Overthewire wargame-bandit
文章目录
- Bandit
- **Level 0->Level 1**
- **Level 1-> Level 2**
- **Level 2->Level 3**
- **Level 3-> Level 4**
- **Level 4->Level 5**
- **Level 6 -> level 7**
- Level 7-> Level 8
- Level 8 -> Level 9
- Level 9-> Level 10
- Level 10-> Level 11
- Level 11-> Level 12
- Level 12->Level 13
- Level 13->Level 14
- Level 14->Level 15
- Level 15->Level 16
- Level 16->Level 17
- Level 17 -> Level 18
- Level 18->Level 19
#Overthewire wargame
Bandit
Level 0->Level 1
ssh [email protected] -p 2220
cat readme
Level 1-> Level 2
cat ./-
password: CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
Level 2->Level 3
cat spaces\ in\ this\ filename
password: UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
Level 3-> Level 4
cat inhere/.hidden
password: pIwrPrtPN36QITSp3EQaw936yaFoFgAB
Level 4->Level 5
The password for the next level is stored in the only human-readable file in the inhere directory
find . -exec file {} \;|grep ASCII|cut -b -9|xargs cat
password: koReBOKuIDDepwhWk7jZC0RTdopnAYKh
Level 5->Level 6
The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:
- human-readable
- 1033 bytes in size
- not executable
find inhere/ -size 1033c -exec file {} \;|cut -d : -f 1|xargs cat
password: DXjZPULLxYr17uwoI01bNLQbtFemEgo7
Level 6 -> level 7
The password for the next level is stored somewhere on the server and has all of the following properties:
- owned by user bandit7
- owned by group bandit6
- 33 bytes in size
find / -user bandit7 -group bandit6 -size 33c
password; HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
Level 7-> Level 8
grep millionth data.txt
password: cvX2JJa4CFALtqS87jk27qwqGhBM9plV
Level 8 -> Level 9
The password for the next level is stored in the file data.txt and is the only line of text that occurs only once
cat data.txt |sort|uniq -c|grep '1 '
password: UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
Level 9-> Level 10
The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.
strings data.txt |grep ===
password: truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
Level 10-> Level 11
The password for the next level is stored in the file data.txt, which contains base64 encoded data
strings data.txt |base64 -d
password: IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR
Level 11-> Level 12
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions
cat data.txt |tr 'A-Za-z' 'N-ZA-Mn-za-m'
password:5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
Level 12->Level 13
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)
xxd -r data.txt > data
file data
mv data data.gz
gunzip data.gz
反复用file gunzip, tar xvf 或bunzip2
password: 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
Level 13->Level 14
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on
ssh bandit14@localhost -i private.key
password: 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Level 14->Level 15
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
telnet localhost 30000
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
password: BfMYroe26WYalil77FoDi9qh59eK5xNr
Level 15->Level 16
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
openssl s_client -ign_eof -connect localhost:30001
password: cluFn7wTiGryunymYOu4RcffSxQluehd
Level 16->Level 17
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
nmap localhost -p 31001-32001
openssl s_client -connect localhost:31xxx
or
echo aaa |nc localhost 31xxx and then openssl s_client -connect localhost:31xxx -quiet
private key: -----BEGIN RSA PRIVATE KEY----- MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama +TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT 8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM 77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3 vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY= -----END RSA PRIVATE KEY-----
save the private key to a file and chmod 400 abc.priv
Level 17 -> Level 18
There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new
diff passwords.old passwords.new
password: kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
Level 18->Level 19
The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
cmd: ssh [email protected] -p 2220 /bin/sh
password: IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x