OverTheWire’s wargames are offered to help learn and practice security concepts in the form of fun-filled games.

The Bandit wargame is aimed at absolute beginners and teaches the basics needed to play the other wargames. All the challenges focus on Linux systems and their commands: the aim is to get the player familiar with the Linux terminal and to introduce some basic security concepts along the way.

It consists of a total of 33 levels. At each level you have to find the password for the next level to continue playing. Each level is a user that you connect as over SSH, on the bandit.labs.overthewire.org server (port 2220).

In this post, we will present the solutions for Levels 10-19 of the Bandit wargame.

NOTE: These walkthroughs are written and published to help other members of the community that are stuck at some Level. It is strongly advised to first try the challenges yourself until you can progress no more, and only then come back here to see the solution.

Level 10

Level Goal

The password for the next level is stored in the file data.txt, which contains base64 encoded data


Log in to bandit10, using the password found from Level 9:

ssh -p 2220 bandit10@bandit.labs.overthewire.org

We use base64 -d to decode the file:

bandit10@bandit:~$ base64 -d data.txt
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

Level 11

Level Goal

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions.


Log in to bandit11, using the password found from Level 10:

ssh -p 2220 bandit11@bandit.labs.overthewire.org

We use tr to map upper case A-Z to N-ZA-M and lower case a-z to n-za-m, which rotates every letter by 13 positions (ROT13 is its own inverse, so the same mapping both encodes and decodes), and feed the file on stdin:

bandit11@bandit:~$ tr 'A-Za-z' 'N-ZA-Mn-za-m' < data.txt
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

Level 12

Level Goal

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed.


Log in to bandit12, using the password found from Level 11:

ssh -p 2220 bandit12@bandit.labs.overthewire.org

Working Directory

We first create a working directory under /tmp, copy data.txt there and change into it (the home directory is not writable, and /tmp is shared with every other player, so pick a name nobody else is likely to use, or let mktemp -d choose one):

mkdir /tmp/mine12
cp data.txt /tmp/mine12/data.txt
cd /tmp/mine12

Convert Hexdump back to Binary

Because the file is a hexdump, we convert it back to the original binary with xxd -r (the reverse of xxd):

xxd -r data.txt > /tmp/mine12/data_rev.txt

Check file type

We check the file type with file after every step: the archive was compressed several times with different tools and the names tell us nothing, so we let file decide from the magic bytes (gzip data starts with 1f 8b, bzip2 with BZh, and a tar archive has ustar at offset 257):


bandit12@bandit:/tmp/mine12$ file data_rev.txt
data_rev.txt: gzip compressed data, was "data2.bin", last modified: Thu May  7 18:14:30 2020, max compression, from Unix

If it is gzip compressed data, we decompress it. gzip only recognises its own suffixes (.gz, .tgz and a few others), so we tell it with -S that the suffix to strip is .txt; the output lands in data_rev:

gzip -S .txt -d data_rev.txt


bandit12@bandit:/tmp/mine12$ file data_rev
data_rev: bzip2 compressed data, block size = 900k

If it is bzip2 compressed data, we decompress it. bzip2 likewise wants a .bz2 suffix (without one it warns and writes to data_rev.out), so we rename first:

mv data_rev data_rev.bz2
bzip2 -d data_rev.bz2


bandit12@bandit:/tmp/mine12$ file data_rev
data_rev: POSIX tar archive (GNU)

If it is a tar archive, we extract it. tar does not care about the name; -v prints the name of the file it extracted, which is the file we run file on next:

tar -xvf data_rev

Final ASCII File

After all decompressions cat the ascii file:

bandit12@bandit:/tmp/mine12$ cat data8
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
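The same peel-one-layer-at-a-time procedure, automated. This is an added example, not part of the original walkthrough: it uses Python's standard library instead of xxd, file, gzip, bzip2 and tar, decides the next step from the same magic bytes that file keys on, and stops when the payload is no longer a known container. The nested sample it unpacks (the secret string, the data5.bin member name and the layer order) is constructed here so that it runs offline; the real data.txt has a different and longer chain.

```python
"""Added example (not from the walkthrough): unpack a repeatedly compressed
file starting from an xxd hexdump, standard library only. The nested sample
is constructed below; the real data.txt on the bandit server is different."""
from __future__ import annotations

import bz2
import gzip
import io
import tarfile


def xxd(data: bytes) -> str:
    """Render bytes in xxd's default layout (offset, 8 groups of 2 bytes, ASCII)."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        groups = [chunk[i:i + 2].hex() for i in range(0, len(chunk), 2)]
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {' '.join(groups).ljust(39)}  {text}")
    return "\n".join(lines) + "\n"


def xxd_reverse(dump: str) -> bytes:
    """Equivalent of `xxd -r` for that layout: keep only the hex column."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        # the first ':' ends the offset; two spaces precede the ASCII column
        hex_col = line.split(":", 1)[1].split("  ", 1)[0]
        out += bytes.fromhex(hex_col.replace(" ", ""))
    return bytes(out)


def kind_of(data: bytes) -> str:
    """Decide the container type from magic bytes, as `file` does."""
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[:3] == b"BZh":
        return "bzip2"
    if data[257:262] == b"ustar":
        return "tar"
    return "data"


def unpack_all(data: bytes, max_layers: int = 32) -> tuple[bytes, list[str]]:
    """Peel layers until the payload is neither gzip, bzip2 nor tar.
    Returns the payload and the layers removed, outermost first. The ceiling
    on layers guards against a file that nests forever (a decompression bomb)."""
    layers: list[str] = []
    for _ in range(max_layers):
        kind = kind_of(data)
        if kind == "gzip":
            data = gzip.decompress(data)
        elif kind == "bzip2":
            data = bz2.decompress(data)
        elif kind == "tar":
            with tarfile.open(fileobj=io.BytesIO(data)) as tf:
                files = [m for m in tf.getmembers() if m.isfile()]
                if len(files) != 1:
                    raise ValueError(f"expected one file in the tar, got {len(files)}")
                data = tf.extractfile(files[0]).read()
        else:
            return data, layers
        layers.append(kind)
    raise ValueError("too many layers; refusing to continue")


def recover(dump: str) -> tuple[str, list[str]]:
    """Hexdump text in, decoded payload and layer list out."""
    payload, layers = unpack_all(xxd_reverse(dump))
    return payload.decode(), layers


def build_sample(secret: str) -> str:
    """Constructed test input: text -> gzip -> tar -> bzip2 -> gzip -> hexdump."""
    blob = gzip.compress(secret.encode())
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo(name="data5.bin")  # assumed member name
        info.size = len(blob)
        tf.addfile(info, io.BytesIO(blob))
    return xxd(gzip.compress(bz2.compress(buf.getvalue())))


if __name__ == "__main__":
    sample = build_sample("The password is 0000000000000000EXAMPLE0000000000")  # constructed
    text, layers = recover(sample)
    print(" -> ".join(layers), "->", text)
```

To use it on the real level, pass the text of data.txt to recover(). The max_layers ceiling is the part worth keeping when you reuse this on anything untrusted: a loop that decompresses until it cannot any more is exactly the shape of a decompression-bomb victim.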

Level 13

Level Goal

The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on


Log in to bandit13, using the password found from Level 12:

ssh -p 2220 bandit13@bandit.labs.overthewire.org

From the bandit13 shell we log in to the same server as bandit14 using the SSH key (the game's sshd listens on port 2220, so if the connection is refused add -p 2220):

ssh -i sshkey.private bandit14@localhost

Now we can view the password with cat:

bandit14@bandit:~$ cat /etc/bandit_pass/bandit14

Level 14

Level Goal

The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.


Log in to bandit14, using the password found from Level 13:

ssh -p 2220 bandit14@bandit.labs.overthewire.org

We connect to port 30000 on localhost with nc and paste the current level's password (it is in /etc/bandit_pass/bandit14); the service answers with the password for bandit15:

bandit14@bandit:~$ nc localhost 30000

Level 15

Level Goal

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.


Log in to bandit15, using the password found from Level 14:

ssh -p 2220 bandit15@bandit.labs.overthewire.org

nc cannot speak SSL/TLS, so we use openssl s_client instead to connect to port 30001 on localhost and paste the current level's password. We add -ign_eof: in interactive mode s_client treats an input line that begins with R as a renegotiation request and one that begins with Q as quit, so a password starting with one of those letters would never be sent; the flag also keeps the connection open when stdin reaches end of file, so the reply is not cut off:

bandit15@bandit:~$ openssl s_client -connect localhost:30001 -ign_eof


Level 16

Level Goal

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.


Log in to bandit16, using the password found from Level 15:

ssh -p 2220 bandit16@bandit.labs.overthewire.org

First, we scan all the ports from 31000 to 32000 with nmap:

nmap -sT -p31000-32000 localhost

And we get the following results:

bandit16@bandit:~$ nmap -sT -p31000-32000 localhost

Starting Nmap 7.40 ( https://nmap.org ) at 2021-04-18 21:57 CEST
Nmap scan report for localhost (
Host is up (0.00027s latency).
Not shown: 996 closed ports
31046/tcp open  unknown
31518/tcp open  unknown
31691/tcp open  unknown
31790/tcp open  unknown
31960/tcp open  unknown

Then we connect to each of these with openssl s_client (again with -ign_eof) to see which ones speak SSL:

openssl s_client -connect localhost:PORT -ign_eof

After checking all of them, only these two accept an SSL connection:

  • 31518
  • 31790

After entering the current level's password, the correct service turns out to be the one on port 31790; the others only echo the password back:

bandit16@bandit:~$ openssl s_client -connect localhost:31790 -ign_eof
# ...
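The three manual steps of Levels 14 to 16 (connect with nc, connect with openssl s_client, scan with nmap and try every open port) in one script. This is an added example, not code from the walkthrough or from OverTheWire: probe() decides whether a port is closed, plain or TLS by attempting a handshake, submit() sends one line and collects the reply, and find_credential_servers() does both for every port in a range so that the one reply which is not an echo stands out. The local echo server, the 127.0.0.1 ports and the NOTAREALPASSWORD string are constructed for the offline demo; on the bandit server you would pass localhost, range(31000, 32001) and the real bandit16 password.

```python
"""Added example (not from the walkthrough): scan a port range, sort open ports
into plain and TLS, submit the password to each and spot the reply that is not
an echo. Standard library only; the echo server is a constructed stand-in."""
from __future__ import annotations

import socket
import ssl
import threading
from collections.abc import Iterable


def _insecure_context() -> ssl.SSLContext:
    """No certificate verification: the game's services present certificates
    no CA vouches for. Acceptable against localhost in a lab, nowhere else."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify a port as 'closed', 'tls' or 'plain' by trying a TLS handshake.
    A plain service answers the ClientHello with garbage or silence, which the
    TLS library reports as an error (or a timeout); we take that as 'not TLS'."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    try:
        with _insecure_context().wrap_socket(raw, server_hostname=host):
            return "tls"
    except (ssl.SSLError, OSError):
        return "plain"


def submit(host: str, port: int, line: str, tls: bool, timeout: float = 3.0) -> str:
    """Send one line and return everything that comes back until the peer hangs
    up or the timeout expires (what nc / openssl s_client show on screen)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if tls:
        sock = _insecure_context().wrap_socket(sock, server_hostname=host)
    chunks = []
    with sock:
        sock.sendall((line + "\n").encode())
        try:
            while chunk := sock.recv(4096):
                chunks.append(chunk)
        except OSError:  # timeout: the peer kept the connection open
            pass
    return b"".join(chunks).decode(errors="replace")


def is_echo(sent: str, reply: str) -> bool:
    """The decoy services send back exactly what they were given."""
    return reply.strip() == sent.strip()


def find_credential_servers(host: str, ports: Iterable[int], password: str,
                            timeout: float = 3.0) -> dict[int, tuple[str, str]]:
    """probe + submit for every open port. Returns {port: (kind, reply)}; the
    entry whose reply is not an echo is the one handing out credentials."""
    results: dict[int, tuple[str, str]] = {}
    for port in ports:
        kind = probe(host, port, timeout)
        if kind != "closed":
            results[port] = (kind, submit(host, port, password, kind == "tls", timeout))
    return results


def start_echo_server() -> int:
    """Constructed stand-in for the decoy ports: a plain TCP service that echoes
    the first chunk it receives and hangs up. Returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(conn.recv(4096))

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def free_port() -> int:
    """A port nothing is listening on right now, to show the 'closed' case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    pw = "NOTAREALPASSWORD"  # constructed; use the bandit16 password on the box
    found = find_credential_servers("127.0.0.1", [free_port(), start_echo_server()], pw)
    for port, (kind, reply) in found.items():
        print(port, kind, "echo" if is_echo(pw, reply) else "CANDIDATE", repr(reply))
```

The verification switch-off in _insecure_context() is the one thing not to copy out of the lab: against a real target you keep verification on, or at least pin the certificate you expect, otherwise anything on the path can impersonate the service you are about to send a password to.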


Save the private key that the service printed (the BEGIN and END marker lines included) to a file in /tmp, since the home directory is not writable:

vim /tmp/sshkey17.private

Change the permissions so that nobody else can read it; ssh refuses to use a private key that is readable by others, and /tmp is shared with every other player:

chmod 600 /tmp/sshkey17.private

We log in to the same server as bandit17 using the key:

ssh -i /tmp/sshkey17.private bandit17@localhost

Now we can view the password with cat:

bandit17@bandit:~$ cat /etc/bandit_pass/bandit17

Level 17

Level Goal

There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new


Log in to bandit17, using the password found from Level 16:

ssh -p 2220 bandit17@bandit.labs.overthewire.org

We diff the two files; the only line that differs is the new password:

bandit17@bandit:~$ diff passwords.old passwords.new
< w0Yfolrc5bwjS4qw5mq1nnQi6mF03bii
> kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
  • The line with < is from the first file (passwords.old)
  • The line with > is from the second file (passwords.new)

NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19

Level 18

Level Goal

The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.


Log in to bandit18, using the password found from Level 17:

ssh -p 2220 bandit18@bandit.labs.overthewire.org

If we try to log in over SSH (remotely or from localhost), the modified .bashrc logs us out straight away:

bandit17@bandit:~$ ssh bandit18@localhost
# ...
Byebye !
Connection to localhost closed.

But we don't need an interactive shell at all: a command given on the ssh command line is run directly and its output sent back, so we cat the readme through ssh (asking for a different shell with ssh -t bandit18@localhost /bin/sh also works, since sh does not read .bashrc):

bandit17@bandit:~$ ssh bandit18@localhost "cat readme"
The authenticity of host 'localhost (' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit17/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

Permissions 0640 for '/home/bandit17/.ssh/id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "/home/bandit17/.ssh/id_rsa": bad permissions
bandit18@localhost's password:

Level 19

Level Goal

To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.


Log in to bandit19, using the password found from Level 18:

ssh -p 2220 bandit19@bandit.labs.overthewire.org

If we look at the permissions of the binary:

bandit19@bandit:~$ ls -al
total 28
drwxr-xr-x  2 root     root     4096 May  7  2020 .
drwxr-xr-x 41 root     root     4096 May  7  2020 ..
-rwsr-x---  1 bandit20 bandit19 7296 May  7  2020 bandit20-do
-rw-r--r--  1 root     root      220 May 15  2017 .bash_logout
-rw-r--r--  1 root     root     3526 May 15  2017 .bashrc
-rw-r--r--  1 root     root      675 May 15  2017 .profile

The s in the owner's execute position is the setuid bit: whoever runs this binary runs it with the effective user ID of the file's owner, bandit20, instead of their own, so it can read files that only bandit20 can read. The group bandit19 has r-x and others have no permissions at all, so only bandit19 can execute it. Run without arguments it prints its usage: it executes the command given as arguments, as bandit20.

So we use the binary to cat the password on /etc/bandit_pass/bandit20:

bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20