Bandit - Going to Level 23

Goal

A program is running automatically at regular intervals from cron, the time- based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed. NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.

Getting the information

The idea is the same as before:

bandit22@melinda:~$ ls /etc/cron.d/
behemoth4_cleanup
leviathan5_cleanup
natas25_cleanup~ semtex0−ppc
cron−apt
manpage3_resetpw_job natas26_cleanup semtex5
cronjob_bandit22
melinda−stats
natas27_cleanup sysstat
cronjob_bandit23
natas−session−toucher php5
vortex0
cronjob_bandit24
natas−stats
semtex0−32
vortex20
cronjob_bandit24_root natas25_cleanup
semtex0−64

We use the following command to take a look a the contents of cronjob_bandit23

bandit22@melinda:~$ cat /etc/cron.d/cronjob_bandit23

The output is:

/etc/cron.d/cronjob_bandit23
     bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null

Then we look a cronjob_bandit23.sh with:

bandit22@melinda:~$ cat /usr/bin/cronjob_bandit23.sh

Here is the output :

/etc/cron.d/cronjob_bandit23.sh
#!/bin/bash
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut −d ’ ’ −f 1)
echo "Copying␣passwordfile␣/etc/bandit_pass/$myname␣to␣/tmp/$mytarget"
33cat /etc/bandit_pass/$myname > /tmp/$mytarget
We can see that the job takes the name of the current user, gets the md5
sum of the sentence "I am user <current user>" and stores the user’s password
in a file named with this computed md5 sum.

We see that mytarget is computed from the username so we retrieve the variable for a user named bandit23:

bandit22@melinda:~$ echo I am user bandit23 | md5sum | cut −d ’ ’ −f 1
8ca319486bfbbc3663ea0fbe81326349

From this we get the name of the file holding the password:

bandit22@melinda:~$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n