OverTheWire - Bandit - Level 21 → Level 22

2018-12-30 | #Bandit #En #OverTheWire #Walkthrough #Writeup

199 words One minute

Warning: This post contains a solution!

Only continue if:
1.) you want to see a possible alternative solution or
2.) you are stuck and need a hint!

Connect to the server using the following credentials:

Server: bandit.labs.overthewire.org
Port: 2220
Username: bandit21
Password: gE26xxxxxxxxxxxxxxxxxxxxxxxxxxxx

Level Goal is:

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

Check the content of the folder /etc/cron.d/:

1
2
bandit21@bandit:~$ ls /etc/cron.d/
cronjob_bandit22  cronjob_bandit23  cronjob_bandit24

There are three files, the first one (cronjob_bandit22) is the interesting one for the current level. Take a look at the content:

1
2
3
bandit21@bandit:~$ cat /etc/cron.d/cronjob_bandit22 
@reboot bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null

A script (/usr/bin/cronjob_bandit22.sh) will be executed once on reboot and every minute. Take a look at the content of the script:

1
2
3
4
bandit21@bandit:~$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

The script writes the password from the next level (/etc/bandit_pass/bandit22) to a temporary folder (/tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv). We can read it and get the password for the next level:

1
2
bandit21@bandit:~$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7oxxxxxxxxxxxxxxxxxxxxxxxxxxxx