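OverTheWire: Bandit Level0-Level33 Walkthrough
This article is based on the learning website
It is a website or project that gives computer science students a solid foundation in Linux, Web and git.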
Level 0
Level Goal
The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.
ssh -p 2220 bandit0@bandit.labs.overthewire.org

Enter the password bandit0.
Level 0 → Level 1
Level Goal
The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.
Commands you may need to solve this level
ls , cd , cat , file , du , find

The password obtained is used for SSH login authentication to the next level.
Level 1 → Level 2
Level Goal
The password for the next level is stored in a file called - located in the home directory
Commands you may need to solve this level
ls , cd , cat , file , du , find
Method 1: use the relative path ./
Method 2: check the current directory with pwd

Level 2 → Level 3
Level Goal
The password for the next level is stored in a file called spaces in this filename located in the home directory
Commands you may need to solve this level
ls , cd , cat , file , du , find
Method 1: use a quoted string

Method 2: use the escape character \
Level 3 → Level 4
Level Goal
The password for the next level is stored in a hidden file in the inhere directory.
Commands you may need to solve this level
ls , cd , cat , file , du , find
Use ls -al to find the hidden file, then read the password through a relative path.

Level 4 → Level 5
Level Goal
The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.
Commands you may need to solve this level
ls , cd , cat , file , du , find
Just use file to find the readable (ASCII) file.

cat ./-file* also shows the password, but it is hard to tell where the password begins.
Level 5 → Level 6
Level Goal
The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:
- human-readable
- 1033 bytes in size
- not executable
Commands you may need to solve this level
ls , cd , cat , file , du , find
This matches the requirements better than the figure below.
find . -type f -readable ! -executable -size 1033c

Level 6 → Level 7
Level Goal
The password for the next level is stored somewhere on the server and has all of the following properties:
- owned by user bandit7
- owned by group bandit6
- 33 bytes in size
Commands you may need to solve this level
ls , cd , cat , file , du , find , grep
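Searching from the root directory often produces many permission error messages; you can redirect them to /dev/null with 2>/dev/null to keep the output clean.
Or run
find / -size 33c -user bandit7 -group bandit6
and then pick out the bandit7.password file directly.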

Level 7 → Level 8
Level Goal
The password for the next level is stored in the file data.txt next to the word millionth
Commands you may need to solve this level
man, grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

The ./ can be omitted.
Level 8 → Level 9
Level Goal
The password for the next level is stored in the file data.txt and is the only line of text that occurs only once
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd
You can use -c to list how many times each line occurs, then find the line whose count is 1.

man uniq

Level 9 → Level 10
Level Goal
The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

Level 10 → Level 11
Level Goal
The password for the next level is stored in the file data.txt, which contains base64 encoded data
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

Just base64-decode it.
Level 11 → Level 12
Level Goal
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

Method 1 (input redirection): ~$ tr 'a-zA-Z' 'n-za-mN-ZA-M' < data.txt
Method 2 (pipe): ~$ cat data.txt | tr 'a-zA-Z' 'n-za-mN-ZA-M'
Level 12 → Level 13
Level Goal
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work. Use mkdir with a hard to guess directory name. Or better, use the command “mktemp -d”. Then copy the datafile using cp, and rename it using mv (read the manpages!)
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd, mkdir, cp, mv, file
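This level tests knowledge of compression, but it takes a lot of patience (it is tedious).
Background knowledge
- Handling gzip compression: mv data data.gz, then gzip -d data.gz or gunzip data.gz.
- Handling bzip2 compression: mv data data.bz, then bzip2 -d data.bz or bunzip2 data.bz.
- Handling a tar archive: mv data data.tar, then tar -xf data.tar, and so on.
- xxd -r data.txt > data: uses the xxd tool to convert the hex-format file data.txt back into the binary file data. -r means reverse operation.
- file file1 file2 ... shows the file types.
After entering the environment, cat data.txt shows that it is hexadecimal text, so run xxd -r data.txt > data.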
bandit12@bandit:~$ ls
data.txt
bandit12@bandit:~$ cat data.txt
bandit12@bandit:~$ mkdir /tmp/dig
bandit12@bandit:~$ cp data.txt /tmp/dig
bandit12@bandit:~$ cd /tmp/dig
bandit12@bandit:/tmp/dig$ ls
data.txt
bandit12@bandit:/tmp/dig$ file data.txt
data.txt: ASCII text
bandit12@bandit:/tmp/dig$ xxd -r data.txt > data
bandit12@bandit:/tmp/dig$ file data
data: gzip compressed data, was "data2.bin", last modified: Thu Apr 10 14:22:57 2025, max compression, from Unix, original size modulo 2^32 585
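Then keep applying the template from the background knowledge: move the file (effectively a rename, mv), decompress (gzip, bzip2, tar) and check the file type (file).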
bandit12@bandit:/tmp/dig$ mv data data.gz
bandit12@bandit:/tmp/dig$ gunzip data.gz
bandit12@bandit:/tmp/dig$ file data
data: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/dig$ mv data data.bz
bandit12@bandit:/tmp/dig$ bunzip data.bz
Command 'bunzip' not found, did you mean:
  command 'bunzip2' from deb bzip2 (1.0.8-5.1build0.1)
  command 'lunzip' from deb lunzip (1.13-6)
  command 'funzip' from deb unzip (6.0-28ubuntu4.1)
  command 'gunzip' from deb gzip (1.12-1ubuntu1)
  command 'bunzip3' from deb bzip3 (1.3.2-1)
  command 'unzip' from deb unzip (6.0-28ubuntu4.1)
  command 'ebunzip' from deb eb-utils (4.4.3-14)
  command 'runzip' from deb rzip (2.1-4.1)
Try: apt install <deb name>
bandit12@bandit:/tmp/dig$ bunzip2 data.bz
bandit12@bandit:/tmp/dig$ file data
data: gzip compressed data, was "data4.bin", last modified: Thu Apr 10 14:22:57 2025, max compression, from Unix, original size modulo 2^32 20480
bandit12@bandit:/tmp/dig$ mv data data.gz
bandit12@bandit:/tmp/dig$ gzip -d data.gz
bandit12@bandit:/tmp/dig$ file data
data: POSIX tar archive (GNU)
bandit12@bandit:/tmp/dig$ mv data data.tar
bandit12@bandit:/tmp/dig$ tar -xf data.tar
bandit12@bandit:/tmp/dig$ ls
data5.bin  data.tar  data.txt
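Running tar -xf data.tar extracts the contents of data.tar into the current directory. Its characteristics:
- Extraction creates the new file data5.bin (as ls shows).
- data.tar remains in the directory (it must be deleted manually).
Finally, keep repeating the commands for listing the directory (ls), checking the file type (file), moving files (renaming, mv) and decompressing (gzip, bzip2, tar) until the .bin files are gone; then look at the newly appeared file to see the pass for the next level. Sorry, the screenshot was missing two commands; they are added here.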
mv data5.bin data5.tar
tar -xf data5.tar

Below is the shell script that DeepSeek produced by summarizing the steps above; save it as a .sh file and it can be run directly:
bandit12@bandit:~$ mkdir /tmp/dig
bandit12@bandit:~$ cd /tmp/dig
bandit12@bandit:/tmp/dig$ vim 1.sh
bandit12@bandit:/tmp/dig$ bash 1.sh
cp: cannot stat 'data.txt': No such file or directory
gzip: data8 already exists; do you wish to overwrite (y or n)? y
Password: The password is FO5dwFsc0cbaIiH0h8J2eUks2vdTDwAn
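The shell script written into 1.sh is:
#!/bin/bash
# Create the temporary directory and copy the file into it
# (run this from the directory that holds data.txt)
mkdir -p /tmp/dig
cp data.txt /tmp/dig
cd /tmp/dig || exit 1
# Convert the hex dump back to binary
xxd -r data.txt > data
# Handle the gzip layer
mv data data.gz
gzip -d data.gz
# Handle the bzip2 layer
mv data data.bz
bzip2 -d data.bz
# First tar extraction (GNU tar detects the remaining gzip layer by itself)
mv data data.tar
tar -xf data.tar
# Second tar extraction (data5.bin)
mv data5.bin data5.tar
tar -xf data5.tar
# Handle the bzip2-compressed data6.bin
mv data6.bin data6.bz
bzip2 -d data6.bz
# Third tar extraction (data6)
mv data6 data6.tar
tar -xf data6.tar
# Handle the final gzip-compressed data8.bin
mv data8.bin data8.gz
gzip -d data8.gz
# Print the password
echo "Password: $(cat data8)"
It does not look very smart (doing it by hand is better); the scripts found online are better, see zip shell script 1 and zip shell script 2.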
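The manual loop above (file, mv, decompress, repeat) can be driven by each layer's magic bytes instead of a fixed sequence. The script below is an added example, not part of the original write-up or of OverTheWire; the function names, the 32-layer cap and the sample built by build_sample are assumptions made here, and each tar layer is assumed to hold a single member, as in the session above.

```shell
#!/bin/sh
# Added example (not from the original write-up): peel nested gzip/bzip2/tar
# layers automatically. Assumes each tar layer holds a single member.

# layer_type FILE -> prints gzip | bzip2 | tar | data, decided from magic bytes
layer_type() {
    lt_magic=$(od -An -tx1 -N3 "$1" | tr -d ' \n')
    case "$lt_magic" in
        1f8b*)  echo gzip;  return 0 ;;    # gzip streams start with 1f 8b
        425a68) echo bzip2; return 0 ;;    # bzip2 streams start with "BZh"
    esac
    # A tar header block carries the string "ustar" at byte offset 257.
    lt_tar=$(dd if="$1" bs=1 skip=257 count=5 2>/dev/null | tr -d '\0')
    if [ "$lt_tar" = "ustar" ]; then echo tar; else echo data; fi
}

# peel FILE -> writes the innermost payload to stdout, non-zero on failure
peel() {
    pl_dir=$(mktemp -d) || return 1        # unpredictable work directory
    cp "$1" "$pl_dir/cur" || { rm -rf "$pl_dir"; return 1; }
    pl_depth=0
    while [ "$pl_depth" -lt 32 ]; do       # depth cap: never loop forever
        case "$(layer_type "$pl_dir/cur")" in
            gzip)  gzip  -dc "$pl_dir/cur" > "$pl_dir/next" ;;
            bzip2) bzip2 -dc "$pl_dir/cur" > "$pl_dir/next" ;;
            tar)   # stream the member to stdout; no archive path touches disk
                   pl_member=$(tar -tf "$pl_dir/cur" | head -n 1)
                   tar -xOf "$pl_dir/cur" "$pl_member" > "$pl_dir/next" ;;
            data)  cat "$pl_dir/cur"; rm -rf "$pl_dir"; return 0 ;;
        esac || { rm -rf "$pl_dir"; return 1; }
        mv "$pl_dir/next" "$pl_dir/cur"
        pl_depth=$((pl_depth + 1))
    done
    rm -rf "$pl_dir"; return 1
}

# peel_hexdump FILE -> reverse an xxd hex dump, then peel the binary result
peel_hexdump() {
    ph_bin=$(mktemp) || return 1
    xxd -r "$1" > "$ph_bin" && peel "$ph_bin"
    ph_rc=$?
    rm -f "$ph_bin"
    return "$ph_rc"
}

# build_sample DIR TOOL... -> creates DIR/sample: a constructed payload wrapped
# in tar, then compressed by each named tool in turn (innermost first)
build_sample() {
    bs_dir=$1; shift
    printf 'constructed payload line\n' > "$bs_dir/data8.bin"
    ( cd "$bs_dir" && tar -cf sample data8.bin ) || return 1
    for bs_tool in "$@"; do
        "$bs_tool" -c "$bs_dir/sample" > "$bs_dir/sample.next" || return 1
        mv "$bs_dir/sample.next" "$bs_dir/sample"
    done
}

# Usage (peel.sh is a hypothetical file name): sh peel.sh data.txt
if [ "$#" -gt 0 ]; then peel_hexdump "$1"; fi
```

Calling build_sample with gzip bzip2 gzip reproduces the layer order seen in the session above, and peel on the result prints the constructed payload line.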
Level 13 → Level 14
Level Goal
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on
Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap
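Use ssh with the private key, on port 2220, as user bandit14, to connect to localhost.

You will see the login screen of bandit14@bandit,

The level says the password is under /etc/bandit_pass/bandit14 and belongs to user bandit14; just read it with cat.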
Level 14 → Level 15
Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap
Run nmap to check whether port 30000 is open: ~$ nmap -p 30000 localhost.
If it is open, use nc or telnet to connect to port 30000 locally.

Level 15 → Level 16
Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL/TLS encryption.
Helpful note: Getting “DONE”, “RENEGOTIATING” or “KEYUPDATE”? Read the “CONNECTED COMMANDS” section in the manpage.
Commands you may need to solve this level
ssh, telnet, nc, ncat, socat, openssl, s_client, nmap, netstat, ss
Use the OpenSSL tool to establish an SSL/TLS connection to port 30001 on localhost.

Submit the pass obtained in the previous level.

This gives the pass kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx!
Level 16 → Level 17
Level Goal
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL/TLS and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
Helpful note: Getting “DONE”, “RENEGOTIATING” or “KEYUPDATE”? Read the “CONNECTED COMMANDS” section in the manpage.
Commands you may need to solve this level
ssh, telnet, nc, ncat, socat, openssl, s_client, nmap, netstat, ss
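First, get familiar with vim's editing modes. Linux vi/vim | 菜鸟教程
Exiting vim
:q! force quit and discard changes.
:wq! force save and quit.
:q quit, if nothing was modified.
After version detection (-sV) and inspection, only port 31790 turns out to be usable. (You can study other references for this process.)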

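This gives the RSA private key

Method 1:
Create a temporary file and store the private key rsa.private (including its header and footer) in it. Method 1 stores it in the file rsa.priv.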

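After hitting the problem (bug) above, I asked ChatGPT:
When you ran
ssh -i /tmp/ssh.key/rsa.priv bandit17@localhost, you ran into two problems:
- Permission problem: you received the error messages Could not create directory '/home/bandit16/.ssh' (Permission denied) and Permission denied. This indicates that, when connecting, you do not have permission to create the .ssh folder in the bandit16 user's home directory.
- Key loading problem: you received the error Load key "/tmp/ssh.key/rsa.priv": Permission denied. This is usually because the permissions on the key file /tmp/ssh.key/rsa.priv are set incorrectly, or you do not have sufficient permission to read the file.
SSH cannot create the .ssh directory
You also ran into the problem of being unable to create the .ssh directory. This may be because you do not have permission to create directories under /home/bandit16/. To get around this problem, you can use -o StrictHostKeyChecking=no and -o UserKnownHostsFile=/dev/null to disable SSH host key verification:
ssh -i /tmp/ssh.key/rsa.priv -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null bandit17@localhost
This command bypasses host key checking and does not try to save the host key to the known_hosts file, so the .ssh directory does not need to be created.
Then, following the message “This is an OverTheWire game server. !!! You are trying to log into this SSH server on port 22, which is not intended.”, add port 2220.
ssh -i /tmp/ssh.key/rsa.priv -p 2220 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null bandit17@localhost
Summary
- Set the correct permissions: chmod 600 /tmp/ssh.key/rsa.priv.
- Use -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null to disable host key checking.
- Check that the port number is correct.
bandit16@bandit:/$ ssh -i /tmp/ssh.key/rsa.priv -p 2220 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null bandit17@localhost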
Warning: Permanently added '[localhost]:2220' (ED25519) to the list of known hosts.
                         _                     _ _ _
                        | |__   __ _ _ __   __| (_) |_
                        | '_ \ / _` | '_ \ / _` | | __|
                        | |_) | (_| | | | | (_| | | |_
                        |_.__/ \__,_|_| |_|\__,_|_|\__|
                      This is an OverTheWire game server.
            More information on http://www.overthewire.org/wargames
!!! You are trying to log into this SSH server with a password on port 2220 from localhost.
!!! Connecting from localhost is blocked to conserve resources.
!!! Please log out and log in again.
.........
Welcome to OverTheWire!
If you find any problems, please report them to the #wargames channel on
discord or IRC.
.........
--[ More information ]--
  For more information regarding individual wargames, visit
  http://www.overthewire.org/wargames/
  For support, questions or comments, contact us on discord or IRC.
  Enjoy your stay!
Method 2:
Note how nano is used; see "How to Use the Nano Text Editor in Linux".
Method 2 writes rsa.private (including its header and footer) into the file rsafile.

link
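Next you arrive at the bandit17 session; there is no need to spend extra time logging into bandit17@bandit. After reading [official site|level17-18], run diff in the terminal and jump to [#Level 18 → Level 19]. You can also log into bandit17@bandit with the password obtained from cat /etc/bandit_pass/bandit17.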

Level 17 → Level 18
Level Goal
There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new
NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19
See the [[#link]] part of the previous level.
Level 18 → Level 19
Level Goal
The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
Commands you may need to solve this level
ssh, ls, cat
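Logging in with the value obtained earlier from passwords.new (x2gLTTjFwMOhQ8oWNbMN362QKxfRqGlO in [[#link]]) shows

However many times you log in, the login only fails! This is determined by ssh's syntax; if you do not believe it, check with man ssh or ssh --help on Linux.
So we have

The password is not echoed as you type it; the Linux command then runs, and the password is found in the file readme.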
Level 19 → Level 20
Level Goal
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

Level 20 → Level 21
Level Goal
There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
NOTE: Try connecting to your own network daemon to see if it works as you think
Commands you may need to solve this level
ssh, nc, cat, bash, screen, tmux, Unix ‘job control’ (bg, fg, jobs, &, CTRL-Z, …)
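[!note] Approach
With "netcat" we can create a connection in server mode that listens for inbound connections. To have netcat send the password, I use echo and pipe it into netcat.
Running the setuid binary with port 1234 means it connects to our netcat server, receives the password we supplied and sends back the next password.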

Level 21 → Level 22
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
Commands you may need to solve this level
cron, crontab, crontab(5) (use “man 5 crontab” to access this)
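1. cat cronjob_bandit22
- &> /dev/null: this redirects both the script's standard output (stdout) and standard error (stderr) to /dev/null, that is, all output is discarded. Even if the script produces output or errors, nothing is recorded.
- The @reboot entry ensures the script /usr/bin/cronjob_bandit22.sh runs once at system startup, producing no output.
- The * * * * * entry ensures the same script runs every minute, likewise producing no output.

2. cat /usr/bin/cronjob_bandit22.sh
The script does the following:
- Changes the permissions of /tmp/t706Ids9S0RqQh9aMcz6ShpAoZKF7fgv so that the file owner can read and write it and other users can only read it.
- Copies the contents of /etc/bandit_pass/bandit22 into /tmp/t706Ids9S0RqQh9aMcz6ShpAoZKF7fgv.

Therefore, reading /tmp/t706Ids9S0RqQh9aMcz6ShpAoZKF7fgv (for example with cat) shows the answer.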
Level 22 → Level 23
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
Commands you may need to solve this level
cron, crontab, crontab(5) (use “man 5 crontab” to access this)
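The first few commands are the same as in the previous level, [[#Level 21 → Level 22]]; the later ones differ slightly.
- Check the result of whoami in the terminal: $myname takes the value of user bandit23.
- $mytarget is then the output of the command inside the parentheses.
- /etc/bandit_pass/bandit23 is written to /tmp/$mytarget (8ca319......26349).
- Reading /tmp/$mytarget (8ca319......26349) shows the pass.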
  
Level 23 → Level 24
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…
Commands you may need to solve this level
chmod, cron, crontab, crontab(5) (use “man 5 crontab” to access this)
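Background knowledge
For chmod, reading the chmod reference is recommended.
Up to cat /usr/bin/cronjob_bandit24.sh, the commands are similar to those of the previous level. After running cat /usr/bin/cronjob_bandit24.sh,

you see the shell statements in the figure above. What follows stumped me for a long time /(ㄒoㄒ)/~~, so this level looks a bit messy.
After analyzing it, create the /tmp/game directory and, under /var/spool/bandit24/foo, use nano to write the shell file test.sh.
The text written is
#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/game/pass.txt
This code writes the next level's pass into the file pass.txt in the /tmp/game directory,

Copying test.sh into the /var/spool/bandit24/foo/ directory produced many errors. The main cause was the lack of write permission.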
bandit23@bandit:/var/spool/bandit24/foo$ cd /tmp 
bandit23@bandit:/tmp$ cd game
bandit23@bandit:/tmp/game$ cp test.sh /var/spool/bandit24/foo/
cp: cannot stat 'test.sh': No such file or directory
bandit23@bandit:/tmp/game$ nano test.sh
Unable to create directory /home/bandit23/.local/share/nano/: No such file or directory
Unable to create directory /home/bandit23/.local/share/nano/: No such file or directory
It is required for saving/loading search history or cursor positions.
So, add read, write and execute permissions for all users, chiefly to give test.sh write and execute permission.
bandit23@bandit:/tmp/game$ chmod 777 ./test.sh
bandit23@bandit:/tmp/game$ cp test.sh /var/spool/bandit24/foo
bandit23@bandit:/tmp/game$ ls -al /var/spool/bandit24/foo
ls: cannot open directory '/var/spool/bandit24/foo': Permission denied
bandit23@bandit:/tmp/game$ ls /var/spool/bandit24/foo/test.sh -al
-rwxrwxr-x 1 bandit23 bandit23 65 Apr 23 08:16 /var/spool/bandit24/foo/test.sh
bandit23@bandit:/tmp/game$ ls
pass.txt  test.sh
bandit23@bandit:/tmp/game$ cat pass.txt
gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8
bandit23@bandit:/tmp/game$ exit
logout
Connection to bandit.labs.overthewire.org closed.
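At last the file pass.txt shows up in /tmp/game (ls); pass.txt now holds the next level's pass (/etc/bandit_pass/bandit24).
Because every script under /var/spool/bandit24/foo (test.sh included) is deleted within 60 s, the script test.sh copies /etc/bandit_pass/bandit24 to /tmp/game/pass.txt. This gets around the time limit, so the content can be read directly with cat.
Summary (to clear up the earlier confusion): write a redirecting shell script in the temporary directory /tmp/game; before that, it turned out the script lacked write and execute permission, so grant them. Then copy it to /var/spool/bandit24/foo, where test.sh is seen to have execute permission. Because of the timing, you may have to wait a moment before the credential appears.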
Level 24 → Level 25
Level Goal
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.
You do not need to create new connections each time
Brute-forcing: retrieve the pincode with the password for bandit24 and a secret numeric 4-digit pincode.
bandit24@bandit:~$ nc localhost 30002
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8
Wrong! Please enter the correct current password and pincode. Try again.
bandit24@bandit:/$ for i in {0000..9999};do echo "gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8" $i;done | nc localhost 30002
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
Wrong! Please enter the correct current password and pincode. Try again.
Wrong! Please enter the correct current password and pincode. Try again.
Wrong! Please enter the correct current password and pincode. Try again.
Wrong! Please enter the correct current password and pincode. Try again.
.....
.....
Wrong! Please enter the correct current password and pincode. Try again.
Wrong! Please enter the correct current password and pincode. Try again.
Wrong! Please enter the correct current password and pincode. Try again.
Correct!
The password of user bandit25 is iCi86ttT4KSNe1armKiwbQNmB3YJP3q4
bandit24@bandit:/$
Level 25 → Level 26
Level Goal
Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.
NOTE: if you’re a Windows user and typically use Powershell to ssh into bandit: Powershell is known to cause issues with the intended solution to this level. You should use command prompt instead.
Commands you may need to solve this level
ssh, cat, more, vi, ls, id, pwd
Background knowledge
Search for the following questions on Google.
Q1:shell commands for vi (google)

Q2:how to change shell in vi

Q3:man more
Detailed description of the v parameter.
 v
           Start up an editor at current line. The editor is taken from the environment variable VISUAL if defined, or EDITOR if VISUAL is not defined, or defaults
           to vi(1) if neither VISUAL nor EDITOR is defined.
Solution
Connecting to level 26 with ssh, the connection closes automatically.
bandit25@bandit:~$ ls
bandit26.sshkey
bandit25@bandit:~$ ssh -i bandit26.sshkey bandit26@localhost -p 2220
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can't be established.
....
....
                      This is an OverTheWire game server.
            More information on http://www.overthewire.org/wargames
....
....
....
Connection to localhost closed.
View the contents of /etc/passwd, then use a pipe to filter for user bandit26.
bandit25@bandit:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
''''
''''
''''
krypton1:x:8001:8001:krypton level 1:/home/krypton1:/bin/bash
krypton2:x:8002:8002:krypton level 2:/home/krypton2:/bin/bash
krypton3:x:8003:8003:krypton level 3:/home/krypton3:/bin/bash
krypton4:x:8004:8004:krypton level 4:/home/krypton4:/bin/bash
krypton5:x:8005:8005:krypton level 5:/home/krypton5:/bin/bash
krypton6:x:8006:8006:krypton level 6:/home/krypton6:/bin/bash
krypton7:x:8007:8007:krypton level 7:/home/krypton7:/bin/bash
bandit25@bandit:~$ cat /etc/passwd | grep bandit26
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
bandit25@bandit:~$ cat /usr/bin/showtext
#!/bin/sh
export TERM=linux
exec more ~/text.txt
exit 0
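We find that, in the Linux terminal, after the system command more has been run on text.txt, it always exits (exit 0). This is because more exits automatically once it has gone through the text file. (The wording here is a little different; for details see Q3, the detailed description of more's v parameter.)
This explains why the connection closed automatically after running ssh -i bandit26.sshkey bandit26@localhost -p 2220 earlier. It likewise explains why the next level cannot be opened.
Copy this command beforehand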
bandit25@bandit:~$ ssh -i bandit26.sshkey bandit26@bandit.labs.overthewire.org -p 2220
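Then, making use of more's v parameter, shrink the terminal window (until it is very, very small, ideally as small as possible). Run the copied command with a keyboard shortcut. Press v and enter the commands from the Q1 picture; :!ls works, while :shell does nothing.
Likewise, entering :set shell? as in the Q2 picture shows shell=/usr/bin/showtext.


This is not what we need; we want shell to be /bin/bash. So enter the command :set shell=/bin/bash.

Enter :set shell? to view the value shell is set to

Press Enter; shell is now what we need.

Now enter :shell, and the terminal appears.

The pass below can be obtained right away.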
bandit26@bandit:~$ cat /etc/bandit_pass/bandit26
s0773xxkk0MXfdqOfPRVr9L3jJBUOgCZ
Summary: this level uses the interaction between the shell and vi to simulate a shell escape. So it can be played like this?!
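Seen from the administrator's side, the bandit26 entry is an account whose login shell is a wrapper script around a pager. The script below is an added example, not part of the original write-up or of OverTheWire; the function names, the finding labels and the fixture files are assumptions made here. It compares passwd entries against an allowlist such as /etc/shells and inspects wrapper scripts for pagers and editors.

```shell
#!/bin/sh
# Added example (not from the original write-up): flag accounts whose login
# shell is a wrapper script around a pager or editor, like bandit26 above.

# audit_shells PASSWD_FILE SHELLS_FILE [ROOT]
# Prints "user shell finding" for every login-capable account whose shell is
# not in SHELLS_FILE. ROOT is an optional path prefix, so a mounted image or
# a fixture directory can be audited instead of the live filesystem.
audit_shells() {
    as_passwd=$1; as_allowed=$2; as_root=${3:-}
    while IFS=: read -r as_user as_pw as_uid as_gid as_gecos as_home as_shell; do
        case "$as_shell" in
            ''|*/nologin|*/false) continue ;;   # no interactive login possible
        esac
        if grep -qxF -e "$as_shell" "$as_allowed"; then continue; fi
        as_finding="shell-not-in-allowlist"
        as_path=$as_root$as_shell
        # A script that hands the terminal to a pager or editor restricts the
        # user only as far as that program does: more's v key opens vi, and
        # vi can be told to start a different shell.
        if [ -r "$as_path" ] && [ "$(head -c 2 "$as_path")" = "#!" ] &&
           grep -Eq '(^|[[:space:]/])(more|less|vi|vim|man)([[:space:]]|$)' "$as_path"; then
            as_finding="wrapper-runs-pager-or-editor"
        fi
        echo "$as_user $as_shell $as_finding"
    done < "$as_passwd"
}

# build_fixture DIR -> constructed sample files under DIR: etc/passwd (four
# lines taken from the listing above), etc/shells, and usr/bin/showtext
build_fixture() {
    mkdir -p "$1/usr/bin" "$1/etc" || return 1
    printf '%s\n' '#!/bin/sh' 'export TERM=linux' 'exec more ~/text.txt' 'exit 0' \
        > "$1/usr/bin/showtext"
    printf '%s\n' /bin/sh /bin/bash > "$1/etc/shells"
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'sync:x:4:65534:sync:/bin:/bin/sync' \
        'games:x:5:60:games:/usr/games:/usr/sbin/nologin' \
        'bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext' \
        > "$1/etc/passwd"
}

# Demo on the constructed fixture: sh audit.sh --demo (audit.sh is a
# hypothetical file name). On a live host: audit_shells /etc/passwd /etc/shells
if [ "${1:-}" = "--demo" ]; then
    demo_dir=$(mktemp -d) && build_fixture "$demo_dir" &&
        audit_shells "$demo_dir/etc/passwd" "$demo_dir/etc/shells" "$demo_dir"
    rm -rf "$demo_dir"
fi
```

On the fixture, sync is reported as shell-not-in-allowlist and bandit26 as wrapper-runs-pager-or-editor.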
Level 26 → Level 27
Level Goal
Good job getting a shell! Now hurry and grab the password for bandit27!
Commands you may need to solve this level
ls
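Strangely, the pass obtained in level 25 cannot get into level 26; it never seems to work. That is, the password from the previous level (s0773xxkk0MXfdqOfPRVr9L3jJBUOgCZ) cannot open ssh -p 2220 bandit26@bandit.labs.overthewire.org for level 26; the connection always fails.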
ssh -p 2220 bandit26@bandit.labs.overthewire.org
                         _                     _ _ _
                        | |__   __ _ _ __   __| (_) |_
                        | '_ \ / _` | '_ \ / _` | | __|
                        | |_) | (_| | | | | (_| | | |_
                        |_.__/ \__,_|_| |_|\__,_|_|\__|
                      This is an OverTheWire game server.
            More information on http://www.overthewire.org/wargames
bandit26@bandit.labs.overthewire.org's password:
      ,----..            ,----,          .---.
     /   /   \         ,/   .`|         /. ./|
    /   .     :      ,`   .'  :     .--'.  ' ;
   .   /   ;.  \   ;    ;     /    /__./ \ : |
  .   ;   /  ` ; .'___,/    ,' .--'.  '   \' .
  ;   |  ; \ ; | |    :     | /___/ \ |    ' '
  |   :  | ; | ' ;    |.';  ; ;   \  \;      :
  .   |  ' ' ' : `----'  |  |  \   ;  `      |
  '   ;  \; /  |     '   :  ;   .   \    .\  ;
   \   \  ',  /      |   |  '    \   \   ' \ |
    ;   :    /       '   :  |     :   '  |--"
     \   \ .'        ;   |.'       \   \ ;
  www. `---` ver     '---' he       '---" ire.org
Welcome to OverTheWire!
'''''
'''''
'''''
  In addition, the execstack tool can be used to flag the stack as
  executable on ELF binaries.
  Finally, network-access is limited for most levels by a local
  firewall.
'''''
'''''
Connection to bandit.labs.overthewire.org closed.
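This is because, as /usr/bin/showtext shows, once Linux has read the large text the system exits automatically. So I thought of continuing in the terminal that :shell opened inside vi in level 25.
Unfortunately, if you have closed the previous level by now, you have to go back to it and follow it through until the shell terminal appears.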
bandit25@bandit:~$ ssh -i bandit26.sshkey bandit26@bandit.labs.overthewire.org -p 2220
The authenticity of host '[bandit.labs.overthewire.org]:2220 ([127.0.0.1]:2220)' can't be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/home/bandit25/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/home/bandit25/.ssh/known_hosts).
                         _                     _ _ _
                        | |__   __ _ _ __   __| (_) |_
                        | '_ \ / _` | '_ \ / _` | | __|
                        | |_) | (_| | | | | (_| | | |_
                        |_.__/ \__,_|_| |_|\__,_|_|\__|
                      This is an OverTheWire game server.
            More information on http://www.overthewire.org/wargames
!!! You are trying to log into this SSH server with a password on port 2220 from localhost.
!!! Connecting from localhost is blocked to conserve resources.
!!! Please log out and log in again.
      ,----..            ,----,          .---.
     /   /   \         ,/   .`|         /. ./|
    /   .     :      ,`   .'  :     .--'.  ' ;
   .   /   ;.  \   ;    ;     /    /__./ \ : |
  .   ;   /  ` ; .'___,/    ,' .--'.  '   \' .
  ;   |  ; \ ; | |    :     | /___/ \ |    ' '
  |   :  | ; | ' ;    |.';  ; ;   \  \;      :
  .   |  ' ' ' : `----'  |  |  \   ;  `      |
  '   ;  \; /  |     '   :  ;   .   \    .\  ;
   \   \  ',  /      |   |  '    \   \   ' \ |
    ;   :    /       '   :  |     :   '  |--"
     \   \ .'        ;   |.'       \   \ ;
  www. `---` ver     '---' he       '---" ire.org
Welcome to OverTheWire!
If you find any problems, please report them to the #wargames channel on
discord or IRC.
--[ Playing the games ]--
  This machine might hold several wargames.
  If you are playing "somegame", then:
    * USERNAMES are somegame0, somegame1, ...
    * Most LEVELS are stored in /somegame/.
    * PASSWORDS for each level are stored in /etc/somegame_pass/.
  Write-access to homedirectories is disabled. It is advised to create a
  working directory with a hard-to-guess name in /tmp/.  You can use the
  command "mktemp -d" in order to generate a random and hard to guess
  directory in /tmp/.  Read-access to both /tmp/ is disabled and to /proc
  restricted so that users cannot snoop on eachother. Files and directories
  with easily guessable or short names will be periodically deleted! The /tmp
  directory is regularly wiped.
  Please play nice:
    * don't leave orphan processes running
    * don't leave exploit-files laying around
    * don't annoy other players
    * don't post passwords or spoilers
    * again, DONT POST SPOILERS!
      This includes writeups of your solution on your blog or website!
--[ Tips ]--
  This machine has a 64bit processor and many security-features enabled
  by default, although ASLR has been switched off.  The following
  compiler flags might be interesting:
    -m32                    compile for 32bit
    -fno-stack-protector    disable ProPolice
    -Wl,-z,norelro          disable relro
  In addition, the execstack tool can be used to flag the stack as
  executable on ELF binaries.
  Finally, network-access is limited for most levels by a local
  firewall.
--[ Tools ]--
 For your convenience we have installed a few useful tools which you can find
 in the following locations:
    * gef (https://github.com/hugsy/gef) in /opt/gef/
    * pwndbg (https://github.com/pwndbg/pwndbg) in /opt/pwndbg/
    * gdbinit (https://github.com/gdbinit/Gdbinit) in /opt/gdbinit/
    * pwntools (https://github.com/Gallopsled/pwntools)
    * radare2 (http://www.radare.org/)
--[ More information ]--
  For more information regarding individual wargames, visit
  http://www.overthewire.org/wargames/
  For support, questions or comments, contact us on discord or IRC.
  Enjoy your stay!
  _                     _ _ _   ___   __
 | |                   | (_) | |__ \ / /
 | |__   __ _ _ __   __| |_| |_   ) / /_
:!ls
  _                     _ _ _   ___   __
 | |                   | (_) | |__ \ / /
 | |__   __ _ _ __   __| |_| |_   ) / /_
Most commands optionally preceded by integer argument k.  Defaults in brackets.
Star (*) indicates argument becomes new default.
-------------------------------------------------------------------------------
<space>                 Display next k lines of text [current screen size]
z                       Display next k lines of text [current screen size]*
<return>                Display next k lines of text [1]*
d or ctrl-D             Scroll k lines [current scroll size, initially 11]*
q or Q or <interrupt>   Exit from more
s                       Skip forward k lines of text [1]
f                       Skip forward k screenfuls of text [1]
b or ctrl-B             Skip backwards k screenfuls of text [1]
'                       Go to place where previous search started
=                       Display current line number
/<regular expression>   Search for kth occurrence of regular expression [1]
n                       Search for kth occurrence of last r.e [1]
!<cmd> or :!<cmd>       Execute <cmd> in a subshell
v                       Start up '/usr/bin/vi' at current line
ctrl-L                  Redraw screen
:n                      Go to kth next file [1]
:p                      Go to kth previous file [1]
:f                      Display current file name and line number
.                       Repeat previous command
-------------------------------------------------------------------------------
...skipping 1 line
  _                     _ _ _   ___   __
 | |                   | (_) | |__ \ / /
 | |__   __ _ _ __   __| |_| |_   ) / /_
:shell
  _                     _ _ _   ___   __
 | |                   | (_) | |__ \ / /
 | |__   __ _ _ __   __| |_| |_   ) / /_
 | |                   | (_) | |__ \ / /
 | |__   __ _ _ __   __| |_| |_   ) / /_
 | '_ \ / _` | '_ \ / _` | | __| / / '_ \
:shell
After that, the approach is the same as Level 19? That came as a huge shock to me.
bandit26@bandit:~$ ls
bandit27-do  text.txt
bandit26@bandit:~$ file bandit27-do
bandit27-do: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=35d353cf6d732f515a73f50ed205265fe1e68f90, for GNU/Linux 3.2.0, not stripped
bandit26@bandit:~$ ./bandit27-do
Run a command as another user.
  Example: ./bandit27-do id
bandit26@bandit:~$ ./bandit27-do whoami
bandit27
bandit26@bandit:~$ cat /etc/bandit_pass/bandit27
cat: /etc/bandit_pass/bandit27: Permission denied
bandit26@bandit:~$ ./bandit27-do cat /etc/bandit_pass/bandit27
upsNCc7vzaRDx6oZC6GiR6ERwe1MowGB
bandit26@bandit:~$ 
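Connecting to Level 27 with the password obtained (upsNCc7vzaRDx6oZC6GiR6ERwe1MowGB) worked right away! So my guess was not wrong at all! This level really is tkl!
Summary: this level combines the previous level with Level 19. Being able to solve composite problems really does come step by step! Without a solid foundation, everything shakes.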
Level 27 → Level 28
Level Goal
There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo via the port 2220. The password for the user bandit27-git is the same as for the user bandit27.
Clone the repository and find the password for the next level.
Commands you may need to solve this level
git
The next several levels are all about git, so you can set aside some time and clear them in one go.
bandit27@bandit:/tmp/sa$ git clone ssh://bandit27-git@localhost:2220/home/bandit27-git/repo
Cloning into 'repo'...
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can't be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/home/bandit27/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/home/bandit27/.ssh/known_hosts).
                         _                     _ _ _
                        | |__   __ _ _ __   __| (_) |_
                        | '_ \ / _` | '_ \ / _` | | __|
                        | |_) | (_| | | | | (_| | | |_
                        |_.__/ \__,_|_| |_|\__,_|_|\__|
                      This is an OverTheWire game server.
            More information on http://www.overthewire.org/wargames
bandit27-git@localhost's password:
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (3/3), done.
bandit27@bandit:/tmp/sa$ ls
pass.txt  repo  test1.sh  test.sh
bandit27@bandit:/tmp/sa$ cd repo
bandit27@bandit:/tmp/sa/repo$ ls
README
bandit27@bandit:/tmp/sa/repo$ cat README
The password to the next level is: Yz9IpL0sBcCeuG7m9uQFt8ZNpS4HZRcN
The password is obtained from the README file in the staging area.
Level 28 → Level 29
Level Goal
There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo via the port 2220. The password for the user bandit28-git is the same as for the user bandit28.
Clone the repository and find the password for the next level.
Commands you may need to solve this level
git
Everything up to the git clone is similar to the previous level.
bandit28@bandit:/$ cd tmp
bandit28@bandit:/tmp$ mkdir sb
bandit28@bandit:/tmp$ cd sb
bandit28@bandit:/tmp/sb$ git clone ssh://bandit28-git@localhost:2220/home/bandit28-git/repo
Cloning into 'repo'...
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can't be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
''''
''''
bandit28-git@localhost's password:
remote: Enumerating objects: 9, done.
remote: Counting objects: 100% (9/9), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 9 (delta 2), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (9/9), 798 bytes | 399.00 KiB/s, done.
Resolving deltas: 100% (2/2), done.
If you have forgotten the password, view it with cat /etc/bandit_pass/bandit28.
bandit28@bandit:/tmp/sb$ cat /etc/bandit_pass/bandit28
Yz9IpL0sBcCeuG7m9uQFt8ZNpS4HZRcN
Then look at the files in the repo; the password turns out to be encrypted.
bandit28@bandit:/tmp/sb$ ls
repo
bandit28@bandit:/tmp/sb$ cd repo
bandit28@bandit:/tmp/sb/repo$ ls
README.md
bandit28@bandit:/tmp/sb/repo$ cat README.md
# Bandit Notes
Some notes for level29 of bandit.
## credentials
- username: bandit29
- password: xxxxxxxxxx
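View the log and check each commit.

[!note] git checkout
The git checkout <hash> command switches to a specific commit. In Git, every commit produces a unique hash (the commit hash), and that hash can be used to locate the particular commit.
Continuing, there is a commit with the message 'add missing data'; checking out its matching hash with git checkout yields the pass for bandit29.

It is 4pT1t5DENaYuqnqvadYs1oE4QLCdjmJ7!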
Level 29 → Level 30
Level Goal
There is a git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo via the port 2220. The password for the user bandit29-git is the same as for the user bandit29.
Clone the repository and find the password for the next level.
Commands you may need to solve this level
git
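Create and switch to the sc directory, then run git clone.

Looking at the contents of the repo, there is only a username and no password. Listing other branches, returning to the master branch and checking the current status still yields very little.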
bandit29@bandit:/tmp/sc$ ls
repo
bandit29@bandit:/tmp/sc$ cd repo
bandit29@bandit:/tmp/sc/repo$ ls
README.md
bandit29@bandit:/tmp/sc/repo$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.
## credentials
- username: bandit30
- password: <no passwords in production!>
bandit29@bandit:/tmp/sc/repo$ git branch
* master
bandit29@bandit:/tmp/sc/repo$ git checkout master
Already on 'master'
Your branch is up to date with 'origin/master'.
bandit29@bandit:/tmp/sc/repo$ git status
On branch master
Your branch is up to date with 'origin/master'.
nothing to commit, working tree clean
bandit29@bandit:/tmp/sc/repo$ ls
README.md
bandit29@bandit:/tmp/sc/repo$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.
## credentials
- username: bandit30
- password: <no passwords in production!>
List all branches and check their subdirectories.
bandit29@bandit:/tmp/sc/repo$ git branch -a # or -r
* master
  remotes/origin/HEAD -> origin/master
  remotes/origin/dev
  remotes/origin/master
  remotes/origin/sploits-dev
bandit29@bandit:/tmp/sc/repo$ git checkout dev
branch 'dev' set up to track 'origin/dev'.
Switched to a new branch 'dev'
bandit29@bandit:/tmp/sc/repo$ ls
code  README.md
bandit29@bandit:/tmp/sc/repo$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.
## credentials
- username: bandit30
- password: qp30ex3VLz5MDG1n91YowTv4Q8l7CDZL
Level 30 → Level 31
Level Goal
There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo via the port 2220. The password for the user bandit30-git is the same as for the user bandit30.
Clone the repository and find the password for the next level.
Commands you may need to solve this level
git
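I created the directory sd, but git clone kept reporting insufficient permissions. So I switched to se, and the clone succeeded!
In practice it should be possible to get around this with the chown command; reading up on chown is recommended. Since it worked directly here, though, I won't demonstrate it.

Try it based on the experience from the previous levels. Nothing turned up; an empty file?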
bandit30@bandit:/tmp/se$ ls
repo
bandit30@bandit:/tmp/se$ cd repo
bandit30@bandit:/tmp/se/repo$ ls
README.md
bandit30@bandit:/tmp/se/repo$ cat README.md
just an epmty file... muahaha
bandit30@bandit:/tmp/se/repo$ git log
commit fb05775f973256dc6d8d5bb6a8e6b96b0d8795c8 (HEAD -> master, origin/master, origin/HEAD)
Author: Ben Dover <noone@overthewire.org>
Date:   Thu Apr 10 14:23:24 2025 +0000
    initial commit of README.md
bandit30@bandit:/tmp/se/repo$ git checkout fb05775f973256dc6d8d5bb6a8e6b96b0d8795c8
.....
.....
HEAD is now at fb05775 initial commit of README.md
bandit30@bandit:/tmp/se/repo$ ls
README.md
bandit30@bandit:/tmp/se/repo$ cat README.md
just an epmty file... muahaha
bandit30@bandit:/tmp/se/repo$ git branch
* (HEAD detached at fb05775)
  master
bandit30@bandit:/tmp/se/repo$ git branch -a
* (HEAD detached at fb05775)
  master
  remotes/origin/HEAD -> origin/master
  remotes/origin/master
[!note] git tag
git tag lists all tags.
git show secret shows the details of the commit that the secret tag points to.
Finally, the tag is used to find and show the password.
bandit30@bandit:/tmp/se/repo$ git tag
secret
bandit30@bandit:/tmp/se/repo$ git show secret
fb5S2xb7bRyFmAvQYQGEqsbhVyJqhnDy
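Levels 28, 29 and 30 above leave the value in an older commit, on a non-default branch, and behind a tag. The script below is an added example (not from the original write-up or from OverTheWire) that builds a constructed repository containing all three patterns and audits every ref in one pass; the repository contents and the function names build_demo_repo and scan_repo are made up for the illustration.

```shell
#!/bin/sh
# Constructed demo repository: every name, message and "secret" is made up.
build_demo_repo() {   # $1 = existing empty directory
    (
        cd "$1" || exit 1
        git init -q . 2>/dev/null
        git config user.name demo
        git config user.email demo@example.invalid
        # Level 28 pattern: value committed, then overwritten by a later commit
        printf '%s\n' '- password: HISTORY-SECRET' > README.md
        git add README.md && git commit -q -m 'add data'
        printf '%s\n' '- password: xxxxxxxxxx' > README.md
        git commit -q -am 'redact data'
        # Level 29 pattern: value present only on a non-default branch
        git checkout -q -b dev
        printf '%s\n' '- password: BRANCH-SECRET' > README.md
        git commit -q -am 'dev notes'
        git checkout -q -
        # Level 30 pattern: a tag that points straight at a blob, not a commit
        git tag secret "$(printf 'TAG-SECRET\n' | git hash-object -w --stdin)"
    )
}

# Report every "password:" line ever added on any ref, plus any ref whose
# target is a bare blob (git log never visits those).
scan_repo() {         # $1 = repository; prints "<where><TAB><content>"
    git -C "$1" log --all -p --format='commit %h' |
        awk '/^commit / { c = $2 }
             /^[+][^+].*password:/ { print "commit " c "\t" substr($0, 2) }'
    git -C "$1" for-each-ref --format='%(refname)' |
    while read -r ref; do
        # ^{} peels annotated tags down to the object they finally name
        if [ "$(git -C "$1" cat-file -t "$ref^{}")" = blob ]; then
            printf '%s\t%s\n' "$ref" "$(git -C "$1" cat-file -p "$ref^{}")"
        fi
    done
}

demo=$(mktemp -d) && build_demo_repo "$demo" && scan_repo "$demo"; rm -rf "$demo"
```

A value that shows up in such an audit has to be rotated; a later commit that overwrites it does not remove it from clones that already exist.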
Level 31 → Level 32
Level Goal
There is a git repository at ssh://bandit31-git@localhost/home/bandit31-git/repo via the port 2220. The password for the user bandit31-git is the same as for the user bandit31.
Clone the repository and find the password for the next level.
Commands you may need to solve this level
git
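After git clone, edit the file with nano and enter the text that follows Content (without the quotes).

Or redirect the text with echo "May I come in?".
Check the root directory after writing the text, then submit key.txt to the remote. However, a message says that .gitignore is being overridden (?) and that key.txt is ignored. So try reading and deleting .gitignore.
Then resubmit key.txt and check the current status: key.txt now shows up (new file:  key.txt).

Stage, commit and push to the remote repository:
bandit31@bandit:/tmp/sf/repo$ git commit -m "hahaha" # the commit message is arbitrary, don't take it seriously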
[master 75243bc] hahaha
 1 file changed, 1 insertion(+)
 create mode 100644 key.txt
bandit31@bandit:/tmp/sf/repo$ git log
commit 75243bc8d134088611fe140da524282e04a68f71 (HEAD -> master)
Author: bandit31 <bandit31@overthewire.org>
Date:   Thu Apr 24 08:26:27 2025 +0000
    hahaha
commit 9f2814daa679b29d2c8f78f2766e7e9332445a41 (origin/master, origin/HEAD)
Author: Ben Dover <noone@overthewire.org>
Date:   Thu Apr 10 14:23:26 2025 +0000
    initial commit
bandit31@bandit:/tmp/sf/repo$ git push
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can't be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/home/bandit31/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/home/bandit31/.ssh/known_hosts).
                         _                     _ _ _
                        | |__   __ _ _ __   __| (_) |_
                        | '_ \ / _` | '_ \ / _` | | __|
                        | |_) | (_| | | | | (_| | | |_
                        |_.__/ \__,_|_| |_|\__,_|_|\__|
                      This is an OverTheWire game server.
            More information on http://www.overthewire.org/wargames
bandit31-git@localhost's password:
Enumerating objects: 4, done.
Counting objects: 100% (4/4), done.
Delta compression using up to 2 threads
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 318 bytes | 318.00 KiB/s, done.
Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
remote: ### Attempting to validate files... ####
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
remote: Well done! Here is the password for the next level:
remote: 3O9RfhqyAlVBEZpVb6LYStshZoqoSx5K
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
To ssh://localhost:2220/home/bandit31-git/repo
 ! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'ssh://localhost:2220/home/bandit31-git/repo'
bandit31@bandit:/tmp/sf/repo$ exit
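The push above prints the remote's message and still ends with "pre-receive hook declined". The following added example (not the game server's hook and not from the original write-up) reproduces both sides against a constructed bare repository: the ignore rule is diagnosed with git check-ignore and overridden with git add -f instead of deleting .gitignore, and a pre-receive hook inspects the pushed key.txt and then rejects the push. The '*.txt' rule, the hook text and the function names make_remote and push_key are assumptions.

```shell
#!/bin/sh
# Constructed demo; the hook is written for this example and is not the game
# server's hook. The '*.txt' ignore rule is an assumption (the page does not
# show the .gitignore contents).
make_remote() {       # $1 = path for a new bare repository
    git init -q --bare "$1" 2>/dev/null
    mkdir -p "$1/hooks"
    cat > "$1/hooks/pre-receive" <<'EOF'
#!/bin/sh
# git feeds one "<old-oid> <new-oid> <refname>" line per pushed ref on stdin
while read -r old new ref; do
    if [ "$(git cat-file -p "$new:key.txt" 2>/dev/null)" = 'May I come in?' ]; then
        echo "key.txt accepted on $ref"
    else
        echo "key.txt missing or wrong on $ref"
    fi
done
exit 1   # non-zero status: no ref is updated, but the text above is relayed
EOF
    chmod +x "$1/hooks/pre-receive"
}

push_key() {          # $1 = bare remote, $2 = empty work dir; prints the outcome
    (
        cd "$2" || exit 1
        git init -q . 2>/dev/null
        git config user.name demo
        git config user.email demo@example.invalid
        echo '*.txt' > .gitignore
        git add .gitignore && git commit -q -m 'initial commit'
        echo 'May I come in?' > key.txt
        # plain "git add" refuses; check-ignore names the file, line and pattern
        git add key.txt 2>/dev/null || echo "ignored by $(git check-ignore -v key.txt)"
        git add -f key.txt               # override the rule for this one path
        git commit -q -m 'add key.txt'
        git push "$1" HEAD:refs/heads/master 2>&1 | grep -E '^remote:|rejected'
    )
}

remote=$(mktemp -d) work=$(mktemp -d)
make_remote "$remote" && push_key "$remote" "$work"
rm -rf "$remote" "$work"
```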
Level 32 → Level 33
Level Goal
After all this git stuff, it’s time for another escape. Good luck!
Commands you may need to solve this level
sh, man
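No level goal is given? Quite puzzling.
After entering the level, whatever is typed gets converted to uppercase and the result is a permission-denied message. This matches the "WELCOME TO THE UPPERCASE SHELL" banner shown on entry.
After several attempts, it turns out that $0 gets around it: $0 contains no letters, so the uppercase conversion leaves it unchanged, and sh expands it to its own name, which starts a normal shell.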
WELCOME TO THE UPPERCASE SHELL
>> ls
sh: 1: LS: Permission denied
>> mkdir /tmp/ss
sh: 1: MKDIR: Permission denied
>> echo $0
sh: 1: ECHO: Permission denied
>> $0
$ ls
uppershell
$ whoami
bandit33
$ cat /etc/bandit_pass/bandit33
tQdtbs5D5i2vJwkO8mEyYEyTL8izoeJ0
$ exit
>>
Level 33 → Level 34
At this moment, level 34 does not exist yet.