Hello again, and welcome back to the walkthrough for the OverTheWire bandit wargame. In this post, the third in the series, we’ll be tackling levels 10 to 15, expanding on our newly learned command-line operations from the previous post.
In the previous post, you’ll remember that we expanded upon the find command, implementing it into more complex scenarios, alongside learning how to use the uniq command to find unique lines in files. Today, we’ll take the next step together in learning more command-line tools that will be useful to you as you build your confidence in using the command-line.
Level 10 - Level 11
In this level, the password for the next level is stored in a file named “data.txt”, which contains base64 encoded data. Our task is to decode this data to retrieve the password.
First, as usual, let’s list the contents of the current directory to see the data.txt file:
$ ls -l
total 4
-rw-r----- 1 bandit11 bandit10 69 Jun 20 04:06 data.txt
We can see that data.txt is present. To understand what type of data this file contains, let’s use the cat command to view its contents:
$ cat data.txt
VGhlIHBhc3N3b3JkIGlzIGR0UjE3M2ZaS2IwUlJzREZTR3NnMlJXbnBOVmozcVJyCg==
The text appears to be encoded in a way that makes it unreadable. This is because the data is encoded in base64. Base64 is a method of encoding binary data into ASCII text. It is commonly used to encode data that needs to be stored and transferred over media designed to deal with text, ensuring that the data remains intact without modification during transport.
Base64 encoded data typically has certain characteristics that make it recognisable:
- It consists of uppercase and lowercase letters, digits, +, /, and ends with = padding characters.
- The length of the encoded string is usually a multiple of 4.
We can see both of these properties in the content in data.txt, giving us confidence that this data is indeed base64. To decode the base64 encoded data and reveal the password, we can use the base64 command with the -d (decode) option. Here’s how we can do it:
$ base64 -d data.txt
The password is <password>
Now that we have the password, we can log into the server as bandit11.
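The two recognition properties from this level can be turned into a quick check. This is an added example, not part of the original walkthrough; the function name b64_classify and the sample strings are constructed for illustration. It adds one check the list leaves out, whether the decoded bytes are printable text, because an ordinary word such as “password” also passes both shape checks.

```shell
#!/bin/sh
# Added example, not from the original post.
# b64_classify STRING prints one of:
#   no      fails the shape checks (alphabet, padding, length multiple of 4)
#   binary  right shape and decodes, but the result is not printable text
#   text    right shape and decodes to printable text
b64_classify() {
    s=$1
    # Shape: base64 alphabet, at most two '=' and only at the end.
    if ! printf '%s\n' "$s" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$'; then
        echo no; return
    fi
    # Shape: encoded length is a multiple of 4.
    if [ $(( ${#s} % 4 )) -ne 0 ]; then
        echo no; return
    fi
    # Decoding must succeed before the output is worth looking at.
    if ! printf '%s' "$s" | base64 -d >/dev/null 2>&1; then
        echo no; return
    fi
    # Count decoded bytes that are neither printable nor whitespace.
    junk=$(printf '%s' "$s" | base64 -d | LC_ALL=C tr -d '[:print:][:space:]' | wc -c)
    if [ "$junk" -eq 0 ]; then echo text; else echo binary; fi
}

# Constructed samples: an encoded sentence, an ordinary word, a non-base64 string.
for sample in "VGhlIHBhc3N3b3JkIGlzIEVYQU1QTEUK" "password" "not base64!"; do
    printf '%-34s %s\n' "$sample" "$(b64_classify "$sample")"
done
```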
Level 11 - Level 12
In this level, the password for the next level is stored in a file named “data.txt”, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions. Our task is to decode this data to retrieve the password.
First, let’s list the contents of the current directory to see the data.txt file:
$ ls -l
total 4
-rw-r----- 1 bandit12 bandit11 49 Jun 20 04:06 data.txt
We can see that data.txt is present. To understand what type of data this file contains, let’s use the cat command to view its contents:
$ cat data.txt
Gur cnffjbeq vf 7k16JArUVv5LxVuJfsSVdbbtaHGlw9D4
This text is encoded using a method called ROT13. ROT13 is a simple letter substitution cipher that replaces a letter with the 13th letter after it in the alphabet. It’s a particular case of the Caesar cipher, which shifts letters by a fixed number of positions. The Caesar cipher, named after Julius Caesar, who used it in his private correspondence, can use any shift, but ROT13 specifically uses a shift of 13.
ROT13 is its own inverse because the alphabet has 26 letters; therefore, applying ROT13 twice returns the original text. This makes ROT13 useful for obscuring text in an easily reversible way, but it provides no cryptographic security.
To decode the ROT13 encoded data, we can use the tr command, which stands for “translate” or “transliterate.” The tr command is used to replace or delete characters. We will use it to map each letter of the alphabet to its ROT13 counterpart.
Here’s how we can construct the tr command:
$ tr 'A-Za-z' 'N-ZA-Mn-za-m'
This command specifies that tr should translate:
- ‘A-Z’ to ‘N-ZA-M’ (shifting uppercase letters by 13 positions)
- ‘a-z’ to ‘n-za-m’ (shifting lowercase letters by 13 positions)
To decode the content of data.txt, we use this tr command with the file contents piped in via cat:
$ cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'
The password is <password>
This command decodes the ROT13 encoded data in data.txt and displays the password for the next level.
Level 12 - Level 13
In this level, the password for the next level is stored in the file “data.txt”, a hexdump of a file that has been repeatedly compressed. Let’s break down the steps to retrieve the password together.
First, as suggested by the level description, we need a temporary directory to work in to keep our current directory manageable, as this process will create many intermediate files. For this, we can use the mktemp command, which creates a temporary file by default, but with the -d option, it creates a temporary directory. This command provides the path to the directory it creates so we can use it directly for the next commands. Note that the directory you see below will be different when you use mktemp:
$ mktemp -d
/tmp/tmp.mMrfvN2wkn
$ cp data.txt /tmp/tmp.mMrfvN2wkn
$ cd /tmp/tmp.mMrfvN2wkn
Here, after creating the temporary directory, we have copied the data.txt file into our new directory using the cp command, then changed our working directory to our new directory using cd.
Now that we are ready to start, let’s begin by using cat to view the contents of data.txt:
$ cat data.txt
00000000: 1f8b 0808 dcaa 7366 0203 6461 7461 322e ......sf..data2.
00000010: 6269 6e00 0141 02be fd42 5a68 3931 4159 bin..A...BZh91AY
00000020: 2653 5946 b21b 1500 001c 7fff dcff d2ff &SYF............
00000030: f96f b6bf 0fd6 d7ff b7bf bffd a5fe 3fef .o............?.
00000040: b6de 9fff bebe ffbc cfef f7ff b001 3b16 ..............;.
00000050: 51d0 0191 a1a0 68c9 a000 000d 321a 0680 Q.....h.....2...
00000060: 0d00 000d 000c 4c4c 101a 0006 8006 8000 ......LL........
00000070: 6834 1ea1 a699 3d4f 46a7 a880 0000 0034 h4....=OF......4
00000080: 0000 681a 1a32 34da 80d0 1a68 c803 4003 ..h..24....h..@.
00000090: 4193 2794 d1a3 4f41 1ea0 1a6d 41ea 0000 A.'...OA...mA...
000000a0: d1a0 6800 6800 74d1 a1a3 236a 0343 4d06 ..h.h.t...#j.CM.
000000b0: 41a0 0193 40d0 0006 81a6 8068 34d0 1a00 A...@......h4...
000000c0: 0034 f483 2000 341a 1a07 a8d1 ea00 01ea .4.. .4.........
000000d0: 7a40 d341 11a3 2206 8c3e 78ef 6b88 f36a z@.A.."..>x.k..j
000000e0: d1e9 00a8 22a8 54de d2cb 05f7 589c afb2 ....".T.....X...
000000f0: 57d7 5466 402c e6e8 c692 14f8 77e6 c3a4 W.Tf@,......w...
00000100: 8f56 b2e9 14a3 4b69 6c34 6632 0c50 6d95 .V....Kil4f2.Pm.
00000110: 8dbd cd71 b0a1 4dae 0e49 a568 74aa 7111 ...q..M..I.ht.q.
00000120: 8fa6 5c3c 1dcf 8384 9db0 c5f7 a31d f97d ..\<...........}
00000130: 5b02 0708 b1eb cb42 4024 131a 0be7 e8df [......B@$......
00000140: 26fb d4c1 0fda ea8f 13a0 fdf5 ff60 811d &............`..
00000150: b030 b5f5 b627 7a27 32c7 084f bde4 40e6 .0...'z'2..O..@.
00000160: 5528 d67c 9000 fa43 8547 d5b9 0aa2 0c84 U(.|...C.G......
00000170: 0849 ad45 ea52 a830 863e beb3 4cbb a8e3 .I.E.R.0.>..L...
00000180: 7a94 470d 0865 0935 3546 5167 f791 7f81 z.G..e.55FQg....
00000190: 9d54 275a 5125 d043 720a 8328 a05c 6507 .T'ZQ%.Cr..(.\e.
000001a0: 29d7 445d 3287 9444 396a 09c0 2c66 04f2 ).D]2..D9j..,f..
000001b0: d12a 8c12 5122 48b2 b594 b43c bcc5 e44d .*..Q"H....<...M
000001c0: 045d 32df b558 6088 2c19 4e83 7102 9018 .]2..X`.,.N.q...
000001d0: f052 147e bc75 a772 ff8b 156d 4f2b 8c73 .R.~.u.r...mO+.s
000001e0: f7b1 344b aba4 0b3c 89a0 2434 4501 d86f ..4K...<..$4E..o
000001f0: 0ad9 6dd2 8543 d008 d3fa 2e8f d86a 743c ..m..C.......jt<
00000200: 4996 19b5 ac0a 110c aa40 4edf 4e6f 0ed4 I........@N.No..
00000210: dc9f 1a07 d343 1328 a9c1 34ba e4d2 d1e8 .....C.(..4.....
00000220: 626c 4701 aa5d 75d5 e0b3 ee16 6218 5d04 blG..]u.....b.].
00000230: 991d f752 c613 bfa0 8664 9bb1 0dbf e775 ...R.....d.....u
00000240: ba89 1487 72b9 28c1 df81 8665 4082 27ff ....r.(....e@.'.
00000250: 1772 4538 5090 46b2 1b15 8195 ba71 4102 .rE8P.F......qA.
00000260: 0000
This is a hexdump, which represents binary data in a readable hexadecimal format (hexadecimal is a base-16 numbering system using digits 0-9 and letters A-F). Each line shows the offset in the file, followed by the hexadecimal representation of the bytes, with the ASCII representation on the right. ASCII (American Standard Code for Information Interchange) is a character encoding standard for text files, which is how you’re used to viewing text files. Note that where no ASCII representation is available, a “.” is displayed instead. You can view the full ASCII table using man ascii in your terminal.
A hexdump like this is produced by a tool such as xxd. The name xxd comes from “x”, meaning “hexadecimal”, and “d”, meaning “dump”. The extra “x” at the beginning is there for historical reasons. While xxd can produce hexdumps like this, it can also reverse the hexdump process using the -r option, effectively writing a file that contains the bytes the hexdump describes (the right-hand side is the ASCII representation of those same bytes).
$ xxd -r data.txt data.bin
This converts data.txt back into its original binary form, saved as data.bin (“.bin” meaning binary, as this will be a binary file).
Now let’s determine the file type of the data.bin file using the file command that we’ve used before:
$ file data.bin
data.bin: gzip compressed data, was "data2.bin", last modified: Thu Jun 20 04:06:52 2024, max compression, from Unix, original size modulo 2^32 577
The output indicates that the file is gzip compressed data. Compression is a method of reducing the size of a file by encoding its data more efficiently. It’s generally used to save storage space or to speed up file transfers. Common compression formats include gzip, bzip2, and tar. Here, file reports that this is a gzip compressed file, so we should use the gunzip command to decompress it. However, gunzip requires the file to have the correct extension before it will work. We can rename the file to have the correct extension using mv:
$ mv data.bin data.gz
$ gunzip data.gz
This will produce a file named “data”. We know that the compression has been repeated due to the level description, so let’s use file again to see what type of file “data” is:
$ file data
data: bzip2 compressed data, block size = 900k
file is reporting that this is bzip2 compressed data. Let’s repeat this process using the appropriate compression command depending on what file reports:
- For gzip: rename the file to have a “.gz” extension and use gunzip
- For bzip2: rename the file to have a “.bz2” extension and use bunzip2
- For tar archive: rename the file to have a “.tar” extension and use tar -xf
Eventually, we’ll get a file that file reports as ASCII text. You can then cat this file to obtain the password:
$ cat data
The password is <password>
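The repeat-until-text procedure above can be scripted. This is an added example, not code from the original walkthrough: it identifies each layer from its magic bytes (the 1f8b and BZh values visible at the start of the hexdump) rather than from the output of file, and the names detect_layer, peel and MAX_LAYERS are made up here.

```shell
#!/bin/sh
# Added example: peel nested gzip/bzip2/tar layers until plain data remains.
# Run it inside a scratch directory such as the one mktemp -d created.
MAX_LAYERS=20   # assumed safety cap so hostile input cannot loop forever

# detect_layer FILE: prints gzip, bzip2, tar or other, based on magic bytes.
detect_layer() {
    magic=$(od -An -tx1 -N3 "$1" | tr -d ' \n')
    # POSIX tar archives carry the string "ustar" at byte offset 257.
    ustar=$(dd if="$1" bs=1 skip=257 count=5 2>/dev/null | tr -d '\000')
    case "$magic" in
        1f8b*)  echo gzip ;;    # same 1f8b that opens the hexdump
        425a68) echo bzip2 ;;   # "BZh"
        *)      if [ "$ustar" = "ustar" ]; then echo tar; else echo other; fi ;;
    esac
}

# peel FILE: writes layer0, layer1, ... and prints the name of the innermost file.
peel() {
    cur=$1
    n=0
    while [ "$n" -lt "$MAX_LAYERS" ]; do
        out="layer$n"
        case "$(detect_layer "$cur")" in
            gzip)  gzip -dc "$cur" > "$out" || return 1 ;;
            bzip2) bzip2 -dc "$cur" > "$out" || return 1 ;;
            tar)   # Stream the first member to stdout so member names inside
                   # the archive never choose where files get written.
                   member=$(tar -tf "$cur" | head -n 1)
                   tar -xOf "$cur" "$member" > "$out" || return 1 ;;
            *)     echo "$cur"; return 0 ;;
        esac
        cur=$out
        n=$((n + 1))
    done
    echo "gave up after $MAX_LAYERS layers" >&2
    return 1
}

# Usage: sh peel.sh data.bin   (data.bin being the output of xxd -r)
if [ "$#" -gt 0 ]; then
    cat "$(peel "$1")"
fi
```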
Level 13 - Level 14
In this level, the password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by bandit14. Instead of getting the password directly, we are provided with a private SSH key that can be used to log into the next level.
First, let’s list the contents of the current directory to find the provided SSH key:
$ ls -l
total 4
-rw-r----- 1 bandit14 bandit13 1679 Jun 20 04:06 sshkey.private
We can see that there is a file named sshkey.private. We can confirm that it’s an SSH private key by using file:
$ file sshkey.private
sshkey.private: PEM RSA private key
So far, we have only used passwords to authenticate using SSH. However, SSH also supports key-based authentication, which is considered more secure and convenient. SSH keys are a pair of cryptographic keys used for secure login: a private key (which should be kept secret) and a public key (which can be shared). In this case, we have been provided with an SSH private key that we will use to log into the bandit14 account.
We will use the ssh command with the -i option to specify the private key file and log into the bandit14 account. The “localhost” hostname refers to the same machine we’re currently logged into, which is useful for logging into different user accounts on the same server. Remember to specify the port 2220 using the -p option.
$ ssh -i sshkey.private bandit14@localhost -p 2220
Notice that we are now logged in as bandit14, and we did not have to provide a password due to using the SSH private key. For this reason, it’s essential to keep your private keys stored securely and never shared.
We can now access the /etc/bandit_pass/bandit14 file to gain the password for bandit14 so that we can log in again via SSH as we’re used to. Remember the /etc/bandit_pass directory, as it will be valuable later.
$ cat /etc/bandit_pass/bandit14
<password>
Level 14 - Level 15
In this level, the password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost. Let’s break down the steps to accomplish this.
Ports are communication endpoints that networking protocols use to differentiate multiple services running on a single machine. You’ll remember that we’ve used port 2220 to connect to the SSH service running on this machine. In this level, we will be interacting with a service running on port 30000 of this machine.
We’ll use netcat (often abbreviated as nc), a versatile networking utility, to send the password to port 30000. netcat can read and write data across network connections using TCP or UDP.
To connect to a specific port using netcat, the basic syntax is:
$ nc <hostname> <port>
In our case, localhost is the hostname, and 30000 is the port. We will then send the password to this port by piping the password to netcat. We can find the password for the current level using the “bandit_pass” directory that we were introduced to in the previous level. We’ll use cat to provide the input to netcat via a pipe:
$ cat /etc/bandit_pass/bandit14 | nc localhost 30000
Correct!
<password>
We’ve successfully completed another five levels of the OverTheWire Bandit wargame. We’re almost halfway through, so well done making it to this stage! You’re now aware of some common encoding methods and have started to explore the topic of security. We’ve quickly developed our knowledge since the first post in this series, and I hope you’ll join me in the next post as we continue to expand upon the knowledge we’ve gained so far and progress our experience with command-line tools.
Thank you for following along with me through levels 10 to 15. I hope you’ve found this walkthrough beneficial in helping you solve and understand the OverTheWire Bandit wargame, and I look forward to seeing you again in the next part.