Bandit Level 16 → Level 17
Level Goal
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
Key points:
The nmap command
Steps:
nmap -sV localhost -p 31000-32000
openssl s_client -connect localhost:31790
Note: to save the key, create /tmp/bandit16/priv_name and restrict the key's permissions to at least 700, otherwise the login will fail.
Password: xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn
Bandit Level 17 → Level 18
Level Goal
There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new
Key points:
The diff command. Reference: https://www.runoob.com/linux/linux-comm-diff.html
Steps:
diff passwords.new passwords.old
Password: kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
Bandit Level 18 → Level 19
Level Goal
The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
Key points:
Steps:
ssh bandit18@bandit.labs.overthewire.org -p 2220 "cat ./readme"
or: ssh bandit18@bandit.labs.overthewire.org -p 2220 cat ./readme
Password: IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
Bandit Level 19 → Level 20
Level Goal
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.
Key points:
setuid permissions. Reference: https://blog.csdn.net/weixin_44575881/article/details/86552016
Steps:
Run ls -l to check the binary's setuid permission: the s bit is already set, and the file owner is bandit20.
./bandit20-do cat /etc/bandit_pass/bandit20
Password: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Bandit Level 20 → Level 21
Level Goal
There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
NOTE: Try connecting to your own network daemon to see if it works as you think
Key points:
Listening with nc
Steps:
nc -lv < /etc/bandit_pass/bandit20 &
./suconnect [port]
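Note: add the -v option when listening; otherwise the system assigns a port on its own and you will not know which one it is.
Password: gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr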
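The Level 20 exchange, as an added example (not part of the original write-up and not OverTheWire's code): both sides run on loopback, and the listener binds to port 0 and reads back the OS-assigned port, which is the information -v reveals for nc. The passwords, function names and the Python reimplementation of the client are assumptions made for illustration.

```python
import socket
import threading

CURRENT = "constructed-current-password"  # constructed stand-in, not a real password
NEXT = "constructed-next-password"        # constructed stand-in, not a real password


def open_listener():
    """Bind to port 0 so the OS picks a free port, then read that port back."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def listener_side(srv, line, received):
    """Role of the nc listener: send one line, then record whatever comes back."""
    conn, _ = srv.accept()
    with conn:
        conn.sendall(line.encode() + b"\n")
        received.append(conn.makefile("r").readline().strip())


def client_side(port, expected, reward):
    """Role the level describes for the binary: connect, read a line, compare, reply."""
    with socket.create_connection(("127.0.0.1", port)) as conn:
        got = conn.makefile("r").readline().strip()
        if got == expected:
            conn.sendall(reward.encode() + b"\n")
            return True
        return False  # mismatch: close without sending anything


def run_exchange(sent_line):
    """Run both sides on loopback; return (port, matched, reply seen by the listener)."""
    srv, port = open_listener()
    received = []
    t = threading.Thread(target=listener_side, args=(srv, sent_line, received))
    t.start()
    matched = client_side(port, CURRENT, NEXT)
    t.join()
    srv.close()
    return port, matched, received[0]


if __name__ == "__main__":
    print(run_exchange(CURRENT))  # matching line: the listener receives the reply
    print(run_exchange("wrong"))  # wrong line: the listener sees an empty reply
```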