Level 1 -> Level 2
Level 1 -> Level 2 is much the same as Level 0 -> Level 1 but this time the file containing the password is simply named ‘-‘, if you try to cat the file now nothing happens…
This is because ‘-‘ is often used to refer to stdin, so cat – would simply display the standard input (in this case the keyboard). This is shown when text is entered into the command line and enter is pressed, whatever text was inputted is simply repeated back to you.
The way around this is to specify that ‘-‘ is actually a file and the easiest way to do this is to give it a path with the prefix ./ . Now if cat ./- is entered the password will be revealed
Level 2 -> Level 3
This level presents a problem as the file in which the password is stored is named ‘spaces in this filename’, if we were to simply enter cat spaces in this filename, then the system would try to output the files ‘spaces’, ‘in’, ‘this’ and ‘filename’ separately.
We can tell the system that we want it to see the text as one string by adding quotation marks around the filename. By entering cat “spaces in this filename” we obtain the password and can move on to the next level.
The first level of Bandit, Level 0, is incredibly simple. You use the ssh command to connect to the game server. ssh stands for ‘secure shell’ and allows a user to connect securely to an ssh server. The website gives you the username and password required to access the server. Do not get used to that…
Level 0 -> Level 1 introduces some simple commands; ls and cat. ls lists the files in your current directory and cat outputs the contents of a file. The ls command can be modified by adding an option as seen below.
ls is the most basic, ls -a includes entries that start with ‘.’ and ls -l uses a longer listing format. These options can be used in conjunction e.g. ls -al.
As mentioned above, cat simply outputs the contents of a file, we can see that the file readme contained the password for the next level.
The next step is to copy the password to the clipboard and then connect via ssh to the next level.
When I first went through these levels I ran into a problem at this point, after getting the password I tried to use ssh firstname.lastname@example.org. This threw up an error stating that I couldn’t connect. After some digging and conversation in the Over The Wire IRC channel I was told that the machine that the game is hosted on doesn’t make outgoing connections for security reasons. So because I was already connected to the machine, it wouldn’t connect. What I had to do was to use the exit command to log out of the current ssh session and then log back in using the usual command. I also found that instead of logging out I could simply use ssh bandit1@localhost to connect because all the levels are hosted on the same machine and I technically wasn’t making an outbound connection.
For nearly all commands there is a manual page that can be accessed by adding man in front of the command e.g. man ls, man cat. The manual shows you the correct syntax for commands and gives a list of options that can be used and the effects that they have.
In my quest for computing knowledge I stumbled across a recommendation, probably on /r/howtohack, to check out Over the Wire’s Wargames. Wargames being a set of challenges that require you to complete various computing and security tasks to then progress to the next level.
The particular one I started with is Bandit and is completed entirely in the Unix command line using commands that you are provided with and some that you aren’t. The site provides some resources for reading about the different commands but it also suggests using Google to its full potential and I have to echo (haha) that suggestion.
I’ll be making a series of posts about either a group of levels, if they are easy enough to explain a few at a time, or a single level, if it takes a bit more effort.