OverTheWire - Bandit
Level0
Level Goal
The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.
Solution
Run ssh -p 2220 bandit0@bandit.labs.overthewire.org to connect to the bandit0 host.
Run ls and see the file readme.
Use cat on the file to get the flag.
Level1
Level Goal
The password for the next level is stored in a file called - located in the home directory
Solution
ls shows a file named -.
Trying to open it with cat does not work.
pwd shows the absolute path /home/bandit1.
Level2
Level Goal
The password for the next level is stored in a file called spaces in this filename located in the home directory
Solution
ls shows the file spaces in this filename.
Use cat on it directly to get the flag.
Level3
Level Goal
The password for the next level is stored in a hidden file in the inhere directory.
Solution
In the inhere directory, ls shows nothing, so add options.
ls -al shows .hidden.
Use cat to get the flag.
Level4
Level Goal
The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.
Solution
ls shows that there are 10 files.
file ./* shows the type of each file.
cat ./-file07 opens the file.
Level5
Level Goal
The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:
human-readable
1033 bytes in size
not executable
Solution
Level6
Level Goal
The password for the next level is stored somewhere on the server and has all of the following properties:
owned by user bandit7
owned by group bandit6
33 bytes in size
Solution
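Levels 5 and 6 both identify a file only by its metadata. The following added example (not part of the original notes) maps each listed property to a find test and runs it against a constructed directory tree; the function names and the sample tree are assumptions, and GNU find and grep are assumed for -executable and -I.

```shell
#!/bin/sh
# Added example, not from the original notes. Needs GNU find and grep.

# Level 5 pattern: regular file, exact byte size, no execute permission,
# and text content (grep -I treats a binary file as having no match).
find_text_by_size() {          # usage: find_text_by_size DIR BYTES
  find "$1" -type f -size "${2}c" ! -executable \
       -exec grep -Iq . {} \; -print
}

# Level 6 pattern: match on owner, group and exact size anywhere below DIR.
# Errors from directories that cannot be read are discarded.
find_by_owner() {              # usage: find_by_owner DIR USER GROUP BYTES
  find "$1" -type f -user "$2" -group "$3" -size "${4}c" 2>/dev/null
}

# Constructed sample tree: one matching file per search, plus decoys that
# each fail exactly one test.
make_sample_tree() {
  tree=$(mktemp -d)
  mkdir -p "$tree/inhere/a" "$tree/inhere/b"
  head -c 1033 /dev/zero | tr '\0' 'x' > "$tree/inhere/a/target"   # match
  head -c 1033 /dev/zero > "$tree/inhere/a/binary"                 # not text
  head -c 1032 /dev/zero | tr '\0' 'x' > "$tree/inhere/b/short"    # wrong size
  head -c 1033 /dev/zero | tr '\0' 'x' > "$tree/inhere/b/script"   # executable
  chmod +x "$tree/inhere/b/script"
  printf '%032d\n' 0 > "$tree/pass33"                              # 33 bytes
  echo "$tree"
}

tree=$(make_sample_tree)
find_text_by_size "$tree/inhere" 1033
find_by_owner "$tree" "$(id -u)" "$(id -g)" 33
```

On the game server the second search would start at / with the user and group names from the level goal instead of the current user's IDs.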
Level7
Level Goal
The password for the next level is stored in the file data.txt next to the word millionth
Solution
Level8
Level Goal
The password for the next level is stored in the file data.txt and is the only line of text that occurs only once
Solution
Sort the lines with sort, then use uniq -u to print the line that is not repeated.
Level9
Level Goal
The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.
Solution
Use strings to extract the readable text, then grep to find the strings that start with =.
Level10
Level Goal
The password for the next level is stored in the file data.txt, which contains base64 encoded data
Solution
Decode with base64 -d.
Level11
Level Goal
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions
Solution
tr 'A-Za-z' 'N-ZA-Mn-za-m' translates the characters and decrypts the ROT13.
Level12
Level Goal
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)
Solution
cp /home/bandit12/data.txt /tmp/myname123
xxd -r converts the hexdump back to binary.
file shows the compression type.
gzip -d, bzip2 -d and tar xvf decompress.
Level13
Level Goal
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on
Solution
cat > <filename> saves the key to a file; then set its permissions.
chmod 600 <filename>
ssh -i <filename> bandit14@bandit.labs.overthewire.org -p 2220 connects using the key in the file.
Level14
Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.
Solution
/etc/bandit_pass/bandit14 holds the password to submit to localhost.
Connect to 127.0.0.1 with the telnet command to get the password.
Level15
Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.
Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…
Solution
Connect with openssl s_client -connect ip:port, then enter the lv14 password.
Level16
Level Goal
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.
Solution
nmap -sV 127.0.0.1 -p 31000-32000 scans ports 31000 to 32000 on 127.0.0.1.
Level17
Level Goal
There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new
NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19
Solution
diff -y <file1> <file2> compares the two files and shows the strings that differ.
Level18
Level Goal
The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.
Solution
ssh bandit18@bandit.labs.overthewire.org -p 2220 cat readme
Level19
Level Goal
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.
Solution
ls -l bandit20-do shows the file's permissions and which users can execute it.
Get the bandit20 password from /etc/bandit_pass.
Level20
Level Goal
There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).
NOTE: Try connecting to your own network daemon to see if it works as you think
Solution
Use echo to output the lv20 password, followed by netcat -lp port to start listening mode.
jobs shows the running jobs.
Level21
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
Solution
bandit22_root
cronjob_bandit22.sh
Level22
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
Solution
bandit23
cronjob_bandit23.sh
echo I am bandit23 | md5sum | cut -d ' ' -f 1
With $mytarget, cat /tmp/mytarget gives the password.
Level23
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…
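Solution
bandit24
cronjob_bandit24.sh
The sh files inside /var/spool/$myname/foo
Create another directory under /tmp.
Copy /etc/bandit_pass/bandit24 into the newly created directory bandit24.
touch changes the timestamp.
Set permissions on bandit_24.sh and bandit_pass.txt.
ls -al confirms the time.
cp bandit_24.sh copies the script to /var/spool/bandit24/foo.
ls -al confirms the time.
bandit_pass.txt then gives the password.
Level24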
Level Goal
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.
You do not need to create new connections each time
Solution
Level25
Level Goal
Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.
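Solution
ls shows bandit26.sshkey.
Logging in with bandit26.sshkey gets closed.
cat /etc/passwd | grep bandit26 shows the user's information.
Using the paging behaviour of more, shrink the window so that it cannot display everything.
:set shell=/bin/bash
:shell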
Level26
Level Goal
Good job getting a shell! Now hurry and grab the password for bandit27!
Solution
ls shows bandit27-do.
file bandit27-do shows that bandit27-do is an executable.
./bandit27-do runs bandit27-do.
./bandit27-do cat /etc/bandit_pass/bandit27 reads the bandit27 password directly.
Level27
Level Goal
There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo via the port 2220. The password for the user bandit27-git is the same as for the user bandit27.
Clone the repository and find the password for the next level.
Solution
git clone ssh://bandit27-git@localhost:2220/home/bandit27-git/repo
mktemp -d creates a temporary directory.
git clone ssh://bandit27-git@localhost:2220/home/bandit27-git/repo
In the repo directory, cat README gives the password.
Level28
Level Goal
There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo via the port 2220. The password for the user bandit28-git is the same as for the user bandit28.
Clone the repository and find the password for the next level.
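Solution
git clone ssh://bandit28-git@localhost:2220/home/bandit28-git/repo
mktemp -d creates a temporary directory.
git clone ssh://bandit28-git@localhost:2220/home/bandit28-git/repo
In the repo directory, cat README.md shows that the password has been modified.
git log shows the file's change history.
git show 899ba88df296331cc01f30d022c006775d467f28 shows the most recent commit, which fixed the information leak (fix info leak).
Level29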
Level Goal
There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo via the port 2220. The password for the user bandit28-git is the same as for the user bandit28.
Clone the repository and find the password for the next level.
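Solution
git clone ssh://bandit29-git@localhost:2220/home/bandit29-git/repo
mktemp -d creates a temporary directory.
git clone ssh://bandit29-git@localhost:2220/home/bandit29-git/repo
In the repo directory, cat README.md shows that the password is not there.
git branch -a lists the other branches.
git checkout dev switches to the dev branch to look at it.
README.md there contains the password.
Level30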
Level Goal
There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo via the port 2220. The password for the user bandit28-git is the same as for the user bandit28.
Clone the repository and find the password for the next level.
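Solution
git clone ssh://bandit30-git@localhost:2220/home/bandit30-git/repo
mktemp -d creates a temporary directory.
git clone ssh://bandit30-git@localhost:2220/home/bandit30-git/repo
In the repo directory, cat README.md shows that the password is not there.
git tag lists the tags.
git show secret shows the secret tag, which contains the password.
Level31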
Level Goal
There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo via the port 2220. The password for the user bandit28-git is the same as for the user bandit28.
Clone the repository and find the password for the next level.
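Solution
git clone ssh://bandit31-git@localhost:2220/home/bandit31-git/repo
mktemp -d creates a temporary directory.
git clone ssh://bandit31-git@localhost:2220/home/bandit31-git/repo
In the repo directory, cat README.md shows that the password is not there.
gitignore shows that txt files are not tracked.
-f forces the add; then push the file to the remote.
After the push, the password appears.
Level32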
Level Goal
After all this git stuff its time for another escape. Good luck!
Solution
ls shows that commands are converted to uppercase.
$0 invokes the shell.
ls /etc/bandit_pass/bandit33 gets the password.
Reflections
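OverTheWire - Bandit is the first CTF series I have solved from start to finish. I started studying Linux commands with no background; at first I still had problems such as not being able to remember commands, but after playing for a while I naturally remembered them. The challenges are all in English, and each one lists the usage of the relevant commands below it. Spending six weeks solving this series helped me understand Linux commands further.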
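Levels 28 to 30 share one point for anyone who has committed a credential: overwriting it in a later commit, keeping it on another branch, or storing it in a tag leaves it readable to everyone who can clone the repository. The following added example (not part of the original notes) builds a constructed repository with made-up secrets in those three places and scans all of them; the function names and the search pattern are assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes. The repository and every
# "password" string below are constructed for the demonstration.

make_leaky_repo() {     # prints the path of a throwaway repository
  repo=$(mktemp -d)
  g() { git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid \
            -c commit.gpgsign=false "$@"; }
  g init -q
  # Level 28 pattern: secret committed, then overwritten by a "fix".
  printf 'username: demo\npassword: CONSTRUCTED-history\n' > "$repo/README.md"
  g add README.md && g commit -qm 'add missing data'
  printf 'username: demo\npassword: xxxxxxxxxx\n' > "$repo/README.md"
  g commit -qam 'fix info leak'
  # Level 29 pattern: secret exists only on another branch.
  g checkout -qb dev
  printf 'password: CONSTRUCTED-branch\n' >> "$repo/README.md"
  g commit -qam 'add data needed for development'
  g checkout -q -
  # Level 30 pattern: tag that points straight at a blob.
  g tag secret "$(printf 'password: CONSTRUCTED-tag\n' | g hash-object -w --stdin)"
  echo "$repo"
}

scan_repo() {           # usage: scan_repo REPO REGEX
  {
    # Lines added by any commit on any ref, including lines that a later
    # commit replaced; "+++ b/file" diff headers are dropped.
    git -C "$1" log --all -p --format= | sed -n '/^+++ /d; s/^+//p' |
      grep -E "$2" || true
    # A tag can reference a blob directly; git log never visits it.
    git -C "$1" for-each-ref --format='%(refname) %(objecttype)' refs/tags |
    while read -r ref type; do
      if [ "$type" = blob ]; then
        git -C "$1" cat-file -p "$ref" | grep -E "$2" || true
      fi
    done
  } | sort -u
}

repo=$(make_leaky_repo)
grep -c CONSTRUCTED "$repo/README.md" || true   # checked-out file is clean
scan_repo "$repo" 'password: CONSTRUCTED'       # history, branch and tag
```

Because all three values stay reachable after the "fix" commit, the remedy for a real leak is to rotate the credential, not only to edit the file.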