Bandit CTF


Purpose

This little CTF uses the OverTheWire Bandit challenges to help students learn basic SSH and Linux command-line skills.

Getting Started

You need to log in to a server using SSH with a series of usernames: bandit0, bandit1, bandit2, etc.

Here is the information for your first login:

From a Mac or Linux machine, you can connect with this command:
ssh bandit0@bandit.labs.overthewire.org -p 2220

B 1

The password for the next question is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.

What is the password to log in to bandit1?

Hint

Commands you may need to solve this question:
ls, cd, cat, file, du, find

B 2

The password for the next question is stored in a file called `-` located in the home directory.

What is the password to bandit2?

Hint

Commands you may need to solve this question:
ls, cd, cat, file, du, find

Helpful Reading Material:
dashed filename
Special Characters

B 3

The password for the next question is stored in a file called `spaces in this filename` located in the home directory.

What is the password to bandit3?

Hint

Commands you may need to solve this question:
ls, cd, cat, file, du, find

Helpful Reading:
Spaces In Filename

B 4

The password for the next level is stored in a hidden file in the inhere directory.

What is the password to bandit4?

Hint

Commands you may need to solve this question:
ls, cd, cat, file, du, find

B 5

The password for the next question is stored in a file somewhere under the inhere directory and has all of the following properties:

human-readable;
33 bytes in size;
not executable

What is the password to bandit5?

Hint

Commands you may need to solve this question:
ls, cd, cat, file, du, find

B 6

The password for the next question is stored in a file somewhere under the inhere directory and has all of the following properties:

human-readable;
1033 bytes in size;
not executable

What is the password for bandit6?

Hint

Commands you may need to solve this question:
ls, cd, cat, file, du, find

B 7

The password for the next question is stored somewhere on the server and has all of the following properties:

owned by user bandit7;
owned by group bandit6;
33 bytes in size

What is the password to bandit7?

Hint

Commands you may need to solve this question:
ls, cd, cat, file, du, find, grep

B 8

The password for the next question is stored in the file data.txt next to the word millionth.

What is the password to bandit8?

Hint

Commands you may need to solve this question:
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

B 9

The password for the next question is stored in the file data.txt and is the only line of text that occurs only once.

What is the password to bandit9?

Hint

Commands you may need to solve this question:
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

Helpful Reading Material:
Unix Command Line: pipes and redirects

B 10

The password for the next question is stored in the file data.txt in one of the few human-readable strings, beginning with several = characters.

What is the password to bandit10?

Hint

Commands you may need to solve this question:
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

B 11

The password for the next question is stored in the file data.txt, which contains base64 encoded data.

What is the password to bandit11?

Hint

Commands you may need to solve this question:
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd
Also see Base64 Wikipedia

B 12

The password for the next question is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions.

What is the password to bandit12?

Hint

Commands you may need to solve this question:
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

Helpful Reading Material:
Rot13 on Wikipedia

B 13

The password for the next question is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)

What is the password to bandit13?

Hint

Commands you may need to solve this question:
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd, mkdir, cp, mv, file

Helpful Reading Material:
Hex dump on Wikipedia

B 14

The password for the next question is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don't get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on.

What is the password to bandit14?

Hint

Commands you may need to solve this question:
ssh, telnet, nc, openssl, s_client, nmap

Helpful Reading Material:
SSH/OpenSSH/Keys

B 15

The password for the next question can be retrieved by submitting the password of the current level to port 30000 on localhost.

What is the password to bandit15?

Hint

Commands you may need to solve this question:
ssh, telnet, nc, openssl, s_client, nmap

Helpful Reading Material:
How the Internet works in 5 minutes (YouTube) (Not completely accurate, but good enough for beginners)
IP Addresses
IP Address on Wikipedia
Localhost on Wikipedia
Ports
Port (computer networking) on Wikipedia

B 16

The password for the next question can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

Helpful note: Getting HEARTBEATING and Read R BLOCK? Use -ign_eof and read the CONNECTED COMMANDS section in the manpage. Next to R and Q, the B command also works in this version of that command.

What is the password to bandit16?

Hint

Commands you may need to solve this question:
ssh, telnet, nc, openssl, s_client, nmap

Helpful Reading Material:
Secure Socket Layer/Transport Layer Security on Wikipedia
OpenSSL Cookbook - Testing with OpenSSL

B 17

The credentials for the next question can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don't. There is only 1 server that will give the next credentials; the others will simply send back to you whatever you send to them.

What is the RSA private key?

Hint

Commands you may need to solve this question:
ssh, telnet, nc, openssl, s_client, nmap

Helpful Reading Material:
Port scanner on Wikipedia

B 18

There are 2 files in the home directory: passwords.old and passwords.new. The password for the next question is in passwords.new and is the only line that has been changed between passwords.old and passwords.new.

NOTE: If you have solved this question and see Byebye! when trying to log into bandit18, this is related to the next level, bandit19.

What is the password to bandit18?

Hint

Commands you may need to solve this question:
cat, grep, ls, diff

B 19

The password for the next question is stored in a file readme in the home directory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

What is the password to bandit19?

Hint

Commands you may need to solve this question:
ssh, ls, cat

B 20

To gain access to the next question, you should use the setuid binary in the home directory. Execute it without arguments to find out how to use it. The password for this question can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

What is the password to bandit20?

Hint

Helpful Reading Material:
setuid on Wikipedia

B 21

There is a setuid binary in the home directory that does the following: it makes a connection to localhost on the port you specify as a command-line argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: To beat this question, you need to log in twice: once to run the setuid command, and once to start a network daemon to which the setuid binary will connect.

NOTE 2: Try connecting to your own network daemon to see if it works as you think.

Hint

Commands you may need to solve this question:
ssh, nc, cat, bash, screen, tmux, Unix job control (bg, fg, jobs, &, CTRL-Z, ...)

B 22

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

What is the password to bandit22?

Hint

Commands you may need to solve this question:
cron, crontab, crontab(5) (use man 5 crontab to access this)

B 23

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.

What is the password to bandit23?

Hint

Commands you may need to solve this question:
cron, crontab, crontab(5) (use man 5 crontab to access this)

Sources

This uses the OverTheWire Bandit Challenges. I based this on Irvin Lemus' Bandit CTFd presentation at the WASTC Faculty Development Week in June, 2019.
Posted 6-12-19 by Sam Bowne