I’ve been interested lately in bettering my pen testing skills. I just finished my Computer Architecture course where I learned the MIPS architecture, how caches and CPU pipelining work, how virtual memory and paging work, etc.

That got me thinking…why is any of this useful? While studying for my final, I found this video on LiveOverflow in which Fabian (the author) reverse engineers a binary by breaking down the assembly instructions. This was a big a-ha moment for me, as prior to this, I was struggling to grasp the practicality of understanding low level computer architecture. After all, I’m a network engineer; I am mostly concerned with the network stack and high level design strategy.

After finishing the video, it finally clicked. I need to understand computer architecture in order to creatively break systems down and find flaws, or conversely, to better secure them! That reminded me of some advice I received while attending NECCDC in 2015 on how professional penetration testers must typically understand binary exploitation.

Anyways, I ended up down a rabbit hole last week, researching the various skills and avenues I could branch into. I’ve since been reading a lot about pen-testing in general. Tonight, I ran through some exercises of Over The Wire’s Bandit war game. Here goes:

Level 0

The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.

ssh -l bandit0 -p 2220 bandit.labs.overthewire.org

cat ~/readme
boJ9jbbUNNfktd78OOpsqOltutMc3MY1

Level 1

The password for the next level is stored in a file called - located in the home directory.

cat ./-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

Level 2

The password for the next level is stored in a file called spaces in this filename located in the home directory.

ssh -l bandit2 -p 2220 bandit.labs.overthewire.org

find / -name spaces
/usr/src/radare2/test/db/cmd/spaces

cat spaces\ in\ this\ filename
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

Level 3

The password for the next level is stored in a hidden file in the inhere directory.

find / -name inhere

find: ‘/root’: Permission denied
find: ‘/home/bandit28-git’: Permission denied
**/home/bandit4/inhere**
find: ‘/home/bandit30-git’: Permission denied
**/home/bandit5/inhere**
find: ‘/home/bandit5/inhere’: Permission denied
**/home/bandit3/inhere**
[35 more "find: … Permission denied" lines for directories bandit3 cannot read omitted]

bandit3@bandit:~$ cd /home/bandit3/inhere

bandit3@bandit:~/inhere$ ls -la
total 12
drwxr-xr-x 2 root    root    4096 May  7 20:14 .
drwxr-xr-x 3 root    root    4096 May  7 20:14 ..
-rw-r----- 1 bandit4 bandit3   33 May  7 20:14 .hidden

bandit3@bandit:~/inhere$ cat .hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB

Level 4

The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.

bandit4@bandit:~/inhere$ ls -la
total 48
drwxr-xr-x 2 root    root    4096 May  7 20:15 .
drwxr-xr-x 3 root    root    4096 May  7 20:14 ..
-rw-r----- 1 bandit5 bandit4   33 May  7 20:14 -file00
-rw-r----- 1 bandit5 bandit4   33 May  7 20:14 -file01
-rw-r----- 1 bandit5 bandit4   33 May  7 20:14 -file02
-rw-r----- 1 bandit5 bandit4   33 May  7 20:14 -file03
-rw-r----- 1 bandit5 bandit4   33 May  7 20:14 -file04
-rw-r----- 1 bandit5 bandit4   33 May  7 20:14 -file05
-rw-r----- 1 bandit5 bandit4   33 May  7 20:15 -file06
-rw-r----- 1 bandit5 bandit4   33 May  7 20:15 -file07
-rw-r----- 1 bandit5 bandit4   33 May  7 20:15 -file08
-rw-r----- 1 bandit5 bandit4   33 May  7 20:15 -file09

bandit4@bandit:~/inhere$ find . -name '-*' -exec cat {} \;
��p,k�;��r*��	�.!��C��J	�dx,��/`2ғ�%��rL~5�g��� �����ly���~��A�f����-E�{���m�����ܗM�����h!TQO�`�4"aל�߂phT��,�A�r�l$�?h�9('?�koReBOKuIDDepwhWk7jZC0RTdopnAYKh�n��J����{��@i�4�ו$��I&������c���ގ.�
e�)�#��5��
          ��p��V�_���ׯ�mm�e�0$�in=��_b�5FA�P7sz��gNbandit4@bandit:~/inhere$

I randomly tried the long string in the middle of the recursive cat dump, and it worked.

koReBOKuIDDepwhWk7jZC0RTdopnAYKh

Level 5

The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:
– human-readable
– 1033 bytes in size
– not executable

bandit5@bandit:~/inhere$ find . -type f -size 1033c -exec ls {} \;
./maybehere07/.file2

bandit5@bandit:~/inhere$ cat ./maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7

Level 6

The password for the next level is stored somewhere on the server and has all of the following properties:
– owned by user bandit7
– owned by group bandit6
– 33 bytes in size

This one took some trial and error…

bandit6@bandit:~$ history
    1  man find
    2  find / -type f -size 33c
    3  find / -type f -size 33c -exec ls {} \;
    4  find / -type f -size 33c -exec ls -la {} \;
    5  clear
    6  find / -type f -size 33c -exec ls -la {} \;
    7  find / -type f -size 33c -exec ls -la {} | grep bandit7 \;
    8  find / -type f -size 33c -exec ls -la {} \; | grep bandit7
    9  find / -type f -size 33c -exec ls -la {} \; | grep bandit7  | grep bandit6
   10  find / -type f -size 33c -exec ls -la {} \; | grep bandit7  | grep bandit6 | grep 33
   11  find / -type f -size 33c action 2>/dev/null -exec ls -la {} \; | grep bandit7  | grep bandit6 | grep 33
   12  find / -type f -size 33c -exec ls -la {} \ action 2>/dev/null; | grep bandit7  | grep bandit6 | grep 33
   13  find / -type f -size 33c -exec ls -la {} \ action 2>/dev/null;
   14  find / -type f -size 33c -exec ls -la {} action 2>/dev/null;
   15  find / -type f -size 33c -exec ls -la {} \ 2>/dev/null; | grep bandit7  | grep bandit6 | grep 33
   16  find / -type f -size 33c -exec ls -la {} \ 2>/dev/null | grep bandit7  | grep bandit6 | grep 33
   17  find / -type f -size 33c -exec ls -la {} \ 2>/dev/null | grep bandit7  | grep bandit6 | grep 33;
   18  find / -type f -size 33c -exec ls -la {} 2>/dev/null\; | grep bandit7  | grep bandit6 | grep 33
   19  find / -type f -size 33c -exec ls -la {} 2>/dev/null \; | grep bandit7  | grep bandit6 | grep 33
   20  find / -type f -size 33c -exec ls -la {} 2>/dev/null \;
   21  find / -type f -size 33c -exec ls -la {} 2>/dev/null \; | grep bandit7  | grep bandit6 | grep 33

But the final result worked!

bandit6@bandit:~$ find / -type f -size 33c -exec ls -la {} 2>/dev/null \; | grep bandit7  | grep bandit6 | grep 33
-rw-r----- 1 bandit7 bandit6 33 May  7 20:15 /var/lib/dpkg/info/bandit7.password
bandit6@bandit:~$
bandit6@bandit:~$ cat /var/lib/dpkg/info/bandit7.password
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
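An added example, not from the original post or from OverTheWire: it reproduces the Level 5 search in a throwaway directory, letting find's own size and permission tests plus a printable-byte check replace the cat-and-eyeball approach from Level 4, with stderr silenced the way the Level 6 history finally settled on. The function names, the sample tree and the decoy files are all constructed here.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the Level 5 search in a
# throwaway directory. Function names and the sample tree are constructed here.

# Assumed helper: succeed if the file holds only printable ASCII or whitespace
# bytes (the "human-readable" property the levels rely on).
is_human_readable() {
    [ "$(LC_ALL=C tr -d '[:print:][:space:]' < "$1" | wc -c)" -eq 0 ]
}

# List regular files under DIR that are exactly SIZE bytes, lack the owner
# execute bit (-perm -100 is the portable spelling of GNU's -executable) and
# pass the readability check. Stderr is discarded so "Permission denied"
# noise from unreadable directories does not bury the result.
find_candidate() {
    dir=$1; size=$2
    find "$dir" -type f -size "${size}c" ! -perm -100 2>/dev/null |
    while IFS= read -r f; do
        if is_human_readable "$f"; then printf '%s\n' "$f"; fi
    done
}

# Constructed sample tree mirroring the level: one matching hidden file plus
# decoys that each fail exactly one property. Prints the tree's root.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/maybehere01" "$root/maybehere07"
    head -c 1033 /dev/zero | tr '\0' 'A' > "$root/maybehere07/.file2"   # the answer
    head -c 1033 /dev/zero | tr '\0' 'B' > "$root/maybehere01/.file1"
    chmod u+x "$root/maybehere01/.file1"                                   # executable
    { printf '\001\002\003'; head -c 1030 /dev/zero | tr '\0' 'C'; } > "$root/maybehere01/.file3"  # binary bytes
    head -c 40 /dev/zero | tr '\0' 'D' > "$root/maybehere07/.file4"       # wrong size
    printf '%s\n' "$root"
}

# Stand-alone run: build the tree, search it, clean up.
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    find_candidate "$tree" 1033
    rm -rf "$tree"
fi
```

For Level 6 the same shape applies with find doing the filtering itself (`find / -type f -user bandit7 -group bandit6 -size 33c 2>/dev/null`) instead of the grep chain on ls output.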

Level 7

The password for the next level is stored in the file data.txt next to the word millionth.

bandit7@bandit:~$ find / -name data.txt 2>/dev/null
/home/bandit7/data.txt
/home/bandit8/data.txt
/home/bandit12/data.txt
/home/bandit9/data.txt
/home/bandit10/data.txt
/home/bandit11/data.txt

bandit7@bandit:~$ cat /home/bandit7/data.txt | grep millionth
millionth	cvX2JJa4CFALtqS87jk27qwqGhBM9plV

I’ll tackle some more of these later!