Write-up

[bandit] bandit27 ~ bandit33 (CLEAR)

ch4rli3kop 2019. 2. 28. 22:01


bandit27 -> bandit28

There is a git repository at ssh://bandit27-git@localhost/home/bandit27-git/repo. The password for the user bandit27-git is the same as for the user bandit27.

bandit27@bandit:/tmp/TTT$ git clone ssh://bandit27-git@localhost/home/bandit27-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit27/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit27/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit27-git@localhost's password:
remote: Counting objects: 3, done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 3 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (3/3), done.
bandit27@bandit:/tmp/TTT$ ls
repo
bandit27@bandit:/tmp/TTT$ cd repo/
bandit27@bandit:/tmp/TTT/repo$ ls
README
bandit27@bandit:/tmp/TTT/repo$ cat README
The password to the next level is: 0ef186ac70e04ea33b4c1853d2526fa2

Clone the repository and read the file inside it.

bandit28 -> bandit29

There is a git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo. The password for the user bandit28-git is the same as for the user bandit28.

Clone the repository and find the password for the next level.

bandit28@bandit:/tmp/TT28$ git clone  ssh://bandit28-git@localhost/home/bandit28-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit28/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit28/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit28-git@localhost's password:
remote: Counting objects: 9, done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 9 (delta 2), reused 0 (delta 0)
Receiving objects: 100% (9/9), done.
Resolving deltas: 100% (2/2), done.
bandit28@bandit:/tmp/TT28$ ls
repo
bandit28@bandit:/tmp/TT28$ cd repo/
bandit28@bandit:/tmp/TT28/repo$ ls
README.md
bandit28@bandit:/tmp/TT28/repo$ cat README.md
# Bandit Notes
Some notes for level29 of bandit.

## credentials

- username: bandit29
- password: xxxxxxxxxx

Fetching the repository with git clone shows the information above; only the password part has been blanked out.

An advantage of git is that it tracks the changes to every file. It stores that information in the .git directory shown below, and uses it to give the user a detailed view of the repository's past activity and changes.

The git log command shows the commit history, and the -p option additionally shows the detailed changes made by each commit.

bandit28@bandit:/tmp/TT28/repo$ ls -al
total 16
drwxr-sr-x 3 bandit28 root 4096 Feb 28 11:20 .
drwxr-sr-x 3 bandit28 root 4096 Feb 28 11:20 ..
drwxr-sr-x 8 bandit28 root 4096 Feb 28 11:20 .git
-rw-r--r-- 1 bandit28 root  111 Feb 28 11:20 README.md

bandit28@bandit:/tmp/TT28/repo/.git$ git log -p
commit 073c27c130e6ee407e12faad1dd3848a110c4f95
Author: Morla Porla <morla@overthewire.org>
Date:   Tue Oct 16 14:00:39 2018 +0200

  fix info leak

diff --git a/README.md b/README.md
index 3f7cee8..5c6457b 100644
--- a/README.md
+++ b/README.md
@@ -4,5 +4,5 @@ Some notes for level29 of bandit.
## credentials

- username: bandit29
-- password: bbc96594b4e001778eee9975372716b2
+- password: xxxxxxxxxx

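Review bot: the replacement of `-- password: bbc96594b4e001778eee9975372716b2` by `+- password: xxxxxxxxxx` removes the value from the current tree only; the parent commit still carries it and `git log -p` prints it, as this transcript shows. A credential that has been committed should be treated as exposed and rotated, and if the value must really disappear from the repository the history has to be rewritten and force-pushed, not just amended at the tip.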
We can see the record where the password, originally bbc96594b4e001778eee9975372716b2, was changed to xxxxxxx.

bandit29 -> bandit30

There is a git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo. The password for the user bandit29-git is the same as for the user bandit29.

Clone the repository and find the password for the next level.

bandit29@bandit:/tmp/TT29$ git clone ssh://bandit29-git@localhost/home/bandit29-git/repo
Cloning into 'repo'...
Could not create directory '/home/bandit29/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit29/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit29-git@localhost's password:
remote: Counting objects: 16, done.
remote: Compressing objects: 100% (11/11), done.
remote: Total 16 (delta 2), reused 0 (delta 0)
Receiving objects: 100% (16/16), done.
Resolving deltas: 100% (2/2), done.
bandit29@bandit:/tmp/TT29$ ls
repo
bandit29@bandit:/tmp/TT29$ cd repo/
bandit29@bandit:/tmp/TT29/repo$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.

## credentials

- username: bandit30
- password: <no passwords in production!>

bandit29@bandit:/tmp/TT29/repo$ git log -p
commit 84abedc104bbc0c65cb9eb74eb1d3057753e70f8
Author: Ben Dover <noone@overthewire.org>
Date:   Tue Oct 16 14:00:41 2018 +0200

  fix username

diff --git a/README.md b/README.md
index 2da2f39..1af21d3 100644
--- a/README.md
+++ b/README.md
@@ -3,6 +3,6 @@ Some notes for bandit30 of bandit.

## credentials

-- username: bandit29
+- username: bandit30
- password: <no passwords in production!>


commit 9b19e7d8c1aadf4edcc5b15ba8107329ad6c5650
Author: Ben Dover <noone@overthewire.org>
Date:   Tue Oct 16 14:00:41 2018 +0200

  initial commit of README.md

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..2da2f39
--- /dev/null
+++ b/README.md
@@ -0,0 +1,8 @@
+# Bandit Notes
+Some notes for bandit30 of bandit.
+
+## credentials
+
+- username: bandit29
+- password: <no passwords in production!>

After fetching the repository, looking through the README and the git log turns up nothing special. Since nothing can be found on the current working branch, the reasonable next step is to check whether other branches exist and dig through them.

bandit29@bandit:/tmp/TT29/repo$ git show-branch --all
* [master] fix username
! [origin/HEAD] fix username
! [origin/dev] add data needed for development
  ! [origin/master] fix username
  ! [origin/sploits-dev] add some silly exploit, just for shit and giggles
-----
   + [origin/sploits-dev] add some silly exploit, just for shit and giggles
 +   [origin/dev] add data needed for development
 +   [origin/dev^] add gif2ascii
*++++ [master] fix username

bandit29@bandit:/tmp/TT29/repo$ git checkout dev
Branch dev set up to track remote branch dev from origin.
Switched to a new branch 'dev'
bandit29@bandit:/tmp/TT29/repo$ ls -al
total 20
drwxr-sr-x 4 bandit29 root 4096 Feb 28 12:24 .
drwxr-sr-x 3 bandit29 root 4096 Feb 28 12:18 ..
drwxr-sr-x 2 bandit29 root 4096 Feb 28 12:24 code
drwxr-sr-x 8 bandit29 root 4096 Feb 28 12:24 .git
-rw-r--r-- 1 bandit29 root  134 Feb 28 12:24 README.md
bandit29@bandit:/tmp/TT29/repo$ cat README.md
# Bandit Notes
Some notes for bandit30 of bandit.

## credentials

- username: bandit30
- password: 5b90576bedb2cc04c86a9e924ce42faf

Two additional branches, dev and sploits-dev, turned up. Checking both the README.md and the log of sploits-dev showed nothing special, whereas the README.md on dev contained the password.

bandit30 -> bandit31

There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo. The password for the user bandit30-git is the same as for the user bandit30.

Clone the repository and find the password for the next level.

The log has nothing special in it, and master is the only branch. Trying the git show command revealed something unusual: a tag exists. Its value can be read with git show.

bandit30@bandit:/tmp/TT30/repo$ git show 
HEAD           master         origin/HEAD     origin/master   secret
bandit30@bandit:/tmp/TT30/repo$ git tag
secret
bandit30@bandit:/tmp/TT30/repo$ git show secret
47e603bb428404d265f59c42920d81e5
tag

A tag is a kind of label used to mark a specific point on a branch or a specific commit. Unlike HEAD it is fixed, so it can be used to return conveniently to a specific point in the past.
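The three levels above each hide the secret somewhere the checked-out tree does not show it: in a parent commit (bandit28), on another branch (bandit29), and in an object reachable only through a tag (bandit30). The script below is added here as an example and is not part of the original write-up or of the Bandit repositories: it builds a throwaway repository with all three patterns (every path, name and hex value is constructed for the demo) and then searches `git log -p --all` plus every tag object for 32-hex-character tokens. It assumes a git binary on PATH and skips itself if there is none.

```shell
#!/bin/sh
# Added example (not from the write-up): build a throwaway repository that
# leaks a secret the same three ways the levels above do, then search every
# place git keeps data. All values below are constructed for the demo.
set -e

# The demo needs a git binary; skip cleanly if there is none.
command -v git >/dev/null 2>&1 || { echo "git not found, skipping"; exit 0; }

# Create a repo at $1 with:
#  - a secret committed and then "fixed" on master (still in history, bandit28)
#  - a second secret only on a dev branch (bandit29)
#  - a third secret in a blob reachable only through a tag (bandit30)
make_leaky_repo() (
  cd "$1"
  git init -q
  git symbolic-ref HEAD refs/heads/master
  git config user.name demo
  git config user.email demo@example.com

  printf '# Notes\n- password: 0123456789abcdef0123456789abcdef\n' > README.md
  git add README.md
  git commit -q -m "initial commit of README.md"

  printf '# Notes\n- password: xxxxxxxxxx\n' > README.md
  git commit -q -am "fix info leak"          # tip is clean, parent is not

  git checkout -q -b dev
  printf '%s\n' '- dev password: fedcba9876543210fedcba9876543210' >> README.md
  git commit -q -am "add data needed for development"
  git checkout -q master

  # A lightweight tag pointing straight at a blob: on no branch, in no commit.
  blob=$(printf '89abcdef0123456789abcdef01234567\n' | git hash-object -w --stdin)
  git tag secret "$blob"
)

# Print, sorted and de-duplicated, every 32-hex-character token reachable
# from any branch's history or from any tag object. Commit and blob ids are
# 40 characters long, so the second grep drops them.
find_hex_secrets() {
  repo=$1
  {
    git -C "$repo" log -p --all
    git -C "$repo" for-each-ref --format='%(refname)' refs/tags |
      while read -r ref; do git -C "$repo" cat-file -p "$ref"; done
  } | grep -oE '[0-9a-f]{32,}' | grep -E '^[0-9a-f]{32}$' | sort -u
}

demo() {
  repo=$(mktemp -d)
  make_leaky_repo "$repo"
  echo "master working tree: $(tr '\n' ' ' < "$repo/README.md")"
  echo "tokens reachable through history, branches and tags:"
  find_hex_secrets "$repo"
  rm -rf "$repo"
}

demo
```

The tag objects are walked separately on purpose: a tag may point directly at a blob rather than at a commit, and such an object sits on no branch, so `git log --all` never prints its contents even though `git show <tag>` does. From the defender's side this is the same walk a secret scanner or a pre-push hook should perform before a repository is shared, and a value that has ever been committed should be rotated rather than merely overwritten in a later commit.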

bandit31 -> bandit32

There is a git repository at ssh://bandit31-git@localhost/home/bandit31-git/repo. The password for the user bandit31-git is the same as for the user bandit31.

Clone the repository and find the password for the next level.

bandit31@bandit:/tmp/TT31/repo$ cat README.md 
This time your task is to push a file to the remote repository.

Details:
  File name: key.txt
  Content: 'May I come in?'
  Branch: master

Hmm, I rummaged around diligently at first, but it got me nowhere. Looking closely at README.md, the line "This time your task is to push a file to the remote repository" stands out. As required, create key.txt with the content May I come in? and push it to the remote repository to clear the level.

bandit31@bandit:/tmp/TT31/repo$ echo "May I come in?" > key.txt
bandit31@bandit:/tmp/TT31/repo$ git add key.txt
The following paths are ignored by one of your .gitignore files:
key.txt
Use -f if you really want to add them.
bandit31@bandit:/tmp/TT31/repo$ git add -f key.txt
bandit31@bandit:/tmp/TT31/repo$ git commit -m "add key.txt"
[master 53dfa50] add key.txt
1 file changed, 1 insertion(+)
create mode 100644 key.txt

bandit31@bandit:/tmp/TT31/repo$ git push
Could not create directory '/home/bandit31/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/bandit31/.ssh/known_hosts).
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit31-git@localhost's password:
Counting objects: 3, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 324 bytes | 0 bytes/s, done.
Total 3 (delta 0), reused 0 (delta 0)
remote: ### Attempting to validate files... ####
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
remote: Well done! Here is the password for the next level:
remote: 56a9bf19c63d650ce78e6ec0354ee45e
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
To ssh://localhost/home/bandit31-git/repo
! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'ssh://bandit31-git@localhost/home/bandit31-git/repo'

bandit32 -> bandit33

After all this git stuff its time for another escape. Good luck!

WELCOME TO THE UPPERCASE SHELL
>> ls
sh: 1: LS: not found
>> $0
$ id
uid=11033(bandit33) gid=11032(bandit32) groups=11032(bandit32)
$ cat /etc/bandit_pass/bandit33
c9c3199ddf4121b10cf581a98d51caee

On connecting, annoyingly, every character typed is converted to uppercase and then executed with sh. Special characters and digits are left untouched, so the options include running a script whose name consists of uppercase letters, or using $variables.

In shell scripts, $0, $1, $2 ... $@, $# and so on are variables with special values. For example, $0 is the first of the strings passed when the script is run, i.e. the program name. From $1 onwards the arguments are stored in order.

In a bash shell $0 holds bash, but in this challenge's shell it holds sh. So typing $0 runs the /bin/sh shell.
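To make the two points above concrete, the script below is an added example and not the level's own program: `uppercase` is a constructed stand-in for the challenge's letter-only transform, `survives_uppercase` reports whether a string passes through it unchanged, and `show_positional` starts a fresh sh with given operands so that the positional parameters printed are exactly what that shell sees. Function names and sample strings are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the write-up): a model of the level's uppercase
# filter, and of the positional parameters that let $0 pass through it.
set -e

# Constructed stand-in for the challenge's transform: letters are uppercased
# before the string reaches sh; digits and punctuation are untouched.
uppercase() {
  printf '%s' "$1" | tr 'a-z' 'A-Z'
}

# Succeeds (exit 0) when the string survives the transform unchanged, i.e.
# when it contains no lowercase letter at all.
survives_uppercase() {
  [ "$(uppercase "$1")" = "$1" ]
}

# Start a fresh sh with the given operands so that $0, $# and $1 are what
# that shell itself sees. Output format: "0=<$0> #=<$#> 1=<$1>".
show_positional() {
  sh -c 'printf "0=%s #=%s 1=%s\n" "$0" "$#" "${1:-}"' "$@"
}

# What the transform does to a few inputs.
for cmd in ls id '$0' '$1'; do
  if survives_uppercase "$cmd"; then
    printf '%-6s -> %-6s passes unchanged\n' "$cmd" "$(uppercase "$cmd")"
  else
    printf '%-6s -> %-6s mangled\n' "$cmd" "$(uppercase "$cmd")"
  fi
done

show_positional sh            # as in the level: $0 is "sh", no arguments
show_positional /bin/sh a b   # $0 is the path, $1 and $2 the arguments
```

The takeaway for anyone building such a wrapper is that rewriting the characters of a command line does not restrict what the interpreter behind it can do; `$0` contains no letters, so the transform leaves it alone and sh expands it to its own name. Restricting a shell means limiting the commands it may run (an allowlist, or a restricted shell), not filtering the text.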

bandit33 -> bandit34

At this moment, level 34 does not exist yet.

All done!
