In this tutorial, we’ll go over levels 5-10 from the Bandit CTF from Over The Wire. We’ll talk about the commands used, as well as why we used them and other situations where these commands come in handy. A walkthrough of Bandit levels 0-4 can be found here.
In this Bandit challenge, we’re given a short list of attributes of the file that contains the password to the next level. This file is human readable, 1033 bytes, and is not executable. Inside the main folder (“inhere”), we see 20 subfolders. How are we going to find the file we are looking for? It’s time to learn about the “find” command!
The find command can be used to track down files that fit various criteria. To find files that are exactly 1033 bytes, we can type:
find -size 1033c
Since only one file is returned, we know which file contains our password. If we wanted to filter further based on the criteria, we could use the -type f option to limit results to regular files (find has no test for human readability itself), and we could use the -executable option to find files that are executable. To exclude those executable files, we would negate the test with “!” to remove them from the results. So a more thorough command to find our file might look like this:
find -size 1033c -type f ! -executable
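The filtering above, as an added example that is not part of the original walkthrough: it builds a constructed sandbox with one decoy per attribute and applies the predicates one step at a time. All directory and file names are made up, the -executable test needs GNU find, and the final grep -Il text check is this example's own stand-in for "human readable".

```shell
#!/bin/sh
# Added example. Every directory and file name below is constructed.
# Needs GNU find for -executable.

make_sandbox() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/inhere/sub00" "$dir/inhere/sub01"
    # Target: 1033 bytes, text, not executable.
    printf '%1033s' '' | tr ' ' 'a' > "$dir/inhere/sub00/target"
    # Decoy: right size and text, but executable.
    printf '%1033s' '' | tr ' ' 'b' > "$dir/inhere/sub00/decoy_exec"
    # Decoy: right size, not executable, but binary (all NUL bytes).
    head -c 1033 /dev/zero > "$dir/inhere/sub01/decoy_binary"
    # Decoy: text and not executable, but one byte short.
    printf '%1032s' '' | tr ' ' 'c' > "$dir/inhere/sub01/decoy_size"
    chmod 644 "$dir"/inhere/sub0?/*
    chmod 755 "$dir/inhere/sub00/decoy_exec"
    printf '%s\n' "$dir"
}

# Size test only, as in the first command on the page.
by_size() { find "$1" -size 1033c; }

# Size, regular file, not executable: the fuller command on the page.
by_attrs() { find "$1" -size 1033c -type f ! -executable; }

# Assumption of this example: treat "human readable" as "grep does not
# consider it binary". -I skips binary files, -l prints matching names.
text_only() {
    find "$1" -size 1033c -type f ! -executable -exec grep -Il . {} +
}

sandbox=$(make_sandbox)
echo "size only:";       by_size "$sandbox"
echo "page's filter:";   by_attrs "$sandbox"
echo "plus text check:"; text_only "$sandbox"
rm -rf "$sandbox"
```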
In this challenge, we’re told the file we’re looking for can exist anywhere on the server, is owned by user bandit7, is also owned by group bandit6, and is 33 bytes in size.
We can use some of the things we learned about the find command in level 5, such as how to specify file size in our search. In addition to the file size option, we can also specify the user and group that own the file:
find / -size 33c -user bandit7 -group bandit6
This gets us our results, but with a lot of error output (often called stderr for standard error). To remove this error output, we can redirect stderr to /dev/null. To do this, we just append “2>/dev/null” to the previous command (the “2” is the file descriptor for standard error, and there must be no space between it and the “>”, otherwise the shell passes “2” to find as an argument and redirects the normal output instead):
find / -size 33c -user bandit7 -group bandit6 2>/dev/null
At that point, we get our file name and can open this to get the password for the next level.
In Bandit Level 7, we are looking for a string that is next to the word “millionth” in a file called data.txt. To solve this, we’re going to use grep. The usage for this instance is fairly straightforward, with the only inputs being the text we’re looking for, and the filename that we will search within:
grep millionth data.txt
Since this example is fairly easy, let’s look at another way to use grep. We can use the cat command to pipe a file into grep to get the same result:
cat data.txt | grep millionth
In Bandit level 8, the password is within a text file, and is the line that occurs only once. When we display the contents of data.txt, we see a lot of different lines, and need to pick out the one line that is unique. To do this, we’re going to use the sort and uniq commands, which are two commands that are often used together to sort lines within files.
The sort command will take a text file, and sort the lines within it alphabetically. Without any additional flags set, duplicate lines are repeated. There are several uses for sort, and I recommend reviewing the documentation to learn more about how it can be used.
Like the sort command, uniq can be used for many things. In this instance, we want to use it to only identify unique lines within our sorted file, and we can do this with the -u option. The sort step matters because uniq only compares adjacent lines, so duplicates must sit next to each other to be recognized. Putting those commands together, we can find the password for the next level:
cat data.txt | sort | uniq -u
Bandit Level 9 features a file that is not human-readable, yet the password is somewhere inside, preceded by several “=” characters. To find our password, we will use the strings command. In other CTF challenges, strings is often the first command people run against binary files, so it’s worthwhile to know the basics of this command.
To find the password for the next level, we can run the strings command against data.txt, then pipe the output into the grep command we just learned about:
strings data.txt | grep '=='
Level 10 features a password encoded via base64. Like using strings, encoding and decoding base64 is a very useful skill when solving CTFs.
Using the base64 command to decode data is straightforward. Just use the “-d” flag and point to the file, and you’ll see the result:
base64 -d data.txt
Because these levels involved relatively basic Linux commands, we went through 6 levels in one post. Future posts and videos may be a bit more involved, and there is more to learn from them, so we’ll tackle those one by one going forward. Stay tuned for more!