Bandit Level 16 → Level 17

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

Solution

bandit15@bandit:~$ nmap -p31000-32000 localhost

Starting Nmap 7.40 ( https://nmap.org ) at 2019-09-07 16:57 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00019s latency).
Not shown: 999 closed ports
PORT      STATE SERVICE
31518/tcp open  unknown
31790/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds

bandit15@bandit:~$ openssl s_client -host localhost -port 31790

....

---
BfMYroe26WYalil77FoDi9qh59eK5xNr
Wrong! Please enter the correct current password
closed

Key points

  1. nmap is a powerful network scanner; -p restricts the scan to the given port range (31000-32000 here);
  2. openssl s_client opens a TLS connection to a server. -host/-port is the older option form; -connect localhost:31790 is the usual one. In interactive mode a line starting with one of the connected-command letters (Q, R, B, k, K) is interpreted as a command rather than sent, so pass -ign_eof (or -quiet, which implies it) when typing a password into it;
  3. The session above is running as bandit15 and sends the password obtained from level 14, i.e. bandit15's own password, which is why the server answers "Wrong!": the level 16 server expects the password of the current level, bandit16's.

Bandit Level 14 → Level 15

The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

Solution

bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
bandit14@bandit:~$ nc localhost 30000 < /etc/bandit_pass/bandit14
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr

Key points

  1. nc (its manpage describes it as "TCP/IP swiss army knife") is used here as a plain TCP client: it sends the contents of /etc/bandit_pass/bandit14 to port 30000 on localhost and prints whatever the server sends back.
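The two network levels above, submitting a password to a clear-text port and telling echo servers, clear-text servers and TLS servers apart across a port range, as one worked example. This is added code, not from the original page or from OverTheWire: it builds a real TLS ClientHello in memory with ssl.MemoryBIO, sends it to a port and classifies the reply (our own bytes echoed back means an echo server, a TLS alert or handshake record means a TLS server, anything else is a clear-text service such as the "Wrong!" responder), then submits the password in a second connection. The echo server and password server it talks to are constructed stand-ins started in-process so the code runs offline; the host 127.0.0.1, the random ports, and the self-signed-certificate assumption in submit() are not from the page.

```python
import socket
import socketserver
import ssl
import threading

# Values taken from the page: bandit14's password and the reply from port 30000.
PASSWORD = b"4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e"
NEXT_PASSWORD = b"BfMYroe26WYalil77FoDi9qh59eK5xNr"


def client_hello() -> bytes:
    """Build a genuine TLS ClientHello in memory (no network) with ssl.MemoryBIO."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # we only want the handshake bytes
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname="localhost")
    try:
        tls.do_handshake()               # writes the ClientHello, then wants server data
    except ssl.SSLWantReadError:
        pass
    return outgoing.read()


def recv_some(sock: socket.socket, want: int) -> bytes:
    """Read until `want` bytes, EOF or the socket timeout, whichever comes first."""
    data = b""
    while len(data) < want:
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            break
        if not chunk:
            break
        data += chunk
    return data


def classify(sent: bytes, reply: bytes) -> str:
    """Decide what kind of server answered our ClientHello."""
    if reply == sent:
        return "echo"                    # parroted our bytes back: an echo server
    if len(reply) >= 3 and reply[0] in (0x15, 0x16) and reply[1] == 0x03:
        return "tls"                     # TLS alert (0x15) or handshake (0x16) record
    return "plain"                       # e.g. "Wrong! ..." in clear text


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    hello = client_hello()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(hello)
        reply = recv_some(sock, len(hello))
    return classify(hello, reply)


def submit(host: str, port: int, password: bytes, use_tls: bool, timeout: float = 3.0) -> bytes:
    """Send the password as one line, optionally inside TLS, and return everything the server says."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False       # assumption: the game server uses a self-signed certificate,
        ctx.verify_mode = ssl.CERT_NONE  # so there is nothing to verify it against
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(password + b"\n")
        return recv_some(sock, 1 << 16)  # read until the server closes or the timeout hits


# Constructed stand-ins for the game's servers so the example runs offline.
class EchoHandler(socketserver.BaseRequestHandler):
    def handle(self):
        while chunk := self.request.recv(4096):
            self.request.sendall(chunk)


class PasswordHandler(socketserver.BaseRequestHandler):
    def handle(self):
        line = self.request.recv(4096)
        if line.strip() == PASSWORD:
            self.request.sendall(b"Correct!\n" + NEXT_PASSWORD + b"\n")
        else:
            self.request.sendall(b"Wrong! Please enter the correct current password\n")


def demo() -> tuple:
    """Start an echo server and a clear-text password server on random ports, probe both, then submit."""
    echo_srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), EchoHandler)
    pw_srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), PasswordHandler)
    for srv in (echo_srv, pw_srv):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        echo_kind = probe("127.0.0.1", echo_srv.server_address[1])
        pw_kind = probe("127.0.0.1", pw_srv.server_address[1])
        reply = submit("127.0.0.1", pw_srv.server_address[1], PASSWORD, use_tls=False)
        return echo_kind, pw_kind, reply
    finally:
        for srv in (echo_srv, pw_srv):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    print(demo())
```

Against the real game, call probe('localhost', port) for each port nmap reported and then submit(..., use_tls=True) on the one that speaks TLS; the level text says only one of them returns the next credentials, the rest echo. Turning off certificate verification is acceptable for a throw-away game server only; anywhere else it makes the TLS connection interceptable.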

Bandit Level 13 → Level 14

The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on

Solution

bandit13@bandit:~$ ssh -i sshkey.private bandit14@localhost
Could not create directory '/home/bandit13/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes

...

Key points

  1. ssh -i selects the private key file to authenticate with. ssh refuses a key file that other users can read (the "UNPROTECTED PRIVATE KEY FILE" warning), so it must be mode 0600 or stricter;
  2. The "Could not create directory '/home/bandit13/.ssh'" line is harmless: ssh wanted to record the host key in ~/.ssh/known_hosts and the directory cannot be created because the home directory is not writable, so the host key is simply not saved.

Bandit Level 12 → Level 13

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)

Solution

bandit12@bandit:~$ mktemp -d
/tmp/tmp.NXvJ0vbt5I
bandit12@bandit:~$ cp data.txt /tmp/tmp.NXvJ0vbt5I/
bandit12@bandit:~$ cd /tmp/tmp.NXvJ0vbt5I/
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ file data.txt
data.txt: ASCII text
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ xxd -r data.txt > data1
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ file data1
data1: gzip compressed data, was "data2.bin", last modified: Tue Oct 16 12:00:23 2018, max compression, from Unix
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ xxd -r data.txt > data1.gz
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ gzip -d data1.gz
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ file data1
data1: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ bzip2 -d data1
bzip2: Can't guess original name for data1 -- using data1.out
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ file data1.out
data1.out: gzip compressed data, was "data4.bin", last modified: Tue Oct 16 12:00:23 2018, max compression, from Unix
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ mv data1.out data1.gz
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ gzip -d data1.gz
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ ls
data1  data.txt
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ file data1
data1: POSIX tar archive (GNU)
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ tar -xf data1
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ ls
data1  data5.bin  data.txt
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ tar -xf data5.bin
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ ls
data1  data5.bin  data6.bin  data.txt
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ bzip2 -d data6.bin
bzip2: Can't guess original name for data6.bin -- using data6.bin.out
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ ls
data1  data5.bin  data6.bin.out  data.txt
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ file data6.bin.out
data6.bin.out: POSIX tar archive (GNU)
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ tar -xf data6.bin.out
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ ls
data1  data5.bin  data6.bin.out  data8.bin  data.txt
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", last modified: Tue Oct 16 12:00:23 2018, max compression, from Unix
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ mv data8.bin data8.gz
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ gzip -d data8.gz
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ ls
data1  data5.bin  data6.bin.out  data8  data.txt
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ file data8
data8: ASCII text
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ cat data8
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

Key points

  1. mktemp -d creates a directory with a random name under /tmp;
  2. xxd -r reverses a hexdump back into the original binary;
  3. file identifies each layer from its magic bytes, so run it after every step instead of guessing the next format;
  4. gzip -d decompresses gzip data; it only accepts a file with a known suffix such as .gz, hence the mv before each gzip step;
  5. bzip2 -d decompresses bzip2 data; with no recognised suffix it writes the output to <name>.out, as seen above;
  6. tar -xf unpacks a tar archive;
  7. IMPORTANT: PATIENCE
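The peel-one-layer-at-a-time loop above, automated. This is an added example, not code from the original page: it decides each layer from its magic bytes (which is what file does), undoes it with Python's gzip, bz2 and tarfile modules, and stops when nothing matches. The input is a constructed xxd-style hexdump built by build_sample(), which nests the page's final line in the same order the page unwraps it; the layer and size limits are hypothetical guards against a hostile archive that expands without end.

```python
import bz2
import gzip
import io
import re
import tarfile

# Constructed sample: the innermost payload is the line the page ends with.
SAMPLE_TEXT = b"The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL\n"
MAX_LAYERS = 20              # hypothetical: refuse to unwrap forever
MAX_SIZE = 16 * 1024 * 1024  # hypothetical: refuse a layer that expands past 16 MiB


def parse_xxd(dump: str) -> bytes:
    """Reverse an xxd hexdump like `xxd -r`: keep the hex column, drop offset and ASCII."""
    out = bytearray()
    for line in dump.splitlines():
        m = re.match(r"^[0-9a-fA-F]+:\s*((?:[0-9a-fA-F]{2} ?)+)", line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def to_xxd(data: bytes) -> str:
    """Produce xxd's default layout (16 bytes per line, 2-byte groups) to build the sample."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {hexpart:<39}  {text}")
    return "\n".join(lines) + "\n"


def identify(blob: bytes) -> str:
    """The same decision `file` makes, from the magic bytes alone."""
    if blob[:2] == b"\x1f\x8b":
        return "gzip"
    if blob[:3] == b"BZh":
        return "bzip2"
    if blob[257:262] == b"ustar":    # both POSIX ustar and GNU tar headers carry this
        return "tar"
    return "other"


def peel(blob: bytes, kind: str) -> bytes:
    """Remove one container layer."""
    if kind == "gzip":
        return gzip.decompress(blob)
    if kind == "bzip2":
        return bz2.decompress(blob)
    with tarfile.open(fileobj=io.BytesIO(blob)) as tf:
        files = [m for m in tf.getmembers() if m.isfile()]
        if len(files) != 1:              # the level's archives each hold exactly one file
            raise ValueError(f"expected one file in the tar, found {len(files)}")
        return tf.extractfile(files[0]).read()


def unwrap(blob: bytes):
    """Keep peeling until the magic bytes match nothing; return (payload, layers seen)."""
    layers = []
    while (kind := identify(blob)) != "other":
        if len(layers) >= MAX_LAYERS:
            raise ValueError("too many nesting layers")
        blob = peel(blob, kind)
        if len(blob) > MAX_SIZE:
            raise ValueError("layer expanded past the size limit")
        layers.append(kind)
    return blob, layers


def tar_of(payload: bytes, name: str) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo(name)
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def build_sample() -> str:
    """Nest the text in the order the page unwraps it, then hexdump it like data.txt."""
    blob = gzip.compress(SAMPLE_TEXT)           # data9.bin -> data8
    blob = tar_of(blob, "data8.bin")            # data6.bin.out
    blob = bz2.compress(blob)                   # data6.bin
    blob = tar_of(blob, "data6.bin")            # data5.bin
    blob = tar_of(blob, "data5.bin")            # data1 (tar)
    blob = gzip.compress(blob)                  # data1.gz
    blob = bz2.compress(blob)                   # data1 (bzip2)
    blob = gzip.compress(blob)                  # data2.bin, what xxd -r data.txt yields
    return to_xxd(blob)


def solve(dump: str):
    return unwrap(parse_xxd(dump))


if __name__ == "__main__":
    text, layers = solve(build_sample())
    print(layers, text.decode())
```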

Bandit Level 11 → Level 12

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions

Solution

bandit11@bandit:~$ cat data.txt | tr 'a-zA-Z' 'n-za-mN-ZA-M'
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

Key points

  1. tr is a versatile command for transforming text (its manpage: "Translate, squeeze, and/or delete characters from standard input, writing to standard output."); here it maps every letter to the one 13 positions further along, a Caesar shift, and because 13 is half the alphabet the same command both encodes and decodes. tr reads only standard input, which is why the file is piped in with cat (tr 'a-zA-Z' 'n-za-mN-ZA-M' < data.txt does the same).

Bandit Level 10 → Level 11

The password for the next level is stored in the file data.txt, which contains base64 encoded data

Solution

bandit10@bandit:~$ base64 -d data.txt
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

Key points

  1. base64 -d decodes base64 input; it reads the file given as its argument, or standard input when none is given.

Bandit Level 9 → Level 10

The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.

Solution

bandit9@bandit:~$ strings data.txt | grep -e '^='
========== password
========== isa
=FQ?P\U
=       F[
=)$=
========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk

Key points

  1. strings prints the human-readable sequences in a file, by default every run of at least 4 printable characters;
  2. grep -e PATTERN matches by regular expression; ^= anchors the match at the start of a line, so only strings that begin with = are kept. The password is the last of the ========== lines.
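How strings finds its output, as an added example that is not from the original page: a regular expression over the raw bytes for runs of printable ASCII at least four long (tab included, as GNU strings does by default), followed by the equivalent of grep '^='. SAMPLE is constructed binary data that embeds markers modelled on the page's output; it is not the level's data.txt.

```python
import re


def strings(blob: bytes, min_len: int = 4):
    """Yield each run of at least min_len printable ASCII bytes, as GNU strings does by default."""
    for m in re.finditer(rb"[\x20-\x7e\t]{%d,}" % min_len, blob):
        yield m.group().decode("ascii")


def lines_starting_with(blob: bytes, prefix: str = "=") -> list:
    """Equivalent of `strings data.txt | grep -e '^='`."""
    return [s for s in strings(blob) if s.startswith(prefix)]


# Constructed sample: binary junk with a few readable runs in it (markers mirror the page's output).
SAMPLE = (
    b"\x00\x13\x37\xfe" + b"========== password" + b"\n\x80\x81"
    + b"=FQ?P\\U" + b"\x00\x00" + b"=)$=" + b"\x01"
    + b"\xde\xad" + b"ab" + b"\xbe\xef"          # only 2 printable bytes: below the threshold
    + b"========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk" + b"\n\xff"
)


if __name__ == "__main__":
    for hit in lines_starting_with(SAMPLE):
        print(hit)
```

A newline ends a run, so a marker and the text on the following line come out as separate strings; raising min_len (strings -n 8) is the usual way to cut down the noise lines like =)$= that a binary produces by chance.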

Bandit Level 8 → Level 9

The password for the next level is stored in the file data.txt and is the only line of text that occurs only once

Solution

bandit8@bandit:~$ sort data.txt | uniq -u
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

Key points

  1. sort sorts the input lines;
  2. uniq -u prints only the lines that are not repeated. uniq compares adjacent lines only, so the input has to be sorted first to bring duplicates next to each other; without the sort, a line that occurs twice far apart would wrongly be reported as unique.

Bandit Level 7 → Level 8

The password for the next level is stored in the file data.txt next to the word millionth

Solution

bandit7@bandit:~$ cat data.txt | grep 'millionth'
millionth       cvX2JJa4CFALtqS87jk27qwqGhBM9plV

Key points

Nothing new here; these are commands used in earlier levels. grep 'millionth' also matches lines that merely contain the word (for example "millionths"); grep -w 'millionth' restricts the match to the whole word.

Bandit Level 6 → Level 7

The password for the next level is stored somewhere on the server and has all of the following properties:

owned by user bandit7
owned by group bandit6
33 bytes in size

Solution

bandit6@bandit:~$ find /  -type f -size 33c -user bandit7 -group bandit6 2>&1 | grep -v denied | grep -v 'No such'
/var/lib/dpkg/info/bandit7.password
bandit6@bandit:~$ cat /var/lib/dpkg/info/bandit7.password
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

Key points

  1. find -user restricts matches to files owned by the given user;
  2. find -group restricts matches to files owned by the given group; -size 33c means exactly 33 bytes, the c suffix selecting bytes rather than 512-byte blocks;
  3. 2>&1 redirects standard error to standard output so the "Permission denied" noise can be filtered with grep; 2>/dev/null discards it directly and is the more common idiom;
  4. grep -v drops the lines that match.