
Wargame/Bandit

[ Docker ] Bandit Wargame 만들기 - 25번 문제 ( 26 / 33 )

1. Bandit25 목표

Logging in to bandit26 from bandit25 should be fairly easy…
The shell for user bandit26 is not /bin/bash, but something else.
Find out what it is, how it works and how to break out of it.

Commands you may need to solve this level
ssh, cat, more, vi, ls, id, pwd

 

2. Bandit25 구현

# Connect as root; enter the password "root" when prompted.
# StrictHostKeyChecking=no turns off host-key verification, so the identity
# of the server is never checked. That is tolerable only because the target
# is the local lab container on port 2220; root/root over SSH and this flag
# are lab-only settings and should not be carried over to real hosts.
# NOTE(review): the commands that follow are presumably typed inside this
# root session rather than run as one script - confirm.
ssh -oStrictHostKeyChecking=no root@localhost -p 2220

# Hand every dot-entry in bandit25's home to root. The glob .[!.]* matches
# names that start with a dot followed by a non-dot character, so "." and
# ".." are never touched.
chown -R root:root /home/bandit25/.[!.]*

# Write the RSA private key that bandit25 later passes to "ssh -i" to log in
# as bandit26. The quoted delimiter ('PRIVATE_KEY') keeps the shell from
# expanding anything inside the heredoc.
# NOTE(review): the key body appears to have been stripped from this page,
# so the heredoc as shown will not produce a usable key; supply the private
# half of the pair whose public key is installed for bandit26 - confirm.
# Key material published in a write-up is public: generate a fresh pair for
# any instance other people can reach.
cat <<'PRIVATE_KEY' > /home/bandit25/bandit26.sshkey
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
PRIVATE_KEY

# Populate bandit25's home directory: lock down the SSH key file and create
# the dot-files. Judging by the banner text they serve a pincode checker,
# which is not shown on this page.
# NOTE(review): the password, flag and PIN below are lab values published
# with this write-up; treat them as public and never reuse them elsewhere.
b25_home=/home/bandit25

# Key file: read-only for its owner (0400), then handed to bandit25.
chmod 400 "$b25_home/bandit26.sshkey"
chown -R bandit25:bandit25 "$b25_home/bandit26.sshkey"

# One line of text per file; printf '%s\n' writes the same bytes as echo.
printf '%s\n' 'gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8' > "$b25_home/.bandit24.password"
printf '%s\n' 'I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.' > "$b25_home/.banner"
printf '%s\n' 'The password of user bandit25 is iCi86ttT4KSNe1armKiwbQNmB3YJP3q4' > "$b25_home/.flag"
printf '%s\n' '5763' > "$b25_home/.pin"

# Owner and group bandit25, mode 0640 (owner rw, group r, others nothing).
for dotfile in .bandit24.password .banner .flag .pin; do
  chown -R bandit25:bandit25 "$b25_home/$dotfile"
done
for dotfile in .bandit24.password .banner .flag .pin; do
  chmod 640 "$b25_home/$dotfile"
done

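# Create the bandit26 account, set its password and store the same password
# in /etc/bandit_pass/bandit26.
# The password is kept in one variable so the three uses cannot drift apart.
# NOTE(review): this is a lab value published with the write-up; treat it as
# public and do not reuse it.
bandit26_pass='s0773xxkk0MXfdqOfPRVr9L3jJBUOgCZ'

# passwd asks for the new password twice, hence the two identical lines.
# printf replaces "echo -e", whose escape handling differs between shells.
# NOTE(review): plain useradd creates /home/bandit26 only when the image's
# defaults say so; the chown/chmod lines below need that directory to exist
# - confirm, or create the home explicitly.
useradd bandit26 && printf '%s\n%s\n' "$bandit26_pass" "$bandit26_pass" | passwd bandit26

# Home directory and its existing dot-entries end up owned by root, with the
# directory at 0755: bandit26 can read and traverse it but not write to it.
chown -R root:root /home/bandit26/.[!.]*

chmod 755 /home/bandit26

chown root:root /home/bandit26

# Create the password file under a restrictive umask so that it is never
# readable by other accounts, not even between creation and the chmod.
( umask 077; printf '%s\n' "$bandit26_pass" > /etc/bandit_pass/bandit26 )

chmod 400 /etc/bandit_pass/bandit26

chown bandit26:bandit26 /etc/bandit_pass/bandit26

# Do not leave the password behind in the interactive root shell.
unset bandit26_pass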

# Install the public key accepted for SSH logins as bandit26 (presumably the
# counterpart of /home/bandit25/bandit26.sshkey - confirm).
ssh_dir=/home/bandit26/.ssh

mkdir -p "$ssh_dir"
chmod 755 "$ssh_dir"

# The base64 payload decodes to one "ssh-rsa ... bandit26@bandit" line.
# It is fed to base64 directly; the quoted delimiter disables expansion,
# which changes nothing for pure base64 text.
base64 --decode > "$ssh_dir/authorized_keys" <<'AUTH_KEY'
c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFDbUt6WUM2aWlnU3A1aFpxYTNC
ZmFUblAyNVRVQitYWVh4WEpkQ3B1Lzh0T3NqQjFhbE45cDVFZGZPdlJqUnJrNTdjWUgvNWJiNDlG
NkovNXM5bVhOTmpWY1hDbVQ0T0llVFdTWXZTYWdSYndjbTVQMy9sZHVlbU5MT2ZSNFFCOFZySFk1
eWltT3ZOV3AwRWxCNnVTUFNtNi9kUmRqVHNDeVNDVElQbGQ2bkFZQ1VrNGJGbXd5cldobXBEUmJi
MW9HMS9LUzRhSjdadkd1aEdPNEErdGd6aWpjd3lhMlUwVGw4TGdiMGlHclI2cnZjd09MWE43cDNh
TWdaeDd6dmVyR2ZmVHdFRGFxRkU4azBSdWM5Ni9tQWo3bTFUNVRGNXRid290dVRRU0doY0gzbmNq
SGVXQTRpdFAxanF5UkdPd3hJV1lMcFkzODd1aSs3eERNYXJGM0wgYmFuZGl0MjZAYmFuZGl0Cg==
AUTH_KEY

# NOTE(review): the file is owned by bandit26 with owner write permission,
# so anyone who reaches a bandit26 shell can edit the accepted keys. On an
# instance shared between players consider root ownership with read access
# for bandit26 only (e.g. root:bandit26, mode 640).
chmod 640 "$ssh_dir/authorized_keys"
chown bandit26:bandit26 "$ssh_dir/authorized_keys"

# Create the banner file that bandit26's login program pages through.
# The quoted delimiter keeps the backticks and backslashes of the ASCII art
# literal. The walkthrough further down relies on this text not fitting on
# a shrunken terminal, so the art should be kept as it is.
cat <<'SHOWTEXT' > /home/bandit26/text.txt
  _                     _ _ _   ___   __
 | |                   | (_) | |__ \ / /
 | |__   __ _ _ __   __| |_| |_   ) / /_
 | '_ \ / _` | '_ \ / _` | | __| / / '_ \
 | |_) | (_| | | | | (_| | | |_ / /| (_) |
 |_.__/ \__,_|_| |_|\__,_|_|\__|____\___/
SHOWTEXT

# Readable by bandit26 (owner rw, group r), closed to everyone else.
chmod 640 /home/bandit26/text.txt

chown bandit26:bandit26 /home/bandit26/text.txt

# Install /usr/bin/showtext (mode 0755), the program used as bandit26's
# login shell: it sets TERM and replaces itself with "more ~/text.txt".
# Because of the exec, "exit 0" is only reached when more cannot be started.
# Design note: a pager used as a login shell is not a confinement boundary.
# more can hand the file to an editor and the editor can start a shell,
# which is the lesson of this level. For a genuinely restricted account use
# a non-interactive command (e.g. sshd's ForceCommand) or a nologin shell
# instead of an interactive pager.
cat <<'SHOWTEXT' > /usr/bin/showtext && chmod 755 /usr/bin/showtext
#!/bin/sh

export TERM=linux

exec more ~/text.txt
exit 0
SHOWTEXT

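# Make /usr/bin/showtext the login shell of bandit26.
# usermod updates the account entry with its own file locking. Hand-editing
# /etc/passwd with sed bypasses that locking and silently changes nothing
# when the entry does not list /bin/bash as the current shell.
usermod -s /usr/bin/showtext bandit26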

 

3. Bandit25 문제풀이

# Walkthrough for the lab container built in section 2. The lines "v",
# ":set shell=/bin/bash" and ":shell" are keystrokes typed into more and the
# editor, not shell commands.

# Log in as bandit25 with the password configured for that account.
# iCi86ttT4KSNe1armKiwbQNmB3YJP3q4
# (StrictHostKeyChecking=no skips host-key verification; lab use only.)
ssh -oStrictHostKeyChecking=no bandit25@localhost -p 2220

# Check which login shell is started when bandit26 connects.
cat /etc/passwd

# Read the program that runs when bandit26 logs in.
cat /usr/bin/showtext

# Note the terminal's current rows and columns.
stty size

# Shrink the terminal so that more cannot display the whole file at once.
stty rows 15 cols 15

# Connect as bandit26.
# Because the text no longer fits on the screen, the more started by
# showtext pauses partway through the output instead of exiting.
ssh -oStrictHostKeyChecking=no -p 2220 -i /home/bandit25/bandit26.sshkey bandit26@localhost

# Press v to switch to the editor.
v

# Change the editor's shell setting from /usr/bin/showtext to /bin/bash.
:set shell=/bin/bash

# Start that shell.
:shell

# Restore the original rows and columns. 42 and 139 are the author's values;
# use whatever "stty size" printed earlier.
stty rows 42 cols 139

clear

# Read the password.
# At this point we are already logged in as bandit26, though; whether the
# login is done with the password or with the key, the same more-based
# step is needed either way.
cat /etc/bandit_pass/bandit26