OverTheWire Bandit CTF Walkthrough: Levels 0-10

I’m here to walk you through the OverTheWire Bandit “Capture The Flag” (CTF) game. This is a great way to practice your Linux command-line skills, starting with the basics and getting progressively more challenging. In this walkthrough, I’ll cover the solutions for the first 11 levels, from 0 to 10.

In this post, we cover some Linux command-line skills for beginners by solving the OverTheWire Bandit CTF from level 1 through level 10.

The Bandit wargame is aimed at absolute beginners. It will teach the basics needed to be able to play other wargames. If you notice something essential is missing or have ideas

Getting Started: Connecting to the Lab

First things first, you’ll need to connect to the Bandit lab using SSH. The username and password for the first level are both bandit0, and you’ll be connecting to port 2220.

The challenges covered in this post involve learning to use Linux command-line tools such as cat, grep, find, and ls.

There are several things you can try when you are unsure how to continue:

  • First, if you know a command, but don’t know how to use it, try the manual (man page) by entering “man <command>” (without the quotes). e.g. if you know about the “ls” command, type: man ls. The “man” command also has a manual, try it. Press q to quit the man command.
  • Second, if there is no man page, the command might be a shell built-in. In that case use the “help <X>” command. E.g. help cd
  • Also, your favorite search-engine is your friend. Learn how to use it! I recommend Google.

Level by Level Breakdown:

Here’s how I tackled each level, along with the commands I used:

Level 0 to 1: Reading a File

  • The Goal: Find the password for the next level, which is in a file named readme.
  • My Approach: This one’s pretty straightforward. I used ls to see the files in the directory, and then cat to read the contents of the readme file.

Level 1 to 2: Dealing with a Pesky Dash

  • The Goal: The password is in a file named - (a single dash).
  • My Approach: Trying to cat - doesn’t work as you’d expect. The trick is to either use cat -- - to tell cat that you’re done with options, or to specify the full path to the file, like cat ./-.

Level 2 to 3: Spaces in Filenames

  • The Goal: This time, the password is in a file named spaces in the file name.
  • My Approach: When a filename has spaces, you need to either wrap the whole name in quotes ("spaces in the file name") or escape each space with a backslash (spaces\ in\ the\ file\ name).

Level 3 to 4: Finding Hidden Files

  • The Goal: The password is in a hidden file inside the inhere directory.
  • My Approach: Hidden files in Linux start with a dot. I used ls -la to list all files, including the hidden ones. Then I could see the .hiddenfile and cat its contents.
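
The filename cases from Levels 1 to 3 (a lone dash, embedded spaces, a leading dot) in one script, as an added example that is not part of the original walkthrough. The scratch directory, its file contents and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: the scratch directory and file contents are constructed here.

make_fixture() {
    d=$(mktemp -d) || return 1
    printf 'alpha\n'   > "$d/-"
    printf 'bravo\n'   > "$d/spaces in the file name"
    printf 'charlie\n' > "$d/.hiddenfile"
    printf '%s\n' "$d"
}

# Number of arguments a command receives for one name, unquoted and quoted.
argc_unquoted() { set -- $1;   printf '%s\n' "$#"; }   # split at each space
argc_quoted()   { set -- "$1"; printf '%s\n' "$#"; }   # stays one argument

# Entries matched by a bare glob, and by the glob plus a dotfile pattern.
count_visible() ( cd "$1" && set -- ./*          && printf '%s\n' "$#" )
count_all()     ( cd "$1" && set -- ./* ./.[!.]* && printf '%s\n' "$#" )

# Print "name: content" for every regular file in a directory.
read_all() (
    cd "$1" || exit 1
    # Each expansion begins with "./", so a file called "-" reaches cat as a
    # path rather than as the standard-input operand, and the quoted "$f"
    # keeps a name containing spaces in one piece.
    for f in ./* ./.[!.]*; do
        [ -f "$f" ] || continue      # skip directories and unmatched patterns
        printf '%s: %s\n' "${f#./}" "$(cat "$f")"
    done
)

dir=$(make_fixture) && read_all "$dir" && rm -rf "$dir"
```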

Level 4 to 5: It’s a Human-Readable World

  • The Goal: Find the password in the only human-readable file in the inhere directory.
  • My Approach: I used a for loop with the file command to check the type of each file. Once I found the one that was ASCII text, I used cat to get the password.

Level 5 to 6: Finding by Attributes

  • The Goal: The password is in a file that is human-readable, 1033 bytes in size, and not executable.
  • My Approach: The find command is your best friend here. I used it to search for a file of a specific size (-size 1033c).

Level 6 to 7: Advanced Searching

  • The Goal: Find the password, which is on the server somewhere, owned by user bandit7, group bandit6, and is 33 bytes in size.
  • My Approach: Another job for the find command! I searched the entire filesystem (/) for a file with the specified user, group, and size. I also redirected errors to /dev/null to keep the output clean.
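
An added example (not from the original walkthrough) that applies every criterion stated for Levels 4 to 6 in a single find call against a constructed tree, and shows that the size test alone leaves three candidates. The function names and fixture are hypothetical, and the tr byte count is a stand-in for the file command used in Level 4.

```shell
#!/bin/sh
# Added example: the tree below is constructed; it is not the lab's layout.

# fill COUNT BYTE FILE: write COUNT copies of BYTE (a tr escape is allowed).
fill() { printf "%${1}s" '' | tr ' ' "$2" > "$3"; }

make_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/a" "$t/b" "$t/c"
    fill 1033 x      "$t/a/wanted"   # text, 1033 bytes, mode 644
    fill 1033 x      "$t/b/script"   # same content, but executable
    fill 1032 x      "$t/b/short"    # text, one byte too small
    fill 1033 '\000' "$t/c/blob"     # right size, binary content
    chmod 644 "$t/a/wanted" "$t/b/short" "$t/c/blob"
    chmod 755 "$t/b/script"
    chgrp -R "$(id -g)" "$t"         # pin the group for the -group test
    printf '%s\n' "$t"
}

# The size test alone, as in the walkthrough's Level 5 command.
by_size() { find "$1" -type f -size 1033c; }

# by_all_criteria DIR UID GID: size, owner, group, no execute bit, text only.
by_all_criteria() {
    # 1033c is an exact byte count; without the c suffix find counts
    # 512-byte blocks. The three -perm tests reject any execute bit.
    find "$1" -type f -size 1033c -user "$2" -group "$3" \
        ! -perm -100 ! -perm -010 ! -perm -001 \
        -exec sh -c '
            for f do
                # Count bytes that are neither printable ASCII nor whitespace.
                odd=$(LC_ALL=C tr -d "[:print:][:space:]" < "$f" | wc -c)
                if [ "$odd" -eq 0 ]; then printf "%s\n" "$f"; fi
            done' sh {} + 2>/dev/null    # drop "Permission denied" noise
}

tree=$(make_tree) && by_all_criteria "$tree" "$(id -u)" "$(id -g)"
rm -rf "$tree"
```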

Level 7 to 8: Grep to the Rescue

  • The Goal: The password is in the file data.txt, on the same line as the word “millionth”.
  • My Approach: I used cat to read the file and then piped the output to grep, which I used to find the line containing “millionth”.

Level 8 to 9: Finding the Unique Line

  • The Goal: The password is the only line of text that appears just once in the data.txt file.
  • My Approach: I sorted the lines of the file with sort and then used uniq -u to find the unique line.

Level 9 to 10: Strings and Things

  • The Goal: The password is a human-readable string in data.txt that comes after several “==” characters.
  • My Approach: I used strings to pull out the human-readable text from the file, and then grep to find the lines that contained “==”.
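
The Level 8 and Level 9 pipelines run against constructed data, as an added example that is not part of the original walkthrough. It shows why sort has to come before uniq -u and what strings contributes before grep; the function names, sample lines and the marked value are made up for illustration.

```shell
#!/bin/sh
# Added example: all data is constructed; none of it comes from the lab.

make_lines() {    # "keep" occurs once; the other lines repeat, never adjacent
    f=$(mktemp) || return 1
    printf '%s\n' dup1 dup2 keep dup1 dup2 dup1 > "$f"
    printf '%s\n' "$f"
}

make_blob() {     # binary bytes around one marked, readable value
    f=$(mktemp) || return 1
    printf '\001\002junk\377\376========== constructed-value\000\003\004' > "$f"
    printf '%s\n' "$f"
}

# uniq compares neighbouring lines only, so without sort nothing is filtered.
unique_unsorted() { uniq -u "$1"; }
unique_sorted()   { sort "$1" | uniq -u; }

# Runs of four or more printable characters. Uses strings when binutils is
# installed; the tr/grep fallback is an approximation of it.
printable_runs() {
    if command -v strings >/dev/null 2>&1; then
        strings "$1"
    else
        LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}'
    fi
}

# Only the run carrying the "==" marker.
marked_value() { printable_runs "$1" | grep -- '=='; }

lines=$(make_lines) && unique_sorted "$lines"
blob=$(make_blob)   && marked_value "$blob"
rm -f "$lines" "$blob"
```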

Technical Commands Used:

Here are the commands I used throughout this walkthrough:

  • ssh bandit0@bandit.labs.overthewire.org -p 2220
  • pwd
  • ls
  • cat
  • cat -- -
  • cat ./-
  • cat "spaces in the file name"
  • cat spaces\ in\ the\ file\ name
  • ls -la
  • cd inhere
  • cat .hiddenfile
  • for f in $(seq 0 9); do file ./0${f}; done
  • find . -type f -size 1033c
  • find / -type f -user bandit7 -group bandit6 -size 33c 2>/dev/null
  • cat data.txt | grep millionth
  • sort data.txt | uniq -u
  • cat data.txt | strings | grep "=="
  • exit

I hope this detailed walkthrough helps you on your own journey through the Bandit CTF. I’ll be back with more videos to cover the rest of the levels. Good luck!

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
