OverTheWire’s wargames are offered to help learn and practice security concepts in the form of fun-filled games.

The Bandit wargame is aimed at absolute beginners and will teach them the basics needed to be able to play other wargames. All the challenges are focused on the Linux systems and their commands. It aims to get the player familiar with the Linux terminal and introduce some basic security concepts.

It consists of a total of 33 Levels. At each level, you have to find the password for the next level to continue playing. Each Level is a user that you connect as, using SSH in the bandit.labs.overthewire.org server.

In this post, we will present the solutions for Levels 10-19 of the Bandit wargame.

NOTE: These walkthroughs are written and published to help other members of the community that are stuck at some Level. It is strongly advised to first try the challenges yourself until you can progress no more, and only then come back here to see the solution.

Level 10

Level Goal

The password for the next level is stored in the file data.txt, which contains base64 encoded data

Solution

Log in to bandit10, using the password found from Level 9:

ssh -p 2220 bandit10@bandit.labs.overthewire.org
Copy

We will use base64 in order to decode the file:

bandit10@bandit:~$ base64 -d data.txt
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR
Copy

Level 11

Level Goal

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions.

Solution

Log in to bandit11, using the password found from Level 10:

ssh -p 2220 bandit11@bandit.labs.overthewire.org
Copy

We will use the tr utility to map upper case A-Z to N-ZA-M and lower case a-z to n-za-m, in order to have them rotated by 13 positions and we will feed the file as stdin:

bandit11@bandit:~$ tr 'A-Za-z' 'N-ZA-Mn-za-m' < data.txt
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
Copy

Level 12

Level Goal

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed.

Solution

Log in to bandit12, using the password found from Level 11:

ssh -p 2220 bandit12@bandit.labs.overthewire.org
Copy

Working Directory

We first create a directory to work on, in /tmp, copy data.txt and change directory there:

mkdir /tmp/mine12
cp data.txt /tmp/mine12/data.txt
cd /tmp/mine12
Copy

Convert Hexdump back to Binary

Because the file is a hexdump we convert it back to the original binary with xxd:

xxd -r data.txt > /tmp/mine12/data_rev.txt
Copy

Check file tpe

We check each time what type of file it is.

gzip

bandit12@bandit:/tmp/mine12$ file data_rev.txt
data_rev.txt: gzip compressed data, was "data2.bin", last modified: Thu May  7 18:14:30 2020, max compression, from Unix
Copy

If is a gzip compressed file, we decompress it with:

gzip -S .txt -d data_rev.txt
Copy

bz2

bandit12@bandit:/tmp/mine12$ file data_rev
data_rev: bzip2 compressed data, block size = 900k
Copy

If it is a bzip2 compressed file, we decompress it with:

bzip2 -d data_rev.txt
Copy

tar

bandit12@bandit:/tmp/mine12$ file data_rev
data_rev: POSIX tar archive (GNU)
Copy

If it is a tar archive, we untar it with:

tar -xvf data_rev.txt
Copy

Final ASCII File

After all decompressions cat the ascii file:

bandit12@bandit:/tmp/mine12$ cat data8
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
Copy

Level 13

Level Goal

The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on

Solution

Log in to bandit13, using the password found from Level 12:

ssh -p 2220 bandit13@bandit.labs.overthewire.org
Copy

We login to the current server as bandit14 using the SSH key:

ssh -i sshkey.private bandit14@localhost
Copy

Now we can view the password with cat:

bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Copy

Level 14

Level Goal

The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

Solution

Log in to bandit14, using the password found from Level 13:

ssh -p 2220 bandit14@bandit.labs.overthewire.org
Copy

We connect to port 30000 on localhost using nc and paste the password from the current level:

bandit14@bandit:~$ nc localhost 30000
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr
Copy

Level 15

Level Goal

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

Solution

Log in to bandit15, using the password found from Level 14:

ssh -p 2220 bandit15@bandit.labs.overthewire.org
Copy

We cannot use nc now, because we use SSL encryption. To do that, we use the s_client from openssl in order to connect to port 30001 on localhost and paste the password from the current level:

bandit15@bandit:~$ openssl s_client -connect localhost:30001
CONNECTED(00000003)
#...
BfMYroe26WYalil77FoDi9qh59eK5xNr
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd

closed
Copy

Level 16

Level Goal

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

Solution

Log in to bandit16, using the password found from Level 15:

ssh -p 2220 bandit16@bandit.labs.overthewire.org
Copy

First, we scan all the ports from 31000 to 32000 with nmap:

nmap -sT -p31000-32000 localhost
Copy

And we get the following results:

bandit16@bandit:~$ nmap -sT -p31000-32000 localhost

Starting Nmap 7.40 ( https://nmap.org ) at 2021-04-18 21:57 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00027s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
31046/tcp open  unknown
31518/tcp open  unknown
31691/tcp open  unknown
31790/tcp open  unknown
31960/tcp open  unknown

Then try to connect to all of these services with openssl s_sclient in order to check if they speak SSL:

openssl s_client -connect localhost:PORT
Copy

After checking all of them, only these accept SSL connection:

  • 31518
  • 31790

After entering the current level’s password the correct service is the one on port 31790:

bandit16@bandit:~$ openssl s_client -connect localhost:31790
CONNECTED(00000003)
# ...
cluFn7wTiGryunymYOu4RcffSxQluehd
Correct!
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
-----END RSA PRIVATE KEY-----

closed
Copy

Save the previous private key in a file in /tmp directory:

vim /tmp/sshkey17.private
Copy

Change the permissions so that it is not accessible by others:

chmod 600 /tmp/ssh17.private
Copy

We login to the current server as bandit17 using the SSH key:

ssh -i /tmp/ssh17.private bandit17@localhost
Copy

Now we can view the password with cat:

bandit17@bandit:~$ cat /etc/bandit_pass/bandit17
xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn
Copy

Level 17

Level Goal

There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new

Solution

Log in to bandit17, using the password found from Level 16:

ssh -p 2220 bandit17@bandit.labs.overthewire.org
Copy

We just diff the two files:

bandit17@bandit:~$ diff passwords.old passwords.new
42c42
< w0Yfolrc5bwjS4qw5mq1nnQi6mF03bii
---
> kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
Copy
  • The line with < is from the first file (passwords.old)
  • The line with > is from the second file (passwords.new)

NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19

Level 18

Level Goal

The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

Solution

Log in to bandit18, using the password found from Level 17:

ssh -p 2220 bandit18@bandit.labs.overthewire.org
Copy

If we try to SSH (either remotely or from localhost), we get:

bandit17@bandit:~$ ssh bandit18@localhost
# ...
Byebye !
Connection to localhost closed.
Copy

But we don’t need to login, we can just run the cat command on the readme through ssh:

bandit17@bandit:~$ ssh bandit18@localhost "cat readme"
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit17/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/home/bandit17/.ssh/id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "/home/bandit17/.ssh/id_rsa": bad permissions
bandit18@localhost's password:
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
Copy

Level 19

Level Goal

To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

Solution

Log in to bandit19, using the password found from Level 18:

ssh -p 2220 bandit19@bandit.labs.overthewire.org
Copy

If we check at the binary permissions:

bandit19@bandit:~$ ls -al
total 28
drwxr-xr-x  2 root     root     4096 May  7  2020 .
drwxr-xr-x 41 root     root     4096 May  7  2020 ..
-rwsr-x---  1 bandit20 bandit19 7296 May  7  2020 bandit20-do
-rw-r--r--  1 root     root      220 May 15  2017 .bash_logout
-rw-r--r--  1 root     root     3526 May 15  2017 .bashrc
-rw-r--r--  1 root     root      675 May 15  2017 .profile
Copy

We can see it has the setuid bit set. This means that anyone who executes this binary, it executes it with bandit20 user’s privileges.

So we use the binary to cat the password on /etc/bandit_pass/bandit20:

bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Copy