Bandit wargame

Lab address:

http://overthewire.org/wargames/bandit/

level 0

level 1

note

When cat sees the string - as a filename, it treats it as a synonym for stdin. To get around this, you have to change the string cat sees so that it still refers to a file named -. The usual way is to put a path in front of the filename: ./-

payload:

bandit1@bandit:~$ cat  ./-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

level 2

note

cat "file name with space" or cat file\ name\ with\ space

payload:

bandit2@bandit:~$ cat spaces\ in\ this\ filename 
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

level 3

level 4

note

The Linux reset command is actually the same command as tset; its purpose is to set the state of the terminal. Normally the command determines the current terminal type automatically from environment variables, the command line or other configuration files. If the specified type is '?', the program asks the user to enter the terminal type.

payload:

bandit4@bandit:~/inhere$ cat ./-file07
koReBOKuIDDepwhWk7jZC0RTdopnAYKh

level 5

require: human-readable, 1033 bytes in size, not executable

note

-a or --all: show the size of each individual file in the directory.
-b or --bytes: show directory or file sizes in bytes.

payload:

bandit5@bandit:~/inhere$ find . -size 1033c
./maybehere07/.file2
bandit5@bandit:~/inhere$ cat ./maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7

level 6

require

The password for the next level is stored somewhere on the server and has all of the following properties:

  • owned by user bandit7
  • owned by group bandit6
  • 33 bytes in size

note

2 stands for standard error, > for redirection and /dev/null for the null device; 2>/dev/null redirects standard error to the null device, i.e. error messages are not printed.

payload:

bandit6@bandit:/$ find / -user bandit7 -group bandit6 -size 33c 2>/dev/null
/var/lib/dpkg/info/bandit7.password
bandit6@bandit:/$ cat /var/lib/dpkg/info/bandit7.password
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

level 7

require

The password for the next level is stored in the file data.txt next to the word millionth

note

payload:

bandit7@bandit:~$ cat data.txt | grep millionth
millionth cvX2JJa4CFALtqS87jk27qwqGhBM9plV

level 8

require

The password for the next level is stored in the file data.txt and is the only line of text that occurs only once

note

sort sorts a file; uniq handles adjacent duplicate lines.

  • Remove duplicate lines: sort -u file.txt
  • Show only the lines that occur once: uniq -u file.txt
  • Count how many times each line occurs in the file: sort file.txt | uniq -c
  • Find the duplicated lines in the file: sort file.txt | uniq -d

payload:

bandit8@bandit:~$ cat data.txt |sort | uniq -u
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

level 9

require

The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.

note

strings finds the printable strings in a file and prints those that are 4 characters or longer; a string ends at a newline or a NUL character.

payload:

bandit9@bandit:~$ strings data.txt |grep = 
========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk

level 10

require

The password for the next level is stored in the file data.txt, which contains base64 encoded data

note

[root@vultr ~]# echo 123456 | base64
MTIzNDU2Cg==
[root@vultr ~]# echo MTIzNDU2Cg== | base64 -d
123456

payload:

bandit10@bandit:~$ cat data.txt |base64 -d
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

level 11

require

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions

note

The tr command replaces, squeezes and deletes characters read from standard input. It turns one set of characters into another and is often used to write elegant one-liners.

  • -c or --complement: replace all characters that are not in the first set;
  • -d or --delete: delete all characters that are in the first set;
  • -s or --squeeze-repeats: represent a run of the same repeated character by a single character;
  • -t or --truncate-set1: first drop the characters by which the first set is longer than the second.

payload:

bandit11@bandit:~$ cat data.txt |tr 'a-zA-Z' 'n-za-mN-ZA-N'
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

level 12

require

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv

note

xxd displays a file in hexadecimal form

  • -b: output in binary
  • -c: how many bytes to output per line
  • -g: how many bytes form one group
  • -i: output the file contents as a C array
  • -l: stop after this many bytes
  • -p: output all the hex as one plain block, without spaces between groups
  • -r: reverse operation, convert the hex back into binary

If it starts with 0x1f8b, it is gzip compression: use gzip -d data.gz
If it starts with 0x425a, it is bzip2 compression: use bzip2 -d data.bz2
If it is neither, it should be a tar archive: use tar -xvf data.tar

payload:

bandit12@bandit:/tmp/tmp$ cat data8 
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
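An added example (not from this write-up) that automates the note above in Python: it reverses an xxd-format hexdump, then peels layers by checking for the gzip and bzip2 signatures and falling back to tar, in the order the note gives. The sample dump is constructed inside the block and the password it contains is a placeholder.

```python
import bz2, gzip, io, tarfile

GZIP_MAGIC, BZIP2_MAGIC = b"\x1f\x8b", b"\x42\x5a"   # the two signatures from the note


def parse_xxd(dump: str) -> bytes:
    """Reverse a default-format xxd hexdump (the job `xxd -r` does)."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" in line:                      # "00000000: 1f8b 0808 ...  <ascii column>"
            groups = line.split(":", 1)[1].split("  ", 1)[0]
            out += bytes.fromhex(groups.replace(" ", ""))
    return bytes(out)


def unwrap_once(data: bytes):
    """Peel one layer chosen by magic bytes; return (kind, inner) or None if none fits."""
    if data.startswith(GZIP_MAGIC):
        return "gzip", gzip.decompress(data)
    if data.startswith(BZIP2_MAGIC):
        return "bzip2", bz2.decompress(data)
    try:                                     # neither signature: the note says try tar
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
            member = next(m for m in tar.getmembers() if m.isfile())
            return "tar", tar.extractfile(member).read()
    except (tarfile.TarError, StopIteration):
        return None                          # plain data, nothing left to peel


def unwrap_all(dump: str):
    """Return the innermost bytes plus the layers removed, outermost first."""
    data, layers = parse_xxd(dump), []
    while (step := unwrap_once(data)) is not None:
        kind, data = step
        layers.append(kind)
    return data, layers


# Constructed sample (not the level's real data): text -> tar -> bzip2 -> gzip -> xxd.
def _tar(payload: bytes) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("data.txt")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def _xxd(data: bytes) -> str:   # minimal imitation of xxd's default layout
    return "\n".join(
        f"{off:08x}: {' '.join(data[i:i + 2].hex() for i in range(off, min(off + 16, len(data)), 2))}  ."
        for off in range(0, len(data), 16))


SAMPLE_DUMP = _xxd(gzip.compress(bz2.compress(_tar(b"The password is PLACEHOLDER-NOT-REAL\n"))))
```

Calling unwrap_all(SAMPLE_DUMP) returns the placeholder line together with the layer list ["gzip", "bzip2", "tar"]; on the real level you would feed it the contents of data.txt instead.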

level 13

require

The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on

note

payload:

bandit13@bandit:~$ ssh bandit14@localhost -i sshkey.private
bandit14@bandit:/etc/bandit_pass$ cat bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

level 14

require

The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

note

payload:

bandit14@bandit:~$ nc localhost 30000
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr

level 15

require

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…

note

-ign_eof: do not close the connection when the input reaches end of file.
-quiet: do not print the session and certificate information; this also turns on -ign_eof.

payload:

openssl s_client -connect localhost:30001  -ign_eof 
cluFn7wTiGryunymYOu4RcffSxQluehd

level 16

require

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

note

payload:

bandit16@bandit:~$ nmap -A localhost -p 31000-32000
bandit16@bandit:~$ openssl s_client -connect localhost:31790 -quiet
bandit16@bandit:~$ mkdir /tmp/key1
bandit16@bandit:~$ openssl s_client -connect localhost:31790 -quiet >/tmp/key1/key
bandit16@bandit:/tmp/key1$ chmod 700 key
bandit16@bandit:/tmp/key1$ ssh bandit17@localhost -i /tmp/key1/key

level 17

require

There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new

note

payload:

bandit17@bandit:~$ diff passwords.old passwords.new 
kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd

level 18

require

The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

note

When logging in over ssh, to get the right result you can simply copy the file to your local machine with scp, or run the command directly as part of the login.

payload:

bandit17@bandit:~$ ssh bandit18@localhost 'cat readme'
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

level 19

require

To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

note

payload:

bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j

level 20

require

There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
NOTE: Try connecting to your own network daemon to see if it works as you think

note

payload:

1.
bandit20@bandit:~$ nc 1234 -l </etc/bandit_pass/bandit20

2.
bandit20@bandit:~$ ./suconnect 1234

3. Terminal 1 receives the result.
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
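The exchange this level describes, played out with both sides in Python as an added example (not code from the write-up or from OverTheWire): the listener stands in for the nc -l terminal, suconnect_model is a stand-in for the setuid binary, the port is chosen by the OS instead of 1234, and both passwords are constructed placeholders.

```python
import socket
import threading

# Constructed stand-ins, not the real Bandit passwords.
BANDIT20_PASS = b"placeholder-bandit20-password"
BANDIT21_PASS = b"placeholder-bandit21-password"


def start_listener(line: bytes):
    """Terminal 1, like `nc -l <port> < /etc/bandit_pass/bandit20`: send one line, keep the reply."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))          # port 0: the OS picks a free port (the write-up uses 1234)
    srv.listen(1)
    reply_box = []

    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            conn.sendall(line + b"\n")  # the one line the daemon will read
            reply_box.append(conn.recv(1024).rstrip(b"\n"))

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    return srv.getsockname()[1], reply_box, worker


def suconnect_model(port: int, expected: bytes, secret: bytes) -> bool:
    """Terminal 2, a model of the setuid binary: connect, read a line, compare, answer."""
    with socket.create_connection(("127.0.0.1", port)) as conn:
        with conn.makefile("rb") as reader:
            received = reader.readline().rstrip(b"\n")
        matched = received == expected
        conn.sendall((secret if matched else b"Wrong!") + b"\n")
        return matched


def run_exchange(offered: bytes):
    """Drive both sides; return (did the daemon accept it?, what terminal 1 received)."""
    port, box, worker = start_listener(offered)
    matched = suconnect_model(port, BANDIT20_PASS, BANDIT21_PASS)
    worker.join(timeout=5)
    return matched, box[0]


if __name__ == "__main__":
    print(run_exchange(BANDIT20_PASS))   # (True, b'placeholder-bandit21-password')
    print(run_exchange(b"wrong-guess"))  # (False, b'Wrong!')
```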

level 21

require

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

note

cron is the program on a Linux system that runs specified tasks automatically.

payload:

bandit21@bandit:/etc/cron.d$ cat cronjob_bandit22
bandit21@bandit:/etc/cron.d$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

level 22

require

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.

note

cut -d[delimiter] -f[field] file

bandit22@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit23.sh 
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget

payload:

bandit22@bandit:/etc/cron.d$ echo I am user bandit22 | md5sum | cut -d ' ' -f 1 
cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n

level 23

require

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!

NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…

note

#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        timeout -s 9 60 "./$i"
        rm -f "./$i"
    fi
done

payload:

bandit23@bandit:/tmp/crayon$ vim /tmp/band/bandit24.sh
bandit23@bandit:/tmp/band$ chmod 777 bandit24.sh
bandit23@bandit:/tmp/band$ cp bandit24.sh /var/spool/bandit24/
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

level 24

require

A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.

note

# Write one candidate line per pincode: "<bandit24 password> <4-digit pin>"
data14 = "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ"   # password obtained in the previous level
with open('dic.txt', 'w') as f:
    for code in range(10000):
        # zfill pads to four digits so 0 becomes 0000, 42 becomes 0042, etc.
        data = data14 + " " + str(code).zfill(4) + '\n'
        f.write(data)

payload:

bandit24@bandit:/tmp/aaaaa$ python aaaaa.py
bandit24@bandit:/tmp/aaaaa$ nc localhost 30002 < /tmp/aaaaa/dic.txt > /tmp/aaaaa/passwd.txt
bandit24@bandit:/tmp/aaaaa$ cat passwd.txt| sort | uniq -u
uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

level 25

require

Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.

note

This is the content of text.txt as shown by the more command: because the number of lines fits on one screen, more shows no prompt. Our approach builds on this property: we have to make it stop at a position where one screen cannot show everything, i.e. make your terminal shorter than the height of the ASCII art.

payload:

1.
bandit25@bandit:~$ ssh bandit26@localhost -i bandit26.sshkey
2. press V
ex! /etc/bandit_pass/bandit26
password:
5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z

level 26

require

Good job getting a shell! Now hurry and grab the password for bandit27!

note

payload:

In vim's command-line mode:
:set shell=/bin/sh
:sh
$ ls -a
$ ./bandit27-do cat /etc/bandit_pass/bandit27
3ba3118a22e93127a4ed485be72ef5ea

level 27

require

There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo. The password for the user bandit27-git is the same as for the user bandit27.

note

payload:

bandit27@bandit:/tmp/aaaaa$ git clone ssh://bandit27-git@localhost/home/bandit27-git/repo
0ef186ac70e04ea33b4c1853d2526fa2

level 28

require

There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo. The password for the user bandit28-git is the same as for the user bandit28.

note

git log lists all commits in order of commit time, with the most recent at the top. Each entry shows a SHA-1 checksum, the author's name and e-mail address and the commit time, followed by an indented paragraph with the commit message. After running the command you can see three commits in total.
git show displays objects of various types, including blobs, trees, tags and commits.

payload:

bandit28@bandit:/tmp/bbbbb$ git clone ssh://bandit28-git@localhost/home/bandit28-git/repo
bandit28@bandit:/tmp/bbbbb$ git log
bandit28@bandit:/tmp/bbbbb/repo$ git show 196c3edc79e362fe89e0d75cfeef079d8c67beef
bbc96594b4e001778eee9975372716b2

level 29

require

There is a git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo. The password for the user bandit29-git is the same as for the user bandit29.

note

git branch branchName is generally used for branch operations, such as creating and listing branches

  • git branch -a lists all branches, local and remote

git checkout branchName switches to a branch

payload:

Same as level 28; the hint is "no passwords in production!"
bandit29@bandit:/tmp/test29/repo$ git branch -a
bandit29@bandit:/tmp/test29/repo$ git checkout remotes/origin/dev
bandit29@bandit:/tmp/test29/repo$ git log
bandit29@bandit:/tmp/test29/repo$ git show 77ec80e97de5f88f035911a8d0fce1982dc7da05
5b90576bedb2cc04c86a9e924ce42faf

level 30

require

There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo. The password for the user bandit30-git is the same as for the user bandit30.

note

.git is the folder that git init creates in the current directory to manage the repository; it contains everything git operations need, including the object store, configuration files, branches and tags, the HEAD file, etc.

git reflog shows the full history of operations on all branches: commits, resets, deleted commits and so on
git show-ref shows the refs available in the local repository together with their associated commit IDs

payload:

bandit30@bandit:/tmp/test30/repo/.git$ ls
bandit30@bandit:/tmp/test30/repo/.git$ git show-ref
bandit30@bandit:/tmp/test30/repo/.git$ git show f17132340e8ee6c159e0a4a6bc6f80e1da3b1aea
47e603bb428404d265f59c42920d81e5

level 31

require

There is a git repository at ssh://bandit31-git@localhost/home/bandit31-git/repo. The password for the user bandit31-git is the same as for the user bandit31.

note

payload:

bandit31@bandit:/tmp/test31/repo$ git add key.txt 
bandit31@bandit:/tmp/test31/repo$ git commit
56a9bf19c63d650ce78e6ec0354ee45e

level 32

require

After all this git stuff it's time for another escape. Good luck!

note

payload:

bandit32@bandit:~$ chmod 777 /tmp/test32/SHELL
bandit33@bandit:/tmp/test32$ cat /etc/bandit_pass/bandit33
c9c3199ddf4121b10cf581a98d51caee