Bandit

Bandit wargame: https://overthewire.org/wargames/bandit/

Level0

Level Goal

The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.

Commands you may need to solve this level

ssh

Approach:

We need to connect to the bandit server over SSH with the following parameters:

Host: bandit.labs.overthewire.org

Port: 2220

Username: bandit0

Password: bandit0

After logging in, move on to the Level 1 page and continue.

Solution:

1. Connect with ssh. The original writeup typed the command into Xshell; with the OpenSSH client the port is given with -p, because the host:port form is not accepted:

ssh -p 2220 bandit0@bandit.labs.overthewire.org

2. A prompt asks whether to trust and save the host key. Accept it. With OpenSSH the key is recorded in ~/.ssh/known_hosts, and the client warns if the server presents a different key on a later connection.

3. Enter the password. The welcome banner appears and the login succeeds.

Level0 -> Level1

Level Goal

The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.

Commands you may need to solve this level

ls, cd, cat, file, du, find

Approach:

The password is stored in the file readme in the home directory; read it with cat.

Solution:

1. Run cat on readme in the home directory:

bandit0@bandit:~$ cat readme
boJ9jbbUNNfktd78OOpsqOltutMc3MY1

Level1 -> Level2

Level Goal

The password for the next level is stored in a file called - located in the home directory

Commands you may need to solve this level

ls, cd, cat, file, du, find

Approach:

This looks like the previous level, but the file name - has a special meaning: by convention a lone - tells a command to read standard input, so cat - does not open the file at all; it sits waiting for input from the terminal. Giving a path that cannot be mistaken for stdin or an option (./-) makes cat treat it as an ordinary file. Redirecting the file into cat (cat < -) also works, because then the shell, not cat, opens it.

Solution:

1. Read the password from - using an explicit path:

bandit1@bandit:~$ cat ./-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

Level2 -> Level3

Level Goal

The password for the next level is stored in a file called spaces in this filename located in the home directory

Commands you may need to solve this level

ls, cd, cat, file, du, find

Approach:

Another file to read, but this time the file name contains spaces. The shell splits an unquoted command line on whitespace, so cat spaces in this filename would pass four separate arguments and fail on each of them. Quoting the name (or escaping each space with a backslash, or letting tab completion do that) passes it as a single argument.

Solution:

1. Read the password with the file name quoted:

bandit2@bandit:~$ cat "spaces in this filename"
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

Level3 -> Level4

Level Goal

The password for the next level is stored in a hidden file in the inhere directory.

Commands you may need to solve this level

ls, cd, cat, file, du, find

Approach:

Still straightforward: enter the inhere directory and open the hidden file in it. Files whose names start with a dot are not shown by a plain ls.

Solution:

1. Enter the inhere directory:

bandit3@bandit:~$ cd inhere
bandit3@bandit:~/inhere$

2. List the directory; nothing shows up:

bandit3@bandit:~/inhere$ ls

3. List again with -a, which includes dot files:

bandit3@bandit:~/inhere$ ls -a
. .. .hidden

4. Besides . (the current directory) and .. (the parent) there is a file called .hidden; read it for the password:

bandit3@bandit:~/inhere$ cat .hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB

Level4 -> Level5

Level Goal

The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.

Commands you may need to solve this level

ls, cd, cat, file, du, find

Approach:

Enter the inhere directory, find the one human-readable file and read it. The tip about reset matters here: if you cat a binary file, the terminal may interpret some of its bytes as control sequences and stop rendering properly.

Solution:

1. Enter the inhere directory:

bandit4@bandit:~$ cd inhere
bandit4@bandit:~/inhere$

2. List everything in it:

bandit4@bandit:~/inhere$ ls -a
. -file00 -file02 -file04 -file06 -file08
.. -file01 -file03 -file05 -file07 -file09

3. Ten files, all with names starting with -. Run file ./* to classify them all at once; the ./ prefix is needed because file would otherwise parse -file00 as an option:

bandit4@bandit:~/inhere$ file ./*
./-file00: data
./-file01: data
./-file02: data
./-file03: data
./-file04: data
./-file05: data
./-file06: data
./-file07: ASCII text
./-file08: data
./-file09: data

4. Only -file07 is ASCII text; read it for the password:

bandit4@bandit:~/inhere$ cat ./-file07
koReBOKuIDDepwhWk7jZC0RTdopnAYKh

Level5 -> Level6

Level Goal

The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:

  • human-readable
  • 1033 bytes in size
  • not executable

Commands you may need to solve this level

ls, cd, cat, file, du, find

Approach:

Enter the inhere directory and find the file that is human-readable, exactly 1033 bytes in size and not executable.

Solution:

1. Look at the current directory:

bandit5@bandit:~$ ls
inhere

2. Enter inhere and list it:

bandit5@bandit:~$ cd inhere
bandit5@bandit:~/inhere$ ls
maybehere00 maybehere02 maybehere04 maybehere06 maybehere08 maybehere10 maybehere12 maybehere14 maybehere16 maybehere18
maybehere01 maybehere03 maybehere05 maybehere07 maybehere09 maybehere11 maybehere13 maybehere15 maybehere17 maybehere19

3. Twenty subdirectories, too many to go through by hand, so let find apply the constraints. The size test alone is enough here: only one regular file under inhere is exactly 1033 bytes. The c suffix on -size means bytes; without it find counts 512-byte blocks. The other two properties could be added too (! -executable for the permission test, and running file on each hit for readability), but they are not needed to narrow this down.

bandit5@bandit:~/inhere$ find . -type f -size 1033c
./maybehere07/.file2

4. A single match; cat it for the password:

bandit5@bandit:~/inhere$ cat ./maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7
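All three properties from the level goal applied together, as an added example that is not part of the original writeup. It builds a throwaway directory with one wanted file and three decoys (all constructed for the demo) and returns the only path that is exactly 1033 bytes, has no execute bit and contains nothing but printable ASCII. The readability test is an approximation of what file reports as ASCII text, done with grep in the C locale so the script does not depend on file being installed.

```sh
#!/bin/sh
# Added example, not from the original writeup.  Directory layout, file names
# and contents are constructed for the demo.

# Create a scratch tree with one wanted file and three decoys; print its path.
build_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/maybehere00" "$root/maybehere07"
  # wanted: 1032 printable bytes plus a newline = 1033 bytes, not executable
  { printf '%1032s' '' | tr ' ' 'x'; printf '\n'; } > "$root/maybehere07/.file2"
  # decoy 1: same content and size, but executable
  cp "$root/maybehere07/.file2" "$root/maybehere00/-file1"
  chmod 755 "$root/maybehere00/-file1"
  # decoy 2: same size, but binary (every byte is 0xff)
  head -c 1033 /dev/zero | tr '\000' '\377' > "$root/maybehere00/.file3"
  # decoy 3: readable, but the wrong size
  printf 'short\n' > "$root/maybehere00/spaces file"
  echo "$root"
}

# Print, relative to $1, every regular file that is exactly 1033 bytes
# (-size 1033c; without the c suffix find counts 512-byte blocks), has no
# owner-execute bit (! -perm -100), and contains only printable ASCII or
# whitespace.  grep -q succeeds when it finds a non-printable byte, so a
# file is printed only when that search fails.
find_candidate() {
  ( cd "$1" && find . -type f -size 1033c ! -perm -100 -exec sh -c '
      for f in "$@"; do
        LC_ALL=C grep -q "[^[:print:][:space:]]" "$f" || printf "%s\n" "$f"
      done' sh {} + )
}

find_candidate "$(build_tree)"   # ./maybehere07/.file2
```

The -exec ... {} + form hands find's matches to one shell in batches rather than forking grep's parent once per file; on a real tree with thousands of files that is the difference between a second and a minute.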

Level6 -> Level7

Level Goal

The password for the next level is stored somewhere on the server and has all of the following properties:

  • owned by user bandit7
  • owned by group bandit6
  • 33 bytes in size

Commands you may need to solve this level

ls, cd, cat, file, du, find, grep

Approach:

The password is in a file somewhere on the server that is 33 bytes long, owned by user bandit7 and by group bandit6. Nothing says where, so search from /.

Solution:

1. Run find over the whole filesystem with the three constraints:

find / -user bandit7 -group bandit6 -size 33c

2. find prints a "Permission denied" line for every directory bandit6 is not allowed to enter. Those messages go to standard error and can be ignored (or discarded by redirecting standard error to /dev/null). One file matches:

/var/lib/dpkg/info/bandit7.password

3. Read it for the next password:

bandit6@bandit:~$ cat /var/lib/dpkg/info/bandit7.password
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

Level7 -> Level8

Level Goal

The password for the next level is stored in the file data.txt next to the word millionth

Commands you may need to solve this level

grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

Approach:

The password is in data.txt, on the same line as the word millionth.

Solution:

1. The file is far too long to scan by eye, so let grep pull out the line. (grep accepts the file name directly; piping cat into it works but is unnecessary.)

bandit7@bandit:~$ cat data.txt|grep millionth
millionth cvX2JJa4CFALtqS87jk27qwqGhBM9plV

Level8 -> Level9

Level Goal

The password for the next level is stored in the file data.txt and is the only line of text that occurs only once

Commands you may need to solve this level

grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

Approach:

Again data.txt; the password is the only line that appears exactly once.

Solution:

1. Sort data.txt so that identical lines become adjacent.

2. Pipe the result through uniq -u, which prints only the lines that are not repeated. The sort step is essential: uniq compares each line only with the one before it, so on unsorted input a line whose duplicate sits far away would be reported as unique.

bandit8@bandit:~$ sort data.txt|uniq -u
s

Level9 -> Level10

Level Goal

The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.

Commands you may need to solve this level

grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

Approach:

The password is in data.txt, inside one of the few human-readable strings, and is preceded by several = characters.

Solution:

1. cat shows mostly binary garbage, so use strings, which prints only runs of printable characters.

2. Look for the line with a run of = signs; the password follows them. (Piping the strings output through grep for = narrows it to those lines.)

bandit9@bandit:~$ strings data.txt
&========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk

Level10 -> Level11

Level Goal

The password for the next level is stored in the file data.txt, which contains base64 encoded data

Commands you may need to solve this level

grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

Approach:

data.txt again; this time its content is base64-encoded. Base64 is an encoding, not encryption: there is no key, and anyone holding the text can reverse it.

Solution:

1. View the file; it is a single line of base64 text (the trailing == padding is a giveaway):

bandit10@bandit:~$ cat data.txt
VGhlIHBhc3N3b3JkIGlzIElGdWt3S0dzRlc4TU9xM0lSRnFyeEUxaHhUTkViVVBSCg==

2. Decode it with base64 -d:

bandit10@bandit:~$ base64 -d data.txt
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

Level11 -> Level12

Level Goal

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions

Commands you may need to solve this level

grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

Approach:

data.txt once more. The goal says every letter, lower and upper case, has been rotated 13 positions along the alphabet. That is ROT13: A becomes N, B becomes O, and so on, wrapping around at Z; digits and punctuation are untouched. Because 13 is half of 26, applying the same rotation a second time undoes it, so decoding is the same operation as encoding.

Solution:

1. Look at the file first:

bandit11@bandit:~$ cat data.txt
Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh

2. Undo the rotation with tr, mapping a-z onto n-za-m and A-Z onto N-ZA-M:

bandit11@bandit:~$ cat data.txt|tr 'a-zA-Z' 'n-za-mN-ZA-M'
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
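The transformations from the last three levels (sort | uniq -u, base64 -d and the tr rotation) as small reusable functions, added here as an example that is not part of the original writeup. The line-frequency sample is constructed so that the duplicates are not adjacent, which is exactly the case where uniq -u without sort gives a wrong answer; the base64 and ROT13 inputs are the strings from the transcripts above.

```sh
#!/bin/sh
# Added example, not from the original writeup.  sample_lines is constructed;
# the base64 and ROT13 inputs are copied from the level transcripts.

# Level 9: the one line that occurs exactly once.  uniq only compares a line
# with its immediate predecessor, so sort is what makes duplicates adjacent;
# without it a repeated line can be reported as unique.
unique_line() { sort | uniq -u; }

# Level 10: base64 is a reversible encoding with no key; -d undoes it.
b64dec() { printf '%s' "$1" | base64 -d; }

# Level 11: ROT13 maps A-Z onto N-ZA-M and a-z onto n-za-m.  Digits and
# punctuation pass through, and a second application restores the input.
rot13() { printf '%s\n' "$1" | tr 'A-Za-z' 'N-ZA-Mn-za-m'; }

# Constructed sample: alpha and beta each appear twice, but never adjacently.
sample_lines() { printf 'alpha\nbeta\nalpha\ngamma\nbeta\n'; }

sample_lines | unique_line        # gamma
sample_lines | uniq -u | wc -l    # 5: to uniq alone every line looks unique
b64dec 'VGhlIHBhc3N3b3JkIGlzIElGdWt3S0dzRlc4TU9xM0lSRnFyeEUxaHhUTkViVVBSCg=='
rot13 'Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh'
rot13 "$(rot13 'Hello, World 123')"   # Hello, World 123
```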

Level12 -> Level13

Level Goal

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)

Commands you may need to solve this level

grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd, mkdir, cp, mv, file

Approach:

data.txt is a hexdump of a file that was compressed several times over. The goal suggests making a working directory under /tmp and using cp and mv to manage the files. gzip and bzip2 decide the output name from the input file's suffix, which is why each layer is renamed before it is unpacked (with -c, or by piping, no rename would be needed). The reliable way to learn what each layer is, is file, which looks at the content rather than the name; as the steps below show, the names inside the archives are misleading.

Solution:

1. Look at the file; it is a hexdump:

bandit12@bandit:~$ cat data.txt

2. Create a working directory as the goal suggests, copy the file there and enter it:

bandit12@bandit:~$ mkdir /tmp/my
bandit12@bandit:~$ cp data.txt /tmp/my
bandit12@bandit:~$ cd /tmp/my

3. Reverse the hexdump with xxd -r and check what the resulting binary is:

bandit12@bandit:/tmp/my$ xxd -r data.txt > data.bin
bandit12@bandit:/tmp/my$ file data.bin
data.bin: gzip compressed data, was "data2.bin", last modified: Thu May 7 18:14:30 2020, max compression, from Unix

4. It is gzip data. Give it a .gz suffix, decompress it and check the result, which turns out to be a bzip2 file:

bandit12@bandit:/tmp/my$ mv data.bin data.gz
bandit12@bandit:/tmp/my$ gzip -d data.gz
bandit12@bandit:/tmp/my$ file data
data: bzip2 compressed data, block size = 900k

5. Rename it to .bz2 and decompress:

bandit12@bandit:/tmp/my$ mv data data.bz2
bandit12@bandit:/tmp/my$ bzip2 -d data.bz2
bandit12@bandit:/tmp/my$ ls
data data.txt

6. file reports that the new data is gzip again:

bandit12@bandit:/tmp/my$ file data
data: gzip compressed data, was "data4.bin", last modified: Thu May 7 18:14:30 2020, max compression, from Unix

7. Rename, decompress, and check again; this time it is a tar archive:

bandit12@bandit:/tmp/my$ mv data data.gz
bandit12@bandit:/tmp/my$ gzip -d data.gz
bandit12@bandit:/tmp/my$ ls
data data.txt
bandit12@bandit:/tmp/my$ file data
data: POSIX tar archive (GNU)

8. Rename it to .tar and extract it with tar:

bandit12@bandit:/tmp/my$ mv data data.tar
bandit12@bandit:/tmp/my$ tar -xvf data.tar
data5.bin
bandit12@bandit:/tmp/my$ file data5.bin
data5.bin: POSIX tar archive (GNU)

9. The extracted data5.bin is itself a tar archive despite its name; rename and extract again:

bandit12@bandit:/tmp/my$ mv data5.bin data5.tar
bandit12@bandit:/tmp/my$ tar -xvf data5.tar
data6.bin

Several more rounds follow, alternating between bzip2, gzip and tar, each handled the same way (file, rename, unpack). Eventually file reports plain ASCII text, and that file holds the password:

bandit12@bandit:/tmp/my$ file data8
data8: ASCII text
bandit12@bandit:/tmp/my$ cat data8
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
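The inspect, rename, unpack, repeat loop of this level automated, as an added example that is not part of the original writeup. Instead of trusting names or suffixes (data5.bin above is really a tar archive), each layer's type is read from its magic bytes: 1f 8b for gzip, BZh for bzip2, and the ustar marker at offset 257 for tar. Every layer is decompressed to standard output, so no renaming is ever needed. The nested sample is constructed for the demo and uses only gzip and tar so that it runs without bzip2 installed, although the loop handles bzip2 layers as well; hex_to_bin reproduces the xxd -r step and needs xxd.

```sh
#!/bin/sh
# Added example, not from the original writeup.  The sample archive chain
# built by build_sample is constructed for the demo.

# Reverse a hexdump produced by xxd, as the page does (requires xxd).
hex_to_bin() { xxd -r "$1" > "$2"; }

# Classify a blob by its content: gzip (1f 8b), bzip2 ("BZh") or a tar
# archive (the "ustar" magic at byte offset 257).  Anything else is "other".
kind_of() {
  magic=$(head -c 3 "$1" | od -An -tx1 | tr -d ' \n')
  case $magic in
    1f8b*)  echo gzip;  return ;;
    425a68) echo bzip2; return ;;
  esac
  if [ "$(tail -c +258 "$1" | head -c 5)" = ustar ]; then echo tar; return; fi
  echo other
}

# Peel layers off $1 until a non-archive blob remains, then print that blob.
# Each intermediate layer is written next to its parent with a .n suffix.
unwrap() {
  cur=$1
  while :; do
    case $(kind_of "$cur") in
      gzip)  gzip  -dc < "$cur" > "$cur.n" ;;
      bzip2) bzip2 -dc < "$cur" > "$cur.n" ;;
      tar)   tar -xOf "$cur"    > "$cur.n" ;;   # -O: extract members to stdout
      *)     cat "$cur"; return ;;
    esac
    cur=$cur.n
  done
}

# Build gzip(gzip(tar(inner))) in a scratch directory and print the outer path.
build_sample() {
  dir=$(mktemp -d)
  printf 'The password is EXAMPLE-ONLY\n' > "$dir/inner"
  ( cd "$dir" && tar -cf layer1 inner \
      && gzip -c < layer1 > layer2 \
      && gzip -c < layer2 > layer3 )
  echo "$dir/layer3"
}

unwrap "$(build_sample)"   # The password is EXAMPLE-ONLY
```

Reading from standard input (gzip -dc < file) sidesteps the suffix check entirely, which is the cleaner alternative to the mv dance in the transcript. If an archive contained more than one member, tar -O would concatenate them; for this level each tar holds a single file.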

Level13 -> Level14

Level Goal

The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on

Commands you may need to solve this level

ssh, telnet, nc, openssl, s_client, nmap

Approach:

Finally not data.txt. The next password sits in a file that only bandit14 can read. This level does not hand out that password; instead it provides an SSH private key (sshkey.private in the home directory) that logs in as bandit14. The closing note reminds us that localhost is the machine we are already on, so the hop is an SSH connection back into the same host as a different user. One caveat if you copy the key elsewhere: ssh refuses to use a private key whose file is readable by other users, so keep its mode at 0600.

Solution:

1. Log in to bandit14 with the key via ssh -i:

ssh -i sshkey.private bandit14@localhost

2. Once in, cat the password file:

bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

Level14 -> Level15

Level Goal

The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

Commands you may need to solve this level

ssh, telnet, nc, openssl, s_client, nmap

Approach:

Submit the current level's password to port 30000 on localhost and the service returns the next one.

Solution:

1. Connect to localhost port 30000 with telnet, paste the current password and read the reply. telnet is a cleartext protocol, which is acceptable on the loopback interface; nc localhost 30000 would do the same job.

bandit14@bandit:~$ telnet localhost 30000
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr

Connection closed by foreign host.

Level15 -> Level16

Level Goal

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…

Commands you may need to solve this level

ssh, telnet, nc, openssl, s_client, nmap

Approach:

Same exchange as the previous level, but port 30001 speaks SSL/TLS, so plain telnet or nc will not work; use openssl s_client, which opens a TLS connection and passes whatever you type through it. The hint about -ign_eof is about s_client's interactive mode: there, a line starting with Q, R or B is treated as a command (quit, renegotiate, send a heartbeat) rather than as data, and end of file on stdin closes the connection. The password here begins with B, which is exactly how one ends up seeing HEARTBEATING instead of an answer. -ign_eof (or -quiet) turns the command interpretation off and keeps the connection open until the server replies.

Solution:

bandit15@bandit:~$ openssl s_client -connect localhost:30001
-------- connection details omitted --------
BfMYroe26WYalil77FoDi9qh59eK5xNr
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd

Level16 -> Level17

Level Goal

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

Commands you may need to solve this level

ssh, telnet, nc, openssl, s_client, nmap

Approach:

Submit the current password to one port in the range 31000-32000 on localhost to get the next credentials. First find which ports have a listener, then which of those speak SSL. Only one service hands out the credentials; the others simply echo back whatever they receive.

Solution:

1. Scan the range with nmap:

bandit16@bandit:~$ nmap localhost -p 31000-32000

Starting Nmap 7.40 ( https://nmap.org ) at 2020-11-10 17:34 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00034s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
31046/tcp open unknown
31518/tcp open unknown
31691/tcp open unknown
31790/tcp open unknown
31960/tcp open unknown

2. Probe each open port with telnet. Three of them echo the input back in the clear. 31518 and 31790 do not answer plaintext sensibly, which suggests they expect TLS, so try both with openssl s_client:

openssl s_client -connect localhost:31518
openssl s_client -connect localhost:31790

3. Of the two, 31790 is the one that, over TLS, answers the submitted password with something other than an echo. Connect to it with openssl s_client, send the current level's password, and the reply is an RSA private key: the login key for the next level. Save it to a file with mode 0600 and use it with ssh -i, the same way as in Level 13.

-----BEGIN RSA PRIVATE KEY-----
(key material omitted)
-----END RSA PRIVATE KEY-----
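The manual work of the last three levels (find listeners, submit the password over TLS, tell an echo server from the one that answers) as a script, added here as an example that is not part of the original writeup. open_ports extracts the open TCP ports from nmap's normal output; the nmap report shown above is embedded as the sample so that the parser runs offline. probe sends a password to one port over TLS with openssl s_client -quiet (which implies -ign_eof, the hint from Level 15) and classifies the reply; it needs the real bandit host and is only defined here, not run. The password value is a placeholder.

```sh
#!/bin/sh
# Added example, not from the original writeup.  sample_scan reproduces the
# nmap output from the transcript above; PASSWORD below is a placeholder.

# Print the port numbers of open TCP ports from nmap's normal output.
# Lines look like "31046/tcp open unknown"; keep $1 with "/tcp" stripped.
open_ports() {
  awk '$2 == "open" { sub(/\/tcp$/, "", $1); print $1 }'
}

# Usage: probe PORT PASSWORD.  -quiet suppresses the certificate and session
# dump and implies -ign_eof, so lines starting with Q, R or B are sent as
# data and the connection stays open until the server answers.
probe() {
  reply=$(printf '%s\n' "$2" | openssl s_client -connect "localhost:$1" -quiet 2>/dev/null)
  case $reply in
    "$2") echo "$1: echo server" ;;
    "")   echo "$1: no TLS reply (plaintext service or handshake failed)" ;;
    *)    echo "$1: answered"; printf '%s\n' "$reply" ;;
  esac
}

# The nmap report from this level, embedded as a constructed sample.
sample_scan() {
  cat <<'EOF'
Starting Nmap 7.40 ( https://nmap.org ) at 2020-11-10 17:34 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00034s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
31046/tcp open unknown
31518/tcp open unknown
31691/tcp open unknown
31790/tcp open unknown
31960/tcp open unknown
EOF
}

sample_scan | open_ports   # 31046 31518 31691 31790 31960, one per line

# On the bandit host, with the real password and live output from nmap:
# for p in $(nmap localhost -p 31000-32000 | open_ports); do probe "$p" "$PASSWORD"; done
```

A reply that begins with -----BEGIN is the private key for the next level; write it to a file with mode 0600 before handing it to ssh -i, since ssh rejects a key that other users can read.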