Breif

Bandit是一個學習linux命令的WarGame，通過闖關的模式，不斷的學習新的命令，對于程序員亦或者安全愛好者來說都是一個不錯的學習平臺，網址是 http://overthewire.org/wargames/bandit/ 分享給大家～

[文章已同步至個人博客，歡迎閱讀～]

Level 0 → Level 1

• Level Goal

The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.

The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.
第一關直接ssh登陸就好了

ssh bandit0@bandit.labs.overthewire.org -p 2220
密碼：bandit0

直接查看readme得到密碼boJ9jbbUNNfktd78OOpsqOltutMc3MY1

bandit0

Level 1 → Level 2

• Level Goal
  The password for the next level is stored in a file called - located in the home directory

利用上一關得到的密碼ssh登陸

ssh bandit1@bandit.labs.overthewire.org -p 2220

ls發現文件名是一個-，但是這個在linux中有特殊意義導致直接cat不好用

bandit1

cat ./-

密碼是CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

Level 2 → Level 3

• Level Goal
  The password for the next level is stored in a file called spaces in this filename located in the home directory
  這道題文件名中有空格，可以用雙引號把文件名包裹起來

cat "spaces in this filename"

bandit2

Level 3 → Level 4

• Level Goal
  The password for the next level is stored in a hidden file in the inhere directory.

如題，文件是隱藏文件，在linux中，文件名前面有.的就是隱藏文件，可以使用ls -a來顯示

bandit3

Level 4 → Level 5

• Level Goal
  The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.

本題有10個文件，題目說是密碼在人類可讀的文件，那么就要判斷文件的類型，用file命令

file ./*

bandit4

Level 5 → Level 6

• Level Goal
  The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:

human-readable
1033 bytes in size
not executable

這道題又是一個找文件的題目，ls -R目測有好幾十個文件，一個個找肯定不現實，根據題目的要求，是一個人類可讀文件，并且1033字節，非可執行文件，那么可以用find命令

find . -type f -size 1033c

解釋一下-type f指定為普通文件，-size 1033c指定為1033字節，更多的用法如下

-size n[cwbkMG] : 檔案大小 為 n 個由后綴決定的數據塊。其中后綴含義為：
b: 代表 512 位元組的區塊（如果用戶沒有指定后綴，則默認為 b）
c: 表示字節數
k: 表示 kilo bytes （1024字節）
w: 字 （2字節）
M:兆字節（1048576字節）
G: 千兆字節 （1073741824字節）
-type c : 檔案類型是 c 。
d: 目錄
c: 字型裝置檔案
b: 區塊裝置檔案
p: 具名貯列
f: 一般檔案
l: 符號連結
s: socket

最后找到了目標文件

bandit4

Level 6 → Level 7

• Level Goal
  The password for the next level is stored somewhere on the server and has all of the following properties:

owned by user bandit7
owned by group bandit6
33 bytes in size

又是找文件，那么依然可以使用find命令，只不過參數稍稍的改變

find / -user bandit7 -group bandit6 -size 33c 2>/dev/null

這里-user指定user組，-group指定group組，-size指定大小，后面的2>/dev/null因為find命令在根目錄下查找會經常有很多權限的報錯信息，所有在linux中通常用這種方式將錯誤信息重定向到“黑洞中”

bandit6

Level 7 → Level 8

• Level Goal
  The password for the next level is stored in the file data.txt next to the word millionth

題目說密碼在單詞millionth的后面，那么我們就在data.txt中搜索這個單詞即可

cat data.txt|grep millionth

bandit7

Level 8 → Level 9

• Level Goal
  The password for the next level is stored in the file data.txt and is the only line of text that occurs only once

這題是要找到出現一次的那個行，肯定用uniq命令了，但是使用之前需要用sort命令對文本進行排序，因為uniq命令是通過判斷上下兩行是否一樣來判斷的，所以用sort排序一下然后在uniq就能找到唯一出現的那一行了

sort data.txt|uniq -u
sort data.txt|uniq -c

這題我想了兩種解法，一個是直接-u獲取，還有就是-c列出出現的次數，然后從中找到是1的那一行即可

bandit8

Level 9 → Level 10

• Level Goal
  The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.

這題用cat命令之后會出現很多亂碼，因此需要使用strings命令，獲取可打印的字符

strings data.txt

bandit9

Level 10 → Level 11

• Level Goal
  The password for the next level is stored in the file data.txt, which contains base64 encoded data

查看文件發現是個base64的字符串，直接base64 -d解碼即可

bandit10

Level 11 → Level 12

• Level Goal
  The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions

根據題目所說的字母的的順序旋轉了13個位置，就相當去26個字母的前13個位置與后13個位置調換了。那么我們就是用tr命令進行調換

cat data.txt | tr 'a-zA-Z' 'n-za-mN-ZA-M'

bandit11

Level 12 → Level 13

• Level Goal
  The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)

這道題比較麻煩。首先我們按照提示，在/tmp目錄下創建自定義的文件夾

mkdir /tmp/pino
cp data.txt /tmp/pino
cd /tmp/pino
cat data.txt

然后我們發現data.txt是一個hex dump文件，里面是十六進制的內容，我們可以用xxd命令將其轉換成二進制文件

xxd -r data.txt > data.bin

然后我們用file命令看一下這個二進制是什么文件

image.png

mv data.bin data.gz

然后用gzip -d命令解壓，發現還是一個二進制文件，繼續file命令查看

mv data data.bz2
bzip -d data.bz2

之后重復工作，后來還遇到了tar壓縮文件

mv data data.tar
tar -xvf data.tar

如此解壓，最后類似，得到密碼8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

Level 13 → Level 14

• Level Goal
  The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on

這道題我們使用bandit13用戶登陸的，但是題目說需要我們用bandit14用戶登陸才能查看密碼，并且給了我們ssh的私鑰，那么我們就可以利用ssh -i參數指定私鑰進行登陸

ssh -i sshkey.private bandit14@localhost

登陸之后

cat  /etc/bandit_pass/bandit14

bandit13

Level 14 → Level 15

• Level Goal
  The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

根據題目要求我們要把這關的密碼提交到localhost的30000端口上，那么我就想到了用telnet連接到本地的30000端口上，然后把這關的密碼發送過去

Level 15 → Level 16

• Level Goal
  The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…

這道題用openssl命令
這個命令不太常用，直接openssl help查看幫助，發現命令openssl s_client help
根據幫助找到登陸命令

openssl s_client -connect localhost:30001

將本關的密碼發送過去，發現

Level 16 → Level 17

• Level Goal
  The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

這道題做完之后感覺挺有意思的，首先看了一下題目要求，其實我是一臉懵逼的，本來想netstat看一下的，結果發現沒權限。。。然后我就隨手一發ps aux之后，發現有個nmap的進程，給了我靈感。。。

nmap localhost -p 31000-32000

有5個端口，但是題目說錯誤的端口是你發啥它回啥，于是測試了一下發現有兩個端口可能是正確的，分別是31518和31790，題目又說了存在ssl服務，于是再挨個測試了一下

openssl s_client -connect localhost:31518
openssl s_client -connect localhost:31790

發現31790是正確的

發現它返回了一個類似ssh私鑰的文件，然后果斷保存到一個文件中ssh.priv，這里需要在/tmp目錄下創建一個自己的目錄，才能寫入到文件中，因為有權限管理。
再利用上一關的知識

ssh -i /tmp/bandit16/ssh.priv bandit17@localhost

成功登陸，密碼在/etc/bandit_pass/bandit17
密碼xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn

Level 17 → Level 18

• Level Goal
  There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new

NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19

這種比較新舊的問題肯定是用diff命令了

diff passwords.old passwords.new

Level 18 → Level 19

• Level Goal
  The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

這道題我們正常登陸的話

ssh bandit18@bandit.labs.overthewire.org -p2220

然后我們就發現直接斷開了

其實我們在ssh登陸的時候可以直接后面跟上命令，雖然被斷開了，但是命令還是可以執行的，我們在后面加上cat readme，照常輸入上一關的密碼，下一關的密碼就會顯示出來的

Level 19 → Level 20

• Level Goal
  To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

這題也不知道要我們做什么，反正就莫名其妙的得到密碼了

Level 20 → Level 21

• Level Goal
  There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: Try connecting to your own network daemon to see if it works as you think

題目說這個suconnect程序會連接到我們指定的端口，并且讀取內容并于bandit20的密碼進行比較，如果相同的話就返回下一關的密碼
我們知道密碼是存放在/etc/bandit_pass/bandit20這個文件中的，因此我們就在本地開啟一個端口，并且把密碼發送到這個端口，然后我們在用這個程序連接到這個端口中就可以成功了。

nc -l 2333 < /etc/bandit_pass/bandit20 &

這里我在命令后面加了&符號，可以讓這條命令在后臺執行，這樣我們就可以繼續執行./suconnect 2333命令來連接2333端口了

Level 21 → Level 22

• Level Goal
  A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

按照提示到/etc/cron.d目錄下查看cronjob_bandit22的定時任務

Level 22 → Level 23

• Level Goal
  A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.

解題看下圖

密碼jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n

Level 23 → Level 24

• Level Goal
  A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!

NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…

這道題先看一下contab文件

分析一下知道定時任務會執行/usr/bin/cronjob_bandit24.sh這個文件
shell腳本的功能是執行/var/spool/bandit24中的所有文件，如果60秒內沒有執行就刪除所有文件.
因此思路就是我們寫一個查看密碼的shell腳本放到這個目錄下，讓他以bandit24用戶來執行就好了。

mkdir /tmp/bandit23
chmod 777 /tmp/bandit23
cd /tmp/bandit23
vim shell.sh

shell.sh的內容如下

#!/bin/bash
cat /etc/bandit_pass/bandit24 >> /tmp/bandit/pass

然后chmod 777 shell.sh，再然后將shell.sh復制到/var/spool/bandit24目錄下，等待一些時間，就會發現/tmp/bandit23/目錄下多了一個pass文件，內容就是密碼

Level 24 → Level 25

• Level Goal
  A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.

這道題目首先nc連接一下

根據要求輸入上一關的密碼加空格加4位數字，果斷報錯了。。
所以要寫腳本進行爆破。
我想到的是使用pwntools來進行爆破（CTF打多了...）
腳本如下:

from pwn import *

r = remote('localhost', 30002)
for i in range(0, 10):
    for j in range(0, 10):
        for k in range(0, 10):
            for p in range(0, 10):
                flag = str(i) + str(j) + str(k) + str(p)
                s = "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ "+ flag
                r.sendline(s)
                response = r.recvline()
                if 'Wrong!' not in response:
                    print 'Correct! ' + response

一個比較粗糙的爆破腳本就寫好了，執行就好了

Level 25 → Level 26

• Level Goal
  Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.

這道題登陸上去后發現home目錄下有一個ssh的私鑰，果斷ssh連接上去

ssh -i ssh.private bandit26@localhost

但是登陸之后直接就切斷了
根據提示，說用戶bandit26用的shell有問題，這種情況我們可以查看/etc/passwd文件

:e /etc/bandit_pass/bandit26

Level 26 → Level 27

• Level Goal
  Good job getting a shell! Now hurry and grab the password for bandit27!

這一關使用密碼ssh登陸之后也是直接斷開了，所以跟上一關套路一樣，進入more模式，利用vim模式執行命令，這次不能用e來讀取文件了，因為權限不夠。!command也不行，!sh也不行，后來查看資料發現vim還有一種需要先設置shell的目錄才行

vim模式下
:set shell=/bin/sh
:sh

這樣得到了一個shell,ls發現有一個程序，跟以前一樣，直接讀取密碼文件即可

Level 27 → Level 28

• Level Goal
  There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo. The password for the user bandit27-git is the same as for the user bandit27.

Clone the repository and find the password for the next level.

解題如圖

Level 28 → Level 29

• Level Goal
  There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo. The password for the user bandit28-git is the same as for the user bandit28.

Clone the repository and find the password for the next level.

跟上一關一樣使用git clone把東西下載下來，然后有一個READ.ME，查看

Level 29 → Level 30

• Level Goal
  There is a git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo. The password for the user bandit29-git is the same as for the user bandit29.

Clone the repository and find the password for the next level.

這道題還是老套路，git clone一下，然后git log、git show都試了一下，也沒啥發現，然后git branch -a了一下，看到了有四個分支

git checkout remotes/origin/master

Level 30 → Level 31

Level Goal
There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo. The password for the user bandit30-git is the same as for the user bandit30.

Clone the repository and find the password for the next level.

git show-ref可以現實本地存儲庫的所有可用的引用以及關聯的提交ID

Level 31 → Level 32

• Level Goal
  There is a git repository at ssh://bandit31-git@localhost/home/bandit31-git/repo. The password for the user bandit31-git is the same as for the user bandit31.

Clone the repository and find the password for the next level.

本題要求我們把key.txt文件push到遠程服務器上。
首先按照要求創建key.txt

echo 'May I come in ?' > key.txt

然后

git add -f key.txt
git commit

這里git commit會打開nano編輯器，具體如何操作自行百度
之后git push即可
得到密碼56a9bf19c63d650ce78e6ec0354ee45e

Level 32 → Level 33

After all this git stuff its time for another esape. Good luck!

執行uppershell發現他會把輸入的命令變成大寫之后再執行，導致命令并不能正常執行。因此我們可以寫一個名字為大寫的shell文件
TEST文件

#!/bin/bash
bash

這樣就能獲取到bandit33的bash了

Level 33 → Level 34

結束啦～～