OvertheWire Progress (Ongoing)

Corresponds to level I am trying to reach (i.e. Level 1 = Level 0 -> 1, so activities described in Level 1 are done on Bandit level 0))

Level 1:

• ssh bandit0@bandit.labs.overthewire.org -p 2220 w/password provided
• ls - to view the files in directory to get a sense of where you’re at
• `cat readme to read the readme file
• pw to level 1: ZjLjTmM6FvvyRnrb2rfNWOZOTa6ip5If
• to exit vim, type :q
• to exit ssh, type exit in the terminal after escaping vim

  Level 2:

• to read the type of file you have to use a cat ./-
• Why?
  • when using vim (like I had just tried and had an epic fail with) it actually takes it as an argument and uses the - as a STDIN or STDOUT argument
  • What is STDIN/STDOUT?
    • They are standard streams established when a Linux command is executed.
    • A stream is something that can transfer data
    • For stdin, stdout, and stderr, the data is text
    • stdin is the input stream, and accepts text as its input
    • stdout is the output stream, and is the output from the command to the shell
    • stderr is the error stream, and is the output of the error messages from the command
• pw to level 2: 263JGJPfgU6LtdEvgfWU1XP5yac29mFx
• Sources:
  • standard streams
  • how to open a dashed filename

    Level 3:

• Funny enough, i hate having spaces in filenames
• Main reason I know how to manage this is because I host a media server and with so many of my media files containing spaces, had to manage how to escape them.
• Anyways, shortcut of this is to do cat and then start typing the first few letters of the file, then press tab on your keyboard (i.e., tab completion). The command will attempt to autofill and will actually complete the rest of the labor for you. Otherwise, you’ll need to add a manual \ backslash to escape the space and read it correctly.
• Why?
  • Try it, just try reading the files of your doc without escaping correctly. You’ll see that it just ends up taking each of them as an argument on its own. In the example below, if I hadn’t escaped, the terminal would attempt to read it as “cat spaces” “cat in” “cat this”… etc.
• pw: MNk8KNH3Usiio41PRUEoDFPqfxLPlSmx
• Sources
  • spaces in filenames

    Level 4:

• I remember when I first did this level so long ago I got so frustrated but so satisfied when I found out how to do it
• using an ls -a command reveals any hidden files or folders
• cd into the hidden directory
• cat the hidden file after revealing it, feel free to use tab completion.
• pw for level 4: 2WmrDFRmJIq3IPxneAaMGhap0pFhF3NJ

  Level 5:

• navigate to the inhere folder cd inhere
• how to know which file is human readable?
  • well, looking up this questions gives me a few answer, but i wanted one i could easily remember
  • I ended up stumbling upon this article describing different ways to help tell whether something is human readable, and ultimately i came upon the file command and how it could give me additional info on the files
  • So, I initially tried to file *
    • * is just a wildcard. a wildcard is when anything can fit the criteria, and a wildcard can have a certain text before or after it to fit the criteria
    • example 1: * looks for any files
    • example 2: *text looks for any files that end with the word text
    • example 3: text* looks for any files that begin with the word text
    • example 4: *text*.doc looks for any files that has the word text within it, and ends with a .doc extension
  • However, I forgot that we just learned in the last level that you cannot simply request a file name if it begins with -. and, all of our files did
  • So, instead I used file ./*
  • This worked and gave me the file type of each of the files so I could determine which one was human readable, and cat the values out.
  • pw to level 5: 4oQYVPkxZOOEOO5pTW81FB8j8lxXGUQw

    Level 6

• cd inhere
• need to find human readable, 1033 bytes, not exec
• I looked through the find man pages and found that you can pull what are executables by performing find -executable. welp, there’s more than one file per directory, so this won’t help too much.
• then i found that we can restrict our search to be by size, by using find -size 1033c. this solves the puzzle since there is only one file that matches that criteria.
• Why append the c at the end?
  • Based upon the man arguments, there are a few different sizes used in the -size argument. since the instructions specify 1033 bytes, we needed to specify. the default size used in search is b, for 512 byte blocks
  • a block is the smallest level of memory we’re able to interact with. think of it like plots of land for suburban houses. Many houses are built to be of similar size, so let’s imagine they’re all the exact same size plots of land. As owner of the house and land, you may make your house smaller, using up less of the plot of land, but regardless, it is your plot of land. That’s like a block. When reading a disk, you’ll need to read through the entire plot of land, as opposed to just the square footage of the house.
  • A byte is a level lower, let’s just say it represents the square footage of the house. So while your amount of data may be less than a full block, the computer will still need to read the full plot of land. The byte is just square footage, in other words are more approximate amount of space being used.
• pw to level 6: HWasnPhtq9AVKe0dmk45nxy20cvUa6EG
• Sources
  • man find
  • eli5 memory basics

    Level 7

• Understand the goal of is saying the password is stored somewhere on the server, implying it may not be in the directory you spawn in.
• Knowing this, I went back out to the root directory through a quick little cd../.. (the / indicates I’m essentially doing cd.. and cd.. again, but just quicker. So I go back two levels)
• I then created a search that fulfills all requirements but it provides too many results with Permission denied since it checks them all. The search is find -size 33c -user bandit7 -group bandit6.
• So let’s figure out how to get rid of the Permission denied errors. We can do this by slightly modifying the command to be 2>/dev/null find -size 33c -user bandit7 -group bandit6. After this, we only get one file returned.
• What is the 2>/dev/null?
  • The > operator is a redirect, which can redirect various streams/output to a file. Let’s recall that there is stderr, stdout, stdin. stdin is an input, so that wouldn’t make sense for it to be an output. stderr and stdout are both outputs, so this would make sense to redirect. To showcase how to output stdout, we can do either of the following:
    • > file redirects stdout to a file
    • 1> file redirects stdout to a file
  • However, this wouldn’t make sense in our case, since it would just redirect stdout, rather than just the permission denied errors.
  • So we have other ways to redirect:
    • 2> file redirects stderr to a file
    • &> file redirects stdout and stderr to a file
  • So that’s how we get to the 2> file. But what’s /dev/null?
    • /dev/null is a black hole. throw everything away here LOL
• The password is morbNTDkSW6jIlUc0ymOdMaLnOlFVAaj
• Sources
  • man find
  • how to exclude permission denied
  • the black hole

    Level 8

• we gotta look for the password which is next to the word ‘millionth’.
• So uh, ya can’t just cat data.txt (unless you really like reading that much).
• I read the man page of grep after but uh that was a bit tricky to understand, so I went ahead and looked up more example usage to correctly understand :3
• pw: dfwvzFQi4mU0wfNbFOe9RoWskMLg7eEc
• Sources:
  • man grep (scary read)
  • grep examples (non-scary read)

    Level 9

• Goal: The password for the next level is stored in the file data.txt and is the only line of text that occurs only once

• Didn’t necessarily find anything when reading through the grep or find man pages so I came back to the OvertheWire page for useful hints. They provided a few leads, one being piping/redirection (I see why), and then sort & uniq.
• Using these, I tried a sort -u data.txt on the file. I’m honestly not sure why it didn’t work, as in theory it should by all my sources. I eventually solved it through an alternative method, sort data.txt | uniq -u
• What does uniq do?
  • Uniq either shows the repeated lines, or omits them in its output.
  • However, the way uniq works is by filtering via adjacent matching lines. Therefore, if there is newlines (in our case, other values) between values, then we’ll need to figure out a way to get the duplicate values all adjacent to one another, which is why we need to sort the data and pipe it using |
• pw: 4CKMh1JI91bUIZZPXDqGanal4xvAg0JM
• Sources
  • man uniq
  • man sort
  • man grep

    Level 10

• Goal: The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.

• The goal gives us a hint that there are few human-readable strings, implying there’s lines of text you can’t just cat out.
• With strings we can print out all the human readable text.
• Then afterwards we can pipe our text over to a grep to just look for the ‘=’ characters preceding it.
• So I made strings data.txt | grep "===="
• pw: FGUW5ilLVJrxX9kMYMmlN4MgbpfMiqey
• Sources
  • man grep
  • man sort
  • man strings

    Level 11

• Goal: The password for the next level is stored in the file data.txt, which contains base64 encoded data

• We get the hint that the data.txt file contains base64 encoded data, but what is base64?
  • Base64 is binary to text encoding. in other words, base64 text can be used to transmit binary data over media that doesn’t handle binary data and designed to only handle text data.
  • A good example of this is SMTP (aka the email system) which was traditionally designed to work with plain text data.
  • More information is available in the Sources area.
• So after we have an idea that base64 is encoding, the goal is asking us to decode it.
• After a quick read over the base64 man page and we can put together base64 -d data.txt
• pw: dtR173fZKb0RRsDFSGsg2RWnpNVj3qRr
• Sources
  • base64 wikipedia
  • base64 man
  • base64 knowledge

    Level 12

• Goal: The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions

• A rotate 13 cipher is a letter substitution where a specific letter in the alphabet is replaced with the 13th letter after it in the alphabet.
• The wikipedia page covers this in substantial detail and provides a way to implement it as well. What was initially confusing for me was whether the mapping the wiki provides would be the same I would need, but to be honest, yes, it would be. A rot13 cipher may change positioning but in this case the goal and implementation in the wiki are the same.
• You can also use it again afterward on the answer to revert it back to the original text.
• What is the <<<?
  • A «< is a here-string that can be used to pass a string as input to a command.
• pw: 7x16WNeHIi5YkIhWsfFIqoognUTyj9Q4
• Sources
  • rot13 wikipedia
  • here-string

    Level 13

• Goal: The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work. Use mkdir with a hard to guess directory name. Or better, use the command “mktemp -d”. Then copy the datafile using cp, and rename it using mv (read the manpages!)

• mktemp -d to give us some room to work with on this file
• xxd -r data.txt > data2.tgz will reverse the hexdump and convert it into a .tgz archive
  • Honestly the only reason I started to figure out what file to rename it to was with the help of the goal (compression) and looking up file signatures - it started with 1f 8b 08, which according to source could mean archive file, vlc player skin file, or synology router, but we’re talking about compression so yeah.
• file data2.tgz tells us what the file is
• decompress with gzip -d data2.tgz (we end up with data2.tar)… we just end up repeating thru this
• file data2.tar (gives us bzip2 compressed data)
• bzip2 -d data2.tar (gives us data2.tar.out)
• file data2.tar.out (tells us it is gzip)
• gzip -d data2.tar.out (doesn’t work, .out doesn’t work)
• mv data2.tar.out data4.tgz to rename
• gzip data4.tgz (we end up with data4.tar)
• tar -xf data4.tar (gives us data5.bin)
• file data5.bin (shows it is tar archive)
• mv data5.bin data5.tar (to properly rename and decompress)
• tar -xf data5.tar (gives us data6.bin)
• file data6.bin (tells us it is bzip2)
• bzip2 -d data6.bin (gives us data6.bin.out)
• mv data6.bin.out data6.tar (prepping for decompress)
• tar -xf data6.tar (gives us data8.bin)
• file data8.bin (gives us gzip compressed data)
• mv data8.bin data8.tgz (prepping for decompress)
• gzip -d data8.tgz (gives us data8.tar)
• file data8.tar FINALLY TELLS US IT IS ASCII TEXT
• mv data8.tar data8.txt RENAMING TO PREP
• cat data8.txt AHHHH ITS JOEVER
• pw: FO5dwFsc0cbaIiH0h8J2eUks2vdTDwAn
• Sources
  • man gzip
  • man file
  • file examples
  • hexdump info
  • hexdump wikipedia
  • man mktemp
  • man bzip2
  • max compression with .tgz
  • man xxd
  • xxd examples
  • file signatures

    Level 14

• Goal: The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on
• SSH has multiple ways of authentication, one of them being password authentication (which is what we’ve been doing), and another is through a RSA public/private key combination. A public/private key combination tends to be the more secure method of authentication.
  • What are RSA public/private keys?
    • There’s a process behind the scenes for how communication occurs between the two. Essentially, the following flow occurs:
      • A private key’s purpose is to decrypt data and is solely meant to decrypt the data and validate your identity. It is typically on your end, the computer that is attempting to establish the connection
      • The computer you’re attempting to connect has a public key, which is really meant to encrypt any data. The computer is typically some sort of server.
      • Upon attempting to make a connection, you will send your request along with the public key that you’re requesting to associate your private key with. The server will read this, validate it has that public key, then generate a random string. The server will then encrypt the random string using the public key, and send it across back to you. Your machine will then decrypt the data, do an additional calculation to prove that it did indeed do the decryption, and send it back to the server. If the calculation is correct, then the server will allow the connection. Only the correct private key can decrypt the data.
• So we know we have access to a private key for the next level, WTF do we do with this information?
• uh… maybe they want us to do some other complex form of things, personally tried to just scp the damn thing out, just to facepalm and realize.. cat!
• So after I catted the damn thing out, I went ahead and threw it into a file in my Downloads folder. Probably a terrible place to put it, but that’s where it’ll be for now.
• Now how do we use the damn thing?
• Let’s go ahead and make sure to change the permissions on our new file to 400 (aka read-only for owner of file). I went ahead and made the novel mistake of just leaving it as default (644, Owner read/write permissions, group read, other read) and that just spits us back and tells us to type in the password
• Okay NOW let’s go ahead and type in the command ssh -i 'Downloads/file.private' bandit14@bandit.labs.overthewire.org -p 2220.
  • Essentially what we’re doing is ssh’ing as bandit14, on port 2220, using specifically the file.private identity (which is why we use the -i)
• And now we enjoy our stay
• Finally, can’t forget to cat the password out :) wouldn’t want to re-do that whole identity command now would we?
• pw: MU4VWeTyJk8ROof1qqmcBPaLh7lDCPvS
• Sources
  • SSH Keys - by Rob Edwards
  • How SSH Works - by Mental Outlaw
  • What is SSH Public Key Authentication
  • SSH/OpenSSH/Keys - Ubuntu Docs
  • Chmod 400
  • Chmod 644

    Level 15

• Goal: The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
• This should not have been as difficult as it was, but I was just thinking things through one lane/command too much. What I mean by this, is I could’ve expanded what else I could use.
• So, after connecting to level 14, we need to submit it to port 30000 on the localhost of the remote machine. We can do this by utilizing nc (aka netcat)
  • What is netcat?
    • Netcat is a networking tool commonly used for things like the following:
      • Sending and receiving data over TCP and UDP
      • Port scanning
      • Data transmission to a specific port on a machine
      • Listening mode
      • File transfer
      • Shell access
• Alright so into the solution, I went ahead and logged into bandit 14 just as normal
• Then I went ahead and tried nc localhost 30000
  • Breaking this down, I opened a nc session within the localhost (which if you recall, now we’re acting on the remote server, on port 30000)
• Then it awaits some input, so I input the password for level 14 and voila!
• pw: 8xCjnmgoKbGLhHFAZlGE5Tmu4M2tKJQo