Bandit - Going to Level 22

2 November 2017

Goal

A program is running automatically at regular intervals from cron, the time- based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

Getting the information

First lets look at what we have in /etc/cron.d/

bandit21@melinda:~$ ls /etc/cron.d/
behemoth4_cleanup
leviathan5_cleanup
natas25_cleanup~ semtex0−ppc
cron−apt
manpage3_resetpw_job natas26_cleanup semtex5
cronjob_bandit22
melinda−stats
natas27_cleanup sysstat
cronjob_bandit23
natas−session−toucher php5
vortex0
cronjob_bandit24
natas−stats
semtex0−32
vortex20
cronjob_bandit24_root natas25_cleanup
semtex0−64

All right, we can see that we have a file named cronjob_bandit22, so this is probably what we are looking for, lets look at its contents:

bandit21@melinda:~$ cat /etc/cron.d/cronjob_bandit22
∗ ∗ ∗ ∗ ∗ bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null

Apparently the cron job uses a script in /usr/bin/cronjob_bandit22.sh lets take a look at its contents:

bandit21@melinda:~$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

The script modifies the t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv file’s rights and then copy the bandit22 password inside of it !

bandit21@melinda:~$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI