old notes

bash

#bash #scripting #bashsyntax #UofTBootCamp #homework

Takeaways

  • quotes around the array in a for loop are best practice:

Without them, word splitting breaks each element at any spaces it contains, so the loop iterates over substrings instead of whole elements of the array. For example, with declare -a arr=("element 1" "element 2" "element 3"), for i in ${arr[@]} would mistakenly iterate 6 times, since each string becomes 2 substrings split at its space, whereas for i in "${arr[@]}" iterates 3 times, as desired, keeping each string as a single unit despite the space in it.

  • a function's result can only be captured (e.g. with $(...)) if the function echoes it. Using return is the same as exit: it only sets the exit code, so that is all you can capture from it.
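Both takeaways made measurable, as an added example that is not part of the original notes (the function names and the sample array are mine):

```shell
#!/bin/bash
# Added example (not from the original notes): makes both takeaways measurable.

# Constructed sample array; each element contains a space on purpose.
declare -a arr=("element 1" "element 2" "element 3")

# Unquoted ${arr[@]}: word splitting turns the 3 elements into 6 words.
count_unquoted() {
    local n=0
    for i in ${arr[@]}; do
        n=$((n + 1))
    done
    echo "$n"
}

# Quoted "${arr[@]}": each element stays one unit, so 3 iterations.
count_quoted() {
    local n=0
    for i in "${arr[@]}"; do
        n=$((n + 1))
    done
    echo "$n"
}

# return only sets the exit status; nothing reaches stdout to be captured.
returns_only() {
    return 42
}

# echo writes to stdout, which $(...) captures as a string.
echoes_value() {
    echo 42
}

# Capturing a return-only function yields an empty string; 42 is only in $?.
captured_from_return() {
    local out status=0
    out=$(returns_only) || status=$?
    echo "out='${out}' status=${status}"
}

# Stand-alone run prints 6, 3, 42 and out='' status=42.
count_unquoted
count_quoted
echoes_value
captured_from_return
```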

Syntax Quickies

quick init + iteration

read -a arr <<< "one two three"
for i in "${arr[@]}"
do
    echo "$i"
done

  • access elements

passing multiple arrays as arguments

takes_ary_as_arg() {
    # ${!1} expands the array named by the first argument (indirect expansion)
    declare -a argAry1=("${!1}")
    echo "${argAry1[@]}"

    declare -a argAry2=("${!2}")
    echo "${argAry2[@]}"
}

try_with_local_arys() {
    # array variables could have local scope
    local descTable=(
        "sli4-iread"
        "sli4-iwrite"
        "sli3-iread"
        "sli3-iwrite"
    )
    local optsTable=(
        "--msix --iread"
        "--msix --iwrite"
        "--msi --iread"
        "--msi --iwrite"
    )
    # pass the array names (with [@]) rather than their contents
    takes_ary_as_arg descTable[@] optsTable[@]
}

try_with_local_arys

#linux #networking #router #automation #bash #python #ruby

The suggestion from my tutor was to “write an automation script that goes into my router and pulls the logs from the router logs to system logs and then scans them for any occurrences of nmap and sends the results to me in an email. Possibly filtering by priority?”

To Research

Router Access

  • does my router have logs accessible
  • can my router easily transfer those logs to my system logs or do I have to manually do that?

System logs

  • where is the appropriate place to put them?

Cron job

  • set it up where?

Email server

  • can I send it directly to my thundermail client or does it have to go through gmail?

Additional Practice

  • redo this assignment using my linux machine?
  • redo in py?

#bash #scripting #nc #networking #ports

What we know:

  • There is an open and listening port (30002) that will send back the password if it receives the current level's password + the correct pin

What to do with this knowledge:

Attempt 1: I tried writing a script that iterates through 0000-9999, combines each number with the current level's password, and then sends each line to the port:

#!/bin/bash
start=0000
count=9999

while [ $start -lt $count ]
do
    echo "current password $start" | nc localhost 30002
    ((start++))
done

Mistakes Made:

Unfortunately, my loop never stopped looping...

I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space. Wrong! Please enter the correct current password. Try again. Timeout. Exiting. I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space. Wrong! Please enter the correct current password. Try again.

FOLLOW UP ON WHY

Attempt 2: Breaking it down more

This time I decided to separate the problem into two parts:

Script 1: Create a list of possible password + pin combos

#!/bin/bash
touch list.txt

for i in {0000..9999}
do
    echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i" >> list.txt
done

Script 2: Iterate through my list.txt and send each one to the listening daemon with nc

#!/bin/bash
# read list.txt line by line and send every line to the listener over one connection
while read -r line
do
    echo "$line"
done < list.txt | nc localhost 30002

And voilà!

#bandit #bash #scripting #permissions #cron

What we know:

  • We will be writing a shell script
  • This shell script is removed once executed, meaning that there is likely a script that will remove our script
  • The script file run by the cronjob relevant to this level is located at /usr/bin/cronjob_bandit24.sh and contains:

#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        owner="$(stat --format "%U" ./$i)"
        if [ "${owner}" = "bandit23" ]; then
            timeout -s 9 60 ./$i
        fi
        rm -f ./$i
    fi
done

What to do with what we know:

First, let's understand the cronjob_bandit24.sh script:

  1. #!/bin/bash indicates which shell program will be used to interpret the script — in this case: bash (Bourne Again Shell).

  2. A variable is initialized with the result of the whoami command. (To verify that the current user is bandit23, I ran the whoami command inside of the directory where the script is located.) We navigate to a directory based on this variable: /var/spool/bandit23

  3. A loop iterates through all the files in this directory and, for every file that is not . or .., we (1) save the file's owner from the stat command into the variable owner, then (2) check if that owner is bandit23 and, if so, (3) execute the file with a 60-second timeout (timeout -s 9 60 ./$i); afterwards the file is deleted (rm -f runs for every file, whoever owns it).

(There's more but these are the most crucial steps to understand for our goals.)

So I attempted to navigate to the bandit23 directory (/var/spool/bandit23/) and received the error message that: -bash: cd: bandit23: No such file or directory

Going back one step into /var/spool/, I discovered that bandit24 exists as a directory. What does this mean?

Mistake 1: Checking Permissions

I thought that the /usr/bin/cronjob_bandit24.sh permissions could be checked from running whoami from the /usr/bin directory in which the file was found. Of course this is not true because whoami checks the current user and not the file. I knew this but I didn't pause to consider what exactly I was checking for when I mindlessly ran whoami. This error is silly, I should have been more mindful as to exactly what I am asking the computer to do in every command I make.

So to check the owner of the script in question, I ran: ls -alh cronjob_bandit24.sh

-rwxr-x--- 1 bandit24 bandit23 376 May 14 2020 cronjob_bandit24.sh

This means the script cronjob_bandit24.sh belongs to owner bandit24 and group bandit23. Now it makes sense that /var/spool/bandit23/ did not exist.

Back on track

I navigated into the bandit24 directory and attempted to make a temporary directory only to discover that tmp already existed. (ls was denied.) Inside of tmp, I created a script that copies the password file from where it's located to where I can access it as bandit23.

#!/bin/bash
cp /etc/bandit_pass/bandit24 /tmp/emin/pass

Then I created the directory tmp/emin/ and the file pass.

I moved a copy of the script into the relevant directory (/var/spool/bandit24) and waited for my password to appear in /tmp/emin/pass but it never did!!

MISTAKE 2: Permissions Denied

I tried to execute my script myself using the command:

bash /var/spool/bandit24/tmp/lumpo.sh (yes, that's my script name..) and received the error message:

cat: /etc/bandit_pass/bandit24: Permission denied

I wasn't sure where exactly the error was triggered: was it the execution of the cat command on the original password file or was it the act of writing it onto the file I created? So I decided to check permissions on the files:

My script file is owned by bandit23. My script is run by a server-provided script (/usr/bin/cronjob_bandit24.sh) owned by bandit24.

It needs to read a file owned by bandit24 and write its contents into the file I created and therefore owned by bandit23. This means that the file owned by bandit24 must have permissions for user bandit24 to read its contents and the file I created must have permissions for user bandit24 to write its contents. The assumption I'm making is that because my script file is run by another script file owned by bandit24, it will belong to that user? FOLLOW UP

Checking permissions for the original password file: ls -alh /etc/bandit_pass/bandit24 gives me this information:

-r-------- 1 bandit24 bandit24 33 May 7 2020 /etc/bandit_pass/bandit24

I know that each file or directory has three permission types: read, write, execute. According to the Linux docs:

The first character is the special permission flag that can vary. The following set of three characters (rwx) is for the owner permissions. The second set of three characters (rwx) is for the Group permissions. The third set of three characters (rwx) is for the All Users permissions. Following that grouping, the integer/number displays the number of hardlinks to the file. The last piece is the Owner and Group assignment formatted as Owner:Group.

An example: _rwxrwxrwx 1 owner:group
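The owner/group/all-users rule just quoted, applied to the ls -alh lines shown in these notes, as an added example that is not part of the original notes (the helper names are mine; the sample lines are constructed copies of the outputs above):

```shell
#!/bin/bash
# Added example (not from the notes): which rwx triplet does a user get on a file?
# The sample lines are constructed copies of the ls -alh outputs quoted in these notes.
CRON_SCRIPT='-rwxr-x--- 1 bandit24 bandit23 376 May 14 2020 cronjob_bandit24.sh'
PASS_FILE='-r-------- 1 bandit24 bandit24 33 May 7 2020 /etc/bandit_pass/bandit24'
MY_SCRIPT='-rw-r--r-- 1 bandit23 bandit23 59 Jan 3 21:33 lumpo.sh'
MY_SCRIPT_777='-rwxrwxrwx 1 bandit23 bandit23 59 Jan 3 20:35 lumpo.sh'

# perms_for "<ls -l line>" <user> [<primary group>] -> prints the 3-char triplet
# that applies to <user>: owner if the user matches, else group, else all users.
# The group defaults to the user name (the usual per-user private group).
perms_for() {
    local line="$1" user="$2" group="${3:-$2}"
    local mode links owner grp rest
    read -r mode links owner grp rest <<< "$line"
    if [ "$user" = "$owner" ]; then
        echo "${mode:1:3}"
    elif [ "$group" = "$grp" ]; then
        echo "${mode:4:3}"
    else
        echo "${mode:7:3}"
    fi
}

# can_exec_as "<ls -l line>" <user> -> yes/no: is the x bit set in that triplet?
# That is the bit "./$i" in the cron script needs, assuming (as the notes do)
# that cronjob_bandit24.sh runs as bandit24.
can_exec_as() {
    case $(perms_for "$@") in
        ??x) echo yes ;;
        *)   echo no ;;
    esac
}

# Stand-alone run prints: r--, ---, r--, r-x, no, yes
perms_for "$PASS_FILE" bandit24
perms_for "$PASS_FILE" bandit23
perms_for "$MY_SCRIPT" bandit24
perms_for "$CRON_SCRIPT" bandit23
can_exec_as "$MY_SCRIPT" bandit24
can_exec_as "$MY_SCRIPT_777" bandit24
```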

So we can conclude that, since the original password file can be read by its owner, this is not the source of the problem.

Checking permissions on my file ls -alh /tmp/emin/pass gives:

-rw-r--r-- 1 bandit23 root 0 Jan 3 20:38 /tmp/emin/pass

This means that only the owner (bandit23) can read and write to this file. Otherwise, it is read-only.

So I ran chmod 777 on the file, which gives everyone full permission to access the file, and verified that it is so: ls -alh /tmp/emin/pass

-rwxrwxrwx 1 bandit23 root 0 Jan 3 20:38 /tmp/emin/pass

Now if I try the script again, it should work! ALAS IT DID NOT!!!!!

Now I questioned whether the permissions for the directory containing the file also needed to be changed, so I ran the same chmod 777 command recursively from the /tmp/emin directory.

STILL DIDN'T WORK!!!!

The only other file that does not have full permissions and that I have the ability to change is my script. So I changed it to full permissions and it worked. But why?

What is the difference between this file having full permissions: -rwxrwxrwx 1 bandit23 bandit23 59 Jan 3 20:35 lumpo.sh

Vs. read-only permissions? -rw-r--r-- 1 bandit23 bandit23 59 Jan 3 21:33 lumpo.sh

Remember that this file contains the script that copies the password from the bandit24 file to my file: cp /etc/bandit_pass/bandit24 /tmp/emin/pass

Why would my script need write permissions?! This doesn't make sense...

Follow-up Questions:

  • What are the usage differences between a (POSIX) shell and bash?
  • Why did cp fail while mv and cat worked? Are there permissions blocking copying files on this server? Likely.

What I learned:

PERMISSIONS COME FIRST.

#ssh #bashrc #bash

So, I had to ask for a hint on this one from discord. The person said: “you don't need any extra parameters for ssh command”

I misunderstood this level on a fundamental level. I thought the goal was to login so I could access the readme file for the password. This is not the goal. The goal is to get the password. Logging in is irrelevant. This was mistake one.

Having assumed that I had to log in meant that I interpreted the problem as a matter of “disabling the .bashrc” file so I went about on a wild google search reading about different approaches to doing this. It turns out that this is not an uncommon problem — interestingly. However, this was a mistake on my end to do so because it is skipping the step of what my tool (the level tells you to use ssh) was made to do. I looked up different ways of using ssh towards a specific purpose without understanding the tool's stated purpose.

Had I looked at the manual for ssh instead of assuming I already knew its usage(s), I would have found this description:

ssh (SSH client) is a program for logging into a remote machine and for executing commands on a remote machine.

All I needed to do was read the readme via remote command execution. There was no need to go about disabling the .bashrc.

I've noticed that the levels that I get stuck on are from getting too attached to an initial idea and pursuing that instead of examining ALL my possibilities and experimenting. This almost happened in a previous level but I caught myself. Time to make it into an acronym like my 10DIME for algorithms.

How to problem-solve OTW/CTFs:

  1. GOAL: What is my goal?
  2. ASSUMPTIONS: Are there any procedural assumptions in my goal statement that limit how I can get to that goal or is it truly a goal?
  3. DESCRIBE: Describe my tools. If I can't describe their purpose with certainty, read the description SLOWLY. Not backwards. Not diagonally. SLOWLY.
  4. Try EVERYTHING!

GADE.

Next.

The solution was simply ssh bandit18@bandit.labs.overthewire.org -p 2220 "less ~/readme"