Skip to main content

Bandit Level 22 → 23

Shubham
Cybersecurity Enthusiast

Login: ssh bandit22@bandit.labs.overthewire.org -p 2220
Password: tRae0UfB9v0UzbCdn9cY0gQnds9GF58Q

task

A program is running automatically at regular intervals from cron. Look in /etc/cron.d/ for the configuration and see what command is being executed.

theory lil bit

  1. Shell Variables: In the script, $myname is a variable. When the cron job runs for bandit23, the script sets myname to "bandit23".
  2. MD5 Hashing: The command md5sum creates a unique 32-character fingerprint (hash) of a string. In this level, the script uses the hash of a specific string as a hidden filename in /tmp.
  3. Command Substitution: Using $(command) allows the output of one command to be stored in a variable or used inside another string.
  4. Logic: To find the password, we don't need to run the script. We just need to figure out what the filename would be when the user is bandit23, and then read that file.

solution

# Navigate to the cron directory and check the script
bandit22@bandit:~$ cd /etc/cron.d
bandit22@bandit:/etc/cron.d$ cat cronjob_bandit23
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null

# Analyze the script logic
bandit22@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash
myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)
echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"
cat /etc/bandit_pass/$myname > /tmp/$mytarget

# Replicate the logic for bandit23 to find the hidden filename
bandit22@bandit:/etc/cron.d$ echo I am user bandit23 | md5sum | cut -d ' ' -f 1
8ca319486bfbbc3663ea0fbe81326349

# Read the resulting file from the /tmp directory
bandit22@bandit:/etc/cron.d$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
0Zf11ioIjMVN551jX3CmStKLYqjk54Ga

<!-- truncate -->