Preface
This article is a study record of the Bandit wargame on the OverTheWire site.
Log in to the server over ssh to enter Level 0.
- ssh bandit0@bandit.labs.overthewire.org -p 2220
- username: bandit0
- password: bandit0
Level 0 -> Level 1
The hint says the password is stored in the readme file in the home directory.
- Retrieve the password and log in to the server to enter Level 1.
bandit0@bandit:~$ ls
bandit0@bandit:~$ cat readme
Level 1 -> Level 2
The hint says the password is stored in a file named -.
- Keyword: "dashed filename".
bandit1@bandit:~$ cat ./-
or
bandit1@bandit:~$ cat < -
Level 2 -> Level 3
The hint says the password is stored in a file named spaces in this filename.
- Keyword: "spaces in filename".
bandit2@bandit:~$ cat ./spaces\ in\ this\ filename
or
bandit2@bandit:~$ cat 'spaces in this filename'
Level 3 -> Level 4
The hint says the password is stored in a hidden file in the inhere directory.
bandit3@bandit:~$ ls
bandit3@bandit:~$ ls -al ./inhere/
bandit3@bandit:~$ cat ./inhere/.hidden
Level 4 -> Level 5
The hint says the password is stored in a human-readable file in the inhere directory.
bandit4@bandit:~$ ls -l ./inhere/
bandit4@bandit:~$ cat ./inhere/-file0*
bandit4@bandit:~$ cat ./inhere/-file07
Level 5 -> Level 6
The hint says the password is stored in the inhere directory, in a file with the following properties.
- human-readable
- 1033 bytes in size
- not executable
bandit5@bandit:~$ find . -type f -size 1033c
bandit5@bandit:~$ cat ./inhere/maybehere07/.file2
Level 6 -> Level 7
The hint says the password is stored somewhere on the server, in a file with the following properties.
- owned by user bandit7
- owned by group bandit6
- 33 bytes in size
bandit6@bandit:~$ find / -user bandit7 -group bandit6 -size 33c 2>/dev/null
bandit6@bandit:~$ cat /var/lib/dpkg/info/bandit7.password
Level 7 -> Level 8
The hint says the password is stored in data.txt, after the word millionth.
bandit7@bandit:~$ cat data.txt | grep millionth
Level 8 -> Level 9
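The hint says the password is stored in data.txt and is the only line that occurs exactly once.
- uniq compares each line only with the line next to it, so the input has to be sorted with sort first.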
bandit8@bandit:~$ sort data.txt | uniq -u
or
bandit8@bandit:~$ sort data.txt | uniq -c
Level 9 -> Level 10
The hint says the password is stored in data.txt, is human-readable, and is preceded by several = characters.
bandit9@bandit:~$ strings data.txt | grep ===
Level 10 -> Level 11
The hint says the password is stored in data.txt, which contains base64-encoded data.
bandit10@bandit:~$ base64 -d data.txt
Level 11 -> Level 12
The hint says the password is stored in data.txt, which has been ROT13-transformed.
bandit11@bandit:~$ cat data.txt | tr 'a-zA-Z' 'n-za-mN-ZA-M'
Level 12 -> Level 13
The hint says the password is stored in data.txt, which has been compressed repeatedly.
The hint says to create a directory under /tmp to work in.
bandit12@bandit:~$ mkdir /tmp/kangkang
bandit12@bandit:~$ cp data.txt /tmp/kangkang
bandit12@bandit:~$ cd /tmp/kangkang
bandit12@bandit:/tmp/kangkang$ file data.txt
data.txt: ASCII text
bandit12@bandit:/tmp/kangkang$ xxd -r data.txt data.bin
bandit12@bandit:/tmp/kangkang$ file data.bin
data.bin: gzip compressed data, was "data2.bin", last modified: Thu May 7 18:14:30 2020, max compression, from Unix
bandit12@bandit:/tmp/kangkang$ mv data.bin data.gz
bandit12@bandit:/tmp/kangkang$ gzip -d data.gz
bandit12@bandit:/tmp/kangkang$ file data
data: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/kangkang$ bzip2 -d data
bandit12@bandit:/tmp/kangkang$ ls
data.out data.txt
bandit12@bandit:/tmp/kangkang$ file data.out
data.out: gzip compressed data, was "data4.bin", last modified: Thu May 7 18:14:30 2020, max compression, from Unix
bandit12@bandit:/tmp/kangkang$ mv data.out data.gz
bandit12@bandit:/tmp/kangkang$ gzip -d data.gz
bandit12@bandit:/tmp/kangkang$ ls
data data.txt
bandit12@bandit:/tmp/kangkang$ file data
data: POSIX tar archive (GNU)
bandit12@bandit:/tmp/kangkang$ tar -xvf data
data5.bin
bandit12@bandit:/tmp/kangkang$ ls
data data5.bin data.txt
bandit12@bandit:/tmp/kangkang$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@bandit:/tmp/kangkang$ tar -xvf data5.bin
data6.bin
bandit12@bandit:/tmp/kangkang$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/kangkang$ bzip2 -d data6.bin
bzip2: Can't guess original name for data6.bin -- using data6.bin.out
bandit12@bandit:/tmp/kangkang$ ls
data data5.bin data6.bin.out data.txt
bandit12@bandit:/tmp/kangkang$ file data6.bin.out
data6.bin.out: POSIX tar archive (GNU)
bandit12@bandit:/tmp/kangkang$ tar -xvf data6.bin.out
data8.bin
bandit12@bandit:/tmp/kangkang$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", last modified: Thu May 7 18:14:30 2020, max compression, from Unix
bandit12@bandit:/tmp/kangkang$ mv data8.bin data8.gz
bandit12@bandit:/tmp/kangkang$ gzip -d data8.gz
bandit12@bandit:/tmp/kangkang$ ls
data data5.bin data6.bin.out data8 data.txt
bandit12@bandit:/tmp/kangkang$ file data8
data8: ASCII text
bandit12@bandit:/tmp/kangkang$ cat data8
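The same unwrapping written as a loop, as an added example that is not part of the original notes: it classifies each layer by its magic bytes (the information `file` reports above) and stops at the first layer that is not gzip, bzip2 or tar. It starts from the binary produced by `xxd -r`; the sample archive and the function names are constructed for the illustration.

```bash
#!/bin/bash
# Added example (not from the original post). Sample data is constructed.

# Classify file $1 by its magic bytes: gzip, bzip2, tar or data.
layer_type() {
    magic=$(od -An -tx1 -N3 "$1" | tr -d ' \n')
    # tar has no leading magic; "ustar" sits at offset 257 of the first header
    ustar=$(dd if="$1" bs=1 skip=257 count=5 2>/dev/null | tr -d '\0')
    case "$magic" in
        1f8b*)  echo gzip ;;
        425a68) echo bzip2 ;;
        *)      if [ "$ustar" = "ustar" ]; then echo tar; else echo data; fi ;;
    esac
}

# Peel layers off file $1 in a private work dir and print the final payload.
unwrap_layers() {
    work=$(mktemp -d) || return 1
    cp "$1" "$work/cur"
    depth=0
    while [ "$depth" -lt 32 ]; do        # bound the nesting depth
        case "$(layer_type "$work/cur")" in
            gzip)  gzip -dc "$work/cur" > "$work/next" ;;
            bzip2) bzip2 -dc "$work/cur" > "$work/next" ;;
            # -O streams the member to stdout, so archive member names are
            # never used as paths on disk (assumes single-member archives)
            tar)   tar -xOf "$work/cur" > "$work/next" ;;
            *)     cat "$work/cur"; rm -rf "$work"; return 0 ;;
        esac || { rm -rf "$work"; return 1; }
        mv "$work/next" "$work/cur"
        depth=$((depth + 1))
    done
    rm -rf "$work"
    return 1                             # still compressed after 32 layers
}

# Build a constructed sample: gzip(tar(bzip2-or-gzip(text))).
make_sample() {
    tmpd=$(mktemp -d) || return 1
    printf 'The password is CONSTRUCTED-EXAMPLE\n' > "$tmpd/data8"
    inner=gzip
    if command -v bzip2 >/dev/null 2>&1; then inner=bzip2; fi
    "$inner" -c "$tmpd/data8" > "$tmpd/data6.bin"
    tar -cf "$tmpd/data5.bin" -C "$tmpd" data6.bin
    gzip -c "$tmpd/data5.bin" > "$1"
    rm -rf "$tmpd"
}

sample=$(mktemp)
make_sample "$sample"
unwrap_layers "$sample"
rm -f "$sample"
```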
Level 13 -> Level 14
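The hint says the password is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. This level does not give you the next password, but you can log in to the next level with the ssh private key.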
bandit13@bandit:~$ ssh -i ./sshkey.private bandit14@localhost
Level 14 -> Level 15
The hint says the next level's password can be retrieved by submitting the current level's password to port 30000 on localhost.
- Either telnet or nc works.
bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
bandit14@bandit:~$ nc localhost 30000
Level 15 -> Level 16
The hint says the next level's password can be retrieved by submitting the current level's password to port 30001 on localhost over SSL encryption.
- Use openssl s_client.
bandit15@bandit:~$ openssl s_client -connect localhost:30001
Level 16 -> Level 17
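The hint says the credentials for the next level can be retrieved by submitting the current level's password to one of the ports in the range 31000-32000 on localhost. Only one of those ports is a service that speaks SSL and returns the credentials.
- Use nmap.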
bandit16@bandit:~$ nmap -p31000-32000 -sV localhost
Starting Nmap 7.40 ( https://nmap.org ) at 2021-04-30 07:07 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00025s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
31046/tcp open echo
31518/tcp open ssl/echo
31691/tcp open echo
31790/tcp open ssl/unknown
31960/tcp open echo
bandit16@bandit:~$ openssl s_client -connect localhost:31790
bandit16@bandit:~$ mkdir /tmp/mybandit16
bandit16@bandit:~$ cd /tmp/mybandit16
bandit16@bandit:/tmp/mybandit16$ vim sshkey.private
bandit16@bandit:/tmp/mybandit16$ chmod 600 sshkey.private
bandit16@bandit:/tmp/mybandit16$ ssh -i ./sshkey.private bandit17@localhost
Level 17 -> Level 18
The hint says the next level's password is the only line that was changed between passwords.old and passwords.new.
bandit17@bandit:~$ diff passwords.new passwords.old
Level 18 -> Level 19
The hint says the next level's password is stored in readme, but a normal ssh login is not possible.
- Use ssh -T.
bandit17@bandit:~$ ssh -T bandit18@localhost
ls
cat readme
Level 19 -> Level 20
The hint says to use the setuid binary to get the password.
bandit19@bandit:~$ ./bandit20-do
Run a command as another user.
Example: ./bandit20-do id
bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
Level 20 -> Level 21
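The hint says the program in the home directory connects to a service on the given port, reads one line of text and checks whether it is the level 20 password; if it is, it sends back the next level's password.
- Use nc -l to create a listener that sends the current level's password.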
bandit20@bandit:~$ echo 'GbKksEFF4yrVs6il55v6gwY5aVje5f0j' | nc -l localhost -p 1111
In another terminal session:
bandit20@bandit:~$ ./suconnect 1111
Level 21 -> Level 22
The hint says to look at the commands run by the scheduled jobs under /etc/cron.d/.
bandit21@bandit:~$ ls /etc/cron.d/
cronjob_bandit15_root cronjob_bandit22 cronjob_bandit24
cronjob_bandit17_root cronjob_bandit23 cronjob_bandit25_root
bandit21@bandit:~$ cat /etc/cron.d/cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
bandit21@bandit:~$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
bandit21@bandit:~$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Level 22 -> Level 23
The hint says to look at the commands run by the scheduled jobs under /etc/cron.d/ and to understand how they execute.
bandit22@bandit:~$ ls /etc/cron.d/
cronjob_bandit15_root cronjob_bandit22 cronjob_bandit24
cronjob_bandit17_root cronjob_bandit23 cronjob_bandit25_root
bandit22@bandit:~$ cat /etc/cron.d/cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
bandit22@bandit:~$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget
bandit22@bandit:~$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349
bandit22@bandit:~$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
Level 23 -> Level 24
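The hint says to look at the commands run by the scheduled jobs under /etc/cron.d/ and to understand how they execute.
- The hint notes that the scheduled job runs your own script once and then deletes it, so keep a copy.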
bandit23@bandit:~$ ls /etc/cron.d/
cronjob_bandit15_root cronjob_bandit22 cronjob_bandit24
cronjob_bandit17_root cronjob_bandit23 cronjob_bandit25_root
bandit23@bandit:~$ cat /etc/cron.d/cronjob_bandit24
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
bandit23@bandit:~$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash
myname=$(whoami)
cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
if [ "$i" != "." -a "$i" != ".." ];
then
echo "Handling $i"
owner="$(stat --format "%U" ./$i)"
if [ "${owner}" = "bandit23" ]; then
timeout -s 9 60 ./$i
fi
rm -f ./$i
fi
done
bandit23@bandit:~$ cd /var/spool/bandit24/
bandit23@bandit:/var/spool/bandit24$ vim getpass.sh
cat /etc/bandit_pass/bandit24 > /tmp/bandit24pass
bandit23@bandit:/var/spool/bandit24$ chmod 777 getpass.sh
bandit23@bandit:/var/spool/bandit24$ cat /tmp/bandit24pass
Level 24 -> Level 25
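The hint says a daemon is listening on port 30002; given the bandit24 password and a 4-digit pincode, it returns the bandit25 password. There is no way to retrieve the pincode other than going through all 10000 combinations, so it has to be brute-forced.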
bandit24@bandit:~$ cd /tmp/bandit25
bandit24@bandit:/tmp/bandit25$ cat data.py
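#!/usr/bin/env python
# Write every "password pincode" candidate line (0000-9999) to password.txt.
passwd = "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ"
with open('password.txt', 'w') as f:
    for pin in range(10000):
        # zfill pads the pincode to 4 digits, e.g. 7 -> 0007
        f.write(passwd + " " + str(pin).zfill(4) + '\n')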
bandit24@bandit:/tmp/bandit25$ python data.py
bandit24@bandit:/tmp/bandit25$ nc localhost 30002 < /tmp/bandit25/password.txt > /tmp/bandit25/result.txt
bandit24@bandit:/tmp/bandit25$ sort /tmp/bandit25/result.txt | uniq -u
Level 25 -> Level 26
The hint says the shell of bandit26 is not /bin/bash but something else. Find out what it is, how it works, and how to break out of it.
bandit25@bandit:~$ ls
bandit26.sshkey
bandit25@bandit:~$ ssh -i bandit26.sshkey bandit26@localhost
bandit25@bandit:~$ cat /etc/passwd | grep bandit26
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
bandit25@bandit:~$ cat /usr/bin/showtext
#!/bin/sh
export TERM=linux
more ~/text.txt
exit 0
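- The more command pauses when the output has more lines than the terminal and waits for you to page, so shrinking the terminal window makes it show the paging prompt.
- Then use the fact that pressing v inside more opens the vi editor; entering the command below in vi loads the password file into the editor.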
:e /etc/bandit_pass/bandit26
Level 26 -> Level 27
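The hint says to get a shell first and then get the password. The previous level already loaded the bandit26 password through the vi editor, but because the login shell is showtext a direct login is not possible, so a new shell has to be set from within vi.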
:set shell=/bin/bash
:sh
bandit26@bandit:~$ ls
bandit27-do text.txt
bandit26@bandit:~$ ./bandit27-do cat /etc/bandit_pass/bandit27
Level 27 -> Level 28
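The hint says there is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo. The password for user bandit27-git is the same as for user bandit27. Clone the repository and find the password for the next level.
- Create a temporary directory and clone the git repository into it.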
bandit27@bandit:~$ cd /tmp/
bandit27@bandit:/tmp$ mkdir bandit27
bandit27@bandit:/tmp$ cd ./bandit27
bandit27@bandit:/tmp/bandit27$ git clone ssh://bandit27-git@localhost/home/bandit27-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit27/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit27/.ssh/known_hosts).
This is a OverTheWire game server.
More information on http://www.overthewire.org/wargames
bandit27-git@localhost's password:
remote: Counting objects: 3, done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 3 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (3/3), done.
bandit27@bandit:/tmp/bandit27$ ls
repo
bandit27@bandit:/tmp/bandit27$ cd repo/
bandit27@bandit:/tmp/bandit27/repo$ ls
README
bandit27@bandit:/tmp/bandit27/repo$ cat README
Level 28 -> Level 29
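The hint says there is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo. The password for user bandit28-git is the same as for user bandit28. Clone the repository and find the password for the next level.
- The first steps are the same as in the previous level: clone the git repository.
- Use commands such as git log and git show to inspect the history and find the password.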
bandit28@bandit:~$ cd /tmp
bandit28@bandit:/tmp$ mkdir bandit28
bandit28@bandit:/tmp$ cd ./bandit28
bandit28@bandit:/tmp/bandit28$ git clone ssh://bandit28-git@localhost/home/bandit28-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit28/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit28/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit28-git@localhost's password:
remote: Counting objects: 9, done.
remote: Compressing objects: 100% (6/6), done.
Receiving objects: 100% (9/9), 796 bytes | 0 bytes/s, done.
remote: Total 9 (delta 2), reused 0 (delta 0)
Resolving deltas: 100% (2/2), done.
bandit28@bandit:/tmp/bandit28$ ls
repo
bandit28@bandit:/tmp/bandit28$ cd ./repo/
bandit28@bandit:/tmp/bandit28/repo$ ls
README.md
bandit28@bandit:/tmp/bandit28/repo$ cat README.md
# Bandit Notes
Some notes for level29 of bandit.
## credentials
- username: bandit29
- password: xxxxxxxxxx
bandit28@bandit:/tmp/bandit28/repo$ git log
commit edd935d60906b33f0619605abd1689808ccdd5ee
Author: Morla Porla <morla@overthewire.org>
Date: Thu May 7 20:14:49 2020 +0200
fix info leak
commit c086d11a00c0648d095d04c089786efef5e01264
Author: Morla Porla <morla@overthewire.org>
Date: Thu May 7 20:14:49 2020 +0200
add missing data
commit de2ebe2d5fd1598cd547f4d56247e053be3fdc38
Author: Ben Dover <noone@overthewire.org>
Date: Thu May 7 20:14:49 2020 +0200
initial commit of README.md
bandit28@bandit:/tmp/bandit28/repo$ git show c086d11a00c0648d095d04c089786efef5e0
Level 29 -> Level 30
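The hint says there is a git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo. The password for user bandit29-git is the same as for user bandit29. Clone the repository and find the password for the next level.
- The first steps are the same as in the previous level: clone the git repository.
- Use git branch -a to list the branches and git checkout to switch branch; the password is on one of the branches.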
bandit29@bandit:~$ cd /tmp
bandit29@bandit:/tmp$ mkdir bandit29
bandit29@bandit:/tmp$ cd ./bandit29
bandit29@bandit:/tmp/bandit29$ git clone ssh://bandit29-git@localhost/home/bandit29-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit29/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit29/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit29-git@localhost's password:
remote: Counting objects: 16, done.
remote: Compressing objects: 100% (11/11), done.
remote: Total 16 (delta 2), reused 0 (delta 0)
Receiving objects: 100% (16/16), done.
Resolving deltas: 100% (2/2), done.
bandit29@bandit:/tmp/bandit29$ ls
repo
bandit29@bandit:/tmp/bandit29$ cd ./repo
bandit29@bandit:/tmp/bandit29/repo$ ls
README.md
bandit29@bandit:/tmp/bandit29/repo$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.
## credentials
- username: bandit30
- password: <no passwords in production!>
bandit29@bandit:/tmp/bandit29/repo$ git branch -a
* master
remotes/origin/HEAD -> origin/master
remotes/origin/dev
remotes/origin/master
remotes/origin/sploits-dev
bandit29@bandit:/tmp/bandit29/repo$ git checkout dev
Branch dev set up to track remote branch dev from origin.
Switched to a new branch 'dev'
bandit29@bandit:/tmp/bandit29/repo$ ls
code README.md
bandit29@bandit:/tmp/bandit29/repo$ cat README.md
Level 30 -> Level 31
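The hint says there is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo. The password for user bandit30-git is the same as for user bandit30. Clone the repository and find the password for the next level.
- The first steps are the same as in the previous level: clone the git repository.
- git show-ref displays all refs available in the local repository together with their associated commit IDs.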
bandit30@bandit:~$ cd /tmp/
bandit30@bandit:/tmp$ mkdir bandit30
bandit30@bandit:/tmp$ cd ./bandit30
bandit30@bandit:/tmp/bandit30$ git clone ssh://bandit30-git@localhost/home/bandit30-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit30/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit30/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit30-git@localhost's password:
remote: Counting objects: 4, done.
remote: Total 4 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (4/4), 298 bytes | 0 bytes/s, done.
bandit30@bandit:/tmp/bandit30$ ls
repo
bandit30@bandit:/tmp/bandit30$ cd ./repo
bandit30@bandit:/tmp/bandit30/repo$ ls
README.md
bandit30@bandit:/tmp/bandit30/repo$ cat README.md
just an epmty file... muahaha
bandit30@bandit:/tmp/bandit30/repo$ git show-ref
3aefa229469b7ba1cc08203e5d8fa299354c496b refs/heads/master
3aefa229469b7ba1cc08203e5d8fa299354c496b refs/remotes/origin/HEAD
3aefa229469b7ba1cc08203e5d8fa299354c496b refs/remotes/origin/master
f17132340e8ee6c159e0a4a6bc6f80e1da3b1aea refs/tags/secret
bandit30@bandit:/tmp/bandit30/repo$ git show f17132340e8ee6c159e0a4a6bc6f80e1da3b1aea
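Levels 28 to 30 all rely on data that stays reachable in a repository after it has left the checked-out README: an earlier commit, another branch, and a tag. The added example below (not from the original notes; the repository contents and function names are constructed) rebuilds those three cases in a throwaway repo and audits every ref for them.

```bash
#!/bin/bash
# Added example (not from the original post). Repo contents are constructed.

# git wrapper: run inside $REPO with a throwaway identity
g() { git -C "$REPO" -c user.name=demo -c user.email=demo@example.invalid "$@"; }

make_repo() {    # $1 = empty directory
    REPO=$1
    git init -q "$REPO"
    # Level 28 pattern: secret committed, then "fixed" by a later commit
    printf '%s\n' '- password: CONSTRUCTED-SECRET-1' > "$REPO/README.md"
    g add README.md
    g commit -q -m 'add missing data'
    printf '%s\n' '- password: xxxxxxxxxx' > "$REPO/README.md"
    g commit -q -a -m 'fix info leak'
    # Level 29 pattern: secret only on a branch that is not checked out
    g checkout -q -b dev
    printf '%s\n' '- password: CONSTRUCTED-SECRET-2' > "$REPO/README.md"
    g commit -q -a -m 'add credentials for development'
    g checkout -q -
    # Level 30 pattern: a tag that points straight at a blob, not a commit
    blob=$(printf '%s\n' 'CONSTRUCTED-SECRET-3' | g hash-object -w --stdin)
    g tag secret "$blob"
}

# Every distinct "password:" line ever added on any branch or tag.
leaked_lines() {    # $1 = repo
    git -C "$1" log --all -p --format= |
        sed -n 's/^+\(.*password: .*\)$/\1/p' | sort -u
}

# Refs whose target is not a commit; git log never shows their content.
non_commit_refs() {    # $1 = repo
    git -C "$1" for-each-ref --format='%(objecttype) %(refname)' |
        grep -v '^commit '
}

# Print the content behind each ref that points directly at a blob.
dump_non_commit_refs() {    # $1 = repo
    non_commit_refs "$1" | while read -r type ref; do
        if [ "$type" = blob ]; then git -C "$1" cat-file -p "$ref"; fi
    done
}

demo=$(mktemp -d)
make_repo "$demo"
leaked_lines "$demo"
non_commit_refs "$demo"
dump_non_commit_refs "$demo"
rm -rf "$demo"
```

A commit like "fix info leak" only changes the tip of the branch; the earlier value stays in history, so a leaked credential has to be rotated.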
Level 31 -> Level 32
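The hint says there is a git repository at ssh://bandit31-git@localhost/home/bandit31-git/repo. The password for user bandit31-git is the same as for user bandit31. Clone the repository and find the password for the next level.
- The first steps are the same as in the previous level: clone the git repository.
- The README.md file explains how to get the password.
- Submit the file to the remote repository with git add, git commit and git push origin master.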
bandit31@bandit:~$ cd /tmp/
bandit31@bandit:/tmp$ mkdir bandit31
bandit31@bandit:/tmp$ cd ./bandit31
bandit31@bandit:/tmp/bandit31$ git clone ssh://bandit31-git@localhost/home/bandit31-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit31/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit31/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit31-git@localhost's password:
remote: Counting objects: 4, done.
remote: Compressing objects: 100% (3/3), done.
Receiving objects: 100% (4/4), done.
remote: Total 4 (delta 0), reused 0 (delta 0)
bandit31@bandit:/tmp/bandit31$ ls
repo
bandit31@bandit:/tmp/bandit31$ cd ./repo/
bandit31@bandit:/tmp/bandit31/repo$ ls
README.md
bandit31@bandit:/tmp/bandit31/repo$ cat README.md
This time your task is to push a file to the remote repository.
Details:
File name: key.txt
Content: 'May I come in?'
Branch: master
bandit31@bandit:/tmp/bandit31/repo$ echo 'May I come in?' > key.txt
bandit31@bandit:/tmp/bandit31/repo$ ls
key.txt README.md
bandit31@bandit:/tmp/bandit31/repo$ git add -f key.txt
bandit31@bandit:/tmp/conn31/repo$ git commit -m 'add key.txt'
bandit31@bandit:/tmp/bandit31/repo$ git push origin master
Level 32 -> Level 33
This level has no obvious hint.
- Entering $0 starts a shell; run bash from it to get a shell as bandit33.
/usr/bin/xauth: timeout in locking authority file /home/bandit32/.Xauthority
WELCOME TO THE UPPERCASE SHELL
>> $0
$ ls
uppershell
$ bash
bandit33@bandit:~$ whoami
bandit33
bandit33@bandit:~$ cat /etc/bandit_pass/bandit33
c9c3199ddf4121b10cf581a98d51caee
Summary
- Get familiar with the usage of some Linux commands and tools.
- Learn to look up how to use a command through a search engine.