OverTheWire Bandit Write Up – Level 22

I am getting to the final stretch now, I can basically taste the ending. But first I need to get the bandit level 22 out the way. If you haven’t had a chance to read my OverTheWire Bandit Write Up – Level 21 write up, give it a quick read then head back over here.

Level 22

Just like the last level there is a cron job that is run on a regular interval, however this time the job runs a shell script.

Let’s Start Hacking Then

Just like all the levels previous before I can start anything I need to spin up a fresh terminal and initiate a ssh connection.

ssh bandit22@bandit.labs.overthewire.org -p 2220

Once it’s loaded I am asked for the password from the last level. It works and I am in. Now I can get to looking for the script to get the password. I need to start by looking in the cron directory and see whats running. I run the following command.

ls /etc/cron.d

From this I can see the cron job that I am looking for, is a file named cronjob_bandit23 with luck this file will push me into the right direction. Knowing that I am on bandit level 22 I know that the bandit 23 file should be right. I print the file to the screen with the following.

cat /etc/cron.d/cronjob_bandit23

From the output I can see that there is a shell script being run every second of every minute. Don’t worry I won’t go through that again I think you got the idea from the last level. I can now have a look at what’s being run in the script with the following.

cat /usr/bin/cronjob_bandit23.sh

I have added the contents of the file below.

#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget

Looking at this script I can see that it creates a variable of a username, and then creates a file name from a md5 hash of that variable. Looking back at the output of the cronjob I can see that the shell script is being run by the bandit23 user. Knowing this information I run the following to find the file I need.

echo I am user bandit23  | md5sum | cut -d ' ' -f 1

This gives me the file name I need, I then run the following command.

cat /tmp/8ca319486bfbbc3663ea0fbe81326349

…and Wham! Bam! Thank you ma’am! I have the password now for level 23.

Level 22 Complete

I have hidden the password here, if you are playing along don’t peek! Please! It’s more fun getting it yourself.

Leave a Reply