```
This is an OverTheWire game server. More information on http://www.overthewire.org/wargames

[email protected]'s password:

Welcome to OverTheWire!

If you find any problems, please report them to the #wargames channel on
discord or IRC.

--[ Playing the games ]--

  This machine might hold several wargames.
  If you are playing "somegame", then:

    * USERNAMES are somegame0, somegame1, ...
    * Most LEVELS are stored in /somegame/.
    * PASSWORDS for each level are stored in /etc/somegame_pass/.

  Write-access to homedirectories is disabled. It is advised to create a
  working directory with a hard-to-guess name in /tmp/. You can use the
  command "mktemp -d" in order to generate a random and hard to guess
  directory in /tmp/. Read-access to both /tmp/ is disabled and to /proc
  restricted so that users cannot snoop on eachother. Files and directories
  with easily guessable or short names will be periodically deleted! The /tmp
  directory is regularly wiped.
  Please play nice:

    * don't leave orphan processes running
    * don't leave exploit-files laying around
    * don't annoy other players
    * don't post passwords or spoilers
    * again, DONT POST SPOILERS!
      This includes writeups of your solution on your blog or website!

--[ Tips ]--

  This machine has a 64bit processor and many security-features enabled
  by default, although ASLR has been switched off. The following
  compiler flags might be interesting:

    -m32                    compile for 32bit
    -fno-stack-protector    disable ProPolice
    -Wl,-z,norelro          disable relro

  In addition, the execstack tool can be used to flag the stack as
  executable on ELF binaries.

  Finally, network-access is limited for most levels by a local
  firewall.

--[ Tools ]--

  For your convenience we have installed a few useful tools which you can find
  in the following locations:

    * gef (https://github.com/hugsy/gef) in /opt/gef/
    * pwndbg (https://github.com/pwndbg/pwndbg) in /opt/pwndbg/
    * gdbinit (https://github.com/gdbinit/Gdbinit) in /opt/gdbinit/
    * pwntools (https://github.com/Gallopsled/pwntools)
    * radare2 (http://www.radare.org/)

--[ More information ]--

  For more information regarding individual wargames, visit
  http://www.overthewire.org/wargames/

  For support, questions or comments, contact us on discord or IRC.

  Enjoy your stay!

bandit0@bandit:~$ ls
readme
bandit0@bandit:~$ cat readme
Congratulations on your first steps into the bandit game!!
Please make sure you have read the rules at https://overthewire.org/rules/
If you are following a course, workshop, walkthrough or other educational activity,
please inform the instructor about the rules as well and encourage them to
contribute to the OverTheWire community so we can keep these games free!

The password you are looking for is: ZjLjTmM6FvvyRnrb2rfNWOZOTa6ip5If
```
```
bandit4@bandit:~/inhere$ for i in *; do cat <$i; done
...... (binary output omitted) ......4oQYVPkxZOOEOO5pTW81FB8j8lxXGUQw...... (binary output omitted) ......
```
Or:
```
bandit4@bandit:~/inhere$ file ./*
./-file00: data
./-file01: data
./-file02: data
./-file03: data
./-file04: data
./-file05: data
./-file06: data
./-file07: ASCII text
./-file08: data
./-file09: data
bandit4@bandit:~/inhere$ cat ./-file07
4oQYVPkxZOOEOO5pTW81FB8j8lxXGUQw
```
Level 5
HWasnPhtq9AVKe0dmk45nxy20cvUa6EG
It turns out every level comes with a hint on its page.
```
bandit5@bandit:~/inhere$ find . -type f -size 1033c -exec file {} \;
./maybehere07/.file2: ASCII text, with very long lines (1000)
bandit5@bandit:~/inhere$ cat ./maybehere07/.file2
HWasnPhtq9AVKe0dmk45nxy20cvUa6EG
...... (omitted)
```
Level 6
The password for the next level is stored somewhere on the server and has all of the following properties:
The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.
FGUW5ilLVJrxX9kMYMmlN4MgbpfMiqey. View the file with strings and filter the output with grep.
```
bandit9@bandit:~$ strings data.txt |grep "=="
}========== the
3JprD========== passwordi
~fDV3========== is
D9========== FGUW5ilLVJrxX9kMYMmlN4MgbpfMiqey
```
Level 10
The password for the next level is stored in the file data.txt, which contains base64 encoded data
dtR173fZKb0RRsDFSGsg2RWnpNVj3qRr. There is really not much to say about this one.
```
bandit10@bandit:~$ cat data.txt |base64 -d
The password is dtR173fZKb0RRsDFSGsg2RWnpNVj3qRr
```
Level 11
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions
```
bandit11@bandit:~$ cat data.txt | tr "A-Za-z" "N-ZA-Mn-za-m"
The password is 7x16WNeHIi5YkIhWsfFIqoognUTyj9Q4
```
'A-Za-z' stands for all English letters, both uppercase and lowercase.
'N-ZA-Mn-za-m' is the replacement string, obtained by counting 13 letters forward.
'A-Z' is replaced by 'N-ZA-M',
and 'a-z' is replaced by 'n-za-m'.
Level 12
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work. Use mkdir with a hard to guess directory name. Or better, use the command “mktemp -d”. Then copy the datafile using cp, and rename it using mv (read the manpages!)
```
bandit12@bandit:/tmp/tmp.kMCRHiv7fo$ mv 1 2.gz
bandit12@bandit:/tmp/tmp.kMCRHiv7fo$ gzip -d 2.gz
bandit12@bandit:/tmp/tmp.kMCRHiv7fo$ file 2
2: POSIX tar archive (GNU)
bandit12@bandit:/tmp/tmp.kMCRHiv7fo$ mv 2 3.tar
bandit12@bandit:/tmp/tmp.kMCRHiv7fo$ tar -xvf 3.tar
data5.bin
bandit12@bandit:/tmp/tmp.kMCRHiv7fo$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@bandit:/tmp/tmp.kMCRHiv7fo$ mv data5.bin 4.tar
bandit12@bandit:/tmp/tmp.kMCRHiv7fo$ tar -xvf 4.tar
data6.bin
bandit12@bandit:/tmp/tmp.kMCRHiv7fo$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/tmp.kMCRHiv7fo$ mv data6.bin 5.bz2
bandit12@bandit:/tmp/tmp.kMCRHiv7fo$ bzip2 -d 5.bz2
bandit12@bandit:/tmp/tmp.kMCRHiv7fo$ file 5
5: POSIX tar archive (GNU)
bandit12@bandit:/tmp/tmp.kMCRHiv7fo$ mv 5 5.tar
bandit12@bandit:/tmp/tmp.kMCRHiv7fo$ tar -xvf 5.tar
data8.bin
bandit12@bandit:/tmp/tmp.kMCRHiv7fo$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", last modified: Thu Sep 19 07:08:15 2024, max compression, from Unix, original size modulo 2^32 49
bandit12@bandit:/tmp/tmp.kMCRHiv7fo$ mv data8.bin 6.gz
bandit12@bandit:/tmp/tmp.kMCRHiv7fo$ gzip -d 6.gz
bandit12@bandit:/tmp/tmp.kMCRHiv7fo$ file 6
6: ASCII text
bandit12@bandit:/tmp/tmp.kMCRHiv7fo$ cat 6
The password is FO5dwFsc0cbaIiH0h8J2eUks2vdTDwAn
```
Annoying 👿, it is nesting dolls all the way down; a script would really make this easier.
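A script of the kind wished for above, as an added example that is not part of the original post: it peels gzip, bzip2 and tar layers by their magic bytes until plain data remains, instead of renaming and running `file` by hand. The function names `detect_layer` and `unwrap` are chosen here, and it assumes each tar layer holds a single file, as in the session above.

```shell
#!/usr/bin/env bash
# Added example: peel nested gzip / bzip2 / tar layers until plain data remains.
# Assumption: each tar layer holds a single regular file, as in the session above.
# Reverse the hexdump first (xxd -r data.txt > data.bin), then run: unwrap data.bin

# detect_layer FILE -> prints gzip | bzip2 | tar | other, decided by magic bytes
detect_layer() {
    local magic ustar
    # First three bytes in hex: gzip starts 1f 8b, bzip2 starts "BZh" (42 5a 68).
    magic=$(od -An -tx1 -N 3 "$1" | tr -d ' \n')
    # A tar header carries the string "ustar" (75 73 74 61 72) at byte offset 257.
    ustar=$(od -An -tx1 -j 257 -N 5 "$1" 2>/dev/null | tr -d ' \n')
    case $magic in
        1f8b*)  echo gzip ;;
        425a68) echo bzip2 ;;
        *)      if [ "$ustar" = 7573746172 ]; then echo tar; else echo other; fi ;;
    esac
}

# unwrap FILE -> prints the path of the innermost payload; FILE itself is untouched.
unwrap() {
    local work cur next kind n
    work=$(mktemp -d) || return 1       # private, hard-to-guess working directory
    cur=$work/layer0
    n=0
    cp -- "$1" "$cur" || return 1
    while [ "$n" -lt 32 ]; do           # depth cap: stop on archive loops or bombs
        kind=$(detect_layer "$cur")
        n=$((n + 1))
        next=$work/layer$n
        case $kind in
            gzip)  gzip  -dc < "$cur" > "$next" || return 1 ;;
            bzip2) bzip2 -dc < "$cur" > "$next" || return 1 ;;
            # -O streams the member to stdout, so stored names never reach the disk
            tar)   tar -xOf "$cur" > "$next" || return 1 ;;
            other) echo "$cur"; return 0 ;;
        esac
        cur=$next
    done
    echo "unwrap: more than 32 layers, giving up" >&2
    return 1
}
```

Reading the type from the bytes rather than from the file name is also why no `mv` to `.gz` or `.bz2` is needed here.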
Level 13
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL/TLS encryption.
Helpful note: Getting “DONE”, “RENEGOTIATING” or “KEYUPDATE”? Read the “CONNECTED COMMANDS” section in the manpage.
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL/TLS and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
Helpful note: Getting “DONE”, “RENEGOTIATING” or “KEYUPDATE”? Read the “CONNECTED COMMANDS” section in the manpage.
There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new
NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19
The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
```
This is an OverTheWire game server. More information on http://www.overthewire.org/wargames

[email protected]'s password:
$ ls
readme
$ cat readme
cGWpMaKXVwDUNgPAVJbWYuGHVn9zl3j8
```
Level 19
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.
0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO
bandit20-do has the SUID bit set, so it can simply be used to read the password.
```
bandit19@bandit:~$ ls -al
total 36
drwxr-xr-x  2 root     root      4096 Sep 19 07:08 .
drwxr-xr-x 70 root     root      4096 Sep 19 07:09 ..
-rwsr-x---  1 bandit20 bandit19 14880 Sep 19 07:08 bandit20-do
-rw-r--r--  1 root     root       220 Mar 31  2024 .bash_logout
-rw-r--r--  1 root     root      3771 Mar 31  2024 .bashrc
-rw-r--r--  1 root     root       807 Mar 31  2024 .profile
bandit19@bandit:~$ ./bandit20-do
Run a command as another user.
  Example: ./bandit20-do id
bandit19@bandit:~$ ./bandit20-do id
uid=11019(bandit19) gid=11019(bandit19) euid=11020(bandit20) groups=11019(bandit19)
bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO
```
There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
NOTE: Try connecting to your own network daemon to see if it works as you think
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…
```
bandit22@bandit:~$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349
bandit22@bandit:~$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
0Zf11ioIjMVN551jX3CmStKLYqjk54Ga
```
Level 23
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…
```bash
myname=$(whoami)

cd /var/spool/$myname/foo
echo "Executing and deleting all scripts in /var/spool/$myname/foo:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        owner="$(stat --format "%U" ./$i)"
        if [ "${owner}" = "bandit23" ]; then
            timeout -s 9 60 ./$i
        fi
        rm -f ./$i
    fi
done
```
myname=$(whoami): gets the name of the current user and stores it in the variable myname.
cd /var/spool/$myname/foo: changes into /var/spool/$myname/foo, the foo subdirectory under the directory named after the current user.
echo "Executing and deleting all scripts in /var/spool/$myname/foo:": prints a message saying that the script will execute and then delete every script in /var/spool/$myname/foo.
for i in * .*;: starts a loop over all files in the current directory, including hidden files (names starting with a dot).
if [ "$i" != "." -a "$i" != ".." ];: checks that the current entry is neither . (the current directory) nor .. (the parent directory).
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing. You do not need to create new connections each time
iCi86ttT4KSNe1armKiwbQNmB3YJP3q4
Write a loop script and run it, and that is all there is to it. Note that there is a space between the bandit24 password and the four digits.
```
bandit24@bandit:~$ i=0; while [ $i -le 9999 ]; do echo "gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8 "$i; i=$((i+1)); done | nc localhost 30002
................ (wrong passwords omitted)
Correct!
The password of user bandit25 is iCi86ttT4KSNe1armKiwbQNmB3YJP3q4
```
Level 25
Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.
NOTE: if you’re a Windows user and typically use Powershell to ssh into bandit: Powershell is known to cause issues with the intended solution to this level. You should use command prompt instead.
There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo via the port 2220. The password for the user bandit27-git is the same as for the user bandit27.
Clone the repository and find the password for the next level.
Yz9IpL0sBcCeuG7m9uQFt8ZNpS4HZRcN
```
bandit27@bandit:~$ mktemp -d
/tmp/tmp.lwdDNwWWpv
bandit27@bandit:~$ cd /tmp/tmp.lwdDNwWWpv
bandit27@bandit:/tmp/tmp.lwdDNwWWpv$ git clone ssh://bandit27-git@localhost:2220/home/bandit27-git/repo
bandit27@bandit:/tmp/tmp.lwdDNwWWpv$ ls
repo
bandit27@bandit:/tmp/tmp.lwdDNwWWpv$ cd repo/
bandit27@bandit:/tmp/tmp.lwdDNwWWpv/repo$ ls
README
bandit27@bandit:/tmp/tmp.lwdDNwWWpv/repo$ cat README
The password to the next level is: Yz9IpL0sBcCeuG7m9uQFt8ZNpS4HZRcN
```
Level 28
There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo via the port 2220. The password for the user bandit28-git is the same as for the user bandit28.
Clone the repository and find the password for the next level.
```
bandit28@bandit:~$ mktemp -d
/tmp/tmp.tqJ1scDFzf
bandit28@bandit:~$ cd /tmp/tmp.tqJ1scDFzf
bandit28@bandit:/tmp/tmp.tqJ1scDFzf$ git clone ssh://bandit28-git@localhost:2220/home/bandit28-git/repo
Cloning into 'repo'...
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can't be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/home/bandit28/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/home/bandit28/.ssh/known_hosts).
 _                     _ _ _
| |__   __ _ _ __   __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|

This is an OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit28-git@localhost's password:
remote: Enumerating objects: 9, done.
remote: Counting objects: 100% (9/9), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 9 (delta 2), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (9/9), done.
Resolving deltas: 100% (2/2), done.
bandit28@bandit:/tmp/tmp.tqJ1scDFzf$ ls
repo
bandit28@bandit:/tmp/tmp.tqJ1scDFzf$ cd repo/
bandit28@bandit:/tmp/tmp.tqJ1scDFzf/repo$ ls
README.md
bandit28@bandit:/tmp/tmp.tqJ1scDFzf/repo$ cat README.md
# Bandit Notes
Some notes for level29 of bandit.

bandit28@bandit:/tmp/tmp.tqJ1scDFzf/repo$ git log --pretty=oneline
817e303aa6c2b207ea043c7bba1bb7575dc4ea73 (HEAD -> master, origin/master, origin/HEAD) fix info leak
3621de89d8eac9d3b64302bfb2dc67e9a566decd add missing data
0622b73250502618babac3d174724bb303c32182 initial commit of README.md
bandit28@bandit:/tmp/tmp.tqJ1scDFzf/repo$ git reset --hard HEAD^
HEAD is now at 3621de8 add missing data
bandit28@bandit:/tmp/tmp.tqJ1scDFzf/repo$ cat README.md
# Bandit Notes
Some notes for level29 of bandit.
```
There is a git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo via the port 2220. The password for the user bandit29-git is the same as for the user bandit29.
Clone the repository and find the password for the next level.
```
bandit29@bandit:~$ mktemp -d
/tmp/tmp.FjXziXDmuo
bandit29@bandit:~$ cd /tmp/tmp.FjXziXDmuo
bandit29@bandit:/tmp/tmp.FjXziXDmuo$ git clone ssh://bandit29-git@localhost:2220/home/bandit29-git/repo
bandit29@bandit:/tmp/tmp.FjXziXDmuo$ ls
repo
bandit29@bandit:/tmp/tmp.FjXziXDmuo$ cd repo/
bandit29@bandit:/tmp/tmp.FjXziXDmuo/repo$ ls
README.md
bandit29@bandit:/tmp/tmp.FjXziXDmuo/repo$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.

## credentials

- username: bandit30
- password: <no passwords in production!>

bandit29@bandit:/tmp/tmp.FjXziXDmuo/repo$ git branch -a
* master
  remotes/origin/HEAD -> origin/master
  remotes/origin/dev
  remotes/origin/master
  remotes/origin/sploits-dev
bandit29@bandit:/tmp/tmp.FjXziXDmuo/repo$ git switch dev
branch 'dev' set up to track 'origin/dev'.
Switched to a new branch 'dev'
bandit29@bandit:/tmp/tmp.FjXziXDmuo/repo$ ls
code  README.md
bandit29@bandit:/tmp/tmp.FjXziXDmuo/repo$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.
```
There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo via the port 2220. The password for the user bandit30-git is the same as for the user bandit30.
Clone the repository and find the password for the next level.
fb5S2xb7bRyFmAvQYQGEqsbhVyJqhnDy
It is even laughing at us 🤣
```
bandit30@bandit:~$ mktemp -d
/tmp/tmp.aL2NJXFrGx
bandit30@bandit:~$ cd /tmp/tmp.aL2NJXFrGx
bandit30@bandit:/tmp/tmp.aL2NJXFrGx$ git clone ssh://bandit30-git@localhost:2220/home/bandit30-git/repo
bandit30@bandit:/tmp/tmp.aL2NJXFrGx$ ls
repo
bandit30@bandit:/tmp/tmp.aL2NJXFrGx$ cd repo/
bandit30@bandit:/tmp/tmp.aL2NJXFrGx/repo$ ls
README.md
bandit30@bandit:/tmp/tmp.aL2NJXFrGx/repo$ cat README.md
just an epmty file... muahaha
```
This most likely involves some other git feature. Tags have not come up yet, so I tried them, and sure enough there is one.
```
bandit30@bandit:/tmp/tmp.aL2NJXFrGx/repo$ git tag
secret
bandit30@bandit:/tmp/tmp.aL2NJXFrGx/repo$ git show secret
fb5S2xb7bRyFmAvQYQGEqsbhVyJqhnDy
```
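Levels 28 to 30 share one lesson for anyone maintaining a repository: a secret that is gone from the checked-out README.md can still be reachable through history, another branch, or a tag. The following added example (not from the original post or from OverTheWire) audits a clone by scanning every object reachable from any ref. The function names, the demo repository and its three 32-character strings are constructed here.

```shell
#!/usr/bin/env bash
# Added example: find secret-shaped strings anywhere a git ref can still reach,
# not only in the checked-out files.

# scan_repo REPO [ERE] -> one line per hit: "<type> <short-id> <path-or-ref>: <match>"
scan_repo() {
    local repo pattern id name type hit
    repo=$1
    pattern=${2:-}
    # Default pattern: the shape of the passwords on this page (32 alphanumerics).
    if [ -z "$pattern" ]; then pattern='[A-Za-z0-9]{32}'; fi
    {
        # the ref targets themselves (annotated tag objects, tags on bare blobs)
        git -C "$repo" for-each-ref --format='%(objectname) %(refname)'
        # every commit, tree and blob reachable from any branch or tag
        git -C "$repo" rev-list --all --objects
    } | sort -u -k1,1 | while read -r id name; do
        type=$(git -C "$repo" cat-file -t "$id")
        if [ "$type" = tree ]; then continue; fi
        # -w keeps the 40-hex object ids in commit and tag headers from matching
        git -C "$repo" cat-file -p "$id" | grep -Eow -- "$pattern" | sort -u |
            while read -r hit; do
                printf '%s %.7s %s: %s\n' "$type" "$id" "${name:--}" "$hit"
            done
    done
}

# Constructed sample values, one per hiding place seen in the levels above.
S_HISTORY=CONSTRUCTEDsecretInHistory000001   # removed by a later "fix" commit
S_BRANCH=CONSTRUCTEDsecretOnDevBranch0002    # only on a non-default branch
S_TAG=CONSTRUCTEDsecretInBlobTag000003       # only in a blob that a tag points at

# make_demo_repo DIR -> builds a constructed repository holding those three values
make_demo_repo() {
    local r
    r=$1
    git init -q "$r" || return 1
    g() { git -C "$r" -c user.name=demo -c user.email=demo@example.invalid "$@"; }
    printf 'password: %s\n' "$S_HISTORY" > "$r/README.md"
    g add README.md && g commit -q -m 'add missing data' || return 1
    printf 'password: xxxxxxxxxx\n' > "$r/README.md"
    g commit -q -am 'fix info leak' || return 1
    g checkout -q -b dev || return 1
    printf 'password: %s\n' "$S_BRANCH" > "$r/README.md"
    g commit -q -am 'dev notes' || return 1
    g checkout -q - || return 1
    g tag secret "$(printf '%s\n' "$S_TAG" | g hash-object -w --stdin)" || return 1
}
```

A hit means the value has to be rotated; a follow-up commit such as "fix info leak" changes only the newest tree and leaves the older objects in place.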
Level 31
There is a git repository at ssh://bandit31-git@localhost/home/bandit31-git/repo via the port 2220. The password for the user bandit31-git is the same as for the user bandit31.
Clone the repository and find the password for the next level.
```
bandit31@bandit:~$ mktemp -d
/tmp/tmp.JoBWmokJpp
bandit31@bandit:~$ cd /tmp/tmp.JoBWmokJpp
bandit31@bandit:/tmp/tmp.JoBWmokJpp$ git clone ssh://bandit31-git@localhost:2220/home/bandit31-git/repo
bandit31@bandit:/tmp/tmp.JoBWmokJpp$ cd repo/
bandit31@bandit:/tmp/tmp.JoBWmokJpp/repo$ ls
README.md
bandit31@bandit:/tmp/tmp.JoBWmokJpp/repo$ cat README.md
This time your task is to push a file to the remote repository.

Details:
    File name: key.txt
    Content: 'May I come in?'
    Branch: master

bandit31@bandit:/tmp/tmp.JoBWmokJpp/repo$ echo 'May I come in?' > key.txt
bandit31@bandit:/tmp/tmp.JoBWmokJpp/repo$ cat key.txt
May I come in?
bandit31@bandit:/tmp/tmp.JoBWmokJpp/repo$ git add .
bandit31@bandit:/tmp/tmp.JoBWmokJpp/repo$ git commit -a
On branch master
Your branch is up to date with 'origin/master'.

nothing to commit, working tree clean
bandit31@bandit:/tmp/tmp.JoBWmokJpp/repo$ cat .gitignore
*.txt
bandit31@bandit:/tmp/tmp.JoBWmokJpp/repo$ git add -f .
bandit31@bandit:/tmp/tmp.JoBWmokJpp/repo$ git commit -a
Unable to create directory /home/bandit31/.local/share/nano/: No such file or directory
It is required for saving/loading search history or cursor positions.
## nano opens here; type any commit message
[master fb00993] a
 1 file changed, 1 insertion(+)
 create mode 100644 key.txt
bandit31@bandit:/tmp/tmp.JoBWmokJpp/repo$ git push -u origin master  ## pushing to master returns the password
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can't be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/home/bandit31/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/home/bandit31/.ssh/known_hosts).
 _                     _ _ _
| |__   __ _ _ __   __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|

This is an OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit31-git@localhost's password:
Enumerating objects: 4, done.
Counting objects: 100% (4/4), done.
Delta compression using up to 2 threads
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 316 bytes | 316.00 KiB/s, done.
Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
remote: ### Attempting to validate files... ####
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
remote: Well done! Here is the password for the next level:
remote: 3O9RfhqyAlVBEZpVb6LYStshZoqoSx5K
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
To ssh://localhost:2220/home/bandit31-git/repo
 ! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'ssh://localhost:2220/home/bandit31-git/repo'
```
Level 32
After all this git stuff, it’s time for another escape. Good luck!
At this moment, level 34 does not exist yet.
```
bandit33@bandit:~$ cat README.txt
Congratulations on solving the last level of this game!

At this moment, there are no more levels to play in this game. However, we are constantly
working on new levels and will most likely expand this game with more levels soon.
Keep an eye out for an announcement on our usual communication channels!
In the meantime, you could play some of our other wargames.

If you have an idea for an awesome new level, please let us know!
```