Warning: This post contains a solution!
Only continue if:
1.) you want to see a possible alternative solution or
2.) you are stuck and need a hint!
Connect to the server using the following credentials:
Level Goal is:
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.
Check the content of the folder /etc/cron.d/:
    bandit22@bandit:~$ ls /etc/cron.d/
    cronjob_bandit22  cronjob_bandit23  cronjob_bandit24
There are three files, the second one (cronjob_bandit23) is the interesting one for the current level. Take a look at the content:
    bandit22@bandit:~$ cat /etc/cron.d/cronjob_bandit23
    @reboot bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
    * * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
The script /usr/bin/cronjob_bandit23.sh is executed as user bandit23 once at reboot and then every minute.
Take a look at the content of the script:
    bandit22@bandit:~$ cat /usr/bin/cronjob_bandit23.sh
    #!/bin/bash

    myname=$(whoami)
    mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

    echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

    cat /etc/bandit_pass/$myname > /tmp/$mytarget
In line 4, the current user running the script (in this case bandit23, because bandit23 is running the cronjob) is saved to the variable myname.
In line 5, the MD5 sum of the string 'I am user bandit23' is calculated. The cut command returns the first field of the line, using a space as the delimiter. This is needed because md5sum prints a dash (its placeholder for standard input) after the generated hash:
    bandit22@bandit:~$ echo I am user bandit23 | md5sum
    8ca319486bfbbc3663ea0fbe81326349  -
After the cut command:
    bandit22@bandit:~$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1
    8ca319486bfbbc3663ea0fbe81326349
And finally, in line 9, the password for the next level is saved to the temporary file '/tmp/8ca319486bfbbc3663ea0fbe81326349':
    bandit22@bandit:~$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
    jc1uxxxxxxxxxxxxxxxxxxxxxxxxxxxx
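The target name depends only on the user name, so any local user can recompute it. The following added example (not from the original post and not the level's own script) reproduces that derivation and contrasts it with writing the secret into a private mktemp directory. The function names and the sample secret are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not part of the original post. All function names are hypothetical.

# Reproduce the file name cronjob_bandit23.sh derives for a given user name.
# echo appends a newline, and that newline is part of the hashed input.
derive_target() {
    echo "I am user $1" | md5sum | cut -d ' ' -f 1
}

# Hardened alternative: write the secret into a fresh private directory.
# umask 077 keeps directory and file owner-only; mktemp -d picks a random name.
# $1 = secret text. Prints the path of the file that was written.
write_secret_private() {
    (
        umask 077
        dir=$(mktemp -d) || exit 1
        printf '%s\n' "$1" > "$dir/secret" || exit 1
        printf '%s\n' "$dir/secret"
    )
}

# Permission string of a path, e.g. -rw------- (first 10 columns of ls -ld).
perms_of() {
    ls -ld "$1" | cut -c1-10
}

# Demo with a constructed sample secret (not a real password).
demo_path=$(write_secret_private "constructed-sample-secret")
echo "predictable: /tmp/$(derive_target bandit23)"
echo "private:     $demo_path ($(perms_of "$demo_path"))"
rm -rf "$(dirname "$demo_path")"
```

The predictable path is identical on every run, while each call to write_secret_private yields a new directory that only the owner can enter.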