Bandit
Bandit wargame: https://overthewire.org/wargames/bandit/
Level0
Level Goal
The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.
Commands you may need to solve this level
ssh
Solution idea:
We need to connect to the bandit server with the following parameters:
Host: bandit.labs.overthewire.org
Port: 2220
Username: bandit0
Password: bandit0
After logging in, go to the Level 1 page to continue.
Solution:
1. First, enter the SSH connection in Xshell.
Command:
ssh bandit.labs.overthewire.org:2220
2. A prompt asks whether to save the host key; accept and save it.
3. Enter the username and password; the welcome banner is shown and the login succeeds.
Level0 -> Level1
Level Goal
The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.
Commands you may need to solve this level
ls, cd, cat, file, du, find
Solution idea:
The password is stored in the readme file in the home directory; read it with cat.
Solution:
1. Run cat directly on the readme file in the home directory:
bandit0@bandit:~$ cat readme
Level1 -> Level2
Level Goal
The password for the next level is stored in a file called - located in the home directory
Commands you may need to solve this level
ls, cd, cat, file, du, find
Solution idea:
This looks the same as the previous level, but - has a special meaning to cat (it stands for standard input), so running cat - directly fails. Writing the full path shows that it is a file; then cat reads it as usual.
Solution:
1. Run the following to read the password stored in -:
bandit1@bandit:~$ cat ./-
Level2 -> Level3
Level Goal
The password for the next level is stored in a file called spaces in this filename located in the home directory
Commands you may need to solve this level
ls, cd, cat, file, du, find
Solution idea:
Another file-reading task, but this time the filename contains spaces. If you run cat with the bare filename, the shell splits it at the first space. Wrap the name in double quotes so the whole name is passed as one argument.
Solution:
1. Run the following to read the password from the file:
bandit2@bandit:~$ cat "spaces in this filename"
Level3 -> Level4
Level Goal
The password for the next level is stored in a hidden file in the inhere directory.
Commands you may need to solve this level
ls, cd, cat, file, du, find
Solution idea:
Still easy: enter the inhere directory, then open the hidden file inside it.
Solution:
1. First enter the inhere directory:
bandit3@bandit:~$ cd inhere
2. List the current directory; nothing shows up:
bandit3@bandit:~/inhere$ ls
3. Use the -a flag to list all files, including hidden ones:
bandit3@bandit:~/inhere$ ls -a
4. Besides the current and parent directory entries there is a hidden file named .hidden; open it to get the password:
bandit3@bandit:~/inhere$ cat .hidden
Level4 -> Level5
Level Goal
The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.
Commands you may need to solve this level
ls, cd, cat, file, du, find
Solution idea:
Enter the inhere directory, find the human-readable file and open it.
Solution:
1. First enter the inhere directory:
bandit4@bandit:~$ cd inhere
2. List all files in the current directory:
bandit4@bandit:~/inhere$ ls -a
3. There are many files, so use file ./* to check the type of every one of them (the ./ prefix keeps names starting with - from being parsed as options).
bandit4@bandit:~/inhere$ file ./*
4. Only -file07 is an ASCII text file; read it to get the password.
bandit4@bandit:~/inhere$ cat ./-file07
Level5 -> Level6
Level Goal
The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:
- human-readable
- 1033 bytes in size
- not executable
Commands you may need to solve this level
ls, cd, cat, file, du, find
Solution idea:
Enter the inhere directory and find the human-readable, non-executable file that is 1033 bytes in size.
Solution:
1. List the current directory.
bandit5@bandit:~$ ls
2. Enter the inhere directory and list its files.
bandit5@bandit:~$ cd inhere
3. There are too many files to check one by one, so use find with the size condition from the task.
bandit5@bandit:~/inhere$ find . -type f -size 1033c
4. One file matches; cat it to get the password.
bandit5@bandit:~/inhere$ cat ./maybehere07/.file2
Level6 -> Level7
Level Goal
The password for the next level is stored somewhere on the server and has all of the following properties:
- owned by user bandit7
- owned by group bandit6
- 33 bytes in size
Commands you may need to solve this level
ls, cd, cat, file, du, find, grep
Solution idea:
The password is in a file that is 33 bytes in size, owned by user bandit7 and by group bandit6.
Solution:
1. Run find over the whole filesystem with those conditions:
find / -user bandit7 -group bandit6 -size 33c
2. Many permission-denied messages appear; ignore them. One file matches:
/var/lib/dpkg/info/bandit7.password
3. Open it to get the next level's password:
bandit6@bandit:~$ cat /var/lib/dpkg/info/bandit7.password
Level7 -> Level8
Level Goal
The password for the next level is stored in the file data.txt next to the word millionth
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd
Solution idea:
The password is stored in data.txt, right next to the word millionth.
Solution:
1. The file is far too large to scan by hand, so grep for the word directly.
bandit7@bandit:~$ cat data.txt | grep millionth
Level8 -> Level9
Level Goal
The password for the next level is stored in the file data.txt and is the only line of text that occurs only once
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd
Solution idea:
Still in data.txt; the password is the only line of text that occurs exactly once.
Solution:
1. Sort data.txt with sort so that identical lines become adjacent.
2. Pipe the result into uniq -u, which prints only lines that are not repeated, leaving the single line that occurs once.
bandit8@bandit:~$ sort data.txt | uniq -u
Level9 -> Level10
Level Goal
The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd
Solution idea:
The password is in data.txt, in one of the few human-readable strings, and is preceded by several = characters.
Solution:
1. cat shows mostly binary garbage, so use strings to extract the printable strings.
2. Find the line with a run of = signs; the password follows them.
bandit9@bandit:~$ strings data.txt
Level10 -> Level11
Level Goal
The password for the next level is stored in the file data.txt, which contains base64 encoded data
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd
Solution idea:
data.txt again; this time the password is base64-encoded.
Solution:
1. Viewing the file directly shows a base64-encoded string.
bandit10@bandit:~$ cat data.txt
2. Decode it with the base64 command:
bandit10@bandit:~$ base64 -d data.txt
Level11 -> Level12
Level Goal
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd
Solution idea:
data.txt again. I did not quite understand the task, so I ran it through Baidu Translate: all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions. What???
Solution:
1. Not sure what that means, so open the file first:
bandit11@bandit:~$ cat data.txt
2. Reading the task again carefully: the letters are rotated by 13 positions, i.e. shifted right by 13, so A stands for N and so on. With 26 letters in total, this amounts to swapping the first 13 and the last 13 letters, which tr can do with two ranges:
bandit11@bandit:~$ cat data.txt | tr 'a-zA-Z' 'n-za-mN-ZA-M'
Level12 -> Level13
Level Goal
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd, mkdir, cp, mv, file
Solution idea:
This is a hexdump of a file that has been repeatedly compressed. The task suggests creating a directory under /tmp and using cp and mv to manage the files.
Solution:
1. Open it first; the content is a pile of hexadecimal:
bandit12@bandit:~$ cat data.txt
2. Create a directory as suggested (then copy data.txt into it with cp and cd there):
bandit12@bandit:~$ mkdir /tmp/my
3. Use xxd -r to convert the hexdump back to a binary file, then check its file type:
bandit12@bandit:/tmp/my$ xxd -r data.txt > data.bin
4. It is a gzip file; rename it with a .gz suffix and decompress it:
bandit12@bandit:/tmp/my$ mv data.bin data.gz
5. Run file on the resulting data again; the decompressed data is a bzip2 archive.
bandit12@bandit:/tmp/my$ file data
6. Rename it with a .bz2 suffix and decompress:
bandit12@bandit:/tmp/my$ mv data data.bz2
7. Check the type of data again; it is a gzip file once more, so rename and decompress.
bandit12@bandit:/tmp/my$ file data
8. Run file on the decompressed output; this time it is a tar archive!!!
bandit12@bandit:/tmp/my$ mv data data.gz
9. Rename it and extract with tar:
bandit12@bandit:/tmp/my$ mv data data.tar
10. The extracted data5.bin is again a tar archive; rename and extract again:
bandit12@bandit:/tmp/my$ mv data5.bin data5.tar
Repeating the rename-and-decompress cycle N more times, alternating between bzip2, gzip and tar, eventually yields data8, an ASCII text file:
bandit12@bandit:/tmp/my$ file data8
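As an added example (not from the original writeup), the same unwrapping done programmatically in Python: it rebuilds bytes from an xxd-style hexdump as xxd -r does, identifies each layer by its magic bytes instead of by renaming the file, and peels gzip, bzip2 and tar layers until plain data remains. The hexdump is constructed inline from a made-up secret wrapped as gzip(tar(bzip2(gzip(secret)))); it is not the level's real data.txt.

```python
import bz2
import gzip
import io
import tarfile

def xxd_reverse(dump: str) -> bytes:
    """Rebuild bytes from an xxd hexdump (what xxd -r does): keep only the hex column."""
    hexcols = [line.split(":", 1)[1].split("  ", 1)[0] for line in dump.splitlines()]
    return bytes.fromhex(" ".join(hexcols))

def unwrap_once(blob: bytes):
    """Peel one layer by magic bytes: returns (format, inner) or (None, blob)."""
    if blob.startswith(b"\x1f\x8b"):           # gzip magic
        return "gzip", gzip.decompress(blob)
    if blob.startswith(b"BZh"):                # bzip2 magic
        return "bzip2", bz2.decompress(blob)
    if blob[257:262] == b"ustar":              # ustar magic inside the tar header
        with tarfile.open(fileobj=io.BytesIO(blob)) as tf:
            member = next(m for m in tf.getmembers() if m.isfile())
            return "tar", tf.extractfile(member).read()
    return None, blob

def unwrap_all(blob: bytes):
    """Repeat unwrap_once until no container remains; returns (layers, payload)."""
    layers = []
    while True:
        fmt, blob = unwrap_once(blob)
        if fmt is None:
            return layers, blob
        layers.append(fmt)

def make_sample():
    """Constructed stand-in for data.txt: gzip(tar(bzip2(gzip(secret)))) as xxd text."""
    secret = b"constructed-sample-password\n"
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tf:
        inner = bz2.compress(gzip.compress(secret))
        info = tarfile.TarInfo("data5.bin")
        info.size = len(inner)
        tf.addfile(info, io.BytesIO(inner))
    blob = gzip.compress(tar_buf.getvalue())
    dump = ""
    for off in range(0, len(blob), 16):      # emit xxd's default 16-byte rows
        chunk = blob[off:off + 16]
        hexcol = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        dump += f"{off:08x}: {hexcol:<39}  {asc}\n"
    return secret, dump
```

Running unwrap_all(xxd_reverse(dump)) on the constructed sample reports the layers in the order they are peeled and returns the original secret bytes.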
Level13 -> Level14
Level Goal
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on
Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap
Solution idea:
Finally not data.txt. The next level's password is stored in a file that only user bandit14 can read. This level does not hand out the password directly; instead it provides an SSH private key for logging into the next level. The last hint says that localhost refers to the machine you are currently working on.
Solution:
1. Use ssh -i to log in as bandit14 with the private key:
ssh -i sshkey.private bandit14@localhost
2. Once logged in, simply cat the file:
bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
Level14 -> Level15
Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap
Solution idea:
The task says that submitting the current level's password to port 30000 on localhost returns the new password.
Solution:
1. Use telnet to connect to port 30000 on localhost, then submit this level's password to receive the next one:
bandit14@bandit:~$ telnet localhost 30000
Level15 -> Level16
Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…
Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap
Solution idea:
Submitting this level's password over SSL to port 30001 on localhost returns the next level's password.
Solution:
1. Connect with openssl s_client and submit the password:
bandit15@bandit:~$ openssl s_client -connect localhost:30001
Level16 -> Level17
Level Goal
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap
Solution idea:
Submitting the current level's password to one of the ports 31000-32000 returns the next level's credentials. We need to find which ports have a listening service, then which of those speak SSL. Only one service hands out the next credentials; the others simply echo back whatever you send.
Solution:
1. Use nmap to list the open ports in that range:
bandit16@bandit:~$ nmap localhost -p 31000-32000
2. Test each port with telnet; 31518 and 31790 do not echo the input back. Then check whether they support SSL.
openssl s_client -connect localhost:31518
3. Only port 31790 supports SSL; connect to it with openssl s_client and send the current level's password. The reply is an RSA private key:
-----BEGIN RSA PRIVATE KEY-----