Cover Image

OverTheWire Bandit
 April 2, 2021    CTF

Bandit 0

  • Connect to the bandit server with ssh bandit0@bandit.labs.overthewire.org -p 2220.
  • ls shows a file called readme which can be read with the cat readme command.
  • The password is boJ9jbbUNNfktd78OOpsqOltutMc3MY1.


Bandit 1

  • We get a file named - which is interpreted by cat as a stdin, to get around this we can add a path to the filename cat /home/bandit1/-.
  • The password is CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9.


Bandit 2

  • We get a file called spaces in this filename which can be opend by using apostrophes cat "spaces in this filename".
  • The password is UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK.


Bandit 3

  • We can find a directory called inhere that can be accessed with cd inhere, in the folder is a file that can be listed with ls -al and read with cat .hidden.
  • The password is pIwrPrtPN36QITSp3EQaw936yaFoFgAB.


Bandit 4

  • We get a directory that contains a bunch of files, but only one is human-readable cat inhere/-file07.
  • The password is koReBOKuIDDepwhWk7jZC0RTdopnAYKh.


Bandit 5

  • We are looking for a human-readable file that is not executable and has a size of 1033 bytes find -type f -size 1033c ! -executable, it is called maybehere07/.file2.
  • The password is DXjZPULLxYr17uwoI01bNLQbtFemEgo7.


Bandit 6

  • We are looking for a file owned by user bandit7, group bandit6 and that is 33 bytes big find / -type f -size 33c -user bandit7 -group bandit6, it is called /var/lib/dpkg/info/bandit7.password.
  • The password is HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs.


Bandit 7

  • We get a data.txt file with a bunch of passwords in it, with grep data.txt | grep "millionth the file can be filtered.
  • The password is cvX2JJa4CFALtqS87jk27qwqGhBM9plV.


Bandit 8

  • We are looking for the only line that appears once in data.txt file cat data.txt | sort | uniq -u.
  • The password is UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR.


Bandit 9

  • We are looking for are human-readable string with several ‘=’ characters strings data.txt | grep "=".
  • The password is truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk.


Bandit 10

  • We get a base64 encoded password in the data.txt file strings data.txt | base64 --decode.
  • The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR.


Bandit 11

  • We get a ROT13 encoded Text cat data.txt | tr A-Za-z N-ZA-Mn-za-m
  • The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu.


Bandit 12

  • Convert the hexdump into a binary file xxd -r data1.txt data1.bin
  • Figure out used compression with file data1.bin, it´s gzip and decompress it zcat data1.bin > data2.bin
  • Figure out used compression with file data2.bin, it´s bzip2 and decompress it bzcat data2.bin > data3.bin
  • Figure out used compression with file data3.bin, it´s gzip and decompress it zcat data3.bin > data4.bin
  • Figure out used compression with file data4.bin, it´s tar and decompress it tar -x -O -f data4.bin > data5.bin
  • Figure out used compression with file data5.bin, it´s tar and decompress it tar -x -O -f data5.bin > data6.bin
  • Figure out used compression with file data6.bin, it´s bzip2 and decompress it bzcat data6.bin > data7.bin
  • Figure out used compression with file data7.bin, it´s tar and decompress it tar -x -O -f data7.bin > data8.bin
  • Figure out used compression with file data8.bin, it´s gzip and decompress it zcat data8.bin > data9.bin
  • Figure out used compression with file data9.bin, it´s ASCII text and can be read with cat data9.bin
  • The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL.


Bandit 13

  • We get a private ssh key that can be used to log into bandit14 ssh -i sshkey.private bandit14@localhost
  • The password is 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e.


Bandit 14

  • We open up a telnet on port 30000 and submit the password telnet localhost 30000
  • The password is BfMYroe26WYalil77FoDi9qh59eK5xNr.


Bandit 15

  • We open up a ncat on port 30001 with SSL encryption and submit the password ncat --ssl localhost 30001
  • The password is cluFn7wTiGryunymYOu4RcffSxQluehd.


Bandit 16

  • A nmap localhost -p 31000-32000 gives us 5 potential ports, it was port 31960 ncat --ssl localhost 31960
  • We get a RSA Private Key 
    -----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
-----END RSA PRIVATE KEY-----
  • The password is xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn.