Lvl0 The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.
Just connect to the host and cat the readme
ZjLjTmM6FvvyRnrb2rfNWOZOTa6ip5If
SHA1 Hashed Flag 1f740a4f5d052af8909be50a34cca22f8bf40d7b
Lvl1 The password for the next level is stored in a file called - located in the home directory
Found by catting its relative path
cat ./-
SHA1 Hashed Flag 7afdaf2d082ee8ea0107a2d2c4459ac5b10e701c
Lvl2 The password for the next level is stored in a file called --spaces in this filename-- located in the home directory
Found by escaping spaces in filename, or just by simply ‘tabbing’
cat ./--spaces\ in\ this\ filename--
SHA1 Hashed Flag 903f8a4c9a65e9eddb791168d89bd8c493aa20f3
Lvl3 The password for the next level is stored in a hidden file in the inhere directory.
Just specify the full name
cat ...Hiding-From-You
SHA1 Hashed Flag acf0a61e79e1f9826e1cb8a48bb4bc1357837882
Lvl4 The password for the next level is stored in the only human-readable file in the inhere directory.
Iterate over files in a directory using the file command to find which ones have ASCII data
for f in *; do file "./$f" | grep -q "ASCII text" && echo "$f"; done
Then cat that file by its relative path
cat ./-file07
SHA1 Hashed Flag 19ddad9ea7444aa978b77253580384f404865bbd
Lvl5 The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:
Recursively find a file that matches the criteria.
Though we really only need to find a file that is 1033 bytes in size with this lvl:
find . -type f -size 1033c
To match the exact criteria more specifically, we can run
find . -type f -size 1033c ! -executable -print0 2>/dev/null |
while IFS= read -r -d '' f; do
  file -b -- "$f" | grep -Ei 'text|ascii' >/dev/null && printf '%s\n' "$f"
done
SHA1 Hashed Flag d63202f9e968e518b24a6db672a25acdafca5974
Lvl6 The password for the next level is stored somewhere on the server and has all of the following properties:
Recursively find a file that matches the criteria.
This will produce many errors, so let's send all errors to the null device
find / -type f -user bandit7 -group bandit6 -size 33c 2>/dev/null
SHA1 Hashed Flag a0c3f66ef9dc2b58d5c170f90bb0fc0b5c549cb1
Lvl7 The password for the next level is stored in the file data.txt next to the word millionth
Find the words next to ‘millionth’ in a file
grep -oP '(\S+\s+){0,1}millionth(\s+\S+){0,1}' data.txt
SHA1 Hashed Flag
Lvl8 The password for the next level is stored in the file data.txt and is the only line of text that occurs only once
Find the unique entry in the data file
sort data.txt | uniq -u
SHA1 Hashed Flag
Lvl9 The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.
Only show lines that have several '=' characters
Let's find strings with three or more '=' in sequence
strings -n 4 data.txt | grep -E '={3,}'
SHA1 Hashed Flag 4ab0c7515e433c7c009123d3fcbc13c66a3f4445
Lvl10 The password for the next level is stored in the file data.txt, which contains base64 encoded data
Decode the base64 encoded string:
base64 -d data.txt
Lvl11 The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions
Decode the ROT13 cypher
tr 'A-Za-z' 'N-ZA-Mn-za-m' < data.txt
SHA1 Hashed Flag 26376576422b82404e69bb2309bba3f083db1bf4
Lvl12 The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work. Use mkdir with a hard to guess directory name. Or better, use the command “mktemp -d”. Then copy the datafile using cp, and rename it using mv (read the manpages!)
file data.bin
This was a cluster. Keep finding the compression type and decompressing until you are left with a file containing ASCII text. This is a good prompt to write a script that repeatedly finds the encoding type and decompresses.
SHA1 Hashed Flag 2ecb7c2f22b0e01afaf1fea73cb188b9dd7aba21
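One way to write the script suggested for Lvl12, as an added example that is not part of the original write-up. It assumes the hexdump has already been reversed into a binary file (for example with xxd -r), and the function names layer_type, peel and demo and the sample data are made up for illustration. It reads the magic bytes directly rather than parsing file output.

```bash
#!/usr/bin/env bash
# Added example (not from the original write-up): peel nested gzip/bzip2/tar
# layers until something that is not an archive remains. Names are made up.

# Classify a file by magic bytes, the same signatures `file` keys on.
layer_type() {
    local magic
    magic=$(head -c 3 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        1f8b*)  echo gzip;  return ;;
        425a68) echo bzip2; return ;;
    esac
    # tar headers carry "ustar" at byte offset 257
    magic=$(dd if="$1" bs=1 skip=257 count=5 2>/dev/null | tr -d '\0')
    if [ "$magic" = ustar ]; then echo tar; else echo data; fi
}

# Unwrap $1 in a private mktemp directory and print the final payload.
peel() {
    local work cur next n=0
    work=$(mktemp -d) || return 1
    cp -- "$1" "$work/layer0" || { rm -rf -- "$work"; return 1; }
    cur=$work/layer0
    while [ "$n" -lt 32 ]; do          # cap iterations: input is untrusted
        next=$work/layer$((n + 1))
        case "$(layer_type "$cur")" in
            gzip)  gzip -dc "$cur" > "$next" ;;
            bzip2) bzip2 -dc "$cur" > "$next" ;;
            # -O streams member data to stdout, so member names in the archive
            # never become paths on disk (assumes one member per archive)
            tar)   tar -xOf "$cur" > "$next" ;;
            *)     cat -- "$cur"; rm -rf -- "$work"; return 0 ;;
        esac || break
        cur=$next
        n=$((n + 1))
    done
    rm -rf -- "$work"
    return 1
}

# Constructed sample: text -> gzip -> tar -> gzip (stands in for `xxd -r` output)
demo() {
    local d; d=$(mktemp -d) || return 1
    printf 'CONSTRUCTED-SAMPLE-PASSWORD\n' > "$d/p"
    gzip -c "$d/p" > "$d/a" && tar -C "$d" -cf "$d/b" a && gzip -c "$d/b" > "$d/c"
    peel "$d/c"; rm -rf -- "$d"
}
demo
```

On the real level, replace the demo call with peel data.bin; a non-zero exit means a layer failed to decompress or the 32-layer cap was hit.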