bandit solution(11-20)

Bandit Level 10 → Level 11

Level Goal

The password for the next level is stored in the file data.txt, which contains base64 encoded data

這一題非常的簡(jiǎn)單只需要簡(jiǎn)單的使用base64解碼即可

andit10@bandit:~$ ls data.txt bandit10@bandit:~$ cat data.txt VGhlIHBhc3N3b3JkIGlzIElGdWt3S0dzRlc4TU9xM0lSRnFyeEUxaHhUTkViVVBSCg== bandit10@bandit:~$ base64 -d data.txt The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

直接下一關(guān)

Bandit Level 11 → Level 12

Level Goal

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions

這題的關(guān)鍵是理解劃出部分，這是一種遠(yuǎn)古且又簡(jiǎn)單的加密方式，就是每個(gè)字母往后推x位就是真正的含義，比如a往后推13位代表的就是n依此類推。

明確了這一點(diǎn)之后只需要了解tr指令即可Linux tr命令 | 菜鳥(niǎo)教程

bandit11@bandit:~$ ls | cat data.txt bandit11@bandit:~$ cat data.txt Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh bandit11@bandit:~$ cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m' The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

搞定😋

Bandit Level 12 → Level 13

Level Goal

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)

這一關(guān)非常非常的麻煩，建議直接看wp😥

開(kāi)始吧！根據(jù)提示copy了一份data.txt

bandit12@bandit:~$ pwd /home/bandit12 bandit12@bandit:~$ mkdir /tmp/highway && cp data.txt /tmp/highway bandit12@bandit:~$ cd /tmp/highway bandit12@bandit:/tmp/highway$ cp data.txt /tmp/highway/mytest andit12@bandit:/tmp/highway$ xxd -r data.txt > mytest bandit12@bandit:/tmp/highway$ file mytest mytest: gzip compressed data, was "data2.bin", last modified: Thu May 7 18:14:30 2020, max compression, from Unix

經(jīng)過(guò)簡(jiǎn)單Google了解到要用gzip來(lái)解壓（該指令不單單是解壓還能進(jìn)行壓縮）

Gzip Command in Linux tips:需要代理🌏

-d option : This option allows to decompress a file using the “gzip” command.
gzip -d mydoc.txt.gz

因?yàn)?gzip 需要一個(gè) .gz 作為后綴名所以用 mv 改一下名字就行了。解壓后后綴就會(huì)消失

andit12@bandit:/tmp/highway$ mv mytest mytest.gz bandit12@bandit:/tmp/highway$ gzip -d mytest.gz bandit12@bandit:/tmp/highway$ file mytest mytest: bzip2 compressed data, block size = 900k

根據(jù)提示下一步需要用到 bzip2 那么我們繼續(xù)Google一下咯😥

bzip2 command in Linux with Examples tips:需要代理🌏

-d : This option is used for decompression of compressed files.

bzip2 -d input.txt.bz2

故技重施

bandit12@bandit:/tmp/highway$ mv mytest mytest.bz2 bandit12@bandit:/tmp/highway$ bzip2 -d mytest.bz2 && file mytest mytest: gzip compressed data, was "data4.bin", last modified: Thu May 7 18:14:30 2020, max compression, from Unix

emmmm🤪🤪🤪

bandit12@bandit:/tmp/highway$ mv mytest mytest.gz bandit12@bandit:/tmp/highway$ gzip -d mytest.gz && file mytest mytest: POSIX tar archive (GNU)

得到是一個(gè)tar壓縮目錄，我們需要用tar來(lái)解壓縮

tar command in Linux with examples tips:需要代理🌏

-x : Extract the archive

-f : creates archive with given filename

-v : Displays Verbose Information

bandit12@bandit:/tmp/highway$ mv mytest mytest.tar bandit12@bandit:/tmp/highway$ tar xvf mytest.tar data5.bin bandit12@bandit:/tmp/highway$ file * data5.bin: POSIX tar archive (GNU) data.txt: ASCII text mytest.tar: POSIX tar archive (GNU)

得到的還是一個(gè)tar壓縮目錄，那么繼續(xù)吧

bandit12@bandit:/tmp/highway$ mv data5.bin data5.tar bandit12@bandit:/tmp/highway$ tar xvf data5.tar data6.bin bandit12@bandit:/tmp/highway$ file data6.bin data6.bin: bzip2 compressed data, block size = 900k

馬達(dá)馬達(dá)😥繼續(xù)繼續(xù)

bandit12@bandit:/tmp/highway$ bzip2 -d data6.bin bzip2: Can't guess original name for data6.bin -- using data6.bin.out bandit12@bandit:/tmp/highway$ file data6.bin.out data6.bin.out: POSIX tar archive (GNU)

怎么還沒(méi)結(jié)束啊😭

bandit12@bandit:/tmp/highway$ mv data6.bin.out data6.bin.out.gz bandit12@bandit:/tmp/highway$ tar xvf data6.bin.out.gz data8.bin bandit12@bandit:/tmp/highway$ file data8.bin data8.bin: gzip compressed data, was "data9.bin", last modified: Thu May 7 18:14:30 2020, max compression, from Unix

怎么還沒(méi)結(jié)束啊😭😭

bandit12@bandit:/tmp/highway$ mv data8.bin data8.gz bandit12@bandit:/tmp/highway$ gzip -d data8.gz bandit12@bandit:/tmp/highway$ file * data5.tar: POSIX tar archive (GNU) data6.bin.out.gz: POSIX tar archive (GNU) data8: ASCII text

總算帶頭了😭😭😭

bandit12@bandit:/tmp/highway$ cat data8 The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

密碼到手，下一關(guān)

Bandit Level 13 → Level 14

Level Goal

The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on

這一關(guān)是讓你了解ssh key的存在。所以只要稍微Google一下即可

通過(guò)查看手冊(cè)得知 -i 指明私鑰文件

bandit13@bandit:~$ pwd /home/bandit13 bandit13@bandit:~$ ssh bandit14@localhost -i sshkey.private Could not create directory '/home/bandit13/.ssh'. The authenticity of host 'localhost (127.0.0.1)' can't be established. ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc. Are you sure you want to continue connecting (yes/no)? yes Failed to add the host to the list of known hosts (/home/bandit13/.ssh/known_hosts). This is a OverTheWire game server. More information on http://www.overthewire.org/wargames 登錄成功 bandit14@bandit:~$ cat /etc/bandit_pass/bandit14 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

密碼到手，下一關(guān)和這一關(guān)聯(lián)系很大，一鼓作氣解決掉吧

Bandit Level 14 → Level 15

Level Goal

The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

通過(guò)上一關(guān)連接到了bandit14用戶，根據(jù)提示需要把當(dāng)前密碼發(fā)送給30000端口即可。這里需要介紹一個(gè)對(duì)于端口發(fā)送接收監(jiān)聽(tīng)與一聽(tīng)的工具netcat這里只需簡(jiǎn)單知道存在就🆗了

Netcat aka nc is an extremely versatile tool. It allows users to connect to specific ports and send and receive data. It also allows machines to receive data and connections on specific ports, which makes nc a very popular tool to gain a Reverse Shell.

After you connect to a port with nc you will be able to send data, this also has the consequence of the user being able to pipe data through nc. For example one can doecho hello | nc 1234 to send the string hello to the service running on port 1234

Note: There are multiple versions of nc, so if you are unable to find an answer in your specific man page, try reading the man page for others

bandit14@bandit:~$ cat /etc/bandit_pass/bandit14 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e bandit14@bandit:~$ nc localhost 30000 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e Correct! BfMYroe26WYalil77FoDi9qh59eK5xNr

Bandit Level 15 → Level 16

Level Goal

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…

這一題是讓你了解 TLS/SSL 協(xié)議的，雖然跟 ssh 很像都是基于加密通信隧道的協(xié)議但他們用途不同， SSL 是已被棄用 TLS 的繼承者用于數(shù)據(jù)傳輸，而 ssh 則是執(zhí)行命令的

bandit15@bandit:~$ echo BfMYroe26WYalil77FoDi9qh59eK5xNr | openssl s_client -quiet -connect localhost:30001 depth=0 CN = localhost verify error:num=18:self signed certificate verify return:1 depth=0 CN = localhost verify return:1 Correct! cluFn7wTiGryunymYOu4RcffSxQluehd

密碼到手

Bandit Level 16 → Level 17

Level Goal

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

這一題就是需要知道Nmap即可，為了這個(gè)我卻去花了2天時(shí)間稍微深入的學(xué)習(xí)😥

根據(jù)要求掃描看看哪個(gè)端口是開(kāi)放的其實(shí)非常的簡(jiǎn)單

bandit16@bandit:~$ nmap localhost -p 31000-32000Starting Nmap 7.40 ( https://nmap.org ) at 2021-06-19 11:15 CEST Nmap scan report for localhost (127.0.0.1) Host is up (0.00024s latency). Not shown: 996 closed ports PORT STATE SERVICE 31046/tcp open unknown 31518/tcp open unknown 31691/tcp open unknown 31790/tcp open unknown 31960/tcp open unknownNmap done: 1 IP address (1 host up) scanned in 0.09 seconds

一下子就出結(jié)果了，發(fā)現(xiàn)有5個(gè)端口是打開(kāi)的。根據(jù)題意，只要把當(dāng)前關(guān)卡的密碼通過(guò)SSL發(fā)送給正確的端口就能得到下一關(guān)的憑證可能是個(gè)密鑰吧？

試試第一個(gè)端口

bandit16@bandit:~$ echo cluFn7wTiGryunymYOu4RcffSxQluehd | openssl s_client -quiet -connect localhost:31046 140117198303296:error:141A10F4:SSL routines:ossl_statem_client_read_transition:unexpected message:../ssl/statem/statem_clnt.c:284:

很明顯第一個(gè)不是看看下一個(gè)

bandit16@bandit:~$ echo cluFn7wTiGryunymYOu4RcffSxQluehd | openssl s_client -quiet -connect localhost:31518 depth=0 CN = localhost verify error:num=18:self signed certificate verify return:1 depth=0 CN = localhost verify return:1 cluFn7wTiGryunymYOu4RcffSxQluehd

emmm下一個(gè)

bandit16@bandit:~$ echo cluFn7wTiGryunymYOu4RcffSxQluehd | openssl s_client -quiet -connect localhost:31691 140168639586368:error:141A10F4:SSL routines:ossl_statem_client_read_transition:unexpected message:../ssl/statem/statem_clnt.c:284:

還是不行那再看看下一個(gè)

bandit16@bandit:~$ echo cluFn7wTiGryunymYOu4RcffSxQluehd | openssl s_client -quiet -connect localhost:31790 depth=0 CN = localhost verify error:num=18:self signed certificate verify return:1 depth=0 CN = localhost verify return:1 Correct! -----BEGIN RSA PRIVATE KEY----- MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama +TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT 8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM 77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3 vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY= -----END RSA PRIVATE KEY-----

你以為進(jìn)入下一關(guān)了嘛？并沒(méi)有哦事情沒(méi)有想的這么簡(jiǎn)單。

首先我們?cè)诒４嫠借€文件就遇到了一個(gè)問(wèn)題，不過(guò)問(wèn)題不難因?yàn)?strong>bandit只允許我們?cè)?strong>tmp目錄下有創(chuàng)建文件的權(quán)限，創(chuàng)建后我們還需要賦予chmod讀寫權(quán)限

bandit16@bandit:~$ cd /tmp bandit16@bandit:/tmp$ touch sshkey.private bandit16@bandit:/tmp$ chmod 755 sshkey.private bandit16@bandit:/tmp$ file sshkey.private sshkey.private: PEM RSA private key bandit16@bandit:/tmp$ vim sshkey.private

將私鑰復(fù)制并保存即可。

快點(diǎn)連接吧

bandit16@bandit:/tmp$ ssh bandit17@localhost -i sshkey.private Could not create directory '/home/bandit16/.ssh'. The authenticity of host 'localhost (127.0.0.1)' can't be established. ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc. Are you sure you want to continue connecting (yes/no)? y Please type 'yes' or 'no': yes Failed to add the host to the list of known hosts (/home/bandit16/.ssh/known_hosts). This is a OverTheWire game server. More information on http://www.overthewire.org/wargames@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: UNPROTECTED PRIVATE KEY FILE! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ Permissions 0755 for 'sshkey.private' are too open. It is required that your private key files are NOT accessible by others. This private key will be ignored. Load key "sshkey.private": bad permissions bandit17@localhost's password: [3]+ Stopped ssh bandit17@localhost -i sshkey.private

好像出了點(diǎn)小問(wèn)題🙃根據(jù)最后的提示說(shuō)這個(gè)文件是bad permissions這就涉及到RSA keys的權(quán)限問(wèn)題了，Google了一下給出如下解釋

ssh directory permissions should be 700 (drwx------).

The public key (. pub file) should be 644 (-rw-r–r--).

The private key (id_rsa) on the client host, and the authorized_keys file on the server, should be 600 (-rw-------)

當(dāng)然其實(shí)并不唯一，其本質(zhì)就是安全，例如私鑰只有自己有rw權(quán)限，其他人無(wú)權(quán)限。公鑰其他人只給了r權(quán)限。在這里我給700或者400都是可以的

bandit16@bandit:/tmp$ chmod 700 sshkey.private bandit16@bandit:/tmp$ ssh bandit17@localhost -i sshkey.private

登錄成功進(jìn)入下一關(guān)

Bandit Level 17 → Level 18

Level Goal

There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new

NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19

這一關(guān)簡(jiǎn)單的了解 diff 即可

diff command in Linux with examples tips:需要代理🌏

bandit17@bandit:~$ ls -l total 8 -rw-r----- 1 bandit18 bandit17 3300 May 7 2020 passwords.new -rw-r----- 1 bandit18 bandit17 3300 May 7 2020 passwords.oldbandit17@bandit:~$ diff -c passwords.new passwords.old *** passwords.new 2020-05-07 20:14:35.528729706 +0200 --- passwords.old 2020-05-07 20:14:35.376729786 +0200 *************** *** 39,45 ****sydIUj42mUfYK9xw1S9aPPB72rgagnxhpcpkwztEjxg5EK0HABjmEvGUSCSdQW4FLlomcOUT6d7lA2cJrYhCEhCChKCPrRao ! kfBf3eYk5BPBRzwjqutbbfE887SVc5YdTVzFbgWpqUPE4fwAJPCz4rT7GemAZUjzWCETP1i90TZJSbKZ24ly5rhNKva8sSdy2o4oJXwgWyWIdKb9WpNDFUcWXlcghSzR --- 39,45 ----sydIUj42mUfYK9xw1S9aPPB72rgagnxhpcpkwztEjxg5EK0HABjmEvGUSCSdQW4FLlomcOUT6d7lA2cJrYhCEhCChKCPrRao ! w0Yfolrc5bwjS4qw5mq1nnQi6mF03biiTVzFbgWpqUPE4fwAJPCz4rT7GemAZUjzWCETP1i90TZJSbKZ24ly5rhNKva8sSdy2o4oJXwgWyWIdKb9WpNDFUcWXlcghSzR

根據(jù)題目提示密碼在passwords.new里，那么密碼顯而易見(jiàn)了。但是下一關(guān)的登錄卻遇到了一點(diǎn)麻煩?

Bandit Level 18 → Level 19

Level Goal

The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

這一關(guān)需要用到-t選項(xiàng)，查看manual得知該選項(xiàng)可以在遠(yuǎn)程主機(jī)上執(zhí)行任意終端程序，而根據(jù)提示，因?yàn)橐恍┢嫣氐呐渲梦覀冊(cè)谟胹sh登錄時(shí)會(huì)被登出。

這意味著我們其實(shí)是登陸后才被登出了。

highway@ubuntu:~/Desktop$ ssh bandit18@bandit.labs.overthewire.org -p 2220 -t cat readme This is a OverTheWire game server. More information on http://www.overthewire.org/wargamesbandit18@bandit.labs.overthewire.org's password: IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x Connection to bandit.labs.overthewire.org closed.

下一關(guān)

Bandit Level 19 → Level 20

Level Goal

To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

這一關(guān)是簡(jiǎn)單介紹了一種Linux文件類型

bandit19@bandit:~$ ls -l total 8 -rwsr-x--- 1 bandit20 bandit19 7296 May 7 2020 bandit20-do bandit19@bandit:~$ file bandit20-do bandit20-do: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=8e941f24b8c5cd0af67b22b724c57e1ab92a92a1, not stripped

可以看到這是setuid程序二進(jìn)制程序，那么什么是setuid呢？setuid常常與setgid相提并論，這是一個(gè)權(quán)限設(shè)置位，可以在文件上設(shè)置。值得注意的是在可執(zhí)行文件上有效，但是對(duì)腳本無(wú)效。這里簡(jiǎn)單說(shuō)說(shuō)就是當(dāng)一個(gè)可執(zhí)行文件的setuid 或者 setgid屬性被設(shè)置了，那么允許的用戶可以像擁有者一樣運(yùn)行這個(gè)可執(zhí)行文件

When set on an executable file

When the setuid or setgid attributes are set on an executable file, then any users able to execute the file will automatically execute the file with the privileges of the file’s owner (commonly root) and/or the file’s group, depending upon the flags set.[2] This allows the system designer to permit trusted programs to be run which a user would otherwise not be allowed to execute. These may not always be obvious. For example, the ping command may need access to networking privileges that a normal user cannot access; therefore it may be given the setuid flag to ensure that a user who needs to ping another system can do so, even if their own account does not have the required privilege for sending packets.

For security purposes, the invoking user is usually prohibited by the system from altering the new process in any way, such as by using ptrace, LD_LIBRARY_PATH or sending signals to it, to exploit the raised privilege, although signals from the terminal will still be accepted.

The setuid and setgid bits are normally set with the command chmod by setting the high-order octal digit to 4 for setuid or 2 for setgid. “chmod 6711 file” will set both the setuid and setgid bits (4+2=6), making the file read/write/executable for the owner (7), and executable by the group (first 1) and others (second 1). When a user other than the owner executes the file, the process will run with user and group permissions set upon it by its owner. For example, if the file is owned by user root and group wheel, it will run as root:wheel no matter who executes the file.

Most implementations of the chmod command also support finer-grained, symbolic arguments to set these bits. The preferably finer-grained mode is shown in the demonstration below as the “chmod ug+s”

根據(jù)題目的提示不帶參數(shù)的運(yùn)行

bandit19@bandit:~$ ./bandit20-do Run a command as another user. Example: ./bandit20-do id

根據(jù)提示我們運(yùn)行一下Example

bandit19@bandit:~$ ./bandit20-do id uid=11019(bandit19) gid=11019(bandit19) euid=11020(bandit20) groups=11019(bandit19)

再試幾個(gè)就可以確實(shí)了

bandit19@bandit:~$ ./bandit20-do ls bandit20-do

可以確定是以bandit20用戶權(quán)限執(zhí)行一個(gè)命令

bandit19@bandit:~$ ./bandit20-do ls /etc/bandit_pass bandit0 bandit13 bandit18 bandit22 bandit27 bandit31 bandit6 bandit1 bandit14 bandit19 bandit23 bandit28 bandit32 bandit7 bandit10 bandit15 bandit2 bandit24 bandit29 bandit33 bandit8 bandit11 bandit16 bandit20 bandit25 bandit3 bandit4 bandit9 bandit12 bandit17 bandit21 bandit26 bandit30 bandit5 bandit19@bandit:~$ ./bandit20-do file /etc/bandit_pass/bandit20 /etc/bandit_pass/bandit20: ASCII text bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20 GbKksEFF4yrVs6il55v6gwY5aVje5f0j

密碼到手

總結(jié)

以上是生活随笔為你收集整理的OverTheWire的bandit游戏(11-20)的全部?jī)?nèi)容，希望文章能夠幫你解決所遇到的問(wèn)題。

如果覺(jué)得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。