OverTheWire: Bandit
Goals
- Meet one of the pen-testing practice services, and work through a few of their exercises
- Refresh some old Unix knowledge, and learn some important new tools and concepts
- Practice keeping a log of your investigations
- Compare your ideas to what other people tried
- Start getting used to the feeling of being stuck, and what to do when that happens
OverTheWire
OverTheWire is one of many sites that give you exercises to practice computer security skills. The exercises have various names—Hack The Box calls them "boxes" (where "box" here is being used as an informal term for a single computer), TryHackMe calls them "rooms", some sites call them "CTFs" (for "capture the flag"), and for some reason, OverTheWire calls them "wargames". Offensive Security focuses a lot of attention on small networks of computers, so they just call the exercises "VMs" ("virtual machines") or "VM Groups". Regardless of the name, all these exercises present puzzles to help you acquire and practice pen-testing skills.
Practicing on various sites, I have noticed two broad categories of exercises. First, there are puzzles whose purpose is to show you a computer or network with realistic vulnerabilities—the kind of vulnerabilities that a too-busy or inadequately informed system administrator or software developer might leave open on a real computer. Very soon, you will start creating this kind of exercise yourself.
The second kind of puzzle only cares about teaching you a particular tool or technique, without concern for giving you a realistic context. For this assignment, you'll be doing this second kind of puzzle.
Bandit
The Bandit wargame at OverTheWire is designed to introduce you to a variety of Linux commands, file system concepts, and services that will come in handy in your security work. Some of the concepts are likely to be at least vaguely familiar to you (e.g. the "rwx" permissions you see when you do "ls -l"), whereas many are likely to be new.
For each level of bandit, your goal is to obtain the 32-character password that will let you log in to the next level over SSH. The instructions for each level are typically brief and mostly clear.
Here are a few of the key ideas explored in the 34 bandit exercises.
- listing files and directories, including "hidden" ones (i.e., those whose names start with a period, like .gitignore or ..)
- viewing the contents of files with cat, hexdump, editors like nano or vim, etc.
- filtering and transforming file contents with grep, sort, uniq, tr, hexdump, xxd, etc.
- public/private key pairs (especially as used to authenticate SSH logins, in place of a password)
- services listening at particular TCP ports, and how to communicate with them
- archive and compression utilities like zip/unzip, gzip/gunzip, bzip2/bunzip2, tar, etc., including how to tell which format a file is really in
- cron jobs
- bash scripts
- git
Your assignment
- Work through as many levels of bandit as you have time for before class on Friday (I'm guessing most of you will be able to do 10-20 levels by then). Try to spend 2-3 hours on this.
- Create a folder named "bandit" in your git repo. Put anything you want in this folder, including notes, code, etc. Name files appropriately. Don't forget to commit and push your changes before class on Friday.
- Keep notes in your bandit folder. Two goals for logging your work: (1) make it easy for another person to replicate your solution, and (2) highlight the important lessons of the exercise. Feel free to use any file format you like. I prefer a format that's editable in any text editor—straight text (*.txt) or markdown (*.md) are my favorites (and markdown supports images, if you want to include screenshots).
Be prepared to discuss several items in class on Friday:
- What was most interesting?
- Where did you get stuck? What was most frustrating?
- Compare techniques with your classmates
- Compare writeups with your classmates
- etc.
Important: clean up after yourself
TL;DR: if you create a subdirectory of /tmp when logged in as banditX, you need to delete that subdirectory before logging out. For example, in Level 12→Level 13:
OK, a little more explanation.
The bandit server is just one virtual machine hosted by OverTheWire, so you'll all be sharing it with each other and anybody else out in the world who's working on it at the same time.
Occasionally, you may need to create a subdirectory of /tmp so you can create files on the server. Note that at every level, the only place you can write is /tmp (your home directory is read-only), so make your own subdirectory there rather than dropping files in /tmp itself. Furthermore, suppose you create /tmp/whatever while logged in as bandit12. When you log in as bandit13 or any other banditX you are a different user: /tmp is shared and sticky, so only the owner of /tmp/whatever can delete it, and depending on its permissions you may not even be able to read it. You have to delete that folder while logged in as the same banditX that created the folder in the first place.
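The pattern below is an added example, not code from the OverTheWire page or from the bandit server: it creates a private scratch directory under /tmp, runs your work inside it, and removes it in the same session whether or not the work succeeds. The directory name prefix "bandit-scratch" and the function names are my own choices; mktemp(1), find(1) and the EXIT trap are standard tools.

```bash
#!/bin/sh
# Added example (not from the OverTheWire page): scratch-directory hygiene for
# a shared host like the bandit VM, where /tmp is the only writable location,
# other people are logged in at the same time, and only the account that
# created a directory can remove it. The name "bandit-scratch" is hypothetical.

SCRATCH_ROOT="${TMPDIR:-/tmp}"

# Create a private scratch directory and print its path.
# mktemp -d picks an unguessable name and creates the directory with mode
# 0700, so the password files you copy into it are not readable by the other
# banditN users on the box (a plain "mkdir /tmp/whatever" is 0755 under the
# usual umask, i.e. world-readable).
make_scratch() {
    mktemp -d "$SCRATCH_ROOT/bandit-scratch.XXXXXX"
}

# Run a command inside a fresh scratch directory, then remove the directory.
# The EXIT trap fires whether the command succeeds or fails, so a typo at
# level 12 does not leave /tmp/bandit-scratch.* behind for bandit13, who as a
# different user could not delete it. The exit status is the command's own.
run_in_scratch() {
    dir=$(make_scratch) || return 1
    (
        trap 'rm -rf -- "$dir"' EXIT
        cd "$dir" || exit 1
        "$@"
    )
}

# Before logging out: list scratch directories this account still owns.
# Empty output means you are done; anything listed should be removed now.
list_my_scratch() {
    find "$SCRATCH_ROOT" -maxdepth 1 -type d -name 'bandit-scratch.*' \
        -user "$(id -un)" 2>/dev/null
}
```

Usage at a level like 12→13 would be `run_in_scratch sh -c '<copy the data file here and decode it>'`, and then `list_my_scratch` once before you type `exit`; if it prints anything, `rm -rf` it while you are still that banditX.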
Advice
- Stay cool. Getting stuck is a natural part of studying this material. Keep trying things, walk away for a while, sleep,...
- Keep detailed notes. You'll want them later, and the act of writing helps you learn and remember.
- Need a hint? Ask a friend, ask me, post on Slack, search for "overthewire bandit walkthrough", etc.
- Balance learning-by-doing against time. You should definitely give each exercise a good try on your own first, so don't just follow step-by-step with an online walkthrough. On the other hand, if one level has been leaving you without ideas for an hour or two, see if you can get some help.
- Consult the man pages for the suggested commands. Practice both searching efficiently for the info you need and reading more thoroughly to learn about the overall capabilities of the command.