CTF Tech Training

Over the Wire: Bandit 0-20

What is Over the Wire?

OverTheWire is a website offering challenges whereby beating a challenge provides access to the next level. In their words, these “wargames offered by the OverTheWire community can help you to learn and practice security concepts in the form of fun-filled games”. The Bandit pathway is particularly interesting in that it focuses on Unix commands, letting you build on past levels to progress into the next.

First things first, you gotta know where to search. man pages are good, and you can search through them by using the / key then entering the pattern you want. If there are no results, try again. Stack Overflow may have some suggestions. SS64 also has some good examples. Next up, you'll want to have some tools ready. My preference is Terminator on Linux OSes for the command line stuff, as it lets you quickly open additional terminals from the same window (man pages, etc.). If you are on Windows, you will need PuTTY or a similar SSH client to connect to the game. You are given the first user & password, host & port. There are many valid syntaxes; I used

ssh -p 2220 -l bandit0

Enter the password and you are in. For the next level, you are told there is a file called readme in the home directory (where you land upon login). ls & cat provide the password for the next level.

Level 1 – Here, the difficulty is that the filename is a single dash. When processing it, programs interpret a lone dash specially rather than as a filename, and so cat doesn’t read the file. Fortunately there are ways to force a given file as input or output: cat < - and you’re golden.

Level 2 – The filename has spaces. Not to fret, you’re using Terminator, right? Find the file using ls; prepare your cat command and start typing the filename. Press the tab key after the first couple of letters and… the filename is completed with the spaces escaped for you.

Level 3 – The file is hidden and inside a different directory. ls shows that the directory is a subdirectory of where the user is, so a quick cd inhere. ls however comes up empty… hmmm… hidden files… maybe ls -a so it shows ALL the files, and good to go.

Level 4 – You need to find a human-readable file in a given directory. Building up from the last level, cd into the inhere directory and ls. Two difficulties arise: firstly, there are multiple files; secondly, the filenames start with a dash. You could brute force your way through the files using
cat < -file OR you could take a hint from the challenge and look at the file command. file ./* and you can easily read the password.

Level 5 – Here you have multiple subfolders inside the inhere directory. Running file ./*/* isn’t very useful as there are too many possible results. A quick check of the find man page for size, and find -size 1033c gets you to the appropriate file.

Level 6 – Similar to level 5, except the file is hidden somewhere on the server. Running file ./*/* has the same issues as previously, and I’m not sure how deep down you would need to add wildcards for all the potential subdirectories. Once more, find -size run from the root (cd /) lets us find all candidate files. There is something interesting in /var/lib, so running ls -l /var/lib/...| grep bandit7 shows the file attributes. I’m using grep here to ensure an attribute matches the user-owner bandit7 (as per the challenge). The attributes correspond to the challenge: owned by user bandit7, owned by group bandit6, so time for level 7.

Level 7 – Back to data analysis. There are close to 100,000 lines in the given file, so attempting to search it by hand is pointless. Doing cat %input% | grep %pattern% is an absolutely valid solution. Particularly if you are starting out by looking at a file’s content, it is normal to expand that process into filtering the noise from the signal. It is, however, worth knowing you can do that in a single command: grep %pattern% infile, or in this case grep millionth data.txt, and you are ready for the next level.

Level 8 – The initial step is to cat data.txt and see what we’re working with. The challenge suggests using sort and uniq. uniq -c provides a count of the number of sequential occurrences; however, in the current (unsorted) state of the file that is a 1 on each line. sort data.txt | uniq -c and look for the line with a count of 1.

Level 9 – If we try to find lines with 2 or more = signs through cat file | grep or grep file, we get errors as the file does not consist of text; cat file is not human readable. The strings command will look through the file and provide the printable lines it contains. Filtering that output for the aforementioned pattern provides the answer.
strings data.txt | grep ==

Level 10 – The password is in a file which is base64 encoded. Depending on where your input data is coming from, you may want to look at CyberChef due to its high potential for data transformation. However, it is much easier to just base64 -d data.txt for the password to the next level.

Level 11 – This has been rotated once by 13 chars (ROT13), while maintaining case. Because the alphabet has 26 letters, applying the same transform again returns the original text. This one-liner may be useful for CTF challenges: tr 'A-Za-z' 'N-ZA-Mn-za-m'

Level 12 – The original file has been compressed multiple times and hex encoded. Be organised, and use file at each decoding / decompression step to see what the next required operation is.
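The "identify the layer, unwrap it, repeat" routine from level 12 can be scripted. This is an added example, not code from the original post: where the post uses file, it reads the magic bytes with od/dd (assuming file may not be installed) and it assumes gzip, bzip2 and tar are available; the hexdump input and the expected result are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): automates the level-12 routine
# of "identify the layer, unwrap it, repeat". The post uses `file` for the
# identification; this version reads the magic bytes with od/dd instead
# (assumption: `file` may be absent) and assumes gzip, bzip2 and tar exist.

# hex_decode: stdin = hex digits (hexdump -p style), stdout = the raw bytes
hex_decode() {
  tr -d ' \n\r' | sed 's/../& /g' | tr ' ' '\n' | while read -r hh; do
    if [ -n "$hh" ]; then printf "\\$(printf '%03o' "$((0x$hh))")"; fi
  done
}

# layer_type FILE: prints gzip, bzip2, tar or text, judged from magic bytes
layer_type() {
  magic=$(od -An -tx1 -N3 "$1" | tr -d ' \n')
  case "$magic" in
    1f8b*)  echo gzip ;;                       # gzip: 1f 8b
    425a68) echo bzip2 ;;                      # bzip2: "BZh"
    *) if [ "$(dd if="$1" bs=1 skip=257 count=5 2>/dev/null)" = "ustar" ]
       then echo tar; else echo text; fi ;;    # tar: "ustar" at offset 257
  esac
}

# unwrap_all HEXFILE: decode the hex dump, then peel one layer per pass until
# plain text remains, and print it. Intermediate files live in a temp dir.
unwrap_all() {
  work=$(mktemp -d) || return 1
  hex_decode < "$1" > "$work/0"
  n=0
  while :; do
    next=$((n + 1))
    case "$(layer_type "$work/$n")" in
      gzip)  gzip -dc "$work/$n" > "$work/$next" ;;
      bzip2) bzip2 -dc "$work/$n" > "$work/$next" ;;
      tar)   tar -xOf "$work/$n" > "$work/$next" ;;
      text)  cat "$work/$n"; rm -rf "$work"; return 0 ;;
    esac || { rm -rf "$work"; return 1; }
    n=$next
  done
}
```

Run it as unwrap_all data.txt; each pass prints nothing until the final plain-text layer, and a failed decompression returns non-zero so you can inspect the last intermediate file by hand.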

Level 13 – This is a different ssh syntax. Remember to get the password for level 14 once logged in, as running ssh sessions from within ssh sessions can quickly

Level 14 – This is the first network challenge. Connect with nc: nc localhost 30000, then enter the password for bandit14 (which you got earlier from the ssh connection) and good to go.

Level 15 – Second network challenge, this time you need to use SSL. openssl s_client -connect host:port provides a connection similar to the one we got in level 14. Submit the password and get access to the next level.

Level 16 – This time we need to look through approximately 1000 ports! Or not… nmap will provide a scan. nmap localhost -p31000-32000 already limits the number of ports to test. However, we can aggressively look through this range while also getting as detailed a report as possible by using some additional flags: nmap -A -T5 localhost -p31000-32000. Look for the ports running ssl services and get the password for the next level.

Level 17 – Back to file analysis. You could try reading the files in 2 terminals looking for the different line, OR use the built-in diff command. diff oldFile newFile returns the lines that changed; look through the man pages for more details, but this essentially provides you with access to the next level.

Level 18 – Logging in immediately kicks us off the connection. hmmm. The good news: we’re warned this is an issue with the bash profile, so maybe we can pass a command along with the connection string? ssh host -p<port> -l user "COMMAND" and we can read the password in the file as per the challenge.

Level 19 – We can run commands as another user! The password is available at /etc/bandit_pass/bandit20, so execute the binary and then read the password as if you were already that user.

Level 20 – We want to create a listener returning the current password… echo "REQ" | nc -l host -p<port> & where “REQ” holds the current password within the double quotes. Pick the port of your choosing (above 1000 is a good call to avoid anything already in use) and then run the binary using that port. #winning.

With the tools presented in these 20 levels, you already have a great toolbag for moving around a Unix environment. There are of course multiple ways to solve the challenges, including various scripting techniques for the large enumeration challenges at the beginning; however, for this post I wanted to focus on using existing tools as recommended by the challenge.