BB

technology and craziness.

BB

technology and craziness.

OverTheWire - Bandit - Level 22 → Level 23

Warning: This post contains a solution!
Only continue if:
1.) you want to see a possible alternative solution or
2.) you are stuck and need a hint!

Connect to the server using the following credentials:

Server: bandit.labs.overthewire.org
Port: 2220
Username: bandit22
Password: Yk7oxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Level Goal is:

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.

Check the content of the folder /etc/cron.d/:

1
2
bandit22@bandit:~$ ls /etc/cron.d/
cronjob_bandit22  cronjob_bandit23  cronjob_bandit24

There are three files, the second one (cronjob_bandit23) is the interesting one for the current level. Take a look at the content:

1
2
3
bandit22@bandit:~$ cat /etc/cron.d/cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null

A script (/usr/bin/cronjob_bandit23.sh) will be executed once on reboot and every minute. Take a look at the content of the script:

1
2
3
4
5
6
7
8
9
bandit22@bandit:~$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget

In line 4, the current user running the script (in this case bandit23, because bandit23 is running the cronjob) is saved to the variable myname. In line 5, the md5 sum of the String ‘I am user bandit23’ is calculated. The cut command is returning the first part of a line, where the delimiter is a space. This is done because the command md5sum returns a dash after the generated md5 hash:

1
2
bandit22@bandit:~$ echo I am user bandit23 | md5sum
8ca319486bfbbc3663ea0fbe81326349  -

After the cut command:

1
2
bandit22@bandit:~$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349

And finally, in line 9, the password for the next level is saved to the temporary file ‘/tmp/8ca319486bfbbc3663ea0fbe81326349’:

1
2
bandit22@bandit:~$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1uxxxxxxxxxxxxxxxxxxxxxxxxxxxx