KaliLinux.net

Beginner CTF Walkthrough: OverTheWire Bandit Levels 0-5 on KaliLinux.net

Learn the first five levels of OverTheWire Bandit using Kali Linux. Covers ls, cat, find, and file commands for beginners.

If you are new to cybersecurity, the command line can feel like a locked door. OverTheWire’s Bandit wargame is the key that opens it, and on KaliLinux.net we believe every beginner should walk through that door with a solid foundation. This walkthrough covers levels 0 through 5, showing you exactly how to think like a pentester while staying inside a legal, educational sandbox.

Bandit is not a capture-the-flag in the traditional sense. There is no network scanning or exploitation. Instead, it teaches you the core Linux commands you will use daily in Kali Linux. By the time you finish these levels, you will be comfortable with ssh, ls, cat, find, and grep. That is the bedrock of every security professional’s workflow.

Let’s get started.

Setting Up Your Kali Linux Environment for Bandit

Before you type a single command, you need a lab. Your best bet is a fresh install of Kali Linux on a virtual machine (VMware or VirtualBox). This keeps the game isolated from your main OS. KaliLinux.net recommends the 2024.1 release for its updated kernel and toolset.

Open a terminal. You do not need any extra tools. Bandit is purely command-line based. The only requirement is an SSH client, which comes pre-installed on Kali. If you are using Windows, consider WSL2 or a Kali VM. Avoid using a production machine for practice.

Your first connection will look like this:

ssh bandit0@bandit.labs.overthewire.org -p 2220

The password for bandit0 is bandit0. This is the only time the password matches the username. From here on, each level’s password is hidden somewhere in the previous level’s files.

Level 0 → 1: Reading Your First File

After logging in as bandit0, you land in the home directory. Run ls to list files. You will see a single file named readme.

The task is simple: read the file. Use cat readme. The output is the password for bandit1.

This level teaches you two things. First, ls reveals what is in a directory. Second, cat prints file contents to the terminal. In Kali Linux, you will use these commands hundreds of times a day. Memorize them.

The password for bandit1 is something like NH2SXQwcBdpmTEzi3bvBHMM9H66vVXjL. Copy it (or write it down) and exit with exit.

Level 1 → 2: Files with Dashes in Their Names

Log in as bandit1 using the password you just found. Run ls again. You see a file named -.

This is a trap. If you type cat -, cat never touches the file: a lone dash tells cat to read from standard input, so the terminal just sits there waiting for you to type (Ctrl+C gets you out). You need to give a path that does not begin with a dash: cat ./-.

The dot-slash tells the shell to look in the current directory. This is a common trick in CTF challenges and real-world misconfigurations. On KaliLinux.net, we often see students stuck here for ten minutes. Do not overthink it.

The password for bandit2 is rRGizSaX8Mk1RTb1CNQoXTcYZWU6lgzi.

Level 2 → 3: Spaces in Filenames

Now you are bandit2. Run ls and you see a file named spaces in this filename.

Spaces break commands. If you type cat spaces in this filename, the shell thinks you are passing four separate arguments. You have two options:

  1. Use quotes: cat "spaces in this filename"
  2. Escape the spaces: cat spaces\ in\ this\ filename

Either works. The second method is more common in scripts because you can tab-complete the filename. The password for bandit3 is aBZ0W5EmUfAf7kHTQeOwd8bauFJ2lAiG.

This level mirrors real-world scenarios where attackers hide files with unusual names. On Kali, you will often encounter directories or filenames with spaces when analyzing a compromised system.

Level 3 → 4: Hidden Directories

Log in as bandit3. ls shows a directory named inhere. Change into it with cd inhere.

Now run ls again. Nothing appears. That is because the files are hidden. Use ls -a to show all files, including those starting with a dot.

You will see .hidden. Run cat .hidden to get the password for bandit4: 2EW7BBsr6aMMoJ2HjW067dm8EgX26xNe.

Hidden files and directories are a standard way to store configuration data in Linux. On Kali, files such as .bashrc and directories such as .ssh are hidden this way. Understanding -a is essential for thorough reconnaissance.
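As an added example (not code from the original walkthrough), the script below builds a throwaway directory holding the three awkward names from levels 1 to 3 and reads each one safely. The filenames mirror the levels, the passwords inside them are constructed, and safe_cat and list_all are helper names chosen here.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: reading files whose
# names begin with a dash, contain spaces, or are hidden (levels 1 to 3).

# Print a file no matter how awkward its name is. A name beginning with "-"
# would be parsed as an option (a lone "-" tells cat to read stdin, which
# is why "cat -" just sits there waiting), so it is prefixed with "./" to
# turn it into an ordinary relative path. Quoting "$name" keeps spaces intact.
safe_cat() {
    name="$1"
    case "$name" in
        -*) name="./$name" ;;
    esac
    cat "$name"
}

# List every entry in a directory, dotfiles included, one per line.
# -A is -a without the "." and ".." pseudo-entries.
list_all() {
    ls -A "${1:-.}"
}

# Build a constructed practice directory containing the three awkward
# filenames from levels 1 to 3 and print its path.
make_practice_dir() {
    dir=$(mktemp -d)
    printf 'constructed-password-1\n' > "$dir/-"
    printf 'constructed-password-2\n' > "$dir/spaces in this filename"
    printf 'constructed-password-3\n' > "$dir/.hidden"
    printf '%s\n' "$dir"
}

# Stand-alone demo: enumerate the directory, read each entry from inside
# it (so the dash case is really exercised), then clean up.
demo_dir=$(make_practice_dir)
list_all "$demo_dir" | while IFS= read -r entry; do
    printf '%s: ' "$entry"
    (cd "$demo_dir" && safe_cat "$entry")
done
rm -rf "$demo_dir"
```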

Level 4 → 5: Finding the Only Human-Readable File

Now things get interesting. Log in as bandit4. You see inhere again. cd into it and run ls. This time you see ten files: -file00 through -file09.

Nine of them are binary garbage. One contains the password. You could cat each one, but that is tedious. Instead, use the file command to identify the file type.

Run file ./* to check all files in the directory. The output will show something like ASCII text for the correct file and data for the rest. In my test, -file07 was the ASCII one.

cat ./-file07 gives you the password for bandit5: lrIWWI6bB37kxfiCQZqUdOIYfr6eEeqR.

This level introduces the file command, which is invaluable during penetration testing. When you encounter unknown files on a target, file tells you whether it is an image, an executable, or a text document without risking execution.

Level 5 → 6: Searching by File Properties

You are now bandit5. ls shows inhere. cd into it. This directory has 20 subdirectories, each containing multiple files. The password file has three properties:

  • Human-readable
  • 1033 bytes in size
  • Not executable

You could brute-force this manually, but that takes forever. Use find:

find . -type f -size 1033c ! -executable

The -size 1033c test matches files of exactly 1033 bytes; the c suffix means bytes, and without it find counts in 512-byte blocks. The ! -executable test excludes executable files. The output will point to ./maybehere07/.file2.

cat that file, and you get the password for bandit6: P4L4vzmdmss6PxI3Yis3RjDfGf6eR6hW.

The find command is one of the most powerful tools in Kali Linux. You can combine it with -exec to run actions on found files, or with -perm to search for specific permissions. This is how attackers locate writable scripts or SUID binaries during privilege escalation.
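As an added example (not code from the original walkthrough), the script below combines the level 4 readability check with the level 5 find search: it builds a constructed tree in which every decoy satisfies some of the three properties and only one file satisfies all of them, then picks that file out. It assumes GNU findutils for ! -executable (as on the Bandit server); the maybehere01/02 names and the file contents are constructed, and is_text, find_password_file and make_practice_tree are helper names chosen here.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: combine the
# "file"-style readability check from level 4 with the "find" property
# search from level 5 to pick out one password file among decoys.

# True when a file holds only printable characters and whitespace, which
# is the kind of file the "file" utility reports as "ASCII text". This
# portable check does not need "file" to be installed.
is_text() {
    [ $(LC_ALL=C tr -d '[:print:][:space:]' < "$1" | wc -c) -eq 0 ]
}

# Regular files of exactly 1033 bytes (the "c" suffix means bytes) that
# are not executable, filtered down to the human-readable ones.
# "-executable" is a GNU findutils extension, as on the Bandit server.
find_password_file() {
    find "$1" -type f -size 1033c ! -executable | while IFS= read -r f; do
        if is_text "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Write 1032 copies of one character plus a newline: 1033 bytes of text.
write_1033_text() {
    { head -c 1032 /dev/zero | tr '\0' "$1"; echo; } > "$2"
}

# Build a constructed tree that mimics level 5: each decoy satisfies some
# of the three properties, only one file satisfies all of them.
make_practice_tree() {
    root=$(mktemp -d)
    mkdir "$root/maybehere01" "$root/maybehere02"
    printf 'too short to match\n' > "$root/maybehere01/-file1"  # wrong size
    head -c 1033 /dev/zero > "$root/maybehere01/.file2"          # 1033 bytes, but binary
    write_1033_text x "$root/maybehere02/-file1"                 # text, but executable
    chmod +x "$root/maybehere02/-file1"
    write_1033_text p "$root/maybehere02/.file2"                 # matches all three
    printf '%s\n' "$root"
}

# Stand-alone demo: build the tree, search it, clean up.
demo_root=$(make_practice_tree)
find_password_file "$demo_root"
rm -rf "$demo_root"
```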

Putting It All Together: What You Learned

These five levels cover the absolute basics of Linux file navigation. You now know how to:

  • Connect via SSH to a remote server
  • List directory contents, including hidden files
  • Read files with tricky names (dashes, spaces)
  • Identify file types using file
  • Search for files by size and permissions using find

Every single one of these commands is used daily in Kali Linux. Whether you are analyzing a log file, searching for a configuration script, or hunting for a misconfigured binary, these skills transfer directly to real-world security work.

FAQ

What is OverTheWire Bandit?

Bandit is a beginner-level wargame that teaches Linux command-line skills through a series of puzzles. It is hosted by OverTheWire and requires only an SSH client. KaliLinux.net recommends it as the first step for anyone new to ethical hacking.

Do I need Kali Linux to play Bandit?

No. Any Linux distribution works, but KaliLinux.net is built around Kali because it includes all the tools you will need for later challenges. Bandit itself only needs SSH, which is present on every Linux system.

How long does it take to complete Bandit?

Most beginners finish all 34 levels in 10–20 hours. The first five levels take about an hour if you read the documentation. The later levels introduce sed, awk, and base64 encoding.

Is Bandit a real CTF?

It is a wargame, not a traditional CTF. There is no time limit, no scoring, and no competition. It is purely educational. KaliLinux.net treats it as a prerequisite before moving to platforms like Hack The Box or TryHackMe.

Final Thoughts

The command line is the single most important skill in cybersecurity. Bandit forces you to learn it through repetition and discovery. By level 5, you have already used five essential commands. By level 34, you will be comfortable with scripting, encoding, and file manipulation.

KaliLinux.net has been covering these fundamentals since 2024, and we see the same pattern every time: students who complete Bandit move on to harder challenges with confidence. The next step is to apply these commands on a local Kali VM, then move to a platform like Hack The Box for real-world practice.

For a deeper dive into the find command, check out the GNU Findutils manual at the official GNU documentation site.

[Image: OverTheWire Bandit terminal session showing SSH login and file listing]

[Image: Kali Linux desktop with terminal window running find command]
