Wargames

发表于 | 分类于 |

https://overthewire.org/wargames/

Bandit

  • host: ssh bandit0@bandit.labs.overthewire.org -p 2220
  • pass: bandit0
$ cat readme
$ cat ./-
$ cat *
$ cd inhere/;cat .hidden
$ cd inhere/;file ./*;strings ./*
$ cat `find . -size 1033c`
$ cat `find / -size 33c -group bandit6 -user bandit7 2>/dev/null`
$ cat data.txt | grep millionth
$ sort data.txt | uniq -u
$ strings data.txt | grep ====
$ cat data.txt | base64 -d
$ cat data.txt | tr "a-zA-Z" "n-za-mN-ZA-M"
$ rm -rf /tmp/xuan;mkdir /tmp/xuan;cp data.txt /tmp/xuan;cd /tmp/xuan;xxd -r data.txt > data.bin;file data.bin;mv data.bin data.gz;gzip -d data.gz;file data;bzip2 -d data;cp data.out data.gz;gzip -d data.gz;tar -xvf data;tar -xvf data5.bin;bzip2 -d data6.bin;tar -xvf data6.bin.out;mv data8.bin data8.gz;gzip -d data8.gz;cat data8
$ ssh -i sshkey.private bandit14@localhost -o stricthostkeychecking=no "cat  /etc/bandit_pass/bandit14"
$ echo "4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e" | nc localhost 30000
$ echo "BfMYroe26WYalil77FoDi9qh59eK5xNr" | openssl s_client -connect localhost:30001 -quiet 2>/dev/null
$ rm -rf /tmp/gogodena;mkdir /tmp/gogodena;nmap -p 31000-32000 localhost;nmap -sV -p 31046,31518,31691,31790,31960 localhost;echo "cluFn7wTiGryunymYOu4RcffSxQluehd" | openssl s_client -connect localhost:31790 -quiet 2>/dev/null | tail -n 28 >> /tmp/gogodena/ssh.private;cd /tmp/gogodena;chmod 600 ssh.private;ssh -i ssh.private bandit17@localhost -o stricthostkeychecking=no "cat /etc/bandit_pass/bandit17"
$ diff passwords.old  passwords.new
$ ssh bandit18@bandit.labs.overthewire.org -p 2220 "cat readme"
$ ./bandit20-do cat /etc/bandit_pass/bandit20
$ sh -c "echo 'GbKksEFF4yrVs6il55v6gwY5aVje5f0j' | nc -l -p 8888 &";./suconnect 8888
$ cat /etc/cron.d/*;cat /usr/bin/cronjob_bandit22.sh;cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
$ cat /etc/cron.d/*;cat /usr/bin/cronjob_bandit23.sh;echo I am user bandit23 | md5sum | cut -d ' ' -f 1;cat /tmp/8ca319486bfbbc3663ea0fbe81326349
$ rm -rf /tmp/xuan23;mkdir /tmp/xuan23;chmod 777 /tmp/xuan23;echo -e '#!/bin/sh\ncat  /etc/bandit_pass/bandit24  > /tmp/xuan23/pass' > script.sh;chmod 777 script.sh;sleep 60;cat /tmp/xuan23/pass
$ python -c 'for i in range(10000):print("UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ "+str(i).zfill(4))' | nc localhost 30002
$ ssh -i bandit26.sshkey bandit26@localhost  -o stricthostkeychecking=no # 缩小屏幕,卡在more应用程序上,然后按v进入编辑模式,然后输入:r /etc/bandit_pass/bandit26 获得密码,或者输入:set shell=/bin/bash,然后继续输入:shell进而getshell
$ ./bandit27-do cat /etc/bandit_pass/bandit27

$ git clone;cd repo/;cat README
$ git clone;cd repo/;git log;git reset --hard 186a;cat README.md
$ git clone;cd repo/;git branch -a;git checkout origin/dev;cat README.md
$ git clone;cd repo/;cd .git/;cat *;git show --name-only secret
$ git clone;cd repo/;echo "May I come in?" > key.txt;rm -rf .gitignore;git add .;git commit -m "xxx";git push origin master
$ $0;cat /etc/bandit_pass/bandit33