Bandit - Going to Level 24
Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around...
Getting the information
bandit23@melinda:~$ ls /etc/cron.d/
behemoth4_cleanup      leviathan5_cleanup     natas25_cleanup~  semtex0-ppc
cron-apt               manpage3_resetpw_job   natas26_cleanup   semtex5
cronjob_bandit22       melinda-stats          natas27_cleanup   sysstat
cronjob_bandit23       natas-session-toucher  php5              vortex0
cronjob_bandit24       natas-stats            semtex0-32        vortex20
cronjob_bandit24_root  natas25_cleanup        semtex0-64
bandit23@melinda:~$ cat /etc/cron.d/cronjob_bandit24
bandit23@melinda:~$ cat /etc/cron.d/cronjob_bandit24_root
bandit23@melinda:~$ cat /usr/bin/cronjob_bandit24.sh
bandit23@melinda:~$ cat /usr/bin/cronjob_bandit24_root.sh
cat: /usr/bin/cronjob_bandit24_root.sh: Permission denied
We can see that the script cronjob_bandit24.sh executes every script in /var/spool/bandit24 before removing them. So how about we create a script (that will be executed by bandit24) that copies the bandit24 password to /tmp/bckbandit24pwd?
But before that, we create a folder in which we will create the script:
mkdir /tmp/bckBandit
cd /tmp/bckBandit
Here is the script we create. I named it 'b24_script.sh'.
Now we need to change the script permissions so that anyone can execute it, and the directory permissions so that anyone can write to it:
chmod 777 b24_script.sh
chmod 777 /tmp/bckBandit
From there we would just need to copy the script into /var/spool/bandit24, wait for approximately 1 minute, and check in /tmp/bckBandit to see that a file named bandit24 has been created and contains the password to the next level.
However, there is a bug in this level, and this won’t work. Note that if you needed to know exactly when the script had disappeared, you could have used the following command, which refreshes an ls listing every 2 seconds:
watch ls /var/spool/bandit24
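Seen from the defender's side, the weakness this level relies on is that the cron job runs every file dropped into its spool directory. The following is an added example, not part of the original walkthrough or of the Bandit scripts: a shell audit that flags a world-writable spool and rejects entries that are not plain files owned by a trusted UID. The function names and the UID argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a spool directory that a cron job executes from.
# The directory path and the trusted UID are supplied by the caller (assumptions).

# Succeeds if anyone on the system may create files in directory $1.
# A sticky bit (mode 1777) does not help: others can still add new files.
spool_world_writable() {
    [ -n "$(find "$1" -prune -type d -perm -0002 2>/dev/null)" ]
}

# Succeeds only if $1 is a regular file (not a symlink), owned by UID $2,
# and not writable by group or others.
safe_to_run() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ -n "$(find "$1" -prune -user "$2" ! -perm -0020 ! -perm -0002)" ]
}

# Print one verdict line per spool entry; return 1 if any entry is rejected.
audit_spool() {
    dir=$1 uid=$2 rc=0
    if spool_world_writable "$dir"; then
        echo "WARN  $dir is world-writable"
    fi
    for f in "$dir"/*; do
        # Skip the unexpanded glob when the directory is empty,
        # but still report dangling symlinks.
        [ -e "$f" ] || [ -L "$f" ] || continue
        if safe_to_run "$f" "$uid"; then
            echo "OK    $f"
        else
            echo "SKIP  $f"
            rc=1
        fi
    done
    return $rc
}
```

A runner that calls safe_to_run before executing each entry would ignore scripts planted by other users, and audit_spool can be run by hand against any directory referenced from /etc/cron.d/.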