My record of working through the bandit wargame on OverTheWire. The challenges are at http://www.overthewire.org/wargames
Logging in remotely with ssh to the server the site provides is all it takes:
ssh bandit0@bandit.labs.overthewire.org
or
ssh -l bandit0 bandit.labs.overthewire.org
The password is in the readme file in the home directory: ls shows the readme file, then cat shows its contents and gives the password
bandit0@melinda:~$ ls
readme
bandit0@melinda:~$ cat readme
boJ9jbbUNNfktd78OOpsqOltutMc3MY1
The password is in a file named - in the home directory. You can ls as before, but if you type cat - directly it does not show the file; it just keeps waiting for input, because "-" is taken as an option marker rather than a filename.
bandit1@melinda:~$ cat ./-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
The filename contains spaces; escape them with "\"
bandit2@melinda:~$ ls
spaces in this filename
bandit2@melinda:~$ cat spaces\ in\ this\ filename
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
bandit3@melinda:~$ ls
inhere
bandit3@melinda:~$ cd ~/inhere
bandit3@melinda:~/inhere$ ls
bandit3@melinda:~/inhere$ ls -a
. .. .hidden
bandit3@melinda:~/inhere$ cat ./.hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB
There are 10 files in the inhere folder; trying them one by one, -file07 gives the password
bandit3@melinda:~$ ls
inhere
bandit3@melinda:~$ cd ~/inhere
bandit3@melinda:~/inhere$ ls
-file00 -file02 -file04 -file06 -file08
-file01 -file03 -file05 -file07 -file09
bandit4@melinda:~/inhere$ cat ./-file07
koReBOKuIDDepwhWk7jZC0RTdopnAYKh
bandit5@melinda:~$ cd ~/inhere
bandit5@melinda:~/inhere$ find . -size 1033c -type f
./maybehere07/.file2
bandit5@melinda:~/inhere$ cat ./maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7
The file is somewhere on the server, so run find straight from the root directory. It prints a lot of error messages, so add 2>/dev/null to suppress them; what remains is the useful output
bandit6@melinda:~$ find / -group bandit6 -size 33c -user bandit7 -type f 2>/dev/null
/var/lib/dpkg/info/bandit7.password
bandit6@melinda:~$ cat /var/lib/dpkg/info/bandit7.password
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
Use grep to find the line in data.txt containing "millionth", which gives the password
bandit7@melinda:~$ ls
data.txt
bandit7@melinda:~$ cat data.txt | grep 'millionth'
millionth cvX2JJa4CFALtqS87jk27qwqGhBM9plV
For the contents of data.txt, first sort, then use uniq -c to show how many times each line occurs; in the output find 1 UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
bandit8@melinda:~$ cat data.txt | sort | uniq -c
Or sort and then use uniq -u to show only the lines that occur exactly once
bandit8@melinda:~$ sort data.txt | uniq -u
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
data.txt is a binary file; use strings to pull out the printable strings, then grep for "="
bandit9@melinda:~$ strings data.txt | grep '^='
========== password
========== ism
========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
Simple base64 decoding; just use base64 -d
bandit10@melinda:~$ cat data.txt | base64 -d
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR
Use tr to map the characters in the file back, since every letter has been shifted 13 places: a became n, b became o, z became m, and so on; use that rule to reverse the transformation.
bandit11@melinda:~$ cat data.txt | tr "a-mn-z" "n-za-m" | tr "A-MN-Z" "N-ZA-M"
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
First create a temporary folder under /tmp and copy data.txt into it with cp. Viewing data.txt with xxd shows that the first bytes are 1f8b. Since gzip data starts with 1F8B, it was compressed with gzip, so decompress it with gzip; the file command can also show the actual type directly
bandit12@melinda:~$ mkdir /tmp/cch
bandit12@melinda:~$ cp data.txt /tmp/cch
bandit12@melinda:/tmp/cch$ cat data.txt | xxd -r > data
bandit12@melinda:/tmp/cch$ file data
data: gzip compressed data, was "data2.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
bandit12@melinda:/tmp/cch$ mv data data.gz
bandit12@melinda:/tmp/cch$ gzip -d data.gz
bandit12@melinda:/tmp/cch$ ls
data data.txt
bandit12@melinda:/tmp/cch$ file data
data: bzip2 compressed data, block size = 900k
bandit12@melinda:/tmp/cch$ mv data data.bz2
bandit12@melinda:/tmp/cch$ bzip2 -d data.bz2
bandit12@melinda:/tmp/cch$ file data
data: gzip compressed data, was "data4.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
bandit12@melinda:/tmp/cch$ mv data data.gz
bandit12@melinda:/tmp/cch$ gzip -d data.gz
bandit12@melinda:/tmp/cch$ ls
data data.txt
bandit12@melinda:/tmp/cch$ file data
data: POSIX tar archive (GNU)
bandit12@melinda:/tmp/cch$ mv data data.tar
bandit12@melinda:/tmp/cch$ tar -xvf data.tar
data5.bin
bandit12@melinda:/tmp/cch$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@melinda:/tmp/cch$ tar -xvf data5.bin
data6.bin
bandit12@melinda:/tmp/cch$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@melinda:/tmp/cch$ mv data6.bin data6.bin.bz2
bandit12@melinda:/tmp/cch$ bzip2 -d data6.bin.bz2
bandit12@melinda:/tmp/cch$ ls
data.tar data.txt data5.bin data6.bin
bandit12@melinda:/tmp/cch$ file data6.bin
data6.bin: POSIX tar archive (GNU)
bandit12@melinda:/tmp/cch$ tar -xvf data6.bin
data8.bin
bandit12@melinda:/tmp/cch$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
bandit12@melinda:/tmp/cch$ mv data8.bin data8.bin.gz
bandit12@melinda:/tmp/cch$ gzip -d data8.bin.gz
bandit12@melinda:/tmp/cch$ ls
data.tar data.txt data5.bin data6.bin data8.bin
bandit12@melinda:/tmp/cch$ file data8.bin
data8.bin: ASCII text
bandit12@melinda:/tmp/cch$ cat data8.bin
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
By this point I was getting a bit impatient; fortunately the password came out
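The same peeling can be automated by checking magic bytes instead of running file, mv and the matching decompressor by hand for every layer. The script below is an added example, not code from this writeup or from the game: it builds its own nested sample (text inside gzip inside tar inside gzip, with a made-up password), recognises gzip, bzip2 and tar layers, and unwraps until it reaches a plain payload. It only needs gzip, tar and od to run.

```shell
#!/bin/sh
# Added example (not from the writeup): identify each layer from its magic
# bytes and peel it automatically. The sample it unwraps is constructed here.

# layer_type FILE: print gzip, bzip2, tar or unknown, judged from magic bytes
layer_type() {
  magic=$(od -An -tx1 -N3 "$1" 2>/dev/null | tr -d ' \n')
  case "$magic" in
    1f8b*)  echo gzip ;;    # gzip members start with 1f 8b (what xxd showed)
    425a68) echo bzip2 ;;   # "BZh"
    *)
      # POSIX/GNU tar headers carry "ustar" at byte offset 257
      if [ "$(od -An -c -j257 -N5 "$1" 2>/dev/null | tr -d ' \n')" = "ustar" ]; then
        echo tar
      else
        echo unknown
      fi ;;
  esac
}

# unwrap FILE OUTDIR: peel layers until a non-archive payload is reached and
# print the path of that innermost file
unwrap() {
  cur=$1; out=$2; n=0
  while :; do
    n=$((n + 1))
    case "$(layer_type "$cur")" in
      gzip)  gzip -dc "$cur" > "$out/layer$n"; cur="$out/layer$n" ;;
      bzip2) bzip2 -dc "$cur" > "$out/layer$n"; cur="$out/layer$n" ;;
      tar)   mkdir -p "$out/tar$n"
             tar -xf "$cur" -C "$out/tar$n"
             set -- "$out/tar$n"/*        # take the single extracted member
             cur=$1 ;;
      *)     echo "$cur"; return 0 ;;
    esac
  done
}

# build_sample DIR: construct a nested blob in the style of bandit12's data.txt
# (text -> gzip -> tar -> gzip) and print its path; the password is made up
build_sample() {
  printf 'The password is EXAMPLEPASSWORD\n' > "$1/data8.bin"
  gzip -c "$1/data8.bin" > "$1/data5.bin"
  tar -cf "$1/data4.tar" -C "$1" data5.bin
  gzip -c "$1/data4.tar" > "$1/data.bin"
  echo "$1/data.bin"
}

# demo: build the sample, unwrap it and print the innermost text
demo() {
  work=$(mktemp -d)
  mkdir -p "$work/out"
  cat "$(unwrap "$(build_sample "$work")" "$work/out")"
  rm -rf "$work"
}

demo
```

file recognises far more formats and would be the tool to reach for in practice; reading the magic bytes directly just shows what file is matching on, and the 1f8b test is exactly the check the xxd output above allowed by eye.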
The level tells us the password file is at /etc/bandit_pass/bandit14 and that only the bandit14 user can read it. After logging in, ls shows a sshkey.private file, so I used scp on my own machine to download it from the server
bandit13@melinda:~$ ls
sshkey.private
Note that the following commands are run locally
Chs-MacBook:~ chenchaohao$ scp bandit13@bandit.labs.overthewire.org:./sshkey.private ~/desktop
This is the OverTheWire game server. More information on http://www.overthewire.org/wargames
Please note that wargame usernames are no longer level, but wargamename
e.g. vortex4, semtex2, ...
Note: at this moment, blacksun is not available.
bandit13@bandit.labs.overthewire.org's password:
sshkey.private 100% 1679 1.6KB/s 00:00
Chs-MacBook:desktop chenchaohao$ chmod 0600 sshkey.private
If you log in with this file without changing its permissions, you get
Permissions 0640 for ‘/Users/chenchaohao/desktop/sshkey.private’ are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
and it all falls apart. Once all of the above is done, we can use this file to log in to the next level!
Chs-MacBook:~ chenchaohao$ ssh bandit14@bandit.labs.overthewire.org -i ~/desktop/sshkey.private
As the previous level's description said, bandit14's password is in /etc/bandit_pass/bandit14; read the password first, then send it to localhost port 30000 with nc
bandit14@melinda:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
bandit14@melinda:~$ echo '4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e' | nc localhost 30000
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr
The task is to send this level's password, SSL-encrypted, to localhost port 30001; the hint tells us to add the -quiet option.
bandit15@melinda:~$ echo 'BfMYroe26WYalil77FoDi9qh59eK5xNr' | openssl s_client -connect localhost:30001 -quiet
depth=0 CN = li190-250.members.linode.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = li190-250.members.linode.com
verify return:1
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd
Scan ports 31000-32000 with nmap, using the -sV option (with it, every open port gets version detection to work out which application is running there). Trying the candidates shows that port 31790 is the one we want: getting an RSA private key back means success. Clever me. Copy the key to the local machine into a file called sshkey.private, then log in to the next level with that file
bandit16@melinda:~$ nmap -p 31000-32000 localhost -sV
Starting Nmap 6.40 ( http://nmap.org ) at 2015-10-13 08:49 UTC
Stats: 0:00:26 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 40.00% done; ETC: 08:50 (0:00:39 remaining)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00082s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
31046/tcp open echo
31518/tcp open msdtc Microsoft Distributed Transaction Coordinator (error)
31691/tcp open echo
31790/tcp open msdtc Microsoft Distributed Transaction Coordinator (error)
31960/tcp open echo
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.46 seconds
bandit16@melinda:~$ echo 'cluFn7wTiGryunymYOu4RcffSxQluehd' | openssl s_client -connect localhost:31790 -quiet
depth=0 CN = li190-250.members.linode.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = li190-250.members.linode.com
verify return:1
Correct!
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
read:errno=0
bandit16@melinda:~$ exit
logout
Connection to bandit.labs.overthewire.org closed.
Chs-MacBook:~ chenchaohao$ ssh -l bandit17 bandit.labs.overthewire.org -i ~/desktop/sshkey.private
This level is very simple: just use diff to show the differences between the two files.
bandit17@melinda:~$ ls
passwords.new passwords.old
bandit17@melinda:~$ diff passwords.new passwords.old
42c42
< kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
---
> BS8bqB1kqkinKJjuxL6k072Qq9NRwQpR
The first string is the password in passwords.new, which leads to the next level
Logging in to level 18's server logs you out again immediately, because some configuration file has been modified. No matter: we can simply download the file containing the password with scp. In the local terminal:
Chs-MacBook:~ chenchaohao$ scp bandit18@bandit.labs.overthewire.org:~/readme ~/desktop
This is the OverTheWire game server. More information on http://www.overthewire.org/wargames
Please note that wargame usernames are no longer level, but wargamename
e.g. vortex4, semtex2, ...
Note: at this moment, blacksun is not available.
bandit18@bandit.labs.overthewire.org's password:
readme 100% 33 0.0KB/s 00:00
Chs-MacBook:~ chenchaohao$ cd ~/desktop
Chs-MacBook:desktop chenchaohao$ cat readme
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
Done~
In the home directory there is an executable. Trying it out, it seems this executable lets us read files with the user id of bandit20 (which can also be gathered from the level description). Worth reading up on SUID.
bandit19@melinda:~$ ls
bandit20-do
bandit19@melinda:~$ ./bandit20-do
Run a command as another user.
Example: ./bandit20-do id
bandit19@melinda:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Open two terminals and log in to bandit20 in both. In one, use nc -l to listen on any suitable port, say 2015; in the other, use suconnect to connect to port 2015. In the first, type GbKksEFF4yrVs6il55v6gwY5aVje5f0j; it is sent to the second, which matches it and then sends this level's password back to the first
Terminal 1
bandit20@melinda:~$ nc -l 2015
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Terminal 2
bandit20@melinda:~$ ./suconnect 2015
Result
Terminal 1
bandit20@melinda:~$ nc -l 2015
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
Terminal 2
bandit20@melinda:~$ ./suconnect 2015
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password
Password obtained
The description says a program runs periodically in the background (see cron). Go into /etc/cron.d/ and there are many entries; pick cronjob_bandit22, since it is the one most relevant to this level.
bandit21@melinda:~$ cd /etc/cron.d
bandit21@melinda:/etc/cron.d$ ls
behemoth4_cleanup leviathan5_cleanup natas25_cleanup~ semtex0-ppc
cron-apt manpage3_resetpw_job natas26_cleanup semtex5
cronjob_bandit22 melinda-stats natas27_cleanup sysstat
cronjob_bandit23 natas-session-toucher php5 vortex0
cronjob_bandit24 natas-stats semtex0-32 vortex20
cronjob_bandit24_root natas25_cleanup semtex0-64
bandit21@melinda:/etc/cron.d$ cat cronjob_bandit22
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
cronjob_bandit22 calls a script, cronjob_bandit22.sh in /usr/bin; let's see what the script does.
bandit21@melinda:/etc/cron.d$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
The script simply writes the contents of bandit22, the file holding the next level's password, into /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv. Since we cannot read bandit22 itself, we can just read /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv instead.
bandit21@melinda:/etc/cron.d$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
Password obtained.
As in the previous level, cron is again used to run a program periodically in the background; same recipe, go and look in /etc/cron.d first.
bandit22@melinda:~$ cd /etc/cron.d
bandit22@melinda:/etc/cron.d$ ls
behemoth4_cleanup leviathan5_cleanup natas25_cleanup~ semtex0-ppc
cron-apt manpage3_resetpw_job natas26_cleanup semtex5
cronjob_bandit22 melinda-stats natas27_cleanup sysstat
cronjob_bandit23 natas-session-toucher php5 vortex0
cronjob_bandit24 natas-stats semtex0-32 vortex20
cronjob_bandit24_root natas25_cleanup semtex0-64
bandit22@melinda:/etc/cron.d$ cat cronjob_bandit23
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
I chose to look at cronjob_bandit23.sh. Again it runs a script
bandit22@melinda:/etc/cron.d$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget
The script first sets a myname variable holding a name, then copies the file named after myname (the variable's value) to /tmp/$mytarget, where mytarget is derived from myname by running it through md5 and so on; never mind how messy that is, the file ends up in /tmp/$mytarget. What we want is bandit23 (the pattern is that each level's password lives in the file with that level's name). But whoami returns bandit22 (of course I'm bandit22 at this level...)
bandit22@melinda:/etc/cron.d$ whoami
bandit22
How do we find out what mytarget would be if I were bandit23? You could write a script and run it. I couldn't be bothered and did it straight on the command line.
bandit22@melinda:/etc/cron.d$ myname=bandit23;mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1);echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
Copying passwordfile /etc/bandit_pass/bandit23 to /tmp/8ca319486bfbbc3663ea0fbe81326349
So mytarget is 8ca319486bfbbc3663ea0fbe81326349. Let's look at the contents of /tmp/8ca319486bfbbc3663ea0fbe81326349
bandit22@melinda:/etc/cron.d$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
Start with the same steps as before: see which script the background job calls and read it. We see that the script executes every script in a folder in turn. So let's write a script of our own and put it in that folder.
bandit23@melinda:/tmp/ch$ cd /etc/cron.d
bandit23@melinda:/etc/cron.d$ ls
behemoth4_cleanup leviathan5_cleanup natas25_cleanup~ semtex0-ppc
cron-apt manpage3_resetpw_job natas26_cleanup semtex5
cronjob_bandit22 melinda-stats natas27_cleanup sysstat
cronjob_bandit23 natas-session-toucher php5 vortex0
cronjob_bandit24 natas-stats semtex0-32 vortex20
cronjob_bandit24_root natas25_cleanup semtex0-64
bandit23@melinda:/etc/cron.d$ cat cronjob_bandit24
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
bandit23@melinda:/etc/cron.d$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash
myname=$(whoami)
cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
if [ "$i" != "." -a "$i" != ".." ];
then
echo "Handling $i"
timeout -s 9 60 "./$i"
rm -f "./$i"
fi
done
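The job above runs, then deletes, whatever is found in /var/spool/bandit24, with no check on who put it there or who can still modify it. The following is an added example, not part of this writeup or of the game's own scripts: a hardened version of that loop which only accepts regular files owned by the job's own user and not writable by group or others, and reports what it would run instead of executing it. Owners are compared by numeric uid, and the demo constructs its own spool directory under a temporary path.

```shell
#!/bin/sh
# Added example (not from the writeup or the game): a stricter version of the
# "execute everything in the spool directory" loop from cronjob_bandit24.sh.

# eligible FILE UID: succeed only if FILE is a regular, non-symlink file owned
# by UID and not writable by group or others
eligible() {
  f=$1; want_uid=$2
  [ -L "$f" ] && return 1                  # no symlinks pointing elsewhere
  [ -f "$f" ] || return 1                  # regular files only
  line=$(ls -ldn "$f")                     # e.g. -rwx------ 1 1000 1000 ... name
  perm=$(echo "$line" | cut -c1-10)        # type + 9 permission characters
  owner=$(echo "$line" | awk '{print $3}') # numeric owner uid
  [ "$owner" = "$want_uid" ] || return 1
  case "$perm" in
    ?????w*|????????w?) return 1 ;;        # group- or world-writable
  esac
  return 0
}

# run_spool DIR UID: report, for every entry in DIR, whether the hardened loop
# would run it; the real job would call `timeout -s 9 60 "./$i"` and rm -f it
run_spool() {
  dir=$1; want_uid=$2
  for i in "$dir"/* "$dir"/.*; do
    name=${i##*/}
    case "$name" in .|..|'*'|'.*') continue ;; esac   # skip . .. and unmatched globs
    if eligible "$i" "$want_uid"; then
      echo "run $name"
    else
      echo "skip $name"
    fi
  done
}

# demo: build a constructed spool directory with one acceptable script and one
# world-writable script, then show what the hardened loop would do with them
demo() {
  spool=$(mktemp -d)
  printf '#!/bin/sh\necho ok\n' > "$spool/good.sh"
  printf '#!/bin/sh\necho ok\n' > "$spool/open.sh"
  chmod 700 "$spool/good.sh"
  chmod 777 "$spool/open.sh"
  run_spool "$spool" "$(id -u)"
  rm -rf "$spool"
}

demo
```

The ownership test is what stops another account from planting a script, and the write-permission test is what stops a script that was legitimately placed from being swapped out before cron gets to it; skipped files are left in place so an administrator can see what arrived.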
Next, write the script
bandit23@melinda:~$ mkdir /tmp/ch
bandit23@melinda:~$ cd /tmp/ch
bandit23@melinda:/tmp/ch$ vim 1.sh # written with vim
bandit23@melinda:/tmp/ch$ cat 1.sh # script contents
#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/bandit24
Next, put the script into that folder; the path /var/spool/bandit24/ comes from the script
bandit23@melinda:/tmp/ch$ chmod 777 1.sh
bandit23@melinda:/tmp/ch$ cp 1.sh /var/spool/bandit24/
Wait a while; the background job runs the script, and then a bandit24 folder appears under /tmp with the password inside
bandit23@melinda:/tmp/ch$ cd /tmp/bandit24
bandit23@melinda:/tmp/bandit24$ ls
pass24 password
bandit23@melinda:/tmp/bandit24$ cat password
#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/bandit24/pass24
bandit23@melinda:/tmp/bandit24$ cat pass24
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
One thing I want to note: at first I wrote cat /etc/bandit_pass/bandit24 > /tmp/ch/bandit24 in the script, but bandit24 never appeared, and I don't know why
Brute force... it reminds me of high-school maths, plugging in values one after another. I originally wrote a script that tried 0 to 9999 one at a time, as follows:
#!/bin/bash
for i in $(seq 0 9999)
do
if
echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i" | nc localhost 30002| grep "Wrong" > /dev/null
then
echo "wrong $i" > wrong.txt
else
echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i" | nc localhost 30002
fi
done
It turned out to be far too slow. I looked at a walkthrough on WooYun, which suggested making it multi-threaded:
pass=UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
for i in $(seq 0 9999)
do {
if
echo $pass $i| nc localhost 30002 | grep Wrong > /dev/null
then
echo $i
else
echo $pass $i| nc localhost 30002 > result
exit
fi
}&
done
wait
After it ran it still didn't work: result contained no correct answer, and resource unavailable errors kept appearing while it ran
So I wrote 10 scripts myself, each handling 1000 numbers. For example, 1.sh:
#!/bin/bash
for i in $(seq 0 1000)
do
if
echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i" | nc localhost 30002| grep "Wrong" > /dev/null
then
echo "wrong $i" > wrong.txt
else
echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i" | nc localhost 30002
fi
done
I wrote 1.sh through 10.sh this way, each file only changing the range of the for loop, then ran the scripts in the background one after another
bandit24@melinda:/tmp/aq$ ./1.sh &
[1] 28151
bandit24@melinda:/tmp/aq$ ./2.sh &
[2] 28187
bandit24@melinda:/tmp/aq$ ./3.sh &
[3] 28276
bandit24@melinda:/tmp/aq$ ./4.sh &
[4] 28350
....... # 5.sh to 10.sh omitted
After waiting patiently for a while, the result came out
bandit24@melinda:/tmp/aq$ I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
Correct!
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
Exiting.
5669
^C
Doing it yourself is still the way.
In bandit25 there is a bandit26.sshkey,
bandit25@melinda:~$ ls
bandit26.sshkey
Using the method from an earlier level, log in to bandit26 with this file; you get thrown out as soon as you are in. Back in bandit25, following the level's hint, let's find out what shell bandit26 has
bandit25@melinda:~$ cat /etc/passwd | grep bandit26
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
Let's see what showtext is
bandit25@melinda:~$ cat /usr/bin/showtext
#!/bin/sh
more ~/text.txt
exit 0
So it just displays a text file with more. Getting a shell on bandit26 with the .sshkey file is not going to work. But while logging in with it we can drop into vim and use :r to read in the contents of /etc/bandit_pass/bandit26, the same file several earlier levels read.
Chs-MacBook:~ chenchaohao$ ssh bandit26@bandit.labs.overthewire.org -i ~/desktop/bandit26.sshkey
During login, press v to enter vim
Then type :r /etc/bandit_pass/bandit26. After pressing Enter, text.txt gains the extra string
5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z. Password obtained.