Bandit Level 18 Walkthrough

Level 17 ➔ Level 18: Identifying Modifications in Data

1. My Objective

I am currently logged in as bandit17. My task is to find a password hidden inside a file named passwords.new. I am given a second file, passwords.old, which contains almost the exact same content. The password I am looking for is the only line that has been changed between the old version and the new version.

The Challenge: Both files contain hundreds of lines. I cannot manually read them side-by-side to find the difference. I need a tool that can "subtract" the common data and show me only the modified part.

2. The Feynman Explanation: The "Spot the Difference" Puzzle

How do I find a single change in two massive text files? I use the diff command.

The Transparency Overlay Analogy:

Imagine I have two photographs that look identical. They are pictures of a crowded city street. I'm told that in the second photo, one person changed their hat color.

If I look at them one after another, I'll never see the change. But what if I printed the first photo on a transparent sheet and placed it exactly over the second photo?

Everywhere the pixels are the same, the light passes through normally. But at the exact spot where the hat color changed, the image will look "shifted" or "blurry." This transparency trick is what diff does. It ignores the thousands of lines that match and only highlights the "blur"—the exact line where the two files disagree.

3. Practical Solution

I am already logged in as bandit17 (using the private key I found in the previous level). I will use the diff command to compare the two password files.

    # I run the diff command: old file first, then new file
    bandit17@bandit:~$ diff passwords.old passwords.new

    # The output shows the line from 'old' and the line from 'new'
    # The '<' symbol is the old version; the '>' symbol is the new version.
    42c42
    < Old_Password_Line
    ---
    > hlbpSAn929SAb36906sV... (The Password)

Why did the output look like that?

The diff command uses a specific notation. In 42c42, the c stands for "change": line 42 in the first file has to be changed to match line 42 in the second file. The line starting with > is the content from the second file (passwords.new), which is exactly what the mission objective asked for.

🚀 My Pro Tips: Mastering Difference Tools

✨ Unified Format (-u)

In the real world, developers usually use the -u flag. It produces a "Unified Diff" which shows a few lines of context around the change. It's much easier to read:

    diff -u passwords.old passwords.new

⭐ Side-by-Side Comparison (-y)

If I want to see the files next to each other in my terminal, I use the -y flag. I often combine it with --suppress-common-lines so I don't see the matching parts:

    diff -y --suppress-common-lines passwords.old passwords.new

🔍 The 'Byebye!' Note

As the mission note warns: when I try to log into bandit18 using this password, the connection might drop with a "Byebye!" message. This is intentional. It means the .bashrc file of that user is set to log me out immediately. I'll need to use a special SSH command to solve the next level without actually opening a shell.

4. Why this matters

I use diff constantly when I am auditing code or investigating system breaches. If a hacker modified a single line in a 5,000-line configuration file, I won't find it by reading. I will compare the current file against a known clean backup. The same line-by-line comparison is the foundation of version control systems like **Git**, which manage the history of almost every software project in the world.
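The baseline comparison described above, as an added example that is not part of the original walkthrough: a small function that reports only the lines that differ from a known-clean copy and passes on diff's exit status (0 identical, 1 differs, 2 trouble). The function names changed_lines and demo, the file names, and the 5,000-line sample config are all constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit a live file against a known-clean baseline with diff.
# All file names and file contents here are constructed sample data.

# Print only the lines of "$2" that are new or modified relative to "$1".
# Return codes mirror diff itself: 0 = identical, 1 = differs, 2 = trouble.
changed_lines() {
    local baseline="$1" current="$2" out rc=0
    # "|| rc=$?" keeps the status without tripping "set -e" in a caller.
    out=$(diff -- "$baseline" "$current" 2>/dev/null) || rc=$?
    case "$rc" in
        0) return 0 ;;
        1) # Normal-format diff marks lines from the second file with "> ".
           printf '%s\n' "$out" | sed -n 's/^> //p'
           return 1 ;;
        *) echo "diff could not compare $baseline and $current" >&2
           return 2 ;;
    esac
}

# Build a 5,000-line "config", tamper with one line in a copy, then audit it.
demo() {
    local dir rc=0
    dir=$(mktemp -d)
    seq 1 5000 | sed 's/.*/option_& = default/' > "$dir/baseline.conf"
    sed '42s/default/tampered/' "$dir/baseline.conf" > "$dir/current.conf"
    changed_lines "$dir/baseline.conf" "$dir/current.conf" || rc=$?
    rm -rf "$dir"
    return "$rc"
}

# Stand-alone run: prints the one modified line and explains the status.
demo || echo "status $?: 1 means the file no longer matches the baseline"
```

Treating status 2 separately matters in an audit: a missing or unreadable baseline must not be mistaken for "no differences".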

Difference Located!

I've successfully extracted the modified line. I'll save this password and move on to Level 18 ➔ Level 19, where I will have to bypass a forced logout!
