I am getting to the final stretch now; I can basically taste the ending. But first I need to get Bandit level 22 out of the way. If you haven’t had a chance to read my OverTheWire Bandit Level 21 write-up, give it a quick read, then head back over here.

Level 22

Just like the last level, there is a cron job that runs at a regular interval; however, this time the job runs a shell script.

Let’s Start Hacking Then

Just like all the previous levels, before I can start anything I need to spin up a fresh terminal and initiate an SSH connection.

ssh bandit22@bandit.labs.overthewire.org -p 2220

Once it’s loaded I am asked for the password from the last level. It works and I am in. Now I can get to looking for the script to get the password. I need to start by looking in the cron directory to see what’s running. I run the following command.

ls /etc/cron.d

From this I can see the cron job that I am looking for: a file named cronjob_bandit23. With luck this file will push me in the right direction. Knowing that I am on Bandit level 22, I know that the bandit23 file should be the right one. I print the file to the screen with the following.

cat /etc/cron.d/cronjob_bandit23

From the output I can see that there is a shell script being run every second of every minute. Don’t worry, I won’t go through that again; I think you got the idea from the last level. I can now have a look at what’s being run in the script with the following.

cat /usr/bin/cronjob_bandit23.sh

I have added the contents of the file below.

#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget

Looking at this script, I can see that it creates a variable of a username, and then creates a file name from an MD5 hash of that variable. Looking back at the output of the cron job, I can see that the shell script is being run by the bandit23 user. Knowing this information, I run the following to find the file I need.

echo I am user bandit23  | md5sum | cut -d ' ' -f 1

This gives me the file name I need. I then run the following command.

cat /tmp/8ca319486bfbbc3663ea0fbe81326349

…and Wham! Bam! Thank you ma’am! I have the password now for level 23.
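The weakness this level relies on is that the cron script derives its /tmp file name from nothing but the account name, so the name is the same on every run and any local user can recompute it. The following is an added example, not part of the original write-up or of the OverTheWire script: it reproduces that derivation next to a hardened alternative. The function names, the `pass.` file prefix and the sample secret are assumptions made for the illustration.

```bash
#!/bin/bash
# Added example; function names and sample data are constructed.

# Same derivation as cronjob_bandit23.sh: the output depends only on the
# account name, so it is identical on every run and for every caller.
predictable_name() {
    echo I am user "$1" | md5sum | cut -d ' ' -f 1
}

# Hardened alternative (assumption: the job only needs a private copy).
# mktemp picks an unpredictable name and creates the file owner-only;
# umask 077 keeps it that way even if the template handling changes.
# Usage: secure_copy SRC DIR   -> prints the path of the new file
secure_copy() {
    local src dir out
    src=$1; dir=$2
    out=$(umask 077 && mktemp "$dir/pass.XXXXXXXXXX") || return 1
    cat "$src" > "$out" || return 1
    printf '%s\n' "$out"
}

# Permission string of a file, e.g. -rw-------
file_mode() {
    ls -l "$1" | cut -c1-10
}

demo() {
    local work out
    work=$(mktemp -d) || return 1
    printf 'constructed-sample-secret\n' > "$work/secret"
    echo "weak:     /tmp/$(predictable_name bandit23)"
    out=$(secure_copy "$work/secret" "$work")
    echo "hardened: $out ($(file_mode "$out"))"
    rm -rf "$work"
}
demo
```

When auditing cron jobs, a write to /tmp whose name is built from fixed or public inputs is the pattern to flag; a private directory with mktemp and a restrictive umask removes both the predictability and the world-readable copy.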

Level 22 Complete

I have hidden the password here, if you are playing along don’t peek! Please! It’s more fun getting it yourself.


Justin Byrne

Justin Byrne is a self-motivated tech enthusiast who has spent more than half his life dedicated to the tech industry. He built his first computer at the age of 11, and has been building ever since. His interests have changed across the years from system building to web programming and even a dab of software engineering, and just like his interests, his operating system has changed, sometimes more than 4 times a year.
