Breif

Bandit是一個學(xué)習(xí)linux命令的WarGame，通過闖關(guān)的模式缀匕，不斷的學(xué)習(xí)新的命令乡小，對于程序員亦或者安全愛好者來說都是一個不錯的學(xué)習(xí)平臺，網(wǎng)址是 http://overthewire.org/wargames/bandit/ 分享給大家～

[文章已同步至個人博客湃番，歡迎閱讀～]

Level 0 → Level 1

• Level Goal

The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.

The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.
第一關(guān)直接ssh登陸就好了

ssh bandit0@bandit.labs.overthewire.org -p 2220
密碼：bandit0

直接查看readme得到密碼boJ9jbbUNNfktd78OOpsqOltutMc3MY1

bandit0

Level 1 → Level 2

• Level Goal
  The password for the next level is stored in a file called - located in the home directory

利用上一關(guān)得到的密碼ssh登陸

ssh bandit1@bandit.labs.overthewire.org -p 2220

ls發(fā)現(xiàn)文件名是一個-，但是這個在linux中有特殊意義導(dǎo)致直接cat不好用

bandit1

cat ./-

密碼是CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

Level 2 → Level 3

• Level Goal
  The password for the next level is stored in a file called spaces in this filename located in the home directory
  這道題文件名中有空格，可以用雙引號把文件名包裹起來

cat "spaces in this filename"

bandit2

Level 3 → Level 4

• Level Goal
  The password for the next level is stored in a hidden file in the inhere directory.

如題削彬，文件是隱藏文件融痛，在linux中覆劈，文件名前面有.的就是隱藏文件墩崩，可以使用ls -a來顯示

bandit3

Level 4 → Level 5

• Level Goal
  The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.

本題有10個文件，題目說是密碼在人類可讀的文件，那么就要判斷文件的類型练对，用file命令

file ./*

bandit4

Level 5 → Level 6

• Level Goal
  The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:

human-readable
1033 bytes in size
not executable

這道題又是一個找文件的題目螺男，ls -R目測有好幾十個文件，一個個找肯定不現(xiàn)實(shí)淆院，根據(jù)題目的要求土辩，是一個人類可讀文件脯燃，并且1033字節(jié)辕棚，非可執(zhí)行文件扁瓢，那么可以用find命令

find . -type f -size 1033c

解釋一下-type f指定為普通文件引几，-size 1033c指定為1033字節(jié)伟桅，更多的用法如下

-size n[cwbkMG] : 檔案大小 為 n 個由后綴決定的數(shù)據(jù)塊楣铁。其中后綴含義為：
b: 代表 512 位元組的區(qū)塊（如果用戶沒有指定后綴，則默認(rèn)為 b）
c: 表示字節(jié)數(shù)
k: 表示 kilo bytes （1024字節(jié)）
w: 字 （2字節(jié)）
M:兆字節(jié)（1048576字節(jié)）
G: 千兆字節(jié) （1073741824字節(jié)）
-type c : 檔案類型是 c 溃列。
d: 目錄
c: 字型裝置檔案
b: 區(qū)塊裝置檔案
p: 具名貯列
f: 一般檔案
l: 符號連結(jié)
s: socket

最后找到了目標(biāo)文件

bandit4

Level 6 → Level 7

• Level Goal
  The password for the next level is stored somewhere on the server and has all of the following properties:

owned by user bandit7
owned by group bandit6
33 bytes in size

又是找文件，那么依然可以使用find命令雅任，只不過參數(shù)稍稍的改變

find / -user bandit7 -group bandit6 -size 33c 2>/dev/null

這里-user指定user組椿访，-group指定group組成玫，-size指定大小，后面的2>/dev/null因為find命令在根目錄下查找會經(jīng)常有很多權(quán)限的報錯信息钦勘，所有在linux中通常用這種方式將錯誤信息重定向到“黑洞中”

bandit6

Level 7 → Level 8

• Level Goal
  The password for the next level is stored in the file data.txt next to the word millionth

題目說密碼在單詞millionth的后面彻采，那么我們就在data.txt中搜索這個單詞即可

cat data.txt|grep millionth

bandit7

Level 8 → Level 9

• Level Goal
  The password for the next level is stored in the file data.txt and is the only line of text that occurs only once

這題是要找到出現(xiàn)一次的那個行岭粤，肯定用uniq命令了剃浇，但是使用之前需要用sort命令對文本進(jìn)行排序，因為uniq命令是通過判斷上下兩行是否一樣來判斷的淘讥，所以用sort排序一下然后在uniq就能找到唯一出現(xiàn)的那一行了

sort data.txt|uniq -u
sort data.txt|uniq -c

這題我想了兩種解法适揉，一個是直接-u獲取炼邀，還有就是-c列出出現(xiàn)的次數(shù)拭宁，然后從中找到是1的那一行即可

bandit8

Level 9 → Level 10

• Level Goal
  The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.

這題用cat命令之后會出現(xiàn)很多亂碼兵怯，因此需要使用strings命令媒区，獲取可打印的字符

strings data.txt

bandit9

Level 10 → Level 11

• Level Goal
  The password for the next level is stored in the file data.txt, which contains base64 encoded data

查看文件發(fā)現(xiàn)是個base64的字符串，直接base64 -d解碼即可

bandit10

Level 11 → Level 12

• Level Goal
  The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions

根據(jù)題目所說的字母的的順序旋轉(zhuǎn)了13個位置宙攻，就相當(dāng)去26個字母的前13個位置與后13個位置調(diào)換了递惋。那么我們就是用tr命令進(jìn)行調(diào)換

cat data.txt | tr 'a-zA-Z' 'n-za-mN-ZA-M'

bandit11

Level 12 → Level 13

• Level Goal
  The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)

這道題比較麻煩。首先我們按照提示贩挣，在/tmp目錄下創(chuàng)建自定義的文件夾

mkdir /tmp/pino
cp data.txt /tmp/pino
cd /tmp/pino
cat data.txt

然后我們發(fā)現(xiàn)data.txt是一個hex dump文件王财，里面是十六進(jìn)制的內(nèi)容绒净，我們可以用xxd命令將其轉(zhuǎn)換成二進(jìn)制文件

xxd -r data.txt > data.bin

然后我們用file命令看一下這個二進(jìn)制是什么文件

image.png

mv data.bin data.gz

然后用gzip -d命令解壓缤言，發(fā)現(xiàn)還是一個二進(jìn)制文件，繼續(xù)file命令查看

mv data data.bz2
bzip -d data.bz2

之后重復(fù)工作，后來還遇到了tar壓縮文件

mv data data.tar
tar -xvf data.tar

如此解壓羹唠，最后類似肉迫，得到密碼8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

Level 13 → Level 14

• Level Goal
  The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on

這道題我們使用bandit13用戶登陸的，但是題目說需要我們用bandit14用戶登陸才能查看密碼族购，并且給了我們ssh的私鑰违施，那么我們就可以利用ssh -i參數(shù)指定私鑰進(jìn)行登陸

ssh -i sshkey.private bandit14@localhost

登陸之后

cat  /etc/bandit_pass/bandit14

bandit13

Level 14 → Level 15

• Level Goal
  The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

根據(jù)題目要求我們要把這關(guān)的密碼提交到localhost的30000端口上，那么我就想到了用telnet連接到本地的30000端口上辣往，然后把這關(guān)的密碼發(fā)送過去

Level 15 → Level 16

• Level Goal
  The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…

這道題用openssl命令
這個命令不太常用，直接openssl help查看幫助许起，發(fā)現(xiàn)命令openssl s_client help
根據(jù)幫助找到登陸命令

openssl s_client -connect localhost:30001

將本關(guān)的密碼發(fā)送過去，發(fā)現(xiàn)

Level 16 → Level 17

• Level Goal
  The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

這道題做完之后感覺挺有意思的厉亏，首先看了一下題目要求爱只，其實(shí)我是一臉懵逼的窝趣，本來想netstat看一下的哑舒，結(jié)果發(fā)現(xiàn)沒權(quán)限洗鸵。膘滨。丹弱。然后我就隨手一發(fā)ps aux之后蹈矮，發(fā)現(xiàn)有個nmap的進(jìn)程泛鸟，給了我靈感北滥。。济赎。

nmap localhost -p 31000-32000

有5個端口，但是題目說錯誤的端口是你發(fā)啥它回啥壳猜，于是測試了一下發(fā)現(xiàn)有兩個端口可能是正確的统扳，分別是31518和31790，題目又說了存在ssl服務(wù)朱嘴，于是再挨個測試了一下

openssl s_client -connect localhost:31518
openssl s_client -connect localhost:31790

發(fā)現(xiàn)31790是正確的

發(fā)現(xiàn)它返回了一個類似ssh私鑰的文件级乍，然后果斷保存到一個文件中ssh.priv玫荣，這里需要在/tmp目錄下創(chuàng)建一個自己的目錄捅厂，才能寫入到文件中，因為有權(quán)限管理辙芍。
再利用上一關(guān)的知識

ssh -i /tmp/bandit16/ssh.priv bandit17@localhost

成功登陸故硅，密碼在/etc/bandit_pass/bandit17
密碼xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn

Level 17 → Level 18

• Level Goal
  There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new

NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19

這種比較新舊的問題肯定是用diff命令了

diff passwords.old passwords.new

Level 18 → Level 19

• Level Goal
  The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

這道題我們正常登陸的話

ssh bandit18@bandit.labs.overthewire.org -p2220

然后我們就發(fā)現(xiàn)直接斷開了

其實(shí)我們在ssh登陸的時候可以直接后面跟上命令腾誉，雖然被斷開了趣效，但是命令還是可以執(zhí)行的英支，我們在后面加上cat readme，照常輸入上一關(guān)的密碼楞黄，下一關(guān)的密碼就會顯示出來的

Level 19 → Level 20

• Level Goal
  To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

這題也不知道要我們做什么致盟，反正就莫名其妙的得到密碼了

Level 20 → Level 21

• Level Goal
  There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: Try connecting to your own network daemon to see if it works as you think

題目說這個suconnect程序會連接到我們指定的端口雷蹂，并且讀取內(nèi)容并于bandit20的密碼進(jìn)行比較黑低，如果相同的話就返回下一關(guān)的密碼
我們知道密碼是存放在/etc/bandit_pass/bandit20這個文件中的矛纹，因此我們就在本地開啟一個端口霜医，并且把密碼發(fā)送到這個端口，然后我們在用這個程序連接到這個端口中就可以成功了驳规。

nc -l 2333 < /etc/bandit_pass/bandit20 &

這里我在命令后面加了&符號肴敛，可以讓這條命令在后臺執(zhí)行，這樣我們就可以繼續(xù)執(zhí)行./suconnect 2333命令來連接2333端口了

Level 21 → Level 22

• Level Goal
  A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

按照提示到/etc/cron.d目錄下查看cronjob_bandit22的定時任務(wù)

Level 22 → Level 23

• Level Goal
  A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.

解題看下圖

密碼jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n

Level 23 → Level 24

• Level Goal
  A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!

NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…

這道題先看一下contab文件

分析一下知道定時任務(wù)會執(zhí)行/usr/bin/cronjob_bandit24.sh這個文件
shell腳本的功能是執(zhí)行/var/spool/bandit24中的所有文件值朋，如果60秒內(nèi)沒有執(zhí)行就刪除所有文件.
因此思路就是我們寫一個查看密碼的shell腳本放到這個目錄下，讓他以bandit24用戶來執(zhí)行就好了巩搏。

mkdir /tmp/bandit23
chmod 777 /tmp/bandit23
cd /tmp/bandit23
vim shell.sh

shell.sh的內(nèi)容如下

#!/bin/bash
cat /etc/bandit_pass/bandit24 >> /tmp/bandit/pass

然后chmod 777 shell.sh昨登，再然后將shell.sh復(fù)制到/var/spool/bandit24目錄下，等待一些時間贯底，就會發(fā)現(xiàn)/tmp/bandit23/目錄下多了一個pass文件丰辣，內(nèi)容就是密碼

Level 24 → Level 25

• Level Goal
  A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.

這道題目首先nc連接一下

根據(jù)要求輸入上一關(guān)的密碼加空格加4位數(shù)字，果斷報錯了禽捆。笙什。
所以要寫腳本進(jìn)行爆破。
我想到的是使用pwntools來進(jìn)行爆破（CTF打多了...）
腳本如下:

from pwn import *

r = remote('localhost', 30002)
for i in range(0, 10):
    for j in range(0, 10):
        for k in range(0, 10):
            for p in range(0, 10):
                flag = str(i) + str(j) + str(k) + str(p)
                s = "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ "+ flag
                r.sendline(s)
                response = r.recvline()
                if 'Wrong!' not in response:
                    print 'Correct! ' + response

一個比較粗糙的爆破腳本就寫好了胚想，執(zhí)行就好了

Level 25 → Level 26

• Level Goal
  Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.

這道題登陸上去后發(fā)現(xiàn)home目錄下有一個ssh的私鑰琐凭，果斷ssh連接上去

ssh -i ssh.private bandit26@localhost

但是登陸之后直接就切斷了
根據(jù)提示，說用戶bandit26用的shell有問題浊服，這種情況我們可以查看/etc/passwd文件

:e /etc/bandit_pass/bandit26

Level 26 → Level 27

• Level Goal
  Good job getting a shell! Now hurry and grab the password for bandit27!

這一關(guān)使用密碼ssh登陸之后也是直接斷開了金麸，所以跟上一關(guān)套路一樣，進(jìn)入more模式簿盅，利用vim模式執(zhí)行命令挥下，這次不能用e來讀取文件了，因為權(quán)限不夠桨醋。!command也不行棚瘟，!sh也不行，后來查看資料發(fā)現(xiàn)vim還有一種需要先設(shè)置shell的目錄才行

vim模式下
:set shell=/bin/sh
:sh

這樣得到了一個shell,ls發(fā)現(xiàn)有一個程序喜最，跟以前一樣偎蘸，直接讀取密碼文件即可

Level 27 → Level 28

• Level Goal
  There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo. The password for the user bandit27-git is the same as for the user bandit27.

Clone the repository and find the password for the next level.

解題如圖

Level 28 → Level 29

• Level Goal
  There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo. The password for the user bandit28-git is the same as for the user bandit28.

Clone the repository and find the password for the next level.

跟上一關(guān)一樣使用git clone把東西下載下來，然后有一個READ.ME瞬内，查看

Level 29 → Level 30

• Level Goal
  There is a git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo. The password for the user bandit29-git is the same as for the user bandit29.

Clone the repository and find the password for the next level.

這道題還是老套路，git clone一下舟陆，然后git log误澳、git show都試了一下，也沒啥發(fā)現(xiàn)秦躯，然后git branch -a了一下忆谓，看到了有四個分支

git checkout remotes/origin/master

Level 30 → Level 31

Level Goal
There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo. The password for the user bandit30-git is the same as for the user bandit30.

Clone the repository and find the password for the next level.

git show-ref可以現(xiàn)實(shí)本地存儲庫的所有可用的引用以及關(guān)聯(lián)的提交ID

Level 31 → Level 32

• Level Goal
  There is a git repository at ssh://bandit31-git@localhost/home/bandit31-git/repo. The password for the user bandit31-git is the same as for the user bandit31.

Clone the repository and find the password for the next level.

本題要求我們把key.txt文件push到遠(yuǎn)程服務(wù)器上昙沦。
首先按照要求創(chuàng)建key.txt

echo 'May I come in ?' > key.txt

然后

git add -f key.txt
git commit

這里git commit會打開nano編輯器，具體如何操作自行百度
之后git push即可
得到密碼56a9bf19c63d650ce78e6ec0354ee45e

Level 32 → Level 33

After all this git stuff its time for another esape. Good luck!

執(zhí)行uppershell發(fā)現(xiàn)他會把輸入的命令變成大寫之后再執(zhí)行载荔，導(dǎo)致命令并不能正常執(zhí)行盾饮。因此我們可以寫一個名字為大寫的shell文件
TEST文件

#!/bin/bash
bash

這樣就能獲取到bandit33的bash了

Level 33 → Level 34

結(jié)束啦～～