Bandit Writeup


Table of Contents

  1. Level 0
  2. Level 0 -> Level 1
  3. Level 1 -> Level 2
  4. Level 2 -> Level 3
  5. Level 3 -> Level 4
  6. Level 4 -> Level 5
  7. Level 5 -> Level 6
  8. Level 6 -> Level 7
  9. Level 7 -> Level 8
  10. Level 8 -> Level 9
  11. Level 9 -> Level 10
  12. Level 10 -> Level 11
  13. Level 11 -> Level 12
  14. Level 12 -> Level 13
  15. Level 13 -> Level 14
  16. Level 14 -> Level 15

Level 0
The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.

Commands you may need to solve this level:
ssh

Helpful Reading Material
Secure Shell (SSH) on Wikipedia
How to use SSH on wikiHow


Level 0 -> Level 1
The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.

Commands you may need to solve this level:
ls, cd, cat, file, du, find


$ ssh bandit0@bandit.labs.overthewire.org -p 2220
$ ls
$ cat readme
            

boJ9jbbUNNfktd78OOpsqOltutMc3MY1


Level 1 -> Level 2
The password for the next level is stored in a file called - located in the home directory

Commands you may need to solve this level:
ls, cd, cat, file, du, find

Helpful Reading Material
Google Search for “dashed filename”
Advanced Bash-scripting Guide - Chapter 3 - Special Characters


$ ssh bandit1@bandit.labs.overthewire.org -p 2220
$ ls -la
$ cat ./-
            

CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9


Level 2 -> Level 3
The password for the next level is stored in a file called spaces in this filename located in the home directory

Commands you may need to solve this level:
ls, cd, cat, file, du, find

Helpful Reading Material
Google Search for “spaces in filename”


$ ssh bandit2@bandit.labs.overthewire.org -p 2220
$ ls -la
$ cat spaces\ in\ this\ filename
            

UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK


Level 3 -> Level 4
The password for the next level is stored in a hidden file in the inhere directory.

Commands you may need to solve this level:
ls, cd, cat, file, du, find


$ ssh bandit3@bandit.labs.overthewire.org -p 2220
$ cd inhere/
$ ls -la
$ cat .hidden
            

pIwrPrtPN36QITSp3EQaw936yaFoFgAB


Level 4 -> Level 5
The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.

Commands you may need to solve this level:
ls, cd, cat, file, du, find


$ ssh bandit4@bandit.labs.overthewire.org -p 2220
$ cd inhere/
$ ls -la
$ file -- *
$ cat ./-file07
            

koReBOKuIDDepwhWk7jZC0RTdopnAYKh


Level 5 -> Level 6
The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:
human-readable
1033 bytes in size
not executable

Commands you may need to solve this level:
ls, cd, cat, file, du, find


$ ssh bandit5@bandit.labs.overthewire.org -p 2220
$ cd inhere/
$ ls -laR
$ find -type f -size 1033c
  # some other variants:
  #   - $ cat $(find . -size 1033c)
  #   - $ find . -size 1033c -exec cat {} \;

$ cat maybehere07/.file2
            

DXjZPULLxYr17uwoI01bNLQbtFemEgo7h


Level 6 -> Level 7
The password for the next level is stored somewhere on the server and has all of the following properties:
owned by user bandit7
owned by group bandit6
33 bytes in size

Commands you may need to solve this level:
ls, cd, cat, file, du, find, grep


$ ssh bandit6@bandit.labs.overthewire.org -p 2220
$ find / -size 33c -group bandit6 -user bandit7
$ cat /var/lib/dpkg/info/bandit7.password
            

HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs


Level 7 -> Level 8
The password for the next level is stored in the file data.txt next to the word millionth

Commands you may need to solve this level:
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd


$ ssh bandit7@bandit.labs.overthewire.org -p 2220
$ ls -la
$ cat data.txt | grep millionth
            

cvX2JJa4CFALtqS87jk27qwqGhBM9plV


Level 8 -> Level 9
The password for the next level is stored in the file data.txt and is the only line of text that occurs only once

Commands you may need to solve this level:
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd


$ ssh bandit8@bandit.labs.overthewire.org -p 2220
$ ls -la
$ sort data.txt | uniq -u
            

UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR


Level 9 -> Level 10
The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.

Commands you may need to solve this level:
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd


$ ssh bandit9@bandit.labs.overthewire.org -p 2220
$ ls -la
$ strings data.txt | grep ==
            

truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk


Level 10 -> Level 11
The password for the next level is stored in the file data.txt, which contains base64 encoded data

Commands you may need to solve this level:
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

Helpful Reading Material
Base64 on Wikipedia


$ ssh bandit10@bandit.labs.overthewire.org -p 2220
$ ls -la
$ cat data.txt | base64 -d
  # $ base64 -d data.txt
            

IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR


Level 11 -> Level 12
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions

Commands you may need to solve this level:
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

Helpful Reading Material
Rot13 on Wikipedia


$ ssh bandit11@bandit.labs.overthewire.org -p 2220
$ ls -la
$ cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'
            

5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu


Level 12 -> Level 13
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)

Commands you may need to solve this level:
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd, mkdir, cp, mv, file

Helpful Reading Material
Hex dump on Wikipedia


$ ssh bandit12@bandit.labs.overthewire.org -p 2220
$ mkdir /tmp/myfolder
$ cp data.txt /tmp/myfolder
$ cd /tmp/myfolder
$ xxd -r data.txt data.bin
$ zcat data.bin | bzcat | zcat | tar xO | tar xO | bzcat | tar xO | zcat
    # Tip: end the pipeline with 'file -' at each step to identify which command to use next
    #   - $ zcat data.bin | bzcat | zcat | tar xO | tar xO | bzcat | tar xO | file -
            

8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
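
The Level 12 -> Level 13 pipeline above was built by hand, one 'file -' check per layer. The script below is an added example, not part of the original writeup: it automates that loop, reading each layer's magic bytes with od/dd in place of 'file' and unwrapping until plain data remains. The function names layer_type and peel_layers are made up for this example.

```bash
# Added example, not from the original writeup.
# Run after: xxd -r data.txt data.bin

# Print the layer type of file $1: gzip, bzip2, tar or data.
layer_type() {
    local magic
    magic=$(od -An -tx1 -N3 "$1" | tr -d ' \n')
    case "$magic" in
        1f8b*)  echo gzip ;;     # gzip magic 1f 8b
        425a68) echo bzip2 ;;    # "BZh"
        *)  # tar archives carry "ustar" at offset 257
            if [ "$(dd if="$1" bs=1 skip=257 count=5 2>/dev/null | tr -d '\0')" = "ustar" ]; then
                echo tar
            else
                echo data
            fi ;;
    esac
}

# Unwrap file $1 layer by layer and print the final payload on stdout.
# Progress goes to stderr; gives up after 20 layers to bound the work.
peel_layers() {
    local work cur next kind i
    work=$(mktemp -d) || return 1
    cur="$work/layer0"
    cp -- "$1" "$cur" || { rm -rf "$work"; return 1; }
    for i in $(seq 1 20); do
        kind=$(layer_type "$cur")
        next="$work/layer$i"
        echo "step $i: $kind" >&2
        case "$kind" in
            gzip)  gzip -dc "$cur" > "$next" ;;
            bzip2) bzip2 -dc "$cur" > "$next" ;;
            tar)   tar -xOf "$cur" > "$next" ;;   # -O writes members to stdout
            data)  cat "$cur"; rm -rf "$work"; return 0 ;;
        esac || { rm -rf "$work"; return 1; }
        cur="$next"
    done
    rm -rf "$work"
    return 1   # still wrapped after 20 layers
}
```

Usage: peel_layers /tmp/myfolder/data.bin prints the innermost file; the sequence of layers it found is listed on stderr.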


Level 13 -> Level 14
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on

Commands you may need to solve this level:
ssh, telnet, nc, openssl, s_client, nmap

Helpful Reading Material
SSH/OpenSSH/Keys


$ ssh bandit13@bandit.labs.overthewire.org -p 2220
$ ssh bandit14@localhost -i ~/sshkey.private
$ cat /etc/bandit_pass/bandit14
            

4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e


Level 14 -> Level 15
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

Commands you may need to solve this level:
ssh, telnet, nc, openssl, s_client, nmap

Helpful Reading Material
IP Addresses
IP Address on Wikipedia
Localhost on Wikipedia
Ports
Port (computer networking) on Wikipedia


$ ssh bandit14@bandit.labs.overthewire.org -p 2220
$ telnet localhost 30000
    # use the password: 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
            

BfMYroe26WYalil77FoDi9qh59eK5xNr