
bandit5@bandit:~/inhere$ whoami
bandit5
bandit5@bandit:~/inhere$ pwd
/home/bandit5/inhere
bandit5@bandit:~/inhere$ find ./ -size 1033c
./maybehere07/.file2
bandit5@bandit:~/inhere$ find ./ -size 1033c | xargs cat
HWasnPhtq9AVKe0dmk45nxy20cvUa6EG

bandit6@bandit:~$ whoami
bandit6
bandit6@bandit:~$ pwd
/home/bandit6
bandit6@bandit:~$ find / -user bandit7 -group bandit6 -size 33c 2>/dev/null
/var/lib/dpkg/info/bandit7.password
bandit6@bandit:~$ find / -user bandit7 -group bandit6 -size 33c 2>/dev/null | xargs cat
morbNTDkSW6jIlUc0ymOdMaLnOlFVAaj
bandit6@bandit:~$

bandit7@bandit:~$ whoami
bandit7
bandit7@bandit:~$ pwd
/home/bandit7
bandit7@bandit:~$ ls
data.txt
bandit7@bandit:~$ man grep
bandit7@bandit:~$
bandit7@bandit:~$ grep -r "millionth"
data.txt:millionth dfwvzFQi4mU0wfNbFOe9RoWskMLg7eEc
bandit7@bandit:~$
bandit7@bandit:~$ grep -r -w -n "millionth"
data.txt:84480:millionth dfwvzFQi4mU0wfNbFOe9RoWskMLg7eEc
bandit7@bandit:~$

bandit8@bandit:~$ cat data.txt | sort | uniq -c -u
1 4CKMh1JI91bUIZZPXDqGanal4xvAg0JM
bandit8@bandit:~$ man uniq
bandit8@bandit:~$ man sort
bandit8@bandit:~$

bandit9@bandit:~$ strings data.txt | grep '^='
grep命令详解
常用正则表达式
strings命令与cat的区别

bandit10@bandit:~$ ls
data.txt
bandit10@bandit:~$ strings data.txt
VGhlIHBhc3N3b3JkIGlzIGR0UjE3M2ZaS2IwUlJzREZTR3NnMlJXbnBOVmozcVJyCg==
bandit10@bandit:~$ base64 -d data.txt
The password is dtR173fZKb0RRsDFSGsg2RWnpNVj3qRr
bandit10@bandit:~$

bandit12@bandit:~$ pwd
/home/bandit12
bandit12@bandit:~$ whoami
bandit12
bandit12@bandit:~$ ls
data.txt
bandit12@bandit:~$ mkdir /tmp/tmp.123456
bandit12@bandit:~$ cp data.txt /tmp/tmp.123456/data.txt
bandit12@bandit:~$ cd /tmp/tmp.123456
bandit12@bandit:/tmp/tmp.123456$ ls
data.txt
bandit12@bandit:/tmp/tmp.123456$ file data.txt
data.txt: ASCII text
bandit12@bandit:/tmp/tmp.123456$ cat data.txt
00000000: 1f8b 0808 10da cf69 0203 6461 7461 322e .......i..data2.
00000010: 6269 6e00 0140 02bf fd42 5a68 3931 4159 bin..@...BZh91AY
00000020: 2653 59e1 71be e800 0018 7fff dec6 ff7c &SY.q..........|
00000030: bd9f 4fbf ff77 ffff bfed af5d bffb dffd ..O..w.....]....
00000040: a8fa cfdf fbfb ffbb dd7f f5fb b001 3b18 ..............;.
00000050: 1006 83d4 0340 d000 1934 0034 0006 81a0 .....@...4.4....
00000060: 00d0 000d 0034 0d0c 8000 0d1a 3406 8068 .....4......4..h
00000070: 69a6 4d1a 0d1b 48da 40da 3510 0003 4006 i.M...H.@.5...@.
00000080: 8000 001e a00d 001e a680 3400 01a7 a800 ..........4.....
00000090: 0680 c4d0 000d 1a3d 11ea 1a00 d343 f541 .......=.....C.A
000000a0: a006 269a 03d4 0e9a 1a68 3434 340d 0d06 ..&......h444...
000000b0: 8193 400c 8320 0340 3434 68d1 a000 68c4 ..@.. .@44h...h.
000000c0: 6026 2000 1a06 2000 064d 000d 0000 6432 `& ... ..M....d2
000000d0: 3c08 0200 4056 d394 6653 6796 5b22 e9b8 <...@V..fSg.["..
000000e0: da82 c52c 0888 c1d0 6cee 6a43 f164 4a14 ...,....l.jC.dJ.
000000f0: 6b4a 1d69 111a 91c1 93db ee12 8667 ca43 kJ.i.........g.C
00000100: d036 43f6 3d4f 4999 6065 4091 9a2f bc4d .6C.=OI.`e@../.M
00000110: 6516 68e6 34ef a4ce 1091 b9ea 52a7 cf48 e.h.4.......R..H
00000120: 3e4f 84c1 a2c5 2383 200a c41e 28ed 8e9b >O....#. ...(...
00000130: 7868 a526 970b 4041 054d 3b25 c0bb 6bdf xh.&..@A.M;%..k.
00000140: 1afe 9771 045e 3213 58a5 d129 9cd8 3dd8 ...q.^2.X..)..=.
00000150: 9ca1 2561 c91b 1527 afc0 5643 0425 45ea ..%a...'..VC.%E.
00000160: dc87 cf98 2104 c30f 01ad 19fb 7e34 c0ba ....!.......~4..
00000170: 30e1 135a 743d f3d4 6467 cb43 9f4e 0cc1 0..Zt=..dg.C.N..
00000180: 052a 12c1 55f3 2344 2254 b108 6571 016d .*..U.#D"T..eq.m
00000190: caab c4f6 8c3c e383 2e61 1088 490f 588b .....<...a..I.X.
000001a0: e6a4 e14a 8cc5 c226 9950 c091 3c2c 6ec5 ...J...&.P..<,n.
000001b0: 7150 851a ac29 1272 422b 3c62 0da4 1bd7 qP...).rB+<b....
000001c0: 605d 7981 aa02 332b bb27 9358 bac9 6ddc `]y...3+.'.X..m.
000001d0: 1aae 9848 0ff1 46cb c3a0 1f43 9871 0ef8 ...H..F....C.q..
000001e0: 4429 ca3b 9fab 2e74 2b96 6f24 ad53 e4ad D).;...t+.o$.S..
000001f0: e247 28c8 86d4 0ec0 10ad 412a 0fec 11bc .G(.......A*....
00000200: 6cd6 3c01 ff5f 8f88 9247 582a 4d44 4942 l.<.._...GX*MDIB
00000210: 92d2 5f6b 61d4 2d2b 5723 179d 98cc a44c .._ka.-+W#.....L
00000220: 951d c6c6 f143 2af1 5219 1fdd 3e81 8dc4 .....C*.R...>...
00000230: c586 98f0 98e4 d5bd 910c f59a 0142 864b .............B.K
00000240: b8f2 08f3 65d4 9d5d 5e29 0130 fe7f c5dc ....e..]^).0....
00000250: 914e 1424 385c 6fba 0081 589d 8f40 0200 .N.$8\o...X..@..
00000260: 00 .
bandit12@bandit:/tmp/tmp.123456$ xxd -r data.txt > data.bin
bandit12@bandit:/tmp/tmp.123456$ file data.txt
data.txt: ASCII text
bandit12@bandit:/tmp/tmp.123456$ file data.bin
data.bin: gzip compressed data, was "data2.bin", last modified: Fri Apr 3 15:17:36 2026, max compression, from Unix, original size modulo 2^32 576
bandit12@bandit:/tmp/tmp.123456$ mv data.bin data.gz
bandit12@bandit:/tmp/tmp.123456$ gunzip data.gz
bandit12@bandit:/tmp/tmp.123456$ ls
data data.txt
bandit12@bandit:/tmp/tmp.123456$ ls -l
total 8
-rw-rw-r-- 1 bandit12 bandit12 576 Jun 12 08:03 data
-rw-r----- 1 bandit12 bandit12 2637 Jun 12 08:02 data.txt
bandit12@bandit:/tmp/tmp.123456$ file data
data: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/tmp.123456$ mv data data.bz2
bandit12@bandit:/tmp/tmp.123456$ bunzip2 data.bz2
bandit12@bandit:/tmp/tmp.123456$ ls -l
total 8
-rw-rw-r-- 1 bandit12 bandit12 437 Jun 12 08:03 data
-rw-r----- 1 bandit12 bandit12 2637 Jun 12 08:02 data.txt
bandit12@bandit:/tmp/tmp.123456$ file data
data: gzip compressed data, was "data4.bin", last modified: Fri Apr 3 15:17:36 2026, max compression, from Unix, original size modulo 2^32 20480
bandit12@bandit:/tmp/tmp.123456$ mv data data.gz
bandit12@bandit:/tmp/tmp.123456$ gunzip data.gz
bandit12@bandit:/tmp/tmp.123456$ ls -l
total 24
-rw-rw-r-- 1 bandit12 bandit12 20480 Jun 12 08:03 data
-rw-r----- 1 bandit12 bandit12 2637 Jun 12 08:02 data.txt
bandit12@bandit:/tmp/tmp.123456$ file data
data: POSIX tar archive (GNU)
bandit12@bandit:/tmp/tmp.123456$ mv data data.tar
bandit12@bandit:/tmp/tmp.123456$ tar xf data.tar
bandit12@bandit:/tmp/tmp.123456$ ls -l
total 36
-rw-r--r-- 1 bandit12 bandit12 10240 Apr 3 15:17 data5.bin
-rw-rw-r-- 1 bandit12 bandit12 20480 Jun 12 08:03 data.tar
-rw-r----- 1 bandit12 bandit12 2637 Jun 12 08:02 data.txt
bandit12@bandit:/tmp/tmp.123456$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@bandit:/tmp/tmp.123456$ mv data5.bin data5.tar
bandit12@bandit:/tmp/tmp.123456$ tar xf data5.tar
bandit12@bandit:/tmp/tmp.123456$ ls -l
total 40
-rw-r--r-- 1 bandit12 bandit12 10240 Apr 3 15:17 data5.tar
-rw-r--r-- 1 bandit12 bandit12 223 Apr 3 15:17 data6.bin
-rw-rw-r-- 1 bandit12 bandit12 20480 Jun 12 08:03 data.tar
-rw-r----- 1 bandit12 bandit12 2637 Jun 12 08:02 data.txt
bandit12@bandit:/tmp/tmp.123456$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/tmp.123456$ mv data6.bin data6.bz2
bandit12@bandit:/tmp/tmp.123456$ bunzip2 data6.bz2
bandit12@bandit:/tmp/tmp.123456$ ls -l
total 48
-rw-r--r-- 1 bandit12 bandit12 10240 Apr 3 15:17 data5.tar
-rw-r--r-- 1 bandit12 bandit12 10240 Apr 3 15:17 data6
-rw-rw-r-- 1 bandit12 bandit12 20480 Jun 12 08:03 data.tar
-rw-r----- 1 bandit12 bandit12 2637 Jun 12 08:02 data.txt
bandit12@bandit:/tmp/tmp.123456$ file data6
data6: POSIX tar archive (GNU)
bandit12@bandit:/tmp/tmp.123456$ mv data6 data6.tar
bandit12@bandit:/tmp/tmp.123456$ ls -l
total 48
-rw-r--r-- 1 bandit12 bandit12 10240 Apr 3 15:17 data5.tar
-rw-r--r-- 1 bandit12 bandit12 10240 Apr 3 15:17 data6.tar
-rw-rw-r-- 1 bandit12 bandit12 20480 Jun 12 08:03 data.tar
-rw-r----- 1 bandit12 bandit12 2637 Jun 12 08:02 data.txt
bandit12@bandit:/tmp/tmp.123456$ tar xf data6.tar
bandit12@bandit:/tmp/tmp.123456$ ls -l
total 52
-rw-r--r-- 1 bandit12 bandit12 10240 Apr 3 15:17 data5.tar
-rw-r--r-- 1 bandit12 bandit12 10240 Apr 3 15:17 data6.tar
-rw-r--r-- 1 bandit12 bandit12 79 Apr 3 15:17 data8.bin
-rw-rw-r-- 1 bandit12 bandit12 20480 Jun 12 08:03 data.tar
-rw-r----- 1 bandit12 bandit12 2637 Jun 12 08:02 data.txt
bandit12@bandit:/tmp/tmp.123456$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", last modified: Fri Apr 3 15:17:36 2026, max compression, from Unix, original size modulo 2^32 49
bandit12@bandit:/tmp/tmp.123456$ mv data8.bin data8.gz
bandit12@bandit:/tmp/tmp.123456$ gunzip data8.gz
bandit12@bandit:/tmp/tmp.123456$ ls -l
total 52
-rw-r--r-- 1 bandit12 bandit12 10240 Apr 3 15:17 data5.tar
-rw-r--r-- 1 bandit12 bandit12 10240 Apr 3 15:17 data6.tar
-rw-r--r-- 1 bandit12 bandit12 49 Apr 3 15:17 data8
-rw-rw-r-- 1 bandit12 bandit12 20480 Jun 12 08:03 data.tar
-rw-r----- 1 bandit12 bandit12 2637 Jun 12 08:02 data.txt
bandit12@bandit:/tmp/tmp.123456$ file data8
data8: ASCII text
bandit12@bandit:/tmp/tmp.123456$ cat data8
The password is FO5dwFsc0cbaIiH0h8J2eUks2vdTDwAn
bandit12@bandit:/tmp/tmp.123456$

bandit13@bandit:~$ whoami
bandit13
bandit13@bandit:~$ pwd
/home/bandit13
bandit13@bandit:~$ ls
HINT sshkey.private
bandit13@bandit:~$ cat sshkey.private
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
将以上文字复制、粘贴到本地的一个 txt 文件里,然后修改该文件的权限。

私钥文件只能保留所有者的读写权限(例如 chmod 600),否则 ssh 会因为权限过于开放而拒绝使用这个私钥。

bandit14@bandit:~$ whoami
bandit14
bandit14@bandit:~$ pwd
/home/bandit14
bandit14@bandit:~$ cat /etc/bandit_pass/bandit14
MU4VWeTyJk8ROof1qqmcBPaLh7lDCPvS
bandit14@bandit:~$ cat /etc/bandit_pass/bandit14 | nc localhost 30000
Correct!
8xCjnmgoKbGLhHFAZlGE5Tmu4M2tKJQo

cat /etc/bandit_pass/bandit15 | openssl s_client -connect localhost:30001

read R BLOCK
8xCjnmgoKbGLhHFAZlGE5Tmu4M2tKJQo
Correct!
kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx

# 登录
ssh -p 2220 bandit16@bandit.labs.overthewire.org
# 查看当前密码
cat /etc/bandit_pass/bandit16
kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx
# 扫描31000-32000
nmap -p 31000-32000 localhost
PORT STATE SERVICE
31046/tcp open unknown
31518/tcp open unknown
31691/tcp open unknown
31790/tcp open unknown
31960/tcp open unknown
# 测试 31000-32000 中哪些端口支持 SSL
# 方法一:逐个端口探测
nmap -p 31000-32000 -sV --script=ssl-enum-ciphers localhost
nmap -p 31046 -sV --script=ssl-enum-ciphers localhost
PORT STATE SERVICE VERSION
31046/tcp open echo
nmap -p 31518 -sV --script=ssl-enum-ciphers localhost
PORT STATE SERVICE VERSION
31518/tcp open ssl/echo
nmap -p 31691 -sV --script=ssl-enum-ciphers localhost
PORT STATE SERVICE VERSION
31691/tcp open echo
nmap -p 31790 -sV --script=ssl-enum-ciphers localhost
PORT STATE SERVICE VERSION
31790/tcp open ssl/unknown
| fingerprint-strings:
| FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, LPDString, RTSPRequest, SIPOptions:
|_ Wrong! Please enter the correct current password.
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 4096) - A
| TLS_RSA_WITH_AES_128_CCM (rsa 4096) - A
| TLS_RSA_WITH_AES_128_CCM_8 (rsa 4096) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 4096) - A
| TLS_RSA_WITH_AES_256_CCM (rsa 4096) - A
| TLS_RSA_WITH_AES_256_CCM_8 (rsa 4096) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
| TLS_RSA_WITH_ARIA_128_GCM_SHA256 (rsa 4096) - A
| TLS_RSA_WITH_ARIA_256_GCM_SHA384 (rsa 4096) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 4096) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (rsa 4096) - A
| compressors:
| NULL
| cipher preference: client
| warnings:
| Key exchange (secp256r1) of lower strength than certificate key
| TLSv1.3:
| ciphers:
| TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
| cipher preference: client
|_ least strength: A
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port31790-TCP:V=7.94SVN%T=SSL%I=7%D=6/16%Time=6A30DFFB%P=x86_64-pc-linu
SF:x-gnu%r(GenericLines,32,"Wrong!\x20Please\x20enter\x20the\x20correct\x2
SF:0current\x20password\.\n")%r(GetRequest,32,"Wrong!\x20Please\x20enter\x
SF:20the\x20correct\x20current\x20password\.\n")%r(HTTPOptions,32,"Wrong!\
SF:x20Please\x20enter\x20the\x20correct\x20current\x20password\.\n")%r(RTS
SF:PRequest,32,"Wrong!\x20Please\x20enter\x20the\x20correct\x20current\x20
SF:password\.\n")%r(Help,32,"Wrong!\x20Please\x20enter\x20the\x20correct\x
SF:20current\x20password\.\n")%r(FourOhFourRequest,32,"Wrong!\x20Please\x2
SF:0enter\x20the\x20correct\x20current\x20password\.\n")%r(LPDString,32,"W
SF:rong!\x20Please\x20enter\x20the\x20correct\x20current\x20password\.\n")
SF:%r(SIPOptions,32,"Wrong!\x20Please\x20enter\x20the\x20correct\x20curren
SF:t\x20password\.\n");
nmap -p 31960 -sV --script=ssl-enum-ciphers localhost
PORT STATE SERVICE VERSION
31960/tcp open echo
# 通过ssl连接
openssl s_client -connect localhost:31790
# 输入当前密码:kSkvUpMQ7lBYyCM4GBPvCvT1BfWRy0Dx
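最终用下面这条命令成功。不加 -quiet 时,s_client 处于交互模式,(较新版本的 OpenSSL)会把以 k、R、Q 等字母开头的输入行当作内部命令(密钥更新、重新协商、退出)处理,而当前密码恰好以 k 开头;加上 -quiet 后不再解析这些命令,密码才会原样发送给服务端: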
openssl s_client -connect localhost:31790 -quiet


知识盲区:我混淆了用于验证服务器身份的证书(Certificate)和登录用的 RSA 私钥(private key)的格式。

这道题卡了三天,我觉得:关键在于耐心和不服输,不要用力过猛,不要执着或纠结,但是要持之以恒,有拿下困难的信心。

bandit17@bandit:~$ whoami
bandit17
bandit17@bandit:~$
bandit17@bandit:~$
bandit17@bandit:~$ ls
passwords.new passwords.old
bandit17@bandit:~$ diff passwords.old passwords.new
42c42
< 0vYv4iuDikHzDLKFtxEkJFxewAjjox0c
---
> x2gLTTjFwMOhQ8oWNbMN362QKxfRqGlO

登录时直接执行 cat readme 命令:
ssh bandit18@bandit.labs.overthewire.org "cat readme"




先打开一个tab

cat /etc/bandit_pass/bandit20 | nc -l -p 20202
再开一个 tab,用 home 目录下的 suconnect 连接前一个 tab 中 nc 监听的 20202 端口。

bandit20@bandit:~$ ./suconnect 20202
Read: 0qXahG8ZjOVMN9Ghs7iOWsCfZyXOUbYO
Password matches, sending next password
bandit20@bandit:~$
密码:
EeoULMCra2q0dSkYj561DX7s1CpBuOBt

bandit21@bandit:~$ whoami
bandit21
bandit21@bandit:~$ cd /etc/cron.d
bandit21@bandit:/etc/cron.d$ pwd
/etc/cron.d
bandit21@bandit:/etc/cron.d$ ls -la
total 60
drwxr-xr-x 2 root root 4096 Jun 14 17:57 .
drwxr-xr-x 132 root root 12288 Jun 14 17:57 ..
-r--r----- 1 root root 47 Jun 14 17:54 behemoth4_cleanup
-rw-r--r-- 1 root root 123 Jun 14 17:46 clean_tmp
-rw-r--r-- 1 root root 120 Jun 14 17:54 cronjob_bandit22
-rw-r--r-- 1 root root 122 Jun 14 17:54 cronjob_bandit23
-rw-r--r-- 1 root root 120 Jun 14 17:54 cronjob_bandit24
-rw-r--r-- 1 root root 201 Apr 8 2024 e2scrub_all
-r--r----- 1 root root 48 Jun 14 17:55 leviathan5_cleanup
-rw------- 1 root root 138 Jun 14 17:56 manpage3_resetpw_job
-rwx------ 1 root root 52 Jun 14 17:57 otw-tmp-dir
-rw-r--r-- 1 root root 102 Mar 31 2024 .placeholder
-rw-r--r-- 1 root root 396 Jan 9 2024 sysstat
bandit21@bandit:/etc/cron.d$ cat cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
bandit21@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
bandit21@bandit:/etc/cron.d$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
tRae0UfB9v0UzbCdn9cY0gQnds9GF58Q
bandit21@bandit:/etc/cron.d$
密码:tRae0UfB9v0UzbCdn9cY0gQnds9GF58Q
bandit22@bandit:~$ whoami
bandit22
bandit22@bandit:~$ cd /etc/cron.d
bandit22@bandit:/etc/cron.d$ ls -la
total 60
drwxr-xr-x 2 root root 4096 Jun 14 17:57 .
drwxr-xr-x 132 root root 12288 Jun 14 17:57 ..
-r--r----- 1 root root 47 Jun 14 17:54 behemoth4_cleanup
-rw-r--r-- 1 root root 123 Jun 14 17:46 clean_tmp
-rw-r--r-- 1 root root 120 Jun 14 17:54 cronjob_bandit22
-rw-r--r-- 1 root root 122 Jun 14 17:54 cronjob_bandit23
-rw-r--r-- 1 root root 120 Jun 14 17:54 cronjob_bandit24
-rw-r--r-- 1 root root 201 Apr 8 2024 e2scrub_all
-r--r----- 1 root root 48 Jun 14 17:55 leviathan5_cleanup
-rw------- 1 root root 138 Jun 14 17:56 manpage3_resetpw_job
-rwx------ 1 root root 52 Jun 14 17:57 otw-tmp-dir
-rw-r--r-- 1 root root 102 Mar 31 2024 .placeholder
-rw-r--r-- 1 root root 396 Jan 9 2024 sysstat
bandit22@bandit:/etc/cron.d$ cat cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
bandit22@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
bandit22@bandit:/etc/cron.d$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
tRae0UfB9v0UzbCdn9cY0gQnds9GF58Q
bandit22@bandit:/etc/cron.d$



