OverTheWire Logo

OverTheWire Bandit Part 1

What is OverTheWire?

OverTheWire is a website with two games. One is "Wargames", which is a level based game, the other game is "Warzone", which is more of a free-for-all hacking game.

In this series of articles, I'm going to give a walkthrough of how to complete the "Bandit" series of levels on their website.

Getting to the Game

To get to the first level's page, we need to click on "Bandit" on the left hand side of the page. This should bring us to Bandit's level page, and we can click on "Level 0" on the left.

Bandit Level 0 Page
Bandit Level 0 Page

Connecting With SSH

Each level in this game requires us to connect to the server using SSH. SSH, or Secure SHell, allows us to log into the console of a remote computer, and run commands. Linux, Mac OSx, and ChromeOS. On Windows, you'll need to install PuTTY, which you can download from https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html


Since this is the first article in which SSH is required, I'll give a step by step guide for SSH using PuTTY. Upon opening PuTTY, you'll be confronted by this screen:

PuTTY Configuration Screen
PuTTY Configuration Screen

Type in bandit.labs.overthewire.org for the hostname, and 2220 for the port. This tells putty where the SSH server is listening, so that it can connect to the server.

Type OverTheWire Bandit into the saved sessions field, and click Save. This will allow us to load these settings for future use.

Click Open, and you'll be presented with this screen:

OTW Bandit Login
OTW Bandit Login

This screen shows us that we need to provide a username to log into the server as. The Bandit series uses the username bandit[level], where [level] is the level number we're on. This is bandit0 for the first level, bandit1 for the second, and so on.

Typing bandit0 in and pressing Enter will show us the server banner, or the message for SSH connections to the server, and prompt us for the password. The password for the first level is bandit0, and all following levels use the password we get from the level before. As you're typing in a password, the screen will not show anything. Just type in bandit0, and press Enter.

Unix, Linux, ChromeOS, Mac OSx

Open a terminal, type in ssh -l bandit0 -p 2220 bandit.labs.overthewire.org, and press Enter.

This tells our computer that we want to use SSH to connect to bandit.labs.overthewire.org on port 2220 with the username bandit0

The Bandit series uses the username bandit[level], where [level] is the level number we're on. This is bandit0 for the first level, bandit1 for the second, and so on.

After pressing Enter, we'll be presented with the server banner, and a prompt asking for the password.

Linux SSH Password
Linux SSH Password Request

We can see that the server is requesting our password, which is bandit0 for the first level. Type in bandit0 (you won't see anything typing in), press Enter, and you should be logged in.

In this game the password for every level is found by completing the previous level, so this will be different later on.

Completing Level 0

By clicking on the link on the left hand side of the Bandit Level 0 page that says Level 0 -> Level 1, we can see what we need to do in order to get to the next level. Apparently there is a file named readme in the "home directory".

Notice that the server prompt says bandit0@bandit:~$. This is the server's way of telling us that we're logged in as the user bandit0 on the server named bandit, and that we're in the folder ~, which means "home directory". The $ means that we're a standard user, not the admin (which is called root on linux machines).

To check what files are in the folder we're currently in, we can run ls, which means list directory contents. More information can be found on the "Manual Pages" of ls, by running man ls. For now however, we're just going to type in ls and press Enter, which will show us the contents of the folder we're in currently.

ls output
`ls` output

The server will give us this output. This is the server's way of telling us that there's a file named readme in the current folder.

Let's open this file, because it should have the password for the next level in it. We can do this by running cat readme, and pressing Enter. cat prints the contents of the file we type in after to the terminal that we're in.

cat readme
Output of `cat readme`

We need to copy the stringĀ  boJ9...3MY1, because this is the password for the next level.

Note: People unfamiliar with a terminal may try selecting the string and pressing Ctrl+C to copy the text. This will not work because Ctrl+C kills (stops) the currently running program in a terminal. Most terminals allow you to do one of the following to copy text (select it, then try these):

    • Hold Ctrl+Shift+C to copy. (This works in many UNIX/Linux/Mac OSx terminals)
    • Right click on the selected text, and check if there's a Copy option.
    • Right click on the application title bar, and see if there's something that says Copy. This option may be in a submenu called Edit. This works on many Windows command lines.

To disconnect from the server, type exit, and press Enter.

Onto Level 1

On the sidebar of OverTheWire, we can click on Level 1 -> Level 2 to see some info about this next level.

We see that there's a file that's named an unconventional name, which has the password in it. Let's connect to the OverTheWire Bandit server again, using bandit1 as the username, and the string we copied from the last level as the password.

Once we're logged into the server, we can see that we're logged as bandit1 on the server bandit from the terminal prompt.

We'll run ls to list the files in the current directory. This will output a really weird file named -.

- as a file name
`-` as a file name

Trying to run cat - will not help us here, as having a hyphen at the end of a command means that another input will be fed into the program using "standard input" (this is not standard way for terminal novices).

Running cat - leaves our terminal hanging forever, not allowing us to run commands. This is a great example for using Ctrl+C. We have a command that's stuck, so we can hit Ctrl+C to kill the command.

Killing a hung command using `Ctrl` and `C`
Killing a hung command using `Ctrl` and `C`

Notice that pressing Ctrl+C puts ^C on the current line I was on, and brought me back to the prompt.

Let's work around this weird issue. On Linux, ./ means the current directory. Instead of trying to cat the file -, we can cat the file ./-, which means "the file - in the current directory`.

Running cat ./- will get us the password for the next level.

`cat`ting the weird file name
catting the weird file name

An Author's Note

In this series, I am very specifically going to avoid posting the password as standard text. I will keep the passwords in the images for anyone completely stuck, but I am not going to make it selectable and copyable text, as this series should give readers the necessary understanding to get these passwords themselves.

One thought on “OverTheWire Bandit Part 1”

Leave a Reply