OverTheWire: Bandit Walkthrough Guide

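OverTheWire's wargames are a great way for beginners to learn attack-and-defense techniques: working through them teaches basic tool usage and the thinking behind it. This article collects solution notes for Bandit, the introductory wargame, to help people who are just starting out organize their approach. The methods shown here are not the only or the best ones and are for reference only. The passwords are changed periodically by the maintainers, so the ones listed here are not authoritative; use the values you actually obtain.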

OverTheWire website: OverTheWire: Wargames, https://overthewire.org/wargames/

Click Bandit on the left to enter the Bandit wargame. I use macOS, with iTerm2 as the terminal and oh-my-zsh as the shell.

While learning, besides searching the web for individual commands, you can also refer to the book The Linux Command Line, Second Edition. Download link: https://pan.baidu.com/s/13iWiNLR0gkB-kwfydzeyAw (extraction code: jsf5)


Bandit Level 0

Level Goal

The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the level 1 page to find out how to beat Level 1.

Commands you may need to solve this level

ssh

The first level is very simple: use ssh on port 2220 to log in to bandit.labs.overthewire.org, with bandit0 as both the username and the password. Open a terminal and log in:

ssh -p 2220 bandit0@bandit.labs.overthewire.org

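After logging in, list the directory with ls, find readme, and read it with cat to get the password boJ9jbbUNNfktd78OOpsqOltutMc3MY1. Every later level is logged into the same way: ssh with that level's account, bandit[xx] (xx is the level number; a few special levels are exceptions).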


Bandit Level 1 → Level 2

Level Goal

The password for the next level is stored in a file called - located in the home directory

Commands you may need to solve this level

ls, cd, cat, file, du, find

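This level is also simple and mainly tests reading files. Note that the name '-' is the same as the root directory name, so the file must be accessed through a relative path: cat ./- gives the password CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9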


Bandit Level 2 → Level 3

Level Goal

The password for the next level is stored in a file called spaces in this filename located in the home directory

Commands you may need to solve this level

ls, cd, cat, file, du, find

This level tests basic cat usage on a file name that contains spaces: escape each space with the escape character \. cat then gives the password UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK


Bandit Level 3 → Level 4

Level Goal

The password for the next level is stored in a hidden file in the inhere directory.

Commands you may need to solve this level

ls, cd, cat, file, du, find

This level tests access to hidden files: cd into the directory, list all files with ls -al, then read the file with cat to get the password pIwrPrtPN36QITSp3EQaw936yaFoFgAB


Bandit Level 4 → Level 5

Level Goal

The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.

Commands you may need to solve this level

ls, cd, cat, file, du, find

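After entering the inhere directory you see many files, one of which hides the password. Checking them with the file command shows that only one of them is ASCII text; cat it to find the password koReBOKuIDDepwhWk7jZC0RTdopnAYKh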


Bandit Level 5 → Level 6

Level Goal

The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:

  • human-readable
  • 1033 bytes in size
  • not executable

Commands you may need to solve this level

ls, cd, cat, file, du, find

The Bandit5 directory contains many files. Following the hint, find the 1033-byte file with this command:

find . -type f -size 1033c

This finds the file ./maybehere07/.file2, which holds the password DXjZPULLxYr17uwoI01bNLQbtFemEgo7

For details on the find command, see: Linux find command | Runoob (菜鸟教程)


Bandit Level 6 → Level 7

Level Goal

The password for the next level is stored somewhere on the server and has all of the following properties:

  • owned by user bandit7
  • owned by group bandit6
  • 33 bytes in size

Commands you may need to solve this level

ls, cd, cat, file, du, find, grep

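Look at the requirements first. The bandit7 password file has three properties: it is owned by user bandit7, owned by group bandit6, and 33 bytes in size. We do not know where the file is. This level again tests the find tool, and all three properties can be passed to find as arguments: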

find / -user bandit7 -group bandit6 -size 33c

Because we do not know where the file is, we search from the root directory and eventually find the file that matches these conditions.

Read the file with cat to find the password HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs


Bandit Level 7 → Level 8

Level Goal
The password for the next level is stored in the file data.txt next to the word millionth

Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

This level's password is stored next to the word millionth. The grep command matches text inside files and is very powerful; for the full manual see grep(1) - Linux manual page

Basic usage is to give grep the string to match. We use grep to search for the word millionth, which is very simple.

This gives the password cvX2JJa4CFALtqS87jk27qwqGhBM9plV


Bandit Level 8 → Level 9 

Level Goal
The password for the next level is stored in the file data.txt and is the only line of text that occurs only once

Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

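According to the level goal, the password is in data.txt and occurs only once, so the uniq command will find it. uniq has to be used together with sort, because uniq detects duplicates by comparing adjacent lines; so sort first, then uniq.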

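uniq usage:

uniq [-cdu][-f<fields>][-s<char position>][-w<char position>][--help][--version][input file][output file]

Options:

  • -c or --count: show next to each line the number of times it occurs.
  • -d or --repeated: show only lines that are repeated.
  • -f<fields> or --skip-fields=<fields>: skip the given fields when comparing.
  • -s<char position> or --skip-chars=<char position>: skip the given characters when comparing.
  • -u or --unique: show only lines that occur once.
  • -w<char position> or --check-chars=<char position>: specify the characters to compare.
  • --help: show help.
  • --version: show version information.
  • [input file]: an already sorted text file. If omitted, data is read from standard input.
  • [output file]: the file to write to. If omitted, output goes to standard output (the terminal).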

uniq -u finds the password UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR


Bandit Level 9 → Level 10

Level Goal
The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.

Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

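This level's password follows several '=' characters. Looking at the file with cat first produces a lot of output, much of it not human-readable, so filter it with strings. The strings command finds printable strings in object files or binary files; a string is any sequence of 4 or more printable characters that ends with a newline or a null character. strings is useful for identifying arbitrary object files.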

strings usage:

strings [ -a ] [ - ] [ -o ] [ -t Format ] [ -n Number ] [ -Number ]  [file ... ]

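  • -a --all: scan the whole file instead of only the initialized and loaded sections of an object file
  • -f --print-file-name: print the file name before each string
  • -n --bytes=[number]: find and print all NUL-terminated sequences
  • -Number: set the minimum number of characters to display; the default is 4
  • -t --radix={o,d,x}: print the position of each string, in octal, decimal or hexadecimal
  • -o: like --radix=o
  • -T --target=: specify the binary file format
  • -e --encoding={s,S,b,l,B,L}: select the character size and byte order: s = 7-bit, S = 8-bit, {b,l} = 16-bit, {B,L} = 32-bit
  • @file: read options from file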

We use the following command

strings ./data.txt

and find the password truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk


Bandit Level 10 → Level 11

Level Goal
The password for the next level is stored in the file data.txt, which contains base64 encoded data

Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

This level is very simple: decode data.txt with base64 to get the password IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR


Bandit Level 11 → Level 12

Level Goal
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions

Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

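This level is about the classic ROT13 cipher. Cryptography is an important area; interested readers can search for ROT13 to find an introduction to it and to more cryptography. The Krypton wargame has many cryptography levels that are good for learning the related techniques.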

In this level we use tr to do the ROT13 decryption, which gives the password 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
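
The filters used in Levels 7, 8, 10 and 11, run end to end as an added example that is not part of the original walkthrough. The files and every value in them are constructed, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: text filters from Levels 7, 8, 10 and 11 on constructed files.
# No value below comes from the game server.

# Write the constructed sample files into directory $1.
make_samples() {
    printf 'humming\tAAAA\nmillionth\tEXAMPLE7\nmillions\tBBBB\n' > "$1/l7.txt"
    printf 'alpha\nbeta\nalpha\ngamma\nbeta\n'                    > "$1/l8.txt"
    printf 'The password is EXAMPLE10\n' | base64                 > "$1/l10.txt"
    printf 'Gur cnffjbeq vf RKNZCYR\n'                            > "$1/l11.txt"
}

# Level 7: the value stored next to a keyword (second field of the matching line).
value_next_to() { grep -w -- "$2" "$1" | awk '{print $2}'; }

# Level 8: the only line that occurs once. uniq compares adjacent lines only,
# so the input has to be sorted first.
only_once() { sort "$1" | uniq -u; }

# The same file without sort: no duplicates are adjacent, so uniq -u
# reports every line as unique. Returns the number of lines printed.
unsorted_count() { uniq -u "$1" | wc -l | tr -d ' '; }

# Level 10: decode base64 text.
b64_decode() { base64 -d "$1"; }

# Level 11: ROT13 is its own inverse, so one tr mapping both encodes and decodes.
rot13() { tr 'A-Za-z' 'N-ZA-Mn-za-m' < "$1"; }

demo() (
    dir=$(mktemp -d) || exit 1
    make_samples "$dir"
    value_next_to "$dir/l7.txt" millionth
    only_once "$dir/l8.txt"
    echo "lines reported without sort: $(unsorted_count "$dir/l8.txt")"
    b64_decode "$dir/l10.txt"
    rot13 "$dir/l11.txt"
    rm -rf "$dir"
)
demo
```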


Bandit Level 12 → Level 13

Level Goal
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)

Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd, mkdir, cp, mv, file

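Look at this level's file first: it is data.txt again. cat shows that it is a hexdump, and the hint says repeatedly compressed. Following the hint, we create a temporary directory under /tmp (because of permissions we can only create directories under /tmp) and copy the file there. Note: do not give the copy a file extension.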

bandit12@bandit:~$ mkdir /tmp/bandit12
bandit12@bandit:~$ cp ./data.txt /tmp/bandit12/data
bandit12@bandit:~$ cd /tmp/bandit12/

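Next, we use xxd to reverse the hexdump and then check the file format with the file command. It turns out to be a gzip archive, so we decompress it with gzip and keep decompressing. The process is as follows: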

bandit12@bandit:/tmp/bandit12$ file data
data: ASCII text
bandit12@bandit:/tmp/bandit12$ xxd -r ./data ./data.out
bandit12@bandit:/tmp/bandit12$ file data.out
data.out: gzip compressed data, was "data2.bin", last modified: Thu May  7 18:14:30 2020, max compression, from Unix
bandit12@bandit:/tmp/bandit12$ mv data.out ./data.gz
bandit12@bandit:/tmp/bandit12$ gzip -d ./data.gz ./data.out
bandit12@bandit:/tmp/bandit12$ file data.out
data.out: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/bandit12$ mv ./data.out ./data.bz2
bandit12@bandit:/tmp/bandit12$ bunzip2 -d ./data.bz2 ./data.out
bandit12@bandit:/tmp/bandit12$ file data.out
data.out: gzip compressed data, was "data4.bin", last modified: Thu May  7 18:14:30 2020, max compression, from Unix
bandit12@bandit:/tmp/bandit12$ mv ./data.out ./data.gz
bandit12@bandit:/tmp/bandit12$ gzip -d data.gz
bandit12@bandit:/tmp/bandit12$ ls
data4.bin
bandit12@bandit:/tmp/bandit12$ file data4.bin
data4.bin: POSIX tar archive (GNU)
bandit12@bandit:/tmp/bandit12$ mv data4.bin data.tar
bandit12@bandit:/tmp/bandit12$ tar xvf data.tar
data5.bin
bandit12@bandit:/tmp/bandit12$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@bandit:/tmp/bandit12$ mv data5.bin data.tar
bandit12@bandit:/tmp/bandit12$ tar xvf data.tar
data6.bin
bandit12@bandit:/tmp/bandit12$ mv data6.bin data.tar
bandit12@bandit:/tmp/bandit12$ tar xvf data.tar
data8.bin
bandit12@bandit:/tmp/bandit12$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", last modified: Thu May  7 18:14:30 2020, max compression, from Unix
bandit12@bandit:/tmp/bandit12$ gzip -d data.gz
bandit12@bandit:/tmp/bandit12$ ls
data  data.tar
bandit12@bandit:/tmp/bandit12$ file data
data: ASCII text
bandit12@bandit:/tmp/bandit12$ cat data
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

This gives the password 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

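In the intermediate steps, whenever file reports gzip compressed data, was "xxx.bin", there is a shortcut for getting the archive contents without the gzip decompression command: zcat. Interested readers can try it. For an introduction to zcat, see: zcat command - Linux command reference | linux tutorial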
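
The manual file / rename / decompress cycle above can be automated. This added example (not part of the original walkthrough) starts from the binary that xxd -r produces, recognises each layer by its magic bytes, and peels gzip, bzip2 and tar layers until plain data remains. The sample archive, its contents and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: peel nested gzip/bzip2/tar layers until plain data remains.
# Layers are recognised by magic bytes, the signatures that `file` reports on.

# Print the layer type of file $1: gzip, bzip2, tar or data.
layer_type() {
    magic=$(od -An -tx1 -N3 "$1" | tr -d ' \n')
    case "$magic" in
        1f8b*)  echo gzip;  return ;;   # gzip header starts with 1f 8b
        425a68) echo bzip2; return ;;   # bzip2 header is the text "BZh"
    esac
    # POSIX tar stores the string "ustar" at byte offset 257.
    if [ "$(dd if="$1" bs=1 skip=257 count=5 2>/dev/null)" = "ustar" ]; then
        echo tar
    else
        echo data
    fi
}

# Peel the layers of file $1 inside scratch directory $2 and print the path
# of the final file. Gives up after 20 layers to bound work on hostile input.
# tar members are written to stdout, so member names never touch the disk.
peel() {
    cur=$1; work=$2; n=0
    while [ "$n" -lt 20 ]; do
        n=$((n + 1))
        case "$(layer_type "$cur")" in
            gzip)  gzip  -dc  "$cur" > "$work/layer$n" || return 1 ;;
            bzip2) bzip2 -dc  "$cur" > "$work/layer$n" || return 1 ;;
            tar)   tar   -xOf "$cur" > "$work/layer$n" || return 1 ;;
            data)  echo "$cur"; return 0 ;;
        esac
        cur="$work/layer$n"
    done
    echo "too many layers" >&2
    return 1
}

# Constructed input: text -> gzip -> tar -> gzip, like the layers in the
# transcript. Prints the path of the outermost file.
make_sample() {
    ( cd "$1" &&
      printf 'The password is EXAMPLE12\n' > data9 &&
      gzip -c data9 > data8.bin &&
      tar -cf data6.bin data8.bin &&
      gzip -c data6.bin > data.out ) || return 1
    echo "$1/data.out"
}

demo() (
    d=$(mktemp -d) || exit 1
    cat "$(peel "$(make_sample "$d")" "$d")"
    rm -rf "$d"
)
demo
```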


Bandit Level 13 → Level 14

Level Goal
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on

Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap

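Starting with this level the tools change: we need to get to know network tools such as ssh, telnet, nc, openssl and nmap. This level asks us to log in to bandit14 with ssh. Looking through the files for clues, the bandit13 directory contains bandit14's SSH private key, so we log in to bandit14 directly with ssh and the private key.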

bandit13@bandit:~$ ssh -i ./sshkey.private bandit14@localhost -p2220

Login succeeds. Looking for bandit14's password in /etc/bandit_pass, we find 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e


Bandit Level 14 → Level 15

Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap

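This level sends the password of 14 to port 30000, which the nc command can do. nc is small but powerful; anyone who wants to get good at attack-and-defense techniques should learn it. Sending the bandit14 password with nc returns the password
BfMYroe26WYalil77FoDi9qh59eK5xNr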

bandit14@bandit:~$ nc localhost 30000
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr

Some people solve this level with telnet, which also works, using the following command

telnet -l bandit15 localhost 30000

Bandit Level 15 → Level 16

Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…

Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap

Here we connect to port 30001 with openssl and send the current level's password to get the password for 16, cluFn7wTiGryunymYOu4RcffSxQluehd. Very simple.

bandit15@bandit:~$ openssl s_client -connect localhost:30001 -ign_eof
(server information omitted)
---
BfMYroe26WYalil77FoDi9qh59eK5xNr
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd

The hint says to use -ign_eof, but adding it or not made no difference to the result.


Bandit Level 16 → Level 17

Level Goal
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap

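The level asks us to scan ports 31000 to 32000 first and find the SSL ports. nmap can do the scan; it is a very handy port scanner, and many different options give the needed scan here, such as -A or -sV. Players can try different scan options themselves.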

bandit16@bandit:~$ nmap -sV localhost -p 31000-32000

Starting Nmap 7.40 ( https://nmap.org ) at 2022-01-17 15:36 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00031s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE     VERSION
31046/tcp open  echo
31518/tcp open  ssl/echo
31691/tcp open  echo
31790/tcp open  ssl/unknown
31960/tcp open  echo
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 89.48 seconds

Port 31790: we try connecting to it, and it returns an SSH private key.

bandit16@bandit:~$ openssl s_client -connect localhost:31790 -ign_eof
(server information omitted)
---
cluFn7wTiGryunymYOu4RcffSxQluehd
Correct!
-----BEGIN RSA PRIVATE KEY-----
(key body omitted)
-----END RSA PRIVATE KEY-----

closed

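To log in to bandit17 with the private key, we create a new directory under /tmp and write the private key to a file there. Be sure to change the file's permissions with chmod 600; otherwise ssh -i cannot be used to log in.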


Bandit Level 17 → Level 18

Level Goal
There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new

NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19

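After logging in to 17 and listing the directory, there are two files. The hint says that the changed line is the password, so use the diff command to see the changed line and find the password: kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd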

bandit17@bandit:~$ ls
passwords.new  passwords.old
bandit17@bandit:~$ diff -d passwords.new passwords.old
42c42
< kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
---
> w0Yfolrc5bwjS4qw5mq1nnQi6mF03bii

Bandit Level 18 → Level 19

Level Goal
The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

Commands you may need to solve this level
ssh, ls, cat

Logging in directly to this level shows "Byebye" and the session is closed, because .bashrc has been modified. We can run ssh with a command to read the file.

ssh -p 2220 bandit18@bandit.labs.overthewire.org "cat ./readme"                                                                                        

This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit18@bandit.labs.overthewire.org's password:
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

Reading the readme file in the home directory before the session closes gives the password IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

Other arguments can also be used to spawn a shell directly, as follows:

ssh -p 2220 bandit18@bandit.labs.overthewire.org "/bin/bash"
ssh -p 2220 bandit18@bandit.labs.overthewire.org "/bin/sh"
ssh -p 2220 bandit18@bandit.labs.overthewire.org "export TERM=xterm;python -c  'import pty;pty.spawn(\"/bin/bash\")'" 

Bandit Level 19 → Level 20

Level Goal
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

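For setuid, look at the file permissions: ls -al lists all files with their permissions. Note that bandit20-do is -rwsr-x---: the file has the SUID bit, which means the program runs with the same privileges as the file's owner. Use it to read the Level 20 file and get the password GbKksEFF4yrVs6il55v6gwY5aVje5f0j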

bandit19@bandit:~$ ls -al
total 28
drwxr-xr-x  2 root     root     4096 May  7  2020 .
drwxr-xr-x 41 root     root     4096 May  7  2020 ..
-rwsr-x---  1 bandit20 bandit19 7296 May  7  2020 bandit20-do
-rw-r--r--  1 root     root      220 May 15  2017 .bash_logout
-rw-r--r--  1 root     root     3526 May 15  2017 .bashrc
-rw-r--r--  1 root     root      675 May 15  2017 .profile
bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j

Bandit Level 20 → Level 21

Level Goal
There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: Try connecting to your own network daemon to see if it works as you think

Commands you may need to solve this level
ssh, nc, cat, bash, screen, tmux, Unix ‘job control’ (bg, fg, jobs, &, CTRL-Z, …)

Log in to Bandit20 and list the files; there is a suconnect binary

bandit20@bandit:~$ ls -l
total 12
-rwsr-x--- 1 bandit21 bandit20 12088 May  7  2020 suconnect

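Check the level description for how suconnect is used. It says: it makes a connection to localhost on the port you specify as a commandline argument. In other words, suconnect connects to the port we specify, but we have to serve the password on that port. There are several ways to do this: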

# Method 1: serve the password on a random port; & runs the listener in the background so that we can connect with suconnect
bandit20@bandit:~$ nc -lv < /etc/bandit_pass/bandit20 &
[3] 10522
[2]   Exit 1                  nc -lv < etc/bandit_pass/bandit20
bandit20@bandit:~$ listening on [any] 37469 ...

bandit20@bandit:~$ ./suconnect 37469
connect to [127.0.0.1] from localhost [127.0.0.1] 34980
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
[3]-  Done                    nc -lv < /etc/bandit_pass/bandit20

# Method 2: serve the password on a specified port, again with &
bandit20@bandit:~$ echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" |nc -l -p 30088 &
[1] 21523
bandit20@bandit:~$ ./suconnect 30088
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr

This gives the password gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr


Bandit Level 21 → Level 22

Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

Commands you may need to solve this level
cron, crontab, crontab(5) (use “man 5 crontab” to access this)

Here we look in the cron.d directory for the scheduled jobs and find what bandit22 runs, then read the .sh file, find the file under /tmp, and read that file.

bandit21@bandit:/etc/cron.d$ cat ./*
* * * * * root /usr/bin/cronjob_bandit15_root.sh &> /dev/null
* * * * * root /usr/bin/cronjob_bandit17_root.sh &> /dev/null
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
@reboot bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * root /usr/bin/cronjob_bandit25_root.sh &> /dev/null
bandit21@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
bandit21@bandit:/etc/cron.d$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

This gives the password Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI


Bandit Level 22 → Level 23

Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.

Commands you may need to solve this level
cron, crontab, crontab(5) (use “man 5 crontab” to access this)

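As in level 21, first look at the scheduled jobs in /etc/cron.d to see what user bandit23 runs, then check which commands the script executes, and finally find the password jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n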

bandit22@bandit:/etc/cron.d$ cat ./*
* * * * * root /usr/bin/cronjob_bandit15_root.sh &> /dev/null
* * * * * root /usr/bin/cronjob_bandit17_root.sh &> /dev/null
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
@reboot bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * root /usr/bin/cronjob_bandit25_root.sh &> /dev/null
bandit22@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget
bandit22@bandit:/etc/cron.d$ echo I am user bandit23 | md5sum |cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349
bandit22@bandit:/etc/cron.d$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n

Note that the whoami command in the script runs as bandit23, not bandit22, so the command cannot simply be re-run as it is; replace the whoami value with bandit23 directly.


Bandit Level 23 → Level 24

Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!

NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…

Commands you may need to solve this level
cron, crontab, crontab(5) (use “man 5 crontab” to access this)

As before, look at the scheduled jobs in /etc/cron.d first

bandit23@bandit:/etc/cron.d$ cat ./*
* * * * * root /usr/bin/cronjob_bandit15_root.sh &> /dev/null
* * * * * root /usr/bin/cronjob_bandit17_root.sh &> /dev/null
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
@reboot bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * root /usr/bin/cronjob_bandit25_root.sh &> /dev/null

bandit23@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        owner="$(stat --format "%U" ./$i)"
        if [ "${owner}" = "bandit23" ]; then
            timeout -s 9 60 ./$i
        fi
        rm -f ./$i
    fi
done

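Here we see what the script does: it changes to the /var/spool/bandit24 directory and iterates over all files. A file whose owner is bandit23 is executed first, for a limited time, and then each file is deleted.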

First look at the attributes of /var/spool/bandit24

bandit23@bandit:/tmp$ ls -al /var/spool
total 20
drwxr-xr-x  5 root root     4096 May 14  2020 .
drwxr-xr-x 11 root root     4096 May  7  2020 ..
drwxrwx-wx 62 root bandit24 4096 Jan 19 12:46 bandit24
drwxr-xr-x  3 root root     4096 May  3  2020 cron
lrwxrwxrwx  1 root root        7 May  3  2020 mail -> ../mail
drwx------  2 root root     4096 Jan 14  2018 rsyslog

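The bandit24 group can read and write this directory. We write a script and copy it into that directory. The script is very simple, shown below. After writing it, remember to run chmod +x ./get_pass.sh, or it will not run.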

bandit23@bandit:/tmp$ vim ./get_pass.sh

#!/bin/bash

cat /etc/bandit_pass/bandit24 > /tmp/bandit24pass

Copy it to /var/spool/bandit24/foo: cp ./get_pass.sh /var/spool/bandit24/

Then we wait for it to run. Once it has run, we get the password UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

There is a waiting period, so it takes a little while before the password is available


Bandit Level 24 → Level 25

Level Goal
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.

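The hint for this level is brute force. There are several ways to generate the candidate inputs. The simplest one that also works on many machines is a shell script, since a shell script is quite likely to run without trouble on a Linux server. The script that generates the brute-force inputs is as follows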

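#!/bin/bash

# Password of the current level, as obtained in the previous level
bandit24='UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ'

# One line per candidate: "<password> <4-digit pin>", 0000 through 9999
for i in {0..9}{0..9}{0..9}{0..9}
do
    echo "$bandit24 $i" >> bandit25pin
done
# Send every line over one connection and keep the daemon's replies
cat ./bandit25pin | nc localhost 30002 >> ./bandit25pass
# The answer is at the end of the replies
tail -n 5 ./bandit25pass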

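Note that there has to be a space between the bandit24 password and the PIN; without the space the correct password is not returned. tail shows the replies: as soon as the correct reply comes back the program exits, so tail -n 5 is all we need. The result is below, giving the password uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG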

bandit24@bandit:/tmp/bandit24$ ./get-pass.sh
Wrong! Please enter the correct pincode. Try again.
Correct!
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

Exiting.

Bandit Level 25 → Level 26

Level Goal
Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.

Commands you may need to solve this level
ssh, cat, more, vi, ls, id, pwd

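Log in to bandit25; the home directory contains an sshkey for bandit26. Connecting to bandit26 with ssh -i shows connection closed. Rereading the level goal, the problem is the shell: it is not /bin/bash. So look at /etc/passwd to find bandit26's shell.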

bandit25@bandit:~$ cat /etc/passwd|grep bandit26
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
bandit25@bandit:~$ cat /usr/bin/showtext
#!/bin/sh

export TERM=linux

more ~/text.txt
exit 0

There is an exit 0, so we get logged out…

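We need a way around this. From the shell's configuration, more is available to us. So we make the terminal window smaller, so that more does not finish, then press v to enter edit mode and type :r /etc/bandit_pass/bandit26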

This gives the password 5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z


Bandit Level 26 → Level 27

Level Goal
Good job getting a shell! Now hurry and grab the password for bandit27!

Commands you may need to solve this level
ls

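Logging in to 26 directly with the password runs into the same situation as in 25: the shell exits immediately. Again we use the behaviour of more: shrink the terminal, then press v to enter vi mode. This time we use vi mode to spawn a shell. This is also a classic privilege-escalation issue: whenever a system grants sudo rights to edit a file with vim, the vi mode on that file can be used to escalate privileges in the same way.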

:set shell sh=/bin/sh
:sh
[No write since last change]
$ ls
bandit27-do  text.txt
$ ls -al
total 36
drwxr-xr-x  3 root     root     4096 May  7  2020 .
drwxr-xr-x 41 root     root     4096 May  7  2020 ..
-rwsr-x---  1 bandit27 bandit26 7296 May  7  2020 bandit27-do
-rw-r--r--  1 root     root      220 May 15  2017 .bash_logout
-rw-r--r--  1 root     root     3526 May 15  2017 .bashrc
-rw-r--r--  1 root     root      675 May 15  2017 .profile
drwxr-xr-x  2 root     root     4096 May  7  2020 .ssh
-rw-r-----  1 bandit26 bandit26  258 May  7  2020 text.txt
$ ./bandit27-do cat /etc/bandit_pass/bandit27
3ba3118a22e93127a4ed485be72ef5ea

Readers who want to learn vi/vim can study Learning the vi and Vim Editors, 7th edition, by Arnold Robbins, Elbert Hannah & Linda Lamb.


Bandit Level 27 → Level 28

Level Goal
There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo. The password for the user bandit27-git is the same as for the user bandit27.

Clone the repository and find the password for the next level.

Commands you may need to solve this level
git

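The next several levels are all about git. git is a very important tool with many features; learning material in electronic form can be downloaded from the official git website, which also provides a Simplified Chinese version.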

This level is about pulling the repo to the local machine with git; we use git clone

bandit27@bandit:~$ cd /tmp
bandit27@bandit:/tmp$ git clone ssh://bandit27-git@localhost/home/bandit27-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit27/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit27/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit27-git@localhost's password:
remote: Counting objects: 3, done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 3 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (3/3), done.

bandit27@bandit:/tmp$ cd repo
bandit27@bandit:/tmp/repo$ ls
README
bandit27@bandit:/tmp/repo$ cat README
The password to the next level is: 0ef186ac70e04ea33b4c1853d2526fa2

Read README to find the password 0ef186ac70e04ea33b4c1853d2526fa2


Bandit Level 28 → Level 29

Level Goal
There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo. The password for the user bandit28-git is the same as for the user bandit28.

Clone the repository and find the password for the next level.

Commands you may need to solve this level
git

Same again: clone the repo locally with git

bandit28@bandit:~$ cd /tmp/
bandit28@bandit:/tmp$ mkdir bandit28
bandit28@bandit:/tmp$ cd bandit28
bandit28@bandit:/tmp/bandit28$ git clone ssh://bandit28-git@localhost/home/bandit28-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit28/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit28/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit28-git@localhost's password:
remote: Counting objects: 9, done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 9 (delta 2), reused 0 (delta 0)
Receiving objects: 100% (9/9), done.
Resolving deltas: 100% (2/2), done.
bandit28@bandit:/tmp/bandit28$ cd repo/
bandit28@bandit:/tmp/bandit28/repo$ ls
README.md
bandit28@bandit:/tmp/bandit28/repo$ cat README.md
# Bandit Notes
Some notes for level29 of bandit.

## credentials

- username: bandit29
- password: xxxxxxxxxx

This README.md contains no password. How should we think about this? The password is shown as xxxxxxxx, so was the password changed? We look at the change history to find out.

bandit28@bandit:/tmp/bandit28/repo$ git show
commit edd935d60906b33f0619605abd1689808ccdd5ee
Author: Morla Porla <morla@overthewire.org>
Date:   Thu May 7 20:14:49 2020 +0200

    fix info leak

diff --git a/README.md b/README.md
index 3f7cee8..5c6457b 100644
--- a/README.md
+++ b/README.md
@@ -4,5 +4,5 @@ Some notes for level29 of bandit.
 ## credentials

 - username: bandit29
-- password: bbc96594b4e001778eee9975372716b2
+- password: xxxxxxxxxx
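
Review bot: the removed `- password:` line in the credentials section of README.md stays retrievable from the parent version (index 3f7cee8), so overwriting it with xxxxxxxxxx in a follow-up commit does not close the leak that the message "fix info leak" refers to. Treat the bandit29 credential as exposed and change it, and if the value must disappear from the repository, rewrite the history that contains it instead of only committing the redaction.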

git show displays the commit record. The most recent commit changed the password, which gives us the password bbc96594b4e001778eee9975372716b2


Bandit Level 29 → Level 30

Level Goal
There is a git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo. The password for the user bandit29-git is the same as for the user bandit29.

Clone the repository and find the password for the next level.

Commands you may need to solve this level
git

Again, clone the repo locally and read the hint in README.md

bandit29@bandit:/tmp/bandit29/repo$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.

## credentials

- username: bandit30
- password: <no passwords in production!>

The hint here is no passwords in production, meaning there is no password here, so let's look at the other branches.

bandit29@bandit:/tmp/bandit29/repo$ git branch -a
* master
  remotes/origin/HEAD -> origin/master
  remotes/origin/dev
  remotes/origin/master
  remotes/origin/sploits-dev
bandit29@bandit:/tmp/bandit29/repo$ git checkout dev
Branch dev set up to track remote branch dev from origin.
Switched to a new branch 'dev'
bandit29@bandit:/tmp/bandit29/repo$ ls
code  README.md
bandit29@bandit:/tmp/bandit29/repo$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.

## credentials

- username: bandit30
- password: 5b90576bedb2cc04c86a9e924ce42faf

Looking through the branches, the dev branch has a README.md; reading that file gives the password 5b90576bedb2cc04c86a9e924ce42faf


Bandit Level 30 → Level 31

Level Goal
There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo. The password for the user bandit30-git is the same as for the user bandit30.

Clone the repository and find the password for the next level.

Commands you may need to solve this level
git

As before, clone the repo locally and look at the files; this time there seems to be nothing at all.

bandit30@bandit:/tmp/bandit30/repo$ cat README.md
just an epmty file... muahaha

At this point all we can do is try a few more places and see where it might be hidden.

bandit30@bandit:/tmp/bandit30/repo$ git show
commit 3aefa229469b7ba1cc08203e5d8fa299354c496b
Author: Ben Dover <noone@overthewire.org>
Date:   Thu May 7 20:14:54 2020 +0200

    initial commit of README.md

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..029ba42
--- /dev/null
+++ b/README.md
@@ -0,0 +1 @@
+just an epmty file... muahaha
bandit30@bandit:/tmp/bandit30/repo$ git log
commit 3aefa229469b7ba1cc08203e5d8fa299354c496b
Author: Ben Dover <noone@overthewire.org>
Date:   Thu May 7 20:14:54 2020 +0200

    initial commit of README.md
bandit30@bandit:/tmp/bandit30/repo$ git branch -a
* master
  remotes/origin/HEAD -> origin/master
  remotes/origin/master
bandit30@bandit:/tmp/bandit30/repo$

Having checked all of these, this time there are no extra branches and nothing in the commit log, so let's look at the references with show-ref.

bandit30@bandit:/tmp/bandit30/repo$ git show-ref
3aefa229469b7ba1cc08203e5d8fa299354c496b refs/heads/master
3aefa229469b7ba1cc08203e5d8fa299354c496b refs/remotes/origin/HEAD
3aefa229469b7ba1cc08203e5d8fa299354c496b refs/remotes/origin/master
f17132340e8ee6c159e0a4a6bc6f80e1da3b1aea refs/tags/secret
bandit30@bandit:/tmp/bandit30/repo$ git show f171
47e603bb428404d265f59c42920d81e5

f171 is the abbreviated hash of the object that the reference refs/tags/secret points to; showing it gives the password 47e603bb428404d265f59c42920d81e5

show-ref tutorial: Git - git-show-ref Documentation
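
Levels 28 to 30 find a credential in three places a clone still carries: a line deleted by a later commit, the tip of another branch, and a tag that points straight at a blob. The following is an added example, not part of the original post or of OverTheWire, showing how a repository owner can audit for all three; SECRET_RE, audit_repo and make_demo_repo are names assumed here, and the demo values are constructed placeholders.

```shell
#!/bin/sh
# Added example: find credential-like values that a clone still exposes.
# SECRET_RE is an assumed pattern modelled on the README lines in this post.
SECRET_RE='password:[[:space:]]*[0-9A-Za-z]{16,}'

# audit_repo DIR: print one finding per line.
#   history <commit>  a commit deleted a credential line (value stays in history)
#   tree <ref>        the tip of a branch or tag still contains a credential line
#   blob-ref <ref>    a ref points at a bare blob or tree instead of a commit
audit_repo() (
    cd "$1" || exit 1
    for c in $(git rev-list --all); do
        if git show --format= --unified=0 "$c" | grep -Eq "^-.*$SECRET_RE"; then
            echo "history $c"
        fi
    done
    git for-each-ref --format='%(refname) %(objecttype) %(*objecttype)' |
    while read -r ref type peeled; do
        case ${peeled:-$type} in
            commit) if git grep -qE -e "$SECRET_RE" "$ref"; then echo "tree $ref"; fi ;;
            *)      echo "blob-ref $ref" ;;
        esac
    done
)

# make_demo_repo: build a throwaway repository with constructed placeholder
# values that mirrors levels 28-30, and print its path.
make_demo_repo() (
    d=$(mktemp -d) && cd "$d" && git init -q . || exit 1
    git config user.email demo@example.invalid
    git config user.name demo
    printf '%s\n' '- password: EXAMPLEsecret0000000001' > README.md
    git add README.md && git commit -q -m 'add notes'
    printf '%s\n' '- password: xxxxxxxxxx' > README.md
    git commit -q -a -m 'fix info leak'     # level 28: value is only "removed"
    git branch dev HEAD~1                   # level 29: old README on another branch
    blob=$(printf '%s\n' 'EXAMPLEsecret0000000002' | git hash-object -w --stdin)
    git tag secret "$blob"                  # level 30: tag pointing at a blob
    echo "$d"
)

# Audit the repository given as $1, or the constructed demo repository.
audit_repo "${1:-$(make_demo_repo)}"
```

Any finding means the value has to be treated as disclosed and rotated; editing the file on the default branch does not withdraw it from clones.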


Bandit Level 31 → Level 32

Level Goal
There is a git repository at ssh://bandit31-git@localhost/home/bandit31-git/repo. The password for the user bandit31-git is the same as for the user bandit31.

Clone the repository and find the password for the next level.

Commands you may need to solve this level
git

Same process as before; then follow the hint and push a key.txt.

# Create the file key.txt
bandit31@bandit:/tmp/bandit31/repo$ echo 'May I come in?' >> key.txt
# Stage the file (-f forces the add even if an ignore rule matches)
bandit31@bandit:/tmp/bandit31/repo$ git add -f ./key.txt
# Check that we are on master
bandit31@bandit:/tmp/bandit31/repo$ git status
On branch master
Your branch is up-to-date with 'origin/master'.
Changes to be committed:
  (use "git reset HEAD <file>..." to unstage)

	new file:   key.txt

# Commit to the local repository
bandit31@bandit:/tmp/bandit31/repo$ git commit -m 'key.txt'
[master 088ccca] key.txt
 1 file changed, 1 insertion(+)
 create mode 100644 key.txt
# Push to master on the remote origin
bandit31@bandit:/tmp/bandit31/repo$ git push origin master
Could not create directory '/home/bandit31/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit31/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit31-git@localhost's password:
Counting objects: 3, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 319 bytes | 0 bytes/s, done.
Total 3 (delta 0), reused 0 (delta 0)
remote: ### Attempting to validate files... ####
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
remote: Well done! Here is the password for the next level:
remote: 56a9bf19c63d650ce78e6ec0354ee45e
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
To ssh://localhost/home/bandit31-git/repo
 ! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'ssh://bandit31-git@localhost/home/bandit31-git/repo'

This gives the password 56a9bf19c63d650ce78e6ec0354ee45e


Bandit Level 32 → Level 33

After all this git stuff its time for another escape. Good luck!

Commands you may need to solve this level
sh, man

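I don't have a particularly good method yet: $0, which expands to the name of the running shell, drops you into a normal shell, and then cat reads the password.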

$ cat /etc/bandit_pass/bandit33
c9c3199ddf4121b10cf581a98d51caee

End of the levels… the methods will be updated from time to time.
