MayADevBe Blog

A Blog about Computer Science

OverTheWire Bandit Level 22 -> 23 - Walkthrough

Previous Level: Level 22


Login

SSH: ssh bandit22@bandit.labs.overthewire.org -p 2220

Password: Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

Task

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

A little bit of Theory

In the previous level I already explained the theory of cronjobs.

The new thing in this task is variables in bash scripting. A variable is like a container for a value. To declare a variable in bash scripting, use the following syntax: var_name=var_value. It is possible to save the output of a command in a variable with the following syntax: var_name=$(command). Access the value of an existing variable like this: $var_name.

Solution

We will start the same way as in level 22:

bandit22@bandit:~$ ls -la /etc/cron.d
total 36
drwxr-xr-x  2 root root 4096 Jul 11  2020 .
drwxr-xr-x 87 root root 4096 May 14  2020 ..
-rw-r--r--  1 root root   62 May 14  2020 cronjob_bandit15_root
-rw-r--r--  1 root root   62 Jul 11  2020 cronjob_bandit17_root
-rw-r--r--  1 root root  120 May  7  2020 cronjob_bandit22
-rw-r--r--  1 root root  122 May  7  2020 cronjob_bandit23
-rw-r--r--  1 root root  120 May 14  2020 cronjob_bandit24
-rw-r--r--  1 root root   62 May 14  2020 cronjob_bandit25_root
-rw-r--r--  1 root root  102 Oct  7  2017 .placeholder
bandit22@bandit:~$ cat /etc/cron.d/cronjob_bandit23
@reboot bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh  &> /dev/null
bandit22@bandit:~$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget

Looking at the ‘/usr/bin/cronjob_bandit23.sh’ script, the last line is similar to level 22. This script just introduces variables. The first variable, ‘myname’, stores the output of the whoami command. Because cron runs this script as bandit23, the whoami command will print ‘bandit23’. So the last line tells us that the password of bandit23 will be written into a file in the ‘/tmp’ folder. The filename is created by the line echo I am user $myname | md5sum | cut -d ' ' -f 1. We only need to substitute $myname with bandit23 and execute it; the result is the filename.

bandit22@bandit:~$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349
bandit22@bandit:~$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n

The line that creates the filename pipes the string “I am user bandit23” into md5sum, which returns the MD5 hash of the string. The last instruction, cut -d ' ' -f 1, removes everything after the first space. You can test for yourself what the output looks like without it.
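
The following is an added example, not part of the original walkthrough or the level's script. It reproduces the filename derivation as a function to show why the name is predictable from the user name alone and what md5sum prints before cut. The function names and safe_copy (one possible hardened write using mktemp) are assumptions made for illustration.

```bash
#!/bin/bash
# Added example, not part of the original walkthrough.

# Same derivation as cronjob_bandit23.sh, with the user name as a parameter.
# echo appends a newline, and that newline is part of the hashed input.
target_name() {
    echo I am user "$1" | md5sum | cut -d ' ' -f 1
}

# What md5sum prints before cut: "<hash>  -", where "-" stands for stdin.
raw_md5sum() {
    echo I am user "$1" | md5sum
}

# Same text without the trailing newline: a different hash, hence a different
# file name. Reproducing the name requires the exact bytes the script hashes.
target_name_no_newline() {
    printf 'I am user %s' "$1" | md5sum | cut -d ' ' -f 1
}

# Hardened write (assumption: one possible fix, not what the level does):
# mktemp picks an unpredictable name and creates the file owner-only.
# Prints the path it created.
safe_copy() {
    local src="$1" dir="$2" out
    out=$(umask 077; mktemp "$dir/pass.XXXXXXXXXX") || return 1
    cat "$src" > "$out" && echo "$out"
}

# Demo on constructed data in a scratch directory (no real password involved).
demo() {
    local work out
    work=$(mktemp -d) || return 1
    echo 'constructed-secret' > "$work/src"
    echo "predictable: /tmp/$(target_name bandit23)"
    echo "before cut:  $(raw_md5sum bandit23)"
    out=$(safe_copy "$work/src" "$work") && ls -l "$out"
    rm -rf "$work"
}
demo
```

Because target_name depends only on a fixed string and the user name, any account that can read the script can compute the path; safe_copy yields a different owner-only file on every call.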


https://overthewire.org/wargames/bandit/bandit23.html


Next Level: Level 24

