Level 0#

주어진 정보대로 ssh에 연결하면 된다.

1
ssh 사용자명@서버주소 -p 포트번호

를 쳐서 접속할 수 있다.

1
axii@fedora:~/bandit$ ssh bandit0@bandit.labs.overthewire.org -p 2220
2
The authenticity of host '[bandit.labs.overthewire.org]:2220 ([13.63.65.121]:2220)' can't be established.
3
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
4
This key is not known by any other names.
5
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
6
Warning: Permanently added '[bandit.labs.overthewire.org]:2220' (ED25519) to the list of known hosts.
7
                         _                     _ _ _
8
                        | |__   __ _ _ __   __| (_) |_
9
                        | '_ \ / _` | '_ \ / _` | | __|
10
                        | |_) | (_| | | | | (_| | | |_
11
                        |_.__/ \__,_|_| |_|\__,_|_|\__|
12

13

14
                      This is an OverTheWire game server.
15
            More information on http://www.overthewire.org/wargames
16

17
backend: gibson-0
18
bandit0@bandit.labs.overthewire.org's password:
19

20
      ,----..            ,----,          .---.
21
     /   /   \         ,/   .`|         /. ./|
22
    /   .     :      ,`   .'  :     .--'.  ' ;
23
   .   /   ;.  \   ;    ;     /    /__./ \ : |
24
  .   ;   /  ` ; .'___,/    ,' .--'.  '   \' .
25
  ;   |  ; \ ; | |    :     | /___/ \ |    ' '
26
  |   :  | ; | ' ;    |.';  ; ;   \  \;      :
27
  .   |  ' ' ' : `----'  |  |  \   ;  `      |
28
  '   ;  \; /  |     '   :  ;   .   \    .\  ;
29
   \   \  ',  /      |   |  '    \   \   ' \ |
30
    ;   :    /       '   :  |     :   '  |--"
31
     \   \ .'        ;   |.'       \   \ ;
32
  www. `---` ver     '---' he       '---" ire.org
33

34
Welcome to OverTheWire!
35

36
If you find any problems, please report them to the #wargames channel on
37
discord or IRC.
38

39
--[ Playing the games ]--
40

41
  This machine might hold several wargames.
42
  If you are playing "somegame", then:
43

44
    * USERNAMES are somegame0, somegame1, ...
45
    * Most LEVELS are stored in /somegame/.
46
    * PASSWORDS for each level are stored in /etc/somegame_pass/.
47

48
  Write-access to homedirectories is disabled. It is advised to create a
49
  working directory with a hard-to-guess name in /tmp/.  You can use the
50
  command "mktemp -d" in order to generate a random and hard to guess
51
  directory in /tmp/.  Read-access to both /tmp/ is disabled and to /proc
52
  restricted so that users cannot snoop on eachother. Files and directories
53
  with easily guessable or short names will be periodically deleted! The /tmp
54
  directory is regularly wiped.
55
  Please play nice:
56

57
    * don't leave orphan processes running
58
    * don't leave exploit-files laying around
59
    * don't annoy other players
60
    * don't post passwords or spoilers
61
    * again, DONT POST SPOILERS!
62
      This includes writeups of your solution on your blog or website!
63

64
--[ Tips ]--
65

66
  This machine has a 64bit processor and many security-features enabled
67
  by default, although ASLR has been switched off.  The following
68
  compiler flags might be interesting:
69

70
    -m32                    compile for 32bit
71
    -fno-stack-protector    disable ProPolice
72
    -Wl,-z,norelro          disable relro
73

74
  In addition, the execstack tool can be used to flag the stack as
75
  executable on ELF binaries.
76

77
  Finally, network-access is limited for most levels by a local
78
  firewall.
79

80
--[ Tools ]--
81

82
 For your convenience we have installed a few useful tools which you can find
83
 in the following locations:
84

85
    * gef (https://github.com/hugsy/gef) in /opt/gef/
86
    * pwndbg (https://github.com/pwndbg/pwndbg) in /opt/pwndbg/
87
    * gdbinit (https://github.com/gdbinit/Gdbinit) in /opt/gdbinit/
88
    * pwntools (https://github.com/Gallopsled/pwntools)
89
    * radare2 (http://www.radare.org/)
90

91
--[ More information ]--
92

93
  For more information regarding individual wargames, visit
94
  http://www.overthewire.org/wargames/
95

96
  For support, questions or comments, contact us on discord or IRC.
97

98
  Enjoy your stay!
99

100
bandit0@bandit:~$

처음 접속하는 서버라 접속할지 여부를 묻고 yes를 치면 비밀번호를 입력하라 하는데 주어진대로 bandit0을 입력하면 된다.

1
    * USERNAMES are somegame0, somegame1, ...
2
    * Most LEVELS are stored in /somegame/.
3
    * PASSWORDS for each level are stored in /etc/somegame_pass/.

여기서 마지막에 있는 pw는 /etc/게임명_pass에 있다는 정보가 중요해 보인다.

1
bandit0@bandit:~$ cd etc
2
-bash: cd: etc: No such file or directory
3
bandit0@bandit:~$ ls
4
readme
5
bandit0@bandit:~$ cat readme
6
Congratulations on your first steps into the bandit game!!
7
Please make sure you have read the rules at https://overthewire.org/rules/
8
If you are following a course, workshop, walkthrough or other educational activity,
9
please inform the instructor about the rules as well and encourage them to
10
contribute to the OverTheWire community so we can keep these games free!
11

12
The password you are looking for is: <redacted>

아마 Level 0이라 그냥 readme에 두었나보다.

Level 1#

1
axii@fedora:~/bandit$ ssh bandit1@bandit.labs.overthewire.org -p 2220
2

3
bandit1@bandit:~$ ls -al
4
total 24
5
-rw-r-----   1 bandit2 bandit1   33 Apr  3 15:17 -
6
drwxr-xr-x   2 root    root    4096 Apr  3 15:17 .
7
drwxr-xr-x 150 root    root    4096 Apr  3 15:20 ..
8
-rw-r--r--   1 root    root     220 Mar 31  2024 .bash_logout
9
-rw-r--r--   1 root    root    3851 Apr  3 15:10 .bashrc
10
-rw-r--r--   1 root    root     807 Mar 31  2024 .profile
11
bandit1@bandit:~$ cat -
12
^C

서버 들어갈 때 뜨는 안내문은 Level 0과 같아서 앞으로도 생략하겠다.

Level 0에서 얻은 pw로 접속했다.

ls를 입력해서 디렉토리 파악을 해봤는데 -라는 이름의 파일이 있었다.

cat -로 읽으려하자 아무것도 뜨지않길래 ctrl+c로 끊었다.

문제 안내에서 cat 명령어 설명으로 걸려있는 링크에 가봤다.

파일이 -면 표준입력을 받는다고 되어있다.

1
bandit1@bandit:~$ cat ./-
2
<redacted>

그래서 현재 디렉토리의 -파일이라고 경로로 찍어주니 제대로 출력이 되었다.

Level 2#

1
axii@fedora:~/bandit$ ssh bandit2@bandit.labs.overthewire.org -p 2220
2

3
bandit2@bandit:~$ ls -al
4
total 24
5
drwxr-xr-x   2 root    root    4096 Apr  3 15:17 .
6
drwxr-xr-x 150 root    root    4096 Apr  3 15:20 ..
7
-rw-r--r--   1 root    root     220 Mar 31  2024 .bash_logout
8
-rw-r--r--   1 root    root    3851 Apr  3 15:10 .bashrc
9
-rw-r--r--   1 root    root     807 Mar 31  2024 .profile
10
-rw-r-----   1 bandit3 bandit2   33 Apr  3 15:17 --spaces in this filename--
11
bandit2@bandit:~$ cat ./--spaces\ in\ this\ filename--
12
<redacted>

Level 1과 같이 경로를 찍어주니 작동한다.

Level 3#

1
axii@fedora:~/bandit$ ssh bandit3@bandit.labs.overthewire.org -p 2220
2

3
bandit3@bandit:~$ ls -al
4
total 24
5
drwxr-xr-x   3 root root 4096 Apr  3 15:18 .
6
drwxr-xr-x 150 root root 4096 Apr  3 15:20 ..
7
-rw-r--r--   1 root root  220 Mar 31  2024 .bash_logout
8
-rw-r--r--   1 root root 3851 Apr  3 15:10 .bashrc
9
drwxr-xr-x   2 root root 4096 Apr  3 15:18 inhere
10
-rw-r--r--   1 root root  807 Mar 31  2024 .profile
11
bandit3@bandit:~$ cd inhere/
12
bandit3@bandit:~/inhere$ ls
13
bandit3@bandit:~/inhere$ ls -al
14
total 12
15
drwxr-xr-x 2 root    root    4096 Apr  3 15:18 .
16
drwxr-xr-x 3 root    root    4096 Apr  3 15:18 ..
17
-rw-r----- 1 bandit4 bandit3   33 Apr  3 15:18 ...Hiding-From-You
18
bandit3@bandit:~/inhere$ cat ..
19
../                 ...Hiding-From-You
20
bandit3@bandit:~/inhere$ cat ...Hiding-From-You
21
<redacted>

리눅스에서 .으로 시작하는 파일은 숨김파일이라 ls로는 안보이고 ls -al로 찾고 읽어냈다.

Level 4#

1
axii@fedora:~/bandit$ ssh bandit4@bandit.labs.overthewire.org -p 2220
2

3
bandit4@bandit:~$ ls -al
4
total 24
5
drwxr-xr-x   3 root root 4096 Apr  3 15:18 .
6
drwxr-xr-x 150 root root 4096 Apr  3 15:20 ..
7
-rw-r--r--   1 root root  220 Mar 31  2024 .bash_logout
8
-rw-r--r--   1 root root 3851 Apr  3 15:10 .bashrc
9
drwxr-xr-x   2 root root 4096 Apr  3 15:18 inhere
10
-rw-r--r--   1 root root  807 Mar 31  2024 .profile
11
bandit4@bandit:~$ cd inhere/
12
bandit4@bandit:~/inhere$ ls -al
13
total 48
14
drwxr-xr-x 2 root    root    4096 Apr  3 15:18 .
15
drwxr-xr-x 3 root    root    4096 Apr  3 15:18 ..
16
-rw-r----- 1 bandit5 bandit4   33 Apr  3 15:18 -file00
17
-rw-r----- 1 bandit5 bandit4   33 Apr  3 15:18 -file01
18
-rw-r----- 1 bandit5 bandit4   33 Apr  3 15:18 -file02
19
-rw-r----- 1 bandit5 bandit4   33 Apr  3 15:18 -file03
20
-rw-r----- 1 bandit5 bandit4   33 Apr  3 15:18 -file04
21
-rw-r----- 1 bandit5 bandit4   33 Apr  3 15:18 -file05
22
-rw-r----- 1 bandit5 bandit4   33 Apr  3 15:18 -file06
23
-rw-r----- 1 bandit5 bandit4   33 Apr  3 15:18 -file07
24
-rw-r----- 1 bandit5 bandit4   33 Apr  3 15:18 -file08
25
-rw-r----- 1 bandit5 bandit4   33 Apr  3 15:18 -file09
26
bandit4@bandit:~/inhere$ cat ./-file0
27
cat: ./-file0: No such file or directory
28
bandit4@bandit:~/inhere$ cat ./-file00
29
��y�er`�v>/�ܿa@.�'m�������bandit4@bandit:~/inhere$ cat ./-file01
30
�3��P�WDQ�-^c@�򍣦-�#/Erttbandit4@bandit:~/inhere$ cat ./-file02
31
4t�:Oz�l�)���Lm�L�
32
                   Y�l��9�0��Mbandit4@bandit:~/inhere$ cat ./-file03
33
��~��ɢ܎Ց��;Kde{f
34
                   +<>�bandit4@bandit:~/inhere$ cat ./-file04
35
�-�v��������hH�X��i>*�I�~�aP�8Qbandit4@bandit:~/inhere$ cat ./-file05
36
        VN�F��#��ژ�:է����Vd�Z��כ�#�bandit4@bandit:~/inhere$ cat ./-file06
37
o"ُ֛�� ,�i�M�
38
             -g@x,��v���z�bandit4@bandit:~/inhere$ cat ./-file07
39
<redacted>
40
bandit4@bandit:~/inhere$ cat ./-file08
41
��uB�{N����ފ�!-��s��$aA�1mbandit4@bandit:~/inhere$ cat ./-file09
42
�OP�vV�}�H�:�I�%�#�X�
43
�}�bandit4@bandit:~/inhere$

사람이 읽을 수 있는게 pw라 하니

1
bandit4@bandit:~/inhere$ cat ./-file07
2
<redacted>

이게 pw일것이다.

풀이 후 좀더 생각해보니

1
bandit4@bandit:~/inhere$ file ./*
2
./-file00: data
3
./-file01: data
4
./-file02: data
5
./-file03: DOS executable (COM), start instruction 0x8c887e10 c3ee96c9
6
./-file04: data
7
./-file05: data
8
./-file06: data
9
./-file07: ASCII text
10
./-file08: data
11
./-file09: data

이렇게 먼저 확인했으면 삽질을 안했어도 됐을것이다.

Level 5#

1
axii@fedora:~/bandit$ ssh bandit5@bandit.labs.overthewire.org -p 2220
2

3
bandit5@bandit:~$ ls -al
4
total 24
5
drwxr-xr-x   3 root root    4096 Apr  3 15:18 .
6
drwxr-xr-x 150 root root    4096 Apr  3 15:20 ..
7
-rw-r--r--   1 root root     220 Mar 31  2024 .bash_logout
8
-rw-r--r--   1 root root    3851 Apr  3 15:10 .bashrc
9
drwxr-x---  22 root bandit5 4096 Apr  3 15:18 inhere
10
-rw-r--r--   1 root root     807 Mar 31  2024 .profile
11
bandit5@bandit:~$ cd inhere/
12
bandit5@bandit:~/inhere$ ls -al
13
total 88
14
drwxr-x--- 22 root bandit5 4096 Apr  3 15:18 .
15
drwxr-xr-x  3 root root    4096 Apr  3 15:18 ..
16
drwxr-x---  2 root bandit5 4096 Apr  3 15:18 maybehere00
17
drwxr-x---  2 root bandit5 4096 Apr  3 15:18 maybehere01
18
drwxr-x---  2 root bandit5 4096 Apr  3 15:18 maybehere02
19
drwxr-x---  2 root bandit5 4096 Apr  3 15:18 maybehere03
20
drwxr-x---  2 root bandit5 4096 Apr  3 15:18 maybehere04
21
drwxr-x---  2 root bandit5 4096 Apr  3 15:18 maybehere05
22
drwxr-x---  2 root bandit5 4096 Apr  3 15:18 maybehere06
23
drwxr-x---  2 root bandit5 4096 Apr  3 15:18 maybehere07
24
drwxr-x---  2 root bandit5 4096 Apr  3 15:18 maybehere08
25
drwxr-x---  2 root bandit5 4096 Apr  3 15:18 maybehere09
26
drwxr-x---  2 root bandit5 4096 Apr  3 15:18 maybehere10
27
drwxr-x---  2 root bandit5 4096 Apr  3 15:18 maybehere11
28
drwxr-x---  2 root bandit5 4096 Apr  3 15:18 maybehere12
29
drwxr-x---  2 root bandit5 4096 Apr  3 15:18 maybehere13
30
drwxr-x---  2 root bandit5 4096 Apr  3 15:18 maybehere14
31
drwxr-x---  2 root bandit5 4096 Apr  3 15:18 maybehere15
32
drwxr-x---  2 root bandit5 4096 Apr  3 15:18 maybehere16
33
drwxr-x---  2 root bandit5 4096 Apr  3 15:18 maybehere17
34
drwxr-x---  2 root bandit5 4096 Apr  3 15:18 maybehere18
35
drwxr-x---  2 root bandit5 4096 Apr  3 15:18 maybehere19
36
bandit5@bandit:~/inhere$ file ./*
37
./maybehere00: directory
38
./maybehere01: directory
39
./maybehere02: directory
40
./maybehere03: directory
41
./maybehere04: directory
42
./maybehere05: directory
43
./maybehere06: directory
44
./maybehere07: directory
45
./maybehere08: directory
46
./maybehere09: directory
47
./maybehere10: directory
48
./maybehere11: directory
49
./maybehere12: directory
50
./maybehere13: directory
51
./maybehere14: directory
52
./maybehere15: directory
53
./maybehere16: directory
54
./maybehere17: directory
55
./maybehere18: directory
56
./maybehere19: directory
57
bandit5@bandit:~/inhere$ find . -size 1033c ! -excutable
58
find: unknown predicate `-excutable'
59
bandit5@bandit:~/inhere$ find . -size 1033c ! -executable
60
./maybehere07/.file2
61
bandit5@bandit:~/inhere$ cat ./maybehere07/.file2
62
<redacted>

뭔가 find로 검색해야겠다는건 알겠는데 정확한 옵션이 생각이 안나서 주어진 find의 링크로 가서 찾았다.

1
-size
2
    n[cwbkMG]
3
  File uses less than, more than or exactly n units of space,
4
      rounding up. The following suffixes can be used:
5

6
`c'
7
  for bytes
8

9
! expr
10
  True if expr is false. This character will also usually need
11
      protection from interpretation by the shell.
12

13
-executable
14
  Matches files which are executable and directories which are searchable
15
      (in a file name resolution sense) by the current user. This takes into
16
      account access control lists and other permissions artefacts which the
17
      -perm test ignores. This test makes use of the access(2)
18
      system call, and so can be fooled by NFS servers which do UID mapping (or
19
      root-squashing), since many systems implement access(2) in the
20
      client's kernel and so cannot make use of the UID mapping information held
21
      on the server. Because this test is based only on the result of the
22
      access(2) system call, there is no guarantee that a file for which
23
      this test succeeds can actually be executed.

Level 6#

1
axii@fedora:~/bandit$ ssh bandit6@bandit.labs.overthewire.org -p 2220
2

3
bandit6@bandit:~$ ls -al
4
total 20
5
drwxr-xr-x   2 root root 4096 Apr  3 15:17 .
6
drwxr-xr-x 150 root root 4096 Apr  3 15:20 ..
7
-rw-r--r--   1 root root  220 Mar 31  2024 .bash_logout
8
-rw-r--r--   1 root root 3851 Apr  3 15:10 .bashrc
9
-rw-r--r--   1 root root  807 Mar 31  2024 .profile
10
bandit6@bandit:~$ cd find / -user bandit7 -group bandit6 -size 33c
11
-bash: cd: too many arguments
12
bandit6@bandit:~$ find / -user bandit7 -group bandit6 -size 33c
13
find: ‘/tmp’: Permission denied
14
find: ‘/etc/credstore.encrypted’: Permission denied
15
find: ‘/etc/sudoers.d’: Permission denied
16
find: ‘/etc/stunnel’: Permission denied
17
find: ‘/etc/multipath’: Permission denied
18
find: ‘/etc/ssl/private’: Permission denied
19
find: ‘/etc/polkit-1/rules.d’: Permission denied
20
find: ‘/etc/credstore’: Permission denied
21
find: ‘/etc/xinetd.d’: Permission denied
22
find: ‘/dev/mqueue’: Permission denied
23
find: ‘/dev/shm’: Permission denied
24
find: ‘/snap’: Permission denied
25
find: ‘/lost+found’: Permission denied
26
find: ‘/run/pam_pidns’: Permission denied
27
find: ‘/run/udisks2’: Permission denied
28
find: ‘/run/chrony’: Permission denied
29
find: ‘/run/user/11011’: Permission denied
30
find: ‘/run/user/8002’: Permission denied
31
find: ‘/run/user/11017’: Permission denied
32
find: ‘/run/user/11014’: Permission denied
33
find: ‘/run/user/11008’: Permission denied
34
find: ‘/run/user/11010’: Permission denied
35
find: ‘/run/user/11004’: Permission denied
36
find: ‘/run/user/11009’: Permission denied
37
find: ‘/run/user/11013’: Permission denied
38
find: ‘/run/user/11001’: Permission denied
39
find: ‘/run/user/15000’: Permission denied
40
find: ‘/run/user/11019’: Permission denied
41
find: ‘/run/user/11016’: Permission denied
42
find: ‘/run/user/11015’: Permission denied
43
find: ‘/run/user/15001’: Permission denied
44
find: ‘/run/user/5018’: Permission denied
45
find: ‘/run/user/11006/systemd/inaccessible/dir’: Permission denied
46
find: ‘/run/user/15006’: Permission denied
47
find: ‘/run/user/11003’: Permission denied
48
find: ‘/run/user/14000’: Permission denied
49
find: ‘/run/user/11002’: Permission denied
50
find: ‘/run/user/11022’: Permission denied
51
find: ‘/run/user/15002’: Permission denied
52
find: ‘/run/user/15005’: Permission denied
53
find: ‘/run/user/11026’: Permission denied
54
find: ‘/run/user/11020’: Permission denied
55
find: ‘/run/user/11007’: Permission denied
56
find: ‘/run/user/11018’: Permission denied
57
find: ‘/run/user/11012’: Permission denied
58
find: ‘/run/user/8003’: Permission denied
59
find: ‘/run/user/16000’: Permission denied
60
find: ‘/run/user/11005’: Permission denied
61
find: ‘/run/user/11000’: Permission denied
62
find: ‘/run/user/11025’: Permission denied
63
find: ‘/run/sudo’: Permission denied
64
find: ‘/run/screen/S-bandit24’: Permission denied
65
find: ‘/run/screen/S-behemoth3’: Permission denied
66
find: ‘/run/screen/S-narnia3’: Permission denied
67
find: ‘/run/screen/S-krypton3’: Permission denied
68
find: ‘/run/screen/S-bandit19’: Permission denied
69
find: ‘/run/screen/S-bandit25’: Permission denied
70
find: ‘/run/screen/S-bandit21’: Permission denied
71
find: ‘/run/screen/S-bandit22’: Permission denied
72
find: ‘/run/screen/S-bandit23’: Permission denied
73
find: ‘/run/screen/S-bandit0’: Permission denied
74
find: ‘/run/screen/S-bandit20’: Permission denied
75
find: ‘/run/multipath’: Permission denied
76
find: ‘/run/cryptsetup’: Permission denied
77
find: ‘/run/lvm’: Permission denied
78
find: ‘/run/systemd/propagate/fwupd.service’: Permission denied
79
find: ‘/run/systemd/propagate/ModemManager.service’: Permission denied
80
find: ‘/run/systemd/propagate/polkit.service’: Permission denied
81
find: ‘/run/systemd/propagate/chrony.service’: Permission denied
82
find: ‘/run/systemd/propagate/systemd-logind.service’: Permission denied
83
find: ‘/run/systemd/propagate/irqbalance.service’: Permission denied
84
find: ‘/run/systemd/propagate/systemd-networkd.service’: Permission denied
85
find: ‘/run/systemd/propagate/systemd-resolved.service’: Permission denied
86
find: ‘/run/systemd/propagate/systemd-udevd.service’: Permission denied
87
find: ‘/run/systemd/inaccessible/dir’: Permission denied
88
find: ‘/run/lock/lvm’: Permission denied
89
find: ‘/home/drifter6/data’: Permission denied
90
find: ‘/home/leviathan4/.trash’: Permission denied
91
find: ‘/home/drifter8/chroot’: Permission denied
92
find: ‘/home/bandit30-git’: Permission denied
93
find: ‘/home/bandit29-git’: Permission denied
94
find: ‘/home/bandit28-git’: Permission denied
95
find: ‘/home/ubuntu’: Permission denied
96
find: ‘/home/leviathan0/.backup’: Permission denied
97
find: ‘/home/bandit27-git’: Permission denied
98
find: ‘/home/bandit5/inhere’: Permission denied
99
find: ‘/home/bandit31-git’: Permission denied
100
find: ‘/proc/tty/driver’: Permission denied
101
find: ‘/proc/1/task/1/fd’: Permission denied
102
find: ‘/proc/1/task/1/fdinfo’: Permission denied
103
find: ‘/proc/1/task/1/ns’: Permission denied
104
find: ‘/proc/1/fd’: Permission denied
105
find: ‘/proc/1/map_files’: Permission denied
106
find: ‘/proc/1/fdinfo’: Permission denied
107
find: ‘/proc/1/ns’: Permission denied
108
find: ‘/proc/2/task/2/fd’: Permission denied
109
find: ‘/proc/2/task/2/fdinfo’: Permission denied
110
find: ‘/proc/2/task/2/ns’: Permission denied
111
find: ‘/proc/2/fd’: Permission denied
112
find: ‘/proc/2/map_files’: Permission denied
113
find: ‘/proc/2/fdinfo’: Permission denied
114
find: ‘/proc/2/ns’: Permission denied
115
find: ‘/proc/18/task/18/fd/6’: No such file or directory
116
find: ‘/proc/18/task/18/fdinfo/6’: No such file or directory
117
find: ‘/proc/18/fd/5’: No such file or directory
118
find: ‘/proc/18/fdinfo/5’: No such file or directory
119
find: ‘/manpage/manpage3-pw’: Permission denied
120
find: ‘/var/crash’: Permission denied
121
find: ‘/var/tmp’: Permission denied
122
find: ‘/var/log’: Permission denied
123
find: ‘/var/lib/apt/lists/partial’: Permission denied
124
find: ‘/var/lib/ubuntu-advantage/apt-esm/var/lib/apt/lists/partial’: Permission denied
125
find: ‘/var/lib/amazon’: Permission denied
126
/var/lib/dpkg/info/bandit7.password
127
find: ‘/var/lib/udisks2’: Permission denied
128
find: ‘/var/lib/snapd/void’: Permission denied
129
find: ‘/var/lib/snapd/cookie’: Permission denied
130
find: ‘/var/lib/polkit-1’: Permission denied
131
find: ‘/var/lib/private’: Permission denied
132
find: ‘/var/lib/chrony’: Permission denied
133
find: ‘/var/lib/update-notifier/package-data-downloads/partial’: Permission denied
134
find: ‘/var/spool/bandit24’: Permission denied
135
find: ‘/var/spool/cron/crontabs’: Permission denied
136
find: ‘/var/spool/rsyslog’: Permission denied
137
find: ‘/var/cache/apt/archives/partial’: Permission denied
138
find: ‘/var/cache/private’: Permission denied
139
find: ‘/var/cache/pollinate’: Permission denied
140
find: ‘/var/cache/apparmor/70b6ca72.0’: Permission denied
141
find: ‘/var/cache/ldconfig’: Permission denied
142
find: ‘/root’: Permission denied
143
find: ‘/boot/efi’: Permission denied
144
find: ‘/boot/lost+found’: Permission denied
145
find: ‘/drifter/drifter14_src/axTLS’: Permission denied
146
find: ‘/sys/kernel/tracing/osnoise’: Permission denied
147
find: ‘/sys/kernel/tracing/hwlat_detector’: Permission denied
148
find: ‘/sys/kernel/tracing/instances’: Permission denied
149
find: ‘/sys/kernel/tracing/trace_stat’: Permission denied
150
find: ‘/sys/kernel/tracing/per_cpu’: Permission denied
151
find: ‘/sys/kernel/tracing/options’: Permission denied
152
find: ‘/sys/kernel/tracing/rv’: Permission denied
153
find: ‘/sys/kernel/debug’: Permission denied
154
find: ‘/sys/fs/pstore’: Permission denied
155
find: ‘/sys/fs/bpf’: Permission denied
156
bandit6@bandit:~$ cat /var/lib/dpkg/info/bandit7.password
157
<redacted>

permission denied가 유일하게 안뜬게 /var/lib/dpkg/info/bandit7.password 다.

1
-user uname
2
  File is owned by user uname (numeric user ID allowed).
3
-group gname
4
  File belongs to group gname (numeric group ID allowed).

마찬가지로 위의 링크에서 다음을 찾아서 사용했다.

Level 7#

1
axii@fedora:~/bandit$ ssh bandit7@bandit.labs.overthewire.org -p 2220
2

3
bandit7@bandit:~$ ls -al
4
total 4108
5
drwxr-xr-x   2 root    root       4096 Apr  3 15:18 .
6
drwxr-xr-x 150 root    root       4096 Apr  3 15:20 ..
7
-rw-r--r--   1 root    root        220 Mar 31  2024 .bash_logout
8
-rw-r--r--   1 root    root       3851 Apr  3 15:10 .bashrc
9
-rw-r-----   1 bandit8 bandit7 4184396 Apr  3 15:18 data.txt
10
-rw-r--r--   1 root    root        807 Mar 31  2024 .profile
11
bandit7@bandit:~$ grep millionth data.txt
12
millionth       <redacted>

grep으로 millionth가 있는 줄을 찾았다.

Level 8#

1
axii@fedora:~/bandit$ ssh bandit8@bandit.labs.overthewire.org -p 2220
2

3
bandit8@bandit:~$ ls -al
4
total 56
5
drwxr-xr-x   2 root    root     4096 Apr  3 15:18 .
6
drwxr-xr-x 150 root    root     4096 Apr  3 15:20 ..
7
-rw-r--r--   1 root    root      220 Mar 31  2024 .bash_logout
8
-rw-r--r--   1 root    root     3851 Apr  3 15:10 .bashrc
9
-rw-r-----   1 bandit9 bandit8 33033 Apr  3 15:18 data.txt
10
-rw-r--r--   1 root    root      807 Mar 31  2024 .profile
11
bandit8@bandit:~$ sort data.txt | uniq -u
12
<redacted>

풀이방법을 고민하던 중 주어진 명령어 힌트를 통해 명령어들 사용법을 보던 중 uniq명령어 설명에서 다음과 같은 내용을 발견했다.

1
'uniq' does not detect repeated lines unless they are adjacent.
2
    You may want to sort the input first, or use 'sort -u' without
3
    'uniq'.

uniq 명령어는 반복되는 줄에서만 단독을 탐지못하므로 먼저 정렬을 하라는 말이 있었다. 따라서 sort 명령어로 정렬 후 파이프라인으로 결과를 uniq에 전달하면 된다.

https://manpages.ubuntu.com/manpages/resolute/man1/sort.1.html

https://manpages.ubuntu.com/manpages/resolute/man1/uniq.1.html

Level 9#

1
axii@fedora:~/bandit$ ssh bandit9@bandit.labs.overthewire.org -p 2220
2

3
bandit9@bandit:~$ ls -al
4
total 40
5
drwxr-xr-x   2 root     root     4096 Apr  3 15:17 .
6
drwxr-xr-x 150 root     root     4096 Apr  3 15:20 ..
7
-rw-r--r--   1 root     root      220 Mar 31  2024 .bash_logout
8
-rw-r--r--   1 root     root     3851 Apr  3 15:10 .bashrc
9
-rw-r-----   1 bandit10 bandit9 19382 Apr  3 15:17 data.txt
10
-rw-r--r--   1 root     root      807 Mar 31  2024 .profile
11
bandit9@bandit:~$ strings data.txt | grep "="
12
 ========== the
13
I\=Ow
14
V?L=
15
%3=VZ
16
========== password
17
={M\
18
========== is
19
=Dvq
20
=n/N
21
========== <redacted>
22
zX]%=
23
]\{=

strings로 문자열만 추출한 후 =가 포함된 문자열만 grep으로 뽑아내면 된다.

Level 10#

1
axii@fedora:~/bandit$ ssh bandit10@bandit.labs.overthewire.org -p 2220
2

3
bandit10@bandit:~$ ls -al
4
total 24
5
drwxr-xr-x   2 root     root     4096 Apr  3 15:17 .
6
drwxr-xr-x 150 root     root     4096 Apr  3 15:20 ..
7
-rw-r--r--   1 root     root      220 Mar 31  2024 .bash_logout
8
-rw-r--r--   1 root     root     3851 Apr  3 15:10 .bashrc
9
-rw-r-----   1 bandit11 bandit10   69 Apr  3 15:17 data.txt
10
-rw-r--r--   1 root     root      807 Mar 31  2024 .profile
11
bandit10@bandit:~$ base64 -d data.txt
12
The password is <redacted>

다음과 같이 디코딩 해줄수 있다.

Level 11#

1
axii@fedora:~/bandit$ ssh bandit11@bandit.labs.overthewire.org -p 2220
2

3
bandit11@bandit:~$ ls -al
4
total 24
5
drwxr-xr-x   2 root     root     4096 Apr  3 15:17 .
6
drwxr-xr-x 150 root     root     4096 Apr  3 15:20 ..
7
-rw-r--r--   1 root     root      220 Mar 31  2024 .bash_logout
8
-rw-r--r--   1 root     root     3851 Apr  3 15:10 .bashrc
9
-rw-r-----   1 bandit12 bandit11   49 Apr  3 15:17 data.txt
10
-rw-r--r--   1 root     root      807 Mar 31  2024 .profile
11
bandit11@bandit:~$ cat data.txt
12
Gur cnffjbeq vf <redacted>

설명대로 13칸씩 치환된것같다.

힌트로 나온 명령어들의 사용법을 서치하다가 tr로 해결 가능할 것 같은데 어떻게 사용해야 할지를 모르겠어서 tr명령어 치환의 응용으로 좀더 서치했다.

https://zidarn87.tistory.com/137 이 블로그가 도움이 크게 되었다.

A+13=N이니까

1
bandit11@bandit:~$ cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'
2
The password is <redacted>

다음과 같이 tr을 사용하면 된다.

A-Z까지의 문자를 N-ZA-M로 치환.

Level 12#

1
axii@fedora:~/bandit$ ssh bandit12@bandit.labs.overthewire.org -p 2220
2

3
bandit12@bandit:~$ ls -al
4
total 24
5
drwxr-xr-x   2 root     root     4096 Apr  3 15:17 .
6
drwxr-xr-x 150 root     root     4096 Apr  3 15:20 ..
7
-rw-r--r--   1 root     root      220 Mar 31  2024 .bash_logout
8
-rw-r--r--   1 root     root     3851 Apr  3 15:10 .bashrc
9
-rw-r-----   1 bandit13 bandit12 2637 Apr  3 15:17 data.txt
10
-rw-r--r--   1 root     root      807 Mar 31  2024 .profile
11
bandit12@bandit:~$ mktemp -d
12
/tmp/tmp.7vZuBJsuwi
13
bandit12@bandit:~$ cp data.txt /tmp/tmp.7vZuBJsuwi
14
bandit12@bandit:~$ cd /tmp/tmp.7vZuBJsuwi
15
bandit12@bandit:/tmp/tmp.7vZuBJsuwi$ ls
16
data.txt
17
bandit12@bandit:/tmp/tmp.7vZuBJsuwi$ file data.txt
18
data.txt: ASCII text
19
bandit12@bandit:/tmp/tmp.7vZuBJsuwi$ xxd -r data.txt > file
20
bandit12@bandit:/tmp/tmp.7vZuBJsuwi$ file file
21
file: gzip compressed data, was "data2.bin", last modified: Fri Apr  3 15:17:36 2026, max compression, from Unix, original size modulo 2^32 576
22
bandit12@bandit:/tmp/tmp.7vZuBJsuwi$ gzip -d file >file1
23
gzip: file: unknown suffix -- ignored
24
bandit12@bandit:/tmp/tmp.7vZuBJsuwi$ ls -al
25
total 764
26
drwx------     2 bandit12 bandit12   4096 Apr 28 03:20 .
27
drwxrwx-wt 13166 root     root     765952 Apr 28 03:21 ..
28
-rw-r-----     1 bandit12 bandit12   2637 Apr 28 03:15 data.txt
29
-rw-rw-r--     1 bandit12 bandit12    609 Apr 28 03:17 file
30
-rw-rw-r--     1 bandit12 bandit12      0 Apr 28 03:20 file1
31
bandit12@bandit:/tmp/tmp.7vZuBJsuwi$ rm file1
32
bandit12@bandit:/tmp/tmp.7vZuBJsuwi$ mv file file.gz
33
bandit12@bandit:/tmp/tmp.7vZuBJsuwi$ gzip -d file.gz
34
bandit12@bandit:/tmp/tmp.7vZuBJsuwi$ ls -al
35
total 764
36
drwx------     2 bandit12 bandit12   4096 Apr 28 03:22 .
37
drwxrwx-wt 13166 root     root     765952 Apr 28 03:22 ..
38
-rw-r-----     1 bandit12 bandit12   2637 Apr 28 03:15 data.txt
39
-rw-rw-r--     1 bandit12 bandit12    576 Apr 28 03:17 file
40
bandit12@bandit:/tmp/tmp.7vZuBJsuwi$ file file
41
file: bzip2 compressed data, block size = 900k
42
bandit12@bandit:/tmp/tmp.7vZuBJsuwi$ mv file file.bz2
43
bandit12@bandit:/tmp/tmp.7vZuBJsuwi$ bzip2 -d file.bz2
44
bandit12@bandit:/tmp/tmp.7vZuBJsuwi$ file file
45
file: gzip compressed data, was "data4.bin", last modified: Fri Apr  3 15:17:36 2026, max compression, from Unix, original size modulo 2^32 20480
46
bandit12@bandit:/tmp/tmp.7vZuBJsuwi$ mv file file.gz
47
bandit12@bandit:/tmp/tmp.7vZuBJsuwi$ gzip -d file.gz
48
bandit12@bandit:/tmp/tmp.7vZuBJsuwi$ fil
49
filan             file              filefrag          filegone-bpfcc    filelife-bpfcc    fileslower-bpfcc  filetop-bpfcc
50
bandit12@bandit:/tmp/tmp.7vZuBJsuwi$ file file
51
file: POSIX tar archive (GNU)
52
bandit12@bandit:/tmp/tmp.7vZuBJsuwi$ cat file
53
data5.bin0000644000000000000000000002400015163755020011244 0ustar  rootrootdata6.bin0000644000000000000000000000033715163755020011254 0ustar  rootrootBZh91AY&SY�$����j@@�}�� [#�t!�$�Phd�4��d4h�dɦ�'X�B�c�@�͟M�u�%l*b"�C���p\��d�E �Q��.n9�����V7<R�U���_T�4�ՙ�I�@b̶б���k�]m     �0
54
��H�B)�+t �p��֮T��ȒT��$|��.�p� 2�Hbandit12@bandit:/tmp/tmp.7vZuBJsuwi$ tar -xf file
55
bandit12@bandit:/tmp/tmp.7vZuBJsuwi$ ls -al
56
total 792
57
drwx------     2 bandit12 bandit12   4096 Apr 28 03:25 .
58
drwxrwx-wt 13166 root     root     765952 Apr 28 03:25 ..
59
-rw-r--r--     1 bandit12 bandit12  10240 Apr  3 15:17 data5.bin
60
-rw-r-----     1 bandit12 bandit12   2637 Apr 28 03:15 data.txt
61
-rw-rw-r--     1 bandit12 bandit12  20480 Apr 28 03:17 file
62
bandit12@bandit:/tmp/tmp.7vZuBJsuwi$ file file
63
file: POSIX tar archive (GNU)
64
bandit12@bandit:/tmp/tmp.7vZuBJsuwi$ file data5.bin
65
data5.bin: POSIX tar archive (GNU)
66
bandit12@bandit:/tmp/tmp.7vZuBJsuwi$ tar -xf data5.bin
67
bandit12@bandit:/tmp/tmp.7vZuBJsuwi$ ls -al
68
total 796
69
drwx------     2 bandit12 bandit12   4096 Apr 28 03:27 .
70
drwxrwx-wt 13167 root     root     765952 Apr 28 03:27 ..
71
-rw-r--r--     1 bandit12 bandit12  10240 Apr  3 15:17 data5.bin
72
-rw-r--r--     1 bandit12 bandit12    223 Apr  3 15:17 data6.bin
73
-rw-r-----     1 bandit12 bandit12   2637 Apr 28 03:15 data.txt
74
-rw-rw-r--     1 bandit12 bandit12  20480 Apr 28 03:17 file
75
bandit12@bandit:/tmp/tmp.7vZuBJsuwi$ file data6.bin
76
data6.bin: bzip2 compressed data, block size = 900k
77
bandit12@bandit:/tmp/tmp.7vZuBJsuwi$ rm file
78
bandit12@bandit:/tmp/tmp.7vZuBJsuwi$ mv data6.bin file.bz2
79
bandit12@bandit:/tmp/tmp.7vZuBJsuwi$ bzip2 -d file.bz2
80
bandit12@bandit:/tmp/tmp.7vZuBJsuwi$ file file
81
file: POSIX tar archive (GNU)
82
bandit12@bandit:/tmp/tmp.7vZuBJsuwi$ tar -xf file
83
bandit12@bandit:/tmp/tmp.7vZuBJsuwi$ ls -al
84
total 788
85
drwx------     2 bandit12 bandit12   4096 Apr 28 03:28 .
86
drwxrwx-wt 13166 root     root     765952 Apr 28 03:28 ..
87
-rw-r--r--     1 bandit12 bandit12  10240 Apr  3 15:17 data5.bin
88
-rw-r--r--     1 bandit12 bandit12     79 Apr  3 15:17 data8.bin
89
-rw-r-----     1 bandit12 bandit12   2637 Apr 28 03:15 data.txt
90
-rw-r--r--     1 bandit12 bandit12  10240 Apr  3 15:17 file
91
bandit12@bandit:/tmp/tmp.7vZuBJsuwi$ file data8.bin
92
data8.bin: gzip compressed data, was "data9.bin", last modified: Fri Apr  3 15:17:36 2026, max compression, from Unix, original size modulo 2^32 49
93
bandit12@bandit:/tmp/tmp.7vZuBJsuwi$ rm file
94
bandit12@bandit:/tmp/tmp.7vZuBJsuwi$ mv data8.bin file.gz
95
bandit12@bandit:/tmp/tmp.7vZuBJsuwi$ gzip -d file.gz
96
bandit12@bandit:/tmp/tmp.7vZuBJsuwi$ file file
97
file: ASCII text
98
bandit12@bandit:/tmp/tmp.7vZuBJsuwi$ cat file
99
The password is <redacted>
100
bandit12@bandit:/tmp/tmp.7vZuBJsuwi$

문제 설명대로 엄청난 압축으로 포장되어있다.

중요한 명령어는 3개였다

gzip -d, bzip2 -d, tar -xf

각각 gzip, bzip2, tar 압축을 푸는 명령어다.

Level 13#

1
axii@fedora:~/bandit$ ssh bandit13@bandit.labs.overthewire.org -p 2220
2

3
bandit13@bandit:~$ ls -al
4
total 28
5
drwxr-xr-x   2 root     root     4096 Apr  3 15:17 .
6
drwxr-xr-x 150 root     root     4096 Apr  3 15:20 ..
7
-rw-r--r--   1 root     root      220 Mar 31  2024 .bash_logout
8
-rw-r--r--   1 root     root     3851 Apr  3 15:10 .bashrc
9
-rw-r-----   1 bandit14 bandit13  467 Apr  3 15:17 HINT
10
-rw-r--r--   1 root     root      807 Mar 31  2024 .profile
11
-rw-r-----   1 bandit14 bandit13 1679 Apr  3 15:17 sshkey.private
12
bandit13@bandit:~$ cat HINT
13
If you have trouble with this level, note the following:
14

15
1) As for all other levels, this level has a website with information:
16
   https://overthewire.org/wargames/bandit/bandit14.html
17
2) No, the level is not broken. To verify, see:
18
   https://status.overthewire.org/
19
3) The current version of OverTheWire prevents logging in from one
20
   level to another via localhost. Log out, and see 1)
21
4) If you get errors, read the error message on your screen.
22
   We mean it!
23
bandit13@bandit:~$

비밀번호 대신 SSH 개인키를 통해서 접속하는것 같다. 예전에 한번 해봤던 기억이 있는데 명령어가 기억이 안나서 서치해봤다.

https://code-boki.tistory.com/142 이 블로그에서 도움을 받았다.

1
axii@fedora:~/bandit$ ssh bandit13@bandit.labs.overthewire.org -p 2220
2

3
bandit13@bandit:~$ ssh -i sshkey.private bandit14@bandit.labs.overthewire.org -p 2220
4
The authenticity of host '[bandit.labs.overthewire.org]:2220 ([127.0.0.1]:2220)' can't be established.
5
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
6
This key is not known by any other names.
7
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
8
Could not create directory '/home/bandit13/.ssh' (Permission denied).
9
Failed to add the host to the list of known hosts (/home/bandit13/.ssh/known_hosts).
10
                         _                     _ _ _
11
                        | |__   __ _ _ __   __| (_) |_
12
                        | '_ \ / _` | '_ \ / _` | | __|
13
                        | |_) | (_| | | | | (_| | | |_
14
                        |_.__/ \__,_|_| |_|\__,_|_|\__|
15

16

17
                      This is an OverTheWire game server.
18
            More information on http://www.overthewire.org/wargames
19

20
!!! You are trying to log into this SSH server with a password on port 2220 from localhost.
21
!!! Connecting from localhost is blocked to conserve resources.
22
!!! Please log out and log in again.
23

24
backend: gibson-0
25
Received disconnect from 127.0.0.1 port 2220:2: no authentication methods enabled
26
Disconnected from 127.0.0.1 port 2220
27
bandit13@bandit:~$

ssh 접속을 하고 그 안에서 14로 바로 ssh 접속을 하려 하니 문제가 생겼다. scp 명령어를 통해 개인키 파일을 다운로드 받고 로컬에서 접속하자.

1
axii@fedora:~/bandit$ scp -P 2220 bandit13@bandit.labs.overthewire.org:sshkey.private .
2
                         _                     _ _ _
3
                        | |__   __ _ _ __   __| (_) |_
4
                        | '_ \ / _` | '_ \ / _` | | __|
5
                        | |_) | (_| | | | | (_| | | |_
6
                        |_.__/ \__,_|_| |_|\__,_|_|\__|
7

8

9
                      This is an OverTheWire game server.
10
            More information on http://www.overthewire.org/wargames
11

12
backend: gibson-0
13
bandit13@bandit.labs.overthewire.org's password:
14
sshkey.private                                                                                                                                     100% 1679     2.1KB/s   00:00
15
axii@fedora:~/bandit$ ls
16
sshkey.private

1
axii@fedora:~/bandit$ ssh -i sshkey.private bandit14@bandit.labs.overthewire.org -p 2220
2
                         _                     _ _ _
3
                        | |__   __ _ _ __   __| (_) |_
4
                        | '_ \ / _` | '_ \ / _` | | __|
5
                        | |_) | (_| | | | | (_| | | |_
6
                        |_.__/ \__,_|_| |_|\__,_|_|\__|
7

8

9
                      This is an OverTheWire game server.
10
            More information on http://www.overthewire.org/wargames
11

12
backend: gibson-0
13
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
14
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
15
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
16
Permissions 0640 for 'sshkey.private' are too open.
17
It is required that your private key files are NOT accessible by others.
18
This private key will be ignored.
19
Load key "sshkey.private": bad permissions
20
bandit14@bandit.labs.overthewire.org's password:

이번엔 개인키 권한이 너무 널널하게 되어있어서 거부당했다.

chmod로 나한테만 rw권한을 주고 재시도하자.

1
axii@fedora:~/bandit$ chmod 600 sshkey.private
2
axii@fedora:~/bandit$ ssh -i sshkey.private bandit14@bandit.labs.overthewire.org -p 2220
3

4
bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
5
<redacted>
6
bandit14@bandit:~$

Level 14#

1
axii@fedora:~/bandit$ ssh bandit14@bandit.labs.overthewire.org -p 2220
2

3
bandit14@bandit:~$ ls -al
4
total 24
5
drwxr-xr-x   3 root root 4096 Apr  3 15:17 .
6
drwxr-xr-x 150 root root 4096 Apr  3 15:20 ..
7
-rw-r--r--   1 root root  220 Mar 31  2024 .bash_logout
8
-rw-r--r--   1 root root 3851 Apr  3 15:10 .bashrc
9
-rw-r--r--   1 root root  807 Mar 31  2024 .profile
10
drwxr-xr-x   2 root root 4096 Apr  3 15:17 .ssh
11
bandit14@bandit:~$ nc localhost 30000
12
<redacted>
13
Correct!
14
<redacted>

설명대로 로컬호스트 30000번 포트에 접속한 후 Level 14 비밀번호를 제출했다.

Level 15#

1
axii@fedora:~/bandit$ ssh bandit15@bandit.labs.overthewire.org -p 2220
2

3
bandit15@bandit:~$ nc localhost 30001
4
<redacted>

이번엔 당연히?도 nc로는 다음 pw를 주지 않는다.

1
bandit15@bandit:~$ openssl s_client -connect localhost : 30001
2
s_client: Use -help for summary.
3
bandit15@bandit:~$ openssl s_client -connect localhost:30001
4
CONNECTED(00000003)
5
Can't use SSL_get_servername
6
depth=0 CN = SnakeOil
7
verify error:num=18:self-signed certificate
8
verify return:1
9
depth=0 CN = SnakeOil
10
verify return:1
11
---
12
Certificate chain
13
 0 s:CN = SnakeOil
14
   i:CN = SnakeOil
15
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
16
   v:NotBefore: Jun 10 03:59:50 2024 GMT; NotAfter: Jun  8 03:59:50 2034 GMT
17
---
18
Server certificate
19
-----BEGIN CERTIFICATE-----
20
MIIFBzCCAu+gAwIBAgIUBLz7DBxA0IfojaL/WaJzE6Sbz7cwDQYJKoZIhvcNAQEL
21
BQAwEzERMA8GA1UEAwwIU25ha2VPaWwwHhcNMjQwNjEwMDM1OTUwWhcNMzQwNjA4
22
MDM1OTUwWjATMREwDwYDVQQDDAhTbmFrZU9pbDCCAiIwDQYJKoZIhvcNAQEBBQAD
23
ggIPADCCAgoCggIBANI+P5QXm9Bj21FIPsQqbqZRb5XmSZZJYaam7EIJ16Fxedf+
24
jXAv4d/FVqiEM4BuSNsNMeBMx2Gq0lAfN33h+RMTjRoMb8yBsZsC063MLfXCk4p+
25
09gtGP7BS6Iy5XdmfY/fPHvA3JDEScdlDDmd6Lsbdwhv93Q8M6POVO9sv4HuS4t/
26
jEjr+NhE+Bjr/wDbyg7GL71BP1WPZpQnRE4OzoSrt5+bZVLvODWUFwinB0fLaGRk
27
GmI0r5EUOUd7HpYyoIQbiNlePGfPpHRKnmdXTTEZEoxeWWAaM1VhPGqfrB/Pnca+
28
vAJX7iBOb3kHinmfVOScsG/YAUR94wSELeY+UlEWJaELVUntrJ5HeRDiTChiVQ++
29
wnnjNbepaW6shopybUF3XXfhIb4NvwLWpvoKFXVtcVjlOujF0snVvpE+MRT0wacy
30
tHtjZs7Ao7GYxDz6H8AdBLKJW67uQon37a4MI260ADFMS+2vEAbNSFP+f6ii5mrB
31
18cY64ZaF6oU8bjGK7BArDx56bRc3WFyuBIGWAFHEuB948BcshXY7baf5jjzPmgz
32
mq1zdRthQB31MOM2ii6vuTkheAvKfFf+llH4M9SnES4NSF2hj9NnHga9V08wfhYc
33
x0W6qu+S8HUdVF+V23yTvUNgz4Q+UoGs4sHSDEsIBFqNvInnpUmtNgcR2L5PAgMB
34
AAGjUzBRMB0GA1UdDgQWBBTPo8kfze4P9EgxNuyk7+xDGFtAYzAfBgNVHSMEGDAW
35
gBTPo8kfze4P9EgxNuyk7+xDGFtAYzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
36
DQEBCwUAA4ICAQAKHomtmcGqyiLnhziLe97Mq2+Sul5QgYVwfx/KYOXxv2T8ZmcR
37
Ae9XFhZT4jsAOUDK1OXx9aZgDGJHJLNEVTe9zWv1ONFfNxEBxQgP7hhmDBWdtj6d
38
taqEW/Jp06X+08BtnYK9NZsvDg2YRcvOHConeMjwvEL7tQK0m+GVyQfLYg6jnrhx
39
egH+abucTKxabFcWSE+Vk0uJYMqcbXvB4WNKz9vj4V5Hn7/DN4xIjFko+nREw6Oa
40
/AUFjNnO/FPjap+d68H1LdzMH3PSs+yjGid+6Zx9FCnt9qZydW13Miqg3nDnODXw
41
+Z682mQFjVlGPCA5ZOQbyMKY4tNazG2n8qy2famQT3+jF8Lb6a4NGbnpeWnLMkIu
42
jWLWIkA9MlbdNXuajiPNVyYIK9gdoBzbfaKwoOfSsLxEqlf8rio1GGcEV5Hlz5S2
43
txwI0xdW9MWeGWoiLbZSbRJH4TIBFFtoBG0LoEJi0C+UPwS8CDngJB4TyrZqEld3
44
rH87W+Et1t/Nepoc/Eoaux9PFp5VPXP+qwQGmhir/hv7OsgBhrkYuhkjxZ8+1uk7
45
tUWC/XM0mpLoxsq6vVl3AJaJe1ivdA9xLytsuG4iv02Juc593HXYR8yOpow0Eq2T
46
U5EyeuFg5RXYwAPi7ykw1PW7zAPL4MlonEVz+QXOSx6eyhimp1VZC11SCg==
47
-----END CERTIFICATE-----
48
subject=CN = SnakeOil
49
issuer=CN = SnakeOil
50
---
51
No client certificate CA names sent
52
Peer signing digest: SHA256
53
Peer signature type: RSA-PSS
54
Server Temp Key: X25519, 253 bits
55
---
56
SSL handshake has read 2103 bytes and written 373 bytes
57
Verification error: self-signed certificate
58
---
59
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
60
Server public key is 4096 bit
61
Secure Renegotiation IS NOT supported
62
Compression: NONE
63
Expansion: NONE
64
No ALPN negotiated
65
Early data was not sent
66
Verify return code: 18 (self-signed certificate)
67
---
68
---
69
Post-Handshake New Session Ticket arrived:
70
SSL-Session:
71
    Protocol  : TLSv1.3
72
    Cipher    : TLS_AES_256_GCM_SHA384
73
    Session-ID: 5B3DBB536B4471FE345190BBB659DA1DE97A04D9F505836DB2827A8DE32EC520
74
    Session-ID-ctx:
75
    Resumption PSK: EEC77BDCEA811CD579FA902DD20A6A01C546D81A1F865EB88980656FFDE8DA285A1CC91ADDC4DE57B5C2A7FDFF16416E
76
    PSK identity: None
77
    PSK identity hint: None
78
    SRP username: None
79
    TLS session ticket lifetime hint: 300 (seconds)
80
    TLS session ticket:
81
    0000 - 56 c8 74 c7 4e 15 76 27-f6 8a 4a d4 f1 9c d6 e1   V.t.N.v'..J.....
82
    0010 - 95 2d bc fc 3a 62 10 ab-60 cd f5 8a 5c 49 f2 d6   .-..:b..`...\I..
83
    0020 - e5 2d 47 83 a3 ab e5 a5-90 7e c3 11 cc 89 84 61   .-G......~.....a
84
    0030 - 54 66 5c e7 97 dd b4 fb-c6 8d 3f 7a f6 3f 56 32   Tf\.......?z.?V2
85
    0040 - 13 32 4c 1d 8d 6f 6c bc-25 d9 c7 35 de 8e f2 c6   .2L..ol.%..5....
86
    0050 - 27 08 74 e1 bd b3 62 54-9f c3 4b 01 3b 00 bd cd   '.t...bT..K.;...
87
    0060 - 68 b1 42 1a 0e 6b 30 50-73 ac 79 cf f6 54 e2 2a   h.B..k0Ps.y..T.*
88
    0070 - 39 df 2a 6a 77 2e cd e2-1d 2b 49 42 65 30 e9 ff   9.*jw....+IBe0..
89
    0080 - d6 12 0e e5 6a 8f bb 3a-d1 ca 2a 77 fe 0c 82 e2   ....j..:..*w....
90
    0090 - 0f f1 a5 9d 30 9e 6d 1f-2c aa 64 49 94 66 ab 60   ....0.m.,.dI.f.`
91
    00a0 - f0 14 c9 cd fb 0b 57 ac-e4 1a 83 9e 92 6f b4 fc   ......W......o..
92
    00b0 - 73 60 a2 0c ca 97 c0 16-f7 81 0b 1b 02 c9 2b 95   s`............+.
93
    00c0 - 5f 64 4d e1 a0 16 ef b9-b7 4b 89 da 0e 79 39 8e   _dM......K...y9.
94
    00d0 - 7a 80 bb 42 41 f5 4a db-4d 9b 85 82 f2 37 e0 3b   z..BA.J.M....7.;
95

96
    Start Time: 1777348754
97
    Timeout   : 7200 (sec)
98
    Verify return code: 18 (self-signed certificate)
99
    Extended master secret: no
100
    Max Early Data: 0
101
---
102
read R BLOCK
103
---
104
Post-Handshake New Session Ticket arrived:
105
SSL-Session:
106
    Protocol  : TLSv1.3
107
    Cipher    : TLS_AES_256_GCM_SHA384
108
    Session-ID: D4EDF7520C5DA257DD3539B73758610BF9148AD01629A95682C36D2ADFCA1EC6
109
    Session-ID-ctx:
110
    Resumption PSK: F49305FFEB7700DB0BCCD38272455008CA08C675A5B27887A42CCD4924B91B5440B6BD1A0BC1AB62C4D1FBAEABDD0320
111
    PSK identity: None
112
    PSK identity hint: None
113
    SRP username: None
114
    TLS session ticket lifetime hint: 300 (seconds)
115
    TLS session ticket:
116
    0000 - 56 c8 74 c7 4e 15 76 27-f6 8a 4a d4 f1 9c d6 e1   V.t.N.v'..J.....
117
    0010 - 9b 6a db a2 ba da 77 db-d8 58 84 41 f7 1a 78 e6   .j....w..X.A..x.
118
    0020 - ed f5 c5 e4 e1 45 f4 c2-0d 5e 28 53 1e 17 3d 10   .....E...^(S..=.
119
    0030 - 32 6c 06 06 13 33 77 b7-2a 52 8d ec 7f 33 5f 7c   2l...3w.*R...3_|
120
    0040 - 52 f7 f4 b4 7a 01 07 93-ea e2 e5 0b bd 58 bc 9f   R...z........X..
121
    0050 - 8d 85 c8 9a 3d 3b 31 ac-59 2c 1d 21 26 b9 98 38   ....=;1.Y,.!&..8
122
    0060 - bf 50 6d 7d 90 ba db 49-87 e5 41 ac 9e 0a d4 36   .Pm}...I..A....6
123
    0070 - 69 16 68 c7 ca 9e 40 88-bb 15 b5 59 b8 65 de 0c   i.h...@....Y.e..
124
    0080 - 6b a1 e0 12 5a 8a 87 42-b9 82 b8 32 3c e5 e1 60   k...Z..B...2<..`
125
    0090 - e3 63 cb 82 ad ba 62 10-5a fa 41 54 f8 67 8a 3c   .c....b.Z.AT.g.<
126
    00a0 - 8f 1c 9e 8c 9b 4a 88 e7-d2 18 15 1a e6 33 84 6e   .....J.......3.n
127
    00b0 - 1c 0b 0a 84 f0 7e 27 4f-59 c7 04 be 24 b4 6c 42   .....~'OY...$.lB
128
    00c0 - 70 3f fa e4 e1 39 52 4b-01 65 9d 53 be b6 a4 2c   p?...9RK.e.S...,
129
    00d0 - 6d 77 78 41 39 70 a2 71-ab d3 cc 6b 84 bf 14 f0   mwxA9p.q...k....
130

131
    Start Time: 1777348754
132
    Timeout   : 7200 (sec)
133
    Verify return code: 18 (self-signed certificate)
134
    Extended master secret: no
135
    Max Early Data: 0
136
---
137
read R BLOCK
138
<redacted>
139
Correct!
140
<redacted>
141

142
closed
143
bandit15@bandit:~$

ssl/tls 암호화가 적혀있고, openssl 명령어가 있길래 https://halinstudy.tistory.com/43 이 블로그 글에서 도움받아서 ssl 연결하여 성공했다.

s_client를 쓰면 ssl/tls 연결을 할수있다.

Level 16#

nmap 명령어를 이용해서 열려있는 포트를 스캔해보자.

1
bandit16@bandit:~$ nmap -p 31000-32000 localhost
2
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-04-28 04:24 UTC
3
Nmap scan report for localhost (127.0.0.1)
4
Host is up (0.00019s latency).
5
Not shown: 996 closed tcp ports (conn-refused)
6
PORT      STATE SERVICE
7
31046/tcp open  unknown
8
31518/tcp open  unknown
9
31691/tcp open  unknown
10
31790/tcp open  unknown
11
31960/tcp open  unknown
12

13
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds

16번 비밀번호가 <redacted>

1
bandit16@bandit:~$ openssl s_client -connect localhost:31046
2
CONNECTED(00000003)
3
4067F0F7FF7F0000:error:0A0000F4:SSL routines:ossl_statem_client_read_transition:unexpected message:../ssl/statem/statem_clnt.c:398:
4
---
5
no peer certificate available
6
---
7
No client certificate CA names sent
8
---
9
SSL handshake has read 293 bytes and written 300 bytes
10
Verification: OK
11
---
12
New, (NONE), Cipher is (NONE)
13
Secure Renegotiation IS NOT supported
14
Compression: NONE
15
Expansion: NONE
16
No ALPN negotiated
17
Early data was not sent
18
Verify return code: 0 (ok)
19
---
20
bandit16@bandit:~$ openssl s_client -connect localhost:31518
21
CONNECTED(00000003)
22
Can't use SSL_get_servername
23
depth=0 CN = SnakeOil
24
verify error:num=18:self-signed certificate
25
verify return:1
26
depth=0 CN = SnakeOil
27
verify return:1
28
---
29
Certificate chain
30
 0 s:CN = SnakeOil
31
   i:CN = SnakeOil
32
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
33
   v:NotBefore: Jun 10 03:59:50 2024 GMT; NotAfter: Jun  8 03:59:50 2034 GMT
34
---
35
Server certificate
36
-----BEGIN CERTIFICATE-----
37
MIIFBzCCAu+gAwIBAgIUBLz7DBxA0IfojaL/WaJzE6Sbz7cwDQYJKoZIhvcNAQEL
38
BQAwEzERMA8GA1UEAwwIU25ha2VPaWwwHhcNMjQwNjEwMDM1OTUwWhcNMzQwNjA4
39
MDM1OTUwWjATMREwDwYDVQQDDAhTbmFrZU9pbDCCAiIwDQYJKoZIhvcNAQEBBQAD
40
ggIPADCCAgoCggIBANI+P5QXm9Bj21FIPsQqbqZRb5XmSZZJYaam7EIJ16Fxedf+
41
jXAv4d/FVqiEM4BuSNsNMeBMx2Gq0lAfN33h+RMTjRoMb8yBsZsC063MLfXCk4p+
42
09gtGP7BS6Iy5XdmfY/fPHvA3JDEScdlDDmd6Lsbdwhv93Q8M6POVO9sv4HuS4t/
43
jEjr+NhE+Bjr/wDbyg7GL71BP1WPZpQnRE4OzoSrt5+bZVLvODWUFwinB0fLaGRk
44
GmI0r5EUOUd7HpYyoIQbiNlePGfPpHRKnmdXTTEZEoxeWWAaM1VhPGqfrB/Pnca+
45
vAJX7iBOb3kHinmfVOScsG/YAUR94wSELeY+UlEWJaELVUntrJ5HeRDiTChiVQ++
46
wnnjNbepaW6shopybUF3XXfhIb4NvwLWpvoKFXVtcVjlOujF0snVvpE+MRT0wacy
47
tHtjZs7Ao7GYxDz6H8AdBLKJW67uQon37a4MI260ADFMS+2vEAbNSFP+f6ii5mrB
48
18cY64ZaF6oU8bjGK7BArDx56bRc3WFyuBIGWAFHEuB948BcshXY7baf5jjzPmgz
49
mq1zdRthQB31MOM2ii6vuTkheAvKfFf+llH4M9SnES4NSF2hj9NnHga9V08wfhYc
50
x0W6qu+S8HUdVF+V23yTvUNgz4Q+UoGs4sHSDEsIBFqNvInnpUmtNgcR2L5PAgMB
51
AAGjUzBRMB0GA1UdDgQWBBTPo8kfze4P9EgxNuyk7+xDGFtAYzAfBgNVHSMEGDAW
52
gBTPo8kfze4P9EgxNuyk7+xDGFtAYzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
53
DQEBCwUAA4ICAQAKHomtmcGqyiLnhziLe97Mq2+Sul5QgYVwfx/KYOXxv2T8ZmcR
54
Ae9XFhZT4jsAOUDK1OXx9aZgDGJHJLNEVTe9zWv1ONFfNxEBxQgP7hhmDBWdtj6d
55
taqEW/Jp06X+08BtnYK9NZsvDg2YRcvOHConeMjwvEL7tQK0m+GVyQfLYg6jnrhx
56
egH+abucTKxabFcWSE+Vk0uJYMqcbXvB4WNKz9vj4V5Hn7/DN4xIjFko+nREw6Oa
57
/AUFjNnO/FPjap+d68H1LdzMH3PSs+yjGid+6Zx9FCnt9qZydW13Miqg3nDnODXw
58
+Z682mQFjVlGPCA5ZOQbyMKY4tNazG2n8qy2famQT3+jF8Lb6a4NGbnpeWnLMkIu
59
jWLWIkA9MlbdNXuajiPNVyYIK9gdoBzbfaKwoOfSsLxEqlf8rio1GGcEV5Hlz5S2
60
txwI0xdW9MWeGWoiLbZSbRJH4TIBFFtoBG0LoEJi0C+UPwS8CDngJB4TyrZqEld3
61
rH87W+Et1t/Nepoc/Eoaux9PFp5VPXP+qwQGmhir/hv7OsgBhrkYuhkjxZ8+1uk7
62
tUWC/XM0mpLoxsq6vVl3AJaJe1ivdA9xLytsuG4iv02Juc593HXYR8yOpow0Eq2T
63
U5EyeuFg5RXYwAPi7ykw1PW7zAPL4MlonEVz+QXOSx6eyhimp1VZC11SCg==
64
-----END CERTIFICATE-----
65
subject=CN = SnakeOil
66
issuer=CN = SnakeOil
67
---
68
No client certificate CA names sent
69
Peer signing digest: SHA256
70
Peer signature type: RSA-PSS
71
Server Temp Key: X25519, 253 bits
72
---
73
SSL handshake has read 2103 bytes and written 373 bytes
74
Verification error: self-signed certificate
75
---
76
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
77
Server public key is 4096 bit
78
Secure Renegotiation IS NOT supported
79
Compression: NONE
80
Expansion: NONE
81
No ALPN negotiated
82
Early data was not sent
83
Verify return code: 18 (self-signed certificate)
84
---
85
---
86
Post-Handshake New Session Ticket arrived:
87
SSL-Session:
88
    Protocol  : TLSv1.3
89
    Cipher    : TLS_AES_256_GCM_SHA384
90
    Session-ID: A10660AFF6046278F4084724F95C62E6B35DDC2CAF7288498E4642C0C2E09FF4
91
    Session-ID-ctx:
92
    Resumption PSK: B32096DE20096F070FE976C4963DD820B6CF8DEC09073123A6AF5E80B8606095577642CED79F7E9EB61EE0D6EC3E1327
93
    PSK identity: None
94
    PSK identity hint: None
95
    SRP username: None
96
    TLS session ticket lifetime hint: 300 (seconds)
97
    TLS session ticket:
98
    0000 - 68 13 9b 72 7d 9a 61 41-77 f8 ea f1 51 42 4f 6f   h..r}.aAw...QBOo
99
    0010 - 87 75 ee 2f 37 10 a4 d2-e3 ad 57 8a e3 1d 40 9a   .u./7.....W...@.
100
    0020 - 76 74 3b 2a 21 c5 75 16-c4 bf 36 bd d8 da 26 ac   vt;*!.u...6...&.
101
    0030 - 99 af 5b 31 00 04 13 3d-90 c5 aa 71 6d c1 88 d5   ..[1...=...qm...
102
    0040 - 9f 7f 12 4b d1 33 9c 96-09 47 cd 6c fe 17 95 9a   ...K.3...G.l....
103
    0050 - f4 62 7b 77 33 4d f4 7d-d3 b8 7b 47 ca ff 6b ed   .b{w3M.}..{G..k.
104
    0060 - 95 db c3 dc c9 d0 14 6c-c0 36 8b 24 81 0f c7 13   .......l.6.$....
105
    0070 - 87 79 ec 62 5a 6a 95 c5-35 4f a7 0b 1d b4 4d f8   .y.bZj..5O....M.
106
    0080 - 4e 07 59 02 b1 ae 85 06-f6 42 c5 69 f9 b7 fe 2b   N.Y......B.i...+
107
    0090 - ac 7e 61 5b 47 47 bf 57-9a 66 6a 85 d0 02 a9 72   .~a[GG.W.fj....r
108
    00a0 - cb c7 d9 26 70 00 37 d0-c1 1b d5 b3 9f ae 5e 49   ...&p.7.......^I
109
    00b0 - 15 5c 6e e3 6d 67 a7 75-bc 17 a5 75 a7 3f fc be   .\n.mg.u...u.?..
110
    00c0 - 20 70 ef a2 b1 e0 9f 38-6b ba 66 59 74 78 7f 02    p.....8k.fYtx..
111
    00d0 - 4d b2 93 31 12 1c ee 14-f0 e5 f2 1a be 53 a3 3f   M..1.........S.?
112

113
    Start Time: 1777350316
114
    Timeout   : 7200 (sec)
115
    Verify return code: 18 (self-signed certificate)
116
    Extended master secret: no
117
    Max Early Data: 0
118
---
119
read R BLOCK
120
---
121
Post-Handshake New Session Ticket arrived:
122
SSL-Session:
123
    Protocol  : TLSv1.3
124
    Cipher    : TLS_AES_256_GCM_SHA384
125
    Session-ID: 4C9F715371AE31DD7EC283EFAB6AC6418CCB104A1C4E1FFFE937FCE7336D1C2D
126
    Session-ID-ctx:
127
    Resumption PSK: 7118ED857750E90297E13A81245C937E2E8E9E646FC1290913D2A46CAAA53E1010C39546DD46BCE545B40099F240CDC8
128
    PSK identity: None
129
    PSK identity hint: None
130
    SRP username: None
131
    TLS session ticket lifetime hint: 300 (seconds)
132
    TLS session ticket:
133
    0000 - 68 13 9b 72 7d 9a 61 41-77 f8 ea f1 51 42 4f 6f   h..r}.aAw...QBOo
134
    0010 - a0 08 aa 06 fc 37 b4 b4-b9 0d a5 62 3d 23 8a 91   .....7.....b=#..
135
    0020 - f6 b3 db 9e df 93 3c 84-0e f7 88 10 75 b5 e2 c4   ......<.....u...
136
    0030 - 18 95 10 cc f0 60 2c ba-90 b0 b6 0b e2 58 00 e7   .....`,......X..
137
    0040 - 02 ee 1e b2 6d 27 2c 17-eb e7 1b 6d cc 56 c4 6a   ....m',....m.V.j
138
    0050 - 6a 19 10 53 84 e3 46 39-58 c8 93 98 b8 b8 e6 63   j..S..F9X......c
139
    0060 - 58 90 bf 0c 2a b1 96 d3-e2 72 bc cb 76 c8 81 8f   X...*....r..v...
140
    0070 - f4 09 94 3d c5 91 dc 6a-48 62 cc 6b a5 92 0e 1e   ...=...jHb.k....
141
    0080 - 73 55 cd c4 76 94 c2 a9-b3 84 d1 c5 96 3f df d0   sU..v........?..
142
    0090 - bf dc 94 99 ec 92 e2 c5-24 4b 3e 9a 23 c1 21 1c   ........$K>.#.!.
143
    00a0 - 60 0c 79 f7 5f 2b 17 6c-24 ef e8 15 c4 7b d7 4d   `.y._+.l$....{.M
144
    00b0 - da ea 91 ea 29 09 95 e7-ca ac 08 5a 65 2d a1 d5   ....)......Ze-..
145
    00c0 - 45 49 f5 ad b6 cd e8 7c-dc 0d 0a 32 f2 78 80 77   EI.....|...2.x.w
146
    00d0 - 89 f2 d1 d0 11 6d d7 65-c9 dc 76 27 d9 31 23 e8   .....m.e..v'.1#.
147

148
    Start Time: 1777350316
149
    Timeout   : 7200 (sec)
150
    Verify return code: 18 (self-signed certificate)
151
    Extended master secret: no
152
    Max Early Data: 0
153
---
154
read R BLOCK
155
<redacted>
156
KEYUPDATE
157
closed
158
bandit16@bandit:~$

31046은 아니고 31518은 뭔가 되긴 했는데 문제 설명에 있던것처럼 keyupdate가 떴다.

찾아보니 openssl s_client를 인터렉티브형으로 사용하면 k가 맨 앞일때 keyupdate라는게 실행되는 것 같다.

따라서 파이프라인으로 안전하게 보내자.

1
bandit16@bandit:~$ cat /etc/bandit_pass/bandit16 | openssl s_client -connect localhost:31790
2
CONNECTED(00000003)
3
Can't use SSL_get_servername
4
depth=0 CN = SnakeOil
5
verify error:num=18:self-signed certificate
6
verify return:1
7
depth=0 CN = SnakeOil
8
verify return:1
9
---
10
Certificate chain
11
 0 s:CN = SnakeOil
12
   i:CN = SnakeOil
13
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
14
   v:NotBefore: Jun 10 03:59:50 2024 GMT; NotAfter: Jun  8 03:59:50 2034 GMT
15
---
16
Server certificate
17
-----BEGIN CERTIFICATE-----
18
MIIFBzCCAu+gAwIBAgIUBLz7DBxA0IfojaL/WaJzE6Sbz7cwDQYJKoZIhvcNAQEL
19
BQAwEzERMA8GA1UEAwwIU25ha2VPaWwwHhcNMjQwNjEwMDM1OTUwWhcNMzQwNjA4
20
MDM1OTUwWjATMREwDwYDVQQDDAhTbmFrZU9pbDCCAiIwDQYJKoZIhvcNAQEBBQAD
21
ggIPADCCAgoCggIBANI+P5QXm9Bj21FIPsQqbqZRb5XmSZZJYaam7EIJ16Fxedf+
22
jXAv4d/FVqiEM4BuSNsNMeBMx2Gq0lAfN33h+RMTjRoMb8yBsZsC063MLfXCk4p+
23
09gtGP7BS6Iy5XdmfY/fPHvA3JDEScdlDDmd6Lsbdwhv93Q8M6POVO9sv4HuS4t/
24
jEjr+NhE+Bjr/wDbyg7GL71BP1WPZpQnRE4OzoSrt5+bZVLvODWUFwinB0fLaGRk
25
GmI0r5EUOUd7HpYyoIQbiNlePGfPpHRKnmdXTTEZEoxeWWAaM1VhPGqfrB/Pnca+
26
vAJX7iBOb3kHinmfVOScsG/YAUR94wSELeY+UlEWJaELVUntrJ5HeRDiTChiVQ++
27
wnnjNbepaW6shopybUF3XXfhIb4NvwLWpvoKFXVtcVjlOujF0snVvpE+MRT0wacy
28
tHtjZs7Ao7GYxDz6H8AdBLKJW67uQon37a4MI260ADFMS+2vEAbNSFP+f6ii5mrB
29
18cY64ZaF6oU8bjGK7BArDx56bRc3WFyuBIGWAFHEuB948BcshXY7baf5jjzPmgz
30
mq1zdRthQB31MOM2ii6vuTkheAvKfFf+llH4M9SnES4NSF2hj9NnHga9V08wfhYc
31
x0W6qu+S8HUdVF+V23yTvUNgz4Q+UoGs4sHSDEsIBFqNvInnpUmtNgcR2L5PAgMB
32
AAGjUzBRMB0GA1UdDgQWBBTPo8kfze4P9EgxNuyk7+xDGFtAYzAfBgNVHSMEGDAW
33
gBTPo8kfze4P9EgxNuyk7+xDGFtAYzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
34
DQEBCwUAA4ICAQAKHomtmcGqyiLnhziLe97Mq2+Sul5QgYVwfx/KYOXxv2T8ZmcR
35
Ae9XFhZT4jsAOUDK1OXx9aZgDGJHJLNEVTe9zWv1ONFfNxEBxQgP7hhmDBWdtj6d
36
taqEW/Jp06X+08BtnYK9NZsvDg2YRcvOHConeMjwvEL7tQK0m+GVyQfLYg6jnrhx
37
egH+abucTKxabFcWSE+Vk0uJYMqcbXvB4WNKz9vj4V5Hn7/DN4xIjFko+nREw6Oa
38
/AUFjNnO/FPjap+d68H1LdzMH3PSs+yjGid+6Zx9FCnt9qZydW13Miqg3nDnODXw
39
+Z682mQFjVlGPCA5ZOQbyMKY4tNazG2n8qy2famQT3+jF8Lb6a4NGbnpeWnLMkIu
40
jWLWIkA9MlbdNXuajiPNVyYIK9gdoBzbfaKwoOfSsLxEqlf8rio1GGcEV5Hlz5S2
41
txwI0xdW9MWeGWoiLbZSbRJH4TIBFFtoBG0LoEJi0C+UPwS8CDngJB4TyrZqEld3
42
rH87W+Et1t/Nepoc/Eoaux9PFp5VPXP+qwQGmhir/hv7OsgBhrkYuhkjxZ8+1uk7
43
tUWC/XM0mpLoxsq6vVl3AJaJe1ivdA9xLytsuG4iv02Juc593HXYR8yOpow0Eq2T
44
U5EyeuFg5RXYwAPi7ykw1PW7zAPL4MlonEVz+QXOSx6eyhimp1VZC11SCg==
45
-----END CERTIFICATE-----
46
subject=CN = SnakeOil
47
issuer=CN = SnakeOil
48
---
49
No client certificate CA names sent
50
Peer signing digest: SHA256
51
Peer signature type: RSA-PSS
52
Server Temp Key: X25519, 253 bits
53
---
54
SSL handshake has read 2103 bytes and written 373 bytes
55
Verification error: self-signed certificate
56
---
57
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
58
Server public key is 4096 bit
59
Secure Renegotiation IS NOT supported
60
Compression: NONE
61
Expansion: NONE
62
No ALPN negotiated
63
Early data was not sent
64
Verify return code: 18 (self-signed certificate)
65
---
66
KEYUPDATE
67
---
68
Post-Handshake New Session Ticket arrived:
69
SSL-Session:
70
    Protocol  : TLSv1.3
71
    Cipher    : TLS_AES_256_GCM_SHA384
72
    Session-ID: A02BEB9374E8D0755B834B52E0D184D8F8F62D1ADA7DE95836EC3886B3CF8D36
73
    Session-ID-ctx:
74
    Resumption PSK: 4A25D9FEBA6E217066D5748A2C3BD06142A284F3142582DA92CC60BC876EB601945A3562A9BB1DB88988F08FFDF6E1E8
75
    PSK identity: None
76
    PSK identity hint: None
77
    SRP username: None
78
    TLS session ticket lifetime hint: 300 (seconds)
79
    TLS session ticket:
80
    0000 - 5f 48 6b 1e f4 2f 61 c2-f7 de 09 f9 4c 8c 21 01   _Hk../a.....L.!.
81
    0010 - 26 7d f9 78 58 08 ad e1-08 a6 c8 21 6d 62 08 cf   &}.xX......!mb..
82
    0020 - 7a 83 15 2a 80 70 03 28-b9 b6 d1 c6 bc aa c5 4d   z..*.p.(.......M
83
    0030 - 7b 79 4c 9c 9c 27 72 f2-bb b3 64 44 20 85 1f 54   {yL..'r...dD ..T
84
    0040 - 6d 75 3b e9 22 5b 65 5e-f7 04 3e 14 25 fc cf 32   mu;."[e^..>.%..2
85
    0050 - 8f 3a 1c 7d 8b 23 cd 90-ff 2a ce 74 8d a9 71 45   .:.}.#...*.t..qE
86
    0060 - de 8c 54 0d 08 bb ee 3a-ca d5 00 5b a9 bd 7b 2a   ..T....:...[..{*
87
    0070 - a7 69 f9 fd 60 da af d4-58 c3 5e aa 1c b8 2d e7   .i..`...X.^...-.
88
    0080 - 43 27 16 35 e0 bc 4b 2b-d6 1a db ac e0 36 db b7   C'.5..K+.....6..
89
    0090 - de 3b 4c c5 b5 36 bc 28-7c 57 85 a8 99 0f a5 03   .;L..6.(|W......
90
    00a0 - 99 67 27 31 8e 91 e8 d9-34 88 d5 ba 6c ed b3 7c   .g'1....4...l..|
91
    00b0 - c4 3d 92 fc 18 08 d3 10-61 cc d9 1b 52 d0 ee a9   .=......a...R...
92
    00c0 - 56 6e 26 a6 e5 e1 5b 1f-8b 84 08 c9 c6 46 be 76   Vn&...[......F.v
93
    00d0 - f6 0a 21 2d e9 d9 60 4f-39 81 87 b4 47 44 8d bf   ..!-..`O9...GD..
94

95
    Start Time: 1777350766
96
    Timeout   : 7200 (sec)
97
    Verify return code: 18 (self-signed certificate)
98
    Extended master secret: no
99
    Max Early Data: 0
100
---
101
read R BLOCK
102
---
103
Post-Handshake New Session Ticket arrived:
104
SSL-Session:
105
    Protocol  : TLSv1.3
106
    Cipher    : TLS_AES_256_GCM_SHA384
107
    Session-ID: C254A41D8F16E0F7C5DB2C0FB855348FF23571482EED8D175A227703FBF0C4A4
108
    Session-ID-ctx:
109
    Resumption PSK: 4950D2CF4B753BCDF29961448FF6908D1C476C70D6A8B7BD3158C6DB402E7E3CA6B33F1041F86330A87E4BCF5C2BDF55
110
    PSK identity: None
111
    PSK identity hint: None
112
    SRP username: None
113
    TLS session ticket lifetime hint: 300 (seconds)
114
    TLS session ticket:
115
    0000 - 5f 48 6b 1e f4 2f 61 c2-f7 de 09 f9 4c 8c 21 01   _Hk../a.....L.!.
116
    0010 - 2d 71 b2 4f ad a5 01 c7-2b 83 96 4d ce 06 3d f3   -q.O....+..M..=.
117
    0020 - 65 11 e6 7c 00 23 55 12-d1 90 6d 5c ad 0f fb c5   e..|.#U...m\....
118
    0030 - 76 77 c1 57 b5 c9 64 87-9a fb f1 e2 3d 8a a2 91   vw.W..d.....=...
119
    0040 - 7c 37 4b 67 8a 46 cd 9b-80 0c 56 67 03 17 a2 ad   |7Kg.F....Vg....
120
    0050 - 43 d9 c5 8e 6e 9e 7b ba-97 3b a8 3c 23 cf cc f0   C...n.{..;.<#...
121
    0060 - 8c db db 88 35 3d 63 a2-92 3c 19 93 23 a5 0b 46   ....5=c..<..#..F
122
    0070 - e3 06 0d ec 52 63 e2 6e-06 3b 3b c7 e3 8a 8b 4c   ....Rc.n.;;....L
123
    0080 - 08 b8 39 97 d5 6a 59 ff-87 d3 c6 09 fa 29 3d 2b   ..9..jY......)=+
124
    0090 - 6f 19 73 d8 c4 4f 6f b2-a2 c4 cf dd 58 6d 28 cf   o.s..Oo.....Xm(.
125
    00a0 - 42 aa 48 c1 88 f2 3a 4a-64 55 62 e6 4e c7 31 6a   B.H...:JdUb.N.1j
126
    00b0 - 13 8f 53 01 03 fb 98 b6-8d 03 27 6a c0 c0 c2 2a   ..S.......'j...*
127
    00c0 - e9 56 95 3b a9 2b a5 08-73 9c c8 fa 02 03 9c ac   .V.;.+..s.......
128
    00d0 - 3d 57 8a ca c7 b1 ae a5-33 f8 4b 11 36 3c 95 ca   =W......3.K.6<..
129

130
    Start Time: 1777350766
131
    Timeout   : 7200 (sec)
132
    Verify return code: 18 (self-signed certificate)
133
    Extended master secret: no
134
    Max Early Data: 0
135
---
136
read R BLOCK
137
DONE

파이프라인으로 보내도 똑같은거 같다. keyupdate 기능을 아예 끄는게 좋아보여서 찾아보니 -quiet로 끌 수 있다.

1
bandit16@bandit:~$ cat /etc/bandit_pass/bandit16 | openssl s_client -connect localhost:31790 -quiet
2
Can't use SSL_get_servername
3
depth=0 CN = SnakeOil
4
verify error:num=18:self-signed certificate
5
verify return:1
6
depth=0 CN = SnakeOil
7
verify return:1
8
Correct!
9
-----BEGIN RSA PRIVATE KEY-----
10
<redacted private key>
11
-----END RSA PRIVATE KEY-----

Level 17#

rsa 암호를 저장해두고 아까처럼 600으로 권한 설정후 접속해주자.

1
axii@fedora:~/bandit$ vi key17
2
axii@fedora:~/bandit$ chmod 600 key17
3
axii@fedora:~/bandit$ ssh -i key17 bandit17@bandit.labs.overthewire.org -p 2220
4

5
bandit17@bandit:~$

1
bandit17@bandit:~$ ls -al
2
total 36
3
drwxr-xr-x   3 root     root     4096 Apr  3 15:17 .
4
drwxr-xr-x 150 root     root     4096 Apr  3 15:20 ..
5
-rw-r-----   1 bandit17 bandit17   33 Apr  3 15:17 .bandit16.password
6
-rw-r--r--   1 root     root      220 Mar 31  2024 .bash_logout
7
-rw-r--r--   1 root     root     3851 Apr  3 15:10 .bashrc
8
-rw-r-----   1 bandit18 bandit17 3300 Apr  3 15:17 passwords.new
9
-rw-r-----   1 bandit18 bandit17 3300 Apr  3 15:17 passwords.old
10
-rw-r--r--   1 root     root      807 Mar 31  2024 .profile
11
drwxr-xr-x   2 root     root     4096 Apr  3 15:17 .ssh
12
bandit17@bandit:~$ diff passwords.new passwords.old
13
42c42
14
< <redacted>
15
---
16
> <redacted>

diff 명령어로 변경된 부분을 확인해보자.

따라서 비밀번호는 <redacted> 이다.

Level 18#

1
axii@fedora:~/bandit$ ssh bandit18@bandit.labs.overthewire.org -p 2220
2

3
Byebye !
4
Connection to bandit.labs.overthewire.org closed.

문제 설명대로 .bashrc 파일이 수정되어서 바로 튕긴다.

1
axii@fedora:~/bandit$ scp -P 2220 bandit18@bandit.labs.overthewire.org:readme .
2
                         _                     _ _ _
3
                        | |__   __ _ _ __   __| (_) |_
4
                        | '_ \ / _` | '_ \ / _` | | __|
5
                        | |_) | (_| | | | | (_| | | |_
6
                        |_.__/ \__,_|_| |_|\__,_|_|\__|
7

8

9
                      This is an OverTheWire game server.
10
            More information on http://www.overthewire.org/wargames
11

12
backend: gibson-0
13
bandit18@bandit.labs.overthewire.org's password:
14
readme                                                                                                                                             100%   33     0.0KB/s   00:01
15
axii@fedora:~/bandit$ cat readme
16
<redacted>

scp로 다운로드해왔다.

Level 19#

1
axii@fedora:~/bandit$ ssh bandit19@bandit.labs.overthewire.org -p 2220
2

3
bandit19@bandit:~$ ls -al
4
total 36
5
drwxr-xr-x   2 root     root      4096 Apr  3 15:17 .
6
drwxr-xr-x 150 root     root      4096 Apr  3 15:20 ..
7
-rwsr-x---   1 bandit20 bandit19 14888 Apr  3 15:17 bandit20-do
8
-rw-r--r--   1 root     root       220 Mar 31  2024 .bash_logout
9
-rw-r--r--   1 root     root      3851 Apr  3 15:10 .bashrc
10
-rw-r--r--   1 root     root       807 Mar 31  2024 .profile
11
bandit19@bandit:~$ file bandit20-do
12
bandit20-do: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=d9b51170e04af1b03902f80228afa7a973330f86, for GNU/Linux 3.2.0, not stripped
13
bandit19@bandit:~$ ./bandit20-do
14
Run a command as another user.
15
  Example: ./bandit20-do whoami
16
bandit19@bandit:~$ ./bandit20-do whoami
17
bandit20
18
bandit19@bandit:~$ cat /etc/bandit_pass/bandit20
19
cat: /etc/bandit_pass/bandit20: Permission denied
20
bandit19@bandit:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
21
<redacted>

./bandit20-do [명령어]를 하면 bandit20 권한으로 명령어를 실행해주는 파일같다.

Level 20#

1
axii@fedora:~/bandit$ ssh bandit20@bandit.labs.overthewire.org -p 2220
2

3
bandit20@bandit:~$ ls -al
4
total 36
5
drwxr-xr-x   2 root     root      4096 Apr  3 15:17 .
6
drwxr-xr-x 150 root     root      4096 Apr  3 15:20 ..
7
-rw-r--r--   1 root     root       220 Mar 31  2024 .bash_logout
8
-rw-r--r--   1 root     root      3851 Apr  3 15:10 .bashrc
9
-rw-r--r--   1 root     root       807 Mar 31  2024 .profile
10
-rwsr-x---   1 bandit21 bandit20 15612 Apr  3 15:17 suconnect
11
bandit20@bandit:~$ file suconnect
12
suconnect: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=5ebb1e531d5117dae7d435f244411b35d765672f, for GNU/Linux 3.2.0, not stripped
13
bandit20@bandit:~$ ./suconnect <redacted>
14
getaddrinfo: Servname not supported for ai_socktype
15
bandit20@bandit:~$ echo '<redacted>' | nc -l -p 11111
16
^Z
17
[1]+  Stopped                 echo '<redacted>' | nc -l -p 11111
18
bandit20@bandit:~$ ./suconnect 11111
19
^C
20
bandit20@bandit:~$ bg
21
[1]+ echo '<redacted>' | nc -l -p 11111 &
22
bandit20@bandit:~$ ./suconnect 11111
23
Could not connect
24
[1]+  Done                    echo '<redacted>' | nc -l -p 11111
25
bandit20@bandit:~$ echo '<redacted>' | nc -l -p 22222 &
26
[1] 27
27
bandit20@bandit:~$ ./suconnect 22222
28
Read: <redacted>
29
Password matches, sending next password
30
<redacted>
31
[1]+  Done                    echo '<redacted>' | nc -l -p 22222
32
bandit20@bandit:~$

nc로 포트를 열고 20번 비밀번호를 그 포트에 보낸다음에 suconnect를 그 포트로 열어야 하는것같다.

처음에 포트 열었다가 백그라운드로 돌리려했는데 순서가 꼬여서 실패하고 다시열었다

명령어 끝에 &를 붙이면 백그라운드로 실행되므로 nc로 포트를 백그라운드로 열고 그 포트로 suconnect를 실행했다.

Level 21#

1
axii@fedora:~/bandit$ ssh bandit21@bandit.labs.overthewire.org -p 2220
2

3
bandit21@bandit:~$ ls -al
4
total 24
5
drwxr-xr-x   2 root     root     4096 Apr  3 15:17 .
6
drwxr-xr-x 150 root     root     4096 Apr  3 15:20 ..
7
-rw-r--r--   1 root     root      220 Mar 31  2024 .bash_logout
8
-rw-r--r--   1 root     root     3851 Apr  3 15:10 .bashrc
9
-r--------   1 bandit21 bandit21   33 Apr  3 15:17 .prevpass
10
-rw-r--r--   1 root     root      807 Mar 31  2024 .profile
11
bandit21@bandit:~$ cd /etc/cron.d
12
bandit21@bandit:/etc/cron.d$ ls
13
behemoth4_cleanup  clean_tmp  cronjob_bandit22  cronjob_bandit23  cronjob_bandit24  e2scrub_all  leviathan5_cleanup  manpage3_resetpw_job  otw-tmp-dir  sysstat
14
bandit21@bandit:/etc/cron.d$ cat cronjob_bandit22
15
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
16
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
17
bandit21@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit22.sh
18
#!/bin/bash
19
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
20
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
21
bandit21@bandit:/etc/cron.d$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
22
<redacted>
23
bandit21@bandit:/etc/cron.d$

문제가 알려준대로 /etc/cron.d로 이동했다.

cronjob_bandit22가 있길래 읽어봤다.

매 분마다 bandit22 권한으로 /usr/bin/cronjob_bandit22.sh를 실행한다는 스크립트다.

이번엔 /usr/bin/cronjob_bandit22.sh을 읽어보자.

22번 pw를 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv에 복사해두는 스크립트다.

tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv를 읽어보면 22번 pw가 나온다.

Level 22#

1
axii@fedora:~/bandit$ ssh bandit22@bandit.labs.overthewire.org -p 2220
2

3
bandit22@bandit:~$ cd /etc/cron.d
4
bandit22@bandit:/etc/cron.d$ ls
5
behemoth4_cleanup  clean_tmp  cronjob_bandit22  cronjob_bandit23  cronjob_bandit24  e2scrub_all  leviathan5_cleanup  manpage3_resetpw_job  otw-tmp-dir  sysstat
6
bandit22@bandit:/etc/cron.d$ cat cronjob_bandit23
7
@reboot bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
8
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
9
bandit22@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit23.sh
10
#!/bin/bash
11

12
myname=$(whoami)
13
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
14

15
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
16

17
cat /etc/bandit_pass/$myname > /tmp/$mytarget

21번과 도입부는 비슷해서 진행했다.

매 분마다 bandit23 권한으로 /usr/bin/cronjob_bandit23.sh를 실행한다. myname은 bandit23의 whoami 권한일것이므로 myname=bandit23 일 것이고, 따라서 mytarget문자열을 구해보자.

“I am user bandit23”이라는 문자열을 md5sum으로 해시해서 공백이전 첫번째만 가져온다.

그게 mytarget이고, /tmp/mytarget에 23번 pw를 복사한다.

1
bandit22@bandit:/etc/cron.d$ echo "I am user bandit23" | md5sum | cut -d ' ' -f 1
2
8ca319486bfbbc3663ea0fbe81326349
3
bandit22@bandit:/etc/cron.d$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
4
<redacted>

해당 파일을 찾아서 읽는다.

Level 23#

1
axii@fedora:~/bandit$ ssh bandit23@bandit.labs.overthewire.org -p 2220
2

3
bandit23@bandit:~$ cd /etc/cron.d
4
bandit23@bandit:/etc/cron.d$ ls
5
behemoth4_cleanup  clean_tmp  cronjob_bandit22  cronjob_bandit23  cronjob_bandit24  e2scrub_all  leviathan5_cleanup  manpage3_resetpw_job  otw-tmp-dir  sysstat
6
bandit23@bandit:/etc/cron.d$ cat cronjob_bandit24
7
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
8
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
9
bandit23@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit24.sh
10
#!/bin/bash
11

12
shopt -s nullglob
13

14
myname=$(whoami)
15

16
cd /var/spool/"$myname"/foo || exit
17
echo "Executing and deleting all scripts in /var/spool/$myname/foo:"
18
for i in * .*;
19
do
20
    if [ "$i" != "." ] && [ "$i" != ".." ];
21
    then
22
        echo "Handling $i"
23
        owner="$(stat --format "%U" "./$i")"
24
        if [ "${owner}" = "bandit23" ] && [ -f "$i" ]; then
25
            timeout -s 9 60 "./$i"
26
        fi
27
        rm -rf "./$i"
28
    fi
29
donebandit23@bandit:/etc/cron.d$

분당 한번 bandit24의 권한으로 /usr/bin/cronjob_bandit24.sh 스크립트를 실행한다.

/usr/bin/cronjob_bandit24.sh를 해석해보면 다음과 같다.

shopt는 shell 옵션을 끄고 켤 수 있는 명령어다.

shopt -s [옵션명]으로 키고 shopt -u [옵션명]으로 끌 수 있다.

nullglob 옵션은 *같은 glob 패턴이 매칭되지 않았을때 null로 남겨두는 옵션이다.

예시

1
shopt -u nullglob
2
echo *.txt
3
*.txt
4

5
shopt -s nullglob
6
echo *.txt

myname은 bandit24다.

이후 /var/spool/bandit24/foo로 디렉토리 이동

.*로 일반파일과 숨김파일을 전부 i에 넣고, .(현재 디렉토리)와 ..(상위 디렉토리)는 제외한다.

이후 파일별 소유자명을 owner변수에 저장하고 해당 소유자(owner)가 bandit23인 일반파일이면 실행한다.

timout은 60초

이후 파일을 삭제한다.

정리하자면 현재 디렉토리의 파일중에서 소유자가 bandit23인 일반파일만 bandit 24권한으로 실행하고 전체삭제한다는 뜻이다.

그럼 문제 설명에서 나와있다시피 제작해야할 스크립트는 /var/spool/bandit24/foo에 bandit23을 소유자로 하는 일반파일로 만들어야한다. 그 내용은 /etc/bandit_pass/bandit24의 내용을 읽어서 tmp에 넣어야한다.

풀이 스크립트는 mktemp -d를 통해 만든 tmp 디렉토리 안에다가 만들었다.

명령어 기록이 vi 쓰느라 날라가서 history로 쳤던 명령어만 첨부하겠다.

1
mktemp -d
2
ls -ld /tmp/tmp.JtGkrKrMZL
3
chmod 777 /tmp/tmp.JtGkrKrMZL
4
ls -ld /tmp/tmp.JtGkrKrMZL
5
vi /tmp/tmp.JtGkrKrMZL/sol24.sh

1
#!/bin/bash
2
cat /etc/bandit_pass/bandit24 > "$tmpdir/pass24"
3
#!/bin/bash
4
cat /etc/bandit_pass/bandit24 > /tmp/tmp.JtGkrKrMZL/pw24
5
chmod 777 /tmp/tmp.JtGkrKrMZL/pw24

1
bandit23@bandit:/etc/cron.d$ chmod 777 /tmp/tmp.JtGkrKrMZL/sol24.sh
2
bandit23@bandit:/etc/cron.d$ cp /tmp/tmp.JtGkrKrMZL/sol24.sh /etc/bandit_pass/bandit24
3
cp: cannot create regular file '/etc/bandit_pass/bandit24': Operation not permitted
4
bandit23@bandit:/etc/cron.d$ cp /tmp/tmp.JtGkrKrMZL/sol24.sh /var/spool/bandit24/foo
5
bandit23@bandit:/etc/cron.d$ cat /tmp/tmp.JtGkrKrMZL/pw24
6
<redacted>

Level 24#

1
axii@fedora:~/bandit$ ssh bandit24@bandit.labs.overthewire.org -p 2220
2

3
bandit24@bandit:~$ nc localhost 30002
4
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
5
<redacted> 0001
6
Wrong! Please enter the correct current password and pincode. Try again.
7
<redacted> 0002
8
Wrong! Please enter the correct current password and pincode. Try again.

주어진대로 한번 연결 후 여러번 입력해도 괜찮다.

1
from pwn import *
2
p=remote("localhost", 30002)
3

4
for i in range(10000):
5
    p.sendline(f"<redacted> {i:04d}".encode())
6

7
for l in p.recvall().decode().splitlines():
8
    if "Wrong" not in l:
9
        print(l)

굳이 스크립트가 아니라 pwntools 쓰는게 더 간단해 보였다.

따라서 다음과 같이 보내자.

1
bandit24@bandit:/tmp/tmp.zyqWWpDiAK$ python3 sol.py
2
Warning: _curses.error: setupterm: could not find terminal
3

4
Terminal features will not be available.  Consider setting TERM variable to your current terminal name (or xterm).
5
[x] Opening connection to localhost on port 30002
6
[x] Opening connection to localhost on port 30002: Trying 127.0.0.1
7
[+] Opening connection to localhost on port 30002: Done
8
[x] Receiving all data
9
[x] Receiving all data: 0B
10
[x] Receiving all data: 4.00KB
11
[x] Receiving all data: 8.00KB
12
[x] Receiving all data: 12.00KB
13
[x] Receiving all data: 16.00KB
14
[x] Receiving all data: 20.00KB
15
[x] Receiving all data: 24.00KB
16
[x] Receiving all data: 28.00KB
17
[x] Receiving all data: 32.00KB
18
[x] Receiving all data: 36.00KB
19
[x] Receiving all data: 40.00KB
20
[x] Receiving all data: 44.00KB
21
[x] Receiving all data: 48.00KB
22
[x] Receiving all data: 52.00KB
23
[x] Receiving all data: 56.00KB
24
[x] Receiving all data: 60.00KB
25
[x] Receiving all data: 64.00KB
26
[x] Receiving all data: 68.00KB
27
[x] Receiving all data: 72.00KB
28
[x] Receiving all data: 76.00KB
29
[x] Receiving all data: 80.00KB
30
[x] Receiving all data: 84.00KB
31
[x] Receiving all data: 88.00KB
32
[x] Receiving all data: 92.00KB
33
[x] Receiving all data: 96.00KB
34
[x] Receiving all data: 100.00KB
35
[x] Receiving all data: 104.00KB
36
[x] Receiving all data: 108.00KB
37
[x] Receiving all data: 112.00KB
38
[x] Receiving all data: 116.00KB
39
[x] Receiving all data: 120.00KB
40
[x] Receiving all data: 124.00KB
41
[x] Receiving all data: 128.00KB
42
[x] Receiving all data: 132.00KB
43
[x] Receiving all data: 136.00KB
44
[x] Receiving all data: 140.00KB
45
[x] Receiving all data: 144.00KB
46
[x] Receiving all data: 148.00KB
47
[x] Receiving all data: 152.00KB
48
[x] Receiving all data: 156.00KB
49
[x] Receiving all data: 160.00KB
50
[x] Receiving all data: 164.00KB
51
[x] Receiving all data: 168.00KB
52
[x] Receiving all data: 172.00KB
53
[x] Receiving all data: 176.00KB
54
[x] Receiving all data: 180.00KB
55
[x] Receiving all data: 184.00KB
56
[x] Receiving all data: 188.00KB
57
[x] Receiving all data: 192.00KB
58
[x] Receiving all data: 196.00KB
59
[x] Receiving all data: 200.00KB
60
[x] Receiving all data: 204.00KB
61
[x] Receiving all data: 208.00KB
62
[x] Receiving all data: 212.00KB
63
[x] Receiving all data: 216.00KB
64
[x] Receiving all data: 220.00KB
65
[x] Receiving all data: 224.00KB
66
[x] Receiving all data: 228.00KB
67
[x] Receiving all data: 232.00KB
68
[x] Receiving all data: 236.00KB
69
[x] Receiving all data: 240.00KB
70
[x] Receiving all data: 244.00KB
71
[x] Receiving all data: 248.00KB
72
[x] Receiving all data: 252.00KB
73
[x] Receiving all data: 256.00KB
74
[x] Receiving all data: 260.00KB
75
[x] Receiving all data: 264.00KB
76
[x] Receiving all data: 268.00KB
77
[x] Receiving all data: 272.00KB
78
[x] Receiving all data: 276.00KB
79
[x] Receiving all data: 280.00KB
80
[x] Receiving all data: 284.00KB
81
[x] Receiving all data: 288.00KB
82
[x] Receiving all data: 292.00KB
83
[x] Receiving all data: 296.00KB
84
[x] Receiving all data: 300.00KB
85
[x] Receiving all data: 304.00KB
86
[x] Receiving all data: 308.00KB
87
[x] Receiving all data: 312.00KB
88
[x] Receiving all data: 316.00KB
89
[x] Receiving all data: 320.00KB
90
[x] Receiving all data: 324.00KB
91
[x] Receiving all data: 328.00KB
92
[x] Receiving all data: 332.00KB
93
[x] Receiving all data: 336.00KB
94
[x] Receiving all data: 340.00KB
95
[x] Receiving all data: 344.00KB
96
[x] Receiving all data: 348.00KB
97
[x] Receiving all data: 352.00KB
98
[x] Receiving all data: 356.00KB
99
[x] Receiving all data: 360.00KB
100
[x] Receiving all data: 364.00KB
101
[x] Receiving all data: 368.00KB
102
[x] Receiving all data: 372.00KB
103
[x] Receiving all data: 376.00KB
104
[x] Receiving all data: 380.00KB
105
[x] Receiving all data: 384.00KB
106
[x] Receiving all data: 388.00KB
107
[x] Receiving all data: 392.00KB
108
[x] Receiving all data: 396.00KB
109
[x] Receiving all data: 400.00KB
110
[x] Receiving all data: 404.00KB
111
[x] Receiving all data: 408.00KB
112
[x] Receiving all data: 409.50KB
113
[x] Receiving all data: 413.50KB
114
[x] Receiving all data: 417.50KB
115
[x] Receiving all data: 421.50KB
116
[x] Receiving all data: 425.50KB
117
[x] Receiving all data: 429.50KB
118
[x] Receiving all data: 433.50KB
119
[x] Receiving all data: 437.50KB
120
[x] Receiving all data: 441.50KB
121
[x] Receiving all data: 445.50KB
122
[x] Receiving all data: 449.50KB
123
[x] Receiving all data: 453.50KB
124
[x] Receiving all data: 457.50KB
125
[x] Receiving all data: 461.50KB
126
[x] Receiving all data: 465.50KB
127
[x] Receiving all data: 469.50KB
128
[x] Receiving all data: 473.50KB
129
[x] Receiving all data: 477.50KB
130
[x] Receiving all data: 481.50KB
131
[x] Receiving all data: 485.50KB
132
[x] Receiving all data: 489.50KB
133
[x] Receiving all data: 493.50KB
134
[x] Receiving all data: 497.50KB
135
[x] Receiving all data: 501.50KB
136
[x] Receiving all data: 505.50KB
137
[x] Receiving all data: 509.50KB
138
[x] Receiving all data: 513.50KB
139
[x] Receiving all data: 517.50KB
140
[x] Receiving all data: 521.50KB
141
[x] Receiving all data: 525.50KB
142
[x] Receiving all data: 529.50KB
143
[x] Receiving all data: 533.50KB
144
[x] Receiving all data: 537.00KB
145
[x] Receiving all data: 541.00KB
146
[x] Receiving all data: 545.00KB
147
[x] Receiving all data: 549.00KB
148
[x] Receiving all data: 553.00KB
149
[x] Receiving all data: 557.00KB
150
[x] Receiving all data: 561.00KB
151
[x] Receiving all data: 565.00KB
152
[x] Receiving all data: 569.00KB
153
[x] Receiving all data: 573.00KB
154
[x] Receiving all data: 577.00KB
155
[x] Receiving all data: 581.00KB
156
[x] Receiving all data: 585.00KB
157
[x] Receiving all data: 585.36KB
158
[+] Receiving all data: Done (585.36KB)
159
[*] Closed connection to localhost port 30002
160
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
161
Correct!
162
The password of user bandit25 is <redacted>
163

164
bandit24@bandit:/tmp/tmp.zyqWWpDiAK$