Bandit solutions (0-10)
This is a game that teaches Linux commands.
Bandit Level 0
Level Goal
The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.
This level covers:
- What is ssh?
- How to use the ssh command to connect to a remote host
First, connect to the remote host over ssh:
ssh bandit0@bandit.labs.overthewire.org -p 2220
Once the connection succeeds, move on to the next level.
Bandit Level 0 → Level 1
Level Goal
The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.
This level is about how to read a file, and it is very simple.
bandit0@bandit:~$ ls
readme
bandit0@bandit:~$ cat readme
boJ9jbbUNNfktd78OOpsqOltutMc3MY1
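However, because this password looks so much like something encrypted, I tried base64 and cmd5 on it after getting it, without success. In fact, it is simply the password for the next level 😂
Use this password to enter the next level.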
Bandit Level 1 → Level 2
Level Goal
The password for the next level is stored in a file called - located in the home directory
bandit1@bandit:~$ ls
-
bandit1@bandit:~$ cd -
-bash: cd: OLDPWD not set
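It won't open? 😱 Why is that? Strange.
cd - switches to the previous working directory; that is, the "-" argument stands for the directory you were in before the last cd.
In other words, cd - is equivalent to cd "$OLDPWD", and since no cd has been run yet in this session, OLDPWD is not set.
Besides, - here is not a directory at all; it is a file.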
bandit1@bandit:~$ cat<-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9y
bandit1@bandit:~$ cat ./-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
OK, on to the next level 😋
Bandit Level 2 → Level 3
Level Goal
The password for the next level is stored in a file called spaces in this filename located in the home directory
bandit2@bandit:~$ ls
spaces in this filename
bandit2@bandit:~$ cat spaces in this filename
cat: spaces: No such file or directory
cat: in: No such file or directory
cat: this: No such file or directory
cat: filename: No such file or directory
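As expected, bare spaces do not work: the shell splits the name into separate arguments. So what can be done?
There are two ways to solve this:
- escape each space with \
- wrap the name in double quotes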
bandit2@bandit:~$ cat spaces\ in\ this\ filename
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
bandit2@bandit:~$ cat "spaces in this filename"
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
Bandit Level 3 → Level 4
Level Goal
The password for the next level is stored in a hidden file in the inhere directory.
The key to this level is how to display hidden files.
bandit3@bandit:~$ ls -a
. .. .bash_logout .bashrc inhere .profile
bandit3@bandit:~$ cd inhere
bandit3@bandit:~/inhere$ ls
bandit3@bandit:~/inhere$ ls -a
. .. .hidden
bandit3@bandit:~/inhere$ ls -al
total 12
drwxr-xr-x 2 root root 4096 May 7 2020 .
drwxr-xr-x 3 root root 4096 May 7 2020 ..
-rw-r----- 1 bandit4 bandit3 33 May 7 2020 .hidden
bandit3@bandit:~/inhere$ cat .hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB
bandit3@bandit:~/inhere$ cat<.hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB
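I looked up the difference between the two forms:
cat filename
The cat program itself opens filename, reads it, and then closes it.
cat < filename
Here it is the shell that opens filename and redirects its contents to the standard input of the cat program.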
Bandit Level 4 → Level 5
The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.
This level needs the file command.
file command in Linux with examples
bandit4@bandit:~$ ls
inhere
bandit4@bandit:~$ cd inhere
bandit4@bandit:~/inhere$ ls
-file00 -file02 -file04 -file06 -file08
-file01 -file03 -file05 -file07 -file09
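Trying the files one by one would certainly work, but given the human-readable hint there is no need for such brute force.
Annoyingly 🤬 the filenames have been tampered with 👹: file * expands to file -file00 -file01 ..., so the leading -f is interpreted as an option (file's -f option reads a list of names from the file named after it, here ile00).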
bandit4@bandit:~/inhere$ file *
file: Cannot open `ile00' (No such file or directory).
file: Cannot open `ile01' (No such file or directory).
file: Cannot open `ile02' (No such file or directory).
file: Cannot open `ile03' (No such file or directory).
file: Cannot open `ile04' (No such file or directory).
file: Cannot open `ile05' (No such file or directory).
file: Cannot open `ile06' (No such file or directory).
file: Cannot open `ile07' (No such file or directory).
file: Cannot open `ile08' (No such file or directory).
file: Cannot open `ile09' (No such file or directory).
So use ./* instead; this shows that ./-file07 is the human-readable one.
bandit4@bandit:~/inhere$ file ./*
./-file00: data
./-file01: data
./-file02: data
./-file03: data
./-file04: data
./-file05: data
./-file06: data
./-file07: ASCII text
./-file08: data
./-file09: data
Read it directly to get the password; here are two ways to read it:
bandit4@bandit:~/inhere$ cat "./-file07"
koReBOKuIDDepwhWk7jZC0RTdopnAYKh
bandit4@bandit:~/inhere$ cat ./-file07
koReBOKuIDDepwhWk7jZC0RTdopnAYKh
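The filename pitfalls from Levels 1 to 4 in one runnable script (an added example, not part of the original walkthrough): it builds a constructed scratch directory and reads the dash-leading and space-containing names safely. The function names, the sample contents and the tr-based text check standing in for file are assumptions of this example.

```shell
#!/bin/sh
# Added example (constructed data): awkward filenames from Levels 1-4.

make_fixture() {
    # Build a scratch directory and print its path.
    d=$(mktemp -d) || return 1
    printf 'dash-secret\n'  > "$d/-"
    printf 'space-secret\n' > "$d/spaces in this filename"
    printf '\001\002\377\n' > "$d/-file00"   # binary junk
    printf 'text-secret\n'  > "$d/-file07"   # the only text file
    printf '\200\201\n'     > "$d/-file09"   # binary junk
    printf '%s\n' "$d"
}

read_dash() {
    # A file literally named "-": "cat -" and even "cat -- -" read stdin,
    # so give cat a path (./-) or let the shell open the file (< -).
    ( cd "$1" && cat ./- && cat < - )
}

read_spaces() {
    # Quotes keep the name as one argument; backslashes do the same.
    ( cd "$1" && cat "spaces in this filename" && cat spaces\ in\ this\ filename )
}

is_text() {
    # Stand-in for file(1): text means no bytes outside printable/whitespace.
    # The shell opens "$1" for tr, so a leading dash is never parsed as an option.
    n=$(LC_ALL=C tr -d '[:print:][:space:]' < "$1" | wc -c)
    [ "$((n))" -eq 0 ]
}

find_text() {
    # ./-file* expands to ./-file00 ..., which no tool mistakes for options.
    ( cd "$1" && for f in ./-file*; do
          if is_text "$f"; then printf '%s\n' "$f"; fi
      done )
}

read_with_marker() {
    # "--" ends option parsing, so -file07 is taken as a filename.
    ( cd "$1" && cat -- -file07 )
}

dir=$(make_fixture)
read_dash "$dir"; read_spaces "$dir"
find_text "$dir"; read_with_marker "$dir"
rm -rf "$dir"
```

The same habits (./ prefix or -- before any name that comes from a glob) keep a script from treating attacker-chosen filenames as options.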
Bandit Level 5 → Level 6
Level Goal
The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:
- human-readable
- 1033 bytes in size
- not executable
This level teaches a bit more about the find command. First, log in to level 5.
bandit5@bandit:~$ ls
inhere
bandit5@bandit:~$ cd inhere && ls
maybehere00 maybehere03 maybehere06 maybehere09 maybehere12 maybehere15 maybehere18
maybehere01 maybehere04 maybehere07 maybehere10 maybehere13 maybehere16 maybehere19
maybehere02 maybehere05 maybehere08 maybehere11 maybehere14 maybehere17
bandit5@bandit:~/inhere$ file *
maybehere00: directory
maybehere01: directory
maybehere02: directory
maybehere03: directory
maybehere04: directory
maybehere05: directory
maybehere06: directory
maybehere07: directory
maybehere08: directory
maybehere09: directory
maybehere10: directory
maybehere11: directory
maybehere12: directory
maybehere13: directory
maybehere14: directory
maybehere15: directory
maybehere16: directory
maybehere17: directory
maybehere18: directory
maybehere19: directory
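Yare yare 😥 with this many directories, checking them one by one is out of the question. No need to worry, though: the level gives three conditions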
- human-readable
- 1033 bytes in size
- not executable
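So how do we search using these three conditions?
The find options corresponding to the three conditions:
- -readable
- -size
- -executable
(Note that -readable tests whether the current user has read permission, not whether the content is text.)
But the third condition is "not executable", so how is that expressed?
A bit of research shows that to negate a test you only need to put \! in front of it, and that's 🆗 😁
The find manual contains the following passage; the only difference is that there the negation is placed in front of -readable: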
find /sbin /usr/sbin -executable \! -readable -print
Search for files which are executable but not readable.
Since we are already inside the inhere directory, * can be used directly as the starting point, and the answer is in hand.
bandit5@bandit:~/inhere$ find * -size 1033c -readable \! -executable
maybehere07/.file2
bandit5@bandit:~/inhere$ cat maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7
Bandit Level 6 → Level 7
Level Goal
The password for the next level is stored somewhere on the server and has all of the following properties:
- owned by user bandit7
- owned by group bandit6
- 33 bytes in size
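The hints require knowing about user and group.
This level introduces the concepts of a file's owning user and owning group.
Simply put, a file's user is its owner, by default the account that created it; to manage permissions uniformly, a set of users who share the same permissions on the file is put into a group.
See below for details.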
┌──────────────┬───────────────────────────────┐
│ Option       │ Explanation                   │
├──────────────┼───────────────────────────────┤
│ /            │ Root Directory                │
├──────────────┼───────────────────────────────┤
│ -user uname  │ File is owned by user uname   │
│              │ (numeric user ID allowed)     │
├──────────────┼───────────────────────────────┤
│ -group gname │ File belongs to group gname   │
│              │ (numeric group ID allowed)    │
└──────────────┴───────────────────────────────┘
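After logging in to the server, the home directory turns out to be empty; checking the path shows that we need to go to the root directory.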
bandit6@bandit:~$ pwd
/home/bandit6
bandit6@bandit:~$ ls -l
total 0
bandit6@bandit:~$ cd ../ && pwd
/home
bandit6@bandit:/home$ ls -a -l
total 164
drwxr-xr-x 41 root root 4096 May 7 2020 .
drwxr-xr-x 26 root root 4096 May 13 2020 ..
drwxr-xr-x 2 root root 4096 May 7 2020 bandit0
drwxr-xr-x 2 root root 4096 May 7 2020 bandit1
drwxr-xr-x 2 root root 4096 May 7 2020 bandit10
drwxr-xr-x 2 root root 4096 May 7 2020 bandit11
drwxr-xr-x 2 root root 4096 May 7 2020 bandit12
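... (too long to list in full)
Given what we have learned so far, this level is not hard at all, but many files on the server are not accessible to us, so the output contains a long run of Permission denied messages.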
bandit6@bandit:/home$ find / -user bandit7 -group bandit6 -size 33c
find: ‘/root’: Permission denied
find: ‘/home/bandit28-git’: Permission denied
find: ‘/home/bandit30-git’: Permission denied
find: ‘/home/bandit5/inhere’: Permission denied
find: ‘/home/bandit27-git’: Permission denied
find: ‘/home/bandit29-git’: Permission denied
find: ‘/home/bandit31-git’: Permission denied
find: ‘/lost+found’: Permission denied
find: ‘/etc/ssl/private’: Permission denied
find: ‘/etc/polkit-1/localauthority’: Permission denied
find: ‘/etc/lvm/archive’: Permission denied
find: ‘/etc/lvm/backup’: Permission denied
find: ‘/sys/fs/pstore’: Permission denied
find: ‘/proc/tty/driver’: Permission denied
find: ‘/proc/25944/task/25944/fd/6’: No such file or directory
find: ‘/proc/25944/task/25944/fdinfo/6’: No such file or directory
find: ‘/proc/25944/fd/5’: No such file or directory
find: ‘/proc/25944/fdinfo/5’: No such file or directory
find: ‘/cgroup2/csessions’: Permission denied
find: ‘/boot/lost+found’: Permission denied
find: ‘/tmp’: Permission denied
find: ‘/run/lvm’: Permission denied
find: ‘/run/screen/S-bandit12’: Permission denied
find: ‘/run/screen/S-bandit11’: Permission denied
find: ‘/run/screen/S-bandit10’: Permission denied
find: ‘/run/screen/S-bandit3’: Permission denied
find: ‘/run/screen/S-bandit29’: Permission denied
find: ‘/run/screen/S-bandit15’: Permission denied
find: ‘/run/screen/S-bandit8’: Permission denied
find: ‘/run/screen/S-bandit13’: Permission denied
find: ‘/run/screen/S-bandit19’: Permission denied
find: ‘/run/screen/S-bandit9’: Permission denied
find: ‘/run/screen/S-bandit27’: Permission denied
find: ‘/run/screen/S-bandit2’: Permission denied
find: ‘/run/screen/S-bandit14’: Permission denied
find: ‘/run/screen/S-bandit16’: Permission denied
find: ‘/run/screen/S-bandit22’: Permission denied
find: ‘/run/screen/S-bandit4’: Permission denied
find: ‘/run/screen/S-bandit31’: Permission denied
find: ‘/run/screen/S-bandit24’: Permission denied
find: ‘/run/screen/S-bandit21’: Permission denied
find: ‘/run/screen/S-bandit25’: Permission denied
find: ‘/run/screen/S-bandit23’: Permission denied
find: ‘/run/screen/S-bandit20’: Permission denied
find: ‘/run/shm’: Permission denied
find: ‘/run/lock/lvm’: Permission denied
find: ‘/var/spool/bandit24’: Permission denied
find: ‘/var/spool/cron/crontabs’: Permission denied
find: ‘/var/spool/rsyslog’: Permission denied
find: ‘/var/tmp’: Permission denied
find: ‘/var/lib/apt/lists/partial’: Permission denied
find: ‘/var/lib/polkit-1’: Permission denied
/var/lib/dpkg/info/bandit7.password
find: ‘/var/log’: Permission denied
find: ‘/var/cache/apt/archives/partial’: Permission denied
find: ‘/var/cache/ldconfig’: Permission denied
These error messages are clearly useless, so we can discard them:
bandit6@bandit:/home$ find / -user bandit7 -group bandit6 -size 33c 2>/dev/null
/var/lib/dpkg/info/bandit7.password
bandit6@bandit:/home$ cat /var/lib/dpkg/info/bandit7.password
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
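What does 2>/dev/null mean? (tip: the link requires getting past the firewall 😋) In short, 2> redirects file descriptor 2 (standard error), and /dev/null discards everything written to it.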
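The find tests from Levels 5 and 6 run against a constructed tree (an added example, not part of the original walkthrough; GNU find is assumed, as on the Bandit server). It also shows a limit of the find * form used above: the glob skips hidden top-level names, which find . does not. Function names and file layout are assumptions of this example.

```shell
#!/bin/sh
# Added example (constructed tree): the find tests from Levels 5 and 6.

make_tree() {
    # Build a scratch tree and print its path.
    d=$(mktemp -d) || return 1
    mkdir "$d/maybehere00" "$d/maybehere01"
    printf '%1033s' x > "$d/maybehere00/.file1"   # right size, executable
    chmod 755 "$d/maybehere00/.file1"
    printf '%1033s' x > "$d/maybehere01/.file2"   # right size, not executable
    printf '%1032s' x > "$d/maybehere01/.file3"   # one byte short
    printf '%1033s' x > "$d/.top"                 # hidden, at the top level
    printf '%s\n' "$d"
}

search_star() {
    # The page's form: "*" skips hidden top-level names such as .top, and a
    # name starting with "-" would be parsed by find as part of its expression.
    ( cd "$1" && find * -type f -size 1033c -readable \! -executable | LC_ALL=C sort )
}

search_dot() {
    # Starting from "." has neither problem; -type f excludes directories.
    ( cd "$1" && find . -type f -size 1033c -readable \! -executable | LC_ALL=C sort )
}

search_owner() {
    # Level 6 style: owner and group tests (numeric IDs, here our own),
    # with find's error messages on stderr discarded.
    find "$1" -type f -user "$(id -u)" -group "$(id -g)" -size 1032c 2>/dev/null
}

tree=$(make_tree)
search_star "$tree"
search_dot "$tree"
search_owner "$tree"
rm -rf "$tree"
```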
Bandit Level 7 → Level 8
Level Goal
The password for the next level is stored in the file data.txt next to the word millionth
This level is a simple introduction to grep.
grep searchword filename
grep prints every line that matches.
With the information in the level goal, this is very simple.
bandit7@bandit:~$ ls -a -l
total 4108
drwxr-xr-x 2 root root 4096 May 7 2020 .
drwxr-xr-x 41 root root 4096 May 7 2020 ..
-rw-r--r-- 1 root root 220 May 15 2017 .bash_logout
-rw-r--r-- 1 root root 3526 May 15 2017 .bashrc
-rw-r----- 1 bandit8 bandit7 4184396 May 7 2020 data.txt
-rw-r--r-- 1 root root 675 May 15 2017 .profile
bandit7@bandit:~$ grep millionth data.txt
millionth cvX2JJa4CFALtqS87jk27qwqGhBM9plV
Password obtained, next level 😋
Bandit Level 8 → Level 9
Level Goal
The password for the next level is stored in the file data.txt and is the only line of text that occurs only once
According to the level goal, the password appears only once in data.txt. Let's look at data.txt first.
bandit8@bandit:~$ ls -l
total 36
-rw-r----- 1 bandit9 bandit8 33033 May 7 2020 data.txt
bandit8@bandit:~$ head -15 data.txt
VkBAEWyIibVkeURZV5mowiGg6i3m7Be0
zdd2ctVveROGeiS2WE3TeLZMeL5jL7iM
sYSokIATVvFUKU4sAHTtMarfjlZWWj5i
ySvsTwlMgnUF0n86Fgmn2TNjkSOlrV72
NLWvtQvL7EaqBNx2x4eznRlQONULlCYZ
LfrBHfAh0pP9bgGAZP4QrVkut3pysAYC
U0NYdD3wHZKpfEg9qGQOLJimAJy6qxhS
flyKxCbHB8uLTaIB5LXqQNuJj3yj00eh
TThRArdF2ZEXMO47TIYkyPPLtvzzLcDf
cIPbot7oYveUPNxDMhv1hiri50CqpkTG
kJTBMD8k9OHyXwZ2aJMQkV23u0gyuoIO
J6Lzp6ZqTJsOuJRTXcvhwKfM0KK3Xtbl
NLWvtQvL7EaqBNx2x4eznRlQONULlCYZ
0N65ZPpNGkUJePzFxctCRZRXVrCbUGfm
SHMAMUEzQe4mV7SJpETTZFsyNRJsZE2k
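The output shows that the true password is hidden among a pile of fake passwords and occurs exactly once; in other words, the fake passwords repeat. If we remove every line that is repeated, what remains at the end is the true password.
So how do we remove the repeated lines?
uniq Command in LINUX with examples (tip: requires a proxy 🌏)
uniq can remove repeated lines from text, but it only recognises repeats that are adjacent to each other; on its own it does not find duplicates scattered through the file.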
Note: uniq isn’t able to detect the duplicate lines unless they are adjacent to each other. The content in the file must be therefore sorted before using uniq or you can simply use sort -u instead of uniq command.
So data.txt first has to be sorted with sort, and then uniq's -u option does the rest.
-u – -unique : It allows you to print only unique lines.
With that understood, let's grab the password 😋
bandit8@bandit:~$ sort data.txt | uniq -u
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
This uses a little knowledge of pipes. If you are not sure what pipes and redirection are, have a look at 👉 Piping and Redirection, an excellent and easy-to-follow blog post 🎉🎉🎉
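Why Level 8 needs sort before uniq -u, shown on constructed data (an added example, not part of the original walkthrough). It also shows that sort -u answers a different question: it keeps one copy of every distinct line, so it does not isolate the line that occurs only once. The awk variant goes beyond the page and is an assumption of this example.

```shell
#!/bin/sh
# Added example (constructed data): sort, uniq -u and sort -u compared.

sample() {
    # Five lines; "only-once" is the single line that never repeats.
    printf '%s\n' fakeA fakeB only-once fakeA fakeB
}

uniq_alone() {
    # No duplicates are adjacent, so uniq -u wrongly reports every line.
    sample | uniq -u
}

sort_dash_u() {
    # sort -u keeps one copy of each distinct line: the fakes are still there.
    sample | LC_ALL=C sort -u
}

only_once() {
    # Sorting makes duplicates adjacent; uniq -u then drops every repeated line.
    sample | LC_ALL=C sort | uniq -u
}

only_once_awk() {
    # Order-preserving alternative without sort: count lines, then replay them.
    sample | awk '{ n[$0]++; line[NR] = $0 }
                  END { for (i = 1; i <= NR; i++) if (n[line[i]] == 1) print line[i] }'
}

counts() {
    # uniq -c shows how often each line occurs, handy for checking the result.
    sample | LC_ALL=C sort | uniq -c | awk '{ print $1 ":" $2 }'
}

only_once
counts
```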
Bandit Level 9 → Level 10
Level Goal
The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.
According to the level goal, this time data.txt is not a readable file. Let's see what is going on.
bandit9@bandit:~$ file data.txt
data.txt: data
bandit9@bandit:~$ head -1 data.txt
�L�lω;��ßOܛ��ǤX��NdT��B��M֢�Z/,_��w��#�5���
Ў�e�&�-��Ϣ�6Q8��J�%fa�
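file reports data.txt as data, i.e. a binary file, so it is not directly readable. However, strings can extract the printable strings from a binary file. Linux strings command (tip: requires a proxy 🌏)
And of course grep can be used here to narrow things down a little: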
bandit9@bandit:~$ strings data.txt | grep -E '=+'
========== the*2i"4
=:G e
========== password
<I=zsGi
Z)========== is
A=|t&E
Zdb=
c^ LAh=3G
*SF=s
&========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
S=A.H&^
An earlier level introduced grep briefly; here it is covered in more detail 👉 grep command in Unix/Linux
The -E option treats the pattern that follows as an extended regular expression.
grep [options] pattern [files]
Options Description
-c : Prints only a count of the lines that match the pattern.
-h : Displays the matched lines, but not the filenames.
-i : Ignores case when matching.
-l : Displays only the names of files with matches.
-n : Displays the matched lines and their line numbers.
-v : Prints all the lines that do not match the pattern.
-e exp : Specifies a pattern with this option. Can be used multiple times.
-f file : Takes patterns from file, one per line.
-E : Treats pattern as an extended regular expression (ERE).
-w : Matches whole words only.
-o : Prints only the matched parts of a matching line, with each such part on a separate output line.
-A n : Prints the matched line and n lines after it.
-B n : Prints the matched line and n lines before it.
-C n : Prints the matched line and n lines before and after it.
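The Level 9 pipeline on a constructed binary blob (an added example, not part of the original walkthrough): '=+' matches any string containing a single '=', which is why the output above is noisy, while requiring a run of '=' and using -o isolates the token. The blob, the placeholder token, the function names and the tr fallback used when strings is not installed are assumptions of this example.

```shell
#!/bin/sh
# Added example (constructed blob): tightening the Level 9 grep pattern.

make_blob() {
    # Printable runs separated by non-printable bytes, like data.txt.
    # The token is a 32-character placeholder, not a real password.
    f=$(mktemp) || return 1
    printf '\001\002=:G e\377\003&========== ' > "$f"
    printf 'EXAMPLEtoken0123EXAMPLEtoken0123\004\005' >> "$f"
    printf 'A=|t&E\001\002========== is\377\200S=A.H\001' >> "$f"
    printf '%s\n' "$f"
}

runs() {
    # strings when installed; otherwise a tr stand-in with the same 4-char minimum.
    if command -v strings >/dev/null 2>&1; then strings "$1"
    else LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}'; fi
}

loose() {
    # The page's pattern: one '=' anywhere is enough, so noise gets through.
    runs "$1" | grep -E '=+'
}

tight() {
    # "Several '='": require a run of at least five. No ^ anchor, because
    # junk bytes may precede the run (as in "&==========" above).
    runs "$1" | grep -E '={5,}'
}

token() {
    # -o prints only the matched part; awk keeps the 32-character token.
    runs "$1" | grep -oE '={5,} [[:alnum:]]{32}' | awk '{ print $2 }'
}

blob=$(make_blob)
loose "$blob"
tight "$blob"
token "$blob"
rm -f "$blob"
```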