Overthewire: Bandit Level0-Level33 通关版
本文基于学习网站OverTheWire: Bandit
这是一个为计算机专业打下坚实的Linux,Web,git基础知识的网站或项目。
Level 0
Level Goal
The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.
ssh -p 2220 bandit0@bandit.labs.overthewire.org
输入密码bandit0.
Level 0 → Level 1
Level Goal
The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.
Commands you may need to solve this level
ls , cd , cat , file , du , find
获得的密码用来下一关的ssh的登录认证。
Level 1 → Level 2
Level Goal
The password for the next level is stored in a file called - located in the home directory
Commands you may need to solve this level
ls , cd , cat , file , du , find
方法1:用相对路径./
方法2:查看当前目录pwd
Level 2 → Level 3
Level Goal
The password for the next level is stored in a file called spaces in this filename located in the home directory
Commands you may need to solve this level
ls , cd , cat , file , du , find
方法1:用字符串
方法2:用转义字符\
Level 3 → Level 4
Level Goal
The password for the next level is stored in a hidden file in the inhere directory.
Commands you may need to solve this level
ls , cd , cat , file , du , find
用ls -al 找到隐藏的文件,用相对路径获取密码。
Level 4 → Level 5
Level Goal
The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.
Commands you may need to solve this level
ls , cd , cat , file , du , find
只需用file 找到可读(ASCII)文件。
用cat ./-file* 虽然也能查看到密码,但难以判断密码从何开始。
Level 5 → Level 6
Level Goal
The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:
[*]human-readable
[*]1033 bytes in size
[*]not executable
Commands you may need to solve this level
ls , cd , cat , file , du , find
下一级的密码存储在以下某处的文件中 inhere 目录,并具有以下所有属性:
[*]人类可读
[*]大小为 1033 字节
[*]不可执行
这样比下图更合乎请求。
find . -type f -readable ! -executable -size 1033c
Level 6 → Level 7
Level Goal
The password for the next level is stored somewhere on the server and has all of the following properties:
[*]owned by user bandit7
[*]owned by group bandit6
[*]33 bytes in size
Commands you may need to solve this level
ls , cd , cat , file , du , find , grep
在根目录下查找会经常有很多权限的报错信息,可以用2>/dev/null这种方式将错误信息重定向到/dev/null 以保持输出干净。
或者执行
find / -size 33c -user bandit7 -group bandit6后,直接找到bandit7.password文件
Level 7 → Level 8
Level Goal
The password for the next level is stored in the file data.txt next to the word millionth
Commands you may need to solve this level
man, grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd
./可以省略。
Level 8 → Level 9
Level Goal
The password for the next level is stored in the file data.txt and is the only line of text that occurs only once
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd
可以用-c列出出现的次数,然后从中找到是1的那一行即可
man uniq
Level 9 → Level 10
Level Goal
The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd
Level 10 → Level 11
Level Goal
The password for the next level is stored in the file data.txt, which contains base64 encoded data
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd
base64 解码即可。
Level 11 → Level 12
Level Goal
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd
方法一(输入重定向):~$ tr 'a-zA-Z' 'n-za-mN-ZA-M' < data.txt
方法二(管道传递):~$ cat data.txt | tr 'a-zA-Z' 'n-za-mN-ZA-M'
Level 12 → Level 13
Level Goal
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work. Use mkdir with a hard to guess directory name. Or better, use the command “mktemp -d”. Then copy the datafile using cp, and rename it using mv (read the manpages!)
Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd, mkdir, cp, mv, file
这题考的压缩的知识,但是非常的需要耐心(无聊)。
预备知识
[*]处理gzip压缩:mv data data.gz然后gzip -d data.gz或`gunzip data.gz。
[*]处理bzip2压缩:mv data data.bz然后bzip2 -d data.bz或` bunzip2 data.bz。
[*]处理tar归档:mv data data.tar然后tar -xf data.tar,依此类推。
[*]xxd -r data.txt > data:使用 xxd 工具将十六进制格式的 data.txt 文件反向转换为二进制文件 data。-r 表示反向操作。
[*]file file1,file2... 用于查看文件类型。
进入环境后,直接 cat data.txt,发现是他是十六进制的文本。于是xxd -r data.txt > data.
bandit12@bandit:~$ ls
data.txt
bandit12@bandit:~$ cat data.txt
00000000: 1f8b 0808 41d4 f767 0203 6461 7461 322e....A..g..data2.
00000010: 6269 6e00 0149 02b6 fd42 5a68 3931 4159bin..I...BZh91AY
00000020: 2653 59a8 ffa7 8f00 001d 7fff dbeb 7ffa&SY.............
00000030: bb7f a5ef bb7e f5fb fdff b7c7 f3ff ff7f.....~..........
00000040: ff7f fff7 deba fdfa eff7 dddf b001 3b19..............;.
00000050: a200 d01a 0190 0034 0006 800d 0340 0346.......4.....@.F
00000060: 8000 0340 0320 0069 a034 0640 0346 4680...@. .i.4.@.FF.
00000070: 68d1 a68c 8321 9313 4da4 f510 6406 8003h....!..M...d...
00000080: 4006 9a00 000d 000d 0069 a007 a9a0 001a@........i......
00000090: 1b50 03d4 01a6 9a1e a001 a343 4683 469a.P.........CF.F.
000000a0: 3d40 001a 7a8d 01a0 074c 801e a1a6 8064=@..z....L.....d
000000b0: 01a3 d434 00c4 0d00 000d 0001 a680 1a19...4............
000000c0: 0061 0f53 41a0 0000 0d00 341a 0320 0034.a.SA.....4.. .4
000000d0: d1ea 0168 4882 8244 0130 5550 f16b f52e...hH..D.0UP.k..
000000e0: a322 cb9f bb8c aaf6 e244 cc70 b151 47c8.".......D.p.QG.
000000f0: 6c03 a3ae 4a81 1ee0 03ce 840e a978 2046l...J........x F
00000100: 630b 4b0d 9883 7078 e7e8 5bfb 68f1 f685c.K...px..[.h...
00000110: 6f46 771c 3920 449f f0cb 39e2 0841 10b5oFw.9 D...9..A..
00000120: 8714 e981 115c d1bc 2da4 318b 106c 904e.....\..-.1..l.N
00000130: 9328 5e97 405a 4054 21db e049 1a32 5f3d.(^.@Z@T!..I.2_=
00000140: 7069 408f f0a4 8ce5 fbea 282c 51d1 49e4pi@.......(,Q.I.
00000150: d52f 0762 dd90 27b8 79d3 0499 52e0 060c./.b..'.y...R...
00000160: fd91 a474 d408 88f3 1fda d2d1 325a baeb...t........2Z..
00000170: bfe7 f0f6 cc3c 776d f369 e73c 47d4 66ea.....<wm.i.<G.f.
00000180: 4b90 e404 03b3 6a09 4687 945d 09ef 706bK.....j.F..]..pk
00000190: 8f82 2503 80d0 0a0a 3e60 f879 bf02 2d42..%.....>`.y..-B
000001a0: bf37 9c96 4b22 585c 35c8 3cf1 da9f 518b.7..K"X\5.<...Q.
000001b0: ccd5 a68c 9647 aa38 8a50 89d2 f89c 1ff0.....G.8.P......
000001c0: 1042 18c3 6549 400d fe17 ec74 3171 6d74.B..eI@....t1qmt
000001d0: a8bb 0def f11a 5a69 0e70 aa34 0037 b180......Zi.p.4.7..
000001e0: 1540 c4d2 0af7 e290 8784 ce9e 147a 6836.@...........zh6
000001f0: 944b 3f18 2ba2 c620 af92 fb01 184f 3def.K?.+.. .....O=.
00000200: 1b7d 0162 733d adca 90ac 7142 8319 f703.}.bs=....qB....
00000210: 5930 69e2 8320 9110 5d63 0db9 9294 d4efY0i.. ..]c......
00000220: 50b9 5907 0924 92c1 014e a284 25ce a6efP.Y..$...N..%...
00000230: 67b2 4e06 6d21 4136 2ac0 292d 6638 033cg.N.m!A6*.)-f8.<
00000240: 21af be4e 13bb b74f 2c10 18c7 eea3 c436!..N...O,......6
00000250: c988 05e6 5638 1ff1 7724 5385 090a 8ffa....V8..w$S.....
00000260: 78f0 d951 192d 4902 0000 x..Q.-I...
bandit12@bandit:~$ mkdir /tmp/dig
bandit12@bandit:~$ cp data.txt /tmp/dig
bandit12@bandit:~$ cd /tmp/dig
bandit12@bandit:/tmp/dig$ ls
data.txt
bandit12@bandit:/tmp/dig$ file data.txt
data.txt: ASCII text
bandit12@bandit:/tmp/dig$ xxd -r data.txt > data
bandit12@bandit:/tmp/dig$ file data
data: gzip compressed data, was "data2.bin", last modified: Thu Apr 10 14:22:57 2025, max compression, from Unix, original size modulo 2^32 585Level 30 → Level 31
Level Goal
There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo via the port 2220. The password for the user bandit30-git is the same as for the user bandit30.
Clone the repository and find the password for the next level.
Commands you may need to solve this level
git
创建目录sd,但是git clone的时候一直提示权限不足。于是,改为了se,成功克隆!
实际上应该可以通过chown命令来绕过,建议阅读 chown 。不过,这里直接成功了,就不再演示。
https://img2024.cnblogs.com/blog/3426414/202505/3426414-20250519001247664-1776825137.png
按照前面几关的经验试试看。结果什么也没找到,空文件?
bandit12@bandit:/tmp/dig$ mv data data.gz
bandit12@bandit:/tmp/dig$ gunzip data.gz
bandit12@bandit:/tmp/dig$ file data
data: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/dig$ mv data data.bz
bandit12@bandit:/tmp/dig$ bunzip data.bz
Command 'bunzip' not found, did you mean:
command 'bunzip2' from deb bzip2 (1.0.8-5.1build0.1)
command 'lunzip' from deb lunzip (1.13-6)
command 'funzip' from deb unzip (6.0-28ubuntu4.1)
command 'gunzip' from deb gzip (1.12-1ubuntu1)
command 'bunzip3' from deb bzip3 (1.3.2-1)
command 'unzip' from deb unzip (6.0-28ubuntu4.1)
command 'ebunzip' from deb eb-utils (4.4.3-14)
command 'runzip' from deb rzip (2.1-4.1)
Try: apt install <deb name>
bandit12@bandit:/tmp/dig$ bunzip2 data.bz
bandit12@bandit:/tmp/dig$ file data
data: gzip compressed data, was "data4.bin", last modified: Thu Apr 10 14:22:57 2025, max compression, from Unix, original size modulo 2^32 20480
bandit12@bandit:/tmp/dig$ mv data data.gz
bandit12@bandit:/tmp/dig$ gzip -d data.gz
bandit12@bandit:/tmp/dig$ file data
data: POSIX tar archive (GNU)
bandit12@bandit:/tmp/dig$ mv data data.tar
bandit12@bandit:/tmp/dig$ tar -xf data.tar
bandit12@bandit:/tmp/dig$ ls
data5.bindata.tardata.txt[!note] git tag
git tag 列出所有标签。
git show secret 显示 secret 标签指向的提交的详细信息。
最后,用tag标签找到/显示出(show)了密码。
mv data5.bin data5.tar
tar -xf data5.tarLevel 31 → Level 32
Level Goal
There is a git repository at ssh://bandit31-git@localhost/home/bandit31-git/repo via the port 2220. The password for the user bandit31-git is the same as for the user bandit31.
Clone the repository and find the password for the next level.
Commands you may need to solve this level
git
git clone之后,用nano编辑文本,输入Content后面的内容(不包含引号)。
或者重定向文本echo "May I come in?"。
查看写入文本后的根目录,提交key.txt到remote。但是提示.gitignore被覆盖(?)并且忽略了key.txt。于是,尝试读取、删除.gitignore。
然后,重新提交key.txt,检查当前版本信息,发现key.txt已经提交(new file:key.txt)。
暂存、提交并远程推送到仓库:
bandit12@bandit:~$ mkdir /tmp/dig
bandit12@bandit:~$ cd /tmp/dig
bandit12@bandit:/tmp/dig$ vim 1.sh
bandit12@bandit:/tmp/dig$ bash 1.sh
cp: cannot stat 'data.txt': No such file or directory
gzip: data8 already exists; do you wish to overwrite (y or n)? y
Password: The password is FO5dwFsc0cbaIiH0h8J2eUks2vdTDwAnLevel 32 → Level 33
Level Goal
After all this git stuff, it’s time for another escape. Good luck!
Commands you may need to solve this level
sh, man
没有说明关卡目标?很疑惑。
打开关卡后,发现输入什么都会被变成大写,提示权限不足。这与关卡前的“WELCOME TO THE UPPERCASE SHELL”相符。
多次尝试后发现可以用$0来绕过。
#!/bin/bash
# 创建临时目录并复制文件
mkdir -p /tmp/dig
cp data.txt /tmp/dig
cd /tmp/dig
# 十六进制转二进制
xxd -r data.txt > data
# 处理 gzip 压缩
mv data data.gz
gzip -d data.gz
# 处理 bzip2 压缩
mv data data.bz
bzip2 -d data.bz
# 处理第一次 tar 解包
mv data data.tar
tar -xf data.tar
# 处理第二次 tar 解包 (data5.bin)
mv data5.bin data5.tar
tar -xf data5.tar
# 处理 bzip2 压缩的 data6.bin
mv data6.bin data6.bz
bzip2 -d data6.bz
# 处理第三次 tar 解包 (data6)
mv data6 data6.tar
tar -xf data6.tar
# 处理最终 gzip 压缩的 data8.bin
mv data8.bin data8.gz
gzip -d data8.gz
# 输出密码
echo "Password: $(cat data8)"Level 33 → Level 34
At this moment, level 34 does not exist yet.
参考链接:
1.OverTheWire - Bandit Walkthrough | R4f4soft
2. Write-up for the Bandit Wargame - BreakInSecurity
来源:程序园用户自行投稿发布,如果侵权,请联系站长删除
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!
页:
[1]