
overthewire.org : Bandit

by 담배맛구마






I know nothing about computers, so I'm starting with Bandit.




Level 0

ssh bandit0@bandit.labs.overthewire.org
password : bandit0




Level 0 to 1

boJ9jbbUNNfktd78OOpsqOltutMc3MY1




Level 1 to 2

Huh, the file name is - and I can't view it.

find ./ -name - -exec cat {} \;
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9




Level 2 to 3

Can't you just put quotes around it?

cat "spaces in this filename"
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK




Level 3 to 4

ls -a
pIwrPrtPN36QITSp3EQaw936yaFoFgAB




Level 4 to 5

I tried to write a script for this but couldn't get one working.

find ./ -exec cat {} \;
cat: ./: Is a directory
koReBOKuIDDepwhWk7jZC0RTdopnAYKh




Level 5 to 6

Conditions for the file to find: 1) human-readable   2) 1033 bytes in size   3) not executable

Not sure about 1); just doing 2) and 3):

find ./ -size 1033c ! -executable

The c after the size apparently means the unit is bytes.


executable means an executable file, and putting ! in front of it negates the condition. Actually, just this is enough to find it:

find ./ -size 1033c ! -executable -exec cat {} \;
DXjZPULLxYr17uwoI01bNLQbtFemEgo7


※ Human-readable also came up in Level 4 to 5, and apparently the way to handle it is with a regular expression?

find ./ -name "[[:print:]]*"

But I'm not sure this method matches the condition the problem actually gave?

1) Does human-readable mean the file name is human-readable?

2) Or does it mean the file contents are human-readable?

Anyway, the method above covers 1); for 2), using xargs should work:

find ./ | xargs grep "[[:print:]]*"


So, putting it all together:

find ./ -size 1033c ! -executable | xargs grep "[[:print:]]*"
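The same three conditions written as a script, as an added example that is not part of the original post. "Human-readable" is taken to mean the contents contain only printable bytes, which is checked with grep in the C locale; the fixture directory, file names and sizes are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: apply the three Level 5 -> 6
# conditions from a script. "Human-readable" is taken to mean the CONTENTS
# hold only printable bytes: in the C locale, bytes >= 0x80 and control
# characters are outside [:print:], so one grep for a forbidden byte decides.
# 'xargs grep "[[:print:]]*"' cannot do this, because that pattern also
# matches the empty string and therefore matches every file.

# is_text FILE: succeed only if no byte outside [:print:] or [:space:] occurs.
is_text() {
  ! LC_ALL=C grep -q '[^[:print:][:space:]]' "$1"
}

# find_candidates DIR SIZE: regular files under DIR of exactly SIZE bytes
# that are not executable and pass is_text, one path per line.
find_candidates() {
  find "$1" -type f -size "${2}c" ! -executable | while IFS= read -r f; do
    if is_text "$f"; then printf '%s\n' "$f"; fi
  done
}

# make_fixture: constructed stand-in for ~/inhere with four files, of which
# exactly one meets all three conditions. Prints the directory created.
make_fixture() {
  d=$(mktemp -d)
  mkdir "$d/inhere"
  # right size, not executable, but 1033 bytes of 0xFF: not human-readable
  head -c 1033 /dev/zero | tr '\000' '\377' > "$d/inhere/-file00"
  # 1033 printable bytes, but executable
  { head -c 1032 /dev/zero | tr '\000' 'A'; printf '\n'; } > "$d/inhere/-file01"
  chmod +x "$d/inhere/-file01"
  # printable and not executable, but only 1032 bytes
  { head -c 1031 /dev/zero | tr '\000' 'B'; printf '\n'; } > "$d/inhere/-file02"
  # the one that satisfies all three conditions
  { head -c 1032 /dev/zero | tr '\000' 'C'; printf '\n'; } > "$d/inhere/-file03"
  printf '%s\n' "$d"
}

DEMO_DIR=$(make_fixture)
find_candidates "$DEMO_DIR" 1033   # prints only .../inhere/-file03
rm -rf "$DEMO_DIR"
```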




Level 6 to 7

Conditions again: 1) owned by user bandit7 2) owned by group bandit6 3) 33 bytes in size

find / -user bandit7 -group bandit6 -size 33c -exec cat {} \;

Hmm... got the answer, but files I lack permission for throw errors, so the output is a mess.

I'm logged in as bandit6 and belong to the owning group, so maybe just filter on permissions..?

find / -user bandit7 -group bandit6 -size 33c -perm +20 -exec cat {} \;   (doesn't this work??)
find / -user bandit7 -group bandit6 -size 33c 2>/dev/null -exec cat {} \;   (just doing this works fine)
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs




Level 7 to 8

cat data.txt | grep millionth
millionth     cvX2JJa4CFALtqS87jk27qwqGhBM9plV




Level 8 to 9

I misread it: not the only line where text appears, but the only line that has no duplicates lol

sort data.txt | uniq -u
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR




Level 9 to 10

A human-readable line that begins with several = characters

strings data.txt | grep '^=='

It doesn't come out cleanly somehow.


truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk




Level 10 to 11

Contains a base64-encoded password.

cat data.txt | base64 -d
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR




Level 11 to 12

all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions

It's ROT13; it made sense after reading the text below.

cat data.txt | tr a-mn-zA-MN-Z n-za-mN-ZA-M
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu




Level 12 to 13

The file signature is 1F 8B 08, so it's GZIP.

xxd -r data.txt data_b.txt

Damn... keep checking with file, renaming, decompressing, renaming, over and over, and eventually:

cat data8.bin
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
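The check-rename-decompress loop above done by magic bytes rather than by file name, as an added example that is not part of the original post; the nested fixture, its contents and the helper names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: peel nested compression layers
# the way the Level 12 -> 13 loop does by hand, choosing each tool from the
# magic bytes (1f 8b 08 = gzip, "BZh" = bzip2, "ustar" at offset 257 = tar)
# instead of from the file name. The name is just metadata anyone can pick;
# the magic bytes are what the decompressor actually acts on.

# magic_at FILE OFFSET LEN: the LEN bytes at OFFSET as lowercase hex, e.g.
# "1f8b08"; empty when the file is shorter than OFFSET.
magic_at() {
  od -An -v -tx1 -j "$2" -N "$3" "$1" 2>/dev/null | tr -d ' \n'
}

# unwrap FILE: replace FILE in place with its innermost payload and print the
# type of each layer removed, outermost first, one per line.
unwrap() {
  f=$1
  while :; do
    if   [ "$(magic_at "$f" 0 3)" = 1f8b08 ];       then echo gzip;  gzip  -dc "$f" > "$f.tmp"
    elif [ "$(magic_at "$f" 0 3)" = 425a68 ];       then echo bzip2; bzip2 -dc "$f" > "$f.tmp"
    elif [ "$(magic_at "$f" 257 5)" = 7573746172 ]; then echo tar;   tar -xOf "$f" > "$f.tmp"
    else break                               # not a container we know: done
    fi
    mv "$f.tmp" "$f"
  done
}

# make_nested: constructed fixture, a short line wrapped in gzip twice (fed
# through stdin, since gzip refuses to re-compress a name ending in .gz).
make_nested() {
  d=$(mktemp -d)
  printf 'The password is CONSTRUCTED_NOT_A_REAL_ONE\n' | gzip -c | gzip -c > "$d/data"
  printf '%s\n' "$d/data"
}

DATA=$(make_nested)
unwrap "$DATA"            # prints two lines: gzip, gzip
cat "$DATA"               # the original line
rm -rf "$(dirname "$DATA")"
```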




Level 13 to 14

Oh? They hand you an SSH key and tell you to log in as bandit14.

ssh -i sshkey.private bandit14@localhost

Could not create directory '/home/bandit13/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is 05:3a:1c:25:35:0a:ed:2f:cd:87:1c:f6:fe:69:e4:f6.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit13/.ssh/known_hosts).

cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e




Level 14 to 15

The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

So: send the current level's password to port 30000 on localhost and you get the next one.


nc (netcat): seems to be cat plus network. A command that just sends TCP/UDP data and receives the response.

nc localhost 30000
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr




Level 15 to 16

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

This time, send the current level's password to port 30001 on localhost over SSL to get the next one.

echo BfMYroe26WYalil77FoDi9qh59eK5xNr | openssl s_client localhost:30001
(a flood of output scrolls by...)
Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…

The hint says to try -ign_eof.

echo BfMYroe26WYalil77FoDi9qh59eK5xNr | openssl s_client -connect localhost:30001 -ign_eof
(a flood of output scrolls by)
=======
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd




Level 16 to 17

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000.

Send the current level's password to a port in 31000 ~ 32000 on localhost and you get the credentials (a password?).

First find out which of these ports have a server listening on them.

First, find the listening ports.

Then find out which of those speak SSL and which don’t.

Then find out which of them speaks SSL.

There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

Only one of them gives the next password; the rest just send back whatever you send them.


nmap isn't on the PATH; need to check whether it's there.

find / -name nmap 2>/dev/null


/usr/bin/nmap -p 31000-32000 localhost

Starting Nmap 6.40 ( http://nmap.org ) at 2016-01-23 04:41 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00077s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
31046/tcp open  unknown
31518/tcp open  unknown
31691/tcp open  unknown
31790/tcp open  unknown
31960/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds


openssl s_client -connect localhost:31046 -quiet => no SSL
openssl s_client -connect localhost:31518 -quiet => SSL => echo
openssl s_client -connect localhost:31691 -quiet => no SSL
openssl s_client -connect localhost:31790 -quiet => SSL => got a private key
openssl s_client -connect localhost:31960 -quiet => didn't check
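The port-by-port check above as a script, an added example that is not part of the original post: it parses the open ports out of the nmap report (the report text is the one printed above, embedded so the parser runs offline) and then asks openssl whether each port completes a TLS handshake. The function names are assumptions; the probing functions need the live target and are defined but not called here.

```shell
#!/bin/sh
# Added example, not from the original post: turn the manual "which open port
# speaks SSL?" check into two small functions. Report text copied from the
# post above so open_ports can be exercised offline.

NMAP_REPORT='Starting Nmap 6.40 ( http://nmap.org ) at 2016-01-23 04:41 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00077s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
31046/tcp open  unknown
31518/tcp open  unknown
31691/tcp open  unknown
31790/tcp open  unknown
31960/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds'

# open_ports: read an nmap report on stdin, print each open TCP port number
# on its own line. Only rows of the form "NNNNN/tcp open ..." qualify.
open_ports() {
  awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" { sub(/\/tcp$/, "", $1); print $1 }'
}

# speaks_tls HOST PORT: exit 0 when a TLS handshake completes, non-zero when
# the peer is plaintext or refuses. -quiet drops the certificate dump;
# </dev/null closes our side right after the handshake.
speaks_tls() {
  openssl s_client -connect "$1:$2" -quiet </dev/null >/dev/null 2>&1
}

# classify HOST: label every open port from the report as tls or plain.
# The echo servers return what they are sent; the one that answers with
# something else is the server that matters.
classify() {
  printf '%s\n' "$NMAP_REPORT" | open_ports | while IFS= read -r p; do
    if speaks_tls "$1" "$p"; then echo "$p tls"; else echo "$p plain"; fi
  done
}

printf '%s\n' "$NMAP_REPORT" | open_ports   # 31046 31518 31691 31790 31960
# classify localhost                        # run this on the target itself
```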




mkdir /tmp/ysj16
cd /tmp/ysj16
vi key

Paste the whole value above into vi, connect over ssh with that key, and it's done (was it the -i option?).

Isn't there an easier way?




Level 17 to 18

diff passwords.new passwords.old
42c42
< kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
---
> BS8bqB1kqkinKJjuxL6k072Qq9NRwQpR


When I try to log in to bandit18 with this, it keeps saying

Byebye !

Connection to localhost closed.

and fails.


NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19

Looks like I just solve level 18 as-is.




Level 18 to 19

The password for the next level is stored in a file readme in the homedirectory.


Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.


So the login failure earlier was because someone modified .bashrc to log you out when you log in via SSH.


Need a way to log in that ignores the bashrc settings.

ssh bandit18@localhost bash -norc


cat readme
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x




Level 19 to 20

To gain access to the next level, you should use the setuid binary in the homedirectory.


Execute it without arguments to find out how to use it.


The password for this level can be found in the usual place (/etc/bandit_pass), after you have used to setuid binary.


./bandit20-do
Run a command as another user.
  Example: ./bandit20-do id
./bandit20-do id
uid=11019(bandit19) gid=11019(bandit19) euid=11020(bandit20) groups=11020(bandit20),11019(bandit19)


Just read /etc/bandit_pass with this.

./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j




Level 20 to 21

There is a setuid binary in the homedirectory that does the following:

it makes a connection to localhost on the port you specify as a commandline argument.


It then reads a line of text from the connection and compares it to the password in the previous level (bandit20).


If the password is correct, it will transmit the password for the next level (bandit21).


NOTE: To beat this level, you need to login twice: once to run the setuid command, and once to start a network daemon to which the setuid will connect.


NOTE 2: Try connecting to your own network daemon to see if it works as you think


Open two PuTTY windows: run the server in one and connect as the client from the other.

Turns out nc can open a server too, wild.

1) Server (receives the bandit20 password from the client and spits out the bandit21 password)

nc -l -p 8888
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr

2) Client (hand the bandit20 password to the server and the server seems to respond)

./suconnect 8888
Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Password matches, sending next password




Level 21 to 22

A program is running automatically at regular intervals from cron, the time-based job scheduler.


Look in /etc/cron.d/ for the configuration and see what command is being executed.


cat /etc/cron.d/cronjob_bandit22
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null

bandit21@melinda:~$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

bandit21@melinda:~$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI




Level 22 to 23

A program is running automatically at regular intervals from cron, the time-based job scheduler.


Look in /etc/cron.d/ for the configuration and see what command is being executed.


NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.


cat /etc/cron.d/cronjob_bandit23
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
bandit22@melinda:~$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget
whoami
bandit22
echo I am user bandit22 | md5sum | cut -d ' ' -f 1
8169b67bd894ddbb4412f91573b38db3
cat /tmp/8169b67bd894ddbb4412f91573b38db3
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI


Huh? It just prints my own password.

Putting bandit23 into myname should do it.


echo I am user bandit23 | md5sum | cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349
cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n




Level 23 to 24

A program is running automatically at regular intervals from cron, the time-based job scheduler.


Look in /etc/cron.d/ for the configuration and see what command is being executed.


NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!


Yeah, solving this one feels great.


NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…



cat /etc/cron.d/cronjob_bandit24
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null


cat /usr/bin/cronjob_bandit24.sh

#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        timeout -s 9 60 "./$i"
        rm -f "./$i"
    fi
done

$myname is the account running the script, and cron runs it as bandit24, so I should drop a script into /var/spool/bandit24.

#!/bin/bash
cat /etc/bandit_pass/bandit24 >> pass.txt


UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ




Level 24 to 25

A daemon is listening on port 30002 and will give you the password for bandit25

if given the password for bandit24 and a secret numeric 4-digit pincode.


There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.



vi bf.sh
#!/bin/bash

for i in $(seq -w 0 9999)
do
    echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i" >> dic
done;

nc 127.0.0.1 30002 < ./dic | grep -A 2 Correct


bash bf.sh
Correct!
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG




Level 25 to 26

Logging in to bandit26 from bandit25 should be fairly easy…


The shell for user bandit26 is not /bin/bash, but something else.


Find out what it is, how it works and how to break out of it.



cat /etc/passwd | grep bandit26
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
cat /usr/bin/showtext
#!/bin/sh

more ~/text.txt
exit 0


~/text.txt means text.txt in the home directory.



Looking at the home directory now, there is a bandit26 ssh key; only just noticed.

ssh -i ./bandit26.sshkey bandit26@localhost


Damn, you're supposed to get into the vi editor from more: just make the PuTTY window small.


5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z




Level 26

Congratulations on solving the last level of this game!


At this moment, there are no more levels to play in this game. However, we are constantly working on new levels and will most likely expand this game with more levels soon.

Keep an eye out for an announcement on our usual communication channels!

In the meantime, you could play some of our other wargames.


If you have an idea for an awesome new level, please let us know!


