OverTheWire: Bandit Level 0 to Level 33 Walkthrough
2025-08-22 16:06:27

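This article is based on the learning site

OverTheWire: Bandit

It is a site (or project) that gives computer science students a solid grounding in Linux, web and Git fundamentals.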

Level 0

Level Goal

The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.

ssh -p 2220 bandit0@bandit.labs.overthewire.org

Enter the password bandit0.

Level 0 → Level 1

Level Goal

The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.

Commands you may need to solve this level

ls , cd , cat , file , du , find

The password you obtain is used for SSH login authentication on the next level.

Level 1 → Level 2

Level Goal

The password for the next level is stored in a file called - located in the home directory

Commands you may need to solve this level

ls , cd , cat , file , du , find

Method 1: use the relative path ./
Method 2: check the current directory with pwd

Level 2 → Level 3

Level Goal

The password for the next level is stored in a file called spaces in this filename located in the home directory

Commands you may need to solve this level

ls , cd , cat , file , du , find

Method 1: use a quoted string

Method 2: use the escape character \

Level 3 → Level 4

Level Goal

The password for the next level is stored in a hidden file in the inhere directory.

Commands you may need to solve this level

ls , cd , cat , file , du , find

Use ls -al to find the hidden file, then read the password through its relative path.

Level 4 → Level 5

Level Goal

The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.

Commands you may need to solve this level

ls , cd , cat , file , du , find

Just use file to find the human-readable (ASCII) file.

cat ./-file* also shows the password, but it is hard to tell where the password begins.

Level 5 → Level 6

Level Goal

The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:

  • human-readable
  • 1033 bytes in size
  • not executable

Commands you may need to solve this level

ls , cd , cat , file , du , find

This fits the requirements better than the figure below.

find . -type f -readable ! -executable -size 1033c

Level 6 → Level 7

Level Goal

The password for the next level is stored somewhere on the server and has all of the following properties:

  • owned by user bandit7
  • owned by group bandit6
  • 33 bytes in size

Commands you may need to solve this level

ls , cd , cat , file , du , find , grep

Searching from the root directory usually produces many permission errors; you can redirect them to /dev/null with 2>/dev/null to keep the output clean.

Or run

find / -size 33c -user bandit7 -group bandit6

and then pick the bandit7.password file straight out of the output.

Level 7 → Level 8

Level Goal

The password for the next level is stored in the file data.txt next to the word millionth

Commands you may need to solve this level

man, grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

The ./ prefix can be omitted.

Level 8 → Level 9

Level Goal

The password for the next level is stored in the file data.txt and is the only line of text that occurs only once

Commands you may need to solve this level

grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

You can use -c to list how many times each line occurs, then find the line whose count is 1.

man uniq

Level 9 → Level 10

Level Goal

The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.

Commands you may need to solve this level

grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

Level 10 → Level 11

Level Goal

The password for the next level is stored in the file data.txt, which contains base64 encoded data

Commands you may need to solve this level

grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

Just base64-decode it.

Level 11 → Level 12

Level Goal

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions

Commands you may need to solve this level

grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

Method 1 (input redirection): ~$ tr 'a-zA-Z' 'n-za-mN-ZA-M' < data.txt
Method 2 (pipe): ~$ cat data.txt | tr 'a-zA-Z' 'n-za-mN-ZA-M'

Level 12 → Level 13

Level Goal

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work. Use mkdir with a hard to guess directory name. Or better, use the command “mktemp -d”. Then copy the datafile using cp, and rename it using mv (read the manpages!)

Commands you may need to solve this level

grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd, mkdir, cp, mv, file

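This level tests knowledge of compression, but it takes a lot of patience (it is tedious).

Background

  1. gzip: mv data data.gz, then gzip -d data.gz or gunzip data.gz.
  2. bzip2: mv data data.bz, then bzip2 -d data.bz or bunzip2 data.bz.
  3. tar archive: mv data data.tar, then tar -xf data.tar, and so on.
  4. xxd -r data.txt > data: uses xxd to convert the hexdump file data.txt back into the binary file data; -r means the reverse operation.
  5. file file1 file2 ...: shows the file type.

Once in the environment, cat data.txt shows that the file is a hexdump in text form, so run xxd -r data.txt > data.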

bandit12@bandit:~$ ls
data.txt
bandit12@bandit:~$ cat data.txt
00000000: 1f8b 0808 41d4 f767 0203 6461 7461 322e  ....A..g..data2.
00000010: 6269 6e00 0149 02b6 fd42 5a68 3931 4159  bin..I...BZh91AY
00000020: 2653 59a8 ffa7 8f00 001d 7fff dbeb 7ffa  &SY.............
00000030: bb7f a5ef bb7e f5fb fdff b7c7 f3ff ff7f  .....~..........
00000040: ff7f fff7 deba fdfa eff7 dddf b001 3b19  ..............;.
00000050: a200 d01a 0190 0034 0006 800d 0340 0346  .......4.....@.F
00000060: 8000 0340 0320 0069 a034 0640 0346 4680  ...@. .i.4.@.FF.
00000070: 68d1 a68c 8321 9313 4da4 f510 6406 8003  h....!..M...d...
00000080: 4006 9a00 000d 000d 0069 a007 a9a0 001a  @........i......
00000090: 1b50 03d4 01a6 9a1e a001 a343 4683 469a  .P.........CF.F.
000000a0: 3d40 001a 7a8d 01a0 074c 801e a1a6 8064  =@..z....L.....d
000000b0: 01a3 d434 00c4 0d00 000d 0001 a680 1a19  ...4............
000000c0: 0061 0f53 41a0 0000 0d00 341a 0320 0034  .a.SA.....4.. .4
000000d0: d1ea 0168 4882 8244 0130 5550 f16b f52e  ...hH..D.0UP.k..
000000e0: a322 cb9f bb8c aaf6 e244 cc70 b151 47c8  .".......D.p.QG.
000000f0: 6c03 a3ae 4a81 1ee0 03ce 840e a978 2046  l...J........x F
00000100: 630b 4b0d 9883 7078 e7e8 5bfb 68f1 f685  c.K...px..[.h...
00000110: 6f46 771c 3920 449f f0cb 39e2 0841 10b5  oFw.9 D...9..A..
00000120: 8714 e981 115c d1bc 2da4 318b 106c 904e  .....\..-.1..l.N
00000130: 9328 5e97 405a 4054 21db e049 1a32 5f3d  .(^.@Z@T!..I.2_=
00000140: 7069 408f f0a4 8ce5 fbea 282c 51d1 49e4  pi@.......(,Q.I.
00000150: d52f 0762 dd90 27b8 79d3 0499 52e0 060c  ./.b..'.y...R...
00000160: fd91 a474 d408 88f3 1fda d2d1 325a baeb  ...t........2Z..
00000170: bfe7 f0f6 cc3c 776d f369 e73c 47d4 66ea  .....<wm.i.<G.f.
00000180: 4b90 e404 03b3 6a09 4687 945d 09ef 706b  K.....j.F..]..pk
00000190: 8f82 2503 80d0 0a0a 3e60 f879 bf02 2d42  ..%.....>`.y..-B
000001a0: bf37 9c96 4b22 585c 35c8 3cf1 da9f 518b  .7..K"X\5.<...Q.
000001b0: ccd5 a68c 9647 aa38 8a50 89d2 f89c 1ff0  .....G.8.P......
000001c0: 1042 18c3 6549 400d fe17 ec74 3171 6d74  .B..eI@....t1qmt
000001d0: a8bb 0def f11a 5a69 0e70 aa34 0037 b180  ......Zi.p.4.7..
000001e0: 1540 c4d2 0af7 e290 8784 ce9e 147a 6836  .@...........zh6
000001f0: 944b 3f18 2ba2 c620 af92 fb01 184f 3def  .K?.+.. .....O=.
00000200: 1b7d 0162 733d adca 90ac 7142 8319 f703  .}.bs=....qB....
00000210: 5930 69e2 8320 9110 5d63 0db9 9294 d4ef  Y0i.. ..]c......
00000220: 50b9 5907 0924 92c1 014e a284 25ce a6ef  P.Y..$...N..%...
00000230: 67b2 4e06 6d21 4136 2ac0 292d 6638 033c  g.N.m!A6*.)-f8.<
00000240: 21af be4e 13bb b74f 2c10 18c7 eea3 c436  !..N...O,......6
00000250: c988 05e6 5638 1ff1 7724 5385 090a 8ffa  ....V8..w$S.....
00000260: 78f0 d951 192d 4902 0000                 x..Q.-I...
bandit12@bandit:~$ mkdir /tmp/dig
bandit12@bandit:~$ cp data.txt /tmp/dig
bandit12@bandit:~$ cd /tmp/dig
bandit12@bandit:/tmp/dig$ ls
data.txt
bandit12@bandit:/tmp/dig$ file data.txt
data.txt: ASCII text
bandit12@bandit:/tmp/dig$ xxd -r data.txt > data
bandit12@bandit:/tmp/dig$ file data
data: gzip compressed data, was "data2.bin", last modified: Thu Apr 10 14:22:57 2025, max compression, from Unix, original size modulo 2^32 585


Then keep repeating the pattern from the background section: rename the file (mv), decompress (gzip, bzip2, tar) and check the file type (file).

bandit12@bandit:/tmp/dig$ mv data data.gz
bandit12@bandit:/tmp/dig$ gunzip data.gz
bandit12@bandit:/tmp/dig$ file data
data: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/dig$ mv data data.bz
bandit12@bandit:/tmp/dig$ bunzip data.bz
Command 'bunzip' not found, did you mean:
  command 'bunzip2' from deb bzip2 (1.0.8-5.1build0.1)
  command 'lunzip' from deb lunzip (1.13-6)
  command 'funzip' from deb unzip (6.0-28ubuntu4.1)
  command 'gunzip' from deb gzip (1.12-1ubuntu1)
  command 'bunzip3' from deb bzip3 (1.3.2-1)
  command 'unzip' from deb unzip (6.0-28ubuntu4.1)
  command 'ebunzip' from deb eb-utils (4.4.3-14)
  command 'runzip' from deb rzip (2.1-4.1)
Try: apt install <deb name>
bandit12@bandit:/tmp/dig$ bunzip2 data.bz
bandit12@bandit:/tmp/dig$ file data
data: gzip compressed data, was "data4.bin", last modified: Thu Apr 10 14:22:57 2025, max compression, from Unix, original size modulo 2^32 20480
bandit12@bandit:/tmp/dig$ mv data data.gz
bandit12@bandit:/tmp/dig$ gzip -d data.gz
bandit12@bandit:/tmp/dig$ file data
data: POSIX tar archive (GNU)
bandit12@bandit:/tmp/dig$ mv data data.tar
bandit12@bandit:/tmp/dig$ tar -xf data.tar
bandit12@bandit:/tmp/dig$ ls
data5.bin  data.tar  data.txt

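Running tar -xf data.tar extracts the contents of data.tar into the current directory. Note that:

  • extraction creates the new file data5.bin (as ls shows);
  • data.tar stays in the directory (it has to be deleted manually).

Finally, keep listing the directory (ls), checking the file type (file), renaming (mv) and decompressing (gzip, bzip2, tar) until the .bin files are gone; the newly appeared file then holds the password for the next level. Sorry, the screenshot is missing two commands; here they are.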

mv data5.bin data5.tar
tar -xf data5.tar

Below is the shell script DeepSeek produced by summarising the steps above; save it as a .sh file and it can be run directly:

bandit12@bandit:~$ mkdir /tmp/dig
bandit12@bandit:~$ cd /tmp/dig
bandit12@bandit:/tmp/dig$ vim 1.sh
bandit12@bandit:/tmp/dig$ bash 1.sh
cp: cannot stat 'data.txt': No such file or directory
gzip: data8 already exists; do you wish to overwrite (y or n)? y
Password: The password is FO5dwFsc0cbaIiH0h8J2eUks2vdTDwAn

The shell script written to 1.sh is:

#!/bin/bash
# Create the temporary directory and copy the file
mkdir -p /tmp/dig
cp data.txt /tmp/dig
cd /tmp/dig
# Hexdump to binary
xxd -r data.txt > data
# Handle gzip compression
mv data data.gz
gzip -d data.gz
# Handle bzip2 compression
mv data data.bz
bzip2 -d data.bz
# First tar extraction
mv data data.tar
tar -xf data.tar
# Second tar extraction (data5.bin)
mv data5.bin data5.tar
tar -xf data5.tar
# Handle the bzip2-compressed data6.bin
mv data6.bin data6.bz
bzip2 -d data6.bz
# Third tar extraction (data6)
mv data6 data6.tar
tar -xf data6.tar
# Handle the final gzip-compressed data8.bin
mv data8.bin data8.gz
gzip -d data8.gz
# Print the password
echo "Password: $(cat data8)"

It does not look very smart (doing it by hand is no worse); the scripts online are better, see zip shell script 1 and zip shell script 2.
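
An added example, not from the original post or from DeepSeek: a loop that detects each layer with the tool's own test mode, so the order of gzip, bzip2 and tar layers does not have to be hard-coded and no renaming with mv is needed. The function names, the 32-layer cap and the one-member-per-archive assumption are choices made for this illustration.

```bash
#!/usr/bin/env bash
# Added example: peel nested gzip/bzip2/tar layers in whatever order they occur.

# layer_type FILE -> prints gzip, bzip2, tar or data.
# Each tool's integrity test reads the content, so no file suffix is needed.
layer_type() {
    if gzip -t < "$1" 2>/dev/null; then echo gzip
    elif bzip2 -t < "$1" 2>/dev/null; then echo bzip2
    elif tar -tf "$1" >/dev/null 2>&1; then echo tar
    else echo data
    fi
}

# peel_layers FILE WORKDIR
# Prints one layer name per line and leaves the innermost data in WORKDIR/payload.
peel_layers() {
    local cur="$1" work="$2" n=0 kind next
    while :; do
        kind=$(layer_type "$cur")
        if [ "$kind" = data ]; then break; fi
        n=$((n + 1))
        # Assumed cap: stop runaway nesting instead of filling the disk.
        if [ "$n" -gt 32 ]; then echo "too many layers" >&2; return 1; fi
        next="$work/layer$n"
        case $kind in
            gzip)  gzip  -dc < "$cur" > "$next" || return 1 ;;
            bzip2) bzip2 -dc < "$cur" > "$next" || return 1 ;;
            # -O sends member contents to stdout, so names stored inside the
            # archive never decide where data is written (one member per
            # archive is assumed, as in this level).
            tar)   tar -xOf "$cur" > "$next" || return 1 ;;
        esac
        echo "$kind"
        cur=$next
    done
    cp "$cur" "$work/payload"
}

# Stand-alone use: ./peel.sh data.txt   (data.txt is the xxd hexdump)
if [ "$#" -ge 1 ]; then
    work=$(mktemp -d) || exit 1          # private, hard-to-guess directory
    xxd -r "$1" > "$work/layer0" || exit 1
    peel_layers "$work/layer0" "$work" && cat "$work/payload"
fi
```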

Level 13 → Level 14

Level Goal

The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on

Commands you may need to solve this level

ssh, telnet, nc, openssl, s_client, nmap

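Use ssh with the private key, on port 2220, as user bandit14, connecting to localhost.

You should see the bandit14@bandit login screen.

The level says the password is stored under /etc/bandit_pass/bandit14 for user bandit14; just read it with cat.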

Level 14 → Level 15

Level Goal

The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

Commands you may need to solve this level

ssh, telnet, nc, openssl, s_client, nmap

Check whether port 30000 is open by running nmap: ~$ nmap -p 30000 localhost
If it is open, connect to port 30000 locally with nc or telnet.

Level 15 → Level 16

Level Goal

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL/TLS encryption.

Helpful note: Getting “DONE”, “RENEGOTIATING” or “KEYUPDATE”? Read the “CONNECTED COMMANDS” section in the manpage.

Commands you may need to solve this level

ssh, telnet, nc, ncat, socat, openssl, s_client, nmap, netstat, ss

Use the OpenSSL tool to establish an SSL/TLS connection to port 30001 on localhost.

Then enter the previous level's password.

This yields the password kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx!

Level 16 → Level 17

Level Goal

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL/TLS and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

Helpful note: Getting “DONE”, “RENEGOTIATING” or “KEYUPDATE”? Read the “CONNECTED COMMANDS” section in the manpage.

Commands you may need to solve this level

ssh, telnet, nc, ncat, socat, openssl, s_client, nmap, netstat, ss

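First, get familiar with vim's editing modes. Linux vi/vim | 菜鸟教程

vim exit commands
:q! force quit and discard changes.
:wq! force save and quit.
:q quit, if nothing was modified.

After version detection (-sV), only port 31790 turns out to be usable. (You can read up on this process in other sources.)

This returns an RSA private key.

Method 1:

Create a temporary file and store the private key rsa.private (including its header and footer lines) in it. Method 1 stores it in the file rsa.priv.

After running into the problem (bug) above, I asked ChatGPT: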

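When you ran ssh -i /tmp/ssh.key/rsa.priv bandit17@localhost, you hit two problems:

  1. Permission problem: you received the error Could not create directory '/home/bandit16/.ssh' (Permission denied) Permission denied. This means that when connecting you did not have permission to create the .ssh folder in the bandit16 user's home directory.
  2. Key loading problem: you received the error Load key "/tmp/ssh.key/rsa.priv": Permission denied. This is usually because the permissions on the key file /tmp/ssh.key/rsa.priv are set incorrectly, or you do not have sufficient permission to read the file.

SSH cannot create the .ssh directory

You also ran into being unable to create the .ssh directory. This may be because you do not have permission to create directories under /home/bandit16/. To work around this, you can use -o StrictHostKeyChecking=no and -o UserKnownHostsFile=/dev/null to disable SSH host key verification: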

ssh -i /tmp/ssh.key/rsa.priv -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null bandit17@localhost

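This command bypasses the host key check and does not try to save the host key to the known_hosts file, so the .ssh directory does not need to be created.
Then, following the message “This is an OverTheWire game server. !!! You are trying to log into this SSH server on port 22, which is not intended.”, add port 2220.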

ssh -i /tmp/ssh.key/rsa.priv -p 2220 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null bandit17@localhost

Summary

  1. Set the correct permissions: chmod 600 /tmp/ssh.key/rsa.priv
  2. Use -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null to disable host key checking.
  3. Check that the port number is correct.
bandit16@bandit:/$ ssh -i /tmp/ssh.key/rsa.priv -p 2220 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null bandit17@localhost
Warning: Permanently added '[localhost]:2220' (ED25519) to the list of known hosts.
                         _                     _ _ _
                        | |__   __ _ _ __   __| (_) |_
                        | '_ \ / _` | '_ \ / _` | | __|
                        | |_) | (_| | | | | (_| | | |_
                        |_.__/ \__,_|_| |_|\__,_|_|\__|


                      This is an OverTheWire game server.
            More information on http://www.overthewire.org/wargames

!!! You are trying to log into this SSH server with a password on port 2220 from localhost.
!!! Connecting from localhost is blocked to conserve resources.
!!! Please log out and log in again.


.........
Welcome to OverTheWire!

If you find any problems, please report them to the #wargames channel on
discord or IRC.

.........
--[ More information ]--

  For more information regarding individual wargames, visit
  http://www.overthewire.org/wargames/

  For support, questions or comments, contact us on discord or IRC.

  Enjoy your stay!
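
An added example, not part of the original post or of the ChatGPT reply quoted above: storing a pasted private key so that only its owner can read it, checking that condition, and building ssh options that record the host key in a known_hosts file inside the private work directory and verify it on later connections (accept-new) rather than discarding it to /dev/null. The function names and the id_key file name are assumptions made for this illustration.

```bash
#!/usr/bin/env bash
# Added example: private key handling in a shared /tmp.

# install_key WORKDIR -> reads a private key on stdin, stores it as
# WORKDIR/id_key readable and writable by the owner only, prints the path.
install_key() {
    local dir="$1"
    chmod 700 "$dir" || return 1
    ( umask 077 && cat > "$dir/id_key" ) || return 1
    echo "$dir/id_key"
}

# perms FILE -> the ten-character mode string from ls, e.g. -rw-------
perms() { ls -ld "$1" | cut -c1-10; }

# key_is_private FILE -> succeeds only if group and others have no access;
# ssh ignores a private key that group or others can access.
key_is_private() {
    case "$(perms "$1")" in
        ????------) return 0 ;;
        *)          return 1 ;;
    esac
}

# ssh_args WORKDIR PORT USER -> ssh arguments, one per line.
ssh_args() {
    printf '%s\n' -i "$1/id_key" -p "$2" \
        -o "UserKnownHostsFile=$1/known_hosts" \
        -o StrictHostKeyChecking=accept-new \
        "$3@localhost"
}

# Stand-alone use: ./key.sh 2220 bandit17 < pasted_key.txt
if [ "$#" -ge 2 ]; then
    work=$(mktemp -d) || exit 1
    key=$(install_key "$work") || exit 1
    key_is_private "$key" || { echo "key is exposed: $(perms "$key")" >&2; exit 1; }
    ssh_args "$work" "$1" "$2"
fi
```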

Method 2:

Note how nano is used: How to Use the Nano Text Editor in Linux
Method 2 writes rsa.private (including its header and footer lines) into the file rsafile.

link

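This brings up the bandit17 session; there is no need to spend extra time logging in to bandit17@bandit. After reading [official site|level17-18], run diff in the terminal and jump to [#Level 18 → Level 19]. Alternatively, use the password from cat /etc/bandit_pass/bandit17 to log in to bandit17@bandit.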

Level 17 → Level 18

Level Goal

There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new

NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19

See the [[#link]] part of the previous level.

Level 18 → Level 19

Level Goal

The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

Commands you may need to solve this level

ssh, ls, cat

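Using the passwords.new value obtained earlier (x2gLTTjFwMOhQ8oWNbMN362QKxfRqGlO in [[#link]]), opening the level shows

No matter how many times you log in, the login always fails! This is determined by ssh's syntax; if in doubt, check man ssh or ssh --help on Linux.
So we have

After entering the password there is no echo; then type a Linux command, and the password is found in the file readme.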

Level 19 → Level 20

Level Goal

To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

Level 20 → Level 21

Level Goal

There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: Try connecting to your own network daemon to see if it works as you think

Commands you may need to solve this level

ssh, nc, cat, bash, screen, tmux, Unix ‘job control’ (bg, fg, jobs, &, CTRL-Z, …)

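[!note] Approach

With netcat we can create a connection in server mode that listens for inbound connections. To make netcat send the password, I use echo and pipe it into netcat.
Running the setuid binary with port 1234 makes it connect to our netcat server, receive the password we supplied and send back the next password.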

Level 21 → Level 22

Level Goal

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

Commands you may need to solve this level

cron, crontab, crontab(5) (use “man 5 crontab” to access this)

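1. cat cronjob_bandit22

  • &> /dev/null: redirects both the script's standard output (stdout) and standard error (stderr) to /dev/null, discarding all output. Even if the script produces output or errors, nothing is recorded.
    • The @reboot entry runs the script /usr/bin/cronjob_bandit22.sh once at system startup, without producing output.
    • The * * * * * entry runs the same script every minute, also without producing output.

2. cat /usr/bin/cronjob_bandit22.sh
The script does the following:

  • Changes the permissions of /tmp/t706Ids9S0RqQh9aMcz6ShpAoZKF7fgv so that the file owner can read and write it and other users can only read it.
  • Copies the contents of /etc/bandit_pass/bandit22 into /tmp/t706Ids9S0RqQh9aMcz6ShpAoZKF7fgv.

So reading /tmp/t706Ids9S0RqQh9aMcz6ShpAoZKF7fgv reveals the answer.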

Level 22 → Level 23

Level Goal

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.

Commands you may need to solve this level

cron, crontab, crontab(5) (use “man 5 crontab” to access this)

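The first few commands are the same as in the previous level [[#Level 21 → Level 22]]; the later ones differ slightly.

  • Going by the result of typing whoami in the terminal, $myname takes the value bandit23.
  • $mytarget is then the output of the command inside the parentheses.
  • /etc/bandit_pass/bandit23 is written to /tmp/$mytarget (8ca319......26349).
  • Reading /tmp/$mytarget (8ca319......26349) reveals the password.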

Level 23 → Level 24

Level Goal

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!

NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…

Commands you may need to solve this level

chmod, cron, crontab, crontab(5) (use “man 5 crontab” to access this)

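Background

For chmod, it is worth reading chmod

Up to running cat /usr/bin/cronjob_bandit24.sh, the commands are similar to the previous level. After running cat /usr/bin/cronjob_bandit24.sh,

what you see is the shell code in the figure above. The next part had me stuck for a long time /(ㄒoㄒ)/~~, so this level looks a bit messy.
After analysing it, create the directory /tmp/game and use nano to write the shell file test.sh under /var/spool/bandit24/foo.
Its contents are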

#!/bin/bash

cat /etc/bandit_pass/bandit24 > /tmp/game/pass.txt

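This code writes the next level's password into the file pass.txt in the /tmp/game directory.

Copying test.sh into /var/spool/bandit24/foo/ produced a number of errors. The main cause was the lack of write permission.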

So add read, write and execute permission for all users; what matters is giving test.sh write and execute permission.

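Finally pass.txt shows up in the /tmp/game directory (ls); it now holds the next level's password (/etc/bandit_pass/bandit24).
Because every script under /var/spool/bandit24/foo (including test.sh) is deleted within 60 s, the script test.sh copies /etc/bandit_pass/bandit24 to /tmp/game/pass.txt. This gets around the time limit, so the content can be read directly with cat.

Summary (to clear up the confusion above): write a redirecting shell script in the temporary directory /tmp/game; it turned out to lack write and execute permission, so grant them. Then copy it to /var/spool/bandit24/foo, where test.sh now has execute permission; because of the timing, you may have to wait a moment before the credential appears.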

Level 24 → Level 25

Level Goal

A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.
You do not need to create new connections each time

Brute-forcing: retrieve the pincode with the password for bandit24 and a secret numeric 4-digit pincode.

Level 25 → Level 26

Level Goal

Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.

NOTE: if you’re a Windows user and typically use Powershell to ssh into bandit: Powershell is known to cause issues with the intended solution to this level. You should use command prompt instead.

Commands you may need to solve this level

ssh, cat, more, vi, ls, id, pwd

Background

Search Google for the following questions.
Q1: shell commands for vi (google)

Q2: how to change shell in vi

Q3: man more
The detailed description of the v command.

Solution

Connecting to level 26 with ssh, the connection closes automatically.

Look at the contents of /etc/passwd, using a pipe to select the user bandit26.

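We find that in a Linux terminal, after the system command more is run on the text file text.txt, it always exits (exit 0). This is because more exits automatically once it has gone through the large text file. (The wording here is slightly different; see Q3, the detailed description of more's v command.)
This explains why the connection closed automatically after running ssh -i bandit26.sshkey bandit26@localhost -p 2220 earlier. It also explains why the next level cannot be opened.

Copy that command beforehand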

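So, using the behaviour of more's v command, shrink the terminal window (until it is very, very small, ideally the minimum). Run the copied command with a keyboard shortcut. Press v and type the commands from the Q1 screenshot: :!ls works, while :shell gets no response.

Likewise, following the Q2 screenshot, enter :set shell? and see shell=/usr/bin/showtext

That is not what we need; we want the shell to be /bin/bash. So enter the command set shell=/bin/bash.

Enter :set shell? to view the value shell is set to

Press Enter; the shell is now what we need.

Now enter :shell and a terminal appears.

The password below is then immediately available.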

Summary: this level uses the interactive modes of the shell and vi to simulate a shell escape. Who knew you could do that?!

Level 26 → Level 27

Level Goal

Good job getting a shell! Now hurry and grab the password for bandit27!

Commands you may need to solve this level

ls

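Something odd: the password obtained in level 25 does not get into level 26 and never seems to work. That is, the password from the previous level (s0773xxkk0MXfdqOfPRVr9L3jJBUOgCZ) cannot open ssh -p 2220 bandit26@bandit.labs.overthewire.org for level 26; the connection always fails.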

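This is because, as /usr/bin/showtext shows, the system exits automatically after Linux has read the large text. So I thought of carrying on in the terminal opened from vi's :shell in level 25.
Unfortunately, if you have already closed the previous level, you have to go back to it and work through it again until the shell terminal appears.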

Then the approach is the same as level 19? I was thoroughly shocked.

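Connecting to level 27 with the password obtained (upsNCc7vzaRDx6oZC6GiR6ERwe1MowGB) works straight away! That shows my guess was right! This level really is tkl!

Summary: this combines the previous level with level 19. Solving composite problems really does come step by step! Without the fundamentals, everything shakes.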

Level 27 → Level 28

Level Goal

There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo via the port 2220. The password for the user bandit27-git is the same as for the user bandit27.

Clone the repository and find the password for the next level.

Commands you may need to solve this level

git

The next few levels are all about git, so you can set aside some time and do them together.

The password is found in the README file in the staging area.

Level 28 → Level 29

Level Goal

There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo via the port 2220. The password for the user bandit28-git is the same as for the user bandit28.

Clone the repository and find the password for the next level.

Commands you may need to solve this level

git

Up to git clone, this is similar to the previous level.

If you have forgotten the password, view it with cat /etc/bandit_pass/bandit28.

Then look at the files in repo; the password turns out to be encrypted.

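Look at the log and inspect each commit.

[!note] git checkout
git checkout <hash> switches to a specific commit. In Git, every commit produces a unique hash (the commit hash), which can be used to locate that particular commit.

Continuing, there is a commit with the message 'add missing data'; checking out its hash with git checkout yields the password for bandit29.

It is 4pT1t5DENaYuqnqvadYs1oE4QLCdjmJ7!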

Level 29 → Level 30

Level Goal

There is a git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo via the port 2220. The password for the user bandit29-git is the same as for the user bandit29.

Clone the repository and find the password for the next level.

Commands you may need to solve this level

git

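Create and switch to the directory sc, then git clone.

Looking inside the repo, there is only a username and no password. Looking at other branches, returning to the master branch and checking the current version still turn up little.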

List all branches and check their subdirectories.

Level 30 → Level 31

Level Goal

There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo via the port 2220. The password for the user bandit30-git is the same as for the user bandit30.

Clone the repository and find the password for the next level.

Commands you may need to solve this level

git

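I created the directory sd, but git clone kept reporting insufficient permissions. After switching to se, the clone succeeded!
In fact it should be possible to get around this with the chown command; it is worth reading chown. Since it worked here, that is not demonstrated.

Try what worked in the previous levels. Nothing turns up; an empty file?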

[!note] git tag
git tag lists all tags.
git show secret shows the details of the commit that the secret tag points to.

Finally, the tag is used to find and show the password.
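
An added example, not from the original post, covering the three places Levels 28 to 30 found a password: an earlier commit, another branch and a tag. It audits a clone for a string that is gone from the working tree but still reachable in git; the function name scan_repo and the output labels are assumptions made for this illustration.

```bash
#!/usr/bin/env bash
# Added example: find where a removed secret is still reachable in a git clone.

# scan_repo REPO REGEX
# Prints "history <short-hash> <subject>" for every commit, on any branch or
# tag, whose diff adds or removes a matching line, and "blob-ref <refname>"
# for every ref that points straight at a matching file object.
scan_repo() {
    local repo="$1" pat="$2" ref obj
    # --all walks every ref, so commits on other branches are included;
    # -G selects commits whose patch text has an added or removed match.
    git -C "$repo" log --all --format='history %h %s' -G"$pat"
    # A tag can name a blob directly; such objects are in no commit's history.
    git -C "$repo" for-each-ref --format='%(refname)' |
    while read -r ref; do
        # ^{} peels annotated tags down to the object they name.
        obj=$(git -C "$repo" rev-parse --verify -q "$ref^{}") || continue
        [ "$(git -C "$repo" cat-file -t "$obj")" = blob ] || continue
        if git -C "$repo" cat-file -p "$obj" | grep -Eq -e "$pat"; then
            echo "blob-ref $ref"
        fi
    done
}

# Stand-alone use: ./scan.sh path/to/repo 'password: [A-Za-z0-9]{32}'
if [ "$#" -ge 2 ]; then
    scan_repo "$1" "$2"
fi
```

A "history" hit on a commit that only removes the line means the value is still readable in that commit's parent, so overwriting a leaked credential in a later commit does not take it out of the repository.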

Level 31 → Level 32

Level Goal

There is a git repository at ssh://bandit31-git@localhost/home/bandit31-git/repo via the port 2220. The password for the user bandit31-git is the same as for the user bandit31.

Clone the repository and find the password for the next level.

Commands you may need to solve this level

git

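After git clone, edit the file with nano and enter what follows Content (without the quotes).

Or redirect the text with echo "May I come in?".

Look at the root directory after writing the file, and commit key.txt to the remote. But a message says .gitignore is overridden (?) and key.txt is ignored. So try reading and deleting .gitignore.
Then submit key.txt again and check the current status: key.txt has been committed (new file: key.txt).

Stage, commit and push to the remote repository: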

Level 32 → Level 33

Level Goal

After all this git stuff, it’s time for another escape. Good luck!

Commands you may need to solve this level

sh, man

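No level goal is given? Confusing.
After opening the level, whatever you type is turned into upper case and a permission error is reported. This matches the “WELCOME TO THE UPPERCASE SHELL” banner shown before the level.

After several attempts, it turns out that $0 can be used to get around it.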

Level 33 → Level 34

At this moment, level 34 does not exist yet.
