
Yulin Chen


# OverTheWire Bandit Levels 0-18 Hints and Notes

## Level 0

The syntax to log in with ssh is `ssh your_username@host_address`, and the port is given with `-p`:

```bash
ssh bandit0@bandit.labs.overthewire.org -p 2220
```

## Level 1

Open the file called `-` located in the home directory:

```bash
cat ./-
```

A bare `cat -` would be interpreted as "read from standard input", because `-` conventionally stands for stdin/stdout. Writing `./-` gives a relative path to the file instead.

Alternatively, redirect the file into cat:

```bash
cat < -
```

## Level 2

Open the file called `spaces in this filename` located in the home directory:

```bash
cat "spaces in this filename"
```

or

```bash
cat spaces\ in\ this\ filename
```


## Level 3

Find the hidden file in the `inhere` directory. First change into it:

```bash
cd inhere
```

Hidden files are files whose names start with a dot. To list them along with everything else in the current directory, use `ls -a` (`-l` adds the long listing, so `-al` shows both):

```bash
ls -al
```

and then

```bash
cat .hidden
```


## Level 4

Find the only human-readable file in the `inhere` directory. `cat` is meant for text files, i.e. human-readable ones. To find the file types of all files in the current directory:

```bash
file ./*
```

Spot the only `ASCII text` file and `cat` it. The `./` prefix is the same trick as in Level 1: it keeps a name that starts with `-` from being read as an option.

## Level 5

Find the file somewhere under the `inhere` directory that has all of the following properties:

• 1033 bytes in size
• not executable

```bash
find ./inhere -readable -size 1033c \! -executable
```

Note that `-readable` and `-executable` are GNU extensions, so this command will not work with BSD `find`, i.e. the version on macOS.

Alternatively, loop through every file under `inhere` and run `file` on each one:

```bash
for i in $(find ./inhere -type f); do file -i "$i"; done
```

## Level 6

Search the whole server for a file that has all of the following properties:

• owned by user bandit7
• owned by group bandit6
• 33 bytes in size

```bash
find / -size 33c -user bandit7 -group bandit6 2>/dev/null
```

The `2>/dev/null` discards the "Permission denied" errors from directories we are not allowed to read, leaving only the matches. The suffix `c` in `33c` means bytes; the other units are:

• b – 512-byte blocks (this is the default if no suffix is used)
• c – bytes
• w – two-byte words
• k – kilobytes
• M – megabytes
• G – gigabytes

Further reading: How to use find command to search for files based on file size
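The two searches above, run against a constructed directory tree, as an added example that is not part of the original post. It builds a few decoy files, runs the Level 5 query, and then shows what goes wrong without the `c` suffix: `find` rounds sizes up to whole 512-byte blocks, so `-size 3` matches anything from 1025 to 1536 bytes. The directory names, file names and sizes are made up here; the Level 6 shape uses `-uid`/`-gid` with the current user instead of `-user bandit7 -group bandit6`, because a fixture can't change ownership without root.

```bash
#!/bin/bash
# Added example (not from the original post): constructed tree searched the
# way Levels 5 and 6 do, plus the block-rounding pitfall of -size without "c".
set -eu

# write_bytes PATH N: create a file of exactly N bytes (filled with 'A')
write_bytes() { head -c "$2" /dev/zero | tr '\0' 'A' > "$1"; }

# make_tree DIR: constructed fixture, loosely modelled on the Bandit layout
make_tree() {
    local dir=$1
    mkdir -p "$dir/maybehere00" "$dir/maybehere01" "$dir/.hidden"
    write_bytes "$dir/maybehere00/-file1" 1033         # right size but executable
    chmod 755 "$dir/maybehere00/-file1"
    write_bytes "$dir/maybehere00/.file2" 1032         # one byte short (still 3 blocks)
    write_bytes "$dir/maybehere01/spaces file" 1033    # the one we want
    write_bytes "$dir/.hidden/file3" 1025              # also rounds up to 3 blocks
    chmod 644 "$dir/maybehere00/.file2" "$dir/maybehere01/spaces file" "$dir/.hidden/file3"
}

# find_exact DIR: the Level 5 query, exact byte size and not executable
find_exact() {
    find "$1" -type f -size 1033c ! -executable
}

# find_blocks DIR: the same query with the default 512-byte-block unit;
# every file between 1025 and 1536 bytes is reported, not just the 1033-byte one
find_blocks() {
    find "$1" -type f -size 3 ! -executable | sort
}

# find_owned DIR: the Level 6 shape (size plus owner and group, errors discarded),
# using the current uid/gid since the fixture can't chown to bandit7/bandit6
find_owned() {
    find "$1" -type f -size 1033c -uid "$(id -u)" -gid "$(id -g)" 2>/dev/null | sort
}

# Demo run in a scratch directory
work=$(mktemp -d)
make_tree "$work"
echo "exact (Level 5):";  find_exact "$work"
echo "blocks (-size 3):"; find_blocks "$work"
echo "owned (Level 6):";  find_owned "$work"
rm -rf "$work"
```

`find_exact` returns only the 1033-byte non-executable file; `find_blocks` also picks up the 1032- and 1025-byte decoys, which is why the level's solution spells out `1033c`.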

## Level 7

Find the line containing the word `millionth`:

```bash
grep --include='*.txt' -rnw . -e 'millionth'
```

`grep` stands for Global Regular Expression Print. Useful options:

• `-r` or `-R` is recursive
• `-n` prints the line number
• `-w` matches whole words only
• `-l` (lower-case L) prints just the names of the matching files
• `-e` gives the pattern used during the search

Along with these, the `--exclude`, `--include` and `--exclude-dir` flags can be used to restrict which files are searched.

Further reading: How do I find all files containing specific text on Linux?

## Level 8

Find the only line of text that occurs only once in `data.txt`:

```bash
sort data.txt | uniq -u
```

The `sort` command prints the contents of `data.txt` in lexicographical order, and that output is sent through the pipe to `uniq`.

`uniq` can only detect duplicate lines when they are adjacent to each other, so the file must be sorted before `uniq` is used. `-u` prints only the lines that are not repeated.

Whenever we use redirection or piping, the receiving program gets the data anonymously, without knowing which file it came from, so its output doesn't include a file name.

• `>` saves output to a file.
• `>>` appends output to a file.
• `<` reads input from a file.
• `2>` redirects error messages.
• `|` sends the output from one program as input to another program.

Further reading: Learn Piping and Redirection
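The adjacency rule above, shown on a constructed stand-in for `data.txt`, as an added example that is not part of the original post. The sample lines are made up; every line but one appears twice, and the duplicates are deliberately not adjacent, so `uniq -u` without `sort` reports every line as unique.

```bash
#!/bin/bash
# Added example (not from the original post): why `uniq -u` needs sorted input,
# and how to see the counts behind the Level 8 answer.
set -eu

# sample_data: constructed input; every line but "epsilon" appears twice,
# and the duplicates are deliberately NOT next to each other
sample_data() {
    printf '%s\n' alpha beta gamma alpha delta beta gamma delta epsilon
}

# unique_line: the Level 8 pipeline; sort first so duplicates become neighbours
unique_line() { sort | uniq -u; }

# naive_unique: uniq alone, which only compares each line with the one before it
naive_unique() { uniq -u; }

# line_counts: occurrences of every distinct line, rarest first
line_counts() { sort | uniq -c | sort -n; }

# count_lines: number of lines on stdin, as a bare number
count_lines() { wc -l | tr -d ' '; }

echo "sorted answer:"; sample_data | unique_line
echo "lines surviving uniq -u without sort:"; sample_data | naive_unique | count_lines
echo "counts:"; sample_data | line_counts
```

`line_counts` is the check to run when you are not sure there really is exactly one singleton: a count of 1 next to a single line confirms it.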

## Level 9

Find one of the few human-readable strings in `data.txt`, preceded by several `=` characters:

```bash
strings data.txt | grep "="
```

Simply using `grep` on the file will not work here, because the content is one long run of bytes with no newlines, so there is no single line to pick out. `strings` differs from `cat`: it skips unprintable bytes and only prints runs of 4 or more printable characters, one per line. Try `echo abc | strings` on the terminal: it prints nothing, since `abc` is only three characters long.

## Level 10

Decode `data.txt`, which contains base64-encoded data:

```bash
base64 --decode data.txt
```

## Level 11

ROT13 ("rotate by 13 places", sometimes hyphenated ROT-13) is a simple letter substitution cipher that replaces a letter with the 13th letter after it in the alphabet. ROT13 is a special case of the Caesar cipher which was developed in ancient Rome.
Because there are 26 letters (2×13) in the basic Latin alphabet, ROT13 is its own inverse; that is, to undo ROT13, the same algorithm is applied, so the same action can be used for encoding and decoding.

Restore `data.txt`, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions:

```bash
cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'
```

or

```bash
alias rot13="tr 'A-Za-z' 'N-ZA-Mn-za-m'"
cat data.txt | rot13
```

`tr` stands for translate; it translates or deletes characters. Here `tr` replaces each character of the first set, `A-Za-z` (upper- and lower-case letters), with the character at the same position in the second set, `N-ZA-Mn-za-m`: A becomes N, Z becomes M, and so on.
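The `tr` construction above, as an added example that is not part of the original post, wrapped in functions and generalised from ROT13 to any Caesar shift: the second `tr` set is just the alphabet rotated left by N places, so ROT13 is the N=13 case and decoding a shift of N is another shift of 26-N. The function names (`rot13`, `caesar`, `uncaesar`, `rotate_left`) and the sample message are my own.

```bash
#!/bin/bash
# Added example (not from the original post): ROT13 via tr, plus the general
# Caesar shift built the same way (two aligned character sets handed to tr).
set -eu

LOWER=abcdefghijklmnopqrstuvwxyz
UPPER=ABCDEFGHIJKLMNOPQRSTUVWXYZ

# rot13: filter stdin, exactly the tr invocation from the level
rot13() { tr 'A-Za-z' 'N-ZA-Mn-za-m'; }

# rotate_left ALPHABET N: the 26-letter alphabet rotated left by N, produced by
# doubling it and cutting 26 characters starting at position N+1
rotate_left() { printf '%s%s' "$1" "$1" | cut -c "$(($2 + 1))-$(($2 + 26))"; }

# caesar N: filter stdin, shifting every letter forward by N (mod 26);
# caesar 13 is rot13, caesar 0 is the identity
caesar() {
    local n
    n=$(( $1 % 26 ))
    tr "$LOWER$UPPER" "$(rotate_left "$LOWER" "$n")$(rotate_left "$UPPER" "$n")"
}

# uncaesar N: undo `caesar N` by shifting forward the remaining 26-N places
uncaesar() { caesar $(( (26 - $1 % 26) % 26 )); }

# String forms so results can be returned rather than only printed
rot13_str()    { printf '%s' "$1" | rot13; }
caesar_str()   { printf '%s' "$2" | caesar "$1"; }
uncaesar_str() { printf '%s' "$2" | uncaesar "$1"; }

# Demo: ROT13 is its own inverse because 13 + 13 = 26
msg='The quick brown fox jumps over the lazy dog'
enc=$(rot13_str "$msg")
echo "rot13:       $enc"
echo "rot13 again: $(rot13_str "$enc")"
echo "caesar 3:    $(caesar_str 3 "$msg")"
echo "undo 3:      $(uncaesar_str 3 "$(caesar_str 3 "$msg")")"
```

Only letters are in the `tr` sets, so digits, spaces and punctuation pass through unchanged, which is why the `data.txt` line stays readable apart from the rotated letters.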

## Level 12

`hexdump` is a utility that displays the contents of binary files in hexadecimal (base 16), decimal (base 10), octal (base 8), or ASCII.
You can use `hexdump` to view the contents of a file, especially when it contains non-printable characters, e.g. an image. Try `hexdump --canonical foo.png` on the terminal and see what happens.

Restore the file `data.txt`, which is a hexdump of a file that has been repeatedly compressed:

```bash
cat data.txt | xxd -r > data
```

`xxd` creates a hexdump of a given file or of standard input. It can also convert a hexdump back to its original binary form with the `-r` option. Here we pipe the output of `cat` into the reverse hexdump and redirect the result to a new file called `data`.

```bash
file data
```

The `file` command reports the format of the new file. In this exercise three compression formats are used:

• gzip compressed data, file extension `.gz`
• POSIX tar archive (GNU), file extension `.tar`
• bzip2 compressed data, file extension `.bz2`

Depending on the format `file` reports for the current file, we need to use the corresponding decompression command. Before decompressing, the file has to be renamed with the correct extension: the tools work out the output name from the suffix and can't guess the original name without it.

Take gzip as an example, and use `mv` to rename the file:

```bash
mv data data.gz
```

Decompress the `data.gz` file:

```bash
gzip -d data.gz
```

`gzip` replaces the input file with the decompressed file, so you should see the new file without the `.gz` extension.

Repeat the `file` step on each decompressed output until the resulting format is ASCII text (at which point you will see it is an RSA private key, which you can use to log in with `ssh -i`).

Here are the decompression commands:

```bash
gzip -d file.gz
bzip2 -d file.bz2
tar -xf file.tar
```

Further reading: How Hexdump Work
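The rename-and-decompress loop above, automated, as an added example that is not part of the original post. It starts from the binary that `xxd -r` would produce and, instead of calling `file`, reads the same magic bytes `file` looks at (`1f 8b` for gzip, `BZh` for bzip2, `ustar` at offset 257 for tar), then applies exactly the rename and decompress steps listed in the level. The nested fixture, the secret text and the function names are constructed here; bzip2 is used only if it is installed.

```bash
#!/bin/bash
# Added example (not from the original post): the Level 12 loop automated.
# Layer detection uses magic bytes rather than `file`, so it runs anywhere
# gzip and tar are available; the fixture below is constructed, not Bandit's.
set -eu

# identify_layer FILE: prints gzip | bzip2 | tar | text | unknown
identify_layer() {
    local magic
    magic=$(head -c 3 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        1f8b*)  echo gzip;  return ;;          # gzip member header
        425a68) echo bzip2; return ;;          # "BZh"
    esac
    if [ "$(tail -c +258 "$1" | head -c 5)" = "ustar" ]; then
        echo tar; return                       # tar header magic at offset 257
    fi
    # text: nothing but printable ASCII and whitespace in the first 512 bytes
    if ! head -c 512 "$1" | LC_ALL=C grep -q '[^[:print:][:space:]]'; then
        echo text; return
    fi
    echo unknown
}

# unpack_all DIR: starting from DIR/data, rename + decompress layer by layer
# until the content is text; prints the path of the final file
unpack_all() {
    local dir=$1 cur="$1/data" kind member n=0
    while [ "$n" -lt 20 ]; do
        n=$((n + 1))
        kind=$(identify_layer "$cur")
        case "$kind" in
            gzip)  mv "$cur" "$cur.gz";  gzip -d "$cur.gz" ;;    # output lands in $cur
            bzip2) mv "$cur" "$cur.bz2"; bzip2 -d "$cur.bz2" ;;  # output lands in $cur
            tar)   mv "$cur" "$cur.tar"
                   member=$(tar -tf "$cur.tar" | head -n 1)      # the archive names its member
                   tar -xf "$cur.tar" -C "$dir"
                   cur="$dir/$member" ;;
            text)  printf '%s\n' "$cur"; return 0 ;;
            *)     echo "unrecognised layer in $cur" >&2; return 1 ;;
        esac
    done
    echo "gave up after $n layers" >&2
    return 1
}

# make_fixture DIR: constructed nest: gzip( bzip2( tar( gzip( text ) ) ) )
make_fixture() {
    local dir=$1
    printf 'the secret is: EXAMPLE_SECRET_PLACEHOLDER\n' > "$dir/data"
    gzip "$dir/data"; mv "$dir/data.gz" "$dir/data"                       # layer: gzip
    tar -cf "$dir/data.tar" -C "$dir" data; mv "$dir/data.tar" "$dir/data"  # layer: tar
    if command -v bzip2 >/dev/null 2>&1; then
        bzip2 "$dir/data"; mv "$dir/data.bz2" "$dir/data"                 # layer: bzip2
    fi
    gzip "$dir/data"; mv "$dir/data.gz" "$dir/data"                       # layer: gzip
}

# Demo run in a scratch directory
work=$(mktemp -d)
make_fixture "$work"
result=$(unpack_all "$work")
echo "final file: $result"
cat "$result"
rm -rf "$work"
```

The 20-iteration cap and the `unknown` branch are the two checks worth keeping when you adapt this: a file that never becomes text should stop the loop with an error rather than spin or rename things forever.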

## Level 14

Submit the password of the current level to port 30000 on localhost:

```bash
echo password | nc localhost 30000
```

Netcat (or `nc`) is a command-line utility that reads and writes data across network connections, using the TCP or UDP protocols.

You can open two terminals, have one listening on port 3000:

```bash
nc -l 3000
```

and the other open a connection to the port:

```bash
nc localhost 3000
```

The two terminals can now communicate freely: whatever is typed in one appears in the other.

## Level 15

Submit the password of the current level to port 30001 on localhost using SSL encryption:

```bash
echo password | openssl s_client -ign_eof -connect localhost:30001
```

OpenSSL is a general-purpose cryptography library that provides an open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. TLS adds a layer of security on top of the TCP/IP transport protocols.

TLS is the successor protocol to SSL: an improved version that works in much the same way, using encryption to protect data in transit. The `s_client` command implements a generic SSL/TLS client which connects to a remote host using SSL/TLS.

In this level we are making an encrypted connection through SSL/TLS. The `-ign_eof` option of `s_client` stops it from shutting down the connection when it reaches end of file on its input, i.e. right after the password has been sent, so the server's reply still arrives.

## Level 16

Submit the password of the current level to a port on localhost in the range 31000 to 32000.

1. Find which ports are open (have a server listening):

```bash
nmap -p 31000-32000 localhost
```

nmap (Network Mapper) is a network scanner, used to discover hosts and services on a computer network by sending packets and analysing the responses.

Here we performed a port scan (connecting to each port) in the specified range on localhost with nmap.

2. Find which open port has SSL enabled. Run the command on each open port until one of them returns an RSA key:

```bash
openssl s_client -connect localhost:port
```

You can copy the key and save it locally in a `.key` file, then log in to the next level:

```bash
ssh -i bandit17.key bandit17@bandit.labs.overthewire.org -p 2220
```

3. Resolve the ssh "permissions are too open" error. Keys must ONLY be accessible to the user. A quick `ls -l` on the key file will show that user (u), group (g), and others (o) all have read permission. You can remove the read permission from group and others:

```bash
chmod g-r bandit17.key && chmod o-r bandit17.key
```

or remove all permissions other than user read:

```bash
chmod 400 bandit17.key
```
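The check behind the "permissions are too open" error, written out as an added example that is not part of the original post: ssh refuses a private key if any group or other permission bit is set, or if the file is owned by someone other than you or root, and `chmod 400` satisfies both. The helper names (`key_problems`, `key_ok`, `fix_key`) and the placeholder key file are mine; `stat -c` is the GNU form, so this assumes Linux.

```bash
#!/bin/bash
# Added example (not from the original post): reproduce ssh's private-key
# permission check so a key file can be verified before it is used.
set -eu

# key_problems FILE: prints one line per problem, nothing if the key is acceptable
key_problems() {
    local mode uid
    mode=$(stat -c '%a' "$1")   # GNU stat: permission bits in octal, e.g. 644
    uid=$(stat -c '%u' "$1")    # numeric owner
    # the last two octal digits are the group and other classes; ssh wants both 0
    if [ $(( mode % 100 )) -ne 0 ]; then
        echo "mode $mode: group/other have access (ssh allows none)"
    fi
    if [ "$uid" -ne "$(id -u)" ] && [ "$uid" -ne 0 ]; then
        echo "owner uid $uid: key must be owned by you or root"
    fi
}

# key_ok FILE: exit status 0 when key_problems finds nothing
key_ok() { [ -z "$(key_problems "$1")" ]; }

# fix_key FILE: the Level 16 remedy, owner read only
fix_key() { chmod 400 "$1"; }

# Demo with a constructed placeholder standing in for bandit17.key (not a real key)
work=$(mktemp -d)
key="$work/bandit17.key"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER' '-----END RSA PRIVATE KEY-----' > "$key"
chmod 644 "$key"
echo "before:"; key_problems "$key"
fix_key "$key"
echo "after fix_key:"; key_problems "$key"
key_ok "$key" && echo "key_ok: yes"
rm -rf "$work"
```

Mode 600 also passes (ssh only cares about group and other); 400 additionally stops you from overwriting the key by accident, which is why the level suggests it.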


## Level 17

Find the only line that has been changed between `passwords.old` and `passwords.new`:

```bash
diff passwords.old passwords.new
```

The `diff` command lets you compare files or directories line by line. To interpret its output:

• `<` denotes lines from `passwords.old`
• `>` denotes lines from `passwords.new`
• `42c42` gives the line number in `passwords.old` (number on the left) that was changed into the line in `passwords.new` (number on the right). The letter between the numbers is short for the action applied to the lines: `d` stands for deletion, `a` for adding and `c` for changing.

To see just the changed line from `passwords.new` in the output:

```bash
diff --changed-group-format='%>' --unchanged-group-format='' passwords.old passwords.new
```


## Level 18

Someone has modified `.bashrc` to log you out when you log in with SSH:

```bash
ssh -t bandit18@bandit.labs.overthewire.org -p 2220 /bin/sh
```

ssh normally allocates a pseudo-terminal (pty) on the remote machine and starts your login shell, which reads the modified `.bashrc`. With `-t` we force pty allocation while running `/bin/sh` as the command instead of the login shell, so `.bashrc` is never read. Now we can interact with the machine normally and `cat readme`.

Alternatively, to get the password out in one line:

```bash
ssh -t bandit18@bandit.labs.overthewire.org -p 2220 "cat ~/readme"
```