

http://overthewire.org/wargames/bandit/bandit0.html


This is a walkthrough of the OverTheWire Bandit wargame.






Level 0


SSH login

ssh bandit0@bandit.labs.overthewire.org -p2220






Level 0 -> Level 1


Read the readme file


ls

cat readme






Level 1 -> Level 2


Read the file named '-'

Because '-' is interpreted as an option on the command line, cat - cannot read the file named '-'.


Google tells me that cat ./- reads the '-' file.






Level 2 -> Level 3


Read the file "spaces in this filename"


I solved it by typing part of the filename and pressing Tab to let the shell autocomplete it.


cat spaces\ in\ this\ filename


When a filename contains spaces, it seems you just type '\ ' in their place.






Level 3 -> Level 4


cd inhere

ls -al


There is a hidden file called .hidden.


cat .hidden






Level 4 -> Level 5


Looking inside the inhere directory,

there are many files whose names start with '-'.


Reading the files one by one with the method from level 1,

the password is found in -file07.






Level 5 -> Level 6


There are many files and directories. Among them we have to find the file that contains the password.

There are clues, however: http://overthewire.org/wargames/bandit/bandit6.html


  • human-readable
  • 1033 bytes in size
  • not executable


Use the find command to locate the file whose size is 1033 bytes.


find . -size 1033c






Level 6 -> Level 7


http://overthewire.org/wargames/bandit/bandit7.html


Somewhere on the server there is a file that satisfies the conditions below.


  • owned by user bandit7
  • owned by group bandit6
  • 33 bytes in size


find / -user bandit7 -group bandit6






Level 7 -> Level 8


The password for the next level is stored in the file data.txt next to the word millionth

cat data.txt | grep millionth






Level 8 -> Level 9


The password for the next level is stored in the file data.txt and is the only line of text that occurs only once


cat data.txt | sort | uniq -u






Level 9 -> Level 10


The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.


strings data.txt






Level 10 -> Level 11


The password for the next level is stored in the file data.txt, which contains base64 encoded data


Decode it from base64.


base64 -di data.txt






Level 11 -> Level 12


The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions


It can be solved with an online decoder, but it can also be done with the Linux tr command. https://www.chmag.in/articles/momsguide/decoding-rot-using-the-echo-and-tr-commands-in-your-linux-terminal/


cat data.txt | tr 'n-za-mN-ZA-M' 'a-zA-Z'






Level 12 -> Level 13


The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)


The hexdump has to be converted back into binary.


bandit12@bandit:~$ mkdir /tmp/m4ndu

bandit12@bandit:~$ cp data.txt /tmp/m4ndu


bandit12@bandit:~$ cd /tmp/m4ndu


bandit12@bandit:/tmp/m4ndu$ xxd -r data.txt > data


bandit12@bandit:/tmp/m4ndu$ file data

data: gzip compressed data, was "data2.bin", last modified: Tue Oct 16 12:00:23 2018, max compression, from Unix



Add the .gz extension and decompress it with gzip.


bandit12@bandit:/tmp/m4ndu$ mv data data.gz

bandit12@bandit:/tmp/m4ndu$ gzip -d data.gz


bandit12@bandit:/tmp/m4ndu$ file data
data: bzip2 compressed data, block size = 900k


This time add the .bz2 extension and decompress it with bzip2.

mv data data.bz2
bunzip2 data.bz2

file data
data: gzip compressed data, was "data4.bin", last modified: Tue Oct 16 12:00:23 2018, max compression, from Unix


gzip again


bandit12@bandit:/tmp/m4ndu$ mv data data.gz

bandit12@bandit:/tmp/m4ndu$ gzip -d data.gz

bandit12@bandit:/tmp/m4ndu$ file data

data: POSIX tar archive (GNU)



This time extract the tar archive


bandit12@bandit:/tmp/m4ndu$ mv data data.tar

bandit12@bandit:/tmp/m4ndu$ tar -xvf data.tar
data5.bin
bandit12@bandit:/tmp/m4ndu$ file data5.bin 
data5.bin: POSIX tar archive (GNU)


Keep going the same way.

bandit12@bandit:/tmp/m4ndu$ mv data5.bin data5.tar
bandit12@bandit:/tmp/m4ndu$ tar -xvf data5.tar 
data6.bin
bandit12@bandit:/tmp/m4ndu$ file data6.bin 
data6.bin: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/m4ndu$ mv data6.bin data6.bz2
bandit12@bandit:/tmp/m4ndu$ bunzip2 data6.bz2 
bandit12@bandit:/tmp/m4ndu$ ls
data5.tar  data6  data.tar  data.txt
bandit12@bandit:/tmp/m4ndu$ file data6
data6: POSIX tar archive (GNU)
bandit12@bandit:/tmp/m4ndu$ mv data6 data6.tar
bandit12@bandit:/tmp/m4ndu$ tar -xvf data6.tar 
data8.bin
bandit12@bandit:/tmp/m4ndu$ file data8.bin 
data8.bin: gzip compressed data, was "data9.bin", last modified: Tue Oct 16 12:00:23 2018, max compression, from Unix
bandit12@bandit:/tmp/m4ndu$ mv data8.bin data8.gz
bandit12@bandit:/tmp/m4ndu$ gzip -d data8.gz 
bandit12@bandit:/tmp/m4ndu$ ls
data5.tar  data6.tar  data8  data.tar  data.txt
bandit12@bandit:/tmp/m4ndu$ file data8
data8: ASCII text
bandit12@bandit:/tmp/m4ndu$ cat data8
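As an added example (not part of the original post), the following Python script automates the loop above: it reverses the xxd hexdump, identifies each layer by its magic bytes (the job `file` does in the session) and peels gzip, bzip2 and tar layers until plain data remains. The nested sample is constructed inline and is not the level's data.txt; the layer cap is an added safeguard against decompression bombs.

```python
import bz2, gzip, io, tarfile

# Magic bytes for the three container formats this level nests: (offset, signature, name)
MAGIC = [(0, b"\x1f\x8b", "gzip"), (0, b"BZh", "bzip2"), (257, b"ustar", "tar")]

def xxd_reverse(dump):
    """Undo a plain xxd hexdump (what `xxd -r` does): drop the offset and the ASCII column."""
    groups = [line.split(":", 1)[1].strip().split("  ", 1)[0] for line in dump.splitlines() if ":" in line]
    return bytes.fromhex("".join(groups).replace(" ", ""))

def identify(data):
    """Stand-in for `file`: report which container a blob is, or "other" for plain data."""
    return next((kind for off, sig, kind in MAGIC if data[off:off + len(sig)] == sig), "other")

def peel(data):
    """Remove one layer; a tar layer yields its first regular member, like data5.bin above."""
    kind = identify(data)
    if kind == "gzip":
        return gzip.decompress(data)
    if kind == "bzip2":
        return bz2.decompress(data)
    if kind == "tar":
        with tarfile.open(fileobj=io.BytesIO(data)) as tar:
            member = next(m for m in tar.getmembers() if m.isfile())
            return tar.extractfile(member).read()
    raise ValueError("not a gzip, bzip2 or tar layer")

def unpack_all(data, max_layers=32):
    """Repeat identify/peel until plain data remains; the cap guards against a decompression bomb."""
    layers = []
    while identify(data) != "other":
        if len(layers) >= max_layers:
            raise ValueError("too many nested layers")
        layers.append(identify(data))
        data = peel(data)
    return data, layers

def wrap_tar(payload, name):
    """Build a single-member tar archive in memory (only used to construct the sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

# Constructed sample, not the real data.txt: secret -> gzip -> tar -> bzip2 -> gzip
SECRET = b"constructed-sample-password\n"
SAMPLE = gzip.compress(bz2.compress(wrap_tar(gzip.compress(SECRET), "data2.bin")))
```

On the real file, `unpack_all(xxd_reverse(open("data.txt").read()))` replaces the whole mv/gzip/bunzip2/tar sequence shown above.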





Level 13 -> Level 14


The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on


Use the private SSH key to log in as bandit14 over ssh, then read the file.


ssh -i sshkey.private bandit14@localhost

cat /etc/bandit_pass/bandit14






Level 14 -> Level 15


The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.


bandit14@bandit:~$ nc localhost 30000

4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

Correct!

BfMYroe26WYalil77FoDi9qh59eK5xNr






Level 15 -> Level 16


The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…


openssl s_client -connect localhost:30001


Then submit the level 15 password.






Level 16 -> Level 17


The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.


Find the open ports in the range 31000 to 32000.


bandit16@bandit:~$ nmap -sT -p 31000-32000 localhost


Starting Nmap 7.40 ( https://nmap.org ) at 2019-01-08 05:23 CET

Nmap scan report for localhost (127.0.0.1)

Host is up (0.00020s latency).

Not shown: 999 closed ports

PORT      STATE SERVICE

31518/tcp open  unknown

31790/tcp open  unknown


Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds



Two ports are open; find the one whose service uses SSL. Since there are only two, just try both.


openssl s_client -connect localhost:31518

openssl s_client -connect localhost:31790


Port 31790 sends back an RSA private key.


Copy it and save it -> 17.private


The key file's permissions need to be restricted.


chmod 400 17.private






Level 17 -> Level 18

ssh -i 17.private bandit17@bandit.labs.overthewire.org -p2220


There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new


NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19


bandit17@bandit:~$ diff passwords.old passwords.new 






Level 18 -> Level 19


The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.


ssh bandit18@bandit.labs.overthewire.org -p2220 "cat readme"






Level 19 -> Level 20


To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.


bandit20-do lets us borrow bandit20's privileges to read the file.


./bandit20-do cat /etc/bandit_pass/bandit20






Level 20 -> Level 21


There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: Try connecting to your own network daemon to see if it works as you think


Open a new terminal and make a second ssh connection.
In the new terminal, open an nc listening port.

nc -l -p 31555


From the other terminal, connect to it.


./suconnect 31555


Type the password into the terminal that holds the listening port, and the next level's password comes back.





Level 21 -> Level 22


A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.


cd /etc/cron.d

ls

cat cronjob_bandit22

cat /usr/bin/cronjob_bandit22.sh
cat /tmp/t706lds9S0RqQh9aMcz6ShpAoZKF7fgb






Level 22 -> Level 23


A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.



cd /etc/cron.d

ls

cat cronjob_bandit23

cat /usr/bin/cronjob_bandit23.sh
echo I am user bandit23 | md5sum | cut -d ' ' -f 1
cat /tmp/8ca319486bfbbc3663ea0fbe81326349






Level 23 -> Level 24


A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!

NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…



cd /etc/cron.d

ls

cat cronjob_bandit24

cat /usr/bin/cronjob_bandit24.sh

mkdir /tmp/mandu
chmod 777 /tmp/mandu/

cd /var/spool/bandit24/
vi 24.sh
chmod 777 24.sh


24.sh

#!/bin/bash

cat /etc/bandit_pass/bandit24 > /tmp/mandu/m


cat /tmp/mandu/m


Check the permissions of your own directory under /tmp. If they are not set, the file will not be created because of a write-permission problem.






Level 24 -> Level 25


A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.


Since Python was available, I wrote a Python script and ran it.


#!/usr/bin/python
import socket

host = "127.0.0.1"
port = 30002

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.recv(1024)  # discard the banner

# range(010) in the original was an octal literal (8), so the digits 8 and 9 were never tried
for pin in range(10000):
    pincode = "%04d" % pin
    print(pincode)
    try:
        s.sendall(("UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ " + pincode + "\n").encode())
        result = s.recv(1024).strip()
    except socket.error:
        break  # the server closes the connection once the right pincode has been sent
    if not result:
        break  # empty read: the server has closed the connection
    print(result.decode(errors="replace"))
s.close()

When the answer is found the server closes the connection automatically, so start the script, come back a little later, and the answer is printed near the end of the output.





Level 25 -> Level 26


Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.


The passwd file shows which shell is used.


grep bandit26 /etc/passwd


cat /usr/bin/passwd




uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
