Computer Security


Wargame:Bandit

#13 Wargame bandit 10 (Level21 ~ Level23), tmp

쿠리 Kuri 2022. 7. 19. 18:30

Level21 -> Level22

Level21

A program is run automatically at regular intervals by cron, the time-based job scheduler.
Look in /etc/cron.d/ for the configuration and see what command is being executed.

 

1. First, let's go into /etc/cron.d/.

bandit21@bandit:~$ cd /etc/cron.d
bandit21@bandit:/etc/cron.d$ ls
cronjob_bandit15_root  cronjob_bandit22  cronjob_bandit24
cronjob_bandit17_root  cronjob_bandit23  cronjob_bandit25_root

2. Of these files, let's check the bandit22 one first.

bandit21@bandit:/etc/cron.d$ cat cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null

3. Let's look at the sh file.

bandit21@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

So the script writes the bandit22 password into a file under /tmp.

 

4. Reading that tmp file with cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv prints the password!

bandit21@bandit:/etc/cron.d$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

 

Finally, log in to bandit22 with Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI and the level is cleared!

 For your convenience we have installed a few usefull tools which you can find
 in the following locations:

    * gef (https://github.com/hugsy/gef) in /usr/local/gef/
    * pwndbg (https://github.com/pwndbg/pwndbg) in /usr/local/pwndbg/
    * peda (https://github.com/longld/peda.git) in /usr/local/peda/
    * gdbinit (https://github.com/gdbinit/Gdbinit) in /usr/local/gdbinit/
    * pwntools (https://github.com/Gallopsled/pwntools)
    * radare2 (http://www.radare.org/)
    * checksec.sh (http://www.trapkit.de/tools/checksec.html) in /usr/local/bin/checksec.sh

--[ More information ]--

  For more information regarding individual wargames, visit
  http://www.overthewire.org/wargames/

  For support, questions or comments, contact us through IRC on
  irc.overthewire.org #wargames.

  Enjoy your stay!

bandit22@bandit:~$

Level22 -> Level23

Level22

 

 

1. This level is almost the same as the previous one. Let's read the cron file with cat.

bandit22@bandit:~$ cat /etc/cron.d/cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null

 

 

2. Let's read cronjob_bandit23.sh.

bandit22@bandit:~$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget

 

 

 

3. Since cron runs the script as bandit23, myname is bandit23, and we need to work out the mytarget value. So let's run the mytarget expression with bandit23 substituted for myname.

bandit22@bandit:~$ cat /usr/bin/cronjob_bandit23.sh &> /dev/null
bandit22@bandit:~$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349

 

 

 

4. Now we know that 8ca319486bfbbc3663ea0fbe81326349 is the name of the tmp file, so let's read what is in /tmp/8ca319486bfbbc3663ea0fbe81326349.

bandit22@bandit:~$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n

 

 

5. Log in to bandit23 with the password we found, jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n, and the level is cleared!


bandit23@bandit:~$
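
An added example, not part of the original post: a defender-side audit that parses /etc/cron.d entries like the ones in both levels and reports every job whose script redirects output into /tmp, which is what exposes the passwords here. The function names, the ROOT prefix argument and the rotate_logs job are assumptions; the bandit files in the fixture are copied from the post, and the parser assumes the first word of each cron command is the script path.

```shell
#!/bin/sh
# Added example (not from the post): list cron.d jobs whose script redirects into /tmp.
# audit_cron_dir CRON_DIR [ROOT]; ROOT (assumed) prefixes script paths so a copy can be audited.
audit_cron_dir() (
    cron_dir=$1 root=${2:-}
    for f in "$cron_dir"/*; do
        [ -f "$f" ] || continue
        # cron.d line: five time fields (or one @keyword), user, command
        awk '/^[ \t]*(#|$)/ || /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }
             $1 ~ /^@/ { print $2, $3; next }
             NF >= 7   { print $6, $7 }' "$f"
    done | sort -u | while read -r user script; do
        [ -f "$root$script" ] || continue
        # report each line that redirects (> or >>) into /tmp
        awk -v u="$user" -v s="$script" \
            '/>>?[ \t]*"?\/tmp\// { print u, s ":" NR ": " $0 }' "$root$script"
    done
)

# make_fixture DIR: constructed tree. The bandit22/23 files are copied from the post;
# rotate_logs is a hypothetical benign job for contrast.
make_fixture() {
    mkdir -p "$1/etc/cron.d" "$1/usr/bin"
    cat > "$1/etc/cron.d/cronjob_bandit22" <<'EOF'
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
EOF
    cat > "$1/etc/cron.d/cronjob_bandit23" <<'EOF'
@reboot bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
EOF
    printf '%s\n' 'MAILTO=root' '0 3 * * * root /usr/bin/rotate_logs.sh' > "$1/etc/cron.d/rotate_logs"
    cat > "$1/usr/bin/cronjob_bandit22.sh" <<'EOF'
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
EOF
    cat > "$1/usr/bin/cronjob_bandit23.sh" <<'EOF'
#!/bin/bash
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget
EOF
    printf '%s\n' '#!/bin/sh' 'date >> /var/log/rotate.log' > "$1/usr/bin/rotate_logs.sh"
}

demo() { d=$(mktemp -d); make_fixture "$d"; audit_cron_dir "$d/etc/cron.d" "$d"; rm -rf "$d"; }
demo
```

On a real host, run `audit_cron_dir /etc/cron.d` with no second argument; each reported line is a place where a job's output lands in a directory every local user can list and, depending on the file mode, read.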