Breif
Bandit是一个学习linux命令的WarGame,通过闯关的模式,不断的学习新的命令,对于程序员亦或者安全爱好者来说都是一个不错的学习平台,网址是 http://overthewire.org/wargames/bandit/ 分享给大家~
Level 0 → Level 1
- Level Goal
The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.
The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.
第一关直接ssh登陆就好了
1 | ssh bandit0@bandit.labs.overthewire.org -p 2220 |
直接查看readme得到密码boJ9jbbUNNfktd78OOpsqOltutMc3MY1
Level 1 → Level 2
- Level Goal
The password for the next level is stored in a file called - located in the home directory
利用上一关得到的密码ssh登陆
1 | ssh bandit1@bandit.labs.overthewire.org -p 2220 |
ls
发现文件名是一个-
,但是这个在linux中有特殊意义导致直接cat不好用
因此可以使用./
来注明是当前路径下的,就可以读取到了
1 | cat ./- |
密码是CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
Level 2 → Level 3
- Level Goal
The password for the next level is stored in a file called spaces in this filename located in the home directory
这道题文件名中有空格,可以用双引号把文件名包裹起来1
cat "spaces in this filename"
密码UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
Level 3 → Level 4
- Level Goal
The password for the next level is stored in a hidden file in the inhere directory.
如题,文件是隐藏文件,在linux中,文件名前面有.
的就是隐藏文件,可以使用ls -a
来显示
密码pIwrPrtPN36QITSp3EQaw936yaFoFgAB
Level 4 → Level 5
- Level Goal
The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.
本题有10个文件,题目说是密码在人类可读的文件,那么就要判断文件的类型,用file
命令
1 | file ./* |
只有一个是ACSII TEXT类型的,那么就是目标了
密码koReBOKuIDDepwhWk7jZC0RTdopnAYKh
Level 5 → Level 6
- Level Goal
The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:
human-readable
1033 bytes in size
not executable
这道题又是一个找文件的题目,ls -R
目测有好几十个文件,一个个找肯定不现实,根据题目的要求,是一个人类可读文件,并且1033字节,非可执行文件,那么可以用find
命令
1 | find . -type f -size 1033c |
解释一下-type f
指定为普通文件,-size 1033c
指定为1033字节,更多的用法如下
1 | -size n[cwbkMG] : 档案大小 为 n 个由后缀决定的数据块。其中后缀含义为: |
最后找到了目标文件
密码DXjZPULLxYr17uwoI01bNLQbtFemEgo7
Level 6 → Level 7
- Level Goal
The password for the next level is stored somewhere on the server and has all of the following properties:
owned by user bandit7
owned by group bandit6
33 bytes in size
又是找文件,那么依然可以使用find
命令,只不过参数稍稍的改变
1 | find / -user bandit7 -group bandit6 -size 33c 2>/dev/null |
这里-user
指定user组,-group
指定group组,-size
指定大小,后面的2>/dev/null
因为find命令在根目录下查找会经常有很多权限的报错信息,所有在linux中通常用这种方式将错误信息重定向到“黑洞中”
密码HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
Level 7 → Level 8
- Level Goal
The password for the next level is stored in the file data.txt next to the word millionth
题目说密码在单词millionth的后面,那么我们就在data.txt中搜索这个单词即可
1 | cat data.txt|grep millionth |
密码cvX2JJa4CFALtqS87jk27qwqGhBM9plV
Level 8 → Level 9
- Level Goal
The password for the next level is stored in the file data.txt and is the only line of text that occurs only once
这题是要找到出现一次的那个行,肯定用uniq
命令了,但是使用之前需要用sort
命令对文本进行排序,因为uniq
命令是通过判断上下两行是否一样来判断的,所以用sort排序一下然后在uniq就能找到唯一出现的那一行了
1 | sort data.txt|uniq -u |
这题我想了两种解法,一个是直接-u获取,还有就是-c列出出现的次数,然后从中找到是1的那一行即可
密码UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
Level 9 → Level 10
- Level Goal
The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.
这题用cat
命令之后会出现很多乱码,因此需要使用strings
命令,获取可打印的字符
1 | strings data.txt |
密码truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
Level 10 → Level 11
- Level Goal
The password for the next level is stored in the file data.txt, which contains base64 encoded data
查看文件发现是个base64的字符串,直接base64 -d
解码即可
密码IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR
Level 11 → Level 12
- Level Goal
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions
根据题目所说的字母的的顺序旋转了13个位置,就相当去26个字母的前13个位置与后13个位置调换了。那么我们就是用tr
命令进行调换
1 | cat data.txt | tr 'a-zA-Z' 'n-za-mN-ZA-M' |
Level 12 → Level 13
- Level Goal
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)
这道题比较麻烦。首先我们按照提示,在/tmp目录下创建自定义的文件夹
1 | mkdir /tmp/pino |
然后我们发现data.txt是一个hex dump文件,里面是十六进制的内容,我们可以用xxd
命令将其转换成二进制文件
1 | xxd -r data.txt > data.bin |
然后我们用file
命令看一下这个二进制是什么文件
发现是一个gzip压缩文件,那么利用mv
命令把文件重命名
1 | mv data.bin data.gz |
然后用gzip -d
命令解压,发现还是一个二进制文件,继续file命令查看
发现是一个bzip2压缩文件,继续重命名并解压
1 | mv data data.bz2 |
之后重复工作,后来还遇到了tar压缩文件
1 | mv data data.tar |
如此解压,最后类似,得到密码8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
Level 13 → Level 14
- Level Goal
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on
这道题我们使用bandit13用户登陆的,但是题目说需要我们用bandit14用户登陆才能查看密码,并且给了我们ssh的私钥,那么我们就可以利用ssh -i
参数指定私钥进行登陆
1 | ssh -i sshkey.private bandit14@localhost |
登陆之后
1 | cat /etc/bandit_pass/bandit14 |
密码4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Level 14 → Level 15
- Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
根据题目要求我们要把这关的密码提交到localhost的30000端口上,那么我就想到了用telnet连接到本地的30000端口上,然后把这关的密码发送过去
密码BfMYroe26WYalil77FoDi9qh59eK5xNr
Level 15 → Level 16
- Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…
这道题用openssl
命令
这个命令不太常用,直接openssl help
查看帮助,发现命令openssl s_client help
根据帮助找到登陆命令
1 | openssl s_client -connect localhost:30001 |
将本关的密码发送过去,发现
看到了提示上面说的问题,根据提示带上参数-ign_eof
再来一遍
成功获取密码cluFn7wTiGryunymYOu4RcffSxQluehd
Level 16 → Level 17
- Level Goal
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
这道题做完之后感觉挺有意思的,首先看了一下题目要求,其实我是一脸懵逼的,本来想netstat看一下的,结果发现没权限。。。然后我就随手一发ps aux
之后,发现有个nmap的进程,给了我灵感。。。
1 | nmap localhost -p 31000-32000 |
有5个端口,但是题目说错误的端口是你发啥它回啥,于是测试了一下发现有两个端口可能是正确的,分别是31518和31790,题目又说了存在ssl服务,于是再挨个测试了一下
1 | openssl s_client -connect localhost:31518 |
发现31790是正确的
发现它返回了一个类似ssh私钥的文件,然后果断保存到一个文件中ssh.priv,这里需要在/tmp目录下创建一个自己的目录,才能写入到文件中,因为有权限管理。
再利用上一关的知识
1 | ssh -i /tmp/bandit16/ssh.priv bandit17@localhost |
成功登陆,密码在/etc/bandit_pass/bandit17
密码xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn
Level 17 → Level 18
- Level Goal
There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new
NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19
这种比较新旧的问题肯定是用diff
命令了
1 | diff passwords.old passwords.new |
密码kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
Level 18 → Level 19
- Level Goal
The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
这道题我们正常登陆的话
1 | ssh bandit18@bandit.labs.overthewire.org -p2220 |
然后我们就发现直接断开了
其实我们在ssh登陆的时候可以直接后面跟上命令,虽然被断开了,但是命令还是可以执行的,我们在后面加上cat readme
,照常输入上一关的密码,下一关的密码就会显示出来的
密码IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
Level 19 → Level 20
- Level Goal
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.
这题也不知道要我们做什么,反正就莫名其妙的得到密码了
密码GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Level 20 → Level 21
- Level Goal
There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
NOTE: Try connecting to your own network daemon to see if it works as you think
题目说这个suconnect程序会连接到我们指定的端口,并且读取内容并于bandit20的密码进行比较,如果相同的话就返回下一关的密码
我们知道密码是存放在/etc/bandit_pass/bandit20这个文件中的,因此我们就在本地开启一个端口,并且把密码发送到这个端口,然后我们在用这个程序连接到这个端口中就可以成功了。
1 | nc -l 2333 < /etc/bandit_pass/bandit20 & |
这里我在命令后面加了&符号,可以让这条命令在后台执行,这样我们就可以继续执行./suconnect 2333
命令来连接2333端口了
获取密码gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
Level 21 → Level 22
- Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
按照提示到/etc/cron.d目录下查看cronjob_bandit22的定时任务
最后获取密码Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
Level 22 → Level 23
- Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
解题看下图
密码jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
Level 23 → Level 24
- Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…
这道题先看一下contab文件
分析一下知道定时任务会执行/usr/bin/cronjob_bandit24.sh这个文件
shell脚本的功能是执行/var/spool/bandit24中的所有文件,如果60秒内没有执行就删除所有文件.
因此思路就是我们写一个查看密码的shell脚本放到这个目录下,让他以bandit24用户来执行就好了。
1 | mkdir /tmp/bandit23 |
shell.sh的内容如下
1 | #!/bin/bash |
然后chmod 777 shell.sh
,再然后将shell.sh复制到/var/spool/bandit24目录下,等待一些时间,就会发现/tmp/bandit23/目录下多了一个pass文件,内容就是密码
密码UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
Level 24 → Level 25
- Level Goal
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.
这道题目首先nc连接一下
根据要求输入上一关的密码加空格加4位数字,果断报错了。。
所以要写脚本进行爆破。
我想到的是使用pwntools来进行爆破(CTF打多了…)
脚本如下:
1 | from pwn import * |
一个比较粗糙的爆破脚本就写好了,执行就好了
密码uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
Level 25 → Level 26
- Level Goal
Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.
这道题登陆上去后发现home目录下有一个ssh的私钥,果断ssh连接上去
1 | ssh -i ssh.private bandit26@localhost |
但是登陆之后直接就切断了
根据提示,说用户bandit26用的shell有问题,这种情况我们可以查看/etc/passwd文件
其最后一个文件是该用户登陆后执行的文件,其他用户都是/bin/bash等,但是这个用户是/usr/bin/showtext,查看一下
这里export TERM=linux
是设置终端类型是linux,然后more 了一下~/text.txt文件,之后直接exit 0退出了,所以我们ssh才连接不上去!
但是这里看到more了就会想到其实more可以执行命令的,之前博客里写过,more跟less都是可以执行命令的,在出发more的状况下输入!command这种。
但是我们直接ssh登陆的时候并没有出发more的效果,原因是因为终端太大了。。把终端缩小点即可。
然后输入!/bin/sh,尝试进入命令行模式,不过失败了。。
这里还有其他的用法,输入v,进入vim模式,其实vim模式也能执行命令,方法也是!command,但是这里也不行,因此再就是用vim特有的:e file
,vim模式下的e命令可以导入文件到编辑器内,我们知道密码的所在,因此就可以用e命令来导入密码文件
1 | :e /etc/bandit_pass/bandit26 |
密码5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z
Level 26 → Level 27
- Level Goal
Good job getting a shell! Now hurry and grab the password for bandit27!
这一关使用密码ssh登陆之后也是直接断开了,所以跟上一关套路一样,进入more模式,利用vim模式执行命令,这次不能用e来读取文件了,因为权限不够。!command也不行,!sh也不行,后来查看资料发现vim还有一种需要先设置shell的目录才行
1 | vim模式下 |
这样得到了一个shell,ls
发现有一个程序,跟以前一样,直接读取密码文件即可
密码3ba3118a22e93127a4ed485be72ef5ea
Level 27 → Level 28
- Level Goal
There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo. The password for the user bandit27-git is the same as for the user bandit27.
Clone the repository and find the password for the next level.
解题如图
密码0ef186ac70e04ea33b4c1853d2526fa2
Level 28 → Level 29
- Level Goal
There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo. The password for the user bandit28-git is the same as for the user bandit28.
Clone the repository and find the password for the next level.
跟上一关一样使用git clone
把东西下载下来,然后有一个READ.ME,查看
没什么发现
随手一个git log
,查看一下日志
从上到下为由新到旧,我们发现最新一条日志写着fix info leak
,修复信息泄露,那么我们就git show
,默认是有git diff-tree --cc
的格式,可以看到文本差异。
获得密码bbc96594b4e001778eee9975372716b2
Level 29 → Level 30
- Level Goal
There is a git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo. The password for the user bandit29-git is the same as for the user bandit29.
Clone the repository and find the password for the next level.
这道题还是老套路,git clone
一下,然后git log
、git show
都试了一下,也没啥发现,然后git branch -a
了一下,看到了有四个分支
看到了有一个dev的分支,一般dev是development开发者的分支,就切换分支看下
1 | git checkout remotes/origin/master |
发现了一些了不起的东西,git show
得到密码5b90576bedb2cc04c86a9e924ce42faf
Level 30 → Level 31
Level Goal
There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo. The password for the user bandit30-git is the same as for the user bandit30.
Clone the repository and find the password for the next level.
git show-ref
可以现实本地存储库的所有可用的引用以及关联的提交ID
这里有一个敏感的secret字眼,直接git show f17132340e8ee6c159e0a4a6bc6f80e1da3b1aea
,得到密码47e603bb428404d265f59c42920d81e5
Level 31 → Level 32
- Level Goal
There is a git repository at ssh://bandit31-git@localhost/home/bandit31-git/repo. The password for the user bandit31-git is the same as for the user bandit31.
Clone the repository and find the password for the next level.
本题要求我们把key.txt文件push到远程服务器上。
首先按照要求创建key.txt
1 | echo 'May I come in ?' > key.txt |
然后
1 | git add -f key.txt |
这里git commit
会打开nano编辑器,具体如何操作自行百度
之后git push
即可
得到密码56a9bf19c63d650ce78e6ec0354ee45e
Level 32 → Level 33
After all this git stuff its time for another esape. Good luck!
执行uppershell发现他会把输入的命令变成大写之后再执行,导致命令并不能正常执行。因此我们可以写一个名字为大写的shell文件
TEST文件
1 | #!/bin/bash |
这样就能获取到bandit33的bash了
密码c9c3199ddf4121b10cf581a98d51caee
Level 33 → Level 34
结束啦~~