OverTheWire是由OverTheWire 社区设计,在充满乐趣的游戏(类似CTF)中,可以学习一些安全的实例。

官网:OverTheWire

游戏建议的顺序:

  1. Bandit
  2. Leviathan or Natas or Krypton
  3. Narnia
  4. Behemoth
  5. Utumno
  6. Maze

我们先从bandit开始吧…
题目地址
http://overthewire.org/wargames/bandit/

level # 中#是当前关卡的用户bandit #

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
➜  ~ ssh [email protected]
The authenticity of host 'bandit.labs.overthewire.org (178.79.134.250)' can't be established.
ECDSA key fingerprint is SHA256:Hlh5ZcIKRiQ3pRRjBT2Z873ALJtRx6XragCg3suK4nU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'bandit.labs.overthewire.org,178.79.134.250' (ECDSA) to the list of known hosts.
This is the OverTheWire game server. More information on http://www.overthewire.org/wargames
Please note that wargame usernames are no longer level<X>, but wargamename<X>
e.g. vortex4, semtex2, ...
Note: at this moment, blacksun is not available.
[email protected]'s password:

,----.. ,----, .---.
/ / \ ,/ .`| /. ./|
/ . : ,` .' : .--'. ' ;
. / ;. \ ; ; / /__./ \ : |
. ; / ` ; .'___,/ ,' .--'. ' \' .
; | ; \ ; | | : | /___/ \ | ' '
| : | ; | ' ; |.'; ; ; \ \; :
. | ' ' ' : `----' | | \ ; ` |
' ; \; / | ' : ; . \ .\ ;
\ \ ', / | | ' \ \ ' \ |
; : / ' : | : ' |--"
\ \ .' ; |.' \ \ ;
www. `---` ver '---' he '---" ire.org


Welcome to the OverTheWire games machine!
If you find any problems, please report them to Steven on
irc.overthewire.org.
--[ Playing the games ]--
This machine holds several wargames.
If you are playing "somegame", then:
* USERNAMES are somegame0, somegame1, ...
* Most LEVELS are stored in /somegame/.
* PASSWORDS for each level are stored in /etc/somegame_pass/.
Write-access to homedirectories is disabled. It is advised to create a
working directory with a hard-to-guess name in /tmp/. You can use the
command "mktemp -d" in order to generate a random and hard to guess
directory in /tmp/. Read-access to both /tmp/ and /proc/ is disabled
so that users can not snoop on eachother.
Please play nice:

* don't leave orphan processes running
* don't leave exploit-files laying around
* don't annoy other players
* don't post passwords or spoilers
* again, DONT POST SPOILERS!
This includes writeups of your solution on your blog or website!
--[ Tips ]--
This machine has a 64bit processor and many security-features enabled
by default, although ASLR has been switched off. The following
compiler flags might be interesting:
-m32 compile for 32bit
-fno-stack-protector disable ProPolice
-Wl,-z,norelro disable relro
In addition, the execstack tool can be used to flag the stack as
executable on ELF binaries.
Finally, network-access is limited for most levels by a local
firewall.
--[ Tools ]--
For your convenience we have installed a few usefull tools which you can find
in the following locations:
* peda (https://github.com/longld/peda.git) in /usr/local/peda/
* gdbinit (https://github.com/gdbinit/Gdbinit) in /usr/local/gdbinit/
* pwntools (https://github.com/Gallopsled/pwntools) in /usr/src/pwntools/
* radare2 (http://www.radare.org/) should be in $PATH
--[ More information ]--
For more information regarding individual wargames, visit
http://www.overthewire.org/wargames/
For questions or comments, contact us through IRC on
irc.overthewire.org.

level 0

1
2
3
4
bandit0@melinda:~$ pwd
/home/bandit0
bandit0@melinda:~$ cat readme
boJ9jbbUNNfktd78OOpsqOltutMc3MY1

以后做题都要这样ssh连到服务器,获取下一关的password
这是bandit1用户的密码

level 1

需要读取文件名为-的文件

提示:

Google Search for “dashed filename”
Advanced Bash-scripting Guide - Chapter 3 - Special Characters

1
2
3
4
bandit1@melinda:~$ ls
-
bandit1@melinda:~$ cat ./-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

level 2

需要读取一个文件名里有空格的文件

tab补全即可

提示:
Google Search for “spaces in filename”

1
2
3
4
5
6
bandit2@melinda:~$ ls
spaces in this filename
bandit2@melinda:~$ pwd
/home/bandit2
bandit2@melinda:~$ cat spaces\ in\ this\ filename
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

level 3

读取隐藏文件

1
2
3
4
5
6
7
8
9
10
11
12
13
bandit3@melinda:~$ ls
inhere
bandit3@melinda:~$ cd inhere/
bandit3@melinda:~/inhere$ ls
bandit3@melinda:~/inhere$ ls -l
total 0
bandit3@melinda:~/inhere$ ls -la
total 12
drwxr-xr-x 2 root root 4096 Nov 14 2014 .
drwxr-xr-x 3 root root 4096 Nov 14 2014 ..
-rw-r----- 1 bandit4 bandit3 33 Nov 14 2014 .hidden
bandit3@melinda:~/inhere$ cat .hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB

level 4

The password for the next level is stored in the only human-readable file in the inhere directory.

Tip: if your terminal is messed up, try the “reset” command.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
bandit4@melinda:~/inhere$ cat -file00
cat: invalid option -- 'f'
Try 'cat --help' for more information.
bandit4@melinda:~/inhere$ cat "-file00"
cat: invalid option -- 'f'
Try 'cat --help' for more information.
bandit4@melinda:~/inhere$ cat ./-file00
;�-i�(��z��У��ޘ��8鑾bandit4@melinda:~/inhere$ cat ./-file01
?�@c
O8�L��c�Ч7�zb~��ף���U�bandit4@melinda:~/inhere$ cat ./-file02
�g�f�4�6+>"��B�Vx��d��;de�Obandit4@melinda:~/inhere$ cat ./-file03
�:n����8S��Ѕ[�/q�(��@��M�.�tbandit4@melinda:~/inhere$ cat ./-file04
����+��5�`�¶R
�1*6C�u#Nr�bandit4@melinda:~/inhere$ cat ./-file05
��hZ����P�邚���{#��TP��6�]��X:bandit4@melinda:~/inhere$ cat ./-file06
����!��>P�
d{����ҏH���xX|�bandit4@melinda:~/inhere$ cat ./-file07
koReBOKuIDDepwhWk7jZC0RTdopnAYKh

koReBOKuIDDepwhWk7jZC0RTdopnAYKh

level 5

1
2
3
4
5
6
7
8
bandit5@melinda:~$ ls
inhere
bandit5@melinda:~$ cd inhere/
bandit5@melinda:~/inhere$ ls
maybehere00 maybehere04 maybehere08 maybehere12 maybehere16
maybehere01 maybehere05 maybehere09 maybehere13 maybehere17
maybehere02 maybehere06 maybehere10 maybehere14 maybehere18
maybehere03 maybehere07 maybehere11 maybehere15 maybehere19

可以的。。

要找1033字节的文件

1
2
3
4
bandit5@melinda:~/inhere$ find ./ -size 1033c
./maybehere07/.file2
bandit5@melinda:~/inhere$ cat ./maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7

level 6

1
2
3
4
bandit6@melinda:~$ find / -user bandit7 -group bandit6 -size 33c
1:/var/lib/dpkg/info/bandit7.password
bandit6@melinda:~$ cat /var/lib/dpkg/info/bandit7.password
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

level 7

1
2
bandit7@melinda:~$ cat data.txt | grep millionth
millionth cvX2JJa4CFALtqS87jk27qwqGhBM9plV

level 8

要找出只出现一次的那一行

1
bandit8@melinda:~$ cat data.txt | sort | uniq -c | sort -rn

这样会输出计数排行榜

但是我们只需要是1的那一行

1
2
bandit8@melinda:~$ cat data.txt | sort | uniq -c | sort -rn | grep -w "1" 
1 UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

其实也可以

1
cat data.txt | sort | uniq -u

level 9

1
2
bandit9@melinda:~$ cat data.txt | grep "="
Binary file (standard input) matches

二进制文件?

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
bandit9@melinda:~$ strings data.txt | grep "=" 
epr~F=K
7?YD=
?M=HqAH
/(Ne=
C=_"
I========== the6
z5Y=
`h(8=`
n\H=;
========== password
========== ism
N$=&
l/a=L)
f=C(
========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
ie)=5e

level 10

1
2
3
4
bandit10@melinda:~$ cat data.txt 
VGhlIHBhc3N3b3JkIGlzIElGdWt3S0dzRlc4TU9xM0lSRnFyeEUxaHhUTkViVVBSCg==
bandit10@melinda:~$ cat data.txt | base64 -d
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

有用的参考:
Base64 on Wikipedia

level 11

这是rot13

1
2
bandit11@melinda:~$ cat data.txt | tr '[A-Za-z]' '[N-ZA-Mn-za-m]'
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

有用的参考:
Rot13 on Wikipedia

level 12

我想用binwalk来检测

于是将data.txt拖回本地

1
2
3
4
5
6
7
➜  ~ scp [email protected]:/home/bandit12/data.txt . 
This is the OverTheWire game server. More information on http://www.overthewire.org/wargames
Please note that wargame usernames are no longer level<X>, but wargamename<X>
e.g. vortex4, semtex2, ...
Note: at this moment, blacksun is not available.
[email protected]'s password:
data.txt 100% 2546 6.3KB/s 00:00

xxd转换进制

1
2
3
4
5
6
➜  ~ cat data.txt| xxd -r > data
➜ ~ binwalk data
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 gzip compressed data, maximum compression, has original file name: "data2.bin", from Unix, last modified: 2014-11-14 10:32:20
25 0x19 bzip2 compressed data, block size = 900k

-r: 反转操作,将16进制转成2进制

使用binwalk递归解包

1
➜  ~ binwalk -Me data

最后找到password

1
2
3
4
➜  _data8.bin.extracted pwd
/root/_data.extracted/_19.extracted/_data4.bin.extracted/_data5.bin.extracted/_data6.bin.extracted/_0.extracted/_data8.bin.extracted
➜ _data8.bin.extracted cat data9.bin
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

但是我这样算作弊了吧。。

手工解法

参考:http://blog.zer0w1re.net/over-the-wire-bandit-walkthrough/

这道题有些麻烦,不知道是否还有更好的解法。我在/tmp下创建了一个文件夹,手动运行,一层层的解压。进展缓慢而乏味。以下是我的全部操作。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
bandit12@melinda:~$ mkdir /tmp/zer0w1re
bandit12@melinda:~$ cd /tmp/zer0w1re
bandit12@melinda:/tmp/zer0w1re$ cat ~/data.txt | xxd -r > ./data
bandit12@melinda:/tmp/zer0w1re$ file data
data: gzip compressed data, was "data2.bin", from Unix, last modified: Thu Jun 6 13:59:44 2013, max compression
bandit12@melinda:/tmp/zer0w1re$ mv data{,.gz}
bandit12@melinda:/tmp/zer0w1re$ gunzip data.gz
bandit12@melinda:/tmp/zer0w1re$ file data
data: bzip2 compressed data, block size = 900k
bandit12@melinda:/tmp/zer0w1re$ mv data{,.bz2}
bandit12@melinda:/tmp/zer0w1re$ bzip2 -d data.bz2
bandit12@melinda:/tmp/zer0w1re$ file data
data: gzip compressed data, was "data4.bin", from Unix, last modified: Thu Jun 6 13:59:43 2013, max compression
bandit12@melinda:/tmp/zer0w1re$ mv data{,.gz}
bandit12@melinda:/tmp/zer0w1re$ gunzip data.gz
bandit12@melinda:/tmp/zer0w1re$ file data
data: POSIX tar archive (GNU)
bandit12@melinda:/tmp/zer0w1re$ tar xvf data
data5.bin
bandit12@melinda:/tmp/zer0w1re$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@melinda:/tmp/zer0w1re$ tar xvf data5.bin
data6.bin
bandit12@melinda:/tmp/zer0w1re$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@melinda:/tmp/zer0w1re$ mv data6{.bin,.bz2}
bandit12@melinda:/tmp/zer0w1re$ bzip2 -d data6.bz2
bandit12@melinda:/tmp/zer0w1re$ ls
data5.bin data6
bandit12@melinda:/tmp/zer0w1re$ file data6
data6: POSIX tar archive (GNU)
bandit12@melinda:/tmp/zer0w1re$ tar xvf data6
data8.bin
bandit12@melinda:/tmp/zer0w1re$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", from Unix, last modified: Thu Jun 6 13:59:43 2013, max compression
bandit12@melinda:/tmp/zer0w1re$ mv data8{.bin,.gz}
bandit12@melinda:/tmp/zer0w1re$ gunzip data8.gz
bandit12@melinda:/tmp/zer0w1re$ ls
data5.bin data6 data8
bandit12@melinda:/tmp/zer0w1re$ file data8
data8: ASCII text
bandit12@melinda:/tmp/zer0w1re$ cat data8
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

level 13

参考:
SSH/OpenSSH/Keys

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
bandit13@melinda:~$ cd .ssh                 
-bash: cd: .ssh: No such file or directory
bandit13@melinda:~$ ls -l
total 4
-rw-r----- 1 bandit14 bandit13 1679 Nov 14 2014 sshkey.private
bandit13@melinda:~$ cat sshkey.private
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAxkkOE83W2cOT7IWhFc9aPaaQmQDdgzuXCv+ppZHa++buSkN+
gg0tcr7Fw8NLGa5+Uzec2rEg0WmeevB13AIoYp0MZyETq46t+jk9puNwZwIt9XgB
ZufGtZEwWbFWw/vVLNwOXBe4UWStGRWzgPpEeSv5Tb1VjLZIBdGphTIK22Amz6Zb
ThMsiMnyJafEwJ/T8PQO3myS91vUHEuoOMAzoUID4kN0MEZ3+XahyK0HJVq68KsV
ObefXG1vvA3GAJ29kxJaqvRfgYnqZryWN7w3CHjNU4c/2Jkp+n8L0SnxaNA+WYA7
jiPyTF0is8uzMlYQ4l1Lzh/8/MpvhCQF8r22dwIDAQABAoIBAQC6dWBjhyEOzjeA
J3j/RWmap9M5zfJ/wb2bfidNpwbB8rsJ4sZIDZQ7XuIh4LfygoAQSS+bBw3RXvzE
pvJt3SmU8hIDuLsCjL1VnBY5pY7Bju8g8aR/3FyjyNAqx/TLfzlLYfOu7i9Jet67
xAh0tONG/u8FB5I3LAI2Vp6OviwvdWeC4nOxCthldpuPKNLA8rmMMVRTKQ+7T2VS
nXmwYckKUcUgzoVSpiNZaS0zUDypdpy2+tRH3MQa5kqN1YKjvF8RC47woOYCktsD
o3FFpGNFec9Taa3Msy+DfQQhHKZFKIL3bJDONtmrVvtYK40/yeU4aZ/HA2DQzwhe
ol1AfiEhAoGBAOnVjosBkm7sblK+n4IEwPxs8sOmhPnTDUy5WGrpSCrXOmsVIBUf
laL3ZGLx3xCIwtCnEucB9DvN2HZkupc/h6hTKUYLqXuyLD8njTrbRhLgbC9QrKrS
M1F2fSTxVqPtZDlDMwjNR04xHA/fKh8bXXyTMqOHNJTHHNhbh3McdURjAoGBANkU
1hqfnw7+aXncJ9bjysr1ZWbqOE5Nd8AFgfwaKuGTTVX2NsUQnCMWdOp+wFak40JH
PKWkJNdBG+ex0H9JNQsTK3X5PBMAS8AfX0GrKeuwKWA6erytVTqjOfLYcdp5+z9s
8DtVCxDuVsM+i4X8UqIGOlvGbtKEVokHPFXP1q/dAoGAcHg5YX7WEehCgCYTzpO+
xysX8ScM2qS6xuZ3MqUWAxUWkh7NGZvhe0sGy9iOdANzwKw7mUUFViaCMR/t54W1
GC83sOs3D7n5Mj8x3NdO8xFit7dT9a245TvaoYQ7KgmqpSg/ScKCw4c3eiLava+J
3btnJeSIU+8ZXq9XjPRpKwUCgYA7z6LiOQKxNeXH3qHXcnHok855maUj5fJNpPbY
iDkyZ8ySF8GlcFsky8Yw6fWCqfG3zDrohJ5l9JmEsBh7SadkwsZhvecQcS9t4vby
9/8X4jS0P8ibfcKS4nBP+dT81kkkg5Z5MohXBORA7VWx+ACohcDEkprsQ+w32xeD
qT1EvQKBgQDKm8ws2ByvSUVs9GjTilCajFqLJ0eVYzRPaY6f++Gv/UVfAPV4c+S0
kAWpXbv5tbkkzbS0eaLPTKgLzavXtQoTtKwrjpolHKIHUz6Wu+n4abfAIRFubOdN
/+aLoRQ0yBDRbdXMsZN/jvY44eM+xRLdRVyMmdPtP8belRi2E2aEzA==
-----END RSA PRIVATE KEY-----

私钥的使用

ssh -i private_key [ip]

1
2
3
4
bandit13@melinda:~$ ls
sshkey.private
bandit13@melinda:~$ ssh -i sshkey.private bandit.labs.overthewire.org
ssh: Could not resolve hostname bandit.labs.overthewire.org: Name or service not known

貌似没配置DNS?

ping 谷歌? 没权限

看到题目的note。。瞬间想起了。。

1
2
3
4
5
6
7
8
9
10
11
bandit13@melinda:~$ ssh -i sshkey.private localhost                  
Could not create directory '/home/bandit13/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is 05:3a:1c:25:35:0a:ed:2f:cd:87:1c:f6:fe:69:e4:f6.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit13/.ssh/known_hosts).
This is the OverTheWire game server. More information on http://www.overthewire.org/wargames
Please note that wargame usernames are no longer level<X>, but wargamename<X>
e.g. vortex4, semtex2, ...
Note: at this moment, blacksun is not available.
bandit13@localhost's password:

bandit13?

需要指定用户

成功登录

1
2
3
4
5
6
bandit13@melinda:~$ ssh -i sshkey.private bandit14@localhost
Could not create directory '/home/bandit13/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is 05:3a:1c:25:35:0a:ed:2f:cd:87:1c:f6:fe:69:e4:f6.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit13/.ssh/known_hosts).

目录下有很多passwd

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
bandit14@melinda:~$ ls -l /etc/bandit_pass/      
total 108
-r-------- 1 bandit0 bandit0 8 Nov 14 2014 bandit0
-r-------- 1 bandit1 bandit1 33 Nov 14 2014 bandit1
-r-------- 1 bandit10 bandit10 33 Nov 14 2014 bandit10
-r-------- 1 bandit11 bandit11 33 Nov 14 2014 bandit11
-r-------- 1 bandit12 bandit12 33 Nov 14 2014 bandit12
-r-------- 1 bandit13 bandit13 33 Nov 14 2014 bandit13
-r-------- 1 bandit14 bandit14 33 Nov 14 2014 bandit14
-r-------- 1 bandit15 bandit15 33 Nov 14 2014 bandit15
-r-------- 1 bandit16 bandit16 33 Jul 9 2015 bandit16
-r-------- 1 bandit17 bandit17 33 Nov 14 2014 bandit17
-r-------- 1 bandit18 bandit18 33 Nov 14 2014 bandit18
-r-------- 1 bandit19 bandit19 33 Nov 14 2014 bandit19
-r-------- 1 bandit2 bandit2 33 Nov 14 2014 bandit2
-r-------- 1 bandit20 bandit20 33 Nov 14 2014 bandit20
-r-------- 1 bandit21 bandit21 33 Nov 14 2014 bandit21
-r-------- 1 bandit22 bandit22 33 Nov 14 2014 bandit22
-r-------- 1 bandit23 bandit23 33 Nov 14 2014 bandit23
-r-------- 1 bandit24 bandit24 33 May 3 2015 bandit24
-r-------- 1 bandit25 bandit25 33 Nov 16 2014 bandit25
-r-------- 1 bandit26 bandit26 33 Nov 16 2014 bandit26
-r-------- 1 bandit3 bandit3 33 Nov 14 2014 bandit3
-r-------- 1 bandit4 bandit4 33 Nov 14 2014 bandit4
-r-------- 1 bandit5 bandit5 33 Nov 14 2014 bandit5
-r-------- 1 bandit6 bandit6 33 Nov 14 2014 bandit6
-r-------- 1 bandit7 bandit7 33 Nov 14 2014 bandit7
-r-------- 1 bandit8 bandit8 33 Nov 14 2014 bandit8
-r-------- 1 bandit9 bandit9 33 Nov 14 2014 bandit9

但是我们只能读取bandit14

1
2
bandit14@melinda:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

level 14

参考:

How the Internet works in 5 minutes (YouTube) (Not completely accurate, but good enough for beginners)

IP Addresses

IP Address on Wikipedia

Localhost on Wikipedia

Ports

Port (computer networking) on Wikipedia

1
2
3
4
bandit14@melinda:~$ nc localhost 30000 
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr

level 15

参考:

Secure Socket Layer/Transport Layer Security on Wikipedia

OpenSSL Cookbook - Testing with OpenSSL

使用openssl 连接

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
bandit15@melinda:~$ openssl s_client -connect localhost:30001
CONNECTED(00000003)
depth=0 CN = li190-250.members.linode.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = li190-250.members.linode.com
verify return:1
---
Certificate chain
0 s:/CN=li190-250.members.linode.com
i:/CN=li190-250.members.linode.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC3jCCAcagAwIBAgIJAI5QiWZw4YHbMA0GCSqGSIb3DQEBCwUAMCcxJTAjBgNV
BAMTHGxpMTkwLTI1MC5tZW1iZXJzLmxpbm9kZS5jb20wHhcNMTQxMTE0MTAyODA0
WhcNMjQxMTExMTAyODA0WjAnMSUwIwYDVQQDExxsaTE5MC0yNTAubWVtYmVycy5s
aW5vZGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsKmy9o5z
WU+1EH7Z3bB5TGQA+16zXDcEJy6tZWZ8CDrRyQXiahendp45BWUc/ZuLDo0+B3Wt
ZXjofmLw/F4fmR+8X1s1fQZX2dFt920qEm7LxqzWd0c7FdHiBwwRrwhkk+3cQpOB
TTGdLWEgpdmwwNZDTUdsDLzjDczPnju6T6p6ArTECztPbmTjfY4QIRtC6capL1Z+
yPJSQVAuAMEX1wTDWTGdm0VV7oW4F5cGZutf6QAP51jdhSyZuGilIPHbnj0l6Qc7
a7+OtEsEGi31aJ8KpRf7LNZ7DXCuoB3Hf75Pd6VjDgoOIagcH0NYqa75gEjBkGzs
ktLWykT7ag7fKwIDAQABow0wCzAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IB
AQCaZdUNAj8WDEKWdoU3LNXUBJlTJwiWBrh550PbHSQORcCz2K0kiMei1A4ojK2N
dMHFGAqAeUEaxtz92p2BoFpZasAtdSa3u63tBckFhfUolIS1TC7Cj51y19ysTeep
fGPFpuPCVqVPsruei8Z/iqn3bFIhQQdmumeePZQdPMwZSWHNVYC5XODd7PvNDrDu
5MZJjkz4+6LbwwAvyew62meFN2QEsYbK2Brtbhze+IjE27FGWlSw4K3jlwa409MD
MTf4JU41ELaYY8G/LSNDJsBVhhkHzvXR9iCbXxNz3IL0dQDNj7h4LKhBy0q7hvqg
kDzwlmBO4WKSmCAuky44cXmd
-----END CERTIFICATE-----
subject=/CN=li190-250.members.linode.com
issuer=/CN=li190-250.members.linode.com
---
No client certificate CA names sent
---
SSL handshake has read 1714 bytes and written 637 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : DHE-RSA-AES256-SHA
Session-ID: 2869BF09721D31527955F1DB9278B577A8D6DDC34FCD56AEF47461B47DC69F11
Session-ID-ctx:
Master-Key: 5F34E95A73A52D3594B2DB3090A4591AA1D3CA8572F69CBA19218C350D607058E419594FE3B11B54AFC5DA9335729EC0
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1476598004
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
BfMYroe26WYalil77FoDi9qh59eK5xNr
HEARTBEATING
read R BLOCK
read:errno=0

然而并没有给我password

仔细看看Helpful note。。。。还是不明白。。还是看答案吧。。。

1
2
3
4
5
6
7
8
9
10
bandit15@melinda:~$ openssl s_client -connect localhost:30001 -quiet
depth=0 CN = li190-250.members.linode.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = li190-250.members.linode.com
verify return:1
BfMYroe26WYalil77FoDi9qh59eK5xNr
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd
read:errno=0

level 16

先要从本地localhost的31000-32000找出那个监听(开放)的端口,然后再找出应答(?)SSL连接的

1
2
3
4
5
6
7
8
9
10
11
12
bandit16@melinda:~$ nmap localhost -p 31000-32000
Starting Nmap 6.40 ( http://nmap.org ) at 2016-10-16 06:53 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00033s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
31046/tcp open unknown
31518/tcp open unknown
31691/tcp open unknown
31790/tcp open unknown
31960/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds

上一题中。30001是开放了SSL的端口。

1
2
3
4
bandit15@melinda:~$ nc localhost 30001
hhhh
ERROR
140737354049184:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:351:

向开放了SSL端口的发送字符串会回复
140737354049184:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:351:

nc尝试

1
2
3
4
5
6
bandit16@melinda:~$ nc localhost 31046
ffff
ffff
ffff
ffff
^C

31046只会重复我发的信息

经测试,31518和 31790都会回复ssl的

还可以用namp的-sV选项

1
nmap -p31000-32000 localhost -sV

1
2
3
4
bandit16@melinda:~$ nc localhost 31518
dddd
ERROR
140737354049184:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:351:
1
2
3
4
bandit16@melinda:~$ nc localhost 31790
asdasd
ERROR
140737354049184:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:351:

发送信息

只有31790回复了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
bandit16@melinda:~$ openssl s_client -connect localhost:31790 -quiet
depth=0 CN = li190-250.members.linode.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = li190-250.members.linode.com
verify return:1
cluFn7wTiGryunymYOu4RcffSxQluehd
Correct!
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
-----END RSA PRIVATE KEY-----
read:errno=0

level 17

可能需要的命令:cat, grep, ls, diff

将上题得到的ssh private key复制到文本中

连接

1
2
3
4
5
6
7
8
9
10
11
12
13
➜  ~ ssh -i bandit17 [email protected]
This is the OverTheWire game server. More information on http://www.overthewire.org/wargames
Please note that wargame usernames are no longer level<X>, but wargamename<X>
e.g. vortex4, semtex2, ...
Note: at this moment, blacksun is not available.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'bandit17' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "bandit17": bad permissions
[email protected]'s password:

私钥文件的权限要设置为600

1
2
chmod 600 bandit17
ssh -i bandit17 [email protected]

再连接就可以了

1
2
3
4
5
6
bandit17@melinda:~$ diff passwords.old passwords.new
42c42
< BS8bqB1kqkinKJjuxL6k072Qq9NRwQpR
---
> kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
42c42

表示在f1的42行 c表示内容改变

<

表示在f1中的该行的内容

表示在f1中的该行的内容

note:箭头的指向的方向为某一方的文字内容

1
password:kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd

关于diff:http://www.ruanyifeng.com/blog/2012/08/how_to_read_diff.html

另一个命令 vimdiff

level 18

1
2
3
➜  ~ ssh -l bandit18 bandit.labs.overthewire.org    
Byebye !
Connection to bandit.labs.overthewire.org closed.

????.jpg

一进去就会被退出。。

1
2
3
4
5
6
7
➜  ~ ssh -l bandit18 bandit.labs.overthewire.org "cat readme"
This is the OverTheWire game server. More information on http://www.overthewire.org/wargames
Please note that wargame usernames are no longer level<X>, but wargamename<X>
e.g. vortex4, semtex2, ...
Note: at this moment, blacksun is not available.
[email protected]'s password:
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

让我们看看.bashrc写的啥

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
➜  ~ ssh -l bandit18 bandit.labs.overthewire.org "cat .bashrc"
This is the OverTheWire game server. More information on http://www.overthewire.org/wargames
Please note that wargame usernames are no longer level<X>, but wargamename<X>
e.g. vortex4, semtex2, ...
Note: at this moment, blacksun is not available.
[email protected]'s password:
# ~/.bashrc: executed by bash(1) for non-login shells.
# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
# for examples
# If not running interactively, don't do anything
case $- in
*i*) ;;
*) return;;
esac
# don't put duplicate lines or lines starting with space in the history.
# See bash(1) for more options
HISTCONTROL=ignoreboth
# append to the history file, don't overwrite it
shopt -s histappend
# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
HISTSIZE=1000
HISTFILESIZE=2000
# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize
# If set, the pattern "**" used in a pathname expansion context will
# match all files and zero or more directories and subdirectories.
#shopt -s globstar
# make less more friendly for non-text input files, see lesspipe(1)
[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"
# set variable identifying the chroot you work in (used in the prompt below)
if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
debian_chroot=$(cat /etc/debian_chroot)
fi
# set a fancy prompt (non-color, unless we know we "want" color)
case "$TERM" in
xterm-color) color_prompt=yes;;
esac
# uncomment for a colored prompt, if the terminal has the capability; turned
# off by default to not distract the user: the focus in a terminal window
# should be on the output of commands, not on the prompt
#force_color_prompt=yes
if [ -n "$force_color_prompt" ]; then
if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
# We have color support; assume it's compliant with Ecma-48
# (ISO/IEC-6429). (Lack of such support is extremely rare, and such
# a case would tend to support setf rather than setaf.)
color_prompt=yes
else
color_prompt=
fi
fi
if [ "$color_prompt" = yes ]; then
PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
else
PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
fi
unset color_prompt force_color_prompt
# If this is an xterm set the title to user@host:dir
case "$TERM" in
xterm*|rxvt*)
PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
;;
*)
;;
esac
# enable color support of ls and also add handy aliases
if [ -x /usr/bin/dircolors ]; then
test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
alias ls='ls --color=auto'
#alias dir='dir --color=auto'
#alias vdir='vdir --color=auto'
alias grep='grep --color=auto'
alias fgrep='fgrep --color=auto'
alias egrep='egrep --color=auto'
fi
# some more ls aliases
alias ll='ls -alF'
alias la='ls -A'
alias l='ls -CF'
# Add an "alert" alias for long running commands. Use like so:
# sleep 10; alert
alias alert='notify-send --urgency=low -i "$([ $? = 0 ] && echo terminal || echo error)" "$(history|tail -n1|sed -e '\''s/^\s*[0-9]\+\s*//;s/[;&|]\s*alert$//'\'')"'
# Alias definitions.
# You may want to put all your additions into a separate file like
# ~/.bash_aliases, instead of adding them here directly.
# See /usr/share/doc/bash-doc/examples in the bash-doc package.
if [ -f ~/.bash_aliases ]; then
. ~/.bash_aliases
fi
# enable programmable completion features (you don't need to enable
# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
# sources /etc/bash.bashrc).
if ! shopt -oq posix; then
if [ -f /usr/share/bash-completion/bash_completion ]; then
. /usr/share/bash-completion/bash_completion
elif [ -f /etc/bash_completion ]; then
. /etc/bash_completion
fi
fi
echo 'Byebye !'
exit 0

这可以用于ctf搅屎棍哈。。
但还是要看有没有权限写.bashrc

IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

level 19

参考:

setuid on Wikipedia

尝试

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
bandit19@melinda:~$ ./bandit20-do 
Run a command as another user.
Example: ./bandit20-do id
bandit19@melinda:~$ ./bandit20-do bandit20
env: bandit20: No such file or directory
bandit19@melinda:~$ ./bandit20-do bandit19
env: bandit19: No such file or directory
bandit19@melinda:~$ ./bandit20-do bandit18
env: bandit18: No such file or directory
bandit19@melinda:~$ ./bandit20-do root
env: root: No such file or directory
bandit19@melinda:~$ ./bandit20-do xx|ls
env: xx: No such file or directory
bandit20-do
bandit19@melinda:~$ ./bandit20-do /etc/bandit_pass/bandit19
env: /etc/bandit_pass/bandit19: Permission denied
bandit19@melinda:~$ ./bandit20-do /etc/bandit_pass/bandit20
env: /etc/bandit_pass/bandit20: Permission denied
bandit19@melinda:~$ ./bandit20-do /etc/bandit_pass/bandit18
env: /etc/bandit_pass/bandit18: Permission denied
bandit19@melinda:~$ ./bandit20-do 19
env: 19: No such file or directory
bandit19@melinda:~$ ./bandit20-do 19|ls
env: 19: No such file or directory
bandit20-do
bandit19@melinda:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j

level 20

可能需要的命令:

ssh,nc,cat

1
2
3
4
5
bandit20@melinda:~$ ls
suconnect
bandit20@melinda:~$ ./suconnect
Usage: ./suconnect <portnumber>
This program will connect to the given port on localhost using TCP. If it receives the correct password from the other side, the next password is transmitted back.

提示可能需要nc。。

猜测要用ssh登录两个终端,一个让nc作为服务端,另一个用suconnect去连接,如果收到了正确的password,就返回下一关的password

一开始搞了个乌龙

1
2
bandit20@melinda:~$ nc -l -p 80
nc: Permission denied

80是运行有apache的。。。所以可能导致了nc的denied。。。

A终端中:

1
bandit20@melinda:~$ nc -l -p 9999

B终端中:

1
bandit20@melinda:~$ ./suconnect 9999

在A终端中直接粘贴出本关password,得到下一关:

1
2
3
bandit20@melinda:~$ nc -l -p 9999
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr

B终端中返回:

1
2
3
bandit20@melinda:~$ ./suconnect 9999
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password

level 21

可能需要的命令

cron, crontab, crontab(5) (use “man 5 crontab” to access this)

进入目录

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
bandit21@melinda:~$ cd /etc/cron.d/
bandit21@melinda:/etc/cron.d$ ls -l
total 92
-r--r----- 1 root root 46 Nov 14 2014 behemoth4_cleanup
-rw-r--r-- 1 root root 355 May 25 2013 cron-apt
-rw-r--r-- 1 root root 61 Nov 14 2014 cronjob_bandit22
-rw-r--r-- 1 root root 62 Nov 14 2014 cronjob_bandit23
-rw-r--r-- 1 root root 61 May 3 2015 cronjob_bandit24
-rw-r--r-- 1 root root 62 May 3 2015 cronjob_bandit24_root
-r--r----- 1 root root 47 Nov 14 2014 leviathan5_cleanup
-rw------- 1 root root 233 Nov 14 2014 manpage3_resetpw_job
-rw-r--r-- 1 root root 51 Nov 14 2014 melinda-stats
-rw-r--r-- 1 root root 54 Jun 25 12:42 natas-session-toucher
-rw-r--r-- 1 root root 49 Jun 25 12:42 natas-stats
-r--r----- 1 root root 44 Jun 25 12:43 natas25_cleanup
-r--r----- 1 root root 47 Aug 3 2015 natas25_cleanup~
-r--r----- 1 root root 47 Jun 25 12:43 natas26_cleanup
-r--r----- 1 root root 43 Jun 25 12:43 natas27_cleanup
-rw-r--r-- 1 root root 510 Oct 29 2014 php5
-rw-r--r-- 1 root root 63 Jul 8 2015 semtex0-32
-rw-r--r-- 1 root root 63 Jul 8 2015 semtex0-64
-rw-r--r-- 1 root root 64 Jul 8 2015 semtex0-ppc
-rw-r--r-- 1 root root 35 Nov 14 2014 semtex5
-rw-r--r-- 1 root root 396 Nov 10 2013 sysstat
-rw-r--r-- 1 root root 29 Nov 14 2014 vortex0
-rw-r--r-- 1 root root 30 Nov 14 2014 vortex20

我勒个去。。这么多

1
2
bandit21@melinda:/etc/cron.d$ cat cronjob_bandit22
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null

查看内容

1
2
3
4
bandit21@melinda:/etc/cron.d$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

password在/tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv里

1
2
bandit21@melinda:/etc/cron.d$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

因为每时每分每秒都在生成,所以导致无法补全?

是因为当前用户对/tmp/目录没有读取权限。

level 22

可能需要用到的命令

cron, crontab, crontab(5) (use “man 5 crontab” to access this)

1
2
bandit22@melinda:/etc/cron.d$ cat cronjob_bandit23
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null

查看sh内容

1
2
3
4
5
6
bandit22@melinda:/etc/cron.d$ cat /usr/bin/cronjob_bandit23.sh 
#!/bin/bash
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget

在本地终端运行

1
2
➜  ~ echo I am user bandit23 | md5sum | cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349

查看内容

1
2
bandit22@melinda:~$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n

level 23

NOTE:需要写一个shell脚本。脚本一旦运行,就会被删除,请保留备份。

1
2
3
4
5
6
7
bandit23@melinda:~$ cd /etc/cron.d/
bandit23@melinda:/etc/cron.d$ cat cronjob_bandit24
cronjob_bandit24 cronjob_bandit24_root
bandit23@melinda:/etc/cron.d$ cat cronjob_bandit24
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
bandit23@melinda:/etc/cron.d$ cat cronjob_bandit24_root
* * * * * root /usr/bin/cronjob_bandit24_root.sh &> /dev/null

查看脚本内容

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
bandit23@melinda:/etc/cron.d$ cat /usr/bin/cronjob_bandit24
cronjob_bandit24.sh cronjob_bandit24_root.sh
bandit23@melinda:/etc/cron.d$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash
myname=$(whoami)
cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
if [ "$i" != "." -a "$i" != ".." ];
then
echo "Handling $i"
timeout -s 9 60 "./$i"
rm -f "./$i"
fi
done
bandit23@melinda:/etc/cron.d$ cat /usr/bin/cronjob_bandit24_root.sh
cat: /usr/bin/cronjob_bandit24_root.sh: Permission denied

写一个脚本放到/var/spool/bandit24/

读取/etc/bandit_pass/bandit24 内容即可

1
2
3
#!/bin/bash
cd /etc/bandit_pass
cat bandit24 > /tmp/bandit24.txt

这里

因为bandit24 只能由bandit24用户才能读取

所以必须要把脚本放到指定目录

由cron.d调用bandit24用户来运行脚本

执行

1
2
3
4
bandit23@melinda:/tmp$ vim read.sh
bandit23@melinda:/tmp$ cp read.sh /var/spool/bandit24/
bandit23@melinda:/tmp$ cat bandit24.txt
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

level 24

暴力破解
pin 1000-9999

可以tmp目录下写sh 其他目录没试过

payload

1
bandit24@melinda:/tmp$ echo -n "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 1000" | nc localhost 30002 > 1111.txt

得到的结果会写入1111.txt

因为输出很多

写入到文件中 再grep

开始使用seq
read2.sh

1
2
3
4
5
#!/bin/bash
pass="UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ"
for pin in `seq 1000 9999`;do
echo -n "$pass $pin" | nc localhost 30002 > bandit25.txt
done

可能运算量会大一点

后来换成for循环递增可能会好点
加上进度显示 不然都不知道跑到哪了
read3.sh

1
2
3
4
5
6
#!/bin/bash
pass="UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ"
for((pin=1000;pin<10000;pin++));do
echo "current $pin"
echo -n "$pass $pin" | nc localhost 30002 > bandit25aaaaa.txt
done

一分钟40个
这样跑还是很慢。。不知道还有没有其他办法。。

跑到3300还没有

1
bandit24@melinda:/tmp$ cat bandit25bb.txt | grep is

跑到6180

1
2
bandit24@melinda:~$ cat /tmp/bandit25bb.txt | grep is
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

后续:
怎么得到pin呢
知道pin的范围是3300-6180了

1
2
3
4
5
6
7
#!/bin/bash
pass="UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ"
for((pin=3300;pin<6180;pin++));do
echo "current $pin"
echo -n "$pass $pin" | nc localhost 30002 >> bandit25bba.txt
cat /tmp/bandit25bba.txt | grep is
done

其实这脚本还是有bug的。。

只要一旦写入password那行。。。

每次grep都有。。都会打印出来。。

虽然说我们可以找到第一行有password的

1
2
current 5669
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

pin是5669

再次改进
echo $? 可用于查看上一条命令是否正确执行

比如

1
2
3
4
5
6
7
bandit24@melinda:~$ cat /tmp/bandit25.txt | grep is
bandit24@melinda:~$ echo $?
1
bandit24@melinda:~$ cat /tmp/bandit25bba.txt | grep is
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
bandit24@melinda:~$ echo $?
0

正确执行
$?是0

反之
$? 不为0

详见:http://blog.163.com/bobile45@126/blog/static/96061992201311712658570/

1
2
3
4
5
6
7
8
9
10
#!/bin/bash
pass="UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ"
for((pin=5660;pin<6180;pin++));do
echo "current $pin"
echo -n "$pass $pin" | nc localhost 30002 >> bandit25bba.txt
cat /tmp/bandit25bba.txt | grep is
if [ "$?" -eq "0" ];then
exit 0
fi
done

测试

1
2
3
4
5
6
7
8
9
10
11
12
bandit24@melinda:/tmp$ bash read3.sh
current 5660
current 5661
current 5662
current 5663
current 5664
current 5665
current 5666
current 5667
current 5668
current 5669
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

舒服多了

其他方法

https://github.com/ZimbiX/infosec-ctf-writeups/blob/master/OverTheWire%20-%20Bandit.md

使用的是ruby

/tmp/ZimbiX_24-25.rb

1
2
3
4
5
6
7
8
9
10
#!/usr/bin/env ruby
require 'socket'
s = TCPSocket.new 'localhost', 30002
(0..9999).each do |i|
x = i.to_s.rjust 4, '0'
msg = "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ #{x}"
puts msg
s.puts msg
puts s.gets
end

http://codebluedev.blogspot.com/2015/07/overthewire-bandit-level-25.html

这个比较详细

用的也是sh 就不贴出来了

level 25