OverTheWire is a set of wargames built by the OverTheWire community: in a fun, CTF-style game you learn security concepts through hands-on exercises.
Official site: OverTheWire
Suggested order of the games:
- Bandit
- Leviathan or Natas or Krypton
- Narnia
- Behemoth
- Utumno
- Maze
- …
Let's start with Bandit…
Challenge URL:
http://overthewire.org/wargames/bandit/
In "level #", # is the number of the current level, and the user for that level is bandit#.

```
➜ ~ ssh bandit0@bandit.labs.overthewire.org
```

level 0

```
bandit0@melinda:~$ pwd
```

Every level from here on is solved the same way: ssh into the server and retrieve the password for the next level.
That is the password for user bandit1.
level 1
We need to read a file whose name is -.
Hints:
Google Search for "dashed filename"
Advanced Bash-scripting Guide - Chapter 3 - Special Characters

```
bandit1@melinda:~$ ls
```
level 2
We need to read a file whose name contains spaces.
Tab completion takes care of it.
Hint:
Google Search for "spaces in filename"

```
bandit2@melinda:~$ ls
```
level 3
Read a hidden file.

```
bandit3@melinda:~$ ls
```
level 4
The password for the next level is stored in the only human-readable file in the inhere directory.
Tip: if your terminal is messed up, try the "reset" command.

```
bandit4@melinda:~/inhere$ cat ./-file00
koReBOKuIDDepwhWk7jZC0RTdopnAYKh
```
level 5

```
bandit5@melinda:~$ ls
```

Fine..
We need to find the file that is 1033 bytes in size.

```
bandit5@melinda:~/inhere$ find ./ -size 1033c
```
level 6

```
bandit6@melinda:~$ find / -user bandit7 -group bandit6 -size 33c
```

level 7

```
bandit7@melinda:~$ cat data.txt | grep millionth
```
level 8
We need to find the line that occurs only once.

```
bandit8@melinda:~$ cat data.txt | sort | uniq -c | sort -rn
```

That prints a ranked table of counts,
but we only want the line whose count is 1.

```
bandit8@melinda:~$ cat data.txt | sort | uniq -c | sort -rn | grep -w "1"
```

Actually, this works too:

```
cat data.txt | sort | uniq -u
```
level 9

```
bandit9@melinda:~$ cat data.txt | grep "="
```

A binary file?

```
bandit9@melinda:~$ strings data.txt | grep "="
```
level 10

```
bandit10@melinda:~$ cat data.txt
```

Useful reference:
Base64 on Wikipedia
level 11
This is rot13.

```
bandit11@melinda:~$ cat data.txt | tr '[A-Za-z]' '[N-ZA-Mn-za-m]'
```

Useful reference:
Rot13 on Wikipedia
level 12
I wanted to use binwalk to inspect it,
so I copied data.txt back to my local machine.

```
➜ ~ scp bandit12@bandit.labs.overthewire.org:/home/bandit12/data.txt .
```

Convert the hex dump back with xxd:

```
➜ ~ cat data.txt | xxd -r > data
```

-r: reverse operation, turns the hex dump back into binary.
Use binwalk to extract recursively:

```
➜ ~ binwalk -Me data
```

Finally, find the password:

```
➜ _data8.bin.extracted pwd
/root/_data.extracted/_19.extracted/_data4.bin.extracted/_data5.bin.extracted/_data6.bin.extracted/_0.extracted/_data8.bin.extracted
➜ _data8.bin.extracted cat data9.bin
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
```

But I suppose that counts as cheating..
Manual solution
Reference: http://blog.zer0w1re.net/over-the-wire-bandit-walkthrough/
This level is a bit tedious, and I don't know whether there is a better way. I created a directory under /tmp and decompressed it by hand, one layer at a time. Progress is slow and dull. Below are all of my steps.

```
bandit12@melinda:~$ mkdir /tmp/zer0w1re
```
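An added example (my own Python, not code from this walkthrough or from the zer0w1re post it references) that automates the tedious manual part: it reverses an xxd hex dump the way `xxd -r` does, then peels gzip/bzip2/tar layers by their magic bytes rather than by file name, with a bounded loop so a self-reproducing archive cannot spin forever. `build_sample` constructs a stand-in for data.txt with a placeholder secret; the real file's layer sequence is not reproduced.

```python
import bz2, gzip, io, tarfile

def xxd_reverse(dump: str) -> bytes:
    """Rebuild bytes from an xxd-style dump ('offset: hex groups  ascii'), like xxd -r."""
    hexparts = [ln.split(":", 1)[1].split("  ")[0] for ln in dump.splitlines() if ":" in ln]
    return b"".join(bytes.fromhex(h) for h in hexparts)  # fromhex ignores the spaces between groups

def identify(data: bytes) -> str:
    """Classify by magic bytes: gzip 1f 8b, bzip2 'BZh', POSIX tar 'ustar' at offset 257."""
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[:3] == b"BZh":
        return "bzip2"
    return "tar" if data[257:262] == b"ustar" else "plain"

def unwrap_all(data: bytes, max_layers: int = 32):
    """Peel nested gzip/bzip2/tar layers; return (payload, list of layer kinds in order)."""
    layers = []
    for _ in range(max_layers):  # bounded: a self-reproducing archive would otherwise loop forever
        kind = identify(data)
        if kind == "gzip":
            data = gzip.decompress(data)
        elif kind == "bzip2":
            data = bz2.decompress(data)
        elif kind == "tar":
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
                files = [m for m in tf.getmembers() if m.isfile()]
                if len(files) != 1:
                    raise ValueError("expected exactly one file inside the tar")
                data = tf.extractfile(files[0]).read()
        else:
            return data, layers
        layers.append(kind)
    raise ValueError(f"more than {max_layers} nested layers, giving up")

def build_sample(secret: bytes) -> str:
    """Constructed stand-in for data.txt: secret -> tar -> gzip -> bzip2 -> gzip, dumped xxd-style."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w:") as tf:
        info = tarfile.TarInfo("data.bin")
        info.size = len(secret)
        tf.addfile(info, io.BytesIO(secret))
    blob = gzip.compress(bz2.compress(gzip.compress(tar_buf.getvalue())))
    lines = []
    for off in range(0, len(blob), 16):
        piece = blob[off:off + 16]
        groups = " ".join(piece.hex()[i:i + 4] for i in range(0, 2 * len(piece), 4))
        lines.append(f"{off:08x}: {groups:<39}  {''.join(chr(b) if 32 <= b < 127 else '.' for b in piece)}")
    return "\n".join(lines)
```

Running `unwrap_all(xxd_reverse(open("data.txt").read()))` on a real dump returns the innermost payload together with the order of layers it went through.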
level 13

```
bandit13@melinda:~$ cd .ssh
```

Using a private key:

```
ssh -i private_key [ip]
```

```
bandit13@melinda:~$ ls
```

It seems DNS isn't configured?
Ping Google? No permission.
Then I saw the note on the challenge page.. and it instantly came back to me..

```
bandit13@melinda:~$ ssh -i sshkey.private localhost
Could not create directory '/home/bandit13/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is 05:3a:1c:25:35:0a:ed:2f:cd:87:1c:f6:fe:69:e4:f6.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit13/.ssh/known_hosts).
This is the OverTheWire game server. More information on http://www.overthewire.org/wargames
Please note that wargame usernames are no longer level<X>, but wargamename<X>
e.g. vortex4, semtex2, ...
Note: at this moment, blacksun is not available.
bandit13@localhost's password:
```
bandit13?
I need to specify the user.
Logged in successfully:

```
bandit13@melinda:~$ ssh -i sshkey.private bandit14@localhost
Could not create directory '/home/bandit13/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is 05:3a:1c:25:35:0a:ed:2f:cd:87:1c:f6:fe:69:e4:f6.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit13/.ssh/known_hosts).
```
The directory holds lots of password files:

```
bandit14@melinda:~$ ls -l /etc/bandit_pass/
total 108
-r-------- 1 bandit0 bandit0 8 Nov 14 2014 bandit0
-r-------- 1 bandit1 bandit1 33 Nov 14 2014 bandit1
-r-------- 1 bandit10 bandit10 33 Nov 14 2014 bandit10
-r-------- 1 bandit11 bandit11 33 Nov 14 2014 bandit11
-r-------- 1 bandit12 bandit12 33 Nov 14 2014 bandit12
-r-------- 1 bandit13 bandit13 33 Nov 14 2014 bandit13
-r-------- 1 bandit14 bandit14 33 Nov 14 2014 bandit14
-r-------- 1 bandit15 bandit15 33 Nov 14 2014 bandit15
-r-------- 1 bandit16 bandit16 33 Jul 9 2015 bandit16
-r-------- 1 bandit17 bandit17 33 Nov 14 2014 bandit17
-r-------- 1 bandit18 bandit18 33 Nov 14 2014 bandit18
-r-------- 1 bandit19 bandit19 33 Nov 14 2014 bandit19
-r-------- 1 bandit2 bandit2 33 Nov 14 2014 bandit2
-r-------- 1 bandit20 bandit20 33 Nov 14 2014 bandit20
-r-------- 1 bandit21 bandit21 33 Nov 14 2014 bandit21
-r-------- 1 bandit22 bandit22 33 Nov 14 2014 bandit22
-r-------- 1 bandit23 bandit23 33 Nov 14 2014 bandit23
-r-------- 1 bandit24 bandit24 33 May 3 2015 bandit24
-r-------- 1 bandit25 bandit25 33 Nov 16 2014 bandit25
-r-------- 1 bandit26 bandit26 33 Nov 16 2014 bandit26
-r-------- 1 bandit3 bandit3 33 Nov 14 2014 bandit3
-r-------- 1 bandit4 bandit4 33 Nov 14 2014 bandit4
-r-------- 1 bandit5 bandit5 33 Nov 14 2014 bandit5
-r-------- 1 bandit6 bandit6 33 Nov 14 2014 bandit6
-r-------- 1 bandit7 bandit7 33 Nov 14 2014 bandit7
-r-------- 1 bandit8 bandit8 33 Nov 14 2014 bandit8
-r-------- 1 bandit9 bandit9 33 Nov 14 2014 bandit9
```
But we can only read bandit14's:

```
bandit14@melinda:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
```
level 14
Reference:
Port (computer networking) on Wikipedia

```
bandit14@melinda:~$ nc localhost 30000
```
level 15
References:
Secure Socket Layer/Transport Layer Security on Wikipedia
OpenSSL Cookbook - Testing with OpenSSL
Connect with openssl:

```
bandit15@melinda:~$ openssl s_client -connect localhost:30001
CONNECTED(00000003)
depth=0 CN = li190-250.members.linode.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = li190-250.members.linode.com
verify return:1
---
Certificate chain
 0 s:/CN=li190-250.members.linode.com
   i:/CN=li190-250.members.linode.com
---
Server certificate
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
subject=/CN=li190-250.members.linode.com
issuer=/CN=li190-250.members.linode.com
---
No client certificate CA names sent
---
SSL handshake has read 1714 bytes and written 637 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 2869BF09721D31527955F1DB9278B577A8D6DDC34FCD56AEF47461B47DC69F11
    Session-ID-ctx:
    Master-Key: 5F34E95A73A52D3594B2DB3090A4591AA1D3CA8572F69CBA19218C350D607058E419594FE3B11B54AFC5DA9335729EC0
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1476598004
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
BfMYroe26WYalil77FoDi9qh59eK5xNr
HEARTBEATING
read R BLOCK
read:errno=0
```
But it did not give me the password.
Looked hard at the helpful note.... still don't get it.. let's just look at the answer...

```
bandit15@melinda:~$ openssl s_client -connect localhost:30001 -quiet
```

The reason: in interactive mode s_client treats a typed line that begins with B as its "send a heartbeat" command (and R as "renegotiate"), so the password above, which starts with B, was never sent to the server; -quiet implies -ign_eof, which switches those command keys off and passes the input through unchanged.
level 16
First find the listening (open) ports in the range 31000-32000 on localhost, then work out which one answers SSL connections:

```
bandit16@melinda:~$ nmap localhost -p 31000-32000
Starting Nmap 6.40 ( http://nmap.org ) at 2016-10-16 06:53 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00033s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
31046/tcp open  unknown
31518/tcp open  unknown
31691/tcp open  unknown
31790/tcp open  unknown
31960/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
```
In the previous level, 30001 was the port with SSL enabled:

```
bandit15@melinda:~$ nc localhost 30001
hhhh
ERROR
140737354049184:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:351:
```
Sending a plain string to a port that has SSL enabled gets this reply:

```
140737354049184:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:351:
```
Trying with nc:

```
bandit16@melinda:~$ nc localhost 31046
ffff
ffff
ffff
ffff
^C
```
31046 just echoes back whatever I send.
Testing shows that 31518 and 31790 both reply with the SSL error.
You can also use nmap's -sV option:

```
nmap -p31000-32000 localhost -sV
```
```
bandit16@melinda:~$ nc localhost 31518
```

```
bandit16@melinda:~$ nc localhost 31790
```
Send a message.
Only 31790 replied:

```
bandit16@melinda:~$ openssl s_client -connect localhost:31790 -quiet
depth=0 CN = li190-250.members.linode.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = li190-250.members.linode.com
verify return:1
cluFn7wTiGryunymYOu4RcffSxQluehd
Correct!
-----BEGIN RSA PRIVATE KEY-----
(private key body omitted)
-----END RSA PRIVATE KEY-----
read:errno=0
```
level 17
Commands that may be needed: cat, grep, ls, diff
Copy the ssh private key obtained in the previous level into a text file.
Connect:

```
➜ ~ ssh -i bandit17 bandit17@bandit.labs.overthewire.org
This is the OverTheWire game server. More information on http://www.overthewire.org/wargames
Please note that wargame usernames are no longer level<X>, but wargamename<X>
e.g. vortex4, semtex2, ...
Note: at this moment, blacksun is not available.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'bandit17' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "bandit17": bad permissions
bandit17@bandit.labs.overthewire.org's password:
```
The private key file's permissions must be set to 600:

```
chmod 600 bandit17
ssh -i bandit17 bandit17@bandit.labs.overthewire.org
```

Then connecting works.
```
bandit17@melinda:~$ diff passwords.old passwords.new
```

The header line of the output means that line 42 of f1 (the first file) changed; the c stands for "changed".
< marks the content of that line in f1,
> marks the content of that line in f2 (the second file).
Note: the arrow points toward the file whose text that line comes from.

```
password:kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
```

About diff: http://www.ruanyifeng.com/blog/2012/08/how_to_read_diff.html
Another command: vimdiff
level 18

```
➜ ~ ssh -l bandit18 bandit.labs.overthewire.org
```
You get kicked out as soon as you log in..

```
➜ ~ ssh -l bandit18 bandit.labs.overthewire.org "cat readme"
```

Let's see what .bashrc says:

```
➜ ~ ssh -l bandit18 bandit.labs.overthewire.org "cat .bashrc"
```

This could be used as a dirty trick in a CTF, haha..
But you would still need to check whether you have permission to write .bashrc.
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
level 19
Reference:
Trying things out:

```
bandit19@melinda:~$ ./bandit20-do
Run a command as another user.
Example: ./bandit20-do id
bandit19@melinda:~$ ./bandit20-do bandit20
env: bandit20: No such file or directory
bandit19@melinda:~$ ./bandit20-do bandit19
env: bandit19: No such file or directory
bandit19@melinda:~$ ./bandit20-do bandit18
env: bandit18: No such file or directory
bandit19@melinda:~$ ./bandit20-do root
env: root: No such file or directory
bandit19@melinda:~$ ./bandit20-do xx|ls
env: xx: No such file or directory
bandit20-do
bandit19@melinda:~$ ./bandit20-do /etc/bandit_pass/bandit19
env: /etc/bandit_pass/bandit19: Permission denied
bandit19@melinda:~$ ./bandit20-do /etc/bandit_pass/bandit20
env: /etc/bandit_pass/bandit20: Permission denied
bandit19@melinda:~$ ./bandit20-do /etc/bandit_pass/bandit18
env: /etc/bandit_pass/bandit18: Permission denied
bandit19@melinda:~$ ./bandit20-do 19
env: 19: No such file or directory
bandit19@melinda:~$ ./bandit20-do 19|ls
env: 19: No such file or directory
bandit20-do
bandit19@melinda:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
```
level 20
Commands that may be needed:
ssh, nc, cat

```
bandit20@melinda:~$ ls
```

The hint says nc may be needed..
My guess: log in over ssh in two terminals, run nc as a server in one, and connect to it with suconnect from the other; if it receives the correct password, it returns the password for the next level.
At first I made a blunder:

```
bandit20@melinda:~$ nc -l -p 80
nc: Permission denied
```

Port 80 is where apache is running... so that probably caused nc's permission denied...
In terminal A:

```
bandit20@melinda:~$ nc -l -p 9999
```

In terminal B:

```
bandit20@melinda:~$ ./suconnect 9999
```

In terminal A, paste this level's password directly, and the next level's comes back:

```
bandit20@melinda:~$ nc -l -p 9999
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
```

Terminal B returns:

```
bandit20@melinda:~$ ./suconnect 9999
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password
```
level 21
Commands that may be needed:
cron, crontab, crontab(5) (use "man 5 crontab" to access this)
Go to the directory:

```
bandit21@melinda:~$ cd /etc/cron.d/
```

Whoa.. so many of them.

```
bandit21@melinda:/etc/cron.d$ cat cronjob_bandit22
```

View the contents:

```
bandit21@melinda:/etc/cron.d$ cat /usr/bin/cronjob_bandit22.sh
```

The password is in /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv:

```
bandit21@melinda:/etc/cron.d$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
```

Is tab completion failing because the file is being regenerated every moment?
Actually, it's because the current user has no read permission on the /tmp/ directory.
level 22
Commands that may be needed:
cron, crontab, crontab(5) (use "man 5 crontab" to access this)

```
bandit22@melinda:/etc/cron.d$ cat cronjob_bandit23
```

View the contents of the sh script:

```
bandit22@melinda:/etc/cron.d$ cat /usr/bin/cronjob_bandit23.sh
```

Run this in a local terminal:

```
➜ ~ echo I am user bandit23 | md5sum | cut -d ' ' -f 1
```

View the contents:

```
bandit22@melinda:~$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
```
level 23
NOTE: you need to write a shell script. The script is deleted once it has run, so keep a backup.

```
bandit23@melinda:~$ cd /etc/cron.d/
```

View the script contents:

```
bandit23@melinda:/etc/cron.d$ cat /usr/bin/cronjob_bandit24
```

Write a script, put it in /var/spool/bandit24/,
and have it read the contents of /etc/bandit_pass/bandit24.
Here, because /etc/bandit_pass/bandit24 is readable only by user bandit24,
the script has to be placed in that specific directory,
so that cron.d runs it as user bandit24.
Execute:

```
bandit23@melinda:/tmp$ vim read.sh
bandit23@melinda:/tmp$ cp read.sh /var/spool/bandit24/
bandit23@melinda:/tmp$ cat bandit24.txt
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
```
level 24
Brute force.
pin 1000-9999
You can write the sh script under /tmp; I haven't tried other directories.
payload:

```
bandit24@melinda:/tmp$ echo -n "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 1000" | nc localhost 30002 > 1111.txt
```

The result is written to 1111.txt. Because there is a lot of output,
write it to a file and then grep it.
I started out using seq.
read2.sh:

```
pass="UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ"
for pin in `seq 1000 9999`;do
  # append (>>): a plain > would overwrite the file with each reply
  echo -n "$pass $pin" | nc localhost 30002 >> bandit25.txt
done
```
The workload might be a bit heavy.
Later I switched to an incrementing for loop, which may be a bit better,
and added a progress display, since otherwise you have no idea how far it has got.
read3.sh:

```
pass="UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ"
for((pin=1000;pin<10000;pin++));do
  echo "current $pin"
  # append (>>): a plain > would overwrite the file with each reply
  echo -n "$pass $pin" | nc localhost 30002 >> bandit25aaaaa.txt
done
```
About 40 per minute.
Running it like this is still very slow.. I don't know whether there is any other way..
At 3300, still nothing:

```
bandit24@melinda:/tmp$ cat bandit25bb.txt | grep is
```

At 6180:

```
bandit24@melinda:~$ cat /tmp/bandit25bb.txt | grep is
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
```
Follow-up:
How do we get the pin?
We now know the pin lies in the range 3300-6180:

```
pass="UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ"
for((pin=3300;pin<6180;pin++));do
  echo "current $pin"
  echo -n "$pass $pin" | nc localhost 30002 >> bandit25bba.txt
  cat /tmp/bandit25bba.txt | grep is
done
```

Actually this script still has a bug..
Once the password line has been written to the file..
every subsequent grep matches it and prints it again..
Still, we can find the first line that has the password:
```
current 5669
```

The pin is 5669.
Improving it once more:
echo $? can be used to check whether the previous command executed successfully.
For example:

```
bandit24@melinda:~$ cat /tmp/bandit25.txt | grep is
```

If it executed successfully (grep found a match), $? is 0;
otherwise, $? is non-zero.
See: http://blog.163.com/bobile45@126/blog/static/96061992201311712658570/
Test:

```
bandit24@melinda:/tmp$ bash read3.sh
current 5660
current 5661
current 5662
current 5663
current 5664
current 5665
current 5666
current 5667
current 5668
current 5669
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
```

Much better.
Other approaches
https://github.com/ZimbiX/infosec-ctf-writeups/blob/master/OverTheWire%20-%20Bandit.md
This one uses Ruby.
/tmp/ZimbiX_24-25.rb:

```ruby
#!/usr/bin/env ruby
require 'socket'
s = TCPSocket.new 'localhost', 30002
(0..9999).each do |i|
  x = i.to_s.rjust 4, '0'
  msg = "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ #{x}"
  puts msg
  s.puts msg
  puts s.gets
end
```

http://codebluedev.blogspot.com/2015/07/overthewire-bandit-level-25.html
This one is quite detailed.
It also uses sh, so I won't paste it here.