There is a git repository at ssh://bandit30-git@localhost/home/bandit30-git/repo via the port 2220. The password for the user bandit30-git is the same as for the user bandit30.
Clone the repository and find the password for the next level.
git
git clone ssh://bandit30-git@localhost:2220/home/bandit30-git/repo
qp30ex3VLz5MDG1n91YowTv4Q8l7CDZL
bandit30@bandit:/tmp/tmp.AVcTRGMwdt$ git clone ssh://bandit30-git@localhost:2220/home/bandit30-git/repo
Cloning into 'repo'...
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can't be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/home/bandit30/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/home/bandit30/.ssh/known_hosts).
_ _ _ _
| |__ __ _ _ __ __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|
This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames
bandit30-git@localhost's password:
remote: Enumerating objects: 4, done.
remote: Counting objects: 100% (4/4), done.
remote: Total 4 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (4/4), done.
bandit30@bandit:/tmp/tmp.AVcTRGMwdt$
bandit30@bandit:/tmp/tmp.AVcTRGMwdt$ cd repo
bandit30@bandit:/tmp/tmp.AVcTRGMwdt/repo$ cat README.md
just an epmty file... muahaha
bandit30@bandit:/tmp/tmp.AVcTRGMwdt/repo$
Let's look at the tags.
bandit30@bandit:/tmp/tmp.AVcTRGMwdt/repo$ git tag
secret
bandit30@bandit:/tmp/tmp.AVcTRGMwdt/repo$ git branch -a
* master
remotes/origin/HEAD -> origin/master
remotes/origin/master
bandit30@bandit:/tmp/tmp.AVcTRGMwdt/repo$ git checkout -b master secret
fatal: reference is not a tree: secret
bandit30@bandit:/tmp/tmp.AVcTRGMwdt/repo$ git show secret
fb5S2xb7bRyFmAvQYQGEqsbhVyJqhnDy
bandit30@bandit:/tmp/tmp.AVcTRGMwdt/repo$
fb5S2xb7bRyFmAvQYQGEqsbhVyJqhnDy
?? The password just came out;;
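The tag above points at a blob rather than a commit, which is why `git checkout` reports "not a tree" while `git show` prints the content. The following added example (not part of the original write-up) lists every ref whose target is not a commit; the sample repository, its placeholder content and the function names are constructed for illustration.

```shell
#!/bin/sh
# Build a throwaway repository (constructed sample data, not the game's repo)
# with one ordinary tag and one lightweight tag that points straight at a blob.
make_sample_repo() {
  repo=$(mktemp -d) || return 1
  git init -q "$repo" || return 1
  printf 'just a readme\n' > "$repo/README.md"
  git -C "$repo" add README.md
  git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid \
    commit -q -m 'initial commit'
  blob=$(printf 'CONSTRUCTED-PLACEHOLDER-VALUE\n' | git -C "$repo" hash-object -w --stdin)
  git -C "$repo" tag secret "$blob"   # tag -> blob, reachable from no commit
  git -C "$repo" tag v1.0             # tag -> HEAD commit, the normal case
  printf '%s\n' "$repo"
}

# Print "<type> <refname>" for every ref whose target is not a commit.
# %(*objecttype) is the type an annotated tag points at; it is empty for
# lightweight tags and branches, so fall back to %(objecttype).
non_commit_refs() {
  git -C "$1" for-each-ref --format='%(objecttype)|%(*objecttype)|%(refname)' |
  while IFS='|' read -r type peeled ref; do
    target=${peeled:-$type}
    [ "$target" = commit ] || printf '%s %s\n' "$target" "$ref"
  done
}

repo=$(make_sample_repo)
non_commit_refs "$repo"
git -C "$repo" cat-file -p refs/tags/secret   # dump the blob the tag points at
rm -rf "$repo"
```

Such objects never appear in `git log` or in any checked-out tree, so a review of history alone will miss them.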
There is a git repository at ssh://bandit31-git@localhost/home/bandit31-git/repo via the port 2220. The password for the user bandit31-git is the same as for the user bandit31.
Clone the repository and find the password for the next level.
git
git clone ssh://bandit31-git@localhost:2220/home/bandit31-git/repo
fb5S2xb7bRyFmAvQYQGEqsbhVyJqhnDy
bandit31@bandit:~$ mktemp -d
/tmp/tmp.qNyfXVZIRG
bandit31@bandit:~$ cd /tmp/tmp.qNyfXVZIRG
bandit31@bandit:/tmp/tmp.qNyfXVZIRG$ git clone ssh://bandit31-git@localhost:2220/home/bandit31-git/repo
Cloning into 'repo'...
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can't be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/home/bandit31/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/home/bandit31/.ssh/known_hosts).
_ _ _ _
| |__ __ _ _ __ __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|
This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames
bandit31-git@localhost's password:
Permission denied, please try again.
bandit31-git@localhost's password:
remote: Enumerating objects: 4, done.
remote: Counting objects: 100% (4/4), done.
remote: Compressing objects: 100% (3/3), done.
remote: Total 4 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (4/4), done.
bandit31@bandit:/tmp/tmp.qNyfXVZIRG$
bandit31@bandit:/tmp/tmp.qNyfXVZIRG$ cd repo
bandit31@bandit:/tmp/tmp.qNyfXVZIRG/repo$ ls
README.md
bandit31@bandit:/tmp/tmp.qNyfXVZIRG/repo$ cat README.md
This time your task is to push a file to the remote repository.
Details:
File name: key.txt
Content: 'May I come in?'
Branch: master
bandit31@bandit:/tmp/tmp.qNyfXVZIRG/repo$
Let's look at the log, tags, and branches.
bandit31@bandit:/tmp/tmp.qNyfXVZIRG/repo$ git log
commit e48235bba7da974c6fb1dc0fb83e3485f059db37 (HEAD -> master, origin/master, origin/HEAD)
Author: Ben Dover <noone@overthewire.org>
Date: Thu Sep 19 07:08:46 2024 +0000
initial commit
bandit31@bandit:/tmp/tmp.qNyfXVZIRG/repo$ git tag # no tags.
bandit31@bandit:/tmp/tmp.qNyfXVZIRG/repo$ git branch -a
* master
remotes/origin/HEAD -> origin/master
remotes/origin/master
bandit31@bandit:/tmp/tmp.qNyfXVZIRG/repo$
bandit31@bandit:/tmp/tmp.qNyfXVZIRG/repo$ ls -alrt
total 20
drwx------ 3 bandit31 bandit31 4096 Jan 18 16:26 ..
-rw-rw-r-- 1 bandit31 bandit31 6 Jan 18 16:26 .gitignore
drwxrwxr-x 3 bandit31 bandit31 4096 Jan 18 16:26 .
-rw-rw-r-- 1 bandit31 bandit31 147 Jan 18 16:26 README.md
drwxrwxr-x 8 bandit31 bandit31 4096 Jan 18 16:26 .git
bandit31@bandit:/tmp/tmp.qNyfXVZIRG/repo$ cat .gitignore
*.txt
bandit31@bandit:/tmp/tmp.qNyfXVZIRG/repo$
Let's review the task.
This time your task is to push a file to the remote repository.
Details:
File name: key.txt
Content: 'May I come in?'
Branch: master
Push key.txt, containing “May I come in?”, to the remote repository.
If .gitignore contains *.txt, key.txt is left out of what gets pushed, so remove that entry.
bandit31@bandit:/tmp/tmp.qNyfXVZIRG/repo$ cat .gitignore
bandit31@bandit:/tmp/tmp.qNyfXVZIRG/repo$
Create key.txt.
bandit31@bandit:/tmp/tmp.qNyfXVZIRG/repo$ cat > key.txt
May I come in?
bandit31@bandit:/tmp/tmp.qNyfXVZIRG/repo$
Check the state with git status.
bandit31@bandit:/tmp/tmp.qNyfXVZIRG/repo$ git status
On branch master
Your branch is up to date with 'origin/master'.
Changes not staged for commit:
(use "git add <file>..." to update what will be committed)
(use "git restore <file>..." to discard changes in working directory)
modified: .gitignore
Untracked files:
(use "git add <file>..." to include in what will be committed)
key.txt
no changes added to commit (use "git add" and/or "git commit -a")
bandit31@bandit:/tmp/tmp.qNyfXVZIRG/repo$
Stage the key.txt file with git add.
bandit31@bandit:/tmp/tmp.qNyfXVZIRG/repo$ git add key.txt
bandit31@bandit:/tmp/tmp.qNyfXVZIRG/repo$ git status
On branch master
Your branch is up to date with 'origin/master'.
Changes to be committed:
(use "git restore --staged <file>..." to unstage)
new file: key.txt
Changes not staged for commit:
(use "git add <file>..." to update what will be committed)
(use "git restore <file>..." to discard changes in working directory)
modified: .gitignore
bandit31@bandit:/tmp/tmp.qNyfXVZIRG/repo$
Everything is ready to commit, so commit.
bandit31@bandit:/tmp/tmp.qNyfXVZIRG/repo$ git commit -m "May I come in?"
[master f32440c] May I come in?
1 file changed, 1 insertion(+)
create mode 100644 key.txt
bandit31@bandit:/tmp/tmp.qNyfXVZIRG/repo$
git push origin master
Use git push to send local commits to the remote repository:
$ git push [alias] [branch name]
Use git push to send commits to a remote branch other than the current branch:
git push [alias] [local branch name]:[remote branch name]
bandit31@bandit:/tmp/tmp.qNyfXVZIRG/repo$ git remote
origin
bandit31@bandit:/tmp/tmp.qNyfXVZIRG/repo$ git push origin master
The authenticity of host '[localhost]:2220 ([127.0.0.1]:2220)' can't be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/home/bandit31/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/home/bandit31/.ssh/known_hosts).
_ _ _ _
| |__ __ _ _ __ __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|
This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames
bandit31-git@localhost's password:
Enumerating objects: 4, done.
Counting objects: 100% (4/4), done.
Delta compression using up to 2 threads
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 327 bytes | 327.00 KiB/s, done.
Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
remote: ### Attempting to validate files... ####
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
remote: Well done! Here is the password for the next level:
remote: 3O9RfhqyAlVBEZpVb6LYStshZoqoSx5K
remote:
remote: .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.
remote:
To ssh://localhost:2220/home/bandit31-git/repo
! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'ssh://localhost:2220/home/bandit31-git/repo'
bandit31@bandit:/tmp/tmp.qNyfXVZIRG/repo$
3O9RfhqyAlVBEZpVb6LYStshZoqoSx5K
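The .gitignore step above can be diagnosed and handled without editing the file, as this added example shows (it is not part of the original write-up). It builds a constructed local repository with the same `*.txt` rule; the function names are hypothetical.

```shell
#!/bin/sh
# Constructed repository mirroring the level: .gitignore holds "*.txt" and
# key.txt exists in the working tree but is not yet tracked.
make_ignored_repo() {
  repo=$(mktemp -d) || return 1
  git init -q "$repo" || return 1
  printf '*.txt\n' > "$repo/.gitignore"
  printf 'May I come in?\n' > "$repo/key.txt"
  printf '%s\n' "$repo"
}

# Print "<file>:<line>:<pattern>" for the rule that ignores a path
# (empty output when no rule matches).
ignoring_rule() {
  git -C "$1" check-ignore -v -- "$2" | cut -f1
}

# A plain "git add" of an explicitly named ignored path is refused.
plain_add() {
  git -C "$1" add -- "$2" 2>/dev/null && echo staged || echo refused
}

# "git add -f" stages that one path and leaves .gitignore untouched.
force_stage() {
  git -C "$1" add -f -- "$2" && git -C "$1" diff --cached --name-only
}

repo=$(make_ignored_repo)
ignoring_rule "$repo" key.txt
plain_add "$repo" key.txt
force_stage "$repo" key.txt
rm -rf "$repo"
```

Forcing the single path keeps the ignore rule in place, so the working tree does not end up with an uncommitted change to .gitignore as in the `git status` output above.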
After all this git stuff, it’s time for another escape. Good luck!
sh, man
bandit32:x:11032:11032:bandit level 32:/home/bandit32:/home/bandit32/uppershell
,----.. ,----, .---.
/ / \ ,/ .`| /. ./|
/ . : ,` .' : .--'. ' ;
. / ;. \ ; ; / /__./ \ : |
. ; / ` ; .'___,/ ,' .--'. ' \' .
; | ; \ ; | | : | /___/ \ | ' '
| : | ; | ' ; |.'; ; ; \ \; :
. | ' ' ' : `----' | | \ ; ` |
' ; \; / | ' : ; . \ .\ ;
\ \ ', / | | ' \ \ ' \ |
; : / ' : | : ' |--"
\ \ .' ; |.' \ \ ;
www. `---` ver '---' he '---" ire.org
Welcome to OverTheWire!
If you find any problems, please report them to the #wargames channel on
discord or IRC.
--[ Playing the games ]--
This machine might hold several wargames.
If you are playing "somegame", then:
* USERNAMES are somegame0, somegame1, ...
* Most LEVELS are stored in /somegame/.
* PASSWORDS for each level are stored in /etc/somegame_pass/.
Write-access to homedirectories is disabled. It is advised to create a
working directory with a hard-to-guess name in /tmp/. You can use the
command "mktemp -d" in order to generate a random and hard to guess
directory in /tmp/. Read-access to both /tmp/ is disabled and to /proc
restricted so that users cannot snoop on eachother. Files and directories
with easily guessable or short names will be periodically deleted! The /tmp
directory is regularly wiped.
Please play nice:
* don't leave orphan processes running
* don't leave exploit-files laying around
* don't annoy other players
* don't post passwords or spoilers
* again, DONT POST SPOILERS!
This includes writeups of your solution on your blog or website!
--[ Tips ]--
This machine has a 64bit processor and many security-features enabled
by default, although ASLR has been switched off. The following
compiler flags might be interesting:
-m32 compile for 32bit
-fno-stack-protector disable ProPolice
-Wl,-z,norelro disable relro
In addition, the execstack tool can be used to flag the stack as
executable on ELF binaries.
Finally, network-access is limited for most levels by a local
firewall.
--[ Tools ]--
For your convenience we have installed a few useful tools which you can find
in the following locations:
* gef (https://github.com/hugsy/gef) in /opt/gef/
* pwndbg (https://github.com/pwndbg/pwndbg) in /opt/pwndbg/
* gdbinit (https://github.com/gdbinit/Gdbinit) in /opt/gdbinit/
* pwntools (https://github.com/Gallopsled/pwntools)
* radare2 (http://www.radare.org/)
--[ More information ]--
For more information regarding individual wargames, visit
http://www.overthewire.org/wargames/
For support, questions or comments, contact us on discord or IRC.
Enjoy your stay!
WELCOME TO THE UPPERCASE SHELL
>>
Test
/home/bandit32/uppershell
WELCOME TO THE UPPERCASE SHELL
>> ls
sh: 1: LS: Permission denied
>> id
sh: 1: ID: Permission denied
>> $HOME
sh: 1: /home/bandit32: Permission denied
>> $PWD
sh: 1: /home/bandit32: Permission denied
>> ls -al
sh: 1: LS: Permission denied
The level lists “sh, man” as commands, so let's test sh.
sh
bandit31@bandit:~$ sh
$ LS
sh: 1: LS: Permission denied
$ ID
sh: 2: ID: Permission denied
$ $HOME
sh: 3: /home/bandit31: Permission denied
$ $PWD
sh: 4: /home/bandit31: Permission denied
$ ls -al
total 24
drwxr-xr-x 2 root root 4096 Sep 19 07:08 .
drwxr-xr-x 70 root root 4096 Sep 19 07:09 ..
-rw-r--r-- 1 root root 220 Mar 31 2024 .bash_logout
-rw-r--r-- 1 root root 3771 Mar 31 2024 .bashrc
-rwxr-xr-x 1 root root 59 Sep 19 07:08 .gitconfig
-rw-r--r-- 1 root root 807 Mar 31 2024 .profile
$ LS -AL
sh: 6: LS: Permission denied
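One notable difference:
Here the N in “sh: N” increases with each command, whereas in the uppercase shell above it stays fixed at sh: 1.
Since it is always sh: 1, we can tell that /bin/sh is being used.
man sh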
-c
Read commands from the command_string operand instead of from the standard input. Special parameter 0 will be set from the command_name operand and the positional parameters ($1, $2, etc.) set from the remaining argument operands.
https://linuxhandbook.com/bash-special-variables/
Here's quick look into the special variables you get in bash shell:
| Special Variable | Description |
|---|---|
| $0 | Gets the name of the current script. |
| $# | Gets the number of arguments passed while executing the bash script. |
| $* | Gives you a string containing every command-line argument. |
| $@ | It stores the list of every command-line argument as an array. |
| $1-$9 | Stores the first 9 arguments. |
| $? | Gets the status of the last command or the most recently executed process. |
| $! | Shows the process ID of the last background command. |
| $$ | Gets the process ID of the current shell. |
| $- | It will print the current set of options in your current shell. |
>> $0
$ ps
PID TTY TIME CMD
1405428 pts/43 00:00:00 sh
1405429 pts/43 00:00:00 sh
1405440 pts/43 00:00:00 ps
$ ls
uppershell
$ ls -alrt
total 36
-rw-r--r-- 1 root root 807 Mar 31 2024 .profile
-rw-r--r-- 1 root root 3771 Mar 31 2024 .bashrc
-rw-r--r-- 1 root root 220 Mar 31 2024 .bash_logout
-rwsr-x--- 1 bandit33 bandit32 15136 Sep 19 07:08 uppershell
drwxr-xr-x 2 root root 4096 Sep 19 07:08 .
drwxr-xr-x 70 root root 4096 Sep 19 07:09 ..
$ /bin/bash
bandit33@bandit:~$
bandit33@bandit:~$ file uppershell
uppershell: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=9a0992be6dd4b3e5fd9693be1d039ad4a68eaa70, for GNU/Linux 3.2.0, not stripped
bandit33@bandit:~$
(gdb) info functions
All defined functions:
Non-debugging symbols:
0x08049000 _init
0x08049030 __libc_start_main@plt
0x08049040 printf@plt
0x08049050 fflush@plt
0x08049060 fgets@plt
0x08049070 geteuid@plt
0x08049080 puts@plt
0x08049090 system@plt
0x080490a0 exit@plt
0x080490b0 setreuid@plt
0x080490c0 toupper@plt
0x080490d0 _start
0x080490fd __wrap_main
0x08049110 _dl_relocate_static_pie
0x08049120 __x86.get_pc_thunk.bx
0x08049130 deregister_tm_clones
0x08049170 register_tm_clones
0x080491b0 __do_global_dtors_aux
0x080491e0 frame_dummy
0x080491e6 main
0x080492f4 _fini
(gdb)
(gdb) info variables
All defined variables:
Non-debugging symbols:
0x080481cc __abi_tag
0x0804a000 _fp_hw
0x0804a004 _IO_stdin_used
0x0804a02c __GNU_EH_FRAME_HDR
0x0804a0fc __FRAME_END__
0x0804bf00 __frame_dummy_init_array_entry
0x0804bf04 __do_global_dtors_aux_fini_array_entry
0x0804bf08 _DYNAMIC
0x0804bff4 _GLOBAL_OFFSET_TABLE_
0x0804c028 __data_start
0x0804c028 data_start
0x0804c02c __dso_handle
0x0804c030 __TMC_END__
0x0804c030 _edata
0x0804c040 __bss_start
0x0804c040 stdin
0x0804c040 stdin@GLIBC_2.0
0x0804c044 completed
0x0804c048 _end
(gdb)
(gdb) p (char *) 0x804a008
$7 = 0x804a008 "WELCOME TO THE UPPERCASE SHELL"
(gdb) p (char *) 0x804a027
$8 = 0x804a027 ">> "
(gdb)
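Why uppercasing is not input sanitization, as an added example that is not part of the original write-up: a shell model of the wrapper in which `tr` stands in for toupper() and `sh -c` for system(), as the imported functions listed above suggest. The function names and the allowlist dispatcher are hypothetical.

```shell
#!/bin/sh
# Model of the wrapper's filter: uppercase the line (tr stands in for toupper()).
upper_filter() {
  printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# Report whether a line reaches the shell unchanged, i.e. the filter did nothing.
filter_verdict() {
  if [ "$(upper_filter "$1")" = "$1" ]; then
    printf 'unchanged'
  else
    printf 'rewritten'
  fi
}

# What $0 expands to when a command string is run through "sh -c", which is
# how system(3) hands its argument to the shell.
dollar_zero_under_sh_c() {
  sh -c 'printf "%s\n" "$0"'
}

# Hardened dispatcher (hypothetical): compare the whole line with a fixed
# allowlist and run the command directly, so no user text is parsed by a shell.
safe_dispatch() {
  case "$1" in
    ls) ls ;;
    id) id ;;
    *)  printf 'rejected\n'; return 1 ;;
  esac
}

# Inputs taken from the session above.
for line in 'ls' 'id' '$HOME' '$PWD' '$0'; do
  printf '%-6s %s\n' "$line" "$(filter_verdict "$line")"
done
dollar_zero_under_sh_c
safe_dispatch '$0' || true
```

Anything without lowercase letters passes the filter untouched and is still expanded by the shell, so the check has to happen before a shell ever sees the text.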
uppershell
$ id
uid=11033(bandit33) gid=11032(bandit32) groups=11032(bandit32)
$ cat /etc/bandit_pass/bandit33
tQdtbs5D5i2vJwkO8mEyYEyTL8izoeJ0