http://overthewire.org/wargames/bandit/bandit0.html
A walkthrough of the OverTheWire Bandit wargame.
Level 0
SSH login:
ssh bandit0@bandit.labs.overthewire.org -p2220
Level 0 -> Level 1
Read the readme file:
ls
cat readme
Level 1 -> Level 2
Read a file whose name is '-'
Because a leading '-' is parsed as an option, cat - does not open the file: to cat, '-' means standard input. Refer to the file by a path that cannot be mistaken for an option instead, as a quick search shows:
cat ./-
Level 2 -> Level 3
Read the file named "spaces in this filename"
I solved it by typing the first part of the name and pressing Tab: the shell completes the name with the spaces escaped.
cat spaces\ in\ this\ filename
So a space inside a file name is entered as '\ ' (quoting the whole name works as well).
Level 3 -> Level 4
cd inhere
ls -al
ls -al lists the hidden file .hidden (names starting with a dot are not shown by a plain ls).
cat .hidden
Level 4 -> Level 5
Inside the inhere directory
there are many files whose names start with '-'.
Reading them one by one with the ./ prefix from level 1 (the file command, used again in level 12, also tells you which one is ASCII text),
-file07 is the only human-readable one and contains the password.
Level 5 -> Level 6
There are many files and directories, and the one holding the password has to be found among them.
There are clues, though: http://overthewire.org/wargames/bandit/bandit6.html
- human-readable
- 1033 bytes in size
- not executable
find can match on the size directly; the size alone is usually enough, but the other conditions narrow the result down further:
find . -type f -size 1033c ! -executable
Level 6 -> Level 7
http://overthewire.org/wargames/bandit/bandit7.html
Somewhere on the server there is a file that satisfies all of the following:
- owned by user bandit7
- owned by group bandit6
- 33 bytes in size
Searching from / produces many permission-denied errors, so send them to /dev/null; the size condition makes the match exact:
find / -type f -user bandit7 -group bandit6 -size 33c 2>/dev/null
Level 7 -> Level 8
grep millionth data.txt
Level 8 -> Level 9
The password for the next level is stored in the file data.txt and is the only line of text that occurs only once
sort puts duplicate lines next to each other, and uniq -u then keeps only the lines that occur exactly once:
sort data.txt | uniq -u
Level 9 -> Level 10
The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.
strings prints the printable runs in the binary file; grep narrows them to the ones starting with '=':
strings data.txt | grep '=='
Level 10 -> Level 11
The password for the next level is stored in the file data.txt, which contains base64 encoded data
Decode it with base64 (-d decodes, -i ignores non-alphabet characters such as line breaks):
base64 -di data.txt
Level 11 -> Level 12
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions
An online decoder works, but the tr command does it locally (ROT13 is its own inverse, so the same mapping both encodes and decodes): https://www.chmag.in/articles/momsguide/decoding-rot-using-the-echo-and-tr-commands-in-your-linux-terminal/
tr 'n-za-mN-ZA-M' 'a-zA-Z' < data.txt
Level 12 -> Level 13
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)
The hexdump has to be turned back into binary first; xxd -r is the reverse of xxd.
bandit12@bandit:~$ mkdir /tmp/m4ndu
bandit12@bandit:~$ cp data.txt /tmp/m4ndu
bandit12@bandit:~$ cd /tmp/m4ndu
bandit12@bandit:/tmp/m4ndu$ xxd -r data.txt > data
bandit12@bandit:/tmp/m4ndu$ file data
data: gzip compressed data, was "data2.bin", last modified: Tue Oct 16 12:00:23 2018, max compression, from Unix
file identifies gzip data. gzip -d insists on a .gz suffix, so rename the file and decompress it:
bandit12@bandit:/tmp/m4ndu$ mv data data.gz
bandit12@bandit:/tmp/m4ndu$ gzip -d data.gz
The result is gzip again, so do the same once more:
bandit12@bandit:/tmp/m4ndu$ mv data data.gz
bandit12@bandit:/tmp/m4ndu$ gzip -d data.gz
bandit12@bandit:/tmp/m4ndu$ file data
data: POSIX tar archive (GNU)
This time it is a tar archive: rename and extract it, then run file on what comes out and keep unwrapping the same way until file reports ASCII text, which is the password.
bandit12@bandit:/tmp/m4ndu$ mv data data.tar
bandit12@bandit:/tmp/m4ndu$ tar xf data.tar
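The same unwrapping, done in Python as an added example (not code from the writeup or from OverTheWire): a parser for the default xxd layout standing in for xxd -r, and a loop that identifies each layer from its magic bytes the way file does and decodes it with the matching library. The sample blob is constructed inline (text wrapped in gzip, tar, bzip2 and gzip again) so the script runs offline; the level's real data is not reproduced here.

```python
#!/usr/bin/env python3
"""Reverse an xxd-style hexdump and peel nested compression layers by magic bytes.
Added example for the level 12 procedure; the sample payload below is constructed."""
import bz2
import gzip
import io
import tarfile


def xxd_dump(data, width=16):
    """Produce output in the default `xxd` layout: offset, 2-byte hex groups, ASCII column."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        groups = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        groups = groups.ljust(width * 2 + width // 2 - 1)  # pad a short last line like xxd
        ascii_col = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {groups}  {ascii_col}")
    return "\n".join(lines) + "\n"


def xxd_reverse(dump):
    """Equivalent of `xxd -r` for a complete, in-order dump. The hex field ends at the
    first double space, so hex-looking characters in the ASCII column are never parsed."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        _offset, _, rest = line.partition(":")
        hex_field, _, _ascii = rest.strip().partition("  ")
        out += bytes.fromhex(hex_field.replace(" ", ""))
    return bytes(out)


def unwrap(data, max_layers=32):
    """What `file` + gzip/bzip2/tar do by hand: recognise each layer from its magic
    bytes and decode it until the data is no longer a known container.
    Returns (payload, layer names outermost first)."""
    layers = []
    for _ in range(max_layers):
        if data[:2] == b"\x1f\x8b":
            layers.append("gzip")
            data = gzip.decompress(data)
        elif data[:3] == b"BZh":
            layers.append("bzip2")
            data = bz2.decompress(data)
        elif data[257:262] == b"ustar":
            layers.append("tar")
            with tarfile.open(fileobj=io.BytesIO(data)) as tf:
                files = [m for m in tf.getmembers() if m.isfile()]
                data = tf.extractfile(files[0]).read()  # the level's archives hold one member
        else:
            break
    return data, layers


def build_sample():
    """Constructed test input: text -> gzip -> tar -> bzip2 -> gzip, then hexdumped."""
    plaintext = b"The password is constructed-example-value\n"
    inner = gzip.compress(plaintext)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo("data4.bin")
        info.size = len(inner)
        tf.addfile(info, io.BytesIO(inner))
    blob = gzip.compress(bz2.compress(buf.getvalue()))
    return plaintext, xxd_dump(blob)


if __name__ == "__main__":
    expected, dump = build_sample()
    payload, layers = unwrap(xxd_reverse(dump))
    print(" -> ".join(layers))
    print(payload.decode(), end="")
```

On the real box you would feed the contents of data.txt to xxd_reverse and the result to unwrap; the magic checks are the same ones file uses, so the layer list printed here matches the sequence of file outputs in the transcript above.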
Level 13 -> Level 14
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on
Use the private key to log in as bandit14 over ssh, then read the file:
ssh -i sshkey.private bandit14@localhost
cat /etc/bandit_pass/bandit14
Level 14 -> Level 15
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
bandit14@bandit:~$ nc localhost 30000
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr
Level 15 -> Level 16
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…
openssl s_client -connect localhost:30001
Level 16 -> Level 17
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
Find the open ports in the range 31000 to 32000:
bandit16@bandit:~$ nmap -sT -p 31000-32000 localhost
Starting Nmap 7.40 ( https://nmap.org ) at 2019-01-08 05:23 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00020s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
31518/tcp open unknown
31790/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
Two ports are open; the one that speaks SSL and hands out the credentials has to be found. With only two, just try both:
openssl s_client -connect localhost:31518
openssl s_client -connect localhost:31790
Port 31790 returns an RSA private key.
Copy it into a file in your /tmp working directory -> 17.private
ssh refuses to use a key file that other users can read, so restrict its permissions (no sudo needed, it is your own file); then log in as bandit17 with it the same way as in level 13:
chmod 400 17.private
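Doing the port hunt from level 16 in one script, as an added example (not from the writeup or OverTheWire): connect to every port in a range, attempt a real TLS handshake to tell SSL services from plaintext ones, then send a probe line and see whether it simply comes back, which is how the decoy servers behave. The two local servers started here are constructed stand-ins (a pure echo service and one that answers with a made-up credential line); the probe string stands in for the bandit16 password, and TLS listeners are only exercised on the real box, since none of the test servers has a certificate.

```python
#!/usr/bin/env python3
"""Classify listeners in a port range as tls / echo / other (level 16 port hunt).
Added example; the servers below are constructed for offline testing."""
import socket
import socketserver
import ssl
import threading

PROBE = b"constructed-current-password\n"  # on the real box: the bandit16 password


def speaks_tls(host, port, timeout=1.0):
    """True only if a TLS handshake completes. Certificate verification is disabled
    on purpose: the question is whether the peer is TLS, not whether it is trusted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw):
                return True
    except OSError:            # ssl.SSLError is an OSError; a plaintext peer lands here
        return False


def classify(port, host="127.0.0.1", timeout=1.0):
    """Returns 'closed', 'tls', 'echo', 'silent' or 'other:<first reply line>'."""
    try:
        socket.create_connection((host, port), timeout=timeout).close()
    except OSError:            # refused (or unreachable): nothing listening for us
        return "closed"
    if speaks_tls(host, port, timeout):
        return "tls"           # talk to it with openssl s_client, as in the writeup
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(PROBE)
        try:
            reply = s.recv(4096)
        except socket.timeout:
            return "silent"
    if reply.rstrip() == PROBE.rstrip():
        return "echo"          # sends back whatever it received: a decoy
    return "other:" + reply.decode(errors="replace").strip()


def scan(ports, host="127.0.0.1"):
    """Like nmap -sT over the range, but keeping each listener's classification."""
    results = {}
    for port in ports:
        kind = classify(port, host)
        if kind != "closed":
            results[port] = kind
    return results


# --- constructed local servers, only so the scanner can be run offline ---
class EchoHandler(socketserver.BaseRequestHandler):
    def handle(self):
        data = self.request.recv(4096)
        if data:
            self.request.sendall(data)


class CredentialHandler(socketserver.BaseRequestHandler):
    def handle(self):
        if self.request.recv(4096):
            self.request.sendall(b"constructed-next-level-credentials\n")


def start_server(handler):
    """Start a threaded TCP server on a free loopback port; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def free_port():
    """A loopback port with nothing listening on it (bound briefly, then released)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    _, echo_port = start_server(EchoHandler)
    _, cred_port = start_server(CredentialHandler)
    for port, kind in scan([echo_port, cred_port, free_port()]).items():
        print(port, kind)
```

On the real level the range is scan(range(31000, 32001)); a result of 'tls' means the credential exchange has to be repeated with openssl s_client, since the plaintext probe cannot see past the handshake.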
Level 17 -> Level 18
There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new
NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19
bandit17@bandit:~$ diff passwords.old passwords.new
Level 18 -> Level 19
The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
ssh bandit18@bandit.labs.overthewire.org -p2220 "cat readme"
Level 19 -> Level 20
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.
bandit20-do is setuid, so it runs the given command with bandit20's privileges; that is enough to read the file:
./bandit20-do cat /etc/bandit_pass/bandit20
Level 20 -> Level 21
There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
NOTE: Try connecting to your own network daemon to see if it works as you think
Run a listener of your own in one terminal on a free port (for example with nc -l -p 31555, or nc -l 31555 depending on the netcat variant) that serves the bandit20 password as a line of text, then connect to it with suconnect from another terminal; if the line matches, the bandit21 password is sent back to the listener side:
./suconnect 31555
Level 21 -> Level 22
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
cd /etc/cron.d
ls
cat cronjob_bandit22
Level 22 -> Level 23
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
cd /etc/cron.d
ls
cat cronjob_bandit23
Level 23 -> Level 24
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…
cd /etc/cron.d
ls
cat cronjob_bandit24
24.sh
#!/bin/bash
# Runs as bandit24 from cron: copy the password somewhere we can read it afterwards.
cat /etc/bandit_pass/bandit24 > /tmp/mandu/m
Check the permissions of your directory under /tmp first: the script runs as bandit24, so the directory must be writable by that user (chmod 777 /tmp/mandu), or the output file is never created. The script itself has to be executable (chmod +x 24.sh) before it is placed where the cron job picks it up, and since it is deleted after it runs, keep a copy. Once the job has run:
cat /tmp/mandu/m
Level 24 -> Level 25
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.
Python is available on the box, so I wrote a Python script to try all 10000 pins. It keeps one connection open and reads replies line by line, so exactly one reply is consumed per attempt (the daemon's messages are not reproduced here, so every reply is printed and the odd one out is the hit):
#!/usr/bin/env python3
import socket

host = "127.0.0.1"
port = 30002
password = "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ"  # bandit24 password

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
reader = s.makefile("rb")                  # line-oriented reads, so replies never run together
print(reader.readline().decode().strip())  # banner sent by the daemon

for pin in range(10000):
    pincode = "%04d" % pin                 # 0000 .. 9999
    s.sendall(("%s %s\n" % (password, pincode)).encode())
    result = reader.readline().decode().strip()
    print(pincode, result)

s.close()
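A more robust version of the brute force, as an added example (not the writeup's script, nor anything from OverTheWire): the client stops at the first success and, if the daemon hangs up mid-run (rate-limited services do), reconnects and resends the same pin instead of silently skipping it. FakeDaemon is a constructed model of the port-30002 service so the client can be tested offline; its banner and reply texts, its secret pin and the "drop the connection after N attempts" behaviour are assumptions, and the success marker "Correct" is taken from the level 14 daemon's reply above, not observed on this one.

```python
#!/usr/bin/env python3
"""Brute-force a 4-digit pincode over a line-oriented TCP service (level 24 -> 25).
Added example; FakeDaemon below is constructed, not the real bandit service."""
import socket


class SocketConn:
    """Line framing over a real TCP socket (what you would use on the bandit box)."""

    def __init__(self, host="127.0.0.1", port=30002, timeout=5.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.reader = self.sock.makefile("rb")

    def send_line(self, line):
        self.sock.sendall(line.encode() + b"\n")

    def recv_line(self):
        """One reply line, or None if the peer closed the connection or went quiet."""
        try:
            data = self.reader.readline()
        except (socket.timeout, ConnectionResetError):
            return None
        return data.decode(errors="replace").rstrip("\r\n") if data else None

    def close(self):
        self.sock.close()


class FakeDaemon:
    """Constructed model of the pincode checker with the same send_line/recv_line interface."""
    PASSWORD = "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ"  # bandit24 password quoted in the writeup
    PIN = "4711"                                    # constructed secret
    NEXT_PASSWORD = "constructed-bandit25-password"

    def __init__(self, drop_after=None):
        self.drop_after = drop_after   # assumed rate limit: hang up after this many attempts
        self.attempts = 0
        self.alive = True
        self.pending = ["constructed banner: send '<bandit24 password> <pincode>'"]

    def send_line(self, line):
        if not self.alive:
            raise BrokenPipeError
        self.attempts += 1
        if self.drop_after and self.attempts > self.drop_after:
            self.alive = False         # drop the connection without answering
            return
        password, _, pin = line.partition(" ")
        if password == self.PASSWORD and pin == self.PIN:
            self.pending += ["Correct!", self.NEXT_PASSWORD]
            self.alive = False
        else:
            self.pending.append("Wrong! Try again.")

    def recv_line(self):
        if self.pending:
            return self.pending.pop(0)
        if not self.alive:
            return None
        raise RuntimeError("client would block: more replies read than requests sent")

    def close(self):
        self.alive = False


def brute_force(connect, password, is_success=lambda reply: "Correct" in reply):
    """Try 0000..9999 on one connection, reconnecting whenever the daemon hangs up.
    `connect` returns a fresh connection; returns (pin, reply, remaining lines) or None."""
    conn = connect()
    conn.recv_line()                               # banner
    for pin in range(10000):
        pincode = "%04d" % pin
        while True:                                # resend the same pin until it is answered
            try:
                conn.send_line("%s %s" % (password, pincode))
                reply = conn.recv_line()
            except (BrokenPipeError, ConnectionResetError):
                reply = None
            if reply is not None:
                break
            conn.close()
            conn = connect()
            conn.recv_line()
        if is_success(reply):
            extra = []
            line = conn.recv_line()                # the next password follows "Correct!"
            while line is not None:
                extra.append(line)
                line = conn.recv_line()
            conn.close()
            return pincode, reply, extra
    conn.close()
    return None


if __name__ == "__main__":
    # Offline demo. On bandit24 use:
    #   brute_force(lambda: SocketConn("127.0.0.1", 30002), "<bandit24 password>")
    print(brute_force(lambda: FakeDaemon(drop_after=100), FakeDaemon.PASSWORD))
```

The connection factory is the only thing that changes between the offline run and the real one; the five-second socket timeout in SocketConn is what turns a daemon that simply stops answering into a reconnect rather than a hang.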
Level 25 -> Level 26
Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.
The login shell of each user is recorded in /etc/passwd:
grep bandit26 /etc/passwd
Then look at that shell (the last field of the entry) to see what it does and how to break out of it:
cat "$(grep '^bandit26:' /etc/passwd | cut -d: -f7)"
uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG