Skip to main content

67 posts tagged with "cybersecurity"

View All Tags

Bandit Level 13 → 14

Shubham
Cybersecurity Enthusiast

Login: ssh bandit13@bandit.labs.overthewire.org -p 2220
(you already logged in as bandit13 and found sshkey.private in the home directory)

Task

You are given a private SSH key file (sshkey.private) in the bandit13 home directory. Use that key locally to connect to the bandit14 account. After you successfully ssh to bandit14, read the file /etc/bandit_pass/bandit14 to get the next level password.


Quick solution (commands)

# copy the private key from the remote host to your local machine
scp -P 2220 bandit13@bandit.labs.overthewire.org:sshkey.private .

# secure the key locally (OpenSSH requires strict permissions)
chmod 600 sshkey.private

# use the key to login as bandit14
ssh -i sshkey.private -p 2220 bandit14@bandit.labs.overthewire.org

# once logged in as bandit14, read the password for the next level
cat /etc/bandit_pass/bandit14

Theory (a bit more — why this works)

  1. Public-key SSH authentication

    • Instead of a password, SSH can use an asymmetric key-pair: a private key (which you keep secret) and a public key (stored on the server).
    • If the server has the corresponding public key in the authorized_keys of an account, SSH proves you own the private key and logs you in as that account.
    • In this level you were given the private key for bandit14. Possessing that key is equivalent to having the password for bandit14 (for authentication purposes).
  2. scp

    • scp copies files over SSH. The -P 2220 option tells scp to use port 2220 (Bandit uses that port).
    • Example: scp -P 2220 bandit13@...:sshkey.private . copies sshkey.private from the remote bandit13 home to your current local directory.
  3. File permissions matter

    • OpenSSH refuses to use private key files that are readable by group or others. If a private key file is group/world-readable SSH prints a warning like:
      Permissions 0640 for 'sshkey.private' are too open.
    • The correct permission for private keys is `` (-rw-------) so that only the file owner can read/write it. 700 (-rwx------) also works but is non-standard (private keys usually don't need execute bit).
    • Use chmod 600 sshkey.private to fix permissions.
  4. Windows line endings

    • If the key was moved through Windows or edited with a Windows editor, it may contain CRLF ( ) line endings. SSH expects Unix LF ( ). Convert with dos2unix or a tr command if needed.
  5. Troubleshooting

    • If SSH refuses to authenticate, add verbose output to see why:
      ssh -vvv -i sshkey.private -p 2220 bandit14@bandit.labs.overthewire.org
      Look for messages about Offering public key and Authentication succeeded or Permission denied.
    • If you still get Permission denied (publickey), confirm:
      • The key file content is intact (no accidental edits).
      • File permissions are 600 and ownership is your user.
      • You used the correct user (bandit14) and port (2220).
  6. ssh-agent alternative

    • Instead of passing -i every time, add the key to your agent (keeps it in memory):
      ssh-add sshkey.private
      ssh -p 2220 bandit14@bandit.labs.overthewire.org

Full explained session (step-by-step)

  1. On the remote server (bandit13) — you discovered the key:
bandit13@bandit:~$ ls
sshkey.private
  1. From your local machine — copy the key here for use:
scp -P 2220 bandit13@bandit.labs.overthewire.org:sshkey.private .
# you will be prompted for the bandit13 password
  1. Secure the key file
# make it readable only by you
chmod 600 sshkey.private
# verify
ls -l sshkey.private
# output should look like: -rw------- 1 youruser yourgroup 1675 Sep 19 12:34 sshkey.private
  1. Attempt SSH using the key
ssh -i sshkey.private -p 2220 bandit14@bandit.labs.overthewire.org
  • On first connect you'll likely be asked to accept the host fingerprint — answer yes.
  • If the key works you'll be dropped into a shell as bandit14.
  1. Read the next-level password
cat /etc/bandit_pass/bandit14
# this prints the password you need for the next level

Example (what you might see)

$ scp -P 2220 bandit13@bandit.labs.overthewire.org:sshkey.private .
bandit13@bandit.labs.overthewire.org's password:
sshkey.private 100% 1675 1.6KB/s 00:00

$ chmod 600 sshkey.private
$ ssh -i sshkey.private -p 2220 bandit14@bandit.labs.overthewire.org
The authenticity of host '[bandit.labs.overthewire.org]:2220 ([IP]:2220)' can't be established.
ECDSA key fingerprint is SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
Are you sure you want to continue connecting (yes/no)? yes
Welcome to bandit...
$ cat /etc/bandit_pass/bandit14
<the-password-for-bandit15>

Cleanup & security reminder

  • This is a game environment, but in real life never share private keys publicly (e.g., push them to GitHub). Remove keys from your local machine when you no longer need them:
shred -u sshkey.private   # securely delete
# or simply: rm sshkey.private
  • If you ever suspect a private key has been exposed, revoke it on the server (remove the corresponding public key from ~/.ssh/authorized_keys) and generate a new key pair.

If you want, I can:

  • shorten this into a one-page README.md suitable for GitHub, or
  • create a small diagram explaining public/private key flow, or
  • add the exact ssh -vvv debugging output to the doc (if you paste your session output).

Tell me which you prefer and I will update the file.

`

Bandit Level 14 → 15

Shubham
Cybersecurity Enthusiast

Bandit Level 14 → 15

Login : ssh bandit14@bandit.labs.overthewire.org -p 2220

password : MU4VWeTyJk8ROof1qqmcBPaLh7lDCPvS

Task

Send the current password to a service listening on port 30000 on localhost. The service will respond with the password for the next level.

Quick theory

The current password for your level is stored in /etc/bandit_pass/bandit14. nc (netcat) can open a TCP connection and send data: echo "<password>" | nc localhost 30000 The service expects the correct current password on stdin and prints the next-level password when correct.

Solution

Read the current password and send it to the service:

bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
MU4VWeTyJk8ROof1qqmcBPaLh7lDCPvS

bandit14@bandit:~$ echo "MU4VWeTyJk8ROof1qqmcBPaLh7lDCPvS" | nc localhost 30000
Correct!
8xCjnmgoKbGLhHFAZlGE5Tmu4M2tKJQo

(If you get Wrong! Please enter the correct current password., double-check you sent the exact contents of /etc/bandit_pass/bandit14 including case and with no extra whitespace.)

`

Bandit Level 15 → 16

Shubham
Cybersecurity Enthusiast

Bandit Level 15 → 16

Login : ssh bandit15@bandit.labs.overthewire.org -p 2220

Password : 8xCjnmgoKbGLhHFAZlGE5Tmu4M2tKJQo

Task

Send the current password for bandit15 to a service listening on localhost:30001. This time, the service requires an SSL/TLS connection. If the password is correct, the server will return the next password.

Quick theory

openssl s_client -connect host:port lets us establish an SSL/TLS connection to a given service. Adding -quiet suppresses certificate and debug output, making it easier to see just the server response. We can provide the password directly using input redirection <<< "password" or piping echo "password" | openssl ....

bandit15@bandit:~$ openssl s_client -connect localhost:30001 -quiet <<< "8xCjnmgoKbGLhHFAZlGE5Tmu4M2tKJQo"

Can't use SSL_get_servername
depth=0 CN = SnakeOil
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN = SnakeOil
verify return:1
Correct!
kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx

`

Bandit Level 16 → 17

Shubham
Cybersecurity Enthusiast

Bandit 16 to 17

login : ssh bandit16@bandit.labs.overthewire.org -p 2220
password : kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx

Task

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

Quick theory

Bandit16 runs a set of TCP servers on localhost:31000–32000.
Most servers simply echo back what you send.
A few require SSL/TLS (openssl s_client can be used).
The correct server will return a private key when you send the current password.

Tools you’ll use:
nmap → find open ports and detect services.
nc (netcat) → interact with non-SSL servers.
openssl s_client → interact with SSL servers.

Solution

bandit16@bandit:~$ nmap -sV localhost -p 31000-32000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-23 19:23 UTC

bandit16@bandit:~$ nmap -sV localhost -p 31000-32000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-23 19:25 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
31046/tcp open echo
31518/tcp open ssl/echo
31691/tcp open echo
31790/tcp open ssl/unknown
31960/tcp open echo
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port31790-TCP:V=7.94SVN%T=SSL%I=7%D=9/23%Time=68D2F426%P=x86_64-pc-linu
SF:x-gnu%r(GenericLines,32,"Wrong!\x20Please\x20enter\x20the\x20correct\x2
SF:0current\x20password\.\n")%r(GetRequest,32,"Wrong!\x20Please\x20enter\x
SF:20the\x20correct\x20current\x20password\.\n")%r(HTTPOptions,32,"Wrong!\
SF:x20Please\x20enter\x20the\x20correct\x20current\x20password\.\n")%r(RTS
SF:PRequest,32,"Wrong!\x20Please\x20enter\x20the\x20correct\x20current\x20
SF:password\.\n")%r(Help,32,"Wrong!\x20Please\x20enter\x20the\x20correct\x
SF:20current\x20password\.\n")%r(FourOhFourRequest,32,"Wrong!\x20Please\x2
SF:0enter\x20the\x20correct\x20current\x20password\.\n")%r(LPDString,32,"W
SF:rong!\x20Please\x20enter\x20the\x20correct\x20current\x20password\.\n")
SF:%r(SIPOptions,32,"Wrong!\x20Please\x20enter\x20the\x20correct\x20curren
SF:t\x20password\.\n");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 142.61 seconds

So, nmap tells us that five ports are open. Only two ports (31518 and 31790) use SSL. Nmap also tells us that port 31518 runs only the echo service. The promising port seems to be port 31790, which runs an unknown service.
Now we use OpenSSL again to connect to this port on localhost and send the password.

bandit16@bandit:~$ openssl s_client -connect localhost:31790 -quiet 
Can't use SSL_get_servername
depth=0 CN = SnakeOil
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN = SnakeOil
verify return:1
kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx
Correct!
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
-----END RSA PRIVATE KEY-----

bandit16@bandit:~$ exit
logout
Connection to bandit.labs.overthewire.org closed.
shubhamdchhatbar@shubhams-MacBook-Air ~ % vim sshkey17.private
shubhamdchhatbar@shubhams-MacBook-Air ~ % nano sshkey17.private
shubhamdchhatbar@shubhams-MacBook-Air ~ % nano sshkey17.private
shubhamdchhatbar@shubhams-MacBook-Air ~ % chmod 700 sshkey17.private
shubhamdchhatbar@shubhams-MacBook-Air ~ % ssh -i sshkey17.private bandit17@bandit.labs.overthewire.org p -2220

This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames

!!! You are trying to log into this SSH server on port 22, which is not intended.
!!! If you are trying to log in to an OverTheWire game, use the port mentioned in
!!! the "SSH Information" on that game's webpage (in the top left corner).

bandit17@bandit.labs.overthewire.org: Permission denied (publickey).
shubhamdchhatbar@shubhams-MacBook-Air ~ % ssh -i sshkey17.private -p 2220 bandit17@bandit.labs.overthewire.org
_ _ _ _
| |__ __ _ _ __ __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|


This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames

backend: gibson-1

,----.. ,----, .---.
/ / \ ,/ .`| /. ./|
/ . : ,` .' : .--'. ' ;
. / ;. \ ; ; / /__./ \ : |
. ; / ` ; .'___,/ ,' .--'. ' \' .
; | ; \ ; | | : | /___/ \ | ' '
| : | ; | ' ; |.'; ; ; \ \; :
. | ' ' ' : `----' | | \ ; ` |
' ; \; / | ' : ; . \ .\ ;
\ \ ', / | | ' \ \ ' \ |
; : / ' : | : ' |--"
\ \ .' ; |.' \ \ ;
www. `---` ver '---' he '---" ire.org


Welcome to OverTheWire!

If you find any problems, please report them to the #wargames channel on
discord or IRC.

--[ Playing the games ]--

This machine might hold several wargames.
If you are playing "somegame", then:

* USERNAMES are somegame0, somegame1, ...
* Most LEVELS are stored in /somegame/.
* PASSWORDS for each level are stored in /etc/somegame_pass/.

Write-access to homedirectories is disabled. It is advised to create a
working directory with a hard-to-guess name in /tmp/. You can use the
command "mktemp -d" in order to generate a random and hard to guess
directory in /tmp/. Read-access to both /tmp/ is disabled and to /proc
restricted so that users cannot snoop on eachother. Files and directories
with easily guessable or short names will be periodically deleted! The /tmp
directory is regularly wiped.
Please play nice:

* don't leave orphan processes running
* don't leave exploit-files laying around
* don't annoy other players
* don't post passwords or spoilers
* again, DONT POST SPOILERS!
This includes writeups of your solution on your blog or website!

--[ Tips ]--

This machine has a 64bit processor and many security-features enabled
by default, although ASLR has been switched off. The following
compiler flags might be interesting:

-m32 compile for 32bit
-fno-stack-protector disable ProPolice
-Wl,-z,norelro disable relro

In addition, the execstack tool can be used to flag the stack as
executable on ELF binaries.

Finally, network-access is limited for most levels by a local
firewall.

--[ Tools ]--

For your convenience we have installed a few useful tools which you can find
in the following locations:

* gef (https://github.com/hugsy/gef) in /opt/gef/
* pwndbg (https://github.com/pwndbg/pwndbg) in /opt/pwndbg/
* gdbinit (https://github.com/gdbinit/Gdbinit) in /opt/gdbinit/
* pwntools (https://github.com/Gallopsled/pwntools)
* radare2 (http://www.radare.org/)

--[ More information ]--

For more information regarding individual wargames, visit
http://www.overthewire.org/wargames/

For support, questions or comments, contact us on discord or IRC.

Enjoy your stay!

bandit17@bandit:

`

Bandit Level 10 → 11

Shubham
Cybersecurity Enthusiast

Login: ssh bandit10@bandit.labs.overthewire.org -p 2220
Password: FGUW5ilLVJrxX9kMYMmlN4MgbpfMiqey

task

The password for the next level is stored in the file data.txt, which contains base64 encoded data.

theory lil bit

  1. Base64: This is a group of binary-to-text encoding schemes that represent binary data in an ASCII string format. It is commonly used when there is a need to encode binary data that needs to be stored and transferred over media that are designed to deal with textual data.
  2. base64 command: This utility is used to encode or decode data.
    • The -d (or --decode) flag is used to transform base64 encoded data back into its original plaintext form.
  3. Identification: You can often recognize Base64 by its character set (A-Z, a-z, 0-9, +, /) and the use of = padding at the end of the string.

solution

bandit10@bandit:~$ ls
data.txt
bandit10@bandit:~$ cat data.txt
VGhlIHBhc3N3b3JkIGlzIGR0UjE3M2ZaS2IwUlJzREZTR3NnMlJXbnBOVmozcVJyCg==
bandit10@bandit:~$ base64 -d data.txt
The password is dtR173fZKb0RRsDFSGsg2RWnpNVj3qRr

`

Bandit Level 11 → 12

Shubham
Cybersecurity Enthusiast

Login: ssh bandit11@bandit.labs.overthewire.org -p 2220
Password: dtR173fZKb0RRsDFSGsg2RWnpNVj3qRr

task

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions.

theory lil bit

  1. ROT13: This is a simple substitution cipher that replaces a letter with the 13th letter after it in the alphabet. Since there are 26 letters in the English alphabet, applying ROT13 twice restores the original text.
  2. tr (translate): This command is used for translating or deleting characters.
    • The syntax tr 'A-Za-z' 'N-ZA-Mn-za-m' maps the first half of the alphabet to the second half and vice versa.
    • Specifically, it maps A to N, B to O, and so on, effectively shifting everything by 13 places.
  3. Symmetry: ROT13 is its own inverse; you use the exact same command to both encrypt and decrypt the message.

solution

bandit11@bandit:~$ ls
data.txt
bandit11@bandit:~$ cat data.txt
Gur cnffjbeq vf 7k16JArUVv5LxIuJfsSVdbbtahGlw9D4
bandit11@bandit:~$ cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'
The password is 7x16WNeHIi5YkIhWsfFIqoognUTyj9Q4

`

Bandit Level 8 → 9

Shubham
Cybersecurity Enthusiast

Login: ssh bandit8@bandit.labs.overthewire.org -p 2220
Password: dfwvzFQi4mU0wfNbFOe9RoWskMLg7eEc

task

The password for the next level is stored in the file data.txt and is the only line of text that occurs only once.

theory lil bit

  1. sort: Sorts lines of text files. This is necessary because uniq only detects duplicate lines if they are adjacent (one after another).
  2. uniq -u: The uniq command filters out repeated lines. The -u flag specifically tells it to only print lines that are unique (lines that appear exactly once in the input).
  3. The Pipe (|): Used to send the sorted output of the file directly into the uniq command for filtering.

solution

bandit8@bandit:~$ ls
data.txt
bandit8@bandit:~$ sort data.txt | uniq -u
4CKMh1JI91bUIZZPXDqGanal4xvAg0JM

`

Bandit Level 9 → 10

Shubham
Cybersecurity Enthusiast

Login: ssh bandit9@bandit.labs.overthewire.org -p 2220
Password: 4CKMh1JI91bUIZZPXDqGanal4xvAg0JM

task

The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.

theory lil bit

  1. strings: This command extracts human-readable character sequences from binary or data files. It is essential when a file contains non-printable characters that would mess up your terminal if you used cat.
  2. grep: Filters the output of the strings command to find the specific pattern of equal signs (=) mentioned in the task.
  3. Efficiency: Combining these tools allows you to sift through a large, messy data file to find a specific string without having to read through thousands of lines of gibberish.

solution

bandit9@bandit:~$ ls
data.txt
bandit9@bandit:~$ strings data.txt | grep "=="
========== the
========== password
f\Z'========== is
========== FGUW5ilLVJrxX9kMYMmlN4MgbpfMiqey

`

Bandit Level 0 → 1

Shubham
Cybersecurity Enthusiast

connect to bandit's server using ssh using command given below

ssh bandit0@bandit.labs.overthewire.org -p 2220

then follow the given commands below:
ls - gives the list of files/folders
cat - read the file contents

bandit0@bandit:~$ ls
readme
bandit0@bandit:~$ cat readme
Congratulations on your first steps into the bandit game!!
Please make sure you have read the rules at https://overthewire.org/rules/
If you are following a course, workshop, walkthrough or other educational activity,
please inform the instructor about the rules as well and encourage them to
contribute to the OverTheWire community so we can keep these games free!

The password you are looking for is: ZjLjTmM6FvvyRnrb2rfNWOZOTa6ip5If

bandit0@bandit:~$

`

Bandit Level 1 → 2

Shubham
Cybersecurity Enthusiast

Login

  • SSH: ssh bandit1@bandit.labs.overthewire.org -p 2220
  • Password: ZjLjTmM6FvvyRnrb2rfNWOZOTa6ip5If

Task

Find the password stored in a file called -.

Theory

  • - is a special character in Linux (used for options/flags).
  • Directly running cat - won’t work.
  • To reference such files, we use a relative path like ./-.

Solution

First, check files in the directory:

bandit1@bandit:~$ ls
-
bandit1@bandit:~$ cat ./-
263JGJPfgU6LtdEvgfWU1XP5yac29mFx

`