Every craftsman’s gotta practice his craft and the fine folks at Over the Wire have provided Bandit for us to develop our skills.

In the #bandit tag I’ll be posting my walkthrough of the various levels.

Level 5->6

The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:

  • human-readable
  • 1033 bytes in size
  • not executable

sshpass -p lrIWWI6bB37kxfiCQZqUdOIYfr6eEeqR ssh bandit5@bandit.labs.overthewire.org -p 2220

We’ll use some additional switches here, -readable to find human-readable files and -size for a specific file size, to find the specific file.

bandit5@bandit:~$ find inhere -readable -size 1033c
inhere/maybehere07/.file2
bandit5@bandit:~$ cat inhere/maybehere07/.file2
P4L4vucdmLnm8I7Vl7jG1ApGSfjYKqJU

The password for next level is: P4L4vucdmLnm8I7Vl7jG1ApGSfjYKqJU
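All three properties listed for this level can be tested in a single find invocation. The script below is an added example, not part of the original walkthrough: it builds a constructed directory tree (the file names and the secret are made up) and treats "human-readable" as "contains only printable ASCII and whitespace", which is an assumption.

```shell
#!/bin/sh
# Added example on constructed data; make_tree and find_candidates are hypothetical names.

# Build a tree with one real match and three decoys that each fail one property.
make_tree() {
    root=$1
    mkdir -p "$root/maybehere01" "$root/maybehere02"
    # Match: text, exactly 1033 bytes (1032 padded characters + newline), not executable.
    printf '%-1032s\n' 'constructed-secret' > "$root/maybehere02/.file2"
    chmod 640 "$root/maybehere02/.file2"
    # Decoy: right size and text, but executable.
    printf '%-1032s\n' 'decoy-executable' > "$root/maybehere01/.file1"
    chmod 750 "$root/maybehere01/.file1"
    # Decoy: right size and not executable, but binary (all NUL bytes).
    head -c 1033 /dev/zero > "$root/maybehere01/.file2"
    chmod 640 "$root/maybehere01/.file2"
    # Decoy: text and not executable, but the wrong size.
    printf 'too short\n' > "$root/maybehere02/.file1"
    chmod 640 "$root/maybehere02/.file1"
}

# Print every regular file under $1 that satisfies all three properties.
find_candidates() {
    # -size 1033c    exactly 1033 bytes
    # ! -executable  the current user cannot execute it (GNU find)
    # -readable      the current user can read it (GNU find); this is a
    #                permission test, so the content is checked separately
    # -exec sh -c    true only if nothing remains after deleting printable
    #                and whitespace bytes, i.e. the file is plain text
    find "$1" -type f -size 1033c ! -executable -readable \
        -exec sh -c '[ "$(LC_ALL=C tr -d "[:print:][:space:]" < "$1" | wc -c)" -eq 0 ]' sh {} \; \
        -print
}

# Demo run on a throwaway directory.
demo_dir=$(mktemp -d)
make_tree "$demo_dir/inhere"
find_candidates "$demo_dir/inhere"
rm -rf "$demo_dir"
```
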

Level 6->7

The password for the next level is stored somewhere on the server and has all of the following properties:

  • owned by user bandit7
  • owned by group bandit6
  • 33 bytes in size

sshpass -p P4L4vucdmLnm8I7Vl7jG1ApGSfjYKqJU ssh bandit6@bandit.labs.overthewire.org -p 2220

We’ll use find / to start our search from the root directory. We have several criteria for finding the correct password file, so we need to add -user bandit7 -group bandit6 -size 33c to the command. We also don’t want to see permission-denied or other error messages, only what we’re here to find, so let’s redirect STDERR to the void with 2>/dev/null.

bandit6@bandit:~$ find / -user bandit7 -group bandit6 -size 33c 2>/dev/null
/var/lib/dpkg/info/bandit7.password
bandit6@bandit:~$ cat /var/lib/dpkg/info/bandit7.password
z7WtoNQU2XfjmMtWA8u5rN4vzqu4v99S

The password for next level is: z7WtoNQU2XfjmMtWA8u5rN4vzqu4v99S

Level 7->8

The password for the next level is stored in the file data.txt next to the word millionth

sshpass -p z7WtoNQU2XfjmMtWA8u5rN4vzqu4v99S ssh bandit7@bandit.labs.overthewire.org -p 2220

Our friend here is grep which will take in the output of our cat data.txt command and find our keyword ‘millionth’.

bandit7@bandit:~$ ls
data.txt
bandit7@bandit:~$ cat data.txt | grep millionth
TESKZC0XvTetK0S9xNwm25STk5iWrBvP
bandit7@bandit:~$ 

The password for next level is: TESKZC0XvTetK0S9xNwm25STk5iWrBvP

Level 8->9

The password for the next level is stored in the file data.txt and is the only line of text that occurs only once

sshpass -p TESKZC0XvTetK0S9xNwm25STk5iWrBvP ssh bandit8@bandit.labs.overthewire.org -p 2220

Similar to the previous level we’re going to take the output of our cat data.txt command, sort it so that any repetitions are placed next to each other, and then use uniq -u to show us the unique line.

bandit8@bandit:~$ ls
data.txt
bandit8@bandit:~$ cat data.txt | sort | uniq -u
EN632PlfYiZbn3PhVK3XOGSlNInNE00t
bandit8@bandit:~$

The password for next level is: EN632PlfYiZbn3PhVK3XOGSlNInNE00t

Level 9->10

The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.

sshpass -p EN632PlfYiZbn3PhVK3XOGSlNInNE00t ssh bandit9@bandit.labs.overthewire.org -p 2220

Since we’re given the hint to look for several ‘=’ characters, we’ll use strings which, per the man page, “prints the printable character sequences that are at least 4 characters long”, and use grep again to find multiple ‘=’.

bandit9@bandit:~$ ls
data.txt
bandit9@bandit:~$ strings data.txt | grep '=='
c========== the
h;========== password
========== isT
n.E========== G7w8LIi6J3kTb8A7j9LgrywtEUlyyp6s
bandit9@bandit:~$ 

The password for next level is: G7w8LIi6J3kTb8A7j9LgrywtEUlyyp6s