In the last level I looked at cron jobs running previously created scripts; in Bandit level 23 I get to make my own. If you haven’t had a chance to read my OverTheWire Bandit Write Up – Level 22, give it a quick read, then head back over here.

Level 23

This level requires the creation of a shell script. The script needs to take the password for the level and put it in a file accessible by the bandit23 user.

Let’s Start Hacking Then

The first thing, as with all the levels, is to start up a fresh new terminal and initiate an SSH connection to the machine.

ssh bandit23@bandit.labs.overthewire.org -p 2220

Once connected I am prompted for the password. I enter the one I gained last level and I’m in. Now I need to have a look at what cron jobs are in the cron.d directory. I can do this with the following.

ls /etc/cron.d

This provides me with the same list that I had on the last two levels. This time however, I need to have a look at the cronjob_bandit24 file.

cat /etc/cron.d/cronjob_bandit24

From this I can see that it runs every minute of every hour (I think you get the idea of this now), and that it’s running a shell script, cronjob_bandit24.sh. I need to check out what this script is doing, and I can do that with the following.

cat /usr/bin/cronjob_bandit24.sh

From this script I can see that it looks into the /var/spool/bandit24 directory and executes all the executable script files. Then it waits for 60 seconds, kills all processes from that directory and lastly deletes all the files. Knowing this key piece of information, I knew that I had 60 seconds to create a script and make it executable before it was gone. So I ran the following and created my script.

nano /var/spool/bandit24/jrlbyrne.sh

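I then proceeded to enter the following code, which would create a file /tmp/bandit24.pass with the contents of the /etc/bandit_pass/bandit24 file. Because the cron job runs the script as bandit24, whoami returns bandit24 and both paths resolve to that user.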

#!/bin/bash
myname=$(whoami)
cat /etc/bandit_pass/$myname > /tmp/$myname.pass

With the script created I needed to make it executable, which I was able to do with the following.

chmod +x /var/spool/bandit24/jrlbyrne.sh

If the previous command fails with a “file not found” style of error, try using nano to edit the script again. If the file is empty, you may have had the misfortune of the cron script running in the meantime and deleting your file. However, if it stays, like it did for me, I needed to wait for around 60 seconds and then I was able to see if my tmp file was created.

cat /tmp/bandit24.pass

…and Wham! Bam! Thank you ma’am! I have the password now for level 24.

Level 23 Complete

I have hidden the password here, if you are playing along don’t peek! Please! It’s more fun getting it yourself.
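
From the defender's side, what makes this level work is a cron job that executes whatever sits in a directory other users can write to. The following is an added example, not part of the original write-up or of the OverTheWire scripts: a shell function that audits such a directory before a job is allowed to run from it. It assumes GNU stat; the function name and the finding labels are made up for illustration.

```shell
#!/bin/bash
# Added example: audit a directory whose contents a cron job executes.
# Function name and finding labels are hypothetical. Assumes GNU stat (stat -c).

# audit_spool DIR TRUSTED_UID
# Prints one finding per line. Returns 0 if clean, 1 if flagged, 2 on error.
audit_spool() {
    local dir trusted mode owner f fmode fowner flagged
    dir=$1; trusted=$2; flagged=0

    mode=$(stat -c '%a' "$dir") || return 2
    owner=$(stat -c '%u' "$dir")

    # Group- or world-writable directory: other accounts can drop a script
    # that the job then runs with the job owner's privileges.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "DIR_WRITABLE $dir mode=$mode"
        flagged=1
    fi
    if [ "$owner" != "$trusted" ] && [ "$owner" != 0 ]; then
        echo "DIR_OWNER $dir uid=$owner"
        flagged=1
    fi

    # Executable regular files (dotfiles included) that the job would run.
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$f" ] && [ ! -L "$f" ] && [ -x "$f" ] || continue
        fowner=$(stat -c '%u' "$f")
        fmode=$(stat -c '%a' "$f")
        if [ "$fowner" != "$trusted" ] && [ "$fowner" != 0 ]; then
            echo "FILE_OWNER $f uid=$fowner"
            flagged=1
        fi
        if [ $(( 0$fmode & 022 )) -ne 0 ]; then
            echo "FILE_WRITABLE $f mode=$fmode"
            flagged=1
        fi
    done
    return $flagged
}
```

A job wrapper can call `audit_spool` with the job owner's numeric UID and refuse to execute anything when it returns non-zero.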


Justin Byrne
