Bandit Walkthrough
Source: Internet | Editor: 程序博客网 | Posted: 2024/05/07 12:16
This is my record of working through the Bandit wargame on OverTheWire. The challenges are at http://www.overthewire.org/wargames
level 0
Log in to the server the site provides with the ssh command, and that's it:
ssh bandit0@bandit.labs.overthewire.org
or
ssh -l bandit0 bandit.labs.overthewire.org
level0 -> level1
The password is in the readme file in the home directory. ls shows the readme file, and cat prints its contents, which gives the password.
bandit0@melinda:~$ ls
readme
bandit0@melinda:~$ cat readme
boJ9jbbUNNfktd78OOpsqOltutMc3MY1
level1 -> level2
The password is in a file in the home directory whose name is "-". You can find it with ls as in the previous level, but typing cat - directly does not print the file: cat just sits waiting for input, because "-" clashes with the option syntax (a lone "-" means standard input). Giving the path as ./- avoids that.
bandit1@melinda:~$ cat ./-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
level2 -> level3
The file name contains spaces; escape them with "\".
bandit2@melinda:~$ ls
spaces in this filename
bandit2@melinda:~$ cat spaces\ in\ this\ filename
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
level3 -> level4
The file in inhere is hidden (its name starts with a dot), so a plain ls shows nothing; ls -a lists it.
bandit3@melinda:~$ ls
inhere
bandit3@melinda:~$ cd ~/inhere
bandit3@melinda:~/inhere$ ls
bandit3@melinda:~/inhere$ ls -a
.  ..  .hidden
bandit3@melinda:~/inhere$ cat ./.hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB
level4 -> level5
There are 10 files in the inhere directory. I tried them one by one; -file07 gives the password.
bandit4@melinda:~$ ls
inhere
bandit4@melinda:~$ cd ~/inhere
bandit4@melinda:~/inhere$ ls
-file00  -file02  -file04  -file06  -file08
-file01  -file03  -file05  -file07  -file09
bandit4@melinda:~/inhere$ cat ./-file07
koReBOKuIDDepwhWk7jZC0RTdopnAYKh
level5 -> level6
find can search on the properties the level describes: -size 1033c -type f matches regular files of exactly 1033 bytes, which singles out the file.
bandit5@melinda:~$ cd ~/inhere
bandit5@melinda:~/inhere$ find . -size 1033c -type f
./maybehere07/.file2
bandit5@melinda:~/inhere$ cat ./maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7
level6 -> level7
The file is somewhere on the server, so run find from the root directory. That prints a lot of error messages, so add 2>/dev/null to discard them; what remains is the useful output.
bandit6@melinda:~$ find / -group bandit6 -size 33c -user bandit7 -type f 2>/dev/null
/var/lib/dpkg/info/bandit7.password
bandit6@melinda:~$ cat /var/lib/dpkg/info/bandit7.password
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
level7 -> level8
Use grep to find the line in data.txt containing "millionth"; the password is on that line.
bandit7@melinda:~$ ls
data.txt
bandit7@melinda:~$ cat data.txt | grep 'millionth'
millionth	cvX2JJa4CFALtqS87jk27qwqGhBM9plV
level8 -> level9
Sort the contents of data.txt with sort, then use uniq -c to show how many times each line occurs, and look for the line with a count of 1: 1 UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
bandit8@melinda:~$ cat data.txt | sort | uniq -c
Alternatively, sort and then use uniq -u to print only the lines that occur exactly once:
bandit8@melinda:~$ sort data.txt | uniq -u
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
level9 -> level10
data.txt is a binary file. Use strings to extract the printable strings in it, and grep for lines starting with "=".
bandit9@melinda:~$ strings data.txt | grep '^='
========== password
========== ism
========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
level10 -> level11
Simple base64; decode it directly with base64 -d.
bandit10@melinda:~$ cat data.txt | base64 -d
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR
level11 -> level12
Use tr to map the characters in the file back. Every letter has been shifted 13 places forward (a became n, b became o, z became m, and so on), so reverse the shift with the same rule; tr "a-mn-z" "n-za-m" maps a-m to n-z and n-z to a-m, and the second tr does the same for upper case.
bandit11@melinda:~$ cat data.txt | tr "a-mn-z" "n-za-m" | tr "A-MN-Z" "N-ZA-M"
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
level12 -> level13
First create a temporary directory under /tmp and copy data.txt into it with cp. data.txt is a hexdump, so xxd -r turns it back into bytes; looking at it, the data starts with 1f8b. Gzip data begins with 1F 8B, so it was compressed with gzip, and gzip decompresses it. The file command can also show the real type directly. The same inspect-then-unpack step repeats for several layers (gzip, bzip2 and tar) until the result is plain text.
bandit12@melinda:~$ mkdir /tmp/cch
bandit12@melinda:~$ cp data.txt /tmp/cch
bandit12@melinda:/tmp/cch$ cat data.txt | xxd -r > data
bandit12@melinda:/tmp/cch$ file data
data: gzip compressed data, was "data2.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
bandit12@melinda:/tmp/cch$ mv data data.gz
bandit12@melinda:/tmp/cch$ gzip -d data.gz
bandit12@melinda:/tmp/cch$ ls
data  data.txt
bandit12@melinda:/tmp/cch$ file data
data: bzip2 compressed data, block size = 900k
bandit12@melinda:/tmp/cch$ mv data data.bz2
bandit12@melinda:/tmp/cch$ bzip2 -d data.bz2
bandit12@melinda:/tmp/cch$ file data
data: gzip compressed data, was "data4.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
bandit12@melinda:/tmp/cch$ mv data data.gz
bandit12@melinda:/tmp/cch$ gzip -d data.gz
bandit12@melinda:/tmp/cch$ ls
data  data.txt
bandit12@melinda:/tmp/cch$ file data
data: POSIX tar archive (GNU)
bandit12@melinda:/tmp/cch$ mv data data.tar
bandit12@melinda:/tmp/cch$ tar -xvf data.tar
data5.bin
bandit12@melinda:/tmp/cch$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@melinda:/tmp/cch$ tar -xvf data5.bin
data6.bin
bandit12@melinda:/tmp/cch$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@melinda:/tmp/cch$ mv data6.bin data6.bin.bz2
bandit12@melinda:/tmp/cch$ bzip2 -d data6.bin.bz2
bandit12@melinda:/tmp/cch$ ls
data.tar  data.txt  data5.bin  data6.bin
bandit12@melinda:/tmp/cch$ file data6.bin
data6.bin: POSIX tar archive (GNU)
bandit12@melinda:/tmp/cch$ tar -xvf data6.bin
data8.bin
bandit12@melinda:/tmp/cch$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
bandit12@melinda:/tmp/cch$ mv data8.bin data8.bin.gz
bandit12@melinda:/tmp/cch$ gzip -d data8.bin.gz
bandit12@melinda:/tmp/cch$ ls
data.tar  data.txt  data5.bin  data6.bin  data8.bin
bandit12@melinda:/tmp/cch$ file data8.bin
data8.bin: ASCII text
bandit12@melinda:/tmp/cch$ cat data8.bin
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
By this point I was getting a bit impatient, but luckily the password came out.
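The manual inspect-then-unpack loop of this level can be automated. The following shell function is an added example, not code from the original post or from OverTheWire: it checks the magic bytes itself instead of calling file or xxd, so it runs offline on a minimal system, and keeps unpacking in place until the data is no longer gzip, bzip2 or tar. It assumes the hexdump has already been reversed (the xxd -r step) and that each tar layer holds a single member, as in the level; make_sample builds a constructed stand-in (gzip inside tar inside gzip) around a placeholder password line.

```shell
#!/bin/sh
# Added example: generic unwrapper for the nested gzip/bzip2/tar chain of level 12.
# Type detection uses magic bytes: gzip = 1f 8b 08, bzip2 = "BZh" (42 5a 68),
# tar = "ustar" at offset 257. The loop stops at the first layer it does not recognise.

# Print the first three bytes of a file as lowercase hex.
magic3() {
    od -An -tx1 -N3 "$1" | tr -d ' \n'
}

# Repeatedly unpack "$1" in place until it is no longer gzip, bzip2 or tar.
# The result always ends up under the original path, as the manual session did with "data".
unwrap() {
    f="$1"
    dir=$(dirname "$f")
    while :; do
        case "$(magic3 "$f")" in
            1f8b08) mv "$f" "$f.gz";  gzip  -d "$f.gz"  ;;   # gzip -d drops the suffix again
            425a68) mv "$f" "$f.bz2"; bzip2 -d "$f.bz2" ;;
            *)
                if [ "$(dd if="$f" bs=1 skip=257 count=5 2>/dev/null)" = "ustar" ]; then
                    inner=$(tar -tf "$f" | head -n 1)   # single-member archives, as in the level
                    tar -xf "$f" -C "$dir" && rm -f "$f" && mv "$dir/$inner" "$f"
                else
                    break      # plain text (or an unknown format): stop here
                fi ;;
        esac
    done
}

# Constructed sample: text -> gzip -> tar -> gzip, written to "$1/data".
make_sample() {
    printf 'The password is PLACEHOLDER_PASSWORD\n' > "$1/data9.bin"   # placeholder, not a real password
    gzip "$1/data9.bin" && mv "$1/data9.bin.gz" "$1/data8.bin"
    tar -cf "$1/data6.bin" -C "$1" data8.bin && rm -f "$1/data8.bin"
    gzip -c "$1/data6.bin" > "$1/data" && rm -f "$1/data6.bin"
}

# Build the sample, unwrap it and return the recovered text.
demo() {
    tmp=$(mktemp -d)
    make_sample "$tmp"
    unwrap "$tmp/data"
    cat "$tmp/data"
    rm -rf "$tmp"
}
```

Run demo to see the recovered line; unwrap "$path" works the same way on a real reversed data file, provided gzip, bzip2 and tar are installed.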
level13 -> level14
The level tells us the password file is /etc/bandit_pass/bandit14 and only the bandit14 user can read it. After logging in, ls shows an sshkey.private file, so I used scp on my local machine to download that file.
bandit13@melinda:~$ ls
sshkey.private
Note that the following commands are run locally:
Chs-MacBook:~ chenchaohao$ scp bandit13@bandit.labs.overthewire.org:./sshkey.private ~/desktop
This is the OverTheWire game server. More information on http://www.overthewire.org/wargames
Please note that wargame usernames are no longer level<X>, but wargamename<X>
e.g. vortex4, semtex2, ...
Note: at this moment, blacksun is not available.
bandit13@bandit.labs.overthewire.org's password:
sshkey.private                                100% 1679     1.6KB/s   00:00
Chs-MacBook:desktop chenchaohao$ chmod 0600 sshkey.private
If you don't change the permissions and try to log in with the file as downloaded, ssh prints
Permissions 0640 for '/Users/chenchaohao/desktop/sshkey.private' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
and you're stuck. Once the commands above are done, we can log in to the next level with this file:
Chs-MacBook:~ chenchaohao$ ssh bandit14@bandit.labs.overthewire.org -i ~/desktop/sshkey.private
level14 -> level15
As the previous level said, bandit14's password is in /etc/bandit_pass/bandit14. Read it first, then send it with nc to port 30000 on localhost.
bandit14@melinda:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
bandit14@melinda:~$ echo '4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e' | nc localhost 30000
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr
level15 -> level16
The task is to send this level's password over SSL to port 30001 on localhost; the hint tells us to add the -quiet option.
bandit15@melinda:~$ echo 'BfMYroe26WYalil77FoDi9qh59eK5xNr' | openssl s_client -connect localhost:30001 -quiet
depth=0 CN = li190-250.members.linode.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = li190-250.members.linode.com
verify return:1
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd
level16 -> level17
Scan ports 31000-32000 with nmap using -sV (with that option, for every open port nmap runs version detection to work out which application is listening). Trying the candidates, 31790 is the one we want: it answers with an RSA private key, so we know it worked. Clever me. Copy the key to the local machine into a file called sshkey.private, then log in to the next level with it.
bandit16@melinda:~$ nmap -p 31000-32000 localhost -sV
Starting Nmap 6.40 ( http://nmap.org ) at 2015-10-13 08:49 UTC
Stats: 0:00:26 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 40.00% done; ETC: 08:50 (0:00:39 remaining)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00082s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE VERSION
31046/tcp open  echo
31518/tcp open  msdtc   Microsoft Distributed Transaction Coordinator (error)
31691/tcp open  echo
31790/tcp open  msdtc   Microsoft Distributed Transaction Coordinator (error)
31960/tcp open  echo
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.46 seconds
bandit16@melinda:~$ echo 'cluFn7wTiGryunymYOu4RcffSxQluehd' | openssl s_client -connect localhost:31790 -quiet
depth=0 CN = li190-250.members.linode.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = li190-250.members.linode.com
verify return:1
Correct!
-----BEGIN RSA PRIVATE KEY-----
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
-----END RSA PRIVATE KEY-----
read:errno=0
bandit16@melinda:~$ exit
logout
Connection to bandit.labs.overthewire.org closed.
Chs-MacBook:~ chenchaohao$ ssh -l bandit17 bandit.labs.overthewire.org -i ~/desktop/sshkey.private
level17 -> level18
This level is very simple: just use diff to show where the two files differ.
bandit17@melinda:~$ ls
passwords.new  passwords.old
bandit17@melinda:~$ diff passwords.new passwords.old
42c42
< kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
---
> BS8bqB1kqkinKJjuxL6k072Qq9NRwQpR
The first string (the line marked with <) is the one in passwords.new, and it is the password for the next level.
level18 -> level19
Logging in to level 18 throws you straight back out, because a configuration file has been modified. No problem: we can use scp to download the file holding the password to the local machine. In the local terminal:
Chs-MacBook:~ chenchaohao$ scp bandit18@bandit.labs.overthewire.org:~/readme ~/desktop
This is the OverTheWire game server. More information on http://www.overthewire.org/wargames
Please note that wargame usernames are no longer level<X>, but wargamename<X>
e.g. vortex4, semtex2, ...
Note: at this moment, blacksun is not available.
bandit18@bandit.labs.overthewire.org's password:
readme                                        100%   33     0.0KB/s   00:00
Chs-MacBook:~ chenchaohao$ cd ~/desktop
Chs-MacBook:desktop chenchaohao$ cat readme
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
Done!
level19 -> level20
In the home directory there is an executable. Trying it out, it appears this executable lets us read bandit20's files with bandit20's user id (the level description says as much). Worth reading up on SUID.
bandit19@melinda:~$ ls
bandit20-do
bandit19@melinda:~$ ./bandit20-do
Run a command as another user.
  Example: ./bandit20-do id
bandit19@melinda:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
level20 -> level21
Open two terminals, both logged in as bandit20. In the first, listen on any suitable port with nc -l, for example 2015; in the second, connect to port 2015 with suconnect. In the first terminal, type GbKksEFF4yrVs6il55v6gwY5aVje5f0j; it is sent to suconnect, which checks that it matches and then sends this level's password back to the first terminal.
Terminal 1
bandit20@melinda:~$ nc -l 2015
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Terminal 2
bandit20@melinda:~$ ./suconnect 2015
Result
Terminal 1
bandit20@melinda:~$ nc -l 2015
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
Terminal 2
bandit20@melinda:~$ ./suconnect 2015
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password
That's the password.
level21 -> level22
The level says a program runs in the background at intervals (see the material on cron). Go into /etc/cron.d/, where there are many entries; cronjob_bandit22 is the one most relevant to this level, so look at it.
bandit21@melinda:~$ cd /etc/cron.d
bandit21@melinda:/etc/cron.d$ ls
behemoth4_cleanup      leviathan5_cleanup     natas25_cleanup~  semtex0-ppc
cron-apt               manpage3_resetpw_job   natas26_cleanup   semtex5
cronjob_bandit22       melinda-stats          natas27_cleanup   sysstat
cronjob_bandit23       natas-session-toucher  php5              vortex0
cronjob_bandit24       natas-stats            semtex0-32        vortex20
cronjob_bandit24_root  natas25_cleanup        semtex0-64
bandit21@melinda:/etc/cron.d$ cat cronjob_bandit22
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
cronjob_bandit22 runs a script, /usr/bin/cronjob_bandit22.sh; let's see what that script does.
bandit21@melinda:/etc/cron.d$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
All the script does is copy the contents of the bandit22 file, which holds the next level's password, into /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv (and chmod 644 makes that copy readable by everyone). Since we can't read bandit22 itself, we just read /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv instead.
bandit21@melinda:/etc/cron.d$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
Password obtained.
level22 -> level23
Same as the previous level: cron is used to run a program in the background at intervals. Same recipe: look in /etc/cron.d first.
bandit22@melinda:~$ cd /etc/cron.d
bandit22@melinda:/etc/cron.d$ ls
behemoth4_cleanup      leviathan5_cleanup     natas25_cleanup~  semtex0-ppc
cron-apt               manpage3_resetpw_job   natas26_cleanup   semtex5
cronjob_bandit22       melinda-stats          natas27_cleanup   sysstat
cronjob_bandit23       natas-session-toucher  php5              vortex0
cronjob_bandit24       natas-stats            semtex0-32        vortex20
cronjob_bandit24_root  natas25_cleanup        semtex0-64
bandit22@melinda:/etc/cron.d$ cat cronjob_bandit23
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
I chose to look at cronjob_bandit23.sh. Again it runs a script:
bandit22@melinda:/etc/cron.d$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget
The script stores the current user name in the myname variable, derives mytarget as the MD5 of the string "I am user $myname", and copies the password file /etc/bandit_pass/$myname (the file named after the value of myname) to /tmp/$mytarget.
bandit22@melinda:/etc/cron.d$ whoami
bandit22
How do we find out what mytarget would be if I were bandit23? You could write a script and run it; I found that tedious and just typed it at the command line.
bandit22@melinda:/etc/cron.d$ myname=bandit23;mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1);echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
Copying passwordfile /etc/bandit_pass/bandit23 to /tmp/8ca319486bfbbc3663ea0fbe81326349
So mytarget is 8ca319486bfbbc3663ea0fbe81326349. Let's look at the contents of /tmp/8ca319486bfbbc3663ea0fbe81326349.
bandit22@melinda:/etc/cron.d$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
level23 -> level24
Start with the same steps as before: check which script the background job calls and read that script. This one executes every script in a directory one after another (and deletes each one afterwards). So let's write a script of our own and drop it into that directory.
bandit23@melinda:/tmp/ch$ cd /etc/cron.d
bandit23@melinda:/etc/cron.d$ ls
behemoth4_cleanup      leviathan5_cleanup     natas25_cleanup~  semtex0-ppc
cron-apt               manpage3_resetpw_job   natas26_cleanup   semtex5
cronjob_bandit22       melinda-stats          natas27_cleanup   sysstat
cronjob_bandit23       natas-session-toucher  php5              vortex0
cronjob_bandit24       natas-stats            semtex0-32        vortex20
cronjob_bandit24_root  natas25_cleanup        semtex0-64
bandit23@melinda:/etc/cron.d$ cat cronjob_bandit24
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
bandit23@melinda:/etc/cron.d$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        timeout -s 9 60 "./$i"
        rm -f "./$i"
    fi
done
Now write the script:
bandit23@melinda:~$ mkdir /tmp/ch
bandit23@melinda:~$ cd /tmp/ch
bandit23@melinda:/tmp/ch$ vim 1.sh        # written with vim
bandit23@melinda:/tmp/ch$ cat 1.sh        # the script's code
#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/bandit24
Next, put the script into that directory; the path /var/spool/bandit24/ comes from the cron script.
bandit23@melinda:/tmp/ch$ chmod 777 1.sh
bandit23@melinda:/tmp/ch$ cp 1.sh /var/spool/bandit24/
Wait a while; the background job runs the script, and then a bandit24 directory appears under /tmp with the password inside.
bandit23@melinda:/tmp/ch$ cd /tmp/bandit24
bandit23@melinda:/tmp/bandit24$ ls
pass24  password
bandit23@melinda:/tmp/bandit24$ cat password
#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/bandit24/pass24
bandit23@melinda:/tmp/bandit24$ cat pass24
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
One thing I want to note: at first I wrote cat /etc/bandit_pass/bandit24 > /tmp/ch/bandit24 in the script, but I never got bandit24 that way, and I don't know why.
level24 -> level25
Brute force... it reminded me of high-school maths, substituting values one by one. I originally wrote a script that tries 0 to 9999 in turn, as follows:
#!/bin/bash
for i in $(seq 0 9999)
do
    if echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i" | nc localhost 30002 | grep "Wrong" > /dev/null
    then
        echo "wrong $i" >> wrong.txt    # append, so every wrong guess is recorded
    else
        echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i" | nc localhost 30002
    fi
done
It turned out far too slow. Following a write-up on WooYun, I tried a multi-process version:
#!/bin/bash
pass=UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
for i in $(seq 0 9999)
do
{
    if echo $pass $i | nc localhost 30002 | grep Wrong > /dev/null
    then
        echo $i
    else
        echo $pass $i | nc localhost 30002 > result
        exit
    fi
} &    # every guess runs in its own background subshell, so all 10000 run at once
done
wait
After running it, it still didn't work: result contained no correct answer, and during the run there were constant "resource unavailable" errors.
So I wrote 10 scripts myself, each handling 1000 numbers. For example 1.sh:
#!/bin/bash
for i in $(seq 0 1000)
do
    if echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i" | nc localhost 30002 | grep "Wrong" > /dev/null
    then
        echo "wrong $i" >> wrong.txt    # append, so every wrong guess is recorded
    else
        echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i" | nc localhost 30002
    fi
done
I wrote 1.sh to 10.sh this way, changing only the range of the for loop in each, and then started each script in the background one by one.
bandit24@melinda:/tmp/aq$ ./1.sh &
[1] 28151
bandit24@melinda:/tmp/aq$ ./2.sh &
[2] 28187
bandit24@melinda:/tmp/aq$ ./3.sh &
[3] 28276
bandit24@melinda:/tmp/aq$ ./4.sh &
[4] 28350
.......    # 5.sh to 10.sh omitted
After waiting patiently for a while, the result came out:
bandit24@melinda:/tmp/aq$ I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
Correct!
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
Exiting.
5669^C
In the end you have to rely on yourself.
level25 -> level26
In bandit25's home directory there is a bandit26.sshkey file:
bandit25@melinda:~$ ls
bandit26.sshkey
Using the method from an earlier level, log in to bandit26 with this file: you are thrown out as soon as you get in. Go back to bandit25 and look around. Following the level's hint, find out what shell bandit26 has been given.
bandit25@melinda:~$ cat /etc/passwd | grep bandit26
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
Let's see what showtext is.
bandit25@melinda:~$ cat /usr/bin/showtext
#!/bin/sh
more ~/text.txt
exit 0
So it just displays a text file with more. Getting a shell on bandit26 with the .sshkey file is out. But while logging in with it we can drop from more into vim and use :r to read in the contents of /etc/bandit_pass/bandit26, since that's the file several levels have relied on. (more only stops with its prompt if text.txt does not fit on the screen, so shrink the terminal window to a few lines before connecting.)
Chs-MacBook:~ chenchaohao$ ssh bandit26@bandit.labs.overthewire.org -i ~/desktop/bandit26.sshkey
While more is paused during the login, press v to enter vim.
Then type :r /etc/bandit_pass/bandit26 and press Enter; text.txt now contains the extra line
5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z. Password obtained.