OverTheWire hacking game (level 0-23)

https://overthewire.org/wargames/bandit/
1.Bandit Level 0
Level Goal
The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.

bandit.labs.overthewire.org
bandit0 2220
2.Level 0 → Level 1
The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.

NH2SXQwcBdpmTEzi3bvBHMM9H66vVXjL
bandit1
3.Level 1 → Level 2
The password for the next level is stored in a file called - located in the home directory

rRGizSaX8Mk1RTb1CNQoXTcYZWU6lgzi
./ refers to the current directory; prefixing the filename with it keeps cat from treating - as standard input
4.Level 2 → Level 3
The password for the next level is stored in a file called spaces in this filename located in the home directory

aBZ0W5EmUfAf7kHTQeOwd8bauFJ2lAiG
5.Level 3 → Level 4
The password for the next level is stored in a hidden file in the inhere directory.

2EW7BBsr6aMMoJ2HjW067dm8EgX26xNe
6.Level 4 → Level 5
The password for the next level is stored in a hidden file in the inhere directory.

lrIWWI6bB37kxfiCQZqUdOIYfr6eEeqR
7.Level 5 → Level 6
The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:

human-readable
1033 bytes in size
not executable
First filter by file size with du -a -b

P4L4vucdmLnm8I7Vl7jG1ApGSfjYKqJU
8.Level 6 → Level 7
The password for the next level is stored somewhere on the server and has all of the following properties:

owned by user bandit7
owned by group bandit6
33 bytes in size
bandit6@bandit:~$ find / -group bandit6 -user bandit7 -size 33c
bandit6@bandit:~$ cat '/var/lib/dpkg/info/bandit7.password'
z7WtoNQU2XfjmMtWA8u5rN4vzqu4v99S
9.Level 7 → Level 8
The password for the next level is stored in the file data.txt next to the word millionth

TESKZC0XvTetK0S9xNwm25STk5iWrBvP
10.Level 8 → Level 9
The password for the next level is stored in the file data.txt and is the only line of text that occurs only once
bandit8@bandit:~$ sort data.txt | uniq -u
EN632PlfYiZbn3PhVK3XOGSlNInNE00t
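The uniq command detects and removes repeated lines in a text file. It only compares adjacent lines, which is why it is usually combined with sort. -u or --unique prints only the lines that occur exactly once.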
11.Level 9 → Level 10
The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.
First print the text with strings, then find the line that contains several = characters.

G7w8LIi6J3kTb8A7j9LgrywtEUlyyp6s

12.Level 10 → Level 11
The password for the next level is stored in the file data.txt, which contains base64 encoded data

6zPeziLdR2RKNdNYFNb6nVCKzphlXHBM
13.Level 11 → Level 12
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions
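Rotating by 13 positions splits the alphabet into two halves, a-m and n-z:
letters in a-m map onto n-z, and letters in n-z map back onto a-m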

JVNBBFSmZwKKOP0XbFXOoW8chDz5yVRv
14.Level 12 → Level 13
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)
Copy the file to a directory where you have write permission
bandit12@bandit:~$ cp data.txt /tmp/myname123
bandit12@bandit:~$ cd /tmp/myname123
Use xxd -r to convert the hexdump data.txt back into the binary file data2
bandit12@bandit:/tmp/myname123$ xxd -r data.txt data2
bandit12@bandit:/tmp/myname123$ file data2
data2: gzip compressed data, was "data2.bin", last modified: Sun Apr 23 18:04:23 2023, max compression, from Unix, original size modulo 2^32 581
file shows the format is gzip, so rename the file with the matching extension
bandit12@bandit:/tmp/myname123$ mv data2 data.gz
Decompress with gzip -d, which produces data
bandit12@bandit:/tmp/myname123$ gzip -d data.gz
bandit12@bandit:/tmp/myname123$ file data
data: bzip2 compressed data, block size = 900k
data is in turn bzip2-compressed, so decompress it with bzip2 -d
bandit12@bandit:/tmp/myname123$ bzip2 -d data
bzip2: Can't guess original name for data -- using data.out
bandit12@bandit:/tmp/myname123$ file data.out
data.out: gzip compressed data, was "data4.bin", last modified: Sun Apr 23 18:04:23 2023, max compression, from Unix, original size modulo 2^32 20480
data.out is gzip-compressed; zcat decompresses it to standard output, which is redirected into data3.
bandit12@bandit:/tmp/myname123$ zcat data.out > data3
bandit12@bandit:/tmp/myname123$ file data3
data3: POSIX tar archive (GNU)
This is a tar archive, so extract data3 with tar
bandit12@bandit:/tmp/myname123$ tar -xvf data3
data5.bin
bandit12@bandit:/tmp/myname123$ file data5.bin
data5.bin: POSIX tar archive (GNU)
Another tar archive, so extract again
bandit12@bandit:/tmp/myname123$ tar -xvf data5.bin
data6.bin
bandit12@bandit:/tmp/myname123$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
This is bzip2-compressed, so decompress with bzip2 -d again
bandit12@bandit:/tmp/myname123$ bzip2 -d data6.bin
bzip2: Can't guess original name for data6.bin -- using data6.bin.out
bandit12@bandit:/tmp/myname123$ file data6.bin.out
data6.bin.out: POSIX tar archive (GNU)
Another tar archive, so extract again
bandit12@bandit:/tmp/myname123$ tar -xvf data6.bin.out
data8.bin
bandit12@bandit:/tmp/myname123$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", last modified: Sun Apr 23 18:04:23 2023, max compression, from Unix, original size modulo 2^32 49
Use zcat to decompress data8.bin to standard output, redirected into data9.bin
bandit12@bandit:/tmp/myname123$ zcat data8.bin > data9.bin
bandit12@bandit:/tmp/myname123$ file data9.bin
data9.bin: ASCII text
ASCII text means this is the final decompressed result
bandit12@bandit:/tmp/myname123$ cat data9.bin
The password is wbWdlBxEir4CaE8LaPhauuOo6pwRmrDw
Summary: use file to identify the format at each step and decompress accordingly, until file reports readable text
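The identify-then-decompress loop from the session above, as an added example that is not part of the original post: it classifies each layer by its magic bytes (the same signatures file reports on) instead of calling file, and stops after a fixed number of layers. The function names kind and unwrap and the layer limit are assumptions, and each tar layer is assumed to hold a single member, as in the session above.

```sh
#!/bin/sh
# Added example: peel nested gzip/bzip2/tar layers until plain data remains.
# Function names kind/unwrap are hypothetical, not from the original post.

# kind FILE: classify by magic bytes, the same signatures `file` reports on.
kind() {
    magic=$(od -An -tx1 -N3 "$1" | tr -d ' \n')
    case "$magic" in
        1f8b*)  echo gzip;  return 0 ;;   # gzip header: 1f 8b
        425a68) echo bzip2; return 0 ;;   # bzip2 header: "BZh"
    esac
    # tar has no leading magic; the string "ustar" sits at byte offset 257
    if [ "$(od -An -c -j257 -N5 "$1" 2>/dev/null | tr -d ' \n')" = "ustar" ]; then
        echo tar
    else
        echo other
    fi
}

# unwrap FILE [MAX_LAYERS]: print the innermost content on stdout.
# Fails after MAX_LAYERS (default 20, an assumed limit) so deeply nested
# input cannot keep the loop running.
unwrap() {
    work=$(mktemp -d) || return 1
    cp "$1" "$work/cur" || { rm -rf "$work"; return 1; }
    max=${2:-20}
    n=0
    while :; do
        k=$(kind "$work/cur")
        if [ "$k" = other ]; then
            cat "$work/cur"; rm -rf "$work"; return 0
        fi
        n=$((n + 1))
        if [ "$n" -gt "$max" ]; then
            echo "unwrap: more than $max layers" >&2
            rm -rf "$work"; return 1
        fi
        case "$k" in
            gzip)  gzip  -dc "$work/cur" > "$work/next" ;;
            bzip2) bzip2 -dc "$work/cur" > "$work/next" ;;
            # -O writes members to stdout, so member names never touch disk
            tar)   tar -xOf "$work/cur" > "$work/next" ;;
        esac || { rm -rf "$work"; return 1; }
        mv "$work/next" "$work/cur"
    done
}

# Usage on the level's file: xxd -r data.txt data.bin && unwrap data.bin
```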
15.Level 13 → Level 14
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on
A private key is provided; connect to bandit14@localhost with ssh -i

That fails with an error; specify the port and connect on 2220
bandit13@bandit:~$ ssh -i sshkey.private bandit14@localhost -p 2220

bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
fGrHPx402xGC7U7rXKDaxiWFTOiF0ENq
16.Level 14 → Level 15
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
Use telnet to connect to the given host and port, then enter the password
bandit14@bandit:~$ telnet localhost 30000
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
fGrHPx402xGC7U7rXKDaxiWFTOiF0ENq
Correct!
jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt
Connection closed by foreign host.
17.Level 15 → Level 16
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
bandit15@bandit:~$ openssl s_client -connect localhost:30001

JQttfApK4SeyHwDlI9SXGR50qclOAil1
Use man openssl to look up the usage

18.Level 16 → Level 17
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
Use nmap to scan the given port range on the host

Try each open port with openssl; the command is
openssl s_client -connect localhost:port
Only 31518 and 31790 accept the connection, but 31518 just echoes back the input

bandit16@bandit:/tmp$ mkdir bandit16
bandit16@bandit:/tmp$ cd bandit16
bandit16@bandit:/tmp/bandit16$ ls
bandit16@bandit:/tmp/bandit16$ touch sshkey.private
bandit16@bandit:/tmp/bandit16$ vi sshkey.private
Save the private key from the output into the new directory under /tmp
Connect with the following command
ssh -i sshkey.private bandit17@localhost -p 2220
bandit17@bandit:~$ ls
passwords.new passwords.old
19.Level 17 → Level 18
There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new
NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19
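Compare the two password files; the one line that differs in passwords.new is the password

So the password should be
hga5tuuCLF6fFzUpnagiMN8ssu9LFrdg
About diff
The Linux diff command compares files line by line. If directories are given, diff compares files with the same name in both directories but does not descend into subdirectories. Its output describes what changes must be made to the first file to make it match the second. diff never modifies the files itself, but it can emit an ed script that applies the changes.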
20.Level 18 → Level 19
The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
ssh bandit18@localhost -t cat readme
Append the command cat readme to the ssh connection

awhqfNnAbc1naukrpqDYcF95h7HoMTrC

21.Level 19 → Level 20
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

VxCazJaVykI6W36BkBU0mJTCM8rR95XT
22.Level 20 → Level 21
There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
NOTE: Try connecting to your own network daemon to see if it works as you think
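First run nc -l 12345 (any port will do; this listens on that port)
Then open a second terminal and run ./suconnect 12345
Next, type the password obtained in the previous level into the first terminal
suconnect then sends the new password to the first terminal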

NvEJF7oVjkddltPSrdKEFOllh9V1IBcq
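About nc
nc is short for netcat, a powerful networking tool known as the Swiss Army knife of networking. On Linux systems the actual command is ncat, and nc is a symbolic link to ncat. The main uses of nc are:
1.Listening on any TCP/UDP port: nc can act as a server listening on a given port over TCP or UDP
2.Transferring files between machines
3.Port scanning: nc can act as a client initiating TCP or UDP connections
4.Measuring network speed between machines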

23.Level 21 → Level 22
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
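Looking at the contents of /etc/cron.d/cronjob_bandit22 shows that the command it runs is
/usr/bin/cronjob_bandit22.sh
Look at what the script does
It sets the file attributes of /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv and writes to that file
Finally, reading that file reveals the password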

WdDozAdTM2z9DiFEQ2mGlwngMfj4EZff

24.Level 22 → Level 23
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
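The procedure is much the same as last time, but the shell script has to be read and understood first

$ cat /tmp/`echo I am user bandit23 | md5sum | cut -d ' ' -f 1`

md5sum computes and verifies the MD5 hash of a file. It is often used to check the integrity of files transferred over a network, to guard against tampering. In day-to-day work it can be used to check whether important system files have been modified. MD5 is no longer collision-resistant, so it catches accidental corruption but is not a reliable defence against deliberate tampering.
The trailing cut keeps only the MD5 hash. The name of the file in /tmp that holds the password can therefore be computed with md5sum, which gives access to the password
Note that `` are backticks, not single quotes; they do the same job as $().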

QYw0Y2aiA672PsMmh9puTQuhoz8SyR2G
The takeaway from this level is that the output of echo can be spliced directly into another command: with Y=`echo XXX`, run cat /tmp/$Y
25.Level 23 → Level 24
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…