OverTheWire wargame: Bandit (11-20)

This article records in detail one player's path through Levels 10 to 20 of OverTheWire's Bandit game. The skills involved include base64 decoding, file operations, SSH connections, SSL-encrypted communication, port scanning and file permission adjustment. By solving each puzzle the player obtains the password for each level and gradually unlocks the next one.


Level 10 → Level 11

Level description:

The password for the next level is stored in the file data.txt, which contains base64-encoded data.


Solution:

# base64 decoding
bandit10@bandit:~$ ls
data.txt
bandit10@bandit:~$ cat data.txt 
VGhlIHBhc3N3b3JkIGlzIElGdWt3S0dzRlc4TU9xM0lSRnFyeEUxaHhUTkViVVBSCg==
bandit10@bandit:~$ 
bandit10@bandit:~$ 
bandit10@bandit:~$ base64 data.txt 
VkdobElIQmhjM04zYjNKa0lHbHpJRWxHZFd0M1MwZHpSbGM0VFU5eE0wbFNSbkZ5ZUVVeGFIaFVU
a1ZpVlZCU0NnPT0K
bandit10@bandit:~$ 
bandit10@bandit:~$ base64 -d data.txt 
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR
bandit10@bandit:~$ 

Level 11 → Level 12

Level description:

Hint: the password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions.


Solution:


# This amounts to swapping the first 13 letters of the alphabet with the last 13. As the hint suggests, the tr command is what is needed; look up how it is used.

a moved 13 places forward is n, so a becomes n
bandit11@bandit:~$ cat data.txt 
Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh
bandit11@bandit:~$ man tr

bandit11@bandit:~$ cat data.txt |tr 'a-zA-Z' 'n-za-mN-ZA-M'
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
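As an added example (not part of the original write-up), the two decodings above in Python: `decode_base64_line` does what `base64 -d` does, and `rotate_letters` builds the same character mapping as `tr 'a-zA-Z' 'n-za-mN-ZA-M'`, generalised to any shift. The two sample strings are constructed to have the same shape as the level files; they are not the wargame's data.

```python
import base64
import string

# Constructed samples shaped like bandit10's and bandit11's data.txt (not the real contents).
BASE64_SAMPLE = "VGhlIHBhc3N3b3JkIGlzIGV4YW1wbGUK"
ROT13_SAMPLE = "Gur cnffjbeq vf rknzcyr"


def decode_base64_line(line: str) -> str:
    """`base64 -d`: decode one base64 line. validate=True rejects input that is not base64
    (stray spaces, wrong length) instead of silently skipping characters."""
    return base64.b64decode(line.strip(), validate=True).decode("utf-8")


def looks_like_base64(line: str) -> bool:
    """Quick sanity check before trusting what `base64 -d` would print."""
    try:
        base64.b64decode(line.strip(), validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def rotate_letters(text: str, shift: int = 13) -> str:
    """Rotate a-z and A-Z by `shift` positions; everything else (digits, spaces) is untouched.
    shift=13 builds the same mapping as `tr 'a-zA-Z' 'n-za-mN-ZA-M'`."""
    shift %= 26
    lower, upper = string.ascii_lowercase, string.ascii_uppercase
    table = str.maketrans(
        lower + upper,
        lower[shift:] + lower[:shift] + upper[shift:] + upper[:shift],
    )
    return text.translate(table)


if __name__ == "__main__":
    print(decode_base64_line(BASE64_SAMPLE), end="")
    print(rotate_letters(ROT13_SAMPLE))
```

Applying `rotate_letters` twice returns the input, which is why the same `tr` command both encodes and decodes ROT13; with `validate=True`, a line that is not base64 (such as the ROT13 one) is rejected rather than partially decoded.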

Level 12 → Level 13

Level description:

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work, using mkdir. For example: mkdir /tmp/myname123. Then copy the data file using cp, and rename it using mv (read the man pages!)


Solution:

# This level is genuinely maddening; anyone with a short fuse will want to smash their keyboard...
It mainly tests decompression. Stay calm, don't lose your temper, there is plenty of time.
bandit12@bandit:~$ cd /tmp/
bandit12@bandit:/tmp$ mkdir /tmp/abc
bandit12@bandit:/tmp$ cd /tmp/abc
bandit12@bandit:/tmp/abc$ cp ~/data.txt ./
bandit12@bandit:/tmp/abc$ ls
data.txt
bandit12@bandit:/tmp/abc$ 
bandit12@bandit:/tmp/abc$ cat data.txt 
00000000: 1f8b 0808 0650 b45e 0203 6461 7461 322e  .....P.^..data2.
00000010: 6269 6e00 013d 02c2 fd42 5a68 3931 4159  bin..=...BZh91AY
00000020: 2653 598e 4f1c c800 001e 7fff fbf9 7fda  &SY.O...........

# I have left out the rest of the compressed binary garbage, which is of no use here
# The hexdump above contains a hint: the original name is data2.bin, so reverse the dump into data2.bin

bandit12@bandit:/tmp/abc$ xxd -r data.txt > data2.bin
bandit12@bandit:/tmp/abc$ ls
data2.bin  data.txt

bandit12@bandit:/tmp/abc$ file data2.bin 
data2.bin: gzip compressed data, was "data2.bin", last modified: Thu May  7 18:14:30 2020, max compression, from Unix
# file says gzip, so rename the file with a suffix gzip accepts and decompress it
bandit12@bandit:/tmp/abc$ mv data2.bin data.gz
bandit12@bandit:/tmp/abc$ 
bandit12@bandit:/tmp/abc$ gzip -d data.gz 
bandit12@bandit:/tmp/abc$ ls
data  data.txt
bandit12@bandit:/tmp/abc$ file data
data: bzip2 compressed data, block size = 900k

# After decompression it turns out to be bzip2; rename it again to the suffix bzip2 accepts and decompress... and so on, round after round.
bandit12@bandit:/tmp/abc$ bzip -d data
-bash: bzip: command not found
bandit12@bandit:/tmp/abc$ mv data data.bz2
bandit12@bandit:/tmp/abc$ file *
data.bz2: bzip2 compressed data, block size = 900k
data.txt: ASCII text
bandit12@bandit:/tmp/abc$ bzip2 -d data.bz2 
bandit12@bandit:/tmp/abc$ ls
data  data.txt
bandit12@bandit:/tmp/abc$ file data
data: gzip compressed data, was "data4.bin", last modified: Thu May  7 18:14:30 2020, max compression, from Unix
bandit12@bandit:/tmp/abc$ mv data data.gz
bandit12@bandit:/tmp/abc$ ls
data.gz  data.txt
bandit12@bandit:/tmp/abc$ gzip -d data.gz 
bandit12@bandit:/tmp/abc$ ls
data  data.txt
bandit12@bandit:/tmp/abc$ file data
data: POSIX tar archive (GNU)
bandit12@bandit:/tmp/abc$ mv data data.tar

bandit12@bandit:/tmp/abc$ tar -xvf data.tar 
data5.bin
bandit12@bandit:/tmp/abc$ cat data5.bin
data6.bin0000644000000000000000000000033613655050006011247 0ustar  rootrootBZh91AY&SY
[binary tar payload omitted]
bandit12@bandit:/tmp/abc$ Xshell
-bash: Xshell: command not found
bandit12@bandit:/tmp/abc$ file data5.bin 
data5.bin: POSIX tar archive (GNU)
bandit12@bandit:/tmp/abc$ mv data5.bin  data.tar
bandit12@bandit:/tmp/abc$ tar xvf data.tar 
data6.bin
bandit12@bandit:/tmp/abc$ file data6.bin 
data6.bin: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/abc$ mv data6.bin data.bz2

bandit12@bandit:/tmp/abc$ 
bandit12@bandit:/tmp/abc$ ls
data.bz2  data.tar  data.txt
bandit12@bandit:/tmp/abc$ bzip2 -d data.bz2
bandit12@bandit:/tmp/abc$ ls
data  data.tar  data.txt
bandit12@bandit:/tmp/abc$ file *
data:     POSIX tar archive (GNU)
data.tar: POSIX tar archive (GNU)
data.txt: ASCII text
bandit12@bandit:/tmp/abc$ rm -rf data.tar
bandit12@bandit:/tmp/abc$ mv data data.tar
bandit12@bandit:/tmp/abc$ tar xvf data.tar 
data8.bin
bandit12@bandit:/tmp/abc$ 
bandit12@bandit:/tmp/abc$ file data8.bin 
data8.bin: gzip compressed data, was "data9.bin", last modified: Thu May  7 18:14:30 2020, max compression, from Unix
bandit12@bandit:/tmp/abc$ cat data8.bin
[binary gzip content omitted]
bandit12@bandit:/tmp/abc$ mv data8.bin data8.gz
bandit12@bandit:/tmp/abc$ gzip -d data8.gz 
bandit12@bandit:/tmp/abc$ ls
data8  data.tar  data.txt
bandit12@bandit:/tmp/abc$ file *
data8:    ASCII text
data.tar: POSIX tar archive (GNU)
data.txt: ASCII text
bandit12@bandit:/tmp/abc$ cat data8
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
bandit12@bandit:/tmp/abc$ 
# One way or another, we got the next level's password in the end. Let's move on.
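The chain above is long enough to be worth automating. The Python below is an added example, not code from the write-up: `unhexdump` reverses an `xxd`-style dump like `xxd -r`, `identify` reads the same magic bytes `file` reports (gzip `1f 8b`, bzip2 `BZh`, `ustar` at offset 257 for tar), and `recover_password` peels layers until plain text is left, with a layer cap so a crafted input cannot keep it looping. The hexdump it works on is constructed in `build_sample_dump` (text inside gzip, tar, bzip2, gzip), so it runs offline; the real data.txt has more layers, but the loop is the same.

```python
import bz2
import gzip
import io
import tarfile

# Magic bytes used to pick the decompressor: the same evidence `file` relies on.
GZIP_MAGIC = b"\x1f\x8b"
BZIP2_MAGIC = b"BZh"
TAR_MAGIC_OFFSET, TAR_MAGIC = 257, b"ustar"


def hexdump(data: bytes) -> str:
    """Render bytes in xxd's default layout (used here only to build the constructed sample)."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        groups = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {groups:<39}  {text}")
    return "\n".join(lines) + "\n"


def unhexdump(dump: str) -> bytes:
    """Reverse an xxd hexdump into bytes, like `xxd -r`: drop the offset and the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        _offset, rest = line.split(":", 1)
        hex_field = rest.split("  ", 1)[0]  # everything before the two-space gap is hex
        out += bytes.fromhex(hex_field.replace(" ", ""))
    return bytes(out)


def identify(data: bytes) -> str:
    """Classify a blob by its magic bytes."""
    if data.startswith(GZIP_MAGIC):
        return "gzip"
    if data.startswith(BZIP2_MAGIC):
        return "bzip2"
    if data[TAR_MAGIC_OFFSET:TAR_MAGIC_OFFSET + len(TAR_MAGIC)] == TAR_MAGIC:
        return "tar"
    if data and all(32 <= b < 127 or b in b"\t\r\n" for b in data):
        return "text"
    return "unknown"


def unwrap_once(data: bytes, kind: str) -> bytes:
    """Remove one layer. A tar layer yields the content of its first regular member."""
    if kind == "gzip":
        return gzip.decompress(data)
    if kind == "bzip2":
        return bz2.decompress(data)
    if kind == "tar":
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
            for member in tf.getmembers():
                if member.isfile():
                    return tf.extractfile(member).read()
        raise ValueError("tar archive holds no regular file")
    raise ValueError(f"cannot unwrap {kind}")


def recover_password(dump: str, max_layers: int = 32) -> tuple:
    """Reverse the hexdump, then peel layers until plain text remains.
    Returns (text, list of layer kinds from the outside in). The cap stops a crafted input
    that never bottoms out from looping forever."""
    data = unhexdump(dump)
    layers = []
    for _ in range(max_layers):
        kind = identify(data)
        if kind == "text":
            return data.decode("ascii"), layers
        layers.append(kind)
        data = unwrap_once(data, kind)
    raise ValueError(f"still not text after {max_layers} layers")


def build_sample_dump() -> str:
    """Constructed stand-in for data.txt: text -> gzip -> tar -> bzip2 -> gzip -> xxd."""
    payload = gzip.compress(b"The password is example\n")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        info = tarfile.TarInfo("data5.bin")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return hexdump(gzip.compress(bz2.compress(buf.getvalue())))


SAMPLE_DUMP = build_sample_dump()

if __name__ == "__main__":
    print(recover_password(SAMPLE_DUMP))
```

Deciding by magic bytes rather than by file suffix is the point: the wargame renames are only needed because `gzip` and `bzip2` insist on a suffix, whereas the bytes themselves already say what they are.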

Level 13 → Level 14

Level description:

The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level you do not get the next password; instead you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on.


Solution:

# This level tests ssh usage: we are given a key, and the -i option lets us log into the next level with it
bandit13@bandit:~$ ls
sshkey.private
bandit13@bandit:~$ cat sshkey.private 
-----BEGIN RSA PRIVATE KEY-----
[key body omitted]
-----END RSA PRIVATE KEY-----
bandit13@bandit:~$ 
bandit13@bandit:~$ ssh bandit14@localhost -i sshkey.private 

  Enjoy your stay!

bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
bandit14@bandit:~$ 

Level 14 → Level 15

Level description:

Hint: the password for the next level can be retrieved by submitting the current level's password to port 30000 on localhost.


Solution:

# The level hints at the nc command, so use nc to connect to port 30000 on localhost.
bandit14@bandit:~$ nc localhost:30000
localhost:30000: forward host lookup failed: No address associated with name
bandit14@bandit:~$ nc localhost 30000
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr

bandit14@bandit:~$ 
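The exchange with port 30000 as an added example, not part of the original write-up: a loopback server that plays the role of the level's service (read one line, compare it, answer `Correct!` plus the next secret, or the `Wrong! Please enter the correct current password` line that appears later in the write-up) and a client `submit_password` that does what `nc localhost 30000` followed by typing the password does. The two passwords are constructed placeholders and the port is chosen by the OS. `use_tls=True` wraps the socket the way `openssl s_client` would for the next level, with a default (verifying) context, so against the wargame's self-signed certificate it would fail verification, the same `verify error:num=18` that `s_client` prints but carries on past.

```python
import socket
import ssl
import threading

# Constructed placeholder secrets for the demo server (not the wargame's passwords).
CURRENT_PASSWORD = "current-level-password-PLACEHOLDER"
NEXT_PASSWORD = "next-level-password-PLACEHOLDER"
WRONG_REPLY = "Wrong! Please enter the correct current password\n"


def handle_client(conn: socket.socket) -> None:
    """Server side: read one line, compare it with the current password, answer, close."""
    with conn, conn.makefile("rwb") as stream:
        submitted = stream.readline().rstrip(b"\r\n").decode("utf-8", "replace")
        if submitted == CURRENT_PASSWORD:
            stream.write(f"Correct!\n{NEXT_PASSWORD}\n".encode())
        else:
            stream.write(WRONG_REPLY.encode())
        stream.flush()


def start_demo_server(host: str = "127.0.0.1") -> int:
    """Start a loopback server on an OS-chosen port and return that port."""
    listener = socket.create_server((host, 0))
    port = listener.getsockname()[1]

    def serve() -> None:
        while True:
            conn, _addr = listener.accept()
            threading.Thread(target=handle_client, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return port


def submit_password(host: str, port: int, password: str, use_tls: bool = False) -> str:
    """Client side: send one line, then return everything the server sends back before closing."""
    sock = socket.create_connection((host, port), timeout=5)
    if use_tls:
        # A default context verifies the server certificate against the system trust store;
        # a self-signed certificate such as the wargame's is rejected here.
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(password.encode() + b"\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


if __name__ == "__main__":
    demo_port = start_demo_server()
    print(submit_password("127.0.0.1", demo_port, CURRENT_PASSWORD), end="")
    print(submit_password("127.0.0.1", demo_port, "not-the-password"), end="")
```

The server reads exactly one line and closes, which is why the client can simply read to EOF; a service that keeps the connection open would need a framing rule (a newline, a length prefix) to know when the reply is complete.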

Level 15 → Level 16

Level description:

Submit the current level's password to port 30001 on localhost using SSL encryption to retrieve the password for the next level.

Helpful note: getting "HEARTBEATING" and "Read R BLOCK"? Use -ign_eof and read the "CONNECTED COMMANDS" section in the man page. Next to 'R' and 'Q', the 'B' command also works in this version of that command...


Solution:

# The hint points to the openssl command; look up how it is used.
bandit15@bandit:~$ openssl s_client -connect localhost:30001
CONNECTED(00000003)
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
---
Certificate chain
 0 s:/CN=localhost
   i:/CN=localhost
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICBjCCAW+gAwIBAgIEfftLGTANBgkqhkiG9w0BAQUFADAUMRIwEAYDVQQDDAls
b2NhbGhvc3QwHhcNMjEwNDEzMDgzODA3WhcNMjIwNDEzMDgzODA3WjAUMRIwEAYD
VQQDDAlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMLfXBVa
jVKDHlA3U+S0hBMJMJlfue3xKECpmx1Ajp4/khUuWwvPB7+wLjqasBO2WfFYJzcq
z9t7FfAPIlYjgvOTQs5X4vQ1aGzanvnNn+1VknpOnFAJQBSFq6ZD3ipWrhwm9XZq
8CgFhTGp9IPthZp8Y0B7OgobhlMtXD/zLaTbAgMBAAGjZTBjMBQGA1UdEQQNMAuC
CWxvY2FsaG9zdDBLBglghkgBhvhCAQ0EPhY8QXV0b21hdGljYWxseSBnZW5lcmF0
ZWQgYnkgTmNhdC4gU2VlIGh0dHBzOi8vbm1hcC5vcmcvbmNhdC8uMA0GCSqGSIb3
DQEBBQUAA4GBAMFH9rsZovwnb5k71/MpyCnXEwGlIhixUu6qfi1kiFvhJ6lJCvaO
weOYxV4oJy1OEB0LSEAQOnSPfzC8dDasijFcdVhuIGGPuQ2GZ05nCiiIZUNnrMRB
0z2RuRxgxMVjOvcSIJyvwyjVH4jY4I434fMyldePLxO1POLd1cxoKNTO
-----END CERTIFICATE-----
subject=/CN=localhost
issuer=/CN=localhost
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1019 bytes and written 269 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 34F0BDBF3693D10396A60B5DED939CCB5F98EC1308E2A9674C321D24F55CE870
    Session-ID-ctx: 
    Master-Key: 5224505911B4AF9F76F374F8029E321A8BAA0089B3899D119BF468D8DAD727E98B394F0638372F76C6E84AA105DEE373
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - f2 5b 83 7e f0 ca 58 ca-aa f3 8f 83 b9 65 d5 23   .[.~..X......e.#
    0010 - e0 fd 2b 64 15 08 58 d4-6e 6b 05 c5 1d a2 32 cc   ..+d..X.nk....2.
    0020 - 90 68 ee ac f3 e3 f9 f2-e7 23 fc ec e6 99 61 36   .h.......#....a6
    0030 - 97 71 79 08 d0 06 d3 9e-50 46 19 d1 ac 28 fc 10   .qy.....PF...(..
    0040 - af fb 1a 86 60 39 27 a9-8d 9f d1 27 9f 9a ca 5d   ....`9'....'...]
    0050 - cf 0a 8a fa 50 9a 79 80-08 00 c6 c6 9d ed b6 88   ....P.y.........
    0060 - dc 5a d9 e6 2f 80 16 25-23 c4 ca 38 c4 ff 18 56   .Z../..%#..8...V
    0070 - cb db dc 11 db 5a d1 be-d2 28 b5 26 eb a5 5c b9   .....Z...(.&..\.
    0080 - 71 d5 e8 49 99 d6 26 c1-8a 25 b0 36 c2 95 14 5f   q..I..&..%.6..._
    0090 - cd 38 c9 41 56 ce 5a 41-ea 3b 1c 38 f7 a2 8d b0   .8.AV.ZA.;.8....

    Start Time: 1623844041
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: yes
---
BfMYroe26WYalil77FoDi9qh59eK5xNr
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd

closed
bandit15@bandit:~$ 

Level 16 → Level 17

Level description:

The credentials for the next level can be retrieved by submitting the current level's password to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which do not. Only 1 server will give the next credentials; the others will simply send back whatever you send to them.

Solution:

# This level is a bit more roundabout. The approach: first scan the port range with nmap to see which ports have SSL enabled, then talk to them with openssl;
following the clues, use the previous level's method to obtain the credentials

bandit16@bandit:~$ nmap -sV -A -p 31000-32000 localhost
Starting Nmap 7.40 ( https://nmap.org ) at 2021-06-17 05:01 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00049s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE     VERSION
31046/tcp open  echo
31518/tcp open  ssl/echo
| ssl-cert: Subject: commonName=localhost
| Subject Alternative Name: DNS:localhost
| Not valid before: 2021-04-13T08:39:02
|_Not valid after:  2022-04-13T08:39:02
|_ssl-date: TLS randomness does not represent time
31691/tcp open  echo
31790/tcp open  ssl/unknown
| fingerprint-strings: 
|   FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SIPOptions, SSLSessionReq, TLSSessionReq: 
|_    Wrong! Please enter the correct current password
| ssl-cert: Subject: commonName=localhost
| Subject Alternative Name: DNS:localhost
| Not valid before: 2021-06-14T19:39:02
|_Not valid after:  2022-06-14T19:39:02
|_ssl-date: TLS randomness does not represent time
31960/tcp open  echo
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port31790-TCP:V=7.40%T=SSL%I=7%D=6/17%Time=60CABB10%P=x86_64-pc-linux-g
SF:nu%r(GenericLines,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20cu
SF:rrent\x20password\n")%r(GetRequest,31,"Wrong!\x20Please\x20enter\x20the
SF:\x20correct\x20current\x20password\n")%r(HTTPOptions,31,"Wrong!\x20Plea
SF:se\x20enter\x20the\x20correct\x20current\x20password\n")%r(RTSPRequest,
SF:31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20current\x20password\
SF:n")%r(Help,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20current\x
SF:20password\n")%r(SSLSessionReq,31,"Wrong!\x20Please\x20enter\x20the\x20
SF:correct\x20current\x20password\n")%r(TLSSessionReq,31,"Wrong!\x20Please
SF:\x20enter\x20the\x20correct\x20current\x20password\n")%r(Kerberos,31,"W
SF:rong!\x20Please\x20enter\x20the\x20correct\x20current\x20password\n")%r
SF:(FourOhFourRequest,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20c
SF:urrent\x20password\n")%r(LPDString,31,"Wrong!\x20Please\x20enter\x20the
SF:\x20correct\x20current\x20password\n")%r(LDAPSearchReq,31,"Wrong!\x20Pl
SF:ease\x20enter\x20the\x20correct\x20current\x20password\n")%r(SIPOptions
SF:,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20current\x20password
SF:\n");
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 88.44 seconds
bandit16@bandit:~$ 
bandit16@bandit:~$ 
bandit16@bandit:~$ openssl s_client -connect localhost:31518

---
cluFn7wTiGryunymYOu4RcffSxQluehd
cluFn7wTiGryunymYOu4RcffSxQluehd
^C
bandit16@bandit:~$ openssl s_client -connect localhost:31790
CONNECTED(00000003)
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
---
Certificate chain
 0 s:/CN=localhost
   i:/CN=localhost
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICBjCCAW+gAwIBAgIESK0prjANBgkqhkiG9w0BAQUFADAUMRIwEAYDVQQDDAls
b2NhbGhvc3QwHhcNMjEwNjE0MTkzOTAyWhcNMjIwNjE0MTkzOTAyWjAUMRIwEAYD
VQQDDAlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL3AJi7+
mhQwXXHZweajk45kDauQ8gItcbmfbmCE8dvjBuzjFho+nN9OZ/5xPHjNy+15d+Kr
iv+p1DPsjtPdDP5LNhShGBJIdj+h1DanaQbZnILW64fmbZPQzsvf1U0q3KUX/Hr5
OlZNV5eryXtPGELBddTVB4QyRo7qEdCIjf83AgMBAAGjZTBjMBQGA1UdEQQNMAuC
CWxvY2FsaG9zdDBLBglghkgBhvhCAQ0EPhY8QXV0b21hdGljYWxseSBnZW5lcmF0
ZWQgYnkgTmNhdC4gU2VlIGh0dHBzOi8vbm1hcC5vcmcvbmNhdC8uMA0GCSqGSIb3
DQEBBQUAA4GBACDBqqnOEy6516ocDng2iqNRS+mLAiaVKONccL+847NK54W4g4Wo
0PdPF4dVhkNiLGJDcrx3aY4A+u+aFAcZmDYJOFsGJMCBOdle8v9PvQ6V/y8x4TkR
JUvpO+seiTk7lj/4byRQXlHcYxMdAflrDl+m9tKeDJlYaAPO5d9P28Iv
-----END CERTIFICATE-----
subject=/CN=localhost
issuer=/CN=localhost
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1019 bytes and written 269 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: F76F2BF192BA039D7FE98C959FB5658D3F8EA09B90B3821CCBDCED0B65E562D8
    Session-ID-ctx: 
    Master-Key: F63C2DC264297170A15C251E04AEFF4B243AACE3E86A192FC19EF7F1EF76BCBE411D0F39B385054B5B0D3987D0B0AB2E
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 4d 56 29 e9 f1 5c 3e 86-5d 40 4d 5e 38 22 f0 d1   MV)..\>.]@M^8"..
    0010 - f4 89 94 b7 96 76 29 79-89 1e 31 4c 2f c9 bd 0c   .....v)y..1L/...
    0020 - 9f 7d 2f 21 6e dd 2b 8a-a3 19 d4 c5 50 9d b3 94   .}/!n.+.....P...
    0030 - 3c 40 4a 23 ec ed 85 ea-72 00 fa db e3 34 40 cd   <@J#....r....4@.
    0040 - 96 8d 92 65 7c 30 25 f9-39 55 64 70 d4 0b 9c d3   ...e|0%.9Udp....
    0050 - 6e 09 66 7b 65 a6 1b 7e-6b 85 5c e6 f9 b7 cd ac   n.f{e..~k.\.....
    0060 - 7c 10 4b 8d 9e 12 74 2a-bf cb 82 58 de 9f 85 a9   |.K...t*...X....
    0070 - 06 73 3d a0 ec 8f 9a e2-fb 12 91 7b 63 3d 15 e4   .s=........{c=..
    0080 - ac 21 fe 1f 83 65 f2 24-bf 14 35 e8 51 67 fd cb   .!...e.$..5.Qg..
    0090 - d6 7d df 3d 7a 41 ca fa-57 3f 9c 33 54 73 c6 fb   .}.=zA..W?.3Ts..

    Start Time: 1623899921
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: yes
---
cluFn7wTiGryunymYOu4RcffSxQluehd
Correct!
-----BEGIN RSA PRIVATE KEY-----
[key body omitted]
-----END RSA PRIVATE KEY-----

closed
bandit16@bandit:~$ vim a.priv
bandit16@bandit:~$ 
bandit16@bandit:~$ cd /tmp
bandit16@bandit:/tmp$ vim a.priv
bandit16@bandit:/tmp$ 
bandit16@bandit:/tmp$ 
bandit16@bandit:/tmp$ ls
ls: cannot open directory '.': Permission denied
bandit16@bandit:/tmp$ ls -l
ls: cannot open directory '.': Permission denied
bandit16@bandit:/tmp$ mkdir a
bandit16@bandit:/tmp$ cd a
bandit16@bandit:/tmp/a$ vim a.priv
bandit16@bandit:/tmp/a$ 
bandit16@bandit:/tmp/a$ 
bandit16@bandit:/tmp/a$ ssh -i a.priv bandit17@localhost
Could not create directory '/home/bandit16/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit16/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'a.priv' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "a.priv": bad permissions
bandit17@localhost's password: 
Permission denied, please try again.
bandit17@localhost's password: 

bandit16@bandit:/tmp/a$ ls -l
total 4
-rw-r--r-- 1 bandit16 root 1676 Jun 17 05:20 a.priv

bandit16@bandit:/tmp/a$ chmod 600 a.priv 
bandit16@bandit:/tmp/a$ ls -l
total 4
-rw------- 1 bandit16 root 1676 Jun 17 05:20 a.priv
bandit16@bandit:/tmp/a$ 
bandit16@bandit:/tmp/a$ ssh -i a.priv bandit17@localhost
Could not create directory '/home/bandit16/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit16/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

Linux bandit.otw.local 5.4.8 x86_64 GNU/Linux

      ,----..            ,----,          .---.
     /   /   \         ,/   .`|         /. ./|
    /   .     :      ,`   .'  :     .--'.  ' ;
   .   /   ;.  \   ;    ;     /    /__./ \ : |
  .   ;   /  ` ; .'___,/    ,' .--'.  '   \' .
  ;   |  ; \ ; | |    :     | /___/ \ |    ' '
  |   :  | ; | ' ;    |.';  ; ;   \  \;      :
  .   |  ' ' ' : `----'  |  |  \   ;  `      |
  '   ;  \; /  |     '   :  ;   .   \    .\  ;
   \   \  ',  /      |   |  '    \   \   ' \ |
    ;   :    /       '   :  |     :   '  |--"
     \   \ .'        ;   |.'       \   \ ;
  www. `---` ver     '---' he       '---" ire.org


Welcome to OverTheWire!

If you find any problems, please report them to Steven or morla on
irc.overthewire.org.

--[ Playing the games ]--

  This machine might hold several wargames.
  If you are playing "somegame", then:

    * USERNAMES are somegame0, somegame1, ...
    * Most LEVELS are stored in /somegame/.
    * PASSWORDS for each level are stored in /etc/somegame_pass/.

  Write-access to homedirectories is disabled. It is advised to create a
  working directory with a hard-to-guess name in /tmp/.  You can use the
  command "mktemp -d" in order to generate a random and hard to guess
  directory in /tmp/.  Read-access to both /tmp/ and /proc/ is disabled
  so that users can not snoop on eachother. Files and directories with
  easily guessable or short names will be periodically deleted!

  Please play nice:

    * don't leave orphan processes running
    * don't leave exploit-files laying around
    * don't annoy other players
    * don't post passwords or spoilers
    * again, DONT POST SPOILERS!
      This includes writeups of your solution on your blog or website!

--[ Tips ]--

  This machine has a 64bit processor and many security-features enabled
  by default, although ASLR has been switched off.  The following
  compiler flags might be interesting:

    -m32                    compile for 32bit
    -fno-stack-protector    disable ProPolice
    -Wl,-z,norelro          disable relro

  In addition, the execstack tool can be used to flag the stack as
  executable on ELF binaries.

  Finally, network-access is limited for most levels by a local
  firewall.

--[ Tools ]--

 For your convenience we have installed a few usefull tools which you can find
 in the following locations:

    * gef (https://github.com/hugsy/gef) in /usr/local/gef/
    * pwndbg (https://github.com/pwndbg/pwndbg) in /usr/local/pwndbg/
    * peda (https://github.com/longld/peda.git) in /usr/local/peda/
    * gdbinit (https://github.com/gdbinit/Gdbinit) in /usr/local/gdbinit/
    * pwntools (https://github.com/Gallopsled/pwntools)
    * radare2 (http://www.radare.org/)
    * checksec.sh (http://www.trapkit.de/tools/checksec.html) in /usr/local/bin/checksec.sh

--[ More information ]--

  For more information regarding individual wargames, visit
  http://www.overthewire.org/wargames/

  For support, questions or comments, contact us through IRC on
  irc.overthewire.org #wargames.

  Enjoy your stay!

bandit17@bandit:~$ 

bandit17@bandit:~$ cat /etc/bandit_pass/bandit17 
xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn
bandit17@bandit:~$ 
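The `UNPROTECTED PRIVATE KEY FILE` warning above comes from a fixed rule in ssh: a key file owned by the caller that has any group or other permission bits set is ignored. As an added example (not the write-up's code), a Python check that applies the same rule and the `chmod 600` fix, run on a constructed placeholder file rather than a real key.

```python
import os
import stat
import tempfile
from typing import Optional


def key_permission_problem(path: str) -> Optional[str]:
    """Apply ssh's private-key rule: a key file owned by the caller must not have any group
    or other bits set (mode & 0o077 == 0). Returns the reason ssh would refuse it, or None."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == os.getuid() and mode & 0o077:
        return f"permissions {mode:04o} are too open: {stat.filemode(st.st_mode)}"
    return None


def lock_down_key(path: str) -> int:
    """The fix applied in the session: chmod 600. Returns the resulting mode bits."""
    os.chmod(path, 0o600)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> tuple:
    """Constructed key file (placeholder text, not a real key) created with the 0644 mode
    that triggered the warning: checked, fixed, and checked again."""
    with tempfile.NamedTemporaryFile("w", suffix=".priv", delete=False) as fh:
        fh.write("-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER-NOT-A-KEY\n-----END RSA PRIVATE KEY-----\n")
        path = fh.name
    try:
        os.chmod(path, 0o644)
        before = key_permission_problem(path)
        fixed_mode = lock_down_key(path)
        after = key_permission_problem(path)
    finally:
        os.unlink(path)
    return before, fixed_mode, after


if __name__ == "__main__":
    print(demo())
```

The same rule explains the later `Permissions 0640 for '/home/bandit17/.ssh/id_rsa' are too open` line: a group-readable key is refused just like a world-readable one.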

Level 17 → Level 18

Level description:

There are 2 files in the home directory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new.

Note: if you have solved this level and see "Byebye!" when trying to log into bandit18, this is related to the next level, bandit19.


Solution:

# Nothing much to say about this level: diff the two files to find the difference
bandit17@bandit:~$ ls
passwords.new  passwords.old
bandit17@bandit:~$ 
bandit17@bandit:~$ 
bandit17@bandit:~$ diff passwords.new  passwords.old 
42c42
< kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
---
> w0Yfolrc5bwjS4qw5mq1nnQi6mF03bii
bandit17@bandit:~$ 

Level 18 → Level 19

Level description:

The password for the next level is stored in a readme file in the home directory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

However, I found that when logging into this level, a "Byebye" appears right away and the connection is dropped, which left me quite confused.

  Enjoy your stay!

Byebye !

Connection closed by foreign host.

Solution:

# From the previous level we can ssh straight into the next one and run a command that prints the readme file
bandit17@bandit:~$ ssh bandit18@localhost -t cat readme
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit17/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/home/bandit17/.ssh/id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "/home/bandit17/.ssh/id_rsa": bad permissions
bandit18@localhost's password: 
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
Connection to localhost closed.
bandit17@bandit:~$ 

Level 19 → Level 20

Level description:

To gain access to the next level, you should use the setuid binary in the home directory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass) after you have used the setuid binary.

Solution:

# First look at what is in the current directory. ls -l shows rws; what does the s mean? We need to look it up.
bandit19@bandit:~$ ll
-bash: ll: command not found
bandit19@bandit:~$ ls -l
total 8
-rwsr-x--- 1 bandit20 bandit19 7296 May  7  2020 bandit20-do
bandit19@bandit:~$ 
bandit19@bandit:~$ ./bandit20-do  cat /etc/bandit_pass/bandit20 
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
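The `s` in `-rwsr-x---` is the setuid bit: when bandit19 runs `bandit20-do`, the process takes on the file owner's (bandit20's) user id, which is why a `cat` started through it can read bandit20's password file. As an added example (not from the write-up), a Python audit helper that renders a mode the way `ls -l` does and lists setuid regular files under a directory, the same test as `find DIR -type f -perm -4000`; it runs on a constructed temporary tree.

```python
import os
import stat
import tempfile


def render_mode(mode: int) -> str:
    """The permission column `ls -l` prints for a regular file; an 's' in the owner's
    execute slot means setuid."""
    return stat.filemode(stat.S_IFREG | stat.S_IMODE(mode))


def find_setuid_files(root: str) -> list:
    """Audit helper equivalent to `find ROOT -type f -perm -4000`.
    Returns (relative path, owner uid, ls-style mode) for each setuid regular file."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append((os.path.relpath(path, root), st.st_uid, render_mode(st.st_mode)))
    return sorted(found)


def demo() -> list:
    """Constructed tree: one file with the 0o4750 mode bandit20-do has, one ordinary 0o755 file."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("suid-demo", 0o4750), ("plain-demo", 0o755)):
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\necho placeholder\n")
            os.chmod(path, mode)
        return find_setuid_files(root)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

On a real system the owner uid is the interesting column: a setuid file owned by root runs as root for whoever may execute it, so the list this produces is worth comparing against a known baseline after any package change.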


All of the commands above have been tested by me; if you have improvements, please leave me a private message.
