WarGame: Bandit walkthrough log

Brief

Bandit is a WarGame for learning Linux commands: you progress level by level and pick up new commands along the way. It is a good learning platform for programmers and security enthusiasts alike. The site is http://overthewire.org/wargames/bandit/ ; sharing it with everyone.

Level 0 → Level 1

  • Level Goal

The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.

The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.
For the first level, just log in over SSH:

    ssh bandit0@bandit.labs.overthewire.org -p 2220
    password: bandit0

Reading readme directly gives the password boJ9jbbUNNfktd78OOpsqOltutMc3MY1

Level 1 → Level 2

  • Level Goal
    The password for the next level is stored in a file called - located in the home directory

Log in over ssh with the password from the previous level:

    ssh bandit1@bandit.labs.overthewire.org -p 2220

ls shows that the file is named -, which has a special meaning on Linux (most tools read it as standard input), so a plain cat does not work.
Prefixing it with ./ states explicitly that it is a file in the current directory, and then it can be read:

    cat ./-

The password is CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

Level 2 → Level 3

  • Level Goal
    The password for the next level is stored in a file called spaces in this filename located in the home directory

The filename contains spaces, so wrap it in double quotes:

    cat "spaces in this filename"

Password UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

Level 3 → Level 4

  • Level Goal
    The password for the next level is stored in a hidden file in the inhere directory.

As the goal says, the file is hidden: on Linux a filename that starts with . is hidden, and ls -a shows such files.
Password pIwrPrtPN36QITSp3EQaw936yaFoFgAB

Level 4 → Level 5

  • Level Goal
    The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.

This level has 10 files, and the goal says the password is in the human-readable one, so we need to determine each file's type with the file command:

    file ./*

Only one of them is of type ASCII text, so that is the target.
Password koReBOKuIDDepwhWk7jZC0RTdopnAYKh

Level 5 → Level 6

  • Level Goal
    The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:

human-readable
1033 bytes in size
not executable

This is another find-the-file level. ls -R shows dozens of files, so checking them one by one is not realistic. The goal says the file is human-readable, 1033 bytes in size and not executable, so we can use the find command:

    find . -type f -size 1033c

To explain: -type f restricts the search to regular files, and -size 1033c means exactly 1033 bytes. More of the syntax:

    -size n[cwbkMG] : the file occupies n units, where the suffix selects the unit:
        b: 512-byte blocks (the default if no suffix is given)
        c: bytes
        k: kilobytes (1024 bytes)
        w: words (2 bytes)
        M: megabytes (1048576 bytes)
        G: gigabytes (1073741824 bytes)
    -type c : the file is of type c:
        d: directory
        c: character device file
        b: block device file
        p: named pipe (FIFO)
        f: regular file
        l: symbolic link
        s: socket

This finds the target file.
Password DXjZPULLxYr17uwoI01bNLQbtFemEgo7
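The find command above filters on size only. As an added example that is not part of the original post, this script applies all three of the level's criteria (size, not executable, human-readable) on a constructed directory tree; make_fixture, is_human_readable and find_level5_file are my own names, and ! -perm -u+x relies on find's symbolic -perm support.

```shell
#!/bin/sh
# Added example, not from the original post: Level 5's three criteria applied
# together on a constructed directory tree instead of bandit5's real inhere/.
set -u

# Human-readable: nothing is left once every printable and whitespace byte is deleted.
is_human_readable() {
    [ "$(LC_ALL=C tr -d '[:print:][:space:]' < "$1" | wc -c | tr -d ' ')" -eq 0 ]
}

# Regular files, exactly 1033 bytes, not executable by their owner, then the
# readability check that find's own predicates cannot express.
find_level5_file() {
    find "$1" -type f -size 1033c ! -perm -u+x 2>/dev/null | while IFS= read -r f; do
        if is_human_readable "$f"; then printf '%s\n' "$f"; fi
    done
}

# Constructed fixture: one decoy per rejected property plus the real target.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/inhere/maybehere00" "$dir/inhere/maybehere01"
    head -c 1000 /dev/zero | tr '\000' a > "$dir/inhere/maybehere00/.file1"  # text, wrong size
    head -c 1033 /dev/zero > "$dir/inhere/maybehere00/-file2"              # right size, binary
    head -c 1033 /dev/zero | tr '\000' b > "$dir/inhere/maybehere01/.file3"  # text, but executable
    chmod u+x "$dir/inhere/maybehere01/.file3"
    head -c 1032 /dev/zero | tr '\000' c > "$dir/inhere/maybehere01/target"  # 1032 chars + newline
    printf '\n' >> "$dir/inhere/maybehere01/target"
    printf '%s\n' "$dir"
}
```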

Level 6 → Level 7

  • Level Goal
    The password for the next level is stored somewhere on the server and has all of the following properties:

owned by user bandit7
owned by group bandit6
33 bytes in size

Another file search, so find again, with slightly different parameters:

    find / -user bandit7 -group bandit6 -size 33c 2>/dev/null

Here -user selects the owning user, -group the owning group and -size the size. The trailing 2>/dev/null is there because a find over the root directory produces a lot of permission-denied error messages, so on Linux it is common to redirect the error output (file descriptor 2) into the "black hole" this way.
Password HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

Level 7 → Level 8

  • Level Goal
    The password for the next level is stored in the file data.txt next to the word millionth

The goal says the password is next to the word millionth, so just search data.txt for that word:

    cat data.txt|grep millionth

Password cvX2JJa4CFALtqS87jk27qwqGhBM9plV

Level 8 → Level 9

  • Level Goal
    The password for the next level is stored in the file data.txt and is the only line of text that occurs only once

We need the line that occurs only once, so uniq is the obvious command, but the text has to be sorted with sort first: uniq only compares each line with the line immediately before it, so sorting and then running uniq finds the line that appears exactly once.

    sort data.txt|uniq -u
    sort data.txt|uniq -c

I came up with two ways: -u prints only the unique lines directly, and -c prefixes every line with its count, from which you pick the line whose count is 1.
Password UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

Level 9 → Level 10

  • Level Goal
    The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.

cat on this file prints a lot of garbage, so use the strings command to extract only the printable character sequences:

    strings data.txt

Password truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk

Level 10 → Level 11

  • Level Goal
    The password for the next level is stored in the file data.txt, which contains base64 encoded data

Looking at the file shows a base64 string, so decode it directly with base64 -d.
Password IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

Level 11 → Level 12

  • Level Goal
    The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions

The goal says the letters have been rotated by 13 positions, which amounts to swapping the first 13 letters of the 26-letter alphabet with the last 13 (ROT13). We use the tr command to swap them back:

    cat data.txt | tr 'a-zA-Z' 'n-za-mN-ZA-M'

Level 12 → Level 13

  • Level Goal
    The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)

This level is more involved. First, following the hint, create our own directory under /tmp:

    mkdir /tmp/pino
    cp data.txt /tmp/pino
    cd /tmp/pino
    cat data.txt

data.txt is a hex dump, i.e. the file's contents written in hexadecimal, and the xxd command can convert it back into the binary file:

    xxd -r data.txt > data.bin

Then use the file command to see what kind of binary it is.

It is a gzip-compressed file, so rename it with mv:

    mv data.bin data.gz

Decompress it with gzip -d; the result is again a binary file, so run file on it once more.

This time it is a bzip2-compressed file, so rename and decompress again:

    mv data data.bz2
    bzip2 -d data.bz2

Repeat the process; later on a tar archive shows up as well:

    mv data data.tar
    tar -xvf data.tar

Keep decompressing like this until the last layer gives the password 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
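As an added example (not the post's own commands), here is the rename-and-decompress cycle above written as a loop that identifies each layer from its magic bytes with od and dd; layer_type, unwrap_all and make_fixture are hypothetical names, the nested fixture is constructed, and gzip, bzip2 and tar must be installed.

```shell
#!/bin/sh
# Added example, not from the original post: identify each layer by its magic
# bytes and unwrap in a loop, instead of running file and mv by hand per layer.
set -u

# Print gzip, bzip2, tar or other for a file, from its leading bytes only
# (gzip begins 1f 8b, bzip2 begins "BZh", a tar header has "ustar" at offset 257).
layer_type() {
    magic=$(od -An -tx1 -N3 "$1" | tr -d ' \n')
    case "$magic" in
        1f8b*)  echo gzip ;;
        425a68) echo bzip2 ;;
        *)  if [ "$(dd if="$1" bs=1 skip=257 count=5 2>/dev/null)" = ustar ]; then
                echo tar
            else
                echo other
            fi ;;
    esac
}

# Unwrap $1 inside scratch directory $2 until no known container remains and
# print the innermost file's path. The body is a subshell, so the cd stays local.
unwrap_all() (
    cp "$1" "$2/layer" && cd "$2" || exit 1
    while :; do
        case "$(layer_type layer)" in
            gzip)  mv layer layer.gz  && gzip -d layer.gz ;;
            bzip2) mv layer layer.bz2 && bzip2 -d layer.bz2 ;;
            tar)   mv layer layer.tar && inner=$(tar -tf layer.tar | head -n 1) &&
                   tar -xf layer.tar && { [ "$inner" = layer ] || mv "$inner" layer; } ;;
            *)     printf '%s\n' "$2/layer"; exit 0 ;;
        esac || exit 1
    done
)

# Constructed fixture: a one-line secret wrapped gzip -> tar -> gzip, the kind of
# nesting bandit12's data.txt decodes to (bzip2 is handled above but not used here).
make_fixture() {
    dir=$(mktemp -d)
    printf 'constructed_password_value\n' > "$dir/data"
    gzip "$dir/data" && mv "$dir/data.gz" "$dir/data"
    (cd "$dir" && tar -cf data.tar data && rm data) || return 1
    gzip "$dir/data.tar" && mv "$dir/data.tar.gz" "$dir/data"
    printf '%s\n' "$dir"
}
```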

Level 13 → Level 14

  • Level Goal
    The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on

We are logged in as bandit13, but the goal says the password can only be read as bandit14, and we are given an SSH private key. So we can log in with the ssh -i option, which specifies the private key to use:

    ssh -i sshkey.private bandit14@localhost

Once logged in:

    cat /etc/bandit_pass/bandit14

Password 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

Level 14 → Level 15

  • Level Goal
    The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

The goal asks us to submit this level's password to port 30000 on localhost, so I thought of telnet: connect to local port 30000 and send this level's password over the connection.

Password BfMYroe26WYalil77FoDi9qh59eK5xNr

Level 15 → Level 16

  • Level Goal
    The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…

This level uses the openssl command.
It is not a command I use often; openssl help lists the subcommands, and openssl s_client help shows the client's options.
From the help, the command to connect is:

    openssl s_client -connect localhost:30001

Sending this level's password over it shows exactly the problem described in the helpful note, so, as suggested, run it again with the -ign_eof option.

That gives the password cluFn7wTiGryunymYOu4RcffSxQluehd

Level 16 → Level 17

  • Level Goal
    The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

This level turned out to be quite interesting. Reading the goal, I honestly had no idea where to start. I wanted to check with netstat, but had no permission for that... Then I ran ps aux on a whim, saw an nmap process, and that gave me the idea...

    nmap localhost -p 31000-32000

There are 5 open ports. The goal says the wrong ports just echo back whatever you send, and testing showed two candidates, 31518 and 31790. The goal also says that some of them speak SSL, so I tried each of the two:

    openssl s_client -connect localhost:31518
    openssl s_client -connect localhost:31790

31790 is the right one.

It returns something that looks like an SSH private key, so I saved it straight to a file, ssh.priv. Because of the permission setup you need to create a directory of your own under /tmp before you can write the file.
Then, reusing what we learned in the previous level:

    ssh -i /tmp/bandit16/ssh.priv bandit17@localhost

Login succeeds; the password is in /etc/bandit_pass/bandit17
Password xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn

Level 17 → Level 18

  • Level Goal
    There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new

NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19

Comparing an old and a new version is clearly a job for the diff command:

    diff passwords.old passwords.new

Password kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd

Level 18 → Level 19

  • Level Goal
    The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

Logging in normally:

    ssh bandit18@bandit.labs.overthewire.org -p2220

we find the connection is closed immediately.

However, a command can be appended to the ssh command line, and even though the session is cut off, that command still runs. So append cat readme, enter the previous level's password as usual, and the next level's password is printed.

Password IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

Level 19 → Level 20

  • Level Goal
    To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

I did not really know what this level wanted from us; the password just appeared somehow.

Password GbKksEFF4yrVs6il55v6gwY5aVje5f0j

Level 20 → Level 21

  • Level Goal
    There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: Try connecting to your own network daemon to see if it works as you think

The goal says that the suconnect program connects to the port we specify, reads the content and compares it with bandit20's password, and returns the next level's password if they match.
We know the password is stored in the file /etc/bandit_pass/bandit20, so we open a port locally that sends that password, and then connect the program to that port:

    nc -l 2333 < /etc/bandit_pass/bandit20 &

The trailing & runs the command in the background, so we can go on to run ./suconnect 2333 to connect to port 2333.

Password gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr

Level 21 → Level 22

  • Level Goal
    A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

Following the hint, look at the cronjob_bandit22 scheduled job in the /etc/cron.d directory.

Password Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

Level 22 → Level 23

  • Level Goal
    A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.

See the screenshot for the solution.

Password jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n

Level 23 → Level 24

  • Level Goal
    A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!

NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…

First look at the crontab file.

It shows that the scheduled job runs /usr/bin/cronjob_bandit24.sh.
That shell script executes every file in /var/spool/bandit24, and deletes all the files there if they have not been executed within 60 seconds.
So the idea is to write a shell script that reads the password, put it in that directory, and let it run as user bandit24.

    mkdir /tmp/bandit23
    chmod 777 /tmp/bandit23
    cd /tmp/bandit23
    vim shell.sh

The content of shell.sh:

    #!/bin/bash
    cat /etc/bandit_pass/bandit24 >> /tmp/bandit23/pass

Then chmod 777 shell.sh, copy shell.sh into /var/spool/bandit24, wait a while, and a pass file appears in /tmp/bandit23/ with the password as its content.

Password UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

Level 24 → Level 25

  • Level Goal
    A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.

First connect with nc.

As required, enter the previous level's password, a space and 4 digits; it fails straight away...
So a script is needed to brute-force the pincode.
My first thought was pwntools (too many CTFs...).
The script:

    from pwn import *

    r = remote('localhost', 30002)
    r.recvline()  # the checker greets on connect; consume it so each recvline below pairs with one attempt
    for pin in range(10000):
        flag = '%04d' % pin  # try 0000 to 9999
        s = "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ " + flag
        r.sendline(s.encode())
        response = r.recvline()
        if b'Wrong!' not in response:
            print('Correct! ' + response.decode())
            break

A rather crude brute-force script, but it only has to be run.

Password uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

Level 25 → Level 26

  • Level Goal
    Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.

After logging in, there is an SSH private key in the home directory, so connect with it right away:

    ssh -i ssh.private bandit26@localhost

But the connection is cut immediately after login.
The hint says something is unusual about bandit26's shell, and in that case we can look at the /etc/passwd file.

Its last field is the program run when the user logs in. For the other users it is /bin/bash or similar, but for this user it is /usr/bin/showtext, so look at that.

export TERM=linux sets the terminal type to linux, then it runs more on ~/text.txt and exits with exit 0, which is why our ssh session cannot stay connected!
Seeing more, though, reminds me that more can execute commands; I wrote about it in an earlier post: both more and less can run commands, by entering !command while more is paging.
When we log in over ssh, more is not triggered, because the terminal is too large (the text fits on the screen, so more has nothing to page)... Shrink the terminal window and it is.

Then enter !/bin/sh to try to get a command line, which failed...
There is another option: press v to enter vim mode. vim can also run commands with !command, but that did not work here either. So use vim's own :e file; in vim the e command loads a file into the editor, and since we know where the password is, e can load the password file:

    :e /etc/bandit_pass/bandit26

Password 5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z

Level 26 → Level 27

  • Level Goal
    Good job getting a shell! Now hurry and grab the password for bandit27!

Logging in over ssh with the password disconnects immediately here too, so follow the same routine as the previous level: get into more, then use vim mode to run commands. This time e cannot read the file, because of insufficient permissions, and !command and !sh do not work either. After looking it up, I found that vim has another way, which first requires setting the shell path:

    in vim
    :set shell=/bin/sh
    :sh

This gives a shell. ls shows a program, and as before we just read the password file directly.

Password 3ba3118a22e93127a4ed485be72ef5ea

Level 27 → Level 28

  • Level Goal
    There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo. The password for the user bandit27-git is the same as for the user bandit27.

Clone the repository and find the password for the next level.

See the screenshot for the solution.

Password 0ef186ac70e04ea33b4c1853d2526fa2

Level 28 → Level 29

  • Level Goal
    There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo. The password for the user bandit28-git is the same as for the user bandit28.

Clone the repository and find the password for the next level.

As in the previous level, git clone the repository. It contains a README, so look at it.

Nothing of interest.
A casual git log shows the history.

It lists commits newest to oldest, and the newest entry says fix info leak. So git show it: by default it uses the git diff-tree --cc format, which shows the textual difference.

Password bbc96594b4e001778eee9975372716b2

Level 29 → Level 30

  • Level Goal
    There is a git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo. The password for the user bandit29-git is the same as for the user bandit29.

Clone the repository and find the password for the next level.

Same routine again: git clone, then git log and git show, which turned up nothing. git branch -a, however, showed four branches.

One of them is dev, and dev is usually the development branch, so switch to it and have a look:

    git checkout remotes/origin/dev

That reveals something remarkable; git show gives the password 5b90576bedb2cc04c86a9e924ce42faf

Level 30 → Level 31

  • Level Goal
    There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo. The password for the user bandit30-git is the same as for the user bandit30.

Clone the repository and find the password for the next level.

git show-ref displays every available ref in the local repository together with its associated commit ID.

One of them carries the sensitive word secret, so run git show f17132340e8ee6c159e0a4a6bc6f80e1da3b1aea directly, which gives the password 47e603bb428404d265f59c42920d81e5
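The three git levels above (28 through 30) find the leaked line, the dev branch and the secret tag by reading git log, git branch -a and git show-ref one at a time. As an added example that is not part of the original post, this searches every ref at once for a string that was ever committed, which is also how a defender audits a repository for leaked credentials; find_secret_commits, refs_containing and make_fixture are my own names, and the repository is constructed on the fly.

```shell
#!/bin/sh
# Added example, not from the original post: search all branches and tags for a
# string that any commit added or removed, rather than paging through git log.
set -u

# Print "<sha> <subject>" for every commit on any branch or tag whose diff adds
# or removes a line containing $2 (git's -S "pickaxe"). Runs inside repo $1.
find_secret_commits() (
    cd "$1" || exit 1
    git log --all --format='%H %s' -S"$2"
)

# Short names of the branches and tags that contain commit $2 of repo $1.
refs_containing() (
    cd "$1" || exit 1
    git for-each-ref --contains "$2" --format='%(refname:short)'
)

# Constructed repository with the shapes seen in bandit28-30: a secret committed
# then "fixed" on the main branch, a dev branch, and a tag on a commit that no
# branch reaches. Identity is passed per call, so no git config is needed.
make_fixture() {
    dir=$(mktemp -d)
    g() { git -C "$dir" -c user.name=x -c user.email=x@example.invalid "$@"; }
    g init -q
    printf 'password: constructed_leaked_value\n' > "$dir/README"
    g add README && g commit -q -m 'add README'
    printf 'password: <no passwords in plaintext!>\n' > "$dir/README"
    g commit -q -am 'fix info leak'
    g checkout -q -b dev
    printf 'constructed_dev_value\n' > "$dir/dev.txt"
    g add dev.txt && g commit -q -m 'add dev notes'
    g checkout -q --detach
    printf 'constructed_tagged_value\n' > "$dir/tagged.txt"
    g add tagged.txt && g commit -q -m 'add tagged file'
    g tag secret
    g checkout -q dev
    printf '%s\n' "$dir"
}
```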

Level 31 → Level 32

  • Level Goal
    There is a git repository at ssh://bandit31-git@localhost/home/bandit31-git/repo. The password for the user bandit31-git is the same as for the user bandit31.

Clone the repository and find the password for the next level.

This level asks us to push a file key.txt to the remote server.
First create key.txt as required:

    echo 'May I come in ?' > key.txt

Then:

    git add -f key.txt
    git commit

git commit opens the nano editor; look up how to use it yourself.
After that, git push.
Password 56a9bf19c63d650ce78e6ec0354ee45e

Level 32 → Level 33

  • Level Goal
    After all this git stuff it's time for another escape. Good luck!

Running uppershell shows that it converts every command you type to upper case before executing it, so ordinary commands cannot run. We can therefore create a shell script whose name is in upper case.
The file TEST:

    #!/bin/bash
    bash

That gives us bandit33's bash.

Password c9c3199ddf4121b10cf581a98d51caee

Level 33 → Level 34

And that is the end!

Author: Pino-HD

Published: 7 September 2018, 13:09

Last updated: 7 September 2018, 13:09

Original link: https://pino-hd.github.io/2018/09/07/WarGame之bandit通关日志/

License: CC BY-NC-ND 4.0 International. Please keep the original link and author name when reposting.