Breif

Bandit是一個(gè)學(xué)習(xí)linux命令的WarGame，通過(guò)闖關(guān)的模式，不斷的學(xué)習(xí)新的命令，對(duì)于程序員亦或者安全愛(ài)好者來(lái)說(shuō)都是一個(gè)不錯(cuò)的學(xué)習(xí)平臺(tái)，網(wǎng)址是 http://overthewire.org/wargames/bandit/ 分享給大家～

[文章已同步至個(gè)人博客，歡迎閱讀～]

Level 0 → Level 1

• Level Goal

The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.

The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.
第一關(guān)直接ssh登陸就好了

ssh bandit0@bandit.labs.overthewire.org -p 2220
密碼：bandit0

直接查看readme得到密碼boJ9jbbUNNfktd78OOpsqOltutMc3MY1

bandit0

Level 1 → Level 2

• Level Goal
  The password for the next level is stored in a file called - located in the home directory

利用上一關(guān)得到的密碼ssh登陸

ssh bandit1@bandit.labs.overthewire.org -p 2220

ls發(fā)現(xiàn)文件名是一個(gè)-，但是這個(gè)在linux中有特殊意義導(dǎo)致直接cat不好用

bandit1

cat ./-

密碼是CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

Level 2 → Level 3

• Level Goal
  The password for the next level is stored in a file called spaces in this filename located in the home directory
  這道題文件名中有空格，可以用雙引號(hào)把文件名包裹起來(lái)

cat "spaces in this filename"

bandit2

Level 3 → Level 4

• Level Goal
  The password for the next level is stored in a hidden file in the inhere directory.

如題，文件是隱藏文件，在linux中，文件名前面有.的就是隱藏文件，可以使用ls -a來(lái)顯示

bandit3

Level 4 → Level 5

• Level Goal
  The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.

本題有10個(gè)文件，題目說(shuō)是密碼在人類可讀的文件，那么就要判斷文件的類型，用file命令

file ./*

bandit4

Level 5 → Level 6

• Level Goal
  The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:

human-readable
1033 bytes in size
not executable

這道題又是一個(gè)找文件的題目，ls -R目測(cè)有好幾十個(gè)文件，一個(gè)個(gè)找肯定不現(xiàn)實(shí)，根據(jù)題目的要求，是一個(gè)人類可讀文件，并且1033字節(jié)，非可執(zhí)行文件，那么可以用find命令

find . -type f -size 1033c

解釋一下-type f指定為普通文件，-size 1033c指定為1033字節(jié)，更多的用法如下

-size n[cwbkMG] : 檔案大小 為 n 個(gè)由后綴決定的數(shù)據(jù)塊。其中后綴含義為：
b: 代表 512 位元組的區(qū)塊（如果用戶沒(méi)有指定后綴，則默認(rèn)為 b）
c: 表示字節(jié)數(shù)
k: 表示 kilo bytes （1024字節(jié)）
w: 字 （2字節(jié)）
M:兆字節(jié)（1048576字節(jié)）
G: 千兆字節(jié) （1073741824字節(jié)）
-type c : 檔案類型是 c 。
d: 目錄
c: 字型裝置檔案
b: 區(qū)塊裝置檔案
p: 具名貯列
f: 一般檔案
l: 符號(hào)連結(jié)
s: socket

最后找到了目標(biāo)文件

bandit4

Level 6 → Level 7

• Level Goal
  The password for the next level is stored somewhere on the server and has all of the following properties:

owned by user bandit7
owned by group bandit6
33 bytes in size

又是找文件，那么依然可以使用find命令，只不過(guò)參數(shù)稍稍的改變

find / -user bandit7 -group bandit6 -size 33c 2>/dev/null

這里-user指定user組，-group指定group組，-size指定大小，后面的2>/dev/null因?yàn)閒ind命令在根目錄下查找會(huì)經(jīng)常有很多權(quán)限的報(bào)錯(cuò)信息，所有在linux中通常用這種方式將錯(cuò)誤信息重定向到“黑洞中”

bandit6

Level 7 → Level 8

• Level Goal
  The password for the next level is stored in the file data.txt next to the word millionth

題目說(shuō)密碼在單詞millionth的后面，那么我們就在data.txt中搜索這個(gè)單詞即可

cat data.txt|grep millionth

bandit7

Level 8 → Level 9

• Level Goal
  The password for the next level is stored in the file data.txt and is the only line of text that occurs only once

這題是要找到出現(xiàn)一次的那個(gè)行，肯定用uniq命令了，但是使用之前需要用sort命令對(duì)文本進(jìn)行排序，因?yàn)?code>uniq命令是通過(guò)判斷上下兩行是否一樣來(lái)判斷的，所以用sort排序一下然后在uniq就能找到唯一出現(xiàn)的那一行了

sort data.txt|uniq -u
sort data.txt|uniq -c

這題我想了兩種解法，一個(gè)是直接-u獲取，還有就是-c列出出現(xiàn)的次數(shù)，然后從中找到是1的那一行即可

bandit8

Level 9 → Level 10

• Level Goal
  The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.

這題用cat命令之后會(huì)出現(xiàn)很多亂碼，因此需要使用strings命令，獲取可打印的字符

strings data.txt

bandit9

Level 10 → Level 11

• Level Goal
  The password for the next level is stored in the file data.txt, which contains base64 encoded data

查看文件發(fā)現(xiàn)是個(gè)base64的字符串，直接base64 -d解碼即可

bandit10

Level 11 → Level 12

• Level Goal
  The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions

根據(jù)題目所說(shuō)的字母的的順序旋轉(zhuǎn)了13個(gè)位置，就相當(dāng)去26個(gè)字母的前13個(gè)位置與后13個(gè)位置調(diào)換了。那么我們就是用tr命令進(jìn)行調(diào)換

cat data.txt | tr 'a-zA-Z' 'n-za-mN-ZA-M'

bandit11

Level 12 → Level 13

• Level Goal
  The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)

這道題比較麻煩。首先我們按照提示，在/tmp目錄下創(chuàng)建自定義的文件夾

mkdir /tmp/pino
cp data.txt /tmp/pino
cd /tmp/pino
cat data.txt

然后我們發(fā)現(xiàn)data.txt是一個(gè)hex dump文件，里面是十六進(jìn)制的內(nèi)容，我們可以用xxd命令將其轉(zhuǎn)換成二進(jìn)制文件

xxd -r data.txt > data.bin

然后我們用file命令看一下這個(gè)二進(jìn)制是什么文件

image.png

mv data.bin data.gz

然后用gzip -d命令解壓，發(fā)現(xiàn)還是一個(gè)二進(jìn)制文件，繼續(xù)file命令查看

mv data data.bz2
bzip -d data.bz2

之后重復(fù)工作，后來(lái)還遇到了tar壓縮文件

mv data data.tar
tar -xvf data.tar

如此解壓，最后類似，得到密碼8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

Level 13 → Level 14

• Level Goal
  The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on

這道題我們使用bandit13用戶登陸的，但是題目說(shuō)需要我們用bandit14用戶登陸才能查看密碼，并且給了我們ssh的私鑰，那么我們就可以利用ssh -i參數(shù)指定私鑰進(jìn)行登陸

ssh -i sshkey.private bandit14@localhost

登陸之后

cat  /etc/bandit_pass/bandit14

bandit13

Level 14 → Level 15

• Level Goal
  The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

根據(jù)題目要求我們要把這關(guān)的密碼提交到localhost的30000端口上，那么我就想到了用telnet連接到本地的30000端口上，然后把這關(guān)的密碼發(fā)送過(guò)去

Level 15 → Level 16

• Level Goal
  The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…

這道題用openssl命令
這個(gè)命令不太常用，直接openssl help查看幫助，發(fā)現(xiàn)命令openssl s_client help
根據(jù)幫助找到登陸命令

openssl s_client -connect localhost:30001

將本關(guān)的密碼發(fā)送過(guò)去，發(fā)現(xiàn)

Level 16 → Level 17

• Level Goal
  The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

這道題做完之后感覺(jué)挺有意思的，首先看了一下題目要求，其實(shí)我是一臉懵逼的，本來(lái)想netstat看一下的，結(jié)果發(fā)現(xiàn)沒(méi)權(quán)限。。。然后我就隨手一發(fā)ps aux之后，發(fā)現(xiàn)有個(gè)nmap的進(jìn)程，給了我靈感。。。

nmap localhost -p 31000-32000

有5個(gè)端口，但是題目說(shuō)錯(cuò)誤的端口是你發(fā)啥它回啥，于是測(cè)試了一下發(fā)現(xiàn)有兩個(gè)端口可能是正確的，分別是31518和31790，題目又說(shuō)了存在ssl服務(wù)，于是再挨個(gè)測(cè)試了一下

openssl s_client -connect localhost:31518
openssl s_client -connect localhost:31790

發(fā)現(xiàn)31790是正確的

發(fā)現(xiàn)它返回了一個(gè)類似ssh私鑰的文件，然后果斷保存到一個(gè)文件中ssh.priv，這里需要在/tmp目錄下創(chuàng)建一個(gè)自己的目錄，才能寫(xiě)入到文件中，因?yàn)橛袡?quán)限管理。
再利用上一關(guān)的知識(shí)

ssh -i /tmp/bandit16/ssh.priv bandit17@localhost

成功登陸，密碼在/etc/bandit_pass/bandit17
密碼xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn

Level 17 → Level 18

• Level Goal
  There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new

NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19

這種比較新舊的問(wèn)題肯定是用diff命令了

diff passwords.old passwords.new

Level 18 → Level 19

• Level Goal
  The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

這道題我們正常登陸的話

ssh bandit18@bandit.labs.overthewire.org -p2220

然后我們就發(fā)現(xiàn)直接斷開(kāi)了

其實(shí)我們?cè)趕sh登陸的時(shí)候可以直接后面跟上命令，雖然被斷開(kāi)了，但是命令還是可以執(zhí)行的，我們?cè)诤竺婕由?code>cat readme，照常輸入上一關(guān)的密碼，下一關(guān)的密碼就會(huì)顯示出來(lái)的

Level 19 → Level 20

• Level Goal
  To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

這題也不知道要我們做什么，反正就莫名其妙的得到密碼了

Level 20 → Level 21

• Level Goal
  There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: Try connecting to your own network daemon to see if it works as you think

題目說(shuō)這個(gè)suconnect程序會(huì)連接到我們指定的端口，并且讀取內(nèi)容并于bandit20的密碼進(jìn)行比較，如果相同的話就返回下一關(guān)的密碼
我們知道密碼是存放在/etc/bandit_pass/bandit20這個(gè)文件中的，因此我們就在本地開(kāi)啟一個(gè)端口，并且把密碼發(fā)送到這個(gè)端口，然后我們?cè)谟眠@個(gè)程序連接到這個(gè)端口中就可以成功了。

nc -l 2333 < /etc/bandit_pass/bandit20 &

這里我在命令后面加了&符號(hào)，可以讓這條命令在后臺(tái)執(zhí)行，這樣我們就可以繼續(xù)執(zhí)行./suconnect 2333命令來(lái)連接2333端口了

Level 21 → Level 22

• Level Goal
  A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

按照提示到/etc/cron.d目錄下查看cronjob_bandit22的定時(shí)任務(wù)

Level 22 → Level 23

• Level Goal
  A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.

解題看下圖

密碼jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n

Level 23 → Level 24

• Level Goal
  A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!

NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…

這道題先看一下contab文件

分析一下知道定時(shí)任務(wù)會(huì)執(zhí)行/usr/bin/cronjob_bandit24.sh這個(gè)文件
shell腳本的功能是執(zhí)行/var/spool/bandit24中的所有文件，如果60秒內(nèi)沒(méi)有執(zhí)行就刪除所有文件.
因此思路就是我們寫(xiě)一個(gè)查看密碼的shell腳本放到這個(gè)目錄下，讓他以bandit24用戶來(lái)執(zhí)行就好了。

mkdir /tmp/bandit23
chmod 777 /tmp/bandit23
cd /tmp/bandit23
vim shell.sh

shell.sh的內(nèi)容如下

#!/bin/bash
cat /etc/bandit_pass/bandit24 >> /tmp/bandit/pass

然后chmod 777 shell.sh，再然后將shell.sh復(fù)制到/var/spool/bandit24目錄下，等待一些時(shí)間，就會(huì)發(fā)現(xiàn)/tmp/bandit23/目錄下多了一個(gè)pass文件，內(nèi)容就是密碼

Level 24 → Level 25

• Level Goal
  A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.

這道題目首先nc連接一下

根據(jù)要求輸入上一關(guān)的密碼加空格加4位數(shù)字，果斷報(bào)錯(cuò)了。。
所以要寫(xiě)腳本進(jìn)行爆破。
我想到的是使用pwntools來(lái)進(jìn)行爆破（CTF打多了...）
腳本如下:

from pwn import *

r = remote('localhost', 30002)
for i in range(0, 10):
    for j in range(0, 10):
        for k in range(0, 10):
            for p in range(0, 10):
                flag = str(i) + str(j) + str(k) + str(p)
                s = "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ "+ flag
                r.sendline(s)
                response = r.recvline()
                if 'Wrong!' not in response:
                    print 'Correct! ' + response

一個(gè)比較粗糙的爆破腳本就寫(xiě)好了，執(zhí)行就好了

Level 25 → Level 26

• Level Goal
  Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.

這道題登陸上去后發(fā)現(xiàn)home目錄下有一個(gè)ssh的私鑰，果斷ssh連接上去

ssh -i ssh.private bandit26@localhost

但是登陸之后直接就切斷了
根據(jù)提示，說(shuō)用戶bandit26用的shell有問(wèn)題，這種情況我們可以查看/etc/passwd文件

:e /etc/bandit_pass/bandit26

Level 26 → Level 27

• Level Goal
  Good job getting a shell! Now hurry and grab the password for bandit27!

這一關(guān)使用密碼ssh登陸之后也是直接斷開(kāi)了，所以跟上一關(guān)套路一樣，進(jìn)入more模式，利用vim模式執(zhí)行命令，這次不能用e來(lái)讀取文件了，因?yàn)闄?quán)限不夠。!command也不行，!sh也不行，后來(lái)查看資料發(fā)現(xiàn)vim還有一種需要先設(shè)置shell的目錄才行

vim模式下
:set shell=/bin/sh
:sh

這樣得到了一個(gè)shell,ls發(fā)現(xiàn)有一個(gè)程序，跟以前一樣，直接讀取密碼文件即可

Level 27 → Level 28

• Level Goal
  There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo. The password for the user bandit27-git is the same as for the user bandit27.

Clone the repository and find the password for the next level.

解題如圖

Level 28 → Level 29

• Level Goal
  There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo. The password for the user bandit28-git is the same as for the user bandit28.

Clone the repository and find the password for the next level.

跟上一關(guān)一樣使用git clone把東西下載下來(lái)，然后有一個(gè)READ.ME，查看

Level 29 → Level 30

• Level Goal
  There is a git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo. The password for the user bandit29-git is the same as for the user bandit29.

Clone the repository and find the password for the next level.

這道題還是老套路，git clone一下，然后git log、git show都試了一下，也沒(méi)啥發(fā)現(xiàn)，然后git branch -a了一下，看到了有四個(gè)分支

git checkout remotes/origin/master

Level 30 → Level 31

Level Goal
There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo. The password for the user bandit30-git is the same as for the user bandit30.

Clone the repository and find the password for the next level.

git show-ref可以現(xiàn)實(shí)本地存儲(chǔ)庫(kù)的所有可用的引用以及關(guān)聯(lián)的提交ID

Level 31 → Level 32

• Level Goal
  There is a git repository at ssh://bandit31-git@localhost/home/bandit31-git/repo. The password for the user bandit31-git is the same as for the user bandit31.

Clone the repository and find the password for the next level.

本題要求我們把key.txt文件push到遠(yuǎn)程服務(wù)器上。
首先按照要求創(chuàng)建key.txt

echo 'May I come in ?' > key.txt

然后

git add -f key.txt
git commit

這里git commit會(huì)打開(kāi)nano編輯器，具體如何操作自行百度
之后git push即可
得到密碼56a9bf19c63d650ce78e6ec0354ee45e

Level 32 → Level 33

After all this git stuff its time for another esape. Good luck!

執(zhí)行uppershell發(fā)現(xiàn)他會(huì)把輸入的命令變成大寫(xiě)之后再執(zhí)行，導(dǎo)致命令并不能正常執(zhí)行。因此我們可以寫(xiě)一個(gè)名字為大寫(xiě)的shell文件
TEST文件

#!/bin/bash
bash

這樣就能獲取到bandit33的bash了

Level 33 → Level 34

結(jié)束啦～～