Bandit 23
Objectives
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
Solution
OK, so another level dealing with cron jobs.
Let's see what files we have to work with.
bandit22@bandit:~$ ls
Nothing in the home directory, so let's check /etc/cron.d.
bandit22@bandit:~$ ls /etc/cron.d
cronjob_bandit22 cronjob_bandit23 cronjob_bandit24
Cool, so there is another cron job, cronjob_bandit23. Let's check that file.
bandit22@bandit:~$ cat /etc/cron.d/cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
Alright, it's running /usr/bin/cronjob_bandit23.sh as bandit23 at reboot (and, per the second line, every minute). Let's see what's in there.
bandit22@bandit:~$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget
Let's decode this.
There are two variables at the top of the script:
myname=$(whoami) - this returns the name of the user running the script.
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1) - this takes the text "I am user $myname" (with $myname filled in from the first variable) and creates an MD5 hash of it. md5sum prints the hash followed by a space and a file name ("-" for standard input); cut -d ' ' -f 1 splits on spaces and keeps only the first field, the hash itself.
Then the script copies the password file from the bandit password directory (/etc/bandit_pass) into a file in /tmp whose name is the value of mytarget:
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget
Let's see what this does as the bandit22 user.
bandit22@bandit:~$ mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
bandit22@bandit:~$ echo I am user $myname | md5sum | cut -d ' ' -f 1
8169b67bd894ddbb4412f91573b38db3
OK, that's cool, but we aren't looking for the result of running this as the bandit22 user. We want the bandit23 password, which the cron job would have copied when the server booted.
Let's edit the commands a little to supply what whoami would return for bandit23, instead of using the name of the logged-in user.
bandit22@bandit:~$ myname=bandit23
bandit22@bandit:~$ echo I am user $myname | md5sum | cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349
Let's see if there is a file in /tmp named 8ca319486bfbbc3663ea0fbe81326349.
Sure is.
bandit22@bandit:~$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
Again, this really isn't conducive to scripting out in Python, so I'll skip that.
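The name derivation walked through above, as an added example that is not part of the original post (function names are hypothetical). It shows that the /tmp file name depends only on the user name, so any local user can compute it, and it goes beyond the level's script by contrasting that with a mktemp-based copy.

```shell
#!/bin/bash
# Added example, not part of the original post. Function names are hypothetical.

# Same derivation as cronjob_bandit23.sh, with the user name passed in
# instead of read from whoami. echo appends a newline, and that newline
# is part of the hashed input.
predictable_target() {
    echo I am user "$1" | md5sum | cut -d ' ' -f 1
}

# The same text hashed without the trailing newline (printf adds none).
# The result differs, so the exact pipeline has to be reproduced.
target_without_newline() {
    printf 'I am user %s' "$1" | md5sum | cut -d ' ' -f 1
}

# Hardened alternative for a job that must leave a secret in a shared
# directory: mktemp picks a random name and creates the file mode 0600;
# umask 077 is a second safeguard on the permissions.
write_private_copy() {
    local src=$1 dir=$2 out
    out=$(umask 077 && mktemp "$dir/secret.XXXXXXXXXX") || return 1
    cat "$src" > "$out" || return 1
    printf '%s\n' "$out"
}

# Demo on constructed data; no real password file is read.
demo_dir=$(mktemp -d)
printf 'constructed-secret\n' > "$demo_dir/pass"
echo "predictable: /tmp/$(predictable_target bandit23)"
echo "no newline:  /tmp/$(target_without_newline bandit23)"
echo "private:     $(write_private_copy "$demo_dir/pass" "$demo_dir")"
rm -rf "$demo_dir"
```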