wargame[12-22]

wargame游戏记录 level 12 -level 22

level 12

1
2
3
4
5
6
题目信息:
Level Goal
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)x

Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd, mkdir, cp, mv, file
1
2
3
4
5
6
7
8
9
10
11
bandit12@bandit:/tmp/wyb$ ls
data.bin  data.txt
bandit12@bandit:/tmp/wyb$ rm data.bin
bandit12@bandit:/tmp/wyb$ ls
data.txt
bandit12@bandit:/tmp/wyb$ xxd -r data.txt > data.bin
bandit12@bandit:/tmp/wyb$ ls
data.bin  data.txt
bandit12@bandit:/tmp/wyb$ zcat data.bin
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
bandit12@bandit:/tmp/wyb$
  • zcat用法学习
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    zcat命令用于不真正解压缩文件,就能显示压缩包中文件的内容的场合。

    语法:

    zcat(选项) 压缩文件名

    -S:指定gzip格式的压缩包的后缀。当后缀不是标准压缩包后缀时使用此选项; 

    -c:将文件内容写到标注输出; 

    -d:执行解压缩操作; 

    -l:显示压缩包中文件的列表; 

    -L:显示软件许可信息; 

    -q:禁用警告信息; 

    -r:在目录上执行递归操作; 

    -t:测试压缩文件的完整性; 

    -V:显示指令的版本信息; 

    -l:更快的压缩速度; 

    -9:更高的压缩比。

    例如,现在不想使用gzip命令将file.gz文件解压,但是想查看其中的内容,可以执行命令:

    zcat file.gz

level 13

1
2
3
4
5
6
题目信息:
Level Goal
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on

Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
bandit14@bandit:~$ ls
bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
bandit14@bandit:~$ exit
logout
Connection to localhost closed.
bandit13@bandit:~$ ls
sshkey.private
#ssh私钥登陆
bandit13@bandit:~$ ssh  -i /home/bandit13/sshkey.private  bandit14@localhost 
Could not create directory '/home/bandit13/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)?

bandit14@bandit:~$ ls
bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
bandit14@bandit:~$ exit
logout
Connection to localhost closed.

  • #ssh指定私钥登陆


  • cat /etc/bandit_pass/bandit14

level 14

1
2
3
4
5
6
题目信息:
Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap
1
2
3
4
5
6
7
8
9
10
bandit14@bandit:~$ telnet localhost 30000
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr

Connection closed by foreign host.
bandit14@bandit:~$

level 15

1
2
3
4
5
6
7
8
题目信息:
Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…

Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
bandit15@bandit:~$ openssl s_client -connect localhost:30001 -ign_eof
CONNECTED(00000003)
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
---
Certificate chain
 0 s:/CN=localhost
   i:/CN=localhost
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICBjCCAW+gAwIBAgIEfkeLojANBgkqhkiG9w0BAQUFADAUMRIwEAYDVQQDDAls
b2NhbGhvc3QwHhcNMTkwODAzMDc0OTMxWhcNMjAwODAyMDc0OTMxWjAUMRIwEAYD
VQQDDAlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMDGwHmT
GntqHvPYiM0wm4Dsmhlmiywaj0CGZKW1Cx6ze9pH+iWXEvcnWga4Kfevqh0LJLeS
jmgE6hFRK9rTwq+q6UE0hADazxb7r8jpthnHwKyRGEtFmsFTv/JqJDk+V5cngA4Y
m4scTjF+r1Y7jQA5VkUPHy+eYoNoqRqGh7JhAgMBAAGjZTBjMBQGA1UdEQQNMAuC
CWxvY2FsaG9zdDBLBglghkgBhvhCAQ0EPhY8QXV0b21hdGljYWxseSBnZW5lcmF0
ZWQgYnkgTmNhdC4gU2VlIGh0dHBzOi8vbm1hcC5vcmcvbmNhdC8uMA0GCSqGSIb3
DQEBBQUAA4GBAEICbhntCy/wyg56HQpox3nt8YtTkr6g21P4akxso7m08u6FuyiY
t/8yd+iph6qlRDHQ+D8T4TcpflsV8YKPXIgMoJQtGkuVgqHeCfgBEJcx+T52F8aX
84l5d7tEr9XEuCPKIlf4/GL8wOQLww2a2+sjlSwa8S1XlkbC61JzPyS3
-----END CERTIFICATE-----
subject=/CN=localhost
issuer=/CN=localhost
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1019 bytes and written 269 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 9D3A3CF9CB1F514C6FADA04A4F09D8D4269FE401BA80414E06EC8427A4FAFA74
    Session-ID-ctx:
    Master-Key: 8F4CB712D8BFB9AB2624C4A4A7DFBD4BAEEE4B933C2DE4FE4DB6E5AE43AB6A09A1D37CFFEB855101D04ACF8E01DD94A7
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 6a 32 a6 c7 27 26 f0 c8-b4 75 99 96 41 ed a8 13   j2..'&...u..A...
    0010 - 0c c2 47 06 a8 8a 74 f9-4d eb 5a 94 ff ec 1a e9   ..G...t.M.Z.....
    0020 - 45 c8 19 54 7e 87 76 f7-4c ff 58 ab c2 82 26 f5   E..T~.v.L.X...&.
    0030 - da 7b e6 ac 8d 34 30 a1-b4 67 ca 39 b2 35 fc 2c   .{...40..g.9.5.,
    0040 - e6 89 57 88 df f1 ee 24-3b 5f 57 1d 53 7e a5 39   ..W....$;_W.S~.9
    0050 - 70 c1 46 23 67 52 df ef-d4 d6 e1 92 f1 74 3e 9a   p.F#gR.......t>.
    0060 - 93 ee cd 18 51 f2 3c 65-89 af 93 9b 83 37 ba 6c   ....Q.<e.....7.l
    0070 - 65 bf ee b8 82 f8 5d 1f-41 0a a8 c7 53 2b f2 c1   e.....].A...S+..
    0080 - ba b7 2e 11 4e 61 93 16-03 b7 80 8a ef 3f b6 72   ....Na.......?.r
    0090 - ac ae ca 90 3a 80 4d ce-96 15 91 4e e2 d1 b8 47   ....:.M....N...G

    Start Time: 1565698204
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: yes
---
BfMYroe26WYalil77FoDi9qh59eK5xNr
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd

closed
bandit15@bandit:~$

  • 根据提示的信息页面,了解了openssl加密发送的方式

  • openssl s_client -connect localhost:30001 -ign_eof


level 16

1
2
3
4
5
6
题目信息:
Level Goal
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap

  • 使用nmap扫描开放的端口

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60
    61
    62
    63
    64
    65
    66
    67
    68
    69
    70
    71
    72
    73
    74
    75
    76
    77
    78
    79
    80
    81
    82
    83
    84
    85
    86
    87
    88
    89
    90
    91
    92
    93
    94
    95
    96
    97
    98
    99
    100
    101
    102
    103
    104
    bandit16@bandit:~$ nc -z -v localhost  31000-32000
    localhost [127.0.0.1] 31790 (?) open
    localhost [127.0.0.1] 31518 (?) open
    bandit16@bandit:~$ openssl s_client -connect localhost:31790
    CONNECTED(00000003)
    depth=0 CN = localhost
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 CN = localhost
    verify return:1
    ---
    Certificate chain
     0 s:/CN=localhost
       i:/CN=localhost
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIICBjCCAW+gAwIBAgIEIRCKRDANBgkqhkiG9w0BAQUFADAUMRIwEAYDVQQDDAls
    b2NhbGhvc3QwHhcNMTkwODAzMTU1MTQ5WhcNMjAwODAyMTU1MTQ5WjAUMRIwEAYD
    VQQDDAlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALjLe4CV
    y7o3TByY368V/nUFggs4EXLB6OPxbM7n9XR2fP5gBBFXeqT3jaupydtSYhWXTrgP
    PqwB2Bk5v+v7twT6KZCM5ks54NgGqH8l48zzvqBFwvllQfpARfq0GTLixbrxuSmp
    w9F8efzpOfxnoMdG9zvGBSm8M+UdAiQuprVpAgMBAAGjZTBjMBQGA1UdEQQNMAuC
    CWxvY2FsaG9zdDBLBglghkgBhvhCAQ0EPhY8QXV0b21hdGljYWxseSBnZW5lcmF0
    ZWQgYnkgTmNhdC4gU2VlIGh0dHBzOi8vbm1hcC5vcmcvbmNhdC8uMA0GCSqGSIb3
    DQEBBQUAA4GBAHQ18wczrve2XIGz+hzhqZJ402L+pa5nl5ci76tTPtK0nAh4v+Ey
    UlM+XvuL5l/opTiI6/+cObNUGOEpv8kVfwdAYiTr5RlXe9mBRErQl4r3PnhZylJM
    cVD7/BsFM3uACmHVI5KRs2JSmnB4+sfZifHPxaMsLJvF6dUuHr+YC7E0
    -----END CERTIFICATE-----
    subject=/CN=localhost
    issuer=/CN=localhost
    ---
    No client certificate CA names sent
    Peer signing digest: SHA512
    Server Temp Key: X25519, 253 bits
    ---
    SSL handshake has read 1019 bytes and written 269 bytes
    Verification error: self signed certificate
    ---
    New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 1024 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-GCM-SHA384
        Session-ID: 707A6D5A01E12ADB9A3F6B493C06B469CEFECA2B1D438DC242F109F724ACE07D
        Session-ID-ctx:
        Master-Key: C2E40DF41748B855B4DD3D6EE1056452436294DD9A6182754487979AA1FD15F91FDC5D9F782203536D24A31EF153B26F
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 7200 (seconds)
        TLS session ticket:
        0000 - 5c fe f6 48 80 2f 25 d8-f9 76 de 4d a7 c5 95 a7   \..H./%..v.M....
        0010 - 04 42 9a e0 fa 8c 59 42-0c 07 60 eb 0f 2b a1 62   .B....YB..`..+.b
        0020 - f7 64 3c 9b ea fc 86 d6-0b f6 d2 4c b7 51 91 1c   .d<........L.Q..
        0030 - 9c c1 09 b2 ad 4a be 68-f9 2e 61 e5 77 75 d5 b9   .....J.h..a.wu..
        0040 - 43 b3 30 40 c8 0d d0 72-95 db 68 79 f0 14 a4 46   C.0@...r..hy...F
        0050 - cf cc 1d 10 d2 81 ec f2-0f 95 2c 65 72 e2 ee 7a   ..........,er..z
        0060 - ba 01 44 85 33 d2 01 29-b9 a4 14 d4 ac 86 1b f7   ..D.3..)........
        0070 - f2 8d a6 ff 6f 4b 83 b7-95 b3 97 39 40 d9 81 8c   ....oK.....9@...
        0080 - 07 60 50 2e 6d ac b1 4c-1c 4f 06 df 00 c0 90 d9   .`P.m..L.O......
        0090 - f4 70 96 d1 3e 93 5a 3c-65 6e f0 a5 b3 24 ae 11   .p..>.Z<en...$..

        Start Time: 1565698923
        Timeout   : 7200 (sec)
        Verify return code: 18 (self signed certificate)
        Extended master secret: yes
    ---
    cluFn7wTiGryunymYOu4RcffSxQluehd
    Correct!
    -----BEGIN RSA PRIVATE KEY-----
    MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
    imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
    Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
    DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
    JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
    x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
    KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
    J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
    d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
    YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
    vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
    +TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
    8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
    SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
    HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
    SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
    R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
    Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
    R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
    L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
    blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
    YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
    77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
    dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
    vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
    -----END RSA PRIVATE KEY-----

    closed
    bandit16@bandit:~$

  • 保存返回的密钥到文件,但只能在/tmp/目录下才有写入权限,用于登陆下一题



1
2
3
4
5
6
7
8
9
10
11
12
13
14
bandit17@bandit:/home$ cd ..
bandit17@bandit:/$ ls
bin  boot  cgroup2  dev  etc  home  initrd.img  initrd.img.old  lib  lib32  lib64  libx32  lost+found  media  mnt  opt  proc  README.txt  root  run  sbin  share  srv  sys  tmp  usr  var  vmlinuz  vmlinuz.old
bandit17@bandit:/$ cd etc
bandit17@bandit:/etc/bandit_pass$ ls
bandit0  bandit10  bandit12  bandit14  bandit16  bandit18  bandit2   bandit21  bandit23  bandit25  bandit27  bandit29  bandit30  bandit32  bandit4  bandit6  bandit8
bandit1  bandit11  bandit13  bandit15  bandit17  bandit19  bandit20  bandit22  bandit24  bandit26  bandit28  bandit3   bandit31  bandit33  bandit5  bandit7  bandit9
bandit17@bandit:/etc/bandit_pass$ cat bandit17
xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn
bandit17@bandit:/etc/bandit_pass$ cat bandit18
cat: bandit18: Permission denied
bandit17@bandit:/etc/bandit_pass$ cat bandit16
cat: bandit16: Permission denied
bandit17@bandit:/etc/bandit_pass$

level 17

1
2
3
4
5
6
7
8
题目信息:
Level Goal
There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new

NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19

Commands you may need to solve this level
cat, grep, ls, diff
1
2
3
4
5
6
7
passwords.new  passwords.old
bandit17@bandit:~$ diff passwords.new passwords.old
42c42
< kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
---
> hlbSBPAWJmL6WFDb06gpTx1pPButblOA
bandit17@bandit:~$
1
key: kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd

level 18

1
2
3
4
5
6
题目信息:
Level Goal
The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

Commands you may need to solve this level
ssh, ls, cat
  • 刚连接就断开了,所以需要将需要执行的命令添加在连接命令后面
1
2
3
4
5
6
7
8
9
10
11
➜  ~ ssh bandit18@bandit.labs.overthewire.org -p2220 "ls"
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit18@bandit.labs.overthewire.org's password:
readme
➜  ~ ssh bandit18@bandit.labs.overthewire.org -p2220 "cat readme"
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit18@bandit.labs.overthewire.org's password:
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
➜  ~

level 19

1
2
3
题目信息:
Level Goal
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

  • 连接后发现有个可执行文件,题目提示了下题密码位置,于是尝试看看能不能命令执行,一试果然可以!

  • 中途有点傻逼,本身就是19题,我还查看了19题密码,没权限,才想起来,是需要查看20题密码,23333333!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
bandit19@bandit:~$ ls
bandit20-do
bandit19@bandit:~$ file *
bandit20-do: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=8e941f24b8c5cd0af67b22b724c57e1ab92a92a1, not stripped
bandit19@bandit:~$ ./bandit20-do
Run a command as another user.
  Example: ./bandit20-do id
bandit19@bandit:~$ ./bandit20-do  cat /etc/bandit_pass
cat: /etc/bandit_pass: Is a directory
bandit19@bandit:~$ ./bandit20-do  ls /etc/bandit_pass
bandit0  bandit10  bandit12  bandit14  bandit16  bandit18  bandit2   bandit21  bandit23  bandit25  bandit27  bandit29  bandit30  bandit32  bandit4  bandit6  bandit8
bandit1  bandit11  bandit13  bandit15  bandit17  bandit19  bandit20  bandit22  bandit24  bandit26  bandit28  bandit3   bandit31  bandit33  bandit5  bandit7  bandit9
bandit19@bandit:~$ ./bandit20-do  ls /etc/bandit_pass/bandit19
/etc/bandit_pass/bandit19
bandit19@bandit:~$ ./bandit20-do  cat /etc/bandit_pass/bandit19
cat: /etc/bandit_pass/bandit19: Permission denied
bandit19@bandit:~$ ./bandit20-do  cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
bandit19@bandit:~$

level 20

1
2
3
4
5
6
7
8
题目信息:
Level Goal
There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: Try connecting to your own network daemon to see if it works as you think

Commands you may need to solve this level
ssh, nc, cat, bash, screen, tmux, Unix ‘job control’ (bg, fg, jobs, &, CTRL-Z, …)
  • 使用screen 开启一个后台发送上一题密码,并监听
    1
    2
    bandit20@bandit:~$ echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | nc -lp 12333
    bandit20@bandit:~$
  • 使用ctrl+A+D 将screen进入后台,此时执行程序到刚才坚挺的端口,./suconnect 12333,进行密码比较,相同基于输出密码
    1
    2
    3
    4
    bandit20@bandit:~$ ./suconnect 12333
    Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
    Password matches, sending next password
    bandit20@bandit:~$
  • 得到下一题密码
    1
    2
    bandit20@bandit:~$ echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | nc -lp 12333
    gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr

level 21

1
2
3
4
5
6
题目信息:
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

Commands you may need to solve this level
cron, crontab, crontab(5) (use “man 5 crontab” to access this)
  • cron定时任务,找到定时文件,找到写入的文件便找到密码
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    bandit21@bandit:/etc/cron.d$ ls
    cronjob_bandit22  cronjob_bandit23  cronjob_bandit24
    bandit21@bandit:/etc/cron.d$ cat cronjob_bandit22
    @reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
    * * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
    bandit21@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit22.sh
    #!/bin/bash
    chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
    cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
    bandit21@bandit:/etc/cron.d$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
    Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
    bandit21@bandit:/etc/cron.d$

level 22

1
2
3
4
5
6
7
8
9
题目信息:
Bandit Level 22 → Level 23
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.

Commands you may need to solve this level
cron, crontab, crontab(5) (use “man 5 crontab” to access this)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
bandit22@bandit:~$ ls
bandit22@bandit:~$ cd /etc/cron.d/
bandit22@bandit:/etc/cron.d$ ls
cronjob_bandit22  cronjob_bandit23  cronjob_bandit24
bandit22@bandit:/etc/cron.d$ cat cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
bandit22@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget
bandit22@bandit:/etc/cron.d$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349
bandit22@bandit:/etc/cron.d$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
bandit22@bandit:/etc/cron.d$

谢谢你请我吃糖果

支付宝
微信

扫一扫,分享到微信

微信分享二维码