OverTheWire: Bandit — Level 6 Through 12
Here comes the second article in the follow-up series of OverTheWire Bandit CTF Walkthrough. You can find its previous part [from Level 0 to 5] here.
Without further ado, let’s start arresting the flags.
Level 6 ➜ Level 7
From the instruction page and the previous level, these are the details we need to log in for Level 6:
Host to connect: bandit.labs.overthewire.org
Port: 2220
Username: bandit6
Password: DXjZPULLxYr17uwoI01bNLQbtFemEgo7
It is said that the password for the next level is stored somewhere on the server. Finding the file with ls alone would be a lot trickier, so we will widen the scope of our search using the find command. We are hinted that the file is owned by user bandit7 and group bandit6. Also, the file is 33 bytes in size.
We will add this information as parameters to the find command. As we can see in the given image, we successfully located the password file hidden on the server.
However, we also got a huge number of error messages on standard error (stderr), which is quite irritating. We can mitigate this problem by adding 2>/dev/null at the end of the command. Let’s see how.
The > operator redirects output, usually to a file, but the target can also be a device. In this case we redirected everything written to stderr (file descriptor 2) to the null device, which gives us clean output. You can learn about it more here. cat that file and snatch the password!
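The search described above, run against a constructed directory tree instead of the Bandit server (an added example, not part of the original walkthrough). The sandbox layout, the file names and the use of the current user and group in place of bandit7 and bandit6 are assumptions; it also shows why the size needs the c suffix.

```shell
#!/bin/sh
# Build a constructed directory tree that stands in for the server.
make_sandbox() {
    root=$(mktemp -d)
    mkdir -p "$root/var/lib" "$root/etc" "$root/locked"
    printf '%032d\n' 7 > "$root/var/lib/target.password"  # 32 chars + newline = 33 bytes
    printf '%033d\n' 7 > "$root/var/lib/decoy.password"   # 34 bytes: must not match
    dd if=/dev/zero of="$root/etc/blocks.bin" bs=512 count=33 2>/dev/null  # 33 blocks
    chgrp "$(id -g)" "$root/var/lib/target.password"
    chmod 000 "$root/locked"   # makes find complain on stderr (unless run as root)
    printf '%s\n' "$root"
}

# The search from the text. The current user and group (numeric IDs) stand in
# for bandit7 and bandit6, which do not exist outside the Bandit server.
find_password_file() {
    find "$1" -type f -user "$(id -u)" -group "$(id -g)" -size 33c 2>/dev/null
}

# Pitfall: without the "c" suffix, -size counts 512-byte blocks, not bytes,
# so the 33-byte file is missed and the 33-block file is reported instead.
find_without_suffix() {
    find "$1" -type f -size 33 2>/dev/null
}

remove_sandbox() { chmod 700 "$1/locked" && rm -rf "$1"; }

sandbox=$(make_sandbox)
find_password_file "$sandbox"     # only target.password
find_without_suffix "$sandbox"    # only blocks.bin
remove_sandbox "$sandbox"
```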
Level 7 ➜ Level 8
From the instruction page and the previous level, these are the details we need to log in for Level 7:
Host to connect: bandit.labs.overthewire.org
Port: 2220
Username: bandit7
Password: HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
It is said that the password for the next level is stored inside a file named data.txt. We are hinted that the password is written next to the word millionth in the data.txt file. This means if we find the word millionth, we find the password. We are going to use the grep command to find millionth. For that, we use the Unix pipe (|). The pipe takes the standard output of the first command and feeds it as standard input to the second command.
In our case, the first command, cat, reads the file, and the data inside the file is then sent to the grep command to work on. This gives us the password for the next level. We will use it to get an SSH connection as bandit8.
Level 8 ➜ Level 9
From the instruction page and the previous level, these are the details we need to log in for Level 8:
Host to connect: bandit.labs.overthewire.org
Port: 2220
Username: bandit8
Password: cvX2JJa4CFALtqS87jk27qwqGhBM9plV
It is said that the password for the next level is stored inside a file named data.txt. It is hinted that the password is the only line of text that occurs only once. Here we are going to use the sort command to sort the text inside the data.txt file. The file still contains a lot of repeated lines, so we will use the uniq command to print only the line that is not repeated.
We are using multiple pipes here to get a filtered result. This gives us the password for the next level. We will use it to get an SSH connection as bandit9.
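The sort and uniq pipeline described above, run on constructed sample data (an added example, not part of the original walkthrough; the sample lines and function names are made up). It also shows why the sort step cannot be skipped.

```shell
#!/bin/sh
# Constructed stand-in for data.txt: every line repeats except "delta",
# and no two equal lines are adjacent.
sample_data() {
    printf '%s\n' alpha bravo alpha charlie bravo delta charlie alpha
}

# Approach from the text: sort makes equal lines adjacent, then uniq -u
# keeps only the lines that occur exactly once.
only_unique() { sort | uniq -u; }

# Pitfall: uniq compares neighbouring lines only. On unsorted input nothing
# is adjacent to its duplicate, so every line is reported as "unique".
unsorted_unique_count() { uniq -u | wc -l | tr -d ' '; }

# Cross-check: uniq -c prefixes each line with its count; keep count 1.
count_check() { sort | uniq -c | awk '$1 == 1 { print $2 }'; }

sample_data | only_unique             # delta
sample_data | unsorted_unique_count   # 8
sample_data | count_check             # delta
```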
Level 9 ➜ Level 10
From the instruction page and the previous level, these are the details we need to log in for Level 9:
Host to connect: bandit.labs.overthewire.org
Port: 2220
Username: bandit9
Password: UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
We are informed that the password for the next level is stored inside a file named data.txt in one of the few human-readable strings. We are hinted that the password is preceded by several ‘=’ characters. If we were to use the cat command, our screen would be filled with an unreadable mess. So, for a more refined approach, we are going to use the strings command to print the sequences of printable characters in the file. And to get to the exact location of the password, we are going to use grep.
Let’s see how.
This gives us the password for the next level. We will use it to get an SSH connection as bandit10.
Level 10 ➜ Level 11
From the instruction page and the previous level, these are the details we need to log in for Level 10:
Host to connect: bandit.labs.overthewire.org
Port: 2220
Username: bandit10
Password: truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
It is said that the password for the next level is stored inside a file named data.txt. Also, we are hinted that the password is encoded in Base64. We could read the file with the cat command and decode the Base64 manually, but Linux has a command that can do the heavy lifting for us.
So, we pipe the output of the cat command into the base64 command with the -d option to read and decode the text in one step. This gives us the password for the next level. We will use it to get an SSH connection as bandit11.
Level 11 ➜ Level 12
From the instruction page and the previous level, these are the details we need to log in for Level 11:
Host to connect: bandit.labs.overthewire.org
Port: 2220
Username: bandit11
Password: IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR
It is said that the password for the next level is stored inside a file named data.txt. Also, we are hinted that the file containing the password has changed the format of letters in such a way that all the lowercase and uppercase letters have been rotated by 13 positions. If we remember right, that is exactly what happens in ROT13 encryption.
Now, to convert the text, we can use the ‘tr’ command. The parameter ‘[a-zA-Z]’ simply expands to the series of letters from a to z, then A to Z. What basically happens is that each character in the first set is replaced by the corresponding character in the second set. This gives us the password for the next level.
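The tr mapping described above, as an added example that is not part of the original walkthrough. The sample strings and function names are made up, and rot goes beyond the text by rotating by any N from 0 to 26, so ROT13 is the case N = 13.

```shell
#!/bin/sh
# ROT13 with tr ranges: the second set is the alphabet started 13 places later.
rot13() { tr 'A-Za-z' 'N-ZA-Mn-za-m'; }

# Generalisation (not in the original text): rotate letters by N places.
rot() {
    n=$1
    lower=abcdefghijklmnopqrstuvwxyz
    upper=ABCDEFGHIJKLMNOPQRSTUVWXYZ
    # Second set = 26 letters starting at position N+1 of the doubled alphabet,
    # which wraps around from z back to a.
    l2=$(printf '%s%s' "$lower" "$lower" | cut -c"$((n + 1))-$((n + 26))")
    u2=$(printf '%s%s' "$upper" "$upper" | cut -c"$((n + 1))-$((n + 26))")
    # Each character in the first set is replaced by the character at the
    # same position in the second set; digits and spaces pass through.
    tr "$lower$upper" "$l2$u2"
}

# Constructed sample input, not the level's data.
printf 'Gur cnffjbeq vf 42\n' | rot13            # The password is 42
printf 'Gur cnffjbeq vf 42\n' | rot 13           # same result
printf 'Bandit Level 11\n' | rot13 | rot13       # ROT13 twice restores the input
```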
Level 12 ➜ Level 13
This is quite a tricky and lengthy level compared to the previous levels. Still, it’s not that hard; it just repeats the basic steps.
From the instruction page and the previous level, these are the details we need to log in for Level 12:
Host to connect: bandit.labs.overthewire.org
Port: 2220
Username: bandit12
Password: 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
It is said that the password for the next level is stored inside a directory named inhere. Also, we are hinted that the file containing the password is in the form of a hex dump. Just out of curiosity, let’s read the file using the cat command. As we can see in the given image, the password is not at all readable.
We are also told that the password file has been repeatedly compressed. To decompress it, we are going to need a directory with read and write permissions. The tmp directory under root (/tmp) has the required permissions.
So, let’s create a directory inside the tmp folder. Here we named it cybersecnerds. For further operations, let’s copy the file into the directory we just created and move into that directory using the cd command. Running the file command tells us that it is an ASCII file, but a hex dump, from which we will retrieve the original with xxd -r, providing a filename where it should store its output. Here we will name it original.
From here, I suggest you continue on your own until you find some hints about the password file.
This gives us the password for the next level. We will use it to get an SSH connection as bandit13.
Key Takeaways from this level:
- gzip decompress: zcat in_file > out_file
- bzip2 decompress: bzip2 -d file
- tar extract: tar -xvf file
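The unpacking procedure for this level, as an added example that is not part of the original walkthrough: it builds a constructed sample, reverses the hex dump with xxd -r and then lets file choose the tool for each layer. The names hexdump.txt and inner.bin, the sample text and the cap of 20 layers are assumptions, and it expects xxd, file, gzip, bzip2 and tar to be installed.

```shell
#!/bin/sh
# Constructed sample: text wrapped as gzip -> bzip2 -> tar -> gzip, then
# hex-dumped. hexdump.txt and inner.bin are made-up names.
make_sample() {      # $1 = scratch directory
    ( cd "$1" || exit 1
      printf 'The password is CONSTRUCTED-SAMPLE\n' | gzip -c | bzip2 -c > inner.bin
      tar -cf - inner.bin | gzip -c | xxd > hexdump.txt
      rm -f inner.bin )
}

# Reverse the hex dump, then peel one layer per pass, letting `file` pick
# the tool, until what remains is no longer an archive or compressed stream.
unwrap() {           # $1 = scratch directory holding hexdump.txt
    ( cd "$1" || exit 1
      xxd -r hexdump.txt > cur
      pass=0
      while [ "$pass" -lt 20 ]; do          # hard cap on nesting depth
          case $(file -b cur) in
              gzip*)            gzip -dc cur > next ;;   # same as zcat cur
              bzip2*)           bzip2 -dc cur > next ;;
              *"tar archive"*)  tar -xOf cur > next ;;   # member goes to stdout
              *)                cat cur; exit 0 ;;       # plain data: done
          esac
          mv next cur
          pass=$((pass + 1))
      done
      exit 1 )
}

work=$(mktemp -d)    # scratch directory, like the one created under /tmp in the text
make_sample "$work" && unwrap "$work"
rm -rf "$work"
```

Extracting the tar member to stdout with -O means a file name stored inside the archive is never written to disk.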
Okay! See you in the next article.
Founder of cybersecnerds.com. Cybersecurity professional with 3+ years experience in offensive web security, cloud security and building systems.
I am a Linux evangelist and highly interested in source-code auditing. You will find me reading InfoSec blogs most of the time.