
OverTheWire: Bandit Walkthrough Guide

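OverTheWire's wargames are very good games for beginners who want to learn attack and defense techniques: practicing them teaches you how to use the basic tools and how to approach problems. This article goes through some techniques for clearing Bandit, the entry-level wargame, to help people who are just starting out organize their thinking. The methods here are not the only or the best ones and are for reference only.

The OverTheWire site: OverTheWire: Wargames https://overthewire.org/wargames/

Click Bandit on the left to enter the Bandit wargame. I use macOS, with iTerm2 as the terminal and oh-my-zsh as the shell.

While learning, besides searching the web for individual commands, you can also consult the reference book "The Linux Command Line Second Edition". Download link: https://pan.baidu.com/s/13iWiNLR0gkB-kwfydzeyAw extraction code: jsf5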


Bandit Level 0

Level Goal

The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org, on port 2220. The username is bandit0 and the password is bandit0. Once logged in, go to the level 1 page to find out how to beat Level 1.

Commands you may need to solve this level

ssh

The first level is very simple: use ssh on port 2220 to log in to bandit.labs.overthewire.org, with bandit0 as both the username and the password. Open a terminal and log in:

ssh -p 2220 bandit0@bandit.labs.overthewire.org

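After logging in, use ls to list the directory and find readme, then read it with cat to get the password boJ9jbbUNNfktd78OOpsqOltutMc3MY1. Every later level is logged in to the same way, with ssh and that level's account bandit[xx] (xx is the level number; a few special levels are exceptions).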


Bandit Level 1 → Level 2

Level Goal

The password for the next level is stored in a file called - located in the home directory

Commands you may need to solve this level

ls, cd, cat, file, du, find

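This level is also simple and mainly tests reading a file. Note, however, that the name '-' has a special meaning on the command line (cat treats a bare - as standard input), so the file must be accessed through a relative path: cat ./- gives the password CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9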


Bandit Level 2 → Level 3

Level Goal

The password for the next level is stored in a file called spaces in this filename located in the home directory

Commands you may need to solve this level

ls, cd, cat, file, du, find

This level tests basic cat usage on a file name that contains spaces: escape each space with the escape character. cat then gives the password UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK


Bandit Level 3 → Level 4

Level Goal

The password for the next level is stored in a hidden file in the inhere directory.

Commands you may need to solve this level

ls, cd, cat, file, du, find

This level tests accessing a hidden file: first cd into the directory, then list all files with ls -al, then read the file with cat to get the password pIwrPrtPN36QITSp3EQaw936yaFoFgAB


Bandit Level 4 → Level 5

Level Goal

The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.

Commands you may need to solve this level

ls, cd, cat, file, du, find

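After entering the inhere directory you see many files, one of which holds the password. Checking the files with the file command shows that only one of them is ASCII text; read it with cat to find the password koReBOKuIDDepwhWk7jZC0RTdopnAYKh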


Bandit Level 5 → Level 6

Level Goal

The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:

human-readable
1033 bytes in size
not executable

Commands you may need to solve this level

ls, cd, cat, file, du, find

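After entering the Bandit5 directory you find many files in it. Following the hint, look for the file that is 1033 bytes in size with the following command: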

find . -type f -size 1033c

This finds the file ./maybehere07/.file2, which contains the password DXjZPULLxYr17uwoI01bNLQbtFemEgo7

For details on using find, see: Linux find command | Runoob (菜鸟教程)


Bandit Level 6 → Level 7

Level Goal

The password for the next level is stored somewhere on the server and has all of the following properties:

owned by user bandit7
owned by group bandit6
33 bytes in size

Commands you may need to solve this level

ls, cd, cat, file, du, find, grep

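First look at the requirements: the password file for bandit7 has three properties. It is owned by user bandit7, owned by group bandit6, and 33 bytes in size. We do not know where the file is. This level again tests the find tool, and all three properties can be passed to find as options, as follows: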

find / -user bandit7 -group bandit6 -size 33c

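Because we do not know where the file is, we search straight from the root directory and eventually find the file that meets these conditions.

Read the file with cat to find the password HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs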


Bandit Level 7 → Level 8

Level Goal
The password for the next level is stored in the file data.txt next to the word millionth

Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

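The password for this level sits next to the word millionth. The grep command matches text in a file and is very powerful; for the full manual see grep(1) - Linux manual page.

In short, you put the string to match directly after grep. Searching for the word millionth with grep is very simple.

This finds the password cvX2JJa4CFALtqS87jk27qwqGhBM9plV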


Bandit Level 8 → Level 9 

Level Goal
The password for the next level is stored in the file data.txt and is the only line of text that occurs only once

Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

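According to the goal, the password is in data.txt and occurs only once, so the uniq command will find it. uniq has to be used together with sort, because uniq decides whether a line is repeated by comparing adjacent lines; so sort first, then uniq.

Usage of the uniq command:

uniq [-cdu][-f<fields>][-s<chars>][-w<chars>][--help][--version][input file][output file]

Options:

-c or --count: show next to each line the number of times it occurs.
-d or --repeated: show only the lines that are repeated.
-f<fields> or --skip-fields=<fields>: ignore the given fields when comparing.
-s<chars> or --skip-chars=<chars>: ignore the given characters when comparing.
-u or --unique: show only the lines that occur once.
-w<chars> or --check-chars=<chars>: the characters to compare.
--help: show help.
--version: show version information.
[input file]: the already sorted text file to read; if omitted, data is read from standard input.
[output file]: the file to write to; if omitted, the result goes to standard output (the terminal).

uniq -u then finds the password UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR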
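
The reason for sorting first, as an added example that is not part of the original article: on unsorted input uniq -u reports every line, while sort | uniq -u returns only the real singleton. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed for illustration.

# Constructed sample: "beta" is the only line that occurs once, and no two
# equal lines are adjacent.
sample_lines() {
    printf '%s\n' alpha gamma alpha beta gamma alpha
}

# uniq alone compares each line only with its neighbour, so on unsorted
# input nothing looks repeated and every line is reported as unique.
naive_once() { uniq -u; }

# Sorting first puts equal lines next to each other; now -u is reliable.
only_once() { sort | uniq -u; }

# Same answer in one pass without sorting: count every line, print count 1.
only_once_awk() {
    awk '{ n[$0]++ } END { for (l in n) if (n[l] == 1) print l }'
}

echo "uniq -u alone reports $(sample_lines | naive_once | wc -l | tr -d ' ') lines"
echo "sort | uniq -u reports: $(sample_lines | only_once)"
```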


Bandit Level 9 → Level 10

Level Goal
The password for the next level is stored in the file data.txt in one of the few human-readable strings, preceded by several ‘=’ characters.

Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

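In this level the password comes after several '=' characters. Looking at the file with cat first produces a lot of output, much of it not human-readable, so filter it with strings. The strings command finds printable strings in object files or binary files. A string is any sequence of 4 or more printable characters ending in a newline or a null character. strings is useful for identifying arbitrary object files.

Usage of the strings command:

strings [ -a ] [ - ] [ -o ] [ -t Format ] [ -n Number ] [ -Number ]  [file ... ]

-a --all: scan the whole file instead of only the initialized and loaded sections of an object file
-f --print-file-name: print the file name before each string
-n --bytes=[number]: find and print all NUL-terminated sequences
-Number: set the minimum number of characters to display; the default is 4
-t --radix={o,d,x}: print the position of each string, in octal, decimal or hexadecimal
-o: like --radix=o
-T --target=: specify the binary file format
-e --encoding={s,S,b,l,B,L}: select the character size and byte order: s = 7-bit, S = 8-bit, {b,l} = 16-bit, {B,L} = 32-bit
@file: read options from file

We use the following command:

strings ./data.txt

and find the password truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk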


Bandit Level 10 → Level 11

Level Goal
The password for the next level is stored in the file data.txt, which contains base64 encoded data

Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

This level is very simple: decode data.txt with base64 to get the password IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR


Bandit Level 11 → Level 12

Level Goal
The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions

Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd

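This level is about the classic ROT13 cipher. Cryptography is a very important area; those interested can search for ROT13 to find an introduction to it and more cryptography background. The Krypton wargame has many cryptography levels that can be used to learn the related techniques.

In this level we use tr to decrypt the ROT13 text.

This gives the password 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu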


Bandit Level 12 → Level 13

Level Goal
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)

Commands you may need to solve this level
grep, sort, uniq, strings, base64, tr, tar, gzip, bzip2, xxd, mkdir, cp, mv, file

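First look at this level's file, which is data.txt again. Viewing it with cat shows a hexadecimal dump, and the hint says it has been repeatedly compressed. Following the hint, we create a temporary directory under /tmp (because of permissions, /tmp is the only place where we can create a directory) and copy the file there. Note: do not give the copy a file extension.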

bandit12@bandit:~$ mkdir /tmp/bandit12
bandit12@bandit:~$ cp ./data.txt /tmp/bandit12/data
bandit12@bandit:~$ cd /tmp/bandit12/

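Next we use xxd to turn the hex dump back into binary, then use the file command to check the file format. It turns out to be a gzip archive, so we decompress it with gzip and keep decompressing layer after layer. The process is as follows: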

bandit12@bandit:/tmp/bandit12$ file data
data: ASCII text
bandit12@bandit:/tmp/bandit12$ xxd -r ./data ./data.out
bandit12@bandit:/tmp/bandit12$ file data.out
data.out: gzip compressed data, was "data2.bin", last modified: Thu May  7 18:14:30 2020, max compression, from Unix
bandit12@bandit:/tmp/bandit12$ mv data.out ./data.gz
bandit12@bandit:/tmp/bandit12$ gzip -d ./data.gz ./data.out
bandit12@bandit:/tmp/bandit12$ file data.out
data.out: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/bandit12$ mv ./data.out ./data.bz2
bandit12@bandit:/tmp/bandit12$ bunzip2 -d ./data.bz2 ./data.out
bandit12@bandit:/tmp/bandit12$ file data.out
data.out: gzip compressed data, was "data4.bin", last modified: Thu May  7 18:14:30 2020, max compression, from Unix
bandit12@bandit:/tmp/bandit12$ mv ./data.out ./data.gz
bandit12@bandit:/tmp/bandit12$ gzip -d data.gz
bandit12@bandit:/tmp/bandit12$ ls
data4.bin
bandit12@bandit:/tmp/bandit12$ file data4.bin
data4.bin: POSIX tar archive (GNU)
bandit12@bandit:/tmp/bandit12$ mv data4.bin data.tar
bandit12@bandit:/tmp/bandit12$ tar xvf data.tar
data5.bin
bandit12@bandit:/tmp/bandit12$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@bandit:/tmp/bandit12$ mv data5.bin data.tar
bandit12@bandit:/tmp/bandit12$ tar xvf data.tar
data6.bin
bandit12@bandit:/tmp/bandit12$ mv data6.bin data.tar
bandit12@bandit:/tmp/bandit12$ tar xvf data.tar
data8.bin
bandit12@bandit:/tmp/bandit12$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", last modified: Thu May  7 18:14:30 2020, max compression, from Unix
bandit12@bandit:/tmp/bandit12$ gzip -d data.gz
bandit12@bandit:/tmp/bandit12$ ls
data  data.tar
bandit12@bandit:/tmp/bandit12$ file data
data: ASCII text
bandit12@bandit:/tmp/bandit12$ cat data
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

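This gives the password 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

In the intermediate steps, whenever file reports gzip compressed data, was "xxx.bin", there is also a shortcut for getting at the archive contents without the gzip decompression command: zcat. Those interested can try it; for an introduction see: zcat command - Linux Command Reference | Linux tutorial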
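
The manual session above, generalized into a loop, as an added example that is not part of the original article: each layer is identified by its magic bytes (instead of reading the output of file) and unpacked until plain data remains. The function names are hypothetical, the nested sample archive is constructed, and od, dd, gzip, bzip2 and tar are assumed to be installed.

```shell
#!/bin/sh
# Added example: peel nested gzip/bzip2/tar layers by magic bytes.
# Function names are hypothetical; the sample archive is constructed here.

# layer_type FILE -> gzip | bzip2 | tar | data
layer_type() {
    magic=$(od -An -tx1 -N3 "$1" | tr -d ' \n')
    case "$magic" in
        1f8b*)  echo gzip; return ;;
        425a68) echo bzip2; return ;;
    esac
    # tar has no leading magic; "ustar" sits at byte offset 257 of the header
    if [ "$(dd if="$1" bs=1 skip=257 count=5 2>/dev/null)" = ustar ]; then
        echo tar
    else
        echo data
    fi
}

# peel FILE -> innermost payload on stdout; all work happens in a private dir
peel() {
    work=$(mktemp -d) || return 1          # unpredictable 0700 dir, unlike /tmp/<name>
    cp "$1" "$work/cur" || return 1
    depth=0
    while [ "$depth" -lt 20 ]; do          # hard cap so a crafted file cannot loop forever
        case "$(layer_type "$work/cur")" in
            gzip)  gzip -dc "$work/cur" > "$work/next" ;;
            bzip2) bzip2 -dc "$work/cur" > "$work/next" ;;
            tar)   tar -xOf "$work/cur" > "$work/next" ;;  # -O: members go to stdout, not to archive-chosen paths
            *)     cat "$work/cur"; rm -rf "$work"; return 0 ;;
        esac || break
        mv "$work/next" "$work/cur"
        depth=$((depth + 1))
    done
    rm -rf "$work"
    return 1
}

# make_sample -> path of a constructed gzip(tar(gzip(text))) file
make_sample() {
    d=$(mktemp -d) || return 1
    printf 'The password is CONSTRUCTED-SAMPLE\n' | gzip -c > "$d/data8.bin"
    (cd "$d" && tar -cf data6.bin data8.bin)
    gzip -c "$d/data6.bin" > "$d/data.gz"
    echo "$d/data.gz"
}

# On the real level the input is a hexdump, so first: xxd -r data.txt > data.bin
peel "$(make_sample)"
```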


Bandit Level 13 → Level 14

Level Goal
The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on

Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap

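From this level on the tools change: we need to get to know the network tools ssh, telnet, nc, openssl and nmap. This level asks us to log in to bandit14 with ssh. Looking through the files for clues, the bandit13 directory contains an SSH private key for bandit14, so we log in to bandit14 directly with ssh and the private key.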

bandit13@bandit:~$ ssh -i ./sshkey.private bandit14@localhost

Login succeeds. Look for bandit14's password in /etc/bandit_pass; it is 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e


Bandit Level 14 → Level 15

Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap

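In this level we send the level 14 password to port 30000, and the nc command is all it takes. nc is small in code size but powerful, and anyone who wants to get good at attack and defense techniques should learn it. Sending bandit14's password with nc returns the password BfMYroe26WYalil77FoDi9qh59eK5xNr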

bandit14@bandit:~$ nc localhost 30000
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr

Some people solve this level with telnet, which also works, using the following command:

telnet -l bandit15 localhost 30000

Bandit Level 15 → Level 16

Level Goal
The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

Helpful note: Getting “HEARTBEATING” and “Read R BLOCK”? Use -ign_eof and read the “CONNECTED COMMANDS” section in the manpage. Next to ‘R’ and ‘Q’, the ‘B’ command also works in this version of that command…

Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap

Here, connecting to port 30001 with openssl and sending the current level's password returns the password for 16, cluFn7wTiGryunymYOu4RcffSxQluehd, which is very simple.

bandit15@bandit:~$ openssl s_client -connect localhost:30001 -ign_eof
(server information omitted)
---
BfMYroe26WYalil77FoDi9qh59eK5xNr
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd

The hint says to use -ign_eof, but adding it or not made no difference to the result.


Bandit Level 16 → Level 17

Level Goal
The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

Commands you may need to solve this level
ssh, telnet, nc, openssl, s_client, nmap

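The goal asks us to first scan ports 31000 to 32000 and find the SSL ports. nmap can do the scan; it is a very handy port scanner, and several options work for this, such as -A or -sV. Players can try different scan options themselves.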

bandit16@bandit:~$ nmap -sV localhost -p 31000-32000

Starting Nmap 7.40 ( https://nmap.org ) at 2022-01-17 15:36 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00031s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE     VERSION
31046/tcp open  echo
31518/tcp open  ssl/echo
31691/tcp open  echo
31790/tcp open  ssl/unknown
31960/tcp open  echo
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 89.48 seconds

We try connecting to port 31790, and it returns an SSH private key.

bandit16@bandit:~$ openssl s_client -connect localhost:31790 -ign_eof
(server information omitted)
---
cluFn7wTiGryunymYOu4RcffSxQluehd
Correct!
-----BEGIN RSA PRIVATE KEY-----
(key body omitted)
-----END RSA PRIVATE KEY-----

closed

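Log in to bandit17 with the private key: create a new directory under /tmp and write the private key to a file there. Be sure to change the file's permissions with chmod 600, otherwise ssh -i cannot be used to log in.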
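
The key-handling step above, as an added example that is not part of the original article: the key is written so that it is owner-only from the moment it is created, and the mode is then checked for the group and other bits that make ssh -i refuse a key. The helper names save_private_key and key_mode_ok are hypothetical and the key content is a constructed placeholder.

```shell
#!/bin/sh
# Added example (hypothetical helper names): store a received private key so
# that ssh -i accepts it, and check its mode.

# save_private_key DEST: copy stdin to DEST with owner-only permissions
save_private_key() {
    (
        umask 077          # a newly created file gets no group/other bits at all
        cat > "$1"
    ) && chmod 600 "$1"    # also tightens a DEST that already existed with a wider mode
}

# key_mode_ok FILE: true only if group and other have no access bits,
# which is what ssh requires of an identity file
key_mode_ok() {
    perms=$(ls -ld "$1" | cut -c5-10)      # the six group/other characters of the mode
    [ "$perms" = "------" ]
}

demo_key_check() {
    dir=$(mktemp -d) || return 1           # private 0700 directory, not a guessable /tmp name
    printf 'constructed placeholder, not a real key\n' |
        save_private_key "$dir/sshkey.private"
    key_mode_ok "$dir/sshkey.private" && echo "0600: ssh -i will accept this file"
    chmod 644 "$dir/sshkey.private"        # what a plain redirect usually leaves behind
    key_mode_ok "$dir/sshkey.private" || echo "0644: ssh -i would refuse this file"
    rm -rf "$dir"
}
demo_key_check
```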


Bandit Level 17 → Level 18

Level Goal
There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new

NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19

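After logging in to 17, list the directory and you find two files. The hint says the changed line is the password, so use the diff command to show the changed line and find the password: kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd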

bandit17@bandit:~$ ls
passwords.new  passwords.old
bandit17@bandit:~$ diff -d passwords.new passwords.old
42c42
< kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
---
> w0Yfolrc5bwjS4qw5mq1nnQi6mF03bii

Bandit Level 18 → Level 19

Level Goal
The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

Commands you may need to solve this level
ssh, ls, cat

Logging in directly to this level prints "Byebye" and then the session is closed, because .bashrc has been modified. We can run ssh with a command to read the file.

ssh -p 2220 bandit18@bandit.labs.overthewire.org "cat ./readme"                                                                                        

This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit18@bandit.labs.overthewire.org's password:
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

This reads the readme file in the home directory before the session is closed and gives the password IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x


Bandit Level 19 → Level 20

Level Goal
To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used the setuid binary.

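The setuid bit shows up in the file permissions: ls -al lists all files with their permissions, and bandit20-do has mode -rwsr-x---. The file is setuid and owned by bandit20, so whatever it runs executes with bandit20's privileges. Use it to read the Level 20 password file and get the password GbKksEFF4yrVs6il55v6gwY5aVje5f0j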

bandit19@bandit:~$ ls -al
total 28
drwxr-xr-x  2 root     root     4096 May  7  2020 .
drwxr-xr-x 41 root     root     4096 May  7  2020 ..
-rwsr-x---  1 bandit20 bandit19 7296 May  7  2020 bandit20-do
-rw-r--r--  1 root     root      220 May 15  2017 .bash_logout
-rw-r--r--  1 root     root     3526 May 15  2017 .bashrc
-rw-r--r--  1 root     root      675 May 15  2017 .profile
bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j

To be continued…
