bandit labs 通关记

官方网站

level 0

1
The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.
1
2
ssh bandit0@bandit.labs.overthewire.org -p 2220
bandit0

Level 0 → Level 1

1
The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.
1
2
find / -name readme
cat /home/bandit0/readme

Level 1 → Level 2

1
The password for the next level is stored in a file called - located in the home directory
1
2
ssh bandit1@bandit.labs.overthewire.org -p 2220
boJ9jbbUNNfktd78OOpsqOltutMc3MY1

查看-文件,但是根据Advanced Bash-Scripting Guide的定义,cat -进入到标准输入。
这里引出catcat -的区别
cat file打开文件,没有权限的可以sudo cat file
cat <file shell打开文件,将其作为cat标准输入传递

1
cat <-

Level 2 → Level 3

1
The password for the next level is stored in a file called spaces in this filename located in the home directory
1
2
ssh bandit2@bandit.labs.overthewire.org -p 2220
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

打开spaces in this filename文件,需要加双引号

1
cat "spaces in this filename"

Level 3 → Level 4

1
The password for the next level is stored in a hidden file in the inhere directory.
1
2
ssh bandit3@bandit.labs.overthewire.org -p 2220
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
1
cat inhere/.hidden

Level 4 → Level 5

1
The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.
1
2
ssh bandit4@bandit.labs.overthewire.org -p 2220
pIwrPrtPN36QITSp3EQaw936yaFoFgAB
1
2
3
4
cat inhere/*
cat inhere/-file07
cd inhere/
cat <-file07

Level 5 → Level 6

1
2
3
4
5
The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:

human-readable
1033 bytes in size
not executable
1
2
ssh bandit5@bandit.labs.overthewire.org -p 2220
koReBOKuIDDepwhWk7jZC0RTdopnAYKh
1
2
find -type f -size 1033c ! -executable
cat inhere/maybehere07/.file2

Level 6 → Level 7

1
2
3
4
5
The password for the next level is stored somewhere on the server and has all of the following properties:

owned by user bandit7
owned by group bandit6
33 bytes in size
1
2
ssh bandit6@bandit.labs.overthewire.org -p 2220
DXjZPULLxYr17uwoI01bNLQbtFemEgo7

文件特征

1
2
3
owned by user bandit7
owned by group bandit6
33 bytes in size
1
2
find / -user bandit7 -group bandit6 -size 33c 2>/dev/null
cat /var/lib/dpkg/info/bandit7.password

Level 7 → Level 8

1
The password for the next level is stored in the file data.txt next to the word millionth
1
2
ssh bandit7@bandit.labs.overthewire.org -p 2220
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
1
cat data.txt | grep millionth

Level 8 → Level 9

1
The password for the next level is stored in the file data.txt and is the only line of text that occurs only once
1
2
ssh bandit8@bandit.labs.overthewire.org -p 2220
cvX2JJa4CFALtqS87jk27qwqGhBM9plV
1
2
3
4
5
6
7
8
cat data.txt | sort | uniq -c | sort -nr | tail -n 1
cat data.txt | sort | uniq -u
#sort排序
#sort -n 按数字排序
#sort -r 倒序排序
#uniq -c 删除文件中重复出现的行,并在行首显示该行重复出现的次数
#uniq -u 仅显示出一次的行列
#tail -n 1 显示最后一行

Level 9 → Level 10

1
The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.
1
2
ssh bandit9@bandit.labs.overthewire.org -p 2220
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
1
cat data.txt | strings | grep =

Level 10 → Level 11

1
The password for the next level is stored in the file data.txt, which contains base64 encoded data
1
2
ssh bandit10@bandit.labs.overthewire.org -p 2220
truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk

直接解码

1
cat data.txt | base64 -d

Level 11 → Level 12

1
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions
1
2
ssh bandit11@bandit.labs.overthewire.org -p 2220
IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR
1
cat data.txt | tr 'a-zA-Z' 'n-za-mN-ZA-M'

Level 12 → Level 13

1
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)
1
2
ssh bandit12@bandit.labs.overthewire.org -p 2220
5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

套娃题

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
bandit12@bandit:~$ mkdir /tmp/jxswcy
bandit12@bandit:~$ cp data.txt /tmp/jxswcy
bandit12@bandit:~$ cd /tmp/jxswcy
bandit12@bandit:/tmp/jxswcy$ file data.txt
data.txt: ASCII text
bandit12@bandit:/tmp/jxswcy$ xxd -r data.txt data
bandit12@bandit:/tmp/jxswcy$ file data
data: gzip compressed data, was "data2.bin", last modified: Thu May 7 18:14:30 2020, max compression, from Unix
bandit12@bandit:/tmp/jxswcy$ mv data data.gz
bandit12@bandit:/tmp/jxswcy$ gzip -d data.gz
bandit12@bandit:/tmp/jxswcy$ file data
data: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/jxswcy$ mv data data.bz2
bandit12@bandit:/tmp/jxswcy$ bzip2 -d data.bz2
bandit12@bandit:/tmp/jxswcy$ file data
data: gzip compressed data, was "data4.bin", last modified: Thu May 7 18:14:30 2020, max compression, from Unix
bandit12@bandit:/tmp/jxswcy$ mv data data.gz
bandit12@bandit:/tmp/jxswcy$ gzip -d data.gz
bandit12@bandit:/tmp/jxswcy$ file data
data: POSIX tar archive (GNU)
bandit12@bandit:/tmp/jxswcy$ mv data data.tar
bandit12@bandit:/tmp/jxswcy$ tar xvf data.tar
data5.bin
bandit12@bandit:/tmp/jxswcy$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@bandit:/tmp/jxswcy$ mv data5.bin data5.tar
bandit12@bandit:/tmp/jxswcy$ tar xvf data5.tar
data6.bin
bandit12@bandit:/tmp/jxswcy$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/jxswcy$ mv data6.bin data6.tar
bandit12@bandit:/tmp/jxswcy$ tar xvf data6.tar
data8.bin
bandit12@bandit:/tmp/jxswcy$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", last modified: Thu May 7 18:14:30 2020, max compression, from Unix
bandit12@bandit:/tmp/jxswcy$ mv data8.bin data8.gz
bandit12@bandit:/tmp/jxswcy$ gzip -d data8.gz
bandit12@bandit:/tmp/jxswcy$ file data8
data8: ASCII text
bandit12@bandit:/tmp/jxswcy$ cat data8
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
bandit12@bandit:/tmp/jxswcy$ rm -rf /tmp/jxswcy

Level 13 → Level 14

1
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on
1
2
ssh bandit13@bandit.labs.overthewire.org -p 2220
8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
bandit13@bandit:~$ ls
sshkey.private
bandit13@bandit:~$ cat sshkey.private
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAxkkOE83W2cOT7IWhFc9aPaaQmQDdgzuXCv+ppZHa++buSkN+
gg0tcr7Fw8NLGa5+Uzec2rEg0WmeevB13AIoYp0MZyETq46t+jk9puNwZwIt9XgB
ZufGtZEwWbFWw/vVLNwOXBe4UWStGRWzgPpEeSv5Tb1VjLZIBdGphTIK22Amz6Zb
ThMsiMnyJafEwJ/T8PQO3myS91vUHEuoOMAzoUID4kN0MEZ3+XahyK0HJVq68KsV
ObefXG1vvA3GAJ29kxJaqvRfgYnqZryWN7w3CHjNU4c/2Jkp+n8L0SnxaNA+WYA7
jiPyTF0is8uzMlYQ4l1Lzh/8/MpvhCQF8r22dwIDAQABAoIBAQC6dWBjhyEOzjeA
J3j/RWmap9M5zfJ/wb2bfidNpwbB8rsJ4sZIDZQ7XuIh4LfygoAQSS+bBw3RXvzE
pvJt3SmU8hIDuLsCjL1VnBY5pY7Bju8g8aR/3FyjyNAqx/TLfzlLYfOu7i9Jet67
xAh0tONG/u8FB5I3LAI2Vp6OviwvdWeC4nOxCthldpuPKNLA8rmMMVRTKQ+7T2VS
nXmwYckKUcUgzoVSpiNZaS0zUDypdpy2+tRH3MQa5kqN1YKjvF8RC47woOYCktsD
o3FFpGNFec9Taa3Msy+DfQQhHKZFKIL3bJDONtmrVvtYK40/yeU4aZ/HA2DQzwhe
ol1AfiEhAoGBAOnVjosBkm7sblK+n4IEwPxs8sOmhPnTDUy5WGrpSCrXOmsVIBUf
laL3ZGLx3xCIwtCnEucB9DvN2HZkupc/h6hTKUYLqXuyLD8njTrbRhLgbC9QrKrS
M1F2fSTxVqPtZDlDMwjNR04xHA/fKh8bXXyTMqOHNJTHHNhbh3McdURjAoGBANkU
1hqfnw7+aXncJ9bjysr1ZWbqOE5Nd8AFgfwaKuGTTVX2NsUQnCMWdOp+wFak40JH
PKWkJNdBG+ex0H9JNQsTK3X5PBMAS8AfX0GrKeuwKWA6erytVTqjOfLYcdp5+z9s
8DtVCxDuVsM+i4X8UqIGOlvGbtKEVokHPFXP1q/dAoGAcHg5YX7WEehCgCYTzpO+
xysX8ScM2qS6xuZ3MqUWAxUWkh7NGZvhe0sGy9iOdANzwKw7mUUFViaCMR/t54W1
GC83sOs3D7n5Mj8x3NdO8xFit7dT9a245TvaoYQ7KgmqpSg/ScKCw4c3eiLava+J
3btnJeSIU+8ZXq9XjPRpKwUCgYA7z6LiOQKxNeXH3qHXcnHok855maUj5fJNpPbY
iDkyZ8ySF8GlcFsky8Yw6fWCqfG3zDrohJ5l9JmEsBh7SadkwsZhvecQcS9t4vby
9/8X4jS0P8ibfcKS4nBP+dT81kkkg5Z5MohXBORA7VWx+ACohcDEkprsQ+w32xeD
qT1EvQKBgQDKm8ws2ByvSUVs9GjTilCajFqLJ0eVYzRPaY6f++Gv/UVfAPV4c+S0
kAWpXbv5tbkkzbS0eaLPTKgLzavXtQoTtKwrjpolHKIHUz6Wu+n4abfAIRFubOdN
/+aLoRQ0yBDRbdXMsZN/jvY44eM+xRLdRVyMmdPtP8belRi2E2aEzA==
-----END RSA PRIVATE KEY-----
bandit13@bandit:~$ ssh -i sshkey.private bandit14@localhost
1
2
bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

Level 14 → Level 15

1
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
1
2
ssh bandit14@bandit.labs.overthewire.org -p 2220
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
1
2
3
4
telnet localhost 30000
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
nc localhost 30000
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

Level 15 → Level 16

1
2
3
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command
1
2
ssh bandit15@bandit.labs.overthewire.org -p 2220
BfMYroe26WYalil77FoDi9qh59eK5xNr
1
2
3
openssl s_client -connect localhost:30001
BfMYroe26WYalil77FoDi9qh59eK5xNr
cat /etc/bandit_pass/bandit15 | openssl s_client -connect localhost:30001 -quiet

Level 16 → Level 17

1
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
1
2
ssh bandit16@bandit.labs.overthewire.org -p 2220
cluFn7wTiGryunymYOu4RcffSxQluehd
1
2
3
nmap -p 31000-32000 localhost
#对开放的端口尝试连接,在31790发现密钥
cat /etc/bandit_pass/bandit16 | openssl s_client -connect localhost:31790 -quiet
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
-----END RSA PRIVATE KEY-----
1
2
3
4
5
mkdir /tmp/jxswcy
vim /tmp/jxswcy/sshkey.private
chmod 600 /tmp/jxswcy/sshkey.private
ssh -i /tmp/jxswcy/sshkey.private bandit17@localhost
cat /etc/bandit_pass/bandit17

Level 17 → Level 18

1
2
3
There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new

NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19
1
2
ssh bandit17@bandit.labs.overthewire.org -p 2220
xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn
1
diff passwords.new passwords.old

Level 18 → Level 19

1
The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
1
2
ssh bandit18@bandit.labs.overthewire.org -p 2220
kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd

因为有人修改了.bashrc,通过bandit17登录bandit18

1
2
3
ssh -T bandit18@localhost
kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
cat readme

Level 19 → Level 20

1
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.
1
2
ssh bandit19@bandit.labs.overthewire.org -p 2220
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
1
./bandit20-do cat /etc/bandit_pass/bandit20

Level 20 → Level 21

1
2
3
There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: Try connecting to your own network daemon to see if it works as you think
1
2
ssh bandit20@bandit.labs.overthewire.org -p 2220
GbKksEFF4yrVs6il55v6gwY5aVje5f0j

先在一台上开启监听

1
nc -lvp 1234 < /etc/bandit_pass/bandit20

再在另一台上运行

1
./suconnect 1234



Level 21 → Level 22

1
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
1
2
ssh bandit21@bandit.labs.overthewire.org -p 2220
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
1
2
3
4
ls /etc/cron.d/
cat /etc/cron.d/*
cat /usr/bin/cronjob_bandit*
cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

Level 22 → Level 23

1
2
3
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
1
2
ssh bandit22@bandit.labs.overthewire.org -p 2220
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
1
2
3
cat /usr/bin/cronjob_bandit23.sh
echo I am user bandit23 | md5sum | cut -d ' ' -f 1
cat /tmp/8ca319486bfbbc3663ea0fbe81326349

Level 23 → Level 24

1
2
3
4
5
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!

NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…
1
2
ssh bandit23@bandit.labs.overthewire.org -p 2220
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
1
2
3
4
5
6
7
cat /usr/bin/cronjob_bandit24.sh
mkdir /tmp/jxswcy24
vim /tmp/jxswcy24/jxswcy.sh
chmod 777 /tmp/jxswcy24
chmod 777 /tmp/jxswcy24/jxswcy.sh
cp /tmp/jxswcy24/jxswcy.sh /var/spool/bandit24/
cat /tmp/jxswcy24/password

Level 24 → Level 25

1
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.
1
2
ssh bandit24@bandit.labs.overthewire.org -p 2220
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ