OverTheWire Bandit Level 18: Finding Differences Between Files with diff
Level 18 introduces the diff command, a powerful tool for comparing files and finding differences. When you have two similar files and need to find what changed, diff shows you exactly what's different. This is essential for code reviews, configuration management, and finding changes in files.
Level 18 teaches you:
- Using diff to compare two files
- Understanding diff output format
- Identifying which file contains which content
- Finding the only changed line between files
- Reading diff output symbols (< and >)
This level builds on text processing skills from earlier levels. Understanding diff is useful for analyzing changes, comparing configurations, and finding differences in files.
The Objective
After logging into bandit17, your goal is to find the password for Level 18. There are two files in the home directory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between the two files.
What Level 18 teaches:
- Using diff to compare files
- Understanding diff output format
- Identifying changed lines
- Reading file comparison symbols
- Finding differences efficiently
The challenge: Both files contain many passwords. Only one line differs between them. Use diff to find which line changed; that's the password for Level 18.
Note: If you see "Byebye!" when trying to log into bandit18, that's related to the next level (bandit19), not this one.
Understanding the Problem
Let's start by connecting to Level 17 and seeing what we're dealing with:
sshpass -p `cat bandit17` ssh bandit17@bandit.labs.overthewire.org -p 2220
Once connected, let's check what files are in the home directory:
ls -la
You should see two files:
- passwords.old: Old password file
- passwords.new: New password file
The problem: How do you find the one line that changed between these two files?
The answer: Use diff to compare the files. It will show you exactly which line is different.
Understanding the diff Command
Let's dive deeper into diff, because understanding it is crucial:
What Is diff?
The diff command compares two files and shows the differences:
- Shows what changed: Lines that differ between files
- Shows context: Surrounding lines for reference
- Shows location: Line numbers where differences occur
Basic usage:
diff file1 file2
What it does:
- Compares file1 and file2 line by line
- Shows lines that differ
- Uses symbols to indicate which file has which content
Understanding diff Output
diff uses symbols to show differences:
<: Content from the first file (left file)
- In diff passwords.old passwords.new, < means content from passwords.old
>: Content from the second file (right file)
- In diff passwords.old passwords.new, > means content from passwords.new
---: Separator between file sections
Line numbers: Show where differences occur
Example output:
42c42
< old_password_line
---
> new_password_line
Breaking this down:
- 42c42: Line 42 changed (c = change)
- < old_password_line: Content from first file
- ---: Separator
- > new_password_line: Content from second file
For Level 18: The > line (from passwords.new) is the password for Level 18.
Step-by-Step Walkthrough
Step 1: Connect to Level 17
sshpass -p `cat bandit17` ssh bandit17@bandit.labs.overthewire.org -p 2220
Step 2: Check the Files
List files in the home directory:
ls -la
You should see passwords.old and passwords.new.
Step 3: Compare the Files with diff
Use diff to compare the two files:
diff passwords.old passwords.new
Breaking this down:
- diff: File comparison command
- passwords.old: First file (old passwords)
- passwords.new: Second file (new passwords)
What you'll see: The output will show the differences between the files. It might look something like:
42c42
< kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
---
> w0Yfolrc5bwjS4qw5VE1ekH6yqF6UZJ5
Breaking down the output:
- 42c42: Line 42 changed (c = change)
- < kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd: Old password (from passwords.old)
- ---: Separator
- > w0Yfolrc5bwjS4qw5VE1ekH6yqF6UZJ5: New password (from passwords.new)
Step 4: Extract the Password
The password for Level 18 is the line marked with > (from passwords.new). In the example above, it's w0Yfolrc5bwjS4qw5VE1ekH6yqF6UZJ5.
Copy that password; that's your password for Level 18.
Step 5: Save the Password
Copy the password and save it on your local machine:
On Linux/macOS:
echo "PASSWORD_HERE" > bandit18
On Windows (PowerShell):
"PASSWORD_HERE" | Out-File -FilePath bandit18 -NoNewline
Step 6: Connect to Level 18
sshpass -p `cat bandit18` ssh bandit18@bandit.labs.overthewire.org -p 2220
Note: If you see "Byebye!" when trying to log in, that's related to Level 19, not Level 18. The password is correct; you'll learn about this in the next level.
Understanding diff Output Formats
Let's dive deeper into diff output, because it can vary:
Change (c)
Format: line1,line2cline3,line4
Meaning: Lines changed
Example:
42c42
< old_line
---
> new_line
What it means: Line 42 in first file changed to line 42 in second file.
Addition (a)
Format: line1aline2
Meaning: Lines added
Example:
42a43
> new_line
What it means: New line added after line 42.
Deletion (d)
Format: line1,line2dline3
Meaning: Lines deleted
Example:
42d41
< old_line
What it means: Line 42 of the first file was deleted; in the second file the deletion falls after line 41.
For Level 18: You'll typically see a change (c), showing one line that changed.
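The three header forms above can be read mechanically. The following is an added example, not part of the original walkthrough: it parses normal-format hunk headers with awk. The file names, file contents and the helper name hunk_summary are constructed for illustration.

```shell
#!/bin/sh
# Added example: constructed sample files, not the Bandit password files.

# Write a pair of files into directory $1 that differ by one changed line,
# one deleted line and one added line.
make_pair() {
  printf '%s\n' l1 l2  l3 l4 l5 l6 l7 l8    > "$1/old.txt"
  printf '%s\n' l1 l2X l3 l4 l5    l7 l8 l9 > "$1/new.txt"
}

# hunk_summary OLD NEW (hypothetical helper): print one line per hunk header.
# The text before the a/c/d letter is the line range in OLD, the text after
# it is the line range in NEW.
hunk_summary() {
  diff "$1" "$2" | awk '
    /^[0-9]+(,[0-9]+)?[acd][0-9]+(,[0-9]+)?$/ {
      p  = match($0, /[acd]/)
      op = substr($0, p, 1)
      if (op == "a") name = "add"
      else if (op == "d") name = "delete"
      else name = "change"
      printf "%s old=%s new=%s\n", name, substr($0, 1, p - 1), substr($0, p + 1)
    }'
}

# Build the sample pair in a scratch directory and summarise its hunks.
demo_hunks() {
  dir=$(mktemp -d) || return 1
  make_pair "$dir"
  hunk_summary "$dir/old.txt" "$dir/new.txt"
  rm -rf "$dir"
}
demo_hunks
```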
Alternative Methods
Here are different ways to find the difference:
Method 1: diff Command (Recommended)
diff passwords.old passwords.new
Pros: Simple, clear, shows exactly what changed
Cons: None really
Method 2: Using comm
comm -13 passwords.old passwords.new
Pros: Shows only lines unique to second file
Cons: Requires sorted files, less intuitive
Method 3: Using grep with -v
grep -v -f passwords.old passwords.new
Pros: Shows lines in second file not in first
Cons: More complex, might show multiple lines if format differs
Method 4: Manual Comparison (Not Recommended)
cat passwords.old
cat passwords.new
# Manually compare line by line...
Pros: Simple, no new commands
Cons: Extremely slow, error-prone, nearly impossible with many lines
For Level 18, use Method 1: it's the most efficient and teaches you valuable skills.
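The methods above do not always agree. The following is an added example, not part of the original walkthrough: it runs Methods 1 to 3 on a constructed file pair in which the changed line contains another old line as a substring, a case that goes beyond the Bandit files. The file contents and the via_* helper names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. The two files are constructed sample data, not the Bandit files.
export LC_ALL=C   # same byte ordering for sort and comm

# Write the sample pair into directory $1. Only line 3 differs, and the new
# line 3 deliberately contains old line 4 as a substring.
make_sample() {
  printf '%s\n' k3yAlpha01 k3yBravo02 k3yCharlie03 k3yDelta04 > "$1/passwords.old"
  printf '%s\n' k3yAlpha01 k3yBravo02 k3yDelta04x9 k3yDelta04 > "$1/passwords.new"
}

# Method 1: keep only the "> " lines of normal-format diff output,
# i.e. what the second file on the command line contributes.
via_diff() { diff "$1" "$2" | sed -n 's/^> //p'; }

# Method 2: comm needs sorted input, so sort into temporary copies first.
via_comm() {
  t=$(mktemp -d) || return 1
  sort "$1" > "$t/a"; sort "$2" > "$t/b"
  comm -13 "$t/a" "$t/b"
  rm -rf "$t"
}

# Method 3 as written above: every old line is a regex that may match
# anywhere in a new line. grep exits 1 when it prints nothing; accept that.
via_grep_regex() { grep -v -f "$1" "$2" || [ $? -eq 1 ]; }

# Method 3 hardened: -F fixed strings, -x whole-line matches only.
via_grep_exact() { grep -F -x -v -f "$1" "$2" || [ $? -eq 1 ]; }

# Run every method on the sample pair and print what each one reports.
demo() {
  d=$(mktemp -d) || return 1
  make_sample "$d"
  o="$d/passwords.old"; n="$d/passwords.new"
  echo "diff old new : $(via_diff "$o" "$n")"
  echo "diff new old : $(via_diff "$n" "$o")   (reversed order gives the old value)"
  echo "comm -13     : $(via_comm "$o" "$n")"
  echo "grep -v -f   : $(via_grep_regex "$o" "$n")   (empty: the substring match hid the line)"
  echo "grep -Fxv -f : $(via_grep_exact "$o" "$n")"
  rm -rf "$d"
}
demo
```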
Real-World Context
Why does this matter in penetration testing?
In real security assessments, you'll constantly compare files:
1. Configuration File Analysis
Comparing configuration files:
- Before and after changes
- Different versions
- Backup vs. current
Example: Finding configuration changes:
diff /etc/ssh/sshd_config.backup /etc/ssh/sshd_config
2. Code Analysis
Comparing code versions:
- Finding changes in source code
- Identifying modifications
- Code reviews
Example: Finding code changes:
diff old_version.py new_version.py
3. Log File Analysis
Comparing log files:
- Finding new entries
- Identifying changes
- Detecting anomalies
Example: Finding new log entries:
diff log_old.txt log_new.txt
4. Password List Comparison
Comparing password lists:
- Updated wordlists
- Changed credentials
- New passwords
Example: Finding new passwords:
diff passwords_old.txt passwords_new.txt
5. Backup Comparison
Comparing backups:
- Finding what changed
- Identifying modifications
- Verifying backups
Example: Comparing backup files:
diff backup_old.tar backup_new.tar
6. Forensics
In digital forensics:
- Comparing file versions
- Finding modifications
- Identifying changes
Example: Finding file changes:
diff original_file.txt modified_file.txt
The skill you're learning: How to efficiently compare files and find differences. This is essential when:
- Analyzing configuration changes
- Comparing code versions
- Finding modifications in files
- Identifying what changed between backups
- Performing file analysis
Common Mistakes
Mistake 1: Reading the Wrong Line
Wrong:
diff passwords.old passwords.new
# Reads the < line (from passwords.old) instead of > line
Right:
diff passwords.old passwords.new
# Reads the > line (from passwords.new) - that's the password
Why: The > symbol indicates content from the second file (passwords.new), which contains the new password. The < symbol is from the first file (passwords.old), which has the old password.
Mistake 2: Not Understanding diff Symbols
Confusion: "What do < and > mean?"
Clarification:
- <: Content from the first file (left file, passwords.old)
- >: Content from the second file (right file, passwords.new)
- ---: Separator between file sections
For Level 18: The password is the line with > (from passwords.new).
Mistake 3: Wrong File Order
Wrong:
diff passwords.new passwords.old
# Reverses the order, < and > meanings swap
Right:
diff passwords.old passwords.new
# Correct order: old first, new second
Why: The order matters! diff file1 file2 means:
- < = content from file1
- > = content from file2
If you reverse the order, the symbols swap meanings.
Mistake 4: Not Reading the Complete Output
Wrong:
diff passwords.old passwords.new | head -1
# Only sees line numbers, misses the actual difference
Right:
diff passwords.old passwords.new
# Reads complete output to see the changed line
Why: diff output includes line numbers AND the actual changed content. You need both to find the password.
Mistake 5: Confusing "Byebye!" Message
Confusion: "I see 'Byebye!' when logging in; did I get the wrong password?"
Clarification:
- The "Byebye!" message is not an error
- It's related to Level 19, not Level 18
- Your password is correct
- You'll learn about this in the next level
For Level 18: If you see "Byebye!", the password is correct. This is expected behavior for Level 19.
Practice Exercise
Try these to reinforce what you learned:
- Create test files:
printf 'line1\nline2\nline3\n' > file1.txt
printf 'line1\nline2_changed\nline3\n' > file2.txt
- Compare them:
diff file1.txt file2.txt
# Shows the difference
- Understand the output:
diff file1.txt file2.txt
# < means from file1.txt
# > means from file2.txt
- Try reversed order:
diff file2.txt file1.txt
# Notice how < and > swap
- Clean up:
rm file1.txt file2.txt
Understanding diff Options
This is a good time to understand common diff options:
-u (Unified Format)
Shows unified diff format:
diff -u file1 file2
More readable format with context lines
-c (Context Format)
Shows context around changes:
diff -c file1 file2
Includes surrounding lines for context
-i (Ignore Case)
Case-insensitive comparison:
diff -i file1 file2
Ignores case differences
-w (Ignore Whitespace)
Ignores whitespace differences:
diff -w file1 file2
Ignores spaces and tabs
For Level 18: Basic diff is sufficient, but these options are useful for more complex comparisons.
What's Next?
Level 19 introduces SUID binaries, executables that run with the permissions of the file owner, not the user running them. You'll learn about privilege escalation and how to exploit misconfigured SUID binaries.
Before moving on, make sure you:
- Successfully used diff to compare files
- Understand what < and > symbols mean
- Can identify which file contains which content
- Know that > means content from the second file
- Understand that "Byebye!" is related to Level 19, not Level 18
Key Takeaways
After completing Level 18, you should understand:
- diff command: Compares two files and shows differences
- < symbol: Content from the first file (left file)
- > symbol: Content from the second file (right file)
- File comparison: Finding what changed between files
- Output reading: Understanding diff output format
Quick Reference
| Problem | Solution | Example |
|---|---|---|
| Compare files | Use diff | diff file1 file2 |
| Find differences | Read > lines | diff old new shows > from new |
| Unified format | Use -u | diff -u file1 file2 |
| Ignore case | Use -i | diff -i file1 file2 |
| Context lines | Use -c | diff -c file1 file2 |
M Square LLC
Cybersecurity | Penetration Testing | No-Nonsense Advice