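A game for learning Linux, and a good way to practice and understand the Linux commands you have studied.
Challenge address: Bandit

Bandit Level 0
Goal: connect to bandit.labs.overthewire.org over SSH.

```
# Xshell local-shell syntax (port as a trailing argument);
# with OpenSSH use: ssh -p 2220 bandit0@bandit.labs.overthewire.org
ssh bandit0@bandit.labs.overthewire.org 2220
```

(Note: <N> stands for the level number; at the start, for example, it is bandit0.)
I personally use Xshell to play this game. Because a level has nothing more to do with the previous one once it is cleared, choosing to accept the host key once when prompted is enough.

```
cat readme
boJ9jbbUNNfktd78OOpsqOltutMc3MY1
```

There is a readme file, and it holds the password for the next level.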
KEY
boJ9jbbUNNfktd78OOpsqOltutMc3MY1
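Level 1 -> Level 2

```
ssh bandit1@bandit.labs.overthewire.org 2220
boJ9jbbUNNfktd78OOpsqOltutMc3MY1
```

That is roughly how the game is played; this step is omitted from here on.
After running ls, the file turns out to be named with a special character. Files named with special characters also often cause security problems, so it is best to avoid naming files that way. In this level the file name is '-', a single minus sign, and in Linux this symbol is commonly used to introduce command options.
To solve this, the characters after the special character must not be interpreted as an option. Solution:

```
vim -- -

cat ./-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
```

In testing, cat cannot open the file with "-- -", but vim can.
How to handle file names containing spaces and special characters on Linux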
KEY
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
Level 2 -> Level 3
The file in this level is called "spaces in this filename". The name contains spaces, so without further ado, escape them with backslashes.

```
bandit2@bandit:~$ cat spaces\ in\ this\ filename
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
```
KEY
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
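
The two naming problems from Levels 1 and 2, as an added example that is not part of the original write-up: a POSIX shell script that builds constructed files named -, -n and "spaces in this filename" in a temporary directory and compares a naive read with a safe one. The function names, the file contents and the extra -n case are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: constructed files in a throwaway directory.
demo_dir=$(mktemp -d)
printf 'dash-secret\n'  > "$demo_dir/-"
printf 'opt-secret\n'   > "$demo_dir/-n"
printf 'space-secret\n' > "$demo_dir/spaces in this filename"

# Naive read: the name is passed bare and unquoted, so "-" means stdin,
# "-n" is parsed as an option, and the spaces split into four arguments.
# stdin is /dev/null so that "cat -" returns instead of waiting for input.
naive_cat() {
    ( cd "$demo_dir" && cat $1 </dev/null 2>/dev/null )
}

# Safe read: a "./" prefix means the argument can never look like an
# option or like cat's "-" operand, "--" ends option parsing for tools
# that honour it, and the quotes keep the name as a single argument.
safe_cat() {
    ( cd "$demo_dir" && cat -- "./$1" )
}

# Show both results side by side; the naive column stays empty.
for name in - -n "spaces in this filename"; do
    printf '%-26s naive=[%s] safe=[%s]\n' \
        "$name" "$(naive_cat "$name")" "$(safe_cat "$name")"
done
```

The same "./" prefix and quoting apply to any command that takes file names, which is why scripts that loop over untrusted directory contents should use ./* rather than a bare *.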
Level 3 -> Level 4
This one is simple; here is the session.

```
bandit3@bandit:~$ ls
inhere
bandit3@bandit:~$ cd inhere/
bandit3@bandit:~/inhere$ ls
bandit3@bandit:~/inhere$ ls -al
total 12
drwxr-xr-x 2 root    root    4096 Oct 16 14:00 .
drwxr-xr-x 3 root    root    4096 Oct 16 14:00 ..
-rw-r----- 1 bandit4 bandit3   33 Oct 16 14:00 .hidden
bandit3@bandit:~/inhere$ cat .hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB
```
KEY
pIwrPrtPN36QITSp3EQaw936yaFoFgAB
Level 4 -> Level 5
At first I just gritted my teeth and went at it directly.
Later:

```
bandit4@bandit:~/inhere$ file ./*
./-file00: data
./-file01: data
./-file02: data
./-file03: data
./-file04: data
./-file05: data
./-file06: data
./-file07: ASCII text
./-file08: data
./-file09: data
koReBOKuIDDepwhWk7jZC0RTdopnAYKh
```
KEY
koReBOKuIDDepwhWk7jZC0RTdopnAYKh
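Level 5 -> Level 6
Seeing that many files, my first step was:

```
bandit5@bandit:~$ cat inhere/maybehere*/*
```

Don't do this: there are many files and a lot of data. Replacing cat with file and taking a look showed 19 directories with 6 files in each. Note that the level states the file size, so use find:

```
bandit5@bandit:~$ find inhere -size 1033c
```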
KEY
DXjZPULLxYr17uwoI01bNLQbtFemEgo7
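Level 6 -> Level 7
The level gives three hints:
owned by user bandit7
owned by group bandit6
33 bytes in size
Use find's -user to specify the file owner, -group to specify the group and -size to specify the file size.

```
find / -user bandit7 -group bandit6 -size 33c
```

This produces a lot of Permission denied messages. I tried to filter them out with grep without success, and I have to admire how the experts use 2>.

```
find / -user bandit7 -group bandit6 -size 33c 2>/dev/null
```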
KEY
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
Level 7 -> Level 8
After logging in, ls shows a data.txt file, and my first move was:

```
bandit7@bandit:~$ cat data.txt | grep "password"
password's OnplaHV7DRbmveA3HgrPFBMwin0CAcZn
password ZySlP1BLPNbPmeZkambeGEYvBC6zyyfu
passwords QJIcoAmCWhkmsPbONAfFH3pmN91Ua9OX
```

Pay attention to the task: the password comes after the word millionth.

```
bandit7@bandit:~$ grep "millionth" data.txt
millionth cvX2JJa4CFALtqS87jk27qwqGhBM9plV
```

(Read the task carefully.)
KEY
cvX2JJa4CFALtqS87jk27qwqGhBM9plV
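Level 8 -> Level 9
Sort the file's data with the sort command, then use the uniq command's -u option to print the lines that are not repeated.
uniq expects text that is already sorted, whether piped in or given as a file, because it only compares adjacent lines.

```
bandit8@bandit:~$ sort data.txt | uniq -u
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
```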
KEY
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
Level 9 -> Level 10
strings prints the printable strings found in an object file or binary file; adding grep is all that is needed.

```
bandit9@bandit:~$ strings data.txt | grep -P "^="
========== password
========== isa
=FQ?P\U
= F[
=)$=
========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
```
KEY
truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
Level 10 -> Level 11
A base64 encoding problem; decode it with -d.

```
bandit10@bandit:~$ base64 -d data.txt
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR
```
KEY
IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR
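Level 11 -> Level 12
At first I thought I had misread the task, but it really is a Caesar cipher, this time with an offset of 13, also known as ROT13.
(Python has a module that can do the conversion as below; to be added here.)

```
bandit11@bandit:~$ cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
```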
KEY
5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
Level 12 -> Level 13
This level lends itself to a loop; it mainly uses file, bzip2, gzip and tar.

```
bandit12@bandit:~$ cd /tmp
bandit12@bandit:/tmp$ ls
ls: cannot open directory '.': Permission denied
bandit12@bandit:/tmp$ mkdir bandit12
mkdir: cannot create directory ‘bandit12’: File exists
bandit12@bandit:/tmp$ mkdir test2018
bandit12@bandit:/tmp$ cd test2018
bandit12@bandit:/tmp/test2018$ ls
bandit12@bandit:/tmp/test2018$ cp /home/bandit12/data.txt .
bandit12@bandit:/tmp/test2018$ ls
data.txt
bandit12@bandit:/tmp/test2018$ xxd -r data0
xxd: data0: No such file or directory
bandit12@bandit:/tmp/test2018$ xxd -r data.txt data0
bandit12@bandit:/tmp/test2018$ ls
data0 data.txt
bandit12@bandit:/tmp/test2018$ file data0
data0: gzip compressed data, was "data2.bin", last modified: Tue Oct 16 12:00:23 2018, max compression, from Unix
bandit12@bandit:/tmp/test2018$ mv data0 data.gz
bandit12@bandit:/tmp/test2018$ gzip -d data.gz
bandit12@bandit:/tmp/test2018$ file data
data: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/test2018$ ls
data data.txt
bandit12@bandit:/tmp/test2018$ bzip -d data
-bash: bzip: command not found
bandit12@bandit:/tmp/test2018$ bzip2 -d data
bzip2: Can't guess original name for data -- using data.out
bandit12@bandit:/tmp/test2018$ ls
data.out data.txt
bandit12@bandit:/tmp/test2018$ file data.out
data.out: gzip compressed data, was "data4.bin", last modified: Tue Oct 16 12:00:23 2018, max compression, from Unix
bandit12@bandit:/tmp/test2018$ gzip -d data.out
gzip: data.out: unknown suffix -- ignored
bandit12@bandit:/tmp/test2018$ mv data.out data4.gz && gzip -d data4.gz
bandit12@bandit:/tmp/test2018$ ls
data4 data.txt
bandit12@bandit:/tmp/test2018$ file data4
data4: POSIX tar archive (GNU)
bandit12@bandit:/tmp/test2018$ tar -xvf data4
data5.bin
bandit12@bandit:/tmp/test2018$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@bandit:/tmp/test2018$ tar -xvf data5
tar: data5: Cannot open: No such file or directory
tar: Error is not recoverable: exiting now
bandit12@bandit:/tmp/test2018$ tar -xvf data5.bin
data6.bin
bandit12@bandit:/tmp/test2018$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/test2018$ bzip2 -d data6.bin
bzip2: Can't guess original name for data6.bin -- using data6.bin.out
bandit12@bandit:/tmp/test2018$ file data6.bin.out
data6.bin.out: POSIX tar archive (GNU)
bandit12@bandit:/tmp/test2018$ tar -xvf data6.bin.out
data8.bin
bandit12@bandit:/tmp/test2018$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", last modified: Tue Oct 16 12:00:23 2018, max compression, from Unix
bandit12@bandit:/tmp/test2018$ mv data8.bin data8.gz && gzip -d data8.gz
bandit12@bandit:/tmp/test2018$ ls
data4 data5.bin data6.bin.out data8 data.txt
bandit12@bandit:/tmp/test2018$ file data8
data8: ASCII text
bandit12@bandit:/tmp/test2018$ cat data8
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
bandit12@bandit:/tmp/test2018$
```
KEY
8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
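
The manual file/rename/decompress cycle above, automated as an added example that is not part of the original write-up: a POSIX shell script that picks the tool for each layer from its magic bytes and stops when plain data remains. It leaves out the initial xxd -r step, assumes every tar layer holds a single member, and runs on a constructed sample; the function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: peel nested gzip/bzip2/tar layers, choosing the tool
# from each layer's magic bytes (what `file` reports in the session above).
layer_type() {
    magic=$(od -An -tx1 -N3 "$1" | tr -d ' \n')
    case $magic in
        1f8b*)  echo gzip ;;
        425a68) echo bzip2 ;;                      # ASCII "BZh"
        *)  # a tar header carries "ustar" at byte offset 257
            if [ "$(dd if="$1" bs=1 skip=257 count=5 2>/dev/null)" = ustar ]
            then echo tar; else echo plain; fi ;;
    esac
}

# Print the innermost payload of $1. Works on a copy in a private
# mktemp directory, so nothing is renamed or left behind in /tmp.
peel() {
    work=$(mktemp -d) || return 1
    cp -- "$1" "$work/cur" || return 1
    n=0
    while [ "$n" -lt 32 ]; do                      # cap the nesting depth
        case $(layer_type "$work/cur") in
            gzip)  gzip  -dc < "$work/cur" > "$work/next" ;;
            bzip2) bzip2 -dc < "$work/cur" > "$work/next" ;;
            tar)   tar -xOf "$work/cur" > "$work/next" ;;
            plain) cat "$work/cur"; rm -rf "$work"; return 0 ;;
        esac || break                              # a tool failed: give up
        mv "$work/next" "$work/cur"
        n=$((n + 1))
    done
    rm -rf "$work"
    return 1
}

# Constructed sample: text -> gzip -> tar -> gzip (not the level's data).
make_sample() {
    src=$(mktemp -d) || return 1
    printf 'The password is CONSTRUCTED-EXAMPLE\n' > "$src/data8"
    gzip -c "$src/data8" > "$src/data6.bin"
    tar -cf "$src/data5.bin" -C "$src" data6.bin
    gzip -c "$src/data5.bin" > "$src/sample"
    echo "$src/sample"
}

sample=$(make_sample) && peel "$sample"
rm -rf "${sample%/*}"
```

Reading the compressed data from stdin avoids the "unknown suffix" and "Can't guess original name" messages seen in the session, because no output file name has to be derived.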
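Level 13 -> Level 14
This level requires ssh's -i option.
Task statement:
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don't get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on. (Proudly translated with Google Translate.)

```
ssh -i sshkey.private bandit14@localhost

bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
```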
KEY
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Level 14 -> Level 15
The task is to connect to local port 30000 as the bandit14 account and send the key obtained in the previous level.

```
bandit14@bandit:~$ nc localhost 30000
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr
```
KEY
BfMYroe26WYalil77FoDi9qh59eK5xNr
Level 15 -> Level 16
Use the following command:

```
openssl s_client -connect localhost:30001 -ign_eof
# submit
BfMYroe26WYalil77FoDi9qh59eK5xNr
Correct!
```

What the -ign_eof option does: the connection is not closed when the input reaches end of file.
KEY
cluFn7wTiGryunymYOu4RcffSxQluehd
Level 16 -> Level 17

```
bandit16@bandit:~$ nmap -p31000-32000 127.0.0.1

Starting Nmap 7.40 ( https://nmap.org ) at 2018-12-27 03:52 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00019s latency).
Not shown: 999 closed ports
PORT      STATE SERVICE
31518/tcp open  unknown
31790/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
bandit16@bandit:/tmp/pq$ echo cluFn7wTiGryunymYOu4RcffSxQluehd | openssl s_client -quiet -connect localhost:31790 > sshkey.private
```

When I used nmap's -A option I got no response here, so I did not use that option.
-A: enables OS detection, version detection, script scanning and traceroute
In testing, port 31518 returns whatever you submit, while submitting on port 31790 returns an SSH private key. Save it, then connect using this private key. (I wrote the output to a file and then used vim to delete the other useless content.)

```
bandit16@bandit:/tmp/pq$ cat sshkey.private
```
The permissions of the sshkey.private file need to be changed.

```
chmod 600 sshkey.private
ssh -i sshkey.private bandit17@localhost
```
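References:
file command
openssl command
Reference blogs:
Bandit walkthrough
OverTheWire Bandit Writeup (11-20)

Summary
This game is really good. For someone like me who reads books all day, it is a great chance to practice. I knew many of the commands but not how to use them; having played halfway through, I can handle some basic command operations, which for me personally already counts as moving up a level.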