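November Milestone

How quickly a year has passed since we met, and a full year since we fell in love. Spending so much time apart has become hard for us to bear. I have already arranged the flights and accommodation for November; when the time comes, I will bring my parents, who support our love, for a meeting, and we will settle our wedding date for next year. Thinking it over, I too am someone who is about to get married.

In May I left Alibaba, and in June I came to Da Nang and spent a happy half month with you. Because we were so happy, every minute and every second felt so precious that there was no time to take more photos or write even a few words about our first trip: Da Lat.

Thinking of this makes me even happier. Who would have thought that a year ago I had only heard of Da Lat in a song, and heard that you wanted to go and see it. A year later, we actually flew there together and spent a week.

Da Lat is chilly, nothing like the Vietnam I had imagined. It is somewhat dry and cold there, but there is a lake in the city centre; it rains punctually at three every afternoon and stops after a little while; there is not a single traffic light in the whole area, and people weave through it, dangerous yet magical... My dear, this was our first trip, what a wonderful thing!

We still have some small quarrels, but we are not worried in the least that either of us will leave the other. Of course, we have never treated that as a reason to be reckless. When I see people in long-distance relationships eventually part, it does not stir me at all. Because I know that good people always meet good people, and the right person is the right person in the end; they were simply not suited to each other, whereas we truly know each other's goodness, work at loving, and love with all our strength.

I do not know how many times a day we think of each other, just as I do not know how many stars are twinkling in the sky. But I know that you know, and you know that I know: love accumulates day by day and has never diminished.

The days ahead, with you and me in them, are sure to be beautiful: because we love each other, we believe; and because we believe, we see.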

Bandit Level 32 → Level 33

After all this git stuff it's time for another escape. Good luck!

Solution

>>> $0
$ whoami
bandit33
$ cat /etc/bandit_pass/bandit33
c9c3199ddf4121b10cf581a98d51caee

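Key points

  1. The first argument of any script, $0, is always the name of the file currently being executed, so entering $0 here is equivalent to running sh (the $ prompt that follows shows it is sh rather than bash);
  2. whoami shows that we are bandit33, so we can read the password directly;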

Bandit Level 31 → Level 32

Solution

bandit31@bandit:~$ mktemp -d
/tmp/tmp.UHFbV1v7DX
bandit31@bandit:~$ cd /tmp/tmp.UHFbV1v7DX
bandit31@bandit:/tmp/tmp.UHFbV1v7DX$ git clone ssh://bandit31-git@localhost/home/bandit31-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit31/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit31/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit31-git@localhost's password:
remote: Counting objects: 4, done.
remote: Compressing objects: 100% (3/3), done.
remote: Total 4 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (4/4), done.
bandit31@bandit:/tmp/tmp.UHFbV1v7DX$ cd repo/
bandit31@bandit:/tmp/tmp.UHFbV1v7DX/repo$ ls
README.md
bandit31@bandit:/tmp/tmp.UHFbV1v7DX/repo$ cat README.md
This time your task is to push a file to the remote repository.

Details:
    File name: key.txt
    Content: 'May I come in?'
    Branch: master

bandit31@bandit:/tmp/tmp.UHFbV1v7DX/repo$ echo 'May I come in?' > key.txt
bandit31@bandit:/tmp/tmp.UHFbV1v7DX/repo$ git add -A
bandit31@bandit:/tmp/tmp.UHFbV1v7DX/repo$ git status
On branch master
Your branch is up-to-date with 'origin/master'.
nothing to commit, working tree clean
bandit31@bandit:/tmp/tmp.UHFbV1v7DX/repo$ cat .gitignore
*.txt
bandit31@bandit:/tmp/tmp.UHFbV1v7DX/repo$ :>.gitignore
bandit31@bandit:/tmp/tmp.UHFbV1v7DX/repo$ git status
On branch master
Your branch is up-to-date with 'origin/master'.
Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git checkout -- <file>..." to discard changes in working directory)

        modified:   .gitignore

Untracked files:
  (use "git add <file>..." to include in what will be committed)

        key.txt

no changes added to commit (use "git add" and/or "git commit -a")
bandit31@bandit:/tmp/tmp.UHFbV1v7DX/repo$ git add -A
bandit31@bandit:/tmp/tmp.UHFbV1v7DX/repo$ git commit -m 'Try to resolve it.'
[master e515574] Try to resolve it.
 2 files changed, 1 insertion(+), 1 deletion(-)
 create mode 100644 key.txt
bandit31@bandit:/tmp/tmp.UHFbV1v7DX/repo$ git push
Could not create directory '/home/bandit31/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit31/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit31-git@localhost's password:
Counting objects: 4, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (4/4), 339 bytes | 0 bytes/s, done.
Total 4 (delta 0), reused 0 (delta 0)
remote: ### Attempting to validate files... ####
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
remote: Well done! Here is the password for the next level:
remote: 56a9bf19c63d650ce78e6ec0354ee45e
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
To ssh://localhost/home/bandit31-git/repo
 ! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'ssh://bandit31-git@localhost/home/bandit31-git/repo'

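Key points

  1. git's add command stores all working-tree changes in the staging area;
  2. the commit command stores the staging-area contents in the index area;
  3. the push command submits the local differences to the remote;
  4. there is a .gitignore file here, whose patterns match files that git should not notice;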
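
The .gitignore behaviour from this level, as an added example that is not part of the original write-up: it rebuilds the situation in a throwaway repository, asks git which rule hides key.txt, and stages that one file with git add -f instead of emptying .gitignore. The repository is constructed, and the function names make_demo_repo, ignore_rule, staged_files and force_add are hypothetical.

```sh
#!/bin/sh
# Constructed demo repository; everything lives in a temporary directory.
set -eu

# Build a repo whose committed .gitignore hides *.txt, then drop key.txt in it.
make_demo_repo() {
    repo=$(mktemp -d)
    git -C "$repo" init -q
    git -C "$repo" config user.email demo@example.invalid
    git -C "$repo" config user.name demo
    printf '*.txt\n' > "$repo/.gitignore"
    printf 'readme\n' > "$repo/README.md"
    git -C "$repo" add -A
    git -C "$repo" commit -q -m 'initial commit'
    printf 'May I come in?\n' > "$repo/key.txt"
    printf '%s\n' "$repo"
}

# Print the rule hiding a path as "source:line:pattern", or nothing at all.
ignore_rule() {
    git -C "$1" check-ignore -v -- "$2" | cut -f1 || true
}

# Names of the files staged for the next commit.
staged_files() {
    git -C "$1" diff --cached --name-only
}

# Stage one ignored file explicitly, leaving .gitignore untouched.
force_add() {
    git -C "$1" add -f -- "$2"
}

demo=$(make_demo_repo)
git -C "$demo" add -A
echo "staged after 'git add -A': [$(staged_files "$demo")]"
echo "rule hiding key.txt: $(ignore_rule "$demo" key.txt)"
force_add "$demo" key.txt
echo "staged after 'git add -f': [$(staged_files "$demo")]"
rm -rf "$demo"
```
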

Bandit Level 30 → Level 31

There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo. The password for the user bandit30-git is the same as for the user bandit30.

Clone the repository and find the password for the next level.

Solution

bandit30@bandit:~$ mktemp -d
/tmp/tmp.UkNUXze0ar
bandit30@bandit:~$ cd /tmp/tmp.UkNUXze0ar
bandit30@bandit:/tmp/tmp.UkNUXze0ar$ git clone ssh://bandit30-git@localhost/home/bandit30-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit30/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit30/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit30-git@localhost's password:
remote: Counting objects: 4, done.
remote: Total 4 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (4/4), done.
bandit30@bandit:/tmp/tmp.UkNUXze0ar$ cd repo/
bandit30@bandit:/tmp/tmp.UkNUXze0ar/repo$ ls
README.md
bandit30@bandit:/tmp/tmp.UkNUXze0ar/repo$ git tag
secret
bandit30@bandit:/tmp/tmp.UkNUXze0ar/repo$ git show secret
47e603bb428404d265f59c42920d81e5

Key points

  1. git tag

Bandit Level 29 → Level 30

There is a git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo. The password for the user bandit29-git is the same as for the user bandit29.

Clone the repository and find the password for the next level.

Solution

bandit29@bandit:~$ mktemp -d
/tmp/tmp.5vEfTyPY8r
bandit29@bandit:~$ cd /tmp/tmp.5vEfTyPY8r
bandit29@bandit:/tmp/tmp.5vEfTyPY8r$ git clone ssh://bandit29-git@localhost/home/bandit29-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit29/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit29/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit29-git@localhost's password:
remote: Counting objects: 16, done.
remote: Compressing objects: 100% (11/11), done.
remote: Total 16 (delta 2), reused 0 (delta 0)
Receiving objects: 100% (16/16), done.
Resolving deltas: 100% (2/2), done.
bandit29@bandit:/tmp/tmp.5vEfTyPY8r$ cd repo/
bandit29@bandit:/tmp/tmp.5vEfTyPY8r/repo$ git log
commit 84abedc104bbc0c65cb9eb74eb1d3057753e70f8
Author: Ben Dover <noone@overthewire.org>
Date:   Tue Oct 16 14:00:41 2018 +0200

    fix username

commit 9b19e7d8c1aadf4edcc5b15ba8107329ad6c5650
Author: Ben Dover <noone@overthewire.org>
Date:   Tue Oct 16 14:00:41 2018 +0200

    initial commit of README.md
bandit29@bandit:/tmp/tmp.5vEfTyPY8r/repo$ git tag
bandit29@bandit:/tmp/tmp.5vEfTyPY8r/repo$ git branch
* master
bandit29@bandit:/tmp/tmp.5vEfTyPY8r/repo$ git branch -r
  origin/HEAD -> origin/master
  origin/dev
  origin/master
  origin/sploits-dev
bandit29@bandit:/tmp/tmp.5vEfTyPY8r/repo$ git checkout dev
Branch dev set up to track remote branch dev from origin.
Switched to a new branch 'dev'
bandit29@bandit:/tmp/tmp.5vEfTyPY8r/repo$ git log
commit 33ce2e95d9c5d6fb0a40e5ee9a2926903646b4e3
Author: Morla Porla <morla@overthewire.org>
Date:   Tue Oct 16 14:00:41 2018 +0200

    add data needed for development

commit a8af722fccd4206fc3780bd3ede35b2c03886d9b
Author: Ben Dover <noone@overthewire.org>
Date:   Tue Oct 16 14:00:41 2018 +0200

    add gif2ascii

commit 84abedc104bbc0c65cb9eb74eb1d3057753e70f8
Author: Ben Dover <noone@overthewire.org>
Date:   Tue Oct 16 14:00:41 2018 +0200

    fix username

commit 9b19e7d8c1aadf4edcc5b15ba8107329ad6c5650
Author: Ben Dover <noone@overthewire.org>
Date:   Tue Oct 16 14:00:41 2018 +0200

    initial commit of README.md
bandit29@bandit:/tmp/tmp.5vEfTyPY8r/repo$ ls
code  README.md
bandit29@bandit:/tmp/tmp.5vEfTyPY8r/repo$ cat code/gif2ascii.py

bandit29@bandit:/tmp/tmp.5vEfTyPY8r/repo$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.

## credentials

- username: bandit30
- password: 5b90576bedb2cc04c86a9e924ce42faf

Key points

  1. git has multiple branches; a branch is just a cursor on the history tree;

Bandit Level 28 → Level 29

There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo. The password for the user bandit28-git is the same as for the user bandit28.

Clone the repository and find the password for the next level.

Solution

bandit28@bandit:~$ mktemp -d
/tmp/tmp.0HXHG7V3Lt
bandit28@bandit:~$ cd /tmp/tmp.0HXHG7V3Lt
bandit28@bandit:/tmp/tmp.0HXHG7V3Lt$ git clone ssh://bandit28-git@localhost/home/bandit28-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit28/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit28/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit28-git@localhost's password:
remote: Counting objects: 9, done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 9 (delta 2), reused 0 (delta 0)
Receiving objects: 100% (9/9), done.
Resolving deltas: 100% (2/2), done.
bandit28@bandit:/tmp/tmp.0HXHG7V3Lt$ cd repo/
bandit28@bandit:/tmp/tmp.0HXHG7V3Lt/repo$ ls
README.md
bandit28@bandit:/tmp/tmp.0HXHG7V3Lt/repo$ cat README.md
# Bandit Notes
Some notes for level29 of bandit.

## credentials

- username: bandit29
- password: xxxxxxxxxx

bandit28@bandit:/tmp/tmp.0HXHG7V3Lt/repo$ git log
commit 073c27c130e6ee407e12faad1dd3848a110c4f95
Author: Morla Porla <morla@overthewire.org>
Date:   Tue Oct 16 14:00:39 2018 +0200

    fix info leak

commit 186a1038cc54d1358d42d468cdc8e3cc28a93fcb
Author: Morla Porla <morla@overthewire.org>
Date:   Tue Oct 16 14:00:39 2018 +0200

    add missing data

commit b67405defc6ef44210c53345fc953e6a21338cc7
Author: Ben Dover <noone@overthewire.org>
Date:   Tue Oct 16 14:00:39 2018 +0200

    initial commit of README.md
bandit28@bandit:/tmp/tmp.0HXHG7V3Lt/repo$ git checkout b67405defc6ef44210c53345fc953e6a21338cc7
Note: checking out 'b67405defc6ef44210c53345fc953e6a21338cc7'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:

  git checkout -b <new-branch-name>

HEAD is now at b67405d... initial commit of README.md
bandit28@bandit:/tmp/tmp.0HXHG7V3Lt/repo$ ls
README.md
bandit28@bandit:/tmp/tmp.0HXHG7V3Lt/repo$ cat README.md
# Bandit Notes
Some notes for level29 of bandit.

## credentials

- username: bandit29
- password: <TBD>

bandit28@bandit:/tmp/tmp.0HXHG7V3Lt/repo$ git checkout 186a1038cc54d1358d42d468cdc8e3cc28a93fcb
Previous HEAD position was b67405d... initial commit of README.md
HEAD is now at 186a103... add missing data
bandit28@bandit:/tmp/tmp.0HXHG7V3Lt/repo$ cat README.md
# Bandit Notes
Some notes for level29 of bandit.

## credentials

- username: bandit29
- password: bbc96594b4e001778eee9975372716b2

Key points

  1. git is a version-tracking tool: view the history with log;
  2. check out a given SHA point in history;
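
Levels 30 → 31, 29 → 30 and 28 → 29 all rest on the same point: a value that is gone from the checked-out file is still reachable through a tag, another branch or an older commit. The script below is an added example, not part of the original write-up, that audits a constructed repository for such leftovers before it is shared; the repository contents, the EXAMPLE-* values and the function names are assumptions made for the demonstration.

```sh
#!/bin/sh
# Constructed demo: every "secret" below is a made-up placeholder.
set -eu

make_leaky_repo() {
    repo=$(mktemp -d)
    g() { git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid "$@"; }
    g init -q
    # Same sequence as Level 28: placeholder, real value, then a redaction.
    for pw in '<TBD>' 'EXAMPLE-HISTORY-SECRET' 'xxxxxxxxxx'; do
        printf '%s\n' '- username: demo' "- password: $pw" > "$repo/README.md"
        g add README.md
        g commit -q -m 'update README'
    done
    main=$(g symbolic-ref --short HEAD)
    g checkout -q -b dev
    printf '%s\n' '- password: EXAMPLE-BRANCH-SECRET' > "$repo/README.md"
    g commit -q -am 'add data needed for development'
    g checkout -q "$main"
    # A lightweight tag that points straight at a blob, not at a commit.
    g tag secret "$(printf 'EXAMPLE-TAG-SECRET\n' | g hash-object -w --stdin)"
    printf '%s\n' "$repo"
}

# Every password value ever added on any ref, minus redaction placeholders.
history_secrets() {
    git -C "$1" log --all -p --no-color --format= |
        sed -n 's/^+.*password: *//p' |
        grep -v -e '^<TBD>$' -e '^x*$' | sort -u
}

# Refs pointing directly at a blob or tree; 'git log' never walks these.
non_commit_refs() {
    git -C "$1" for-each-ref --format='%(refname:short) %(objecttype)' |
        awk '$2 == "blob" || $2 == "tree"'
}

demo=$(make_leaky_repo)
echo "checked-out README:"; cat "$demo/README.md"
echo "values still in history:"; history_secrets "$demo"
echo "refs outside the commit graph:"; non_commit_refs "$demo"
rm -rf "$demo"
```

A redaction commit such as "fix info leak" leaves the earlier value in history, so a credential that was ever committed should be rotated rather than only overwritten.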

Bandit Level 27 → Level 28

There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo. The password for the user bandit27-git is the same as for the user bandit27.

Clone the repository and find the password for the next level.

Solution

bandit27@bandit:~$ mktemp -d
/tmp/tmp.RG0BBbh379
bandit27@bandit:~$ cd /tmp/tmp.RG0BBbh379
bandit27@bandit:/tmp/tmp.RG0BBbh379$ git clone ssh://bandit27-git@localhost/home/bandit27-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit27/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit27/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit27-git@localhost's password:

remote: Counting objects: 3, done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 3 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (3/3), done.
bandit27@bandit:/tmp/tmp.RG0BBbh379$ cd repo/
bandit27@bandit:/tmp/tmp.RG0BBbh379/repo$ ls
README
bandit27@bandit:/tmp/tmp.RG0BBbh379/repo$ cat README
The password to the next level is: 0ef186ac70e04ea33b4c1853d2526fa2

Key points

  1. clone, a basic command of the git version-tracking tool

Bandit Level 26 → Level 27

Good job getting a shell! Now hurry and grab the password for bandit27!

Solution

bandit26@bandit:~$ ls -l bandit27-do
-rwsr-x--- 1 bandit27 bandit26 7296 Oct 16  2018 bandit27-do
bandit26@bandit:~$ ./bandit27-do cat /etc/bandit_pass/bandit27
3ba3118a22e93127a4ed485be72ef5ea

Key points

  1. ls -l shows that the executable bandit27-do has the setuid bit set

Bandit Level 25 → Level 26

Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.

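Solution

Logging in to bandit26 with ssh -i exits immediately, but a lot of content is printed before the exit.
Now shrink the terminal height to only a few lines (so the login output cannot be printed in full) and log in again: the output is incomplete, and the session does not exit right away.
At this point, press v to enter Vim, which keeps the bandit26 login alive.
In Vim's command mode, open the bandit26 password file: :e /etc/bandit_pass/bandit26.
This gives the password: 5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z
We are still inside Vim, though, and cannot do much (some environment variables are missing and system commands cannot be run). Set the variable with set shell=/bin/bash and then run shell, and we have a working bash.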

Key points

  1. Basic Vim operations;
  2. Vim commands;

Bandit Level 24 → Level 25

A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.

Solution

bandit24@bandit:~$ :>/tmp/tmp.1YN5hffeea
bandit24@bandit:~$ for i in {0000..9999}
> do
> echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i" >> /tmp/tmp.1YN5hffeea
> done

bandit24@bandit:~$ nc localhost 30002 < /tmp/tmp.1YN5hffeea

...

Correct!
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

Key points

  1. The loop i in {0000..9999} runs from 0000 to 9999, prepending the bandit24 password and writing each line to a file;
  2. nc reads the file and sends it to local port 30002;