This is a free cybersecurity practice platform.

Portal: https://overthewire.org/wargames/

Bandit

The Bandit series is beginner-friendly; it is mainly there to get to know Linux commands, git, bash and similar tools.

Bandit Level 0 → Level 1

ssh connection

ssh bandit0@bandit.labs.overthewire.org -p 2220
pass:bandit

cat readme

ZjLjTmM6FvvyRnrb2rfNWOZOTa6ip5If

Bandit Level 1 → Level 2

Using the -- option terminator to read a specially named file

ls,cd,cat,file,du,find

du

Reports the disk space used by a directory or file.

The strength of du lies in its many options, which cover most ways of looking at disk usage. Common options:

Option             Meaning                                                        Example
-h                 Human-readable: sizes in K (KB), M (MB), G (GB).               du -h my_folder
-s                 Summary only: the total of the given directory, without        du -sh /home/user
                   listing the subdirectories and files inside it.
-a                 All files: show the size of every file, not only directories.  du -ah my_folder
-c                 Grand total: add a final line with the sum of all arguments.   du -ch *.log
--max-depth=N      Limit depth: descend only N directory levels.                  du -h --max-depth=1 /var/log
                   --max-depth=0 is the same as -s; --max-depth=1 shows the
                   immediate subdirectories.
--exclude=PATTERN  Skip files or directories matching PATTERN.                    du -h --exclude='*.tmp' my_dir

Examples

du -sh        # total size of the current directory
du -sh *      # size of each entry in the current directory

A - as the filename

bandit1@bandit:/home$ cd
bandit1@bandit:~$ ls
-
bandit1@bandit:~$ cat -
^C
bandit1@bandit:~$ cat ./-
263JGJPfgU6LtdEvgfWU1XP5yac29mFx
bandit1@bandit:~$

In a Linux/Unix shell a lone hyphen - is special: by convention it stands for standard input (stdin).

So when you run cat -, cat does not open the file named - in the current directory; it waits for keyboard input (until you press Ctrl+D to send EOF and end the input).

Solution

cat -- -          # -- ends option parsing, so the following - is a file name
cat ./-           # relative path
cat $(pwd)/-      # absolute path

263JGJPfgU6LtdEvgfWU1XP5yac29mFx

Bandit Level 2 → Level 3

Using the -- option terminator to read a specially named file

-- and spaces in the filename

bandit2@bandit:~$ ls -la
total 24
drwxr-xr-x 2 root root 4096 Aug 15 13:16 .
drwxr-xr-x 150 root root 4096 Aug 15 13:18 ..
-rw-r--r-- 1 root root 220 Mar 31 2024 .bash_logout
-rw-r--r-- 1 root root 3851 Aug 15 13:09 .bashrc
-rw-r--r-- 1 root root 807 Mar 31 2024 .profile
-rw-r----- 1 bandit3 bandit2 33 Aug 15 13:16 --spaces in this filename--
bandit2@bandit:~$ cat -- --spaces in this filename--
cat: --spaces: No such file or directory
cat: in: No such file or directory
cat: this: No such file or directory
cat: filename--: No such file or directory
bandit2@bandit:~$ cat "--spaces in this filename--"
cat: unrecognized option '--spaces in this filename--'
Try 'cat --help' for more information.
bandit2@bandit:~$ cat -- "--spaces in this filename--"
MNk8KNH3Usiio41PRUEoDFPqfxLPlSmx
bandit2@bandit:~$

On the Linux command line, an argument that begins with two hyphens -- is normally interpreted as a command-line option.
The double hyphen -- on its own is a special marker: "everything after this is an argument, not an option, even if it starts with -". Spaces, in turn, are handled by escaping them or by quoting (single or double quotes).

MNk8KNH3Usiio41PRUEoDFPqfxLPlSmx

Bandit Level 3 → Level 4

cat --

bandit3@bandit:~$ ls
inhere
bandit3@bandit:~$ ls -la
total 24
drwxr-xr-x 3 root root 4096 Aug 15 13:16 .
drwxr-xr-x 150 root root 4096 Aug 15 13:18 ..
-rw-r--r-- 1 root root 220 Mar 31 2024 .bash_logout
-rw-r--r-- 1 root root 3851 Aug 15 13:09 .bashrc
drwxr-xr-x 2 root root 4096 Aug 15 13:16 inhere
-rw-r--r-- 1 root root 807 Mar 31 2024 .profile
bandit3@bandit:~$ cd inhere/
bandit3@bandit:~/inhere$ ls -la
total 12
drwxr-xr-x 2 root root 4096 Aug 15 13:16 .
drwxr-xr-x 3 root root 4096 Aug 15 13:16 ..
-rw-r----- 1 bandit4 bandit3 33 Aug 15 13:16 ...Hiding-From-You
bandit3@bandit:~/inhere$ cat -- '...Hiding-From-You'
2WmrDFRmJIq3IPxneAaMGhap0pFhF3NJ

2WmrDFRmJIq3IPxneAaMGhap0pFhF3NJ

Bandit Level 4 → Level 5

bandit4@bandit:~/inhere$ ls
-file00 -file01 -file02 -file03 -file04 -file05 -file06 -file07 -file08 -file09
bandit4@bandit:~/inhere$ cat -- -file* | awk '{print}' END {print ""}
awk: fatal: cannot open file `END' for reading: No such file or directory
bandit4@bandit:~/inhere$ cat -- -file*
\�G�I�d�� �`"��g��� '�����␦�Y��:bl�A��t�1�ν%gM�������
��u.Tq␦`h���Ee�+�<��"!^"�Jߑߟ����>jŠ␦��C�f�w��f>�<?��>��@F��kYq~Jjs�o��;���6���d�H@�9��I�}�v,��C�����Cy>f�|7�`i�}
�ت�=ؑ�Hz����1�Uk�U���켼�U4oQYVPkxZOOEOO5pTW81FB8j8lxXGUQw
x����/vSژ�5f`}�3Y�ׯ��=9]�

The output is polluted by the binary data of some of the files, so look at them one at a time

bandit4@bandit:~/inhere$ ls
-file00 -file01 -file02 -file03 -file04 -file05 -file06 -file07 -file08 -file09
bandit4@bandit:~/inhere$ cat -- -file08
x����/vSژ�5f`}�3Y�ׯ��=9]bandit4@bandit:~/inhere$ cat -- -file09

�qf�`HԿB�K�����E��\G��Dbandit4@bandit:~/inhere$ cat -- -file07
4oQYVPkxZOOEOO5pTW81FB8j8lxXGUQw
bandit4@bandit:~/inhere$

4oQYVPkxZOOEOO5pTW81FB8j8lxXGUQw

Bandit Level 5 → Level 6

find with search conditions

bandit5@bandit:~/inhere$ find . -type f -size 1033c
./maybehere07/.file2
bandit5@bandit:~/inhere$ cat -- ./maybehere07/.file2
HWasnPhtq9AVKe0dmk45nxy20cvUa6EG

Searching by permission still needs to be learned

HWasnPhtq9AVKe0dmk45nxy20cvUa6EG

Bandit Level 6 → Level 7

find / -user -group -perm

bandit6@bandit:~$ find / -user bandit7 -group bandit6 -size 33c 2>/dev/null
/var/lib/dpkg/info/bandit7.password
bandit6@bandit:~$ cat /var/lib/dpkg/info/bandit7.password
morbNTDkSW6jIlUc0ymOdMaLnOlFVAaj
bandit6@bandit:~$

morbNTDkSW6jIlUc0ymOdMaLnOlFVAaj

Bandit Level 7 → Level 8

grep: searching text to locate a line

bandit7@bandit:~$ cat data.txt |  grep 'millionth'
millionth dfwvzFQi4mU0wfNbFOe9RoWskMLg7eEc

dfwvzFQi4mU0wfNbFOe9RoWskMLg7eEc

Bandit Level 8 → Level 9

sort [file] | uniq -u: finding the line that occurs only once

bandit8@bandit:~$ sort data.txt  | uniq -u
4CKMh1JI91bUIZZPXDqGanal4xvAg0JM

4CKMh1JI91bUIZZPXDqGanal4xvAg0JM

Bandit Level 9 → Level 10

strings: listing the printable strings inside a file

bandit9@bandit:~$ strings data.txt | grep "=="
========== the
========== password
Q========== is%
>u`9J========== FGUW5ilLVJrxX9kMYMmlN4MgbpfMiqey

FGUW5ilLVJrxX9kMYMmlN4MgbpfMiqey

Bandit Level 10 → Level 11

base64 -d decoding

base64 -d [filename]

bandit10@bandit:~$ base64 -d data.txt | strings
The password is dtR173fZKb0RRsDFSGsg2RWnpNVj3qRr

Bandit Level 11 → Level 12

tr character translation to decode rot13

cat data.txt | tr 'N-ZA-Mn-za-m' 'A-Za-z'

tr modifies text one character at a time

bandit11@bandit:~$ cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'
The password is 7x16WNeHIi5YkIhWsfFIqoognUTyj9Q4

Bandit Level 12 → Level 13

xxd: hex dump to binary, then repeated decompression

Unpack a file (data.txt) that has been compressed several times and then turned into a hex dump, and find the next level's password inside it.

xxd -r turns the data file (hex-dump format) back into the original compressed binary
-r reverse operation: convert (or patch) hexdump into binary

  • mktemp -d creates a unique, randomly named temporary directory
  • cp ~/data.txt "$work_dir/data" copies the dump into it
  • xxd -r restores the hex dump to the compressed binary
  • file -b data: file detects the real type of a file (even without an extension)
  • gzip -d: decompresses .gz files
  • bzip2 -d: decompresses .bz2 files
  • tar -xf: unpacks .tar files (it can also handle .tar.gz and .tar.bz2, but the steps above should already have taken care of those)

Unpacking layer by layer; the first time I did it by hand. …

bandit12@bandit:/tmp/tmp.FjJsfPyyRr$ cat data9.bin
The password is FO5dwFsc0cbaIiH0h8J2eUks2vdTDwAn

Follow-up improvement:
name each layer dataX.bin and decompress in a loop until data9.bin comes out
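The loop improvement described above, written out as an added example that is not the author's script: once xxd -r has produced the binary, the hypothetical function unwrap_all reads the first bytes of the current layer, picks gzip, bzip2 or tar from them, and stops at the first layer that is none of these. Type detection uses od and dd rather than file so that it depends on nothing beyond the usual base tools; the test data is a constructed tar inside two gzip layers.

```shell
# Added example (not the post's own script): unwrap a file that was compressed
# repeatedly, choosing each decompressor from the magic bytes of the layer.

# Print gzip, bzip2, tar or other for the file named in $1.
magic_type() {
    # first three bytes as hex: "1f8b08" for gzip, "425a68" ("BZh") for bzip2
    head=$(od -An -tx1 -N 3 "$1" | tr -d ' \n')
    case "$head" in
        1f8b*)  echo gzip ;;
        425a68) echo bzip2 ;;
        *)
            # ustar archives carry the string "ustar" at byte offset 257
            if [ "$(dd if="$1" bs=1 skip=257 count=5 2>/dev/null)" = "ustar" ]; then
                echo tar
            else
                echo other
            fi ;;
    esac
}

# $1: the file restored by `xxd -r`; $2: an existing scratch directory.
# Prints the path of the innermost file, i.e. the first layer that is no archive.
unwrap_all() {
    work=$2
    cp "$1" "$work/layer0"
    n=0
    while :; do
        cur="$work/layer$n"
        next=$((n + 1))
        case "$(magic_type "$cur")" in
            gzip)  gzip -dc "$cur" > "$work/layer$next" ;;
            bzip2) bzip2 -dc "$cur" > "$work/layer$next" ;;
            tar)   mkdir "$work/tar$next"
                   tar -xf "$cur" -C "$work/tar$next"
                   # the archives in this level hold a single member
                   mv "$(find "$work/tar$next" -type f | head -n 1)" "$work/layer$next" ;;
            *)     printf '%s\n' "$cur"; return 0 ;;
        esac
        n=$next
    done
}
```

Usage on the game server would be work=$(mktemp -d); xxd -r ~/data.txt "$work/data.bin"; cat "$(unwrap_all "$work/data.bin" "$work")". Checking magic bytes instead of trusting a file extension is what makes the loop safe to run blindly: a layer that claims to be .gz but is not simply ends the loop.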

Bandit Level 13 → Level 14

ssh login with a private key

For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost

Logging in to another account with the private key

bandit13@bandit:~$ cat sshkey.private
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----

chmod 400 id_rsa

ssh bandit14@bandit.labs.overthewire.org -p 2220 -i id_rsa

Logged in as bandit14

Bandit Level 14 → Level 15

nc: connecting to a port and sending data

The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost. Note: localhost is a hostname that refers to the machine you are working on.

As the previous level said, the current password is in /etc/bandit_pass/bandit14

bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
MU4VWeTyJk8ROof1qqmcBPaLh7lDCPvS

Send MU4VWeTyJk8ROof1qqmcBPaLh7lDCPvS to port 30000

bandit14@bandit:~$ echo "MU4VWeTyJk8ROof1qqmcBPaLh7lDCPvS" | nc localhost 30000
Correct!
8xCjnmgoKbGLhHFAZlGE5Tmu4M2tKJQo

Anatomy of the prompt

bandit14@bandit:~$

This is a standard Linux Bash prompt; its parts are:

  • bandit14: the user currently logged in

  • @: a separator between the user name and the host name.

  • bandit: the host name

  • :: another separator.

  • ~: you are in the current user's home directory (/home/bandit14).

  • $: you are logged in as a normal user (as root the prompt shows # instead).

Bandit Level 15 → Level 16

openssl: encrypted connection and data transfer

Send the password to local port 30001 over SSL/TLS encryption

This task requires an SSL/TLS-encrypted connection

openssl encrypted connection: solution

You need the openssl command instead of netcat to talk to this encrypted service.

  1. Basic command

    echo "[current password]" | openssl s_client -connect localhost:30001 -quiet

    Replace [current password] with the real password of the current level.

  2. Explanation

    • openssl s_client: the tool for opening an SSL/TLS client connection.

    • -connect localhost:30001: the host (localhost) and port (30001) to connect to.

    • -quiet: important; it suppresses the long certificate output so that the server's real reply (the next password) is easy to see.

bandit15@bandit:~$ echo "8xCjnmgoKbGLhHFAZlGE5Tmu4M2tKJQo" | openssl s_client -connect localhost:30001 -quiet
Can't use SSL_get_servername
depth=0 CN = SnakeOil
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN = SnakeOil
verify return:1
Correct!
kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx

Bandit Level 16 → Level 17

nmap: finding listening ports

  1. Scan ports 31000 to 32000: find which ports have a service listening.

  2. Detect SSL/TLS: tell the encrypted (SSL/TLS) ports from the plaintext ones.

  3. Find the right service: only one port returns the next level's credentials; the others just echo back what you send.

nmap -p 31000-32000 localhost

bandit16@bandit:~$ nmap -p 31000-32000 localhost
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-13 14:59 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE
31046/tcp open unknown
31518/tcp open unknown
31691/tcp open unknown
31790/tcp open unknown
31960/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds

Writing a bash loop

I did this by hand; my bash script had problems

To be improved

echo "kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx" | openssl s_client -connect localhost:31790 -quiet
bandit16@bandit:/tmp$ echo "kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx" | openssl s_client -connect localhost:31790 -quiet
Can't use SSL_get_servername
depth=0 CN = SnakeOil
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN = SnakeOil
verify return:1
Correct!
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
-----END RSA PRIVATE KEY-----
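The loop the author left for later, as an added example that is not the post's script: probe_ports sends the current password to each open port from the nmap output over TLS with openssl s_client -quiet, and classify_reply separates the ports that merely echo the input from the one that answers with something else. The function names and the 5-second timeout are assumptions; since -quiet also turns on -ign_eof, s_client does not exit when stdin ends, so the timeout is what frees the loop from an echo service that never closes. The test exercises only classify_reply, because the services exist only on the game server.

```shell
# Added example (not the post's own script): try each open port over TLS and
# separate the echo services from the one that answers with something else.

# $1: the line that was sent, $2: what the server replied.
classify_reply() {
    if [ -z "$2" ]; then
        echo "no-reply"          # no TLS on this port, or it closed silently
    elif [ "$2" = "$1" ]; then
        echo "echo"              # the server only repeated the input
    else
        echo "candidate"         # a different answer: look at it by hand
    fi
}

# $1: current password; remaining arguments: ports to try (e.g. from nmap).
probe_ports() {
    pw=$1
    shift
    for port in "$@"; do
        # -quiet drops the certificate chatter; the verify messages seen in the
        # session above go to stderr and are discarded here. The timeout ends
        # the connection when an echo server keeps it open.
        reply=$(printf '%s\n' "$pw" |
                timeout 5 openssl s_client -connect "localhost:$port" -quiet 2>/dev/null)
        verdict=$(classify_reply "$pw" "$reply")
        printf '%s: %s\n' "$port" "$verdict"
        if [ "$verdict" = candidate ]; then
            printf '%s\n' "$reply"
        fi
    done
}
```

Usage on the game server: probe_ports "$current_password" 31046 31518 31691 31790 31960, with the ports taken from the nmap scan above.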

Bandit Level 17 → Level 18

diff: comparing two files to find the changed line

There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new

NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19

bandit17@bandit:~$ diff passwords.old passwords.new
42c42
< gvE89l3AhAhg3Mi9G2990zGnn42c8v20
---
> x2gLTTjFwMOhQ8oWNbMN362QKxfRqGlO

x2gLTTjFwMOhQ8oWNbMN362QKxfRqGlO

Bandit Level 18 → Level 19

ssh: running a given command at login

As soon as you log in as bandit18 with ssh, a banner appears and the connection is closed

Byebye !
Connection to bandit.labs.overthewire.org closed.

Have ssh skip loading .bashrc by giving it a command to run directly

ssh bandit18@bandit.labs.overthewire.org -p 2220 "/bin/sh"
mv ~/.bashrc ~/.bashrc.bak
exit
┌──(kali㉿LAPTOP-NPKASGPU)-[/tmp/work]
└─$ ssh bandit18@bandit.labs.overthewire.org -p 2220 "/bin/sh"
_ _ _ _
| |__ __ _ _ __ __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|


This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames

backend: gibson-0
bandit18@bandit.labs.overthewire.org's password:
Permission denied, please try again.
bandit18@bandit.labs.overthewire.org's password:
x2gLTTjFwMOhQ8oWNbMN362QKxfRqGlO
/bin/sh: 1: x2gLTTjFwMOhQ8oWNbMN362QKxfRqGlO: Permission denied
ls
readme
cat readme
cGWpMaKXVwDUNgPAVJbWYuGHVn9zl3j8

cGWpMaKXVwDUNgPAVJbWYuGHVn9zl3j8

Bandit Level 19 → Level 20

bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO
bandit19@bandit:~$ ls -la /etc/bandit_pass/bandit20
-r-------- 1 bandit20 bandit20 33 Aug 15 13:15 /etc/bandit_pass/bandit20

Bandit Level 20 → Level 21

screen: running several processes at once

  • bandit20's home directory contains a setuid binary, suconnect

  • It connects to a local port, verifies the current password (bandit20) and then returns the next level's password (bandit21).

  • Two commands have to run at the same time:

    1. Listen on a port and send the password: echo "password" | nc -l -p PORT

    2. Run suconnect against that port: ./suconnect PORT

[[Tool manual]] screen

screen
ctrl 0
ctrl 1

bandit20@bandit:~$ echo '0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO' | nc -l -p 60000
EeoULMCra2q0dSkYj561DX7s1CpBuOBt
bandit20@bandit:~$ ./suconnect 60000
Read: 0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO
Password matches, sending next password

Bandit Level 21 → Level 22

Inspecting scheduled jobs in /etc/cron.d

bandit21@bandit:~$ cat /etc/cron.d/cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
bandit21@bandit:~$ ls -la /usr/bin/cronjob_bandit22.sh
-rwxr-x--- 1 bandit22 bandit21 130 Aug 15 13:16 /usr/bin/cronjob_bandit22.sh
bandit21@bandit:~$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
bandit21@bandit:~$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
tRae0UfB9v0UzbCdn9cY0gQnds9GF58Q

tRae0UfB9v0UzbCdn9cY0gQnds9GF58Q

Bandit Level 22 → Level 23

bandit22@bandit:~$ ls /etc/cron.d
behemoth4_cleanup clean_tmp cronjob_bandit22 cronjob_bandit23 cronjob_bandit24 e2scrub_all leviathan5_cleanup manpage3_resetpw_job otw-tmp-dir sysstat
bandit22@bandit:~$ ls /etc/cron.d/cronjob_bandit23
/etc/cron.d/cronjob_bandit23
bandit22@bandit:~$ ls -la /etc/cron.d/cronjob_bandit23
-rw-r--r-- 1 root root 122 Aug 15 13:16 /etc/cron.d/cronjob_bandit23
bandit22@bandit:~$ cat /etc/cron.d/cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
bandit22@bandit:~$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget
bandit22@bandit:~$ ls- la cat /etc/bandit_pass/bandit23
Command 'ls-' not found, did you mean:
command 'lsd' from snap lsd (0.16.0)
command 'lsc' from deb livescript (1.6.1+dfsg-3)
command 'lsm' from deb lsm (1.0.4-2)
command 'lsh' from deb lsh-client (2.1-14)
command 'lsd' from deb lsd (0.23.1-8)
command 'lsw' from deb suckless-tools (47-1)
command 'ls' from deb coreutils (9.4-2ubuntu2)
See 'snap info <snapname>' for additional versions.
bandit22@bandit:~$ ls -la cat /etc/bandit_pass/bandit23
ls: cannot access 'cat': No such file or directory
-r-------- 1 bandit23 bandit23 33 Aug 15 13:15 /etc/bandit_pass/bandit23
bandit22@bandit:~$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349
bandit22@bandit:~$ ^C
bandit22@bandit:~$ cat /etc/bandit_pass/8ca319486bfbbc3663ea0fbe81326349
cat: /etc/bandit_pass/8ca319486bfbbc3663ea0fbe81326349: No such file or directory
bandit22@bandit:~$ ls /etc/bandit_pass/
bandit0 bandit10 bandit12 bandit14 bandit16 bandit18 bandit2 bandit21 bandit23 bandit25 bandit27 bandit29 bandit30 bandit32 bandit4 bandit6 bandit8
bandit1 bandit11 bandit13 bandit15 bandit17 bandit19 bandit20 bandit22 bandit24 bandit26 bandit28 bandit3 bandit31 bandit33 bandit5 bandit7 bandit9
bandit22@bandit:~$ ls /tmp
ls: cannot open directory '/tmp': Permission denied
bandit22@bandit:~$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
0Zf11ioIjMVN551jX3CmStKLYqjk54Ga
bandit22@bandit:~$

Command explanation

bandit22@bandit:~$ echo "I am user bandit23" | md5sum
8ca319486bfbbc3663ea0fbe81326349 -
cut -d ' ' -f 1

Split on spaces and take the first field

0Zf11ioIjMVN551jX3CmStKLYqjk54Ga

Bandit Level 23 → Level 24

Reading the shell script, and privilege escalation through a scheduled job

bandit23@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname/foo
echo "Executing and deleting all scripts in /var/spool/$myname/foo:"
for i in * .*;
do
if [ "$i" != "." -a "$i" != ".." ];
then
echo "Handling $i"
owner="$(stat --format "%U" ./$i)"
if [ "${owner}" = "bandit23" ]; then
timeout -s 9 60 ./$i
fi
rm -f ./$i
fi
done

In that directory, every file whose owner is bandit23 gets executed

  1. Create a script (e.g. get_pass.sh) whose owner is bandit23

  2. Script content: read /etc/bandit_pass/bandit24 and save it under /tmp

  3. Put it in /var/spool/bandit24/foo/ and wait for cron to run it.

#!/bin/bash
# save as /var/spool/bandit24/foo/get_pass.sh (a comment after the shebang is
# passed to bash as an argument, so it has to be on its own line)
cat /etc/bandit_pass/bandit24 > /tmp/bandit24_pass

chmod +x /var/spool/bandit24/foo/get_pass.sh
chown bandit23:bandit23 /var/spool/bandit24/foo/get_pass.sh

cat /tmp/bandit24_pass
bandit23@bandit:~$ vim /var/spool/bandit24/foo/get_pass.sh
bandit23@bandit:~$ cat /tmp/bandit24_pass
gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8
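Levels 21 to 23 all start from reading /etc/cron.d and checking who owns, and who can write, the script each job runs. The hypothetical helper below, added here and not taken from the post, turns that manual check into an audit: it parses every file in a cron.d-style directory, takes the user and the script path of each job, and reports scripts that group or world can modify, which is the condition that lets another user decide what the job executes. The directory, user names and scripts in the test are constructed.

```shell
# Added example (not from the post): find cron.d jobs whose script can be
# modified by users other than its owner.

# $1: a directory in /etc/cron.d format. Prints "file user script mode" for
# every job whose script is group- or world-writable.
audit_cron_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        # cron.d lines: "m h dom mon dow user command" or "@reboot user command"
        awk '
            /^[[:space:]]*#/           { next }              # comment line
            NF == 0                    { next }              # blank line
            /^[A-Za-z_][A-Za-z0-9_]*=/ { next }              # VAR=value line
            $1 ~ /^@/                  { print $2, $3; next } # @reboot user cmd
            NF >= 7                    { print $6, $7 }      # schedule user cmd
        ' "$f" | while read -r user script; do
            case "$script" in /*) ;; *) continue ;; esac    # absolute paths only
            [ -e "$script" ] || continue
            mode=$(stat -c '%a' "$script") || continue
            # 022 = group-write | other-write; the leading 0 makes the value octal
            if [ $(( 0$mode & 022 )) -ne 0 ]; then
                printf '%s %s %s %s\n' "$(basename "$f")" "$user" "$script" "$mode"
            fi
        done
    done
}
```

Run as audit_cron_dir /etc/cron.d; a job like cronjob_bandit22 above, whose script is 750 and owned by the job's user, produces no line, while a script that anyone can edit is listed with its mode. The check looks only at the first word of the command, so jobs that run an interpreter on a script (sh /path/script) need the path to be inspected separately.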

Bandit Level 24 → Level 25

Writing a shell loop to send data line by line

bandit24@bandit:~$ echo 'gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8' | nc 127.0.0.1 30002
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
Wrong! Please enter the correct current password and pincode. Try again.
gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8
^C
bandit24@bandit:~$ echo 'gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8 1234' | nc 127.0.0.1 30002
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
Wrong! Please enter the correct current password and pincode. Try again.
^C

The pincode has to be brute-forced

It is a 4-digit pincode, so trying 0000 - 9999 is enough

bandit24@bandit:~$ for pin in {0000..9999}; do echo "gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8 $pin"; done | nc localhost 30002 | grep -v "Wrong"
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
Correct!
The password of user bandit25 is iCi86ttT4KSNe1armKiwbQNmB3YJP3q4

Verified: the for loop generates the candidates and sends them one per line

Wrong! Please enter the correct current password and pincode. Try again.
Wrong! Please enter the correct current password and pincode. Try again.
Wrong! Please enter the correct current password and pincode. Try again.
Wrong! Please enter the correct current password and pincode. Try again.
Wrong! Please enter the correct current password and pincode. Try again.
Wrong! Please enter the correct current password and pincode. Try again.
Wrong! Please enter the correct current password and pincode. Try again.
Wrong! Please enter the correct current password and pincode. Try again.
Wrong! Please enter the correct current password and pincode. Try again.
Correct!
The password of user bandit25 is iCi86ttT4KSNe1armKiwbQNmB3YJP3q4

iCi86ttT4KSNe1armKiwbQNmB3YJP3q4

Bandit Level 25 → Level 26

Using more to break out of the restricted login shell

  1. Simply make the terminal window small
  2. Emulate a terminal
  3. Cut the output with a pipe, for example | cat

Use script to emulate a small terminal

script -q /dev/null
stty rows 5

Press v to enter vi

:set shell=/bin/bash
:shell          " drops you into a shell

bandit26@bandit:~$ cat /etc/bandit_pass/bandit26
s0773xxkk0MXfdqOfPRVr9L3jJBUOgCZ

Bandit Level 26 → Level 27

Another suid binary

bandit26@bandit:~$ ./bandit27-do cat /etc/bandit_pass/bandit27
upsNCc7vzaRDx6oZC6GiR6ERwe1MowGB

Bandit Level 27 → Level 28

git clone with a password

There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo via the port 2220. The password for the user bandit27-git is the same as for the user bandit27.

Clone the repository and find the password for the next level.

git clone ssh://bandit27-git@localhost:2220/home/bandit27-git/repo

Note: clone inside a directory you created under /tmp, and the port 2220 is set in the URL

bandit27@bandit:/tmp/b27$ cat README 
The password to the next level is: Yz9IpL0sBcCeuG7m9uQFt8ZNpS4HZRcN

Just read the hint in README

Bandit Level 28 → Level 29

git log: viewing the change history

Following the previous level's steps gives the hint

bandit28@bandit:/tmp/fuckyou/repo$ cat README.md 
# Bandit Notes
Some notes for level29 of bandit.

## credentials

- username: bandit29
- password: xxxxxxxxxx

Now git is used to trace the password back through the history

Command                 Purpose
git clone <repo>        clone a remote repository
git log                 show the commit history
git log -p              show the commit history together with the changes
git show <commit>       show the changes of one commit
git checkout <commit>   go back to a given commit

git log -p shows it directly

+++ b/README.md
@@ -4,5 +4,5 @@ Some notes for level29 of bandit.
## credentials

- username: bandit29
-- password: 4pT1t5DENaYuqnqvadYs1oE4QLCdjmJ7
+- password: xxxxxxxxxx
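Review bot: replacing the password line with a placeholder in this hunk does not remove the value from the repository; the removed line 4pT1t5DENaYuqnqvadYs1oE4QLCdjmJ7 stays in the earlier commit and is exactly what git log -p prints, so the credential has to be treated as leaked and rotated, and a history rewrite would only be a complement to that rotation, not a substitute for it.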

4pT1t5DENaYuqnqvadYs1oE4QLCdjmJ7

Bandit Level 29 → Level 30

git branch: switching branches

Same as above

bandit29@bandit:/tmp/work1/repo$ cat README.md 
# Bandit Notes
Some notes for bandit30 of bandit.

## credentials

- username: bandit30
- password: <no passwords in production!>

"No passwords in production" suggests the password may sit on another branch

bandit29@bandit:/tmp/work1/repo$ git branch
* (HEAD detached at origin/dev)
master
bandit29@bandit:/tmp/work1/repo$ git log -p
commit d9fa2d0412351c7fa4302313c61f965dbe3b78fc (HEAD, origin/dev)
Author: Morla Porla <morla@overthewire.org>
Date: Fri Aug 15 13:16:12 2025 +0000

add data needed for development

diff --git a/README.md b/README.md
index 1af21d3..bc6ad3d 100644
--- a/README.md
+++ b/README.md
@@ -4,5 +4,5 @@ Some notes for bandit30 of bandit.
## credentials

- username: bandit30
-- password: <no passwords in production!>
+- password: qp30ex3VLz5MDG1n91YowTv4Q8l7CDZL
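Review bot: this hunk commits a working credential into README.md on the dev branch; a value like that belongs in a secret store or an untracked local config, because every branch, clone and reflog that contains this commit exposes it, and git branch -a followed by git log -p is all it takes to find it. Suggest dropping the line and documenting where the value is obtained instead.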

qp30ex3VLz5MDG1n91YowTv4Q8l7CDZL

git branch                 show the current branch
git branch -a              show all branches
git checkout <branchname>  switch to the chosen branch

Bandit Level 30 → Level 31

git tag: finding information hidden in a tag

The README contains nothing useful; it just says Nothing

bandit30@bandit:/tmp/bbb/repo$ git tag                                            
secret
bandit30@bandit:/tmp/bbb/repo$ git show secret
fb5S2xb7bRyFmAvQYQGEqsbhVyJqhnDy

A Git tag marks a specific commit; it is usually used to label an important point such as a release version.

git tag -a <tag-name> -m "tag message"   create an annotated tag
git tag                                   list tags
git show <tag-name>                       show the details of a tag
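Levels 28 to 30 recover values from commit diffs, from other branches and from tags. Those are the same three places a defender looks when checking whether a credential ever entered a repository, and the hypothetical function below, added here and not part of the post, searches all of them in one go: git log -p --all for lines added or removed on any branch, plus the messages of annotated tags, which git log does not print. The repository in the test is constructed on the spot with placeholder secrets.

```shell
# Added example (not the post's own commands): search every branch, commit and
# tag of a repository for lines that match a pattern, e.g. a credential format.

# $1: repository path; $2: extended regular expression to look for.
scan_history_for_secrets() {
    repo=$1
    pat=$2
    # 1) Added or removed lines in any commit reachable from any ref:
    #    --all covers every branch and tag, -p prints the diffs. The second
    #    grep drops the "+++ b/file" / "--- a/file" header lines, and sed
    #    strips the leading +/- so the original line is printed.
    git -C "$repo" log --all -p --format='commit %H' |
        grep -E "^[-+].*($pat)" |
        grep -Ev '^(\+\+\+|---) ' |
        sed 's/^[-+]//'
    # 2) Annotated tag messages are separate objects that git log never shows
    #    (the level 30 "secret" tag is found only this way).
    git -C "$repo" for-each-ref --format='%(contents)' refs/tags |
        grep -E "$pat" || true
}
```

Running scan_history_for_secrets . 'password: [A-Za-z0-9]{32}' inside a cloned Bandit repository prints the lines the three levels above found by hand; on a real project the same call, run before a repository is published, is the check that a scrubbed password is still sitting in an old commit.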

Bandit Level 31 → Level 32

git: un-ignoring a file and pushing it

bandit31@bandit:/tmp/sb/repo$ cat README.md 
This time your task is to push a file to the remote repository.

Details:
File name: key.txt
Content: 'May I come in?'
Branch: master

bandit31@bandit:/tmp/sb/repo$ echo 'May I come in?' > key.txt
bandit31@bandit:/tmp/sb/repo$ git add key.txt
The following paths are ignored by one of your .gitignore files:
key.txt
hint: Use -f if you really want to add them.
hint: Turn this message off by running
hint: "git config advice.addIgnoredFile false"
bandit31@bandit:/tmp/sb/repo$ ls -la
total 24
drwxrwxr-x 3 bandit31 bandit31 4096 Sep 17 04:46 .
drwxrwxr-x 3 bandit31 bandit31 4096 Sep 17 04:44 ..
drwxrwxr-x 8 bandit31 bandit31 4096 Sep 17 04:46 .git
-rw-rw-r-- 1 bandit31 bandit31 6 Sep 17 04:44 .gitignore
-rw-rw-r-- 1 bandit31 bandit31 15 Sep 17 04:46 key.txt
-rw-rw-r-- 1 bandit31 bandit31 147 Sep 17 04:44 README.md
bandit31@bandit:/tmp/sb/repo$ cat .git
.git/ .gitignore
bandit31@bandit:/tmp/sb/repo$ cat .gitignore
*.txt
bandit31@bandit:/tmp/sb/repo$ git add -f key.txt
bandit31@bandit:/tmp/sb/repo$ git commit -m "Adding key.txt as requested"
[master c34be1f] Adding key.txt as requested
1 file changed, 1 insertion(+)
create mode 100644 key.txt
bandit31@bandit:/tmp/sb/repo$ git push
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can't be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/home/bandit31/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/home/bandit31/.ssh/known_hosts).
_ _ _ _
| |__ __ _ _ __ __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|


This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames

backend: gibson-1
bandit31-git@localhost's password:
Enumerating objects: 4, done.
Counting objects: 100% (4/4), done.
Delta compression using up to 2 threads
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 338 bytes | 338.00 KiB/s, done.
Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
remote: ### Attempting to validate files... ####
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
remote: Well done! Here is the password for the next level:
remote: 3O9RfhqyAlVBEZpVb6LYStshZoqoSx5K
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
To ssh://localhost:2220/home/bandit31-git/repo
! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'ssh://localhost:2220/home/bandit31-git/repo'

3O9RfhqyAlVBEZpVb6LYStshZoqoSx5K

git add -f <file>            force-add a file to the staging area
git commit -m "Adding"       commit the staged file to the local repository
git push origin master       push to the named remote repository
  1. origin

    • The default name (alias) of the remote repository; it points at the server address that was originally cloned (git clone).

    • git remote -v shows the actual remote URL (in the Bandit 31 challenge the remote is the Bandit challenge server).

  2. master

    • The branch to push (this level explicitly asks for the master branch).

    • master is the main branch in Git's default configuration (modern Git may use main as the default branch name).

Bandit Level 32 → Level 33

$0 escape from the uppercase shell

After connecting you get a shell that converts everything you type to upper case, which makes it much less usable.

WELCOME TO THE UPPERCASE SHELL
>> ls
sh: 1: LS: Permission denied
>> id
sh: 1: ID: Permission denied
>> 1
sh: 1: 1: Permission denied
>> $0
$ ls

Use $0 directly to spawn a new shell.
In a normal terminal, echo $0 usually prints /bin/bash or /bin/sh,
so running $0 amounts to running the shell itself (/bin/bash) directly.

$ cat /etc/bandit_pass/bandit33
tQdtbs5D5i2vJwkO8mEyYEyTL8izoeJ0

Bandit Level 33 → Level 34: the final level

bandit33@bandit:~$ ls
README.txt
bandit33@bandit:~$ cat README.txt
Congratulations on solving the last level of this game!

At this moment, there are no more levels to play in this game. However, we are constantly working
on new levels and will most likely expand this game with more levels soon.
Keep an eye out for an announcement on our usual communication channels!
In the meantime, you could play some of our other wargames.

If you have an idea for an awesome new level, please let us know!

That's a wrap; keep an eye on the announcements.