Hey friends, finally the time has come to continue our OverTheWire Bandit Walkthrough Level 10 – 15! I am sorry that I didn’t come around to do this earlier, but there was so much other stuff going on that this was very low on the priority list – I’m getting better, promise 😉
Without further ado, let’s get going.
Level 10 to 11
The password for the next level is stored in the file data.txt, which contains base64 encoded data
Alright, let’s get started by connecting to Bandit 10
1 - ssh firstname.lastname@example.org
A quick look into the man pages of the base64 command reveals that base64 -d decodes base64 encoded files.
2 - base64 -d data.txt
And sure enough we got the password to level 11. Easy.
Level 11 to 12
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions.
1 - ssh email@example.com
To be honest, this is extremely hard to figure out by yourself. You would need to read up on rot13 and basic cryptography to even understand what was done here.
It helps to look at an actual alphabet to understand it better:
So what actually happened here is, the character A was moved 13 positions to the right and becomes N. Same goes for lower case a. We now need to revert that back.
We can use the tr command to do that.
And this is no less confusing.
2 - cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'
This reveals the password to level 12. As I said, it is confusing.
Try to read a little bit on it and play around with the command to understand it.
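To make the tr sets less mysterious, here is an added example (not part of the original walkthrough) that builds them for any shift, so you can see that 'N-ZA-M' is just the alphabet rotated by 13 and that applying rot13 twice gives back the input. The function names rot and rotate_left are made up for this illustration.

```bash
ALPHA=ABCDEFGHIJKLMNOPQRSTUVWXYZ
alpha=abcdefghijklmnopqrstuvwxyz

# Rotate the string "$1" left by "$2" positions (1..25).
rotate_left() {
    printf '%s%s' \
        "$(printf '%s' "$1" | cut -c$(( $2 + 1 ))-)" \
        "$(printf '%s' "$1" | cut -c1-"$2")"
}

# rot N: shift every letter on stdin by N places; other characters pass through.
rot() {
    local n
    n=$(( $1 % 26 ))
    [ "$n" -eq 0 ] && { cat; return; }
    # For n=13 the second set expands to exactly what 'N-ZA-Mn-za-m' means.
    tr "$ALPHA$alpha" "$(rotate_left "$ALPHA" "$n")$(rotate_left "$alpha" "$n")"
}

# rot13 is its own inverse because 13 + 13 = 26, a full turn of the alphabet.
# Any other shift N needs 26 - N to undo it.
rot13_roundtrip() {
    printf '%s' "$1" | rot 13 | rot 13
}
```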
Level 12 to 13
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)
1 - ssh firstname.lastname@example.org
This is quite a lengthy and a bit annoying level.
“Repeatedly compressed” is the keyword here.
tar, gzip and bzip2 are the commands we need to utilize.
First, as recommended, we create a temp directory for our unzipping marathon.
2 - mkdir /tmp/yourname
3 - cp data.txt /tmp/yourname
4 - cd /tmp/yourname
Now we need to figure out which format the file actually is, but first we need to use the xxd command to convert it back to a compressed format from the hex format.
We utilize the command xxd -r for it, which does the following: convert (or patch) hexdump into binary.
5 - xxd -r data.txt data.out
Now we will use the command file to check which kind of file it is.
6 - file data.out
It reveals that data.out is a gzip compressed file.
Alright, let’s rename data.out to data.gz
7 - mv data.out data.gz
Now the unzipping marathon starts. You basically rename > unzip > check file type > repeat, and do that several times…
8 - gzip -d data.gz
9 - file data
10 - bzip2 -d data
11 - file data.out
12 - mv data.out data.gz
13 - gzip -d data.gz
14 - file data
15 - tar -xf data
16 - file data5.bin
17 - tar -xf data5.bin
18 - file data6.bin
19 - bzip2 -d data6.bin
20 - tar -xf data6.bin.out
21 - file data8.bin
22 - mv data8.bin data8.gz
23 - gzip -d data8.gz
24 - cat data8
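The rename > unzip > check loop can also be scripted. This is an added example, not part of the original walkthrough: it recognises each layer by its magic bytes (the signatures the file command reports on) instead of calling file, and it assumes every tar layer holds a single member, as in this level. The function names and the sample data are constructed for illustration; on the Bandit host you would run xxd -r data.txt data.out first and then peel data.out.

```bash
# Added example: peel nested gzip/bzip2/tar layers until plain data remains.
# Function names are illustrative; the sample below is constructed.

# Print the layer type of file "$1", judged by its magic bytes.
layer_type() {
    local magic
    magic=$(od -An -tx1 -N3 "$1" | tr -d ' \n')
    case "$magic" in
        1f8b*)  echo gzip ;;
        425a68) echo bzip2 ;;
        *)  # tar has no leading magic; the string "ustar" sits at offset 257
            if [ "$(dd if="$1" bs=1 skip=257 count=5 2>/dev/null | tr -d '\0')" = ustar ]
            then echo tar; else echo data; fi ;;
    esac
}

# Unpack "$1" layer by layer in a scratch directory and print the payload.
peel() {
    local work cur next depth=0
    work=$(mktemp -d) || return 1
    cp "$1" "$work/layer0" || return 1
    cur="$work/layer0"
    while [ "$depth" -lt 20 ]; do   # cap the depth so bad input cannot loop forever
        depth=$((depth + 1))
        next="$work/layer$depth"
        case "$(layer_type "$cur")" in
            gzip)  gzip  -dc < "$cur" > "$next" ;;
            bzip2) bzip2 -dc < "$cur" > "$next" ;;
            tar)   tar -xOf "$cur" > "$next" ;;   # single member assumed; its name is ignored
            *)     break ;;
        esac || { rm -rf "$work"; return 1; }
        cur=$next
    done
    cat "$cur"
    rm -rf "$work"
}

# Constructed sample written to "$1": gzip(tar(gzip(text))).
make_sample() {
    local d
    d=$(mktemp -d) || return 1
    printf 'constructed-password\n' > "$d/data8"
    gzip "$d/data8"
    tar -C "$d" -cf "$d/data5.bin" data8.gz
    gzip -c "$d/data5.bin" > "$1"
    rm -rf "$d"
}
```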
Level 13 to 14
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on
This is going to be a breeze compared to the next level.
1 - ssh email@example.com
For this level, we don’t actually need to read the password inside of the bandit14 file. The description states that we get a private ssh key that can be used to login to the next level.
2 - ls
Reveals that there is a sshkey.private inside of our home directory.
3 - ssh -i sshkey.private bandit14@localhost
If you get asked if you are sure you want to continue connecting you type yes.
Level 14 to 15
Alright, last level for this tutorial.
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
So we already are connected to Bandit 14 through SSH and we also know from the previous level, that the password to level 14 is stored inside of the bandit14 file.
1 - cat /etc/bandit_pass/bandit14
Reveals the password for Bandit 14.
Now to be fair this is fairly hard to figure out just by reading man pages of the recommended commands, but eventually we figure out that we can use both the nc and the telnet command to solve this problem.
2 - cat /etc/bandit_pass/bandit14 | nc localhost 30000
3 - cat /etc/bandit_pass/bandit14 and copy the password to your clipboard
4 - telnet localhost 30000 and paste the password in and hit enter
So that’s it again! I hope this helped some of you to better understand the thinking process of those games. But as I always say and I will say it again: Do your own research first before following this tutorial and try to figure it out by yourself.
This tutorial should serve as an emergency guide to look stuff up once you are stuck.
It’s fun to figure it out by yourself and try different commands and see what they do.