The road ahead is long and far; I will search high and low


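I stumbled on Bandit, an overseas practice range for Linux command syntax

The idea is to use shell commands to find the password file based on the hints and file properties each level gives. The site is here → OverTheWire: Bandit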

 

Level 1

cat readme
boJ9jbbUNNfktd78OOpsqOltutMc3MY1

 

Level 2

cat ./-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

https://overthewire.org/wargames/bandit/bandit2.html

 

 

 

Level 3

cat "spaces in this filename"
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

The new version is different again

MNk8KNH3Usiio41PRUEoDFPqfxLPlSmx

cat ./--spaces\ in\ this\ filename--

cat ./-<Tab>    (type cat ./- and press the Tab key to complete the filename)

 

Level 4

cd inhere/
cat .hidden 
pIwrPrtPN36QITSp3EQaw936yaFoFgAB

New version

 2WmrDFRmJIq3IPxneAaMGhap0pFhF3NJ

Level 5

Find the human-readable file

cd inhere/
cat ./-file07
koReBOKuIDDepwhWk7jZC0RTdopnAYKh

Use the file command to determine each file's type and look for ASCII text

New version

 4oQYVPkxZOOEOO5pTW81FB8j8lxXGUQw

Level 6

Find the file with the following properties

  • human-readable
  • 1033 bytes in size
  • not executable
find . -type f -size 1033c
./inhere/maybehere07/.file2
cat ./inhere/maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7

New version

 HWasnPhtq9AVKe0dmk45nxy20cvUa6EG

Level 7

The password for the next level is stored somewhere on the server and has all of the following properties:

  • owned by user bandit7
  • owned by group bandit6
  • 33 bytes in size
find / -type f -size 33c -user bandit7 -group bandit6
cat /var/lib/dpkg/info/bandit7.password
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs


 morbNTDkSW6jIlUc0ymOdMaLnOlFVAaj

Level 8

ssh bandit7@bandit.labs.overthewire.org -p 2220
cat data.txt |grep "millionth"
millionth    cvX2JJa4CFALtqS87jk27qwqGhBM9plV


 dfwvzFQi4mU0wfNbFOe9RoWskMLg7eEc

Level 9

ssh bandit8@bandit.labs.overthewire.org -p 2220

 

 The password for the next level is stored in the file data.txt and is the only line of text that occurs only once

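data.txt contains a large number of random strings, in arbitrary order and with many repeats

Sort the lines with sort so that identical lines end up next to each other, then use uniq -u to select the single line that occurs only once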

cat data.txt |sort |uniq -u 
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

Help material linked from the official level page ↓

Learn Piping and Redirection - Linux Tutorial 

 4CKMh1JI91bUIZZPXDqGanal4xvAg0JM 

 

Level 10

ssh bandit9@bandit.labs.overthewire.org -p 2220

 

 The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.

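Going by the hints (human-readable, and preceded by =), I thought of the strings command I had used in CTFs before: extract the readable strings, then grep for the ones containing ==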

strings data.txt |grep "=="
========== the*2i"4
========== password
Z)========== is
&========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk


 FGUW5ilLVJrxX9kMYMmlN4MgbpfMiqey

 

Level 11

ssh bandit10@bandit.labs.overthewire.org -p 2220

The password for the next level is stored in the file data.txt, which contains base64 encoded data

cat data.txt 
VGhlIHBhc3N3b3JkIGlzIElGdWt3S0dzRlc4TU9xM0lSRnFyeEUxaHhUTkViVVBSCg==

Base64-decoding this string gives:

The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

 dtR173fZKb0RRsDFSGsg2RWnpNVj3qRr

 

Level 12

ssh bandit11@bandit.labs.overthewire.org -p 2220

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions

cat data.txt 
Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh

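The output looks like gibberish; further down the level page there is a hint link

Helpful Reading Material

I read up on the ROT13 algorithm; it is similar to the Caesar cipher from classical cryptography

ROT13 online decoder ← it can be decoded here!

I saw that there are other solutions for this level, using the tr command to translate the characters

Substitute according to this mapping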

cat data.txt | tr a-mn-zA-MN-Z n-za-mN-ZA-M
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
# The simpler form below also works
cat data.txt | tr a-zA-Z n-za-mN-ZA-M
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

References:

tr command, 东城绝神, CSDN blog (tr can replace, delete, and squeeze characters)

Linux command summary: the tr command - 琴酒网络 - cnblogs (博客园)

Or use Python's codecs library

>>> import codecs
>>> a = "Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh"
>>> print(codecs.encode(a, 'rot13'))
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

 7x16WNeHIi5YkIhWsfFIqoognUTyj9Q4

Level 13

ssh bandit12@bandit.labs.overthewire.org -p 2220

 The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)

cat data.txt

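This level requires running the file command to check the file type at each step, then renaming and unpacking the file according to that type

data.txt is a hex file, also called a hex dump file

Reference: "xxd, a Linux command that can be used for privilege escalation" | 《Linux就该这么学》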

mkdir /tmp/z
cp ~/data.txt /tmp/z
cd /tmp/z
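# reverse the hex dump back into a binary file
xxd -r data.txt data
# after each step, run file on the result, rename it to the matching extension, then unpack it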
mv data data.gz
gzip -d data.gz
mv data data.bz2
bzip2 -d data.bz2
mv data data.gz
gzip -d data.gz
mv data data.tar
tar -xvf data.tar
mv data5.bin data.tar
tar -xvf data.tar
mv data6.bin a.bz2
bzip2 -d a.bz2
mv a a.tar
tar -xvf a.tar
mv data8.bin b.gz
gzip -d b.gz
cat b
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL


 FO5dwFsc0cbaIiH0h8J2eUks2vdTDwAn
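The check-the-type-then-unpack loop described for this level, as an added example in Python (not code from the original post or from OverTheWire): it reverses an xxd dump and peels gzip, bzip2 and tar layers by their magic bytes, entirely in memory. The sample dump, the member name and the password string are constructed for illustration.

```python
import bz2, gzip, io, tarfile

MAGIC = ((0, b"\x1f\x8b", "gzip"), (0, b"BZh", "bzip2"), (257, b"ustar", "tar"))

def to_xxd(data):
    """Render bytes in xxd's default layout (only used to build the sample)."""
    rows = (data[o:o + 16] for o in range(0, len(data), 16))
    return "".join(f"{i * 16:08x}: {r.hex(' ', -2):<39}  "
                   + "".join(chr(b) if 32 <= b < 127 else "." for b in r) + "\n"
                   for i, r in enumerate(rows))

def from_xxd(dump):
    """Equivalent of `xxd -r`: keep the hex column, drop offsets and ASCII."""
    cols = (l.split(":", 1)[1].split("  ", 1)[0]
            for l in dump.splitlines() if ":" in l)
    return bytes.fromhex("".join(cols).replace(" ", ""))

def identify(blob):
    """Classify by magic bytes, the same evidence `file` relies on."""
    return next((k for o, sig, k in MAGIC if blob[o:o + len(sig)] == sig), "data")

def untar(blob):
    """Return the first regular file of a tar archive, read in memory only."""
    with tarfile.open(fileobj=io.BytesIO(blob)) as tf:
        return tf.extractfile(next(m for m in tf if m.isfile())).read()

UNWRAP = {"gzip": gzip.decompress, "bzip2": bz2.decompress, "tar": untar}

def peel(blob, max_layers=20):
    """Unwrap layers until no known container remains; the cap bounds nesting."""
    layers = []
    while (kind := identify(blob)) in UNWRAP and len(layers) < max_layers:
        blob = UNWRAP[kind](blob)
        layers.append(kind)
    return blob, layers

def make_sample():
    """Constructed input (not Bandit's file): text in gzip, bzip2, tar, gzip."""
    inner = bz2.compress(gzip.compress(b"The password is EXAMPLE-NOT-REAL\n"))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo("data5.bin")  # member name chosen for the sample
        info.size = len(inner)
        tf.addfile(info, io.BytesIO(inner))
    return to_xxd(gzip.compress(buf.getvalue()))

if __name__ == "__main__":
    print(peel(from_xxd(make_sample())))
```

Because the tar member is read with extractfile rather than extracted to disk, a crafted member path cannot write outside the working directory.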

 

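Level 14 (continued from the previous level)

ssh bandit13@bandit.labs.overthewire.org -p 2220

The next level is entered by logging in with an SSH private key; no password is needed

Log in with the private key on this machine and the next level's username

ssh -i sshkey.private bandit14@localhost -p 2220

Once in, read /etc/bandit_pass/bandit14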

MU4VWeTyJk8ROof1qqmcBPaLh7lDCPvS

Level 15

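You can come in from the previous level, or log in directly with the password above

ssh bandit14@bandit.labs.overthewire.org -p 2220

Submitting the current password to port 30000 on localhost returns the next level's password. I used the nc command; telnet did not work, it gave no response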

 8xCjnmgoKbGLhHFAZlGE5Tmu4M2tKJQo

Level 16

ssh bandit15@bandit.labs.overthewire.org -p 2220

Much like the previous level, except that this time the transfer must use SSL/TLS encryption

I searched Baidu and used this command as a reference

openssl s_client -connect localhost:30001

 kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx

Level 17

ssh bandit16@bandit.labs.overthewire.org -p 2220

 

Level 18

Level 19

Level 20

Level 21

Level 22

Level 23

Level 24

Level 25

Level 26

Level 27

Level 28

Level 29

Level 30

Level 31

Level 32

Level 33

 


posted on 2021-08-19 01:15  爱在西元间