📝 OverTheWire Bandit Level 3: Handling Files with Spaces in Their Names

Level 3 continues the theme of tricky filenames, but this time it's about files with spaces. If you thought dashes were annoying, wait until you see what spaces do to command-line arguments.

Level 3 teaches you:

• How Linux interprets spaces in command-line arguments
• Using quotes to handle filenames with spaces
• Tab completion and escape characters
• Why proper delimiting matters

This is another common gotcha that trips up beginners—and even experienced users sometimes. Understanding how to handle spaces in filenames is essential for working with real-world systems.

---

🎯 The Objective

After logging into bandit2, your goal is to find the password for Level 3. The password is in a file, but this file has spaces in its name.

What Level 3 teaches:

• Handling spaces in filenames
• Using quotes (single or double) to delimit arguments
• Tab completion for auto-escaping
• Understanding how the shell parses arguments

The challenge: Read a file with spaces in its name. If you try it the normal way, Linux will think each word is a separate file.

---

🔍 Understanding the Problem

Let's start by connecting to Level 2 and seeing what we're dealing with:

sshpass -p `cat bandit2` ssh bandit2@bandit.labs.overthewire.org -p 2220

Once connected, let's see what files are in the directory:

ls -la

You should see a file with spaces in its name, something like spaces in this filename or file with spaces in the name.txt.

The problem: If you try to read this file the normal way:

cat spaces in this filename

Linux interprets this as:

• cat — the command
• spaces — first file (doesn't exist)
• in — second file (doesn't exist)
• this — third file (doesn't exist)
• filename — fourth file (doesn't exist)

So cat tries to read four separate files, none of which exist. You'll get errors like "No such file or directory" for each word.

---

🧠 Why This Happens: Understanding Shell Parsing

Here's what's happening: The shell (bash) uses spaces to separate arguments.

How the Shell Parses Commands

When you type a command, the shell breaks it into words using spaces as delimiters:

cat file1 file2 file3

The shell sees:

• Command: cat
• Argument 1: file1
• Argument 2: file2
• Argument 3: file3

For a file with spaces:

cat spaces in this filename

The shell sees:

• Command: cat
• Argument 1: spaces
• Argument 2: in
• Argument 3: this
• Argument 4: filename

The shell doesn't know these words are supposed to be one filename—it treats each word as a separate argument.

The Solution: Use Quotes

To tell the shell "treat this as one argument," you need to use quotes. Quotes tell the shell to treat everything inside as a single argument, preserving spaces.

---

📋 Step-by-Step Walkthrough

Step 1: Connect to Level 2

sshpass -p `cat bandit2` ssh bandit2@bandit.labs.overthewire.org -p 2220

Step 2: List Files

ls -la

You should see a file with spaces in its name. Note the exact name—you'll need it.

Step 3: Read the File Using Quotes

There are several ways to do this. Here are the most common:

Method 1: Single Quotes

cat 'spaces in this filename'

Method 2: Double Quotes

cat "spaces in this filename"

Method 3: Tab Completion (Recommended)

cat sp<TAB>

When you press Tab after typing the first few letters, the shell will auto-complete the filename and automatically escape the spaces with backslashes:

cat spaces\ in\ this\ filename

Method 4: Escape Characters

cat spaces\ in\ this\ filename

Type a backslash (\) before each space to escape it.

All methods work—choose whichever feels most comfortable. I recommend Method 3 (tab completion) because it's fastest and least error-prone.

Step 4: Save the Password

Copy the password and save it:

On Linux/macOS:

echo "PASSWORD_HERE" > bandit3

On Windows (PowerShell):

"PASSWORD_HERE" | Out-File -FilePath bandit3 -NoNewline

Step 5: Connect to Level 3

sshpass -p `cat bandit3` ssh bandit3@bandit.labs.overthewire.org -p 2220

---

💡 Understanding Quotes

Let's dive deeper into quotes, because they're crucial for handling special characters:

Single Quotes vs. Double Quotes

Single quotes ('):

• Treats everything literally
• No variable expansion
• No command substitution
• Preserves spaces exactly as typed

Double quotes ("):

• Allows variable expansion ($VAR)
• Allows command substitution (`command`)
• Still preserves spaces
• More flexible but can be trickier

For filenames with spaces, both work the same:

cat 'file with spaces.txt'    # Single quotes
cat "file with spaces.txt"    # Double quotes

When they differ:

# Single quotes - literal
echo '$HOME'                  # Output: $HOME

# Double quotes - variable expanded
echo "$HOME"                  # Output: /home/bandit2

For Level 3, use either—they both work for preserving spaces in filenames.

---

⌨️ Tab Completion: Your Best Friend

Tab completion is one of the most useful features in Linux terminals. Here's how it works:

How Tab Completion Works

1. Start typing the beginning of a filename
2. Press Tab — the shell completes the rest
3. If multiple matches, press Tab twice to see options
4. Spaces are automatically escaped with backslashes

Example

# Type this:
cat sp<TAB>

# Shell completes to:
cat spaces\ in\ this\ filename

Notice: The shell automatically added backslashes (\) before each space. This is called escaping.

Benefits of Tab Completion

• Fast — No typing long filenames
• Accurate — No typos
• Auto-escaping — Handles special characters automatically
• Discoverable — Shows you what files exist

Pro tip: Get in the habit of using Tab completion. It'll save you time and prevent errors.

---

🔤 Understanding Escape Characters

The backslash (\) is an escape character. It tells the shell "the next character should be treated literally, not as a special character."

How Escaping Works

Without escaping:

cat file with spaces.txt
# Shell sees: cat file with spaces.txt (4 separate arguments)

With escaping:

cat file\ with\ spaces.txt
# Shell sees: cat "file with spaces.txt" (1 argument)

Common escape sequences:

• \ — Space (escaped)
• \- — Dash (escaped)
• \\ — Literal backslash
• \$ — Literal dollar sign

When to Use Escaping

• When typing filenames manually
• When quotes don't work (rare)
• When you need to mix quotes and special characters

For Level 3, quotes are easier—but understanding escaping is useful for more complex scenarios.

---

🛠️ Alternative Methods

Here are all the ways to handle files with spaces:

Method 1: Single Quotes (Simple)

cat 'spaces in this filename'

Pros: Simple, clear, preserves everything literally Cons: None really

Method 2: Double Quotes (Simple)

cat "spaces in this filename"

Pros: Simple, clear, allows variable expansion if needed Cons: Can be confusing if you have $ in the filename

Method 3: Tab Completion (Recommended)

cat sp<TAB>
# Auto-completes to: cat spaces\ in\ this\ filename

Pros: Fast, accurate, auto-escaping Cons: Requires knowing the first few letters

Method 4: Manual Escaping

cat spaces\ in\ this\ filename

Pros: Explicit control Cons: Tedious to type, error-prone

Method 5: Using Wildcards

cat spaces*

Pros: Short, works if filename is unique Cons: Might match multiple files

For Level 3, use Method 1, 2, or 3 — they're all reliable and easy.

---

🔒 Real-World Context

Why does this matter in penetration testing?

In real security assessments, you'll encounter files with spaces:

1. User-Created Files

Users often create files with spaces:

• my passwords.txt
• backup file 2024.doc
• important notes.md

These are common in home directories and shared folders.

2. Windows Systems

Windows allows spaces in filenames more freely than Linux. When analyzing Windows systems or SMB shares, you'll see:

• My Documents
• Program Files
• Application Data

3. Web Applications

Web applications might create files with spaces:

• user upload file.jpg
• report 2024-01-16.pdf
• backup data.sql

4. Log Files

Log files sometimes have spaces:

• access log 2024-01-16.txt
• error log file.log
• debug output file.txt

The skill you're learning: How to access files regardless of their naming conventions. This is essential when:

• Analyzing user directories
• Reading configuration files
• Extracting data from logs
• Working with files from different operating systems

---

🚨 Common Mistakes

Mistake 1: Forgetting Quotes

Wrong:

cat spaces in this filename

Right:

cat "spaces in this filename"

Why: Without quotes, the shell treats each word as a separate argument.

Mistake 2: Wrong Quote Type

Usually fine:

cat 'file with $HOME.txt'      # $HOME treated literally
cat "file with $HOME.txt"      # $HOME expanded to /home/user

If your filename contains $ and you don't want expansion, use single quotes.

Mistake 3: Not Using Tab Completion

Many beginners type long filenames manually, which leads to typos. Use Tab completion—it's faster and more accurate.

Mistake 4: Mixing Quotes Incorrectly

Wrong:

cat 'file with spaces".txt'    # Mismatched quotes

Right:

cat 'file with spaces.txt'     # All single quotes
cat "file with spaces.txt"     # All double quotes

Mistake 5: Forgetting Spaces When Escaping

Wrong:

cat spaces\in\this\filename    # Missing spaces

Right:

cat spaces\ in\ this\ filename # Backslash before each space

---

💻 Practice Exercise

Try these to reinforce what you learned:

1. Create a test file with spaces:

   echo "test" > "file with spaces.txt"
   

2. Read it using different methods:

   cat "file with spaces.txt"        # Double quotes
   cat 'file with spaces.txt'        # Single quotes
   cat file\ with\ spaces.txt        # Escaping
   cat file*                         # Wildcard
   

3. Use tab completion:

   cat f<TAB>                        # Auto-complete
   

4. Clean up:

   rm "file with spaces.txt"
   

---

🎓 Understanding Shell Parsing

This is a good time to understand how the shell processes commands:

Tokenization

The shell breaks commands into tokens (words) using:

• Spaces
• Tabs
• Newlines

Quote Processing

Quotes change how tokenization works:

• Inside quotes, spaces are preserved
• Quotes themselves are removed (not passed to the command)
• Variables and commands may be expanded (double quotes)

Example

# Without quotes:
cat file with spaces
# Tokens: ["cat", "file", "with", "spaces"]

# With quotes:
cat "file with spaces"
# Tokens: ["cat", "file with spaces"]

Why this matters: Understanding how the shell parses commands helps you write correct commands and debug issues.

---

🔗 What's Next?

Level 4 introduces hidden files—files that start with a dot (.). These files don't show up in normal ls listings, requiring you to use ls -a to see them.

Before moving on, make sure you:

• ✅ Successfully read a file with spaces in its name
• ✅ Understand why quotes are necessary
• ✅ Know how to use tab completion
• ✅ Can escape spaces manually if needed

---

📚 Key Takeaways

After completing Level 3, you should understand:

1. Spaces are delimiters — The shell uses spaces to separate arguments
2. Quotes preserve spaces — Single or double quotes treat contents as one argument
3. Tab completion is powerful — Auto-completes and escapes automatically
4. Escaping works too — Backslashes tell the shell to treat the next character literally
5. Multiple solutions — There are several ways to handle spaces, all valid

---

🎯 Quick Reference

Problem	Solution	Example
File has spaces	Use quotes	cat "file with spaces.txt"
File has spaces	Use tab completion	cat f<TAB>
File has spaces	Escape spaces	cat file\ with\ spaces.txt
File starts with -	Use relative path	cat ./-
File is hidden	Use ls -a	ls -a

---

Questions about Level 3 or handling files with spaces? Reach out directly:

• Email: m1k3@msquarellc.net
• Phone: (559) 670-3159
• Schedule: Book a free consultation

---

M Square LLC
Cybersecurity | Penetration Testing | No-Nonsense Advice