bandit(16-20)

Bandit Level 16 → Level 17

Level Goal

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

 

Key points:

The nmap command

Steps:

nmap -sV localhost -p 31000-32000

openssl s_client -connect localhost:31790

Note: to save the key, create /tmp/bandit16/priv_name and restrict the key's permissions to at least 700; otherwise the login will not succeed.

Password: xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn

 

 

Bandit Level 17 → Level 18

Level Goal
There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new

Key points:

The diff command. See https://www.runoob.com/linux/linux-comm-diff.html

Steps:

diff passwords.new passwords.old 

Password: kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd

 

Bandit Level 18 → Level 19

Level Goal
The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

 

Key points:

Running a command at SSH login. See https://blog.csdn.net/liweigao01/article/details/84142576?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522160083822019195246646195%2522%252C%2522scm%2522%253A%252220140713.130102334..%2522%257D&request_id=160083822019195246646195&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~all~first_rank_v2~rank_v28-3-84142576.pc_first_rank_v2_rank_v28&utm_term=ssh%E7%99%BB%E5%BD%95%E6%89%A7%E8%A1%8C%E5%91%BD%E4%BB%A4&spm=1018.2118.3001.4187

Steps:

ssh bandit18@bandit.labs.overthewire.org -p 2220 "cat ./readme"

Or: ssh bandit18@bandit.labs.overthewire.org -p 2220 cat ./readme

Password: IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

 

Bandit Level 19 → Level 20

Level Goal
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

 

Key points:

setuid permissions. See https://blog.csdn.net/weixin_44575881/article/details/86552016

Steps:

Run ls -l to check the setuid permission: the s bit is already set and the file owner is bandit20.

./bandit20-do cat /etc/bandit_pass/bandit20

Password: GbKksEFF4yrVs6il55v6gwY5aVje5f0j

 

Bandit Level 20 → Level 21

Level Goal
There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: Try connecting to your own network daemon to see if it works as you think

Key points:

Listening with nc

Steps:

nc -lv < /etc/bandit_pass/bandit20 &

./suconnect [port]

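Note: add the -v flag when listening, so that you can see which port the system assigned; otherwise you would not know it.

Password: gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr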
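
The exchange in this level, as an added Python example that is not part of the original post: a listener that serves the current password on an OS-assigned port and reads that port back (the reason for -v above), and a hypothetical stand-in for the setuid checker. The function names and the sample secrets are constructed for illustration.

```python
import hmac
import socket
import threading

def start_listener(secret):
    """Listener role (what nc does on the page): serve `secret` to one client."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))       # port 0: the OS assigns a free port
    srv.listen(1)
    srv.settimeout(5)
    port = srv.getsockname()[1]      # read the assigned port back (what -v reveals)
    reply = {}

    def handle():
        conn, _ = srv.accept()
        with srv, conn:
            conn.settimeout(5)
            conn.sendall(secret.encode() + b"\n")
            # Whatever the checker sends back; empty string if it just closes.
            reply["line"] = conn.makefile("r").readline().strip()

    worker = threading.Thread(target=handle, daemon=True)
    worker.start()
    return port, worker, reply

def checker(port, expected, next_secret):
    """Hypothetical stand-in for the setuid checker: connect to the given port,
    read one line, compare it, and transmit the next secret only on a match."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as conn:
        line = conn.makefile("r").readline().strip()
        ok = hmac.compare_digest(line.encode(), expected.encode())
        if ok:
            conn.sendall(next_secret.encode() + b"\n")
        return ok

def run_exchange(sent, expected, next_secret):
    """Run both sides once; return (port, match, line received by the listener)."""
    port, worker, reply = start_listener(sent)
    ok = checker(port, expected, next_secret)
    worker.join(5)
    return port, ok, reply.get("line")

if __name__ == "__main__":
    # Constructed sample values, not real level passwords.
    print(run_exchange("constructed-current", "constructed-current", "constructed-next"))
    print(run_exchange("wrong-guess", "constructed-current", "constructed-next"))
```
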

 

 

 
