OverTheWire-Bandit

赏光霁
2023-12-01

Bandit

https://overthewire.org/wargames/bandit/

The first 33 Bandit levels mainly cover the following topics:

  • Reading files (~:bandit12): filenames beginning with - or containing spaces; finding files of a given size or that are human-readable; sorting the lines of a file, base64 decoding, character rotation; decompressing files.

  • Network connections (bandit13:bandit20): SSH login with a private key and running a command over SSH; connecting and listening with nc; SSL-encrypted connections; nmap scanning; privilege elevation through a setuid program.

  • Cron jobs (bandit21:bandit23): reading and writing simple shell scripts

  • Connecting to a port with Python sockets (bandit24)

  • Opening a file, and a shell, from vim (bandit25:bandit26)

  • Using git (bandit27:bandit31)

  • $0 (bandit32)

This post covers only the key operations, not the complete walkthrough of each level.

1. bandit2: filename containing -

You have to specify the directory the - file lives in:

cat ./-

2. bandit3: filename containing spaces

Create: touch 'firstname secondname'
Read: cat 'linoxide docs' or cat file\ name\ with\ spaces

3. bandit4: find the human-readable file in the current directory

xargs file runs the file command on every path produced by the previous step:

find . -type f | xargs file | grep text

4. bandit5
  • human-readable
  • 1033 bytes in size
  • not executable

find . -size 1033c -not -executable
5. bandit6
  • owned by user bandit7
  • owned by group bandit6
  • 33 bytes in size

find . -size 33c -group bandit6 -user bandit7

6. bandit7

grep "millionth" data.txt
cat data.txt | grep "millionth"

7. bandit8

The password for the next level is stored in the file data.txt and is the only line of text that occurs only once.

sort data.txt | uniq -u
8. bandit9

The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.

strings data.txt | grep -E "=+"
9. bandit10

The password for the next level is stored in the file data.txt, which contains base64 encoded data.

cat data.txt | base64 --decode
10. bandit11

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions

cat data.txt | tr 'n-za-mN-ZA-M' 'a-zA-Z'
11. bandit12

Some of the decompression commands used:
mv data data2.gz
gzip -d data2.gz
bzip2 -d data3.bz2
tar -xf data5.tar

8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
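As an added example (not code from the original post or from OverTheWire), the bandit12 procedure generalised in Python: parse_xxd reverses the hexdump, and unpack_all peels gzip, bzip2 and tar layers by their magic bytes instead of guessing from filenames, with an upper bound on the number of layers; the sample dump in build_sample is constructed here and the password inside it is made up.

```python
import bz2, gzip, io, tarfile

def parse_xxd(text):  # reverse an xxd dump (bandit12's data.txt format) into raw bytes
    out = bytearray()
    for line in text.splitlines():
        if ":" in line:
            # only the fixed-width hex field after the offset is read, so the
            # trailing ASCII column can never be mistaken for hex digits
            out += bytes.fromhex(line.split(":", 1)[1][:40].replace(" ", ""))
    return bytes(out)

def unpack_layer(data):  # strip one layer, chosen by magic bytes rather than filename
    if data[:2] == b"\x1f\x8b":
        return "gzip", gzip.decompress(data)
    if data[:3] == b"BZh":
        return "bzip2", bz2.decompress(data)
    if data[257:262] == b"ustar":
        with tarfile.open(fileobj=io.BytesIO(data)) as tf:
            return "tar", tf.extractfile(tf.getmembers()[0]).read()
    return "plain", data

def unpack_all(data, max_layers=32):  # peel layers until plain data remains
    layers = []
    for _ in range(max_layers):
        kind, data = unpack_layer(data)
        if kind == "plain":
            return data, layers
        layers.append(kind)
    raise ValueError("more than %d layers, refusing to continue" % max_layers)

def to_xxd(data):  # xxd-style dump, 16 bytes per line, used to build the sample
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%08x: %-39s  %s" % (off, hexpart, text))
    return "\n".join(lines)

def build_sample(secret=b"constructed-sample-password\n"):
    # constructed input, not from the game: gzip(bzip2(tar(gzip(secret)))) dumped with xxd
    inner = gzip.compress(secret)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo(name="data4.bin")
        info.size = len(inner)
        tf.addfile(info, io.BytesIO(inner))
    return to_xxd(gzip.compress(bz2.compress(buf.getvalue())))
```

Run unpack_all(parse_xxd(build_sample())) to get the payload together with the list of layers removed, outermost first.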

12. bandit13

The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on

ssh bandit14@localhost -i sshkey.private
After logging in as bandit14:
cat /etc/bandit_pass/bandit14

4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

13. bandit14

The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

echo "4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e" | nc localhost 30000

BfMYroe26WYalil77FoDi9qh59eK5xNr

14. bandit15

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

echo "BfMYroe26WYalil77FoDi9qh59eK5xNr" | openssl s_client -connect localhost:30001 -ign_eof

cluFn7wTiGryunymYOu4RcffSxQluehd

15. bandit16

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

nmap -p31000-32000 localhost -A
mkdir /tmp/wulongc
echo "cluFn7wTiGryunymYOu4RcffSxQluehd" | openssl s_client -connect localhost:31790 -ign_eof > /tmp/wulongc/bandit17.key

The credential for the next stage is an RSA private key. Save it under the tmp directory, delete the parts that are not the key, set the file permissions to 600, then connect with it:

vim /tmp/wulongc/bandit17.key
chmod 600 /tmp/wulongc/bandit17.key
ssh bandit17@localhost -i /tmp/wulongc/bandit17.key
16. bandit17

There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new

diff passwords.new passwords.old

kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd

17. bandit18

The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

ssh bandit18@bandit.labs.overthewire.org -p 2220 "cat ~/readme"

IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

18. bandit19

To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

bandit20-do has permissions rwsr-x---. The s means the setuid bit is set: it lets a user execute the file with the permissions of the file's owner, which is mainly used to elevate the current user's privileges.

A setuid program can switch between the UID of the user that invoked it (bandit19) and the UID of the executable's owner (bandit20), so it can be used to read bandit20's password:

./bandit20-do cat /etc/bandit_pass/bandit20

GbKksEFF4yrVs6il55v6gwY5aVje5f0j

19. bandit20

There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

First, set up a simple TCP server listening on port 61337 and leave the process in the background. echo supplies bandit20's password to whatever connects to the server; -l puts nc in listen mode; -p specifies the port; & runs the process in the background:

echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | nc -l localhost -p 61337 &

Then run the setuid binary against that port:

./suconnect 61337

gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr

20. bandit21

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

cat /usr/bin/cronjob_bandit22.sh
Keep cat-ing: each file points to the next one to read.

Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

21. bandit22

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

The level gives the script below, so the key is what mytarget evaluates to. $myname is bandit23; running the command yields 8ca319486bfbbc3663ea0fbe81326349:

#!/bin/bash
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget

Hence:

cat /tmp/8ca319486bfbbc3663ea0fbe81326349

jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n

22. bandit23

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        owner="$(stat --format "%U" ./$i)"
        if [ "${owner}" = "bandit23" ]; then
            timeout -s 9 60 ./$i
        fi
        rm -f ./$i
    fi
done

This requires writing your own script that reads the password and placing it under /var/spool/bandit24. Write the script in a tmp directory first, set the permissions, then copy it over:

mkdir /tmp/wulongch
cd /tmp/wulongch
vim bandit24_pass
vim a.sh

Contents of a.sh:

#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/wulongch/bandit24_pass

Change permissions and copy:

chmod 777 a.sh
chmod 777 bandit24_pass
cp a.sh /var/spool/bandit24/a.sh

After about a minute the cron job has executed the script and the password is in /tmp/wulongch/bandit24_pass:

UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

23. bandit24

A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.

A Python script is needed to brute-force the pincode:

import socket

password = "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ"

# Connect to the daemon on port 30002
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("127.0.0.1", 30002))

# Print the welcome message
welcome_msg = s.recv(2048)
print(welcome_msg.decode())

# Try every 4-digit pincode on the same connection
for pincode in range(10000):
    pincode_string = str(pincode).zfill(4)
    message = password + " " + pincode_string + "\n"
    # Send "<password> <pin>" and read the reply (bytes, so decode before matching)
    s.sendall(message.encode())
    receive_msg = s.recv(1024).decode()
    # Check result: any reply other than "Wrong" carries the next password
    if "Wrong" in receive_msg:
        print("Wrong PINCODE: %s" % pincode_string)
    else:
        print(receive_msg)
        break

s.close()

uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

24. bandit25

Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.

bandit26.sshkey is provided, but the connection drops immediately after login.

Looking at cat /etc/passwd shows that the other levels use /bin/bash, but bandit26 uses /usr/bin/showtext.

Contents of /usr/bin/showtext:

#!/bin/sh

export TERM=linux

more ~/text.txt
exit 0

To stay at the step before exit 0 while logging in as bandit26, instead of being disconnected immediately, make use of more.

First, shrink the terminal window so that when you log in to bandit26 over ssh, the large bandit26 ASCII-art banner forces more to pause with a prompt before continuing the output:

ssh -i bandit26.sshkey -t bandit26@localhost cat text.txt

Once the more prompt appears, press v to open vim; the file open is still text.txt. Because you are logged in as bandit26, entering the vim open-file command :e /etc/bandit_pass/bandit26 shows the password.

5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z

25. bandit26

Good job getting a shell! Now hurry and grab the password for bandit27!

In the vim session from the previous level:

:set shell=/bin/bash

then press Shift+: and type shell (the :shell command) to get a shell:

./bandit27-do cat /etc/bandit_pass/bandit27

3ba3118a22e93127a4ed485be72ef5ea

26. bandit27
git clone ssh://bandit27-git@localhost/home/bandit27-git/repo

0ef186ac70e04ea33b4c1853d2526fa2

27. bandit28
git clone ssh://bandit28-git@localhost/home/bandit28-git/repo

README.md contains only:

# Bandit Notes
Some notes for level29 of bandit.

## credentials

- username: bandit29
- password: xxxxxxxxxx

Use git log -p to view the changes across the commit history; it shows the README went through a commit that added the password and a later one that removed it.

bbc96594b4e001778eee9975372716b2

28. bandit29

The commit history on other branches has to be inspected. git branch shows the current branch, git branch -r lists all remote branches, git checkout dev switches to the dev branch, and finally git log -p reveals the password in the commit history.

5b90576bedb2cc04c86a9e924ce42faf

29. bandit30
git tag # lists the tags; a tag labels a commit and in practice is usually used for version marks like 1.0, 2.0
git show secret # shows the commit the tag points at

47e603bb428404d265f59c42920d81e5

30. bandit31

README contents:

This time your task is to push a file to the remote repository.

Details:
    File name: key.txt
    Content: 'May I come in?'
    Branch: master

echo "May I come in?" > key.txt
cat .gitignore # *.txt is deliberately ignored
rm .gitignore
git add key.txt # take the modified file from the working tree and put that version into the staging area
git commit -m "file" # take everything in the staging area and create a permanent snapshot of the repository state under a unique identifier
git push origin master

56a9bf19c63d650ce78e6ec0354ee45e

31. bandit32

$0 can be used to invoke the shell:

https://unix.stackexchange.com/questions/280454/what-is-the-meaning-of-0-in-the-bash-shell

$0
cat /etc/bandit_pass/bandit33

c9c3199ddf4121b10cf581a98d51caee
