OverTheWire:Bandit通关WriteUp（2019.01.17完）

喜欢ヅ旅行 2022-04-10 03:08 2163阅读 0赞

### OverTheWire:Bandit通关全攻略WriteUp ###

*  背景
 *  通关过程
 *   *  Level 0
     *  Level 0-->Level 1
     *  Level 1 - Level 2
     *  Level 2 - Level 3
     *  Level 3 → Level 4
     *  Level 4 → Level 5
     *  Level 5 → Level 6
     *  Level 6 → Level 7
     *  Level 7 → Level 8
     *  Level 8 → Level 9
     *  Level 9 → Level 10
     *  Level 10 → Level 11
     *  Level 11 → Level 12
     *  Level 12 → Level 13
     *  Level 13 → Level 14
     *  Level 14 → Level 15
     *  Level 15 → Level 16
     *  Level 16 → Level 17
     *  Level 17 → Level 18
     *  Level 18 → Level 19
     *  Level 19 → Level 20
     *  Level 20 → Level 21
     *  Level 21 → Level 22
     *  Level 22 → Level 23
     *  Level 23 → Level 24
     *  Level 24 → Level 25
     *  Level 25 → Level 26
     *  Level 26 → Level 27
     *  Level 27 → Level 28
     *  Level 28 → Level 29
     *  Level 29 → Level 30
     *  Level 30 → Level 31
     *  Level 31 → Level 32
     *  Level 32 → Level 33

# 背景 #

OverTheWire:Bandit是一个学习linux命令的WarGame，通过闯关的模式，不断的学习新的命令，对于学习安全和Linux的朋友是一个很好的练习游戏，网址是 http://overthewire.org/wargames/bandit/ 。  
这个游戏目前有34关，从Level0—Level34。游戏形式是通过ssh连接游戏服务器，通过各种命令行读取下一关的游戏服务器密钥，然后连接下一关的服务器继续读取，直到通关。

SSH Information
    Host: bandit.labs.overthewire.org
    Port: 2220

# 通关过程 #

## Level 0 ##

The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is **bandit0** and the password is **bandit0**. Once logged in, go to the Level 1 page to find out how to beat Level 1.  
这一关主要是让你选择一个合适ssh工具开始远程，**这一关的用户名和密码均为bandit0**常见的有secureCRT，Xshell, Putty, 不过我最近发现一款免费而且不比Xshell功能少的SSH工具叫MobaXterm，个人推荐。  
Linux下更为方便

ssh bandit0@bandit.labs.overthewire.org -p 2220
    密码：bandit0

## Level 0–>Level 1 ##

he password for the next level is stored in a file called readme located in the home directory. Use this password to log into **bandit1** using SSH. Whenever you find a password for a level, use SSH (on port 2220) to log into that level and continue the game.  
Commands you may need to solve this level  
ls, cd, cat, file, du, find  
其中du命令是用来查看令也是查看使用空间的，但是与df命令不同的是Linux du命令是查看当前指定文件或目录(会递归显示子目录)占用磁盘空间大小，还是和df命令有一些区别的

bandit0@bandit:~$ ls
    readme
    bandit0@bandit:~$ cat readme
    boJ9jbbUNNfktd78OOpsqOltutMc3MY1

得到下一关用户名bandit1，密码为boJ9jbbUNNfktd78OOpsqOltutMc3MY1，之后用户名依次类推，不做赘述

## Level 1 - Level 2 ##

Level Goal  
The password for the next level is stored in a file called - located in the home directory

Commands you may need to solve this level  
ls, cd, cat, file, du, find  
ls发现文件名是一个-，但是这个在linux中有特殊意义导致直接cat不好用

bandit1@bandit:~$ ls
    -
    bandit1@bandit:~$ cat -
    ^Z
    [1]+  Stopped                 cat -
    bandit1@bandit:~$ pwd
    /home/bandit1
    bandit1@bandit:~$ cat /home/bandit1/-
    CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

直接输入绝对路径读取

## Level 2 - Level 3 ##

Level Goal  
The password for the next level is stored in a file called spaces in this filename located in the home directory

Commands you may need to solve this level  
ls, cd, cat, file, du, find

Helpful Reading Material  
Google Search for “spaces in filename”  
文件名有空格的读取

bandit2@bandit:~$ cat spaces\ in\ this\ filename
    UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

用cat命令，然后Tab按键补齐，自动将空格转义，实现了密钥读取，或者给文件名加上双引号也可以读取。

## Level 3 → Level 4 ##

Level Goal  
The password for the next level is stored in a hidden file in the inhere directory.

Commands you may need to solve this level  
ls, cd, cat, file, du, find  
密钥写在一个隐藏文件里面，通过ls -a参数可以找到隐藏文件

bandit3@bandit:~$ ls
    inhere
    bandit3@bandit:~$ cd inhere/
    bandit3@bandit:~/inhere$ ls
    bandit3@bandit:~/inhere$ ls -la
    total 12
    drwxr-xr-x 2 root    root    4096 Oct 16 14:00 .
    drwxr-xr-x 3 root    root    4096 Oct 16 14:00 ..
    -rw-r----- 1 bandit4 bandit3   33 Oct 16 14:00 .hidden
    bandit3@bandit:~/inhere$ cat .hidden
    pIwrPrtPN36QITSp3EQaw936yaFoFgAB

## Level 4 → Level 5 ##

Level Goal  
The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.

Commands you may need to solve this level  
ls, cd, cat, file, du, find  
文件说在人类能读懂的文件里面，可以看到当前目录有9个文件，通过file命令可以用于辨识文件类型。

bandit4@bandit:~$ ls
    inhere
    bandit4@bandit:~$ cd inhere/
    bandit4@bandit:~/inhere$ ls -a
    .   -file00  -file02  -file04  -file06  -file08
    ..  -file01  -file03  -file05  -file07  -file09
    bandit4@bandit:~/inhere$ file ./*
    ./-file00: data
    ./-file01: data
    ./-file02: data
    ./-file03: data
    ./-file04: data
    ./-file05: data
    ./-file06: data
    ./-file07: ASCII text
    ./-file08: data
    ./-file09: data
    bandit4@bandit:~/inhere$ cat ./-file07
    koReBOKuIDDepwhWk7jZC0RTdopnAYKh
    bandit4@bandit:~/inhere$

## Level 5 → Level 6 ##

Level Goal  
The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:

human-readable  
1033 bytes in size  
not executable  
Commands you may need to solve this level  
ls, cd, cat, file, du, find

一看有这么多文件夹

bandit5@bandit:~$ ls
    inhere
    bandit5@bandit:~$ cd inhere/
    bandit5@bandit:~/inhere$ ls -a
    .            maybehere02  maybehere06  maybehere10  maybehere14  maybehere18
    ..           maybehere03  maybehere07  maybehere11  maybehere15  maybehere19
    maybehere00  maybehere04  maybehere08  maybehere12  maybehere16
    maybehere01  maybehere05  maybehere09  maybehere13  maybehere17

根据特征我们可以用find 命令，找到一个符合条件的文件

bandit5@bandit:~/inhere$ find . -type f -size 1033c
    ./maybehere07/.file2
    bandit5@bandit:~/inhere$ cat ./maybehere07/.file2
    DXjZPULLxYr17uwoI01bNLQbtFemEgo7

附find参数解析  
\-size n\[cwbkMG\] : 档案大小 为 n 个由后缀决定的数据块。其中后缀含义为：  
b: 代表 512 位元组的区块（如果用户没有指定后缀，则默认为 b）  
c: 表示字节数  
k: 表示 kilo bytes （1024字节）  
w: 字 （2字节）  
M:兆字节（1048576字节）  
G: 千兆字节 （1073741824字节）  
\-type c : 档案类型是 c 。  
d: 目录  
c: 字型装置档案  
b: 区块装置档案  
p: 具名贮列  
f: 一般档案  
l: 符号连结  
s: socket

## Level 6 → Level 7 ##

Level Goal  
The password for the next level is stored somewhere on the server and has all of the following properties:

owned by user bandit7  
owned by group bandit6  
33 bytes in size  
Commands you may need to solve this level  
ls, cd, cat, file, du, find, grep  
又是找文件，那么依然可以使用find命令，只不过参数稍稍的改变

bandit6@bandit:~$ find / -size 33c -user bandit7 -group bandit6 2>/dev/null
    /var/lib/dpkg/info/bandit7.password
    bandit6@bandit:~$ cat /var/lib/dpkg/info/bandit7.password
    HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

后面的`2>/dev/null`因为find命令在根目录下查找会经常有很多权限的报错信息，所有在linux中通常用这种方式将错误信息重定向到“黑洞中”

## Level 7 → Level 8 ##

Level Goal  
The password for the next level is stored in the file data.txt next to the word millionth