OverTheWire Bandit game (levels 11-20)
Bandit solutions (11-20)
Bandit Level 10 → Level 11
Level Goal
The password for the next level is stored in the file data.txt, which contains base64 encoded data
This level is very simple: all it takes is a base64 decode.

bandit10@bandit:~$ ls
data.txt
bandit10@bandit:~$ cat data.txt
VGhlIHBhc3N3b3JkIGlzIElGdWt3S0dzRlc4TU9xM0lSRnFyeEUxaHhUTkViVVBSCg==
bandit10@bandit:~$ base64 -d data.txt
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

Straight on to the next level.
Bandit Level 11 → Level 12
Level Goal
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions
The key to this level is understanding the highlighted part: this is an ancient and very simple cipher in which every letter is shifted x positions forward to give its real meaning; for example, a shifted by 13 positions stands for n, and so on.
Once that is clear, you only need to know the tr command (Linux tr command | Runoob tutorial).

bandit11@bandit:~$ ls | cat data.txt
bandit11@bandit:~$ cat data.txt
Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh
bandit11@bandit:~$ cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

Done 😋
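As an added example (not part of the original post), here is the same rotation in Python: the translation table is built from the same two sets that are passed to tr, and the shift is a parameter so any rotation, not only 13, can be applied or undone.

```python
import string

def rotate(text: str, shift: int = 13) -> str:
    """Shift A-Z and a-z by `shift` positions, wrapping around inside each
    alphabet; every other character (digits, spaces, punctuation) passes
    through unchanged. With shift=13 the table is exactly what
    tr 'A-Za-z' 'N-ZA-Mn-za-m' builds."""
    shift %= 26  # rot-(-3) is the same as rot-23, so decoding is rotate(t, -n)
    upper, lower = string.ascii_uppercase, string.ascii_lowercase
    table = str.maketrans(
        upper + lower,                                   # SET1: A-Za-z
        upper[shift:] + upper[:shift] + lower[shift:] + lower[:shift],  # SET2
    )
    return text.translate(table)
```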
Bandit Level 12 → Level 13
Level Goal
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)
This level is a real pain; I suggest just reading the writeup 😥
Let's begin! Following the hint, copy data.txt first.

bandit12@bandit:~$ pwd
/home/bandit12
bandit12@bandit:~$ mkdir /tmp/highway && cp data.txt /tmp/highway
bandit12@bandit:~$ cd /tmp/highway
bandit12@bandit:/tmp/highway$ cp data.txt /tmp/highway/mytest
bandit12@bandit:/tmp/highway$ xxd -r data.txt > mytest
bandit12@bandit:/tmp/highway$ file mytest
mytest: gzip compressed data, was "data2.bin", last modified: Thu May  7 18:14:30 2020, max compression, from Unix

A quick Google shows that gzip is used to decompress it (the command compresses as well as decompresses).
Gzip Command in Linux (tip: needs a proxy 🌏)
-d option : This option allows to decompress a file using the “gzip” command.
gzip -d mydoc.txt.gz
Because gzip expects a .gz suffix, just rename the file with mv. After decompression the suffix disappears.

bandit12@bandit:/tmp/highway$ mv mytest mytest.gz
bandit12@bandit:/tmp/highway$ gzip -d mytest.gz
bandit12@bandit:/tmp/highway$ file mytest
mytest: bzip2 compressed data, block size = 900k

The output tells us the next step needs bzip2, so let's Google again 😥
bzip2 command in Linux with Examples (tip: needs a proxy 🌏)
-d : This option is used for decompression of compressed files.
bzip2 -d input.txt.bz2
Same trick again.

bandit12@bandit:/tmp/highway$ mv mytest mytest.bz2
bandit12@bandit:/tmp/highway$ bzip2 -d mytest.bz2 && file mytest
mytest: gzip compressed data, was "data4.bin", last modified: Thu May  7 18:14:30 2020, max compression, from Unix

emmmm 🤪🤪🤪

bandit12@bandit:/tmp/highway$ mv mytest mytest.gz
bandit12@bandit:/tmp/highway$ gzip -d mytest.gz && file mytest
mytest: POSIX tar archive (GNU)

What we get is a tar archive, which we need to extract with tar.
tar command in Linux with examples (tip: needs a proxy 🌏)
-x : Extract the archive
-f : creates archive with given filename
-v : Displays Verbose Information
bandit12@bandit:/tmp/highway$ mv mytest mytest.tar
bandit12@bandit:/tmp/highway$ tar xvf mytest.tar
data5.bin
bandit12@bandit:/tmp/highway$ file *
data5.bin:  POSIX tar archive (GNU)
data.txt:   ASCII text
mytest.tar: POSIX tar archive (GNU)

What we got is yet another tar archive, so keep going.

bandit12@bandit:/tmp/highway$ mv data5.bin data5.tar
bandit12@bandit:/tmp/highway$ tar xvf data5.tar
data6.bin
bandit12@bandit:/tmp/highway$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k

Not yet 😥 keep going, keep going.

bandit12@bandit:/tmp/highway$ bzip2 -d data6.bin
bzip2: Can't guess original name for data6.bin -- using data6.bin.out
bandit12@bandit:/tmp/highway$ file data6.bin.out
data6.bin.out: POSIX tar archive (GNU)

Why isn't this over yet 😭

bandit12@bandit:/tmp/highway$ mv data6.bin.out data6.bin.out.gz
bandit12@bandit:/tmp/highway$ tar xvf data6.bin.out.gz
data8.bin
bandit12@bandit:/tmp/highway$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", last modified: Thu May  7 18:14:30 2020, max compression, from Unix

Still not over 😭😭

bandit12@bandit:/tmp/highway$ mv data8.bin data8.gz
bandit12@bandit:/tmp/highway$ gzip -d data8.gz
bandit12@bandit:/tmp/highway$ file *
data5.tar:         POSIX tar archive (GNU)
data6.bin.out.gz:  POSIX tar archive (GNU)
data8:             ASCII text

Finally reached the end 😭😭😭

bandit12@bandit:/tmp/highway$ cat data8
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

Password obtained, next level.
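Added example, not the author's code: a Python script that automates the whole level 12 procedure, reversing an xxd hexdump and then peeling gzip, bzip2 and tar layers by their magic bytes (the same signatures `file` reports) until plain text remains. The nested fixture and its "password" are constructed here in the same layer order the level walks through.

```python
import bz2, gzip, io, tarfile

def unhexdump(dump: str) -> bytes:
    """Reverse an xxd-style hexdump (what `xxd -r` does): keep only the
    hex columns between the offset and the ASCII gutter."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" in line:
            hexpart = line.split(":", 1)[1].split("  ", 1)[0]
            out += bytes.fromhex(hexpart.replace(" ", ""))
    return bytes(out)

def layer_type(data: bytes) -> str:
    """Identify the outer container by its magic bytes, as `file` does."""
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[:3] == b"BZh":
        return "bzip2"
    if data[257:262] == b"ustar":  # POSIX/GNU tar magic lives at offset 257
        return "tar"
    return "plain"

def unwrap(data: bytes, max_layers: int = 20) -> tuple:
    """Peel gzip/bzip2/tar layers until no known container remains;
    returns (payload, list of layer types peeled, outermost first)."""
    layers = []
    for _ in range(max_layers):
        kind = layer_type(data)
        if kind == "gzip":
            data = gzip.decompress(data)
        elif kind == "bzip2":
            data = bz2.decompress(data)
        elif kind == "tar":  # take the first regular member, like tar xvf did
            with tarfile.open(fileobj=io.BytesIO(data)) as tar:
                member = next(m for m in tar.getmembers() if m.isfile())
                data = tar.extractfile(member).read()
        else:
            return data, layers
        layers.append(kind)
    raise ValueError("gave up after %d layers" % max_layers)

def tar_bytes(name: str, payload: bytes) -> bytes:
    """Build a one-member tar archive in memory (fixture helper)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

# Constructed fixture mirroring the level's nesting (gzip > bzip2 > gzip >
# tar > tar > bzip2 > tar > gzip > text); the "password" is a placeholder.
SECRET = b"The password is PLACEHOLDER_NOT_A_REAL_PASSWORD\n"
NESTED = gzip.compress(bz2.compress(gzip.compress(tar_bytes("data5.bin",
    tar_bytes("data6.bin", bz2.compress(tar_bytes("data8.bin", gzip.compress(SECRET))))))))
```

In the game the input would be `unwrap(unhexdump(open("data.txt").read()))`; the same loop stops at the first layer it does not recognise, so an unexpected format surfaces as a short `plain` payload rather than a crash.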
Bandit Level 13 → Level 14
Level Goal
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on
This level introduces the existence of SSH keys, so a quick Google is enough.
The manual shows that -i specifies the private key file.

bandit13@bandit:~$ pwd
/home/bandit13
bandit13@bandit:~$ ssh bandit14@localhost -i sshkey.private
Could not create directory '/home/bandit13/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit13/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

Login succeeded.

bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

Password obtained. The next level is closely tied to this one, so let's finish it in one go.
Bandit Level 14 → Level 15
Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
Through the previous level we are now connected as user bandit14; per the hint, we just need to send the current password to port 30000. This is where netcat comes in, a tool for sending to, receiving from and listening on ports; for now it is enough to know it exists 🆗
Netcat aka nc is an extremely versatile tool. It allows users to connect to specific ports and send and receive data. It also allows machines to receive data and connections on specific ports, which makes nc a very popular tool to gain a Reverse Shell.
After you connect to a port with nc you will be able to send data, this also has the consequence of the user being able to pipe data through nc. For example one can do echo hello | nc 1234 to send the string hello to the service running on port 1234
Note: There are multiple versions of nc, so if you are unable to find an answer in your specific man page, try reading the man page for others
bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
bandit14@bandit:~$ nc localhost 30000
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr

Bandit Level 15 → Level 16
Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…
This level is about the TLS/SSL protocol. Although it resembles ssh in that both are protocols built on an encrypted tunnel, their purposes differ: SSL has been deprecated and TLS is its successor, used for transferring data, whereas ssh is for executing commands.

bandit15@bandit:~$ echo BfMYroe26WYalil77FoDi9qh59eK5xNr | openssl s_client -quiet -connect localhost:30001
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd

Password obtained.
Bandit Level 16 → Level 17
Level Goal
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
This level only requires knowing Nmap, yet I spent two days learning it in some depth for it 😥
Per the task, scan to see which ports are open; this is actually very simple.

bandit16@bandit:~$ nmap localhost -p 31000-32000

Starting Nmap 7.40 ( https://nmap.org ) at 2021-06-19 11:15 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00024s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
31046/tcp open  unknown
31518/tcp open  unknown
31691/tcp open  unknown
31790/tcp open  unknown
31960/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds

The result came out immediately: 5 ports are open. Per the task, sending the current level's password over SSL to the right port yields the next level's credentials, probably a key?
Try the first port.

bandit16@bandit:~$ echo cluFn7wTiGryunymYOu4RcffSxQluehd | openssl s_client -quiet -connect localhost:31046
140117198303296:error:141A10F4:SSL routines:ossl_statem_client_read_transition:unexpected message:../ssl/statem/statem_clnt.c:284:

Clearly not the first one; look at the next.

bandit16@bandit:~$ echo cluFn7wTiGryunymYOu4RcffSxQluehd | openssl s_client -quiet -connect localhost:31518
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
cluFn7wTiGryunymYOu4RcffSxQluehd

emmm, next one.

bandit16@bandit:~$ echo cluFn7wTiGryunymYOu4RcffSxQluehd | openssl s_client -quiet -connect localhost:31691
140168639586368:error:141A10F4:SSL routines:ossl_statem_client_read_transition:unexpected message:../ssl/statem/statem_clnt.c:284:

Still not it; on to the next.

bandit16@bandit:~$ echo cluFn7wTiGryunymYOu4RcffSxQluehd | openssl s_client -quiet -connect localhost:31790
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
Correct!
-----BEGIN RSA PRIVATE KEY-----
(private key body omitted)
-----END RSA PRIVATE KEY-----

Think we're into the next level? Not yet; it isn't that simple.
First, saving the private key file already ran into a problem, though not a hard one: bandit only gives us permission to create files under the tmp directory, and after creating the file we still need to grant it read/write permissions with chmod.

bandit16@bandit:~$ cd /tmp
bandit16@bandit:/tmp$ touch sshkey.private
bandit16@bandit:/tmp$ chmod 755 sshkey.private
bandit16@bandit:/tmp$ file sshkey.private
sshkey.private: PEM RSA private key
bandit16@bandit:/tmp$ vim sshkey.private

Paste the private key in and save.
Now let's connect!

bandit16@bandit:/tmp$ ssh bandit17@localhost -i sshkey.private
Could not create directory '/home/bandit16/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': yes
Failed to add the host to the list of known hosts (/home/bandit16/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0755 for 'sshkey.private' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "sshkey.private": bad permissions
bandit17@localhost's password:
[3]+  Stopped                 ssh bandit17@localhost -i sshkey.private

Looks like a small problem 🙃. The final message says the file has bad permissions, which brings us to the permissions RSA keys require; a quick Google gives the following explanation:
ssh directory permissions should be 700 (drwx------).
The public key (.pub file) should be 644 (-rw-r--r--).
The private key (id_rsa) on the client host, and the authorized_keys file on the server, should be 600 (-rw-------)
Of course these values are not the only valid ones; the point is security: for example, only you have rw on the private key and nobody else has any access, while others get only r on the public key. Here either 700 or 400 works.

bandit16@bandit:/tmp$ chmod 700 sshkey.private
bandit16@bandit:/tmp$ ssh bandit17@localhost -i sshkey.private

Login succeeded; on to the next level.
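Added example (not from the original post): the check OpenSSH applies to a private key file you own, written in Python and run over the modes discussed above against a constructed placeholder key file.

```python
import os
import stat
import tempfile

def private_key_problem(path: str) -> str:
    """The rule OpenSSH applies to a private key file you own: group and
    others must have no bits at all (mode & 077 == 0), otherwise the key is
    ignored with the 'bad permissions' error seen above. Returns an empty
    string when the file is acceptable, else a description of the problem."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return "Permissions %04o for '%s' are too open" % (mode, path)
    if not mode & stat.S_IRUSR:
        return "'%s' is not readable by its owner" % path
    return ""

def demo() -> dict:
    """Constructed fixture: a placeholder key file tried with the modes the
    level discusses (0755 and 0644 fail, 0700/0600/0400 all pass)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        key = os.path.join(tmp, "sshkey.private")
        with open(key, "w") as fh:  # not a real key, just PEM-looking text
            fh.write("-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n"
                     "-----END RSA PRIVATE KEY-----\n")
        for mode in (0o755, 0o644, 0o700, 0o600, 0o400):
            os.chmod(key, mode)
            results["%04o" % mode] = private_key_problem(key)
    return results
```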
Bandit Level 17 → Level 18
Level Goal
There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new
NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19
For this level a basic understanding of diff is enough.
diff command in Linux with examples (tip: needs a proxy 🌏)

bandit17@bandit:~$ ls -l
total 8
-rw-r----- 1 bandit18 bandit17 3300 May  7  2020 passwords.new
-rw-r----- 1 bandit18 bandit17 3300 May  7  2020 passwords.old
bandit17@bandit:~$ diff -c passwords.new passwords.old
*** passwords.new	2020-05-07 20:14:35.528729706 +0200
--- passwords.old	2020-05-07 20:14:35.376729786 +0200
***************
*** 39,45 ****
  sydIUj42mUfYK9xw1S9aPPB72rgagnxh
  pcpkwztEjxg5EK0HABjmEvGUSCSdQW4F
  LlomcOUT6d7lA2cJrYhCEhCChKCPrRao
! kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
  TVzFbgWpqUPE4fwAJPCz4rT7GemAZUjz
  WCETP1i90TZJSbKZ24ly5rhNKva8sSdy
  2o4oJXwgWyWIdKb9WpNDFUcWXlcghSzR
--- 39,45 ----
  sydIUj42mUfYK9xw1S9aPPB72rgagnxh
  pcpkwztEjxg5EK0HABjmEvGUSCSdQW4F
  LlomcOUT6d7lA2cJrYhCEhCChKCPrRao
! w0Yfolrc5bwjS4qw5mq1nnQi6mF03bii
  TVzFbgWpqUPE4fwAJPCz4rT7GemAZUjz
  WCETP1i90TZJSbKZ24ly5rhNKva8sSdy
  2o4oJXwgWyWIdKb9WpNDFUcWXlcghSzR

According to the task the password is in passwords.new, so the line is obvious. Logging into the next level, however, ran into a bit of trouble.
Bandit Level 18 → Level 19
Level Goal
The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
This level needs the -t option. The manual says it lets you run an arbitrary terminal program on the remote host; per the hint, some peculiar configuration logs us out when we log in over ssh.
That means we are actually logged out only after the login has succeeded.

highway@ubuntu:~/Desktop$ ssh bandit18@bandit.labs.overthewire.org -p 2220 -t cat readme
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit18@bandit.labs.overthewire.org's password:
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
Connection to bandit.labs.overthewire.org closed.

Next level.
Bandit Level 19 → Level 20
Level Goal
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.
This level is a brief introduction to one kind of Linux file type.

bandit19@bandit:~$ ls -l
total 8
-rwsr-x--- 1 bandit20 bandit19 7296 May  7  2020 bandit20-do
bandit19@bandit:~$ file bandit20-do
bandit20-do: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=8e941f24b8c5cd0af67b22b724c57e1ab92a92a1, not stripped

We can see this is a setuid binary. So what is setuid? It is usually mentioned together with setgid; both are permission bits that can be set on a file. Note that they take effect on executables but not on scripts. Simply put, when an executable has its setuid or setgid attribute set, any user allowed to run it executes it as if they were the owner.
When set on an executable file
When the setuid or setgid attributes are set on an executable file, then any users able to execute the file will automatically execute the file with the privileges of the file’s owner (commonly root) and/or the file’s group, depending upon the flags set.[2] This allows the system designer to permit trusted programs to be run which a user would otherwise not be allowed to execute. These may not always be obvious. For example, the ping command may need access to networking privileges that a normal user cannot access; therefore it may be given the setuid flag to ensure that a user who needs to ping another system can do so, even if their own account does not have the required privilege for sending packets.
For security purposes, the invoking user is usually prohibited by the system from altering the new process in any way, such as by using ptrace, LD_LIBRARY_PATH or sending signals to it, to exploit the raised privilege, although signals from the terminal will still be accepted.
The setuid and setgid bits are normally set with the command chmod by setting the high-order octal digit to 4 for setuid or 2 for setgid. “chmod 6711 file” will set both the setuid and setgid bits (4+2=6), making the file read/write/executable for the owner (7), and executable by the group (first 1) and others (second 1). When a user other than the owner executes the file, the process will run with user and group permissions set upon it by its owner. For example, if the file is owned by user root and group wheel, it will run as root:wheel no matter who executes the file.
Most implementations of the chmod command also support finer-grained, symbolic arguments to set these bits. The preferably finer-grained mode is shown in the demonstration below as the “chmod ug+s”
As the task suggests, run it without arguments.

bandit19@bandit:~$ ./bandit20-do
Run a command as another user.
  Example: ./bandit20-do id

Following the hint, run the Example.

bandit19@bandit:~$ ./bandit20-do id
uid=11019(bandit19) gid=11019(bandit19) euid=11020(bandit20) groups=11019(bandit19)

A few more tries to confirm.

bandit19@bandit:~$ ./bandit20-do ls
bandit20-do

Confirmed: it runs a command with bandit20's privileges.

bandit19@bandit:~$ ./bandit20-do ls /etc/bandit_pass
bandit0   bandit13  bandit18  bandit22  bandit27  bandit31  bandit6
bandit1   bandit14  bandit19  bandit23  bandit28  bandit32  bandit7
bandit10  bandit15  bandit2   bandit24  bandit29  bandit33  bandit8
bandit11  bandit16  bandit20  bandit25  bandit3   bandit4   bandit9
bandit12  bandit17  bandit21  bandit26  bandit30  bandit5
bandit19@bandit:~$ ./bandit20-do file /etc/bandit_pass/bandit20
/etc/bandit_pass/bandit20: ASCII text
bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j

Password obtained.
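An added example, not part of the original post: an administrator's inventory of setuid/setgid files in Python, plus a breakdown of an octal chmod argument such as the 6711 quoted above; the fixture directory and its "bandit20-do" file are constructed here and are not the game's binary.

```python
import os
import stat
import tempfile

def find_setuid(root: str) -> list:
    """Walk `root` and list every regular file with the setuid or setgid bit
    set, as (path, owner uid, ls-style mode string), sorted by path. This is
    the inventory an administrator keeps so unexpected entries stand out."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow symlinks while auditing
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append((path, st.st_uid, stat.filemode(st.st_mode)))
    return sorted(found)

def explain_octal(octal: str) -> dict:
    """Break a chmod argument such as '6711' into the bits it sets: the
    high-order digit carries setuid (4), setgid (2) and sticky (1)."""
    value = int(octal, 8)
    return {
        "setuid": bool(value & stat.S_ISUID),
        "setgid": bool(value & stat.S_ISGID),
        "sticky": bool(value & stat.S_ISVTX),
        "rwx": stat.filemode(value)[1:],  # drop the file-type column
    }

def demo() -> list:
    """Constructed fixture: a 'bandit20-do' look-alike with mode 4750
    (-rwsr-x---, as in the level) next to an ordinary 755 script."""
    with tempfile.TemporaryDirectory() as tmp:
        suid = os.path.join(tmp, "bandit20-do")
        plain = os.path.join(tmp, "ordinary")
        for p in (suid, plain):
            with open(p, "w") as fh:
                fh.write("#!/bin/sh\nid\n")
        os.chmod(suid, 0o4750)
        os.chmod(plain, 0o755)
        return [(os.path.basename(p), uid, m) for p, uid, m in find_setuid(tmp)]
```

Only the file with the s bit is reported; the setuid bit on a script is listed too, because the audit is about what is set, even though the kernel ignores it at execution time, as the text above notes.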