This is the Linux command practice wargame on OverTheWire.
There are 34 levels; following each level's hints gets you through easily.
So let's review what was covered in class first, then get started.
Level 0
The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.
In other words, connect with SSH: the host is bandit.labs.overthewire.org, the port is 2220, and the username and password are both bandit0.
ssh usage:
ssh -p 2220 bandit0@bandit.labs.overthewire.org
It prompts for the password:
Enter bandit0:
First level passed.
Level 0-1
The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.
We need to find the readme file in the home directory; it holds the password.
ls lists directories and files; cat prints a file's contents.
Once we have the password, log out of bandit0 and log in to bandit1 with it.
ssh -p 2220 bandit1@bandit.labs.overthewire.org
bandit1@bandit.labs.overthewire.org's password:NH2SXQwcBdpmTEzi3bvBHMM9H66vVXjL
bandit1@bandit:~$
Level 1-2
The password for the next level is stored in a file called - located in the home directory
cat usage:
Because a leading - in Linux marks an option to the command, cat - does not read the file, so prefix the file name with ./ (the current directory path).
Level 2-3
The password for the next level is stored in a file called spaces in this filename located in the home directory
The password is in the file spaces in this filename, whose name contains spaces.
So the whole file name has to be quoted with '.
Level 3-4
The password for the next level is stored in a hidden file in the inhere directory.
The password is in a hidden file under the inhere directory.
Directories and files whose names start with . are hidden; ls -a shows them.
Level 4-5
The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.
The password is in the only human-readable file.
ls shows ten files, -file00 through -file09.
Trying to cat one of them prints garbage.
According to the hint only one file is readable by a human, so use the file command to check each file's type.
The rest are binary data files; only -file07 is an ASCII text file.
Level 5-6
The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:
human-readable
1033 bytes in size
not executable
The password is under the inhere directory, in a file that is human-readable, 1033 bytes in size and not executable.
find can do this: search for files of size 1033c (c means bytes).
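An added example (not from the original post) of the Level 5 find predicates run over a constructed directory tree: size in bytes with 1033c, and ! -executable to drop executables. For Level 6 the same command gains -user bandit7 -group bandit6 -size 33c, which cannot be reproduced here without root.

```shell
#!/bin/sh
# Added example: build a small constructed "inhere" tree and locate the one
# file that has all the Level 5 properties with find.
# Usage: make_inhere <dir>; find_candidates <dir>

make_inhere() {
  mkdir -p "$1/maybehere00" "$1/maybehere01"
  # exactly 1033 bytes and not executable: the file we want (hidden, like Level 3)
  head -c 1033 /dev/zero | tr '\0' 'a' > "$1/maybehere01/.file2"
  # 1033 bytes but executable: must be excluded by ! -executable
  head -c 1033 /dev/zero | tr '\0' 'b' > "$1/maybehere00/-file1"
  chmod +x "$1/maybehere00/-file1"
  # wrong size: excluded by -size 1033c
  head -c 1034 /dev/zero | tr '\0' 'c' > "$1/maybehere00/-file2"
}

# Print the paths under $1 (relative to $1) matching the Level 5 properties.
# Level 6 variant on a live box: find / -user bandit7 -group bandit6 -size 33c 2>/dev/null
find_candidates() {
  (cd "$1" && find . -type f -size 1033c ! -executable)
}
```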
Level 6-7
The password for the next level is stored somewhere on the server and has all of the following properties:
owned by user bandit7
owned by group bandit6
33 bytes in size
The password file is somewhere on the server, owned by user bandit7 and group bandit6, 33 bytes in size.
Use find again, adding the conditions group bandit6 and user bandit7 to the earlier ones.
Most of the output is permission denied, but one file is found.
Level 7-8
The password for the next level is stored in the file data.txt next to the word millionth
The password is in data.txt, next to the word millionth.
The hint points to grep. grep searches files for strings or regular expressions matching a pattern; by default, every line containing the pattern is printed.
grep [options] pattern [files]
Level 8-9
The password for the next level is stored in the file data.txt and is the only line of text that occurs only once
The password is in data.txt and is the only line that occurs exactly once.
sort sorts the contents of a text file line by line. By default it orders lines by their first field in ASCII order and writes the result to standard output.
sort testfile
uniq checks for and removes duplicate lines in a text file; it is usually combined with sort. -u or --unique prints only the lines that occur once.
uniq [-cdu][-f<fields>][-s<chars>][-w<chars>][--help][--version][input file][output file]
So sort first, then pipe the output through | into uniq for the check.
The pipe is a vertical bar, "|"; it feeds the output of the first command to the second.
command 1 | command 2
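An added example (not from the original post) of why sort has to come before uniq -u: uniq only compares adjacent lines, so on unsorted input a duplicate that is not next to its twin is wrongly reported as unique. The sample lines are constructed.

```shell
#!/bin/sh
# Added example: the Level 8 pipeline on a constructed sample where every
# line appears twice except "only-once", with the duplicates kept apart.
sample() {
  printf '%s\n' alpha beta only-once gamma alpha beta gamma
}

# Correct pipeline from the level: sort so duplicates become adjacent,
# then keep only the lines seen exactly once.
unique_line() {
  sample | sort | uniq -u
}

# Same without sort: uniq sees no adjacent duplicates and passes every
# line through, so this returns the number of lines printed (7, not 1).
unique_line_unsorted_count() {
  sample | uniq -u | wc -l | tr -d ' '
}
```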
Level 9-10
The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.
The password is in data.txt, one of a few human-readable strings, preceded by several "=" characters.
The number of = is not given, so we cannot match it exactly, but the hint mentions the strings command.
strings prints the printable character sequences in a file.
Run strings first, then find the line that has several = in it.
Level 10-11
The password for the next level is stored in the file data.txt, which contains base64 encoded data
The password is in data.txt, which holds base64-encoded data.
This should be base64 encoded. man base64 first.
base64 -d decodes the data. Pasting it into an online decoder also works.
Level 11-12
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions
The password is in data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been shifted by 13 positions.
This one has a bit of a cryptography flavour. The hint points to tr.
A shift cipher is as good as no cipher: one glance shows Gur = The.
tr [-cdst][--help][--version][SET1][SET2]
tr [OPTION]... SET1 [SET2]
CHAR1-CHAR2: the range of characters from CHAR1 to CHAR2, in ASCII order; a range may only run from low to high, never from high to low.
We need to build the translation table. With a shift of 13, SET1 a-zA-Z would map to n-mN-M, but by the range rule the wrap-around at za and ZA must be split, so SET2 is n-za-mN-ZA-M:
tr 'a-zA-Z' 'n-za-mN-ZA-M'
tr reads only from standard input, so use cat to feed it the file.
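An added example (not from the original post) wrapping the Level 11 tr table in a function, printing the two 52-character sets side by side so the n-za-m split can be checked, and verifying that applying the shift twice restores the input.

```shell
#!/bin/sh
# Added example: the Level 11 translation table. SET1 is a-zA-Z; SET2 is the
# alphabet shifted by 13, but a tr range may only run upwards, so the
# wrap-around is written as n-z followed by a-m (and N-Z followed by A-M).
rot13() {
  printf '%s' "$1" | tr 'a-zA-Z' 'n-za-mN-ZA-M'
}

# Print the plain alphabet over its shifted form so the mapping can be eyeballed.
rot13_table() {
  alphabet=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
  printf '%s\n%s\n' "$alphabet" "$(rot13 "$alphabet")"
}

# Applying the shift twice gives the original back (13 + 13 = 26), which is
# why the same tr command both "encrypts" and "decrypts".
rot13_roundtrip_ok() {
  [ "$(rot13 "$(rot13 "$1")")" = "$1" ]
}
```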
Level 12-13
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)
The password is a hexdump of a file that has been repeatedly compressed. For this level it helps to create a directory under /tmp to work in, using mkdir, for example mkdir /tmp/myname123. Then copy the data file with cp and rename it with mv.
Kali doesn't have xxd and installing it with apt seemed to fail too, so I had to look it up on Baidu first.
xxd converts a file or standard input to hexadecimal, and can also convert hexadecimal back to binary. The first step is to turn the hexdump back into binary.
Usage:
xxd [options] [infile [outfile]]
or
xxd -r [-s [-]offset] [-c cols] [-ps] [infile [outfile]]
Options:
-a toggle autoskip: A single '*' replaces nul-lines. Default off.
-b binary digit dump (incompatible with -ps,-i,-r). Default hex.
-c cols format <cols> octets per line. Default 16 (-i: 12, -ps: 30).
-E show characters in EBCDIC. Default ASCII.
-g number of octets per group in normal output. Default 2.
-h print this summary.
-i output in C include file style.
-l len stop after <len> octets.
-ps output in postscript plain hexdump style.
-r reverse operation: convert (or patch) hexdump into binary.
-r -s off revert with <off> added to file positions found in hexdump.
-s [+][-]seek start at <seek> bytes abs. (or +: rel.) infile offset.
-u use upper case hex letters.
-v show version: "xxd V1.10 27oct98 by Juergen Weigert".
-r converts a hexdump back to binary. First create a new directory; several names I tried already existed, and other people's directories were even still there with their generated files, but we use our own anyway.
First convert to a binary file with xxd, then check the type with file, rename it with mv to the matching extension, and decompress with the matching gzip, bzip2 or tar command.
Things got messed up around data6, so I had to create another directory, copy data6 into it and carry on from there; in the end the password came out.
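An added example (not from the original post) that automates the "check type, rename, decompress, repeat" loop of Level 12. It assumes the hexdump has already been reversed with xxd -r into a binary file, and reads the container type from magic bytes instead of the file command, so it also runs where file is not installed; the test data is constructed.

```shell
#!/bin/sh
# Added example: unwrap a repeatedly compressed file. Detection by magic bytes:
#   gzip starts with 1f 8b, bzip2 with "BZh" (42 5a 68), tar has "ustar" at offset 257.
# Usage: unwrap <file>; prints the path of the fully unwrapped file.
unwrap() {
  cur=$1
  dir=$(dirname "$cur")
  step=0
  while :; do
    step=$((step + 1))
    next="$dir/unwrap_step$step"
    magic=$(head -c 3 "$cur" | od -An -tx1 | tr -d ' \n')
    tarmagic=$(tail -c +258 "$cur" | head -c 5)
    case "$magic" in
      1f8b*)  gzip -dc "$cur" > "$next" || return 1 ;;
      425a68) bzip2 -dc "$cur" > "$next" || return 1 ;;
      *)
        if [ "$tarmagic" = ustar ]; then
          # tar archive: extract its (single) member next to the archive
          member=$(tar tf "$cur" | head -n 1) || return 1
          tar xf "$cur" -C "$dir" || return 1
          next="$dir/$member"
        else
          # no known container signature left: this is the plain payload
          printf '%s\n' "$cur"
          return 0
        fi ;;
    esac
    cur=$next
  done
}
```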
Level 13-14
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on
The password is in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level you don't get the next password; instead you get a private SSH key that can be used to log in to the next level.
The hint is to use this SSH key to log in to the next level; localhost is the hostname of the machine you are currently working on.
Level 14-15
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
The next password is obtained by connecting to localhost port 30000 and submitting the current password.
The nc command can open a connection to the target host and port and read and write data over it.
Level 15-16
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…
Connect to port 30001 on localhost over SSL and submit the password.
openssl ships simple client and server tools that can simulate an SSL connection for testing.
# connect to the remote server
openssl s_client -connect localhost:30001
Level 16-17
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
Submit the current level's password to a port on localhost in the range 31000-32000. First find out which of those ports have a server listening, then which of them speak SSL and which don't. Only one server returns the next credentials.
This is just an nmap port scan.
nmap -sV -p 31000-32000 localhost
Two ports are open with SSL; port 31790 returned the credentials.
Copy the credentials, then create the key file with vim: i enters insert mode, paste the credentials, then :wq saves and quits. Set the permissions with chmod 600 rsa.key, then ssh to bandit17@localhost with that key.
vim rsa.key
chmod 600 rsa.key
Level 17-18
There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new
NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19
There are 2 files in the home directory: passwords.old and passwords.new. The next password is in passwords.new and is the only line that changed between passwords.old and passwords.new.
Note: if you have solved this level and see 'Byebye!' when trying to log in, that is related to the next level, bandit19.
As the hint says, diff compares the two files.
After logging in you see Byebye! and the session ends immediately.
Level 18-19
The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
The next password is in the readme file in the home directory. Unfortunately someone has modified .bashrc to log you out when you log in over SSH.
There is a readme file; following the hint, cat it to show the password.
Level 19-20
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.
There is a bandit20-do file; running it says it has to be run as another user id. The password is in /etc/bandit_pass.
ll shows the file's attributes: it is setuid and runs as bandit20. Try running it as in the Example.
As the hint says, the password is in /etc/bandit_pass, and this binary can run with bandit20's id to read it.
Level 20-21
There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
NOTE: Try connecting to your own network daemon to see if it works as you think
There is a setuid binary in the home directory that does the following: it connects to localhost on the port you give it. It then reads a line from the connection and compares it with the previous level's password. If the password is correct, it sends back the next level's password (bandit21).
Use nc to listen on a free port, then connect to that port with suconnect; nc sends the bandit20 password and suconnect replies with the bandit21 password.
Level 21-22
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
Cron is a program that runs a given command or script at a specific time or at regular intervals.
Look at the bandit22 script to find out where the password file is.
Level 22-23
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
A program runs automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see which command is executed.
Note: reading shell scripts written by other people is a very useful skill. This level's script is deliberately easy to read. If you have trouble understanding it, run it and look at the debug output it prints.
Same as the previous level: read the script. It takes the current username, derives a file name from its md5 hash, and writes the password into that file under mytarget. We can run the same steps ourselves, substituting bandit23 for the username.
Level 23-24
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…
A program runs automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see which command is executed.
Note: this level requires you to create your own first shell script. That is a big step, and you should be proud of yourself when you beat this level!
Note 2: keep in mind that your shell script is removed once executed, so you may want to keep a copy around...
Find the script first.
This script goes to a directory foo, then executes and deletes every script in it. Since scripts in foo get executed, we can put a script there that grabs the password:
#!/bin/bash
cat /etc/bandit_pass/bandit24 >> /tmp/bandit24pass
After cron has run it, the password is in the output file.
Level 24-25
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.
You do not need to create new connections each time
A daemon listens on port 30002 and will give you the bandit25 password if given the bandit24 password and a secret 4-digit pin. The pin can only be found by trying all 10000 combinations with a script, i.e. brute-forcing. You don't need a new connection each time.
We need a shell script that tries every 4-digit pin; normally that is a for loop:
for var in 1 2 ... N
do
    # loop body
done
First generate a pass file, each line being the bandit24 password plus a 4-digit number; then connect with nc and save the replies to a result file.
mktemp -d
cd /tmp/tmp.woB20NVxPJ
vim getpass.sh
Write the following script in vim:
#!/bin/bash
# one candidate per line: the bandit24 password followed by the 4-digit pin
for i in {0000..9999}
do
echo VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar $i >> pass.txt
done
# send all candidates over a single connection and keep the replies
cat pass.txt | nc localhost 30002 > result.txt
Make it executable:
chmod +x getpass.sh
./getpass.sh
After it finishes, use grep to filter out the wrong guesses:
sort result.txt | grep -v "Wrong!"
Possibly because the network was unstable, the 10000-iteration run would stop responding, so in practice I had to run it in chunks; in the end the password was found.
Level 25-26
Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.
Logging in to bandit26 from bandit25 should be fairly easy... The shell of user bandit26 is not /bin/bash but something else. Find out what it is, how it works and how to break out of it.
The session disconnects right after connecting, which hints that the shell is odd. Check /etc/passwd, and based on what it says look at showtext: its last line is exit 0, so it exits as soon as the last command has run.
The second to last line uses more, and both more and less can run commands, so shrink the terminal to fewer rows and log in again.
Here press v to open vim; since the password is at a fixed location, use the :e command to load the file.
Level 26-27
Good job getting a shell! Now hurry and grab the password for bandit27!
Nice job getting a shell! Now hurry up and grab the password for bandit27.
Same situation as the previous level: since commands can be run here, we can get a shell.
:set shell=/bin/bash
:sh
There is an executable bandit27-do which can be used to read the password.
Level 27-28
There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo via the port 2220. The password for the user bandit27-git is the same as for the user bandit27.
Clone the repository and find the password for the next level.
There is a git repository whose user has the same password as user bandit27. Its address is ssh://bandit27-git@localhost/home/bandit27-git/repo, port 2220. Clone the repository and find the next password.
What follows is mainly git command usage.
git clone the repository and find the password.
Level 28-29
There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo via the port 2220. The password for the user bandit28-git is the same as for the user bandit28.
Clone the repository and find the password for the next level.
Same procedure as the previous level.
After cloning, the password is a string of xxxxxxxx. What? Has it been x-ed out?
git log shows that the last commit modified the file.
git show displays the log message and the textual diff.
Level 29-30
There is a git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo via the port 2220. The password for the user bandit29-git is the same as for the user bandit29.
Clone the repository and find the password for the next level.
The password is empty.
git branch lists the branches. There are 4; the dev branch added data ("add data needed for development"), while the other branches added assorted junk. We can guess that the dev branch holds the password we need. Switch to dev and the password is there.
Level 30-31
There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo via the port 2220. The password for the user bandit30-git is the same as for the user bandit30.
Clone the repository and find the password for the next level.
git show-ref lists all refs available in the local repository together with their commit IDs; a secret ref is visible, so show it directly to get the password.
Level 31-32
There is a git repository at ssh://bandit31-git@localhost/home/bandit31-git/repo via the port 2220. The password for the user bandit31-git is the same as for the user bandit31.
Clone the repository and find the password for the next level.
The hint says a file must be pushed to the remote repository. Create key.exe as required, push it, and the password is returned.
Level 32-33
After all this git stuff its time for another escape. Good luck!
After logging in the shell is abnormal: commands are converted to uppercase and so fail to run. $0 switches to a normal shell, and then the password is in the usual place.
Level 33-34
At this moment, level 34 does not exist yet.
After logging in, it says you have completed the game.