Bandit Level 5 → Level 10

Welcome to another instalment of the Bandit CTF series!

This is the best way to learn Linux, BASH, terminals, commands and everything in between!

Go to Bandit Level 0 → Level 4 if you need help with earlier levels.

Let’s ssh in to Bandit:

$ ssh bandit.labs.overthewire.org -p 2220 -l bandit5

You’ll need the password from the previous level.

Bandit Level 5 → Level 6

Let’s get started by running ls -la to see what we have.

total 24
drwxr-xr-x  3 root root    4096 May  7  2020 .
drwxr-xr-x 41 root root    4096 May  7  2020 ..
-rw-r--r--  1 root root     220 May 15  2017 .bash_logout
-rw-r--r--  1 root root    3526 May 15  2017 .bashrc
drwxr-x--- 22 root bandit5 4096 May  7  2020 inhere
-rw-r--r--  1 root root     675 May 15  2017 .profile

Ah, let’s go into the inhere directory via cd inhere && ls -la.

Using && lets us chain commands together: the second one only runs if the first succeeds. This way we 1) change directories and 2) list out the files in the new directory all at once, so cool!

total 88
drwxr-x--- 22 root bandit5 4096 May  7  2020 .
drwxr-xr-x  3 root root    4096 May  7  2020 ..
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere00
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere01
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere02
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere03
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere04
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere05
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere06
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere07
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere08
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere09
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere10
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere11
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere12
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere13
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere14
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere15
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere16
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere17
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere18
drwxr-x---  2 root bandit5 4096 May  7  2020 maybehere19

…wow! We’ve got a lot of directories to search through now…

Hmm, there must be a better option to automatically search these folders! Enter the find command. With it we can search multiple directories and pass it certain switches to narrow down our results. Let’s test it out.

$ find .

This runs find in the current directory, that’s what the . is for.

We can be more specific and use switches like -type or -size to find exactly what we’re looking for.

Let’s go back and get a clue from Bandit Level 5 → Level 6:

The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:

human-readable; 1033 bytes in size; not executable

Okay, so we’ve got some hints for what file we’re trying to find. Let’s use the -size switch with the byte size and see what we get.

$ find . -size 1033

That’s weird, no luck! That’s because we need to specify the unit for the file size: 1033 on its own is just a number, and without a suffix find counts in 512-byte blocks rather than bytes. Let’s search it up!

Thanks to linuxconfig.org we know we need to use c for bytes.

*Don’t forget to use the up arrow to see the last command!

$ find . -size 1033c
./maybehere07/.file2

Cool, look at that! Now we have only one search result, let’s see if we can cat it out and view it.

$ cat ./maybehere07/.file2
banditflag5-6{*****}

We got it! Now exit out and let’s go again!

*Since my first few writeups I’ve learnt sharing flags isn’t the best idea as it allows anyone to simply copy/paste their way through without trying.
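The size-unit mix-up from this level, reproduced in a throwaway sandbox. This is an added example, not part of the original walkthrough; the file names and contents are constructed, and the owner execute bit (-perm -100) stands in for the level's "not executable" hint.

```shell
#!/bin/sh
# Constructed sandbox (not the real Bandit files): three files that differ
# in size or in their execute bit.
make_sandbox() {
    dir=$(mktemp -d)
    mkdir -p "$dir/maybehere00" "$dir/maybehere01"
    # 1033 bytes, not executable: the file we want.
    printf '%01033d' 0 > "$dir/maybehere00/.target"
    # 1033 bytes but executable: right size, wrong mode.
    printf '%01033d' 0 > "$dir/maybehere01/run.sh"
    chmod 755 "$dir/maybehere01/run.sh"
    # 1033 * 512 bytes: what a bare "-size 1033" actually matches.
    printf "%0$((1033 * 512))d" 0 > "$dir/maybehere01/big"
    echo "$dir"
}

# Bare number: find counts 512-byte blocks, so both 1033-byte files are missed.
find_by_blocks() { find "$1" -type f -size 1033; }

# "c" suffix: exact size in bytes, as in the walkthrough.
find_by_bytes() { find "$1" -type f -size 1033c | sort; }

# Size plus mode: regular file, 1033 bytes, owner execute bit not set.
find_target() { find "$1" -type f -size 1033c ! -perm -100; }

# Stand-alone run: show all three searches, then clean up.
sandbox=$(make_sandbox)
echo "-size 1033 matches:"
find_by_blocks "$sandbox"
echo "-size 1033c matches:"
find_by_bytes "$sandbox"
echo "-size 1033c and not executable:"
find_target "$sandbox"
rm -rf "$sandbox"
```
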

Bandit Level 6 → Level 7

Let’s jump into the next one head first and see what we get!

$ ls -la

Okay, strange, nothing there. Maybe I should read the goal first after all!

The password for the next level is stored somewhere on the server and has all of the following properties:

owned by user bandit7; owned by group bandit6; 33 bytes in size

Ah, so the file isn’t within the bandit6 directory, it’s somewhere else. No worries, let’s look up how to use the find command to get the right switches.

$ find --help

After looking a bit at the wall of text, I see -user NAME and -group NAME, I think they’re what we’re after. We’ll use it with -size from the last level too.

$ find -user bandit7 -group bandit6 -size 33c

No luck! What did we forget?

The location! Currently, we haven’t specified where to look, remember it’s hidden anywhere on the server.

$ find / -user bandit7 -group bandit6 -size 33c

Good, it’s working! The bad news is there are so many files we don’t have access to. How do we only see accessible files? One way is to remove the errors: as ‘Permission denied’ is an error, we can redirect those messages elsewhere.

Thanks to cyberciti.biz for explaining stdin, stdout and stderr, it’s worth reading over that article to understand more.

$ find / -user bandit7 -group bandit6 -size 33c 2>/dev/null
/var/lib/dpkg/info/bandit7.password

How cool? We got one search result, that makes life a lot easier.

The 2>/dev/null may seem very strange at first. The 2 is the file descriptor for stderr, which is where the errors from our search are written. The > redirects, and /dev/null is a special device file that discards everything we dump into it.

So, cat that sucker and grab your flag!

$ cat /var/lib/dpkg/info/bandit7.password
banditflag6-7{*****}
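To see what 2>/dev/null actually separates, here is the same kind of search run against a constructed tree. This is an added example, not part of the original walkthrough: the file names are made up, the current user stands in for bandit7, and a start path that does not exist stands in for the 'Permission denied' errors.

```shell
#!/bin/sh
# Constructed tree (not Bandit's real layout): one 33-byte file and a decoy,
# both owned by whoever runs this script.
make_tree() {
    dir=$(mktemp -d)
    printf '%032d\n' 0 > "$dir/bandit7.password"   # 32 digits + newline = 33 bytes
    printf 'too short\n' > "$dir/decoy"
    echo "$dir"
}

# Search the tree plus a start path that does not exist, so find always has
# something to report on stderr, whatever user runs it.
search() {
    find "$1" "$1/no-such-dir" -type f -user "$(id -u)" -size 33c
}

# Keep fd 1 (stdout): errors are discarded, matches survive.
matches_only() { search "$1" 2>/dev/null || true; }

# Keep fd 2 (stderr): point stderr at the current stdout first, then
# discard the real stdout. The order of the two redirections matters.
errors_only() { search "$1" 2>&1 >/dev/null || true; }

# Stand-alone run: show each stream on its own, then clean up.
tree=$(make_tree)
echo "stdout only:"
matches_only "$tree"
echo "stderr only:"
errors_only "$tree"
rm -rf "$tree"
```

find exits non-zero when any start path fails, which is why both helpers end in || true.
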

Bandit Level 7 → Level 8

Let’s not read the instructions just yet! ls away my friends!

Ah, a simple data.txt file, this seems too easy to be real.

Let’s cat and …oh gosh… so much data, so much!

Hm, maybe we’ll go back to the hints now:

The password for the next level is stored in the file data.txt next to the word millionth.

Okay, so we need to somehow search within the file and output the flag. Our only hint we have is it’s next to the word millionth.

grep is the command for the job, it searches for patterns in a file.

Let’s run grep --help to get familiar with it, we’re looking for a switch that’s simple enough to match our word with it. Let’s try -e or --regexp=PATTERN, that should do it!

$ grep data.txt -e millionth
banditflag7-8{*****}

Would you look at what we have here… a flag!

Let’s exit out and head over to the next level!

Bandit Level 8 → Level 9

Same as always, ls and see what we’re working with.

Looks like another data.txt file with even more ‘hard to read’ text.

Back to the instructions:

The password for the next level is stored in the file data.txt and is the only line of text that occurs only once.

We could use grep and put together a long regex to output what we need, but I’m not a wizard.. so we’ll be using sort and uniq.

First, let’s understand sort. It prints the file like cat does, but with the lines in sorted order. Run it against data.txt and see the difference.

$ sort data.txt

Everything is sorted, cool.

But how do we then find the unique flag? uniq of course.

Try it:

$ uniq data.txt

Hm, that didn’t work… that’s because uniq only compares adjacent lines, so we need to use the two commands together. Since they’re separate commands, we’ll use the | pipe to chain them together.

$ sort data.txt | uniq

Still no luck, let’s run uniq --help and see if there’s a switch that can help.

Yep! -u which only prints unique lines, that sounds perfect!

$ sort data.txt | uniq -u
banditflag8-9{*****}

Done! We got there thanks to stackoverflow.
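Why uniq on its own failed here, shown on a small constructed sample. This is an added example, not part of the original walkthrough; the sample lines and function names are made up, and the awk variant goes one step beyond the page by counting lines without sorting.

```shell
#!/bin/sh
# Constructed sample: every line repeats except "charlie", and no two
# identical lines sit next to each other.
sample() {
    printf '%s\n' alpha bravo alpha charlie bravo alpha
}

# uniq only compares adjacent lines, so on unsorted input every line
# looks unique and all six are printed.
uniq_unsorted() { sample | uniq -u; }

# Sorting first makes duplicates adjacent; -u then keeps lines seen once.
uniq_sorted() { sample | sort | uniq -u; }

# -c prefixes each line with its count, handy for checking the result.
counts() { sample | sort | uniq -c | awk '{print $1 ":" $2}'; }

# Same answer without sorting: count every line in an awk array and
# print the ones seen exactly once.
uniq_awk() {
    sample | awk '{ seen[$0]++ } END { for (l in seen) if (seen[l] == 1) print l }'
}

# Stand-alone run.
echo "uniq -u, unsorted input:"
uniq_unsorted
echo "sort | uniq -u:"
uniq_sorted
echo "sort | uniq -c:"
counts
echo "awk, no sort:"
uniq_awk
```
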

Bandit Level 9 → Level 10

Our final level together, for now, let’s ls this thing.

Another data.txt file, let’s cat it.

Ah heck, it was a trap! Use clear and we’ll go back to the instructions:

The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.

Okay, so we need to search through the file and somehow use =… let’s give it a shot! Maybe we’ll try grep again from the earlier level.

$ grep data.txt -e =
Binary file data.txt matches

StackExchange shows us that since the data.txt file starts with non-text, grep treats it as binary and only reports that the file matches instead of printing the matching lines. Damn.

Let’s look at the other commands we can use.

There’s one called strings, let’s take a closer look with strings --help

If we use this command and | pipe grep with a few = … we should be good to go, let’s try it!

$ strings data.txt | grep ===
========== the*2i"4
========== password
Z)========== is
&========== banditflag9-10{*****}

It’s not the prettiest method, it’s probably not the best way either, but it worked!


Thanks for reading along with my bandit CTF journey! It’s been nice to have you.

If you have any feedback, please send me a message @mrashleyball.

This is Day 9 of #100DaysOfHacking, subscribe to my weekly newsletter to see the learning journey!

Happy Hacking.

About The Author
Ashley Ball

Hi, I'm Ash. I'm a teacher, web designer and content creator from Australia. I like making things simple. I like staying connected, learning about design and being an entrepreneur. Subscribe for insights via my weekly newsletter.