CTF Bandit Level 4 → Level 5 Tutorial - Finding the Password

This post covers moving from Level 4 to Level 5. If you have not read the previous post, note that you need the previous level's password to get past this one, so please follow the levels in order.

I enter the commands from the root account. If you are not root and a command fails, put sudo in front of it.


First, open the Bandit page on the OverTheWire site to check the problem for this level.

Here is this level's problem:

The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.

 

It says the password for the next level is stored in the only human-readable file in the inhere directory.

As a tip, it says to use the reset command if your terminal gets garbled or messed up.

 

 

ssh -p 2220 bandit4@bandit.labs.overthewire.org

Open a terminal, enter the connection command above and connect to the bandit server.

The password here is the one you obtained in the previous level.

 

 

root@kali:~# ssh -p 2220 bandit4@bandit.labs.overthewire.org
The authenticity of host '[bandit.labs.overthewire.org]:2220 ([176.9.9.172]:2220)' can't be established.
ECDSA key fingerprint is SHA256:98UL0ZWr85496EtCRkKlo20X3OPnyPSB5tB5RPbhczc.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[bandit.labs.overthewire.org]:2220,[176.9.9.172]:2220' (ECDSA) to the list of known hosts.
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit4@bandit.labs.overthewire.org's password: 
Linux bandit.otw.local 5.4.8 x86_64 GNU/Linux

      ,----..            ,----,          .---.
     /   /   \         ,/   .`|         /. ./|
    /   .     :      ,`   .'  :     .--'.  ' ;
   .   /   ;.  \   ;    ;     /    /__./ \ : |
  .   ;   /  ` ; .'___,/    ,' .--'.  '   \' .
  ;   |  ; \ ; | |    :     | /___/ \ |    ' '
  |   :  | ; | ' ;    |.';  ; ;   \  \;      :
  .   |  ' ' ' : `----'  |  |  \   ;  `      |
  '   ;  \; /  |     '   :  ;   .   \    .\  ;
   \   \  ',  /      |   |  '    \   \   ' \ |
    ;   :    /       '   :  |     :   '  |--"
     \   \ .'        ;   |.'       \   \ ;
  www. `---` ver     '---' he       '---" ire.org


Welcome to OverTheWire!

If you find any problems, please report them to Steven or morla on
irc.overthewire.org.

--[ Playing the games ]--

  This machine might hold several wargames.
  If you are playing "somegame", then:

    * USERNAMES are somegame0, somegame1, ...
    * Most LEVELS are stored in /somegame/.
    * PASSWORDS for each level are stored in /etc/somegame_pass/.

  Write-access to homedirectories is disabled. It is advised to create a
  working directory with a hard-to-guess name in /tmp/.  You can use the
  command "mktemp -d" in order to generate a random and hard to guess
  directory in /tmp/.  Read-access to both /tmp/ and /proc/ is disabled
  so that users can not snoop on eachother. Files and directories with
  easily guessable or short names will be periodically deleted!

  Please play nice:

    * don't leave orphan processes running
    * don't leave exploit-files laying around
    * don't annoy other players
    * don't post passwords or spoilers
    * again, DONT POST SPOILERS!
      This includes writeups of your solution on your blog or website!

--[ Tips ]--

  This machine has a 64bit processor and many security-features enabled
  by default, although ASLR has been switched off.  The following
  compiler flags might be interesting:

    -m32                    compile for 32bit
    -fno-stack-protector    disable ProPolice
    -Wl,-z,norelro          disable relro

  In addition, the execstack tool can be used to flag the stack as
  executable on ELF binaries.

  Finally, network-access is limited for most levels by a local
  firewall.

--[ Tools ]--

 For your convenience we have installed a few usefull tools which you can find
 in the following locations:

    * gef (https://github.com/hugsy/gef) in /usr/local/gef/
    * pwndbg (https://github.com/pwndbg/pwndbg) in /usr/local/pwndbg/
    * peda (https://github.com/longld/peda.git) in /usr/local/peda/
    * gdbinit (https://github.com/gdbinit/Gdbinit) in /usr/local/gdbinit/
    * pwntools (https://github.com/Gallopsled/pwntools)
    * radare2 (http://www.radare.org/)
    * checksec.sh (http://www.trapkit.de/tools/checksec.html) in /usr/local/bin/checksec.sh

--[ More information ]--

  For more information regarding individual wargames, visit
  http://www.overthewire.org/wargames/

  For support, questions or comments, contact us through IRC on
  irc.overthewire.org #wargames.

  Enjoy your stay!

bandit4@bandit:~$ whoami
bandit4
bandit4@bandit:~$ 

 

The username in the prompt has changed to bandit4, which confirms that we connected successfully.

 

bandit4@bandit:~$ ls
inhere

Use the ls command to see which files are in the current directory.

Running ls shows a single directory named inhere.

As mentioned in the problem, inhere appears to be the directory where the password is stored.

Use the cd command to move into that directory.

 

bandit4@bandit:~$ cd inhere
bandit4@bandit:~/inhere$ ls
-file00  -file02  -file04  -file06  -file08
-file01  -file03  -file05  -file07  -file09
bandit4@bandit:~/inhere$ 

After moving into inhere with cd, running ls again shows several files in the directory, named -file00 through -file09.

Let's check the contents of -file00 with the cat command.

 

bandit4@bandit:~/inhere$ cat -file00
cat: invalid option -- 'f'
Try 'cat --help' for more information.

The error happened because cat did not treat -file00 as a filename: since the name starts with a dash, it parsed it as a cluster of short options and failed on the first one, -f.

In other words, we typed cat -file00 to print the contents of a file named -file00, but the computer interpreted it as cat -f, and that is what caused the error.

We had a similar situation before: a file named - could not be printed with cat, so we prefixed it with ./ to make it a path instead of an option.

Let's do the same here and run the command with ./ in front of the filename.

 

bandit4@bandit:~/inhere$ cat ./-file00
�/`2ғ�%��rL~5�g��� �����bandit4@bandit:~/inhere$ 

 

The file contents are printed to the terminal, but the characters are garbled and unreadable. In other words, this file holds binary data, not human-readable text.

Now enter the filename in the terminal as shown below:

 

bandit4@bandit:~/inhere$ cat ./-file*
�/`2ғ�%��rL~5�g��� �������p,k�;��r*��   �.!��C��J       �dx,�e�)�#��5��
?��r�l$�?h�9('���!y�e�#�x�O��=��ly���~��A�f����-E�{���m�����ܗMkoReBOKuIDDepwhWk7jZC0RTdopnAYKh
�T�?�i��j���îP�F�l�n��J����{��@�e�0$�in=��_b�5FA�P7sz��gNbandit4@bandit:~/inhere$ 

 

Instead of the two digits, put an asterisk after the filename. The asterisk is a shell wildcard, so ./-file* expands to every file in the directory whose name starts with -file.

This way, the contents of all the files from 00 to 09 are concatenated and printed in one go.

�/`2ғ�%��rL~5�g��� �������p,k�;��r*��   �.!��C��J       �dx,�e�)�#��5��
?��r�l$�?h�9('���!y�e�#�x�O��=��ly���~��A�f����-E�{���m�����ܗMkoReBOKuIDDepwhWk7jZC0RTdopnAYKh
�T�?�i��j���îP�F�l�n��J����{��@�e�0$�in=��_b�5FA�P7sz��g

The output above is the combined contents of files 00 through 09.

 

Looking through the output above for anything that could be a password,

the only string we can read as a continuous run of characters appears to be MkoReBOKuIDDepwhWk7jZC0RTdopnAYKh.

Judging by its position in the concatenated output, the file containing MkoReBOKuIDDepwhWk7jZC0RTdopnAYKh should be number 06 or 07.

 

bandit4@bandit:~/inhere$ cat ./-file06
ly���~��A�f����-E�{���m�����ܗMbandit4@bandit:~/inhere$ cat ./-file07
koReBOKuIDDepwhWk7jZC0RTdopnAYKh
bandit4@bandit:~/inhere$ 

Printing file06 and file07 individually,

we can confirm the string koReBOKuIDDepwhWk7jZC0RTdopnAYKh in -file07.

In the concatenated cat output the leading M of that run actually came from the end of file06's binary data, so we leave it out and use only the string in file07 as the password for the next level.
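Eyeballing a concatenated dump, as above, is error-prone (the stray M shows why). The script below is an added example, not part of the original post: it builds a constructed copy of the inhere layout in a temporary directory (ten files named -file00 to -file09, nine holding non-printable bytes and one holding plain ASCII) and then picks out the human-readable file by checking its bytes. The file contents and the sample text are made up; the function names make_sample_dir and find_readable are this example's own.

```shell
#!/bin/sh
# Added example: find the only human-readable file in a Bandit-style
# "inhere" directory by testing bytes instead of reading a cat ./-file* dump.
set -eu

# Build a constructed sample directory and print its path.
make_sample_dir() {
    d=$(mktemp -d)
    i=0
    while [ "$i" -lt 10 ]; do
        n=$(printf '%02d' "$i")
        # Deterministic "binary junk": printable letters mixed with bytes
        # 0x01 and 0xFF, which are outside the printable ASCII range.
        printf 'ab\001\377cd\n' > "$d/-file$n"
        i=$((i + 1))
    done
    # Exactly one file holds only printable ASCII (a constructed stand-in
    # for the real password file; not the actual level password).
    printf 'sample-readable-text-0123456789\n' > "$d/-file07"
    echo "$d"
}

# Print the path of every -file* in directory $1 whose bytes are all
# printable ASCII or whitespace. Because each name is joined to the
# directory path, the argument never starts with "-", which is the same
# job the ./ prefix does in cat ./-file00.
find_readable() {
    for f in "$1"/-file*; do
        # LC_ALL=C makes [:print:] mean bytes 0x20-0x7E only. grep -q exits 0
        # when it finds a byte that is neither printable nor whitespace, so
        # the negation selects files with no such byte.
        if ! LC_ALL=C grep -q '[^[:print:][:space:]]' "$f"; then
            echo "$f"
        fi
    done
}

dir=$(make_sample_dir)
find_readable "$dir"      # prints only .../-file07
rm -rf "$dir"
```

On the real server you would run the equivalent of find_readable against ~/inhere; the file command (file ./-file*) reaches the same conclusion by reporting which file is "ASCII text".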

 

Now let's move on to the next level.

Enter the exit command to close the ssh connection.

 

ssh -p 2220 bandit5@bandit.labs.overthewire.org

Let's connect to bandit5 over ssh. When prompted, enter the string obtained above as the password and confirm that it is accepted.

 

lrIWWI6bB37kxfiCQZqUdOIYfr6eEeqR

 

 

root@kali:~# ssh -p 2220 bandit5@bandit.labs.overthewire.org
This is a OverTheWire game server. More information on http://www.overthewire.org/wargames

bandit5@bandit.labs.overthewire.org's password: 
Linux bandit.otw.local 5.4.8 x86_64 GNU/Linux

bandit5@bandit:~$ whoami
bandit5
bandit5@bandit:~$ 