to do is try logging in a
different way so we avoid having the .bashrc file run.
What we can do is
tell our ssh login to launch the Bourne again shell, also known as
bash instead of the regular shell. Bash only reads from the
/etc/profile, .bash_profile, .bash_login or .profile files, you can
read about that here.
We will tell ssh to
launch the bash shell instead of logging directly into bandit18 user
shell, which we know will launch that .bashrc file that logs us out.
We can do this by adding /bin/sh command to our ssh login with our
user info. Using /bin/sh is a standard way of launching the Bourne
again shell (bash) when writing script files. Most scripts start with
the hashbang (#!) followed by /bin/sh telling the script to first
start the bash shell. Our login should be simple enough now that we
know more.
We could just type
ssh bandit18@bandit.labs.overthewire.org
/bin/sh but we will not see a prompt because we are only requesting a
port to connect to. What we can do is force a connection to a tty
port with a -t added to ssh command.
Type ssh -t
bandit18@bandit.labs.overthewire.org
/bin/sh
Step 2.
We are now in and
can check if we see the readme file with ls.
Type ls
We see the readme
file so all we have to do is cat the file with cat readme and our
password for the next level is displayed:
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
Bandit Level 16 to 17 and 18
Using a port scanning tool to find open ports and copying and using a private ssh key to connect to a server. Then level 18 comparing files for differences.
Host name is bandit.labs.overthewire.org
User: bandit16
password: cluFn7wTiGryunymYOu4RcffSxQluehd
Goal: The password for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next password, the others will simply send back to you whatever you send to it.
Host name is bandit.labs.overthewire.org
User: bandit16
password: cluFn7wTiGryunymYOu4RcffSxQluehd
Goal: The password for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next password, the others will simply send back to you whatever you send to it.
Commands used for this level:
nmap - Network
exploration tool and security / port scanner
echo - display a line of text
nc - arbitrary TCP and UDP connections and listens (nc is short for netcat)
openssl
- OpenSSH SSH client (remote login program)
mkdir
- make directories.
cd
- change directory.
touch
- change file timestamps
vim
- Vi IMproved, a programmers text editor
Commands used for level 18:
ls - List information about the FILE's (the current directory by default).
diff - compare files line by line
Step 1.
First thing we need to do is find a way to scan ports in the given range from our goal. Linux has a tool for doing just that called nmap. Lets check the man page on nmap to see how it works and what it does.
Type man nmap
We see nmap is a
port scanner and that is exactly the tool we need. If we read further
down to SCAN TECHNIQUES section we see we have multiple options for
scanning. We know that first we want to find what ports are open for
a connection. We read that the sT option in this section is for
connect so that looks good for our first option. We also need to
select a range of ports to scan so if we read down further we see
that the -p option will let us select specific ports to scan or a
range even. We know we want to scan localhost and ports from 31000 to
32000 so lets put together our scan options. We will use nmap command
for our port scanner tool with -sT to attempt a connection, send that
to localhost with a port range of 31000-32000
Type nmap -sT
localhost -p31000-32000
We see we have 5
ports open 31046, 31518,
31691, 31790, and 31960 all with unknown service.
Step 2.
We now have 5 ports we can attempt to connect to and we know from our goal we need to find the port
that speaks SSL. We also know that the wrong ports will simply
echo back what we send them. Lets echo some text, pipe it to netcat
like in level 14, and use localhost with the each port number to see
what ports echo back our text and which ones give us an SSL response.
echo hello | nc
localhost 31046
gives
us our hello in return
echo hello | nc
localhost 31518
gives us an SSL
error
echo hello | nc
localhost 31691
gives
us our hello in return
echo hello | nc
localhost 31790
gives us an SSL
error
echo hello | nc
localhost 31960
gives
us our hello in return
Step 3.
We
know know we have two ports that reply with an SSL error.
Let's
hit those two ports with our password and our openssl tool like in
level 15.
echo
cluFn7wTiGryunymYOu4RcffSxQluehd | openssl s_client -quiet -connect
localhost:31518
It
looks like we have connected but it has replied our current password
like the other ports so lets try the other SSL port.
echo
cluFn7wTiGryunymYOu4RcffSxQluehd | openssl s_client -quiet -connect
localhost:31790
We
get a private RSA key in return instead
of the password. Not
exactly what we hoped for but we know what to do with the key from
previous levels.
Step 4.
Copy the RSA key, don't forget to get the whole
thing including the header and footer of the key. Now we need to save this private key and do exactly what
we did in level 13.
Lets create a directory under /tmp,
create a file and save our key to it. We can then use ssh to send
that key to the next level and get our password.
mkdir
/tmp/yourname
cd
/tmp/yourname
touch
sshkey.private
vim
sshkey.private
You
are now in vim editor and can paste your copied key.
Press
a first in vim to append the file.
Now paste the copied key into the
file. Once you've pasted the key
press esc key to exit editing
mode of vim and type :wq to write
and quit the editor. If you want more info on moving around in vi editor cheack the man page on it.
Step 5.
We can now do like we did in level 13 and use ssh to send the RSA privatekey to
bandit17
ssh
-i ./sshkey.private bandit17@localhost
We
are asked if we want to continue and we need to type yes
We
see we get an error stating; It is required that your private key
files are NOT accessible by others. What we need to do is change the
permission of our privatekey so it is not accessible by other users.
We can use chmod to do that.
Step 6.
Lets
read some about chmod options here.
We know we need to
only allow us, the owner of the file to read and write to it and
after reading the above link we see that chmod 600 will do that.
chmod
600 sshkey.private
Now do a ls -la to view read write permissions of our file.
Step 7.
Let's
try sending our privatekey again.
ssh
-i ./sshkey.private bandit17@localhost
We
are now into level 17 but we do
not have a password for the level so we need to get level 18
password.
Level
17 to 18
Compare two files
and find the difference.
Goal:
There are 2 files in the homedirectory: passwords.old
and passwords.new. The password for the next level is in
passwords.new and is the only line that has been
changed between passwords.old and passwords.new
Commands used in this level:
ls - List information about the FILE's (the current directory by default).
diff - compare files line by line
Step 1.
We need to
compare the two files and find the different line between the two
files. We can use the diff command to do that. Let's check the man
page of diff.
Type man diff
Type man diff
We see that
diff will compare files line by line and that is our exact goal.
Type diff
passwords.old passwords.new
We get the below output:
<
BS8bqB1kqkinKJjuxL6k072Qq9NRwQpR
---
> kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
Looks like
we have two options for passwords so lets try them on level 18.
Try the
first one and it doesn't work but the second password does and we
have our password for level 18: kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
Tuesday, December 9, 2014
Bandit Level 15 to Level 16
Submitting a password to a port using SSL encryption.
Host name is bandit.labs.overthewire.org
User: bandit15
password: BfMYroe26WYalil77FoDi9qh59eK5xNr
Goal: The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -quiet and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…
Commands used for this level:
echo - display a line of text
openssl - OpenSSL command line tool
Step 1.
We need to somehow submit our current password to port 30001 using SSL.
We know from the last level we can use echo to send the current password to a command. We also know we need to use SSL to connect to port 30001. Lets check the man page of SSL.
Type man ssl
Looking at the man page for ssl we see that SSL is OpenSSL SSL/TLS library. The info is different than other man pages we have looked at. This man page is just info on what ssl is because ssl is not a command, it is a type of connection. If we scroll to the bottom of the man page we can see that the info shown appeared in Openssl. To verify that ssl is not what we want go ahead and try to echo the password and pipe it to ssl with localhost 30001
Type echo BfMYroe26WYalil77FoDi9qh59eK5xNr | ssl localhost 30001
We get No command 'ssl' found.
We do now know that openssl might be the command we need so lets check the man page for openssl.
Type man openssl
We see that OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer, which is exactly what we need from the goal given. More can be read about SSL/TLS here.
You should also read here about connecting to ssl servers as it gives us exactly what we need for our command.
We now know pretty much everything we need for our command. From the goal we know we need to use -quiet with our command and from reading here we have this as an example openssl s_client -connect www.example.com:443
Let's open the man page of openssl again and read about the s_client option.
Type man openssl
We see that the s_client option implements a generic SSL/TLS client which can establish a transparent connection to a remote server speaking SSL/TLS.
So we will echo our password, pipe it to openssl. We now have everything for our command. We will echo our password, pipe it to openssl with s_client, -connect, and -quiet options.
Step 2.
Type echo BfMYroe26WYalil77FoDi9qh59eK5xNr | openssl s_client -quiet -connect localhost:30001
We see the full handshake happen as our connection goes out as a self signed certificate. It then returns 1 and we verify a return of 1 and we are connected. Our password is displayed as cluFn7wTiGryunymYOu4RcffSxQluehd
Host name is bandit.labs.overthewire.org
User: bandit15
password: BfMYroe26WYalil77FoDi9qh59eK5xNr
Goal: The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -quiet and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…
Commands used for this level:
echo - display a line of text
openssl - OpenSSL command line tool
Step 1.
We need to somehow submit our current password to port 30001 using SSL.
We know from the last level we can use echo to send the current password to a command. We also know we need to use SSL to connect to port 30001. Lets check the man page of SSL.
Type man ssl
Looking at the man page for ssl we see that SSL is OpenSSL SSL/TLS library. The info is different than other man pages we have looked at. This man page is just info on what ssl is because ssl is not a command, it is a type of connection. If we scroll to the bottom of the man page we can see that the info shown appeared in Openssl. To verify that ssl is not what we want go ahead and try to echo the password and pipe it to ssl with localhost 30001
Type echo BfMYroe26WYalil77FoDi9qh59eK5xNr | ssl localhost 30001
We get No command 'ssl' found.
We do now know that openssl might be the command we need so lets check the man page for openssl.
Type man openssl
We see that OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer, which is exactly what we need from the goal given. More can be read about SSL/TLS here.
You should also read here about connecting to ssl servers as it gives us exactly what we need for our command.
We now know pretty much everything we need for our command. From the goal we know we need to use -quiet with our command and from reading here we have this as an example openssl s_client -connect www.example.com:443
Let's open the man page of openssl again and read about the s_client option.
Type man openssl
We see that the s_client option implements a generic SSL/TLS client which can establish a transparent connection to a remote server speaking SSL/TLS.
So we will echo our password, pipe it to openssl. We now have everything for our command. We will echo our password, pipe it to openssl with s_client, -connect, and -quiet options.
Step 2.
Type echo BfMYroe26WYalil77FoDi9qh59eK5xNr | openssl s_client -quiet -connect localhost:30001
We see the full handshake happen as our connection goes out as a self signed certificate. It then returns 1 and we verify a return of 1 and we are connected. Our password is displayed as cluFn7wTiGryunymYOu4RcffSxQluehd
Monday, December 8, 2014
Bandit Level 14 to Level 15
Submitting a password to a port.
Host name is bandit.labs.overthewire.org
User: bandit14
password: 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Goal: The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
Commands used for this level:
echo - display a line of text
nc - arbitrary TCP and UDP connections and listens (nc is short for netcat)
Step 1.
We need to somehow submit our current password to port 30000.
First lets check man page on echo.
Type man echo
We see that the echo command will echo the STRING(s) to standard output.
What we can do is use that to send our password by piping it to a command that will allow us to connect to a local port.
Port's use TCP or UDP to establish connections and it just so happens Linux has a tool to do that called netcat. Lets check the man page for netcat.
Type man nc
The very first line in the description says that netcat utility is used for just about anything under the sun involving TCP, UDP. Wow that sounds perfect for what we want to do. We also know we need to connect to localhost at port 30000, we have everything for our full command. We will echo our password and pipe the output to netcat and tell netcat to connect to localhost at port 30000.
Type echo 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e | nc localhost 30000 and our password is given to us for the next level: BfMYroe26WYalil77FoDi9qh59eK5xNr
Host name is bandit.labs.overthewire.org
User: bandit14
password: 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Goal: The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
Commands used for this level:
echo - display a line of text
nc - arbitrary TCP and UDP connections and listens (nc is short for netcat)
Step 1.
We need to somehow submit our current password to port 30000.
First lets check man page on echo.
Type man echo
We see that the echo command will echo the STRING(s) to standard output.
What we can do is use that to send our password by piping it to a command that will allow us to connect to a local port.
Port's use TCP or UDP to establish connections and it just so happens Linux has a tool to do that called netcat. Lets check the man page for netcat.
Type man nc
The very first line in the description says that netcat utility is used for just about anything under the sun involving TCP, UDP. Wow that sounds perfect for what we want to do. We also know we need to connect to localhost at port 30000, we have everything for our full command. We will echo our password and pipe the output to netcat and tell netcat to connect to localhost at port 30000.
Type echo 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e | nc localhost 30000 and our password is given to us for the next level: BfMYroe26WYalil77FoDi9qh59eK5xNr
Bandit Level 13 to Level 14
Use a private SSH key to login as another user.
Host name is bandit.labs.overthewire.org
User: bandit13
password: 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
Commands used for this level:
ls - List information about the FILE's (the current directory by default).
cat - used to view contents of a file.
openssh - OpenSSH SSH client (remote login program)
Step 1.
After logging in type ls
You will see a file called sshkey.private
Step 2.
What we have is a private ssh key. With ssh the private key is kept on the computer you log in from (the key we have), while the public key is stored on all the computers you want to log in to (more can be read about keys here).
Type cat sshkey.private and you can see what a private key looks like.
Step 3.
So we need to use ssh to login to another users account bandit14@localhost for us.
Type man ssh and we see ssh is a program for logging into a remote machine and for executing commands on a remote machine. If we read down on the man page we see that ssh when used with -i option will use a file with a private key to use for login. We will use our sshkey.private file. We now know our full command to type to remote into bandit14 user.
Type ssh -i ./sshkey.private bandit14@localhost
This command says use ssh, -i says use a specified privatekey file, ./sshkey.private is our key location, and bandit14@localhost is the account we want to login to.
After we enter this command we will be asked: Are you sure you want to continue connecting (yes/no)?
Type yes
We are now connected to bandit14
Step 4.
Now all we need to do is read our password file which is given to us as being in the /etc/bandit_pass/bandit14 file.
Type cat /etc/bandit_pass/bandit14 file and our password for the next level is given 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Host name is bandit.labs.overthewire.org
User: bandit13
password: 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
Commands used for this level:
ls - List information about the FILE's (the current directory by default).
cat - used to view contents of a file.
openssh - OpenSSH SSH client (remote login program)
Step 1.
After logging in type ls
You will see a file called sshkey.private
Step 2.
What we have is a private ssh key. With ssh the private key is kept on the computer you log in from (the key we have), while the public key is stored on all the computers you want to log in to (more can be read about keys here).
Type cat sshkey.private and you can see what a private key looks like.
Step 3.
So we need to use ssh to login to another users account bandit14@localhost for us.
Type man ssh and we see ssh is a program for logging into a remote machine and for executing commands on a remote machine. If we read down on the man page we see that ssh when used with -i option will use a file with a private key to use for login. We will use our sshkey.private file. We now know our full command to type to remote into bandit14 user.
Type ssh -i ./sshkey.private bandit14@localhost
This command says use ssh, -i says use a specified privatekey file, ./sshkey.private is our key location, and bandit14@localhost is the account we want to login to.
After we enter this command we will be asked: Are you sure you want to continue connecting (yes/no)?
Type yes
We are now connected to bandit14
Step 4.
Now all we need to do is read our password file which is given to us as being in the /etc/bandit_pass/bandit14 file.
Type cat /etc/bandit_pass/bandit14 file and our password for the next level is given 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Bandit Level 12 to Level 13
Reverse a hexdump and uncompress the data.
Host name is bandit.labs.overthewire.org
User: bandit12
password: 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
Commands used for this level:
ls - List information about the FILE's (the current directory by default).
mkdir - make directories.
cp - copy files and directories.
cd - change directory.
file - determine file type.
xxd - make a hexdump or do the reverse.
mv - move (rename) files.
cat - used to view contents of a file.
gzip - compress or expand files.
bzip2 - a block-sorting file compressor.
tar - The GNU version of the tar archiving utility.
Step 1.
After logging in type ls
You will see a file data.txt
Step 2.
Type cat data.txt
In that data.txt file we see a bunch of numbers and letters aligned in rows. These characters aligned like this are known as a hexdump. A hexdump is a hexadecimal view of computer data, from RAM or from a file or storage device.
http://en.wikipedia.org/wiki/Hex_dump
Hexdump's are a very good way to reverse engineer computer programs.
Here is a very interestiong TED talk by Mikko Hypponen explaining viruses and showing some hexdump examples at 1:45 and 10:00.
What we need to do is copy our data.txt file over to /tmp directory because the lab will not let us write data to the directory that the data.txt file is currently in.
First command we need to use to copy the file is mkdir which will make a directory we can do what we want in. This is created under the /tmp directory because files in the /tmp directory can be set to be deleted at reboot or set intervals easily.
Type mkdir /tmp/yourname (where yourname is anything you'd like).
Step 3.
Next we need to copy our file over to our new directory.
Type cp data.txt /tmp/yourname (where yourname is what you chose).
Step 4.
Now we can move over to our created directory and uncompress our file.
Type cd /tmp/yourname and do an ls to make sure your file copied over to here.
Step 5.
First thing we need to is find out what kind of file we have.
Type file data.txt
We see that we currently have a ASCII file but since we know we have a hexdump we need to convert the file to binary.
Step 6.
We need to reverse the ASCII file to a hexdump and Linux has a command to do just that.
Type man xxd
We see the second line under description says xxd can also convert a hex dump back to its original binary form and to do this we look further down the man page and see we need to use -r with xxd to reverse the hexdump.
Type xxd -r data.txt and we see that our data file output has changed but it has not been saved so we need to tell xxd to convert and write this info to a new file for us.
Type xxd -r data.txt newdata
What this command does is it converts our file back to binary with xxd -r command and creates a new file called newdata without a .txt extension.
Step 7.
We now have a new file without an extension and we need to find out what kind of file it is. We can use the file command to do this.
Type file newdata
We see that we have a gzip file.
Step 8.
Type man gzip and we find that gzip is a compression tool that uses .gz as a defualt file extension and when used with -d will decompress a file.
We can now add our .gz file extension to our file by using the move command.
Type mv newdata newdata.gz
Now we can uncompress our gzip file using gzip -d.
Type gzip -d newdata.gz
Step 9.
We can now check to see what type of file was uncompressed.
Type file newdata
We see we now have a bzip2 file.
Step 10.
Lets do the same as before type man bzip2 to find what extension bzip2 uses and what option to use to decompress. We see we need to use .bz2 and -d with our bzip2 command to decompress.
Type mv newdata newdata.bz2 to add our bz2 file extension.
Type bzip2 -d newdata.bz2 to uncompress our bzip2 file
Step 11.
We can now check to see what type of file was uncompressed.
Type file newdata
We see we now have a gzip file again.
Step 12.
Lets do the same again but this time we already know what we use for gzip files.
Type mv newdata newdata.gz to add our gz file extension.
Type gzip -d newdata.gz to uncompress our gzip file.
Step 13.
We can now check to see what type of file was uncompressed.
Type file newdata
We see we now have a POSIX tar archive.
Step 14.
Type man tar and we find that tar is an archiving utility and when used with -x it will extract the data, -v do it verbosely, -f will use archive file.
Type tar -xvf newdata
We get data5.bin as an extracted file.
Step 15.
Now let's see what type of file this data5.bin is.
Type file data5.bin
Again we see we now have a POSIX tar archive. Like above lets untar it.
Type tar -xvf data5.bin
We get data6.bin as an extracted file.
Step 15.
Now let's see what type of file this data6.bin is.
Type file data6.bin
Again we have a bzip2 file so let's move and rename it.
Type mv data6.bin data7.bz2
Now uncompress the file.
Type bzip2 -d data7.bz2
We now have a new data7 file.
Step 16.
Now let's see what type of file our data7 is.
Type file data7
We see we have another tar file. Lets untar it like we have above.
Type tar -xvf data7
We get a data8.bin file.
Step 17.
Now let's see what type of file our data8.bin is.
Type file data8.bin
We see we have another gzip file so let's mv and rename with .gz extension.
mv data8.bin data9.gz
Step 18.
Now we ungzip out file like before.
Type gzip -d data9.gz
Then we check the uncompressed file type again.
Type file data9
We see we now have a readable ASCII file.
Step 19.
Now that we have an ASCII file let's do a cat on it to display it's contents.
type cat data9 and we see our passoword for the next level is displayed: The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
Host name is bandit.labs.overthewire.org
User: bandit12
password: 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
Commands used for this level:
ls - List information about the FILE's (the current directory by default).
mkdir - make directories.
cp - copy files and directories.
cd - change directory.
file - determine file type.
xxd - make a hexdump or do the reverse.
mv - move (rename) files.
cat - used to view contents of a file.
gzip - compress or expand files.
bzip2 - a block-sorting file compressor.
tar - The GNU version of the tar archiving utility.
Step 1.
After logging in type ls
You will see a file data.txt
Step 2.
Type cat data.txt
In that data.txt file we see a bunch of numbers and letters aligned in rows. These characters aligned like this are known as a hexdump. A hexdump is a hexadecimal view of computer data, from RAM or from a file or storage device.
http://en.wikipedia.org/wiki/Hex_dump
Hexdump's are a very good way to reverse engineer computer programs.
Here is a very interestiong TED talk by Mikko Hypponen explaining viruses and showing some hexdump examples at 1:45 and 10:00.
What we need to do is copy our data.txt file over to /tmp directory because the lab will not let us write data to the directory that the data.txt file is currently in.
First command we need to use to copy the file is mkdir which will make a directory we can do what we want in. This is created under the /tmp directory because files in the /tmp directory can be set to be deleted at reboot or set intervals easily.
Type mkdir /tmp/yourname (where yourname is anything you'd like).
Step 3.
Next we need to copy our file over to our new directory.
Type cp data.txt /tmp/yourname (where yourname is what you chose).
Step 4.
Now we can move over to our created directory and uncompress our file.
Type cd /tmp/yourname and do an ls to make sure your file copied over to here.
Step 5.
First thing we need to is find out what kind of file we have.
Type file data.txt
We see that we currently have a ASCII file but since we know we have a hexdump we need to convert the file to binary.
Step 6.
We need to reverse the ASCII file to a hexdump and Linux has a command to do just that.
Type man xxd
We see the second line under description says xxd can also convert a hex dump back to its original binary form and to do this we look further down the man page and see we need to use -r with xxd to reverse the hexdump.
Type xxd -r data.txt and we see that our data file output has changed but it has not been saved so we need to tell xxd to convert and write this info to a new file for us.
Type xxd -r data.txt newdata
What this command does is it converts our file back to binary with xxd -r command and creates a new file called newdata without a .txt extension.
Step 7.
We now have a new file without an extension and we need to find out what kind of file it is. We can use the file command to do this.
Type file newdata
We see that we have a gzip file.
Step 8.
Type man gzip and we find that gzip is a compression tool that uses .gz as a defualt file extension and when used with -d will decompress a file.
We can now add our .gz file extension to our file by using the move command.
Type mv newdata newdata.gz
Now we can uncompress our gzip file using gzip -d.
Type gzip -d newdata.gz
Step 9.
We can now check to see what type of file was uncompressed.
Type file newdata
We see we now have a bzip2 file.
Step 10.
Lets do the same as before type man bzip2 to find what extension bzip2 uses and what option to use to decompress. We see we need to use .bz2 and -d with our bzip2 command to decompress.
Type mv newdata newdata.bz2 to add our bz2 file extension.
Type bzip2 -d newdata.bz2 to uncompress our bzip2 file
Step 11.
We can now check to see what type of file was uncompressed.
Type file newdata
We see we now have a gzip file again.
Step 12.
Lets do the same again but this time we already know what we use for gzip files.
Type mv newdata newdata.gz to add our gz file extension.
Type gzip -d newdata.gz to uncompress our gzip file.
Step 13.
We can now check to see what type of file was uncompressed.
Type file newdata
We see we now have a POSIX tar archive.
Step 14.
Type man tar and we find that tar is an archiving utility and when used with -x it will extract the data, -v do it verbosely, -f will use archive file.
Type tar -xvf newdata
We get data5.bin as an extracted file.
Step 15.
Now let's see what type of file this data5.bin is.
Type file data5.bin
Again we see we now have a POSIX tar archive. Like above lets untar it.
Type tar -xvf data5.bin
We get data6.bin as an extracted file.
Step 15.
Now let's see what type of file this data6.bin is.
Type file data6.bin
Again we have a bzip2 file so let's move and rename it.
Type mv data6.bin data7.bz2
Now uncompress the file.
Type bzip2 -d data7.bz2
We now have a new data7 file.
Step 16.
Now let's see what type of file our data7 is.
Type file data7
We see we have another tar file. Lets untar it like we have above.
Type tar -xvf data7
We get a data8.bin file.
Step 17.
Now let's see what type of file our data8.bin is.
Type file data8.bin
We see we have another gzip file so let's mv and rename with .gz extension.
mv data8.bin data9.gz
Step 18.
Now we ungzip out file like before.
Type gzip -d data9.gz
Then we check the uncompressed file type again.
Type file data9
We see we now have a readable ASCII file.
Step 19.
Now that we have an ASCII file let's do a cat on it to display it's contents.
type cat data9 and we see our passoword for the next level is displayed: The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
Bandit Level 11 to Level 12
Decoding ROT13
Host name is bandit.labs.overthewire.org
User: bandit11
password: IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR
Commands used for this level:
ls - List information about the FILE's (the current directory by default).
cat - used to view contents of a file.
tr - translate or delete characters.
Step 1.
After logging in type ls
You will see a file data.txt
Step 2.
In that data.txt file we need read some ROT13 encoded data.
http://en.wikipedia.org/wiki/ROT13
ROT13 is a simple letter substitution cipher that replaces a letter with the letter 13 letters after it in the alphabet.
Linux has a command called tr so lets type man tr to learn about this command.
We see that tr will translate, squeeze, and/or delete characters from standard input, writing to standard output. With this command we can tell it to rotate an input of characters 13 letters after by using tr with a-zA-Z n-za-mN-ZA-M.
What this does is it tells the tr command to match the input letters from a-z and A-Z (lower case and upper) to 13 characters after those being n-za-mN-ZA-M. We need to type the second part this way because the command does not know that it should go back to a after hitting z so 13 characters after a is n and so on then if it goes past z to start at a again.
Step3.
Now all we need to do is cat data.txt and pipe it to the tr command with our ROT13 cipher.
Type cat data.txt | tr a-zA-Z n-za-mN-ZA-M and our decoded ROT13 data is displayed: The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
Host name is bandit.labs.overthewire.org
User: bandit11
password: IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR
Commands used for this level:
ls - List information about the FILE's (the current directory by default).
cat - used to view contents of a file.
tr - translate or delete characters.
Step 1.
After logging in type ls
You will see a file data.txt
Step 2.
In that data.txt file we need read some ROT13 encoded data.
http://en.wikipedia.org/wiki/ROT13
ROT13 is a simple letter substitution cipher that replaces a letter with the letter 13 letters after it in the alphabet.
Linux has a command called tr so lets type man tr to learn about this command.
We see that tr will translate, squeeze, and/or delete characters from standard input, writing to standard output. With this command we can tell it to rotate an input of characters 13 letters after by using tr with a-zA-Z n-za-mN-ZA-M.
What this does is it tells the tr command to match the input letters from a-z and A-Z (lower case and upper) to 13 characters after those being n-za-mN-ZA-M. We need to type the second part this way because the command does not know that it should go back to a after hitting z so 13 characters after a is n and so on then if it goes past z to start at a again.
Step3.
Now all we need to do is cat data.txt and pipe it to the tr command with our ROT13 cipher.
Type cat data.txt | tr a-zA-Z n-za-mN-ZA-M and our decoded ROT13 data is displayed: The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
Sunday, December 7, 2014
Bandit Level 10 to Level 11
View base64 encoded data.
Host name is bandit.labs.overthewire.org
User: bandit10
password: truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
Commands used for this level:
ls - List information about the FILE's (the current directory by default).
cat - used to view contents of a file.
base64 - encode/decode data and print to standard output (use with -d to decode)
Step 1.
After logging in type ls
You will see a file data.txt
Step 2.
In that data.txt file we need read some base64 encoded data.
Type cat data.txt
We see what looks like our password but is much longer than our password really is. We need to decode the text to get our password.
To decode the data we need to learn about base64 encoded data.
http://en.wikipedia.org/wiki/Base64
We learn that base64 is a binary to text encoding scheme. What base64 does is it encodes and decodes data into its base64 value.
The steps base64 encode takes are:
1. Each letter of text in a string of characters (a word) is converted to its ASCII decimal value. We will use the word "The" as our example. Looking up the ASCII chart we see the decimal values for T = 84, h = 104, e = 101.
2. Each decimal value is then converted to binary. To convert to binary from decimal you just divide the number by 2 repeatedly until you reach a value of 0. If your division has a remainder then your bit gets set to 1.
2/84 = 42 remainder 0
2/42 = 21 remainder 0
2/21 = 10 remainder 1
2/10 = 5 remainder 0
2/5 = 2 remainder 1
2/2 = 1 remainder 0
2/1 = 0 remainder 1
binary value for T is 01010100
binary value for h is 01101000
binary value for e is 01100101
3. The binary values for each word is then combined into a string of binary 010101000110100001100101 and broken up into strings of 6 bits 010101,000110,100001,100101
4. Each 6 bit string is then converted back to decimal value.
010101 = 21
000110 = 6
100001 = 33
100101 = 37
5. Finally those decimal values are matched to the base64 index values.
21 = V
6 = G
33 = h
37 = l
Step 3.
It just so happens that Linux has a base64 tool. Lets read the man page by typing man base64. We see that this command when used with a -d will decode base64 data.
Type base64 -d data.txt and our decoded base64 data is display: The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR
Host name is bandit.labs.overthewire.org
User: bandit10
password: truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
Commands used for this level:
ls - List information about the FILE's (the current directory by default).
cat - used to view contents of a file.
base64 - encode/decode data and print to standard output (use with -d to decode)
Step 1.
After logging in type ls
You will see a file data.txt
Step 2.
In that data.txt file we need read some base64 encoded data.
Type cat data.txt
We see what looks like our password but is much longer than our password really is. We need to decode the text to get our password.
To decode the data we need to learn about base64 encoded data.
http://en.wikipedia.org/wiki/Base64
We learn that base64 is a binary to text encoding scheme. What base64 does is it encodes and decodes data into its base64 value.
The steps base64 encode takes are:
1. Each letter of text in a string of characters (a word) is converted to its ASCII decimal value. We will use the word "The" as our example. Looking up the ASCII chart we see the decimal values for T = 84, h = 104, e = 101.
2. Each decimal value is then converted to binary. To convert to binary from decimal you just divide the number by 2 repeatedly until you reach a value of 0. If your division has a remainder then your bit gets set to 1.
2/84 = 42 remainder 0
2/42 = 21 remainder 0
2/21 = 10 remainder 1
2/10 = 5 remainder 0
2/5 = 2 remainder 1
2/2 = 1 remainder 0
2/1 = 0 remainder 1
binary value for T is 01010100
binary value for h is 01101000
binary value for e is 01100101
3. The binary values for each word is then combined into a string of binary 010101000110100001100101 and broken up into strings of 6 bits 010101,000110,100001,100101
4. Each 6 bit string is then converted back to decimal value.
010101 = 21
000110 = 6
100001 = 33
100101 = 37
5. Finally those decimal values are matched to the base64 index values.
21 = V
6 = G
33 = h
37 = l
Step 3.
It just so happens that Linux has a base64 tool. Lets read the man page by typing man base64. We see that this command when used with a -d will decode base64 data.
Type base64 -d data.txt and our decoded base64 data is display: The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR
Friday, December 5, 2014
Bandit Level 9 to Level 10
Find a string of human-readable lines in a text file.
Host name is bandit.labs.overthewire.org
User: bandit9
password: UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
Commands used for this level:
ls - List information about the FILE's (the current directory by default).
cat - used to view contents of a file.
strings - print the strings of printable characters in files.
grep - print lines matching a pattern.
Step 1.
After logging in type ls
You will see a file data.txt
Step 2.
In that data.txt file we need to find a string that is human-readable and starts with the = character. Lets do a cat on the data.txt file to see what the data looks like.
Type cat data.txt
We see that we have a file with mostly garbled data. Now we could just scroll up through the data and look for the = characters along with the only human-readable text to find the password but lets use some tools to find our password.
Step 3.
We know we are looking for a string of characters so lets do a man strings.
We see that strings prints the printable character sequences that are at least 4 characters long. Perfect for looking for a string of character that would be our password.
Type strings data.txt
We can clearly see our password here but lets narrow it down to be sure.
Step 4.
We know we are looking for a string that starts with = characters and grep is a tool that we can use to print lines of a matching character. Lets do a man grep.
We see that grep searches the named input file for lines containing a match to a given pattern. Lets pipe our strings command to grep with a "=" as a search pattern.
Type strings data.txt | grep "=" and our password for level 10 is displayed but we can shorten our ouput even more by using "==" as a search pattern for grep.
4a. Type strings data.txt | grep "==" and we get our full desired output.
truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
Host name is bandit.labs.overthewire.org
User: bandit9
password: UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
Commands used for this level:
ls - List information about the FILE's (the current directory by default).
cat - used to view contents of a file.
strings - print the strings of printable characters in files.
grep - print lines matching a pattern.
Step 1.
After logging in type ls
You will see a file data.txt
Step 2.
In that data.txt file we need to find a string that is human-readable and starts with the = character. Lets do a cat on the data.txt file to see what the data looks like.
Type cat data.txt
We see that we have a file with mostly garbled data. Now we could just scroll up through the data and look for the = characters along with the only human-readable text to find the password but lets use some tools to find our password.
Step 3.
We know we are looking for a string of characters so lets do a man strings.
We see that strings prints the printable character sequences that are at least 4 characters long. Perfect for looking for a string of character that would be our password.
Type strings data.txt
We can clearly see our password here but lets narrow it down to be sure.
Step 4.
We know we are looking for a string that starts with = characters and grep is a tool that we can use to print lines of a matching character. Lets do a man grep.
We see that grep searches the named input file for lines containing a match to a given pattern. Lets pipe our strings command to grep with a "=" as a search pattern.
Type strings data.txt | grep "=" and our password for level 10 is displayed but we can shorten our ouput even more by using "==" as a search pattern for grep.
4a. Type strings data.txt | grep "==" and we get our full desired output.
truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
Bandit Level 8 to Level 9
Find string of text in a text file that is the only line that does not have a duplicate line.
Host name is bandit.labs.overthewire.org
User: bandit8
password: cvX2JJa4CFALtqS87jk27qwqGhBM9plV
Commands used for this level:
ls - List information about the FILE's (the current directory by default).
sort - sort lines of text files print to stdout
uniq - report or omit repeated lines
Step 1.
After logging in type ls
You will see a file data.txt
Step 2.
In that data.txt file we need to find the one line that does not repeat, that line will be our password for the next level.
You could start with a cat of the file and find that the file is huge, it would take forever to search to find the one non-repeating line with out a tool. Let's figure out what command we could use to sort the data and find this line. Lets look at the man page for sort. We see that sort will sort the text for us in order. Let's do a sort on data.txt.
2a. Type sort data.txt
We see that sort has sorted all the text in our data.txt file and we see that we do have many repeating lines of data. We need to somehow find the one non-repeating line still. If we go back to the man page on sort and scroll to the bottom we see that it says to SEE ALSO uniq. Let's do a man uniq. We see that uniq is used to filter adjacent matching lines from INPUT. We also see that when uniq is used with -u option it will print only unique lines of text. Lets sort the data.txt file and pipe into uniq.
2b. Type sort data.txt | uniq -u and our password for level 9 is displayed.
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
Host name is bandit.labs.overthewire.org
User: bandit8
password: cvX2JJa4CFALtqS87jk27qwqGhBM9plV
Commands used for this level:
ls - List information about the FILE's (the current directory by default).
sort - sort lines of text files print to stdout
uniq - report or omit repeated lines
Step 1.
After logging in type ls
You will see a file data.txt
Step 2.
In that data.txt file we need to find the one line that does not repeat, that line will be our password for the next level.
You could start with a cat of the file and find that the file is huge, it would take forever to search to find the one non-repeating line with out a tool. Let's figure out what command we could use to sort the data and find this line. Lets look at the man page for sort. We see that sort will sort the text for us in order. Let's do a sort on data.txt.
2a. Type sort data.txt
We see that sort has sorted all the text in our data.txt file and we see that we do have many repeating lines of data. We need to somehow find the one non-repeating line still. If we go back to the man page on sort and scroll to the bottom we see that it says to SEE ALSO uniq. Let's do a man uniq. We see that uniq is used to filter adjacent matching lines from INPUT. We also see that when uniq is used with -u option it will print only unique lines of text. Lets sort the data.txt file and pipe into uniq.
2b. Type sort data.txt | uniq -u and our password for level 9 is displayed.
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
Wednesday, December 3, 2014
Bandit Level 7 to Level 8
Find the password in a large text file with a matching string.
Host name is bandit.labs.overthewire.org
User: bandit7
password: HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
Commands used for this level:
ls - List information about the FILE's (the current directory by default).
cat - used to view contents of a file.
grep - searches the named input files.
Step 1.
After logging in type ls
You will see a file data.txt
Step 2.
In that data.txt file we need to find the word millionth and our password will be next to it.
Go ahead and try a cat data.txt to see what happens.We get a giant stream of data, we need to filter that data.We know from the last level that grep is great for searching for a matched string. Lets pipe our cat of data.txt to grep and match the word millionth.
Type cat data.txt | grep millionth and our password for level 8 is displayed.
cvX2JJa4CFALtqS87jk27qwqGhBM9plV
Host name is bandit.labs.overthewire.org
User: bandit7
password: HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
Commands used for this level:
ls - List information about the FILE's (the current directory by default).
cat - used to view contents of a file.
grep - searches the named input files.
Step 1.
After logging in type ls
You will see a file data.txt
Step 2.
In that data.txt file we need to find the word millionth and our password will be next to it.
Go ahead and try a cat data.txt to see what happens.We get a giant stream of data, we need to filter that data.We know from the last level that grep is great for searching for a matched string. Lets pipe our cat of data.txt to grep and match the word millionth.
Type cat data.txt | grep millionth and our password for level 8 is displayed.
cvX2JJa4CFALtqS87jk27qwqGhBM9plV
Bandit Level 6 to Level 7
Find a file somewhere on a server that is owned by a user, a group, and by size.
Host name is bandit.labs.overthewire.org
User: bandit6
password: DXjZPULLxYr17uwoI01bNLQbtFemEgo7
Commands used for this level:
find - search for files in a directory.
cat - used to view contents of a file.
grep - searches the named input files.
Step 1.
We need to find a file owned by user bandit7, group bandit6, and is 33 bytes in size.
Lets use man page for find to find our options to use.
1a. Type man find and in the man page type /-user we see that to find by user we need to add -user username option. (pressing n after the search will jump to the next found matched search term and SHIFT + n will search backwards)
1b. Still in find man page type /group and we see that we need -group groupname to search by group.
1c. While still in find man page /size to see we need to add -size n (n being size of the file with a "c" for bytes)
We now know our command will be find -user bandit7 -group bandit6 -size 33c
Step 2.
Type our command find -user bandit7 -group bandit6 -size 33c
We see we have an issue with what we find which is nothing because we are not searching the entire server, so we should do a find at the root of the server by adding a / after find (/ is root of the file system, all other files are under root)
2a. Type find / -user bandit7 -group bandit6 -size 33c
You can scroll through the output and find our file by looking for the one file that does not display Permission denied which is /var/lib/dpkg/info/bandit7.password and then cat that file but lets go further and clean up our output to have the computer find the exact file for us so we do not have to search through all the lines.
2c. What well do is use 2>&1 which is a way of redirecting error messages.
There are always three default files
open, stdin (the keyboard),
stdout (the screen), and
stderr (error messages output to the
screen). These, and any other open files, can be redirected.
Redirection simply means capturing output from a file, command,
program, script, or even code block within a script and sending it as
input to another file, command, program, or script.
In other words, it will send any error messages to whatever you have currently defined for output. Normal output would be your screen, but you can set this so output is going to a file or command. We will be sending the output to the grep command. Lets do a man on grep
2d. type man grep
type /invert we find that -v option will invert the sense of matching.
type /-F we find that -F option will match a given pattern and we know we want to remove any output that shows Permission denied so we will use Permission as our pattern to match.
So breaking this down we want to match using -F Permission
and then we don't want to see anything that displays Permission so we invert our -F matching with -v to not show any files that say Permission.
2f. Our final command to find our exact file will be:
find / -user bandit7 -group bandit6 -size 33c 2>&1 | grep -F -v Permission
We see now our one file is at /var/lib/dpkg/info/bandit7.password
Step 3. type cat /var/lib/dpkg/info/bandit7.password and our password for level 7 is displayed.
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
Host name is bandit.labs.overthewire.org
User: bandit6
password: DXjZPULLxYr17uwoI01bNLQbtFemEgo7
Commands used for this level:
find - search for files in a directory.
cat - used to view contents of a file.
grep - searches the named input files.
Step 1.
We need to find a file owned by user bandit7, group bandit6, and is 33 bytes in size.
Lets use man page for find to find our options to use.
1a. Type man find and in the man page type /-user we see that to find by user we need to add -user username option. (pressing n after the search will jump to the next found matched search term and SHIFT + n will search backwards)
1b. Still in find man page type /group and we see that we need -group groupname to search by group.
1c. While still in find man page /size to see we need to add -size n (n being size of the file with a "c" for bytes)
We now know our command will be find -user bandit7 -group bandit6 -size 33c
Step 2.
Type our command find -user bandit7 -group bandit6 -size 33c
We see we have an issue with what we find which is nothing because we are not searching the entire server, so we should do a find at the root of the server by adding a / after find (/ is root of the file system, all other files are under root)
2a. Type find / -user bandit7 -group bandit6 -size 33c
You can scroll through the output and find our file by looking for the one file that does not display Permission denied which is /var/lib/dpkg/info/bandit7.password and then cat that file but lets go further and clean up our output to have the computer find the exact file for us so we do not have to search through all the lines.
2c. What well do is use 2>&1 which is a way of redirecting error messages.
- 2 is the default file descriptor for stderr.
- 1 is the default file descriptor for stdout.
>&is shell syntax for "fold the previous (first) file descriptor into the forthcoming (second) file descriptor."
In other words, it will send any error messages to whatever you have currently defined for output. Normal output would be your screen, but you can set this so output is going to a file or command. We will be sending the output to the grep command. Lets do a man on grep
2d. type man grep
type /invert we find that -v option will invert the sense of matching.
type /-F we find that -F option will match a given pattern and we know we want to remove any output that shows Permission denied so we will use Permission as our pattern to match.
So breaking this down we want to match using -F Permission
and then we don't want to see anything that displays Permission so we invert our -F matching with -v to not show any files that say Permission.
2f. Our final command to find our exact file will be:
find / -user bandit7 -group bandit6 -size 33c 2>&1 | grep -F -v Permission
We see now our one file is at /var/lib/dpkg/info/bandit7.password
Step 3. type cat /var/lib/dpkg/info/bandit7.password and our password for level 7 is displayed.
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
Bandit Level 5 to Level 6
Find and display human readable files by size in bytes and not executable.
Host name is bandit.labs.overthewire.org
User: bandit5
password: koReBOKuIDDepwhWk7jZC0RTdopnAYKh
Commands used for this level:
ls - List information about the FILE's (the current directory by default).
cd - change directory.
man - an interface to the on-line reference manuals
find - search for files in a directory.
/ - here we use it to search man pages
cat - used to view contents of a file.
Step 1.
After logging in type ls
You will see a directory named inhere (you can tell its a directory instead of a file because it is a different color).
Step 2.
Type ls and we will see multiple directories that we need to search for a human readable file, that is 1033 bytes, and is not executable.
To do this we need to use the find command with some options.
2a. Type man find to view the man page for find command.
To make finding this solution easier we can search the man page by typing forward slash (/) once in the man page (the / is used to open the search option). Now type readable after the / and we see how to use the -readable option.
2b. We also need to find how to use size and executable options so press / again and search for size. This shows we need to use -size n (n being the size we are looking for followed by "c" to use bytes).
2c. Now press / again and search for executable and we see we need to use -executable as our last option but remember that we are looking for not executable so we will use ! in front of the -executable option (! is the computer programming symbol for NOT)
From our searching we now know our command will be find -readable -size 1033c ! -executable
Type find -readable - size 1033c ! -executable
We see our only file that fits our search options displayed is ./maybehere07/.file2
Step3.
Last step is simply to display our found file.
Type cat ./maybehere07/.file2 and the password for level 6 is displayed.
DXjZPULLxYr17uwoI01bNLQbtFemEgo7
Host name is bandit.labs.overthewire.org
User: bandit5
password: koReBOKuIDDepwhWk7jZC0RTdopnAYKh
Commands used for this level:
ls - List information about the FILE's (the current directory by default).
cd - change directory.
man - an interface to the on-line reference manuals
find - search for files in a directory.
/ - here we use it to search man pages
cat - used to view contents of a file.
Step 1.
After logging in type ls
You will see a directory named inhere (you can tell its a directory instead of a file because it is a different color).
Step 2.
Type ls and we will see multiple directories that we need to search for a human readable file, that is 1033 bytes, and is not executable.
To do this we need to use the find command with some options.
2a. Type man find to view the man page for find command.
To make finding this solution easier we can search the man page by typing forward slash (/) once in the man page (the / is used to open the search option). Now type readable after the / and we see how to use the -readable option.
2b. We also need to find how to use size and executable options so press / again and search for size. This shows we need to use -size n (n being the size we are looking for followed by "c" to use bytes).
2c. Now press / again and search for executable and we see we need to use -executable as our last option but remember that we are looking for not executable so we will use ! in front of the -executable option (! is the computer programming symbol for NOT)
From our searching we now know our command will be find -readable -size 1033c ! -executable
Type find -readable - size 1033c ! -executable
We see our only file that fits our search options displayed is ./maybehere07/.file2
Step3.
Last step is simply to display our found file.
Type cat ./maybehere07/.file2 and the password for level 6 is displayed.
DXjZPULLxYr17uwoI01bNLQbtFemEgo7
Bandit Level 4 to Level 5
Find human readable files and dealing with dashed (-) file names.
Host name is bandit.labs.overthewire.org
User: bandit4
password: pIwrPrtPN36QITSp3EQaw936yaFoFgAB
Commands used for this level:
ls - List information about all the file's include hidden files that start with (.).
cd - change directory
du - estimate file space usage
file - determine file type
cat - used to view contents of a file.
| - this is the pipe command and used to pass info from one command to another.
Step 1.
After logging in type ls
You will see a directory named inhere (you can tell its a directory instead of a file because it is a different color).
Step 2.
Type ls and we will see multiple files that start with a dash. We need to find the only human readable file. Before we do that lets type man du to learn what du does. We will see that du estimates file space and when used with the -h will print sizes in human readable format.
Now that we know we need to use du -h we need to use file command at the same time to find that human readable file. What we do is use the pipe command to pipe the du command into the file command. We also need to deal with the dashed (-) file name so we need to tell file command to work in the current directory by typing ./ just like we did in level one.
Type du -h | file ./* (the * is used as a wildcard to search all files)
./-file00: data
./-file01: data
./-file02: data
./-file03: data
./-file04: data
./-file05: data
./-file06: data
./-file07: ASCII text
./-file08: data
./-file09: data
We find that -file07 is the human readable ASCII file.
Step 3.
Now all we need to do is cat -file07, but remember we are dealing with a dashed file name so we need to tell cat the exact place of the file by using ./
Type cat ./-file07 and the password for level 5 is displayed.
koReBOKuIDDepwhWk7jZC0RTdopnAYKh
Host name is bandit.labs.overthewire.org
User: bandit4
password: pIwrPrtPN36QITSp3EQaw936yaFoFgAB
Commands used for this level:
ls - List information about all the file's include hidden files that start with (.).
cd - change directory
du - estimate file space usage
file - determine file type
cat - used to view contents of a file.
| - this is the pipe command and used to pass info from one command to another.
Step 1.
After logging in type ls
You will see a directory named inhere (you can tell its a directory instead of a file because it is a different color).
Step 2.
Type ls and we will see multiple files that start with a dash. We need to find the only human readable file. Before we do that lets type man du to learn what du does. We will see that du estimates file space and when used with the -h will print sizes in human readable format.
Now that we know we need to use du -h we need to use file command at the same time to find that human readable file. What we do is use the pipe command to pipe the du command into the file command. We also need to deal with the dashed (-) file name so we need to tell file command to work in the current directory by typing ./ just like we did in level one.
Type du -h | file ./* (the * is used as a wildcard to search all files)
./-file00: data
./-file01: data
./-file02: data
./-file03: data
./-file04: data
./-file05: data
./-file06: data
./-file07: ASCII text
./-file08: data
./-file09: data
We find that -file07 is the human readable ASCII file.
Step 3.
Now all we need to do is cat -file07, but remember we are dealing with a dashed file name so we need to tell cat the exact place of the file by using ./
Type cat ./-file07 and the password for level 5 is displayed.
koReBOKuIDDepwhWk7jZC0RTdopnAYKh
Bandit Level 3 to Level 4
Viewing hidden files.
Host name is bandit.labs.overthewire.org
User: bandit3
password: UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
Commands used for this level:
ls -a - List information about all the file's include hidden files that start with (.).
cd - change directory
cat - used to view contents of a file.
Step 1.
After logging in type ls
You will see a directory named inhere (you can tell its a directory instead of a file because it is a different color).
Step 2.
Change directory to inhere by typing cd inhere
Step 3.
Now in the /home/bandit3/inhere directory go ahead and type ls.
Nothing will be displayed because the file we are looking for is hidden by placing a . in front of the file name. Placing a period as the first character of a file name is how you hide files in Linux.
We need to use ls -a , the dash a means display all files including hidden files.
We will now see the .hidden file.
Type cat .hidden and the password for level 4 is displayed.
pIwrPrtPN36QITSp3EQaw936yaFoFgAB
Host name is bandit.labs.overthewire.org
User: bandit3
password: UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
Commands used for this level:
ls -a - List information about all the file's include hidden files that start with (.).
cd - change directory
cat - used to view contents of a file.
Step 1.
After logging in type ls
You will see a directory named inhere (you can tell its a directory instead of a file because it is a different color).
Step 2.
Change directory to inhere by typing cd inhere
Step 3.
Now in the /home/bandit3/inhere directory go ahead and type ls.
Nothing will be displayed because the file we are looking for is hidden by placing a . in front of the file name. Placing a period as the first character of a file name is how you hide files in Linux.
We need to use ls -a , the dash a means display all files including hidden files.
We will now see the .hidden file.
Type cat .hidden and the password for level 4 is displayed.
pIwrPrtPN36QITSp3EQaw936yaFoFgAB
Bandit Level 2 to Level 3
Dealing with files with spaces in the file name.
Host name is bandit.labs.overthewire.org
User: bandit2
password: CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
Commands used for this level:
cat - used to view contents of a file.
ls - List information about the FILE's (the current directory by default).
Step 1.
After logging in type ls
You will see a file named spaces in this filename
Step 2.
Linux does not handle spaces in file names well so if you do type
cat spaces in this filename, cat will think you are trying to view the contents of file spaces, file in, file this, and file filename and those separate files do not exist.
One of the reasons Linux does not handle spaces in file names is that bash scripting uses spaces as a NULL terminator to break a script at a certain point. It is considered a best practice to not use spaces in filenames in Linux, underscores (_) are generally used in place of spaces. spaces_in_this_filename would be a better way to name this file if you where to create it.
To get around this we need to "hide" the spaces from cat, just like in the Level 1. To do this we simply type a backslash (\) in the filename before each space.
Type cat spaces\ in\ this\ filename.
The contents of the file has the password for level 3 in it.
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
Another quick way around typing the full filename out is to use the TAB key. The TAB key in Linux and most command line interperters is used to auto complete the full filename or full command name from only the first few characters being entered.
We could have just done cat s and pressed the TAB key and it would auto complete the filename with backslashes in it for us.
cat spaces\ in\ this\ filename
Using the TAB key only works if the filename has enough distinct characters in it for the system to auto complete the filename. If we had other files in this directory with names like spaces in and spaces, for auto complete to work for our file spaces in this filename we would need to type cat spaces in t then press TAB to auto complete the file we want to cat.
Host name is bandit.labs.overthewire.org
User: bandit2
password: CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
Commands used for this level:
cat - used to view contents of a file.
ls - List information about the FILE's (the current directory by default).
Step 1.
After logging in type ls
You will see a file named spaces in this filename
Step 2.
Linux does not handle spaces in file names well so if you do type
cat spaces in this filename, cat will think you are trying to view the contents of file spaces, file in, file this, and file filename and those separate files do not exist.
One of the reasons Linux does not handle spaces in file names is that bash scripting uses spaces as a NULL terminator to break a script at a certain point. It is considered a best practice to not use spaces in filenames in Linux, underscores (_) are generally used in place of spaces. spaces_in_this_filename would be a better way to name this file if you where to create it.
To get around this we need to "hide" the spaces from cat, just like in the Level 1. To do this we simply type a backslash (\) in the filename before each space.
Type cat spaces\ in\ this\ filename.
The contents of the file has the password for level 3 in it.
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
Another quick way around typing the full filename out is to use the TAB key. The TAB key in Linux and most command line interperters is used to auto complete the full filename or full command name from only the first few characters being entered.
We could have just done cat s and pressed the TAB key and it would auto complete the filename with backslashes in it for us.
cat spaces\ in\ this\ filename
Using the TAB key only works if the filename has enough distinct characters in it for the system to auto complete the filename. If we had other files in this directory with names like spaces in and spaces, for auto complete to work for our file spaces in this filename we would need to type cat spaces in t then press TAB to auto complete the file we want to cat.
Bandit Level 1 to Level 2
Viewing files with dashed (-) filenames.
Host name is bandit.labs.overthewire.org
User: bandit1
password: boJ9jbbUNNfktd78OOpsqOltutMc3MY1
Commands used for this level:
cat - used to view contents of a file.
ls - List information about the FILE's (the current directory by default).
Step 1.
After logging in type ls
You will see a file named -
Step 2.
Now from the last level we might think that typing cat - would allow you to view the contents of the file, but it wont.
Usage of dash (-) in place of a filename
Using
What will happen in our case is cat - echoes stdin, in this case keyboard user input, to stdout, the terminal window. Go ahead and try it to see what happens.
(if you are stuck after doing this press CTRL C to exit back to bash prompt).
The other problem is that Linux command options usually start with a dash (
To get around this, you need to alter the way that cat sees the file as a regular file by "hiding" the dash from cat. The best way to do this is to cat directly to the file location by prefixing the filename with ./ or /home/bandit1/. ./ means "look in the current directory". and /home/bandit1/ means "look in directory /home/bandit1.
Type cat ./-
The contents of the file has the password for level 2 in it.
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
Host name is bandit.labs.overthewire.org
User: bandit1
password: boJ9jbbUNNfktd78OOpsqOltutMc3MY1
Commands used for this level:
cat - used to view contents of a file.
ls - List information about the FILE's (the current directory by default).
Step 1.
After logging in type ls
You will see a file named -
Step 2.
Now from the last level we might think that typing cat - would allow you to view the contents of the file, but it wont.
Usage of dash (-) in place of a filename
Using
- as a filename to mean stdin/stdout is a convention that a lot of programs use. When cat sees the string - as a filename, it treats it as a synonym for stdin.What will happen in our case is cat - echoes stdin, in this case keyboard user input, to stdout, the terminal window. Go ahead and try it to see what happens.
(if you are stuck after doing this press CTRL C to exit back to bash prompt).
The other problem is that Linux command options usually start with a dash (
-
).
If you try to type that filename on a command line, the command might
think you're trying to type a command option.To get around this, you need to alter the way that cat sees the file as a regular file by "hiding" the dash from cat. The best way to do this is to cat directly to the file location by prefixing the filename with ./ or /home/bandit1/. ./ means "look in the current directory". and /home/bandit1/ means "look in directory /home/bandit1.
Type cat ./-
The contents of the file has the password for level 2 in it.
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
Bandit level 0 to Level 1
First we need to connect to the Over the Wire Bandit game with SSH. You will need a SSH client. For Linux I suggest Gnome Connection Manager and for Windows I suggest Putty.
Host name is bandit.labs.overthewire.org
User: bandit0
password: bandit0
The best tool to use to read about Linux commands is the man pages. To use man pages you simply type; man <command name>
Example: man ls
Commands used for this level:
ls - List information about the FILE's (the current directory by default).
The two most common arguments used with ls are:
ls -a - view all files including hidden files that start with .
ls -l - view long list format of files.
cat - used to view contents of a file.
Step 1.
After logging in type ls
You will see a file named readme
Step 2.
Type cat readme
The contents of the file has the password for level 1 in it.
boJ9jbbUNNfktd78OOpsqOltutMc3MY1
Host name is bandit.labs.overthewire.org
User: bandit0
password: bandit0
The best tool to use to read about Linux commands is the man pages. To use man pages you simply type; man <command name>
Example: man ls
Commands used for this level:
ls - List information about the FILE's (the current directory by default).
The two most common arguments used with ls are:
ls -a - view all files including hidden files that start with .
ls -l - view long list format of files.
cat - used to view contents of a file.
Step 1.
After logging in type ls
You will see a file named readme
Step 2.
Type cat readme
The contents of the file has the password for level 1 in it.
boJ9jbbUNNfktd78OOpsqOltutMc3MY1
Subscribe to:
Posts (Atom)