bandit


The Bandit site is: https://overthewire.org/wargames/bandit

0-10

0

The level description gives us the username and password directly: bandit0
Log in with:
ssh -p 2220 bandit0@bandit.labs.overthewire.org
Enter the password bandit0 and the login succeeds (the password is not echoed while you type it)

ls shows a readme file that holds the password for the next level
cat readme
This gives the next level's password: boJ9jbbUNNfktd78OOpsqOltutMc3MY1

1

ssh -p 2220 bandit1@bandit.labs.overthewire.org
ls
There is a file with the special name -
cat - does not read the file: a bare - is interpreted as "read from standard input", so cat just echoes whatever you type; press Ctrl+D to stop
cat ./- reads the file's contents, giving the next level's password:
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

2

ssh -p 2220 bandit2@bandit.labs.overthewire.org
cat the file whose name contains spaces, using Tab to complete the name (the shell escapes the spaces for you); this gives the next password:
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
As shown in the screenshot:

3

ssh -p 2220 bandit3@bandit.labs.overthewire.org
There is a directory named inhere

After cd-ing into it, ls shows nothing,
so use ls -a to list hidden files
cat .hidden gives the next password:
pIwrPrtPN36QITSp3EQaw936yaFoFgAB

4

file ./*
The file command reports each file's type (./* is used so that names starting with - are not parsed as options)
cat ./-file07
This gives the next level's password:
koReBOKuIDDepwhWk7jZC0RTdopnAYKh
As shown in the screenshot:

5

ssh -p 2220 bandit5@bandit.labs.overthewire.org
There are many directories
find -type f -size 1033c
This finds the file:

-type f: regular files only
-size 1033c: exactly 1033 bytes (the c suffix means bytes)
Password found: DXjZPULLxYr17uwoI01bNLQbtFemEgo7

6

ssh -p 2220 bandit6@bandit.labs.overthewire.org
Following the hints:

find / -size 33c -user bandit7 -group bandit6 2>/dev/null
2>/dev/null discards the "Permission denied" errors produced while searching from the root directory
This gives the next password:
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
As shown in the screenshot:
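Levels 1 to 6 all come down to the same two skills: getting the shell or the tool to treat an awkward file name as a name, and narrowing a search with find predicates. The following POSIX shell script is an added example and not part of the writeup: make_playground builds a constructed directory (the names, contents and sizes are invented) with a file named -, a file with spaces in its name, a dotfile, and two files of nearly the same size, and the helpers show the safe way to read each and how -size Nc with ! -perm -100 pins down the 1033-byte non-executable file from level 5. The -user/-group part of level 6 is not reproduced because changing ownership needs root.

```sh
#!/bin/sh
# Added example (not from the writeup). All names and sizes are constructed.

make_playground() {
    d="$1"
    mkdir -p "$d/inhere"
    printf 'level1 dash file\n' > "$d/-"                          # level 1: name is "-"
    printf 'level2 spaces\n' > "$d/spaces in this filename"        # level 2
    printf 'level3 hidden\n' > "$d/inhere/.hidden"                 # level 3: dotfile
    head -c 1033 /dev/zero | tr '\0' 'A' > "$d/inhere/exact1033"   # level 5: 1033 bytes, not executable
    head -c 1032 /dev/zero | tr '\0' 'B' > "$d/inhere/near1032"    # decoy: 1032 bytes, executable
    chmod +x "$d/inhere/near1032"
}

# A bare "-" means standard input to cat even after "--", so the file must be
# named by a path such as ./- (or an absolute path).
read_dash_file() { (cd "$1" && cat ./-); }

# Quoting hands the whole name to cat as one argument; Tab completion does
# the same by escaping the spaces.
read_spaced_file() { cat "$1/spaces in this filename"; }

# Dotfiles are hidden from plain ls but can be opened directly by name.
read_hidden_file() { cat "$1/inhere/.hidden"; }

# -size Nc matches an exact byte count; ! -perm -100 excludes files whose
# owner execute bit is set, mirroring the level-5 hint "not executable".
find_exact_size() { find "$1" -type f -size "${2}c" ! -perm -100; }
```

Running make_playground in a temporary directory and then find_exact_size on it with 1033 returns only inhere/exact1033; asking for 1032 returns nothing, because the only 1032-byte file is executable.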

7

ssh -p 2220 bandit7@bandit.labs.overthewire.org
Following the hint, use grep
cat data.txt|grep millionth
As shown in the screenshot:

The password is: cvX2JJa4CFALtqS87jk27qwqGhBM9plV

8

ssh -p 2220 bandit8@bandit.labs.overthewire.org
sort data.txt|uniq -u
As shown in the screenshot:

sort sorts the lines (uniq only detects duplicates that are adjacent, so sort first)
uniq options:
-i ignore case
-c count occurrences
-u print only lines that occur exactly once
The next password is: UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

9

ssh -p 2220 bandit9@bandit.labs.overthewire.org
strings data.txt prints the printable strings in the file
This gives the next password: truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk

10

ssh -p 2220 bandit10@bandit.labs.overthewire.org
Base64 decode: base64 -d data.txt
Next password: IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

11-20

11

ssh -p 2220 bandit11@bandit.labs.overthewire.org
The description says the letters were rotated by 13 positions (ROT13), i.e. the first and second halves of the alphabet swap places
tr takes two character sets: each character found in the first set is replaced by the character at the same position in the second
cat data.txt |tr 'a-zA-Z' 'n-za-mN-ZA-M'
Equivalently: cat data.txt |tr 'n-za-mN-ZA-M' 'a-zA-Z' has the same effect, because ROT13 is its own inverse
The next password is: 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

12

ssh -p 2220 bandit12@bandit.labs.overthewire.org
This one is a bit roundabout, but we can follow the hints step by step
xxd -r turns the hex dump back into binary
What follows is a long chain of tar, bz2 and gz extraction; the individual options are not explained here
It only looks complicated; don't be put off, a bit of practice makes it familiar
Since we have no write permission in the current directory, we move to the working directory suggested by the level, /tmp. The full command sequence is below; look up any unfamiliar options yourself

bandit12@bandit:~$ mkdir /tmp/ss
bandit12@bandit:~$ cp  data.txt /tmp/ss
bandit12@bandit:~$ cd /tmp/ss
bandit12@bandit:/tmp/ss$ file data.txt 
data.txt: ASCII text
bandit12@bandit:/tmp/ss$ xxd -r data.txt >data.bin
bandit12@bandit:/tmp/ss$ file data.bin 
data.bin: gzip compressed data, was "data2.bin", last modified: Thu May  7 18:14:30 2020, max compression, from Unix
bandit12@bandit:/tmp/ss$ mv data.bin data.gz
bandit12@bandit:/tmp/ss$ gzip -d data.gz 
bandit12@bandit:/tmp/ss$ ls
data  data.txt
bandit12@bandit:/tmp/ss$ file data
data: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/ss$ bunzip2 -d data
bunzip2: Can't guess original name for data -- using data.out
bandit12@bandit:/tmp/ss$ ls
data.out  data.txt
bandit12@bandit:/tmp/ss$ bunzip2 -d data.out
bunzip2: Can't guess original name for data.out -- using data.out.out
bunzip2: data.out is not a bzip2 file.
bandit12@bandit:/tmp/ss$ ls
data.out  data.txt
bandit12@bandit:/tmp/ss$ mv data.out data
bandit12@bandit:/tmp/ss$ mv data data.bz2
bandit12@bandit:/tmp/ss$ bunzip2 -d data.bz2 
bunzip2: data.bz2 is not a bzip2 file.
bandit12@bandit:/tmp/ss$ ls
data.bz2  data.txt
bandit12@bandit:/tmp/ss$ mv data.bz2 data
bandit12@bandit:/tmp/ss$ mv data data.bz
bandit12@bandit:/tmp/ss$ bunzip2 -d data.bz 
bunzip2: data.bz is not a bzip2 file.
bandit12@bandit:/tmp/ss$ mv data.
data.bz   data.txt  
bandit12@bandit:/tmp/ss$ mv data.bz data
bandit12@bandit:/tmp/ss$ file data
data: gzip compressed data, was "data4.bin", last modified: Thu May  7 18:14:30 2020, max compression, from Unix
bandit12@bandit:/tmp/ss$ ls
data  data.txt
bandit12@bandit:/tmp/ss$ ls
data  data.txt
bandit12@bandit:/tmp/ss$ rm -rf data
bandit12@bandit:/tmp/ss$ ls
data.txt
bandit12@bandit:/tmp/ss$ xxd -r data.txt >data.bin
bandit12@bandit:/tmp/ss$ ls
data.bin  data.txt
bandit12@bandit:/tmp/ss$ rm -rf data.bin
bandit12@bandit:/tmp/ss$ ls
data.txt
bandit12@bandit:/tmp/ss$ file data.txt 
data.txt: ASCII text
bandit12@bandit:/tmp/ss$ xxd -r data.txt >data.bin
bandit12@bandit:/tmp/ss$ file data.bin 
data.bin: gzip compressed data, was "data2.bin", last modified: Thu May  7 18:14:30 2020, max compression, from Unix
bandit12@bandit:/tmp/ss$ mv data.bin data.gz
bandit12@bandit:/tmp/ss$ gzip -d data.gz 
bandit12@bandit:/tmp/ss$ file data
data: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/ss$ mv data data.bz2
bandit12@bandit:/tmp/ss$ bunzip2 -d data.bz2 
bandit12@bandit:/tmp/ss$ ls
data  data.txt
bandit12@bandit:/tmp/ss$ file data
data: gzip compressed data, was "data4.bin", last modified: Thu May  7 18:14:30 2020, max compression, from Unix
bandit12@bandit:/tmp/ss$ mv data data.gz
bandit12@bandit:/tmp/ss$ gzip -d data.gz 
bandit12@bandit:/tmp/ss$ ls
data  data.txt
bandit12@bandit:/tmp/ss$ file data
data: POSIX tar archive (GNU)
bandit12@bandit:/tmp/ss$ mv data data.tar
bandit12@bandit:/tmp/ss$ tar xvf data.tar 
data5.bin
bandit12@bandit:/tmp/ss$ file data5.bin 
data5.bin: POSIX tar archive (GNU)
bandit12@bandit:/tmp/ss$ mv data5.bin data5.tar
bandit12@bandit:/tmp/ss$ tar xvf data5.tar 
data6.bin
bandit12@bandit:/tmp/ss$ file data6.bin 
data6.bin: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/ss$ mv data6.bin data6.bz2
bandit12@bandit:/tmp/ss$ bunzip2 -d data6.bz2 
bandit12@bandit:/tmp/ss$ ls
data5.tar  data6  data.tar  data.txt
bandit12@bandit:/tmp/ss$ file data6
data6: POSIX tar archive (GNU)
bandit12@bandit:/tmp/ss$ mv data6 data6.tar
bandit12@bandit:/tmp/ss$ tar xvf data6.tar 
data8.bin
bandit12@bandit:/tmp/ss$ file data8.bin 
data8.bin: gzip compressed data, was "data9.bin", last modified: Thu May  7 18:14:30 2020, max compression, from Unix
bandit12@bandit:/tmp/ss$ mv data8.bin data8.gz
bandit12@bandit:/tmp/ss$ gzip -d data8.gz 
bandit12@bandit:/tmp/ss$ ls
data5.tar  data6.tar  data8  data.tar  data.txt
bandit12@bandit:/tmp/ss$ file data8
data8: ASCII text
bandit12@bandit:/tmp/ss$ cat data8
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

The next password is: 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
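The session above identifies every layer with file, renames it to the suffix the tool expects, and unpacks it by hand; most of the noise comes from guessing the suffix wrong. The script below is an added example and not part of the writeup: it does the same detection itself by reading the magic bytes (gzip 1f 8b, bzip2 "BZh", tar "ustar" at offset 257), decompresses to a fresh file each round so no renaming is needed, and stops when plain data remains. It starts from the binary, i.e. after the xxd -r step. build_sample constructs its own nested input (text inside tar inside gzip inside tar inside gzip; names and the password string are invented); bzip2 is handled in the loop but only invoked if such a layer is met, and the archive is assumed to hold exactly one member as in the level.

```sh
#!/bin/sh
# Added example (not from the writeup). Sample data is constructed.

# Print gzip, bzip2, tar or plain for file $1 based on its leading bytes.
detect_type() {
    f="$1"
    magic=$(od -An -N3 -tx1 "$f" | tr -d ' \n')
    case "$magic" in
        1f8b*)  echo gzip;  return ;;
        425a68) echo bzip2; return ;;
    esac
    # POSIX/GNU tar headers carry "ustar" at byte offset 257.
    if [ "$(dd if="$f" bs=1 skip=257 count=5 2>/dev/null)" = "ustar" ]; then
        echo tar; return
    fi
    echo plain
}

# Unwrap $1 inside work dir $2 until a non-container file remains; print its path.
unwrap() {
    src="$1"; work="$2"
    mkdir -p "$work"
    cp "$src" "$work/layer"
    cur="$work/layer"
    i=0
    while :; do
        i=$((i + 1))
        if [ "$i" -gt 20 ]; then
            echo "too many layers" >&2; return 1
        fi
        case "$(detect_type "$cur")" in
            gzip)  gzip -dc "$cur" > "$work/layer$i" ;;
            bzip2) bzip2 -dc "$cur" > "$work/layer$i" ;;
            tar)
                mkdir -p "$work/x$i"
                tar -xf "$cur" -C "$work/x$i"
                # assumption: one member per archive, as in the level
                set -- "$work/x$i"/*
                cp "$1" "$work/layer$i" ;;
            *) printf '%s\n' "$cur"; return 0 ;;
        esac
        cur="$work/layer$i"
    done
}

# Constructed sample: text -> tar -> gzip -> tar -> gzip. Prints the outer file.
build_sample() {
    b="$1/build"
    mkdir -p "$b"
    printf 'The password is EXAMPLE_NOT_A_REAL_PASSWORD\n' > "$b/data9.bin"
    (cd "$b" && tar -cf data8.tar data9.bin)
    gzip -c "$b/data8.tar" > "$b/data7.bin"
    (cd "$b" && tar -cf data6.tar data7.bin)
    gzip -c "$b/data6.tar" > "$b/data.bin"
    printf '%s\n' "$b/data.bin"
}

# Usage: W=$(mktemp -d); cat "$(unwrap "$(build_sample "$W")" "$W/out")"
```

Because detection uses od and dd rather than file, the loop also works on hosts where file is not installed; on the Bandit host, file gives the same answer with less effort, which is why the writeup uses it.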

13

ssh -p 2220 bandit13@bandit.labs.overthewire.org
This level tells us the password is stored in /etc/bandit_pass/bandit14 and that we must log in to bandit14 over ssh with a key file
ssh -i sshkey.private bandit14@127.0.0.1
cat /etc/bandit_pass/bandit14
This gives the next password:
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

14

ssh -p 2220 bandit14@bandit.labs.overthewire.org

bandit14@bandit:~$ telnet localhost 30000
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

Wrong! Please enter the correct current password
Connection closed by foreign host.
bandit14@bandit:~$ telnet localhost 30000
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr

Connection closed by foreign host.

This gives the next password: BfMYroe26WYalil77FoDi9qh59eK5xNr

15

ssh -p 2220 bandit15@bandit.labs.overthewire.org
Connect over SSL/TLS:
openssl s_client -connect localhost:30001
Next password: cluFn7wTiGryunymYOu4RcffSxQluehd

16

ssh -p 2220 bandit16@bandit.labs.overthewire.org
nmap -sV probes the services and versions on open ports
nmap -sV localhost -p 31000-32000
The scan shows two ports, 31518 and 31790
By the usual pattern the first port is there to waste your time, so we go straight for port 31790
openssl s_client -connect localhost -port 31790
This returns an ssh private key:
(the key text is not reproduced here) Save it to a key file and connect as bandit17
chmod 600 a.priv
ssh -i a.priv bandit17@localhost

I don't know why it still prompts for a passphrase and a password; something is off here. I read a few blog posts and none of them cover this level in much detail, so corrections are welcome
Using other people's write-ups, the next password is still given: xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn

17

ssh -p 2220 bandit17@bandit.labs.overthewire.org
ls shows two files, password.new and password.old
cat each of them: most lines are identical,
diff password.new password.old shows the lines that differ
The password is: kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd

18

ssh -p 2220 bandit18@bandit.labs.overthewire.org
We are greeted with "byebye": the description says .bashrc was modified so that we are logged out as soon as we log in
But we can still run a single command by passing it to ssh
For example:
ssh -p 2220 bandit18@bandit.labs.overthewire.org cat ./readme
Enter the password and the next password is printed:
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

19

ssh -p 2220 bandit19@bandit.labs.overthewire.org
ls -l shows:
-rwsr-x--- 1 bandit20 bandit19 7296 May 7 20:14 bandit20-do
(the name is shown in red, which indicates a compressed or archive file; the seven columns from left to right are permissions, link count, owner, group, size, date and file name)
A quick note on ruid and euid: the ruid is whoever runs the program, the euid decides which permissions it actually runs with
The s bit means that whoever executes this file, it runs with the owner's identity (a capital S means the setuid bit is set but the file has no execute permission)
The owner is bandit20
./bandit20-do cat /etc/bandit_pass/bandit20
The next password is: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
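Setuid binaries like bandit20-do are exactly what an auditor inventories on a host, and the s versus S distinction above decides whether an entry matters. The script below is an added example, not part of the writeup: audit_setuid lists every setuid file under a directory with the character in the owner-execute slot of ls -l and the owner, count_effective_setuid counts the ones that can really run as their owner, and make_suid_sample builds a constructed tree (invented file names, no files from the Bandit host) with a mode 4750 script like the level's -rwsr-x---, a setuid file without execute permission, and an ordinary executable. chmod can set the setuid bit on files you own without root, which is all the sample needs.

```sh
#!/bin/sh
# Added example (not from the writeup). Sample tree is constructed.

# One line per setuid file under $1: "<s|S> <owner> <path>".
# 's' = setuid bit plus owner execute bit: the file runs as its owner.
# 'S' = setuid bit without execute permission: it cannot run at all.
audit_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        line=$(ls -ld "$f")
        mode=$(printf '%s' "$line" | cut -c4)        # owner execute slot of the mode string
        owner=$(printf '%s' "$line" | awk '{print $3}')
        printf '%s %s %s\n' "$mode" "$owner" "$f"
    done
}

# Number of setuid files that can actually execute (the ones worth reviewing).
count_effective_setuid() {
    n=$(audit_setuid "$1" | grep -c '^s ') || true   # grep -c exits 1 on zero matches
    echo "${n:-0}"
}

# Constructed sample: a runnable setuid script, a setuid file that cannot
# execute, and a plain executable that must not appear in the audit.
make_suid_sample() {
    d="$1"
    mkdir -p "$d"
    printf '#!/bin/sh\necho running\n' > "$d/bandit20-do-like"
    chmod 4750 "$d/bandit20-do-like"      # -rwsr-x--- as in the level listing
    : > "$d/setuid-no-exec"
    chmod 4640 "$d/setuid-no-exec"        # -rwSr----- : setuid bit, no execute bit
    printf '#!/bin/sh\necho plain\n' > "$d/plain-tool"
    chmod 0755 "$d/plain-tool"            # ordinary executable, not setuid
}

# Usage: D=$(mktemp -d); make_suid_sample "$D"; audit_setuid "$D"
```

On a real system the same function pointed at / (with 2>/dev/null already silencing unreadable directories) gives the list to compare against the distribution's expected setuid set; any s-entry owned by an account you did not expect is the one to look at first.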

20

ssh -p 2220 bandit20@bandit.labs.overthewire.org
nc in listen mode
nc -lv < /etc/bandit_pass/bandit20 &
-l puts nc in listen mode
-v verbose output
& at the end of a command runs it as a background job; sometimes a process holds the shell without giving us a prompt, so we want it to run in the background
Then use the suconnect binary to connect to that port and get the password
./suconnect [port]
The full sequence is as follows:

bandit20@bandit:~$ nc -lv < /etc/bandit_pass/bandit20 &
[1] 6617
bandit20@bandit:~$ listening on [any] 36263 ...

bandit20@bandit:~$ ./suconnect 36263
connect to [127.0.0.1] from localhost [127.0.0.1] 42488
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
bandit20@bandit:~$ 

The next password is: gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr

21-30

21

ssh -p 2220 bandit21@bandit.labs.overthewire.org
Following the hint: cd /etc/cron.d
For cron (crontab) all we need to know is that it is an alarm clock: like a person setting an alarm, when the time comes cron runs the scheduled job

The full sequence is as follows:

bandit21@bandit:~$ cd  /etc/cron.d/
bandit21@bandit:/etc/cron.d$ ls
cronjob_bandit15_root  cronjob_bandit22  cronjob_bandit24
cronjob_bandit17_root  cronjob_bandit23  cronjob_bandit25_root
bandit21@bandit:/etc/cron.d$ vim cronjob_bandit22
bandit21@bandit:/etc/cron.d$ cat cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
bandit21@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
bandit21@bandit:/etc/cron.d$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

cronjob_bandit22 is one such scheduled job
The first five fields are the schedule; * in each field means "any value", so /usr/bin/cronjob_bandit22.sh runs every minute,
and that script writes the password into a file under /tmp
&> /dev/null sends the script's error and other output into the void
(cat /etc/bandit_pass/bandit22 directly gives Permission denied)
This gives the next password: Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

22

ssh -p 2220 bandit22@bandit.labs.overthewire.org
Following the hint, go into /etc/cron.d/ again
Look at cronjob_bandit23
Follow it to the script it runs
We find that the password is written to a file named after the md5 hash of "I am user bandit23"

The steps are as follows:

bandit22@bandit:~$ ls /etc/cron.d/    // as the hint says, list the scheduled jobs
cronjob_bandit15_root  cronjob_bandit22  cronjob_bandit24
cronjob_bandit17_root  cronjob_bandit23  cronjob_bandit25_root
bandit22@bandit:~$ cat /etc/cron.d/cronjob_bandit22    // look at this level's bandit22 job
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
bandit22@bandit:~$ cat /usr/bin/cronjob_bandit22.sh    // look at the corresponding script
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv  // so the password is written to /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
bandit22@bandit:~$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

The password obtained is:

Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

23

I don't know why the password from the previous level does not log in, but it makes no difference: we can do the inspection from the previous level's account
Much like the previous level: look at the job, then read the script it runs
The steps are as follows:

bandit22@bandit:~$ cat /etc/cron.d/cronjob_bandit23 
@reboot bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
bandit22@bandit:~$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget

This needs a little shell scripting knowledge: $ introduces a variable. Substitute bandit23 for $myname and run the same pipeline:

echo I am user bandit23 | md5sum | cut -d ' ' -f 1

This gives the bandit24 password:

8ca319486bfbbc3663ea0fbe81326349
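Levels 21 to 23 are all the same inspection: read a cron.d entry, find the user it runs as and the script it runs, then reproduce what the script computes. The script below is an added example, not part of the writeup: cron_jobs parses a system cron.d file into "user command" lines (handling both the five-field schedule and @reboot-style shortcuts, and skipping comments and blank lines), jobs_for_user filters a whole cron.d directory by user, and tmp_target_for performs the same md5 derivation as cronjob_bandit23.sh, which, as that script shows, names the file under /tmp that the password is copied into. sample_cron_d writes constructed copies of the entries shown above into a directory of your choosing so the parser can be exercised offline.

```sh
#!/bin/sh
# Added example (not from the writeup). Cron files written by sample_cron_d
# are constructed copies of the entries quoted in the text.

# Write constructed cron.d files into directory $1.
sample_cron_d() {
    d="$1"
    mkdir -p "$d"
    cat > "$d/cronjob_bandit22" <<'EOF'
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
EOF
    cat > "$d/cronjob_bandit23" <<'EOF'
# comment lines and blank lines are ignored by cron

@reboot bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
EOF
}

# Print "user command" for every job in cron.d file $1.
# System cron.d entries carry a user field: field 6 after a five-field
# schedule, or field 2 after an @reboot/@hourly style shortcut.
cron_jobs() {
    awk '
        /^[[:space:]]*(#|$)/ { next }                    # skip comments and blanks
        $1 ~ /^@/            { user = $2; first = 3 }    # @reboot user cmd ...
        $1 !~ /^@/           { if (NF < 7) next; user = $6; first = 7 }
        {
            cmd = ""
            for (i = first; i <= NF; i++) cmd = cmd (i > first ? " " : "") $i
            print user " " cmd
        }' "$1"
}

# Jobs in cron.d directory $1 that run as user $2.
jobs_for_user() {
    for f in "$1"/*; do
        [ -f "$f" ] && cron_jobs "$f"
    done | awk -v u="$2" '$1 == u'
}

# Same derivation as cronjob_bandit23.sh: md5 of "I am user <name>" plus the
# trailing newline that echo adds, prefixed with /tmp/.
tmp_target_for() {
    printf '/tmp/%s\n' "$(printf 'I am user %s\n' "$1" | md5sum | cut -d ' ' -f 1)"
}

# Usage: D=$(mktemp -d); sample_cron_d "$D"; jobs_for_user "$D" bandit23; tmp_target_for bandit23
```

The trailing newline matters: hashing "I am user bandit23" without it gives a different digest, which is a common reason for computing the wrong /tmp path by hand.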

24-33

See: https://zhuanlan.zhihu.com/p/107968265

