Wargame – Bandit 0-33 Walkthrough

The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.
ssh -p2220 bandit0@bandit.labs.overthewire.org

After a successful login the OverTheWire logo is displayed.

Level 0

The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.

Level 1

The password for the next level is stored in a file called  located in the home directory

Level 2

The password for the next level is stored in a file called spaces in this filename located in the home directory

Level 3

The password for the next level is stored in a hidden file in the inhere directory.

Level 4

The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.

Level 5

The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties: human-readable, 1033 bytes in size, not executable.

Level 6

The password for the next level is stored somewhere on the server and has all of the following properties: owned by user bandit7, owned by group bandit6, 33 bytes in size.

Level 7

The password for the next level is stored in the file data.txt next to the word millionth

Level 8

The password for the next level is stored in the file data.txt and is the only line of text that occurs only once

Level 9

The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.

Level 10

The password for the next level is stored in the file data.txt, which contains base64 encoded data

Level 11

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions

ROT13 decoding: http://www.rot13.de/index.php

The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

Level 12

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)

Viewing data.txt with head shows that it is a hexdump; the original file is data2.bin.

Create the directory /tmp/12, copy the file there, and use xxd to recover the file contents, saving them as data2.bin.

The file command shows that the file type is gzip-compressed data.

The basic idea is to run file on each decompressed result to identify its type, then convert the format and decompress again, repeating until a readable file is obtained.
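As an added example (not code from the original writeup), the loop just described, scripted: after recovering the binary from the hexdump with xxd as above, each layer is identified by its magic bytes instead of the file command, so it also runs where file is not installed, and gzip, bzip2 and tar layers are peeled off until a plain payload remains. The function names, the layerN file names and the sample data are constructed for this demo.

```shell
#!/bin/sh
# Added example: peel nested compression layers (Bandit Level 12 style).
# Layers are identified by magic bytes rather than `file`.
# Usage: unwrap_layers <input-file> <work-dir>; prints the path of the payload.

layer_type() {
    # Inspect the first bytes of a file and print gzip / bzip2 / tar / other.
    magic=$(head -c 3 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        1f8b*)  echo gzip ;;
        425a68) echo bzip2 ;;            # the ASCII string "BZh"
        *)
            # POSIX/GNU tar archives carry "ustar" at byte offset 257.
            if [ "$(dd if="$1" bs=1 skip=257 count=5 2>/dev/null)" = "ustar" ]; then
                echo tar
            else
                echo other
            fi ;;
    esac
}

unwrap_layers() {
    src=$1; work=$2
    mkdir -p "$work"
    cp "$src" "$work/layer0"
    cur="$work/layer0"; n=0
    while :; do
        n=$((n + 1)); next="$work/layer$n"
        case "$(layer_type "$cur")" in
            gzip)  gzip -dc "$cur" > "$next" ;;
            bzip2) bzip2 -dc "$cur" > "$next" ;;
            tar)
                # Extract into a scratch dir and take the single member inside.
                mkdir -p "$work/tar$n"
                tar -xf "$cur" -C "$work/tar$n"
                mv "$(find "$work/tar$n" -type f | head -n 1)" "$next" ;;
            other) echo "$cur"; return 0 ;;   # no known wrapper left: payload
        esac
        cur=$next
    done
}
```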

Level 13

The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on

Use ssh -i to specify the private key when logging in.

As bandit14, read the password at that path.

Level 14

The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

Send the login password obtained in Level 13 to get the login password for the next level.

Level 15

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption. Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…

SSL encryption is required: send the password to local port 30001, using the -ign_eof option.

Sending the login password returns the login password for the next level.

Level 16

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

Port scanning and service identification: the nmap command works on the target machine, so nmap is installed there.

Use nmap localhost -A -p31000-32000 to scan the ports and identify the services.

Two of the ports are SSL-related.

Testing shows that port 31518 returns exactly what is sent to it.

Port 31790 returns a private key file.

Create a new key file and save the contents into it; because of permissions it has to live under /tmp/.

Then the private key file's permissions must be changed, otherwise SSH reports a permissions problem.

Change the permissions with chmod 600 16.priv, then connect with SSH.

Read the password from the path.

Level 17

There are 2 files in the home directory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new
NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19

Compare the differences between the two files.

Level 18

The password for the next level is stored in a file readme in the home directory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

The connection is closed automatically right after connecting.

Appending the command ls -ll to the ssh connection still produces output, which shows a readme file.

Using cat readme the same way shows the next level's password directly.

Level 19

To gain access to the next level, you should use the setuid binary in the home directory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

The file at this path can only be accessed as user bandit20.

Level 20

There is a setuid binary in the home directory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
NOTE: Try connecting to your own network daemon to see if it works as you think

Open two SSH connections. In the first, run echo 'password' | nc -l -p 12345 to serve the password on port 12345 and listen there.

In the second SSH connection, run ./suconnect 12345 to connect to that port; it receives the data echoed by the first connection, compares it, and if it equals the previous level's password it automatically sends the next password back.

Check the first SSH connection again: the returned password value has arrived there.

Level 21

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

The other two files are not accessible; they belong to the next two levels.

Level 22

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.

Following the hint in the sh file, run its echo command to obtain the temporary file name, prepend the tmp path, and read that file.

Running it this way does yield a password, but not the right one: whoami outputs bandit22, the current user, whereas bandit23.sh is executed by user bandit23, so $(whoami) has to be replaced with bandit23.

Level 23

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…

Create the sh file under the tmp directory.

Take care with permissions: /tmp/23 must be set so that the result can be written back, with chmod 777 /tmp/23.

After some time, the password result appears in that directory.

Level 24

A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.

According to the hint, the input is the password plus a 4-digit pincode, and the pincode has to be brute-forced.

pwntools is available in the environment.

The final returned result is:

Correct!The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

Level 25

Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.

There is an SSH private key; log in with it.

The connection drops immediately after login.

Following the hint, check /etc/passwd to see which shell user bandit26 uses.

Looking at the showtext contents: it runs the more command and then exits.

When the content is longer than the screen, more pauses before showing the rest; this can be used to interrupt more: shrink the terminal window, then run the ssh connect command.

When the more prompt appears, type v to enter vim.

Type :e /etc/bandit_pass/bandit26 to view the password.

Level 26

Good job getting a shell! Now hurry and grab the password for bandit27!

more is used in the same way, but :e lacks permission to read the file.

Set the shell path, then drop into a shell command line.

As user bandit27, read the password.

Level 27

There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo. The password for the user bandit27-git is the same as for the user bandit27. Clone the repository and find the password for the next level.

Create a directory and use git clone to download the repo.

Level 28

There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo. The password for the user bandit28-git is the same as for the user bandit28. Clone the repository and find the password for the next level.

Level 29

There is a git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo. The password for the user bandit29-git is the same as for the user bandit29. Clone the repository and find the password for the next level.

git branch -a lists the branches.

git checkout remotes/origin/dev switches to the dev branch, then git show.

Level 30

There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo. The password for the user bandit30-git is the same as for the user bandit30. Clone the repository and find the password for the next level.

git show-ref lists all available references in the local repository along with their associated commit IDs.

Level 31

There is a git repository at ssh://bandit31-git@localhost/home/bandit31-git/repo. The password for the user bandit31-git is the same as for the user bandit31. Clone the repository and find the password for the next level.

According to the readme, a file key.txt with the content May I come in? has to be created on master.

Pushing key.txt directly fails.

This is because the hidden .gitignore file makes git ignore .txt files.

So use git add key.txt -f to force-add the file.

Then git commit.

Then git push; its output contains the next level's password.
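As an added example (not code from the original writeup), a throwaway repository that reproduces the three git situations from Levels 29, 30 and 31 so the commands can be tried offline: a branch that only shows up under branch -a, a tag that show-ref lists, and a .gitignore rule that git add -f overrides. The repository, branch, tag and file names are constructed for the demo, and the git identity is passed inline so no global config is needed.

```shell
#!/bin/sh
# Added example: Bandit Levels 29-31 git situations in a local demo repo.

git_cmd() {  # run git with an inline identity so commits work anywhere
    git -c user.name=demo -c user.email=demo@example.invalid \
        -c init.defaultBranch=master "$@"
}

build_demo_repo() {
    repo=$1
    mkdir -p "$repo" && git_cmd -C "$repo" init -q
    echo 'nothing here' > "$repo/README"
    printf '*.txt\n' > "$repo/.gitignore"          # Level 31: ignores .txt files
    git_cmd -C "$repo" add README .gitignore
    git_cmd -C "$repo" commit -q -m 'initial'
    git_cmd -C "$repo" tag secret                  # Level 30: data hidden in a tag
    git_cmd -C "$repo" checkout -q -b dev          # Level 29: data on another branch
    echo 'dev only' > "$repo/dev.md"
    git_cmd -C "$repo" add dev.md
    git_cmd -C "$repo" commit -q -m 'dev work'
    git_cmd -C "$repo" checkout -q master
}

list_refs() {   # Level 30: every ref (branches and tags); show-ref also prints the commit id
    git_cmd -C "$1" show-ref | awk '{print $2}'
}

add_ignored_file() {   # Level 31: key.txt matches *.txt, so a plain add is refused
    repo=$1
    echo 'May I come in?' > "$repo/key.txt"
    if git_cmd -C "$repo" check-ignore -q key.txt; then
        git_cmd -C "$repo" add -f key.txt          # force past .gitignore
    else
        git_cmd -C "$repo" add key.txt
    fi
    git_cmd -C "$repo" diff --cached --name-only   # what the next commit will contain
}
```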

Level 32

After all this git stuff it's time for another escape. Good luck!

Every command typed is converted to uppercase.

$0 opens a shell; id shows that the current user is bandit33.

ls -ll /etc/bandit_pass shows the permissions.

Read the password from the path.

Level 33
