OverTheWire Bandit Walkthrough Level 10 – 15

Hey friends, finally the time has come to continue our OverTheWire Bandit Walkthrough Level 10 – 15 ! I am sorry that I didn’t come around to do this earlier, but there was so much other stuff going on that this was very low on the priority list – I’m getting better, promise πŸ˜‰

Without further ado, let’s get going

Level 10 to 11

Password to Level 10

The password for the next level is stored in the file data.txt, which contains base64 encoded data

Alright, let’s get started by connecting to Bandit 10

1 - ssh bandit10@bandit.labs.overthewire.org

A quick look into the man pages of the base64 command reveals that base64 -d decodes base64 encoded files.

2 - base64 -d data.txt

And sure enough we got the password to level 11. Easy.

Password to Level 11

 

Level 11 to 12

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions.

 

1 - ssh bandit11@bandit.labs.overthewire.org

 

To be honest, this is extremely hard to figre out by yourself. You would need to read up on rot13 and basic cryptography to even understand what was done here.

It helps to look at an actual alphabet to understand it better:

Alphabet
Alphabet

So what actually happened here is, the character A was moved 13 positions to the right and becomes N. Same goes for lower case a. We now need to revert thatΒ  back.

We can use the tr command to do that.

And this is no less confusing.

2 - cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'

This reveals the password to level 12. As I said, it is confusing.

Try to read a little bit on it and play around with the command to understand it.

Password to Level 12

 

Level 12 to 13

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!

 

1 - ssh bandit12@bandit.labs.overthewire.org

This is quite a lengthy and a bit annoying level.

“Repeatedly compressed” is they keyword here.

tar, gzip, bzip2 the commands we need to utilize.

First, as recommended, we create a temp directory for our unzipping marathon.

2 - mkdir /tmp/yourname 
3 - cp data.txt /tmp/yourname
4 - cd /tmp/yourname

Now we need to figure out which format the file actually is, but first we need to use the xxd command to convert it back to a compressed format from the hex format.

We utilize the command xxd -r for it which does the following: convert (or patch) hexdump into binary.

5 - xxd -r data.txt data.out

Now we will use the command file to check which kind of file it is.

6 - file data.out

It reveals that data.out is a gzip compressed file.

File Output
File Output

Alright, let’s rename data.out to data.gz

7 - mv data.out data.gz

Now the unzipping marathon starts. You basically: rename > unzip > check file type > repeat and that for several times…

8 - gzip -d data.gz
9 - file data
10 - bzip2 -d data
11 - file data.out
12 - mv data.out data.gz
13 - gzip -d data.gz
14 - file data
15 - tar -xf data
16 - file data5.bin
17 - tar -xf data5.bin
18 - file data6.bin
19 - bzip2 -d data6.bin
20 - tar -xf data6.bin.out
21 - file data8.bin
22 - mv data8.bin data8.gz
23 - gzip -d data8.gz
24 - cat data8

EASY!

Password to Level 13

 

Level 13 to 14

The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on

This is going to be a breeze compared to the next level.

1 - ssh bandit13@bandit.labs.overthewire.org

For this level, we don’t actually need to read the password inside of the bandit14 file. The description states that we get a private ssh key that can be used to login to the next level.

2 - ls

Reveals that there is a sshkey.private inside of our home directory.

3 - ssh -i sshkey.private bandit14@localhost

If you get asked if you are sure you want to continue connecting you type yes.

Connecting To Bandit14 Via SSH
Connecting To Bandit14 Via SSH

Level 14 to 15

Alright, las tlevel for this tutorial.

The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

So we already are connected to Bandit 14 through SSH and we also know from the previous level, that the password to level 14 is stored inside of the bandit14 file.

1 - cat /etc/bandit_pass/bandit14

Reveals the password for Bandit 14.

Now to be fair this is fairly hard to figure out just by reading man pages of the recommended commands, but eventually we figure out that we can use both, the nc and the telnet command to solve this problem.

Netcat:

2 - cat /etc/bandit_pass/bandit14 | nc localhost 30000
Netcat
Netcat

Telnet:

3 - cat /etc/bandit_pass/bandit14 and copy the password to your clipboard
4 - telnet localhost 30000 and paste the password in and hit enter
Telnet
Telnet
Password to Level 15

So that’s it again! I hope this helped some of you to better understand the thinking process of those games. But as I always say and I will say it again: Do your own research first before following this tutorial and try to figure it out by yourself.

This tutorial should serve as a emergency guide to look stuff up once you are stuck.

It’s fun to figure it out by yourself and try different commands and see what they do.

So long

Stefan

Leave a Reply