OverTheWire: Bandit Level 21

Bandit Level 21 → Level 22

Level Goal: A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

➜  ~ ssh bandit21@bandit.labs.overthewire.org -p 2220
bandit21@bandit:~$ ls
bandit21@bandit:~$ cd /etc/cron.d/
bandit21@bandit:/etc/cron.d$ ls -l
total 92
-r--r----- 1 root root  46 Nov 14  2014 behemoth4_cleanup
-rw-r--r-- 1 root root 355 May 25  2013 cron-apt
-rw-r--r-- 1 root root  61 Nov 14  2014 cronjob_bandit22
-rw-r--r-- 1 root root  62 Nov 14  2014 cronjob_bandit23
-rw-r--r-- 1 root root  61 May  3  2015 cronjob_bandit24
-rw-r--r-- 1 root root  62 May  3  2015 cronjob_bandit24_root
-r--r----- 1 root root  47 Nov 14  2014 leviathan5_cleanup
-rw------- 1 root root 233 Nov 14  2014 manpage3_resetpw_job
-rw-r--r-- 1 root root  51 Nov 14  2014 melinda-stats
-rw-r--r-- 1 root root  54 Jun 25  2016 natas-session-toucher
-rw-r--r-- 1 root root  49 Jun 25  2016 natas-stats
-r--r----- 1 root root  44 Jun 25  2016 natas25_cleanup
-r--r----- 1 root root  47 Aug  3  2015 natas25_cleanup~
-r--r----- 1 root root  47 Jun 25  2016 natas26_cleanup
-r--r----- 1 root root  43 Jun 25  2016 natas27_cleanup
-rw-r--r-- 1 root root 510 Oct 29  2014 php5
-rw-r--r-- 1 root root  63 Jul  8  2015 semtex0-32
-rw-r--r-- 1 root root  63 Jul  8  2015 semtex0-64
-rw-r--r-- 1 root root  64 Jul  8  2015 semtex0-ppc
-rw-r--r-- 1 root root  35 Nov 14  2014 semtex5
-rw-r--r-- 1 root root 396 Nov 10  2013 sysstat
-rw-r--r-- 1 root root  29 Nov 14  2014 vortex0
-rw-r--r-- 1 root root  30 Nov 14  2014 vortex20
bandit21@bandit:/etc/cron.d$ cat cronjob_bandit22
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
bandit21@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
bandit21@bandit:/etc/cron.d$ file /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
/tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv: ASCII text
bandit21@bandit:/etc/cron.d$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
bandit21@bandit:/etc/cron.d$

Notes:

The first thing we want to do is look in the /etc/cron.d/ directory. Contained in this directory is a file called cronjob_bandit22 which we will read via cat. The cron job is basically a scheduled task to run a bash script in the path /usr/bin/cronjob_bandit22.sh. From reading this bash script as well you can see that does some file permission modifications and tries to output what looks like a string of text to another file in the /tmp/ directory. If we run the script it fails to perform the code because of permission errors. However, if we cat the /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv file we discovered it reveals the password for the next level.

References: