I'm a newbie at CTF, so I created this blog to help ME, and YOU, the ones who really want to improve their CTF skills. The first write-up series is about Bandit CTF: http://overthewire.org/wargames/bandit/
Let's go! Hope we will have a great time together! Keep calm and Happy CTF! ^^
Level 0: SSH
$ ssh bandit0@bandit.labs.overthewire.org
>> Password: bandit0
bandit0@melinda:~$ ls (you will see a file named readme)
bandit0@melinda:~$ vi readme
Level 1: Strange file name
bandit1@melinda:~$ vi "./-"
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
Level 2: Strange file name
Nothing different!
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK
Level 3: Hidden file
$ cd inhere
$ ls -a
$ vi .hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB
Level 4: Many files
I see a command named "cat", and I find it's more useful than "vi".
$ cat "./-file07"
koReBOKuIDDepwhWk7jZC0RTdopnAYKh
Level 5: Super many files
In this level, I saw many folders and files, and they really made me confused.
So I think we should use some search command to handle this chal.
Let's google!
I think the file containing the flag is the latest modified file, so I searched "find last modified file linux" and found this command:
stat --printf="%y %n\n" $(ls -tr $(find * -type f))
But the results didn't look good. Phew!!!
I played some CTFs, and when getting stuck on a problem, I often gave up.
But this time - when I am writing this blog, I'm going to participate in a contest between universities in my country. It's very important for me to win this contest, so I must try my best ^^
So what should we do now?
I took a look at some files, and they are big text files. So I think we should find a small file that is the same size as the flag file in bandit4.
OK, let's see. bandit4's -file07 -> 33 bytes -> We'll find a file that is 33 bytes in size.
Now we are in bandit5/inhere. List all files with their sizes:
$ ls -LR -l
I can't find any 33-byte file, but we have 77 and 51 here. I tried submitting the passwords from these files but got "Permission denied, please try again."
Ah, hidden file!
$ ls -LR -l -a
Still no 33-byte file. I tried submitting the password from the new 99-byte file, and got an error again.
I didn't know what to do next, so I clicked the link "Level 5 → Level 6" in the Bandit menu and found the hint: 1033 bytes. OK, easy! Use my eyes and bingo:
DXjZPULLxYr17uwoI01bNLQbtFemEgo7
But how do we use a command to find an x-byte file?
http://www.ducea.com/2008/02/12/linux-tips-find-all-files-of-a-particular-size/
$ find -size 1033c
Note: Please read the description of challenges before solving them!
Time for lunch! I will be right back! :D
---
20150909
Level 6: The level that I gave up!
"The password for the next level is stored somewhere on the server".
$ find / -user bandit7 -group bandit6 -size 33c 2>/dev/null
/var/lib/dpkg/info/bandit7.password
$ cat /var/lib/dpkg/info/bandit7.password
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs
WTF is "2>/dev/null"?
From: http://askubuntu.com/questions/350208/what-does-2-dev-null-mean
/dev/null is treated as a black hole in Linux/Unix, so you can put anything into it, but in the end you will not be able to get it back from /dev/null.
So 2> means you are redirecting [i.e. ">"] stderr [i.e. 2] into the black hole [i.e. /dev/null].
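The size, owner and stderr filters from Levels 5 and 6, as an added shell example that is not part of the original write-up. The directory tree, file names and helper functions are constructed for the demo, and a missing start path stands in for the permission errors that a search from / produces.

```shell
#!/bin/sh
# Added example: constructed sandbox, not the Bandit server's real layout.

make_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/dirA" "$root/dirB"
    head -c 1033 /dev/zero > "$root/dirA/.hidden1033"  # exact size, hidden name
    head -c 1034 /dev/zero > "$root/dirB/big1034"      # one byte too large
    head -c 33   /dev/zero > "$root/dirB/small33"
    printf '%s\n' "$root"
}

# Exact byte match: the trailing "c" makes the unit bytes.
find_bytes() {    # usage: find_bytes DIR SIZE
    find "$1" -type f -size "${2}c" 2>/dev/null || true
}

# No suffix: find counts 512-byte blocks, rounded up, so the 1033-byte and
# the 1034-byte file both count as 3 blocks.
find_blocks() {   # usage: find_blocks DIR BLOCKS
    find "$1" -type f -size "$2" 2>/dev/null || true
}

# Level 6 style filter: owner + group + size, using our own numeric ids.
find_owned() {    # usage: find_owned DIR SIZE
    find "$1" -type f -user "$(id -u)" -group "$(id -g)" \
        -size "${2}c" 2>/dev/null || true
}

# Count the lines find writes to stderr when stdout is thrown away.
# "$1/missing" does not exist, so find complains once, even when run as root.
stderr_lines() {  # usage: stderr_lines DIR
    { find "$1" "$1/missing" -type f -size 33c >/dev/null; } 2>&1 \
        | wc -l | tr -d ' '
}

tree=$(make_tree)
find_bytes "$tree" 1033    # only dirA/.hidden1033, hidden files included
find_blocks "$tree" 3      # both the 1033-byte and the 1034-byte file
find_owned "$tree" 33      # dirB/small33
echo "stderr lines: $(stderr_lines "$tree")"
rm -rf "$tree"
```

find matches hidden files without any extra flag, which is why `find -size 1033c` succeeds where `ls` needed `-a`.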
Level 7: | grep
$ cat data.txt | grep millionth
cvX2JJa4CFALtqS87jk27qwqGhBM9plV
Level 8: uniq and sort
$ uniq data.txt -u
What? Many rows??
$ sort data.txt | uniq -u
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
or: $ cat data.txt | sort | uniq -u
Level 9: strings
bandit9@melinda:~$ cat data.txt | grep =
Binary file (standard input) matches
Submit flag: 'Binary file (standard input) matches'. Failed :v
Search for the error: "The grep -a, --text option may be of use to you"
OK, $ cat data.txt | grep -a "=="
truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk
or: $ strings data.txt | grep '='
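Why plain grep printed "Binary file (standard input) matches" and what -a changes, as an added shell example that is not from the original write-up. The sample bytes, the SAMPLEpassword123 marker and the function names are constructed.

```shell
#!/bin/sh
# Added example; the sample file and its marker text are constructed.

# A text marker buried between NUL and high bytes.
make_sample() {
    f=$(mktemp)
    printf '\001\002\000\377junk=x\000\000========== SAMPLEpassword123\000\376\n\003=\000' > "$f"
    printf '%s\n' "$f"
}

# GNU grep treats input containing NUL bytes as binary and then only reports
# that something matched, which is the message seen above.
nul_count() {        # usage: nul_count FILE
    tr -cd '\000' < "$1" | wc -c | tr -d ' '
}

# -a forces text mode; -o prints only the matched bytes instead of the whole
# "line", which in binary data can drag a lot of garbage along with it.
# The pattern wants at least two "=" so that a lone "=" in the noise is skipped.
extract_marker() {   # usage: extract_marker FILE
    LC_ALL=C grep -a -o '===* [A-Za-z0-9]*' "$1" || true
}

# Keep just the token after the run of "=" signs.
extract_password() { # usage: extract_password FILE
    extract_marker "$1" | awk '{print $2}'
}

sample=$(make_sample)
echo "NUL bytes: $(nul_count "$sample")"
extract_marker "$sample"
extract_password "$sample"
rm -f "$sample"
```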
Level 10: base64
$ strings data.txt | base64 -d
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR
Level 11: tr
bandit11@melinda:~$ cat data.txt | tr 'a-zA-Z' 'n-za-mN-ZA-M'
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
Level 12: xxd mv cd mkdir
bandit12@melinda:/tmp/hihihi$ strings data8
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
Level 13: ssh
$ ssh -i sshkey.private bandit14@localhost
$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Level 14: telnet
$ telnet localhost 30000
BfMYroe26WYalil77FoDi9qh59eK5xNr
Level 15: openssl
$ openssl s_client -connect localhost:30001 -quiet
cluFn7wTiGryunymYOu4RcffSxQluehd
Level 16: nmap
$ nmap localhost -p 31000-32000
$ openssl s_client -connect localhost:31790
Copy and create sshkey.private
$ ssh -i sshkey.private bandit17@localhost
$ ls
$ diff password.new password.old
< kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd <-- pass 18-19
---
> BS8bqB1kqkinKJjuxL6k072Qq9NRwQpR
xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn <-- pass 17-18
Level 18: ssh with command
$ ssh bandit18@bandit.labs.overthewire.org cat readme
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
Level 19:
$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Level 20:
$ nc -l 6969
$ ./suconnect 6969
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
--- manacian ---
--- ctf for beginners ---