Bandit Walkthrough

My record of clearing the Bandit wargame on overthewire. The challenges are at http://www.overthewire.org/wargames

Bandit walkthrough

level 0

Log in remotely with the ssh command to the server the site provides, and you're done.

ssh bandit0@bandit.labs.overthewire.org

ssh -l bandit0 bandit.labs.overthewire.org

level0 -> level1

The password is in the readme file in the home directory. First use ls to see the readme file, then use cat to view its contents and get the password.

bandit0@melinda:~$ ls
readme
bandit0@melinda:~$ cat readme
boJ9jbbUNNfktd78OOpsqOltutMc3MY1

level1 -> level2

The password is in a file named - in the home directory. You can list it with ls like in the previous level, but if you type cat - directly it doesn't show the file contents and just keeps waiting for input, because "-" clashes with the symbol commands use for options.

bandit1@melinda:~$ cat ./-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

level2 -> level3

The filename has spaces in it, so escape them with "\".

bandit2@melinda:~$ ls
spaces in this filename
bandit2@melinda:~$ cat spaces\ in\ this\ filename
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

level3 -> level4

bandit3@melinda:~$ ls
inhere
bandit3@melinda:~$ cd ~/inhere
bandit3@melinda:~/inhere$ ls
bandit3@melinda:~/inhere$ ls -a
.  ..  .hidden
bandit3@melinda:~/inhere$ cat ./.hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB

level4 -> level5

There are 10 files in the inhere folder. Try them one by one; at 07 you get the password.

bandit3@melinda:~$ ls
inhere
bandit3@melinda:~$ cd ~/inhere
bandit3@melinda:~/inhere$ ls
-file00  -file02  -file04  -file06  -file08
-file01  -file03  -file05  -file07  -file09
bandit4@melinda:~/inhere$ cat ./-file07
koReBOKuIDDepwhWk7jZC0RTdopnAYKh

level5 -> level6

bandit5@melinda:~$ cd ~/inhere
bandit5@melinda:~/inhere$ find . -size 1033c -type f
./maybehere07/.file2
bandit5@melinda:~/inhere$ cat ./maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7

level6 -> level7

The file is somewhere on the server, so run find straight from the root directory. It prints lots of error messages, so add 2>/dev/null to suppress them; what's left is the genuinely useful output.

bandit6@melinda:~$ find / -group bandit6 -size 33c -user bandit7 -type f 2>/dev/null 
/var/lib/dpkg/info/bandit7.password
bandit6@melinda:~$ cat /var/lib/dpkg/info/bandit7.password
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

level7 -> level8

Use grep to find the line in data.txt containing "millionth"; that gives the password.

bandit7@melinda:~$ ls
data.txt
bandit7@melinda:~$ cat data.txt | grep 'millionth'
millionth   cvX2JJa4CFALtqS87jk27qwqGhBM9plV

level8 -> level9

Sort the contents of data.txt with sort, then use uniq -c to show how many times each line occurs, and find 1 UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR in the output.

bandit8@melinda:~$ cat data.txt | sort | uniq -c      

Or sort with sort and use uniq -u to show only the lines that do not repeat.

bandit8@melinda:~$ sort data.txt | uniq -u
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

level9 -> level10

data.txt is a binary file. Use strings to pull out the printable strings in it, then grep for "=".

bandit9@melinda:~$ strings data.txt | grep '^='
========== password
========== ism
========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk

level10 -> level11

Simple base64 decoding; just use base64 -d.

bandit10@melinda:~$ cat data.txt | base64 -d
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

level11 -> level12

Use tr to map the characters in the file back, since every character was shifted forward by 13: a became n, b became o, z became m, and so on. Reverse the mapping using that rule.

bandit11@melinda:~$ cat data.txt | tr "a-mn-z" "n-za-m" | tr "A-MN-Z" "N-ZA-M"
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

level12 -> level13

First create a temporary folder under /tmp and copy data.txt into it with cp. Looking at data.txt with xxd, the leading bytes are 1f8b. Gzip data starts with 1F8B, so we know it was compressed with gzip and can decompress it with gzip. You can also just use the file command to see its actual type.

bandit12@melinda:~$ mkdir /tmp/cch
bandit12@melinda:~$ cp data.txt /tmp/cch
bandit12@melinda:/tmp/cch$ cat data.txt | xxd -r > data
bandit12@melinda:/tmp/cch$ file data
data: gzip compressed data, was "data2.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
bandit12@melinda:/tmp/cch$ mv data data.gz
bandit12@melinda:/tmp/cch$ gzip -d data.gz
bandit12@melinda:/tmp/cch$ ls
data  data.txt
bandit12@melinda:/tmp/cch$ file data
data: bzip2 compressed data, block size = 900k
bandit12@melinda:/tmp/cch$ mv data data.bz2
bandit12@melinda:/tmp/cch$ bzip2 -d data.bz2
bandit12@melinda:/tmp/cch$ file data
data: gzip compressed data, was "data4.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
bandit12@melinda:/tmp/cch$ mv data data.gz
bandit12@melinda:/tmp/cch$ gzip -d data.gz
bandit12@melinda:/tmp/cch$ ls
data  data.txt
bandit12@melinda:/tmp/cch$ file data
data: POSIX tar archive (GNU)
bandit12@melinda:/tmp/cch$ mv data data.tar
bandit12@melinda:/tmp/cch$ tar -xvf data.tar   
data5.bin
bandit12@melinda:/tmp/cch$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@melinda:/tmp/cch$ tar -xvf data5.bin
data6.bin
bandit12@melinda:/tmp/cch$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@melinda:/tmp/cch$ mv data6.bin data6.bin.bz2
bandit12@melinda:/tmp/cch$ bzip2 -d data6.bin.bz2 
bandit12@melinda:/tmp/cch$ ls
data.tar  data.txt  data5.bin  data6.bin
bandit12@melinda:/tmp/cch$ file data6.bin
data6.bin: POSIX tar archive (GNU)
bandit12@melinda:/tmp/cch$ tar -xvf data6.bin
data8.bin
bandit12@melinda:/tmp/cch$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
bandit12@melinda:/tmp/cch$ mv data8.bin data8.bin.gz
bandit12@melinda:/tmp/cch$ gzip -d data8.bin.gz 
bandit12@melinda:/tmp/cch$ ls
data.tar  data.txt  data5.bin  data6.bin  data8.bin
bandit12@melinda:/tmp/cch$ file data8.bin
data8.bin: ASCII text
bandit12@melinda:/tmp/cch$ cat data8.bin
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

By this point I was getting impatient; luckily the password came out.
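The same peel-one-layer-at-a-time loop, written out as a script. This is an added example and not part of the original walkthrough: it checks the magic bytes itself (1f8b for gzip, BZh for bzip2, "ustar" at offset 257 of a tar header) instead of calling file, and builds its own nested sample blob with a placeholder password so it runs offline.

```python
"""Added example (not from the walkthrough): peel nested gzip / bzip2 / tar
layers by checking magic bytes, the way the level 12 session uses `file` to
pick the next tool. The nested blob is constructed here so it runs offline."""
import bz2
import gzip
import io
import tarfile

def detect(data):
    """Classify a blob for the layer types this level uses."""
    if data.startswith(b"\x1f\x8b"):
        return "gzip"
    if data.startswith(b"BZh"):
        return "bzip2"
    # tar has no leading magic; "ustar" sits at offset 257 of the header
    if len(data) > 262 and data[257:262] == b"ustar":
        return "tar"
    return "text"

def unwrap_once(data):
    """Peel one layer; return (layer type, inner bytes)."""
    kind = detect(data)
    if kind == "gzip":
        return kind, gzip.decompress(data)
    if kind == "bzip2":
        return kind, bz2.decompress(data)
    if kind == "tar":
        with tarfile.open(fileobj=io.BytesIO(data)) as tar:
            member = next(m for m in tar.getmembers() if m.isfile())
            return kind, tar.extractfile(member).read()
    return kind, data

def unwrap_all(data, max_layers=32):
    """Repeat until plain text; the depth cap keeps a hostile chain of
    layers from running this loop forever."""
    layers = []
    for _ in range(max_layers):
        kind, data = unwrap_once(data)
        if kind == "text":
            return layers, data
        layers.append(kind)
    raise ValueError("too many nested layers")

def tar_wrap(name, payload):
    """One-member tar in memory (only used to build the sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

# Constructed sample, innermost first: text -> gzip -> tar -> bzip2 -> gzip
SAMPLE = gzip.compress(bz2.compress(tar_wrap(
    "data5.bin", gzip.compress(b"The password is EXAMPLE-PLACEHOLDER\n"))))
```

Calling unwrap_all(SAMPLE) returns the list of layers it peeled, outermost first, together with the plain text at the bottom.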

level13 -> level14

We're told the password file is at /etc/bandit_pass/bandit14 and that only the bandit14 user can read it. After logging in to the server, ls shows a file called sshkey.private, so I used scp on my local machine to download it.

bandit13@melinda:~$ ls
sshkey.private

Note that the following command is run locally.

Chs-MacBook:~ chenchaohao$ scp bandit13@bandit.labs.overthewire.org:./sshkey.private ~/desktop

This is the OverTheWire game server. More information on http://www.overthewire.org/wargames

Please note that wargame usernames are no longer level, but wargamename
e.g. vortex4, semtex2, ...

Note: at this moment, blacksun is not available.

bandit13@bandit.labs.overthewire.org's password: 
sshkey.private                                                                 100% 1679     1.6KB/s   00:00    
Chs-MacBook:desktop chenchaohao$ chmod 0600 sshkey.private

If you don't change the permissions and log in with this file directly, you get

Permissions 0640 for ‘/Users/chenchaohao/desktop/sshkey.private’ are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.

and it fails. Once all the commands are done, we can use this file to log in to the next level!

Chs-MacBook:~ chenchaohao$ ssh bandit14@bandit.labs.overthewire.org -i ~/desktop/sshkey.private

level14 -> level15

According to the previous level's description, bandit14's password is in /etc/bandit_pass/bandit14. Get the password first, then send it with nc to localhost port 30000.

bandit14@melinda:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
bandit14@melinda:~$ echo '4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e' | nc localhost 30000
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr

level15 -> level16

The task is to send this level's password over SSL to localhost port 30001; the hint tells us to add the -quiet option.

bandit15@melinda:~$ echo 'BfMYroe26WYalil77FoDi9qh59eK5xNr'  | openssl s_client  -connect localhost:30001 -quiet
depth=0 CN = li190-250.members.linode.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = li190-250.members.linode.com
verify return:1
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd

level16 -> level17

Scan ports 31000-32000 with nmap using the -sV option (with it, if these ports are open, version detection is used to determine which application is running). Trying them shows port 31790 is the one we want. Getting back an RSA private key means success! Clever me. Copy the contents to the local machine, create a sshkey.private file, and use that file to log in to the next level.

bandit16@melinda:~$ nmap -p 31000-32000 localhost -sV
Starting Nmap 6.40 ( http://nmap.org ) at 2015-10-13 08:49 UTC
Stats: 0:00:26 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 40.00% done; ETC: 08:50 (0:00:39 remaining)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00082s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE VERSION
31046/tcp open  echo
31518/tcp open  msdtc   Microsoft Distributed Transaction Coordinator (error)
31691/tcp open  echo
31790/tcp open  msdtc   Microsoft Distributed Transaction Coordinator (error)
31960/tcp open  echo
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.46 seconds
bandit16@melinda:~$ echo 'cluFn7wTiGryunymYOu4RcffSxQluehd' | openssl s_client -connect localhost:31790 -quiet
depth=0 CN = li190-250.members.linode.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = li190-250.members.linode.com
verify return:1
Correct!
-----BEGIN RSA PRIVATE KEY-----
[private key contents omitted]
-----END RSA PRIVATE KEY-----

read:errno=0
bandit16@melinda:~$ exit
logout
Connection to bandit.labs.overthewire.org closed.
Chs-MacBook:~ chenchaohao$ ssh -l bandit17 bandit.labs.overthewire.org -i ~/desktop/sshkey.private

level17 -> level18

This level is very simple: just use diff to show the differences between the two files.

bandit17@melinda:~$ ls
passwords.new  passwords.old
bandit17@melinda:~$ diff passwords.new passwords.old
42c42
< kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
---
> BS8bqB1kqkinKJjuxL6k072Qq9NRwQpR

The first string is the password in passwords.new, which takes us to the next level.

level18 -> level19

Logging in to level 18's server gets you kicked out immediately, because some configuration file was modified. No problem: we can use scp to download the file containing the password straight to the local machine. On the local terminal:

Chs-MacBook:~ chenchaohao$ scp bandit18@bandit.labs.overthewire.org:~/readme ~/desktop

This is the OverTheWire game server. More information on http://www.overthewire.org/wargames

Please note that wargame usernames are no longer level, but wargamename
e.g. vortex4, semtex2, ...

Note: at this moment, blacksun is not available.

bandit18@bandit.labs.overthewire.org's password: 
readme                                        100%   33     0.0KB/s   00:00    
Chs-MacBook:~ chenchaohao$ cd ~/desktop
Chs-MacBook:desktop chenchaohao$ cat readme
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

Done~

level19 -> level20

In the home directory there's an executable. Trying it out, it looks like this executable lets us view bandit20's files with bandit20's user id (you can also read that from the challenge description). Worth reading up on SUID.

bandit19@melinda:~$ ls
bandit20-do
bandit19@melinda:~$ ./bandit20-do
Run a command as another user.
  Example: ./bandit20-do id
bandit19@melinda:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j

level20 -> level21

Open two terminals and log in to bandit20 in both. Use nc -l to listen on any suitable port, say 2015, then in the other login window use suconnect to connect to port 2015. In the first one, type GbKksEFF4yrVs6il55v6gwY5aVje5f0j; it gets sent to the second, which matches it and sends this level's password back to the first.

Terminal 1

bandit20@melinda:~$ nc -l 2015
GbKksEFF4yrVs6il55v6gwY5aVje5f0j

Terminal 2

bandit20@melinda:~$ ./suconnect 2015

Result

Terminal 1
bandit20@melinda:~$ nc -l 2015
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
Terminal 2
bandit20@melinda:~$ ./suconnect 2015
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password

Got the password.

level21 -> level22

The challenge says a program runs periodically in the background (see cron). Go into /etc/cron.d/, where there are many entries; pick cronjob_bandit22, since it's the one most relevant to this level.

bandit21@melinda:~$ cd /etc/cron.d
bandit21@melinda:/etc/cron.d$ ls
behemoth4_cleanup      leviathan5_cleanup     natas25_cleanup~  semtex0-ppc
cron-apt               manpage3_resetpw_job   natas26_cleanup   semtex5
cronjob_bandit22       melinda-stats          natas27_cleanup   sysstat
cronjob_bandit23       natas-session-toucher  php5              vortex0
cronjob_bandit24       natas-stats            semtex0-32        vortex20
cronjob_bandit24_root  natas25_cleanup        semtex0-64
bandit21@melinda:/etc/cron.d$ cat cronjob_bandit22
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null

cronjob_bandit22 invokes a script, cronjob_bandit22.sh, in /usr/bin. Let's see what that script does.

bandit21@melinda:/etc/cron.d$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

The script simply puts the contents of the bandit22 file, which holds the next level's password, into /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv. Since we can't read bandit22 itself, we can just read /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv instead.

bandit21@melinda:/etc/cron.d$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

Got the password.

level22 -> level23

Same as the previous level: cron is again used to run a program periodically in the background. Same recipe, so first go look in /etc/cron.d.

bandit22@melinda:~$ cd /etc/cron.d
bandit22@melinda:/etc/cron.d$ ls
behemoth4_cleanup      leviathan5_cleanup     natas25_cleanup~  semtex0-ppc
cron-apt               manpage3_resetpw_job   natas26_cleanup   semtex5
cronjob_bandit22       melinda-stats          natas27_cleanup   sysstat
cronjob_bandit23       natas-session-toucher  php5              vortex0
cronjob_bandit24       natas-stats            semtex0-32        vortex20
cronjob_bandit24_root  natas25_cleanup        semtex0-64
bandit22@melinda:/etc/cron.d$ cat cronjob_bandit23
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null

I chose to look at the contents of cronjob_bandit23.sh. Again it runs a script.

bandit22@melinda:/etc/cron.d$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget

The script first puts a name in the myname variable, then copies the file named by myname (the variable's value) to /tmp/$mytarget, where mytarget is the md5 of "I am user $myname". What we want is bandit23 (the pattern is that each level's password is in a file with the same name as the level). But whoami returns bandit22 (of course, in this level I am bandit22...).

bandit22@melinda:/etc/cron.d$ whoami
bandit22

How do we find out what mytarget would be if I were bandit23? You could write a script and run it. I couldn't be bothered, so I wrote it straight on the command line.

bandit22@melinda:/etc/cron.d$ myname=bandit23;mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1);echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
Copying passwordfile /etc/bandit_pass/bandit23 to /tmp/8ca319486bfbbc3663ea0fbe81326349

So mytarget is 8ca319486bfbbc3663ea0fbe81326349. Let's look at the contents of /tmp/8ca319486bfbbc3663ea0fbe81326349.

bandit22@melinda:/etc/cron.d$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n

level23 -> level24

The start is the same as before: see which script the background job calls and look at its contents. We see that the script executes every script in a folder in turn. So let's write our own script and put it in that folder.

bandit23@melinda:/tmp/ch$ cd /etc/cron.d
bandit23@melinda:/etc/cron.d$ ls
behemoth4_cleanup      leviathan5_cleanup     natas25_cleanup~  semtex0-ppc
cron-apt               manpage3_resetpw_job   natas26_cleanup   semtex5
cronjob_bandit22       melinda-stats          natas27_cleanup   sysstat
cronjob_bandit23       natas-session-toucher  php5              vortex0
cronjob_bandit24       natas-stats            semtex0-32        vortex20
cronjob_bandit24_root  natas25_cleanup        semtex0-64
bandit23@melinda:/etc/cron.d$ cat cronjob_bandit24 
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
bandit23@melinda:/etc/cron.d$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
    echo "Handling $i"
    timeout -s 9 60 "./$i"
    rm -f "./$i"
    fi
done

Now write the script

bandit23@melinda:~$ mkdir /tmp/ch
bandit23@melinda:~$ cd /tmp/ch
bandit23@melinda:/tmp/ch$ vim 1.sh  # written with vim
bandit23@melinda:/tmp/ch$ cat 1.sh  # script contents
#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/bandit24

Next put the script into that folder; /var/spool/bandit24/ is taken from the script.

bandit23@melinda:/tmp/ch$ chmod 777 1.sh
bandit23@melinda:/tmp/ch$ cp 1.sh /var/spool/bandit24/

Wait a moment; the background job runs the script, and then you can see a bandit24 folder under /tmp with the password inside.

bandit23@melinda:/tmp/ch$ cd /tmp/bandit24
bandit23@melinda:/tmp/bandit24$ ls
pass24  password
bandit23@melinda:/tmp/bandit24$ cat password
#!/bin/bash

cat /etc/bandit_pass/bandit24 > /tmp/bandit24/pass24
bandit23@melinda:/tmp/bandit24$ cat pass24
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

One thing I want to note: at first I wrote cat /etc/bandit_pass/bandit24 > /tmp/ch/bandit24 in the script but never got bandit24, and I don't know why.
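A defender's counterpart to the cron jobs in levels 21 to 23, added here and not part of the original walkthrough: it parses /etc/cron.d lines like the cronjob_bandit22/23/24 entries and flags jobs whose script could be modified by someone other than its owner. The file modes and the /tmp/scratch job are a constructed table, so nothing touches a real system; real_mode is the os.stat-based lookup to pass on a live host.

```python
"""Added example, not from the walkthrough: audit /etc/cron.d entries like
the cronjob_bandit22/23/24 lines. A job runs its script as the named user, so
a script (or its directory) writable by other users lets anyone run code as
that user. Modes come from a lookup callable so the demo runs offline."""
import os
import stat

def parse_cron_d_line(line):
    """(user, command) for one system-crontab line; None for comments,
    blank lines and VAR=value assignments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(None, 6)  # 5 schedule fields, user, command
    if len(fields) < 7 or "=" in fields[0]:
        return None
    return fields[5], fields[6]

def real_mode(path):
    """Permission bits of path on a live system, None if it does not exist."""
    try:
        return stat.S_IMODE(os.stat(path).st_mode)
    except FileNotFoundError:
        return None

def audit_cron_d(lines, mode_of=real_mode):
    """Return [(user, script, reason)] for risky jobs. Only the command's
    first word is checked; redirections like '&> /dev/null' are ignored."""
    findings = []
    for line in lines:
        parsed = parse_cron_d_line(line)
        if parsed is None:
            continue
        user, command = parsed
        script = command.split()[0]
        mode = mode_of(script)
        if mode is None:  # dangling path: whoever creates it runs as `user`
            findings.append((user, script, "script missing"))
        elif mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((user, script, "script writable by group/others"))
        else:
            pmode = mode_of(os.path.dirname(script) or "/")
            if pmode and pmode & stat.S_IWOTH and not pmode & stat.S_ISVTX:
                findings.append((user, script, "directory world-writable, no sticky bit"))
    return findings

# Constructed sample: the level's bandit22 job plus a hypothetical bad one.
SAMPLE_CRON = [
    "# m h dom mon dow user command",
    "* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null",
    "* * * * * bandit24 /tmp/scratch/job.sh &> /dev/null",
]
SAMPLE_MODES = {"/usr/bin/cronjob_bandit22.sh": 0o755, "/usr/bin": 0o755,
                "/tmp/scratch/job.sh": 0o777, "/tmp/scratch": 0o777}

def demo():
    return audit_cron_d(SAMPLE_CRON, mode_of=SAMPLE_MODES.get)
```

On a real host, feed it the lines of each file under /etc/cron.d and leave mode_of at its default.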

level24 -> level25

Brute force... It reminds me of high-school math, plugging values in one by one. I originally wrote a script that tries 0 through 9999 one at a time, as follows:

#!/bin/bash
# Try every pincode from 0 to 9999 against the checker on port 30002
for i in $(seq 0 9999)
do
   if
   echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i" | nc localhost 30002 | grep "Wrong" > /dev/null
   then 
        echo "wrong $i" >> wrong.txt   # log rejected pins (>> so the log is not overwritten)
   else
    echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i" | nc localhost 30002   # not "Wrong": show the full reply
   fi
done

It turned out to be far too slow. I looked at a walkthrough on WooYun, which suggested making it multithreaded:

#!/bin/bash
# Same loop, but each attempt runs in its own background subshell ({ ... }&)
pass=UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
for i in $(seq 0 9999)
do {
if
    echo $pass $i | nc localhost 30002 | grep Wrong > /dev/null
then
    echo $i    # rejected pin
else
    echo $pass $i | nc localhost 30002 > result   # save the accepted reply
    exit       # only ends this background subshell; the loop keeps spawning
fi
}&
done
wait   # block until every background attempt has finished

After running it, it still didn't work: result contained nothing correct, and "resource unavailable" errors kept appearing during the run.
So I wrote 10 scripts myself, each handling 1000 numbers. For example, 1.sh is as follows.

#!/bin/bash
# First chunk: pincodes 0 to 1000 (2.sh to 10.sh cover the other ranges)
for i in $(seq 0 1000)
do
   if
   echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i" | nc localhost 30002 | grep "Wrong" > /dev/null
   then 
        echo "wrong $i" >> wrong.txt   # log rejected pins
   else
    echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i" | nc localhost 30002   # not "Wrong": show the full reply
   fi
done

I wrote 1-10.sh like this, each file only changing the range of the for loop, then ran the scripts in the background one by one.

bandit24@melinda:/tmp/aq$ ./1.sh &
[1] 28151
bandit24@melinda:/tmp/aq$ ./2.sh &
[2] 28187
bandit24@melinda:/tmp/aq$ ./3.sh &
[3] 28276
bandit24@melinda:/tmp/aq$ ./4.sh &
[4] 28350
.......# 5-10.sh omitted below

After waiting patiently for a while, the result came out

bandit24@melinda:/tmp/aq$ I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
Correct!
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

Exiting.
5669
^C

In the end you have to rely on yourself.

level25 -> level26

In bandit25 we find bandit26.sshkey,

bandit25@melinda:~$ ls
bandit26.sshkey

Using the method from an earlier level, log in to bandit26 with this file, and we get kicked out as soon as we're in. Back in bandit25, following the challenge's hint, let's find out what shell bandit26 is given.

bandit25@melinda:~$ cat /etc/passwd | grep bandit26
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext

Let's see what showtext is.

bandit25@melinda:~$ cat /usr/bin/showtext
#!/bin/sh

more ~/text.txt
exit 0

So it just uses more to display a text file. Getting into bandit26 with the .sshkey file alone won't work. But while logging in with it we can enter vim and use :r to read in the contents of /etc/bandit_pass/bandit26; after all, several levels have been about reading that file.

Chs-MacBook:~ chenchaohao$ ssh bandit26@bandit.labs.overthewire.org -i ~/desktop/bandit26.sshkey

During login, press v to enter vim mode,
then type :r /etc/bandit_pass/bandit26. After pressing enter, text.txt gains the string
5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z. Got the password.
