Overthewire-Bandit——Linux命令熟悉
Overthewire-Bandit——Linux命令熟悉
Natro92挺好玩的,层层递进,有点像之前看过有个git学习的流程。
太菜了,很多基础的命令虽然都会,但是实际上用起来还是有偏差。
脚踏实地一点。
注意
如果网络出现问题,注意网卡的配置以及代理的问题。
0
ssh链接
The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.
就是基础ssh连接
1 | ssh bandit0@bandit.labs.overthewire.org -p 2220 |
按照要求输入密码
0-1
The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.
可以发现在根目录有个readme,然后查看密码,每个密码都是下一级的密码。
比如:
用这个去ssh bandit1NH2SXQwcBdpmTEzi3bvBHMM9H66vVXjL
1-2
Level Goal
The password for the next level is stored in a file called - located in the home directory
Commands you may need to solve this level
ls, cd, cat, file, du, find
他说密码在文件中,但是cat之后看不到。
好在他给了提示,
我们跟着google可以看到:
也就是说它代表的是标准输出和标准输入,你cat时的-
不会被当作文件名,因此需要相对位置或者用<
才可以。
那么cat -
是什么呢:
如果你运行 cat - 命令,cat 将会等待来自标准输入的内容,你可以从键盘输入一些文本,结束输入后,按下 Ctrl + D(在Windows上是 Ctrl + Z 然后回车),cat 会将你输入的内容显示在标准输出上。
1 | cat < - |
rRGizSaX8Mk1RTb1CNQoXTcYZWU6lgzi
2-3
Level Goal
The password for the next level is stored in a file called spaces in this filename located in the home directory
Commands you may need to solve this level
ls, cd, cat, file, du, find
如果中间文件中间有空格:
1 | cat s* |
aBZ0W5EmUfAf7kHTQeOwd8bauFJ2lAiG
3-4
Level Goal
The password for the next level is stored in a hidden file in the inhere directory.
Commands you may need to solve this level
ls, cd, cat, file, du, find
1 | 查看所有文件 |
1 | 2EW7BBsr6aMMoJ2HjW067dm8EgX26xNe |
但是可以cat 之后加一个tab直接补全
4-5
The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.
Commands you may need to solve this level
ls, cd, cat, file, du, find
查看文件是否是ascii编码
1 | file ./* |
查看的时候要用相对路径
1 | cat ./-file07 |
lrIWWI6bB37kxfiCQZqUdOIYfr6eEeqR
5-6
The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:
- human-readable
- 1033 bytes in size
- not executable
给了一堆文件夹,需要找到其中大小为1033b的文件。
1 | find . -type f -size 1033c |
P4L4vucdmLnm8I7Vl7jG1ApGSfjYKqJU
6-7
Level Goal
The password for the next level is stored somewhere on the server and has all of the following properties:
- owned by user bandit7
- owned by group bandit6
- 33 bytes in size
Commands you may need to solve this level
ls, cd, cat, file, du, find, grep
整体查找,不在home下,如果少的话,是可以用ls -al
查看用户和组的
1 | find / -user bandit7 -group bandit6 -size 33c |
z7WtoNQU2XfjmMtWA8u5rN4vzqu4v99S
7-8
Level Goal
The password for the next level is stored in the file data.txt next to the word millionth
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd
需要寻找文本,那就要用grep等命令:
1 | cat ./data.txt | grep millionth |
TESKZC0XvTetK0S9xNwm25STk5iWrBvP
8-9
Level Goal
The password for the next level is stored in the file data.txt and is the only line of text that occurs only once
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd
uniq比较上下行判断是否重复,sort寻找。
1 | sort ./data.txt | uniq -u |
EN632PlfYiZbn3PhVK3XOGSlNInNE00t
9-10
Level Goal
The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd
密码在若干=后,用strings
命令来打印可见字符。
cat后可以发现有很多乱码,就可以用strings
查看所有可见字符。
1 | strings ./data.txt |
G7w8LIi6J3kTb8A7j9LgrywtEUlyyp6s
10-11
Level Goal
The password for the next level is stored in the file data.txt, which contains base64 encoded data
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd
1 | base64 --decode data.txt |
直接base64解析。6zPeziLdR2RKNdNYFNb6nVCKzphlXHBM
11-12
Level Goal
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd
ROT13解密
1 | echo '加密或解密的字符串' | tr 'A-Za-z' 'N-ZA-Mn-za-m' |
1 | cat ./data.txt | tr 'a-zA-Z' 'n-za-mN-ZA-M' |
JVNBBFSmZwKKOP0XbFXOoW8chDz5yVRv
12-13
Level Goal
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd, mkdir, cp, mv, file
cat查看后发现是十六进制文件。
将文件复制给tmp文件夹下,然后使用xxd解析16进制文件。
1 | mkdir /tmp/bandit12 |
1 | cp data.txt /tmp/bandit12/test |
1 | xxd -r ./test ./test.out |
gz压缩包,需要gzip解压,然后继续查看看
先重命名,然后解压。mv test.out test.gz
1 | gzip -d test.gz |
bzip压缩包
1 | mv test ./test.bz2 |
最后还是一层gzip
1 | mv test test.gz |
tar一层
1 | tar xvf test |
按照以下步骤完成既可。
1 | bandit12@bandit:/tmp/bandit12$ xxd -r ./test ./test.out |
13-14
Level Goal
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working onCommands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap
ssh登录bandit14 。
目录下有sshkey.private
用私钥来连接14
1 | ssh -i ./sshkey.private bandit14@localhost -p 2220 |
1 | cat /etc/bandit_pass/bandit14 |
fGrHPx402xGC7U7rXKDaxiWFTOiF0ENq
14-15
Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap
用nc将密码发送到30000端口。
1 | nc localhost 30000 |
jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt
15-16
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…
Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap
使用openssl链接30001端口。
1 | opensssl s_client -connect localhost:30001 -ign_eof |
- drwxr-xr-x 表示一个目录
- -rw-r–r– 表示一个文件
- -rwsr-x— 也表示一个文件,但有特殊权限
权限分为三组,每组三位,分别表示文件所有者、同组用户和其他用户的权限。具体到 bandit20-do 文件:
- 在最前面表示这是一个文件
- rws 表示文件的所有者(在这个例子中是用户 bandit20)拥有读(r)、写(w)和执行(s)的权限
- r-x 表示同组用户(在这个例子中组名是 bandit19)有读(r)和执行(x)的权限
- — 表示其他用户没有任何权限
其中的 s 位于所有者权限组的执行位(x),表示设置了 SUID(Set User ID)特殊权限。这意味着任何用户运行 bandit20-do 文件时,程序将以文件所有者的身份(在这个例子是 bandit20)运行,而不是以实际运行它的用户的身份运行。
连接之后输入本关密码。JQttfApK4SeyHwDlI9SXGR50qclOAil1
16-17
Level Goal
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap
需要扫端口了,31000到32000中有一个ssl的端口。使用nmap来测试:
1 | nmap -sV localhost -p 31000-32000 |
1 | bandit16@bandit:~$ nmap -sV localhost -p 31000-32000 |
31790 尝试链接:
1 | -----BEGIN RSA PRIVATE KEY----- |
17-18
Level Goal
There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.newNOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19
将key保存在本地,然后chmod修改权限为600,正正好好600。
寻找不同 diff 指令
1 | diff -d passwords.new passwords.old |
hga5tuuCLF6fFzUpnagiMN8ssu9LFrdg
18-19
Level Goal
The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.Commands you may need to solve this level
ssh, ls, cat
直接用密码登录会导致返回一个byebye,原因是.bashrc
被改动了。
可以直接用带命令的ssh来查看命令:
1 | ssh bandit18@bandit.labs.overthewire.org -p 2220 "cat ./readme" |
awhqfNnAbc1naukrpqDYcF95h7HoMTrC
PS:也可以起一个shell:
https://blog.csdn.net/weixin_47610939/article/details/122509060
1 | ssh -p 2220 bandit18@bandit.labs.overthewire.org "/bin/bash" |
awhqfNnAbc1naukrpqDYcF95h7HoMTrC
19-20
Level Goal
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.
1 | ls -al |
查看所有用户权限,发现~目录下bandit20-do具有:-rwsr-x---
权限。
1 | ./bandit20-do cat /etc/bandit_pass/bandit20 |
VxCazJaVykI6W36BkBU0mJTCM8rR95XT
解释
drwxr-xr-x
表示一个目录-rw-r--r--
表示一个文件-rwsr-x---
也表示一个文件,但有特殊权限
权限分为三组,每组三位,分别表示文件所有者、同组用户和其他用户的权限。具体到 bandit20-do 文件:
-
在最前面表示这是一个文件rws
表示文件的所有者(在这个例子中是用户 bandit20)拥有读(r)、写(w)和执行(s)的权限r-x
表示同组用户(在这个例子中组名是 bandit19)有读(r)和执行(x)的权限---
表示其他用户没有任何权限
其中的 s 位于所有者权限组的执行位(x),表示设置了 SUID(Set User ID)特殊权限。这意味着任何用户运行 bandit20-do 文件时,程序将以文件所有者的身份(在这个例子是 bandit20)运行,而不是以实际运行它的用户的身份运行。
20-21
Level Goal
There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
NOTE: Try connecting to your own network daemon to see if it works as you think
Commands you may need to solve this level
ssh, nc, cat, bash, screen, tmux, Unix ‘job control’ (bg, fg, jobs, &, CTRL-Z, …)
1 | echo "VxCazJaVykI6W36BkBU0mJTCM8rR95XT" |nc -l -p 8888 & |
NvEJF7oVjkddltPSrdKEFOllh9V1IBcq
21-22
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.Commands you may need to solve this level
cron, crontab, crontab(5) (use “man 5 crontab” to access this)
在/etc/cron.d/
下 cat ./*
查看记时任务。
1 | bandit21@bandit:/etc/cron.d$ cat ./* |
1 | bandit21@bandit:/etc/cron.d$ cat ./cronjob_bandit22 |
查看对应文件WdDozAdTM2z9DiFEQ2mGlwngMfj4EZff
22-23
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
Commands you may need to solve this level
cron, crontab, crontab(5) (use “man 5 crontab” to access this)
相同操作。
1 | bandit22@bandit:~$ cat /etc/cron.d/cronjob_bandit23 |
注意这个内容是bandit23的whoami。
1 | bandit22@bandit:~$ echo I am user "bandit23" | md5sum | cut -d ' ' -f 1 |
QYw0Y2aiA672PsMmh9puTQuhoz8SyR2G
23-24
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…
Commands you may need to solve this level
cron, crontab, crontab(5) (use “man 5 crontab” to access this)
1 | cat /etc/cron.d/* |
1 | bandit23@bandit:~$ cat /usr/bin/cronjob_bandit24.sh |
内容是执行文件/var/spool/bandit24
下的文件,如果用户是bandit23
,就先执行然后再删除。
1 | bandit23@bandit:~$ ls /var/spool -al |
编写一个简单脚本让内容输出出来就好了。
1 | bandit23@bandit:~$ mktemp -d |
不知道为什么写不进去文件,没法搞。先搁置在这吧。