Wargames: the Linux challenge game (OverTheWire Bandit)

2018/08/24 | Linux | 39613 words

A walkthrough of the Linux wargame. I wanted to use this game to get familiar with Linux commands, and I worked through it with the help of other people's walkthroughs; this post mainly records my own hands-on process.

References:
http://overthewire.org/wargames/bandit/
Linux Wargame Walkthrough
Linux Wargame Walkthrough (continued)
Over The Wire

Before each level, read the level description and the hints.

Level 0 → Level 1

$ ssh -p 2220 bandit0@bandit.labs.overthewire.org

bandit0@bandit:~$ ls
readme
bandit0@bandit:~$ cat readme
boJ9jbbUNNfktd78OOpsqOltutMc3MY1	=> the ssh password for the next level

Level 1 → Level 2

$ ssh -p 2220 bandit1@bandit.labs.overthewire.org

bandit1@bandit:~$ ls
-
bandit1@bandit:~$ cat ./-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

Level 2 → Level 3

$ ssh -p 2220 bandit2@bandit.labs.overthewire.org
bandit2@bandit:~$ cat spaces\ in\ this\ filename	<=> I used tab completion for the file name here
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

Level 3 → Level 4

$ ssh -p 2220 bandit3@bandit.labs.overthewire.org
bandit3@bandit:~$ cd inhere
bandit3@bandit:~/inhere$ cat .hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB

Level 4 → Level 5

$ ssh -p 2220 bandit4@bandit.labs.overthewire.org
bandit4@bandit:~/inhere$ ls
-file00  -file01  -file02  -file03  -file04  -file05  -file06  -file07  -file08  -file09
bandit4@bandit:~/inhere$ file ./*	<=>	the "file" command identifies the file type
./-file00: data
./-file01: data
./-file02: data
./-file03: data
./-file04: data
./-file05: data
./-file06: data
./-file07: ASCII text
./-file08: data
./-file09: data
bandit4@bandit:~/inhere$ cat ./-file07
koReBOKuIDDepwhWk7jZC0RTdopnAYKh

Level 5 → Level 6

$ ssh -p 2220 bandit5@bandit.labs.overthewire.org
bandit5@bandit:~$ ls
inhere
bandit5@bandit:~$ cd inhere
bandit5@bandit:~/inhere$ ls
bandit5@bandit:~/inhere$ ls -l
total 80
drwxr-x--- 2 root bandit5 4096 Oct 16 14:00 maybehere00
drwxr-x--- 2 root bandit5 4096 Oct 16 14:00 maybehere01
drwxr-x--- 2 root bandit5 4096 Oct 16 14:00 maybehere02
drwxr-x--- 2 root bandit5 4096 Oct 16 14:00 maybehere03
drwxr-x--- 2 root bandit5 4096 Oct 16 14:00 maybehere04
drwxr-x--- 2 root bandit5 4096 Oct 16 14:00 maybehere05
drwxr-x--- 2 root bandit5 4096 Oct 16 14:00 maybehere06
drwxr-x--- 2 root bandit5 4096 Oct 16 14:00 maybehere07
drwxr-x--- 2 root bandit5 4096 Oct 16 14:00 maybehere08
drwxr-x--- 2 root bandit5 4096 Oct 16 14:00 maybehere09
drwxr-x--- 2 root bandit5 4096 Oct 16 14:00 maybehere10
drwxr-x--- 2 root bandit5 4096 Oct 16 14:00 maybehere11
drwxr-x--- 2 root bandit5 4096 Oct 16 14:00 maybehere12
drwxr-x--- 2 root bandit5 4096 Oct 16 14:00 maybehere13
drwxr-x--- 2 root bandit5 4096 Oct 16 14:00 maybehere14
drwxr-x--- 2 root bandit5 4096 Oct 16 14:00 maybehere15
drwxr-x--- 2 root bandit5 4096 Oct 16 14:00 maybehere16
drwxr-x--- 2 root bandit5 4096 Oct 16 14:00 maybehere17
drwxr-x--- 2 root bandit5 4096 Oct 16 14:00 maybehere18
drwxr-x--- 2 root bandit5 4096 Oct 16 14:00 maybehere19
bandit5@bandit:~/inhere$ find . -type f -size 1033c
./maybehere07/.file2
bandit5@bandit:~/inhere$ cat ./maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7

A closer look at this command:

$ find . -type f -size 1033c
"ls -l" lists not only the file names but also the file type, permissions, owner, size and so on; it shows that there are many directories here.

"find . -type f -size 1033c": "." searches the current directory and its subdirectories,
-type f restricts the match to regular files, and -size 1033c requires a size of exactly 1033 bytes.
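As an added example (not from the original post), the following script shows how the -size test behaves with and without the "c" suffix. The sample tree is constructed in a temporary directory and only mimics the level's layout; the file names are made up.

```shell
#!/bin/sh
# Added example: find -size with an exact byte count versus the default
# 512-byte block unit. Sample files are constructed, not the level's files.

build_find_sample() {
  # $1: directory to populate. Three files surround the target size.
  d=$1
  mkdir -p "$d/maybehere00" "$d/maybehere01"
  head -c 1032 /dev/zero > "$d/maybehere00/file1"    # one byte too small
  head -c 1033 /dev/zero > "$d/maybehere01/.file2"   # exact match, and a dotfile
  head -c 1034 /dev/zero > "$d/maybehere01/file3"    # one byte too large
}

find_exact_size() {
  # $1: directory, $2: size in bytes.
  # "1033c" means exactly 1033 bytes. -type f keeps regular files only, so
  # the directories (whose own size is 4096) can never match.
  find "$1" -type f -size "${2}c" 2>/dev/null
}

find_block_size() {
  # $1: directory, $2: size in 512-byte blocks (the default unit of -size).
  # find rounds sizes UP to whole blocks, so "-size 3" covers 1025..1536 bytes
  # and matches all three sample files. That is why the "c" suffix matters.
  find "$1" -type f -size "$2" 2>/dev/null
}

count_lines() { wc -l | tr -d ' '; }
```

The same rounding applies to `-size -1033c` (strictly smaller) and `-size +1033c` (strictly larger), so an "exactly N bytes" hint is always safest expressed as `Nc`.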

Level 6 → Level 7

Follow the hints given in the level description.

bandit6@bandit:~$ find / -group bandit6 -user bandit7 -size 33c 2>/dev/null
/var/lib/dpkg/info/bandit7.password
bandit6@bandit:~$ cat /var/lib/dpkg/info/bandit7.password
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

The main thing to explain here is:

2>/dev/null
which means the error messages are discarded.

2: a file descriptor
A file descriptor is an integer associated with a file's input and output; the system uses it to keep track of open files. The most common descriptors are stdin, stdout and stderr. The contents of one file descriptor can be redirected to another.
The descriptors we usually meet are the three reserved by the system, 0, 1 and 2, which correspond to:
0: stdin (standard input)
1: stdout (standard output)
2: stderr (standard error)

>: the redirection operator

/dev/null: a special device file; any data written to it is discarded. For that reason the null device is often called the bit bucket or the black hole.
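As an added example (not from the original post), the functions below separate the two output streams of a command so the effect of each redirection can be counted. They use ls on one existing and one missing path as a constructed stand-in for the "Permission denied" noise that find produces when it walks /.

```shell
#!/bin/sh
# Added example: the redirections that matter when searching with find,
# each wrapped in a function that counts the lines reaching the pipe.

count_lines() { wc -l | tr -d ' '; }

stdout_only() {
  # "2>/dev/null": fd 2 (stderr) goes to the bit bucket, fd 1 stays on the pipe.
  "$@" 2>/dev/null | count_lines
}

stderr_only() {
  # Order matters. "2>&1" first copies fd 1 (still the pipe) onto fd 2,
  # then ">/dev/null" re-points fd 1 alone, so only stderr reaches the pipe.
  "$@" 2>&1 >/dev/null | count_lines
}

both_streams() {
  # "2>&1" while fd 1 is the pipe sends both streams down the pipe.
  "$@" 2>&1 | count_lines
}

silenced() {
  # ">/dev/null 2>&1": fd 1 to /dev/null first, then fd 2 copies it. Nothing escapes.
  "$@" >/dev/null 2>&1 | count_lines
}
```

The pair stderr_only / silenced is the one people get wrong: `>/dev/null 2>&1` and `2>&1 >/dev/null` look alike but redirect different streams, because each redirection copies the descriptor as it is at that moment.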

Level 7 → Level 8

bandit7@bandit:~$ grep millionth data.txt
millionth	cvX2JJa4CFALtqS87jk27qwqGhBM9plV
bandit7@bandit:~$ 
grep match_pattern file_name: searches a file for a word; the command returns the lines that contain "match_pattern".

Level 8 → Level 9

bandit8@bandit:~$ sort data.txt | uniq -u
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
sort sorts the contents of a text file, line by line.
"uniq -u" compares each line with the one directly above it to decide whether it occurs only once.
uniq detects repeated lines in a text file.
-u or --unique prints only the lines that occur exactly once.
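As an added example (not from the original post), here is why sort has to run before uniq -u: uniq only compares a line with its immediate neighbour, so duplicates that are not adjacent are reported as unique. The sample file is constructed.

```shell
#!/bin/sh
# Added example: sort | uniq -u versus a bare uniq -u on a constructed file
# in which every duplicate is separated from its twin by another line.

build_uniq_sample() {
  # $1: path to write. "theone" occurs once; dupA and dupB occur twice, non-adjacently.
  printf '%s\n' dupA theone dupB dupA dupB > "$1"
}

unique_lines() {
  # the level's recipe: sort first so that equal lines become neighbours
  sort "$1" | uniq -u
}

unique_lines_naive() {
  # WITHOUT sort: every line differs from the one above it, so all 5 are printed
  uniq -u "$1"
}

count_lines() { wc -l | tr -d ' '; }
```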

Level 9 → Level 10

bandit9@bandit:~$ strings data.txt | grep ==
2========== the
========== password
========== isa
========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
strings finds the printable character sequences in a file and prints those that are at least 4 characters long; a sequence ends at a newline or a NUL byte.
grep then filters for the strings that contain "==".

Level 10 → Level 11

bandit10@bandit:~$ cat data.txt
VGhlIHBhc3N3b3JkIGlzIElGdWt3S0dzRlc4TU9xM0lSRnFyeEUxaHhUTkViVVBSCg==
bandit10@bandit:~$ base64 -d data.txt
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

Level 11 → Level 12

bandit11@bandit:~$ cat data.txt
Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh
bandit11@bandit:~$ cat data.txt | tr 'a-zA-Z' 'n-za-mN-ZA-M'
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
The tr command takes two character sets as arguments and replaces each character of the first set with the character at the same position in the second set.
The level says the letters are rotated by 13 positions, which means the first and the last thirteen letters of the 26-letter alphabet swap places. The character sets given to tr are built to follow that mapping.
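As an added example (not from the original post), the three decoding steps of levels 9 to 11 as reusable shell functions. printable_runs is a small stand-in for strings, b64decode wraps base64 -d, and rot generalises the tr call from ROT13 to any shift, building the rotated alphabets instead of hard-coding "n-za-mN-ZA-M". The binary sample fed to printable_runs is constructed inline; the base64 and ROT13 inputs are the ones from the level transcripts above.

```shell
#!/bin/sh
# Added example: a strings look-alike, a base64 decoder and a general ROT-N
# built on tr. GNU base64/tr are assumed (as on the game server).

printable_runs() {
  # cut the input at every non-printable byte and keep runs of at least
  # 4 printable characters, the default minimum length of strings(1)
  LC_ALL=C tr -c '[:print:]' '\n' | grep -E '^.{4,}$'
}

b64decode() {
  # $1: base64 text; the decoded bytes go to stdout
  printf '%s' "$1" | base64 -d
}

rot() {
  # $1: shift, 13 for ROT13. The two alphabets tr needs are the plain alphabet
  # and the same alphabet rotated by the shift; for 13 this yields exactly
  # the level's second set, "n-za-mN-ZA-M".
  n=$(( $1 % 26 ))
  lower=abcdefghijklmnopqrstuvwxyz
  upper=ABCDEFGHIJKLMNOPQRSTUVWXYZ
  if [ "$n" -eq 0 ]; then cat; return; fi
  lo_head=$(printf '%s' "$lower" | cut -c1-"$n")
  lo_tail=$(printf '%s' "$lower" | cut -c"$((n + 1))"-)
  up_head=$(printf '%s' "$upper" | cut -c1-"$n")
  up_tail=$(printf '%s' "$upper" | cut -c"$((n + 1))"-)
  tr "$lower$upper" "$lo_tail$lo_head$up_tail$up_head"
}
```

Because ROT-N followed by ROT-(26-N) is the identity, `rot 13 | rot 13` decodes what it encoded; that round trip is the quickest self-check of the character sets.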

Level 12 → Level 13

bandit12@bandit:~$ ls
data.txt
bandit12@bandit:~$ mkdir /tmp/catcher
mkdir: cannot create directory ‘/tmp/catcher’: File exists
bandit12@bandit:~$ cp data.txt /tmp/catcher
bandit12@bandit:~$ cd /tmp/catcher
bandit12@bandit:/tmp/catcher$ ls
data.txt
bandit12@bandit:/tmp/catcher$ file data.txt
data.txt: ASCII text
bandit12@bandit:/tmp/catcher$ man xxd
bandit12@bandit:/tmp/catcher$ xxd -r data.txt
[binary output omitted: xxd -r wrote the decoded bytes straight to the terminal]
bandit12@bandit:/tmp/catcher$ xxd -r data.txt newdata
bandit12@bandit:/tmp/catcher$ ls
data.txt  newdata
bandit12@bandit:/tmp/catcher$ file newdata
newdata: gzip compressed data, was "data2.bin", last modified: Tue Oct 16 12:00:23 2018, max compression, from Unix
bandit12@bandit:/tmp/catcher$ man gzip
bandit12@bandit:/tmp/catcher$ mv newdata newdata.gz
bandit12@bandit:/tmp/catcher$ ls
data.txt  newdata.gz
bandit12@bandit:/tmp/catcher$ gzip -d newdata.gz
bandit12@bandit:/tmp/catcher$ ls
data.txt  newdata
bandit12@bandit:/tmp/catcher$ file newdata
newdata: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/catcher$ man bzip2
bandit12@bandit:/tmp/catcher$ mv newdata newdata.bz2
bandit12@bandit:/tmp/catcher$ ls
data.txt  newdata.bz2
bandit12@bandit:/tmp/catcher$ bzip2 -d newdata.bz2
bandit12@bandit:/tmp/catcher$ ls
data.txt  newdata
bandit12@bandit:/tmp/catcher$ file newdata
newdata: gzip compressed data, was "data4.bin", last modified: Tue Oct 16 12:00:23 2018, max compression, from Unix
bandit12@bandit:/tmp/catcher$ mv newdata newdata.gz
bandit12@bandit:/tmp/catcher$ gzip -d newdata.gz
bandit12@bandit:/tmp/catcher$ ls
data.txt  newdata
bandit12@bandit:/tmp/catcher$ file newdata
newdata: POSIX tar archive (GNU)
bandit12@bandit:/tmp/catcher$ man tar
bandit12@bandit:/tmp/catcher$ tar -xvf newdata
data5.bin
bandit12@bandit:/tmp/catcher$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@bandit:/tmp/catcher$ tar -xvf data5.bin
data6.bin
bandit12@bandit:/tmp/catcher$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/catcher$ mv data6.bin data6.bz2
bandit12@bandit:/tmp/catcher$ bzip2 -d data6.bz2
bandit12@bandit:/tmp/catcher$ ls
data5.bin  data6  data.txt  newdata
bandit12@bandit:/tmp/catcher$ file data6
data6: POSIX tar archive (GNU)
bandit12@bandit:/tmp/catcher$ tar -xvf data6
data8.bin
bandit12@bandit:/tmp/catcher$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", last modified: Tue Oct 16 12:00:23 2018, max compression, from Unix
bandit12@bandit:/tmp/catcher$ mv data8.bin data9.gz
bandit12@bandit:/tmp/catcher$ ls
data5.bin  data6  data9.gz  data.txt  newdata
bandit12@bandit:/tmp/catcher$ gzip -d data9.gz
bandit12@bandit:/tmp/catcher$ ls
data5.bin  data6  data9  data.txt  newdata
bandit12@bandit:/tmp/catcher$ file data9
data9: ASCII text
bandit12@bandit:/tmp/catcher$ cat data9
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
The file starts out as a hex dump; "xxd -r" converts the hex dump back into a binary file.
After that, at every step check the file type and rename the file with the matching extension.
The decompression tools used are mainly "bzip2 -d", "gzip -d" and "tar -xvf".
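As an added example (not from the original post), the level-12 loop automated. Rather than renaming by extension, each layer is identified by its magic bytes (the same information `file` reads), unpacked once, and the result examined again until plain text remains. The nested sample is constructed with gzip and tar only so that it runs with coreutils; the bzip2 and xxd branches mirror the level's chain but are not exercised by the sample.

```shell
#!/bin/sh
# Added example: identify a container by magic bytes and unwrap it layer by
# layer. The sample archive chain is constructed, not the level's data.txt.

layer_type() {
  # prints gzip | bzip2 | tar | hexdump | text for file $1
  case "$(od -An -tx1 -N4 "$1" | tr -d ' \n')" in
    1f8b*)   echo gzip;  return ;;   # gzip starts with 1f 8b
    425a68*) echo bzip2; return ;;   # bzip2 starts with "BZh"
  esac
  # POSIX tar headers carry "ustar" at byte offset 257
  if [ "$(dd if="$1" bs=1 skip=257 count=5 2>/dev/null)" = ustar ]; then
    echo tar; return
  fi
  # an xxd hex dump begins with an 8-digit offset followed by ": "
  if head -c 10 "$1" | grep -q '^[0-9a-f]\{8\}: '; then
    echo hexdump; return
  fi
  echo text
}

unwrap() {
  # $1: file to unwrap, $2: scratch directory. Prints the innermost text.
  work=$2
  cp "$1" "$work/cur"
  while :; do
    case "$(layer_type "$work/cur")" in
      gzip)    gzip -dc "$work/cur" > "$work/next" ;;
      bzip2)   bzip2 -dc "$work/cur" > "$work/next" ;;
      hexdump) xxd -r "$work/cur" > "$work/next" ;;
      tar)     # the level's archives hold one member: extract it and go on
               member=$(tar -tf "$work/cur" | head -n 1)
               tar -xf "$work/cur" -C "$work" "$member"
               mv "$work/$member" "$work/next" ;;
      text)    cat "$work/cur"; return 0 ;;
    esac
    mv "$work/next" "$work/cur"
  done
}

build_nested_sample() {
  # $1: scratch directory. Builds text -> gzip -> tar -> gzip -> tar ("outer").
  printf 'The password is CONSTRUCTED_SAMPLE_VALUE\n' > "$1/data9.bin"
  gzip -c "$1/data9.bin" > "$1/data8.bin"
  (cd "$1" && tar -cf data6.bin data8.bin)
  gzip -c "$1/data6.bin" > "$1/data5.bin"
  (cd "$1" && tar -cf outer data5.bin)
}
```

Checking magic bytes instead of trusting a name is also the defensive habit: an upload called `report.txt` that begins with `1f 8b` is a gzip stream whatever its extension says.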

https://dynamicparallax.wordpress.com/2015/09/22/bandit-level-12-%E2%86%92-level-13/

Level 13 → Level 14

bandit13@bandit:~$ ls
sshkey.private
bandit13@bandit:~$ ssh -i sshkey.private bandit14@localhost
bandit14@bandit:~$ cat  /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
ssh
-i: specifies the identity (private key) file

Level 14 → Level 15

bandit14@bandit:~$ nc localhost 30000
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr
Connect directly to local port 30000 with nc; after the current level's password is entered, the next level's password is returned.

Level 15 → Level 16

bandit15@bandit:~$ openssl s_client -quiet -connect localhost:30001
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
BfMYroe26WYalil77FoDi9qh59eK5xNr
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd

bandit15@bandit:~$ openssl s_client -connect localhost:30001
CONNECTED(00000003)
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
---
Certificate chain
 0 s:/CN=localhost
   i:/CN=localhost
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/CN=localhost
issuer=/CN=localhost
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1019 bytes and written 269 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 80262F7928E2C9288C931689BBB5C293B7CDFFC08296B783E00CA60EC58873F8
    Session-ID-ctx: 
    Master-Key: 2C67B9CD46A98D58CD30B68930C87BE7AA345F342974D172B731E4C16B64CCF89BFAF5024571B21E0670AC36BA75C9C3
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 32 a4 5b 29 4b c8 06 db-a5 7e c7 95 4f fd c4 c1   2.[)K....~..O...
    0010 - b7 19 ed 5a 5f c1 a7 25-02 11 47 bc 3d 4a 70 a7   ...Z_..%..G.=Jp.
    0020 - 78 17 b6 bd db e8 be 94-2d 72 a4 03 b8 b3 65 a5   x.......-r....e.
    0030 - 28 35 ab de fc 56 f1 76-66 64 b0 49 88 d1 a3 bc   (5...V.vfd.I....
    0040 - e6 64 8b 1a 1b 30 98 77-de 99 3e 43 b0 98 99 a8   .d...0.w..>C....
    0050 - 88 02 a0 e3 0d ff 2e de-91 68 fb 4c 56 62 08 2b   .........h.LVb.+
    0060 - 5b ed 26 2a af 46 c4 46-81 d8 1a c8 2e 16 e1 94   [.&*.F.F........
    0070 - 53 1d 62 02 db c3 f3 b8-f4 80 49 0f 48 e0 bd f3   S.b.......I.H...
    0080 - 0c 87 50 e0 ed 69 af fe-05 8c 84 d9 c8 d2 67 ed   ..P..i........g.
    0090 - ae 33 50 10 c5 76 53 31-6c fe 9f 16 ee a3 76 13   .3P..vS1l.....v.

    Start Time: 1549251437
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: yes
---
BfMYroe26WYalil77FoDi9qh59eK5xNr
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd

closed
Submit the current level's password over an SSL-encrypted connection to port 30001 on localhost to retrieve the next level's password.

openssl
-ign_eof: do not close the connection when the input reaches end of file.
-quiet: do not print the session and certificate information; this also turns on -ign_eof.

Connecting to a remote server:
openssl s_client -connect www.google.com.hk:443

Level 16 → Level 17

bandit16@bandit:~$ nmap -p31000-32000 localhost

Starting Nmap 7.40 ( https://nmap.org ) at 2019-02-05 03:14 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00032s latency).
Not shown: 999 closed ports
PORT      STATE SERVICE
31518/tcp open  unknown
31790/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds
bandit16@bandit:~$ echo cluFn7wTiGryunymYOu4RcffSxQluehd | openssl s_client -quiet -connect localhost:31518
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
cluFn7wTiGryunymYOu4RcffSxQluehd
^C
bandit16@bandit:~$ echo cluFn7wTiGryunymYOu4RcffSxQluehd | openssl s_client -quiet -connect localhost:31790
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
Correct!
-----BEGIN RSA PRIVATE KEY-----
[private key body omitted]
-----END RSA PRIVATE KEY-----
bandit16@bandit:~$ mkdir /tmp/yp
bandit16@bandit:~$ cd /tmp/yp
bandit16@bandit:/tmp/yp$ touch sshkey.private
bandit16@bandit:/tmp/yp$ vim sshkey.private
bandit16@bandit:/tmp/yp$ chmod 600 sshkey.private
bandit16@bandit:/tmp/yp$ ssh -i ./sshkey.private bandit17@localhost
Could not create directory '/home/bandit16/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit16/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

Linux bandit 4.18.12 x86_64 GNU/Linux
               
      ,----..            ,----,          .---. 
     /   /   \         ,/   .`|         /. ./|
    /   .     :      ,`   .'  :     .--'.  ' ;
   .   /   ;.  \   ;    ;     /    /__./ \ : |
  .   ;   /  ` ; .'___,/    ,' .--'.  '   \' .
  ;   |  ; \ ; | |    :     | /___/ \ |    ' ' 
  |   :  | ; | ' ;    |.';  ; ;   \  \;      : 
  .   |  ' ' ' : `----'  |  |  \   ;  `      |
  '   ;  \; /  |     '   :  ;   .   \    .\  ; 
   \   \  ',  /      |   |  '    \   \   ' \ |
    ;   :    /       '   :  |     :   '  |--"  
     \   \ .'        ;   |.'       \   \ ;     
  www. `---` ver     '---' he       '---" ire.org     
               
              
Welcome to OverTheWire!

If you find any problems, please report them to Steven or morla on
irc.overthewire.org.

--[ Playing the games ]--

  This machine might hold several wargames. 
  If you are playing "somegame", then:

    * USERNAMES are somegame0, somegame1, ...
    * Most LEVELS are stored in /somegame/.
    * PASSWORDS for each level are stored in /etc/somegame_pass/.

  Write-access to homedirectories is disabled. It is advised to create a
  working directory with a hard-to-guess name in /tmp/.  You can use the
  command "mktemp -d" in order to generate a random and hard to guess
  directory in /tmp/.  Read-access to both /tmp/ and /proc/ is disabled
  so that users can not snoop on eachother. Files and directories with 
  easily guessable or short names will be periodically deleted!
	
  Please play nice:
      
    * don't leave orphan processes running
    * don't leave exploit-files laying around
    * don't annoy other players
    * don't post passwords or spoilers
    * again, DONT POST SPOILERS! 
      This includes writeups of your solution on your blog or website!

--[ Tips ]--

  This machine has a 64bit processor and many security-features enabled
  by default, although ASLR has been switched off.  The following
  compiler flags might be interesting:

    -m32                    compile for 32bit
    -fno-stack-protector    disable ProPolice
    -Wl,-z,norelro          disable relro 

  In addition, the execstack tool can be used to flag the stack as
  executable on ELF binaries.

  Finally, network-access is limited for most levels by a local
  firewall.

--[ Tools ]--

 For your convenience we have installed a few usefull tools which you can find
 in the following locations:

    * pwndbg (https://github.com/pwndbg/pwndbg) in /usr/local/pwndbg/
    * peda (https://github.com/longld/peda.git) in /usr/local/peda/
    * gdbinit (https://github.com/gdbinit/Gdbinit) in /usr/local/gdbinit/
    * pwntools (https://github.com/Gallopsled/pwntools)
    * radare2 (http://www.radare.org/)
    * checksec.sh (http://www.trapkit.de/tools/checksec.html) in /usr/local/bin/checksec.sh

--[ More information ]--

  For more information regarding individual wargames, visit
  http://www.overthewire.org/wargames/

  For support, questions or comments, contact us through IRC on
  irc.overthewire.org #wargames.

  Enjoy your stay!
bandit17@bandit:~$ ls
passwords.new  passwords.old
bandit17@bandit:~$ cat /etc/bandit_pass/bandit17
xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn
The key thing to know here is where the Level 17 password lives: /etc/bandit_pass/bandit17
Below there is also another approach that obtains the Level 18 password directly and goes straight on to Level 19.

Level 17 → Level 18

A method that needs no password and obtains the Level 18 password directly.

bandit17@bandit:~$ ls
passwords.new  passwords.old
bandit17@bandit:~$ diff passwords.old passwords.new
42c42
< hlbSBPAWJmL6WFDb06gpTx1pPButblOA
---
> kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd

# the second one is the password for the next level

Level 18 → Level 19

Level 18 is done from inside the Level 17 shell.

bandit17@bandit:~$ ssh bandit18@localhost cat readme
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit17/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/home/bandit17/.ssh/id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "/home/bandit17/.ssh/id_rsa": bad permissions
bandit18@localhost's password: 
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

Level 19 → Level 20

bandit19@bandit:~$ ls
bandit20-do
bandit19@bandit:~$ ls -l bandit20-do 
-rwsr-x--- 1 bandit20 bandit19 7296 Oct 16 14:00 bandit20-do
bandit19@bandit:~$ ./bandit20-do 
Run a command as another user.
  Example: ./bandit20-do id
bandit19@bandit:~$ ./bandit20-do id
uid=11019(bandit19) gid=11019(bandit19) euid=11020(bandit20) groups=11019(bandit19)
bandit19@bandit:~$ ./bandit20-do whoami
bandit20
bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j

Level 20 → Level 21

bandit20@bandit:~$ echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | nc -l -p 2333
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
bandit20@bandit:~$ ls
suconnect
bandit20@bandit:~$ ./suconnect 
Usage: ./suconnect <portnumber>
This program will connect to the given port on localhost using TCP. If it receives the correct password from the other side, the next password is transmitted back.
bandit20@bandit:~$ ./suconnect 2333
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password

Level 21 → Level 22

bandit21@bandit:~$ cd /etc/cron.d/
bandit21@bandit:/etc/cron.d$ ls -al
total 24
drwxr-xr-x  2 root root 4096 Oct 16 14:00 .
drwxr-xr-x 88 root root 4096 Oct 16 14:00 ..
-rw-r--r--  1 root root  120 Oct 16 14:00 cronjob_bandit22
-rw-r--r--  1 root root  122 Oct 16 14:00 cronjob_bandit23
-rw-r--r--  1 root root  120 Oct 16 14:00 cronjob_bandit24
-rw-r--r--  1 root root  102 Oct  7  2017 .placeholder
bandit21@bandit:/etc/cron.d$ cat cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
bandit21@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit22.sh 
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
bandit21@bandit:/etc/cron.d$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
cron is the Linux program that runs specified tasks automatically (scheduled tasks).
In "* * * * * bandit22   /usr/bin/cronjob_bandit22.sh &> /dev/null", the five "*" fields mean the script runs every minute.

#!/bin/bash declares that this is a bash script.
chmod 644 means only the owner may write; every other user may only read (/tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv).

The last two lines are what the script does: write /etc/bandit_pass/bandit22 into /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv.

Level 22 → Level 23

bandit22@bandit:/etc/cron.d$ cd /etc/cron.d
bandit22@bandit:/etc/cron.d$ ls -al
total 24
drwxr-xr-x  2 root root 4096 Oct 16 14:00 .
drwxr-xr-x 88 root root 4096 Oct 16 14:00 ..
-rw-r--r--  1 root root  120 Oct 16 14:00 cronjob_bandit22
-rw-r--r--  1 root root  122 Oct 16 14:00 cronjob_bandit23
-rw-r--r--  1 root root  120 Oct 16 14:00 cronjob_bandit24
-rw-r--r--  1 root root  102 Oct  7  2017 .placeholder
bandit22@bandit:/etc/cron.d$ cat cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
bandit22@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget
bandit22@bandit:/etc/cron.d$ whoami
bandit22
bandit22@bandit:/etc/cron.d$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349
bandit22@bandit:/etc/cron.d$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
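As an added example (not from the original post), an audit of /etc/cron.d-style entries that does what levels 21 to 23 do by hand. parse_crond splits each job line into user, schedule and command; jobs_exposing_tmp follows the command to its script and reports the jobs whose script writes under /tmp, the world-writable location both levels rely on; predict_target reproduces the filename derivation from cronjob_bandit23.sh to show that such a "secret" path is computable by anyone who can read the script. The cron file and scripts used are constructed in a temporary directory; the field layout assumed is the standard one for /etc/cron.d (five time fields or an @keyword, then the user, then the command).

```shell
#!/bin/sh
# Added example: parse cron.d job lines and flag jobs that drop data in /tmp.
# The sample cron file and scripts are constructed; only the derivation in
# predict_target is taken from the level's cronjob_bandit23.sh.

parse_crond() {
  # $1: cron.d file. Output: user<TAB>schedule<TAB>command, one job per line.
  awk '
    /^[ \t]*#/ { next }                              # comment
    NF == 0    { next }                              # blank line
    /^[ \t]*[A-Za-z_][A-Za-z0-9_]*=/ { next }        # SHELL=..., PATH=... assignments
    {
      if ($1 ~ /^@/) { sched = $1; user = $2; first = 3 }              # @reboot, @daily ...
      else { sched = $1 " " $2 " " $3 " " $4 " " $5; user = $6; first = 7 }
      cmd = ""
      for (i = first; i <= NF; i++) cmd = cmd (i > first ? " " : "") $i
      printf "%s\t%s\t%s\n", user, sched, cmd
    }' "$1"
}

jobs_exposing_tmp() {
  # $1: cron.d file. Prints "user script" for every job whose script
  # (first word of the command) is readable and mentions a path under /tmp/.
  parse_crond "$1" | while IFS="$(printf '\t')" read -r user sched cmd; do
    script=${cmd%% *}
    if [ -r "$script" ] && grep -q '/tmp/' "$script"; then
      printf '%s %s\n' "$user" "$script"
    fi
  done
}

predict_target() {
  # $1: user name. The derivation used by cronjob_bandit23.sh: md5 of "I am user NAME".
  echo "I am user $1" | md5sum | cut -d ' ' -f 1
}

build_cron_sample() {
  # $1: scratch directory. One script that copies a file into /tmp, one that
  # does not, and a cron file with comment, assignment and blank lines to skip.
  printf '#!/bin/bash\ncat /etc/bandit_pass/bandit22 > /tmp/CONSTRUCTED_NAME\n' > "$1/job.sh"
  printf '#!/bin/bash\nlogger housekeeping\n' > "$1/clean.sh"
  {
    printf '# constructed sample, modelled on /etc/cron.d/cronjob_bandit22\n'
    printf 'SHELL=/bin/sh\n\n'
    printf '@reboot bandit22 %s/job.sh &> /dev/null\n' "$1"
    printf '* * * * * bandit22 %s/job.sh &> /dev/null\n' "$1"
    printf '0 3 * * * root %s/clean.sh\n' "$1"
  } > "$1/cronjob_sample"
}
```

On a real host the same walk over /etc/cron.d, /etc/crontab and the per-user spool directories gives a quick inventory of which scheduled job runs as which user and where it writes; a job owned by one user that leaves its output in a world-readable /tmp path is exactly the pattern these levels exploit.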

Level 23 → Level 24

This level seems a bit buggy: following the usual routine, I did not get the password I should have gotten.

bandit23@bandit:~$ cd /etc/cron.d
bandit23@bandit:/etc/cron.d$ ls
cronjob_bandit22  cronjob_bandit23  cronjob_bandit24
bandit23@bandit:/etc/cron.d$ ls -al
total 24
drwxr-xr-x  2 root root 4096 Oct 16 14:00 .
drwxr-xr-x 88 root root 4096 Oct 16 14:00 ..
-rw-r--r--  1 root root  120 Oct 16 14:00 cronjob_bandit22
-rw-r--r--  1 root root  122 Oct 16 14:00 cronjob_bandit23
-rw-r--r--  1 root root  120 Oct 16 14:00 cronjob_bandit24
-rw-r--r--  1 root root  102 Oct  7  2017 .placeholder
bandit23@bandit:/etc/cron.d$ cat cronjob_bandit24
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
bandit23@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
	echo "Handling $i"
	timeout -s 9 60 ./$i
	rm -f ./$i
    fi
done


bandit23@bandit:/etc/cron.d$ mkdir /tmp/crayon
bandit23@bandit:/etc/cron.d$ cd /tmp/crayon
bandit23@bandit:/tmp/crayon$ vim bandit24.sh
bandit23@bandit:/tmp/crayon$ cat bandit24.sh
#!/bin/bash
cat /etc/bandit_pass/bandit24 >> /tmp/crayon/level24
bandit23@bandit:/tmp/crayon$ chmod 777 bandit24.sh
bandit23@bandit:/tmp/crayon$ cp bandit24.sh /var/spool/bandit24
bandit23@bandit:/tmp/crayon$ chmod 777 /tmp/crayon
bandit23@bandit:/tmp/crayon$ ls /var/spool/bandit24
ls: cannot open directory '/var/spool/bandit24': Permission denied
bandit23@bandit:/tmp/crayon$ ls
bandit24.sh
bandit23@bandit:/tmp/crayon$ ls
bandit24.sh
bandit23@bandit:/tmp/crayon$ ls
bandit24.sh
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

chmod 777 filename makes the file readable, writable and executable by every user.
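As an added example (not from the original post), a stricter version of the loop in /usr/bin/cronjob_bandit24.sh above. The original executes every file that lands in the spool directory, which is what makes the level solvable; this version only runs regular files that belong to the invoking user and that nobody else can modify, skips symlinks and subdirectories, and enumerates dotfiles without the "." and ".." special case. The spool directory and scripts are constructed for the test; GNU find and coreutils timeout are assumed, as on the game server.

```shell
#!/bin/sh
# Added example: a spool runner that checks ownership and write permissions
# before executing anything. Sample spool contents are constructed.

run_spool() {
  # $1: spool directory. Prints "ran NAME" or "skipped NAME" per entry.
  dir=$1
  me=$(id -un)
  # the three globs cover plain names, dotfiles, and names starting with ".."
  # without ever matching "." or ".." themselves
  for f in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
    [ -e "$f" ] || [ -L "$f" ] || continue     # glob matched nothing
    name=${f##*/}
    # find prints the path only if every safety test holds: a regular file
    # (symlinks are not followed), owned by us, not group- or world-writable
    if [ -z "$(find "$f" -prune -type f -user "$me" ! -perm -g+w ! -perm -o+w)" ]; then
      printf 'skipped %s\n' "$name"
      continue
    fi
    timeout -s KILL 60 "$f" >/dev/null 2>&1
    printf 'ran %s\n' "$name"
    rm -f "$f"
  done
}

build_spool_sample() {
  # $1: scratch directory. Two safe scripts, one loose script, a symlink, a subdir.
  mkdir -p "$1/spool/subdir"
  for n in good.sh .hidden.sh loose.sh; do
    printf '#!/bin/sh\necho %s >> %s/log\n' "$n" "$1" > "$1/spool/$n"
  done
  chmod 700 "$1/spool/good.sh" "$1/spool/.hidden.sh"
  chmod 777 "$1/spool/loose.sh"              # writable by others: must be skipped
  ln -s /bin/true "$1/spool/link.sh"         # symlink: must be skipped
}
```

The ownership and mode checks are the same ones ssh applies to private keys (see the "UNPROTECTED PRIVATE KEY FILE" message in Level 18 above): a file anyone can rewrite cannot be trusted to hold what its owner put there.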

Level 24 → Level 25

bandit24@bandit:~$ cd /tmp/crayon
bandit24@bandit:/tmp/crayon$ vim data.py
bandit24@bandit:/tmp/crayon$ cat data.py
#!/usr/bin/env python
# write every "password pincode" pair, one per line, pincode zero-padded to 4 digits
f = open('crayon.txt', 'w')
passwd = "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ"
for id in range(10000):
    data = passwd + " " + str(id).zfill(4) + '\n'
    f.write(data)
f.close()
bandit24@bandit:/tmp/crayon$ python data.py
bandit24@bandit:/tmp/crayon$ ls
bandit24.sh  crayon.txt  data.py
bandit24@bandit:/tmp/crayon$ nc localhost 30002 < /tmp/crayon/crayon.txt > /tmp/crayon/password.txt
bandit24@bandit:/tmp/crayon$ ls
bandit24.sh  crayon.txt  data.py  password.txt
bandit24@bandit:/tmp/crayon$ sort ./password.txt | uniq -u

Correct!
Exiting.
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

Level 25 → Level 26

bandit25@bandit:~$ ls
bandit26.sshkey
bandit25@bandit:~$ ssh -i bandit26.sshkey bandit26@localhost
Connection to localhost closed.
bandit25@bandit:~$ cat /etc/passwd | grep bandit26
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
bandit25@bandit:~$ cat /usr/bin/showtext
#!/bin/sh

export TERM=linux

more ~/text.txt
exit 0

# Shrink the terminal window, then run ssh -i bandit26.sshkey bandit26@localhost again

When the More prompt appears, press v to enter the editor,
then use the command  :ex! /etc/bandit_pass/bandit26  to open the password file we need.
5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z
"/etc/bandit_pass/bandit26" [readonly] 1L, 33C                1,1           All
The more command displays one screen of text at a time and shows "more" together with the percentage displayed so far in the bottom-left corner. I had not seen that in the other logins, so it must be more showing the contents of text.txt: because the text fits on one screen, the more prompt never appears. Our approach builds on that property of more. We need to make it stop at a point where the screen cannot hold the whole file, i.e. make the terminal too short to show 6 lines (the height of the ASCII art), so that while more is paused we can use some of its features to run commands and find the next level's password.

Level 26 → Level 27

This continues from the previous level's shell.

ssh -p 2220 bandit26@bandit.labs.overthewire.org
:set shell=/bin/sh
:sh
$ ls -l
total 12
-rwsr-x--- 1 bandit27 bandit26 7296 Oct 16 14:00 bandit27-do
-rw-r----- 1 bandit26 bandit26  258 Oct 16 14:00 text.txt
$ cat text.txt
  _                     _ _ _   ___   __  
 | |                   | (_) | |__ \ / /  
 | |__   __ _ _ __   __| |_| |_   ) / /_  
 | '_ \ / _` | '_ \ / _` | | __| / / '_ \ 
 | |_) | (_| | | | | (_| | | |_ / /| (_) |
 |_.__/ \__,_|_| |_|\__,_|_|\__|____\___/ 
$ ./bandit27-do
Run a command as another user.
  Example: ./bandit27-do id
$ ./bandit27-do cat /etc/bandit_pass/bandit27
3ba3118a22e93127a4ed485be72ef5ea
$ 

Level 27 → Level 28

From this level onward the levels are about Git.

bandit27@bandit:~$ git clone ssh://bandit27-git@localhost/home/bandit27-git/repo
fatal: could not create work tree dir 'repo': Permission denied
bandit27@bandit:~$ cd /tmp/
bandit27@bandit:/tmp$ ls
ls: cannot open directory '.': Permission denied
bandit27@bandit:/tmp$ mkdir yppp
bandit27@bandit:/tmp$ cd yppp
bandit27@bandit:/tmp/yppp$ git clone ssh://bandit27-git@localhost/home/bandit27-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit27/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit27/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit27-git@localhost's password: 
remote: Counting objects: 3, done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 3 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (3/3), done.
bandit27@bandit:/tmp/yppp$ ls
repo
bandit27@bandit:/tmp/yppp$ cd repo/
bandit27@bandit:/tmp/yppp/repo$ ls
README
bandit27@bandit:/tmp/yppp/repo$ cat README 
The password to the next level is: 0ef186ac70e04ea33b4c1853d2526fa2
bandit27@bandit:/tmp/yppp/repo$ 

Level 28 → Level 29

bandit28@bandit:~$ cd /tmp/
bandit28@bandit:/tmp$ ls
ls: cannot open directory '.': Permission denied
bandit28@bandit:/tmp$ cd yyp
bandit28@bandit:/tmp/yyp$ ls
repo
bandit28@bandit:/tmp/yyp$ cd repo/
bandit28@bandit:/tmp/yyp/repo$ ls
README.md
bandit28@bandit:/tmp/yyp/repo$ cat README.md 
# Bandit Notes
Some notes for level29 of bandit.

## credentials

- username: bandit29
- password: xxxxxxxxxx

bandit28@bandit:/tmp/yyp/repo$ git log
commit 073c27c130e6ee407e12faad1dd3848a110c4f95
Author: Morla Porla <morla@overthewire.org>
Date:   Tue Oct 16 14:00:39 2018 +0200

    fix info leak

commit 186a1038cc54d1358d42d468cdc8e3cc28a93fcb
Author: Morla Porla <morla@overthewire.org>
Date:   Tue Oct 16 14:00:39 2018 +0200

    add missing data

commit b67405defc6ef44210c53345fc953e6a21338cc7
Author: Ben Dover <noone@overthewire.org>
Date:   Tue Oct 16 14:00:39 2018 +0200

    initial commit of README.md
bandit28@bandit:/tmp/yyp/repo$ git show 186a1038cc54d1358d42d468cdc8e3cc28a93fcb
commit 186a1038cc54d1358d42d468cdc8e3cc28a93fcb
Author: Morla Porla <morla@overthewire.org>
Date:   Tue Oct 16 14:00:39 2018 +0200

    add missing data

diff --git a/README.md b/README.md
index 7ba2d2f..3f7cee8 100644
--- a/README.md
+++ b/README.md
@@ -4,5 +4,5 @@ Some notes for level29 of bandit.
 ## credentials
 
 - username: bandit29
-- password: <TBD>
+- password: bbc96594b4e001778eee9975372716b2
 
bandit28@bandit:/tmp/yyp/repo$ 
git log lists all commits ordered by commit time, most recent first. Each entry shows the commit's SHA-1 checksum, the author's name and email address, the commit time, and finally the indented commit message. Running it here shows a total of three commits.

git show displays objects of various types: blobs, trees, tags and commits.

Level 29 → Level 30

bandit29@bandit:~$ ls
bandit29@bandit:~$ cd /tmp/
bandit29@bandit:/tmp$ mkdir yp29
bandit29@bandit:/tmp$ cd yp29
bandit29@bandit:/tmp/yp29$ git clone ssh://bandit29-git@localhost/home/bandit29-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit29/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit29/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit29-git@localhost's password: 
remote: Counting objects: 16, done.
remote: Compressing objects: 100% (11/11), done.
remote: Total 16 (delta 2), reused 0 (delta 0)
Receiving objects: 100% (16/16), done.
Resolving deltas: 100% (2/2), done.
bandit29@bandit:/tmp/yp29$ ls
repo
bandit29@bandit:/tmp/yp29$ cd repo/
bandit29@bandit:/tmp/yp29/repo$ ls
README.md
bandit29@bandit:/tmp/yp29/repo$ cat README.md 
# Bandit Notes
Some notes for bandit30 of bandit.

## credentials

- username: bandit30
- password: <no passwords in production!>

bandit29@bandit:/tmp/yp29/repo$ git branch -a
* master
  remotes/origin/HEAD -> origin/master
  remotes/origin/dev
  remotes/origin/master
  remotes/origin/sploits-dev
bandit29@bandit:/tmp/yp29/repo$ git checkout remotes/origin/dev
Note: checking out 'remotes/origin/dev'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:

  git checkout -b <new-branch-name>

HEAD is now at 33ce2e9... add data needed for development
bandit29@bandit:/tmp/yp29/repo$ git log
commit 33ce2e95d9c5d6fb0a40e5ee9a2926903646b4e3
Author: Morla Porla <morla@overthewire.org>
Date:   Tue Oct 16 14:00:41 2018 +0200

    add data needed for development

commit a8af722fccd4206fc3780bd3ede35b2c03886d9b
Author: Ben Dover <noone@overthewire.org>
Date:   Tue Oct 16 14:00:41 2018 +0200

    add gif2ascii

commit 84abedc104bbc0c65cb9eb74eb1d3057753e70f8
Author: Ben Dover <noone@overthewire.org>
Date:   Tue Oct 16 14:00:41 2018 +0200

    fix username

commit 9b19e7d8c1aadf4edcc5b15ba8107329ad6c5650
Author: Ben Dover <noone@overthewire.org>
Date:   Tue Oct 16 14:00:41 2018 +0200

    initial commit of README.md
bandit29@bandit:/tmp/yp29/repo$ git show 33ce2e95d9c5d6fb0a40e5ee9a2926903646b4e3
commit 33ce2e95d9c5d6fb0a40e5ee9a2926903646b4e3
Author: Morla Porla <morla@overthewire.org>
Date:   Tue Oct 16 14:00:41 2018 +0200

    add data needed for development

diff --git a/README.md b/README.md
index 1af21d3..39b87a8 100644
--- a/README.md
+++ b/README.md
@@ -4,5 +4,5 @@ Some notes for bandit30 of bandit.
 ## credentials
 
 - username: bandit30
-- password: <no passwords in production!>
+- password: 5b90576bedb2cc04c86a9e924ce42faf
 
bandit29@bandit:/tmp/yp29/repo$ 
Create a new branch:
git branch branchName

Switch to a branch:
git checkout branchName

The key here is switching branches: there are two branches, remotes/origin/dev and remotes/origin/sploits-dev. Check them one at a time, and then the routine is the same as in the previous level.

Level 30 → Level 31

bandit30@bandit:~$ ls
bandit30@bandit:~$ cd /tmp/
bandit30@bandit:/tmp$ mkdir yp30
bandit30@bandit:/tmp$ cd yp30
bandit30@bandit:/tmp/yp30$ git clone ssh://bandit30-git@localhost/home/bandit30-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit30/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit30/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit30-git@localhost's password: 
remote: Counting objects: 4, done.
remote: Total 4 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (4/4), done.
bandit30@bandit:/tmp/yp30$ ls
repo
bandit30@bandit:/tmp/yp30$ cd repo/
bandit30@bandit:/tmp/yp30/repo$ ls
README.md
bandit30@bandit:/tmp/yp30/repo$ cat README.md 
just an epmty file... muahaha
bandit30@bandit:/tmp/yp30/repo$ ls -al
total 16
drwxr-sr-x 3 bandit30 root 4096 Feb 10 04:04 .
drwxr-sr-x 3 bandit30 root 4096 Feb 10 04:04 ..
drwxr-sr-x 8 bandit30 root 4096 Feb 10 04:04 .git
-rw-r--r-- 1 bandit30 root   30 Feb 10 04:04 README.md
bandit30@bandit:/tmp/yp30/repo$ ls -al ./.git
total 52
drwxr-sr-x 8 bandit30 root 4096 Feb 10 04:04 .
drwxr-sr-x 3 bandit30 root 4096 Feb 10 04:04 ..
drwxr-sr-x 2 bandit30 root 4096 Feb 10 04:04 branches
-rw-r--r-- 1 bandit30 root  276 Feb 10 04:04 config
-rw-r--r-- 1 bandit30 root   73 Feb 10 04:04 description
-rw-r--r-- 1 bandit30 root   23 Feb 10 04:04 HEAD
drwxr-sr-x 2 bandit30 root 4096 Feb 10 04:04 hooks
-rw-r--r-- 1 bandit30 root  137 Feb 10 04:04 index
drwxr-sr-x 2 bandit30 root 4096 Feb 10 04:04 info
drwxr-sr-x 3 bandit30 root 4096 Feb 10 04:04 logs
drwxr-sr-x 4 bandit30 root 4096 Feb 10 04:04 objects
-rw-r--r-- 1 bandit30 root  165 Feb 10 04:04 packed-refs
drwxr-sr-x 5 bandit30 root 4096 Feb 10 04:04 refs
bandit30@bandit:/tmp/yp30/repo$ git reflog
3aa4c23 HEAD@{0}: clone: from ssh://bandit30-git@localhost/home/bandit30-git/repo
bandit30@bandit:/tmp/yp30/repo$ git show-ref
3aa4c239f729b07deb99a52f125893e162daac9e refs/heads/master
3aa4c239f729b07deb99a52f125893e162daac9e refs/remotes/origin/HEAD
3aa4c239f729b07deb99a52f125893e162daac9e refs/remotes/origin/master
f17132340e8ee6c159e0a4a6bc6f80e1da3b1aea refs/tags/secret
bandit30@bandit:/tmp/yp30/repo$ git show f17132340e8ee6c159e0a4a6bc6f80e1da3b1aea
47e603bb428404d265f59c42920d81e5
bandit30@bandit:/tmp/yp30/repo$ 
git clone also creates a .git directory holding everything git needs to work: the object store, the config file, branches and tags, the HEAD file, and so on.

git reflog records where HEAD and the local branch tips have pointed (commits, resets, checkouts, deleted commits), which is how a commit that is no longer on any branch can be found again. Reflogs are local and are not transferred by clone, so in a fresh clone it holds only the clone entry shown above and does not help here.
git show-ref lists the references in the local repository together with the object IDs they point to, and can also be used to test whether a particular ref exists. Here it exposes refs/tags/secret, a tag that points straight at a blob rather than a commit, which is why git show prints the password itself instead of a commit header and diff (git tag would have listed the name as well).
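The two git levels above come down to the same audit: look at every ref the clone knows about, not just the checked-out branch, and look at every object those refs reach, not just the tips. The script below is an added example written for this post, not code from the original page or from OverTheWire. It assumes git is installed, and the make_demo_repo function builds a throw-away repository with constructed data (a password committed on a dev branch and then "removed", plus a tag pointing straight at a blob) so the audit can be tried offline.

```shell
#!/bin/sh
# Added example, not code from the original page: enumerate every ref of a
# clone (branches, remote-tracking branches, tags) and search for
# credential-looking strings. Covers the bandit29 case (secret on a
# non-default branch, possibly "removed" by a later commit) and the bandit30
# case (a tag that points straight at a blob).
PATTERN='(password|passwd|secret|token|api[_-]?key)[[:space:]]*[:=]'

# git_secret_audit REPO
# Prints one line per hit: <ref>:<object>:<path>:<lineno>:<content>
git_secret_audit() {
    repo=$1
    git -C "$repo" for-each-ref --format='%(refname) %(objectname)' |
    while read -r ref oid; do
        # ^{} peels an annotated tag down to the object it points at.
        target=$(git -C "$repo" rev-parse "$oid^{}")
        case $(git -C "$repo" cat-file -t "$target") in
        commit)
            # Walk the whole history behind the ref, not only its tip: a
            # later commit that deletes the secret does not delete it from git.
            git -C "$repo" rev-list "$target" | while read -r c; do
                git -C "$repo" grep -I -n -i -E -e "$PATTERN" "$c" 2>/dev/null |
                    sed "s|^|$ref:|"
            done
            ;;
        blob)
            # refs/tags/secret in bandit30 points at a blob, which git grep on
            # a tree-ish never visits, so read the object directly.
            git -C "$repo" cat-file -p "$target" | grep -n -i -E -e "$PATTERN" |
                sed "s|^|$ref:$target::|"
            ;;
        esac
    done | sort -u
}

# make_demo_repo DIR
# Builds a throw-away repository with both leak patterns (constructed data,
# no real credentials) so the audit can be tried offline.
make_demo_repo() {
    d=$1
    export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
    export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
    mkdir -p "$d"
    git -C "$d" init -q 2>/dev/null
    echo 'username: bandit30' > "$d/README.md"
    git -C "$d" add README.md
    git -C "$d" commit -q -m 'initial commit of README.md'
    # dev branch: the password is committed, then "removed" again.
    git -C "$d" checkout -q -b dev
    echo 'password: hunter2-demo' >> "$d/README.md"
    git -C "$d" add README.md
    git -C "$d" commit -q -m 'add data needed for development'
    echo 'username: bandit30' > "$d/README.md"
    git -C "$d" add README.md
    git -C "$d" commit -q -m 'remove credentials'
    git -C "$d" checkout -q -
    # A tag on a blob that belongs to no commit, like bandit30's refs/tags/secret.
    blob=$(printf 'token=deadbeef-demo\n' | git -C "$d" hash-object -w --stdin)
    git -C "$d" tag secret "$blob"
}

# Usage: make_demo_repo /tmp/demo && git_secret_audit /tmp/demo
```

Run against the bandit clones, the commit case reports the dev branch commit even though a later commit on that branch no longer contains the line, and the blob case reports refs/tags/secret, which git grep alone would never show because the tag does not point at a tree.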

Level 31→ Level 32

bandit31@bandit:~$ ls
bandit31@bandit:~$ cd tmp
-bash: cd: tmp: No such file or directory
bandit31@bandit:~$ cd /tmp/
bandit31@bandit:/tmp$ cd yp31
bandit31@bandit:/tmp/yp31$ ls
repo
bandit31@bandit:/tmp/yp31$ cd repo
bandit31@bandit:/tmp/yp31/repo$ ls
README.md
bandit31@bandit:/tmp/yp31/repo$ ls -al
total 20
drwxr-sr-x 3 bandit31 root 4096 Feb 10 04:09 .
drwxr-sr-x 3 bandit31 root 4096 Feb 10 04:09 ..
drwxr-sr-x 8 bandit31 root 4096 Feb 10 04:09 .git
-rw-r--r-- 1 bandit31 root    6 Feb 10 04:09 .gitignore
-rw-r--r-- 1 bandit31 root  147 Feb 10 04:09 README.md
bandit31@bandit:/tmp/yp31/repo$ cat README.md 
This time your task is to push a file to the remote repository.

Details:
    File name: key.txt
    Content: 'May I come in?'
    Branch: master

bandit31@bandit:/tmp/yp31/repo$ echo "May I come in?"> key.txt
bandit31@bandit:/tmp/yp31/repo$ git add .
bandit31@bandit:/tmp/yp31/repo$ git add key.txt
The following paths are ignored by one of your .gitignore files:
key.txt
Use -f if you really want to add them.
bandit31@bandit:/tmp/yp31/repo$ cat .gitignore
*.txt
bandit31@bandit:/tmp/yp31/repo$ git add -f key.txt
bandit31@bandit:/tmp/yp31/repo$ git commit 
Unable to create directory /home/bandit31/.nano: Permission denied
It is required for saving/loading search history or cursor positions.

Press Enter to continue

Aborting commit due to empty commit message.
bandit31@bandit:/tmp/yp31/repo$ git commit -m "test"
[master e6417a7] test
 1 file changed, 1 insertion(+)
 create mode 100644 key.txt
bandit31@bandit:/tmp/yp31/repo$ git push 
Could not create directory '/home/bandit31/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit31/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit31-git@localhost's password: 
Counting objects: 3, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 316 bytes | 0 bytes/s, done.
Total 3 (delta 0), reused 0 (delta 0)
remote: ### Attempting to validate files... ####
remote: 
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote: 
remote: Well done! Here is the password for the next level:
remote: 56a9bf19c63d650ce78e6ec0354ee45e
remote: 
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote: 
To ssh://localhost/home/bandit31-git/repo
 ! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'ssh://bandit31-git@localhost/home/bandit31-git/repo'
bandit31@bandit:/tmp/yp31/repo$ 
.gitignore (here *.txt) excludes the file we want to add; git add -f forces it in anyway. Note that the push was still rejected: the server's pre-receive hook checked the pushed files, printed the password as its "well done" message, and then declined the update, so nothing was actually accepted on the remote. That is how such hooks are used for real: to validate or refuse what arrives before it becomes part of the repository.
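The "remote: ### Attempting to validate files..." lines and the "pre-receive hook declined" result come from a hook running on the server side of the push. The script below is an added example, not OverTheWire's hook: it installs a pre-receive hook into a bare repository that refuses any push whose new commits add credential-looking lines, and demo_hook exercises it with a local clone and constructed data (no real credentials). It assumes git is installed and that pushes go to a plain bare repository on the local filesystem.

```shell
#!/bin/sh
# Added example, not the game server's actual hook: a pre-receive hook that
# refuses pushes adding credential-looking lines, plus a local demo of it.

# install_secret_hook BARE_REPO
install_secret_hook() {
    cat > "$1/hooks/pre-receive" <<'EOF'
#!/bin/sh
# stdin: one "<old-sha> <new-sha> <refname>" line per ref being updated.
PATTERN='(password|passwd|secret|token|api[_-]?key)[[:space:]]*[:=]'
ZERO=0000000000000000000000000000000000000000
status=0
while read -r old new ref; do
    [ "$new" = "$ZERO" ] && continue          # ref deletion: nothing to scan
    # Only commits this server has not seen yet; --not --all excludes the rest.
    for c in $(git rev-list "$new" --not --all); do
        # Added lines only, so a commit that removes a leak is not blocked.
        hits=$(git show --format= --unified=0 "$c" |
               grep -E '^\+' | grep -v '^+++ ' | grep -i -E -e "$PATTERN")
        if [ -n "$hits" ]; then
            echo "rejected $ref: commit $c adds credential-like lines:" >&2
            echo "$hits" >&2
            status=1
        fi
    done
done
exit $status
EOF
    chmod +x "$1/hooks/pre-receive"
}

# demo_hook WORKDIR
# Returns 0 when a clean push is accepted and a push adding a password is
# rejected by the hook (constructed demo data, no real credentials).
demo_hook() {
    bare=$1/remote.git
    clone=$1/clone
    export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
    export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
    git init -q --bare "$bare" 2>/dev/null
    install_secret_hook "$bare"
    git clone -q "$bare" "$clone" 2>/dev/null
    echo 'username: bandit31' > "$clone/README.md"
    git -C "$clone" add README.md
    git -C "$clone" commit -q -m 'add readme'
    git -C "$clone" push -q origin HEAD 2>/dev/null || return 1   # must be accepted
    echo 'password: hunter2-demo' >> "$clone/README.md"
    git -C "$clone" add README.md
    git -C "$clone" commit -q -m 'add data needed for development'
    if git -C "$clone" push -q origin HEAD 2>/dev/null; then
        return 2                                                   # must be rejected
    fi
    return 0
}

# Usage: demo_hook "$(mktemp -d)" && echo 'hook behaves as expected'
```

Everything the hook writes to stderr reaches the client prefixed with "remote:", which is exactly how the level's message arrived; the hook decides with its exit status, and a non-zero exit leaves the remote refs untouched.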

Level 32→ Level 33

bandit31@bandit:~$ cd /tmp/7893
bandit31@bandit:/tmp/7893$ ls
TEST
bandit31@bandit:/tmp/7893$ chmod 777 TEST
bandit31@bandit:/tmp/7893$ cat TEST
#!/bin/bash
bash
bandit31@bandit:/tmp/7893$ exit
logout
Connection to bandit.labs.overthewire.org closed.
$ ssh -p 2220 bandit32@bandit.labs.overthewire.org 
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit32@bandit.labs.overthewire.org's password: 
Linux bandit 4.18.12 x86_64 GNU/Linux
               
      ,----..            ,----,          .---. 
     /   /   \         ,/   .`|         /. ./|
    /   .     :      ,`   .'  :     .--'.  ' ;
   .   /   ;.  \   ;    ;     /    /__./ \ : |
  .   ;   /  ` ; .'___,/    ,' .--'.  '   \' .
  ;   |  ; \ ; | |    :     | /___/ \ |    ' ' 
  |   :  | ; | ' ;    |.';  ; ;   \  \;      : 
  .   |  ' ' ' : `----'  |  |  \   ;  `      |
  '   ;  \; /  |     '   :  ;   .   \    .\  ; 
   \   \  ',  /      |   |  '    \   \   ' \ |
    ;   :    /       '   :  |     :   '  |--"  
     \   \ .'        ;   |.'       \   \ ;     
  www. `---` ver     '---' he       '---" ire.org     
               
WELCOME TO THE UPPERCASE SHELL
>> /???/7893/TEST
bandit33@bandit:~$ cat /etc/bandit_pass/bandit33
c9c3199ddf4121b10cf581a98d51caee
bandit33@bandit:~$ 
Prepare in advance a shell script named in uppercase, TEST, then use the shell's ? single-character glob to reach it. The uppercase shell turns everything typed into capitals, so /tmp/7893/TEST would become /TMP/7893/TEST, which does not exist; /???/7893/TEST contains no lowercase letters, survives the conversion unchanged, and is expanded by the shell afterwards to /tmp/7893/TEST. The script simply starts bash, and since the uppercase shell is running as bandit33, the resulting bash is a bandit33 shell, from which the password can be read from /etc/bandit_pass/bandit33. One caveat on the preparation step: the script only needs to be executable, so chmod 755 is enough; 777 also makes it world-writable, which on a shared machine lets any other user replace its contents before it is run.
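The trick works because case folding is applied to the text before the shell interprets it, and glob characters are not letters. The functions below are an added example written for this post, not the game's binary: uppershell is a stand-in that folds its input to uppercase and hands it to sh (an assumption about how the real one behaves, modelled on what the transcript shows), glob_for_upper builds the ?-pattern for an arbitrary path, and demo_uppercase_bypass drops an uppercase-named script into a lowercase directory and runs it through the filter.

```shell
#!/bin/sh
# Added example, not the game's binary: a stand-in for the "uppercase shell"
# and the glob trick that gets a lowercase path past it.

# uppershell CMD: the filter as bandit32 meets it. Assumption: the real one
# does the same thing, uppercase the line and hand it to sh.
uppershell() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]' | sh 2>/dev/null
}

# glob_for_upper PATH: replace every lowercase letter with '?', so the string
# contains nothing the filter can change. The shell expands '?' after the
# uppercasing, and '?' matches exactly one character of any case.
# /tmp/7893/TEST -> /???/7893/TEST
glob_for_upper() {
    printf '%s\n' "$1" | sed 's/[[:lower:]]/?/g'
}

# demo_uppercase_bypass WORKDIR: write an uppercase-named script under a
# directory whose name has lowercase letters, then run it through the filter
# via the glob. Prints whatever the script printed.
demo_uppercase_bypass() {
    mkdir -p "$1/UP7893"
    printf '#!/bin/sh\necho payload-ran\n' > "$1/UP7893/TEST"
    chmod 755 "$1/UP7893/TEST"      # executable is enough; 777 is not needed
    uppershell "$(glob_for_upper "$1/UP7893/TEST")"
}

# Usage: demo_uppercase_bypass "$(mktemp -d)"    # prints payload-ran
```

The lesson for anyone writing such a wrapper is that normalising input is not sanitising it: anything that still reaches sh as text can carry globs, $ expansions and redirections, so a restricted shell has to stop passing user input to the shell at all rather than transform it.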
