Fork me on GitHub

wargame-bandit

Posted on | In , ,

练习网址

0x-1 Level 0

The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.

1
2
ssh bandit0@bandit.labs.overthewire.org -p 2220
bandit0

0x00 Level 0 → Level 1

The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.

1
2
3
4
ssh bandit0@bandit.labs.overthewire.org -p 2220
bandit0
ls
cat readme

1
boJ9jbbUNNfktd78OOpsqOltutMc3MY1

0x01 Level 1 → Level 2

The password for the next level is stored in a file called - located in the home directory

1
2
ls
cat ./-

1
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

0x02 Level 2 → Level 3

The password for the next level is stored in a file called spaces in this filename located in the home directory

1
2
ls
cat "spaces in this filename"

1
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

0x03 Level 3 → Level 4

The password for the next level is stored in a hidden file in the inhere directory.

1
2
3
4
ls
cd inhere
ls -a
cat ./.hidden

1
pIwrPrtPN36QITSp3EQaw936yaFoFgAB

0x04 Level 4 → Level 5

The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.

1
2
3
4
5
ls
cd inhere
ls -a
file ./*
cat ./-file07

1
koReBOKuIDDepwhWk7jZC0RTdopnAYKh

0x05 Level 5 → Level 6

The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:
human-readable
1033 bytes in size
not executable

1
2
3
4
5
ls
cd inhere
ls
find . -type f -size 1033c
cat ./maybehere07/.file2

1
DXjZPULLxYr17uwoI01bNLQbtFemEgo7

0x06 Level 6 → Level 7

The password for the next level is stored somewhere on the server and has all of the following properties:
owned by user bandit7
owned by group bandit6
33 bytes in size

1
2
3
ls
find / -user bandit7 -group bandit6 -size 33c 2>/dev/null
cat /var/lib/dpkg/info/bandit7.password

1
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

0x07 Level 7 → Level 8

The password for the next level is stored in the file data.txt next to the word millionth

1
2
3
4
ls
cat data.txt|grep millionth
* grep: 用于查找文件里符合条件的字符串。
* |:  上一条命令的输出,作为下一条命令参数

1
cvX2JJa4CFALtqS87jk27qwqGhBM9plV

0x08 Level 8 → Level 9

The password for the next level is stored in the file data.txt and is the only line of text that occurs only once

1
2
3
4
5
ls
sort data.txt|uniq -u
* sort: 可针对文本文件的内容,以行为单位来排序。
* uniq 可检查文本文件中重复出现的行列
-u或--unique 仅显示出一次的行列

1
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

0x09 Level 9 → Level 10

The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.

1
2
3
ls
strings data.txt|grep =
* strings: 在对象文件或二进制文件中查找可打印的字符串

1
truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk

0x10 Level 10 → Level 11

The password for the next level is stored in the file data.txt, which contains base64 encoded data

1
2
3
ls
cat data.txt
cat data.txt|base64 -d

1
IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

0x11 Level 11 → Level 12

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions

1
2
3
4
ls
cat data.txt
cat data.txt|tr 'a-zA-Z' 'n-za-mN-ZA-M'
*  tr:  “Text Replacer”,该命令用于进行文本替换,从标准输入中通过替换或删除操作进行字符转换

1
5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

0x12 Level 12 → Level 13

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)

1
2
3
4
5
6
7
8
9
10
* xxd -r data.txt data.bin
十六进制文件转二进制格式
* mv data.bin data.gz
文件重命名
* gzip -d data.gz
gzip类型文件解压
* bzip2 -d data.bz
bzip2类型文件解压
* tar -xvf data.tar
tar类型文件解压

1
8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

0x13 Level 13 → Level 14

The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on

1
2
ssh -i sshkey.private bandit14@localhost
cat /etc/bandit_pass/bandit14

1
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

0x14 Level 14 → Level 15

The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

1
telnet localhost 30000

1
BfMYroe26WYalil77FoDi9qh59eK5xNr

0x15 Level 15 → Level 16

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…

1
2
3
4
openssl s_client -connect localhost:30001 -ign_eof
* openssl s_client -connect host:port:设置服务器地址和端口号
如果没有设置,则默认为本地主机以及端口号4433。
* -ign_eof:当输入文件到达文件尾的时候并不断开连接。

1
cluFn7wTiGryunymYOu4RcffSxQluehd

0x16 Level 16 → Level 17

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

1
2
3
4
5
6
7
8
9
nmap localhost -p 31000-32000
openssl s_client -connect localhost:31790
mkdir /tmp/hf1dw
cd /tmp/hf1dw
touch 1.priv
chmod 777 1.priv
vim 1.priv
chmod 600 1.priv
ssh -i 1.priv bandit17@localhost

执行完直接就到了第17关了
(A_A)>>???密码在/etc/bandit_pass/bandit17

1
xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn

0x17 Level 17 → Level 18

There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new

NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19

1
diff passwords.new  passwords.old

1
kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd

0x18 Level 18 → Level 19

The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

1
2
ssh bandit18@bandit.labs.overthewire.org -p 2220 ls
ssh bandit18@bandit.labs.overthewire.org -p 2220 cat readme

1
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

0x19 Level 19 → Level 20

To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

1
2
ls -l
./bandit20-do cat /etc/bandit_pass/bandit20

1
GbKksEFF4yrVs6il55v6gwY5aVje5f0j

0x20 Level 20 → Level 21

There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: Try connecting to your own network daemon to see if it works as you think

1
2
ls
echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | nc -l -p 12312 & ./suconnect 12312

1
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr

0x21 Level 21 → Level 22

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

1
2
3
4
5
6
ls
cd /etc/cron.d/
ls
cat cronjob_bandit22
cat /usr/bin/cronjob_bandit22.sh
cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

1
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

0x22 Level 22 → Level 23

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.

1
2
3
4
5
6
cd /etc/cron.d/
ls
cat cronjob_bandit23
cat /usr/bin/cronjob_bandit23.sh
echo I am user bandit23 | md5sum | cut -d ' ' -f 1
cat /tmp/8ca319486bfbbc3663ea0fbe81326349

1
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n

0x23 Level 23 → Level 24

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!

NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
cd  /etc/cron.d/
ls
cat cronjob_bandit24
cat /usr/bin/cronjob_bandit24.sh
mkdir /tmp/hf1dw2
cd ..
chmod 777 hf1dw2
cd hf1dw2
touch shell.sh
chmod 777 shell.sh
vim shell.sh

#!/bin/bash
cat /etc/bandit_pass/bandit24 >> /tmp/hf1dw2/password

cp shell.sh /var/spool/bandit24
wait..........
cat password

1
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

0x24 Level 24 → Level 25

A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
cd /tmp/hf1dw2
touch 24.py
chmod 777 24.py
vim 24.py

from pwn import *

r = remote('localhost', 30002)
for i in range(0, 10):
    for j in range(0, 10):
        for k in range(0, 10):
            for p in range(0, 10):
                flag = str(i) + str(j) + str(k) + str(p)
                s = "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ "+ flag
#注意空格字母与数字衔接处的空格
                r.sendline(s)
                response = r.recvline()
                if 'Wrong!' not in response:
                    print 'Correct! ' + response

这个不知为何爆破很慢,没等下去,借别人的结果一用。。。。

1
uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

0x25 Level 25 → Level 26

Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.

1
2
3
4
5
6
7
ls
ssh -i bandit26.sshkey bandit26@localhost
cat /etc/passwd |grep bandit26
cat /usr/bin/showtext
缩小终端,再次执行ssh -i bandit26.sshkey bandit26@localhost
v 
:e /etc/bandit_pass/bandit26

1
5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z

0x26 Level 26 → Level 27

Good job getting a shell! Now hurry and grab the password for bandit27!

1
2
3
4
5
6
7
8
ssh登录
缩小终端
ssh登录
v
:set shell=/bin/sh
:sh
ls
./bandit27-do cat /etc/bandit_pass/bandit27

1
3ba3118a22e93127a4ed485be72ef5ea

0x27 Level 27 → Level 28

There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo. The password for the user bandit27-git is the same as for the user bandit27.

Clone the repository and find the password for the next level.

1
2
3
4
5
6
cd /tmp/hf1dw2
git clone ssh://bandit27-git@localhost/home/bandit27-git/repo
输入26-27得到的密码
cd repo
ls
cat README

1
0ef186ac70e04ea33b4c1853d2526fa2

0x28 Level 28 → Level 29

There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo. The password for the user bandit28-git is the same as for the user bandit28.

1
2
3
4
5
6
7
8
9
10
mkdir /tmp/hf1dw3
cd /tmp/hf1dw3
git clone ssh://bandit28-git@localhost/home/bandit28-git/repo
cd repo
cat README.md
git log
git show

git log --pretty   列出文件的所有改动历史
git show   打印出来针对文件的所有的改动历史

1
bbc96594b4e001778eee9975372716b2

0x29 Level 29 → Level 30

There is a git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo. The password for the user bandit29-git is the same as for the user bandit29.

Clone the repository and find the password for the next level.

1
2
3
4
5
6
7
git branch -a
git checkout remotes/origin/dev
git log
git show

git branch -a   查看当前所有分支
git checkout filename   清空当前工作区的修改,如果缓冲区有数据,就恢复成缓冲区,如果没有就恢复成上一个提交的版本

1
5b90576bedb2cc04c86a9e924ce42faf

0x30 Level 30 → Level 31

There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo. The password for the user bandit30-git is the same as for the user bandit30.

Clone the repository and find the password for the next level.

1
2
3
4
git show-ref
git show f17132340e8ee6c159e0a4a6bc6f80e1da3b1aea

git-show-ref  - 在本地存储库中列出引用,显示本地存储库中可用的引用以及关联的提交ID。

1
47e603bb428404d265f59c42920d81e5

0x31 Level 31 → Level 32

There is a git repository at ssh://bandit31-git@localhost/home/bandit31-git/repo. The password for the user bandit31-git is the same as for the user bandit31.

Clone the repository and find the password for the next level.

1
2
3
4
5
6
7
8
9
10
11
cat README.md
echo 'May I come in?' > key.txt
git add -f key.txt
git commit -m 'key.txt'
git push


添加操作是Git是最基本操作之一,当你在工作区(working directory)进行内容改动后,需要add操作,将文件添加到暂存区(index),然后再commit,改动的内容才在本地仓库(local repository,或者也叫版本库)中生效,之后你才能push到远程仓库(remote repository),让你的工作被团队中其他人共享到。

 git commit -m “message”
-m 参数表示可以直接输入后面的“message”,如果不加 -m参数,那么是不能直接输入message的,而是会调用一个编辑器一般是vim来让你输入这个message

1
56a9bf19c63d650ce78e6ec0354ee45e

0x32 Level 32 → Level 33

After all this git stuff its time for another escape. Good luck!

1
2
$0
cat /etc/bandit_pass/bandit33

1
c9c3199ddf4121b10cf581a98d51caee

0x33 Level 33 → Level 34

At this moment, level 34 does not exist yet.

资料:
git中文开发手册
linux下git常用命令
write_up1
write_up2