There are several things you can try when you are unsure how to continue:
First, if you know a command, but don’t know how to use it, try the manual (man page) by entering “**man **” (without the quotes). e.g. if you know about the “ls” command, type: man ls. The “man” command also has a manual, try it. Press q to quit the man command.
Second, if there is no man page, the command might be a shell built-in. In that case use the “**help **” command. E.g. help cd
Also, your favorite search-engine is your friend. Learn how to use it! I recommend Google.
--[ Playing the games ]--
This machine might hold several wargames.
If you are playing "somegame", then:
* USERNAMES are somegame0, somegame1, ...
* Most LEVELS are stored in /somegame/.
* PASSWORDS for each level are stored in /etc/somegame_pass/.
Write-access to homedirectories is disabled. It is advised to create a
working directory with a hard-to-guess name in /tmp/. You can use the
command "mktemp -d" in order to generate a random and hard to guess
directory in /tmp/. Read-access to both /tmp/ and /proc/ is disabled
so that users can not snoop on eachother. Files and directories with
easily guessable or short names will be periodically deleted!
Please play nice:
* don't leave orphan processes running
* don't leave exploit-files laying around
* don't annoy other players
* don't post passwords or spoilers
* again, DONT POST SPOILERS!
This includes writeups of your solution on your blog or website!
--[ Tips ]--
This machine has a 64bit processor and many security-features enabled
by default, although ASLR has been switched off. The following
compiler flags might be interesting:
-m32 compile for 32bit
-fno-stack-protector disable ProPolice
-Wl,-z,norelro disable relro
In addition, the execstack tool can be used to flag the stack as
executable on ELF binaries.
Finally, network-access is limited for most levels by a local
firewall.
--[ Tools ]--
For your convenience we have installed a few usefull tools which you can find
in the following locations:
* pwndbg (https://github.com/pwndbg/pwndbg) in /usr/local/pwndbg/
* peda (https://github.com/longld/peda.git) in /usr/local/peda/
* gdbinit (https://github.com/gdbinit/Gdbinit) in /usr/local/gdbinit/
* pwntools (https://github.com/Gallopsled/pwntools)
* radare2 (http://www.radare.org/)
* checksec.sh (http://www.trapkit.de/tools/checksec.html) in /usr/local/bin/checksec.sh
--[ More information ]--
For more information regarding individual wargames, visit
http://www.overthewire.org/wargames/
For support, questions or comments, contact us through IRC on
irc.overthewire.org #wargames.
Enjoy your stay!
bandit1@bandit:~$ ls
-
bandit1@bandit:~$ cd -
-bash: cd: OLDPWD not set
bandit1@bandit:~$ cd\-
-bash: cd: OLDPWD not set
bandit1@bandit:~$ cd /-
-bash: cd: /-: No such file or directory
bandit1@bandit:~$ ls -al
total 24
-rw-r----- 1 bandit2 bandit1 33 Oct 16 2018 -
drwxr-xr-x 2 root root 4096 Oct 16 2018 .
drwxr-xr-x 41 root root 4096 Oct 16 2018 ..
-rw-r--r-- 1 root root 220 May 15 2017 .bash_logout
-rw-r--r-- 1 root root 3526 May 15 2017 .bashrc
-rw-r--r-- 1 root root 675 May 15 2017 .profile
bandit1@bandit:~$ cat /-
cat: /-: No such file or directory
bandit1@bandit:~$ cat ./-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
bandit2@bandit:~$ ls
spaces in this filename
bandit2@bandit:~$ ls -al
total 24
drwxr-xr-x 2 root root 4096 Oct 16 2018 .
drwxr-xr-x 41 root root 4096 Oct 16 2018 ..
-rw-r--r-- 1 root root 220 May 15 2017 .bash_logout
-rw-r--r-- 1 root root 3526 May 15 2017 .bashrc
-rw-r--r-- 1 root root 675 May 15 2017 .profile
-rw-r----- 1 bandit3 bandit2 33 Oct 16 2018 spaces in this filename
bandit2@bandit:~$ cat spaces\ in\ this\ filename
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
bandit2@bandit:~$ cat "spaces in this filename"
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
bandit2@bandit:~$ cat 'spaces in this filename'
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
bandit13@bandit:~$ ls
sshkey.private
bandit13@bandit:~$ cat /etc/bandit_pass/bandit14
cat: /etc/bandit_pass/bandit14: Permission denied
bandit13@bandit:~$ ssh
usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-E log_file] [-e escape_char]
           [-F configfile] [-I pkcs11] [-i identity_file]
           [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec]
           [-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R address]
           [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]]
           [user@]hostname [command]
bandit13@bandit:~$ ssh -i sshkey.private bandit14@localhost
Could not create directory '/home/bandit13/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit13/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
......
bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
bandit14@bandit:~$
bandit14@bandit:~$ telnet localhost 30000
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Wrong! Please enter the correct current password
Connection closed by foreign host.
bandit14@bandit:~$ telnet localhost 30000
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr
Connection closed by foreign host.
bandit14@bandit:~$
bl@bl-virtual-machine:~/wargame$ echo '-----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY-----' > b16.rsa
bl@bl-virtual-machine:~/wargame$ ssh bandit17@bandit.labs.overthewire.org -p 2220 -i b16.rsa
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'b16.rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "b16.rsa": bad permissions
bandit17@bandit.labs.overthewire.org's password:
bl@bl-virtual-machine:~/wargame$ chmod 600 b16.rsa
bl@bl-virtual-machine:~/wargame$ ssh bandit17@bandit.labs.overthewire.org -p 2220 -i b16.rsa
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit17@bandit:~$ cat /etc/bandit_pass/bandit17
xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn
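The "bad permissions" refusal in the session above, as an added example that is not part of the original write-up: ssh ignores an identity file when any group/other permission bit is set, and a file created with `echo ... > file` under the usual umask 022 ends up 0644. The function names (`key_mode`, `key_perms_ok`, `install_key`, `audit_keys`) and the placeholder key text are assumptions made for this sketch; `stat -c` is the GNU form.

```shell
#!/bin/sh
# Added example: mirror the private-key permission rule and write key files
# so they are never readable by group or others, even briefly.

# key_mode FILE -> print the octal permission bits (GNU stat).
key_mode() {
    stat -c '%a' -- "$1"
}

# key_perms_ok FILE -> exit 0 when (mode & 077) == 0, i.e. no group/other
# access, which is the condition behind the "UNPROTECTED PRIVATE KEY FILE"
# warning.
key_perms_ok() {
    mode=$(key_mode "$1") || return 2
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# install_key DEST -> copy stdin into DEST so that it is created 0600.
# umask is changed inside a subshell, leaving the caller's umask untouched.
# An existing DEST is removed first because redirecting into an existing
# file keeps its old (possibly 0644) mode.
install_key() {
    (
        umask 077
        rm -f -- "$1"
        cat > "$1"
    )
}

# audit_keys DIR -> print "<mode> <path>" for every file directly in DIR
# whose first line is a PEM/OpenSSH private-key header and whose mode
# grants access to group or others.
audit_keys() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        head -n 1 "$f" 2>/dev/null | grep -q 'PRIVATE KEY-----' || continue
        key_perms_ok "$f" || printf '%s %s\n' "$(key_mode "$f")" "$f"
    done
}

# Constructed demo: the file body is a placeholder, not a real key.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED-PLACEHOLDER' \
    '-----END RSA PRIVATE KEY-----' | install_key "$demo_dir/b16.rsa"
echo "mode after install_key: $(key_mode "$demo_dir/b16.rsa")"
rm -rf -- "$demo_dir"
```

Running `audit_keys ~/.ssh` (or any directory where keys get pasted during an engagement) lists the files ssh would refuse to load and that other local users could read.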
bl@bl-virtual-machine:~/wargame$ ssh bandit18@bandit.labs.overthewire.org -p 2220 'cat ./readme'
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit18@bandit.labs.overthewire.org's password:
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
The second approach: use the scp command to get around it
bl@bl-virtual-machine:~/wargame$ scp -P 2220 bandit18@bandit.labs.overthewire.org:./readme ./readme
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit18@bandit.labs.overthewire.org's password:
readme 100% 33 0.0KB/s 00:00
bl@bl-virtual-machine:~/wargame$ cat ./readme
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
bl@bl-virtual-machine:~/wargame$
# ~/.bashrc: executed by bash(1) for non-login shells.
# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
# for examples

# If not running interactively, don't do anything
case $- in
    *i*) ;;
      *) return;;
esac

# don't put duplicate lines or lines starting with space in the history.
# See bash(1) for more options
HISTCONTROL=ignoreboth

# append to the history file, don't overwrite it
shopt -s histappend

# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
HISTSIZE=1000
HISTFILESIZE=2000

# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize

# If set, the pattern "**" used in a pathname expansion context will
# match all files and zero or more directories and subdirectories.
#shopt -s globstar

# make less more friendly for non-text input files, see lesspipe(1)
#[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"

# set variable identifying the chroot you work in (used in the prompt below)
if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
    debian_chroot=$(cat /etc/debian_chroot)
fi

# set a fancy prompt (non-color, unless we know we "want" color)
case "$TERM" in
    xterm-color|*-256color) color_prompt=yes;;
esac

# uncomment for a colored prompt, if the terminal has the capability; turned
# off by default to not distract the user: the focus in a terminal window
# should be on the output of commands, not on the prompt
#force_color_prompt=yes

if [ -n "$force_color_prompt" ]; then
    if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
        # We have color support; assume it's compliant with Ecma-48
        # (ISO/IEC-6429). (Lack of such support is extremely rare, and such
        # a case would tend to support setf rather than setaf.)
        color_prompt=yes
    else
        color_prompt=
    fi
fi

if [ "$color_prompt" = yes ]; then
    PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
else
    PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
fi
unset color_prompt force_color_prompt

# If this is an xterm set the title to user@host:dir
case "$TERM" in
xterm*|rxvt*)
    PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
    ;;
*)
    ;;
esac

# enable color support of ls and also add handy aliases
if [ -x /usr/bin/dircolors ]; then
    test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
    alias ls='ls --color=auto'
    #alias dir='dir --color=auto'
    #alias vdir='vdir --color=auto'
    #alias grep='grep --color=auto'
    #alias fgrep='fgrep --color=auto'
    #alias egrep='egrep --color=auto'
fi

# colored GCC warnings and errors
#export GCC_COLORS='error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01'

# some more ls aliases
#alias ll='ls -l'
#alias la='ls -A'
#alias l='ls -CF'

# Alias definitions.
# You may want to put all your additions into a separate file like
# ~/.bash_aliases, instead of adding them here directly.
# See /usr/share/doc/bash-doc/examples in the bash-doc package.
if [ -f ~/.bash_aliases ]; then
    . ~/.bash_aliases
fi

# enable programmable completion features (you don't need to enable
# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
# sources /etc/bash.bashrc).
if ! shopt -oq posix; then
  if [ -f /usr/share/bash-completion/bash_completion ]; then
    . /usr/share/bash-completion/bash_completion
  elif [ -f /etc/bash_completion ]; then
    . /etc/bash_completion
  fi
fi

echo 'Byebye !'
exit 0
bandit20@bandit:~$ ls -al
total 32
drwxr-xr-x 2 root root 4096 Oct 16 2018 .
drwxr-xr-x 41 root root 4096 Oct 16 2018 ..
-rw-r--r-- 1 root root 220 May 15 2017 .bash_logout
-rw-r--r-- 1 root root 3526 May 15 2017 .bashrc
-rw-r--r-- 1 root root 675 May 15 2017 .profile
-rwsr-x--- 1 bandit21 bandit20 12088 Oct 16 2018 suconnect
bandit20@bandit:~$ ./suconnect
Usage: ./suconnect <portnumber>
This program will connect to the given port on localhost using TCP. If it receives the correct password from the other side, the next password is transmitted back.
bandit20@bandit:~$ nc -lp 2333 < /etc/bandit_pass/bandit20
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
bandit20@bandit:~$
Listening on a port with nc is enough to do this
bandit20@bandit:~$
bandit20@bandit:~$ ls
suconnect
bandit20@bandit:~$ ./suconnect 2333
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password
bandit20@bandit:~$
bandit24@bandit:~$ telnet localhost 30002
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 1
Timeout. Exiting.
Connection closed by foreign host.
bandit24@bandit:/tmp/bandit24$ nc localhost 30002
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 5201
Wrong! Please enter the correct pincode. Try again.
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 1213
Wrong! Please enter the correct pincode. Try again.
^C
bandit24@bandit:~$ cd /tmp/bandit24
bandit24@bandit:/tmp/bandit24$ ls
bandit24.sh counters.txt pass pin_mod.py pktempdir tcol
bandit25.sh getpass.sh pass24.sh pin.py qsd.txt test.txt
bash_file.sh mine.sh password.txt pins script.sh wesh.sh
bandit24@bandit:/tmp/bandit24$ UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
-bash: UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ: command not found
bandit24@bandit:/tmp/bandit24$ nc localhost 30002 UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
Fail! You did not supply enough data. Try again.
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 1
^C
bandit24@bandit:/tmp/bandit24$ ls
bandit24.sh fuck24.sh pass24.sh pins tcol
bandit25.sh getpass.sh password.txt pktempdir test.txt
bash_file.sh mine.sh pin_mod.py qsd.txt wesh.sh
counters.txt pass pin.py script.sh
bandit24@bandit:/tmp/bandit24$ python
Python 2.7.13 (default, Sep 26 2018, 18:42:22) [GCC 6.3.0 20170516] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> exit()
bandit24@bandit:/tmp/bandit24$ touch fuck24.py
bandit24@bandit:/tmp/bandit24$ vim fuck24.py
bandit24@bandit:/tmp/bandit24$ touch pass24
bandit24@bandit:/tmp/bandit24$ cat fuck24.py
#!/usr/bin/env python
# Write one "password pin" line for every 4-digit pincode into pass24
f = open('pass24', 'w')
passwd = 'UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ'
for i in range(10000):
    flag = passwd + ' ' + str(i).zfill(4) + '\n'
    f.write(flag)
f.close()
bandit24@bandit:/tmp/bandit24$ python fuck24.py
bandit24@bandit:/tmp/bandit24$ less pass24
bandit24@bandit:/tmp/bandit24$ nc localhost 30002 < pass24 > ans.txt
bandit24@bandit:/tmp/bandit24$ sort ans.txt | uniq -u
Correct!
Exiting.
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
bandit24@bandit:/tmp/bandit24$
bandit25@bandit:~$ ls
bandit26.sshkey
bandit25@bandit:~$ ssh bandit26@localhost -i bandit26.sshkey
Could not create directory '/home/bandit25/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit25/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
Linux bandit 4.18.12 x86_64 GNU/Linux
Welcome to OverTheWire!
If you find any problems, please report them to Steven or morla on
irc.overthewire.org.
_ _ _ _ ___ __
| | | (_) | |__ \ / /
| |__ __ _ _ __ __| |_| |_ ) / /_
| '_ \ / _` | '_ \ / _` | | __| / / '_ \
| |_) | (_| | | | | (_| | | |_ / /| (_) |
|_.__/ \__,_|_| |_|\__,_|_|\__|____\___/
Connection to localhost closed.
bandit25@bandit:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/bin/false
messagebus:x:101:104::/var/run/dbus:/bin/false
sshd:x:102:65534::/run/sshd:/usr/sbin/nologin
identd:x:103:65534::/var/run/identd:/bin/false
ntp:x:104:107::/home/ntp:/bin/false
bandit0:x:11000:11000:bandit level 0:/home/bandit0:/bin/bash
bandit1:x:11001:11001:bandit level 1:/home/bandit1:/bin/bash
bandit10:x:11010:11010:bandit level 10:/home/bandit10:/bin/bash
bandit11:x:11011:11011:bandit level 11:/home/bandit11:/bin/bash
bandit12:x:11012:11012:bandit level 12:/home/bandit12:/bin/bash
bandit13:x:11013:11013:bandit level 13:/home/bandit13:/bin/bash
bandit14:x:11014:11014:bandit level 14:/home/bandit14:/bin/bash
bandit15:x:11015:11015:bandit level 15:/home/bandit15:/bin/bash
bandit16:x:11016:11016:bandit level 16:/home/bandit16:/bin/bash
bandit17:x:11017:11017:bandit level 17:/home/bandit17:/bin/bash
bandit18:x:11018:11018:bandit level 18:/home/bandit18:/bin/bash
bandit19:x:11019:11019:bandit level 19:/home/bandit19:/bin/bash
bandit2:x:11002:11002:bandit level 2:/home/bandit2:/bin/bash
bandit20:x:11020:11020:bandit level 20:/home/bandit20:/bin/bash
bandit21:x:11021:11021:bandit level 21:/home/bandit21:/bin/bash
bandit22:x:11022:11022:bandit level 22:/home/bandit22:/bin/bash
bandit23:x:11023:11023:bandit level 23:/home/bandit23:/bin/bash
bandit24:x:11024:11024:bandit level 24:/home/bandit24:/bin/bash
bandit25:x:11025:11025:bandit level 25:/home/bandit25:/bin/bash
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
bandit27:x:11027:11027:bandit level 27:/home/bandit27:/bin/bash
bandit28:x:11028:11028:bandit level 28:/home/bandit28:/bin/bash
bandit29:x:11029:11029:bandit level 29:/home/bandit29:/bin/bash
bandit3:x:11003:11003:bandit level 3:/home/bandit3:/bin/bash
bandit30:x:11030:11030:bandit level 30:/home/bandit30:/bin/bash
bandit31:x:11031:11031:bandit level 31:/home/bandit31:/bin/bash
bandit32:x:11032:11032:bandit level 32:/home/bandit32:/home/bandit32/uppershell
bandit33:x:11033:11033:bandit level 33:/home/bandit33:/bin/bash
bandit4:x:11004:11004:bandit level 4:/home/bandit4:/bin/bash
bandit5:x:11005:11005:bandit level 5:/home/bandit5:/bin/bash
bandit6:x:11006:11006:bandit level 6:/home/bandit6:/bin/bash
bandit7:x:11007:11007:bandit level 7:/home/bandit7:/bin/bash
bandit8:x:11008:11008:bandit level 8:/home/bandit8:/bin/bash
bandit9:x:11009:11009:bandit level 9:/home/bandit9:/bin/bash
bandit27-git:x:11527:11527::/home/bandit27-git:/usr/bin/git-shell
bandit28-git:x:11528:11528::/home/bandit28-git:/usr/bin/git-shell
bandit29-git:x:11529:11529::/home/bandit29-git:/usr/bin/git-shell
bandit30-git:x:11530:11530::/home/bandit30-git:/usr/bin/git-shell
bandit31-git:x:11531:11531::/home/bandit31-git:/usr/bin/git-shell
bl@bl-virtual-machine:~/wargame$ ssh bandit26@bandit.labs.overthewire.org -p 2220
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit26@bandit.labs.overthewire.org's password:
_ _ _ _ ___ __
| | | (_) | |__ \ / /
| |__ __ _ _ __ __| |_| |_ ) / /_
| '_ \ / _` | '_ \ / _` | | __| / / '_ \
| |_) | (_| | | | | (_| | | |_ / /| (_) |
|_.__/ \__,_|_| |_|\__,_|_|\__|____\___/
Connection to bandit.labs.overthewire.org closed.
bl@bl-virtual-machine:~/wargame$ ssh bandit26@bandit.labs.overthewire.org -p 2220
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit26@bandit.labs.overthewire.org's password:
_ _ _ _ ___ __
| | | (_) | |__ \ / /
!vim
_ _ _ _ ___ __
| | | (_) | |__ \ / /
!v
_ _ _ _ ___ __
| | | (_) | |__ \ / /
:!ls
_ _ _ _ ___ __
| | | (_) | |__ \ / /
| |__ __ _ _ __ __| |_| |_ ) / /_
:!ls
_ _ _ _ ___ __
| | | (_) | |__ \ / /
:sh
$ ls
bandit27-do text.txt
$ cat text.txt
_ _ _ _ ___ __
| | | (_) | |__ \ / /
| |__ __ _ _ __ __| |_| |_ ) / /_
| '_ \ / _` | '_ \ / _` | | __| / / '_ \
| |_) | (_| | | | | (_| | | |_ / /| (_) |
|_.__/ \__,_|_| |_|\__,_|_|\__|____\___/
$ ./bandit27-do
Run a command as another user.
Example: ./bandit27-do id
$ ./bandit27-do id
uid=11026(bandit26) gid=11026(bandit26) euid=11027(bandit27) groups=11026(bandit26)
$ ./bandit27-do cat /etc/bandit_pass/bandit27
3ba3118a22e93127a4ed485be72ef5ea
bl@bl-virtual-machine:~/wargame$ ssh bandit27@bandit.labs.overthewire.org -p 2220
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit27@bandit.labs.overthewire.org's password:
bandit27@bandit:~$ git clone ssh://bandit27-git@localhost/home/bandit27-git/repo
fatal: could not create work tree dir 'repo': Permission denied
bandit27@bandit:~$ git clone ssh://bandit27-git@localhost:2220/home/bandit27-git/repo
fatal: could not create work tree dir 'repo': Permission denied
bandit27@bandit:~$ cd /tmp
bandit27@bandit:/tmp$ mkdir b27r
bandit27@bandit:/tmp$ cd b27r
bandit27@bandit:/tmp/b27r$ git clone ssh://bandit27-git@localhost:2220/home/bandit27-git/repo
Cloning into 'repo'...
ssh: connect to host localhost port 2220: Connection refused
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
bandit27@bandit:/tmp/b27r$ git clone ssh://bandit27-git@localhost/home/bandit27-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit27/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit27/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit27-git@localhost's password:
remote: Counting objects: 3, done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 3 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (3/3), done.
bandit27@bandit:/tmp/b27r$ ls
repo
bandit27@bandit:/tmp/b27r$ cd repo
bandit27@bandit:/tmp/b27r/repo$ ls
README
bandit27@bandit:/tmp/b27r/repo$ cat README
The password to the next level is: 0ef186ac70e04ea33b4c1853d2526fa2
bandit27@bandit:/tmp/b27r/repo$
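From the level description, the git password is the same as this level's flag.
This is a very simple use of git; we already knew that git supports the ssh protocol,
so I went straight into bandit27 to clone the repository.
It failed with a permission error. I thought the port was wrong, but in fact I had forgotten that we have no read/write permission on bandit27's home directory.
The usual trick: create a new directory under /tmp and clone there. Sure enough it worked, and the flag is in the README inside the repo.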
level 29
无意的发现
bandit12@bandit:~$ ls
data.txt
bandit12@bandit:~$ ls /tmp/fuck
repo
bandit12@bandit:~$ ls /tmp/fuck/repo
README.md
bandit12@bandit:~$ ls /tmp/fuck/repo/README.md
/tmp/fuck/repo/README.md
bandit12@bandit:~$ cat /tmp/fuck/repo/README.md
# Bandit Notes
Some notes for level29 of bandit.
## credentials
- username: bandit29
- password: bbc96594b4e001778eee9975372716b2
Enjoy your stay!
bandit29@bandit:~$ mkdir /tmp/b29r
bandit29@bandit:~$ cd /tmp/b29r
bandit29@bandit:/tmp/b29r$ git clone ssh://bandit29-git@localhost/home/bandit29-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit29/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit29/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit29-git@localhost's password:
remote: Counting objects: 16, done.
remote: Compressing objects: 100% (11/11), done.
remote: Total 16 (delta 2), reused 0 (delta 0)
Receiving objects: 100% (16/16), done.
Resolving deltas: 100% (2/2), done.
bandit29@bandit:/tmp/b29r$ ls
repo
bandit29@bandit:/tmp/b29r$ cd repo
bandit29@bandit:/tmp/b29r/repo$ ls
README.md
bandit29@bandit:/tmp/b29r/repo$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.
## credentials
- username: bandit30
- password: <no passwords in production!>
bandit29@bandit:/tmp/b29r/repo$ git log
commit 84abedc104bbc0c65cb9eb74eb1d3057753e70f8
Author: Ben Dover <noone@overthewire.org>
Date: Tue Oct 16 14:00:41 2018 +0200
fix username
commit 9b19e7d8c1aadf4edcc5b15ba8107329ad6c5650
Author: Ben Dover <noone@overthewire.org>
Date: Tue Oct 16 14:00:41 2018 +0200
initial commit of README.md
bandit29@bandit:/tmp/b29r/repo$ ls .git/branches/
bandit29@bandit:/tmp/b29r/repo$ ls .git
branches description hooks info objects refs
config HEAD index logs packed-refs
bandit29@bandit:/tmp/b29r/repo$ cat .git/config
[core]
	repositoryformatversion = 0
	filemode = true
	bare = false
	logallrefupdates = true
[remote "origin"]
	url = ssh://bandit29-git@localhost/home/bandit29-git/repo
	fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
	remote = origin
	merge = refs/heads/master
bandit29@bandit:/tmp/b29r/repo$ git reset --hard 84abedc104bbc0c65cb9eb74eb1d3057753e70f8
HEAD is now at 84abedc fix username
bandit29@bandit:/tmp/b29r/repo$ ls
README.md
bandit29@bandit:/tmp/b29r/repo$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.
## credentials
- username: bandit30
- password: <no passwords in production!>
bandit29@bandit:/tmp/b29r/repo$
bandit29@bandit:/tmp/b29r/repo$ cat .git/HEAD
ref: refs/heads/master
bandit29@bandit:/tmp/b29r/repo$ git branch
* master
bandit29@bandit:/tmp/b29r/repo$ git branch -a
* master
remotes/origin/HEAD -> origin/master
remotes/origin/dev
remotes/origin/master
remotes/origin/sploits-dev
bandit29@bandit:/tmp/b29r/repo$ git checkout origin/dev
Note: checking out 'origin/dev'.
You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.
If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:
git checkout -b <new-branch-name>
HEAD is now at 33ce2e9... add data needed for development
bandit29@bandit:/tmp/b29r/repo$ ls
code README.md
bandit29@bandit:/tmp/b29r/repo$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.
## credentials
- username: bandit30
- password: 5b90576bedb2cc04c86a9e924ce42faf
bandit29@bandit:/tmp/b29r/repo$ ls code
gif2ascii.py
bandit29@bandit:/tmp/b29r/repo$ cat code/gif2ascii.py
bandit29@bandit:/tmp/b29r/repo$
bandit30@bandit:~$ mkdir /tmp/b30r
bandit30@bandit:~$ cd /tmp/b30r
bandit30@bandit:/tmp/b30r$ ls
bandit30@bandit:/tmp/b30r$ git clone ssh://bandit30-git@localhost/home/bandit30-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit30/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit30/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit30-git@localhost's password:
remote: Counting objects: 4, done.
remote: Total 4 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (4/4), done.
bandit30@bandit:/tmp/b30r$ cd repo
bandit30@bandit:/tmp/b30r/repo$ ls
README.md
bandit30@bandit:/tmp/b30r/repo$ cat README.md
just an epmty file... muahaha
bandit30@bandit:/tmp/b30r/repo$ git log
commit 3aa4c239f729b07deb99a52f125893e162daac9e
Author: Ben Dover <noone@overthewire.org>
Date: Tue Oct 16 14:00:44 2018 +0200
initial commit of README.md
bandit30@bandit:/tmp/b30r/repo$ cat .git/config
[core]
	repositoryformatversion = 0
	filemode = true
	bare = false
	logallrefupdates = true
[remote "origin"]
	url = ssh://bandit30-git@localhost/home/bandit30-git/repo
	fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
	remote = origin
	merge = refs/heads/master
bandit30@bandit:/tmp/b30r/repo$ git branch -a
* master
remotes/origin/HEAD -> origin/master
remotes/origin/master
bandit30@bandit:/tmp/b30r/repo$ ls .git
branches description hooks info objects refs
config HEAD index logs packed-refs
bandit30@bandit:/tmp/b30r/repo$ cat .git/description
Unnamed repository; edit this file 'description' to name the repository.
bandit30@bandit:/tmp/b30r/repo$ git status
On branch master
Your branch is up-to-date with 'origin/master'.
nothing to commit, working tree clean
bandit30@bandit:/tmp/b30r/repo$ git diff --cache
error: invalid option: --cache
bandit30@bandit:/tmp/b30r/repo$ git diff --cached
bandit30@bandit:/tmp/b30r/repo$ git diff
bandit30@bandit:/tmp/b30r/repo$ git diff HEAD
bandit30@bandit:/tmp/b30r/repo$ git show-ref
3aa4c239f729b07deb99a52f125893e162daac9e refs/heads/master
3aa4c239f729b07deb99a52f125893e162daac9e refs/remotes/origin/HEAD
3aa4c239f729b07deb99a52f125893e162daac9e refs/remotes/origin/master
f17132340e8ee6c159e0a4a6bc6f80e1da3b1aea refs/tags/secret
bandit30@bandit:/tmp/b30r/repo$ git show f17132340e8ee6c159e0a4a6bc6f80e1da3b1aea
47e603bb428404d265f59c42920d81e5
bandit30@bandit:/tmp/b30r/repo$
bandit31@bandit:~$ mkdir /tmp/b31r
bandit31@bandit:~$ cd /tmp/b31r
bandit31@bandit:/tmp/b31r$ git clone ssh://bandit31-git@localhosthome/bandit31-git/repo
Cloning into 'repo'...
ssh: Could not resolve hostname localhosthome: No address associated with hostname
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
bandit31@bandit:/tmp/b31r$ ls
bandit31@bandit:/tmp/b31r$ git clone ssh://bandit31-git@localhost/home/bandit31-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit31/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit31/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit31-git@localhost's password:
remote: Counting objects: 4, done.
remote: Compressing objects: 100% (3/3), done.
remote: Total 4 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (4/4), done.
bandit31@bandit:/tmp/b31r$ cd repo
bandit31@bandit:/tmp/b31r/repo$ ls
README.md
bandit31@bandit:/tmp/b31r/repo$ cat README.md
This time your task is to push a file to the remote repository.
Details:
File name: key.txt
Content: 'May I come in?'
Branch: master
bandit31@bandit:/tmp/b31r/repo$ touch key.txt
bandit31@bandit:/tmp/b31r/repo$ echo 'May I come in?' >> key.txt
bandit31@bandit:/tmp/b31r/repo$ cat key.txt
May I come in?
bandit31@bandit:/tmp/b31r/repo$ git add key.txt
The following paths are ignored by one of your .gitignore files:
key.txt
Use -f if you really want to add them.
bandit31@bandit:/tmp/b31r/repo$ git add -f key.txt
bandit31@bandit:/tmp/b31r/repo$ ls -al
total 24
drwxr-sr-x 3 bandit31 root 4096 Feb 26 04:47 .
drwxr-sr-x 3 bandit31 root 4096 Feb 26 04:46 ..
drwxr-sr-x 8 bandit31 root 4096 Feb 26 04:48 .git
-rw-r--r-- 1 bandit31 root 6 Feb 26 04:46 .gitignore
-rw-r--r-- 1 bandit31 root 15 Feb 26 04:47 key.txt
-rw-r--r-- 1 bandit31 root 147 Feb 26 04:46 README.md
bandit31@bandit:/tmp/b31r/repo$ cat .gitignore
*.txt
bandit31@bandit:/tmp/b31r/repo$ git commit -m "Hello"
[master de012c9] Hello
1 file changed, 1 insertion(+)
create mode 100644 key.txt
bandit31@bandit:/tmp/b31r/repo$ git push
Could not create directory '/home/bandit31/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit31/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit31-git@localhost's password:
Counting objects: 3, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 319 bytes | 0 bytes/s, done.
Total 3 (delta 0), reused 0 (delta 0)
remote: ### Attempting to validate files... ####
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
remote: Well done! Here is the password for the next level:
remote: 56a9bf19c63d650ce78e6ec0354ee45e
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
To ssh://localhost/home/bandit31-git/repo
! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'ssh://bandit31-git@localhost/home/bandit31-git/repo'
bandit31@bandit:/tmp/b31r/repo$
bl@bl-virtual-machine:~/wargame$ ssh bandit32@bandit.labs.overthewire.org -p 2220
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit32@bandit.labs.overthewire.org's password:
WELCOME TO THE UPPERCASE SHELL
>> #!/bin/sh
>> bash
sh: 1: BASH: not found
>> man
sh: 1: MAN: not found
>> sh
sh: 1: SH: not found
>> $0
$ ls
uppershell
$ id
uid=11033(bandit33) gid=11032(bandit32) groups=11032(bandit32)
$ pwd
/home/bandit32
$ cat /etc/bandit_pass/bandit32
cat: /etc/bandit_pass/bandit32: Permission denied
$ cat /etc/bandit_pass/bandit33
c9c3199ddf4121b10cf581a98d51caee
$
bl@bl-virtual-machine:~/wargame$ ssh bandit33@bandit.labs.overthewire.org -p 2220
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames
bandit33@bandit.labs.overthewire.org's password:
bandit33@bandit:~$ ls
README.txt
bandit33@bandit:~$ cat README.txt
Congratulations on solving the last level of this game!
At this moment, there are no more levels to play in this game. However, we are constantly working
on new levels and will most likely expand this game with more levels soon.
Keep an eye out for an announcement on our usual communication channels!
In the meantime, you could play some of our other wargames.
If you have an idea for an awesome new level, please let us know!
bandit33@bandit:~$
SSH Information
Host: krypton.labs.overthewire.org
Port: 2222
level 0
Welcome to Krypton! The first level is easy. The following string encodes the password using Base64:
S1JZUFRPTklTR1JFQVQ=
Use this password to log in to krypton.labs.overthewire.org with username krypton1 using SSH on port 2222. You can find the files for other levels in /krypton/
$ ssh krypton1@krypton.labs.overthewire.org -p 2222
The authenticity of host '[krypton.labs.overthewire.org]:2222 ([176.9.9.172]:2222)' can't be established.
ECDSA key fingerprint is SHA256:SCySwNrZFEHArEX1cAlnnaJ5gz2O8VEigY9X80nFWUU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[krypton.labs.overthewire.org]:2222,[176.9.9.172]:2222' (ECDSA) to the list of known hosts.
a http://www.overthewire.org wargame.
krypton1@krypton.labs.overthewire.org's password:
Permission denied, please try again.
krypton1@krypton.labs.overthewire.org's password:
Permission denied, please try again.
krypton1@krypton.labs.overthewire.org's password:
Welcome to Ubuntu 14.04 LTS (GNU/Linux 4.4.0-92-generic x86_64)
* Documentation: https://help.ubuntu.com/
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
krypton1@krypton:~$
krypton1@krypton:~$ ls -al
total 24
drwxr-xr-x 3 krypton1 krypton1 4096 Feb 27 11:03 .
drwxr-xr-x 10 root root 4096 Feb 27 11:03 ..
-rw-r--r-- 1 krypton1 krypton1 220 Apr 9 2014 .bash_logout
-rw-r--r-- 1 krypton1 krypton1 3637 Apr 9 2014 .bashrc
drwx------ 2 krypton1 krypton1 4096 Feb 27 11:03 .cache
-rw-r--r-- 1 krypton1 krypton1 675 Apr 9 2014 .profile
krypton1@krypton:~$ cd /krypton/
krypton1@krypton:/krypton$ ls
krypton1 krypton2 krypton3 krypton4 krypton5 krypton6
krypton1@krypton:/krypton$ ls krypton1
README krypton2
krypton1@krypton:/krypton$ cat krypton1/README
Welcome to Krypton!
This game is intended to give hands on experience with cryptography
and cryptanalysis. The levels progress from classic ciphers, to modern,
easy to harder.
Although there are excellent public tools, like cryptool,to perform
the simple analysis, we strongly encourage you to try and do these
without them for now. We will use them in later excercises.
** Please try these levels without cryptool first **
The first level is easy. The password for level 2 is in the file
'krypton2'. It is 'encrypted' using a simple rotation called ROT13.
It is also in non-standard ciphertext format. When using alpha characters for
cipher text it is normal to group the letters into 5 letter clusters,
regardless of word boundaries. This helps obfuscate any patterns.
This file has kept the plain text word boundaries and carried them to
the cipher text.
Enjoy!
krypton1@krypton:/krypton$ cat krypton1/krypton2
YRIRY GJB CNFFJBEQ EBGGRA
krypton1@krypton:/krypton$
krypton2@krypton:~$ ls
krypton2@krypton:~$ cd /krypton/
krypton2@krypton:/krypton$ cd krypton2
krypton2@krypton:/krypton/krypton2$ ls
README encrypt keyfile.dat krypton3
krypton2@krypton:/krypton/krypton2$ cat README
Krypton 2
ROT13 is a simple substitution cipher.
Substitution ciphers are a simple replacement algorithm. In this example
of a substitution cipher, we will explore a 'monoalphebetic' cipher.
Monoalphebetic means, literally, "one alphabet" and you will see why.
This level contains an old form of cipher called a 'Caesar Cipher'.
A Caesar cipher shifts the alphabet by a set number. For example:
plain: a b c d e f g h i j k ...
cipher: G H I J K L M N O P Q ...
In this example, the letter 'a' in plaintext is replaced by a 'G' in the
ciphertext so, for example, the plaintext 'bad' becomes 'HGJ' in ciphertext.
The password for level 3 is in the file krypton3. It is in 5 letter
group ciphertext. It is encrypted with a Caesar Cipher. Without any
further information, this cipher text may be difficult to break. You do
not have direct access to the key, however you do have access to a program
that will encrypt anything you wish to give it using the key.
If you think logically, this is completely easy.
One shot can solve it!
Have fun.
Additional Information:
The `encrypt` binary will look for the keyfile in your current working
directory. Therefore, it might be best to create a working direcory in /tmp
and in there a link to the keyfile. As the `encrypt` binary runs setuid
`krypton3`, you also need to give `krypton3` access to your working directory.
Here is an example:
krypton2@melinda:~$ mktemp -d
/tmp/tmp.Wf2OnCpCDQ
krypton2@melinda:~$ cd /tmp/tmp.Wf2OnCpCDQ
krypton2@melinda:/tmp/tmp.Wf2OnCpCDQ$ ln -s /krypton/krypton2/keyfile.dat
krypton2@melinda:/tmp/tmp.Wf2OnCpCDQ$ ls
keyfile.dat
krypton2@melinda:/tmp/tmp.Wf2OnCpCDQ$ chmod 777 .
krypton2@melinda:/tmp/tmp.Wf2OnCpCDQ$ /krypton/krypton2/encrypt /etc/issue
krypton2@melinda:/tmp/tmp.Wf2OnCpCDQ$ ls
ciphertext keyfile.dat
krypton2@krypton:/krypton/krypton2$
krypton2@krypton:/krypton/krypton2$ mktemp -d
/tmp/tmp.fz9I1hQd5d
krypton2@krypton:/krypton/krypton2$ cd /tmp/tmp.fz9I1hQd5d
krypton2@krypton:/tmp/tmp.fz9I1hQd5d$ ln -s /krypton/krypton2/keyfile.dat
krypton2@krypton:/tmp/tmp.fz9I1hQd5d$ ls
keyfile.dat
krypton2@krypton:/tmp/tmp.fz9I1hQd5d$ chmod 777 .
krypton2@krypton:/tmp/tmp.fz9I1hQd5d$ /krypton/krypton2/encrypt /etc/issue
krypton2@krypton:/tmp/tmp.fz9I1hQd5d$ ls
ciphertext keyfile.dat
krypton2@krypton:/tmp/tmp.fz9I1hQd5d$ cat ciphertext
GNGZFGXFEZX
krypton2@krypton:/tmp/tmp.fz9I1hQd5d$ cat keyfile.dat
cat: keyfile.dat: Permission denied
krypton2@krypton:/tmp/tmp.fz9I1hQd5d$ ls -al
total 12
drwxrwxrwx 2 krypton2 krypton2 4096 Feb 27 11:19 .
drwxrwx-wt 3 root root 4096 Feb 27 11:20 ..
-rw-rw-r-- 1 krypton3 krypton2 11 Feb 27 11:19 ciphertext
lrwxrwxrwx 1 krypton2 krypton2 29 Feb 27 11:18 keyfile.dat -> /krypton/krypton2/keyfile.dat
krypton2@krypton:/tmp/tmp.fz9I1hQd5d$
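The known-plaintext shortcut that the Krypton 2 README hints at, as an added Python example (not part of the original write-up and not OverTheWire's code): it recovers the Caesar shift from the `ciphertext` file shown above and reuses the same routine with shift 13 for the ROT13 string from level 1. It assumes that `/etc/issue` is the stock Ubuntu 14.04 file and that `encrypt` upper-cases its input and keeps only letters; all function and constant names are illustrative.

```python
import string

ALPHABET = string.ascii_uppercase

# Assumption: stock Ubuntu 14.04 /etc/issue (the file holds literal "\n" and "\l").
ISSUE_ASSUMED = "Ubuntu 14.04 LTS \\n \\l"
# Output of `cat ciphertext` after `encrypt /etc/issue` in the session above.
CIPHERTEXT_FROM_PAGE = "GNGZFGXFEZX"
# Contents of /krypton/krypton1/krypton2 as shown in the level 1 session.
ROT13_FROM_PAGE = "YRIRY GJB CNFFJBEQ EBGGRA"


def letters_only(text):
    """Upper-case the text and drop everything that is not A-Z."""
    return "".join(c for c in text.upper() if c in ALPHABET)


def caesar(text, shift):
    """Shift every A-Z letter by `shift` places; other characters pass through."""
    out = []
    for c in text:
        if c in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(c) + shift) % 26])
        else:
            out.append(c)
    return "".join(out)


def decrypt(ciphertext, shift):
    """Undo a Caesar encryption made with `shift`."""
    return caesar(ciphertext, -shift)


def recover_shift(known_plaintext, ciphertext):
    """Derive the key from one plaintext/ciphertext pair.

    Every letter pair must agree on the same shift; otherwise the pair does
    not come from a single Caesar key (or the plaintext guess is wrong).
    """
    plain = letters_only(known_plaintext)
    cipher = letters_only(ciphertext)
    if not plain or len(plain) != len(cipher):
        raise ValueError("plaintext and ciphertext letter counts differ")
    shifts = {
        (ALPHABET.index(c) - ALPHABET.index(p)) % 26
        for p, c in zip(plain, cipher)
    }
    if len(shifts) != 1:
        raise ValueError("pair is not consistent with one Caesar shift")
    return shifts.pop()


if __name__ == "__main__":
    # README example: 'a' -> 'G' is a shift of 6, so 'bad' -> 'HGJ'.
    print(caesar("BAD", 6))
    # One known pair is enough to expose the whole key.
    key = recover_shift(ISSUE_ASSUMED, CIPHERTEXT_FROM_PAGE)
    print("recovered shift:", key)
    print(decrypt(CIPHERTEXT_FROM_PAGE, key))
    # ROT13 is the same cipher with a fixed shift of 13.
    print(decrypt(ROT13_FROM_PAGE, 13))
```

All eleven letter pairs agree on one shift, which both confirms the assumed plaintext and shows why a cipher with a 26-value key space falls to a single known pair.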
# 25char
257: (space)
155: S
107: C
106: Q
102: J
100: U
87: B
81: G
74: N
69: D
57: Z
56: V
47: W
42: Y
32: T
29: X
29: M
27: L
25: K
20: A
17: E
11: F
7: O
2: I
2: H
1: R
# 26char
354: (space)
243: S
186: Q
158: J
135: N
130: U
129: B
119: D
111: G
86: C
66: W
59: Z
53: V
45: M
37: T
34: E
33: Y
33: X
30: K
27: L
26: A
14: I
12: F
3: O
2: R
2: H
1: P
# 25char
93: (space)
58: S
48: Q
41: J
35: G
34: C
31: N
30: B
27: U
22: D
21: V
16: Z
16: W
13: E
12: M
12: K
9: Y
9: X
9: A
6: T
6: L
5: F
3: I
2: O
1: R
1: P