Computer Security
#13 Wargame bandit 10 (Level21 ~ Level23), tmp
Level21 -> Level22
A program runs automatically at regular intervals from cron, the time-based job scheduler.
Look in /etc/cron.d/ for the configuration and see what command is being executed.
1. First, let's go to /etc/cron.d/.
bandit21@bandit:~$ cd /etc/cron.d
bandit21@bandit:/etc/cron.d$ ls
cronjob_bandit15_root cronjob_bandit22 cronjob_bandit24
cronjob_bandit17_root cronjob_bandit23 cronjob_bandit25_root
2. Of these files, let's check the bandit22 file first.
bandit21@bandit:/etc/cron.d$ cat cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
3. Let's look at the sh file.
bandit21@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
We can see that the script writes the password into a file under /tmp.
4. Reading that file with cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv gives us the password!
bandit21@bandit:/etc/cron.d$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
Finally, log in to bandit22 with Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI and you're done!
For your convenience we have installed a few usefull tools which you can find
in the following locations:
* gef (https://github.com/hugsy/gef) in /usr/local/gef/
* pwndbg (https://github.com/pwndbg/pwndbg) in /usr/local/pwndbg/
* peda (https://github.com/longld/peda.git) in /usr/local/peda/
* gdbinit (https://github.com/gdbinit/Gdbinit) in /usr/local/gdbinit/
* pwntools (https://github.com/Gallopsled/pwntools)
* radare2 (http://www.radare.org/)
* checksec.sh (http://www.trapkit.de/tools/checksec.html) in /usr/local/bin/checksec.sh
--[ More information ]--
For more information regarding individual wargames, visit
http://www.overthewire.org/wargames/
For support, questions or comments, contact us through IRC on
irc.overthewire.org #wargames.
Enjoy your stay!
bandit22@bandit:~$
Level22 -> Level23
1. This level is almost the same as the previous one. Let's read the cron entry with cat.
bandit22@bandit:~$ cat /etc/cron.d/cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
2. Let's read bandit23.sh.
bandit22@bandit:~$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget
3. Here myname is bandit23, and we need to find the value of mytarget. So let's substitute bandit23 for myname in the mytarget expression and run it.
bandit22@bandit:~$ cat /usr/bin/cronjob_bandit23.sh &> /dev/null
bandit22@bandit:~$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349
4. Now that we know 8ca319486bfbbc3663ea0fbe81326349 is the name of the tmp file, let's read the value inside /tmp/8ca319486bfbbc3663ea0fbe81326349.
bandit22@bandit:~$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
5. Log in to bandit23 with the password we found, jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n, and you're done!
For your convenience we have installed a few usefull tools which you can find
in the following locations:
* gef (https://github.com/hugsy/gef) in /usr/local/gef/
* pwndbg (https://github.com/pwndbg/pwndbg) in /usr/local/pwndbg/
* peda (https://github.com/longld/peda.git) in /usr/local/peda/
* gdbinit (https://github.com/gdbinit/Gdbinit) in /usr/local/gdbinit/
* pwntools (https://github.com/Gallopsled/pwntools)
* radare2 (http://www.radare.org/)
* checksec.sh (http://www.trapkit.de/tools/checksec.html) in /usr/local/bin/checksec.sh
--[ More information ]--
For more information regarding individual wargames, visit
http://www.overthewire.org/wargames/
For support, questions or comments, contact us through IRC on
irc.overthewire.org #wargames.
Enjoy your stay!
bandit23@bandit:~$
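Both cron jobs above leak the password because the file they write under /tmp is readable by other users, and in the Level22 case its name can be recomputed from the user name. The following shell example is an added example, not part of the original post or the wargame's scripts: it reproduces the name derivation from cronjob_bandit23.sh next to a hardened write that uses a restrictive umask and mktemp. The function names, the scratch directory and the sample secret are constructed for illustration.

```shell
# Added example. Everything is written under a scratch directory from
# mktemp -d, so the real /tmp layout is not touched.

# Weak pattern (same pipeline as cronjob_bandit23.sh): the file name is a
# pure function of the user name, so every local user can recompute it.
predictable_name() {
    echo I am user "$1" | md5sum | cut -d ' ' -f 1
}

# Weak write: predictable name, default umask 022 -> mode 644 (world-readable).
# $1 = directory, $2 = user name, $3 = secret. Subshell body keeps umask local.
write_secret_weak() (
    umask 022
    out="$1/$(predictable_name "$2")"
    printf '%s\n' "$3" > "$out"
    printf '%s\n' "$out"
)

# Hardened write: mktemp picks a random suffix and creates the file with
# mode 600, so other users can neither guess the name nor read the content.
# A directory owned by the job's user is better still than a shared one.
# $1 = directory, $2 = secret.
write_secret_hardened() (
    umask 077
    out=$(mktemp "$1/secret.XXXXXXXXXX") || exit 1
    printf '%s\n' "$2" > "$out"
    printf '%s\n' "$out"
)

# Octal permission bits of a file (GNU stat).
file_mode() { stat -c '%a' "$1"; }

demo() {
    dir=$(mktemp -d) || return 1
    weak=$(write_secret_weak "$dir" bandit23 'constructed-sample-secret')
    hard=$(write_secret_hardened "$dir" 'constructed-sample-secret')
    echo "weak:     ${weak##*/} mode $(file_mode "$weak")"
    echo "hardened: ${hard##*/} mode $(file_mode "$hard")"
    rm -rf "$dir"
}
demo
```

When auditing a host, a cron script that redirects sensitive output to a fixed or derivable path in a shared directory is the pattern to look for.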