OverTheWire Bandit Write Up – Level 23

In the last level I looked at Cron jobs running previously created scripts, in bandit level 23 I get to make my own. If you haven’t had a chance to read my OverTheWire Bandit Write Up – Level 21 write up, give it a quick read then head back over here.

Level 23

This level requires the creation of a shell script, this script needs to take the password for the level and put it in a file accessible by the bandit23 user.

Let’s Start Hacking Then

The first thing as with all the levels is to start up a fresh new terminal and initiate a SSH connection to the machine.

ssh bandit23@bandit.labs.overthewire.org -p 2220

Once connected I am prompted for the password. I enter the one I gained last level and I’m in. Now I need to have a look at what cron jobs are in the cron.d directory. I can do this with the following.

ls /etc/cron.d

This provides me with the same list that I had on the last two levels. This time however, I need to have a look at the cronjob_bandit24 file.

cat /etc/cron.d/cronjob_bandit24

From this I can see that every minute of every hour. I think you get the idea of this now. It’s running a shell script cronjob_bandit24.sh. I need to check out what this script is doing, and I can do that with.

cat /usr/bin/cronjob_bandit24.sh

From this script I can see that it looks into the /var/spool/bandit24 directory executes all the executable script files. Then it waits for 60 seconds, kills all processes from that directory and lastly it deletes all the files. Know this key piece of information I knew that I had 60 seconds to create a script and make it executable before it was gone. So I ran the following and created my script.

nano /var/spool/bandit24/jrlbyrne.sh

I then proceeded to enter the following code which would create a file /tmp/bandit24.pass with the contents of the /etc/bandit_pass/bandit24 file.



cat /etc/bandit_pass/$myname > /tmp/$myname.pass

With the script created I needed to make it executable, which I was able to do with the following.

chmod +x /var/spool/bandit24/jrlbyrne.sh

If the previous fails with a file not found style of error, try using nano to edit it again. If the file is empty then you may have had the unfortunate of the script previous running and deleting your file. However it stays, like it did for me I needed to wait for around 60 seconds and then I was able to see if my tmp file was created.

cat /tmp/bandit24.pass

…and Wham! Bam! Thank you ma’am! I have the password now for level 24.

Level 23 Complete

I have hidden the password here, if you are playing along don’t peek! Please! It’s more fun getting it yourself.

Leave a Reply