Bandit game solution
A website for practicing basic Linux commands, part of the foundational levels in the OverTheWire.org challenge series.
In this article, "level" refers to the latter part of the website's guide heading level n -> level (n+1).
Website link: https://overthewire.org/wargames/bandit/
Level 1, Level 14
Using SSH
You cannot recall any algorithms or OI knowledge you have learned. You cannot remember anything. You cannot even recall your own name.
But you can recall…
, or more precisely, . You can recall that Port No. 22 leads to Sanshanhai. Sanshanhai is the destination you yearn for, and you must reach it.
This section covers the basic usage of SSH:
The website states that both the username and password are bandit0.
ssh bandit0@bandit.labs.overthewire.org -p 2220
If only a key is available, without a password:
ssh bandit14@bandit.labs.overthewire.org -p 2220 -i ./bandit14.sshkey
Level 2~Level 5
Basic Path Navigation and File Viewing
Use ls -a to view hidden files.
Use ls -l to view detailed information about files, including permissions, owner and group, file size, modification time, etc.
Use cd ../ to go back to the previous directory.
cd '<dir>' can be used to navigate to paths containing spaces or special characters (such as -).
Level 6, Level 7
Finding Files by Size
find -size 1033c
Finds files that are exactly 1033 bytes in size.
find -size +5k -size -99k
Finds files with sizes between 5KB and 99KB.
Commonly used storage units are c, k, M, and G. Don't ask me why the first two are lowercase and the last two are uppercase.
Finding Files by User and Group
Similar to the above: -user, -group.
Level 8, Level 9, Level 18
Find a Specific String
grep millionth < data.txt
Here, < redirects a file into the command's input stream; similarly, > redirects the output stream into a file.
Finding the Unique String in the Text
sort data.txt | uniq -c
Here, sort arranges the strings in the text in dictionary order.
| is a pipe symbol used to pass the output of the previous command as input to the next command.
uniq is a command for removing duplicate lines in text, which compresses repeated occurrences of a line into a single line. The -c parameter displays the number of times each string appears, making it easy to identify the string that occurs only once.
File Comparison
diff <dir_1> <dir_2>
Level 10~Level 12
Examination of Encoding
These levels cover ASCII, Base64, and ROT13.
Actually, it's not necessary to use built-in Linux commands; using online converters or writing scripts is also acceptable.
Level 13
13 is indeed an unlucky number. Just like the process of solving this problem—utterly annoying.
Conversion Between Hexadecimal Text and Binary Files
xxd converts a binary file into hexadecimal text.
xxd -r performs the reverse operation.
Copying, Moving Files, and Renaming
This level requires performing operations on files. Due to permission restrictions, files need to be moved to a temporary directory.
cp <src_dir> <dst_dir> copies a file from the source path to the destination path.
mv <src_dir> <dst_dir> moves a file from the source path to the destination path.
Renaming can be achieved using mv <old_name> <new_name>.
File Type Identification
Use the file command, which is not affected by file extensions.
This is because Linux itself does not have the concept of "file extensions." The so-called "file extensions" exist solely for human convenience in recognition.
Extract Files
gunzip
Decompress: first ensure the file has the .gz extension, then run gzip -d <filename>
Compress: gzip <filename>
bzip2
Decompress: bzip2 -d <filename>
Compress: bzip2 <filename>
tar
Extract: tar -xvf <filename>
Package: tar -cvf <dst_name> <src_name>. It is recommended to use .tar as the suffix for <dst_name>.
Compress using gzip: tar -zcvf <dst_name> <src_name>. It is recommended to use .tar.gz or .tgz as the suffix for <dst_name>.
Compress using bzip2: tar -jcvf <dst_name> <src_name>. It is recommended to use .bz2 as the suffix for <dst_name>.
Level 15~Level 17
I know absolutely nothing about the networking part.
Connect to an address using nc and send data.
echo <your text> | nc localhost 30000
Here, localhost refers to the local address 127.0.0.1, and 30000 is the port number.
Connecting to an Address via Telnet and Sending Data
telnet localhost 30000
# After this, you can input data and press Enter to send it
Establish an SSL connection to an address and send encrypted data
openssl s_client -ign_eof -connect localhost:30001
# After this, you can input data and press Enter to send it
# Note: The -ign_eof parameter does not seem to be mandatory
nmap Port Scanning
nmap -p 31000-32000 localhost
Scan for active ports within the range 31000–32000.
Don't run scans casually as a habit; be careful not to get into legal trouble.
bandit19 to bandit21
In short, these levels had me running some rather unusual programs.
Running Commands from an Automatically Exiting Terminal
ssh bandit18@bandit.labs.overthewire.org -p 2220 cat readme
Running Commands in the Background on Linux
cat /etc/bandit_pass/bandit20 | nc -l 50000 &
The & symbol indicates that the command should run in the background, so when you later connect to port 50000 using nc, it will automatically return the password.
Bandit22 to Bandit24
Cron is equivalent to the Task Scheduler in Windows.
However, these levels are not about creating scheduled tasks but rather about reading others' scripts and writing your own.
The permission filtering in level 24 is not very strict; I not only saw others' scripts but also rm -rf'd some of them. I estimate fewer than 100 people have played this game?
Remember to write #!/bin/bash on the first line of your script.
Level 25
Brute-Forcing
Actually, I used a C script to generate ten thousand lines of commands and bombarded them in. If the password was correct, the connection would be interrupted.
We can roughly determine the range of the password, then reduce the number of command lines and bombard again.
At this point, if we look back at the previous brute-forcing records, we should be able to see the password.
Of course, the elegant way is to use a Python script (copied from the internet).
#!/usr/bin/env python3
from pwn import *
from multiprocessing import Process

def brute(nrOne, nrTwo):
    # Try every 4-digit PIN in [nrOne, nrTwo), one connection per attempt
    for pin in range(nrOne, nrTwo):
        pin = str(pin).zfill(4)
        r = remote('127.0.0.1', 30002)
        r.recv()  # discard the greeting
        # pwntools on Python 3 sends and receives bytes
        r.send(b'UoMYxxxxxxxxxxxxxxxxxxxxxxxxxxxx ' + pin.encode() + b'\n')
        if b'Wrong' not in r.recvline():
            print('[+] Successful -> ' + pin)
            print(r.recvline().decode())
            r.close()
        else:
            # Progress marker every 100 attempts
            if int(pin) % 100 == 0:
                print('[!] Failed -> ' + pin)
            r.close()

if __name__ == '__main__':
    # Split the PIN space across four worker processes
    p1 = Process(target=brute, args=(0, 2500))
    p2 = Process(target=brute, args=(2500, 5000))
    p3 = Process(target=brute, args=(5000, 7500))
    p4 = Process(target=brute, args=(7500, 10000))
    p1.start()
    p2.start()
    p3.start()
    p4.start()
Level 26, Level 27
Two levels that really blow your mind.
Check which terminal the system is using
Simply run cat /etc/passwd; the last field of each user's entry is the default terminal (the login shell).
How to Enter Vim from the showtext Program
Resize the terminal window so that the file content cannot be fully displayed. At this point, a more prompt will appear. Press v to enter Vim.
How to Modify the Terminal in Vim and Enter Bash
In Vim's command mode, enter the following two lines:
:set shell=/bin/bash
:shell
Level 28~Level 32
Various Git Operations
Clone: git clone <git_address>
Pull: git pull
Upload:
git add .
git commit -m "<your_description>"
git push origin master
Revert one step: git reset --hard HEAD^
View history versions: git log --pretty=oneline
Revert to a specific version: git reset <commit_id>
View branches: git branch -a
Switch branch: git checkout <branch>
View tags: git tag
Create a tag: git tag -a v1.4 -m 'my version 1.4', where -a means "annotated".
Level 33
A SHELL that automatically converts lowercase letters to uppercase—meaning it appears to run nothing.
However, entering $0 brings you into a normal shell, which is quite puzzling.
If you have an explanation, feel free to share it in the comments.
Introduction to the meanings of $0 $1 $2 $# $@ $* $?
Reference: https://segmentfault.com/a/1190000021435389
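An added example (not from the original article) of what these parameters hold under sh -c, run on constructed arguments. uppercase_shell is a hypothetical model that assumes the level's shell upper-cases each line and runs it through sh -c; under that assumption $0 has no letters to change and expands to the shell's own name.

```python
import subprocess


def sh(script, *args, stdin=""):
    """Run `sh -c script args...` and return what it wrote to stdout."""
    done = subprocess.run(["sh", "-c", script, *args], input=stdin,
                          capture_output=True, text=True)
    return done.stdout


def parameters():
    """Evaluate each special parameter for the constructed arguments below."""
    args = ("name", "a b", "c")  # the first extra argument becomes $0
    return {
        "$0": sh('echo "$0"', *args).strip(),
        "$1": sh('echo "$1"', *args).strip(),
        "$#": sh('echo "$#"', *args).strip(),
        # "$@" keeps each argument as its own word; "$*" joins them into one.
        '"$@"': sh('for x in "$@"; do echo "[$x]"; done', *args).splitlines(),
        '"$*"': sh('for x in "$*"; do echo "[$x]"; done', *args).splitlines(),
        "$?": sh("false; echo $?").strip(),  # exit status of the last command
        "default $0": sh('echo "$0"').strip(),  # no arguments: the shell's name
    }


def uppercase_shell(line, stdin=""):
    """Hypothetical model of the level's shell: upper-case, then sh -c."""
    return sh(line.upper(), stdin=stdin)


if __name__ == "__main__":
    for name, value in parameters().items():
        print(f"{name:12} -> {value!r}")
    # "$0" survives upper-casing, so the inner sh starts and reads our stdin.
    print(repr(uppercase_shell("$0", stdin="echo inner\n")))
```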