San Kang

[Write Up] Bandit Wargame Clear Log (Level 10 - 20)

OverTheWire Bandit Wargame Level 10–20: My Step-by-Step Solutions

This is the second review of the OverTheWire Bandit wargames.
While I was studying Python 3, I explored various areas of IT and became interested in cybersecurity.
Then I found the Bandit wargames and totally got hooked.
Starting today, I'll write down how I cleared each level of the wargames. This will be a way for me to improve both my computer skills and my English writing skills.
Please let me know if I use any awkward expressions or provide incorrect information.

If you need more details about the Bandit wargames, please check this link: http://www.overthewire.org/wargames


11. Bandit Level 10 → Level 11

Level Goal
The password for the next level is stored in the file data.txt, which contains base64 encoded data

Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

Helpful Reading Material
Base64 on Wikipedia

How I solved it

I entered the ls command first, and then I found the data.txt file which contained base64 encoded data.
So I decoded it using the base64 command with the -d option, which stands for decode.
After I added data.txt, I pressed the Enter key. Then the password popped up, so I logged into level 11.


12. Bandit Level 11 → Level 12

Level Goal
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions

Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

Helpful Reading Material
Rot13 on Wikipedia

How I solved it

I started by entering ls to check the files in the current directory and I found the data.txt file.
I tried to read it using cat, but the contents were unreadable. To understand it, I needed to decode the letters.
So I used the tr command which helps translate or delete characters.
I used the arguments '[A-Za-z]' and '[N-ZA-Mn-za-m]' to define the ROT13 transformation, combined with the '|' symbol to pipe the contents from cat.
As a result, I found the password for the next level.


13. Bandit Level 12 → Level 13

Level Goal
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work. Use mkdir with a hard to guess directory name. Or better, use the command “mktemp -d”. Then copy the datafile using cp, and rename it using mv (read the manpages!)

Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd, mkdir, cp, mv, file

Helpful Reading Material
Hex dump on Wikipedia

How I solved it

I found the data.txt file using the ls command. After that, I made the sank12 directory in the temp directory to solve this level more easily.
Then I copied the data.txt file using the cp command into the sank12 directory.
I moved into the sank12 directory using the cd command, and then I typed ls to find the data.txt file.
Next, I entered the xxd command with the -r option to decode the data.txt file. But it was unreadable.
So I added the > symbol and a new file name (in this case, bandit12) to save the result.
I checked the files in the current directory using ls. The bandit12 file appeared.
I needed to know what type the bandit12 file was. So I used the file command to check and then I knew it was gzip.

Before I decoded it, I had to change the file extension to gz. So I entered mv bandit12 bandit12.gz, which means "I want to move the bandit12 file to the bandit12.gz file."
Then I decoded the bandit12.gz file using the gunzip command. After that, I entered ls again and I found the bandit12 file.
I used the file command again and saw that the bandit12 file was compressed with bzip2.
I changed the bandit12 file to bandit12.bz2, and I decoded it using the bzip2 command with the -d option.
Then I entered the ls command again. I found the bandit12 file, so I used the file command again to find out what type the bandit12 file was.
It was gzip, so I decoded it using the gunzip command. Then the bandit12 file appeared.
I checked the type of the bandit12 file using the file command. It was tar.
I entered mv bandit12 bandit12.tar, and then I typed tar -xf bandit12.tar to decode the bandit12 file.
After that, I entered ls to check the files in the current directory, and I found the data5.bin file.
I used the file command, so I knew the type of the data5.bin file was tar.

I entered mv data5.bin data5.tar. Then I typed tar -xf data5.tar. After that I used the ls command.
I found the data6.bin file. I used the file command to check the type of the file and then I knew it was tar.
I entered mv data6.bin data6.tar. Then I typed tar -xf data6.tar. After that I used the ls command.
I found the data8.bin file. When I checked it using the file command, it was gzip.
So I changed the file name to data8.gz, and then I tried to decode it using the gunzip command.
As a result, the data8 file appeared. It was an ASCII text file.
So I used the cat command to read the file and finally I found the password for the next level.
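
The manual loop above (check the type, rename, decompress, repeat) can be automated. This is an added example, not part of the original write-up: it reverses an xxd dump and peels gzip, bzip2 and tar layers by looking at the magic bytes that the file command reads. The function names and the sample built by build_sample are constructed for illustration.

```python
import bz2, gzip, io, tarfile

def xxd_reverse(dump: str) -> bytes:
    """Rebuild bytes from `xxd` text ('offset: hex groups  ascii' per line)."""
    out = bytearray()
    for line in dump.splitlines():
        if ": " in line:  # hex column ends at the first double space
            out += bytes.fromhex(line.split(": ", 1)[1].split("  ", 1)[0])
    return bytes(out)

def detect(data: bytes) -> str:
    """Name a layer from its magic bytes, the same evidence `file` reports."""
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[:3] == b"BZh":
        return "bzip2"
    if data[257:262] == b"ustar":  # tar magic sits at offset 257
        return "tar"
    return "data"

def peel(data: bytes, max_layers: int = 32):
    """Strip layers until none is recognised; returns (payload, layers seen)."""
    seen = []
    while (kind := detect(data)) != "data":
        if len(seen) >= max_layers:  # nesting depth comes from the input, so bound it
            raise ValueError("too many nested layers")
        if kind == "gzip":
            data = gzip.decompress(data)
        elif kind == "bzip2":
            data = bz2.decompress(data)
        else:  # tar: read the first regular file in memory, write nothing to disk
            with tarfile.open(fileobj=io.BytesIO(data)) as tar:
                member = next(m for m in tar if m.isfile())
                data = tar.extractfile(member).read()
        seen.append(kind)
    return data, seen

def build_sample(secret: bytes) -> str:
    """Constructed input: secret -> gzip -> tar -> bzip2 -> gzip -> xxd-style text."""
    inner, buf = gzip.compress(secret), io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("data5.bin")
        info.size = len(inner)
        tar.addfile(info, io.BytesIO(inner))
    blob = gzip.compress(bz2.compress(buf.getvalue()))
    rows = range(0, len(blob), 16)
    return "\n".join(f"{i:08x}: {blob[i:i + 16].hex(' ', -2)}  (ascii)" for i in rows)

if __name__ == "__main__":
    print(peel(xxd_reverse(build_sample(b"constructed-secret\n"))))
```

Reading tar members in memory avoids extracting attacker-chosen file names into the working directory.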


14. Bandit Level 13 → Level 14

Level Goal
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on

Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap

Helpful Reading Material
SSH/OpenSSH/Keys

How I solved it

First of all, I entered the id command to check my current user ID, which was bandit13.
So it was clear that I could not read the bandit14 file directly.
I used the ls command to check the files in the current directory and found the sshkey.private file.
Next, I used the man command with ssh to find an option that allows using a private key.
I found that the -i option lets me specify the identity file for public key authentication.
So I entered the ssh command with the -i sshkey.private option.
Then I added bandit14@localhost -p 2220, the address I wanted to log in to.
The bandit system asked me to continue, and I entered yes. Finally I logged into bandit14.


15. Bandit Level 14 → Level 15

Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap

Helpful Reading Material
How the Internet works in 5 minutes (YouTube) (Not completely accurate, but good enough for beginners)
IP Addresses
IP Address on Wikipedia
Localhost on Wikipedia
Ports
Port (computer networking) on Wikipedia

How I solved it

I started by entering cat /etc/bandit_pass/bandit14 to find the current password.
After I found the password, I used the nc command. The nc command stands for netcat, which is short for network and the cat command.
Then I added the localhost IP address (127.0.0.1) and port number (30000), and I pressed the Enter key.
Then I entered the current level password. As a result, I got the password for the next level.


16. Bandit Level 15 → Level 16

Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL/TLS encryption.

Helpful note: Getting “DONE”, “RENEGOTIATING” or “KEYUPDATE”? Read the “CONNECTED COMMANDS” section in the manpage.

Commands you may need to solve this level
ssh, telnet, nc, ncat, socat, openssl, s_client, nmap, netstat, ss

Helpful Reading Material
Secure Socket Layer/Transport Layer Security on Wikipedia
OpenSSL Cookbook - Testing with OpenSSL

How I solved it

First of all, I entered cat /etc/bandit_pass/bandit15 to find the current level's password.
Next, I ran the openssl command with the s_client subcommand. (I made many mistakes here at first: I kept using -s_client, but you should not use the dash. It's a subcommand, not an option.)
The s_client subcommand helps you connect directly to an SSL/TLS server.
Then I added the -connect option with the address localhost:30001 and pressed Enter.
Once connected, I pasted the current level's password. As a result, I got the password for the next level.


17. Bandit Level 16 → Level 17

Level Goal
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL/TLS and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

Helpful note: Getting “DONE”, “RENEGOTIATING” or “KEYUPDATE”? Read the “CONNECTED COMMANDS” section in the manpage.

Commands you may need to solve this level
ssh, telnet, nc, ncat, socat, openssl, s_client, nmap, netstat, ss

Helpful Reading Material
Port scanner on Wikipedia

How I solved it

I started by entering cat /etc/bandit_pass/bandit16 to find the password for the current level.
Next, I entered the nc command with the -r -w 1 -z options.
The -r option scans ports in a random order instead of sequentially. It helps you avoid detection by intrusion detection systems (IDS) by making scan patterns unpredictable.
The -w 1 option limits the connection attempt timeout to 1 second. This option helps you speed up scans and avoid hanging on unresponsive ports.
The -z option checks the connection without sending or receiving any data. If you only want to check whether the ports are open or not, this option will help.
As a result, I found five open ports, so I tried to find out which of those speak SSL/TLS one by one.
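
From the defender's side, randomizing port order only defeats rules that look for consecutive port numbers. The sketch below is an added example, not part of the original write-up: it counts distinct destination ports per source inside a time window, so a shuffled sweep is flagged the same way as a sequential one. The record format, addresses, window and threshold are constructed assumptions.

```python
import random
from collections import defaultdict, deque

def scan_alerts(events, window=10.0, threshold=20):
    """Return sources that touched >= threshold distinct ports within `window` seconds.

    events: iterable of (timestamp_seconds, source_address, destination_port).
    """
    recent = defaultdict(deque)  # source -> (timestamp, port) pairs still in the window
    alerts = set()
    for ts, src, port in sorted(events):
        q = recent[src]
        q.append((ts, port))
        while ts - q[0][0] > window:  # expire records older than the window
            q.popleft()
        # A set ignores the order ports were tried in, so shuffling changes nothing.
        if len({p for _, p in q}) >= threshold:
            alerts.add(src)
    return alerts

def constructed_events():
    """Constructed records (not from the post): two sweeps and one ordinary client."""
    ports = list(range(31000, 31040))
    shuffled = ports[:]
    random.Random(16).shuffle(shuffled)
    events = []
    for i, (a, b) in enumerate(zip(ports, shuffled)):
        events.append((i * 0.1, "192.0.2.10", a))    # sequential order
        events.append((i * 0.1, "192.0.2.11", b))    # random order, as with nc -r
        events.append((i * 0.1, "192.0.2.12", 443))  # one service, many connections
    return events

if __name__ == "__main__":
    print(sorted(scan_alerts(constructed_events())))
```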

I tried port 31046 first by using openssl s_client -connect localhost:31046, but it didn't support SSL/TLS.

So I moved on to the next one: I entered openssl s_client -connect localhost:31790, and it worked!
Once connected, I pasted the current level's password. However, it only returned a single message, KEYUPDATE, and nothing else.

That felt suspicious because the wargame description stated: "There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it."
So I retried the same command, but this time I added the -ign_eof option, which allows you to keep reading input even after the server disconnects.
I ran the command again and pasted the current level's password. This time, the server responded with an RSA private key.
I saved the key as key16 inside the /tmp/sank16 directory.
Then I tried to log in to the next level using the command: ssh -i key16 bandit17@localhost -p 2220.

But I was denied, because permissions on the key16 file were too open.
I checked the file permissions using ls -l key16 and then fixed it with chmod 700 key16.
After that, I retried the SSH login, and it worked!
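
OpenSSH refuses a private key file when any group or other permission bit is set. chmod 700 clears those bits, and 600 does the same without the execute bit a key file never needs. The sketch below is an added example, not part of the original write-up: it reproduces that permission test and writes a key so that it is owner-only from the moment the file is created, which matters in a shared /tmp. The helper names and the placeholder key text are constructed.

```python
import os, stat, tempfile

def too_open(path: str) -> bool:
    """True if group or other has any permission bit on the file."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)

def save_private_key(directory: str, name: str, pem: str) -> str:
    """Write a key so that it is owner-only from the moment the file exists."""
    path = os.path.join(directory, name)
    # O_EXCL fails if the name already exists (including a planted symlink in /tmp).
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(pem)
    return path

def demo() -> dict:
    """Constructed run: placeholder key text in a private scratch directory."""
    workdir = tempfile.mkdtemp(prefix="bandit-")  # created with mode 0700
    pem = "-----BEGIN PLACEHOLDER KEY-----\n(constructed, not a real key)\n"
    loose = os.path.join(workdir, "key16.loose")
    with open(loose, "w") as fh:
        fh.write(pem)
    os.chmod(loose, 0o644)  # what a default umask of 022 produces
    results = {"0644": too_open(loose)}
    os.chmod(loose, 0o700)  # the fix used in the post
    results["0700"] = too_open(loose)
    strict = save_private_key(workdir, "key16", pem)
    results["created 0600"] = too_open(strict)
    return results

if __name__ == "__main__":
    print(demo())
```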


18. Bandit Level 17 → Level 18

Level Goal
There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new

NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19

Commands you may need to solve this level
cat, grep, ls, diff

How I solved it

I started by entering ls to check the files in the current directory, and I found two files: passwords.new and passwords.old.
I used the diff command to check the difference between those two files. I entered diff passwords.new passwords.old.
As a result, I found the password for the next level. So I logged into level 18.


19. Bandit Level 18 → Level 19

Level Goal
The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

Commands you may need to solve this level
ssh, ls, cat

How I solved it

The wargame description stated: "Someone has modified .bashrc to log you out when you log in with SSH."
.bashrc is a user-level script that runs automatically when a bash shell is started, so I needed to bypass or avoid it.
To do that, I entered ssh bandit18@bandit.labs.overthewire.org -p 2220 /bin/sh, which starts a sh shell instead of bash.
I successfully logged into level 18, then I used the ls command and found the readme file.
Finally I ran cat readme and got the password for the next level.


20. Bandit Level 19 → Level 20

Level Goal
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

Helpful Reading Material
setuid on Wikipedia

How I solved it

I started by entering ls to check the files in the current directory.
I found the bandit20-do file and executed it to see how to use it.
The file allows me to run a command as another user, in this case bandit20.
So I ran ./bandit20-do cat /etc/bandit_pass/bandit20 and got the password for level 20.


I’m continuing with higher levels, and I’ll post my solutions step by step.
If you find this helpful or want to follow along, feel free to leave a comment!
