Bandit series (1-34)
Game link: https://overthewire.org/wargames/bandit
0. Trivial
ssh bandit0@bandit.labs.overthewire.org -p 2220
ls -al
cat readme
1. Reading a file named -
ls -al
cat /home/bandit1/-   (or: cat ./-)
2. Filename containing spaces
Escape each space with a backslash, or just use tab completion
3. Hidden file
ls -al
cat .hidden
4. The hint says to use the file command: find the human-readable file
Identify each file's type:
file ./*
5. Human-readable, 1033 bytes, not executable
find . -type f -size 1033c 2>/dev/null
2>/dev/null discards stderr
6. 33 bytes, owned by user bandit7 and group bandit6
find / -size 33c -user bandit7 -group bandit6 2>/dev/null
7. Match a word
grep millionth data.txt
8. The line that appears only once
sort data.txt | uniq -u
9. Not human-readable; the password follows an =
strings data.txt | grep =
10. base64
base64 -d data.txt
11. Caesar cipher with a shift of 13 (ROT13)
Pasting it into an online decoder works,
but the hint says tr can do it:
cat data.txt | tr 'a-z' 'n-za-m' | tr 'A-Z' 'N-ZA-M'
12. The hint says it's a hexdump of a file, and /tmp is writable
mkdir /tmp/test
xxd -r data.txt /tmp/test/test.zip
You can simply scp the file to your local machine and unpack it there; or unpack it layer by layer on the server: there are 9 layers, and at each layer run file on the output to see its type and add the matching suffix.
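The "run file, add the suffix, unpack, repeat" loop from level 12 is easy to script. The snippet below is an added example, not part of the original writeup: it reads the magic bytes itself instead of trusting suffixes, unwraps gzip, bzip2 and tar layers until it reaches something it does not recognise, and builds its own three-layer sample blob (constructed here; gzip and tar are assumed to be on PATH, bzip2 only if such a layer is actually met).

```shell
#!/bin/sh
# Added example, not part of the original writeup: peel nested compression
# layers by inspecting magic bytes rather than guessing suffixes by hand.
# Assumes gzip and tar are on PATH (bzip2 only if a bzip2 layer is met).

# Print the container type of a file: gzip, bzip2, tar or unknown.
detect_type() {
    f=$1
    magic=$(head -c 3 "$f" | od -An -tx1 | tr -d ' \n')
    case $magic in
        1f8b*)  echo gzip ;;            # gzip starts with 1f 8b
        425a68) echo bzip2 ;;           # bzip2 starts with "BZh"
        *)
            # POSIX tar carries "ustar" at byte offset 257
            if [ "$(dd if="$f" bs=1 skip=257 count=5 2>/dev/null)" = "ustar" ]; then
                echo tar
            else
                echo unknown
            fi ;;
    esac
}

# Repeatedly unwrap $1 into $2/layerN until the content is no longer a
# known container; prints the path of the innermost file.
unwrap_layers() {
    src=$1; work=$2; max=${3:-20}
    mkdir -p "$work"
    cur="$work/layer0"
    cp "$src" "$cur"
    n=0
    while [ "$n" -lt "$max" ]; do
        t=$(detect_type "$cur")
        [ "$t" = unknown ] && break
        n=$((n + 1))
        next="$work/layer$n"
        case $t in
            gzip)  gzip -dc "$cur" > "$next" ;;
            bzip2) bzip2 -dc "$cur" > "$next" ;;
            tar)   tar -xOf "$cur" > "$next" ;;   # -O: member contents to stdout
        esac
        echo "layer $n: $t -> $next" >&2
        cur=$next
    done
    echo "$cur"
}

# Constructed sample: one text line wrapped gzip -> tar -> gzip (three layers).
build_sample() {
    d=$1
    printf 'example secret: not-a-real-password\n' > "$d/plain.txt"
    gzip -c "$d/plain.txt" > "$d/layer1.gz"
    ( cd "$d" && tar -cf layer2.tar layer1.gz )
    gzip -c "$d/layer2.tar" > "$d/blob"
    echo "$d/blob"
}

demo_dir=$(mktemp -d)
blob=$(build_sample "$demo_dir")
inner=$(unwrap_layers "$blob" "$demo_dir/work")
cat "$inner"
```

The depth limit (20 by default) matters more than it looks: a crafted blob can nest far deeper than the 9 layers of this level, and a loop without a ceiling would happily fill the disk.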
13. SSH key
ssh -i key bandit14@localhost
14. Send level 14's password to local port 30000
nc localhost 30000 < /etc/bandit_pass/bandit14
15. Same as 14, but over SSL/TLS to local port 30001; the hint says to use -ign_eof
openssl s_client -connect localhost:30001 -ign_eof < /etc/bandit_pass/bandit15
-quiet can replace -ign_eof for less verbose output
16. One of the ports 31000-32000 takes the same method as the previous level
nmap -A localhost -p 31000-32000
31790 replied with a password field
openssl s_client -connect localhost:31790 -ign_eof </etc/bandit_pass/bandit16
It returns level 17's SSH key
17. File comparison
diff new old
18. Logging in kicks you straight out, but the hint gives the location of the next level's password
ssh bandit18@bandit.labs.overthewire.org -p 2220 cat readme
19. Privilege escalation
./bandit20-do cat /etc/bandit_pass/bandit20
20. Use the given program to verify the current password
Terminal 1: nc -l PORT < /etc/bandit_pass/bandit20
Terminal 2: ./suconnect PORT
21. Cron jobs
Just cat your way through step by step
22. Cron job audit
#!/bin/bash
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget
Replace myname with the next level's user in the md5sum line and the /tmp path follows
23. Cron job audit, harder
#!/bin/bash
myname=$(whoami)
cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        owner="$(stat --format "%U" ./$i)"
        if [ "${owner}" = "bandit23" ]; then
            timeout -s 9 60 ./$i
        fi
        rm -f ./$i
    fi
done
Every 60 s it executes every script in /var/spool/$myname (owned by bandit23) and then deletes everything in that directory
vim test.sh, with the contents:
#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/test
then:
touch /tmp/test
chmod 777 /tmp/test
chmod 777 test.sh
cp test.sh /var/spool/bandit24/
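Levels 22 and 23 both come down to reading what a cron job runs, as whom, and who can change that. The snippet below is an added example, not part of the original writeup or of the game: it walks a cron.d-style directory, prints each job's user and script together with the script's owner and mode, and flags scripts that are missing or writable by everyone. The directory and scripts it inspects are constructed inside the block; only ls, find, grep, awk and cut are assumed.

```shell
#!/bin/sh
# Added example, not part of the original writeup: list the scripts that
# system crontabs in a cron.d-style directory run, who they run as, and
# whether anyone other than the owner can rewrite them.
# Assumes only coreutils-style tools (ls, find, grep, awk, cut).

# One line per job:
#   <crontab>: runs as <user> -> <script> owner=<o> mode=<m> [WORLD-WRITABLE]
# or "... -> <script> MISSING" when the path does not exist.
audit_cron_dir() {
    crondir=$1
    for cf in "$crondir"/*; do
        [ -f "$cf" ] || continue
        # Drop comments and blank lines; system crontabs carry a user field
        # between the schedule and the command.
        grep -v '^[[:space:]]*#' "$cf" | grep -v '^[[:space:]]*$' |
        while read -r min hour dom mon dow user cmd rest; do
            case $min in *=*) continue ;; esac      # MAILTO=..., SHELL=... lines
            if [ ! -e "$cmd" ]; then
                printf '%s: runs as %s -> %s MISSING\n' "$cf" "$user" "$cmd"
                continue
            fi
            owner=$(ls -ld "$cmd" | awk '{print $3}')
            mode=$(ls -ld "$cmd" | cut -c1-10)
            flag=""
            # -perm -002: the "other" write bit is set
            if [ -n "$(find "$cmd" -prune -perm -002)" ]; then
                flag=" WORLD-WRITABLE"
            fi
            printf '%s: runs as %s -> %s owner=%s mode=%s%s\n' \
                "$cf" "$user" "$cmd" "$owner" "$mode" "$flag"
        done
    done
}

# Number of jobs whose script anyone can edit: the situation level 23 turns
# on, a job running as one user executing files another user can write.
count_world_writable() {
    audit_cron_dir "$1" | grep -c 'WORLD-WRITABLE'
}

# Constructed sample: one job with a locked-down script, one whose script
# is world-writable, and one whose script no longer exists.
build_sample_cron() {
    d=$1
    mkdir -p "$d/cron.d" "$d/bin"
    printf '#!/bin/sh\necho ok\n' > "$d/bin/tidy.sh";  chmod 755 "$d/bin/tidy.sh"
    printf '#!/bin/sh\necho ok\n' > "$d/bin/loose.sh"; chmod 777 "$d/bin/loose.sh"
    printf '# constructed crontab\nMAILTO=root\n* * * * * root %s/bin/tidy.sh\n' "$d" > "$d/cron.d/tidy"
    printf '*/5 * * * * backup %s/bin/loose.sh --quiet\n' "$d" > "$d/cron.d/loose"
    printf '0 3 * * * root %s/bin/gone.sh\n' "$d" > "$d/cron.d/gone"
    echo "$d/cron.d"
}

demo=$(mktemp -d)
audit_cron_dir "$(build_sample_cron "$demo")"
```

Run against a real /etc/cron.d the same function reports every job; a script owned by, or writable by, a lower-privileged account than the one in the user column is exactly the pattern these two levels are built around, and the one to fix first.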
24. Port 30002 wants this level's password, a space, and any 4 digits
Build a wordlist:
p=pass24   # bandit24's password
for i in {0000..9999}   # brace expansion keeps the leading zeros
do
echo "$p $i" >> test
done
cat test | nc localhost 30002 > test1
sort test1 | uniq -u
25. more and vi combo
Shrink the terminal window, connect with the key so more has to paginate, press v to open vi, then :set shell=/bin/bash and :shell to get into 26
26. Nothing new
Use the shell from the previous level and the given binary
27-33. The git series
git clone to clone the repository
git show to inspect a commit; git log to view the history
git show-branch -a to see what changed on remote branches; git remote show <repo>
git tag
git add -f file to force-add an ignored file; git commit -m "add key.txt" to commit with a message
32. Shell quirk
$0 expands to the shell's own name, which spawns a normal shell again
All in all it's a refresher of basic Linux operations, perfect for slacking off at work!!!!!