http://overthewire.org/wargames/bandit/bandit0.html
OverTheWire Bandit write-up.
Level 0
SSH login
ssh bandit0@bandit.labs.overthewire.org -p2220
Level 0 -> Level 1
Read the readme file.
Level 1 -> Level 2
Read a file whose name is '-'
Commands treat a leading '-' as an option (cat treats a bare '-' as standard input), so cat - cannot read the file.
A quick search gives the fix: refer to it by a path that does not start with '-', i.e. cat ./-
Level 2 -> Level 3
Read the file 'spaces in this filename'
I solved it by typing the first part of the name and pressing Tab, which completes the rest.
cat spaces\ in\ this\ filename
Spaces in a file name are escaped as '\ '; quoting the whole name (cat "spaces in this filename") works as well.
Level 3 -> Level 4
Files whose names start with a dot are hidden from a plain ls; ls -a shows a hidden file called .hidden, which holds the password.
Level 4 -> Level 5
Go into the inhere directory and
there are many files whose names start with '-'.
Reading them one by one with the trick from Level 1 (prefix the name with ./),
the password turns up in -file07.
Level 5 -> Level 6
There are many files and directories, and the one holding the password has to be found among them.
There are clues, though: http://overthewire.org/wargames/bandit/bandit6.html
- human-readable
- 1033 bytes in size
- not executable
Use find to look for the file that is exactly 1033 bytes (find's -size needs a c suffix to count bytes; a bare number means 512-byte blocks).
Level 6 -> Level 7
http://overthewire.org/wargames/bandit/bandit7.html
Somewhere on the server there is a file that satisfies the conditions below.
- owned by user bandit7
- owned by group bandit6
- 33 bytes in size
find / -type f -user bandit7 -group bandit6 -size 33c 2>/dev/null
bandit6 cannot enter most directories, so find prints a Permission denied line for each of them; sending stderr to /dev/null leaves only the hit.
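As an added example (not from the original write-up), the find invocations for Levels 5 and 6 wrapped in functions, together with the details that trip people up: -size only counts bytes when the number carries a c suffix, -executable and the user/group tests are ordinary predicates, and 2>/dev/null hides the Permission denied noise from directories the user cannot enter. The directory, user and group are parameters here so the functions can be tried on any box; on the Bandit server the calls would be find_by_size inhere 1033 and find_by_owner / bandit7 bandit6 33.

```shell
#!/bin/bash
# Level 5: regular files of exactly N bytes that are not executable.
# Usage: find_by_size <dir> <bytes>
find_by_size() {
    # "c" after the number means bytes; a bare number means 512-byte blocks
    find "$1" -type f -size "$2"c ! -executable 2>/dev/null
}

# Level 6: regular files of exactly N bytes owned by a given user and group.
# Usage: find_by_owner <dir> <user> <group> <bytes>
# Directories we cannot enter produce "Permission denied" on stderr; drop
# that so the single hit is visible.
find_by_owner() {
    find "$1" -type f -user "$2" -group "$3" -size "$4"c 2>/dev/null
}
```

Both functions take the starting directory as their first argument; the file's "human-readable" property is not a find predicate, so check the hits afterwards with file or cat.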
Level 7 -> Level 8
The password for the next level is stored in the file data.txt next to the word millionth
grep millionth data.txt
Level 8 -> Level 9
The password for the next level is stored in the file data.txt and is the only line of text that occurs only once
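Added example, not part of the original write-up: the standard pipeline for this level, and the reason it has two stages. uniq only compares a line with its neighbour, so the file must be sorted first to bring duplicates next to each other; uniq -u then keeps the lines that have no equal neighbour. The sample file is constructed here with its duplicates scattered to show why the sort matters.

```shell
#!/bin/bash
# Print the single line that occurs exactly once in a file (Level 8).
# uniq compares neighbouring lines only, so sort first to bring duplicates
# together; -u then keeps every line that has no neighbour equal to it.
unique_line() {
    sort "$1" | uniq -u
}

# Constructed sample: every line appears twice except "the-only-one",
# and the repeats are deliberately not adjacent.
make_sample() {
    printf 'alpha\nbeta\nthe-only-one\ngamma\nalpha\ngamma\nbeta\n' > "$1"
}
```

Running uniq -u on the unsorted sample passes all seven lines through, because none of the duplicates sit next to each other.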
Level 9 -> Level 10
The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.
Level 10 -> Level 11
The password for the next level is stored in the file data.txt, which contains base64 encoded data
Decode it with base64 -d.
Level 11 -> Level 12
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions
A decoding website would do, but the Linux tr command handles ROT13 as well (ROT13 is its own inverse, so the same mapping encodes and decodes): https://www.chmag.in/articles/momsguide/decoding-rot-using-the-echo-and-tr-commands-in-your-linux-terminal/
tr 'n-za-mN-ZA-M' 'a-zA-Z' < data.txt
Level 12 -> Level 13
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)
The hexdump has to be turned back into binary first.
bandit12@bandit:~$ mkdir /tmp/m4ndu
bandit12@bandit:~$ cp data.txt /tmp/m4ndu
bandit12@bandit:~$ cd /tmp/m4ndu
bandit12@bandit:/tmp/m4ndu$ xxd -r data.txt > data
bandit12@bandit:/tmp/m4ndu$ file data
data: gzip compressed data, was "data2.bin", last modified: Tue Oct 16 12:00:23 2018, max compression, from Unix
Give it a .gz extension and decompress it with gzip.
bandit12@bandit:/tmp/m4ndu$ mv data data.gz
bandit12@bandit:/tmp/m4ndu$ gzip -d data.gz
bandit12@bandit:/tmp/m4ndu$ file data
data: bzip2 compressed data, block size = 900k
This time give it a .bz2 extension and decompress it with bzip2.
bandit12@bandit:/tmp/m4ndu$ mv data data.bz2
bandit12@bandit:/tmp/m4ndu$ bzip2 -d data.bz2
bandit12@bandit:/tmp/m4ndu$ file data
data: gzip compressed data, was "data4.bin", last modified: Tue Oct 16 12:00:23 2018, max compression, from Unix
gzip again
bandit12@bandit:/tmp/m4ndu$ mv data data.gz
bandit12@bandit:/tmp/m4ndu$ gzip -d data.gz
bandit12@bandit:/tmp/m4ndu$ file data
data: POSIX tar archive (GNU)
This time extract the tar archive
bandit12@bandit:/tmp/m4ndu$ mv data data.tar
bandit12@bandit:/tmp/m4ndu$ tar -xvf data.tar
data5.bin
bandit12@bandit:/tmp/m4ndu$ file data5.bin
data5.bin: POSIX tar archive (GNU)
Keep going the same way.
bandit12@bandit:/tmp/m4ndu$ mv data5.bin data5.tar
bandit12@bandit:/tmp/m4ndu$ tar -xvf data5.tar
data6.bin
bandit12@bandit:/tmp/m4ndu$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/m4ndu$ mv data6.bin data6.bz2
bandit12@bandit:/tmp/m4ndu$ bunzip2 data6.bz2
bandit12@bandit:/tmp/m4ndu$ ls
data5.tar data6 data.tar data.txt
bandit12@bandit:/tmp/m4ndu$ file data6
data6: POSIX tar archive (GNU)
bandit12@bandit:/tmp/m4ndu$ mv data6 data6.tar
bandit12@bandit:/tmp/m4ndu$ tar -xvf data6.tar
data8.bin
bandit12@bandit:/tmp/m4ndu$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", last modified: Tue Oct 16 12:00:23 2018, max compression, from Unix
bandit12@bandit:/tmp/m4ndu$ mv data8.bin data8.gz
bandit12@bandit:/tmp/m4ndu$ gzip -d data8.gz
bandit12@bandit:/tmp/m4ndu$ ls
data5.tar data6.tar data8 data.tar data.txt
bandit12@bandit:/tmp/m4ndu$ file data8
data8: ASCII text
bandit12@bandit:/tmp/m4ndu$ cat data8
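The loop above is mechanical, so here it is automated as an added example (not the write-up's own code). Each layer is identified from its magic bytes rather than from file(1): 1f 8b for gzip, "BZh" for bzip2, and "ustar" at byte offset 257 for tar. The matching tool unpacks one layer and the loop stops when the current file is none of the three, i.e. when the payload is reached. Only the formats that occur in this level are handled. Run xxd -r first as above, then call unwrap_all data inside your working directory under /tmp, since tar extracts into the current directory.

```shell
#!/bin/bash
# Unpack one layer of a repeatedly compressed file, identified by its magic
# bytes instead of the file(1) command. Prints the name of the file it
# produced, or nothing if the input is not gzip, bzip2 or tar (the payload).
# Run from the directory holding the file: tar extracts into the cwd.
unwrap_once() {
    f=$1
    magic=$(head -c 3 "$f" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        1f8b*)                       # gzip: 1f 8b
            mv "$f" "$f.gz" && gzip -d "$f.gz" && echo "$f" ;;
        425a68)                      # bzip2: "BZh"
            mv "$f" "$f.bz2" && bzip2 -d "$f.bz2" && echo "$f" ;;
        *)
            # tar has no leading magic; "ustar" sits at byte offset 257
            if [ "$(tail -c +258 "$f" | head -c 5)" = "ustar" ]; then
                member=$(tar -tf "$f" | head -n 1)
                tar -xf "$f" && echo "$member"
            fi ;;
    esac
}

# Keep unwrapping until unwrap_once produces nothing; print the final file.
unwrap_all() {
    cur=$1
    while next=$(unwrap_once "$cur") && [ -n "$next" ]; do
        echo "$cur -> $next" >&2     # progress on stderr, result on stdout
        cur=$next
    done
    echo "$cur"
}
```

As with the manual steps, gzip -d and bzip2 -d name the output after the file you gave them minus the extension, not after the original name stored in the header, so the final file is whatever the last layer was called.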
Level 13 -> Level 14
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on
Use the private key to ssh into bandit14 and read the file.
ssh -i sshkey.private bandit14@localhost
cat /etc/bandit_pass/bandit14
Level 14 -> Level 15
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
bandit14@bandit:~$ nc localhost 30000
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr
Level 15 -> Level 16
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…
openssl s_client -connect localhost:30001
Then submit the Level 15 password over that connection.
Level 16 -> Level 17
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
Find the open ports in the 31000 to 32000 range.
bandit16@bandit:~$ nmap -sT -p 31000-32000 localhost
Starting Nmap 7.40 ( https://nmap.org ) at 2019-01-08 05:23 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00020s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
31518/tcp open unknown
31790/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
Two ports are open; the one that speaks SSL is the target. With only two candidates, just try both.
openssl s_client -connect localhost:31518
openssl s_client -connect localhost:31790
31790 sends back an RSA private key.
Copy it and save it somewhere writable (a directory under /tmp, for example) -> 17.private
ssh refuses a private key that other users can read, so restrict its permissions; sudo is not needed because the file is yours.
chmod 400 17.private
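nmap is installed on the Bandit host, but that is not a given elsewhere. As an added example (not from the write-up), the port scan and the SSL check can be done with bash and openssl alone: bash's /dev/tcp/HOST/PORT pseudo-device opens a TCP connection, and openssl s_client exits non-zero when no TLS handshake completes. The host and port range are parameters; on the server the calls would be scan_open_ports localhost 31000 32000 and then tls_ports localhost 31518 31790 (the two ports nmap reported above).

```shell
#!/bin/bash
# List TCP ports in [from, to] on host that accept a connection.
# Bash opens /dev/tcp/HOST/PORT as a real socket; a refused connection
# makes the redirection fail, which the subshell turns into a non-zero
# status. Requires bash; plain sh has no /dev/tcp.
scan_open_ports() {
    host=$1; from=$2; to=$3
    p=$from
    while [ "$p" -le "$to" ]; do
        if (exec 3<>"/dev/tcp/$host/$p") 2>/dev/null; then
            echo "$p"
        fi
        p=$((p + 1))
    done
}

# From a list of open ports, print the ones that complete a TLS handshake.
# With stdin closed, s_client exits 0 after a successful handshake and
# non-zero when the peer is a plain-text service that cannot answer the
# ClientHello (the echo servers on this level just send it back).
tls_ports() {
    host=$1; shift
    for p in "$@"; do
        if openssl s_client -connect "$host:$p" </dev/null >/dev/null 2>&1; then
            echo "$p"
        fi
    done
}
```

Once the TLS port is known, connect to it interactively as above (openssl s_client -connect localhost:PORT, with -ign_eof if the session drops early) and submit the password.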
Level 17 -> Level 18
ssh -i 17.private bandit17@bandit.labs.overthewire.org -p2220
There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new
NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19
bandit17@bandit:~$ diff passwords.old passwords.new
Level 18 -> Level 19
The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
ssh bandit18@bandit.labs.overthewire.org -p2220 "cat readme"
Level 19 -> Level 20
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.
bandit20-do is setuid bandit20: it runs the command you give it with bandit20's privileges, so use it to read bandit20's password file.
./bandit20-do cat /etc/bandit_pass/bandit20
Level 20 -> Level 21
There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
NOTE: Try connecting to your own network daemon to see if it works as you think
Open a second terminal and make another ssh connection.
In the new terminal, start nc in listen mode on a port of your choosing.
In the other terminal, run the setuid binary with that port as its argument; it connects to your listener.
In the terminal running nc, type the current (bandit20) password; the binary reads that line, and if it matches, the next level's password comes back on the same connection.
Level 21 -> Level 22
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
cd /etc/cron.d
ls
cat cronjob_bandit22
cat /usr/bin/cronjob_bandit22.sh
cat /tmp/t706lds9S0RqQh9aMcz6ShpAoZKF7fgb
Level 22 -> Level 23
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
cd /etc/cron.d
ls
cat cronjob_bandit23
cat /usr/bin/cronjob_bandit23.sh
echo I am user bandit23 | md5sum | cut -d ' ' -f 1
cat /tmp/8ca319486bfbbc3663ea0fbe81326349
Level 23 -> Level 24
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…
cd /etc/cron.d
ls
cat cronjob_bandit24
cat /usr/bin/cronjob_bandit24.sh
mkdir /tmp/mandu
chmod 777 /tmp/mandu/
cd /var/spool/bandit24/
Create 24.sh here with the following contents:
#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/mandu/m
chmod 777 24.sh
Check the permissions on your directory under /tmp: the cron job runs the script as bandit24, so if that user cannot write there, /tmp/mandu/m is never created. Mode 777 works, but it also lets every other player list and read the file you drop there; mode 733 (others may write and traverse, but not list) is enough for the cron job. The script is deleted once it has run, so keep a copy elsewhere if you need to retry.
Level 24 -> Level 25
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.
Python is available on the box, so I wrote a script and ran it.
#!/usr/bin/env python3
import socket

host = "127.0.0.1"
port = 30002
password = "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ"   # bandit24's password

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
conn = s.makefile("rw")          # line-oriented I/O: one reply per readline()
print(conn.readline().strip())   # banner
for pin in range(10000):
    pincode = "%04d" % pin       # zero-padded so 0000-0999 are tried too
    conn.write(password + " " + pincode + "\n")
    conn.flush()
    result = conn.readline().strip()
    if "Wrong" not in result:    # anything but the "Wrong!" reply is the answer
        print(pincode, result)
        print(conn.read())       # whatever else the server sends before it disconnects
        break
s.close()
Once the right pin is sent the server closes the connection itself, so let it run for a while and the answer is printed at the end of the output.
Level 25 -> Level 26
Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.
/etc/passwd records each user's login shell, and the entry for bandit26 shows that it is not bash.
grep bandit26 /etc/passwd
Read whatever the seventh field of that entry points to; how to break out depends on what that program does.
cat "$(grep '^bandit26:' /etc/passwd | cut -d: -f7)"
uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG