CTF Bandit Over The Wire

Last updated on May 1, 2022 5 min read

Challenge Link 👉 Bandit Over The Wire

Level 0

sshpass -p bandit0 ssh bandit0@bandit.labs.overthewire.org -p 2220
bandit0@bandit:~$ cat readme 
boJ9jbbUNNfktd78OOpsqOltutMc3MY1

username: bandit0 
password: bandit0
next_level: boJ9jbbUNNfktd78OOpsqOltutMc3MY1

Level 0 → Level 1

┌─[lukab@bullhacks3]─[~/CTF/Bandit]
└──╼ $sshpass -p boJ9jbbUNNfktd78OOpsqOltutMc3MY1 ssh bandit1@bandit.labs.overthewire.org -p 2220

bandit1@bandit:~$ cat /home/bandit1/-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

bandit1@bandit:~$ cat ./-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9


username: bandit1
password: boJ9jbbUNNfktd78OOpsqOltutMc3MY1
next_level: CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

Learning: Dashed filenames in UNIX based systems are used for STDIN/STDOUT, so in order to view content of file, it is required to give exact location of file.

Level 1 → Level 2

┌─[lukab@bullhacks3]─[~/CTF/Bandit]
└──╼ $sshpass -p CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9 ssh bandit2@bandit.labs.overthewire.org -p 2220

bandit2@bandit:~$ cat "spaces in this filename"
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
bandit2@bandit:~$ cat spaces\ in\ this\ filename 
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK


username: bandit2
password: CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
next_level: UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

Level 2 → Level 3

┌─[lukab@bullhacks3]─[~/CTF/Bandit]
└──╼ $sshpass -p UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK ssh bandit3@bandit.labs.overthewire.org -p 2220

bandit3@bandit:~$ cat inhere/.hidden 
pIwrPrtPN36QITSp3EQaw936yaFoFgAB


username: bandit3
password: UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
next_level: pIwrPrtPN36QITSp3EQaw936yaFoFgAB

Level 3 → Level 4

┌─[lukab@bullhacks3]─[~/CTF/Bandit]
└──╼ $sshpass -p pIwrPrtPN36QITSp3EQaw936yaFoFgAB ssh bandit4@bandit.labs.overthewire.org -p 2220

username: bandit4
password: pIwrPrtPN36QITSp3EQaw936yaFoFgAB
next_level:

Level 4 → Level 5

┌┌─[lukab@bullhacks3]─[~/CTF/Bandit]
└──╼ $sshpass -p pIwrPrtPN36QITSp3EQaw936yaFoFgAB ssh bandit4@bandit.labs.overthewire.org -p 2220

bandit4@bandit:~$ file inhere/*
inhere/-file00: data
inhere/-file01: data
inhere/-file02: data
inhere/-file03: data
inhere/-file04: data
inhere/-file05: data
inhere/-file06: data
inhere/-file07: ASCII text
inhere/-file08: data
inhere/-file09: data
bandit4@bandit:~$ cat inhere/-file07 
koReBOKuIDDepwhWk7jZC0RTdopnAYKh


username: bandit4
password: pIwrPrtPN36QITSp3EQaw936yaFoFgAB
next_level: koReBOKuIDDepwhWk7jZC0RTdopnAYKh

Level 5 → Level 6

┌─[lukab@bullhacks3]─[~/CTF/Bandit]
└──╼ $sshpass -p koReBOKuIDDepwhWk7jZC0RTdopnAYKh ssh bandit5@bandit.labs.overthewire.org -p 2220

bandit5@bandit:~$ find inhere/ ! -executable -size 1033c -type f -exec cat {} \;
DXjZPULLxYr17uwoI01bNLQbtFemEgo7


username: bandit5
password: koReBOKuIDDepwhWk7jZC0RTdopnAYKh
next_level: DXjZPULLxYr17uwoI01bNLQbtFemEgo7

Level 6 → Level 7

┌─[lukab@bullhacks3]─[~/CTF/Bandit]
└──╼ $sshpass -p DXjZPULLxYr17uwoI01bNLQbtFemEgo7 ssh bandit6@bandit.labs.overthewire.org -p 2220

bandit6@bandit:~$ find / -user bandit7 -group bandit6 2>/dev/null -exec cat {} \;
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs


username: bandit6
password: DXjZPULLxYr17uwoI01bNLQbtFemEgo7
next_level: HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

Level 7 → Level 8

┌─[lukab@bullhacks3]─[~/CTF/Bandit]
└──╼ $sshpass -p HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs ssh bandit7@bandit.labs.overthewire.org -p 2220

bandit7@bandit:~$ grep millionth data.txt | awk '{print $2}'
cvX2JJa4CFALtqS87jk27qwqGhBM9plV

username: bandit7
password: HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
next_level: cvX2JJa4CFALtqS87jk27qwqGhBM9plV

Level 8 → Level 9

┌─[lukab@bullhacks3]─[~/CTF/Bandit]
└──╼ $sshpass -p cvX2JJa4CFALtqS87jk27qwqGhBM9plV ssh bandit8@bandit.labs.overthewire.org -p 2220

bandit8@bandit:~$ sort data.txt | uniq -u
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR


username: bandit8
password: cvX2JJa4CFALtqS87jk27qwqGhBM9plV
next_level: UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

Level 9 → Level 10

┌─[lukab@bullhacks3]─[~/CTF/Bandit]
└──╼ $sshpass -p UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR ssh bandit9@bandit.labs.overthewire.org -p 2220

bandit9@bandit:~$ strings data.txt | grep "&==" | awk '{print $2}'
truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk

username: bandit9
password: UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
next_level: truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk

Learning: strings is a command line used to print human-readable characters

Level 10 → Level 11

┌─[lukab@bullhacks3]─[~/CTF/Bandit]
└──╼ $sshpass -p truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk ssh bandit10@bandit.labs.overthewire.org -p 2220

bandit10@bandit:~$ cat data.txt | base64 -d | awk '{print $4}'
IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR


username: bandt10
password: truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
next_level: IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

Level 11 → Level 12

┌─[lukab@bullhacks3]─[~/CTF/Bandit]
└──╼ $sshpass -p IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR ssh bandit11@bandit.labs.overthewire.org -p 2220

bandit11@bandit:~$ cat data.txt | tr '[a-m][n-z][A-M][N-Z]' [n-z][a-m][N-Z][A-M] | awk '{print $4}'
5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu


username: bandit11
password: IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR
next_level: 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

Level 12 → Level 13

┌─[lukab@bullhacks3]─[~/CTF/Bandit]
└──╼ $sshpass -p 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu ssh bandit12@bandit.labs.overthewire.org -p 2220

bandit12@bandit:/tmp/hello$ xxd -r data.txt  >> demo
bandit12@bandit:/tmp/hello$ file demo 
demo: gzip compressed data, was "data2.bin", last modified: Thu May  7 18:14:30 2020, max compression, from Unix
bandit12@bandit:/tmp/hello$ gzip -d demo.gz 
bandit12@bandit:/tmp/hello$ file demo 
demo: bzip2 compressed data, block size = 900k
(so on)

bandit12@bandit:/tmp/hello$ cat first
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL



username: bandit12
password: 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
next_level: 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

Level 13 → Level 14

┌─[lukab@bullhacks3]─[~/CTF/Bandit]
└──╼ $sshpass -p 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL ssh bandit13@bandit.labs.overthewire.org -p 2220

bandit13@bandit:~$ ssh -i sshkey.private bandit14@localhost

username: bandit13
password: 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
next_level:

Level 14 → Level 15

┌─[lukab@bullhacks3]─[~/CTF/Bandit]
└──╼ $sshpass -p 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e ssh bandit14@bandit.labs.overthewire.org -p 2220

bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

bandit14@bandit:~$ telnet localhost 30000
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr


username: bandit14
password: 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
next_level: BfMYroe26WYalil77FoDi9qh59eK5xNr

Level 15 → Level 16

┌─[lukab@bullhacks3]─[~/CTF/Bandit]
└──╼ $sshpass -p BfMYroe26WYalil77FoDi9qh59eK5xNr ssh bandit15@bandit.labs.overthewire.org -p 2220

bandit15@bandit:~$ openssl s_client -connect localhost:30001
BfMYroe26WYalil77FoDi9qh59eK5xNr
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd


username: bandit15
password: BfMYroe26WYalil77FoDi9qh59eK5xNr
next_level: cluFn7wTiGryunymYOu4RcffSxQluehd

Level 16 → Level 17

┌─[lukab@bullhacks3]─[~/CTF/Bandit]
└──╼ $sshpass -p cluFn7wTiGryunymYOu4RcffSxQluehd ssh bandit16@bandit.labs.overthewire.org -p 2220

bandit16@bandit:~$ nmap localhost -p 31000-32000 -sV

Starting Nmap 7.40 ( https://nmap.org ) at 2021-03-29 03:34 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00021s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE     VERSION
31046/tcp open  echo
31518/tcp open  ssl/echo
31691/tcp open  echo
31790/tcp open  ssl/unknown
31960/tcp open  echo

bandit16@bandit:~$ openssl s_client -connect localhost:31790
CONNECTED(00000003)
cluFn7wTiGryunymYOu4RcffSxQluehd
Correct!
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
-----END RSA PRIVATE KEY-----


username: bandit16
password: cluFn7wTiGryunymYOu4RcffSxQluehd
next_level:

Level 17 → Level 18

┌─[lukab@bullhacks3]─[~/CTF/Bandit]
└──╼ $sshpass -p xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn ssh bandit17@bandit.labs.overthewire.org -p 2220

bandit16@bandit:/tmp/a$ chmod 600 private.key 
bandit16@bandit:/tmp/a$ ssh -i private.key bandit17@localhost
bandit17@bandit:~$ diff passwords.old passwords.new 
42c42
< w0Yfolrc5bwjS4qw5mq1nnQi6mF03bii
---
> kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd


username: bandit17
password: xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn
next_level: kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd

Level 18 → Level 19

┌─[✗]─[lukab@bullhacks3]─[~/CTF/Bandit]
└──╼ $sshpass -p kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd ssh bandit18@bandit.labs.overthewire.org -p 2220 -t 'sh -l'
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

$ cat readme
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x


username: bandit18
password: kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
next_level: IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

Level 19 → Level 20

┌─[lukab@bullhacks3]─[~/CTF/Bandit]
└──╼ $sshpass -p IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x ssh bandit19@bandit.labs.overthewire.org -p 2220

bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j


username: bandit19
password: IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
next_level: GbKksEFF4yrVs6il55v6gwY5aVje5f0j

Level 20 → Level 21

┌─[lukab@bullhacks3]─[~/CTF/Bandit]
└──╼ $sshpass -p GbKksEFF4yrVs6il55v6gwY5aVje5f0j ssh bandit20@bandit.labs.overthewire.org -p 2220

bandit20@bandit:~$ nc -z localhost 1-65535 -v
localhost [127.0.0.1] 39912 (?) open
localhost [127.0.0.1] 39658 (?) open
localhost [127.0.0.1] 31960 (?) open
localhost [127.0.0.1] 31790 (?) open
localhost [127.0.0.1] 31691 (?) open
localhost [127.0.0.1] 31518 (?) open
localhost [127.0.0.1] 31046 (?) open
localhost [127.0.0.1] 30002 (?) open
localhost [127.0.0.1] 30001 (?) open
localhost [127.0.0.1] 30000 (?) open
localhost [127.0.0.1] 6013 (?) open
localhost [127.0.0.1] 6011 (?) open
localhost [127.0.0.1] 6010 (?) open
localhost [127.0.0.1] 113 (auth) open
localhost [127.0.0.1] 22 (ssh) open

PORT      STATE SERVICE             VERSION
22/tcp    open  ssh                 OpenSSH 7.4p1 (protocol 2.0)
113/tcp   open  ident
6010/tcp  open  x11?
6013/tcp  open  x11?
30000/tcp open  ndmps?
30001/tcp open  ssl/pago-services1?
30002/tcp open  pago-services2?
31046/tcp open  echo
31518/tcp open  ssl/echo
31691/tcp open  echo
31790/tcp open  ssl/unknown
31960/tcp open  echo


username: bandit20
password: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
next_level:
security ctf
B@kul Gupt@
B@kul Gupt@
Information Security Engineer

A zealous technocrat finding out the path to work and grow with professionals.