Bandit: mainly for practicing Linux commands

  • Level 10 → Level 11
    • Level description:
    • Solution:
  • Level 11 → Level 12
    • Level description:
    • Solution:
  • Level 12 → Level 13
    • Level description:
    • Solution:
  • Level 13 → Level 14
    • Level description:
    • Solution:
  • Level 14 → Level 15
    • Level description:
    • Solution:
  • Level 15 → Level 16
    • Level description:
    • Solution:
  • Level 16 → Level 17
    • Level description:
    • Solution:
  • Level 17 → Level 18
    • Level description:
    • Solution:
  • Level 18 → Level 19
    • Level description:
    • Solution:
  • Level 19 → Level 20
    • Level description:
    • Solution:

Level 10 → Level 11

Level description:

The password for the next level is stored in the file data.txt, which contains base64-encoded data


Solution:

# Decode base64
bandit10@bandit:~$ ls
data.txt
bandit10@bandit:~$ cat data.txt
VGhlIHBhc3N3b3JkIGlzIElGdWt3S0dzRlc4TU9xM0lSRnFyeEUxaHhUTkViVVBSCg==
bandit10@bandit:~$
bandit10@bandit:~$
bandit10@bandit:~$ base64 data.txt
VkdobElIQmhjM04zYjNKa0lHbHpJRWxHZFd0M1MwZHpSbGM0VFU5eE0wbFNSbkZ5ZUVVeGFIaFVU
a1ZpVlZCU0NnPT0K
bandit10@bandit:~$
bandit10@bandit:~$ base64 -d data.txt
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR
bandit10@bandit:~$

Level 11 → Level 12

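Level description:

Hint: the password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions


Solution:


# This is equivalent to swapping the first 13 letters of the alphabet with the last 13. As the hint suggests, the tr command is what we need, so read up on its usage. Counting 13 letters on from a gives n, so a is replaced with n.
bandit11@bandit:~$ cat data.txt
Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh
bandit11@bandit:~$ man tr
bandit11@bandit:~$ cat data.txt |tr 'a-zA-Z' 'n-za-mN-ZA-M'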
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

Level 12 → Level 13

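Level description:

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work, using mkdir. For example: mkdir /tmp/myname123. Then copy the data file using cp, and rename it using mv (read the man pages!)


Solution:

# This level is really infuriating; anyone with a short temper will probably want to smash the keyboard...
# It mainly tests knowledge of decompression. Don't get worked up and don't lose your temper; there is a long road ahead.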
bandit12@bandit:~$ cd /tmp/
bandit12@bandit:/tmp$ mkdir /tmp/abc
bandit12@bandit:/tmp$ cd /tmp/abc
bandit12@bandit:/tmp/abc$ cp ~/data.txt ./
bandit12@bandit:/tmp/abc$ ls
data.txt
bandit12@bandit:/tmp/abc$
bandit12@bandit:/tmp/abc$ cat data.txt
00000000: 1f8b 0808 0650 b45e 0203 6461 7461 322e  .....P.^..data2.
00000010: 6269 6e00 013d 02c2 fd42 5a68 3931 4159  bin..=...BZh91AY
00000020: 2653 598e 4f1c c800 001e 7fff fbf9 7fda  &SY.O...........
# The rest of the dump is unreadable binary, so I have left it out
# The dump above contains a hint: convert it back into the file data2.bin
bandit12@bandit:/tmp/abc$ xxd -r data.txt > data2.bin
bandit12@bandit:/tmp/abc$ ls
data2.bin  data.txt
bandit12@bandit:/tmp/abc$ file data2.bin
data2.bin: gzip compressed data, was "data2.bin", last modified: Thu May  7 18:14:30 2020, max compression, from Unix
# file reports gzip, so rename the file with a suffix gzip accepts and decompress it
bandit12@bandit:/tmp/abc$ mv data2.bin data.gz
bandit12@bandit:/tmp/abc$
bandit12@bandit:/tmp/abc$ gzip -d data.gz
bandit12@bandit:/tmp/abc$ ls
data  data.txt
bandit12@bandit:/tmp/abc$ file data
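data: bzip2 compressed data, block size = 900k
# After decompressing, the result turns out to be bzip2 data, so rename it again with a suffix bzip2 accepts and decompress. It just keeps going...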
bandit12@bandit:/tmp/abc$ bzip -d data
-bash: bzip: command not found
bandit12@bandit:/tmp/abc$ mv data data.bz2
bandit12@bandit:/tmp/abc$ file *
data.bz2: bzip2 compressed data, block size = 900k
data.txt: ASCII text
bandit12@bandit:/tmp/abc$ bzip2 -d data.bz2
bandit12@bandit:/tmp/abc$ ls
data  data.txt
bandit12@bandit:/tmp/abc$ file data
data: gzip compressed data, was "data4.bin", last modified: Thu May  7 18:14:30 2020, max compression, from Unix
bandit12@bandit:/tmp/abc$ mv data data.gz
bandit12@bandit:/tmp/abc$ ls
data.gz  data.txt
bandit12@bandit:/tmp/abc$ gzip -d data.gz
bandit12@bandit:/tmp/abc$ ls
data  data.txt
bandit12@bandit:/tmp/abc$ file data
data: POSIX tar archive (GNU)
bandit12@bandit:/tmp/abc$ mv data data.tar
bandit12@bandit:/tmp/abc$ tar -xvf data.tar
data5.bin
bandit12@bandit:/tmp/abc$ cat data5.bin
data6.bin0000644000000000000000000000033613655050006011247 0ustar  rootrootBZh91AY&SY+
£A Ϻ<jA¤Ӫ                                                                          ÿܙ@ᅰÿt!ހõ   @ѣ ѓ! hiM BȨ$fz&1*姲貧}+Q²P̻(f}ѳ©@Թ»¢ªTj»1Pㆆ®ۏߨ²@Țɒ=ڳ¯ā*怳*Y!$r忏䄳堂@ 0¬,
bandit12@bandit:/tmp/abc$ Xshell
-bash: Xshell: command not found
bandit12@bandit:/tmp/abc$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@bandit:/tmp/abc$ mv data5.bin  data.tar
bandit12@bandit:/tmp/abc$ tar xvf data.tar
data6.bin
bandit12@bandit:/tmp/abc$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/abc$ mv data6.bin data.bz2
bandit12@bandit:/tmp/abc$
bandit12@bandit:/tmp/abc$ ls
data.bz2  data.tar  data.txt
bandit12@bandit:/tmp/abc$ bzip2 -d data.bz2
bandit12@bandit:/tmp/abc$ ls
data  data.tar  data.txt
bandit12@bandit:/tmp/abc$ file *
data:     POSIX tar archive (GNU)
data.tar: POSIX tar archive (GNU)
data.txt: ASCII text
bandit12@bandit:/tmp/abc$ rm -rf data.tar
bandit12@bandit:/tmp/abc$ mv data data.tar
bandit12@bandit:/tmp/abc$ tar xvf data.tar
data8.bin
bandit12@bandit:/tmp/abc$
bandit12@bandit:/tmp/abc$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", last modified: Thu May  7 18:14:30 2020, max compression, from Unix
bandit12@bandit:/tmp/abc$ cat data8.bin
P´^data9.binȈU(H,..ͯJQƬV°ʪtɴ
w͎KMͰ(¯p.3.O2J4ꉴ1
bandit12@bandit:/tmp/abc$ mv data8.bin data8.gz
bandit12@bandit:/tmp/abc$ gzip -d data8.gz
bandit12@bandit:/tmp/abc$ ls
data8  data.tar  data.txt
bandit12@bandit:/tmp/abc$ file *
data8:    ASCII text
data.tar: POSIX tar archive (GNU)
data.txt: ASCII text
bandit12@bandit:/tmp/abc$ cat data8
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
bandit12@bandit:/tmp/abc$
# Either way, we finally got the password for the next level. Let's continue
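
The rename-and-decompress loop above can be automated by dispatching on each layer's magic bytes instead of on file suffixes. The Python example below is added here and is not part of the original write-up; it reverses the xxd dump, then peels gzip, bzip2 and tar layers in memory with a per-layer size cap, and it runs on a constructed sample (placeholder payload, hypothetical helper names) built with the same layer order as the transcript.

```python
import bz2
import gzip
import io
import tarfile

MAX_LAYERS = 32              # stop on endlessly nested input
MAX_SIZE = 10 * 1024 * 1024  # per-layer cap against decompression bombs

def xxd_reverse(dump):
    """Rebuild bytes from xxd text lines: 'offset: hex groups  ascii'."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" in line:
            hex_part = line.split(":", 1)[1].split("  ", 1)[0]
            out += bytes.fromhex(hex_part)
    return bytes(out)

def detect(blob):
    """Classify a layer by magic bytes, the way `file` reports it."""
    if blob[:2] == b"\x1f\x8b":
        return "gzip"
    if blob[:3] == b"BZh":
        return "bzip2"
    if blob[257:262] == b"ustar":
        return "tar"
    return "data"

def _capped(stream):
    data = stream.read(MAX_SIZE + 1)
    if len(data) > MAX_SIZE:
        raise ValueError("layer exceeds size cap")
    return data

def peel(blob):
    """Unwrap until no known magic remains; return (payload, layers)."""
    layers = []
    while len(layers) < MAX_LAYERS:
        kind = detect(blob)
        if kind == "data":
            return blob, layers
        layers.append(kind)
        src = io.BytesIO(blob)
        if kind == "gzip":
            blob = _capped(gzip.GzipFile(fileobj=src))
        elif kind == "bzip2":
            blob = _capped(bz2.BZ2File(src))
        else:
            # Read the single member in memory: nothing is written to disk,
            # so member names are never trusted as paths.
            with tarfile.open(fileobj=src) as tar:
                (member,) = [m for m in tar.getmembers() if m.isfile()]
                blob = _capped(tar.extractfile(member))
    raise ValueError("too many nested layers")

def _tar(name, payload):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

def build_sample():
    """Constructed dump with the same layer order as the transcript."""
    blob = gzip.compress(b"The password is <constructed-sample>\n")
    blob = _tar("data5.bin", _tar("data6.bin", bz2.compress(_tar("data8.bin", blob))))
    blob = gzip.compress(bz2.compress(gzip.compress(blob)))
    return "\n".join(f"{off:08x}: {blob[off:off + 16].hex(' ', -2):<39}  ...."
                     for off in range(0, len(blob), 16))
```

Calling peel(xxd_reverse(build_sample())) returns the plaintext together with the list of layers it removed, which matches the sequence `file` reported at each step of the session.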

Level 13 → Level 14

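Level description:

The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don't get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on


Solution:

# This tests how to use ssh with a supplied key: the -i option lets you log in to the next level with the key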
bandit13@bandit:~$ ls
sshkey.private
bandit13@bandit:~$ cat sshkey.private
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
bandit13@bandit:~$
bandit13@bandit:~$ ssh bandit14@localhost -i sshkey.private
Enjoy your stay!
bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
bandit14@bandit:~$ 

Level 14 → Level 15

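Level description:

Hint: the password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.


Solution:

# The level hints at the nc command, so use nc to connect to port 30000 on localhost.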
bandit14@bandit:~$ nc localhost:30000
localhost:30000: forward host lookup failed: No address associated with name
bandit14@bandit:~$ nc localhost 30000
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr
bandit14@bandit:~$

Level 15 → Level 16

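Level description:

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

Helpful note: getting "HEARTBEATING" and "Read R BLOCK"? Use -ign_eof and read the "CONNECTED COMMANDS" section of the man page. Besides "R" and "Q", the "B" command also works in this version of that command…


Solution:

# The hint points to the openssl command; we can search Baidu for how to use it.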
bandit15@bandit:~$ openssl s_client -connect localhost:30001
CONNECTED(00000003)
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
---
Certificate chain
 0 s:/CN=localhost
   i:/CN=localhost
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/CN=localhost
issuer=/CN=localhost
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1019 bytes and written 269 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    ...
    Start Time: 1623844041
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: yes
---
BfMYroe26WYalil77FoDi9qh59eK5xNr
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd
closed
bandit15@bandit:~$ 

Level 16 → Level 17

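Level description:

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don't. There is only 1 server that will give the next credentials; the others will simply send back to you whatever you send to them.


Solution:

# This level is a bit roundabout. The approach: first scan the port range with nmap to see which ports speak SSL, then interact with them using openssl,
# and, following the hints and reusing the method from the previous level, obtain the password
bandit16@bandit:~$ nmap -sV -A -p 31000-32000 localhost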
Starting Nmap 7.40 ( https://nmap.org ) at 2021-06-17 05:01 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00049s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE     VERSION
31046/tcp open  echo
31518/tcp open  ssl/echo
| ssl-cert: Subject: commonName=localhost
| Subject Alternative Name: DNS:localhost
| Not valid before: 2021-04-13T08:39:02
|_Not valid after:  2022-04-13T08:39:02
|_ssl-date: TLS randomness does not represent time
31691/tcp open  echo
31790/tcp open  ssl/unknown
| fingerprint-strings:
|   FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SIPOptions, SSLSessionReq, TLSSessionReq:
|_    Wrong! Please enter the correct current password
| ssl-cert: Subject: commonName=localhost
| Subject Alternative Name: DNS:localhost
| Not valid before: 2021-06-14T19:39:02
|_Not valid after:  2022-06-14T19:39:02
|_ssl-date: TLS randomness does not represent time
31960/tcp open  echo
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 88.44 seconds
bandit16@bandit:~$
bandit16@bandit:~$
bandit16@bandit:~$ openssl s_client -connect localhost:31518
---
cluFn7wTiGryunymYOu4RcffSxQluehd
cluFn7wTiGryunymYOu4RcffSxQluehd
^C
bandit16@bandit:~$ openssl s_client -connect localhost:31790
CONNECTED(00000003)
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
---
Certificate chain
 0 s:/CN=localhost
   i:/CN=localhost
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/CN=localhost
issuer=/CN=localhost
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1019 bytes and written 269 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    ...
    Start Time: 1623899921
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: yes
---
cluFn7wTiGryunymYOu4RcffSxQluehd
Correct!
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
closed
bandit16@bandit:~$ vim a.priv
bandit16@bandit:~$
bandit16@bandit:~$ cd /tmp
bandit16@bandit:/tmp$ vim a.priv
bandit16@bandit:/tmp$
bandit16@bandit:/tmp$
bandit16@bandit:/tmp$ ls
ls: cannot open directory '.': Permission denied
bandit16@bandit:/tmp$ ls -l
ls: cannot open directory '.': Permission denied
bandit16@bandit:/tmp$ mkdir a
bandit16@bandit:/tmp$ cd a
bandit16@bandit:/tmp/a$ vim a.priv
bandit16@bandit:/tmp/a$
bandit16@bandit:/tmp/a$
bandit16@bandit:/tmp/a$ ssh -i a.priv bandit17@localhost
Could not create directory '/home/bandit16/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit16/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'a.priv' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "a.priv": bad permissions
bandit17@localhost's password:
Permission denied, please try again.
bandit17@localhost's password:
bandit16@bandit:/tmp/a$ ls -l
total 4
-rw-r--r-- 1 bandit16 root 1676 Jun 17 05:20 a.priv
bandit16@bandit:/tmp/a$ chmod 600 a.priv
bandit16@bandit:/tmp/a$ ls -l
total 4
-rw------- 1 bandit16 root 1676 Jun 17 05:20 a.priv
bandit16@bandit:/tmp/a$
bandit16@bandit:/tmp/a$ ssh -i a.priv bandit17@localhost
Could not create directory '/home/bandit16/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit16/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
...
Enjoy your stay!
bandit17@bandit:~$
bandit17@bandit:~$ cat /etc/bandit_pass/bandit17
xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn
bandit17@bandit:~$ 
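
The "UNPROTECTED PRIVATE KEY FILE" failure in this level comes from saving the key with an editor under the default umask (0644) and only tightening it afterwards. As an added example (not from the original write-up; the function names and the placeholder key text are assumptions), the Python code below mirrors the OpenSSH rule that a key file you own is refused when any group or other permission bit is set, and creates a key file as 0600 from the first byte so it is never readable by other users.

```python
import os
import stat
import tempfile


def key_rejected(path):
    """True if ssh would refuse the key: caller owns it and mode & 077 != 0."""
    st = os.stat(path)
    return st.st_uid == os.getuid() and (st.st_mode & 0o077) != 0


def save_private_key(path, pem):
    """Create the key file with mode 0600 at creation time.

    O_EXCL refuses to reuse an existing file (or symlink) at that path, and
    passing the mode to os.open() means there is no window between writing
    the key and a later chmod in which other users could read it.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(pem)


def demo():
    """Reproduce the 0644 failure, the chmod 600 fix, and the safer create."""
    pem = ("-----BEGIN RSA PRIVATE KEY-----\n"
           "(constructed placeholder, not a real key)\n"
           "-----END RSA PRIVATE KEY-----\n")
    with tempfile.TemporaryDirectory() as work:
        loose = os.path.join(work, "a.priv")
        with open(loose, "w") as fh:      # what saving from an editor does
            fh.write(pem)
        os.chmod(loose, 0o644)            # the mode shown in the transcript
        before = key_rejected(loose)
        os.chmod(loose, 0o600)            # the fix used in the transcript
        after = key_rejected(loose)
        tight = os.path.join(work, "b.priv")
        save_private_key(tight, pem)
        mode = stat.S_IMODE(os.stat(tight).st_mode)
    return before, after, mode
```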

Level 17 → Level 18

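Level description:

There are 2 files in the home directory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new

NOTE: if you have solved this level and see "Byebye!" when trying to log into bandit18, this is related to the next level, bandit19


Solution:

# Nothing much to say about this level; just use diff to compare the two files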
bandit17@bandit:~$ ls
passwords.new  passwords.old
bandit17@bandit:~$
bandit17@bandit:~$
bandit17@bandit:~$ diff passwords.new  passwords.old
42c42
< kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
---
> w0Yfolrc5bwjS4qw5mq1nnQi6mF03bii
bandit17@bandit:~$ 

Level 18 → Level 19

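Level description:

The password for the next level is stored in a file readme in the home directory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

However, I found that when logging into this level, a Byebye popped up right away and the connection was dropped, which left me confused.

--[ More information ]--

For more information regarding individual wargames, visit
http://www.overthewire.org/wargames/

For support, questions or comments, contact us through IRC on
irc.overthewire.org #wargames.

Enjoy your stay!

Byebye !
Connection closed by foreign host.

Solution:

# From the previous level's shell we can connect to the next level over ssh and run a command directly to read the readme file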
bandit17@bandit:~$ ssh bandit18@localhost -t cat readme
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit17/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/home/bandit17/.ssh/id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "/home/bandit17/.ssh/id_rsa": bad permissions
bandit18@localhost's password:
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
Connection to localhost closed.
bandit17@bandit:~$ 

Level 19 → Level 20

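Level description:

To gain access to the next level, you should use the setuid binary in the home directory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass) after you have used the setuid binary.

Solution:

# First look at what is in the current directory. ls -l shows rws; what does the s mean? We need to look that up (the s in the owner's execute position is the setuid bit, so the program runs as the file's owner, bandit20).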
bandit19@bandit:~$ ll
-bash: ll: command not found
bandit19@bandit:~$ ls -l
total 8
-rwsr-x--- 1 bandit20 bandit19 7296 May  7  2020 bandit20-do
bandit19@bandit:~$
bandit19@bandit:~$ ./bandit20-do  cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j

All of the commands above have been tested; if you have improvements, please send a private message or leave a comment
