# Bandit Walkthrough
0x00 Introduction
=================
* * *
overthewire是一个wargame网站,网址:http://overthewire.org/wargames/。其中bandit是最简单的系列,主要是考察一些基本的Linux操作。作为一个Linux初学者,我花了两个星期左右把它“通关”了。下面逐关讲解。网上也能搜到很多相关攻略,所以这篇文章一部分目的是为了进行一下复习。想看直接看密码的可以直接跳到最后。
Level 0->Levle 1
================
* * *
“`
Level Goal
The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.
“`
这一关不用多说,直接ssh连接上目标主机,ssh命令可以直接谷歌。
“`
ssh bandit.labs.overthewire.org -l bandit0
“`
然后密码在readme里面。
Level 1 → Level 2
=================
* * *
“`
Level Goal
The password for the next level is stored in a file called – located in the home directory
“`
这一关主要是cat的使用,但是因为文件名是一个’-‘,所以不能直接cat。根据下面提示直接谷歌,输入以下命令解决。
“`
cat ./-
“`
得到密码 CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
Level 2 → Level 3
=================
* * *
“`
Level Goal
The password for the next level is stored in a file called spaces in this filename located in the home directory
“`
这一关是文件名有空格,直接加双引号。
“`
cat “spaces in this filename”
“`
Level 3 → Level 4
=================
* * *
“`
Level Goal
The password for the next level is stored in a hidden file in the inhere directory.
“`
这一关是一个隐藏文件,直接利用ll -a命令。不多说。
Level 4 → Level 5
=================
* * *
“`
Level Goal
The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.
“`
这一关就是不断使用cat ./-file0x然后观察,最后发现在-file07里面。
Level 5 → Level 6
=================
* * *
“`
Level Goal
The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties: – human-readable – 1033 bytes in size – not executable
“`
这一关是关于find和du命令的使用。由于文件具有1033的大小,通过找男人(man)命令查看du的手册,发现可以通过
“`
du -ab | grep 1033
“`
命令可以发现要找的文件就是 inhere/maybehere07/.file2 然后cat就可以了。
Level 6 → Level 7
=================
* * *
“`
Level Goal
The password for the next level is stored somewhere on the server and has all of the following properties: – owned by user bandit7 – owned by group bandit6 – 33 bytes in size
“`
仍然是find和du的使用。查看find的手册,用以下命令可以达到目的:
“`
find -group bandit6 -user bandit7 -size 33c
“`
以上命令就是根据题目所给的条件进行筛选,具体查看手册33c表示是33bytes。
Level 7 → Level 8
=================
* * *
“`
Level Goal
The password for the next level is stored in the file data.txt next to the word millionth
“`
这一关是grep的使用。直接
“`
grep millionth data.txt
“`
就可得到密码。这个题目里面密码和匹配模式在同一行,所以可以直接grep。如果并不是在同一行还要加其他参数。其实这道题我解的时候直接cat,然后不小心就看到了密码(data.txt比较短)(逃。
Level 8 → Level 9
=================
* * *
“`
Level Goal
The password for the next level is stored in the file data.txt and is the only line of text that occurs only once
“`
这一关难度增加了一点点,不过毕竟是基础训练。这里要用到“管道”的知识,具体请谷歌^^; 直接用:
“`
sort data.txt | uniq -u
“`
轻松搞定。
Level 9 → Level 10
==================
* * *
“`
Level Goal
The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.
“`
仍然是grep的应用。如果仅仅是想过关的话也可以人肉搜索。如果用grep的话可以这样
“`
cat data.txt | grep == -a
“`
加-a是为了让grep强行将文件判定为文本文档。
Level 10 → Level 11
===================
* * *
“`
Level Goal
The password for the next level is stored in the file data.txt, which contains base64 encoded data
“`
既然说了是base64,那就:
“`
base64 data.txt -d
“`
好,下一关
Level 11 → Level 12
===================
* * *
“`
Level Goal
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions
“`
这是一个移位13位的凯撒密码,最初我是用python来解密的,后来谷歌了一下用shell也可以
“`
echo “The Quick Brown Fox Jumps Over The Lazy Dog” | tr ‘A-Za-z’ ‘N-ZA-Mn-za-m’
“`
在这个题目则可以这样
“`
cat data.txt | tr ‘A-Za-z’ ‘N-ZA-Mn-za-m’
“`
所以shell脚本有时候还是挺好用的。ps:tr是translate的缩写。
Level 12 → Level 13
===================
* * *
“`
Level Goal
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)
“`
这关主要是考察各种解包工具的使用。首先将hexdump还原成文件:
“`
xdd -d data.txt > out
“`
然后接下来不断用file命令和对应的解包命令就可以了,boring…
Level 13 → Level 14
===================
* * *
“`
Level Goal
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on
“`
这一关是SSH命令的另一种用法。之前我们都是用密码登录的,这次要用私钥登录。并没有什么难度,加上-i选项后面跟上密钥文件就可以了。
Level 14 → Level 15
===================
* * *
“`
Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
“`
这一关要求你想本机30000端口发送这一关的密码来获取下一关的密码。可以通过各种方法实现,比如自己写程序。当然也可以使用netcat实现这一功能。
“`
nc localhost 30000 < /etc/bandit_pass/bandit14
```
Level 15 → Level 16
===================
* * *
```
Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
```
这一关换了一个花样,要求使用ssl加密来传输密码。可以使用s_client命令。
```
openssl s_client -connect localhost:30001 -quiet /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
“`
看来密码就在/tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv这个文件里面
Bandit Level 22 → Level 23
==========================
* * *
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
仍然是cron。进入刚才的目录,然后看下cronjob_bandit23的内容,仍然是一段脚本,看脚本内容:
“`
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ‘ ‘ -f 1)
echo “Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget”
cat /etc/bandit_pass/$myname > /tmp/$mytarget
“`
看来脚本是将bandit23的密码存进了/tmp/$mytarget文件里面,关键就是找出mytarget的值。为了得出这个值,可将脚本copy一份,将myname=bandit23。然后将后面两行去掉,直接echo mytarget就可得到存储密码的文件名。
Level 23 → Level 24
===================
“`
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
“`
废话不多说,直接看脚本内容:
“`
myname=$(whoami)
cd /var/spool/$myname
echo “Executing and deleting all scripts in /var/spool/$myname:”
for i in * .*;
do
if [ “$i” != “.” -a “$i” != “..” ];
then
echo “Handling $i”
timeout -s 9 60 “./$i”
rm -f “./$i”
fi
done
“`
可以看出来以上脚本会将/var/spool/bandit24文件夹下的所有文件执行一遍并清除。根据crontab可知每分钟执行一次。那就好办了,我们将写好的脚本放入这个文件夹,bandit24每分钟就会执行脚本,而这个脚本具有bandit24的权限。恩,你懂的。
“`
cat /etc/bandit_pass/bandit24 > /tmp/save/pass
“`
先在/tmp下新建save文件夹,chmod 777 ,然后将以上脚本放入上述文件夹里面,等一分钟。泡一杯咖啡,丁!去/tmp/save/文件夹下可以看见pass。如果发现没有任何东西,请考虑权限问题(chmod)。
Bandit Level 24 → Level 25
“`
Level Goal
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinaties, called brute-forcing.
“`
这是比较有意思的一关,写一个脚本进行穷举,于是我一开始写了一下这个:
“`
pass=UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
for i in $(seq 0 9999)
do
if
echo $pass $i| nc localhost 30002 | grep Wrong>/dev/null
then
echo $i
else
echo $pass $i| nc localhost 30002 > result
break
fi
done
“`
运行这个脚本,然后你就可以去打几把DOTA了,反正我是挂了一晚上。。。。。 这样当然不行啊,所以就有了后来的改进版本:
“`
pass=UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
for i in $(seq 0 9999)
do {
if
echo $pass $i| nc localhost 30002 | grep Wrong > /dev/null
then
echo $i
else
echo $pass $i| nc localhost 30002 > result
exit
fi
}&
done
wait
“`
这里用了&和wait实现了伪多线程。&表示可以并行执行,wait表示父进程等待子进程执行完毕。 这样果然快多了 ,只用了几分钟就搞定了。
然而这个脚本并不能在找到正确的密码的时候停止,这个就作为思考题吧。
Level 25 → Level 26
===================
* * *
“`
Level Goal
Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.
“`
这道题,,额,,只能说脑冻好大。
用home目录下的sshkey登陆,Oops:
“`
_ _ _ _ ___ __
| | | (_) | |__ \ / /
| |__ __ _ _ __ __| |_| |_ ) / /_
| ‘_ \ / _` | ‘_ \ / _` | | __| / / ‘_ \
| |_) | (_| | | | | (_| | | |_ / /| (_) |
|_.__/ \__,_|_| |_|\__,_|_|\__|____\___/
“`
扔给我这样一个东西。。。 坑爹呢!
“`
grep bandit26 /etc/passwd
“`
运行以上命令,
“`
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
“`
那么/usr/bin/showtext又是什么鬼
“`
more ~/text.txt
exit 0
“`
好吧,原来是这样,用的是more程序。
step1:将终端窗口缩小到只有两行
step2:登陆
step3:这时More会阻塞(因为没有显示完)
step4:按v键,进入vim编辑器
step5::r /etc/bandit_pass/bandit26
我真是太tm机智了。
附录
==
* * *
“`
level2:UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
level3:pIwrPrtPN36QITSp3EQaw936yaFoFgAB
level4:koReBOKuIDDepwhWk7jZC0RTdopnAYKh
level5:DXjZPULLxYr17uwoI01bNLQbtFemEgo7
level6:HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
level7:cvX2JJa4CFALtqS87jk27qwqGhBM9plV
level8:UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
level9:truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
level10:IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR
level11:5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
level12:8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
level13:ssh bandit14@localhost -i sshkey.private
level14:BfMYroe26WYalil77FoDi9qh59eK5xNr
level15:cluFn7wTiGryunymYOu4RcffSxQluehd
level17:kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
level18:IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
level19:GbKksEFF4yrVs6il55v6gwY5aVje5f0j
level20:gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
level21:Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
level22:jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
level23:UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
level24:uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
level25:5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z
“`
请登录后查看评论内容