# Bandit

## Site link: https://overthewire.org/wargames/bandit/

## How to use:

### Open your own terminal and SSH to the port, username and IP given for each level

> ssh -p 2220 bandit<level>@bandit.labs.overthewire.org
> enter password

### When you are done

> exit

### Format below:

```markdown=
Lv.n: password for this level
Topic: description of the challenge
Approach: my solution
```

A bit rough, but still readable 👀 🚬🍻 Life is busy; I'll tidy it up when I have time, sorry. If anything is unclear, leave a comment and let me know~

### Lv.0:
password: bandit

### Lv.1:
password: ZjLjTmM6FvvyRnrb2rfNWOZOTa6ip5If

**Topic**: how do you open a file named "-" (a dash) from the terminal?

**Exp**: using `-` as an argument refers to STDIN/STDOUT, i.e. /dev/stdin or /dev/stdout. So if you want to open a file with this name you have to give its full location, such as `./-`. For example, to see what is in that file use `cat ./-`.

### Lv.2:
password: 263JGJPfgU6LtdEvgfWU1XP5yac29mFx

**Topic**: same idea as above; open it with `cat ./(full path)`.

### Lv.3:
password: MNk8KNH3Usiio41PRUEoDFPqfxLPlSmx

Use `ll` to view hidden files.

### Lv4:
password: 2WmrDFRmJIq3IPxneAaMGhap0pFhF3NJ

**Topic:** a folder holds many files, only one of which is human-readable

**Approach**: grep the whole folder: `grep -r "[0-9a-zA-Z]" folder-name`

### Lv5:
password: 4oQYVPkxZOOEOO5pTW81FB8j8lxXGUQw

**Topic**: nested folders, and you are given three conditions: human-readable + 1033 bytes in size + not executable

**Approach**: I first tried `ll` and found far too many sub-folders to grep through.
`du` reports disk usage (in blocks), not the exact file size in bytes, so no good.
`find`: I only filtered on the file's byte size: `find inhere/ -type f -size 1033c` searches the folder inhere for regular files whose size is exactly 1033 bytes.
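The `find` call for Lv.5 as a runnable function, with a constructed directory tree to try it on. This is an added example, not part of the original write-up; the tree layout, file names and the `make_tree` / `find_by_size` / `find_owned` names are all made up here. It goes slightly beyond the one-liner by also excluding executable files and by showing an owner filter with stderr discarded, the same `find` options the later levels use.

```bash
#!/bin/sh
# Added example, not from the write-up: build a small constructed directory
# tree and locate the one file matching the Lv.5 conditions (regular file,
# exactly N bytes, not executable), then widen the same find call with an
# owner filter and "Permission denied" noise discarded.
set -eu

# Populate $1 with constructed files; only a/b/wanted meets all conditions.
make_tree() {
    root=$1
    mkdir -p "$root/a/b" "$root/c"
    # 1032 'x' characters plus a newline: exactly 1033 bytes of readable text
    printf '%1032s\n' '' | tr ' ' 'x' > "$root/a/b/wanted"
    # same size but executable: must be excluded
    cp "$root/a/b/wanted" "$root/c/script"
    chmod u+x "$root/c/script"
    # wrong size
    printf 'short\n' > "$root/c/other"
}

# Regular files under $1 whose size is exactly $2 bytes ("c" suffix = bytes)
# and whose owner execute bit (octal 100) is not set.
find_by_size() {
    find "$1" -type f -size "${2}c" ! -perm -100 2>/dev/null
}

# Regular files under $1 owned by user $2. Errors from unreadable
# directories go to /dev/null, so only real matches reach stdout.
find_owned() {
    find "$1" -type f -user "$2" 2>/dev/null
}

# Usage: run against a throwaway tree and print the single candidate.
demo_dir=$(mktemp -d)
make_tree "$demo_dir"
find_by_size "$demo_dir" 1033
rm -rf "$demo_dir"
```

Once the candidate list is down to one path, `cat` it as in the level; if several files match the size, piping the list through `file` (or checking the execute bit as above) is what separates them.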
=> `find folder-name -type f -size <size>`

### Lv.6:
password: HWasnPhtq9AVKe0dmk45nxy20cvUa6EG

**Topic**: The password for the next level is stored somewhere on the server and has all of the following properties: owned by user bandit7, owned by group bandit6
=> given a user and a group, we can use the `find` command with a few options: `find / -user bandit7 -group bandit6 -type f 2>/dev/null`

* `-user`, `-group`: the required owner and group; `/`: start searching from the root directory
* `-type f`: must be a regular file (not a directory or device)
* `2>/dev/null`: file descriptor 2 is where error messages are logged; this redirection throws away that unnecessary noise
  => suppress error messages like "Permission denied"

Without 2>/dev/null:

![](https://hackmd.io/_uploads/SkJAR959ex.png)

Find the file path, then cat it.

### Lv.7:
password: morbNTDkSW6jIlUc0ymOdMaLnOlFVAaj

**Approach**: just grep for the keyword.

### Lv.8:
password: dfwvzFQi4mU0wfNbFOe9RoWskMLg7eEc

**Topic**: data.txt has n lines of text; the password is the only line of text that occurs only once

**Approach**: first cat the file to look at it... messy and ugly. A few hints below; first let's understand [uniq](https://blog.gtwang.org/linux/linux-uniq-command-tutorial/)

> uniq is a small tool that removes duplicated text, leaving the data that is not repeated.

‼️ Note, however, that uniq only compares adjacent lines, so we have to combine it with `sort`

**Approach**: `sort data.txt | uniq -u`; piping the sorted file through uniq outputs the one line that has no duplicate, which is the answer.

### Lv.9:
password: 4CKMh1JI91bUIZZPXDqGanal4xvAg0JM

**Topic**: The password for the next level is stored in the file data.txt in one of the few **human-readable** strings, **preceded by several '=' characters.**

First cat the file: it looks like `��֘!Ξ\\S�)_�N�a��9c���d�薕����3N��'�L/`, pretty ugly, so first 1. reduce it to human-readable strings, then 2. use the "preceded by several '=' characters" property to grep them out.

**Approach**: `strings data.txt | grep "===="`

### Lv.10:
password: FGUW5ilLVJrxX9kMYMmlN4MgbpfMiqey

Topic: use base64 to decode data.txt
sol: `echo $(base64 -d data.txt)`

Extra: common base64 commands

```bash!
# encode:
# for a string:
# It is recommended to use the -n flag with echo to prevent adding a '\n', which would also be encoded.
echo -n "your strings" | base64
# for a file.txt
base64 input_file.txt   # (macOS base64 takes -i input_file.txt; GNU's -i means --ignore-garbage)
# or using input redirection:
base64 < input_file.txt
# -----------
# decode
# for a string:
echo "your strings" | base64 -d
# or using a here-string
base64 -d <<< "your string"
# the two above are equivalent
#
# for a file.txt
echo $(base64 -d input_file.txt)
```

More: Linux **redirect**: https://weikaiwei.com/linux/redirect-2/

### Lv.11:
password: dtR173fZKb0RRsDFSGsg2RWnpNVj3qRr

**Topic**: <font color="red">ROT13</font>, all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions

**Approach**: first cat data.txt => `Gur cnffjbeq vf 7k16JArUVv5LxVuJfsSVdbbtaHGlw9D4`

Understanding `tr`: Usage: tr [OPTION]... STRING1 [STRING2]
Each character of STRING1 is replaced by the corresponding character of STRING2. In the example below, A-Z is mapped to N-ZA-M (same for lowercase), so A becomes N, Z becomes M, and so on.

```bash!
tr 'A-Za-z' 'N-ZA-Mn-za-m' <<< "Gur cnffjbeq vf 7k16JArUVv5LxVuJfsSVdbbtaHGlw9D4"
```

### Lv.12:
password: 7x16WNeHIi5YkIhWsfFIqoognUTyj9Q4

After finishing this one you will be fluent in tar, gz and bzip2 (already vomiting 🤮)

**Topic**: master tar, gz, bzip2

First `cat data.txt | head` (the content is a hex dump) =>

```bash!
00000000: 1f8b 0808 0933 9f68 0203 6461 7461 322e .....3.h..data2.
00000010: 6269 6e00 0148 02b7 fd42 5a68 3931 4159 bin..H...BZh91AY
00000020: 2653 59be 9d9d 9600 001f ffff fe7f fbcf &SY.............
00000030: af7f 9eff f7ee ffdf bff7 fef7 ddbe 9db7 ................
00000040: bf9f 9f5f ca6f fffe d6fb feff b001 3ab3 ..._.o........:.
00000050: 0403 40d0 0000 00d0 01a0 03d4 0000 0346 ..@............F
```

<font color="red">1f8b</font> is ... (unfinished)

### Lv.13:
password: FO5dwFsc0cbaIiH0h8J2eUks2vdTDwAn

**Topic**: after `ls` there is an `sshkey.private` file; cat it, it is the private key needed to log in at Lv.14:

```shell!
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAxkkOE83W2cOT7IWhFc9aPaaQmQDdgzuXCv+ppZHa++buSkN+
gg0tcr7Fw8NLGa5+Uzec2rEg0WmeevB13AIoYp0MZyETq46t+jk9puNwZwIt9XgB
...
```

**Approach**:
1. First tried `chmod 600` on this file => `chmod: changing permissions of 'sshkey.private': Operation not permitted`. Looks like
2. Try `ssh` to bandit14; besides specifying the port, remember to pass the private key: `ssh -p 2220 -i sshkey.private bandit14@bandit.labs.overthewire.org`. Then go to the directory named in the challenge to get the password.

### Lv.14:
password: MU4VWeTyJk8ROof1qqmcBPaLh7lDCPvS

**Topic**: how to send data to a given IP and port with netcat (nc): `echo "Your data here" | nc <IP_Address> <Port_Number>`
sol: `echo "MU4VWeTyJk8ROof1qqmcBPaLh7lDCPvS" | nc localhost 30000`

Extra:

### Lv.15:
password: 8xCjnmgoKbGLhHFAZlGE5Tmu4M2tKJQo

### Lv.16:
password: kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx

RSA private key stored at: /tmp/random_sshkey/private.key
ans: ssh -i <path to private.key file> -p 2220 bandit17@bandit.labs.overthewire.org

Extra: `nmap -sV` vs `ss -tulpn`
Common point: both let you see the state of ports
Difference: `nmap -sV ip -p port_range1-port_range2`
How it works:

----

In this level I ran into the note from the challenge: **Helpful note: Getting "DONE", "RENEGOTIATING" or "KEYUPDATE"? Read the "CONNECTED COMMANDS" section in the manpage.** Specifically KEYUPDATE, after which the screen just stopped.

After some searching + asking GPT:

- openssl s_client: acts as an SSL/TLS client and connects to any server that supports the SSL/TLS protocol. `openssl s_client -connect server_ip_addr:a_port`, e.g. `openssl s_client -connect www.google.com:443`, checks whether the server responds normally + shows connection details (server certificate, RSA PRIVATE KEY...)

1. Why did it stop?
   ans: When it shows KEYUPDATE, the server has requested a TLS 1.3 key update.
   -> OpenSSL has already completed the update; now it is "waiting for the server to send more data" or "waiting for you to type again".
   -> So it is not stuck: the connection is still alive, but after the handshake the server sends nothing further on its own, and you are not typing either, so the screen just sits there.
2. Which layer is the message in?
   ans: the application layer, encrypted by TLS before being sent.
3. What is the KEYUPDATE line doing?
   ans: the TLS 1.3 spec lets the server request a key update on its own; s_client prints that event so you can see it.
4. So how do you solve this level?
   ans: add `-quiet` to openssl s_client so that OpenSSL does not print TLS protocol events (debug messages like KEYUPDATE, read R BLOCK) and only shows the application-layer response; the protocol events then no longer get in the way. (`-quiet` also implies `-ign_eof`.)

```bash=
openssl s_client -connect server_ip_addr:a_port -quiet
# or keep the verbose output and only stop s_client closing on local EOF:
openssl s_client -connect server_ip_addr:a_port -ign_eof
```

Following on from 2.:
- When your input ends or the pipe closes, s_client receives an EOF (end-of-file). By default s_client turns that EOF into a TLS close_notify, telling the server it wants to disconnect. If the server still wants to respond (for example it triggered a KEYUPDATE), s_client has already closed its write side, and the result looks "stuck".
- With -ign_eof, s_client ignores the EOF from your local input ending. In other words it does not rush to send close_notify; it keeps the connection open and waits for the server's response. So **the TLS session is not closed early by your own side, and the data the server sends back can be received normally.**

### Lv.17

**Topic:** There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new

**sol**: use `diff` to compare the contents of the two files, `diff file1 file2` =>

```yaml=
42c42 # line 42 of file 1 was changed into line 42 of file 2
< x2gLTTjFwMOhQ8oWNbMN362QKxfRqGlO # the line starting with < comes from the first diff argument (passwords.new)
---
> gvE89l3AhAhg3Mi9G2990zGnn42c8v20 # the line starting with > comes from the second diff argument (passwords.old)
```

```yaml=
bandit17@bandit:~$ diff -u passwords.old passwords.new
--- passwords.old 2025-08-15 13:15:58.437906896 +0000
+++ passwords.new 2025-08-15 13:15:58.442077343 +0000
@@ -39,7 +39,7 @@
xT5cHcjeKEBqWXcPYg334ENuYyCXdwzr
UZhr02EkzIBiOwy0M5nYS06iYZXKPhF1
dGrSFeLcZ1xkc7fTwzBCCkfQszrtd7SH
-gvE89l3AhAhg3Mi9G2990zGnn42c8v20
+x2gLTTjFwMOhQ8oWNbMN362QKxfRqGlO
tB0WQB4tQtGJPMzXQodyOWndvgkL1KLH
qO1tMtSxhIB4BsPQr121iQC0rimvBPcA
sxY3qdTxF4eaWiUCuTWV2bKe35cOBCnz
# -u shows a few lines of context before and after; commonly used for patch / git
```

### Lv.18:
password: x2gLTTjFwMOhQ8oWNbMN362QKxfRqGlO

**Topic**: getting around the restriction of .bashrc running automatically
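The Lv.17 `diff` step as a function that pulls out only the changed line, in both the normal (`<`/`>`) and the unified (`-`/`+`) output styles. This is an added example, not part of the original write-up; the two sample password files are constructed here and the function names `changed_line`, `changed_line_unified`, `count_changes` and `make_samples` are made up.

```bash
#!/bin/sh
# Added example, not from the write-up: given an old and a new list that
# differ in exactly one line, return the new line. In diff's normal output
# lines from the second argument are prefixed "> "; in unified output they
# are prefixed "+" (the "+++ file" header line is excluded).
set -eu

# Lines present only in the new file ($2), from normal diff output.
changed_line() {
    diff "$1" "$2" | sed -n 's/^> //p'
}

# Same, from unified output: keep "+x" lines but not the "+++" header.
changed_line_unified() {
    diff -u "$1" "$2" | sed -n 's/^+\([^+]\)/\1/p'
}

# Number of hunks: normal diff headers look like 42c42, 3a4 or 7d6.
count_changes() {
    diff "$1" "$2" | grep -c '^[0-9]'
}

# Constructed sample files in directory $1: one line differs.
make_samples() {
    d=$1
    printf 'one\ntwo\nthree\nfour\n' > "$d/passwords.old"
    printf 'one\ntwo\nTHREE-new\nfour\n' > "$d/passwords.new"
}

# Usage: build the samples, print the changed line, clean up.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
changed_line "$demo_dir/passwords.old" "$demo_dir/passwords.new"
rm -rf "$demo_dir"
```

Argument order matters: the level's answer lives in passwords.new, so pass it as the second argument and read the `>` (or `+`) line; if you pass it first, the answer shows up on the `<` (or `-`) line instead, which is what the first listing above shows.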
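Looking back at Lv.12: the hex dump there starts with `1f8b`, which is the standard gzip magic, and the `BZh91AY&SY` visible a little further in is the bzip2 signature (`ustar` at offset 257 marks a POSIX tar archive). The block below is an added example, not the write-up's own solution: it identifies a file's container from its magic bytes with `od` and peels layers with the matching tool. The function names and the sample files are constructed here; the decompression helpers need gzip, bzip2 and tar on PATH.

```bash
#!/bin/sh
# Added example, not from the write-up: identify a container format by its
# magic bytes (gzip 1f 8b, bzip2 "BZh", tar "ustar" at offset 257) and
# unpack one layer at a time until no known container remains.
set -eu

# Print gzip / bzip2 / tar / unknown for file $1, judging by magic bytes only.
detect_format() {
    # first two bytes as hex; od is POSIX, xxd may be absent
    magic2=$(od -An -tx1 -N2 "$1" | tr -d ' \n')
    case $magic2 in
        1f8b) echo gzip; return ;;
    esac
    # bzip2 files begin with "BZh" followed by the block-size digit
    if [ "$(od -An -c -N3 "$1" | tr -d ' \n')" = "BZh" ]; then
        echo bzip2; return
    fi
    # POSIX tar: "ustar" at byte offset 257 (od -j skips bytes; files
    # shorter than that make od fail, which is treated as "not tar")
    if [ "$(od -An -c -j257 -N5 "$1" 2>/dev/null | tr -d ' \n')" = "ustar" ]; then
        echo tar; return
    fi
    echo unknown
}

# Remove one container layer from file $1 into directory $2 and print the
# payload path. For tar the first listed entry is returned.
peel_once() {
    f=$1; out=$2; name=$(basename "$f")
    case $(detect_format "$f") in
        gzip)  gzip -dc "$f"  > "$out/$name.ungz";  echo "$out/$name.ungz" ;;
        bzip2) bzip2 -dc "$f" > "$out/$name.unbz2"; echo "$out/$name.unbz2" ;;
        tar)   tar -xf "$f" -C "$out"; echo "$out/$(tar -tf "$f" | head -n 1)" ;;
        *)     echo "unknown format: $f" >&2; return 1 ;;
    esac
}

# Keep peeling until detect_format reports unknown; print the final path.
peel_all() {
    cur=$1; out=$2
    while [ "$(detect_format "$cur")" != unknown ]; do
        cur=$(peel_once "$cur" "$out")
    done
    echo "$cur"
}

# Usage: a constructed header-only file, just to show detection.
demo_dir=$(mktemp -d)
printf '\037\213\010\000constructed-gzip-header' > "$demo_dir/sample"
detect_format "$demo_dir/sample"
rm -rf "$demo_dir"
```

Detecting from the bytes rather than the file name matters in this level because the extension is deliberately meaningless at every layer; `file` does the same check with a much larger signature table when it is installed.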
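The Lv.10 base64 and Lv.11 ROT13 one-liners as small functions, with the trailing-newline pitfall the base64 note above warns about made visible, and a check that ROT13 undoes itself. This is an added example, not part of the original write-up; all sample strings and the function names are constructed here.

```bash
#!/bin/sh
# Added example, not from the write-up: base64 and ROT13 as functions.
# printf '%s' is used instead of echo -n because echo's option handling
# differs between shells; it never appends a newline.
set -eu

# Encode exactly $1 (no trailing newline).
b64_encode() {
    printf '%s' "$1" | base64
}

# Encode $1 the way `echo "$1" | base64` does: the newline is encoded too,
# which is why the output differs from b64_encode for the same input.
b64_encode_echo() {
    echo "$1" | base64
}

# Decode the base64 text in $1 (the page's `base64 -d data.txt` on a string).
b64_decode() {
    printf '%s' "$1" | base64 -d
}

# ROT13: A-Z -> N-ZA-M and a-z -> n-za-m; digits and punctuation pass through.
# Applying it twice maps every letter forward 26 places, i.e. back to itself.
rot13() {
    printf '%s' "$1" | tr 'A-Za-z' 'N-ZA-Mn-za-m'
}

# Usage: show the two encodings side by side and a ROT13 round trip.
b64_encode 'hello'
b64_encode_echo 'hello'
rot13 'Uryyb, Jbeyq!'
rot13 "$(rot13 'Uryyb, Jbeyq!')"
```

When a decoded value is fed straight into `ssh` or `nc`, the stray newline from an `echo`-based encode is the usual reason a "correct" password is rejected, so check with `| od -c` whether the decoded bytes end in `\n`.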
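The Lv.8 and Lv.9 filters (`sort | uniq -u` and `strings | grep "===="`) as functions over constructed input, including a deliberate no-`sort` variant that shows why uniq alone gives the wrong answer. This is an added example, not the write-up's own code; the sample files and the function names are made up here, and `strings` is replaced by an equivalent `grep` so the block runs where binutils is not installed.

```bash
#!/bin/sh
# Added example, not from the write-up: the Lv.8 and Lv.9 pipelines as
# functions, with constructed data files and a pitfall demonstration.
set -eu

# Lv.8: the single line that occurs exactly once. uniq only compares
# neighbouring lines, so sort first to make duplicates adjacent.
unique_line() {
    sort "$1" | uniq -u
}

# Same without sort: duplicates that are not adjacent survive, so on
# shuffled input this returns several lines. Kept only to show the pitfall.
unique_line_nosort() {
    uniq -u "$1"
}

# Lv.9: printable runs of at least 4 characters (what `strings` extracts),
# then only those containing a run of '=' signs.
marked_strings() {
    LC_ALL=C grep -a -o '[[:print:]]\{4,\}' "$1" | grep '=\{4,\}'
}

# Constructed samples in directory $1.
make_samples() {
    d=$1
    # Lv.8 style: every line appears twice except ONLYONCE, not sorted
    printf 'alpha\nbeta\nalpha\nONLYONCE\nbeta\ngamma\ngamma\n' > "$d/data8.txt"
    # Lv.9 style: binary junk around one '='-marked readable string
    printf '\001\002junk\003\n========== sample-secret-here\n\004\005\n' > "$d/data9.txt"
}

# Usage: build the samples and run both filters.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
unique_line "$demo_dir/data8.txt"
marked_strings "$demo_dir/data9.txt"
rm -rf "$demo_dir"
```

Running `unique_line_nosort` on the same file prints five lines instead of one, which is the behaviour the ‼️ note above is warning about.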