# CTF-Wargame

# Wargames

## Suggested order to play the games in

1. Bandit
2. Leviathan or Natas or Krypton
3. Narnia
4. Behemoth
5. Utumno
6. Maze

## Bandit

### From the official tips:

There are several things you can try when you are unsure how to continue:

- First, if you know a command, but don't know how to use it, try the manual (man page) by entering "man <command>" (without the quotes). e.g. if you know about the "ls" command, type: man ls. The "man" command also has a manual, try it. Press q to quit the man command.
- Second, if there is no man page, the command might be a shell built-in. In that case use the "help <command>" command. E.g. help cd
- Lastly, if you are still stuck, you can join us on IRC

### Level 0

```
ssh bandit0@bandit.labs.overthewire.org -p 2220
```

### Level 1

After running ls we get the flag, which is the password for the next level (no idea why Windows CMD kept refusing to log in).

```
bandit0@bandit:~$ cat readme
boJ9jbbUNNfktd78OOpsqOltutMc3MY1
```

### Level 2

Only after looking with ls did I realise that it is a file.

In bash, `-` is interpreted as stdin, the standard input stream. If you run `cat -` directly, the command just echoes back whatever you type until it reads EOF. The way to stop the shell interpreting it is to use a relative or absolute path.

### Level 3

```
bandit2@bandit:~$ ls
spaces in this filename
bandit2@bandit:~$ ls -al
total 24
drwxr-xr-x  2 root    root    4096 Oct 16  2018 .
drwxr-xr-x 41 root    root    4096 Oct 16  2018 ..
-rw-r--r--  1 root    root     220 May 15  2017 .bash_logout
-rw-r--r--  1 root    root    3526 May 15  2017 .bashrc
-rw-r--r--  1 root    root     675 May 15  2017 .profile
-rw-r-----  1 bandit3 bandit2   33 Oct 16  2018 spaces in this filename
bandit2@bandit:~$ cat spaces\ in\ this\ filename
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
bandit2@bandit:~$ cat "spaces in this filename"
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
bandit2@bandit:~$ cat 'spaces in this filename'
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
```

### Level 4

```
bandit3@bandit:~$ ls -al
total 24
drwxr-xr-x  3 root root 4096 Oct 16  2018 .
drwxr-xr-x 41 root root 4096 Oct 16  2018 ..
-rw-r--r--  1 root root  220 May 15  2017 .bash_logout
-rw-r--r--  1 root root 3526 May 15  2017 .bashrc
drwxr-xr-x  2 root root 4096 Oct 16  2018 inhere
-rw-r--r--  1 root root  675 May 15  2017 .profile
bandit3@bandit:~$
bandit3@bandit:~$ cd inhere
bandit3@bandit:~/inhere$ ls -al
total 12
drwxr-xr-x 2 root    root    4096 Oct 16  2018 .
drwxr-xr-x 3 root    root    4096 Oct 16  2018 ..
-rw-r----- 1 bandit4 bandit3   33 Oct 16  2018 .hidden
bandit3@bandit:~/inhere$ cat .hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB
```

It seems that running `ls -al` straight away is a good habit. This level is about hidden files on Linux: a hidden file is one whose name starts with a dot.

### Level 5

```
bandit4@bandit:~$ ls -al
total 24
drwxr-xr-x  3 root root 4096 Oct 16  2018 .
drwxr-xr-x 41 root root 4096 Oct 16  2018 ..
-rw-r--r--  1 root root  220 May 15  2017 .bash_logout
-rw-r--r--  1 root root 3526 May 15  2017 .bashrc
drwxr-xr-x  2 root root 4096 Oct 16  2018 inhere
-rw-r--r--  1 root root  675 May 15  2017 .profile
bandit4@bandit:~$ cd inhere/
bandit4@bandit:~/inhere$ ls -al
total 48
drwxr-xr-x 2 root    root    4096 Oct 16  2018 .
drwxr-xr-x 3 root    root    4096 Oct 16  2018 ..
-rw-r----- 1 bandit5 bandit4   33 Oct 16  2018 -file00
-rw-r----- 1 bandit5 bandit4   33 Oct 16  2018 -file01
-rw-r----- 1 bandit5 bandit4   33 Oct 16  2018 -file02
-rw-r----- 1 bandit5 bandit4   33 Oct 16  2018 -file03
-rw-r----- 1 bandit5 bandit4   33 Oct 16  2018 -file04
-rw-r----- 1 bandit5 bandit4   33 Oct 16  2018 -file05
-rw-r----- 1 bandit5 bandit4   33 Oct 16  2018 -file06
-rw-r----- 1 bandit5 bandit4   33 Oct 16  2018 -file07
-rw-r----- 1 bandit5 bandit4   33 Oct 16  2018 -file08
-rw-r----- 1 bandit5 bandit4   33 Oct 16  2018 -file09
bandit4@bandit:~/inhere$ cat ./-file00
(binary garbage, not shown)
bandit4@bandit:~/inhere$ cat ./-file01
(binary garbage, not shown)
bandit4@bandit:~/inhere$ cat ./-file02
(binary garbage, not shown)
bandit4@bandit:~/inhere$ cat ./-file03
(binary garbage, not shown)
bandit4@bandit:~/inhere$ cat ./-file05
(binary garbage, not shown)
bandit4@bandit:~/inhere$ cat ./-file04
(binary garbage, not shown)
bandit4@bandit:~/inhere$ cat ./-file06
(binary garbage, not shown)
bandit4@bandit:~/inhere$ cat ./-file07
koReBOKuIDDepwhWk7jZC0RTdopnAYKh
bandit4@bandit:~/inhere$
```

### Level 6

```
bandit5@bandit:~/inhere$ ls
maybehere00  maybehere04  maybehere08  maybehere12  maybehere16
maybehere01  maybehere05  maybehere09  maybehere13  maybehere17
maybehere02  maybehere06  maybehere10  maybehere14  maybehere18
maybehere03  maybehere07  maybehere11  maybehere15  maybehere19
bandit5@bandit:~/inhere$ du -a -b | grep 1033
1033    ./maybehere07/.file2
bandit5@bandit:~/inhere$ cat ./maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7
bandit5@bandit:~/inhere$
```

### Level 7

```
bandit6@bandit:/home$ find / -user 'bandit7' -group 'bandit6' -size 33c
find: ‘/run/lvm’: Permission denied
find: ‘/run/screen/S-bandit27’: Permission denied
... (many more "Permission denied" lines for /run, /var, /home, /tmp, /root, /etc, /sys and /proc)
/var/lib/dpkg/info/bandit7.password
... (more "Permission denied" lines)
bandit6@bandit:/home$ cat /var/lib/dpkg/info/bandit7.password
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
```

### Level 8

strings: prints the sequences of printable characters found in a file.

```
bandit7@bandit:~$ ls
data.txt
bandit7@bandit:~$ less data.txt
bandit7@bandit:~$ strings data.txt | grep millionth
millionth       cvX2JJa4CFALtqS87jk27qwqGhBM9plV
bandit7@bandit:~$
```

Here cat and strings are interchangeable.

### Level 9

uniq checks for and removes repeated adjacent lines in a text file; it is usually combined with sort.

sort sorts the contents of a text file, line by line.

https://www.runoob.com/linux/linux-comm-sort.html

```
bandit8@bandit:~$ cat data.txt | sort | uniq -c
... (count list omitted: every string is listed with count 10, except one with count 1)
bandit8@bandit:~$ cat data.txt | sort | uniq -u
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
```

uniq -c counts how many times each string occurs; -u prints only the strings that occur exactly once.

### Level 10

```
bandit9@bandit:~$ strings data.txt | grep "=.*"
2========== the
========== password
>t= yP rV~dHm=
========== isa
=FQ?P\U
= F[ pb=x
J;m=
=)$=
========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
iv8!=
bandit9@bandit:~$
bandit9@bandit:~$ strings data.txt | grep "="
(same output as above)
```

Later I saw that others managed it with a plain grep, which was a real surprise. The point of this level is presumably that grep accepts regular expressions.

### Level 11

```
bandit10@bandit:~$ strings data.txt | less
bandit10@bandit:~$ strings data.txt
VGhlIHBhc3N3b3JkIGlzIElGdWt3S0dzRlc4TU9xM0lSRnFyeEUxaHhUTkViVVBSCg==
bandit10@bandit:~$ cat data.txt
VGhlIHBhc3N3b3JkIGlzIElGdWt3S0dzRlc4TU9xM0lSRnFyeEUxaHhUTkViVVBSCg==
bandit10@bandit:~$ strings data.txt | base64 -d
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR
bandit10@bandit:~$
```

base64 usage:

```
$ echo "Hello World" | base64
SGVsbG8gV29ybGQK
$ echo "SGVsbG8gV29ybGQK" | base64 -d
```

The -d option decodes.

### Level 12

tr translates or deletes characters in a file.

tr reads from standard input, translates the characters, and writes the result to standard output.

### Level 16

```
bandit15@bandit:~$ openssl s_client -connect localhost:30001 -ign_eof
CONNECTED(00000003)
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
---
Certificate chain
 0 s:/CN=localhost
   i:/CN=localhost
---
Server certificate
-----BEGIN CERTIFICATE-----
... (certificate body omitted)
-----END CERTIFICATE-----
subject=/CN=localhost
issuer=/CN=localhost
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1019 bytes and written 269 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 7EEA483CA2D18FE7CB98BB6A1CC800C7BE4444E492EBFD398DDA8EABD18712C2
    Session-ID-ctx:
    Master-Key: D0D0B7463ABC8AD513D016BEBF3932F325BE53DBBA712624C9E820AB95735BF63FA59EAECFF34AE5523F2E05BC8BE5F2
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    ... (hex dump omitted)

    Start Time: 1581676007
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: yes
---
BfMYroe26WYalil77FoDi9qh59eK5xNr
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd

closed
bandit15@bandit:~$
```

### Level 18

```
bandit17@bandit:~$ ls
passwords.new  passwords.old
bandit17@bandit:~$ strings passwords.old
... (list of passwords omitted)
bandit17@bandit:~$ strings passwords.new
... (list of passwords omitted)
bandit17@bandit:~$ diff passwords.old passwords.new
42c42
< hlbSBPAWJmL6WFDb06gpTx1pPButblOA
---
> kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
bandit17@bandit:~$
```

With lists this long there is no way to do by eye what a machine should do, so the diff command comes in. `<` marks the line from the first file and `>` the line from the second, so the flag is kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd.

### Level 19

```
bl@bl-virtual-machine:~/wargame$ ssh bandit18@bandit.labs.overthewire.org -p 2220
This is a OverTheWire game server.
bandit18@bandit.labs.overthewire.org's password:
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
bandit18@bandit.labs.overthewire.org's password:
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
```

```
bl@bl-virtual-machine:~/wargame$ scp -P 2220 bandit18@bandit.labs.overthewire.org:./readme ./readme
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit18@bandit.labs.overthewire.org's password:
readme                                        100%   33     0.0KB/s   00:00
bl@bl-virtual-machine:~/wargame$ cat ./readme
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
bl@bl-virtual-machine:~/wargame$
```

While at it I also pulled down its .bashrc, the root of all evil in this level:

```bash
# ~/.bashrc: executed by bash(1) for non-login shells.
# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
# for examples

# If not running interactively, don't do anything
case $- in
    *i*) ;;
      *) return;;
esac

# don't put duplicate lines or lines starting with space in the history.
# See bash(1) for more options
HISTCONTROL=ignoreboth

# append to the history file, don't overwrite it
shopt -s histappend

# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
HISTSIZE=1000
HISTFILESIZE=2000

# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize

# If set, the pattern "**" used in a pathname expansion context will
# match all files and zero or more directories and subdirectories.
#shopt -s globstar

# make less more friendly for non-text input files, see lesspipe(1)
#[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"

# set variable identifying the chroot you work in (used in the prompt below)
if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
    debian_chroot=$(cat /etc/debian_chroot)
fi

# set a fancy prompt (non-color, unless we know we "want" color)
case "$TERM" in
    xterm-color|*-256color) color_prompt=yes;;
esac

# uncomment for a colored prompt, if the terminal has the capability; turned
# off by default to not distract the user: the focus in a terminal window
# should be on the output of commands, not on the prompt
#force_color_prompt=yes

if [ -n "$force_color_prompt" ]; then
    if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
        # We have color support; assume it's compliant with Ecma-48
        # (ISO/IEC-6429). (Lack of such support is extremely rare, and such
        # a case would tend to support setf rather than setaf.)
        color_prompt=yes
    else
        color_prompt=
    fi
fi

if [ "$color_prompt" = yes ]; then
    PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
else
    PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
fi
unset color_prompt force_color_prompt

# If this is an xterm set the title to user@host:dir
case "$TERM" in
xterm*|rxvt*)
    PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
    ;;
*)
    ;;
esac

# enable color support of ls and also add handy aliases
if [ -x /usr/bin/dircolors ]; then
    test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
    alias ls='ls --color=auto'
    #alias dir='dir --color=auto'
    #alias vdir='vdir --color=auto'

    #alias grep='grep --color=auto'
    #alias fgrep='fgrep --color=auto'
    #alias egrep='egrep --color=auto'
fi

# colored GCC warnings and errors
#export GCC_COLORS='error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01'

# some more ls aliases
#alias ll='ls -l'
#alias la='ls -A'
#alias l='ls -CF'

# Alias definitions.
# You may want to put all your additions into a separate file like
# ~/.bash_aliases, instead of adding them here directly.
# See /usr/share/doc/bash-doc/examples in the bash-doc package.

if [ -f ~/.bash_aliases ]; then
    . ~/.bash_aliases
fi

# enable programmable completion features (you don't need to enable
# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
# sources /etc/bash.bashrc).
if ! shopt -oq posix; then
  if [ -f /usr/share/bash-completion/bash_completion ]; then
    . /usr/share/bash-completion/bash_completion
  elif [ -f /etc/bash_completion ]; then
    . /etc/bash_completion
  fi
fi

echo 'Byebye !'
exit 0
```

```
bandit23@bandit:~$ cat /etc/cron.d/cronjob_bandit24
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
bandit23@bandit:~$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        timeout -s 9 60 ./$i
        rm -f ./$i
    fi
done
bandit23@bandit:~$ ls -al /usr/bin/cronjob_bandit24.sh
-rwxr-x--- 1 bandit24 bandit23 253 Oct 16  2018 /usr/bin/cronjob_bandit24.sh
bandit23@bandit:~$ ls /var/spool/bandit24
ls: cannot open directory '/var/spool/bandit24': Permission denied
bandit23@bandit:~$ ls /var/spool/
bandit24  cron  mail  rsyslog
bandit23@bandit:~$ ls /var/spool/ -al
total 1348
drwxr-xr-x  5 root root        4096 Oct 16  2018 .
drwxr-xr-x 11 root root        4096 Oct 16  2018 ..
drwxrwx-wx 37 root bandit24 1359872 Feb 16 10:41 bandit24
drwxr-xr-x  3 root root        4096 Oct 16  2018 cron
lrwxrwxrwx  1 root root           7 Oct 16  2018 mail -> ../mail
drwx------  2 root root        4096 Jan 14  2018 rsyslog
bandit23@bandit:~$ ls
bandit23@bandit:~$ touch fuck.sh
touch: cannot touch 'fuck.sh': Permission denied
bandit23@bandit:~$ touch /tmp/bandit23/fuck.sh
bandit23@bandit:~$ ls -al /tmp/bandit23/
total 305956
drwxrwxrwx 7 bandit23 root      4096 Feb 16 10:56 .
drwxrws-wt 1 root     root 313204736 Feb 16 10:57 ..
-rw-r--r-- 1 bandit23 bandit23    0 Feb 16 10:56 fuck.sh
-rw-r--r-- 1 bandit24 bandit24    1 Feb 14 16:05 out
-rw-r--r-- 1 bandit24 bandit24    0 Feb 14 16:49 output
-rw-r--r-- 1 bandit24 bandit24   66 Feb 14 20:48 pass
drwxr-xr-x 3 bandit27 bandit27 4096 Feb  7 13:12 repo
drwxr-xr-x 3 bandit28 bandit28 4096 Feb  7 13:21 repo28
drwxr-xr-x 4 bandit29 bandit29 4096 Feb  7 13:28 repo29
drwxr-xr-x 3 bandit30 bandit30 4096 Feb  7 13:29 repo30
drwxr-xr-x 3 bandit31 bandit31 4096 Feb  7 13:55 repo31
-rwxrwxrwx 1 bandit23 bandit23   99 Feb 15 17:49 shell.sh
bandit23@bandit:~$ vim /tmp/bandit23/fuck.sh
bandit23@bandit:/tmp/bandit23$ cat fuck.sh
#!/bin/bash
cat /etc/bandit_pass/bandit24 >> /tmp/bandit23/bandit23_pass
bandit23@bandit:~$ chmod +x /tmp/bandit23/fuck.sh
bandit23@bandit:~$
bandit23@bandit:~$ cd /tmp/bandit23
bandit23@bandit:/tmp/bandit23$ ls
fuck.sh  out  output  pass  repo  repo28  repo29  repo30  repo31  shell.sh
bandit23@bandit:/tmp/bandit23$ cp fuck.sh /var/spool/bandit24/fuck.sh
bandit23@bandit:/tmp/bandit23$ ls
fuck.sh  out  output  pass  repo  repo28  repo29  repo30  repo31  shell.sh
bandit23@bandit:/tmp/bandit23$ ls
fuck.sh  out  output  pass  repo  repo28  repo29  repo30  repo31  shell.sh
bandit23@bandit:/tmp/bandit23$ ls
fuck.sh  out  output  pass  repo  repo28  repo29  repo30  repo31  shell.sh
bandit23@bandit:/tmp/bandit23$ ls
bandit23_pass  out     pass  repo28  repo30  shell.sh
fuck.sh        output  repo  repo29  repo31
bandit23@bandit:/tmp/bandit23$ cat bandit23_pass
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
bandit23@bandit:/tmp/bandit23$
```

### level 25

```
bandit24@bandit:~$ telnet localhost 30002
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 1
Timeout. Exiting.
Connection closed by foreign host.
bandit24@bandit:/tmp/bandit24$ nc localhost 30002
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 5201
Wrong! Please enter the correct pincode. Try again.
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 1213
Wrong! Please enter the correct pincode. Try again.
^C
bandit24@bandit:~$ cd /tmp/bandit24
bandit24@bandit:/tmp/bandit24$ ls
bandit24.sh   counters.txt  pass          pin_mod.py  pktempdir  tcol
bandit25.sh   getpass.sh    pass24.sh     pin.py      qsd.txt    test.txt
bash_file.sh  mine.sh       password.txt  pins        script.sh  wesh.sh
bandit24@bandit:/tmp/bandit24$ UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
-bash: UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ: command not found
bandit24@bandit:/tmp/bandit24$ nc localhost 30002
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
Fail! You did not supply enough data. Try again.
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 1
^C
bandit24@bandit:/tmp/bandit24$ ls
bandit24.sh   fuck24.sh   pass24.sh     pins       tcol
bandit25.sh   getpass.sh  password.txt  pktempdir  test.txt
bash_file.sh  mine.sh     pin_mod.py    qsd.txt    wesh.sh
counters.txt  pass        pin.py        script.sh
bandit24@bandit:/tmp/bandit24$ python
Python 2.7.13 (default, Sep 26 2018, 18:42:22)
[GCC 6.3.0 20170516] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> exit()
bandit24@bandit:/tmp/bandit24$ touch fuck24.py
bandit24@bandit:/tmp/bandit24$ vim fuck24.py
bandit24@bandit:/tmp/bandit24$ touch pass24
bandit24@bandit:/tmp/bandit24$ cat fuck24.py
# !/usr/bin/env python
f = open('pass24','w')
passwd = 'UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ'
for i in range(10000):
    flag = passwd + ' ' + str(i).zfill(4) + '\n'
    f.write(flag)
f.close()
bandit24@bandit:/tmp/bandit24$ python fuck24.py
bandit24@bandit:/tmp/bandit24$ less pass24
bandit24@bandit:/tmp/bandit24$ nc localhost 30002 < pass24 > ans.txt
bandit24@bandit:/tmp/bandit24$ sort ans.txt | uniq -u
Correct!
Exiting.
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
bandit24@bandit:/tmp/bandit24$
```
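The weakness behind level 24 above is not the cron job itself but the directory it executes from: `/var/spool/bandit24` is `drwxrwx-wx`, so anyone on the box can drop a file there and have it run as bandit24 within a minute. The following check is an added example (not code from the writeup or from OverTheWire) that parses `/etc/cron.d` entries of the form shown above and audits the permissions of a directory a job executes files from. The directory names in `demo()` are constructed; only the mode bits mirror the level.

```python
"""Audit the directory a privileged cron job executes scripts from.

Added example, not part of the original writeup. On level 24 the job
/usr/bin/cronjob_bandit24.sh runs as bandit24 every minute and executes,
then deletes, every file in /var/spool/bandit24, a directory whose mode is
drwxrwx-wx: group bandit24 and everyone else can create files in it, so any
local user gets code run as bandit24. The check below flags a directory with
that property. Directory names in demo() are constructed for the demo.
"""
import os
import stat
import tempfile


def parse_cron_d_line(line):
    """Split an /etc/cron.d entry into (schedule, user, command).

    System crontabs carry a user field after the schedule; @-shortcuts such
    as @reboot take a single token. Comments, blank lines and environment
    assignments (SHELL=/bin/sh) return None.
    """
    fields = line.split()
    if not fields or fields[0].startswith("#") or "=" in fields[0]:
        return None
    if fields[0].startswith("@"):
        return fields[0], fields[1], " ".join(fields[2:])
    return " ".join(fields[:5]), fields[5], " ".join(fields[6:])


def audit_exec_dir(path, job_uid, job_gid):
    """Return findings for a directory whose contents a job running as
    job_uid/job_gid executes. An empty list means nothing was flagged."""
    st = os.stat(path)
    findings = []
    if not stat.S_ISDIR(st.st_mode):
        return ["not a directory"]
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable: any local user can drop a script here")
    if st.st_mode & stat.S_IWGRP and st.st_gid != job_gid:
        findings.append("writable by gid %d, which is not the job's group" % st.st_gid)
    if st.st_uid not in (0, job_uid):
        findings.append("owned by uid %d, neither root nor the job user" % st.st_uid)
    return findings


def demo():
    """Audit two constructed spool directories: one shaped like the level's
    /var/spool/bandit24 (mode 0773) and one restricted to owner and group."""
    uid, gid = os.getuid(), os.getgid()
    with tempfile.TemporaryDirectory() as base:
        bad = os.path.join(base, "spool_bad")
        good = os.path.join(base, "spool_good")
        os.mkdir(bad)
        os.mkdir(good)
        os.chmod(bad, 0o773)   # drwxrwx-wx, as on the level
        os.chmod(good, 0o750)  # drwxr-x---
        return audit_exec_dir(bad, uid, gid), audit_exec_dir(good, uid, gid)


if __name__ == "__main__":
    for line in ["@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null",
                 "* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null"]:
        print(parse_cron_d_line(line))
    bad, good = demo()
    print("0773 dir:", bad)
    print("0750 dir:", good)
```

The fix on a real system is the obvious one: a spool directory that a privileged job executes from must be writable only by that job's user (or root), and the job should refuse to run files not owned by that user.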

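Level 25 works because the pincode checker answers every wrong guess with `Wrong! ...` and keeps the connection open, so all 10,000 four-digit pins can be streamed down one `nc` connection as the transcript shows. The following is an added example (not code from the writeup) that models that service and a variant which closes the connection after a fixed number of wrong guesses, then runs the same exhaustive search against both. The password and pin are constructed values, not the level's.

```python
"""The level 25 pincode checker, and why a per-connection attempt cap matters.

Added example, not part of the original writeup. PinChecker models the
service on port 30002: each line is "password pin", and the replies are the
ones the transcript shows. The level's service keeps the connection open
after a wrong guess, so all 10,000 four-digit pins fit in one connection
(the writeup does that with `nc localhost 30002 < pass24`). The hardened
variant hangs up after max_attempts wrong guesses. Password and pin below
are constructed stand-ins.
"""

PASSWORD = "constructed-bandit24-password"   # constructed stand-in
SECRET_PIN = "7342"                          # constructed stand-in


class ConnectionClosed(Exception):
    """Raised when the service has hung up on this connection."""


class PinChecker:
    def __init__(self, password, pin, max_attempts=None):
        self.password = password
        self.pin = pin
        self.max_attempts = max_attempts  # None: unlimited, as on the level
        self.attempts = 0
        self.open = True

    def submit(self, line):
        """Process one client line and return the server's reply."""
        if not self.open:
            raise ConnectionClosed
        parts = line.split()
        if len(parts) != 2:
            return "Fail! You did not supply enough data. Try again."
        self.attempts += 1
        password, pin = parts
        if password == self.password and pin == self.pin:
            self.open = False
            return "Correct!"
        if self.max_attempts is not None and self.attempts >= self.max_attempts:
            self.open = False            # hardened: drop the connection
            raise ConnectionClosed
        return "Wrong! Please enter the correct pincode. Try again."


def exhaust_pins(checker, password):
    """Send every pin 0000..9999 over one connection, as the writeup's pass24
    file does. Returns (pin found or None, attempts the server accepted)."""
    for i in range(10000):
        pin = str(i).zfill(4)
        try:
            reply = checker.submit("%s %s" % (password, pin))
        except ConnectionClosed:
            return None, checker.attempts
        if reply.startswith("Correct"):
            return pin, checker.attempts
    return None, checker.attempts


def compare():
    """Run the same exhaustive search against the unlimited and the capped
    service. Returns ((pin, attempts), (pin, attempts))."""
    weak = exhaust_pins(PinChecker(PASSWORD, SECRET_PIN), PASSWORD)
    capped = exhaust_pins(PinChecker(PASSWORD, SECRET_PIN, max_attempts=3), PASSWORD)
    return weak, capped


if __name__ == "__main__":
    print(compare())  # (('7342', 7343), (None, 3))
```

A per-connection cap on its own only forces the client to reconnect, so a real service pairs it with per-source throttling or a lockout; a four-digit pin space is simply too small to protect without one.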
```
# from within vim
:set shell=/bin/sh
:sh
```

```
bl@bl-virtual-machine:~/wargame$ ssh bandit26@bandit.labs.overthewire.org -p 2220
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit26@bandit.labs.overthewire.org's password: 
Linux bandit 4.18.12 x86_64 GNU/Linux

[OverTheWire ASCII-art logo, garbled in extraction]
                                   www. --- ver '---' he '---" ire.org

Welcome to OverTheWire!

If you find any problems, please report them to Steven or morla on
irc.overthewire.org.

--[ Playing the games ]--

  This machine might hold several wargames.
  If you are playing "somegame", then:

    * USERNAMES are somegame0, somegame1, ...
    * Most LEVELS are stored in /somegame/.
    * PASSWORDS for each level are stored in /etc/somegame_pass/.

  Write-access to homedirectories is disabled. It is advised to create a
  working directory with a hard-to-guess name in /tmp/.
  You can use the command "mktemp -d" in order to generate a random and hard
  to guess directory in /tmp/.
  Read-access to both /tmp/ and /proc/ is disabled so that users can not
  snoop on eachother. Files and directories with easily guessable or short
  names will be periodically deleted!

  Please play nice:

    * don't leave orphan processes running
    * don't leave exploit-files laying around
    * don't annoy other players
    * don't post passwords or spoilers
    * again, DONT POST SPOILERS!
      This includes writeups of your solution on your blog or website!

--[ Tips ]--

  This machine has a 64bit processor and many security-features enabled
  by default, although ASLR has been switched off.  The following
  compiler flags might be interesting:

    -m32                    compile for 32bit
    -fno-stack-protector    disable ProPolice
    -Wl,-z,norelro          disable relro

  In addition, the execstack tool can be used to flag the stack as
  executable on ELF binaries.

  Finally, network-access is limited for most levels by a local
  firewall.

--[ Tools ]--

 For your convenience we have installed a few usefull tools which you can find
 in the following locations:

    * pwndbg (https://github.com/pwndbg/pwndbg) in /usr/local/pwndbg/
    * peda (https://github.com/longld/peda.git) in /usr/local/peda/
    * gdbinit (https://github.com/gdbinit/Gdbinit) in /usr/local/gdbinit/
    * pwntools (https://github.com/Gallopsled/pwntools)
    * radare2 (http://www.radare.org/)
    * checksec.sh (http://www.trapkit.de/tools/checksec.html) in /usr/local/bin/checksec.sh

--[ More information ]--

  For more information regarding individual wargames, visit
  http://www.overthewire.org/wargames/

  For support, questions or comments, contact us through IRC on
  irc.overthewire.org #wargames.

  Enjoy your stay!

[first lines of the "bandit26" ASCII-art banner, shown by more; garbled in extraction]
!vim
!v
:!ls
:!ls
:sh
$ ls
bandit27-do  text.txt
$ cat text.txt
[full "bandit26" ASCII-art banner; garbled in extraction]
$ ./bandit27-do
Run a command as another user.
  Example: ./bandit27-do id
$ ./bandit27-do id
uid=11026(bandit26) gid=11026(bandit26) euid=11027(bandit27) groups=11026(bandit26)
$ ./bandit27-do cat /etc/bandit_pass/bandit27
3ba3118a22e93127a4ed485be72ef5ea
```

### level 28

```
bl@bl-virtual-machine:~/wargame$ ssh bandit27@bandit.labs.overthewire.org -p 2220
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit27@bandit.labs.overthewire.org's password: 
Linux bandit 4.18.12 x86_64 GNU/Linux

[OverTheWire login banner, identical to the one in the bandit26 session above, omitted]

bandit27@bandit:~$ git clone ssh://bandit27-git@localhost/home/bandit27-git/repo
fatal: could not create work tree dir 'repo': Permission denied
bandit27@bandit:~$ git clone ssh://bandit27-git@localhost:2220/home/bandit27-git/repo
fatal: could not create work tree dir 'repo': Permission denied
bandit27@bandit:~$ cd /tmp
bandit27@bandit:/tmp$ mkdir b27r
bandit27@bandit:/tmp$ cd b27r
bandit27@bandit:/tmp/b27r$ git clone ssh://bandit27-git@localhost:2220/home/bandit27-git/repo
Cloning into 'repo'...
ssh: connect to host localhost port 2220: Connection refused
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
bandit27@bandit:/tmp/b27r$ git clone ssh://bandit27-git@localhost/home/bandit27-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit27/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit27/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit27-git@localhost's password: 
remote: Counting objects: 3, done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 3 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (3/3), done.
bandit27@bandit:/tmp/b27r$ ls
repo
bandit27@bandit:/tmp/b27r$ cd repo
bandit27@bandit:/tmp/b27r/repo$ ls
README
bandit27@bandit:/tmp/b27r/repo$ 
bandit27@bandit:/tmp/b27r/repo$ cat README
The password to the next level is: 0ef186ac70e04ea33b4c1853d2526fa2
bandit27@bandit:/tmp/b27r/repo$ 
```

```
bandit12@bandit:~$ ls
data.txt
bandit12@bandit:~$ ls /tmp/fuck
repo
bandit12@bandit:~$ ls /tmp/fuck/repo
README.md
bandit12@bandit:~$ ls /tmp/fuck/repo/README.md
/tmp/fuck/repo/README.md
bandit12@bandit:~$ cat /tmp/fuck/repo/README.md
# Bandit Notes
Some notes for level29 of bandit.

## credentials

- username: bandit29
- password: bbc96594b4e001778eee9975372716b2
```

It turned out that someone had happened to create this git repository in /tmp/fuck. A kindred spirit.

```
bl@bl-virtual-machine:~/wargame$ ssh bandit28@bandit.labs.overthewire.org -p 2220
This is a OverTheWire game server. 
bandit28@bandit.labs.overthewire.org's password: 
bandit28-git@localhost's password: 
Resolving deltas: 100% (2/2), done.
bandit28@bandit:/tmp/b28r$ ls
repo
bandit28@bandit:/tmp/b28r$ cd repo
bandit28@bandit:/tmp/b28r/repo$ ls
README.md
bandit28@bandit:/tmp/b28r/repo$ cat README.md
# Bandit Notes
Some notes for level29 of bandit.

## credentials

- username: bandit29
- password: xxxxxxxxxx

bandit28@bandit:/tmp/b28r/repo$ ls -al
total 16
drwxr-sr-x 3 bandit28 root 4096 Feb 26 04:12 .
drwxr-sr-x 3 bandit28 root 4096 Feb 26 04:12 ..
drwxr-sr-x 8 bandit28 root 4096 Feb 26 04:12 .git
-rw-r--r-- 1 bandit28 root  111 Feb 26 04:12 README.md
bandit28@bandit:/tmp/b28r/repo$ ls .git
branches  description  hooks  info  objects  refs
config    HEAD         index  logs  packed-refs
bandit28@bandit:/tmp/b28r/repo$ ls .git/branches/
bandit28@bandit:/tmp/b28r/repo$ cat .git/HEAD
ref: refs/heads/master
bandit28@bandit:/tmp/b28r/repo$ git log
commit 073c27c130e6ee407e12faad1dd3848a110c4f95
Author: Morla Porla
Date:   Tue Oct 16 14:00:39 2018 +0200

    fix info leak

commit 186a1038cc54d1358d42d468cdc8e3cc28a93fcb
Author: Morla Porla
Date:   Tue Oct 16 14:00:39 2018 +0200

    add missing data

commit b67405defc6ef44210c53345fc953e6a21338cc7
Author: Ben Dover
Date:   Tue Oct 16 14:00:39 2018 +0200

    initial commit of README.md
bandit28@bandit:/tmp/b28r/repo$ git revert 186a1038cc54d1358d42d468cdc8e3cc28a93fcb
error: could not revert 186a103... add missing data
hint: after resolving the conflicts, mark the corrected paths
hint: with 'git add <paths>' or 'git rm <paths>'
hint: and commit the result with 'git commit'
bandit28@bandit:/tmp/b28r/repo$ git reset --hard 186a1038cc54d1358d42d468cdc8e3cc28a93fcb
HEAD is now at 186a103 add missing data
bandit28@bandit:/tmp/b28r/repo$ ls
README.md
bandit28@bandit:/tmp/b28r/repo$ cat README.md
# Bandit Notes
Some notes for level29 of bandit.

## credentials

- username: bandit29
- password: bbc96594b4e001778eee9975372716b2

bandit28@bandit:/tmp/b28r/repo$ git reset --hard b67405defc6ef44210c53345fc953e6a21338cc7
HEAD is now at b67405d initial commit of README.md
bandit28@bandit:/tmp/b28r/repo$ cat README.md
# Bandit Notes
Some notes for level29 of bandit.

## credentials

- username: bandit29
- password: 

bandit28@bandit:/tmp/b28r/repo$ 
```

The usual approach: create a new directory under /tmp and clone there. The README obviously holds a fake flag (xxxxxxxxxx) and there is nothing else to go on; the only hint in the level description is git, which brings branches and rollbacks to mind. Checking the branches turns up no others, but `git log` shows earlier commits. Roll back to the corresponding version with `git reset --hard <commit_id>`, then `cat README.md` to get the flag: bbc96594b4e001778eee9975372716b2. You can also use `git show` to look at the differences between versions.

### level 30

```
  Enjoy your stay!

bandit29@bandit:~$ mkdir /tmp/b29r
bandit29@bandit:~$ cd /tmp/b29r
bandit29@bandit:/tmp/b29r$ git clone ssh://bandit29-git@localhost/home/bandit29-git/repo
Cloning into 'repo'...
bandit29-git@localhost's password: 
Resolving deltas: 100% (2/2), done.
bandit29@bandit:/tmp/b29r$ ls
repo
bandit29@bandit:/tmp/b29r$ cd repo
bandit29@bandit:/tmp/b29r/repo$ ls
README.md
bandit29@bandit:/tmp/b29r/repo$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.

## credentials

- username: bandit30
- password: <no passwords in production!>

bandit29@bandit:/tmp/b29r/repo$ git log
commit 84abedc104bbc0c65cb9eb74eb1d3057753e70f8
Author: Ben Dover
Date:   Tue Oct 16 14:00:41 2018 +0200

    fix username

commit 9b19e7d8c1aadf4edcc5b15ba8107329ad6c5650
Author: Ben Dover
Date:   Tue Oct 16 14:00:41 2018 +0200

    initial commit of README.md
bandit29@bandit:/tmp/b29r/repo$ ls .git/branches/
bandit29@bandit:/tmp/b29r/repo$ ls .git
branches  description  hooks  info  objects  refs
config    HEAD         index  logs  packed-refs
bandit29@bandit:/tmp/b29r/repo$ cat .git/config
[core]
        repositoryformatversion = 0
        filemode = true
        bare = false
        logallrefupdates = true
[remote "origin"]
        url = ssh://bandit29-git@localhost/home/bandit29-git/repo
        fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
        remote = origin
        merge = refs/heads/master
bandit29@bandit:/tmp/b29r/repo$ git reset --hard 84abedc104bbc0c65cb9eb74eb1d3057753e70f8
HEAD is now at 84abedc fix username
bandit29@bandit:/tmp/b29r/repo$ ls
README.md
bandit29@bandit:/tmp/b29r/repo$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.

## credentials

- username: bandit30
- password: <no passwords in production!>

bandit29@bandit:/tmp/b29r/repo$ 
bandit29@bandit:/tmp/b29r/repo$ cat .git/HEAD
ref: refs/heads/master
bandit29@bandit:/tmp/b29r/repo$ git branch
* master
bandit29@bandit:/tmp/b29r/repo$ git branch -a
* master
  remotes/origin/HEAD -> origin/master
  remotes/origin/dev
  remotes/origin/master
  remotes/origin/sploits-dev
bandit29@bandit:/tmp/b29r/repo$ git checkout origin/dev
Note: checking out 'origin/dev'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:

  git checkout -b <new-branch-name>

HEAD is now at 33ce2e9... add data needed for development
bandit29@bandit:/tmp/b29r/repo$ ls
code  README.md
bandit29@bandit:/tmp/b29r/repo$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.

## credentials

- username: bandit30
- password: 5b90576bedb2cc04c86a9e924ce42faf

bandit29@bandit:/tmp/b29r/repo$ ls code
gif2ascii.py
bandit29@bandit:/tmp/b29r/repo$ cat code/gif2ascii.py
bandit29@bandit:/tmp/b29r/repo$ 
```

`git log` shows only two commits, and `cat README` says the password is not in production. https://www.cnblogs.com/jiangzhaowei/p/7879916.html The Chinese/English gap really showed here: only after searching Baidu did I learn that "production" is what we usually call the master branch; the article above covers the branches commonly seen in git development: dev, master, release. Just run `git branch -a` to list all branches, switch to the dev branch, and you get the flag: 5b90576bedb2cc04c86a9e924ce42faf

### level 31

```
bandit30@bandit:~$ mkdir /tmp/b30r
bandit30@bandit:~$ cd /tmp/b30r
bandit30@bandit:/tmp/b30r$ ls
bandit30@bandit:/tmp/b30r$ git clone ssh://bandit30-git@localhost/home/bandit30-git/repo
Cloning into 'repo'...
bandit30-git@localhost's password: 
More information on http://www.overthewire.org/wargames

bandit30-git@localhost's password: 
remote: Counting objects: 4, done.
remote: Total 4 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (4/4), done.
bandit30@bandit:/tmp/b30r$ cd repo
bandit30@bandit:/tmp/b30r/repo$ ls
README.md
bandit30@bandit:/tmp/b30r/repo$ cat README.md
just an epmty file... muahaha
bandit30@bandit:/tmp/b30r/repo$ git log
commit 3aa4c239f729b07deb99a52f125893e162daac9e
Author: Ben Dover
Date:   Tue Oct 16 14:00:44 2018 +0200

    initial commit of README.md
bandit30@bandit:/tmp/b30r/repo$ cat .git/config
[core]
        repositoryformatversion = 0
        filemode = true
        bare = false
        logallrefupdates = true
[remote "origin"]
        url = ssh://bandit30-git@localhost/home/bandit30-git/repo
        fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
        remote = origin
        merge = refs/heads/master
bandit30@bandit:/tmp/b30r/repo$ git branch -a
* master
  remotes/origin/HEAD -> origin/master
  remotes/origin/master
bandit30@bandit:/tmp/b30r/repo$ ls .git
branches  description  hooks  info  objects  refs
config    HEAD         index  logs  packed-refs
bandit30@bandit:/tmp/b30r/repo$ cat .git/description
Unnamed repository; edit this file 'description' to name the repository.
bandit30@bandit:/tmp/b30r/repo$ git status
On branch master
Your branch is up-to-date with 'origin/master'.
nothing to commit, working tree clean
bandit30@bandit:/tmp/b30r/repo$ git diff --cache
error: invalid option: --cache
bandit30@bandit:/tmp/b30r/repo$ git diff --cached
bandit30@bandit:/tmp/b30r/repo$ git diff
bandit30@bandit:/tmp/b30r/repo$ git diff HEAD
bandit30@bandit:/tmp/b30r/repo$ git show-ref
3aa4c239f729b07deb99a52f125893e162daac9e refs/heads/master
3aa4c239f729b07deb99a52f125893e162daac9e refs/remotes/origin/HEAD
3aa4c239f729b07deb99a52f125893e162daac9e refs/remotes/origin/master
f17132340e8ee6c159e0a4a6bc6f80e1da3b1aea refs/tags/secret
bandit30@bandit:/tmp/b30r/repo$ git show f17132340e8ee6c159e0a4a6bc6f80e1da3b1aea
47e603bb428404d265f59c42920d81e5
bandit30@bandit:/tmp/b30r/repo$ 
```

https://cloud.tencent.com/developer/section/1138782
https://www.softwhy.com/article-8540-1.html

`git show-ref`: lists the local references. Picked up some odd new knowledge here.

### level 32

```
bandit31@bandit:~$ mkdir /tmp/b31r
bandit31@bandit:~$ cd /tmp/b31r
bandit31@bandit:/tmp/b31r$ git clone ssh://bandit31-git@localhosthome/bandit31-git/repo
Cloning into 'repo'...
ssh: Could not resolve hostname localhosthome: No address associated with hostname
fatal: Could not read from remote repository.
bandit31-git@localhost's password: 
More information on http://www.overthewire.org/wargames

bandit31-git@localhost's password: 
remote: Counting objects: 4, done.
remote: Compressing objects: 100% (3/3), done.
remote: Total 4 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (4/4), done.
bandit31@bandit:/tmp/b31r$ cd repo
bandit31@bandit:/tmp/b31r/repo$ ls
README.md
bandit31@bandit:/tmp/b31r/repo$ cat README.md
This time your task is to push a file to the remote repository.

Details:
    File name: key.txt
    Content: 'May I come in?'
    Branch: master

bandit31@bandit:/tmp/b31r/repo$ touch key.txt
bandit31@bandit:/tmp/b31r/repo$ echo 'May I come in?' >> key.txt
bandit31@bandit:/tmp/b31r/repo$ cat key.txt
May I come in?
bandit31@bandit:/tmp/b31r/repo$ git add key.txt
The following paths are ignored by one of your .gitignore files:
key.txt
Use -f if you really want to add them.
bandit31@bandit:/tmp/b31r/repo$ git add -f key.txt
bandit31@bandit:/tmp/b31r/repo$ ls -al
total 24
drwxr-sr-x 3 bandit31 root 4096 Feb 26 04:47 .
drwxr-sr-x 3 bandit31 root 4096 Feb 26 04:46 ..
drwxr-sr-x 8 bandit31 root 4096 Feb 26 04:48 .git
-rw-r--r-- 1 bandit31 root    6 Feb 26 04:46 .gitignore
-rw-r--r-- 1 bandit31 root   15 Feb 26 04:47 key.txt
-rw-r--r-- 1 bandit31 root  147 Feb 26 04:46 README.md
bandit31@bandit:/tmp/b31r/repo$ cat .gitignore
*.txt
bandit31@bandit:/tmp/b31r/repo$ git commit -m "Hello"
[master de012c9] Hello
 1 file changed, 1 insertion(+)
 create mode 100644 key.txt
bandit31@bandit:/tmp/b31r/repo$ git push
Could not create directory '/home/bandit31/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit31/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit31-git@localhost's password: 
Counting objects: 3, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 319 bytes | 0 bytes/s, done.
Total 3 (delta 0), reused 0 (delta 0)
remote: ### Attempting to validate files... ####
remote: 
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote: 
remote: Well done! Here is the password for the next level:
remote: 56a9bf19c63d650ce78e6ec0354ee45e
remote: 
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote: 
To ssh://localhost/home/bandit31-git/repo
 ! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'ssh://bandit31-git@localhost/home/bandit31-git/repo'
bandit31@bandit:/tmp/b31r/repo$ 
```

The goal of this level is clear from the README: push a file to the remote repository, which we are more than familiar with. The catch is the .gitignore, which ignores *.txt; either `git add -f` or deleting .gitignore works. Then push. A slick trick: they rewrote the output of the failed `git push` and hand out the flag in it.

### level 33

```
bl@bl-virtual-machine:~/wargame$ ssh bandit32@bandit.labs.overthewire.org -p 2220
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit32@bandit.labs.overthewire.org's password: 
Linux bandit 4.18.12 x86_64 GNU/Linux

[OverTheWire login banner, identical to the one in the bandit26 session above, omitted]

WELCOME TO THE UPPERCASE SHELL
>> #!/bin/sh
>> bash
sh: 1: BASH: not found
>> man
sh: 1: MAN: not found
>> sh
sh: 1: SH: not found
>> $0
$ ls
uppershell
$ id
uid=11033(bandit33) gid=11032(bandit32) groups=11032(bandit32)
$ pwd
/home/bandit32
$ cat /etc/bandit_pass/bandit32
cat: /etc/bandit_pass/bandit32: Permission denied
$ cat /etc/bandit_pass/bandit33
c9c3199ddf4121b10cf581a98d51caee
$ 
```

This level is really sneaky: Linux is strictly case-sensitive, so none of our commands would run. Later I learned from a writeup that `$0` drops you straight into sh, and then it works. Wow.

```
#!/bin/bash
bash
```

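The git levels above (29 to 32) are one lesson told three ways: a "fix info leak" commit only changes the tip, a non-default branch is still in the clone, and a tag can point at a blob that no commit ever contained. The following is an added example (not code from the writeup or from OverTheWire) that constructs a throwaway repository with all three patterns and runs the defender-side check: look at every commit reachable from any ref and at every tag target, not just at HEAD. The three secrets are constructed 32-hex strings, not level passwords; the script needs a git binary on the path.

```python
"""Find secrets that a git 'cleanup' left in the repository's history.

Added example, not part of the original writeup. Levels 29 to 31 above hide
passwords where `cat README.md` on the checked-out default branch never looks:
an earlier commit (the later "fix info leak" commit only changes the tip), a
non-default branch (origin/dev), and a tag that points straight at a blob
(refs/tags/secret). build_demo_repo() constructs a throwaway repository with
all three patterns; scan_repo() is the defender-side check. The three 32-hex
secrets are constructed, not level passwords. Requires the git binary.
"""
import os
import re
import shutil
import subprocess
import tempfile

GIT_AVAILABLE = shutil.which("git") is not None
SECRET_RE = re.compile(r"[0-9a-f]{32}")   # Bandit passwords are 32 hex chars

HISTORY_SECRET = "1" * 32   # constructed: leaked in an old commit
BRANCH_SECRET = "2" * 32    # constructed: leaked on the dev branch
TAG_SECRET = "3" * 32       # constructed: leaked in a blob behind a tag


def git(repo, *args, check=True):
    """Run git in `repo` with a fixed identity so commits work anywhere."""
    env = dict(os.environ,
               GIT_AUTHOR_NAME="demo", GIT_AUTHOR_EMAIL="demo@example.invalid",
               GIT_COMMITTER_NAME="demo", GIT_COMMITTER_EMAIL="demo@example.invalid")
    r = subprocess.run(["git", "-C", repo, *args], env=env,
                       capture_output=True, text=True)
    if check and r.returncode != 0:
        raise RuntimeError("git %s failed: %s" % (" ".join(args), r.stderr))
    return r.stdout


def commit_readme(repo, content, message):
    with open(os.path.join(repo, "README.md"), "w") as f:
        f.write(content)
    git(repo, "add", "README.md")
    git(repo, "commit", "-q", "-m", message)


def build_demo_repo(repo):
    git(repo, "-c", "init.defaultBranch=master", "init", "-q")
    commit_readme(repo, "- password: %s\n" % HISTORY_SECRET, "add missing data")
    commit_readme(repo, "- password: xxxxxxxxxx\n", "fix info leak")  # still in history
    git(repo, "checkout", "-q", "-b", "dev")
    commit_readme(repo, "- password: %s\n" % BRANCH_SECRET, "add data needed for development")
    git(repo, "checkout", "-q", "master")
    note = os.path.join(repo, "note.tmp")
    with open(note, "w") as f:
        f.write(TAG_SECRET + "\n")
    blob = git(repo, "hash-object", "-w", note).strip()  # store a blob, never commit it
    os.remove(note)
    git(repo, "tag", "secret", blob)                       # lightweight tag -> blob


def scan_repo(repo):
    """Return {secret: where_found} over all commits and all tag targets."""
    found = {}
    commits = git(repo, "rev-list", "--all").split()
    if commits:
        # grep every commit reachable from any ref (branches, remotes, tags)
        out = git(repo, "grep", "-I", "-E", "-e", SECRET_RE.pattern, *commits, check=False)
        for line in out.splitlines():
            rev, path, text = line.split(":", 2)
            for secret in SECRET_RE.findall(text):
                found.setdefault(secret, "commit %s:%s" % (rev[:7], path))
    # tags may point at blobs or annotated tag objects, which rev-list skips
    refs = git(repo, "for-each-ref", "--format=%(objectname) %(objecttype) %(refname)", "refs/tags")
    for line in refs.splitlines():
        obj, otype, ref = line.split()
        if otype != "commit":
            for secret in SECRET_RE.findall(git(repo, "cat-file", "-p", obj)):
                found.setdefault(secret, ref)
    return found


def demo():
    """Build the repo and scan it; returns None when git is not installed."""
    if not GIT_AVAILABLE:
        return None
    with tempfile.TemporaryDirectory() as repo:
        build_demo_repo(repo)
        return scan_repo(repo)


if __name__ == "__main__":
    for secret, where in sorted((demo() or {}).items()):
        print(secret, "->", where)
```

Once a secret has been pushed, removing it from the tip is not a fix; it has to be rotated, and the history rewritten only if you also need the object gone from every clone.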

### level 34

```
bl@bl-virtual-machine:~/wargame$ ssh bandit33@bandit.labs.overthewire.org -p 2220
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit33@bandit.labs.overthewire.org's password: 
Linux bandit 4.18.12 x86_64 GNU/Linux

[OverTheWire login banner, identical to the one in the bandit26 session above, omitted]

bandit33@bandit:~$ ls
README.txt
bandit33@bandit:~$ cat README.txt
Congratulations on solving the last level of this game!

At this moment, there are no more levels to play in this game. However, we are constantly working
on new levels and will most likely expand this game with more levels soon.
Keep an eye out for an announcement on our usual communication channels!

In the meantime, you could play some of our other wargames.

If you have an idea for an awesome new level, please let us know!
bandit33@bandit:~$ 
```

## Krypton

SSH Information

- Host: krypton.labs.overthewire.org
- Port: 2222

### level 0

Welcome to Krypton! The first level is easy. The following string encodes the password using Base64:

```
S1JZUFRPTklTR1JFQVQ=
```

Use this password to log in to krypton.labs.overthewire.org with username krypton1 using SSH on port 2222. You can find the files for other levels in /krypton/

Decoded, the password is:

```
KRYPTONISGREAT
```


```
krypton1@krypton.labs.overthewire.org's password: 
```

    krypton1@krypton:~$ ls -al
    total 24
    drwxr-xr-x  3 krypton1 krypton1 4096 Feb 27 11:03 .
    drwxr-xr-x 10 root     root     4096 Feb 27 11:03 ..
    -rw-r--r--  1 krypton1 krypton1  220 Apr  9  2014 .bash_logout
    -rw-r--r--  1 krypton1 krypton1 3637 Apr  9  2014 .bashrc
    drwx------  2 krypton1 krypton1 4096 Feb 27 11:03 .cache
    -rw-r--r--  1 krypton1 krypton1  675 Apr  9  2014 .profile
    krypton1@krypton:~$ cd /krypton/
    krypton1@krypton:/krypton$ ls
    krypton1  krypton2  krypton3  krypton4  krypton5  krypton6
    krypton1@krypton:/krypton$ ls krypton1
    README  krypton2
    krypton1@krypton:/krypton$ cat krypton1/README
    Welcome to Krypton!

    This game is intended to give hands on experience with cryptography
    and cryptanalysis.  The levels progress from classic ciphers, to modern,
    easy to harder.

    Although there are excellent public tools, like cryptool,to perform
    the simple analysis, we strongly encourage you to try and do these
    without them for now.  We will use them in later excercises.

    ** Please try these levels without cryptool first **

    The first level is easy.  The password for level 2 is in the file
    'krypton2'.  It is 'encrypted' using a simple rotation called ROT13.
    It is also in non-standard ciphertext format.  When using alpha characters for
    cipher text it is normal to group the letters into 5 letter clusters,
    regardless of word boundaries.  This helps obfuscate any patterns.

    This file has kept the plain text word boundaries and carried them to
    the cipher text.

    Enjoy!
    krypton1@krypton:/krypton$ cat krypton1/krypton2
    YRIRY GJB CNFFJBEQ EBGGRA
    krypton1@krypton:/krypton$

As the README says, this is a simple ROT13 encryption:

    LEVEL TWO PASSWORD ROTTEN

On to the next level.

### level 2

    krypton2@krypton:~$ ls
    krypton2@krypton:~$ cd /krypton/
    krypton2@krypton:/krypton$ cd krypton2
    krypton2@krypton:/krypton/krypton2$ ls
    README  encrypt  keyfile.dat  krypton3
    krypton2@krypton:/krypton/krypton2$ cat README
    Krypton 2

    ROT13 is a simple substitution cipher.

    Substitution ciphers are a simple replacement algorithm.  In this example
    of a substitution cipher, we will explore a 'monoalphebetic' cipher.
    Monoalphebetic means, literally, "one alphabet" and you will see why.

    This level contains an old form of cipher called a 'Caesar Cipher'.
    A Caesar cipher shifts the alphabet by a set number.  For example:

    plain:  a b c d e f g h i j k ...
    cipher: G H I J K L M N O P Q ...

    In this example, the letter 'a' in plaintext is replaced by a 'G' in the
    ciphertext so, for example, the plaintext 'bad' becomes 'HGJ' in ciphertext.

    The password for level 3 is in the file krypton3.  It is in 5 letter
    group ciphertext.  It is encrypted with a Caesar Cipher.  Without any
    further information, this cipher text may be difficult to break.  You do
    not have direct access to the key, however you do have access to a program
    that will encrypt anything you wish to give it using the key.  If you
    think logically, this is completely easy.

    One shot can solve it!

    Have fun.

    Additional Information:

    The encrypt binary will look for the keyfile in your current working
    directory.  Therefore, it might be best to create a working direcory in
    /tmp and in there a link to the keyfile.  As the encrypt binary runs
    setuid krypton3, you also need to give krypton3 access to your working
    directory.
    Here is an example:

    krypton2@melinda:~$ mktemp -d
    /tmp/tmp.Wf2OnCpCDQ
    krypton2@melinda:~$ cd /tmp/tmp.Wf2OnCpCDQ
    krypton2@melinda:/tmp/tmp.Wf2OnCpCDQ$ ln -s /krypton/krypton2/keyfile.dat
    krypton2@melinda:/tmp/tmp.Wf2OnCpCDQ$ ls
    keyfile.dat
    krypton2@melinda:/tmp/tmp.Wf2OnCpCDQ$ chmod 777 .
    krypton2@melinda:/tmp/tmp.Wf2OnCpCDQ$ /krypton/krypton2/encrypt /etc/issue
    krypton2@melinda:/tmp/tmp.Wf2OnCpCDQ$ ls
    ciphertext  keyfile.dat
    krypton2@krypton:/krypton/krypton2$
    krypton2@krypton:/krypton/krypton2$ mktemp -d
    /tmp/tmp.fz9I1hQd5d
    krypton2@krypton:/krypton/krypton2$ cd /tmp/tmp.fz9I1hQd5d
    krypton2@krypton:/tmp/tmp.fz9I1hQd5d$ ln -s /krypton/krypton2/keyfile.dat
    krypton2@krypton:/tmp/tmp.fz9I1hQd5d$ ls
    keyfile.dat
    krypton2@krypton:/tmp/tmp.fz9I1hQd5d$ chmod 777 .
    krypton2@krypton:/tmp/tmp.fz9I1hQd5d$ /krypton/krypton2/encrypt /etc/issue
    krypton2@krypton:/tmp/tmp.fz9I1hQd5d$ ls
    ciphertext  keyfile.dat
    krypton2@krypton:/tmp/tmp.fz9I1hQd5d$ cat ciphertext
    GNGZFGXFEZX
    krypton2@krypton:/tmp/tmp.fz9I1hQd5d$ cat keyfile.dat
    cat: keyfile.dat: Permission denied
    krypton2@krypton:/tmp/tmp.fz9I1hQd5d$ ls -al
    total 12
    drwxrwxrwx 2 krypton2 krypton2 4096 Feb 27 11:19 .
    drwxrwx-wt 3 root     root     4096 Feb 27 11:20 ..
    -rw-rw-r-- 1 krypton3 krypton2   11 Feb 27 11:19 ciphertext
    lrwxrwxrwx 1 krypton2 krypton2   29 Feb 27 11:18 keyfile.dat -> /krypton/krypton2/keyfile.dat
    krypton2@krypton:/tmp/tmp.fz9I1hQd5d$

Shifting the ciphertext GNGZFGXFEZX through all 26 Caesar rotations:

    HOHAGHYGFAY
    IPIBHIZHGBZ
    JQJCIJAIHCA
    KRKDJKBJIDB
    LSLEKLCKJEC
    MTMFLMDLKFD
    NUNGMNEMLGE
    OVOHNOFNMHF
    PWPIOPGONIG
    QXQJPQHPOJH
    RYRKQRIQPKI
    SZSLRSJRQLJ
    TATMSTKSRMK
    UBUNTULTSNL
    VCVOUVMUTOM
    WDWPVWNVUPN
    XEXQWXOWVQO
    YFYRXYPXWRP
    ZGZSYZQYXSQ
    AHATZARZYTR
    BIBUABSAZUS
    CJCVBCTBAVT
    DKDWCDUCBWU
    ELEXDEVDCXV
    FMFYEFWEDYW
    GNGZFGXFEZX

As expected, none of these looked readable. Reading the README again, I realised that this was only the example run (how silly of me).

    krypton2@krypton:/tmp/tmp.fz9I1hQd5d$ cat /etc/issue
    Ubuntu 14.04.5 LTS \n \l

    krypton2@krypton:/tmp/tmp.fz9I1hQd5d$ ls /krypton/krypton2/krypton3
    /krypton/krypton2/krypton3
    krypton2@krypton:/tmp/tmp.fz9I1hQd5d$ ls /krypton/krypton2/ -al
    total 32
    drwxr-xr-x 2 root     root     4096 Nov  4 05:21 .
    drwxr-xr-x 8 root     root     4096 Nov  4 05:21 ..
    -rw-r----- 1 krypton2 krypton2 1815 Nov  4 05:21 README
    -rwsr-x--- 1 krypton3 krypton2 8970 Nov  4 05:21 encrypt
    -rw-r----- 1 krypton3 krypton3   27 Nov  4 05:21 keyfile.dat
    -rw-r----- 1 krypton2 krypton2   13 Nov  4 05:21 krypton3
    krypton2@krypton:/tmp/tmp.fz9I1hQd5d$ ls
    ciphertext  keyfile.dat
    krypton2@krypton:/tmp/tmp.fz9I1hQd5d$ rm -f ciphertext
    krypton2@krypton:/tmp/tmp.fz9I1hQd5d$ /krypton/krypton2/encrypt /krypton/krypton2/krypton3
    krypton2@krypton:/tmp/tmp.fz9I1hQd5d$ ls
    ciphertext  keyfile.dat
    krypton2@krypton:/tmp/tmp.fz9I1hQd5d$ cat ciphertext
    AYCQYPGQCYQW
    krypton2@krypton:/tmp/tmp.fz9I1hQd5d$

Rotating the new ciphertext AYCQYPGQCYQW the same way, the plaintext CAESARISEASY shows up at a shift of +2:

    BZDRZQHRDZRX
    CAESARISEASY
    DBFTBSJTFBTZ
    ECGUCTKUGCUA
    FDHVDULVHDVB
    GEIWEVMWIEWC
    HFJXFWNXJFXD
    IGKYGXOYKGYE
    JHLZHYPZLHZF
    KIMAIZQAMIAG
    LJNBJARBNJBH
    MKOCKBSCOKCI
    NLPDLCTDPLDJ
    OMQEMDUEQMEK
    PNRFNEVFRNFL
    QOSGOFWGSOGM
    RPTHPGXHTPHN
    SQUIQHYIUQIO
    TRVJRIZJVRJP
    USWKSJAKWSKQ
    VTXLTKBLXTLR
    WUYMULCMYUMS
    XVZNVMDNZVNT
    YWAOWNEOAWOU
    ZXBPXOFPBXPV
    AYCQYPGQCYQW
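The two ciphers covered so far, ROT13 (level 1) and the keyed Caesar shift with an encryption oracle (level 2), worked through as an added Python example. This is not code from the write-up or from OverTheWire's encrypt binary; it assumes, based on the /etc/issue run above ("Ubuntu 14.04.5 LTS \n \l" came out as 11 letters), that the binary uppercases its input and discards everything outside A-Z, and the function names are my own. `recover_shift` is the one-shot attack the README hints at: a single known plaintext/ciphertext pair fixes the shift, so the 26-row table is not needed; `brute_force` reproduces that table for the case where no oracle is available.

```python
"""Caesar / ROT13 helpers for Krypton levels 1 and 2 (added example).

Assumption (modelled on the observed /etc/issue output): the level's
encrypt binary uppercases its input and drops every non-A-Z character
before shifting.
"""
import string

ALPHABET = string.ascii_uppercase


def normalize(text: str) -> str:
    """Uppercase and keep only A-Z, mirroring the assumed oracle behaviour."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def caesar(text: str, shift: int) -> str:
    """Shift every A-Z letter forward by `shift` (negative = backwards).
    Non-letters pass through unchanged, so 5-letter groups keep their spaces."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def rot13(text: str) -> str:
    """ROT13 (level 1) is just the Caesar cipher with shift 13; it is its own inverse."""
    return caesar(text, 13)


def recover_shift(plaintext: str, ciphertext: str) -> int:
    """Chosen-plaintext attack (level 2): one known pair gives the key.
    Every letter position must agree on the same shift; if they do not,
    the cipher is not a single-shift Caesar and this raises."""
    p, c = normalize(plaintext), normalize(ciphertext)
    if not p or len(p) != len(c):
        raise ValueError("plaintext/ciphertext length mismatch after normalisation")
    shifts = {(ALPHABET.index(b) - ALPHABET.index(a)) % 26 for a, b in zip(p, c)}
    if len(shifts) != 1:
        raise ValueError(f"inconsistent shifts {sorted(shifts)}: not a single-shift cipher")
    return shifts.pop()


def brute_force(ciphertext: str) -> dict:
    """All 26 candidate plaintexts, keyed by the *encryption* shift that would
    have produced the ciphertext (decryption shifts back by that amount)."""
    return {k: caesar(ciphertext, -k) for k in range(26)}


def english_like(candidates: dict, words=("THE", "AND", "IS", "EASY")) -> list:
    """Crude crib filter for the brute-force table: keep the shifts whose
    candidate contains at least one common English word."""
    return [k for k, text in candidates.items() if any(w in text for w in words)]


if __name__ == "__main__":
    print(rot13("YRIRY GJB CNFFJBEQ EBGGRA"))              # level 1 password
    key = recover_shift("Ubuntu 14.04.5 LTS \\n \\l", "GNGZFGXFEZX")
    print("shift learned from the /etc/issue probe:", key)     # 12
    for shift, text in brute_force("AYCQYPGQCYQW").items():
        print(f"{shift:2d} {text}")
    print("plausible shifts:", english_like(brute_force("AYCQYPGQCYQW")))
    # Inference from the session above, not stated on the page: the probe gives
    # shift 12 but CAESARISEASY only appears at shift 24 = 12 applied twice,
    # which is what you get when the file fed to encrypt was already ciphertext.
    print(caesar(caesar("AYCQYPGQCYQW", -12), -12))          # CAESARISEASY
```

One detail worth checking against the session above: the /etc/issue pair yields shift 12, yet CAESARISEASY only appears at 24, which is that shift applied twice. That is consistent with the krypton3 file already holding ciphertext when it was passed to encrypt, so it was encrypted a second time; learning the shift from one probe and shifting krypton3 back directly avoids the brute-force table altogether.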


### level 3

    krypton3@krypton:~$ ls
    krypton3@krypton:~$ cd /krypton/krypton3
    krypton3@krypton:/krypton/krypton3$ ls
    HINT1  HINT2  README  found1  found2  found3  krypton4
    krypton3@krypton:/krypton/krypton3$ cat README
    Well done.  You've moved past an easy substitution cipher.

    Hopefully you just encrypted the alphabet a plaintext to fully expose the key in one swoop.

    The main weakness of a simple substitution cipher is repeated use of a simple key.

    In the previous exercise you were able to introduce arbitrary plaintext to expose the key.
    In this example, the cipher mechanism is not available to you, the attacker.

    However, you have been lucky.  You have intercepted more than one message.  The password to the next
    level is found in the file 'krypton4'.  You have also found 3 other files.  (found1, found2, found3)

    You know the following important details:

    - The message plaintexts are in English (*** very important)
    - They were produced from the same key (*** even better!)

    Enjoy.
    krypton3@krypton:/krypton/krypton3$ cat found1
    CGZNL YJBEN QYDLQ ZQSUQ NZCYD SNQVU BFGBK GQUQZ QSUQN UZCYD SNJDS UDCXJ ZCYDS NZQSU QNUZB WSBNZ QSUQN UDCXJ CUBGS BXJDS UCTYV SUJQG WTBUJ KCWSV LFGBK GSGZN LYJCB GJSZD GCHMS UCJCU QJLYS BXUMA UJCJM JCBGZ CYDSN CGKDC ZDSQZ DVSJJ SNCGJ DSYVQ CGJSO JCUNS YVQZS WALQV SJJSN UBTSX COSWG MTASN BXYBU CJCBG UWBKG JDSQV YDQAS JXBNS OQTYV SKCJD QUDCX JBXQK BMVWA SNSYV QZSWA LWAKB MVWAS ZBTSS QGWUB BGJDS TSJDB WCUGQ TSWQX JSNRM VCMUZ QSUQN KDBMU SWCJJ BZBTT MGCZQ JSKCJ DDCUE SGSNQ VUJDS SGZNL YJCBG UJSYY SNXBN TSWAL QZQSU QNZCY DSNCU BXJSG CGZBN YBNQJ SWQUY QNJBX TBNSZ BTYVS OUZDS TSUUM ZDQUJ DSICE SGNSZ CYDSN QGWUJ CVVDQ UTBWS NGQYY VCZQJ CBGCG JDSNB JULUJ STQUK CJDQV VUCGE VSQVY DQASJ UMAUJ CJMJC BGZCY DSNUJ DSZQS UQNZC YDSNC USQUC VLANB FSGQG WCGYN QZJCZ SBXXS NUSUU SGJCQ VVLGB ZBTTM GCZQJ CBGUS ZMNCJ LUDQF SUYSQ NSYNB WMZSW TBUJB XDCUF GBKGK BNFAS JKSSG QGWDC USQNV LYVQL UKSNS TQCGV LZBTS WCSUQ GWDCU JBNCS UESGN SUDSN QCUSW JBJDS YSQFB XUBYD CUJCZ QJCBG QGWQN JCUJN LALJD SSGWB XJDSU COJSS GJDZS GJMNL GSOJD SKNBJ STQCG VLJNQ ESWCS UMGJC VQABM JCGZV MWCGE DQTVS JFCGE VSQNQ GWTQZ ASJDZ BGUCW SNSWU BTSBX JDSXC GSUJS OQTYV SUCGJ DSSGE VCUDV QGEMQ ESCGD CUVQU JYDQU SDSKN BJSJN QECZB TSWCS UQVUB FGBKG QUNBT QGZSU QGWZB VVQAB NQJSW KCJDB JDSNY VQLKN CEDJU TQGLB XDCUY VQLUK SNSYM AVCUD SWCGS WCJCB GUBXI QNLCG EHMQV CJLQG WQZZM NQZLW MNCGE DCUVC XSJCT SQGWC GJKBB XDCUX BNTSN JDSQJ NCZQV ZBVVS QEMSU YMAVC UDSWJ DSXCN UJXBV CBQZB VVSZJ SWSWC JCBGB XDCUW NQTQJ CZKBN FUJDQ JCGZV MWSWQ VVAMJ JKBBX JDSYV QLUGB KNSZB EGCUS WQUUD QFSUY SQNSU
    krypton3@krypton:/krypton/krypton3$ cat found2
    QVJDB MEDGB QJJSG WQGZS NSZBN WUXBN JDSYS NCBWU MNICI STBUJ ACBEN QYDSN UQENS SJDQJ UDQFS UYSQN SKQUS WMZQJ SWQJJ DSFCG EUGSK UZDBB VCGUJ NQJXB NWQXN SSUZD BBVZD QNJSN SWCGQ ABMJQ HMQNJ SNBXQ TCVSX NBTDC UDBTS ENQTT QNUZD BBVUI QNCSW CGHMQ VCJLW MNCGE JDSSV CPQAS JDQGS NQAMJ JDSZM NNCZM VMTKQ UWCZJ QJSWA LVQKJ DNBME DBMJS GEVQG WQGWJ DSUZD BBVKB MVWDQ ISYNB
    ICWSW QGCGJ SGUCI SSWMZ QJCBG CGVQJ CGENQ TTQNQ GWJDS ZVQUU CZUQJ JDSQE SBXUD QFSUY SQNST QNNCS WJDSL SQNBV WQGGS DQJDQ KQLJD SZBGU CUJBN LZBMN JBXJD SWCBZ SUSBX KBNZS UJSNC UUMSW QTQNN CQESV CZSGZ SBGGB ISTAS NJKBB XDQJD QKQLU GSCED ABMNU YBUJS WABGW UJDSG SOJWQ LQUUM NSJLJ DQJJD SNSKS NSGBC TYSWC TSGJU JBJDS TQNNC QESJD SZBMY VSTQL DQISQ NNQGE SWJDS ZSNST BGLCG UBTSD QUJSU CGZSJ DSKBN ZSUJS NZDQG ZSVVB NQVVB KSWJD STQNN CQESA QGGUJ BASNS QWBGZ SCGUJ SQWBX JDSMU MQVJD NSSJC TSUQG GSUYN SEGQG ZLZBM VWDQI SASSG JDSNS QUBGX BNJDC UUCOT BGJDU QXJSN JDSTQ NNCQE SUDSE QISAC NJDJB QWQME DJSNU MUQGG QKDBK QUAQY JCUSW BGTQL JKCGU UBGDQ TGSJQ GWWQM EDJSN RMWCJ DXBVV BKSWQ VTBUJ JKBLS QNUVQ JSNQG WKSNS AQYJC USWBG XSANM QNLDQ TGSJW CSWBX MGFGB KGZQM USUQJ JDSQE SBXQG WKQUA MNCSW BGQME MUJQX JSNJD SACNJ DBXJD SJKCG UJDSN SQNSX SKDCU JBNCZ QVJNQ ZSUBX UDQFS UYSQN SMGJC VDSCU TSGJC BGSWQ UYQNJ BXJDS VBGWB GJDSQ JNSUZ SGSCG ASZQM USBXJ DCUEQ YUZDB VQNUN SXSNJ BJDSL SQNUA SJKSS GQGWQ UUDQF SUYSQ NSUVB UJLSQ NUACB ENQYD SNUQJ JSTYJ CGEJB QZZBM GJXBN JDCUY SNCBW DQISN SYBNJ SWTQG LQYBZ NLYDQ VUJBN CSUGC ZDBVQ UNBKS UDQFS UYSQN SUXCN UJACB ENQYD SNNSZ BMGJS WQUJN QJXBN WVSES GWJDQ JUDQF SUYSQ NSXVS WJDSJ BKGXB NVBGW BGJBS UZQYS YNBUS ZMJCB GXBNW SSNYB QZDCG EQGBJ DSNSC EDJSS GJDZS GJMNL UJBNL DQUUD QFSUY SQNSU JQNJC GEDCU JDSQJ NCZQV ZQNSS NTCGW CGEJD SDBNU SUBXJ DSQJN SYQJN BGUCG VBGWB GRBDG QMANS LNSYB NJSWJ DQJUD QFSUY SQNSD QWASS GQZBM GJNLU ZDBBV TQUJS NUBTS JKSGJ CSJDZ SGJMN LUZDB VQNUD QISUM EESUJ SWJDQ JUDQF SUYSQ NSTQL DQISA SSGST YVBLS WQUQU ZDBBV TQUJS NALQV SOQGW SNDBE DJBGB XVQGZ QUDCN SQZQJ DBVCZ VQGWB KGSNK DBGQT SWQZS NJQCG KCVVC QTUDQ FSUDQ XJSCG DCUKC VVGBS ICWSG ZSUMA UJQGJ CQJSU UMZDU JBNCS UBJDS NJDQG DSQNU QLZBV VSZJS WQXJS NDCUW SQJD
    krypton3@krypton:/krypton/krypton3$ cat found3
    DSNSM YBGVS ENQGW QNBUS KCJDQ ENQIS QGWUJ QJSVL QCNQG WANBM EDJTS JDSAS SJVSX NBTQE VQUUZ QUSCG KDCZD CJKQU SGZVB USWCJ KQUQA SQMJC XMVUZ QNQAQ SMUQG WQJJD QJJCT SMGFG BKGJB GQJMN
    QVCUJ UBXZB MNUSQ ENSQJ YNCPS CGQUZ CSGJC XCZYB CGJBX ICSKJ DSNSK SNSJK BNBMG WAVQZ FUYBJ UGSQN BGSSO JNSTC JLBXJ DSAQZ FQGWQ VBGEB GSGSQ NJDSB JDSNJ DSUZQ VSUKS NSSOZ SSWCG EVLDQ NWQGW EVBUU LKCJD QVVJD SQYYS QNQGZ SBXAM NGCUD SWEBV WJDSK SCEDJ BXJDS CGUSZ JKQUI SNLNS TQNFQ AVSQG WJQFC GEQVV JDCGE UCGJB ZBGUC WSNQJ CBGCZ BMVWD QNWVL AVQTS RMYCJ SNXBN DCUBY CGCBG NSUYS ZJCGE CJ
    krypton3@krypton:/krypton/krypton3$ cat HINT1
    Some letters are more prevalent in English than others.
    krypton3@krypton:/krypton/krypton3$ cat HINT2
    "Frequency Analysis" is your friend.
    krypton3@krypton:/krypton/krypton3$

Reference used for the frequency analysis: https://www.jianshu.com/p/a131136c0dbf

Character counts per file, in the order found1, found2, found3 (the "Nchar" comment is the number of distinct characters in that file):

    # 25char
    257: (space) 155: S 107: C 106: Q 102: J 100: U 87: B 81: G 74: N 69: D 57: Z 56: V 47: W
    42: Y 32: T 29: X 29: M 27: L 25: K 20: A 17: E 11: F 7: O 2: I 2: H 1: R

    # 26char
    354: (space) 243: S 186: Q 158: J 135: N 130: U 129: B 119: D 111: G 86: C 66: W 59: Z 53: V
    45: M 37: T 34: E 33: Y 33: X 30: K 27: L 26: A 14: I 12: F 3: O 2: R 2: H 1: P

    # 25char
    93: (space) 58: S 48: Q 41: J 35: G 34: C 31: N 30: B 27: U 22: D 21: V 16: Z 16: W 13: E
    12: M 12: K 9: Y 9: X 9: A 6: T 6: L 5: F 3: I 2: O 1: R 1: P

Combining all three files into one count, with each cipher letter paired with the English letter of the same frequency rank:

    703: (space)
    456: S:e 340: Q:t 301: J:a 257: U:o 246: B:i 240: N:n 227: G:s 227: C:h 210: D:r
    132: Z:d 130: V:l 129: W:c 86: M:u 84: Y:m 75: T:w 71: X:f 67: K:g 64: E:y
    60: L:p 55: A:b 28: F:v 19: I:k 12: O:j 4: R:x 4: H:q 2: P:z

Substituting according to that frequency ranking, the result does not look like a password either:

    krypton3@krypton:/krypton/krypton3$ cat krypton4
    KSVVW BGSJD SVSIS VXBMN YQUUK BNWCU ANMJS
    gellc isear eleke lfiun mtoog incho bnuae

Final substitution key (cipher letter on top, plaintext letter below):

    secret:  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
    text:    B O I H G K N Q V T W Y U R X Z A J E M S L D F P C

Applying it with tr:

    krypton3@krypton:/krypton/krypton3$ cat krypton4 | tr '[A-Z]' '[BOIHGKNQVTWYURXZAJEMSLDFPC]'
    WELLD ONETH ELEVE LFOUR PASSW ORDIS BRUTE
    krypton3@krypton:/krypton/krypton3$
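Frequency analysis for this level, as an added Python example (not the write-up's own code): it takes the combined letter counts listed above, builds the same rank-based first guess the author used, applies it to krypton4, and then compares that guess with the final key from the tr command to show how far single-letter statistics get you. The counts and both keys are copied from this page; the found files themselves are not embedded, the English letter order ETAOIN... is the standard one, and the function names are mine.

```python
"""Monoalphabetic substitution: frequency analysis for Krypton level 3 (added example)."""
from collections import Counter

# Standard English letter order, most to least frequent.
ENGLISH_BY_FREQ = "ETAOINSHRDLCUMWFGYPBVKJXQZ"

# Combined ciphertext letter counts over found1/found2/found3, copied from the
# write-up's table (constructed input here, not recomputed from the files).
# Insertion order matters for ties (G/C at 227, R/H at 4): most_common() is stable.
CIPHER_COUNTS = Counter({
    "S": 456, "Q": 340, "J": 301, "U": 257, "B": 246, "N": 240, "G": 227,
    "C": 227, "D": 210, "Z": 132, "V": 130, "W": 129, "M": 86, "Y": 84,
    "T": 75, "X": 71, "K": 67, "E": 64, "L": 60, "A": 55, "F": 28, "I": 19,
    "O": 12, "R": 4, "H": 4, "P": 2,
})

# Final key the write-up arrived at (cipher letter -> plaintext letter),
# i.e. the second operand of its tr command.
FINAL_KEY = dict(zip("ABCDEFGHIJKLMNOPQRSTUVWXYZ", "BOIHGKNQVTWYURXZAJEMSLDFPC"))

KRYPTON4 = "KSVVW BGSJD SVSIS VXBMN YQUUK BNWCU ANMJS"


def count_letters(ciphertext: str) -> Counter:
    """Count A-Z only; the spaces from 5-letter grouping carry no information."""
    return Counter(ch for ch in ciphertext.upper() if "A" <= ch <= "Z")


def rank_guess(counts: Counter) -> dict:
    """Pair the i-th most common cipher letter with the i-th most common English letter."""
    ordered = [letter for letter, _ in counts.most_common()]
    return dict(zip(ordered, ENGLISH_BY_FREQ))


def substitute(ciphertext: str, key: dict, lower: bool = False) -> str:
    """Apply a cipher->plain mapping. Letters missing from a partial key come
    out as '?' so the gaps stay visible; spaces pass through."""
    out = []
    for ch in ciphertext.upper():
        if "A" <= ch <= "Z":
            p = key.get(ch, "?")
            out.append(p.lower() if lower else p.upper())
        else:
            out.append(ch)
    return "".join(out)


def agreement(guess: dict, truth: dict) -> int:
    """How many cipher letters the frequency-only guess already maps correctly."""
    return sum(1 for c, p in guess.items() if truth.get(c, "").upper() == p.upper())


def check_permutation(key: dict) -> bool:
    """A usable monoalphabetic key maps 26 distinct cipher letters onto 26 distinct plain letters."""
    return len(key) == 26 and len(set(key.values())) == 26


if __name__ == "__main__":
    guess = rank_guess(CIPHER_COUNTS)
    print("frequency-only guess:", substitute(KRYPTON4, guess, lower=True))
    print("final key:           ", substitute(KRYPTON4, FINAL_KEY))
    print(agreement(guess, FINAL_KEY), "of 26 cipher letters were right from frequency alone")
    print("final key is a permutation:", check_permutation(FINAL_KEY))
```

The rank-based guess gets only 7 of the 26 cipher letters right, which is why the first attempt reads gellc isear ...: single-letter frequencies pin down the most common letter (S = E here) and the rare tail, but the middle of the distribution is too flat to order by count alone. The usual next steps are bigram and trigram counts (THE, AND, ING) and reading the partial plaintext for cribs, then correcting the key one letter at a time until the text reads.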