Wargames——Bandit

ra1nb0wsea1974

已于 2024-06-14 22:43:39 修改

阅读量216

点赞数 9

文章标签： linux 网络安全学习笔记

于 2024-06-14 22:42:24 首次发布

本文链接：https://blog.csdn.net/qq_44647488/article/details/139691355

版权

Bandit

来自Wargames

练习ssh和linux操作

Level0

ssh -p 2220 bandit0@bandit.labs.overthewire.org
密码：bandit0

bandit0@bandit:~$ ls
readme
bandit0@bandit:~$ cat readme
NH2SXQwcBdpmTEzi3bvBHMM9H66vVXjL
bandit0@bandit:~$

Level1

ssh -p 2220 bandit1@bandit.labs.overthewire.org
密码：NH2SXQwcBdpmTEzi3bvBHMM9H66vVXjL

bandit1@bandit:~$ ls
-
bandit1@bandit:~$ cat ./-  #使用相对路径，可以查看特殊文件名
rRGizSaX8Mk1RTb1CNQoXTcYZWU6lgzi
bandit1@bandit:~$

Level2

ssh -p 2220 bandit2@bandit.labs.overthewire.org
密码：rRGizSaX8Mk1RTb1CNQoXTcYZWU6lgzi

bandit2@bandit:~$ ls -l
total 4
-rw-r----- 1 bandit3 bandit2 33 Oct  5  2023 spaces in this filename
bandit2@bandit:~$ cat spaces\ in\ this\ filename #使用\转移特殊字符
aBZ0W5EmUfAf7kHTQeOwd8bauFJ2lAiG
bandit2@bandit:~$

Level3

ssh -p 2220 bandit3@bandit.labs.overthewire.org
密码：aBZ0W5EmUfAf7kHTQeOwd8bauFJ2lAiG

bandit3@bandit:~$ ls -al inhere/
total 12
drwxr-xr-x 2 root    root    4096 Oct  5  2023 .
drwxr-xr-x 3 root    root    4096 Oct  5  2023 ..
-rw-r----- 1 bandit4 bandit3   33 Oct  5  2023 .hidden
bandit3@bandit:~$ cat inhere/.hidden  #查看隐藏文件
2EW7BBsr6aMMoJ2HjW067dm8EgX26xNe
bandit3@bandit:~$

Level4

ssh -p 2220 bandit4@bandit.labs.overthewire.org
密码：2EW7BBsr6aMMoJ2HjW067dm8EgX26xNe

bandit4@bandit:~$ file inhere/*
inhere/-file00: data
inhere/-file01: data
inhere/-file02: data
inhere/-file03: data
inhere/-file04: data
inhere/-file05: data
inhere/-file06: data
inhere/-file07: ASCII text  #找到不同的文件类型
inhere/-file08: data
inhere/-file09: data
bandit4@bandit:~$ cat inhere/-file07
lrIWWI6bB37kxfiCQZqUdOIYfr6eEeqR
bandit4@bandit:~$

Level5

提示找大小1033bytes且没有可执行权限的文件

ssh -p 2220 bandit5@bandit.labs.overthewire.org
密码：lrIWWI6bB37kxfiCQZqUdOIYfr6eEeqR

bandit5@bandit:~$ find inhere/ -size 1033c ! -executable
inhere/maybehere07/.file2
bandit5@bandit:~$ cat inhere/maybehere07/.file2
P4L4vucdmLnm8I7Vl7jG1ApGSfjYKqJU
bandit8@bandit:~$

Level6

ssh -p 2220 bandit6@bandit.labs.overthewire.org
密码：P4L4vucdmLnm8I7Vl7jG1ApGSfjYKqJU

bandit6@bandit:~$ find / -user bandit7 -group bandit6 -size 33c
/var/lib/dpkg/info/bandit7.password
bandit6@bandit:~$ cat /var/lib/dpkg/info/bandit7.password
z7WtoNQU2XfjmMtWA8u5rN4vzqu4v99S
bandit6@bandit:~$

Level7

ssh -p 2220 bandit7@bandit.labs.overthewire.org
密码：z7WtoNQU2XfjmMtWA8u5rN4vzqu4v99S

bandit7@bandit:~$ cat data.txt | grep millionth
millionth       TESKZC0XvTetK0S9xNwm25STk5iWrBvP
bandit8@bandit:~$

Level8

ssh -p 2220 bandit8@bandit.labs.overthewire.org
密码：TESKZC0XvTetK0S9xNwm25STk5iWrBvP

bandit8@bandit:~$ cat data.txt | sort | uniq -u
EN632PlfYiZbn3PhVK3XOGSlNInNE00t
bandit8@bandit:~$

Level9

ssh -p 2220 bandit9@bandit.labs.overthewire.org
密码：EN632PlfYiZbn3PhVK3XOGSlNInNE00t

bandit9@bandit:~$ strings data.txt | grep =
========== G7w8LIi6J3kTb8A7j9LgrywtEUlyyp6s
bandit9@bandit:~$

Level10

ssh -p 2220 bandit10@bandit.labs.overthewire.org
密码：G7w8LIi6J3kTb8A7j9LgrywtEUlyyp6s

bandit10@bandit:~$ cat data.txt
VGhlIHBhc3N3b3JkIGlzIDZ6UGV6aUxkUjJSS05kTllGTmI2blZDS3pwaGxYSEJNCg==
bandit10@bandit:~$ cat data.txt | base64 -d
The password is 6zPeziLdR2RKNdNYFNb6nVCKzphlXHBM
bandit10@bandit:~$

Level11

ssh -p 2220 bandit10@bandit.labs.overthewire.org
密码：6zPeziLdR2RKNdNYFNb6nVCKzphlXHBM

bandit11@bandit:~$ cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m' #使用tr命令构造ROT13加解密
The password is JVNBBFSmZwKKOP0XbFXOoW8chDz5yVRv

Level12

ssh -p 2220 bandit12@bandit.labs.overthewire.org
密码：JVNBBFSmZwKKOP0XbFXOoW8chDz5yVRv

解密过程：xdd->gzip->bzip2->gzip->tar->tar->tar->gzip
bandit12@bandit:/tmp/bandit12$ xxd -r data.txt data.out
继续解压
bandit12@bandit:/tmp/bandit12$ cat data8
The password is wbWdlBxEir4CaE8LaPhauuOo6pwRmrDw

Level13

ssh -p 2220 bandit13@bandit.labs.overthewire.org
密码：wbWdlBxEir4CaE8LaPhauuOo6pwRmrDw

bandit13@bandit:~$ ssh -i ./sshkey.private bandit14@localhost -p 2220
bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
fGrHPx402xGC7U7rXKDaxiWFTOiF0ENq
bandit14@bandit:~$

Level14

ssh -p 2220 bandit14@bandit.labs.overthewire.org
密码：fGrHPx402xGC7U7rXKDaxiWFTOiF0ENq

bandit14@bandit:~$ nc localhost 30000 
fGrHPx402xGC7U7rXKDaxiWFTOiF0ENq
Correct!
jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt

Level15

ssh -p 2220 bandit15@bandit.labs.overthewire.org
密码：jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt
#使用openssl连接服务器或者
openssl s_client -connect localhost:30001 -ign_eof
bandit15@bandit:~$ openssl s_client -connect localhost:30001
read R BLOCK
jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt
Correct!
JQttfApK4SeyHwDlI9SXGR50qclOAil1
closed
bandit15@bandit:~$

Level16

ssh -p 2220 bandit16@bandit.labs.overthewire.org
密码：JQttfApK4SeyHwDlI9SXGR50qclOAil1

bandit16@bandit:~$ nmap -v -sV localhost -p 31000-32000
Discovered open port 31518/tcp on 127.0.0.1
Discovered open port 31046/tcp on 127.0.0.1
Discovered open port 31691/tcp on 127.0.0.1
Discovered open port 31960/tcp on 127.0.0.1
Discovered open port 31790/tcp on 127.0.0.1
bandit16@bandit:~$ openssl s_client -connect localhost:31790
发送本关密码得到Level17的ssh_key，保存到/tmp/tmp_123/123.txt中，权限设置只读
bandit16@bandit:~$ ssh -i /tmp/tmp_123/123.txt bandit17@bandit.labs.overthewire.org -p 2220
bandit17@bandit:~$ cat /etc/bandit_pass/bandit17
VwOSWtCA7lRKkTfbr2IDh6awj9RNZM5e
bandit17@bandit:~$

Level17

ssh -p 2220 bandit17@bandit.labs.overthewire.org
密码：VwOSWtCA7lRKkTfbr2IDh6awj9RNZM5e

bandit17@bandit:~$ diff --color passwords.new passwords.old
42c42
< hga5tuuCLF6fFzUpnagiMN8ssu9LFrdg
---
> p6ggwdNHncnmCNxuAt0KtKVq185ZU7AW
bandit17@bandit:~$

Level18

ssh -p 2220 bandit18@bandit.labs.overthewire.org
密码：hga5tuuCLF6fFzUpnagiMN8ssu9LFrdg
#一连接会自动断开，可以尝试执行命令
ssh -p 2220 bandit18@bandit.labs.overthewire.org '/bin/bash' #执行一个shell
cat readme
ssh -p 2220 bandit18@bandit.labs.overthewire.org 'cat readme'
awhqfNnAbc1naukrpqDYcF95h7HoMTrC

Level19

ssh -p 2220 bandit19@bandit.labs.overthewire.org
密码：awhqfNnAbc1naukrpqDYcF95h7HoMTrC
#有一个可执行文件，执行命令
bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
VxCazJaVykI6W36BkBU0mJTCM8rR95XT

Level20

ssh -p 2220 bandit20@bandit.labs.overthewire.org
密码：VxCazJaVykI6W36BkBU0mJTCM8rR95XT

bandit20@bandit:~$ echo 'VxCazJaVykI6W36BkBU0mJTCM8rR95XT' | nc -l -p 30088 &
[1] 3249375
bandit20@bandit:~$ ./suconnect 30088
Read: VxCazJaVykI6W36BkBU0mJTCM8rR95XT
Password matches, sending next password
NvEJF7oVjkddltPSrdKEFOllh9V1IBcq
bandit20@bandit:~$

Level21

ssh -p 2220 bandit21@bandit.labs.overthewire.org
密码：NvEJF7oVjkddltPSrdKEFOllh9V1IBcq
#提示查看定时任务

bandit21@bandit:~$ cd /etc/cron.d
bandit21@bandit:/etc/cron.d$ ls
cronjob_bandit15_root  cronjob_bandit22  cronjob_bandit24       e2scrub_all  sysstat
cronjob_bandit17_root  cronjob_bandit23  cronjob_bandit25_root  otw-tmp-dir
bandit21@bandit:/etc/cron.d$ cat cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
bandit21@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
bandit21@bandit:/etc/cron.d$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
WdDozAdTM2z9DiFEQ2mGlwngMfj4EZff
bandit21@bandit:/etc/cron.d$

Level22

ssh -p 2220 bandit22@bandit.labs.overthewire.org
密码：WdDozAdTM2z9DiFEQ2mGlwngMfj4EZff

bandit22@bandit:~$ cd /etc/cron.d
bandit22@bandit:/etc/cron.d$ ls
cronjob_bandit15_root  cronjob_bandit22  cronjob_bandit24       e2scrub_all  sysstat
cronjob_bandit17_root  cronjob_bandit23  cronjob_bandit25_root  otw-tmp-dir
bandit22@bandit:/etc/cron.d$ cat cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
bandit22@bandit:/etc/cron.d$ cat  /usr/bin/cronjob_bandit23.sh
#!/bin/bash
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget
bandit22@bandit:~$ echo "I am user bandit23" | md5sum | cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349
bandit22@bandit:~$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
QYw0Y2aiA672PsMmh9puTQuhoz8SyR2G
bandit22@bandit:~$

Level23

ssh -p 2220 bandit23@bandit.labs.overthewire.org
密码：QYw0Y2aiA672PsMmh9puTQuhoz8SyR2G
#可以知道这个定时脚本，目的是切换到/var/spool/bandit24文件夹，然后遍历所有文件，并且执行这个文件，如果遇到用户是bandit23的话，先执行，持续一段时间，然后再删除文件
bandit23@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash
myname=$(whoami)
cd /var/spool/$myname/foo
echo "Executing and deleting all scripts in /var/spool/$myname/foo:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        owner="$(stat --format "%U" ./$i)"
        if [ "${owner}" = "bandit23" ]; then
            timeout -s 9 60 ./$i
        fi
        rm -f ./$i
    fi
done
bandit23@bandit:~$ vim /tmp/123.sh  #读取密码的脚本
#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/bandit24_pass
bandit23@bandit:~$ chmod 777 /tmp/123.sh
bandit23@bandit:~$ cp /tmp/123.sh /var/spool/bandit24/foo/
bandit23@bandit:~$ cat /tmp/bandit24_pass
VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar
bandit23@bandit:~$

Level24

ssh -p 2220 bandit24@bandit.labs.overthewire.org
密码：VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar

bandit24@bandit:~$ vim /tmp/123.py
#!/usr/bin/python3
# coding: utf-8
import sys
import socket
pincode = 6000
password = "VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar"
try:
    # Connect to server
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("127.0.0.1", 30002))
    # Print welcome message
    welcome_msg = s.recv(2048).decode()  # Decode bytes to string
    print(welcome_msg)
    # Try brute-forcing
    while pincode < 10000:
        pincode_string = str(pincode).zfill(4)
        message = password + " " + pincode_string + "\n"
        # Send message
        s.sendall(message.encode())
        receive_msg = s.recv(1024).decode()  # Decode bytes to string
        # Check result
        if "Wrong" in receive_msg:
            print("Wrong PINCODE: %s" % pincode_string)
        else:
            print(receive_msg)
            break
        pincode += 1
finally:
    s.close()  # Close the socket connection
    sys.exit(0)  # Use 0 for normal exit
bandit24@bandit:~$ python3 /tmp/123.py
Wrong PINCODE: 9014
Correct!
The password of user bandit25 is p7TaowMYrmu23Ol8hiZh9UvD0O9hpx8d

Exiting.
bandit24@bandit:~$

Level25

ssh -p 2220 bandit25@bandit.labs.overthewire.org
密码：p7TaowMYrmu23Ol8hiZh9UvD0O9hpx8d
#目录下看到bandit26的ssh_key，复制下来改700权限，连接bandit26会自动退出

bandit25@bandit:~$ cat /etc/passwd | grep bandit26
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
bandit25@bandit:~$
bandit25@bandit:~$ cat /usr/bin/showtext #看到bandit26账号的shell路径
#!/bin/sh
export TERM=linux
exec more ~/text.txt  #由于执行了more，所以把窗口调小，more就不会全部显示出来，可以进行编辑模式
exit 0
bandit25@bandit:~$
#登录bandit26会，卡住在more的显示画面，进入编辑模式
:e /etc/bandit_pass/bandit26
c7GvcKlw9mC7aUQaPx7nwFstuAIBw1o1

Level26

ssh -p 2220 bandit26@bandit.labs.overthewire.org
密码：c7GvcKlw9mC7aUQaPx7nwFstuAIBw1o1
#如上一题手法，进入编辑模式，进行提权
:set shell sh=/bin/sh
sh
$ ls -alh
total 44K
drwxr-xr-x  3 root     root     4.0K Oct  5  2023 .
drwxr-xr-x 70 root     root     4.0K Oct  5  2023 ..
-rw-r--r--  1 root     root      220 Jan  6  2022 .bash_logout
-rw-r--r--  1 root     root     3.7K Jan  6  2022 .bashrc
-rw-r--r--  1 root     root      807 Jan  6  2022 .profile
drwxr-xr-x  2 root     root     4.0K Oct  5  2023 .ssh
-rwsr-x---  1 bandit27 bandit26  15K Oct  5  2023 bandit27-do #可执行文件，提权
-rw-r-----  1 bandit26 bandit26  258 Oct  5  2023 text.txts
$ ./bandit27-do cat /etc/bandit_pass/bandit27
YnQpBuifNMas1hcUFk70ZmqkhUU2EuaS
$

Level27

ssh -p 2220 bandit27@bandit.labs.overthewire.org
密码：YnQpBuifNMas1hcUFk70ZmqkhUU2EuaS
#根据提示git，过程需要输入bandit27的密码
bandit27@bandit:~$ mkdir /tmp/git_ssh
bandit27@bandit:~$ cd /tmp/git_ssh
bandit27@bandit:/tmp/git_ssh$ git clone ssh://bandit27-git@localhost:2220/home/bandit27-git/repo
bandit27@bandit:/tmp/git_ssh$ cat repo/README
The password to the next level is: AVanL161y9rsbcJIsFHuw35rjaOM19nR
bandit27@bandit:/tmp/git_ssh$

Level28

ssh -p 2220 bandit28@bandit.labs.overthewire.org
密码：AVanL161y9rsbcJIsFHuw35rjaOM19nR
#根据提示git，过程需要输入bandit28的密码
bandit28@bandit:~$ mkdir /tmp/git_ssh
bandit28@bandit:~$ cd /tmp/git_ssh
bandit28@bandit:/tmp/git_ssh$ git clone ssh://bandit27-git@localhost:2220/home/bandit27-git/repo
bandit28@bandit:/tmp/git_ssh/repo$ git show
commit 14f754b3ba6531a2b89df6ccae6446e8969a41f3 (HEAD -> master, origin/master, origin/HEAD)
Author: Morla Porla <morla@overthewire.org>
Date:   Thu Oct 5 06:19:41 2023 +0000
    fix info leak
diff --git a/README.md b/README.md
index b302105..5c6457b 100644
--- a/README.md
+++ b/README.md
@@ -4,5 +4,5 @@ Some notes for level29 of bandit.
 ## credentials
 - username: bandit29
-- password: tQKvmcwNYcFS6vmPHIUSI3ShmsrQZK8S
+- password: xxxxxxxxxx
bandit28@bandit:/tmp/git_ssh/repo$

Level29

ssh -p 2220 bandit29@bandit.labs.overthewire.org
密码：tQKvmcwNYcFS6vmPHIUSI3ShmsrQZK8S
#查看git分支
bandit29@bandit:~$ mkdir /tmp/git_3
bandit29@bandit:~$ cd /tmp/git_3
bandit29@bandit:/tmp/git_3$ git clone ssh://bandit29-git@localhost:2220/home/bandit29-git/repo
bandit29@bandit:/tmp/git_3/repo$ git branch -a
* master
  remotes/origin/HEAD -> origin/master
  remotes/origin/dev
  remotes/origin/master
  remotes/origin/sploits-dev
bandit29@bandit:/tmp/git_3/repo$ git checkout dev
Branch 'dev' set up to track remote branch 'dev' from 'origin'.
Switched to a new branch 'dev'
bandit29@bandit:/tmp/git_3/repo$ git show
commit 1d160de5f8f647f00634bbf3d49b9244275217b6 (HEAD -> dev, origin/dev)
Author: Morla Porla <morla@overthewire.org>
Date:   Thu Oct 5 06:19:43 2023 +0000
    add data needed for development
diff --git a/README.md b/README.md
index 1af21d3..a4b1cf1 100644
--- a/README.md
+++ b/README.md
@@ -4,5 +4,5 @@ Some notes for bandit30 of bandit.
 ## credentials
 - username: bandit30
-- password: <no passwords in production!>
+- password: xbhV3HpNGlTIdnjUrdAlPzc2L6y9EOnS
bandit29@bandit:/tmp/git_3/repo$

Level30

ssh -p 2220 bandit30@bandit.labs.overthewire.org
密码：xbhV3HpNGlTIdnjUrdAlPzc2L6y9EOnS
#查看分支,提交日志,只能查看本地引用
bandit30@bandit:~$ mkdir -p /tmp/git_30
bandit30@bandit:~$ cd /tmp/git_3
bandit30@bandit:/tmp/git_30$ git clone ssh://bandit30-git@localhost:2220/home/bandit30-git/repo
bandit30@bandit:/tmp/git_30$ cd repo
bandit30@bandit:/tmp/git_30/repo$ git show-ref
d39631d73f786269b895ae9a7b14760cbf40a99f refs/heads/master
d39631d73f786269b895ae9a7b14760cbf40a99f refs/remotes/origin/HEAD
d39631d73f786269b895ae9a7b14760cbf40a99f refs/remotes/origin/master
831aac2e2341f009e40e46392a4f5dd318483019 refs/tags/secret
bandit30@bandit:/tmp/git_30/repo$ git show 831aac2e2341f009e40e46392a4f5dd318483019
OoffzGDlzhAlerFJ2cAiz1D41JW1Mhmt
bandit30@bandit:/tmp/git_30/repo$

Level31

ssh -p 2220 bandit31@bandit.labs.overthewire.org
密码：OoffzGDlzhAlerFJ2cAiz1D41JW1Mhmt
#根据提示，commit一个key.txt
bandit31@bandit:~$ mkdir /tmp/git_5
bandit31@bandit:~$ cd /tmp/git_5
bandit31@bandit:/tmp/git_5$ git clone ssh://bandit31-git@localhost:2220/home/bandit31-git/repo
bandit31@bandit:/tmp/git_5/repo$ echo "May I come in?" > key.txt
bandit31@bandit:/tmp/git_5/repo$ git add .
bandit31@bandit:/tmp/git_5/repo$ git commit -m "key.txt"
bandit31@bandit:/tmp/git_5/repo$ git push origin master
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can't be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/home/bandit31/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/home/bandit31/.ssh/known_hosts).
                         _                     _ _ _
                        | |__   __ _ _ __   __| (_) |_
                        | '_ \ / _` | '_ \ / _` | | __|
                        | |_) | (_| | | | | (_| | | |_
                        |_.__/ \__,_|_| |_|\__,_|_|\__|
                      This is an OverTheWire game server.
            More information on http://www.overthewire.org/wargames
bandit31-git@localhost's password:
Enumerating objects: 4, done.
Counting objects: 100% (4/4), done.
Delta compression using up to 2 threads
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 320 bytes | 320.00 KiB/s, done.
Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
remote: ### Attempting to validate files... ####
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
remote: Well done! Here is the password for the next level:
remote: rmCBvG56y58BXzv98yZGdO7ATVL5dW8y
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
To ssh://localhost:2220/home/bandit31-git/repo
 ! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'ssh://localhost:2220/home/bandit31-git/repo'
bandit31@bandit:/tmp/git_5/repo$

Level32

ssh -p 2220 bandit32@bandit.labs.overthewire.org
密码：rmCBvG56y58BXzv98yZGdO7ATVL5dW8y

$0 的含义

在 Unix-like 系统的 shell 环境中，$0 是一个特殊的变量，用来表示当前正在执行的脚本或命令的名称。如果是在一个脚本中，$0 将显示该脚本的名称；如果是在命令行直接执行的命令，$0 通常显示 shell 的名称或路径。
如何使用 $0 返回正常的 shell

当你在 shell 中输入 $0 并执行时，实际上你是在请求启动一个新的 shell 实例，该实例的类型或路径由 $0 的值决定。例如，如果你在 bash 环境下输入 $0，通常会启动一个新的 bash shell。

>>$0  #进入正常shell
$ cat /etc/bandit_pass/bandit33
odHo63fHiFqcWWJG9rLiLDtPm45KzUKy
$

Level33

ssh -p 2220 bandit33@bandit.labs.overthewire.org
密码：odHo63fHiFqcWWJG9rLiLDtPm45KzUKy
#游戏结束
bandit33@bandit:~$ cat README.txt
Congratulations on solving the last level of this game!
At this moment, there are no more levels to play in this game. However, we are constantly working
on new levels and will most likely expand this game with more levels soon.
Keep an eye out for an announcement on our usual communication channels!
In the meantime, you could play some of our other wargames.
If you have an idea for an awesome new level, please let us know!
bandit33@bandit:~$