Category: Bandit解密

http://overthewire.org/wargames/bandit 程序员的小游戏

Posted on

Bandit Level 13 → Level 14

The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on

解密

bandit13@bandit:~$ ssh -i sshkey.private bandit14@localhost
Could not create directory '/home/bandit13/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes

...

知识点

  1. ssh命令-i参数指定私钥
Posted on

Bandit Level 12 → Level 13

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)

解密

bandit12@bandit:~$ mktemp -d
/tmp/tmp.NXvJ0vbt5I
bandit12@bandit:~$ cp data.txt /tmp/tmp.NXvJ0vbt5I/
bandit12@bandit:~$ cd /tmp/tmp.NXvJ0vbt5I/
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ file data.txt
data.txt: ASCII text
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ xxd -r data.txt > data1
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ file data1
data1: gzip compressed data, was "data2.bin", last modified: Tue Oct 16 12:00:23 2018, max compression, from Unix
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ xxd -r data.txt > data1.gz
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ gzip -d data1.gz
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ file data1
data1: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ bzip2 -d data1
bzip2: Can't guess original name for data1 -- using data1.out
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ file data1.out
data1.out: gzip compressed data, was "data4.bin", last modified: Tue Oct 16 12:00:23 2018, max compression, from Unix
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ mv data1.out data1.gz
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ gzip -d data1.gz
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ ls
data1  data.txt
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ file data1
data1: POSIX tar archive (GNU)
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ tar -xf data1
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ ls
data1  data5.bin  data.txt
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ tar -xf data5.bin
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ ls
data1  data5.bin  data6.bin  data.txt
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ bzip2 -d data6.bin
bzip2: Can't guess original name for data6.bin -- using data6.bin.out
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ ls
data1  data5.bin  data6.bin.out  data.txt
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ file data6.bin.out
data6.bin.out: POSIX tar archive (GNU)
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ tar -xf data6.bin.out
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ ls
data1  data5.bin  data6.bin.out  data8.bin  data.txt
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", last modified: Tue Oct 16 12:00:23 2018, max compression, from Unix
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ mv data8.bin data8.gz
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ gzip -d data8.gz
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ ls
data1  data5.bin  data6.bin.out  data8  data.txt
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ file data8
data8: ASCII text
bandit12@bandit:/tmp/tmp.NXvJ0vbt5I$ cat data8
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

知识点

  1. mktemp -d/tmp/下创建随机名称目录;
  2. xxd -r逆向文件,从十六进制文件逆向回之前的文件;
  3. gzip -d解压gz压缩文件;
  4. bzip2解压bzip2压缩文件;
  5. tar -xf解包tar打包文件;
  6. IMPORTANT: PATIENCE
Posted on

Bandit Level 11 → Level 12

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions

解密

bandit11@bandit:~$ cat data.txt | tr 'a-zA-Z' 'n-za-mN-ZA-M'
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

知识点

  1. tr是一个神奇的命令,用于各种编辑字符串(官方说:Translate, squeeze, and/or delete characters from standard input, writing to standard output.),这里使用凯撒密码的方式转换一下对应字符
Posted on

Bandit Level 10 → Level 11

The password for the next level is stored in the file data.txt, which contains base64 encoded data

解密

bandit10@bandit:~$ base64 -d data.txt
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

知识点

  1. base64 -d进行base64解码
Posted on

Bandit Level 9 → Level 10

The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.

解密

bandit9@bandit:~$ strings data.txt | grep -e '^='
========== password
========== isa
=FQ?P\U
=       F[
=)$=
========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk

知识点

  1. strings读取文件中可打印内容
  2. grep -e正则方式匹配,^=正则表达表示=开头
Posted on

Bandit Level 8 → Level 9

The password for the next level is stored in the file data.txt and is the only line of text that occurs only once

解密

bandit8@bandit:~$ sort data.txt | uniq -u
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

知识点

  1. sort命令用于排序输入内容;
  2. uniq -u命令将连续输入内容去重;
Posted on

Bandit Level 7 → Level 8

The password for the next level is stored in the file data.txt next to the word millionth

解密

bandit7@bandit:~$ cat data.txt | grep 'millionth'
millionth       cvX2JJa4CFALtqS87jk27qwqGhBM9plV

知识点

没啥好说的,都是之前用过的命令。

Posted on

Bandit Level 6 → Level 7

The password for the next level is stored somewhere on the server and has all of the following properties:

owned by user bandit7
owned by group bandit6
33 bytes in size

解密

bandit6@bandit:~$ find /  -type f -size 33c -user bandit7 -group bandit6 2>&1 | grep -v denied | grep -v 'No such'
/var/lib/dpkg/info/bandit7.password
bandit6@bandit:~$ cat /var/lib/dpkg/info/bandit7.password
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

知识点

  1. find命令-user指定文件所属用户
  2. find命令-group指定文件所属用户组
  3. 2>&1重定向标准错误输出到标准输出
  4. grep -v用于去除匹配输出
Posted on

Bandit Level 5 → Level 6

The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:

human-readable
1033 bytes in size
not executable

解密

bandit5@bandit:~/inhere$ find . -type f -size 1033c ! -executable -exec file {} \;
./maybehere07/.file2: ASCII text, with very long lines
bandit5@bandit:~/inhere$ cat ./maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7

知识点

  1. find命令-size指定文件大小,字节用c后缀表示;
  2. find命令-executable用于标示可执行文件,前面加否定前缀!
Posted on

Bandit Level 4 → Level 5

The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.

解密

bandit4@bandit:~/inhere$ find . -type f -exec file {} \;
./-file09: data
./-file06: data
./-file01: data
./-file02: data
./-file05: data
./-file03: data
./-file08: data
./-file07: ASCII text
./-file04: data
./-file00: data
bandit4@bandit:~/inhere$ cat ./-file07
koReBOKuIDDepwhWk7jZC0RTdopnAYKh

知识点

  1. 使用find命令,-type获取文件,-exec将输出给到下一个命令,使用{}代表每一个输出,最后需要\;来结束
  2. file命令可以帮助你获取文件的基本信息