• bandit


    The Bandit wargame lives at: https://overthewire.org/wargames/bandit

    0-10

    0

    The level page gives us the username and password directly: bandit0
    Log in straight away with:
    ssh -p 2220 bandit0@bandit.labs.overthewire.org
    Enter the password bandit0 and the login succeeds (the password is not echoed as you type it)

    ls shows a readme file, which holds the password for the next level
    cat readme
    This gives the next level's password: boJ9jbbUNNfktd78OOpsqOltutMc3MY1

    1

    ssh -p 2220 bandit1@bandit.labs.overthewire.org
    ls
    There is a file with the special name -
    cat - cannot read it directly: a bare - means standard input, so cat just echoes whatever you type; press Ctrl+D to stop
    cat ./- reads the file itself, giving the next password:
    CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

    2

    ssh -p 2220 bandit2@bandit.labs.overthewire.org
    Type cat space and press Tab to complete the filename (it contains spaces); this gives the next password:
    UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
    As shown in the screenshot:

    3

    ssh -p 2220 bandit3@bandit.labs.overthewire.org
    There is a directory called inhere

    cd into it; ls shows it is empty,
    so use ls -a to list hidden files
    cat .hidden gives the next password:
    pIwrPrtPN36QITSp3EQaw936yaFoFgAB

    4

    file ./*
    The file command reports each file's type
    cat ./-file07
    This gives the next password:
    koReBOKuIDDepwhWk7jZC0RTdopnAYKh
    As shown in the screenshot:

    5

    ssh -p 2220 bandit5@bandit.labs.overthewire.org
    There are many directories
    find -type f -size 1033c
    This locates the file:

    f: a regular file
    c: the size unit is bytes
    The password is: DXjZPULLxYr17uwoI01bNLQbtFemEgo7

    6

    ssh -p 2220 bandit6@bandit.labs.overthewire.org
    Following the hint:

    find / -size 33c -user bandit7 -group bandit6 2>/dev/null
    2>/dev/null discards the permission-denied errors produced while scanning from the root directory
    This gives the next password:
    HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
    As shown in the screenshot:

    7

    ssh -p 2220 bandit7@bandit.labs.overthewire.org
    Following the hint, use grep
    cat data.txt|grep millionth
    As shown in the screenshot:

    The password is: cvX2JJa4CFALtqS87jk27qwqGhBM9plV

    8

    ssh -p 2220 bandit8@bandit.labs.overthewire.org
    sort data.txt|uniq -u
    As shown in the screenshot:

    sort orders the lines (uniq only detects adjacent duplicates, so the input must be sorted first),
    uniq options:
    -i ignore case
    -c count occurrences of each line
    -u print only the lines that occur exactly once
    The next password is: UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

    9

    ssh -p 2220 bandit9@bandit.labs.overthewire.org
    strings data.txt prints the printable strings inside the file
    This gives the next password: truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk

    10

    ssh -p 2220 bandit10@bandit.labs.overthewire.org
    base64 decode: base64 -d data.txt
    Next password: IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

    11-20

    11

    ssh -p 2220 bandit11@bandit.labs.overthewire.org
    The task says the letters were rotated by 13 positions, i.e. the first and second halves of the alphabet are swapped (ROT13)
    tr takes two strings: each character found in the first is replaced by the character at the same position in the second
    cat data.txt |tr 'a-zA-Z' 'n-za-mN-ZA-M'
    Equivalently, cat data.txt |tr 'n-za-mN-ZA-M' 'a-zA-Z' has the same effect, because ROT13 is its own inverse
    The next password is: 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
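    The tr command above is one instance of a Caesar rotation. As an added example (not from the original post), the shell function below builds tr's second argument from the alphabet for any rotation N, so 'n-za-m' is just the N=13 case; the names shifted_alphabet, rotn and rot13 are this example's own.

```shell
#!/bin/sh
# Added example: Caesar rotation by N letters using tr, generalizing the
# ROT13 one-liner from level 11. Function names are this example's own.
set -eu

alpha_lower=abcdefghijklmnopqrstuvwxyz
alpha_upper=ABCDEFGHIJKLMNOPQRSTUVWXYZ

# Print alphabet $2 rotated left by $1 positions, e.g. 13 -> "nopqrstuvwxyzabcdefghijklm".
# That string is exactly what tr's range form 'n-za-m' expands to.
shifted_alphabet() {
    n=$1
    src=$2
    if [ "$n" -eq 0 ]; then
        printf '%s' "$src"
        return 0
    fi
    # tail of the alphabet first, then the head that wrapped around
    printf '%s%s' "$(printf '%s' "$src" | cut -c"$((n + 1))"-26)" \
                  "$(printf '%s' "$src" | cut -c1-"$n")"
}

# rotn N: rotate every ASCII letter on stdin by N positions, keeping case;
# every other byte passes through tr unchanged.
rotn() {
    n=$(( $1 % 26 ))
    tr "$alpha_lower$alpha_upper" \
       "$(shifted_alphabet "$n" "$alpha_lower")$(shifted_alphabet "$n" "$alpha_upper")"
}

# ROT13 is an involution: applying rot13 twice returns the original text.
rot13() {
    rotn 13
}
```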

    12

    ssh -p 2220 bandit12@bandit.labs.overthewire.org
    This one is a bit roundabout, but we can still follow the hints step by step
    xxd -r converts the hex dump back into binary
    What follows is a long chain of tar, bz2 and gz decompression steps; the individual options are not explained here
    It only looks complicated; don't be put off, it becomes familiar after typing it a few times
    Since we cannot write to the current directory, we move to the working directory the task suggests, /tmp. The full set of commands is below; look up any option you don't understand

    bandit12@bandit:~$ mkdir /tmp/ss
    bandit12@bandit:~$ cp  data.txt /tmp/ss
    bandit12@bandit:~$ cd /tmp/ss
    bandit12@bandit:/tmp/ss$ file data.txt 
    data.txt: ASCII text
    bandit12@bandit:/tmp/ss$ xxd -r data.txt >data.bin
    bandit12@bandit:/tmp/ss$ file data.bin 
    data.bin: gzip compressed data, was "data2.bin", last modified: Thu May  7 18:14:30 2020, max compression, from Unix
    bandit12@bandit:/tmp/ss$ mv data.bin data.gz
    bandit12@bandit:/tmp/ss$ gzip -d data.gz 
    bandit12@bandit:/tmp/ss$ ls
    data  data.txt
    bandit12@bandit:/tmp/ss$ file data
    data: bzip2 compressed data, block size = 900k
    bandit12@bandit:/tmp/ss$ bunzip2 -d data
    bunzip2: Can't guess original name for data -- using data.out
    bandit12@bandit:/tmp/ss$ ls
    data.out  data.txt
    bandit12@bandit:/tmp/ss$ bunzip2 -d data.out
    bunzip2: Can't guess original name for data.out -- using data.out.out
    bunzip2: data.out is not a bzip2 file.
    bandit12@bandit:/tmp/ss$ ls
    data.out  data.txt
    bandit12@bandit:/tmp/ss$ mv data.out data
    bandit12@bandit:/tmp/ss$ mv data data.bz2
    bandit12@bandit:/tmp/ss$ bunzip2 -d data.bz2 
    bunzip2: data.bz2 is not a bzip2 file.
    bandit12@bandit:/tmp/ss$ ls
    data.bz2  data.txt
    bandit12@bandit:/tmp/ss$ mv data.bz2 data
    bandit12@bandit:/tmp/ss$ mv data data.bz
    bandit12@bandit:/tmp/ss$ bunzip2 -d data.bz 
    bunzip2: data.bz is not a bzip2 file.
    bandit12@bandit:/tmp/ss$ mv data.
    data.bz   data.txt  
    bandit12@bandit:/tmp/ss$ mv data.bz data
    bandit12@bandit:/tmp/ss$ file data
    data: gzip compressed data, was "data4.bin", last modified: Thu May  7 18:14:30 2020, max compression, from Unix
    bandit12@bandit:/tmp/ss$ ls
    data  data.txt
    bandit12@bandit:/tmp/ss$ ls
    data  data.txt
    bandit12@bandit:/tmp/ss$ rm -rf data
    bandit12@bandit:/tmp/ss$ ls
    data.txt
    bandit12@bandit:/tmp/ss$ xxd -r data.txt >data.bin
    bandit12@bandit:/tmp/ss$ ls
    data.bin  data.txt
    bandit12@bandit:/tmp/ss$ rm -rf data.bin
    bandit12@bandit:/tmp/ss$ ls
    data.txt
    bandit12@bandit:/tmp/ss$ file data.txt 
    data.txt: ASCII text
    bandit12@bandit:/tmp/ss$ xxd -r data.txt >data.bin
    bandit12@bandit:/tmp/ss$ file data.bin 
    data.bin: gzip compressed data, was "data2.bin", last modified: Thu May  7 18:14:30 2020, max compression, from Unix
    bandit12@bandit:/tmp/ss$ mv data.bin data.gz
    bandit12@bandit:/tmp/ss$ gzip -d data.gz 
    bandit12@bandit:/tmp/ss$ file data
    data: bzip2 compressed data, block size = 900k
    bandit12@bandit:/tmp/ss$ mv data data.bz2
    bandit12@bandit:/tmp/ss$ bunzip2 -d data.bz2 
    bandit12@bandit:/tmp/ss$ ls
    data  data.txt
    bandit12@bandit:/tmp/ss$ file data
    data: gzip compressed data, was "data4.bin", last modified: Thu May  7 18:14:30 2020, max compression, from Unix
    bandit12@bandit:/tmp/ss$ mv data data.gz
    bandit12@bandit:/tmp/ss$ gzip -d data.gz 
    bandit12@bandit:/tmp/ss$ ls
    data  data.txt
    bandit12@bandit:/tmp/ss$ file data
    data: POSIX tar archive (GNU)
    bandit12@bandit:/tmp/ss$ mv data data.tar
    bandit12@bandit:/tmp/ss$ tar xvf data.tar 
    data5.bin
    bandit12@bandit:/tmp/ss$ file data5.bin 
    data5.bin: POSIX tar archive (GNU)
    bandit12@bandit:/tmp/ss$ mv data5.bin data5.tar
    bandit12@bandit:/tmp/ss$ tar xvf data5.tar 
    data6.bin
    bandit12@bandit:/tmp/ss$ file data6.bin 
    data6.bin: bzip2 compressed data, block size = 900k
    bandit12@bandit:/tmp/ss$ mv data6.bin data6.bz2
    bandit12@bandit:/tmp/ss$ bunzip2 -d data6.bz2 
    bandit12@bandit:/tmp/ss$ ls
    data5.tar  data6  data.tar  data.txt
    bandit12@bandit:/tmp/ss$ file data6
    data6: POSIX tar archive (GNU)
    bandit12@bandit:/tmp/ss$ mv data6 data6.tar
    bandit12@bandit:/tmp/ss$ tar xvf data6.tar 
    data8.bin
    bandit12@bandit:/tmp/ss$ file data8.bin 
    data8.bin: gzip compressed data, was "data9.bin", last modified: Thu May  7 18:14:30 2020, max compression, from Unix
    bandit12@bandit:/tmp/ss$ mv data8.bin data8.gz
    bandit12@bandit:/tmp/ss$ gzip -d data8.gz 
    bandit12@bandit:/tmp/ss$ ls
    data5.tar  data6.tar  data8  data.tar  data.txt
    bandit12@bandit:/tmp/ss$ file data8
    data8: ASCII text
    bandit12@bandit:/tmp/ss$ cat data8
    The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
    

    The next password is: 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
    ssh -p 2220 bandit13@bandit.labs.overthewire.org
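
    The rename-and-decompress loop in the session above can be automated once you notice that the right tool is decided by the file's magic bytes, not its name. The script below is an added example (not part of the original post): it classifies each layer from its leading bytes (gzip 1f 8b, bzip2 "BZh", the "ustar" marker at offset 257 for tar) and peels layers until a non-archive file remains. It assumes you have already run xxd -r data.txt > data.bin in a scratch directory such as /tmp/ss, and the names magic_type and unwrap are this example's own.

```shell
#!/bin/sh
# Added example: unwrap nested gzip/bzip2/tar layers by their magic bytes,
# automating the rename-and-decompress loop of the level 12 session.
# magic_type and unwrap are this example's own names.
set -eu

# Classify a file by its leading bytes: gzip, bzip2, tar or other.
magic_type() {
    sig=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$sig" in
        1f8b*)   echo gzip ;;      # gzip header 1f 8b
        425a68*) echo bzip2 ;;     # bzip2 header "BZh"
        *)
            # POSIX/GNU tar keeps the literal "ustar" at byte offset 257
            if [ "$(dd if="$1" bs=1 skip=257 count=5 2>/dev/null)" = "ustar" ]; then
                echo tar
            else
                echo other
            fi ;;
    esac
}

# unwrap FILE: in the current directory, decompress or extract until what is
# left is none of the three types; prints that file's name. Handles the
# single-member archives this level contains.
unwrap() {
    cur=$1
    while :; do
        case "$(magic_type "$cur")" in
            gzip)  mv "$cur" layer.gz; gzip -d layer.gz; cur=layer ;;     # gzip -d wants a .gz suffix
            bzip2) mv "$cur" layer.bz2; bzip2 -d layer.bz2; cur=layer ;;
            tar)   member=$(tar tf "$cur" | head -n 1)
                   tar xf "$cur"
                   rm -f "$cur"
                   cur=$member ;;
            *)     echo "$cur"; return 0 ;;
        esac
    done
}

# Run as: sh unwrap.sh data.bin  (inside /tmp/ss, after xxd -r data.txt > data.bin)
if [ "$#" -gt 0 ]; then
    unwrap "$1"
fi
```

    Each intermediate file is renamed to layer.* so that gzip and bzip2 accept it; the final plain file is therefore reported as layer, and cat layer shows the password line.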

    13

    ssh -p 2220 bandit13@bandit.labs.overthewire.org
    This level tells us the password is stored in /etc/bandit_pass/bandit14 and that we must use a key file to ssh in as bandit14
    ssh -i sshkey.private bandit14@127.0.0.1
    cat /etc/bandit_pass/bandit14
    This gives the next password:
    4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

    14

    ssh -p 2220 bandit14@bandit.labs.overthewire.org

    bandit14@bandit:~$ telnet localhost 30000
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    
    Wrong! Please enter the correct current password
    Connection closed by foreign host.
    bandit14@bandit:~$ telnet localhost 30000
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
    Correct!
    BfMYroe26WYalil77FoDi9qh59eK5xNr
    
    Connection closed by foreign host.
    

    The next password is: BfMYroe26WYalil77FoDi9qh59eK5xNr

    15

    ssh -p 2220 bandit15@bandit.labs.overthewire.org
    Connect over SSL/TLS:
    openssl s_client -connect localhost:30001
    Next password: cluFn7wTiGryunymYOu4RcffSxQluehd

    16

    ssh -p 2220 bandit16@bandit.labs.overthewire.org
    nmap -sV probes the service and version behind each open port
    nmap -sV localhost -p 31000-32000
    The scan finds two ports: 31518 and 31790
    As usual, the first port is only there to waste your time, so we go straight to 31790
    openssl s_client -connect localhost -port 31790
    This returns an SSH private key (the RSA PRIVATE KEY block is not reproduced here):


    Save it as a key file and use it to connect as bandit17
    chmod 600 a.priv
    ssh -i a.priv bandit17@localhost

    I don't know why it still prompts for a passphrase and a password; something is still wrong. I read several blog posts, but none of them covered this level in much detail, so corrections are welcome
    Taking the next password from other people's blogs anyway: xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn

    17

    ssh -p 2220 bandit17@bandit.labs.overthewire.org
    ls shows two files, password.new and password.old
    cat each of them; most lines are identical,
    diff password.new password.old finds the line that differs
    The password is: kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd

    18

    ssh -p 2220 bandit18@bandit.labs.overthewire.org
    We are greeted with byebye: the task says .bashrc has been modified so that we are logged out as soon as we log in
    But we can still run a command through ssh
    For example:
    ssh -p 2220 bandit18@bandit.labs.overthewire.org cat ./readme
    Enter the password, and the output is the next password:
    IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

    19

    ssh -p 2220 bandit19@bandit.labs.overthewire.org
    ls -l shows:
    -rwsr-x--- 1 bandit20 bandit19 7296 May 7 20:14 bandit20-do
    (the file is displayed in red, which marks compressed or archive files; the seven columns from left to right are permissions, link count, owner, group, size, date and file name)
    A quick look at ruid and euid: the ruid is whoever runs the program; the euid decides which permissions it actually runs with
    The s bit means that whichever user executes the file, it runs with the owner's identity (a capital S means the execute bit is not set)
    The owner here is bandit20
    ./bandit20-do cat /etc/bandit_pass/bandit20
    The next password is: GbKksEFF4yrVs6il55v6gwY5aVje5f0j

    20

    ssh -p 2220 bandit20@bandit.labs.overthewire.org
    The nc listen command
    nc -lv < /etc/bandit_pass/bandit20 &
    -l puts nc in listen mode
    -v prints verbose output
    & after a command runs it as a background process; sometimes a process occupies the shell without being interactive, so we want it to run in the background
    Then use the suconnect binary to connect to that port and obtain the password
    ./suconnect [port]
    The full session is as follows:

    bandit20@bandit:~$ nc -lv < /etc/bandit_pass/bandit20 &
    [1] 6617
    bandit20@bandit:~$ listening on [any] 36263 ...
    
    bandit20@bandit:~$ ./suconnect 36263
    connect to [127.0.0.1] from localhost [127.0.0.1] 42488
    Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
    Password matches, sending next password
    gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
    bandit20@bandit:~$ 
    

    The next password is: gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr

    21-30

    21

    ssh -p 2220 bandit21@bandit.labs.overthewire.org
    Following the hint: cd /etc/cron.d
    For cron (crontab), all we need to know is that it is an alarm clock: just as a person sets an alarm and, when it goes off, gets up to wash and eat, cron runs a job when its time comes,

    The full session is as follows:

    bandit21@bandit:~$ cd  /etc/cron.d/
    bandit21@bandit:/etc/cron.d$ ls
    cronjob_bandit15_root  cronjob_bandit22  cronjob_bandit24
    cronjob_bandit17_root  cronjob_bandit23  cronjob_bandit25_root
    bandit21@bandit:/etc/cron.d$ vim cronjob_bandit22
    bandit21@bandit:/etc/cron.d$ cat cronjob_bandit22
    @reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
    * * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
    bandit21@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit22.sh
    #!/bin/bash
    chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
    cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
    bandit21@bandit:/etc/cron.d$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
    Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
    

    cronjob_bandit22 is one such alarm clock
    The first five fields are the schedule; * means any value, so /usr/bin/cronjob_bandit22.sh runs every minute,
    and that script writes the password into a file under /tmp
    &> /dev/null sends the script's errors and other output into the void
    (cat /etc/bandit_pass/bandit22 directly reports permission denied)
    This gives the next password: Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

    22

    ssh -p 2220 bandit22@bandit.labs.overthewire.org
    Following the hint, go back into /etc/cron.d/
    look at cronjob_bandit23
    and follow it to the script it runs
    The script puts the password in a file named after the md5sum of I am user bandit23

    The session is as follows:

    bandit22@bandit:~$ ls /etc/cron.d/    //per the hint, list the scheduled jobs
    cronjob_bandit15_root  cronjob_bandit22  cronjob_bandit24
    cronjob_bandit17_root  cronjob_bandit23  cronjob_bandit25_root
    bandit22@bandit:~$ cat /etc/cron.d/cronjob_bandit22    //view this level's bandit22 job
    @reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
    * * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
    bandit22@bandit:~$ cat /usr/bin/cronjob_bandit22.sh    //view the corresponding script
    #!/bin/bash
    chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
    cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv  //so the password is written to /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
    bandit22@bandit:~$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
    Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
    

    The password is:

    Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
    

    23

    For some reason the password from the previous level does not log in, but that does not matter; we can do the inspection from the previous level's account
    Much like the previous level: look at the job, then read the script it runs
    The session is as follows:

    bandit22@bandit:~$ cat /etc/cron.d/cronjob_bandit23 
    @reboot bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
    * * * * * bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
    bandit22@bandit:~$ cat /usr/bin/cronjob_bandit23.sh
    #!/bin/bash
    
    myname=$(whoami)
    mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
    
    echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
    
    cat /etc/bandit_pass/$myname > /tmp/$mytarget
    

    Here we need a little shell scripting knowledge: $ introduces a variable. Substitute bandit23 for $myname and run:

    echo I am user bandit23 | md5sum | cut -d ' ' -f 1
    

    This gives the name of the /tmp file into which the script copies bandit24's password:

    8ca319486bfbbc3663ea0fbe81326349
    

    24-33

    For the remaining levels see: https://zhuanlan.zhihu.com/p/107968265

  • Original post: https://www.cnblogs.com/sillage/p/13730560.html