OverTheWire - Bandit Level 5

This time we run into files that are not “human-readable,” including output that messes up our terminal. But that gives us the opportunity to learn how both CTRL-L and the reset command can help clear the terminal. We also get a preview of the power of “piping” commands together.

Level Instructions

The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the reset command.

Level Solution

First we have to log in via SSH as the previous level’s user bandit4 (using their password pIwrPrtPN36QITSp3EQaw936yaFoFgAB, which we found in the previous level).

1. Connecting

ssh bandit4@bandit.labs.overthewire.org -p 2220
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit4@bandit.labs.overthewire.org's password: 

Just copy and paste the password pIwrPrtPN36QITSp3EQaw936yaFoFgAB when prompted, and hit ENTER. You won’t see a cursor. That’s normal.

2. Searching

We know the file is in a directory called inhere, so let’s start by locating that directory, for example by pointing the find command at that name and asking for directories only:

bandit4@bandit:~$ find inhere -type d
inhere

The argument -type d focuses the search on directories only, no other file types.

That was easy! It’s located in the same directory we are already in (i.e. inside the user’s home), which means we would also see it if we just list all files where we are using ls:

bandit4@bandit:~$ ls
inhere

In this case there is no need to add the -la arguments, since the directory itself is not hidden.

Anyway, let’s use cd to go inside the directory and list what’s in it using ls -la:

bandit4@bandit:~$ cd inhere/
bandit4@bandit:~/inhere$ ls -la
total 48
drwxr-xr-x 2 root    root    4096 May  7 20:15 .
drwxr-xr-x 3 root    root    4096 May  7 20:14 ..
-rw-r----- 1 bandit5 bandit4   33 May  7 20:14 -file00
-rw-r----- 1 bandit5 bandit4   33 May  7 20:14 -file01
-rw-r----- 1 bandit5 bandit4   33 May  7 20:14 -file02
-rw-r----- 1 bandit5 bandit4   33 May  7 20:14 -file03
-rw-r----- 1 bandit5 bandit4   33 May  7 20:14 -file04
-rw-r----- 1 bandit5 bandit4   33 May  7 20:14 -file05
-rw-r----- 1 bandit5 bandit4   33 May  7 20:15 -file06
-rw-r----- 1 bandit5 bandit4   33 May  7 20:15 -file07
-rw-r----- 1 bandit5 bandit4   33 May  7 20:15 -file08
-rw-r----- 1 bandit5 bandit4   33 May  7 20:15 -file09
bandit4@bandit:~/inhere$ 

We can see 10 files, all with the same file size (33 bytes), which doesn’t give us any hint as to which file we are after. It’s supposed to be the “only human-readable file”, which probably means that the data inside it is ASCII text rather than binary, video, hex, or encrypted data. Let’s have a look at the first file using cat:

bandit4@bandit:~/inhere$ cat ./-file00
�/`2ғ�%��rL~5�g��� �����bandit4@bandit:~/inhere$ 

Note that the filename starts with a dash (-), so we need to precede it with a period and slash (./). Otherwise cat would interpret the name as a command-line option.

The output we get in the terminal looks like raw data, which is unreadable garbage to us and messes up the terminal! Luckily, we can easily clear the command line by hitting CTRL-L or submitting the reset command. As the keyboard shortcut is faster and easier to execute than the command, I recommend you try it out first. If the garbage has changed the state of the terminal itself (for example, typed characters no longer display correctly), CTRL-L won’t fix that, and reset is the one to use.

While we could use cat on each file, it would be tedious to go through up to 10 files that way, and that method wouldn’t be feasible if we had to go through hundreds or thousands of files. So let’s use a new command called file to determine the file type. This command does not care about the file’s extension, but actually examines the content inside:

bandit4@bandit:~/inhere$ file ./*
./-file00: data
./-file01: data
./-file02: data
./-file03: data
./-file04: data
./-file05: data
./-file06: data
./-file07: ASCII text
./-file08: data
./-file09: data

That was easy! We could already grab the flag by outputting what’s inside -file07. However, before we do that, let’s learn something new called “piping”:

Piping

A “pipe” is a form of redirection that is used in Linux to send the output of one command to another command for further processing. It basically combines two commands, thus the output of the first command acts as input to the following command. You can make it do so by using the pipe character | between two commands on the terminal.

Here’s an example of the previous file command being piped into another command called grep which filters out everything except lines that match the argument you give it. Think of it as “grabbing” stuff to narrow things down:

bandit4@bandit:~/inhere$ file ./* | grep ASCII
./-file07: ASCII text

The argument ASCII after grep makes sure we only “grab” the output of the previous command file ./* that includes that word. In this case, only 1 line contained the text “ASCII”. Just imagine how useful this would be if we had to parse through tons of files!
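As an added example (not part of the original walkthrough), here is the same search done without the file command, by checking that a file contains nothing but printable ASCII and whitespace, which is roughly what file reports as “ASCII text”. It goes a step beyond the level by never printing binary content to the terminal, and it runs against a constructed stand-in for inhere; the function names make_lab, is_text and find_text_files are made up for this example.

```shell
#!/usr/bin/env bash
# Added example: works on a constructed lab directory, not the Bandit server.
set -eu

# Build a throwaway directory shaped like "inhere": dash-prefixed files,
# nine holding non-printable bytes and one holding a line of plain text.
make_lab() {
    d=$(mktemp -d)
    for i in 00 01 02 03 04 05 06 08 09; do
        # Constructed sample: control bytes, an escape sequence, high bytes.
        printf '\001\033[2J\200\377 raw bytes %s\n' "$i" > "$d/-file$i"
    done
    printf 'constructed-sample-password-0000\n' > "$d/-file07"
    printf '%s\n' "$d"
}

# A file counts as human-readable if it is non-empty and nothing is left
# after deleting every printable ASCII character and every whitespace byte.
is_text() {
    [ -s "$1" ] || return 1
    leftover=$(( $(LC_ALL=C tr -d '[:print:][:space:]' < "$1" | wc -c) ))
    [ "$leftover" -eq 0 ]
}

# Print the names of the human-readable files in a directory.
# "$dir"/* always expands to a path that starts with the directory, so a
# leading dash in the file name is never mistaken for an option (the same
# reason the walkthrough uses ./*), and the content only ever goes to tr.
find_text_files() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if is_text "$f"; then
            printf '%s\n' "${f##*/}"
        fi
    done
}

lab=$(make_lab)
find_text_files "$lab"    # prints: -file07
rm -rf -- "$lab"
```
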

Anyway, let’s grab the flag and move on:

bandit4@bandit:~/inhere$ cat ./-file07
koReBOKuIDDepwhWk7jZC0RTdopnAYKh

That’s the “flag” we want to “capture” and the password we need for the next level, i.e. to log in as user bandit5.

3. Exiting

bandit4@bandit:~/inhere$ exit
logout
Connection to bandit.labs.overthewire.org closed.

Level Flag

koReBOKuIDDepwhWk7jZC0RTdopnAYKh

This post is licensed under CC BY-NC 4.0 by the author.