The Bandit wargame from OverTheWire is a great way to learn Linux commands and basic cybersecurity concepts. This writeup provides solutions for levels for beginners.
Each level requires an SSH connection using the provided credentials.
kali@kali:~$ ssh banditX@bandit.labs.overthewire.org -p 2220Replace X with the current level number and enter the retrieved password when prompted.
Retrieve the password stored in the file readme in the home directory.
cat readmeCopy the displayed password and use it to log in to Level 1.
Find the password stored in the - file.
cat ./-Find the password inside the spaces in this filename file.
cat "spaces in this filename"Find the password inside a hidden file located in the inhere directory.
ls -a inhere
cat inhere/.hiddenFind the password inside a file with human-readable content in inhere.
file inhere/*
cat inhere/-file07Find the password in a file owned by bandit6, with a size of 1033 bytes.
find / -user bandit6 -size 1033c 2>/dev/null
cat /var/lib/dpkg/info/bandit6.passwordFind the password stored in a file somewhere in / with the word "millionth".
find / -type f -exec grep -l "millionth" {} 2>/dev/null \;
cat /var/lib/dpkg/info/bandit7.passwordFind the password in a file containing only ASCII text and stored in data.txt.
grep "millionth" data.txtFind the password in data.txt that appears only once.
sort data.txt | uniq -uFind the password in data.txt, which is base64 encoded.
base64 -d data.txtFind the password in data.txt, which is encoded with ROT13.
cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'Find the password in data.txt, which is a compressed file.
mkdir /tmp/bandit
cp data.txt /tmp/bandit/
cd /tmp/bandit
xxd -r data.txt > output.gz
gzip -d output.gz
tar -xvf output
tar -xvf output2
tar -xvf output3
tar -xvf output4
cat final_fileFind the password inside a hexdump file.
xxd -r data.txt > output
cat outputSend the password via nc to retrieve the next password.
nc localhost 30000
Enter passwordSame as before, but use SSL.
openssl s_client -connect localhost:30001
Enter passwordFind the private SSH key and log in to Level 16.
cat sshkey.private > ~/.ssh/bandit16
chmod 600 ~/.ssh/bandit16
ssh -i ~/.ssh/bandit16 bandit16@localhost -p 2220Find the reachable port and retrieve the password.
nmap -p- localhost
nc localhost PORT_NUMBERFind a file owned by bandit18 and execute it.
ls -l /home/bandit17/
./passwordfileSwitch user without knowing the password.
./bandit18/bin/setuidFind the password in a script that prints the password when executed.
./bandit19/scriptBy completing these levels, you gain a solid understanding of Linux commands, file handling, and security principles. Keep practicing and continue to explore cybersecurity challenges! π₯