Wargames Bandit (levels 11-20) write-up
2022-07-24 08:26:00 【renu08】
Bandit Level 11 → Level 12
Hint: the password is stored in data.txt, where all lowercase and uppercase letters have been encrypted with ROT13.
cat data.txt
Ciphertext: Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh
After ROT13 decryption: The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
username:bandit12
password:5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
Level cleared!
Bandit Level 12 → Level 13
Hint: the password is stored in data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level, create a directory under /tmp and copy the data file into it with cp; mv can be used to rename files.
mkdir /tmp/bandit13
cp data.txt /tmp/bandit13
cd /tmp/bandit13
xxd -r data.txt dd # -r reverses the operation: converts xxd's hexadecimal output back into the binary content of the original file
file dd #dd: gzip compressed data, was "data2.bin"
mv dd dd.gz
gzip -dv dd.gz
file dd #dd: bzip2 compressed data, block size = 900k
mv dd dd.bz2
bzip2 -dv dd.bz2
file dd #dd: gzip compressed data, was "data4.bin"
mv dd dd.gz
gzip -dv dd.gz
file dd #dd: POSIX tar archive (GNU)
tar -xvf dd
file data5.bin #data5.bin: POSIX tar archive (GNU)
tar -xvf data5.bin
file data6.bin #data6.bin: bzip2 compressed data, block size = 900k
bzip2 -dv data6.bin
file data6.bin.out #data6.bin.out: POSIX tar archive (GNU)
tar -xvf data6.bin.out
file data8.bin #data8.bin: gzip compressed data, was "data9.bin"
mv data8.bin data8.bin.gz
gzip -dv data8.bin.gz
file data8.bin #data8.bin: ASCII text
cat data8.bin
username:bandit13
password:8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
Level cleared!
Bandit Level 13 → Level 14
Hint: the password is stored in /etc/bandit_pass/bandit14, but only the bandit14 user can read it, so the password cannot be read directly. A private key is provided, however, so you can log in over ssh with the private key and then read the password file.
ssh -i ./sshkey.private [email protected]
cat /etc/bandit_pass/bandit14
username:bandit14
password:4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e
Level cleared!
Bandit Level 14 → Level 15
Hint: the next password is obtained by submitting the password of the current level (level 14) to port 30000 on localhost.
telnet localhost 30000
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e #bandit14 password
username:bandit15
password:BfMYroe26WYalil77FoDi9qh59eK5xNr
Level cleared!
Bandit Level 15 → Level 16
Hint: first connect to port 30001 on localhost using SSL, then submit the current password.
openssl s_client -connect localhost:30001
BfMYroe26WYalil77FoDi9qh59eK5xNr
username:bandit16
password:cluFn7wTiGryunymYOu4RcffSxQluehd
Level cleared!
Bandit Level 16 → Level 17
Hint: the certificate for the next level is obtained by submitting the current password to one of the ports in the range 31000-32000 on localhost. First scan for the ports that are listening on localhost, then find the ones that support SSL. Only one port returns the certificate for the next level.
nc -v -w 2 localhost -z 31000-32000
The scan results are as follows:
localhost [127.0.0.1] 31960 (?) open
localhost [127.0.0.1] 31790 (?) open
localhost [127.0.0.1] 31691 (?) open
localhost [127.0.0.1] 31518 (?) open
localhost [127.0.0.1] 31046 (?) open
Only these 5 ports are open. Trying them one by one, luckily port 31790 is the one.
openssl s_client -connect localhost:31790 > sshkey.txt
cluFn7wTiGryunymYOu4RcffSxQluehd
The next level's CA is obtained and written to sshkey.txt. Then convert the plaintext private key into the ciphertext private key, log in to the next level over ssh with the private key, and run cat /etc/bandit_pass/bandit17 to get the next level's password.
openssl rsa -inform PEM -in sshkey.txt -outform PEM -out sshkey.pem
ssh -i sshkey.pem [email protected]
cat /etc/bandit_pass/bandit17
username:bandit17
password:xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn
Level cleared!
Bandit Level 17 → Level 18
Hint: the home directory contains two files, passwords.old and passwords.new. The password for the next level is stored in passwords.new. Only one line differs between the two files, so just find the line that is different.
diff passwords.new passwords.old
username:bandit18
password:kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
Level cleared!
Bandit Level 18 → Level 19
Hint: the password for the next level is stored in the readme file in the home directory. However, someone has modified the .bashrc file so that you are logged out immediately after logging in with ssh. ssh can also execute a command remotely:
ssh [email protected] cat ./readme # run the command remotely
kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd
username:bandit19
password:IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x
Level cleared!
Bandit Level 19 → Level 20
Hint: use the setuid tool in the home directory to gain access to files as bandit20. Running the tool without any arguments shows how to use it. The password is stored under /etc/bandit_pass.
./bandit20-do cat /etc/bandit_pass/bandit20
username:bandit20
password:GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Level cleared!
Bandit Level 20 → Level 21
Hint: the home directory contains a tool called suconnect. It connects to localhost on the port number given as its command-line argument, reads a line of text from the connection and compares it with bandit20's password. If the password matches, it sends back the password for the next level.
tmux new -s s1 -d # create session s1 in the background
tmux new -s s2 -d # create session s2 in the background
tmux attach -t s1 # attach to session s1
#s1
nc -l -p 40000 localhost
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Ctrl+b d # detach and return to the shell
tmux attach -t s2 # attach to session s2
#s2
./suconnect 40000
Ctrl+b d
tmux attach -t s1 # attach to session s1
At this point the password for the next level has been obtained.
username:bandit21
password:gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr
Level cleared!