Bandit Walkthrough

wyzsk發表於2020-08-19
作者: Nikkko · 2015/05/25 15:26

0x00 Introduction

overthewire是一個wargame網站,網址:http://overthewire.org/wargames/。其中bandit是最簡單的系列,主要是考察一些基本的Linux操作。作為一個Linux初學者,我花了兩個星期左右把它“通關”了。下面逐關講解。網上也能搜到很多相關攻略,所以這篇文章一部分目的是為了進行一下複習。想看直接看密碼的可以直接跳到最後。

Level 0->Levle 1

Level Goal

The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.

這一關不用多說,直接ssh連線上目標主機,ssh命令可以直接谷歌。

ssh  bandit.labs.overthewire.org -l bandit0

然後密碼在readme裡面。

Level 1 → Level 2

Level Goal

The password for the next level is stored in a file called - located in the home directory

這一關主要是cat的使用,但是因為檔名是一個'-',所以不能直接cat。根據下面提示直接谷歌,輸入以下命令解決。

cat ./-

得到密碼 CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

Level 2 → Level 3

Level Goal

The password for the next level is stored in a file called spaces in this filename located in the home directory

這一關是檔名有空格,直接加雙引號。

cat "spaces in this filename"

Level 3 → Level 4

Level Goal

The password for the next level is stored in a hidden file in the inhere directory.

這一關是一個隱藏檔案,直接利用ll -a命令。不多說。

Level 4 → Level 5

Level Goal

The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.

這一關就是不斷使用cat ./-file0x然後觀察,最後發現在-file07裡面。

Level 5 → Level 6

Level Goal

The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties: - human-readable - 1033 bytes in size - not executable

這一關是關於find和du命令的使用。由於檔案具有1033的大小,透過找男人(man)命令檢視du的手冊,發現可以透過

du -ab | grep 1033

命令可以發現要找的檔案就是 inhere/maybehere07/.file2 然後cat就可以了。

Level 6 → Level 7

Level Goal

The password for the next level is stored somewhere on the server and has all of the following properties: - owned by user bandit7 - owned by group bandit6 - 33 bytes in size

仍然是find和du的使用。檢視find的手冊,用以下命令可以達到目的:

    find -group bandit6 -user bandit7 -size 33c

以上命令就是根據題目所給的條件進行篩選,具體檢視手冊33c表示是33bytes。

Level 7 → Level 8

Level Goal

The password for the next level is stored in the file data.txt next to the word millionth

這一關是grep的使用。直接

grep millionth data.txt

就可得到密碼。這個題目裡面密碼和匹配模式在同一行,所以可以直接grep。如果並不是在同一行還要加其他引數。其實這道題我解的時候直接cat,然後不小心就看到了密碼(data.txt比較短)(逃。

Level 8 → Level 9

Level Goal

The password for the next level is stored in the file data.txt and is the only line of text that occurs only once

這一關難度增加了一點點,不過畢竟是基礎訓練。這裡要用到“管道”的知識,具體請谷歌^^; 直接用:

sort data.txt | uniq -u

輕鬆搞定。

Level 9 → Level 10

Level Goal

The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.

仍然是grep的應用。如果僅僅是想過關的話也可以人肉搜尋。如果用grep的話可以這樣

cat data.txt | grep == -a

加-a是為了讓grep強行將檔案判定為文字文件。

Level 10 → Level 11

Level Goal

The password for the next level is stored in the file data.txt, which contains base64 encoded data

既然說了是base64,那就:

base64 data.txt -d

好,下一關

Level 11 → Level 12

Level Goal

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions

這是一個移位13位的凱撒密碼,最初我是用python來解密的,後來谷歌了一下用shell也可以

echo "The Quick Brown Fox Jumps Over The Lazy Dog" | tr 'A-Za-z' 'N-ZA-Mn-za-m'

在這個題目則可以這樣

 cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'

所以shell指令碼有時候還是挺好用的。ps:tr是translate的縮寫。

Level 12 → Level 13

Level Goal

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)

這關主要是考察各種解包工具的使用。首先將hexdump還原成檔案:

xdd -d data.txt > out

然後接下來不斷用file命令和對應的解包命令就可以了,boring...

Level 13 → Level 14

Level Goal

The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on

這一關是SSH命令的另一種用法。之前我們都是用密碼登入的,這次要用私鑰登入。並沒有什麼難度,加上-i選項後面跟上金鑰檔案就可以了。

Level 14 → Level 15

Level Goal

The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

這一關要求你想本機30000埠傳送這一關的密碼來獲取下一關的密碼。可以透過各種方法實現,比如自己寫程式。當然也可以使用netcat實現這一功能。

nc localhost 30000 < /etc/bandit_pass/bandit14

Level 15 → Level 16

Level Goal

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

這一關換了一個花樣,要求使用ssl加密來傳輸密碼。可以使用s_client命令。

 openssl s_client -connect localhost:30001 -quiet </etc/bandit_pass/bandit15

至於為什麼要用-quiet,請看man。

Level 16 → Level 17

Level Goal

The password for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next password, the others will simply send back to you whatever you send to it.

Oops,這次題目只給了一個埠範圍,那就可以用namp來掃描一下。推薦看一下nmap的man,內容很詳細,也介紹了一些掃描的原理。

首先,掃描一下:

nmap -A -p31000-32000 localhost

得到以下結果:

PORT      STATE SERVICE VERSION
31046/tcp open  echo
31518/tcp open  msdtc   Microsoft Distributed Transaction Coordinator (error)
31691/tcp open  echo
31790/tcp open  msdtc   Microsoft Distributed Transaction Coordinator (error)
31960/tcp open  echo

我們可以看到兩種服務型別,一種是echo,顧名思義就是直接將你發給他的東西扔回來。那另外一種服務就是我們關心的了。我們嘗試分別給這兩個埠傳送密碼。

然後我們發現31790埠是我們想要的,得到如下key:

#!bash
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=

-----END RSA PRIVATE KEY-----

這個就是SSL的私鑰,將它儲存起來,用ssh連線。。。然後你會發現Ooops!

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

好吧,看來還要修改許可權,用chmod 400修改檔案的許可權,然後成功進入下一關。

Level 17 → Level 18

Level Goal

There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new

考察diff命令的用法,恩,我想不用多說了。

Level 18 → Level 19

Level Goal

The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

這一關你無法正常登陸,但是沒關係,ssh支援直接執行命令,既然我們知道密碼就存在~/readme裡面,那就容易了。

ssh localhost -l bandit18 "cat ~/readme"

Level 19 → Level 20

Level Goal

To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used to setuid binary.

目錄下面有一個bandit20-do的程式,可以以bandit20的許可權執行命令,那麼我們就可以藉此來檢視bandit20的密碼:

./bandit20-do cat /etc/bandit_pass/bandit20

Bandit Level 20 → Level 21

Level Goal

There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

這次要分兩步,先用nc執行一個程式進行監聽,讓程式來連線。

nc localhost 40000 -l < /etc/bandit_pass/bandit20

埠任意

然後用本關給的程式進行連線:

 ./suconnect 40000

Level 21 → Level 22

Level Goal

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

這一關開始就要用到cron相關的程式,cron就是相當於任務計劃之類的東西。 進入/etc/cron.d目錄。發現好多檔案。剛開始我直接傻眼了,在這一關卡了好久。後來直接找與bandit21關最相近的檔案,那就是cronjob_bandit22。cat一下,裡面是執行一段指令碼。看下指令碼里面的內容

cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

看來密碼就在/tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv這個檔案裡面

Bandit Level 22 → Level 23

Level Goal

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

仍然是cron。進入剛才的目錄,然後看下cronjob_bandit23的內容,仍然是一段指令碼,看指令碼內容:

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget

看來指令碼是將bandit23的密碼存進了/tmp/$mytarget檔案裡面,關鍵就是找出mytarget的值。為了得出這個值,可將指令碼copy一份,將myname=bandit23。然後將後面兩行去掉,直接echo mytarget就可得到儲存密碼的檔名。

Level 23 → Level 24

Level Goal

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

廢話不多說,直接看指令碼內容:

#!bash

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        timeout -s 9 60 "./$i"
     rm -f "./$i"
    fi
done

可以看出來以上指令碼會將/var/spool/bandit24資料夾下的所有檔案執行一遍並清除。根據crontab可知每分鐘執行一次。那就好辦了,我們將寫好的指令碼放入這個資料夾,bandit24每分鐘就會執行指令碼,而這個指令碼具有bandit24的許可權。恩,你懂的。

cat /etc/bandit_pass/bandit24 > /tmp/save/pass

先在/tmp下新建save資料夾,chmod 777 ,然後將以上指令碼放入上述資料夾裡面,等一分鐘。泡一杯咖啡,丁!去/tmp/save/資料夾下可以看見pass。如果發現沒有任何東西,請考慮許可權問題(chmod)。

Bandit Level 24 → Level 25

Level Goal

A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinaties, called brute-forcing.

這是比較有意思的一關,寫一個指令碼進行窮舉,於是我一開始寫了一下這個:

pass=UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
for i in $(seq 0 9999)
do
if
    echo $pass $i| nc localhost 30002 | grep Wrong>/dev/null
then
    echo $i
else

    echo $pass $i| nc localhost 30002 > result
    break
fi
done

執行這個指令碼,然後你就可以去打幾把DOTA了,反正我是掛了一晚上。。。。。 這樣當然不行啊,所以就有了後來的改進版本:

pass=UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
for i in $(seq 0 9999)
do {
if
    echo $pass $i| nc localhost 30002 | grep Wrong > /dev/null
then
    echo $i
else

    echo $pass $i| nc localhost 30002 > result
    exit
fi
}&
done
wait

這裡用了&和wait實現了偽多執行緒。&表示可以並行執行,wait表示父程式等待子程式執行完畢。 這樣果然快多了 ,只用了幾分鐘就搞定了。

然而這個指令碼並不能在找到正確的密碼的時候停止,這個就作為思考題吧。

Level 25 → Level 26

Level Goal

Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.

這道題,,額,,只能說腦凍好大。

用home目錄下的sshkey登陸,Oops:

 _                     _ _ _   ___   __
| |                   | (_) | |__ \ / /
| |__   __ _ _ __   __| |_| |_   ) / /_
| '_ \ / _` | '_ \ / _` | | __| / / '_ \
| |_) | (_| | | | | (_| | | |_ / /| (_) |
|_.__/ \__,_|_| |_|\__,_|_|\__|____\___/

扔給我這樣一個東西。。。 坑爹呢!

grep bandit26 /etc/passwd

執行以上命令,

bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext

那麼/usr/bin/showtext又是什麼鬼

#!/bin/sh

more ~/text.txt
exit 0

好吧,原來是這樣,用的是more程式。

step1:將終端視窗縮小到只有兩行

step2:登陸

step3:這時More會阻塞(因為沒有顯示完)

step4:按v鍵,進入vim編輯器

step5::r /etc/bandit_pass/bandit26

我真是太tm機智了。

附錄

level2:UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
level3:pIwrPrtPN36QITSp3EQaw936yaFoFgAB
level4:koReBOKuIDDepwhWk7jZC0RTdopnAYKh
level5:DXjZPULLxYr17uwoI01bNLQbtFemEgo7
level6:HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
level7:cvX2JJa4CFALtqS87jk27qwqGhBM9plV
level8:UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
level9:truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
level10:IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR
level11:5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
level12:8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
level13:ssh [email protected] -i sshkey.private
level14:BfMYroe26WYalil77FoDi9qh59eK5xNr
level15:cluFn7wTiGryunymYOu4RcffSxQluehd
level17:kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
level18:IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
level19:GbKksEFF4yrVs6il55v6gwY5aVje5f0j
level20:gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
level21:Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
level22:jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
level23:UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
level24:uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG 
level25:5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z
本文章來源於烏雲知識庫,此映象為了方便大家學習研究,文章版權歸烏雲知識庫!

相關文章