Skip to main content

47 posts tagged with "overthewire"

View All Tags

Bandit Level 14 → 15

Shubham
Cybersecurity Enthusiast

Bandit Level 14 → 15

Login : ssh bandit14@bandit.labs.overthewire.org -p 2220

password : MU4VWeTyJk8ROof1qqmcBPaLh7lDCPvS

Task

Send the current password to a service listening on port 30000 on localhost. The service will respond with the password for the next level.

Quick theory

The current password for your level is stored in /etc/bandit_pass/bandit14. nc (netcat) can open a TCP connection and send data: echo "<password>" | nc localhost 30000 The service expects the correct current password on stdin and prints the next-level password when correct.

Solution

Read the current password and send it to the service:

bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
MU4VWeTyJk8ROof1qqmcBPaLh7lDCPvS

bandit14@bandit:~$ echo "MU4VWeTyJk8ROof1qqmcBPaLh7lDCPvS" | nc localhost 30000
Correct!
8xCjnmgoKbGLhHFAZlGE5Tmu4M2tKJQo

(If you get Wrong! Please enter the correct current password., double-check you sent the exact contents of /etc/bandit_pass/bandit14 including case and with no extra whitespace.)

`

Bandit Level 15 → 16

Shubham
Cybersecurity Enthusiast

Bandit Level 15 → 16

Login : ssh bandit15@bandit.labs.overthewire.org -p 2220

Password : 8xCjnmgoKbGLhHFAZlGE5Tmu4M2tKJQo

Task

Send the current password for bandit15 to a service listening on localhost:30001. This time, the service requires an SSL/TLS connection. If the password is correct, the server will return the next password.

Quick theory

openssl s_client -connect host:port lets us establish an SSL/TLS connection to a given service. Adding -quiet suppresses certificate and debug output, making it easier to see just the server response. We can provide the password directly using input redirection <<< "password" or piping echo "password" | openssl ....

bandit15@bandit:~$ openssl s_client -connect localhost:30001 -quiet <<< "8xCjnmgoKbGLhHFAZlGE5Tmu4M2tKJQo"

Can't use SSL_get_servername
depth=0 CN = SnakeOil
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN = SnakeOil
verify return:1
Correct!
kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx

`

Bandit Level 16 → 17

Shubham
Cybersecurity Enthusiast

Bandit 16 to 17

login : ssh bandit16@bandit.labs.overthewire.org -p 2220
password : kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx

Task

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

Quick theory

Bandit16 runs a set of TCP servers on localhost:31000–32000.
Most servers simply echo back what you send.
A few require SSL/TLS (openssl s_client can be used).
The correct server will return a private key when you send the current password.

Tools you’ll use:
nmap → find open ports and detect services.
nc (netcat) → interact with non-SSL servers.
openssl s_client → interact with SSL servers.

Solution

bandit16@bandit:~$ nmap -sV localhost -p 31000-32000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-23 19:23 UTC

bandit16@bandit:~$ nmap -sV localhost -p 31000-32000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-23 19:25 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
31046/tcp open echo
31518/tcp open ssl/echo
31691/tcp open echo
31790/tcp open ssl/unknown
31960/tcp open echo
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port31790-TCP:V=7.94SVN%T=SSL%I=7%D=9/23%Time=68D2F426%P=x86_64-pc-linu
SF:x-gnu%r(GenericLines,32,"Wrong!\x20Please\x20enter\x20the\x20correct\x2
SF:0current\x20password\.\n")%r(GetRequest,32,"Wrong!\x20Please\x20enter\x
SF:20the\x20correct\x20current\x20password\.\n")%r(HTTPOptions,32,"Wrong!\
SF:x20Please\x20enter\x20the\x20correct\x20current\x20password\.\n")%r(RTS
SF:PRequest,32,"Wrong!\x20Please\x20enter\x20the\x20correct\x20current\x20
SF:password\.\n")%r(Help,32,"Wrong!\x20Please\x20enter\x20the\x20correct\x
SF:20current\x20password\.\n")%r(FourOhFourRequest,32,"Wrong!\x20Please\x2
SF:0enter\x20the\x20correct\x20current\x20password\.\n")%r(LPDString,32,"W
SF:rong!\x20Please\x20enter\x20the\x20correct\x20current\x20password\.\n")
SF:%r(SIPOptions,32,"Wrong!\x20Please\x20enter\x20the\x20correct\x20curren
SF:t\x20password\.\n");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 142.61 seconds

So, nmap tells us that five ports are open. Only two ports (31518 and 31790) use SSL. Nmap also tells us that port 31518 runs only the echo service. The promising port seems to be port 31790, which runs an unknown service.
Now we use OpenSSL again to connect to this port on localhost and send the password.

bandit16@bandit:~$ openssl s_client -connect localhost:31790 -quiet 
Can't use SSL_get_servername
depth=0 CN = SnakeOil
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN = SnakeOil
verify return:1
kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx
Correct!
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
-----END RSA PRIVATE KEY-----

bandit16@bandit:~$ exit
logout
Connection to bandit.labs.overthewire.org closed.
shubhamdchhatbar@shubhams-MacBook-Air ~ % vim sshkey17.private
shubhamdchhatbar@shubhams-MacBook-Air ~ % nano sshkey17.private
shubhamdchhatbar@shubhams-MacBook-Air ~ % nano sshkey17.private
shubhamdchhatbar@shubhams-MacBook-Air ~ % chmod 700 sshkey17.private
shubhamdchhatbar@shubhams-MacBook-Air ~ % ssh -i sshkey17.private bandit17@bandit.labs.overthewire.org p -2220

This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames

!!! You are trying to log into this SSH server on port 22, which is not intended.
!!! If you are trying to log in to an OverTheWire game, use the port mentioned in
!!! the "SSH Information" on that game's webpage (in the top left corner).

bandit17@bandit.labs.overthewire.org: Permission denied (publickey).
shubhamdchhatbar@shubhams-MacBook-Air ~ % ssh -i sshkey17.private -p 2220 bandit17@bandit.labs.overthewire.org
_ _ _ _
| |__ __ _ _ __ __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|


This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames

backend: gibson-1

,----.. ,----, .---.
/ / \ ,/ .`| /. ./|
/ . : ,` .' : .--'. ' ;
. / ;. \ ; ; / /__./ \ : |
. ; / ` ; .'___,/ ,' .--'. ' \' .
; | ; \ ; | | : | /___/ \ | ' '
| : | ; | ' ; |.'; ; ; \ \; :
. | ' ' ' : `----' | | \ ; ` |
' ; \; / | ' : ; . \ .\ ;
\ \ ', / | | ' \ \ ' \ |
; : / ' : | : ' |--"
\ \ .' ; |.' \ \ ;
www. `---` ver '---' he '---" ire.org


Welcome to OverTheWire!

If you find any problems, please report them to the #wargames channel on
discord or IRC.

--[ Playing the games ]--

This machine might hold several wargames.
If you are playing "somegame", then:

* USERNAMES are somegame0, somegame1, ...
* Most LEVELS are stored in /somegame/.
* PASSWORDS for each level are stored in /etc/somegame_pass/.

Write-access to homedirectories is disabled. It is advised to create a
working directory with a hard-to-guess name in /tmp/. You can use the
command "mktemp -d" in order to generate a random and hard to guess
directory in /tmp/. Read-access to both /tmp/ is disabled and to /proc
restricted so that users cannot snoop on eachother. Files and directories
with easily guessable or short names will be periodically deleted! The /tmp
directory is regularly wiped.
Please play nice:

* don't leave orphan processes running
* don't leave exploit-files laying around
* don't annoy other players
* don't post passwords or spoilers
* again, DONT POST SPOILERS!
This includes writeups of your solution on your blog or website!

--[ Tips ]--

This machine has a 64bit processor and many security-features enabled
by default, although ASLR has been switched off. The following
compiler flags might be interesting:

-m32 compile for 32bit
-fno-stack-protector disable ProPolice
-Wl,-z,norelro disable relro

In addition, the execstack tool can be used to flag the stack as
executable on ELF binaries.

Finally, network-access is limited for most levels by a local
firewall.

--[ Tools ]--

For your convenience we have installed a few useful tools which you can find
in the following locations:

* gef (https://github.com/hugsy/gef) in /opt/gef/
* pwndbg (https://github.com/pwndbg/pwndbg) in /opt/pwndbg/
* gdbinit (https://github.com/gdbinit/Gdbinit) in /opt/gdbinit/
* pwntools (https://github.com/Gallopsled/pwntools)
* radare2 (http://www.radare.org/)

--[ More information ]--

For more information regarding individual wargames, visit
http://www.overthewire.org/wargames/

For support, questions or comments, contact us on discord or IRC.

Enjoy your stay!

bandit17@bandit:

`

Bandit Level 10 → 11

Shubham
Cybersecurity Enthusiast

Login: ssh bandit10@bandit.labs.overthewire.org -p 2220
Password: FGUW5ilLVJrxX9kMYMmlN4MgbpfMiqey

task

The password for the next level is stored in the file data.txt, which contains base64 encoded data.

theory lil bit

  1. Base64: This is a group of binary-to-text encoding schemes that represent binary data in an ASCII string format. It is commonly used when there is a need to encode binary data that needs to be stored and transferred over media that are designed to deal with textual data.
  2. base64 command: This utility is used to encode or decode data.
    • The -d (or --decode) flag is used to transform base64 encoded data back into its original plaintext form.
  3. Identification: You can often recognize Base64 by its character set (A-Z, a-z, 0-9, +, /) and the use of = padding at the end of the string.

solution

bandit10@bandit:~$ ls
data.txt
bandit10@bandit:~$ cat data.txt
VGhlIHBhc3N3b3JkIGlzIGR0UjE3M2ZaS2IwUlJzREZTR3NnMlJXbnBOVmozcVJyCg==
bandit10@bandit:~$ base64 -d data.txt
The password is dtR173fZKb0RRsDFSGsg2RWnpNVj3qRr

`

Bandit Level 11 → 12

Shubham
Cybersecurity Enthusiast

Login: ssh bandit11@bandit.labs.overthewire.org -p 2220
Password: dtR173fZKb0RRsDFSGsg2RWnpNVj3qRr

task

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions.

theory lil bit

  1. ROT13: This is a simple substitution cipher that replaces a letter with the 13th letter after it in the alphabet. Since there are 26 letters in the English alphabet, applying ROT13 twice restores the original text.
  2. tr (translate): This command is used for translating or deleting characters.
    • The syntax tr 'A-Za-z' 'N-ZA-Mn-za-m' maps the first half of the alphabet to the second half and vice versa.
    • Specifically, it maps A to N, B to O, and so on, effectively shifting everything by 13 places.
  3. Symmetry: ROT13 is its own inverse; you use the exact same command to both encrypt and decrypt the message.

solution

bandit11@bandit:~$ ls
data.txt
bandit11@bandit:~$ cat data.txt
Gur cnffjbeq vf 7k16JArUVv5LxIuJfsSVdbbtahGlw9D4
bandit11@bandit:~$ cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'
The password is 7x16WNeHIi5YkIhWsfFIqoognUTyj9Q4

`

Bandit Level 8 → 9

Shubham
Cybersecurity Enthusiast

Login: ssh bandit8@bandit.labs.overthewire.org -p 2220
Password: dfwvzFQi4mU0wfNbFOe9RoWskMLg7eEc

task

The password for the next level is stored in the file data.txt and is the only line of text that occurs only once.

theory lil bit

  1. sort: Sorts lines of text files. This is necessary because uniq only detects duplicate lines if they are adjacent (one after another).
  2. uniq -u: The uniq command filters out repeated lines. The -u flag specifically tells it to only print lines that are unique (lines that appear exactly once in the input).
  3. The Pipe (|): Used to send the sorted output of the file directly into the uniq command for filtering.

solution

bandit8@bandit:~$ ls
data.txt
bandit8@bandit:~$ sort data.txt | uniq -u
4CKMh1JI91bUIZZPXDqGanal4xvAg0JM

`

Bandit Level 9 → 10

Shubham
Cybersecurity Enthusiast

Login: ssh bandit9@bandit.labs.overthewire.org -p 2220
Password: 4CKMh1JI91bUIZZPXDqGanal4xvAg0JM

task

The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.

theory lil bit

  1. strings: This command extracts human-readable character sequences from binary or data files. It is essential when a file contains non-printable characters that would mess up your terminal if you used cat.
  2. grep: Filters the output of the strings command to find the specific pattern of equal signs (=) mentioned in the task.
  3. Efficiency: Combining these tools allows you to sift through a large, messy data file to find a specific string without having to read through thousands of lines of gibberish.

solution

bandit9@bandit:~$ ls
data.txt
bandit9@bandit:~$ strings data.txt | grep "=="
========== the
========== password
f\Z'========== is
========== FGUW5ilLVJrxX9kMYMmlN4MgbpfMiqey

`

Bandit Level 0 → 1

Shubham
Cybersecurity Enthusiast

connect to bandit's server using ssh using command given below

ssh bandit0@bandit.labs.overthewire.org -p 2220

then follow the given commands below:
ls - gives the list of files/folders
cat - read the file contents

bandit0@bandit:~$ ls
readme
bandit0@bandit:~$ cat readme
Congratulations on your first steps into the bandit game!!
Please make sure you have read the rules at https://overthewire.org/rules/
If you are following a course, workshop, walkthrough or other educational activity,
please inform the instructor about the rules as well and encourage them to
contribute to the OverTheWire community so we can keep these games free!

The password you are looking for is: ZjLjTmM6FvvyRnrb2rfNWOZOTa6ip5If

bandit0@bandit:~$

`

Bandit Level 1 → 2

Shubham
Cybersecurity Enthusiast

Login

  • SSH: ssh bandit1@bandit.labs.overthewire.org -p 2220
  • Password: ZjLjTmM6FvvyRnrb2rfNWOZOTa6ip5If

Task

Find the password stored in a file called -.

Theory

  • - is a special character in Linux (used for options/flags).
  • Directly running cat - won’t work.
  • To reference such files, we use a relative path like ./-.

Solution

First, check files in the directory:

bandit1@bandit:~$ ls
-
bandit1@bandit:~$ cat ./-
263JGJPfgU6LtdEvgfWU1XP5yac29mFx

`

Bandit Level 2 → 3

Shubham
Cybersecurity Enthusiast

Login

  • SSH: ssh bandit2@bandit.labs.overthewire.org -p 2220
  • Password: MNk8KNH3Usiio41PRUEoDFPqfxLPlSmx

Task

The password is stored in a file named --spaces in this filename-- in the home directory.

Theory

  • Filenames with spaces need to be quoted ("filename") or escaped using \.
bandit2@bandit:~$ ls
--spaces in this filename--
- bandit2@bandit:~$ cat -- "--spaces in this filename--"
MNk8KNH3Usiio41PRUEoDFPqfxLPlSmx

`