0x-1 Level 0
The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.
ssh bandit0@bandit.labs.overthewire.org -p 2220
bandit0
0x00 Level 0 → Level 1
The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.
ssh bandit0@bandit.labs.overthewire.org -p 2220
bandit0
ls
cat readme
boJ9jbbUNNfktd78OOpsqOltutMc3MY1
0x01 Level 1 → Level 2
The password for the next level is stored in a file called - located in the home directory
ls
cat ./-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
0x02 Level 2 → Level 3
The password for the next level is stored in a file called spaces in this filename located in the home directory
ls
cat "spaces in this filename"
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
0x03 Level 3 → Level 4
The password for the next level is stored in a hidden file in the inhere directory.
ls
cd inhere
ls -a
cat ./.hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB
0x04 Level 4 → Level 5
The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.
ls
cd inhere
ls -a
file ./*
cat ./-file07
koReBOKuIDDepwhWk7jZC0RTdopnAYKh
0x05 Level 5 → Level 6
The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:
human-readable
1033 bytes in size
not executable
ls
cd inhere
ls
find . -type f -size 1033c
cat ./maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7
0x06 Level 6 → Level 7
The password for the next level is stored somewhere on the server and has all of the following properties:
owned by user bandit7
owned by group bandit6
33 bytes in size
ls
find / -user bandit7 -group bandit6 -size 33c 2>/dev/null
cat /var/lib/dpkg/info/bandit7.password
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
0x07 Level 7 → Level 8
The password for the next level is stored in the file data.txt next to the word millionth
ls
cat data.txt|grep millionth
* grep: 用于查找文件里符合条件的字符串。
* |: 上一条命令的输出,作为下一条命令参数
cvX2JJa4CFALtqS87jk27qwqGhBM9plV
0x08 Level 8 → Level 9
The password for the next level is stored in the file data.txt and is the only line of text that occurs only once
ls
sort data.txt|uniq -u
* sort: 可针对文本文件的内容,以行为单位来排序。
* uniq 可检查文本文件中重复出现的行列
-u或--unique 仅显示出一次的行列
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
0x09 Level 9 → Level 10
The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.
ls
strings data.txt|grep =
* strings: 在对象文件或二进制文件中查找可打印的字符串
truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
0x10 Level 10 → Level 11
The password for the next level is stored in the file data.txt, which contains base64 encoded data
ls
cat data.txt
cat data.txt|base64 -d
IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR
0x11 Level 11 → Level 12
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions
ls
cat data.txt
cat data.txt|tr 'a-zA-Z' 'n-za-mN-ZA-M'
* tr: “Text Replacer”,该命令用于进行文本替换,从标准输入中通过替换或删除操作进行字符转换
5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
0x12 Level 12 → Level 13
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)
* xxd -r data.txt data.bin
十六进制文件转二进制格式
* mv data.bin data.gz
文件重命名
* gzip -d data.gz
gzip类型文件解压
* bzip2 -d data.bz
bzip2类型文件解压
* tar -xvf data.tar
tar类型文件解压
8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
0x13 Level 13 → Level 14
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on
ssh -i sshkey.private bandit14@localhost
cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
0x14 Level 14 → Level 15
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
telnet localhost 30000
BfMYroe26WYalil77FoDi9qh59eK5xNr
0x15 Level 15 → Level 16
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…
openssl s_client -connect localhost:30001 -ign_eof
* openssl s_client -connect host:port:设置服务器地址和端口号
如果没有设置,则默认为本地主机以及端口号4433。
* -ign_eof:当输入文件到达文件尾的时候并不断开连接。
cluFn7wTiGryunymYOu4RcffSxQluehd
0x16 Level 16 → Level 17
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
nmap localhost -p 31000-32000
openssl s_client -connect localhost:31790
mkdir /tmp/hf1dw
cd /tmp/hf1dw
touch 1.priv
chmod 777 1.priv
vim 1.priv
chmod 600 1.priv
ssh -i 1.priv bandit17@localhost
执行完直接就到了第17关了
(A_A)>>???密码在/etc/bandit_pass/bandit17
xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn
0x17 Level 17 → Level 18
There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new
NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19
diff passwords.new passwords.old
kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
0x18 Level 18 → Level 19
The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
ssh bandit18@bandit.labs.overthewire.org -p 2220 ls
ssh bandit18@bandit.labs.overthewire.org -p 2220 cat readme
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
0x19 Level 19 → Level 20
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.
ls -l
./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
0x20 Level 20 → Level 21
There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
NOTE: Try connecting to your own network daemon to see if it works as you think
ls
echo "GbKksEFF4yrVs6il55v6gwY5aVje5f0j" | nc -l -p 12312 & ./suconnect 12312
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
0x21 Level 21 → Level 22
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
ls
cd /etc/cron.d/
ls
cat cronjob_bandit22
cat /usr/bin/cronjob_bandit22.sh
cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
0x22 Level 22 → Level 23
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
cd /etc/cron.d/
ls
cat cronjob_bandit23
cat /usr/bin/cronjob_bandit23.sh
echo I am user bandit23 | md5sum | cut -d ' ' -f 1
cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
0x23 Level 23 → Level 24
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…
cd /etc/cron.d/
ls
cat cronjob_bandit24
cat /usr/bin/cronjob_bandit24.sh
mkdir /tmp/hf1dw2
cd ..
chmod 777 hf1dw2
cd hf1dw2
touch shell.sh
chmod 777 shell.sh
vim shell.sh
#!/bin/bash
cat /etc/bandit_pass/bandit24 >> /tmp/hf1dw2/password
cp shell.sh /var/spool/bandit24
wait..........
cat password
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
0x24 Level 24 → Level 25
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.
cd /tmp/hf1dw2
touch 24.py
chmod 777 24.py
vim 24.py
from pwn import *
r = remote('localhost', 30002)
for i in range(0, 10):
for j in range(0, 10):
for k in range(0, 10):
for p in range(0, 10):
flag = str(i) + str(j) + str(k) + str(p)
s = "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ "+ flag
#注意空格字母与数字衔接处的空格
r.sendline(s)
response = r.recvline()
if 'Wrong!' not in response:
print 'Correct! ' + response
这个不知为何爆破很慢,没等下去,借别人的结果一用。。。。
uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
0x25 Level 25 → Level 26
Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.
ls
ssh -i bandit26.sshkey bandit26@localhost
cat /etc/passwd |grep bandit26
cat /usr/bin/showtext
缩小终端,再次执行ssh -i bandit26.sshkey bandit26@localhost
v
:e /etc/bandit_pass/bandit26
5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z
0x26 Level 26 → Level 27
Good job getting a shell! Now hurry and grab the password for bandit27!
ssh登录
缩小终端
ssh登录
v
:set shell=/bin/sh
:sh
ls
./bandit27-do cat /etc/bandit_pass/bandit27
3ba3118a22e93127a4ed485be72ef5ea
0x27 Level 27 → Level 28
There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo. The password for the user bandit27-git is the same as for the user bandit27.
Clone the repository and find the password for the next level.
cd /tmp/hf1dw2
git clone ssh://bandit27-git@localhost/home/bandit27-git/repo
输入26-27得到的密码
cd repo
ls
cat README
0ef186ac70e04ea33b4c1853d2526fa2
0x28 Level 28 → Level 29
There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo. The password for the user bandit28-git is the same as for the user bandit28.
mkdir /tmp/hf1dw3
cd /tmp/hf1dw3
git clone ssh://bandit28-git@localhost/home/bandit28-git/repo
cd repo
cat README.md
git log
git show
git log --pretty 列出文件的所有改动历史
git show 打印出来针对文件的所有的改动历史
bbc96594b4e001778eee9975372716b2
0x29 Level 29 → Level 30
There is a git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo. The password for the user bandit29-git is the same as for the user bandit29.
Clone the repository and find the password for the next level.
git branch -a
git checkout remotes/origin/dev
git log
git show
git branch -a 查看当前所有分支
git checkout filename 清空当前工作区的修改,如果缓冲区有数据,就恢复成缓冲区,如果没有就恢复成上一个提交的版本
5b90576bedb2cc04c86a9e924ce42faf
0x30 Level 30 → Level 31
There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo. The password for the user bandit30-git is the same as for the user bandit30.
Clone the repository and find the password for the next level.
git show-ref
git show f17132340e8ee6c159e0a4a6bc6f80e1da3b1aea
git-show-ref - 在本地存储库中列出引用,显示本地存储库中可用的引用以及关联的提交ID。
47e603bb428404d265f59c42920d81e5
0x31 Level 31 → Level 32
There is a git repository at ssh://bandit31-git@localhost/home/bandit31-git/repo. The password for the user bandit31-git is the same as for the user bandit31.
Clone the repository and find the password for the next level.
cat README.md
echo 'May I come in?' > key.txt
git add -f key.txt
git commit -m 'key.txt'
git push
添加操作是Git是最基本操作之一,当你在工作区(working directory)进行内容改动后,需要add操作,将文件添加到暂存区(index),然后再commit,改动的内容才在本地仓库(local repository,或者也叫版本库)中生效,之后你才能push到远程仓库(remote repository),让你的工作被团队中其他人共享到。
git commit -m “message”
-m 参数表示可以直接输入后面的“message”,如果不加 -m参数,那么是不能直接输入message的,而是会调用一个编辑器一般是vim来让你输入这个message
56a9bf19c63d650ce78e6ec0354ee45e
0x32 Level 32 → Level 33
After all this git stuff its time for another escape. Good luck!
$0
cat /etc/bandit_pass/bandit33
c9c3199ddf4121b10cf581a98d51caee
0x33 Level 33 → Level 34
At this moment, level 34 does not exist yet.
网友评论