OverTheWire Bandit game (0-10)

Bandit solutions (0-10)

This is a game that teaches Linux commands.

Bandit Level 0

Level Goal

The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.

This level covers:

  • What SSH is
  • How to use the ssh command to connect to a remote host

First, connect to the remote host over SSH:

ssh bandit0@bandit.labs.overthewire.org -p 2220

Once connected, move on to the next level.

Bandit Level 0 → Level 1

Level Goal

The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.

This level is about reading a file, which is very simple.

bandit0@bandit:~$ ls
readme
bandit0@bandit:~$ cat readme
boJ9jbbUNNfktd78OOpsqOltutMc3MY1

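However, because this password looked so much like something encrypted, I tried base64 and cmd5 on it after getting it, and neither worked. It is in fact simply the password for the next level 😂

Use this password to enter the next level.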

Bandit Level 1 → Level 2

Level Goal

The password for the next level is stored in a file called - located in the home directory

bandit1@bandit:~$ ls
-
bandit1@bandit:~$ cd -
-bash: cd: OLDPWD not set

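It won't open? 😱 Why is that? How strange.

cd - switches back to the directory you were in before the most recent cd; the "-" argument stands in for that previous directory.

Likewise, cd - is equivalent to cd "$OLDPWD".

Besides, - is not a directory here.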

bandit1@bandit:~$ cat<-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
bandit1@bandit:~$ cat ./-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

OK, on to the next level 😋

Bandit Level 2 → Level 3

Level Goal

The password for the next level is stored in a file called spaces in this filename located in the home directory

bandit2@bandit:~$ ls
spaces in this filename
bandit2@bandit:~$ cat spaces in this filename
cat: spaces: No such file or directory
cat: in: No such file or directory
cat: this: No such file or directory
cat: filename: No such file or directory

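As expected, unescaped spaces do not work: the shell splits the name into separate arguments. So what can we do?

There are two ways to solve this:

  • Escape each space with \
  • Wrap the name in double quotes

bandit2@bandit:~$ cat spaces\ in\ this\ filename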
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
bandit2@bandit:~$ cat "spaces in this filename"
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

Bandit Level 3 → Level 4

Level Goal

The password for the next level is stored in a hidden file in the inhere directory.

The key to this level is how to list hidden files.

bandit3@bandit:~$ ls -a
.  ..  .bash_logout  .bashrc  inhere  .profile

bandit3@bandit:~$ cd inhere

bandit3@bandit:~/inhere$ ls

bandit3@bandit:~/inhere$ ls -a
.  ..  .hidden
bandit3@bandit:~/inhere$ ls -al
total 12
drwxr-xr-x 2 root    root    4096 May  7  2020 .
drwxr-xr-x 3 root    root    4096 May  7  2020 ..
-rw-r----- 1 bandit4 bandit3   33 May  7  2020 .hidden

bandit3@bandit:~/inhere$ cat .hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB
bandit3@bandit:~/inhere$ cat<.hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB

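I looked up the difference between the two forms:

cat filename

The cat program itself opens filename, reads it, and then closes it.

cat < filename

Here the shell opens filename and redirects it to cat's standard input.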

Bandit Level 4 → Level 5

The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.

This level requires the file command.

file command in Linux with examples

bandit4@bandit:~$ ls
inhere
bandit4@bandit:~$ cd inhere
bandit4@bandit:~/inhere$ ls
-file00  -file02  -file04  -file06  -file08
-file01  -file03  -file05  -file07  -file09

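Trying them one by one would of course work, but since the task hints at human-readable, such a brute-force approach is surely not what is intended.

Annoyingly 🤬, the filenames have been tampered with 👹: the leading -f is interpreted as an option.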

bandit4@bandit:~/inhere$ file *
file: Cannot open `ile00' (No such file or directory).
file: Cannot open `ile01' (No such file or directory).
file: Cannot open `ile02' (No such file or directory).
file: Cannot open `ile03' (No such file or directory).
file: Cannot open `ile04' (No such file or directory).
file: Cannot open `ile05' (No such file or directory).
file: Cannot open `ile06' (No such file or directory).
file: Cannot open `ile07' (No such file or directory).
file: Cannot open `ile08' (No such file or directory).
file: Cannot open `ile09' (No such file or directory).

The only way is to prefix the names with ./, which shows that ./-file07 is the human-readable one:

bandit4@bandit:~/inhere$ file ./*
./-file00: data
./-file01: data
./-file02: data
./-file03: data
./-file04: data
./-file05: data
./-file06: data
./-file07: ASCII text
./-file08: data
./-file09: data

Read it directly to get the password; here are two ways to read it:

bandit4@bandit:~/inhere$ cat "./-file07"
koReBOKuIDDepwhWk7jZC0RTdopnAYKh
bandit4@bandit:~/inhere$ cat ./-file07
koReBOKuIDDepwhWk7jZC0RTdopnAYKh

Bandit Level 5 → Level 6

Level Goal

The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:

  • human-readable
  • 1033 bytes in size
  • not executable

This level teaches a bit more about the find command. First, connect to level 5:

bandit5@bandit:~$ ls
inhere
bandit5@bandit:~$ cd inhere && ls
maybehere00  maybehere03  maybehere06  maybehere09  maybehere12  maybehere15  maybehere18
maybehere01  maybehere04  maybehere07  maybehere10  maybehere13  maybehere16  maybehere19
maybehere02  maybehere05  maybehere08  maybehere11  maybehere14  maybehere17
bandit5@bandit:~/inhere$ file *
maybehere00: directory
maybehere01: directory
maybehere02: directory
maybehere03: directory
maybehere04: directory
maybehere05: directory
maybehere06: directory
maybehere07: directory
maybehere08: directory
maybehere09: directory
maybehere10: directory
maybehere11: directory
maybehere12: directory
maybehere13: directory
maybehere14: directory
maybehere15: directory
maybehere16: directory
maybehere17: directory
maybehere18: directory
maybehere19: directory

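Yare yare 😥 with this many directories, searching them one by one is clearly out of the question. No need to worry, though: the task gives three conditions: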

  • human-readable
  • 1033 bytes in size
  • not executable

So how do we use these three conditions in a search?

The options corresponding to the three conditions:

  1. -readable
  2. -size
  3. -executable

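But the third condition is not executable, so how do we express that?

After some searching: to express not, just put \! in front of the option and it's 🆗 😁

The find manual has the following passage; the only difference is that there the negation is placed before -readable: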

find /sbin /usr/sbin -executable \! -readable -print

Search for files which are executable but not readable.

Since we are already inside the inhere directory, using * as the starting point is enough to get the answer.

bandit5@bandit:~/inhere$ find * -size 1033c -readable \! -executable
maybehere07/.file2
bandit5@bandit:~/inhere$ cat maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7
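
find's -readable tests whether the current user has read permission, not whether the content is text, so the command above is really selecting on size and mode. The following added example (not part of the original post; the function names and the sample tree are constructed) pairs find with file so that the content type is checked as well.

```shell
#!/bin/sh
# Added example: select by size, mode AND content type.
# Function names and the sample tree are constructed for illustration.

# Print regular files under $1 that are exactly $2 bytes, not executable,
# and identified by file(1) as text. In a script "!" needs no backslash.
find_text_candidates() {
    find "$1" -type f -size "${2}c" ! -executable -exec sh -c '
        for f in "$@"; do
            case $(file -b -- "$f") in
                *text*) printf "%s\n" "$f" ;;
            esac
        done' sh {} +
}

# Build a small constructed tree that mimics inhere/maybehereNN.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/maybehere00" "$d/maybehere07"
    head -c 1033 /dev/zero > "$d/maybehere00/-file1"                # right size, binary
    head -c 1033 /dev/zero | tr '\0' 'a' > "$d/maybehere00/.file3"  # text, but executable
    chmod +x "$d/maybehere00/.file3"
    head -c 500 /dev/zero | tr '\0' 'a' > "$d/maybehere07/.file1"   # text, wrong size
    head -c 1033 /dev/zero | tr '\0' 'a' > "$d/maybehere07/.file2"  # the only match
    printf '%s\n' "$d"
}

tree=$(make_sample_tree)
find_text_candidates "$tree" 1033
rm -rf "$tree"
```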

Bandit Level 6 → Level 7

Level Goal

The password for the next level is stored somewhere on the server and has all of the following properties:

  • owned by user bandit7
  • owned by group bandit6
  • 33 bytes in size

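From the hint, we need to understand user and group.

This level teaches the concepts of a file's owning user and owning group.

Simply put, a file's user is its creator; to manage permissions uniformly, a set of users who share the same permissions on the file is assigned to a group.

For details, see the article below:

Linux file permissions (owner, owning group) and their meaning explained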

┌──────────────┬───────────────────────────────┐
│ Option       │ Explanation                   │
├──────────────┼───────────────────────────────┤
│ /            │ Root Directory                │
├──────────────┼───────────────────────────────┤
│ -user uname  │ File is owned by user uname   │
│              │ (numeric user ID allowed)     │
├──────────────┼───────────────────────────────┤
│ -group gname │ File belongs to group gname   │
│              │ (numeric group ID allowed)    │
└──────────────┴───────────────────────────────┘

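After logging in, the home directory turns out to be empty; looking at the path shows that we need to search from the root directory.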

bandit6@bandit:~$ pwd
/home/bandit6
bandit6@bandit:~$ ls -l
total 0
bandit6@bandit:~$ cd ../ && pwd
/home
bandit6@bandit:/home$ ls -a -l
total 164
drwxr-xr-x 41 root         root         4096 May  7  2020 .
drwxr-xr-x 26 root         root         4096 May 13  2020 ..
drwxr-xr-x  2 root         root         4096 May  7  2020 bandit0
drwxr-xr-x  2 root         root         4096 May  7  2020 bandit1
drwxr-xr-x  2 root         root         4096 May  7  2020 bandit10
drwxr-xr-x  2 root         root         4096 May  7  2020 bandit11
drwxr-xr-x  2 root         root         4096 May  7  2020 bandit12
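... (too long to write out in full)

With what we learned earlier this level is not hard at all, but since we lack permission to access many files on the server, we see a long run of Permission denied messages: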

bandit6@bandit:/home$ find / -user bandit7 -group bandit6 -size 33c
find: ‘/root’: Permission denied
find: ‘/home/bandit28-git’: Permission denied
find: ‘/home/bandit30-git’: Permission denied
find: ‘/home/bandit5/inhere’: Permission denied
find: ‘/home/bandit27-git’: Permission denied
find: ‘/home/bandit29-git’: Permission denied
find: ‘/home/bandit31-git’: Permission denied
find: ‘/lost+found’: Permission denied
find: ‘/etc/ssl/private’: Permission denied
find: ‘/etc/polkit-1/localauthority’: Permission denied
find: ‘/etc/lvm/archive’: Permission denied
find: ‘/etc/lvm/backup’: Permission denied
find: ‘/sys/fs/pstore’: Permission denied
find: ‘/proc/tty/driver’: Permission denied
find: ‘/proc/25944/task/25944/fd/6’: No such file or directory
find: ‘/proc/25944/task/25944/fdinfo/6’: No such file or directory
find: ‘/proc/25944/fd/5’: No such file or directory
find: ‘/proc/25944/fdinfo/5’: No such file or directory
find: ‘/cgroup2/csessions’: Permission denied
find: ‘/boot/lost+found’: Permission denied
find: ‘/tmp’: Permission denied
find: ‘/run/lvm’: Permission denied
find: ‘/run/screen/S-bandit12’: Permission denied
find: ‘/run/screen/S-bandit11’: Permission denied
find: ‘/run/screen/S-bandit10’: Permission denied
find: ‘/run/screen/S-bandit3’: Permission denied
find: ‘/run/screen/S-bandit29’: Permission denied
find: ‘/run/screen/S-bandit15’: Permission denied
find: ‘/run/screen/S-bandit8’: Permission denied
find: ‘/run/screen/S-bandit13’: Permission denied
find: ‘/run/screen/S-bandit19’: Permission denied
find: ‘/run/screen/S-bandit9’: Permission denied
find: ‘/run/screen/S-bandit27’: Permission denied
find: ‘/run/screen/S-bandit2’: Permission denied
find: ‘/run/screen/S-bandit14’: Permission denied
find: ‘/run/screen/S-bandit16’: Permission denied
find: ‘/run/screen/S-bandit22’: Permission denied
find: ‘/run/screen/S-bandit4’: Permission denied
find: ‘/run/screen/S-bandit31’: Permission denied
find: ‘/run/screen/S-bandit24’: Permission denied
find: ‘/run/screen/S-bandit21’: Permission denied
find: ‘/run/screen/S-bandit25’: Permission denied
find: ‘/run/screen/S-bandit23’: Permission denied
find: ‘/run/screen/S-bandit20’: Permission denied
find: ‘/run/shm’: Permission denied
find: ‘/run/lock/lvm’: Permission denied
find: ‘/var/spool/bandit24’: Permission denied
find: ‘/var/spool/cron/crontabs’: Permission denied
find: ‘/var/spool/rsyslog’: Permission denied
find: ‘/var/tmp’: Permission denied
find: ‘/var/lib/apt/lists/partial’: Permission denied
find: ‘/var/lib/polkit-1’: Permission denied
/var/lib/dpkg/info/bandit7.password
find: ‘/var/log’: Permission denied
find: ‘/var/cache/apt/archives/partial’: Permission denied
find: ‘/var/cache/ldconfig’: Permission denied

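These error messages are clearly useless, so we can discard them by redirecting standard error (file descriptor 2) to /dev/null: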

bandit6@bandit:/home$ find / -user bandit7 -group bandit6 -size 33c 2>/dev/null
/var/lib/dpkg/info/bandit7.password
bandit6@bandit:/home$ cat /var/lib/dpkg/info/bandit7.password
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

What does 2>/dev/null mean? (Tip: a proxy is needed to reach it 😋)

Bandit Level 7 → Level 8

Level Goal

The password for the next level is stored in the file data.txt next to the word millionth

This level is a simple introduction to grep.

grep searchword filename

grep prints every line that matches.

Given the task description, this is very simple:

bandit7@bandit:~$ ls -a -l
total 4108
drwxr-xr-x  2 root    root       4096 May  7  2020 .
drwxr-xr-x 41 root    root       4096 May  7  2020 ..
-rw-r--r--  1 root    root        220 May 15  2017 .bash_logout
-rw-r--r--  1 root    root       3526 May 15  2017 .bashrc
-rw-r-----  1 bandit8 bandit7 4184396 May  7  2020 data.txt
-rw-r--r--  1 root    root        675 May 15  2017 .profile
bandit7@bandit:~$ grep millionth data.txt
millionth	cvX2JJa4CFALtqS87jk27qwqGhBM9plV

Password obtained, next level 😋

Bandit Level 8 → Level 9

Level Goal

The password for the next level is stored in the file data.txt and is the only line of text that occurs only once

From the task we know the password appears only once in data.txt. Let's first take a look at data.txt:

bandit8@bandit:~$ ls -l
total 36
-rw-r----- 1 bandit9 bandit8 33033 May  7  2020 data.txt
bandit8@bandit:~$ head -15 data.txt
VkBAEWyIibVkeURZV5mowiGg6i3m7Be0
zdd2ctVveROGeiS2WE3TeLZMeL5jL7iM
sYSokIATVvFUKU4sAHTtMarfjlZWWj5i
ySvsTwlMgnUF0n86Fgmn2TNjkSOlrV72
NLWvtQvL7EaqBNx2x4eznRlQONULlCYZ
LfrBHfAh0pP9bgGAZP4QrVkut3pysAYC
U0NYdD3wHZKpfEg9qGQOLJimAJy6qxhS
flyKxCbHB8uLTaIB5LXqQNuJj3yj00eh
TThRArdF2ZEXMO47TIYkyPPLtvzzLcDf
cIPbot7oYveUPNxDMhv1hiri50CqpkTG
kJTBMD8k9OHyXwZ2aJMQkV23u0gyuoIO
J6Lzp6ZqTJsOuJRTXcvhwKfM0KK3Xtbl
NLWvtQvL7EaqBNx2x4eznRlQONULlCYZ
0N65ZPpNGkUJePzFxctCRZRXVrCbUGfm
SHMAMUEzQe4mV7SJpETTZFsyNRJsZE2k

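The output shows that the true password is hidden among a pile of fake passwords and occurs exactly once; in other words, the fake passwords are repeated. If we remove every line that is repeated, what remains is the true password.

So how do we remove the repeated lines?

uniq Command in LINUX with examples (tip: requires a proxy 🌏)

uniq can remove repeated lines from text, but it only recognises repeats that are adjacent to each other: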

Note: uniq isn’t able to detect the duplicate lines unless they are adjacent to each other. The content in the file must be therefore sorted before using uniq or you can simply use sort -u instead of uniq command.

So data.txt must first be sorted with sort, and then uniq's -u option does the job.

-u – -unique : It allows you to print only unique lines.

With that understood, let's grab the password 😋

bandit8@bandit:~$ sort data.txt | uniq -u
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

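This uses a little knowledge of pipes. If you are not sure what pipes and redirection are, have a look at this 👉 Piping and Redirection. It is an excellent, easy-to-understand blog post 🎉🎉🎉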
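
The following added example (not part of the original post; the data and function names are constructed) shows why the sort step matters for this level, and why sort -u is not a substitute for uniq -u here: sort -u keeps one copy of every line, while uniq -u keeps only the lines that occur exactly once.

```shell
#!/bin/sh
# Added example with constructed data: three ways to "deduplicate" and
# what each one actually returns.

# Lines that occur exactly once in file $1 (the approach used above).
lines_once() { sort "$1" | uniq -u; }

# Same result in a single pass, without sorting (output order is unspecified).
lines_once_awk() {
    awk '{ n[$0]++ } END { for (l in n) if (n[l] == 1) print l }' "$1"
}

# Constructed sample: fakeA x3, fakeB x2, REAL x1, no adjacent repeats.
make_sample() {
    f=$(mktemp) || return 1
    printf '%s\n' fakeA fakeB fakeA REAL fakeB fakeA > "$f"
    printf '%s\n' "$f"
}

sample=$(make_sample)
echo "sort | uniq -u   (lines occurring once):";        lines_once "$sample"
echo "awk counter      (lines occurring once):";        lines_once_awk "$sample"
echo "uniq -u unsorted (nothing is adjacent, so all):"; uniq -u "$sample"
echo "sort -u          (one copy of every line):";      sort -u "$sample"
rm -f "$sample"
```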

Bandit Level 9 → Level 10

Level Goal

The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.

According to the task, this time data.txt is not a readable text file. Let's see what is going on:

bandit9@bandit:~$ file data.txt
data.txt: data
bandit9@bandit:~$ head -1 data.txt
�L�lω;��ßOܛ��ǤX��NdT��B��M֢�Z/,_��w��#�5���
                                 Ў�e�&�-��Ϣ�6Q8��J�%fa�

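file tells us that data.txt is data, i.e. a binary file, so it is not readable as text. However, we can use strings to extract the printable strings from a binary file: Linux strings command (tip: requires a proxy 🌏)

Of course, here we can also apply a little grep on top: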

bandit9@bandit:~$ strings data.txt | grep -E '=+'
========== the*2i"4
=:G e
========== password
<I=zsGi
Z)========== is
A=|t&E
Zdb=
c^ LAh=3G
*SF=s
&========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
S=A.H&^

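In an earlier level we introduced grep briefly; here is a more detailed introduction 👉 grep command in Unix/Linux

The -E option makes grep treat the pattern that follows as an extended regular expression.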

grep [options] pattern [files]

Options Description
-c : Prints only a count of the lines that match the pattern.
-h : Displays the matched lines, but does not display the filenames.
-i : Ignores case for matching.
-l : Displays a list of filenames only.
-n : Displays the matched lines and their line numbers.
-v : Prints all the lines that do not match the pattern.
-e exp : Specifies an expression with this option. Can be used multiple times.
-f file : Takes patterns from file, one per line.
-E : Treats pattern as an extended regular expression (ERE).
-w : Matches whole words.
-o : Prints only the matched parts of a matching line, with each such part on a separate output line.
-A n : Prints the matched line and n lines after it.
-B n : Prints the matched line and n lines before it.
-C n : Prints the matched line and n lines before and after it.
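
The pattern '=+' used in Level 9 matches any line containing a single '=', which is why the output above includes noise such as "Zdb=". The following added example (not part of the original post; the sample bytes and function names are constructed, and printable_runs is a simplified stand-in for strings) requires a run of several '=' and prints only the text after it.

```shell
#!/bin/sh
# Added example; sample_blob and its contents are constructed.

# Simplified stand-in for strings(1): split stdin at every non-printable
# byte and keep runs of at least $1 printable characters (strings uses 4).
printable_runs() {
    LC_ALL=C tr -c '[:print:]' '\n' | LC_ALL=C grep -E ".{${1:-4},}"
}

# Keep only lines containing a run of at least $1 '=' characters and
# print the text that follows that run.
after_equals() {
    n=${1:-2}
    grep -E "={$n,}" | sed -E "s/^.*={$n,}[[:space:]]*//"
}

# Constructed binary sample: marked strings and noise separated by raw bytes.
sample_blob() {
    printf '\001\002========== the\377\000=:G e\000\200'
    printf '========== CONSTRUCTEDvalue0123\n\003S=A.H\000'
}

# Noise such as "=:G e" and "S=A.H" contains only one '=' and is dropped.
sample_blob | printable_runs 4 | after_equals 5
# With the real tool the pipeline is: strings data.txt | after_equals 5
```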