My Favorite Levels From OTW: Bandit

What is OTW?

OTW, or Over The Wire, offers "wargames"—capture-the-flag style games designed to teach and practice security concepts.

Bandit is the recommended starting point, introducing beginners to essential skills, from Git usage to Bash commands.

Below are a few of my favorite levels and what I learned from them.

Level 12: File Signatures and Compression

This level challenges players with a file that has been repeatedly compressed. The objective is to identify each compression type using file signatures and decompress it step-by-step.

The first step is to view a hex dump of the file using the xxd command. For example:

xxd compressed_data | head
 
# Example output
00000000: 1f8b 0808 dfcd eb66 0203 6461 7461 342e  .......f..data4.

The signature 1f8b indicates a GZIP compressed file. The file can be decompressed using:

mv compressed_data compressed_data.gz
gzip -d compressed_data.gz

After decompression, viewing the hex dump again might reveal another compressed format:

xxd compressed_data | head
 
# Example output
00000000: 425a 6839 3141 5926 5359 ca83 b2c1 0000  BZh91AY&SY......

This signature 425a 68 indicates a BZIP2 compressed file. Decompress it with:

mv compressed_data compressed_data.bz
bzip2 -d compressed_data.bz

Continuing this process, the hex dump might show:

xxd compressed_data | head
 
# Example output
00000000: 6461 7461 352e 6269 6e00 0000 0000 0000  data5.bin.......

This output indicates a TAR archive. The archive can be extracted using:

mv compressed_data compressed_data.tar
tar -x -f compressed_data.tar

This methodical approach of inspecting, identifying, and decompressing or extracting the file type eventually led to discovering the hidden content.

Key Takeaway

Understanding file signatures is crucial when dealing with unknown or obfuscated file types. Using hex dumps (xxd) and methodically applying the correct decompression tool led to success.

Level 25: Exploiting the more Command

This level exploits the more command's ability to enter an interactive editor. The default shell path was altered, preventing normal access.

Upon logging in, the more command runs immediately, displaying a text file. Normally, more would close instantly, but by minimizing the terminal window, you can force it into interactive mode. Once in interactive mode, pressing v opens the editor.

From here, you can escape to a shell by running:

:set shell=/bin/bash
:shell

This technique allows bypassing the restricted shell and gaining access to the terminal.

Key Takeaway

Linux tools like more and vim have powerful features that can be leveraged to bypass restrictions. This level reinforced the importance of understanding built-in tool capabilities and using the environment to your advantage.

Conclusion

The Bandit wargame offers a hands-on approach to learning practical security concepts. The levels highlighted here taught me:

• How to analyze and manipulate compressed files.
• The power of Unix-based tools in restricted environments.
• How to think critically and methodically when approaching security challenges.

Tools Used

• xxd: Create hex dumps of binary files.
• gzip: Compress and decompress files using GZIP.
• bzip2: Compress and decompress files using BZIP2.
• tar: Archive and extract files using the TAR format.
• cat: Concatenate and display file content.
• more: View file content interactively, with paging.
• vim: Advanced text editor for editing and navigating files.

If you're new to security or want to strengthen your command-line skills, Bandit is a fantastic place to start!