Wargames与bash知识13
Bandit21
基于时间的作业调度程序cron会定期自动运行一个程序。在/etc/cron.d/中查找配置,并查看正在执行的命令
cron, crontab, crontab(5) (use "man 5 crontab" to access this)
发现一个插曲,如果意外退出,短时间内登录是不需要密码的
bash
bandit21@bandit:/usr/bin$ ^C
bandit21@bandit:/usr/bin$ ssh -p 2220 -l bandit21 bandit.labs.overthewire.org
The authenticity of host '[bandit.labs.overthewire.org]:2220 ([127.0.0.1]:2220)' can't be established.
ED25519 key fingerprint is SHA256:C2ihUBV7ihnV1wUXRb4RrEcLfXC5CXlhmAAM/urerLY.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/home/bandit21/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/home/bandit21/.ssh/known_hosts).
_ _ _ _
| |__ __ _ _ __ __| (_) |_
| '_ \ / _` | '_ \ / _` | | __|
| |_) | (_| | | | | (_| | | |_
|_.__/ \__,_|_| |_|\__,_|_|\__|
This is an OverTheWire game server.
More information on http://www.overthewire.org/wargames
!!! You are trying to log into this SSH server with a password on port 2220 from localhost.
!!! Connecting from localhost is blocked to conserve resources.
!!! Please log out and log in again.
bandit21@bandit.labs.overthewire.org: Permission denied (publickey).
bandit21@bandit:/usr/bin$
在家目录发现bandit20的密码
bash
bandit21@bandit:~$ cat .prevpass
VxCazJaVykI6W36BkBU0mJTCM8rR95XT
进入定时任务执行脚本目录,查看文件,发现几个.sh文件都有读权限,按个看看也无妨。
bash
bandit21@bandit:~$ cd /etc/cron.d
bandit21@bandit:/etc/cron.d$ ls
cronjob_bandit15_root cronjob_bandit22 cronjob_bandit24 e2scrub_all sysstat
cronjob_bandit17_root cronjob_bandit23 cronjob_bandit25_root otw-tmp-dir
bandit21@bandit:/etc/cron.d$ ls -l
total 36
-rw-r--r-- 1 root root 62 Oct 5 06:19 cronjob_bandit15_root
-rw-r--r-- 1 root root 62 Oct 5 06:19 cronjob_bandit17_root
-rw-r--r-- 1 root root 120 Oct 5 06:19 cronjob_bandit22
-rw-r--r-- 1 root root 122 Oct 5 06:19 cronjob_bandit23
-rw-r--r-- 1 root root 120 Oct 5 06:19 cronjob_bandit24
-rw-r--r-- 1 root root 62 Oct 5 06:19 cronjob_bandit25_root
-rw-r--r-- 1 root root 201 Jan 8 2022 e2scrub_all
-rwx------ 1 root root 52 Oct 5 06:20 otw-tmp-dir
-rw-r--r-- 1 root root 396 Feb 2 2021 sysstat
bandit21@bandit:/etc/cron.d$ cat cronjob_bandit15_root
* * * * * root /usr/bin/cronjob_bandit15_root.sh &> /dev/null
bandit21@bandit:/etc/cron.d$ cat cronjob_bandit17_root
* * * * * root /usr/bin/cronjob_bandit17_root.sh &> /dev/null
bandit21@bandit:/etc/cron.d$ cat cronjob_bandit22
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
bandit21@bandit:/etc/cron.d$ cat cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
bandit21@bandit:/etc/cron.d$ cat cronjob_bandit24
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
bandit21@bandit:/etc/cron.d$ cat cronjob_bandit25_root
* * * * * root /usr/bin/cronjob_bandit25_root.sh &> /dev/null
bandit21@bandit:/etc/cron.d$ cat sysstat
#The first element of the path is a directory where the debian-sa1
#script is located
PATH=/usr/lib/sysstat:/usr/sbin:/usr/sbin:/usr/bin:/sbin:/bin
#Activity reports every 10 minutes everyday
5-55/10 * * * * root command -v debian-sa1 > /dev/null && debian-sa1 1 1
#Additional run at 23:59 to rotate the statistics file
59 23 * * * root command -v debian-sa1 > /dev/null && debian-sa1 60 2
bandit21@bandit:/etc/cron.d$
cron
cron的定时任务需要在作业文件中设定执行时间,包括时分秒、天数等,一共 7 个部分,格式如下:
-
-
-
* [* ] root cmd
-
-
分 时 日 月 星期 年 用户 命令
其中:
分:必须,可选 0-59,可设置 ,-/ 特殊字符
时:必须,可选 0-23,可设置 ,- / 特殊字符
日:必须,可选 1-31,可设置 ,-?/LW 特殊字符
月:必须,可选 1-12或 jan-dec,可设置 ,- / 特殊字符
星期:必须,可选 0-7 或 sun-sta,可设置 ,-?/L# 特殊字符
年:非必须,可留空,可设置 1970-2099,可设置 ,- / 特殊字符
几个特殊字符的含义如下:
- 全部。意思是在该时间的任意点都应当执行?不指定,任意。仅用于 日(月)和日(周)。0 0 5
? 代表每个月的第5天零点,不论星期几。0 0 ? * 1 代表每周一,不论是当月的哪天。
, 多个值的分隔符,例如1,5,10
- 代表连续值,例如1-20
/ 步长。例如 5/15,代表从5开始,以15为步长。因此,当5/15位于分钟的位置时,表示小时内的第5、20、35和50分钟。
L 最后一天。可以是每月最后一天或者每周最后一天。如果用在 天(周)字段,并且前面加数字,则表示最后一个周N。例如5L,表示最后一个周五(5表示周五,L表示最后)
W 工作日,指周一到周五的任意一天表示第几个的意思,例如 6#3,表示当月第3个星期六(6表示周六,3表示第3个)
bash
bandit21@bandit:/etc/cron.d$ cd /usr/bin
bandit21@bandit:/usr/bin$ ls *sh
bash cronjob_bandit23.sh env_parallel.csh env_parallel.tcsh rsh
chsh cronjob_bandit24.sh env_parallel.dash env_parallel.zsh sh
c_rehash cronjob_bandit25_root.sh env_parallel.fish gettext.sh ssh
cronjob_bandit15_root.sh dash env_parallel.ksh instmodsh static-sh
cronjob_bandit17_root.sh env_parallel.ash env_parallel.mksh rbash tclsh
cronjob_bandit22.sh env_parallel.bash env_parallel.sh rescan-scsi-bus.sh
bandit21@bandit:/usr/bin$ ls -l *sh
-rwxr-xr-x 1 root root 1396520 Jan 6 2022 bash
-rwxr-xr-x 1 root root 44808 Nov 24 2022 chsh
-rwxr-xr-x 1 root root 6963 May 24 2023 c_rehash
-rwx------ 1 root root 142 Oct 5 06:19 cronjob_bandit15_root.sh
-rwx------ 1 root root 443 Oct 5 06:19 cronjob_bandit17_root.sh
-rwxr-x--- 1 bandit22 bandit21 130 Oct 5 06:19 cronjob_bandit22.sh
-rwxr-x--- 1 bandit23 bandit22 211 Oct 5 06:19 cronjob_bandit23.sh
-rwxr-x--- 1 bandit24 bandit23 384 Oct 5 06:19 cronjob_bandit24.sh
-rwx------ 1 root root 497 Oct 5 06:19 cronjob_bandit25_root.sh
-rwxr-xr-x 1 root root 125688 Mar 23 2022 dash
-rwxr-xr-x 1 root root 14565 Aug 28 2021 env_parallel.ash
-rwxr-xr-x 1 root root 13565 Aug 28 2021 env_parallel.bash
-rwxr-xr-x 1 root root 5377 Aug 28 2021 env_parallel.csh
-rwxr-xr-x 1 root root 14554 Aug 28 2021 env_parallel.dash
-rwxr-xr-x 1 root root 6643 Aug 28 2021 env_parallel.fish
-rwxr-xr-x 1 root root 12595 Aug 28 2021 env_parallel.ksh
-rwxr-xr-x 1 root root 12626 Aug 28 2021 env_parallel.mksh
-rwxr-xr-x 1 root root 14754 Aug 28 2021 env_parallel.sh
-rwxr-xr-x 1 root root 5380 Aug 28 2021 env_parallel.tcsh
-rwxr-xr-x 1 root root 12604 Aug 28 2021 env_parallel.zsh
-rwxr-xr-x 1 root root 5188 Mar 25 2022 gettext.sh
-rwxr-xr-x 1 root root 4373 May 23 2023 instmodsh
lrwxrwxrwx 1 root root 4 Jan 6 2022 rbash -> bash
-rwxr-xr-x 1 root root 38762 Mar 25 2022 rescan-scsi-bus.sh
lrwxrwxrwx 1 root root 21 Sep 19 02:21 rsh -> /etc/alternatives/rsh
lrwxrwxrwx 1 root root 4 Sep 19 02:19 sh -> dash
-rwxr-xr-x 1 root root 846888 Aug 24 13:40 ssh
lrwxrwxrwx 1 root root 7 Feb 4 2022 static-sh -> busybox
lrwxrwxrwx 1 root root 8 Mar 25 2022 tclsh -> tclsh8.6
bandit21@bandit:/usr/bin$ cat cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
bandit21@bandit:/usr/bin$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
WdDozAdTM2z9DiFEQ2mGlwngMfj4EZff
bandit21@bandit:/usr/bin$
bandit21@bandit:/usr/bin$ cd /etc/bandit_pass/
bandit21@bandit:/etc/bandit_pass$ ls -l bandit22
-r-------- 1 bandit22 bandit22 33 Oct 5 06:19 bandit22