Level Goal

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!

NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…

Solution

Password: jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n

Again, let’s check out cron.

Nothing too surprising. Yet another script.

Let’s examine this script.

  1. Set a variable called myname based on the user who runs it (in this case, it’ll be bandit24)
  2. Change to a directory (/var/spool/bandit24)
  3. Output some debugging information
  4. Loop through all files in the directory
    1. Check if the file is the special file or ..
    2. If not, execute the file for 60 seconds before killing it
    3. Delete the file

So we can run commands as bandit24 if we put a shell script in /var/spool/bandit24. We know that in this wargame a user can read their own password file. So we can have our script read the file for us.

cronjobs redirect standard output, so we should save this information to a file. I doubt that bandit24 can write to bandit23‘s home directory, so let’s create a directory in /tmp.

Now we need to write a script to output a file to that directory.

Here’s a simple script to do that.

I’m gonna use vi to create get_pass.sh.

Press i (insert) to activate writing mode. You can now copy + paste the script into the file. Press Esc to exit writing mode, then Shift + zz to save and exit.

Let’s make it executable by all users..

We also need to let bandit24 (let’s make it all users) be able to write to our directory.

Now, let’s copy it to the directory the cronjob executes from.

When the next minute ticks over, we should get a file called password in our directory.

Got’em.