overthewire是一個wargame網站,網址:http://overthewire.org/wargames/。其中bandit是最簡單的系列,主要是考察一些基本的Linux操作。作為一個Linux初學者,我花了兩個星期左右把它“通關”了。下面逐關講解。網上也能搜到很多相關攻略,所以這篇文章一部分目的是為了進行一下復習。想看直接看密碼的可以直接跳到最后。
Level Goal
The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.
這一關不用多說,直接ssh連接上目標主機,ssh命令可以直接谷歌。
ssh bandit.labs.overthewire.org -l bandit0
然后密碼在readme里面。
Level Goal
The password for the next level is stored in a file called - located in the home directory
這一關主要是cat的使用,但是因為文件名是一個'-',所以不能直接cat。根據下面提示直接谷歌,輸入以下命令解決。
cat ./-
得到密碼 CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
Level Goal
The password for the next level is stored in a file called spaces in this filename located in the home directory
這一關是文件名有空格,直接加雙引號。
cat "spaces in this filename"
Level Goal
The password for the next level is stored in a hidden file in the inhere directory.
這一關是一個隱藏文件,直接利用ll -a命令。不多說。
Level Goal
The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.
這一關就是不斷使用cat ./-file0x然后觀察,最后發現在-file07里面。
Level Goal
The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties: - human-readable - 1033 bytes in size - not executable
這一關是關于find和du命令的使用。由于文件具有1033的大小,通過找男人(man)命令查看du的手冊,發現可以通過
du -ab | grep 1033
命令可以發現要找的文件就是 inhere/maybehere07/.file2 然后cat就可以了。
Level Goal
The password for the next level is stored somewhere on the server and has all of the following properties: - owned by user bandit7 - owned by group bandit6 - 33 bytes in size
仍然是find和du的使用。查看find的手冊,用以下命令可以達到目的:
find -group bandit6 -user bandit7 -size 33c
以上命令就是根據題目所給的條件進行篩選,具體查看手冊33c表示是33bytes。
Level Goal
The password for the next level is stored in the file data.txt next to the word millionth
這一關是grep的使用。直接
grep millionth data.txt
就可得到密碼。這個題目里面密碼和匹配模式在同一行,所以可以直接grep。如果并不是在同一行還要加其他參數。其實這道題我解的時候直接cat,然后不小心就看到了密碼(data.txt比較短)(逃。
Level Goal
The password for the next level is stored in the file data.txt and is the only line of text that occurs only once
這一關難度增加了一點點,不過畢竟是基礎訓練。這里要用到“管道”的知識,具體請谷歌^^; 直接用:
sort data.txt | uniq -u
輕松搞定。
Level Goal
The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.
仍然是grep的應用。如果僅僅是想過關的話也可以人肉搜索。如果用grep的話可以這樣
cat data.txt | grep == -a
加-a是為了讓grep強行將文件判定為文本文檔。
Level Goal
The password for the next level is stored in the file data.txt, which contains base64 encoded data
既然說了是base64,那就:
base64 data.txt -d
好,下一關
Level Goal
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions
這是一個移位13位的凱撒密碼,最初我是用python來解密的,后來谷歌了一下用shell也可以
echo "The Quick Brown Fox Jumps Over The Lazy Dog" | tr 'A-Za-z' 'N-ZA-Mn-za-m'
在這個題目則可以這樣
cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'
所以shell腳本有時候還是挺好用的。ps:tr是translate的縮寫。
Level Goal
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)
這關主要是考察各種解包工具的使用。首先將hexdump還原成文件:
xdd -d data.txt > out
然后接下來不斷用file命令和對應的解包命令就可以了,boring...
Level Goal
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on
這一關是SSH命令的另一種用法。之前我們都是用密碼登錄的,這次要用私鑰登錄。并沒有什么難度,加上-i選項后面跟上密鑰文件就可以了。
Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
這一關要求你想本機30000端口發送這一關的密碼來獲取下一關的密碼。可以通過各種方法實現,比如自己寫程序。當然也可以使用netcat實現這一功能。
nc localhost 30000 < /etc/bandit_pass/bandit14
Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
這一關換了一個花樣,要求使用ssl加密來傳輸密碼。可以使用s_client命令。
openssl s_client -connect localhost:30001 -quiet </etc/bandit_pass/bandit15
至于為什么要用-quiet,請看man。
Level Goal
The password for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next password, the others will simply send back to you whatever you send to it.
Oops,這次題目只給了一個端口范圍,那就可以用namp來掃描一下。推薦看一下nmap的man,內容很詳細,也介紹了一些掃描的原理。
首先,掃描一下:
nmap -A -p31000-32000 localhost
得到以下結果:
PORT STATE SERVICE VERSION
31046/tcp open echo
31518/tcp open msdtc Microsoft Distributed Transaction Coordinator (error)
31691/tcp open echo
31790/tcp open msdtc Microsoft Distributed Transaction Coordinator (error)
31960/tcp open echo
我們可以看到兩種服務類型,一種是echo,顧名思義就是直接將你發給他的東西扔回來。那另外一種服務就是我們關心的了。我們嘗試分別給這兩個端口發送密碼。
然后我們發現31790端口是我們想要的,得到如下key:
#!bash
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
-----END RSA PRIVATE KEY-----
這個就是SSL的私鑰,將它保存起來,用ssh連接。。。然后你會發現Ooops!
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
好吧,看來還要修改權限,用chmod 400修改文件的權限,然后成功進入下一關。
Level Goal
There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new
考察diff命令的用法,恩,我想不用多說了。
Level Goal
The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
這一關你無法正常登陸,但是沒關系,ssh支持直接執行命令,既然我們知道密碼就存在~/readme里面,那就容易了。
ssh localhost -l bandit18 "cat ~/readme"
Level Goal
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used to setuid binary.
目錄下面有一個bandit20-do的程序,可以以bandit20的權限執行命令,那么我們就可以借此來查看bandit20的密碼:
./bandit20-do cat /etc/bandit_pass/bandit20
Bandit Level 20 → Level 21
Level Goal
There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
這次要分兩步,先用nc運行一個進程進行監聽,讓程序來連接。
nc localhost 40000 -l < /etc/bandit_pass/bandit20
端口任意
然后用本關給的程序進行連接:
./suconnect 40000
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
這一關開始就要用到cron相關的程序,cron就是相當于任務計劃之類的東西。 進入/etc/cron.d目錄。發現好多文件。剛開始我直接傻眼了,在這一關卡了好久。后來直接找與bandit21關最相近的文件,那就是cronjob_bandit22。cat一下,里面是運行一段腳本。看下腳本里面的內容
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
看來密碼就在/tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv這個文件里面
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
仍然是cron。進入剛才的目錄,然后看下cronjob_bandit23的內容,仍然是一段腳本,看腳本內容:
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget
看來腳本是將bandit23的密碼存進了/tmp/$mytarget文件里面,關鍵就是找出mytarget的值。為了得出這個值,可將腳本copy一份,將myname=bandit23。然后將后面兩行去掉,直接echo mytarget就可得到存儲密碼的文件名。
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
廢話不多說,直接看腳本內容:
#!bash
myname=$(whoami)
cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
if [ "$i" != "." -a "$i" != ".." ];
then
echo "Handling $i"
timeout -s 9 60 "./$i"
rm -f "./$i"
fi
done
可以看出來以上腳本會將/var/spool/bandit24文件夾下的所有文件執行一遍并清除。根據crontab可知每分鐘執行一次。那就好辦了,我們將寫好的腳本放入這個文件夾,bandit24每分鐘就會執行腳本,而這個腳本具有bandit24的權限。恩,你懂的。
cat /etc/bandit_pass/bandit24 > /tmp/save/pass
先在/tmp下新建save文件夾,chmod 777 ,然后將以上腳本放入上述文件夾里面,等一分鐘。泡一杯咖啡,丁!去/tmp/save/文件夾下可以看見pass。如果發現沒有任何東西,請考慮權限問題(chmod)。
Bandit Level 24 → Level 25
Level Goal
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinaties, called brute-forcing.
這是比較有意思的一關,寫一個腳本進行窮舉,于是我一開始寫了一下這個:
pass=UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
for i in $(seq 0 9999)
do
if
echo $pass $i| nc localhost 30002 | grep Wrong>/dev/null
then
echo $i
else
echo $pass $i| nc localhost 30002 > result
break
fi
done
運行這個腳本,然后你就可以去打幾把DOTA了,反正我是掛了一晚上。。。。。 這樣當然不行啊,所以就有了后來的改進版本:
pass=UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
for i in $(seq 0 9999)
do {
if
echo $pass $i| nc localhost 30002 | grep Wrong > /dev/null
then
echo $i
else
echo $pass $i| nc localhost 30002 > result
exit
fi
}&
done
wait
這里用了&和wait實現了偽多線程。&表示可以并行執行,wait表示父進程等待子進程執行完畢。 這樣果然快多了 ,只用了幾分鐘就搞定了。
然而這個腳本并不能在找到正確的密碼的時候停止,這個就作為思考題吧。
Level Goal
Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.
這道題,,額,,只能說腦凍好大。
用home目錄下的sshkey登陸,Oops:
_ _ _ _ ___ __
| | | (_) | |__ \ / /
| |__ __ _ _ __ __| |_| |_ ) / /_
| '_ \ / _` | '_ \ / _` | | __| / / '_ \
| |_) | (_| | | | | (_| | | |_ / /| (_) |
|_.__/ \__,_|_| |_|\__,_|_|\__|____\___/
扔給我這樣一個東西。。。 坑爹呢!
grep bandit26 /etc/passwd
運行以上命令,
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
那么/usr/bin/showtext又是什么鬼
#!/bin/sh
more ~/text.txt
exit 0
好吧,原來是這樣,用的是more程序。
step1:將終端窗口縮小到只有兩行
step2:登陸
step3:這時More會阻塞(因為沒有顯示完)
step4:按v鍵,進入vim編輯器
step5::r /etc/bandit_pass/bandit26
我真是太tm機智了。
level2:UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
level3:pIwrPrtPN36QITSp3EQaw936yaFoFgAB
level4:koReBOKuIDDepwhWk7jZC0RTdopnAYKh
level5:DXjZPULLxYr17uwoI01bNLQbtFemEgo7
level6:HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
level7:cvX2JJa4CFALtqS87jk27qwqGhBM9plV
level8:UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
level9:truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
level10:IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR
level11:5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
level12:8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
level13:ssh [email protected] -i sshkey.private
level14:BfMYroe26WYalil77FoDi9qh59eK5xNr
level15:cluFn7wTiGryunymYOu4RcffSxQluehd
level17:kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
level18:IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
level19:GbKksEFF4yrVs6il55v6gwY5aVje5f0j
level20:gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
level21:Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
level22:jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
level23:UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
level24:uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
level25:5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z