Write-up

[bandit] bandit0 ~ bandit13

ch4rli3kop 2019. 2. 27. 10:08

bandit

For one reason or another I decided to go through these again. Compared with back when I knew nothing at all, the things I notice while solving them are different, and I'm even learning new things..!


bandit0 -> bandit1

> cat readme
boJ9jbbUNNfktd78OOpsqOltutMc3MY1

Just reading a file.


bandit1 -> bandit2

> cat ./-
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

Again just reading a file, but because - can also stand for /dev/stdin, /dev/stdout or /dev/stderr, prefix it with the relative path ./ so that it is read as a plain file name instead of being confused with those.


bandit2 -> bandit3

> cat spaces\ in\ this\ filename
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

Reading a file whose name contains special characters such as spaces. It can be handled either by escaping with \ or by quoting with "".


bandit3 -> bandit4

bandit3@bandit:~$ cd inhere/
bandit3@bandit:~/inhere$ ls -al
total 12
drwxr-xr-x 2 root   root    4096 Oct 16 14:00 .
drwxr-xr-x 3 root   root    4096 Oct 16 14:00 ..
-rw-r----- 1 bandit4 bandit3   33 Oct 16 14:00 .hidden
bandit3@bandit:~/inhere$ cat .hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB

Go into the directory and read the hidden file.


bandit4 -> bandit5

The password for the next level is stored in the only human-readable file in the inhere directory.

bandit4@bandit:~$ cd inhere/
bandit4@bandit:~/inhere$ ls -al
bandit4@bandit:~/inhere$ file ./*
./-file00: data
./-file01: data
./-file02: data
./-file03: data
./-file04: data
./-file05: data
./-file06: data
./-file07: ASCII text
./-file08: data
./-file09: data
bandit4@bandit:~/inhere$ cat ./-file07
koReBOKuIDDepwhWk7jZC0RTdopnAYKh

Check what each file contains with the file command, then read the human-readable one.


bandit5 -> bandit6

The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:

  • human-readable

  • 1033 bytes in size

  • not executable

bandit5@bandit:~/inhere$ ls
maybehere00 maybehere03 maybehere06 maybehere09 maybehere12 maybehere15 maybehere18
maybehere01 maybehere04 maybehere07 maybehere10 maybehere13 maybehere16 maybehere19
maybehere02 maybehere05 maybehere08 maybehere11 maybehere14 maybehere17
bandit5@bandit:~/inhere$ find ./ -readable -size 1033c ! -executable
./maybehere07/.file2
bandit5@bandit:~/inhere$ find ./ -readable -size 1033c ! -executable -exec cat {} \;
DXjZPULLxYr17uwoI01bNLQbtFemEgo7

The given conditions are: readable, 1033 bytes in size, and not executable. These map onto find's -readable, -size and -executable options respectively; the details of each option can be read in the man page, as excerpted below. In addition, find's output can be fed straight into cat with the -exec option.


[+]

find command options

bandit5@bandit:~/inhere$ man -k find
BIO_find_type (3ssl) - BIO chain traversal
...
find (1)             - search for files in a directory hierarchy
...

bandit5@bandit:~/inhere$ man 1 find
...
-readable
Matches files which are readable. This takes into account access control lists and other permissions artefacts which the -perm test ignores. This test makes use of the access(2) system call, and so can be fooled by NFS servers which do UID mapping (or root-squashing), since many systems implement access(2) in the client's kernel and so cannot make use of the UID mapping information held on the server.


-size n[cwbkMG]
File uses n units of space, rounding up. The following suffixes can be used:

`b'   for 512-byte blocks (this is the default if no suffix is used)
`c'   for bytes
`w'   for two-byte words
`k'   for Kilobytes (units of 1024 bytes)
`M'   for Megabytes (units of 1048576 bytes)
`G'   for Gigabytes (units of 1073741824 bytes)

The size does not count indirect blocks, but it does count blocks in sparse files that are not actually allocated. Bear in mind that the `%k' and `%b' format specifiers of -printf handle sparse files differently. The `b' suffix always denotes 512-byte blocks and never 1 Kilobyte blocks, which is different to the behaviour of -ls.

The + and - prefixes signify greater than and less than, as usual. Bear in mind that the size is rounded up to the next unit. Therefore -size -1M is not equivalent to -size -1048576c. The former only matches empty files, the latter matches files from 1 to 1,048,575 bytes.


-executable
Matches files which are executable and directories which are searchable (in a file name resolution sense). This takes into account access control lists and other permissions artefacts which the -perm test ignores. This test makes use of the access(2) system call, and so can be fooled by NFS servers which do UID mapping (or root-squashing), since many systems implement access(2) in the client's kernel and so cannot make use of the UID mapping information held on the server. Because this test is based only on the result of the access(2) system call, there is no guarantee that a file for which this test succeeds can actually be executed.
...
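To make the three criteria concrete, here is an added example (not part of the original write-up) that reproduces find's -readable, -size and ! -executable tests in Python on a constructed directory tree, including the round-up rule for -size quoted from the man page above (the reason -size -1M matches only empty files). matches_size, find_candidates, build_sample_tree and the sample layout are this example's own names and assumptions, not find's.

```python
import os
import tempfile

# Unit sizes for the -size suffixes listed in find(1); no suffix means
# 512-byte blocks.
UNITS = {"b": 512, "c": 1, "w": 2, "k": 1024, "M": 1048576, "G": 1073741824}


def matches_size(size_bytes, spec):
    """Emulate find's -size test: convert the file size to the requested
    unit, rounding up, then compare with n; a leading + or - means
    greater than or less than instead of equal."""
    prefix = ""
    if spec[0] in "+-":
        prefix, spec = spec[0], spec[1:]
    unit = UNITS["b"]
    if spec[-1] in UNITS:
        unit, spec = UNITS[spec[-1]], spec[:-1]
    n = int(spec)
    units_used = (size_bytes + unit - 1) // unit  # integer round-up
    if prefix == "+":
        return units_used > n
    if prefix == "-":
        return units_used < n
    return units_used == n


def find_candidates(root, size_spec):
    """Walk root like `find root -readable -size SPEC ! -executable`.
    find implements -readable/-executable with access(2); os.access is the
    same call, so it inherits the same caveats (root, NFS UID mapping).
    Returns paths relative to root, sorted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.access(path, os.R_OK) or os.access(path, os.X_OK):
                continue
            if matches_size(os.stat(path).st_size, size_spec):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample (not the real level data): a few 'maybehere'
    directories mimicking bandit5's inhere/ layout, with decoys that each
    fail exactly one of the three tests."""
    root = tempfile.mkdtemp(prefix="inhere_")
    layout = {
        "maybehere00/.file1": (1033, 0o755),       # right size, but executable
        "maybehere00/-file2": (1034, 0o644),       # off by one byte
        "maybehere07/.file2": (1033, 0o644),       # the one find should report
        "maybehere12/spaces file": (1033, 0o000),  # right size, unreadable
    }
    for rel, (size, mode) in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"A" * size)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print(find_candidates(root, "1033c"))
    print(matches_size(0, "-1M"), matches_size(1, "-1M"))
```

os.access is the same access(2) call find uses, so the result carries the caveat the man page gives: run as root, or behind an NFS server that maps UIDs, the unreadable decoy passes the -readable test as well, which is why the test below does not pin the full result list.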


bandit6 -> bandit7

The password for the next level is stored somewhere on the server and has all of the following properties:

  • owned by user bandit7

  • owned by group bandit6

  • 33 bytes in size

bandit6@bandit:~$ find / -user bandit7 -group bandit6 -size 33c 2> /dev/null -exec cat {} \;
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

Same as the previous level. The file can be found with find's -user, -group and -size options. Search from the root directory /, and use 2> /dev/null so that stderr is not printed on screen.


[+]

find command options

-user uname
    File is owned by user uname (numeric user ID allowed).
-group gname
    File belongs to group gname (numeric group ID allowed).


bandit7 -> bandit8

The password for the next level is stored in the file data.txt next to the word millionth

bandit7@bandit:~$ ls
data.txt
bandit7@bandit:~$ grep -F "millionth" -A 1 ./data.txt
millionth cvX2JJa4CFALtqS87jk27qwqGhBM9plV
comprehend FKVbjZbVgb0d2RU2DlCqSW049xMITQkB

Among the many strings in data.txt we have to find "millionth" and check the value on the line after it, so grep can be used. -F finds the literal string, and -A sets how many lines after the matching line are additionally displayed.

...or not. I misread the problem. The password is next to millionth, so there is no need for -A; the -F option alone is enough.


[+]

grep command options

-F, --fixed-strings
Interpret PATTERN as a list of fixed strings (instead of regular expressions), separated by newlines, any of which is to be matched.

-A NUM, --after-context=NUM
Print NUM lines of trailing context after matching lines. Places a line containing a group separator (--) between contiguous groups of matches. With the -o or --only-matching option, this has no effect and a warning is given.

bandit8 -> bandit9

The password for the next level is stored in the file data.txt and is the only line of text that occurs only once

bandit8@bandit:~$ cat data.txt | sort | uniq -u
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

or
bandit8@bandit:~$ cat data.txt | sort | uniq -c
    10 07iR6PwHwihvQ3av1fqoRjICCulpoyms
     1 UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR
    10 vBo3qbjNEF2d3meGEkRfc3mKpjtiDz1i

After sorting with the sort command, uniq can either drop the repeated lines or count how many times each line occurs, which reveals the answer.


[+]

uniq command options

-c, --count
    prefix lines by the number of occurrences
-u, --unique
    only print unique lines

Reference: http://bahndal.egloos.com/576672


bandit9 -> bandit10

The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.

bandit9@bandit:~$ strings data.txt | grep "=="
2========== the
========== password
========== isa
========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk

Easily found by combining the strings and grep commands.


bandit10 -> bandit11

The password for the next level is stored in the file data.txt, which contains base64 encoded data

bandit10@bandit:~$ cat data.txt
VGhlIHBhc3N3b3JkIGlzIElGdWt3S0dzRlc4TU9xM0lSRnFyeEUxaHhUTkViVVBSCg==

bandit10@bandit:~$ cat data.txt | base64 --decode
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

data.txt contains base64-encoded data, so decode it with the base64 command.


[+]

base64 command options

-d, --decode
    decode data

bandit11 -> bandit12

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions

bandit11@bandit:~$ cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

bandit11@bandit:~$ cat data.txt | python -c 'import sys; print sys.stdin.read().decode("rot13")'
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

The tr command can be used to decode ROT13. Short for translate, it replaces the specified characters with other characters; it is commonly used to convert every character in a file to uppercase or to delete particular characters. As a companion approach, python solves it just as simply.


bandit12 -> bandit13

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)

bandit12@bandit:/tmp$ cp ~/data.txt ./TT
bandit12@bandit:/tmp$ file TT
TT: ASCII text
bandit12@bandit:/tmp$ xxd -r TT > TT1
bandit12@bandit:/tmp$ file TT1
TT1: gzip compressed data, was "data2.bin", last modified: Tue Oct 16 12:00:23 2018, max compression, from Unix
bandit12@bandit:/tmp$ mv TT1.gz
mv: missing destination file operand after 'TT1.gz'
Try 'mv --help' for more information.
bandit12@bandit:/tmp$ mv TT1 TT1.gz
bandit12@bandit:/tmp$ gzip -d TT1.gz
bandit12@bandit:/tmp$ file TT1
TT1: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp$ mv TT1 TT1.bz2
bandit12@bandit:/tmp$ bzip2 -d TT1.bz2
bandit12@bandit:/tmp$ file TT1
TT1: gzip compressed data, was "data4.bin", last modified: Tue Oct 16 12:00:23 2018, max compression, from Unix
bandit12@bandit:/tmp$ mv TT1 TT1.gz
bandit12@bandit:/tmp$ gzip -d TT1.gz
bandit12@bandit:/tmp$ file TT1
TT1: POSIX tar archive (GNU)
bandit12@bandit:/tmp$ tar -tvf TT1
-rw-r--r-- root/root     10240 2018-10-16 14:00 data5.bin
bandit12@bandit:/tmp$ mv TT1 TT1.tar
bandit12@bandit:/tmp$ tar -xvf TT1.tar
data5.bin
bandit12@bandit:/tmp$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@bandit:/tmp$ mv data5.bin TT1.tar
bandit12@bandit:/tmp$ tar -xvf TT1.tar
data6.bin
bandit12@bandit:/tmp$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp$ mv data6.bin TT1.bz2
bandit12@bandit:/tmp$ bzip2 -d TT1.bz2
bandit12@bandit:/tmp$ file TT1
TT1: POSIX tar archive (GNU)
bandit12@bandit:/tmp$ mv TT1 TT1.tar
bandit12@bandit:/tmp$ tar -xvf TT1.tar
data8.bin
bandit12@bandit:/tmp$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", last modified: Tue Oct 16 12:00:23 2018, max compression, from Unix
bandit12@bandit:/tmp$ mv data8.bin TT1.gz
bandit12@bandit:/tmp$ gzip -d TT1.gz
bandit12@bandit:/tmp$ file TT1
TT1: ASCII text
bandit12@bandit:/tmp$ cat TT1
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

Phew.. got through it by sheer persistence. Next time I run into a problem like this, let's finish it in one shot with the god-tier tool binwalk.


[+]

xxd command options

-r | -revert
reverse operation: convert (or patch) hexdump into binary. If not writing to stdout, xxd writes into its output file without truncating it. Use the combination -r -p to read plain hexadecimal dumps without line number information and without a particular column layout. Additional Whitespace and line-breaks are allowed anywhere.

This option turns a hex dump file back into a binary file.
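The whole chain above, automated, as an added example that is not part of the original write-up and is not binwalk: it reverses an xxd hexdump in Python and then peels gzip, bzip2 and tar layers by their magic bytes (the same signatures file relies on) until plain text remains. The function names, the xxd-layout writer used to build the input, and the nested sample with its placeholder password are this example's own assumptions; the sample mirrors the level's layer order but is not the level's data.

```python
import bz2
import gzip
import io
import re
import tarfile

# An xxd line is "00000000: 1f8b 0808 b7ed c55b  ...ascii"; capture the hex
# groups and stop at the double space that precedes the ASCII column.
XXD_LINE = re.compile(r"^[0-9a-fA-F]{1,8}:\s*((?:[0-9a-fA-F]{2}\s?)+)")


def xxd_revert(dump):
    """Equivalent of `xxd -r`: rebuild bytes from the hex groups of each line,
    ignoring offset and ASCII columns; a line with no offset is plain hex."""
    out = bytearray()
    for line in dump.splitlines():
        m = XXD_LINE.match(line)
        hexpart = m.group(1) if m else line
        out += bytes.fromhex("".join(hexpart.split()))
    return bytes(out)


def xxd_dump(data):
    """Default xxd layout (16 bytes/line, 2-byte groups, ASCII column), used
    here only to build a realistic input for xxd_revert."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        groups = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {groups:<39}  {text}")
    return "\n".join(lines) + "\n"


def identify(blob):
    """Minimal stand-in for `file`, based on each format's magic bytes."""
    if blob[:2] == b"\x1f\x8b":
        return "gzip"
    if blob[:3] == b"BZh":
        return "bzip2"
    if len(blob) >= 262 and blob[257:262] == b"ustar":
        return "tar"
    return "other"


def peel(blob):
    """Remove one layer: gzip, bzip2, or the first member of a tar archive."""
    kind = identify(blob)
    if kind == "gzip":
        return gzip.decompress(blob)
    if kind == "bzip2":
        return bz2.decompress(blob)
    if kind == "tar":
        with tarfile.open(fileobj=io.BytesIO(blob)) as tf:
            return tf.extractfile(tf.getmembers()[0]).read()
    raise ValueError("not a gzip, bzip2 or tar layer")


def unwrap(hexdump, max_layers=32):
    """Reverse the hexdump, then strip layers until no known format remains.
    Returns (layer types seen, outermost first; final bytes). max_layers
    bounds the loop so a crafted input cannot keep it spinning."""
    blob = xxd_revert(hexdump)
    layers = []
    while len(layers) < max_layers and identify(blob) != "other":
        layers.append(identify(blob))
        blob = peel(blob)
    return layers, blob


def wrap_tar(data, name):
    """Put data into a single-member tar archive held in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo(name)
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample():
    """Constructed sample in the level's nesting order, outermost first:
    gzip, bzip2, gzip, tar, tar, bzip2, tar, gzip, then text (placeholder)."""
    blob = b"The password is PLACEHOLDER_NOT_THE_REAL_PASSWORD\n"
    blob = gzip.compress(blob)
    blob = wrap_tar(blob, "data8.bin")
    blob = bz2.compress(blob)
    blob = wrap_tar(blob, "data6.bin")
    blob = wrap_tar(blob, "data5.bin")
    blob = gzip.compress(blob)
    blob = bz2.compress(blob)
    blob = gzip.compress(blob)
    return xxd_dump(blob)


if __name__ == "__main__":
    layers, final = unwrap(build_sample())
    print(" -> ".join(layers))
    print(final.decode())
```

Deciding each step from the bytes rather than from the file name is the point: the level renames every layer to the wrong extension, and gzip or bzip2 refuse to act until the name is fixed, whereas magic-byte detection never looks at the name. The max_layers bound is the one thing binwalk-style automation should never omit, since a hostile archive can nest itself indefinitely.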

