OverTheWire Bandit: getting familiar with Linux commands

Quite fun, and it builds up level by level, a bit like a git tutorial I went through before.
I'm still pretty weak at this: I know most of the basic commands, but actually using them is another matter.
Take it one step at a time.

Note

If the network misbehaves, check the network interface configuration and any proxy settings.

0

SSH connection

The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.

Just a basic SSH connection:

ssh bandit0@bandit.labs.overthewire.org -p 2220

Enter the password when prompted.

0-1

The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.

There is a file called readme in the home directory (not the root directory); it holds the password for the next level. Every password you find is the login for the level after it. Use this one to ssh in as bandit1:
NH2SXQwcBdpmTEzi3bvBHMM9H66vVXjL

1-2

Level Goal
The password for the next level is stored in a file called - located in the home directory
Commands you may need to solve this level
ls, cd, cat, file, du, find

The password is in a file named -, but cat - does not print it.
Fortunately the level lists the commands to look at, and a quick search explains why: by convention a lone - argument stands for standard input (or standard output, for commands that write), so cat does not treat it as a file name. Refer to the file by a path that is not a bare dash (./-), or feed it to cat through a redirection (<), which the shell opens as an ordinary file.
So what does cat - actually do?

If you run cat -, cat waits for data on standard input. Type some text, end it with Ctrl+D (Ctrl+Z followed by Enter on Windows), and cat writes what you typed to standard output.

cat < -
cat ./-

rRGizSaX8Mk1RTb1CNQoXTcYZWU6lgzi
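
The dash convention above is easy to get wrong, so here is an added example (not part of the original walkthrough) that creates a file literally named - in a scratch directory and shows what each form of cat reads. It also covers the common mistake of reaching for --: that only ends option parsing, and a lone - is still standard input.

```shell
#!/usr/bin/env bash
# Added example: how a file named "-" interacts with the "-" means stdin
# convention. Each function returns what cat actually read.
set -e

# Create a scratch directory holding a file named "-" (constructed sample).
make_dash_file() {
    local dir
    dir=$(mktemp -d)
    printf 'secret-from-file\n' > "$dir/-"
    printf '%s\n' "$dir"
}

# cat - : the dash is stdin, so cat ignores the file and reads the pipe.
read_bare_dash() {
    ( cd "$1" && printf 'text-from-stdin\n' | cat - )
}

# cat -- - : "--" ends option parsing, but "-" is an operand and still stdin.
read_double_dash() {
    ( cd "$1" && printf 'text-from-stdin\n' | cat -- - )
}

# cat ./- : any path that is not exactly "-" is an ordinary file name.
read_relative_path() {
    ( cd "$1" && cat ./- )
}

# cat < - : the shell opens the file named "-" and hands it to cat as stdin.
read_redirect() {
    ( cd "$1" && cat < - )
}
```

Run any of the four functions against the directory returned by make_dash_file; only the last two return the file contents.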

2-3

Level Goal
The password for the next level is stored in a file called spaces in this filename located in the home directory
Commands you may need to solve this level
ls, cd, cat, file, du, find

When a file name contains spaces, the shell splits it into several arguments. Quote the whole name, escape each space with a backslash, or let a glob match it; the glob works here only because no other file in the directory starts with s.

cat s*

aBZ0W5EmUfAf7kHTQeOwd8bauFJ2lAiG

3-4

Level Goal
The password for the next level is stored in a hidden file in the inhere directory.
Commands you may need to solve this level
ls, cd, cat, file, du, find

# list every file, including dotfiles
ls -a
cat .hidden

2EW7BBsr6aMMoJ2HjW067dm8EgX26xNe

Tab completion after cat also fills in the name.

4-5

The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.
Commands you may need to solve this level
ls, cd, cat, file, du, find

Check which file is ASCII text:

file ./*

Every name in the directory starts with a dash, so use a relative path when reading the file; otherwise cat treats the name as an option:

cat ./-file07

lrIWWI6bB37kxfiCQZqUdOIYfr6eEeqR

5-6

The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:

  • human-readable
  • 1033 bytes in size
  • not executable

There is a whole tree of directories; we need the file that is exactly 1033 bytes. find -size with the c suffix counts bytes (without a suffix the unit is 512-byte blocks). The size alone is selective enough here; the other two properties can be added as further find tests.

find . -type f -size 1033c

P4L4vucdmLnm8I7Vl7jG1ApGSfjYKqJU

6-7

Level Goal
The password for the next level is stored somewhere on the server and has all of the following properties:

  • owned by user bandit7
  • owned by group bandit6
  • 33 bytes in size

Commands you may need to solve this level

ls, cd, cat, file, du, find, grep

Search the whole filesystem this time: the file is not under the home directory. With only a few candidates you could check owner and group with ls -al, but find expresses all three properties at once. Running find / as an unprivileged user prints a lot of Permission denied errors on stderr; redirect stderr to /dev/null to see only the hits.

find / -user bandit7 -group bandit6 -size 33c
z7WtoNQU2XfjmMtWA8u5rN4vzqu4v99S
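
As an added example (not from the original walkthrough), here are the complete find filters for levels 5 and 6, run against a constructed directory tree so the result can be checked. The "human-readable" property is tested with grep -I, which treats binary files as non-matching, instead of reading file(1) output by eye; the level 6 search takes user, group and size as parameters and silences the Permission denied noise.

```shell
#!/usr/bin/env bash
# Added example: find filters for "1033 bytes, text, not executable" and
# "owned by user X and group Y, N bytes", checked on a constructed tree.
set -e

# Build a scratch tree: the target (1033-byte text), a 1033-byte text file
# that is executable, a 1033-byte binary, a short text file, and a 33-byte
# file for the level 6 search. All contents are constructed sample data.
build_tree() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/inhere/a" "$root/inhere/b"
    # 1032 'a' characters plus a newline = 1033 bytes
    { head -c 1032 /dev/zero | tr '\0' 'a'; echo; } > "$root/inhere/a/target"
    { head -c 1032 /dev/zero | tr '\0' 'a'; echo; } > "$root/inhere/a/script"
    chmod +x "$root/inhere/a/script"
    head -c 1033 /dev/zero > "$root/inhere/b/blob"        # NUL bytes: binary
    printf 'short\n' > "$root/inhere/b/small"
    { head -c 32 /dev/zero | tr '\0' 'x'; echo; } > "$root/inhere/b/pw"  # 33 bytes
    printf '%s\n' "$root"
}

# Level 5: regular file, exactly 1033 bytes, not executable, human-readable.
# grep -I -l prints only the names of text files that contain a character.
find_level5() {
    find "$1/inhere" -type f -size 1033c ! -executable -exec grep -Il . {} +
}

# Level 6: owned by a given user and group with an exact size. Searching
# from / as a normal user floods stderr with "Permission denied", so it is
# discarded and only the matching paths remain.
find_owned() {
    local root="$1" user="$2" group="$3" size="$4"
    find "$root" -type f -user "$user" -group "$group" -size "${size}c" 2>/dev/null
}
```

On the real box the level 6 call is find_owned / bandit7 bandit6 33; here the test uses the current user and group so it works without those accounts.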

7-8

Level Goal
The password for the next level is stored in the file data.txt next to the word millionth
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

We need to search text, so grep (it takes the file name directly; no cat needed):

grep millionth ./data.txt

TESKZC0XvTetK0S9xNwm25STk5iWrBvP

8-9

Level Goal
The password for the next level is stored in the file data.txt and is the only line of text that occurs only once
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

uniq only compares each line with the one immediately before it, so the input must be sorted first; uniq -u then prints the lines that occur exactly once.

sort ./data.txt | uniq -u

EN632PlfYiZbn3PhVK3XOGSlNInNE00t

9-10

Level Goal
The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

The password follows several = characters. cat shows mostly binary junk, so use strings, which prints only runs of printable characters, and look for the line that starts with =.

strings ./data.txt

G7w8LIi6J3kTb8A7j9LgrywtEUlyyp6s

10-11

Level Goal
The password for the next level is stored in the file data.txt, which contains base64 encoded data
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

Decode it directly with base64:

base64 --decode data.txt

6zPeziLdR2RKNdNYFNb6nVCKzphlXHBM

11-12

Level Goal
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

ROT13 decoding. Because 13 is half of 26, the same tr mapping both encodes and decodes:

echo 'string to encode or decode' | tr 'A-Za-z' 'N-ZA-Mn-za-m'
cat ./data.txt | tr 'a-zA-Z' 'n-za-mN-ZA-M'

JVNBBFSmZwKKOP0XbFXOoW8chDz5yVRv

12-13

Level Goal
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)

Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd, mkdir, cp, mv, file

cat shows that the file is a hex dump, so it has to be turned back into binary first.
Copy it to a working directory under /tmp and reverse the dump with xxd -r.

mkdir /tmp/bandit12
cp data.txt /tmp/bandit12/test
xxd -r ./test ./test.out

file reports gzip data. gzip -d wants a .gz suffix, so rename first, decompress, then run file on the result.

mv test.out test.gz
gzip -d test.gz
file test

The next layer is bzip2:

mv test ./test.bz2
bunzip2 -d test.bz2

Then one more gzip layer:

mv test test.gz
gzip -d test.gz
file test

Then a tar archive:

tar xvf test

Keep repeating "file, rename, unpack" until file reports ASCII text. The complete session, mistyped commands included:

bandit12@bandit:/tmp/bandit12$ xxd -r ./test ./test.out
bandit12@bandit:/tmp/bandit12$ ls
data1 data.txt test test.out
bandit12@bandit:/tmp/bandit12$ file test.out
test.out: gzip compressed data, was "data2.bin", last modified: Thu Oct 5 06:19:20 2023, max compression, from Unix, original size modulo 2^32 573
bandit12@bandit:/tmp/bandit12$ mv test.out ./test.gz
bandit12@bandit:/tmp/bandit12$ gzip -d ./data.gz ./data.out
gzip: ./data.gz: No such file or directory
gzip: ./data.out.gz: No such file or directory
bandit12@bandit:/tmp/bandit12$ gzip -d ./test.gz ./test.out
gzip: ./test already exists; do you wish to overwrite (y or n)? n
not overwritten
gzip: ./test.out.gz: No such file or directory
bandit12@bandit:/tmp/bandit12$ gzip -d ./test.gz ./test.out
gzip: ./test already exists; do you wish to overwrite (y or n)? y
gzip: ./test.out.gz: No such file or directory
bandit12@bandit:/tmp/bandit12$ ls
data1 data.txt test
bandit12@bandit:/tmp/bandit12$ cat test
(binary garbage printed by cat)
bandit12@bandit:/tmp/bandit12$ file test
test: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/bandit12$ mv test ./test.bz2
bandit12@bandit:/tmp/bandit12$ bunzip2 -d test.bz2 ./data.out
bunzip2: Can't open input file ./data.out: No such file or directory.
bandit12@bandit:/tmp/bandit12$ bunzip2 -d test.bz2
bunzip2: Can't open input file test.bz2: No such file or directory.
bandit12@bandit:/tmp/bandit12$ ls
data1 data.txt test
bandit12@bandit:/tmp/bandit12$ file test
test: gzip compressed data, was "data4.bin", last modified: Thu Oct 5 06:19:20 2023, max compression, from Unix, original size modulo 2^32 20480
bandit12@bandit:/tmp/bandit12$ mv test test.gz
bandit12@bandit:/tmp/bandit12$ gzip -d test.gz
bandit12@bandit:/tmp/bandit12$ ls
data1 data.txt test
bandit12@bandit:/tmp/bandit12$ file test
test: POSIX tar archive (GNU)
bandit12@bandit:/tmp/bandit12$ tar xvf test
data5.bin
bandit12@bandit:/tmp/bandit12$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@bandit:/tmp/bandit12$ tar xvf data5.bin
data6.bin
bandit12@bandit:/tmp/bandit12$ file data.6
data.6: cannot open `data.6' (No such file or directory)
bandit12@bandit:/tmp/bandit12$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/bandit12$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/bandit12$ mv data6.bin data6.bz2
bandit12@bandit:/tmp/bandit12$ bunzip2 -d data6.bz2
bandit12@bandit:/tmp/bandit12$ ls
data1 data5.bin data6 data.txt test
bandit12@bandit:/tmp/bandit12$ file data6
data6: POSIX tar archive (GNU)
bandit12@bandit:/tmp/bandit12$ tar xvf data6
data8.bin
bandit12@bandit:/tmp/bandit12$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", last modified: Thu Oct 5 06:19:20 2023, max compression, from Unix, original size modulo 2^32 49
bandit12@bandit:/tmp/bandit12$ mv data8.bin data8.gz
bandit12@bandit:/tmp/bandit12$ gzip -d data8.gz
bandit12@bandit:/tmp/bandit12$ ls
data1 data5.bin data6 data8 data.txt test
bandit12@bandit:/tmp/bandit12$ file data8
data8: ASCII text
bandit12@bandit:/tmp/bandit12$ cat data8
The password is wbWdlBxEir4CaE8LaPhauuOo6pwRmrDw
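
The loop above is mechanical, so here is an added example (not part of the original walkthrough) that automates it. identify() does by hand what file(1) did in the session, by checking the magic bytes; unwrap() renames and unpacks one layer at a time until nothing recognisable is left; build_chain() constructs a test input with the same kind of layering (gzip, tar, bzip2, gzip, xxd dump) so the whole thing can be run offline. The bzip2 and xxd layers are skipped when those tools are not installed.

```shell
#!/usr/bin/env bash
# Added example: automatic unwrapping of a repeatedly compressed file.
set -e

# Classify a file by its leading bytes: gzip is 1f 8b, bzip2 starts with
# "BZh", a POSIX tar archive has "ustar" at offset 257, and an xxd dump
# starts with an 8-hex-digit offset followed by a colon.
identify() {
    local f="$1" magic
    magic=$(head -c 3 "$f" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        1f8b*)  echo gzip; return ;;
        425a68) echo bzip2; return ;;
    esac
    if [ "$(tail -c +258 "$f" | head -c 5)" = "ustar" ]; then
        echo tar; return
    fi
    if head -n 1 "$f" | grep -Eq '^[0-9a-f]{8}: '; then
        echo hexdump; return
    fi
    echo other
}

# Unpack a single layer. gzip and bzip2 insist on the matching suffix and
# strip it again on output, so the file is renamed first; a tar archive is
# extracted next to itself and removed. Prints the path of the result.
unwrap_once() {
    local f="$1" kind dir member
    kind=$(identify "$f")
    dir=$(dirname "$f")
    case "$kind" in
        hexdump) xxd -r "$f" > "$f.bin" && mv "$f.bin" "$f" ;;
        gzip)    mv "$f" "$f.gz" && gzip -d "$f.gz" ;;
        bzip2)   mv "$f" "$f.bz2" && bzip2 -d "$f.bz2" ;;
        tar)     member=$(tar -tf "$f" | head -n 1)
                 tar -xf "$f" -C "$dir"
                 rm -f "$f"
                 f="$dir/$member" ;;
    esac
    printf '%s\n' "$f"
}

# Repeat until identify() no longer recognises a layer.
unwrap() {
    local f="$1"
    while [ "$(identify "$f")" != other ]; do
        f=$(unwrap_once "$f")
    done
    printf '%s\n' "$f"
}

# Construct a nested input in $1 (constructed sample text, not the real
# password): text -> gzip -> tar -> bzip2 -> gzip -> xxd dump.
build_chain() {
    local dir="$1" f="$1/data"
    printf 'The password is constructed-example-only\n' > "$f"
    gzip "$f"; f="$f.gz"
    tar -cf "$f.tar" -C "$dir" "$(basename "$f")"; rm "$f"; f="$f.tar"
    if command -v bzip2 >/dev/null 2>&1; then bzip2 "$f"; f="$f.bz2"; fi
    gzip "$f"; f="$f.gz"
    if command -v xxd >/dev/null 2>&1; then xxd "$f" > "$f.txt"; rm "$f"; f="$f.txt"; fi
    printf '%s\n' "$f"
}

# Stand-alone demo: bash unwrap.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    cat "$(unwrap "$(build_chain "$work")")"
    rm -rf "$work"
fi
```

On the real level you would copy data.txt into your /tmp directory and call unwrap on it; the only difference from the session above is that the renaming is done for you.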

13-14

Level Goal
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on

Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap

Log in to bandit14 with the private key sshkey.private found in the home directory, then read the password file:

ssh -i ./sshkey.private bandit14@localhost -p 2220
cat /etc/bandit_pass/bandit14

fGrHPx402xGC7U7rXKDaxiWFTOiF0ENq

14-15

Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap

Connect to port 30000 with nc and type the current password:

nc localhost 30000

jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt

15-16

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…

Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap

Connect to port 30001 with openssl s_client; as the hint says, -ign_eof keeps the connection open after stdin hits EOF so the server's reply is not cut off:

openssl s_client -connect localhost:30001 -ign_eof

Once connected, enter the current level's password.
JQttfApK4SeyHwDlI9SXGR50qclOAil1

16-17

Level Goal
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap

Time to scan ports. Somewhere between 31000 and 32000 there is an SSL service that returns the credentials; the other listeners only echo input back. Use nmap with service detection:

nmap -sV localhost -p 31000-32000

bandit16@bandit:~$ nmap -sV localhost -p 31000-32000
Starting Nmap 7.80 ( https://nmap.org ) at 2024-03-12 08:42 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00014s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
31046/tcp open echo
31518/tcp open ssl/echo
31691/tcp open echo
31790/tcp open ssl/unknown
31960/tcp open echo
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port31790-TCP:V=7.80%T=SSL%I=7%D=3/12%Time=65F01574%P=x86_64-pc-linux-g
SF:nu%r(GenericLines,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20cu
SF:rrent\x20password\n")%r(GetRequest,31,"Wrong!\x20Please\x20enter\x20the
SF:\x20correct\x20current\x20password\n")%r(HTTPOptions,31,"Wrong!\x20Plea
SF:se\x20enter\x20the\x20correct\x20current\x20password\n")%r(RTSPRequest,
SF:31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20current\x20password\
SF:n")%r(Help,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20current\x
SF:20password\n")%r(SSLSessionReq,31,"Wrong!\x20Please\x20enter\x20the\x20
SF:correct\x20current\x20password\n")%r(TerminalServerCookie,31,"Wrong!\x2
SF:0Please\x20enter\x20the\x20correct\x20current\x20password\n")%r(TLSSess
SF:ionReq,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20current\x20pa
SF:ssword\n")%r(Kerberos,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x
SF:20current\x20password\n")%r(FourOhFourRequest,31,"Wrong!\x20Please\x20e
SF:nter\x20the\x20correct\x20current\x20password\n")%r(LPDString,31,"Wrong
SF:!\x20Please\x20enter\x20the\x20correct\x20current\x20password\n")%r(LDA
SF:PSearchReq,31,"Wrong!\x20Please\x20enter\x20the\x20correct\x20current\x
SF:20password\n")%r(SIPOptions,31,"Wrong!\x20Please\x20enter\x20the\x20cor
SF:rect\x20current\x20password\n");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 99.39 seconds
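
Reading the scan by eye works for five ports, but the triage is easy to script. The following is an added example (not part of the original walkthrough): NMAP_SAMPLE is a constructed excerpt shaped like the output above so the filter can run offline, ssl_candidates keeps the open ports that nmap tagged as TLS-wrapped and could not identify as plain echo, and submit_password sends one line to such a port. The -quiet flag to openssl s_client suppresses the certificate dump and implies -ign_eof.

```shell
#!/usr/bin/env bash
# Added example: pick the non-echo SSL port out of nmap -sV output.
set -e

# Constructed excerpt mirroring the scan above; in practice pipe the live
# scan into ssl_candidates instead.
NMAP_SAMPLE='PORT      STATE SERVICE     VERSION
31046/tcp open  echo
31518/tcp open  ssl/echo
31691/tcp open  echo
31790/tcp open  ssl/unknown
31960/tcp open  echo'

# Read nmap -sV output on stdin and print the port numbers of open services
# whose SERVICE column starts with ssl/ but is not ssl/echo. Echo servers
# return whatever is sent, so they cannot be the one holding the answer.
ssl_candidates() {
    awk '$2 == "open" && $3 ~ /^ssl\// && $3 != "ssl/echo" {
            sub(/\/tcp$/, "", $1); print $1
         }'
}

# Send one line to a TLS port on localhost and print the reply. -quiet
# suppresses session and certificate chatter and implies -ign_eof, so the
# connection stays up long enough for the server to answer after stdin ends.
submit_password() {
    local port="$1" password="$2"
    printf '%s\n' "$password" | openssl s_client -connect "localhost:$port" -quiet 2>/dev/null
}

# Usage on the box:
#   candidates=$(nmap -sV localhost -p 31000-32000 | ssl_candidates)
#   submit_password "$candidates" "$(cat /etc/bandit_pass/bandit16)"
```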

31790 is the only SSL port that is not an echo service. Connect to it with openssl s_client and submit the current password; instead of a password the server returns a private key:

-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
-----END RSA PRIVATE KEY-----

17-18

Level Goal
There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new

NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19

Save the key to a local file and chmod it to exactly 600; ssh ignores a private key whose permissions are more open than that. Then find the changed line with diff:

diff -d passwords.new passwords.old

hga5tuuCLF6fFzUpnagiMN8ssu9LFrdg

18-19

Level Goal
The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

Commands you may need to solve this level
ssh, ls, cat

Logging in with the password just prints Byebye and drops the connection, because .bashrc has been modified. Pass the command to ssh directly instead: it runs and returns its output without an interactive shell.

ssh bandit18@bandit.labs.overthewire.org -p 2220 "cat ./readme"

awhqfNnAbc1naukrpqDYcF95h7HoMTrC
PS: you can also start a shell the same way (add -t if you want a proper tty):

https://blog.csdn.net/weixin_47610939/article/details/122509060

ssh -p 2220 bandit18@bandit.labs.overthewire.org "/bin/bash"
ssh -p 2220 bandit18@bandit.labs.overthewire.org "/bin/sh"
ssh -p 2220 bandit18@bandit.labs.overthewire.org "export TERM=xterm;python -c 'import pty;pty.spawn(\"/bin/bash\")'"

19-20

Level Goal
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

ls -al

Listing the permissions shows that bandit20-do in the home directory has mode
-rwsr-x---.

./bandit20-do cat /etc/bandit_pass/bandit20

VxCazJaVykI6W36BkBU0mJTCM8rR95XT

Explanation

  • drwxr-xr-x is a directory
  • -rw-r--r-- is a regular file
  • -rwsr-x--- is also a regular file, but with a special permission bit set

The permissions come in three groups of three: owner, group and others. For bandit20-do:

  • the leading - means a regular file
  • rws: the owner (here bandit20) has read (r), write (w) and execute; the s in the execute position means the execute bit plus the set-user-ID bit
  • r-x: members of the group (here bandit19) may read (r) and execute (x)
  • ---: everyone else has no access

The s in the owner's execute slot is the SUID (Set User ID) bit. Whoever runs bandit20-do, the process runs with the identity of the file's owner (bandit20) rather than the caller's, which is why it can read /etc/bandit_pass/bandit20 on behalf of bandit19.
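
Spotting that s in ls output is the manual version of a standard check. As an added example (not from the original walkthrough), the block below builds a scratch directory with one setuid file named after bandit20-do and one ordinary file, tests the bit with the POSIX test -u, and enumerates setuid files with find -perm -4000 the way you would when hunting for such helpers across a system.

```shell
#!/usr/bin/env bash
# Added example: detect and enumerate set-user-ID files. Runs against a
# constructed directory so it can be checked without root.
set -e

# test -u is the POSIX check for the set-user-ID bit on a file.
is_setuid() {
    [ -u "$1" ]
}

# List setuid regular files under a root as "mode owner path", the same
# information ls -al shows. -perm -4000 matches any file with the SUID bit
# regardless of the other bits; stderr is discarded because a search from /
# hits many unreadable directories.
list_setuid() {
    find "$1" -type f -perm -4000 -exec stat -c '%A %U %n' {} + 2>/dev/null
}

# Build a scratch tree: a setuid wrapper (mode 4750, shown as -rwsr-x---)
# and a plain script (mode 0755). Both are constructed stand-ins.
build_tree() {
    local root
    root=$(mktemp -d)
    printf '#!/bin/sh\nexec "$@"\n' > "$root/bandit20-do"
    printf '#!/bin/sh\necho plain\n' > "$root/plain"
    chmod 4750 "$root/bandit20-do"
    chmod 0755 "$root/plain"
    printf '%s\n' "$root"
}
```

On a real host, list_setuid / is the usual first pass when looking for binaries that run as another user; on this box it would show bandit20-do owned by bandit20.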

20-21

Level Goal
There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
NOTE: Try connecting to your own network daemon to see if it works as you think
Commands you may need to solve this level
ssh, nc, cat, bash, screen, tmux, Unix ‘job control’ (bg, fg, jobs, &, CTRL-Z, …)

Start a listener that answers with the bandit20 password, keep it in the background with &, then point suconnect at its port. The listener must be up before suconnect runs, because suconnect is the client:

echo "VxCazJaVykI6W36BkBU0mJTCM8rR95XT" | nc -l -p 8888 &
./suconnect 8888

NvEJF7oVjkddltPSrdKEFOllh9V1IBcq

21-22

Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

Commands you may need to solve this level
cron, crontab, crontab(5) (use “man 5 crontab” to access this)

Change into /etc/cron.d and cat ./* to see the scheduled jobs:

bandit21@bandit:/etc/cron.d$ cat ./*
* * * * * root /usr/bin/cronjob_bandit15_root.sh &> /dev/null
* * * * * root /usr/bin/cronjob_bandit17_root.sh &> /dev/null
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
@reboot bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * root /usr/bin/cronjob_bandit25_root.sh &> /dev/null
30 3 * * 0 root test -e /run/systemd/system || SERVICE_MODE=1 /usr/lib/x86_64-linux-gnu/e2fsprogs/e2scrub_all_cron
10 3 * * * root test -e /run/systemd/system || SERVICE_MODE=1 /sbin/e2scrub_all -A -r
cat: ./otw-tmp-dir: Permission denied
# The first element of the path is a directory where the debian-sa1
# script is located
PATH=/usr/lib/sysstat:/usr/sbin:/usr/sbin:/usr/bin:/sbin:/bin

# Activity reports every 10 minutes everyday
5-55/10 * * * * root command -v debian-sa1 > /dev/null && debian-sa1 1 1

# Additional run at 23:59 to rotate the statistics file
59 23 * * * root command -v debian-sa1 > /dev/null && debian-sa1 60 2
bandit21@bandit:/etc/cron.d$ cat ./cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
bandit21@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

Read the file the job writes to:
WdDozAdTM2z9DiFEQ2mGlwngMfj4EZff

22-23

Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.

Commands you may need to solve this level
cron, crontab, crontab(5) (use “man 5 crontab” to access this)

Same approach:

bandit22@bandit:~$ cat /etc/cron.d/cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
bandit22@bandit:~$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget

Note that whoami inside the cron job evaluates to bandit23, because cron runs it as that user. Compute the same hash yourself and read the file it writes:

bandit22@bandit:~$ echo I am user "bandit23" | md5sum | cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349
cat /tmp/8ca319486bfbbc3663ea0fbe81326349

QYw0Y2aiA672PsMmh9puTQuhoz8SyR2G

23-24

Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!

NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…

Commands you may need to solve this level
cron, crontab, crontab(5) (use “man 5 crontab” to access this)

cat /etc/cron.d/*

bandit23@bandit:~$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname/foo
echo "Executing and deleting all scripts in /var/spool/$myname/foo:"
for i in * .*;
do
if [ "$i" != "." -a "$i" != ".." ];
then
echo "Handling $i"
owner="$(stat --format "%U" ./$i)"
if [ "${owner}" = "bandit23" ]; then
timeout -s 9 60 ./$i
fi
rm -f ./$i
fi
done

The script changes into /var/spool/bandit24/foo and, for every entry there owned by bandit23, runs it (as bandit24, with a 60-second timeout) and then deletes it; entries owned by anyone else are deleted without being run.

bandit23@bandit:~$ ls /var/spool -al
total 20
drwxr-xr-x 5 root root 4096 Oct 5 06:19 .
drwxr-xr-x 13 root root 4096 Oct 5 06:19 ..
dr-xr-x--- 3 bandit24 bandit23 4096 Oct 5 06:19 bandit24
drwxr-xr-x 3 root root 4096 Sep 19 02:19 cron
lrwxrwxrwx 1 root root 7 Sep 19 02:19 mail -> ../mail
drwx------ 2 syslog adm 4096 Dec 30 2021 rsyslog

Write a small script that copies the password out to a place we can read.
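
As an added example (not the original author's script), here is the shape such a payload takes, together with a local re-implementation of the cron loop from cronjob_bandit24.sh so the mechanics can be checked without the server. Two details follow directly from the script shown above: the payload has to be placed in /var/spool/bandit24/foo, the directory the job cd's into, and both the payload and the output file must be usable by bandit24, since that is the user the job runs as. The paths and the secret below are placeholders.

```shell
#!/usr/bin/env bash
# Added example: a cron-executed payload and a local simulation of the
# "run everything owned by X, then delete it" loop.
set -e

# Write a payload into $dir that copies $src into $dir/password. The output
# file is created up front and made world-writable because the payload runs
# as another user; the payload itself must be readable and executable by
# that user. Prints the payload path.
make_payload() {
    local dir="$1" src="$2" out="$1/password"
    : > "$out"
    chmod 666 "$out"
    cat > "$dir/getpass.sh" <<EOF
#!/bin/bash
cat "$src" > "$out"
EOF
    chmod 755 "$dir/getpass.sh"
    printf '%s\n' "$dir/getpass.sh"
}

# The loop from cronjob_bandit24.sh: every entry in $spool owned by $owner
# is executed with a 60 second timeout, then every entry is deleted whether
# it ran or not. The subshell keeps the cd from leaking into the caller.
run_spool() {
    local spool="$1" owner="$2"
    (
        cd "$spool"
        for i in * .*; do
            if [ "$i" != "." ] && [ "$i" != ".." ]; then
                if [ "$(stat --format %U "./$i" 2>/dev/null)" = "$owner" ]; then
                    timeout -s 9 60 "./$i" || true
                fi
                rm -f "./$i"
            fi
        done
    )
}
```

On the box the equivalent is: create the payload in your own /tmp directory with /etc/bandit_pass/bandit24 as the source, cp it into /var/spool/bandit24/foo, wait for the next minute, and read the output file.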

bandit23@bandit:~$ mktemp -d
/tmp/tmp.VvZN2w6uDO
bandit23@bandit:~$ cd /tmp/tmp.VvZN2w6uDO
bandit23@bandit:/tmp/tmp.VvZN2w6uDO$ vim bandit24_pass.sh
bandit23@bandit:/tmp/tmp.VvZN2w6uDO$ chmod +rx bandit24_pass.sh
bandit23@bandit:/tmp/tmp.VvZN2w6uDO$ chmod 777 /tmp/tmp.VvZN2w6uDO
bandit23@bandit:/tmp/tmp.VvZN2w6uDO$ touch password
bandit23@bandit:/tmp/tmp.VvZN2w6uDO$ chmod +rwx password
bandit23@bandit:/tmp/tmp.VvZN2w6uDO$
bandit23@bandit:/tmp/tmp.VvZN2w6uDO$ ls -la
total 408
drwxrwxrwx 2 bandit23 bandit23 4096 Mar 12 12:31 .
drwxrwx-wt 850 root root 405504 Mar 12 12:31 ..
-rwxrwxr-x 1 bandit23 bandit23 73 Mar 12 12:29 bandit24_pass.sh
-rwxrwxr-x 1 bandit23 bandit23 0 Mar 12 12:31 password
bandit23@bandit:/tmp/tmp.VvZN2w6uDO$ cp bandit24_pass.sh /var/spool/bandit24/bandit24_pass.sh
cp: cannot create regular file '/var/spool/bandit24/bandit24_pass.sh': Operation not permitted

I don't know why the file can't be written there; can't get any further. Shelving this for now.